From Steven.Jones at vuw.ac.nz Tue Mar 1 00:21:02 2011 
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 1 Mar 2011 13:21:02 +1300
Subject: [Freeipa-devel] [Freeipa-users] Announcing FreeIPA v2 Server Release Candidate 2 Release
In-Reply-To: <4D6C0EA5.3040708@redhat.com>
References: <4D6C0EA5.3040708@redhat.com>
Message-ID: <61DF826607311A4EBE75A77ED59E4CDE5C81BEB722@STAWINCOEXMAIL1.staff.vuw.ac.nz>

Not sure if I have to change anything in the repo? but rc2.0 does not appear...

regards

On Mon, 2011-02-28 at 16:07 -0500, Rob Crittenden wrote:
> To all freeipa-interest, freeipa-users and freeipa-devel list members,
>
> The FreeIPA project team is pleased to announce the availability of the
> Release Candidate 2 release of freeIPA 2.0 server [1].
>
> * Binaries are available for F-14 and F-15 [2].
> * Please do not hesitate to share feedback, criticism or bugs with us on
> our mailing list: freeipa-users at redhat.com
>
> Main Highlights of the Release Candidate.
>
> This release consists primarily of bug fixes and polish across all areas
> of the project. Modifications include but are not limited to
> * Make Indirect membership clearer.
> * Input validation fixes.
> * WebUI improvements.
> * Created default Roles.
> * IPv6 support
> * Documentation updates
>
> Focus of the Release Candidate Testing
> * There was a Fedora test day for FreeIPA on Feb 15th [3]. These tests
> are still relevant and feedback would be appreciated.
> * The following section outlines the areas that we are mostly interested
> to test [4].
>
> Significant Changes Since RC 1
> To see all the tickets addressed since the beta 2 release see [6].
>
> Repositories and Installation
> * Use the following link to install the RC 2 packages [5].
> * FreeIPA relies on the latest versions of the packages currently
> available from the updates-testing repository. Please make sure to
> enable this repository before you proceed with installation.
>
> Known Issues:
> * There are known issues that currently prevent FreeIPA from
> successfully installing with dogtag on F-15 [2]. We will send a separate
> message when this issue is resolved. The FreeIPA server is installable
> with the --selfsign option on F-15, or with dogtag on F-14.
> * Server-generated error messages are not translated yet.
> * The 'ipa help' command does not support localization.
>
> We plan to address all the outstanding tickets before the final 2.0
> release. For the complete list see [7].
>
> Thank you,
> The FreeIPA development team
>
> [1] http://www.freeipa.org/page/Downloads
> [2] dogtag is having issues with systemd:
> https://bugzilla.redhat.com/show_bug.cgi?id=676330
> [3] https://fedoraproject.org/wiki/QA/Fedora_15_test_days
> [4] https://fedoraproject.org/wiki/Features/FreeIPAv2#How_To_Test
> [5] http://freeipa.org/downloads/freeipa-devel.repo
> [6] https://fedorahosted.org/freeipa/query?status=closed&milestone=2.0.2+Bug+fixing+(RC2)
> [7] https://fedorahosted.org/freeipa/milestone/2.0.3.%20Bug%20Fixing%20%28GA%29
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

From Steven.Jones at vuw.ac.nz Tue Mar 1 00:32:17 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 1 Mar 2011 13:32:17 +1300
Subject: [Freeipa-devel] [Freeipa-users] Announcing FreeIPA v2 Server Release Candidate 2 Release
In-Reply-To: <4D6C0EA5.3040708@redhat.com>
References: <4D6C0EA5.3040708@redhat.com>
Message-ID: <61DF826607311A4EBE75A77ED59E4CDE5C81BEB723@STAWINCOEXMAIL1.staff.vuw.ac.nz>

I have tried to download the rpms by hand and the dependencies are all broken ie python........well stuffed by the looks of it...

regards

From rcritten at redhat.com Tue Mar 1 03:10:43 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 28 Feb 2011 22:10:43 -0500
Subject: [Freeipa-devel] [PATCH] 0087 Fix winsync agreements setup
In-Reply-To: <20110228114107.4ba83610@willson.li.ssimo.org>
References: <20110226122415.4884cef0@willson.li.ssimo.org> <4D6BC409.1010505@redhat.com> <20110228111105.6ec07325@willson.li.ssimo.org> <4D6BCAE5.4030706@redhat.com> <20110228114107.4ba83610@willson.li.ssimo.org>
Message-ID: <4D6C63B3.2090809@redhat.com>

Simo Sorce wrote:
> On Mon, 28 Feb 2011 11:18:45 -0500
> Rob Crittenden wrote:
>
>> Simo Sorce wrote:
>>> On Mon, 28 Feb 2011 10:49:29 -0500
>>> Rob Crittenden wrote:
>>>
>>>> Simo Sorce wrote:
>>>>>
>>>>> Setting up a winsync agreement was broken.
>>>>>
>>>>> This patch fixes the code to allow setting up a winsync agreement
>>>>> that requires access to a non-IPA ldap server.
>>>>>
>>>>> Simo.
>>>>
>>>> This changes the side we initiate the replication startup on. I
>>>> don't know a ton about the internals of 389-ds replication but is
>>>> this necessary? It has been this way for years.
>>>
>>> Sorry, I don't see that.
>>> Where am I doing that ?
>>>
>>> Simo.
>>>
>>
>> This is what I saw:
>>
>> mod = [(ldap.MOD_ADD, 'nsds5BeginReplicaRefresh', 'start')]
>> - other_conn.modify_s(dn, mod)
>> + conn.modify_s(dn, mod)
>>
>> It looks like you renamed the variable from other_conn to conn so
>> this change is ok.
>
> Oh yes it is just a rename of the variable not an actual change.
>
> Simo.
>

Works great, ack.

rob

From rcritten at redhat.com Tue Mar 1 03:10:59 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 28 Feb 2011 22:10:59 -0500
Subject: [Freeipa-devel] [PATCH] 0091 Make wrappers for sasl binds
In-Reply-To: <20110226123122.0e0333a8@willson.li.ssimo.org>
References: <20110226123122.0e0333a8@willson.li.ssimo.org>
Message-ID: <4D6C63C3.4010609@redhat.com>

Simo Sorce wrote:
>
> Sasl gssapi binds were done w/o a wrapper, this caused sasl binds to
> behave differently in some cases as __lateinit() was never called on
> them.
>
> Unify sasl binds in ipaldap.py
>
> This is needed in conjunction with patch 0092 to fix managing replicas
> with krb credentials
>
> Simo.
>

ack

From rcritten at redhat.com Tue Mar 1 03:11:07 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 28 Feb 2011 22:11:07 -0500
Subject: [Freeipa-devel] [PATCH] 0092 Fix replica management with krb credentials
In-Reply-To: <20110226123409.40148bcb@willson.li.ssimo.org>
References: <20110226123409.40148bcb@willson.li.ssimo.org>
Message-ID: <4D6C63CB.1000106@redhat.com>

Simo Sorce wrote:
>
> If no bind password is provided it is not possible to create the basic
> replication user. Creating this user is not necessary for winsync
> agreements or to create new replica connections that use gssapi auth so
> make it optional if krb credentials are used.
>
> Simo.

ack

From rcritten at redhat.com Tue Mar 1 03:14:31 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 28 Feb 2011 22:14:31 -0500
Subject: [Freeipa-devel] [PATCH] 0086 add loginShell to winsynced users
In-Reply-To: <4D5EEF05.5080308@redhat.com>
References: <20110218171024.04d3ee1b@willson.li.ssimo.org> <4D5EEF05.5080308@redhat.com>
Message-ID: <4D6C6497.2040008@redhat.com>

Rich Megginson wrote:
> On 02/18/2011 03:10 PM, Simo Sorce wrote:
>> Fixes #266
>>
>> I haven't been able to test this as the Windows machine we have
>> available decided to not behave today.
>> I may try again next week assuming I have time.
> ack
>

Second ack. I tested the patch and it worked fine.

rob

From rcritten at redhat.com Tue Mar 1 04:05:29 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 28 Feb 2011 23:05:29 -0500
Subject: [Freeipa-devel] Localization patches.
In-Reply-To: <4D6BC731.3000901@redhat.com>
References: <4D5BEEDC.5050902@redhat.com> <4D5C9F5D.1090706@redhat.com> <4D5D7C29.2020102@redhat.com> <4D5D9888.6010603@redhat.com> <4D5E4B36.1010805@redhat.com> <4D640B71.7080304@redhat.com> <4D654D43.5030601@redhat.com> <4D6BC731.3000901@redhat.com>
Message-ID: <4D6C7089.9080605@redhat.com>

Pavel Zuna wrote:
> On 02/23/2011 07:09 PM, Pavel Zůna wrote:
>> On 2011-02-22 20:16, Rob Crittenden wrote:
>>> Pavel Zůna wrote:
>>>> On 2011-02-17 22:52, Rob Crittenden wrote:
>>>>> Pavel Zůna wrote:
>>>>>> On 2011-02-17 05:09, Rob Crittenden wrote:
>>>>>>> Pavel Zůna wrote:
>>>>>>>> My efforts in fixing localization all around the framework and
>>>>>>>> preparing it for localizing docstrings have resulted in a lot of
>>>>>>>> patches. Because I understand they have become a bit hard to track,
>>>>>>>> I decided to post them all together in this thread to make review
>>>>>>>> easier.
>>>>>>>>
>>>>>>>> After this is committed, there will be one more patch that switches
>>>>>>>> xgettext for pygettext. Then hopefully, we'll be pretty much set
>>>>>>>> when it comes to i18n.
>>>>>>>>
>>>>>>>> Pavel
>>>>>>>
>>>>>>> Patch 81 isn't applying for me.
>>>>>>>
>>>>>>> Help is not working for me either, this is due to patch 80.
>>>>>>>
>>>>>>> $ ipa help user
>>>>>>> ipa: ERROR: NameError: global name '_' is not defined
>>>>>>> Traceback (most recent call last):
>>>>>>>   File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 1087, in run
>>>>>>>     api.finalize()
>>>>>>>   File "/home/rcrit/redhat/freeipa-version/ipalib/plugable.py", line 619, in finalize
>>>>>>>     plugin_iter(base, (magic[k] for k in magic))
>>>>>>>   File "/home/rcrit/redhat/freeipa-version/ipalib/base.py", line 397, in __init__
>>>>>>>     sorted(members, key=lambda m: getattr(m, name_attr))
>>>>>>>   File "/home/rcrit/redhat/freeipa-version/ipalib/plugable.py", line 608, in plugin_iter
>>>>>>>     plugins[klass] = PluginInstance(klass)
>>>>>>>   File "/home/rcrit/redhat/freeipa-version/ipalib/plugable.py", line 585, in __init__
>>>>>>>     self.instance = klass()
>>>>>>>   File "/home/rcrit/redhat/freeipa-version/ipalib/plugable.py", line 184, in __init__
>>>>>>>     self.doc = _(inspect.getdoc(cls))
>>>>>>> NameError: global name '_' is not defined
>>>>>>> ipa: ERROR: an internal error has occurred
>>>>>>>
>>>>>>> Patches 69, 71 and 73 are still working fine.
>>>>>>>
>>>>>>> What is switching from xgettext to pygettext going to do?
>>>>>>
>>>>>> This was answered by John Dennis: xgettext doesn't parse python
>>>>>> docstrings.
>>>>>>
>>>>>>>
>>>>>>> rob
>>>>>>
>>>>>> Rebased version of 81 attached. It should also fix the traceback
>>>>>> you're getting.
>>>>>>
>>>>>> Pavel
>>>>>
>>>>> Something is still not working.
>>>>> I'm having a hard time reproducing how I
>>>>> got this but with LANG=es_US.UTF-8 for a while I was getting this with
>>>>> every ipa user-* request:
>>>>>
>>>>> ipa: ERROR: UnicodeEncodeError: 'ascii' codec can't encode character
>>>>> u'\xf1' in position 20: ordinal not in range(128)
>>>>> Traceback (most recent call last):
>>>>>   File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 1090, in run
>>>>>     sys.exit(api.Backend.cli.run(argv))
>>>>>   File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 917, in run
>>>>>     rv = cmd.output_for_cli(self.api.Backend.textui, result, *args, **options)
>>>>>   File "/home/rcrit/redhat/freeipa-version/ipalib/frontend.py", line 953, in output_for_cli
>>>>>     textui.print_entries(result, order, labels, flags, print_all)
>>>>>   File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 346, in print_entries
>>>>>     self.print_entry(entry, order, labels, flags, print_all, format, indent)
>>>>>   File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 378, in print_entry
>>>>>     label, value, format, indent, one_value_per_line
>>>>>   File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 309, in print_attribute
>>>>>     self.print_indented(format % (attr, text[0]), indent)
>>>>>   File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 232, in print_indented
>>>>>     print (CLI_TAB * indent + text)
>>>>> UnicodeEncodeError: 'ascii' codec can't encode character u'\xf1' in
>>>>> position 20: ordinal not in range(128)
>>>>> ipa: ERROR: ha ocurrido un error interno
>>>>>
>>>>> I think it is blowing up on this user:
>>>>>
>>>>> User login: jose
>>>>> First name: Jose
>>>>> Last name: contraseñas
>>>>> Home directory: /home/jose
>>>>> Login shell: /bin/sh
>>>>> Account disabled: TRUE
>>>>> Member of groups: ipausers
>>>>>
>>>>> Then all of a sudden things started working fine, so I'm not sure
>>>>> what's going on.
>>>>>
>>>>> Is this traceback meaningful to you?
>>>>>
>>>>> rob
>>>>
>>>> This looks like a bug in the textui backend.
>>>>
>>>> You get this error when you do something like this:
>>>>
>>>> >>> a = u'\xf1'
>>>> >>> a.decode('utf-8')
>>>> Traceback (most recent call last):
>>>>   File "<stdin>", line 1, in <module>
>>>>   File "/usr/lib/python2.6/encodings/utf_8.py", line 16, in decode
>>>>     return codecs.utf_8_decode(input, errors, True)
>>>> UnicodeEncodeError: 'ascii' codec can't encode character u'\xf1' in
>>>> position 0: ordinal not in range(128)
>>>>
>>>> It means we're not handling encoding/decoding from/to the CLI right
>>>> somewhere.
>>>>
>>>> The character \xf1 corresponds to the small N with tilde in Jose's last
>>>> name.
>>>>
>>>> I'm going to look into it, but I don't think it's related to the
>>>> localization patches.
>>>>
>>>> Pavel
>>>
>>> I'm seeing 2 test failures:
>>>
>>>
>>> ======================================================================
>>> FAIL: Test the `ipalib.plugable.Plugin.__init__` method.
>>> ----------------------------------------------------------------------
>>> Traceback (most recent call last):
>>>   File "/usr/lib/python2.7/site-packages/nose/case.py", line 186, in runTest
>>>     self.test(*self.arg)
>>>   File "/home/rcrit/redhat/freeipa-tests/tests/test_ipalib/test_plugable.py", line 237, in test_init
>>>     assert o.summary == 'Do sub-classy things.'
>>> AssertionError
>>>
>>> ======================================================================
>>> FAIL: Test gettext translation
>>> ----------------------------------------------------------------------
>>> Traceback (most recent call last):
>>>   File "/usr/lib/python2.7/site-packages/nose/case.py", line 186, in runTest
>>>     self.test(*self.arg)
>>>   File "/home/rcrit/redhat/freeipa-tests/tests/test_ipalib/test_text.py", line 122, in test_gettext
>>>     assert(translated[0] != prefix)
>>> AssertionError
>>>
>>> patch 81 is probably going to need a rebase.
>>> I was able to get it
>>> applied with a 3-way merge and one conflict in internal.py.
>>>
>>> rob
>>
>> Rebased patch 81 and 83 (pygettext).
>>
>> Created a new patch to fix these latest test failures - it was easier
>> than doing a complex rebase.
>>
>> All latest versions of localization patches are attached to this email
>> for review.
>>
>> I tried to apply them on a clean master clone, build RPMs, installed and
>> run all unit tests. So hopefully, we're finally going to get this in. :)
>>
>> Pavel
>
> New version of the last patch (84) attached. It includes new tests for
> i18n like switching languages. Testing with install/po/test_i18n.py was
> also updated.
>
> I retested all the patches on a clean master again and everything seems
> to work great.
>
> Pavel

Ack x 8. This looks good, thanks for your patience and persistence.

I'll push these in the morning, I want to be careful that I push the
right ones.

rob

From mkosek at redhat.com Tue Mar 1 13:23:07 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 01 Mar 2011 14:23:07 +0100
Subject: [Freeipa-devel] [PATCH] 036 Inconsistent sysrestore file handling by IPA server installer
Message-ID: <1298985787.4902.0.camel@dhcp-25-52.brq.redhat.com>

IPA server/replica uninstallation may fail when it tries to restore a
Directory server configuration file in sysrestore directory, which was
already restored before. The problem is in Directory Server uninstaller
which uses and modifies its own image of sysrestore directory state
instead of using the common uninstaller image.

https://fedorahosted.org/freeipa/ticket/1026

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-036-installer-inconsistent-sysrestore-file-handling.patch
Type: text/x-patch
Size: 3257 bytes
Desc: not available
URL:

From sigbjorn at nixtra.com Tue Mar 1 10:55:07 2011
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Tue, 1 Mar 2011 11:55:07 +0100 (CET)
Subject: [Freeipa-devel] [Freeipa-users] Announcing FreeIPA v2 Server Release Candidate 2 Release
In-Reply-To: <61DF826607311A4EBE75A77ED59E4CDE5C81BEB723@STAWINCOEXMAIL1.staff.vuw.ac.nz>
References: <4D6C0EA5.3040708@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB723@STAWINCOEXMAIL1.staff.vuw.ac.nz>
Message-ID: <45249.213.225.75.97.1298976907.squirrel@www.nixtra.com>

Hi,

I updated my IPA test servers last night without a problem. I have only
the default Fedora 14 repo + Fedora 14 updates-testing repo and the
Freeipa-devel repo enabled on my IPA test servers.

Rgds,
Siggi

On Tue, March 1, 2011 01:32, Steven Jones wrote:
> I have tried to download the rpms by hand and the dependencies are all
> broken ie python........well stuffed by the looks of it...
>
> regards
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>

From ssorce at redhat.com Tue Mar 1 15:04:50 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 1 Mar 2011 10:04:50 -0500
Subject: [Freeipa-devel] [PATCH] 0094 Make it possible to list also winsync replicas
Message-ID: <20110301100450.7b72668f@willson.li.ssimo.org>

This patch registers winsync replica in the public tree with enough
information to know which master is handling the agreement.

Now when listing replicas, the type is also returned and winsync
agreements are listed.

When listing a specific server with --verbose, in case of a winsync peer
the winsync peer status is shown by contacting the master that has the
agreement.

On winsync link removal, the public information about the agreement is
also removed.

Ticket 1007

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-0094-Store-list-of-non-master-replicas-in-DIT-and-provide.patch
Type: text/x-patch
Size: 9032 bytes
Desc: not available
URL:

From rcritten at redhat.com Tue Mar 1 15:32:21 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 01 Mar 2011 10:32:21 -0500
Subject: [Freeipa-devel] Localization patches.
In-Reply-To: <4D6C7089.9080605@redhat.com>
References: <4D5BEEDC.5050902@redhat.com> <4D5C9F5D.1090706@redhat.com> <4D5D7C29.2020102@redhat.com> <4D5D9888.6010603@redhat.com> <4D5E4B36.1010805@redhat.com> <4D640B71.7080304@redhat.com> <4D654D43.5030601@redhat.com> <4D6BC731.3000901@redhat.com> <4D6C7089.9080605@redhat.com>
Message-ID: <4D6D1185.8030702@redhat.com>

Rob Crittenden wrote:
> Pavel Zuna wrote:
>> New version of the last patch (84) attached. It includes new tests for
>> i18n like switching languages. Testing with install/po/test_i18n.py was
>> also updated.
>>
>> I retested all the patches on a clean master again and everything seems
>> to work great.
>>
>> Pavel
>
> Ack x 8. This looks good, thanks for your patience and persistence.
>
> I'll push these in the morning, I want to be careful that I push the
> right ones.
>
> rob

All 8 patches pushed to master

rob
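The UnicodeEncodeError traceback quoted earlier in this thread comes from printing a unicode string through a stream whose codec is ASCII: under Python 2 the implicit codec is whatever the locale supplies, and `u'\xf1'` (the ñ in the sample user's last name) is not representable in it. As an added example that is not part of the thread or of the FreeIPA code base, the Python 3 script below reproduces that failure mode and shows the boundary discipline that avoids it: decode bytes once on the way in, keep `str` internally, and encode once on the way out with an explicit codec and error policy instead of trusting the locale. `CLI_TAB`, `SAMPLE_ENTRY` and all function names are hypothetical for this demonstration (they are not ipalib APIs), and the sample entry is constructed to resemble the one in the traceback.

```python
# Added example, not code from the FreeIPA thread: explicit text encoding at
# the CLI boundary so output never depends on the process locale.
# CLI_TAB and all function names are hypothetical, not ipalib APIs.
import sys
from typing import Dict, List, Union

CLI_TAB = "  "  # indent unit; stands in for the CLI_TAB seen in the traceback

# Constructed sample entry; the last name carries U+00F1 (n with tilde),
# the character the quoted traceback trips on.
SAMPLE_ENTRY: Dict[str, Union[str, List[str]]] = {
    "User login": "jose",
    "First name": "Jose",
    "Last name": "contrase\u00f1as",
    "Home directory": "/home/jose",
    "Login shell": "/bin/sh",
    "Account disabled": "TRUE",
    "Member of groups": ["ipausers"],
}


def strict_ascii_fails(text: str) -> bool:
    """Reproduce the failure mode: encoding with the 'ascii' codec (what an
    ASCII locale makes an implicit print() do) raises on any non-ASCII char."""
    try:
        text.encode("ascii")
    except UnicodeEncodeError:
        return True
    return False


def format_entry(entry: Dict[str, Union[str, List[str]]], indent: int = 1) -> str:
    """Build the text to display; stays str (unicode) throughout, no bytes."""
    lines = []
    for label, value in entry.items():
        values = value if isinstance(value, list) else [value]
        lines.append(f"{CLI_TAB * indent}{label}: {', '.join(values)}")
    return "\n".join(lines) + "\n"


def encode_for_output(text: str, encoding: str) -> bytes:
    """Encode once, at the boundary, with an explicit codec. errors='replace'
    degrades unrepresentable characters to '?' instead of aborting the whole
    command; that is the right trade-off for a terminal, never for stored data."""
    return text.encode(encoding, errors="replace")


def decode_cli_arg(raw: bytes, encoding: str = "utf-8") -> str:
    """Decode bytes from argv/stdin exactly once; surrogateescape keeps
    undecodable bytes round-trippable instead of raising."""
    return raw.decode(encoding, errors="surrogateescape")


def output_encoding() -> str:
    """Prefer the stream's declared encoding, but never let an unset or 'C'
    locale (reported by Python as 'ansi_x3.4-1968') silently select ASCII."""
    enc = getattr(sys.stdout, "encoding", None)
    if not enc or enc.lower() in ("ascii", "ansi_x3.4-1968"):
        return "utf-8"
    return enc


def print_entry(entry: Dict[str, Union[str, List[str]]], stream=None) -> bytes:
    """Write the rendered entry as bytes to a binary stream; returns the bytes."""
    data = encode_for_output(format_entry(entry), output_encoding())
    (stream or sys.stdout.buffer).write(data)
    return data


if __name__ == "__main__":
    # Prints the sample entry correctly even with LANG=C, unlike an implicit
    # locale-dependent print of the same text.
    print_entry(SAMPLE_ENTRY)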
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 1 Mar 2011 11:13:39 -0500
Subject: [Freeipa-devel] [PATCH] 0086 add loginShell to winsynced users
In-Reply-To: <4D6C6497.2040008@redhat.com>
References: <20110218171024.04d3ee1b@willson.li.ssimo.org> <4D5EEF05.5080308@redhat.com> <4D6C6497.2040008@redhat.com>
Message-ID: <20110301111339.4bb9dcd3@willson.li.ssimo.org>

On Mon, 28 Feb 2011 22:14:31 -0500
Rob Crittenden wrote:

> Rich Megginson wrote:
> > On 02/18/2011 03:10 PM, Simo Sorce wrote:
> >> Fixes #266
> >>
> >> I haven't been able to test this as the Windows machine we have
> >> available decided to not behave today.
> >> I may try again next week assuming I have time.
> > ack
> >
>
> Second ack. I tested the patch and it worked fine.

Pushed to master.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Tue Mar 1 16:14:04 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 1 Mar 2011 11:14:04 -0500
Subject: [Freeipa-devel] [PATCH] 0087 Fix winsync agreements setup
In-Reply-To: <4D6C63B3.2090809@redhat.com>
References: <20110226122415.4884cef0@willson.li.ssimo.org> <4D6BC409.1010505@redhat.com> <20110228111105.6ec07325@willson.li.ssimo.org> <4D6BCAE5.4030706@redhat.com> <20110228114107.4ba83610@willson.li.ssimo.org> <4D6C63B3.2090809@redhat.com>
Message-ID: <20110301111404.528ec7ee@willson.li.ssimo.org>

On Mon, 28 Feb 2011 22:10:43 -0500
Rob Crittenden wrote:

> Works great, ack.

Thanks, pushed to master.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Tue Mar 1 16:14:28 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 1 Mar 2011 11:14:28 -0500
Subject: [Freeipa-devel] [PATCH] 0088 Fix ipa winsync plugin
In-Reply-To: <4D6B6E18.1080606@redhat.com>
References: <20110226122603.6b95a6d5@willson.li.ssimo.org> <4D6B6E18.1080606@redhat.com>
Message-ID: <20110301111428.311b5b6e@willson.li.ssimo.org>

On Mon, 28 Feb 2011 10:42:48 +0100
Jakub Hrozek wrote:

> On 02/26/2011 06:26 PM, Simo Sorce wrote:
> >
> > When the plugin was adjusted to not use LDAP_DEPRECATED it was
> > broken and DNs were generated without the RDN attribute name part.
> >
> > Simo.
> >
>
> I broke this one..
>
> Ack

Thanks. Pushed to master.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Tue Mar 1 16:14:57 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 1 Mar 2011 11:14:57 -0500
Subject: [Freeipa-devel] [PATCH] 0089 Fix user synchronization in ipa winsync
In-Reply-To: <4D6BC077.1060603@redhat.com>
References: <20110226122738.48d62108@willson.li.ssimo.org> <4D6BC077.1060603@redhat.com>
Message-ID: <20110301111457.6bbb4e88@willson.li.ssimo.org>

On Mon, 28 Feb 2011 08:34:15 -0700
Rich Megginson wrote:

> On 02/26/2011 10:27 AM, Simo Sorce wrote:
> > Apparently synchronizing new users down from AD didn't work as the
> > account didn't have uidNumber added, an attribute required by the
> > posixAccount objectclass.
> ack

Pushed to master.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Tue Mar 1 16:15:17 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 1 Mar 2011 11:15:17 -0500
Subject: [Freeipa-devel] [PATCH] 0090 Make use of (in)activate groups optional
In-Reply-To: <4D6BC058.2050209@redhat.com>
References: <20110226122857.4595f3f6@willson.li.ssimo.org> <4D6BC058.2050209@redhat.com>
Message-ID: <20110301111517.6737af6e@willson.li.ssimo.org>

On Mon, 28 Feb 2011 08:33:44 -0700
Rich Megginson wrote:

> On 02/26/2011 10:28 AM, Simo Sorce wrote:
> > Since we remove the use of CoS for (in)active users, the ipa_winsync
> > plugin was broken when configured to synchronize (in)active user
> > status (the default).
> ack

Pushed to master.

Thanks,
Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Tue Mar 1 16:15:36 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 1 Mar 2011 11:15:36 -0500
Subject: [Freeipa-devel] [PATCH] 0091 Make wrappers for sasl binds
In-Reply-To: <4D6C63C3.4010609@redhat.com>
References: <20110226123122.0e0333a8@willson.li.ssimo.org> <4D6C63C3.4010609@redhat.com>
Message-ID: <20110301111536.26148c3b@willson.li.ssimo.org>

On Mon, 28 Feb 2011 22:10:59 -0500
Rob Crittenden wrote:

> > This is needed in conjunction with patch 0092 to fix managing
> > replicas with krb credentials
> >
> > Simo.
> >
>
> ack

Pushed to master.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From edewata at redhat.com Tue Mar 1 19:36:39 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 01 Mar 2011 13:36:39 -0600
Subject: [Freeipa-devel] [PATCH] 117 Removed association facets based on memberofindirect.
Message-ID: <4D6D4AC7.1020308@redhat.com>

Association facets based on memberofindirect attribute have been
removed because the attribute is non-assignable.

Ticket 1027

-- 
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0117-Removed-association-facets-based-on-memberofindirect.patch
Type: text/x-patch
Size: 1026 bytes
Desc: not available
URL:

From ayoung at redhat.com Tue Mar 1 20:56:26 2011
From: ayoung at redhat.com (Adam Young)
Date: Tue, 01 Mar 2011 15:56:26 -0500
Subject: [Freeipa-devel] [PATCH] 117 Removed association facets based on memberofindirect.
In-Reply-To: <4D6D4AC7.1020308@redhat.com>
References: <4D6D4AC7.1020308@redhat.com>
Message-ID: <4D6D5D7A.4040307@redhat.com>

On 03/01/2011 02:36 PM, Endi Sukma Dewata wrote:
> Association facets based on memberofindirect attribute have been
> removed because the attribute is non-assignable.
>
> Ticket 1027
>
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

ACK. Pushed to master
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From rcritten at redhat.com Tue Mar 1 21:48:49 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 01 Mar 2011 16:48:49 -0500
Subject: [Freeipa-devel] [PATCH] 744 use Sudo rather than SUDO
In-Reply-To: <4D6C0D4D.8060802@redhat.com>
References: <4D6BD189.3030804@redhat.com> <4D6BEEA7.2090205@redhat.com> <4D6C0570.1000101@redhat.com> <4D6C0D4D.8060802@redhat.com>
Message-ID: <4D6D69C1.50100@redhat.com>

Adam Young wrote:
> On 02/28/2011 03:28 PM, Endi Sukma Dewata wrote:
>> On 2/28/2011 12:51 PM, Endi Sukma Dewata wrote:
>>> On 2/28/2011 10:47 AM, Rob Crittenden wrote:
>>>> Use Sudo instead of SUDO in labels, descriptions, etc.
>>>>
>>>> ticket 1005
>>>>
>>>> rob
>>>
>>> This patch is ACKed. The capitalization is now consistent in the CLI.
>>> However, the UI capitalizes the labels in the action panel and the title
>>> of association facets, so we still see a mix of Sudo and SUDO in the UI.
>>>
>>> There are still some SUDO left over in the UI test data, but that can be
>>> fixed in a separate patch.
>>
>> The attached patch fixes the UI test data.
>>
> ACK

pushed to master
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 01 Mar 2011 16:55:12 -0500
Subject: [Freeipa-devel] [PATCH] 744 use Sudo rather than SUDO
In-Reply-To: <4D6BEEA7.2090205@redhat.com>
References: <4D6BD189.3030804@redhat.com> <4D6BEEA7.2090205@redhat.com>
Message-ID: <4D6D6B40.4010902@redhat.com>

Endi Sukma Dewata wrote:
> On 2/28/2011 10:47 AM, Rob Crittenden wrote:
>> Use Sudo instead of SUDO in labels, descriptions, etc.
>>
>> ticket 1005
>>
>> rob
>
> This patch is ACKed. The capitalization is now consistent in the CLI.
> However, the UI capitalizes the labels in the action panel and the title
> of association facets, so we still see a mix of Sudo and SUDO in the UI.
>
> There are still some SUDO left over in the UI test data, but that can be
> fixed in a separate patch.
>

pushed to master

From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 01 Mar 2011 17:34:28 -0500
Subject: [Freeipa-devel] [PATCH] Revert-Set-hard-limit-on-number-of-commands-in-batch
In-Reply-To: <4D67F67E.2050205@younglogic.com>
References: <4D67F67E.2050205@younglogic.com>
Message-ID: <4D6D7474.703@redhat.com>

Adam Young wrote:
> I have not tested this, just ran:
>
> git revert 79d22f8341026450ba7ca564e24812c9351c7e70
>
>
> Please test before ACKing. I will test as well now.
>

ack
From: ayoung at redhat.com (Adam Young)
Date: Tue, 01 Mar 2011 17:39:57 -0500
Subject: [Freeipa-devel] [PATCH] Revert-Set-hard-limit-on-number-of-commands-in-batch
In-Reply-To: <4D6D7474.703@redhat.com>
References: <4D67F67E.2050205@younglogic.com> <4D6D7474.703@redhat.com>
Message-ID: <4D6D75BD.5000308@redhat.com>

On 03/01/2011 05:34 PM, Rob Crittenden wrote:
> Adam Young wrote:
>> I have not tested this, just ran:
>>
>> git revert 79d22f8341026450ba7ca564e24812c9351c7e70
>>
>>
>> Please test before ACKing. I will test as well now.
>>
>
> ack
>

Pushed to master
From: ayoung at redhat.com (Adam Young)
Date: Tue, 01 Mar 2011 17:51:31 -0500
Subject: [Freeipa-devel] [PATCH] 0093, WAS: Re: Adding client on RHEL 6 fails to get DNS entry
In-Reply-To: <20110226123517.0be3134b@willson.li.ssimo.org>
References: <4D670C14.8040908@redhat.com> <20110225004703.4667cf61@willson.li.ssimo.org> <4D6807C7.3070603@redhat.com> <20110225151925.17ca0d60@willson.li.ssimo.org> <20110225170410.0a90e191@willson.li.ssimo.org> <20110226123517.0be3134b@willson.li.ssimo.org>
Message-ID: <4D6D7873.9080805@redhat.com>

On 02/26/2011 12:35 PM, Simo Sorce wrote:
> On Fri, 25 Feb 2011 17:04:10 -0500
> Simo Sorce wrote:
>
>> On Fri, 25 Feb 2011 15:19:25 -0500
>> Simo Sorce wrote:
>>
>>> On Fri, 25 Feb 2011 14:49:27 -0500
>>> Adam Young wrote:
>>>
>>>> 2011-02-24 20:46:06,851 DEBUG stderr=
>>>> 2011-02-24 20:46:06,878 DEBUG args=/usr/bin/kinit -k -t /etc/krb5.keytab
>>>> 2011-02-24 20:46:06,879 DEBUG stdout=
>>>> 2011-02-24 20:46:06,879 DEBUG stderr=kinit: Hostname cannot be canonicalized when creating default server principal name
>>> ah no sorry this is the error, kinit failing ...
>>> now on why this happens ...
>>>
>>> Simo.
>>>
>>>
>> Ok this happens because /etc/hosts doesn't have an entry for the
>> hostname and DNS doesn't yet resolve it (chicken/egg)
>>
>> Please open a ticket, the fix is to pass the principal name as
>> argument of the kinit command so that it doesn't have to go through
>> name resolution to understand what name to use.
> The attached patch should fix nsupdates on machines configured like
> this one.
>
> Simo.
>

ACK. Pushed to master
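One way to build the kinit call the way the thread above describes, passing the host principal explicitly so kinit never has to canonicalize the local hostname through /etc/hosts or DNS. This is an added example, not code from the FreeIPA patch; the function names, the sample hostname and realm, and the injectable runner used for offline testing are assumptions of this example.

```python
"""Build a kinit invocation that names the host principal explicitly.

Without an explicit principal, `kinit -k -t /etc/krb5.keytab` derives
host/<canonical hostname>@REALM by canonicalizing the local hostname. On a
freshly enrolled client whose name is not yet in /etc/hosts or DNS that
lookup fails with "Hostname cannot be canonicalized when creating default
server principal name". Naming the principal removes the dependency on name
resolution, because the FQDN comes from configuration, not from a lookup.
"""
import subprocess


def host_principal(hostname, realm):
    """Return host/<fqdn>@REALM for the configured hostname.

    The hostname is lower-cased and a trailing dot stripped; the realm is
    upper-cased, following Kerberos conventions. A name without a dot is
    rejected because a host principal needs the fully qualified name, and
    kinit will not be able to fix a short name up for us without DNS.
    """
    fqdn = hostname.strip().rstrip('.').lower()
    if not fqdn or '.' not in fqdn:
        raise ValueError("expected a fully qualified hostname, got %r" % hostname)
    return "host/%s@%s" % (fqdn, realm.upper())


def kinit_command(hostname, realm, keytab='/etc/krb5.keytab'):
    """Return the kinit argv; the last element is the explicit principal."""
    return ['/usr/bin/kinit', '-k', '-t', keytab, host_principal(hostname, realm)]


def kinit(hostname, realm, keytab='/etc/krb5.keytab', runner=subprocess.run):
    """Run kinit and return (returncode, stderr).

    `runner` defaults to subprocess.run; it is a parameter only so the call
    can be exercised without a KDC (assumption of this example).
    """
    proc = runner(kinit_command(hostname, realm, keytab),
                  capture_output=True, text=True)
    return proc.returncode, proc.stderr.strip()


if __name__ == '__main__':
    # Constructed sample values; prints the command that would be run.
    print(' '.join(kinit_command('client1.example.test', 'example.test')))
```

Compared with the failing log line quoted above (`/usr/bin/kinit -k -t /etc/krb5.keytab` with no principal), the only difference is the trailing `host/<fqdn>@REALM` argument; that is what lets the nsupdate step obtain a ticket before the client's own DNS record exists.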
From: ayoung at redhat.com (Adam Young)
Date: Tue, 01 Mar 2011 21:23:39 -0500
Subject: [Freeipa-devel] [PATCH] admiyo-0206-2-Use-modified-entity-find-commands-for-associations
Message-ID: <4D6DAA2B.4090704@redhat.com>

Not a 100% solution, but keeps the groups-user facet from exploding.

https://fedorahosted.org/freeipa/ticket/1011

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0206-2-Use-modified-entity-find-commands-for-associations.patch
Type: text/x-patch
Size: 4143 bytes
Desc: not available

From: ayoung at redhat.com (Adam Young)
Date: Tue, 01 Mar 2011 21:30:02 -0500
Subject: [Freeipa-devel] [PATCH] admiyo-0206-2-Use-modified-entity-find-commands-for-associations
In-Reply-To: <4D6DAA2B.4090704@redhat.com>
References: <4D6DAA2B.4090704@redhat.com>
Message-ID: <4D6DABAA.3050004@redhat.com>

On 03/01/2011 09:23 PM, Adam Young wrote:
> Not a 100% solution, but keeps the groups-user facet from exploding.
>
> https://fedorahosted.org/freeipa/ticket/1011
>

Includes fixes for services

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0206-3-Use-modified-entity-find-commands-for-associations.patch
Type: text/x-patch
Size: 4912 bytes
Desc: not available
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 02 Mar 2011 09:16:50 -0500
Subject: [Freeipa-devel] [PATCH] 0094 Make it possible to list also winsync replicas
In-Reply-To: <20110301100450.7b72668f@willson.li.ssimo.org>
References: <20110301100450.7b72668f@willson.li.ssimo.org>
Message-ID: <4D6E5152.9030206@redhat.com>

Simo Sorce wrote:
>
> This patch registers winsync replica in the public tree with enough
> information to know which master is handling the agreement.
>
> Now when listing replicas, the type is also returned and winsync
> agreements are listed.
> When listing a specific server with --verbose, in case of a winsync
> peer the winsync peer status is shown by contacting the master that has
> the agreement.
>
> On winsync link removal, the public information about the agreement is
> also removed.
>
> Ticket 1007
>
> Simo.

Works great, good call on the update file. I updated my existing
installation and it worked fine.

ack

rob
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 02 Mar 2011 09:21:01 -0500
Subject: [Freeipa-devel] [PATCH] 0094 Make it possible to list also winsync replicas
In-Reply-To: <4D6E5152.9030206@redhat.com>
References: <20110301100450.7b72668f@willson.li.ssimo.org> <4D6E5152.9030206@redhat.com>
Message-ID: <4D6E524D.1090006@redhat.com>

Rob Crittenden wrote:
> Simo Sorce wrote:
>>
>> This patch registers winsync replica in the public tree with enough
>> information to know which master is handling the agreement.
>>
>> Now when listing replicas, the type is also returned and winsync
>> agreements are listed.
>> When listing a specific server with --verbose, in case of a winsync
>> peer the winsync peer status is shown by contacting the master that has
>> the agreement.
>>
>> On winsync link removal, the public information about the agreement is
>> also removed.
>>
>> Ticket 1007
>>
>> Simo.
>
> Works great, good call on the update file. I updated my existing
> installation and it worked fine.
>
> ack
>
> rob

BTW, this needs a small rebase, it fails to apply the change to
install/updates/Makefile.am

rob

From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 02 Mar 2011 09:21:27 -0500
Subject: [Freeipa-devel] [PATCH] 0092 Fix replica management with krb credentials
In-Reply-To: <4D6C63CB.1000106@redhat.com>
References: <20110226123409.40148bcb@willson.li.ssimo.org> <4D6C63CB.1000106@redhat.com>
Message-ID: <4D6E5267.2000707@redhat.com>

Rob Crittenden wrote:
> Simo Sorce wrote:
>>
>> If no bind password is provided it is not possible to create the basic
>> replication user. Creating this user is not necessary for winsync
>> agreements or to create new replica connections that use gssapi auth so
>> make it optional if krb credentials are used.
>>
>> Simo.
>
> ack

This has been pushed to master
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 02 Mar 2011 09:40:44 -0500
Subject: [Freeipa-devel] [PATCH] Use pygettext to generate translatable strings from plugin files.
In-Reply-To: <20110222213404.GD25025@zeppelin.brq.redhat.com>
References: <4D6280DF.7020005@redhat.com> <20110222213404.GD25025@zeppelin.brq.redhat.com>
Message-ID: <4D6E56EC.1060509@redhat.com>

Jakub Hrozek wrote:
> On Mon, Feb 21, 2011 at 04:12:31PM +0100, Pavel Zůna wrote:
>> This goes on top of my other localization patches!
>>
>> This patch replaces xgettext with a custom pygettext to generate
>> translatable strings from plugin files in ipalib/plugins. pygettext
>> was modified to handle plural forms (credit goes to Jan Hendrik
>> Goellner) and had some bugs fixed by myself. We only use it for
>> plugins, because it's the only place where we need to extract
>> docstrings for the built-in help system.
>>
>> I also had to make some changes to the way the built-in
>> documentation system gets docstrings from modules for this to work.
>>
>> How to test?
>> ============
>>
>> 1)
>> First, apply all of the localization patches found in thread
>> "Localization patches" on freeipa-devel. Then apply this patch.
>>
>> 2)
>> Regenerate your install/po/Makefile:
>> - delete install/po/Makefile
>> - run `./configure` in install
>>
>> 3)
>> Regenerate the pot and po files:
>> - run `make update-pot` in install/po
>> - run `make update-po` in install/po
>
> I noticed that none of the .po files is regenerated when we run make
> dist. Is that intentional? I think that all the released tarballs should
> contain up-to-date translations.
>
>>
>> 4)
>> Make a change to one of the translations:
>> - example: add translation to the ACI docstring
>>   * find docstring for ACI in install/po/es.po
>>   * change the corresponding msgstr "" to
>>     msgstr "\nBuenos dias, amigos!\n"
>>
>> Note: if the translatable string begins with \n, the translation
>> also needs to begin with \n. Same goes for ending.
>>
>> 5)
>> Install the modified translations:
>> - run `make install` in install/po
>>
>> Note: I had some problems with this and had to make rpms and install
>> IPA from beginning for it to work. Looks like doing `make install`
>> manually updates /usr/local/share/locale instead of
>> /usr/share/locale, but maybe I just did something wrong.
>>
>
> ./configure --datadir=/usr/share
>
> My buildscript contains a variation of "rpm -E %configure".
>

This was pushed with the mass of i18n patches

From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 2 Mar 2011 09:47:24 -0500
Subject: [Freeipa-devel] [PATCH] 0094 Make it possible to list also winsync replicas
In-Reply-To: <4D6E5152.9030206@redhat.com>
References: <20110301100450.7b72668f@willson.li.ssimo.org> <4D6E5152.9030206@redhat.com>
Message-ID: <20110302094724.350fc6fd@willson.li.ssimo.org>

On Wed, 02 Mar 2011 09:16:50 -0500
Rob Crittenden wrote:

> Simo Sorce wrote:
> >
> > This patch registers winsync replica in the public tree with enough
> > information to know which master is handling the agreement.
> >
> > Now when listing replicas, the type is also returned and winsync
> > agreements are listed.
> > When listing a specific server with --verbose, in case of a winsync
> > peer the winsync peer status is shown by contacting the master that
> > has the agreement.
> >
> > On winsync link removal, the public information about the agreement
> > is also removed.
> >
> > Ticket 1007
> >
> > Simo.
>
> Works great, good call on the update file. I updated my existing
> installation and it worked fine.
>
> ack
>
> rob

Thanks, pushed to master.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
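The note in step 4 of the pygettext test procedure above, that a translation must begin and end with `\n` exactly when the source string does, is easy to get wrong by hand and is cheap to check before `make install`. The following added example (not part of the patch, nor FreeIPA's modified pygettext) parses a small constructed .po fragment and reports every translated msgstr whose leading or trailing newline disagrees with its msgid; the function names and the sample entries are assumptions of this example, and the fragment deliberately contains one bad entry.

```python
"""Check leading/trailing newline consistency between msgid and msgstr.

A minimal PO reader is enough here: it understands msgctxt, msgid,
msgid_plural, msgstr and msgstr[N] keywords, multi-line string
continuation, comments, and the usual backslash escapes.
"""
import re

# keyword followed by a double-quoted string; msgid_plural must be tried before msgid
_KEYWORD_RE = re.compile(r'^(msgctxt|msgid_plural|msgid|msgstr(?:\[\d+\])?)\s+(".*")$')


def _unescape(s):
    """Decode the PO escape sequences \\n, \\t, \\" and \\\\ in a string body."""
    out, i = [], 0
    while i < len(s):
        c = s[i]
        if c == '\\' and i + 1 < len(s):
            out.append({'n': '\n', 't': '\t', '"': '"', '\\': '\\'}.get(s[i + 1], s[i + 1]))
            i += 2
        else:
            out.append(c)
            i += 1
    return ''.join(out)


def _unquote(token):
    """Strip the surrounding double quotes and decode escapes."""
    if len(token) < 2 or token[0] != '"' or token[-1] != '"':
        raise ValueError('expected a quoted string, got %r' % token)
    return _unescape(token[1:-1])


def parse_po(text):
    """Return a list of entries, each a dict keyed by PO keyword."""
    entries, current, key = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue                      # blank lines and comments carry no strings
        m = _KEYWORD_RE.match(line)
        if m:
            key = m.group(1)
            if key == 'msgid' and current:
                entries.append(current)   # a new msgid starts the next entry
                current = {}
            current[key] = _unquote(m.group(2))
        elif line.startswith('"') and key is not None:
            current[key] += _unquote(line)   # continuation of the previous string
        else:
            raise ValueError('unparsable PO line: %r' % raw)
    if current:
        entries.append(current)
    return entries


def newline_mismatches(entries):
    """Return (msgid, keyword, problem) for translated strings whose
    leading or trailing newline differs from the source string.
    Plural forms are compared against msgid as well, since the help
    system expects the same framing for every form (assumption)."""
    problems = []
    for entry in entries:
        src = entry.get('msgid', '')
        if src == '':
            continue                      # header entry
        for keyword, value in entry.items():
            if not keyword.startswith('msgstr') or value == '':
                continue                  # not a translation, or untranslated
            if src.startswith('\n') != value.startswith('\n'):
                problems.append((src, keyword, 'leading newline mismatch'))
            if src.endswith('\n') != value.endswith('\n'):
                problems.append((src, keyword, 'trailing newline mismatch'))
    return problems


# Constructed sample, not the real install/po/es.po.
SAMPLE_PO = r'''
msgid ""
msgstr ""
"Content-Type: text/plain; charset=UTF-8\n"

#: ipalib/plugins/aci.py:20
msgid ""
"\n"
"Directory Server Access Control Instructions (ACIs)\n"
msgstr ""
"\n"
"Buenos dias, amigos!\n"

#: ipalib/plugins/user.py:30
msgid ""
"\n"
"Users\n"
msgstr "Usuarios\n"

msgid "Add user"
msgstr "Agregar usuario"
'''

if __name__ == '__main__':
    for src, keyword, problem in newline_mismatches(parse_po(SAMPLE_PO)):
        print('%s for %s %r' % (problem, keyword, src))
```

Running the module on the sample flags only the `Users` entry, whose msgid starts with a newline while its msgstr does not; the ACI entry translated as in step 4 passes because both framing newlines were carried over.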
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 02 Mar 2011 09:14:08 -0600
Subject: [Freeipa-devel] [PATCH] admiyo-0206-2-Use-modified-entity-find-commands-for-associations
In-Reply-To: <4D6DABAA.3050004@redhat.com>
References: <4D6DAA2B.4090704@redhat.com> <4D6DABAA.3050004@redhat.com>
Message-ID: <4D6E5EC0.7050201@redhat.com>

On 3/1/2011 8:30 PM, Adam Young wrote:
> On 03/01/2011 09:23 PM, Adam Young wrote:
>> Not a 100% solution, but keeps the groups-user facet from exploding.
>> https://fedorahosted.org/freeipa/ticket/1011
> Includes fixes for services

Some issues:

1. See these lines in associate.js:

   604: that.relationship_filter = spec.relationship_filter;

   899: var relationship_filter = 'in_' + that.entity_name;

The spec.relationship_filter is actually never used and the
relationship_filter will always be in_<entity_name>. For now this is
not a problem because the only facet using this code is member_user,
but I think 899 should be fixed to take that.relationship_filter if
it's defined.

2. The description column has been removed from host's and service's
enrollment dialogs, so the column widths for the remaining columns
need to be adjusted (e.g. fqdn should be 200px now). Otherwise the
column header will be too short (try adding a new managedby-host).

     that.create_adder_column({
         name: 'fqdn',
         primary_key: true,
         width: '100px'
     });

-    that.create_adder_column({
-        name: 'description',
-        width: '100px'
-    });

-- 
Endi S. Dewata
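Review bot: dropping the description column from the adder dialog leaves the remaining fqdn column at its old fixed width: '100px', so the header no longer spans the table once the 100px the removed column occupied is gone. Either widen fqdn in the same change (the review above suggests '200px') or give the single remaining column a relative width such as '100%', and check the layout with enough rows for the scrollbar to appear, since a fixed pixel width is what leaves the header short.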
From: ayoung at redhat.com (Adam Young)
Date: Wed, 02 Mar 2011 10:29:10 -0500
Subject: [Freeipa-devel] [PATCH] admiyo-0206-2-Use-modified-entity-find-commands-for-associations
In-Reply-To: <4D6E5EC0.7050201@redhat.com>
References: <4D6DAA2B.4090704@redhat.com> <4D6DABAA.3050004@redhat.com> <4D6E5EC0.7050201@redhat.com>
Message-ID: <4D6E6246.6010707@redhat.com>

On 03/02/2011 10:14 AM, Endi Sukma Dewata wrote:
> On 3/1/2011 8:30 PM, Adam Young wrote:
>> On 03/01/2011 09:23 PM, Adam Young wrote:
>>> Not a 100% solution, but keeps the groups-user facet from exploding.
>>> https://fedorahosted.org/freeipa/ticket/1011
>> Includes fixes for services
>
> Some issues:
>
> 1. See these lines in associate.js:
>
> 604: that.relationship_filter = spec.relationship_filter;

Meant to remove that.

>
> 899: var relationship_filter = 'in_' + that.entity_name;
>
> The spec.relationship_filter is actually never used and the
> relationship_filter will always be in_<entity_name>. For now this is
> not a problem because the only facet using this code is member_user,
> but I think 899 should be fixed to take that.relationship_filter if
> it's defined.

We'll implement a complete solution next. I don't want to add unused code.

>
> 2. The description column has been removed from host's and service's
> enrollment dialogs, so the column widths for the remaining columns
> need to be adjusted (e.g. fqdn should be 200px now). Otherwise the
> column header will be too short (try adding a new managedby-host).
>
>      that.create_adder_column({
>          name: 'fqdn',
>          primary_key: true,
>          width: '100px'
>      });
>
> -    that.create_adder_column({
> -        name: 'description',
> -        width: '100px'
> -    });
>

We shouldn't be using px, either, but I'll adjust this way for now. Or
could I do something like 100%?
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 02 Mar 2011 10:07:13 -0600
Subject: [Freeipa-devel] [PATCH] admiyo-0206-2-Use-modified-entity-find-commands-for-associations
In-Reply-To: <4D6E6246.6010707@redhat.com>
References: <4D6DAA2B.4090704@redhat.com> <4D6DABAA.3050004@redhat.com> <4D6E5EC0.7050201@redhat.com> <4D6E6246.6010707@redhat.com>
Message-ID: <4D6E6B31.5090607@redhat.com>

On 3/2/2011 9:29 AM, Adam Young wrote:
>>>> Not a 100% solution, but keeps the groups-user facet from exploding.
>>>> https://fedorahosted.org/freeipa/ticket/1011
>>> Includes fixes for services
>>
>> Some issues:
>>
>> 1. See these lines in associate.js:
>>
>> 604: that.relationship_filter = spec.relationship_filter;
> Meant to remove that.
>
>> 899: var relationship_filter = 'in_' + that.entity_name;
>>
>> The spec.relationship_filter is actually never used and the
>> relationship_filter will always be in_<entity_name>. For now this is
>> not a problem because the only facet using this code is member_user,
>> but I think 899 should be fixed to take that.relationship_filter if
>> it's defined.
>
> We'll implement a complete solution next. I don't want to add unused code.

I don't see any harm fixing 899 instead of removing 604. It's just a
simple fix which provides convenience, not a big chunk of useless code.
As soon as someone needs a different relationship filter we'd have to
add 604 back in and fix 899 anyway. We have a lot of convenience code
which is probably not used anyway (e.g. default values), but the overall
code is better with them there.

>> 2. The description column has been removed from host's and service's
>> enrollment dialogs, so the column widths for the remaining columns
>> need to be adjusted (e.g. fqdn should be 200px now). Otherwise the
>> column header will be too short (try adding a new managedby-host).
>>
>>      that.create_adder_column({
>>          name: 'fqdn',
>>          primary_key: true,
>>          width: '100px'
>>      });
>>
>> -    that.create_adder_column({
>> -        name: 'description',
>> -        width: '100px'
>> -    });
>
> We shouldn't be using px, either, but I'll adjust this way for now. Or
> could I do something like 100%?

Try adding managedby-host with at least 6 hosts in the list (to make
the scrollbar appear). If the column headers and the scrollbar appear
fine then it's ok.

-- 
Endi S. Dewata
From: ayoung at redhat.com (Adam Young)
Date: Wed, 02 Mar 2011 11:56:25 -0500
Subject: [Freeipa-devel] [PATCH] admiyo-0206-2-Use-modified-entity-find-commands-for-associations
In-Reply-To: <4D6E6B31.5090607@redhat.com>
References: <4D6DAA2B.4090704@redhat.com> <4D6DABAA.3050004@redhat.com> <4D6E5EC0.7050201@redhat.com> <4D6E6246.6010707@redhat.com> <4D6E6B31.5090607@redhat.com>
Message-ID: <4D6E76B9.1090509@redhat.com>

This version uses the search widget. A little more intrusive than I
wanted, but it fixes the issue with
https://fedorahosted.org/freeipa/ticket/1011

On 03/02/2011 11:07 AM, Endi Sukma Dewata wrote:
> On 3/2/2011 9:29 AM, Adam Young wrote:
>>>>> Not a 100% solution, but keeps the groups-user facet from exploding.
>>>>> https://fedorahosted.org/freeipa/ticket/1011
>>>> Includes fixes for services
>>>
>>> Some issues:
>>>
>>> 1. See these lines in associate.js:
>>>
>>> 604: that.relationship_filter = spec.relationship_filter;
>> Meant to remove that.
>>
>>> 899: var relationship_filter = 'in_' + that.entity_name;
>>>
>>> The spec.relationship_filter is actually never used and the
>>> relationship_filter will always be in_<entity_name>. For now this is
>>> not a problem because the only facet using this code is member_user,
>>> but I think 899 should be fixed to take that.relationship_filter if
>>> it's defined.

so I'm going to punt

>>
>> We'll implement a complete solution next. I don't want to add unused
>> code.
>
> I don't see any harm fixing 899 instead of removing 604. It's just a
> simple fix which provides convenience, not a big chunk of useless
> code. As soon as someone needs a different relationship filter we'd
> have to add 604 back in and fix 899 anyway. We have a lot of
> convenience code which is probably not used anyway (e.g. default
> values), but the overall code is better with them there.

Removed the code at 604 for now. We'll see what the right solution is
when we start implementing the others. I don't like how the code had to
be split up due to the init function.

>
>>> 2. The description column has been removed from host's and service's
>>> enrollment dialogs, so the column widths for the remaining columns
>>> need to be adjusted (e.g. fqdn should be 200px now). Otherwise the
>>> column header will be too short (try adding a new managedby-host).
>>>
>>>      that.create_adder_column({
>>>          name: 'fqdn',
>>>          primary_key: true,
>>>          width: '100px'
>>>      });
>>>
>>> -    that.create_adder_column({
>>> -        name: 'description',
>>> -        width: '100px'
>>> -    });
>>
>> We shouldn't be using px, either, but I'll adjust this way for now. Or
>> could I do something like 100%?
>
> Try adding managedby-host with at least 6 hosts in the list (to make
> the scrollbar appear). If the column headers and the scrollbar appear
> fine then it's ok.
>

Fixed.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0206-4-Use-modified-entity-find-commands-for-associations.patch
Type: text/x-patch
Size: 9389 bytes
Desc: not available
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 02 Mar 2011 11:08:42 -0600
Subject: [Freeipa-devel] [PATCH] 114 Save changes before modifying association.
In-Reply-To: <4D658600.9010105@redhat.com>
References: <4D658600.9010105@redhat.com>
Message-ID: <4D6E799A.1020507@redhat.com>

On 2/23/2011 4:11 PM, Endi Sukma Dewata wrote:
> In a details page, usually any changes done to the fields will not be
> applied until the user clicks the Update button. However, if the page
> contains an association table, any addition/deletion to the table will
> be applied immediately.
>
> To avoid any confusion, the user is now required to save or reset all
> changes to the page before modifying the association. A dialog box will
> appear if the page contains any unsaved changes.

Rebased.

-- 
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0114-2-Save-changes-before-modifying-association.patch
Type: text/x-patch
Size: 7527 bytes
Desc: not available

From: ayoung at redhat.com (Adam Young)
Date: Wed, 02 Mar 2011 12:43:38 -0500
Subject: [Freeipa-devel] [PATCH] 115 Fixed attribute for SUDO command group membership.
In-Reply-To: <4D659D6A.5000601@redhat.com>
References: <4D659D6A.5000601@redhat.com>
Message-ID: <4D6E81CA.9070903@redhat.com>

On 02/23/2011 06:51 PM, Endi Sukma Dewata wrote:
> The correct attribute name for SUDO command group membership is
> memberof_sudocmdgroup and it contains the group name instead of dn.
>

ACK
From: ayoung at redhat.com (Adam Young)
Date: Wed, 02 Mar 2011 12:43:51 -0500
Subject: [Freeipa-devel] [PATCH] 114 Save changes before modifying association.
In-Reply-To: <4D6E799A.1020507@redhat.com>
References: <4D658600.9010105@redhat.com> <4D6E799A.1020507@redhat.com>
Message-ID: <4D6E81D7.3010709@redhat.com>

On 03/02/2011 12:08 PM, Endi Sukma Dewata wrote:
> On 2/23/2011 4:11 PM, Endi Sukma Dewata wrote:
>> In a details page, usually any changes done to the fields will not be
>> applied until the user clicks the Update button. However, if the page
>> contains an association table, any addition/deletion to the table will
>> be applied immediately.
>>
>> To avoid any confusion, the user is now required to save or reset all
>> changes to the page before modifying the association. A dialog box will
>> appear if the page contains any unsaved changes.
>
> Rebased.
>

ACK

From: ayoung at redhat.com (Adam Young)
Date: Wed, 02 Mar 2011 12:52:14 -0500
Subject: [Freeipa-devel] [PATCH] admiyo-0207-update-API.txt.
Message-ID: <4D6E83CE.2030404@redhat.com>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0207-update-API.txt.patch
Type: text/x-patch
Size: 7868 bytes
Desc: not available

From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 02 Mar 2011 12:13:57 -0600
Subject: [Freeipa-devel] [PATCH] admiyo-0207-update-API.txt.
In-Reply-To: <4D6E83CE.2030404@redhat.com>
References: <4D6E83CE.2030404@redhat.com>
Message-ID: <4D6E88E5.7000201@redhat.com>

On 3/2/2011 11:52 AM, Adam Young wrote:
>

ACK.

-- 
Endi S. Dewata
From: ayoung at redhat.com (Adam Young)
Date: Wed, 02 Mar 2011 13:17:23 -0500
Subject: [Freeipa-devel] Fwd: Re: [PATCH] admiyo-0207-update-API.txt.
Message-ID: <4D6E89B3.6090409@redhat.com>

Pushed to master

-------- Original Message --------
Subject: Re: [Freeipa-devel] [PATCH] admiyo-0207-update-API.txt.
Date: Wed, 02 Mar 2011 13:06:26 -0500
From: Rob Crittenden
To: Adam Young

Adam Young wrote:
>
>

Ack.

rob

From: ayoung at redhat.com (Adam Young)
Date: Wed, 02 Mar 2011 13:17:40 -0500
Subject: [Freeipa-devel] [PATCH] 114 Save changes before modifying association.
In-Reply-To: <4D6E81D7.3010709@redhat.com>
References: <4D658600.9010105@redhat.com> <4D6E799A.1020507@redhat.com> <4D6E81D7.3010709@redhat.com>
Message-ID: <4D6E89C4.4020704@redhat.com>

On 03/02/2011 12:43 PM, Adam Young wrote:
> On 03/02/2011 12:08 PM, Endi Sukma Dewata wrote:
>> On 2/23/2011 4:11 PM, Endi Sukma Dewata wrote:
>>> In a details page, usually any changes done to the fields will not be
>>> applied until the user clicks the Update button. However, if the page
>>> contains an association table, any addition/deletion to the table will
>>> be applied immediately.
>>>
>>> To avoid any confusion, the user is now required to save or reset all
>>> changes to the page before modifying the association. A dialog box will
>>> appear if the page contains any unsaved changes.
>>
>> Rebased.
>>
> ACK
>

Pushed to master
From: ayoung at redhat.com (Adam Young)
Date: Wed, 02 Mar 2011 13:17:55 -0500
Subject: [Freeipa-devel] [PATCH] 115 Fixed attribute for SUDO command group membership.
In-Reply-To: <4D6E81CA.9070903@redhat.com>
References: <4D659D6A.5000601@redhat.com> <4D6E81CA.9070903@redhat.com>
Message-ID: <4D6E89D3.90702@redhat.com>

On 03/02/2011 12:43 PM, Adam Young wrote:
> On 02/23/2011 06:51 PM, Endi Sukma Dewata wrote:
>> The correct attribute name for SUDO command group membership is
>> memberof_sudocmdgroup and it contains the group name instead of dn.
>>
> ACK
>

Pushed to master
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 02 Mar 2011 12:20:04 -0600
Subject: [Freeipa-devel] [PATCH] admiyo-0206-2-Use-modified-entity-find-commands-for-associations
In-Reply-To: <4D6E76B9.1090509@redhat.com>
References: <4D6DAA2B.4090704@redhat.com> <4D6DABAA.3050004@redhat.com> <4D6E5EC0.7050201@redhat.com> <4D6E6246.6010707@redhat.com> <4D6E6B31.5090607@redhat.com> <4D6E76B9.1090509@redhat.com>
Message-ID: <4D6E8A54.9060409@redhat.com>

On 3/2/2011 10:56 AM, Adam Young wrote:
> This version uses the search widget. A little more intrusive than I
> wanted, but it fixes the issue with
> https://fedorahosted.org/freeipa/ticket/1011

I tested this with Group's Member User:

The Add button doesn't open a dialog box, but it tries to create the
content of the dialog box under the search table.

The Delete button does open a dialog box, but it doesn't delete the
member, then it goes back to group's search page.

Another thing, I was expecting the entire that.table = IPA.table_widget
to be replaced by that.table = IPA.search_widget so we don't have to do
this:

    if (that.columns.length == 1) {
        // do things with table widget
    } else {
        // do things with search widget
    }

but it might be too complicated for this release.

>>>> 604: that.relationship_filter = spec.relationship_filter;
>>>> 899: var relationship_filter = 'in_' + that.entity_name;

> Removed the code at 604 for now. We'll see what the right solution is
> when we start implementing the others. I don't like how the code had to
> be split up due to the init function.

Then I'd ask that you put a note above 899, something like this:

    // TODO: fix hard-coded relationship filter

-- 
Endi S. Dewata
From: ayoung at redhat.com (Adam Young)
Date: Wed, 02 Mar 2011 13:48:56 -0500
Subject: [Freeipa-devel] [PATCH] admiyo-0206-2-Use-modified-entity-find-commands-for-associations
In-Reply-To: <4D6E8A54.9060409@redhat.com>
References: <4D6DAA2B.4090704@redhat.com> <4D6DABAA.3050004@redhat.com> <4D6E5EC0.7050201@redhat.com> <4D6E6246.6010707@redhat.com> <4D6E6B31.5090607@redhat.com> <4D6E76B9.1090509@redhat.com> <4D6E8A54.9060409@redhat.com>
Message-ID: <4D6E9118.6080609@redhat.com>

No search widget. This will keep the UI from throwing an Error, but
doesn't give a way to get results beyond the first 100.

On 03/02/2011 01:20 PM, Endi Sukma Dewata wrote:
> On 3/2/2011 10:56 AM, Adam Young wrote:
>> This version uses the search widget. A little more intrusive than I
>> wanted, but it fixes the issue with
>> https://fedorahosted.org/freeipa/ticket/1011
>
> I tested this with Group's Member User:
>
> The Add button doesn't open a dialog box, but it tries to create the
> content of the dialog box under the search table.
>
> The Delete button does open a dialog box, but it doesn't delete the
> member, then it goes back to group's search page.
>
> Another thing, I was expecting the entire that.table = IPA.table_widget
> to be replaced by that.table = IPA.search_widget so we don't have to
> do this:
>
>     if (that.columns.length == 1) {
>         // do things with table widget
>     } else {
>         // do things with search widget
>     }
>
> but it might be too complicated for this release.
>
>>>>> 604: that.relationship_filter = spec.relationship_filter;
>>>>> 899: var relationship_filter = 'in_' + that.entity_name;
>
>> Removed the code at 604 for now. We'll see what the right solution is
>> when we start implementing the others. I don't like how the code had to
>> be split up due to the init function.
>
> Then I'd ask that you put a note above 899, something like this:
>
>     // TODO: fix hard-coded relationship filter
>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0206-5-Use-modified-entity-find-commands-for-associations.patch
Type: text/x-patch
Size: 4837 bytes
Desc: not available

From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 02 Mar 2011 13:13:05 -0600
Subject: [Freeipa-devel] [PATCH] admiyo-0206-2-Use-modified-entity-find-commands-for-associations
In-Reply-To: <4D6E9118.6080609@redhat.com>
References: <4D6DAA2B.4090704@redhat.com> <4D6DABAA.3050004@redhat.com> <4D6E5EC0.7050201@redhat.com> <4D6E6246.6010707@redhat.com> <4D6E6B31.5090607@redhat.com> <4D6E76B9.1090509@redhat.com> <4D6E8A54.9060409@redhat.com> <4D6E9118.6080609@redhat.com>
Message-ID: <4D6E96C1.3040802@redhat.com>

On 3/2/2011 12:48 PM, Adam Young wrote:
> No search widget. This will keep the UI from throwing an Error, but
> doesn't give a way to get results beyond the first 100.

ACK and pushed to master.

-- 
Endi S. Dewata
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Wed, 2 Mar 2011 20:50:18 +0100
Subject: [Freeipa-devel] [PATCH] 065 Replace only if old and new have nothing in common
In-Reply-To: <4D654586.3000906@redhat.com>
References: <4D64F489.7050305@redhat.com> <4D652C0F.8090606@redhat.com> <4D654055.9070409@redhat.com> <4D654586.3000906@redhat.com>
Message-ID: <20110302195017.GA26587@zeppelin.brq.redhat.com>

On Wed, Feb 23, 2011 at 12:36:06PM -0500, Rob Crittenden wrote:
> Jakub Hrozek wrote:
> > On 02/23/2011 04:47 PM, Rob Crittenden wrote:
> >> Jakub Hrozek wrote:
> >>> Replace only if old and new have nothing in common
> >>>
> >>
> >> This has problems when removing the last member. There is no adds, rems
> >> has a single value (the member being removed). The intersection is 0 so
> >> force_replace gets set to True and nothing ends up getting done.
> >>
> >> I added a len(v) > 0 to this conditional and it seems to work. I also
> >> added a small test case based on Endi's initial report. I'm getting a
> >> 100% test pass rate.
> >>
> >> rob
> >
> > I hit one more problem with the patch, although I'm not entirely sure
> > how that is possible - when a user is renamed, his memberof becomes
> > indirect memberof:
> >
> > # ipa user-mod --rename test2 test
> > --------------------
> > Modified user "test"
> > --------------------
> >   User login: test2
> >   First name: Test
> >   Last name: User
> >   Home directory: /home/test
> >   Login shell: /bin/sh
> >   Account disabled: False
> >   Indirect Member of group: ipausers
>
> I think this is another timing issue with 389-ds postop plugins,
> this time the referential integrity plugin. I don't think this is
> related to this change.
>
> We start with:
>
> dn: uid=test, ...
> uid: test
> memberOf: ipausers
>
> dn: cn=ipausers, ...
> cn: ipausers
> member: uid=test,...
>
> When we do the rename we immediately end up with:
>
> dn: uid=test2, ..
> uid: test2
> memberOf: ipausers
>
> dn: cn=ipausers, ...
> cn: ipausers
> member: uid=test, ...
>
> We determine indirect membership by comparing the user's memberOf
> with the results of a query for member=uid=test2
>
> If the refint plugin hasn't updated the ipausers group by the time
> we do the query the user will appear to be an indirect member.
>
> rob

OK, you're probably right, I can't reproduce the issue anymore.

This patch has an ACK from me. Since this is a very low-level change at a late stage, I have asked Martin to take a second look.

Jakub

From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 02 Mar 2011 16:51:04 -0500
Subject: [Freeipa-devel] [PATCH] 745 restart dogtag DS instance after install
Message-ID: <4D6EBBC8.8080805@redhat.com>

The dogtag team tells me we should restart their LDAP backend right after installation. In some configurations not doing this can cause problems (using the CA as we do isn't one of the known cases but better safe than sorry). To do this we bring down dogtag, restart 389-ds, then bring dogtag back up.

Ticket 1024

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-745-restart.patch
Type: application/mbox
Size: 1478 bytes
Desc: not available
URL:

From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 02 Mar 2011 23:09:05 -0500
Subject: [Freeipa-devel] [PATCH] 746 style and grammatical issues in help
Message-ID: <4D6F1461.6080001@redhat.com>

Fix style and grammatical issues in built-in command help. There is a rather large API.txt change but it is only due to changes in the doc string in parameters.

ticket 729

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-746-man.patch
Type: application/mbox
Size: 76353 bytes
Desc: not available
URL:
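Rob's explanation of the refint timing window in the 065 thread above, as an added example (this is not FreeIPA or 389-ds code): an in-memory directory in which modrdn moves the user entry at once but the fix-up of the group's member values is a deferred postop step, and the direct/indirect split done the way the thread describes, by comparing the user's memberOf with a (member=<user dn>) search. The suffix, the DN layout and the plugin model are constructed for illustration.

```python
"""Model of the refint timing window described in the 065 thread.

Added example; not FreeIPA or 389-ds code.  The suffix, the DN layout
and the "deferred postop plugin" model are constructed so that the
classification can be exercised offline.
"""
from dataclasses import dataclass, field

BASE = "cn=accounts,dc=example,dc=test"  # constructed suffix


@dataclass
class Directory:
    """Tiny in-memory stand-in for the directory server."""
    # dn -> attribute map; every attribute is multi-valued (a list)
    entries: dict = field(default_factory=dict)
    # (old_dn, new_dn) pairs the refint postop plugin still has to fix up
    pending_refint: list = field(default_factory=list)

    def search(self, attr, value):
        """Equality search (attr=value); returns the matching DNs."""
        return sorted(dn for dn, e in self.entries.items()
                      if value in e.get(attr, []))

    def rename_user(self, old_uid, new_uid):
        """modrdn: the user entry itself moves at once; rewriting every
        'member' reference to it is left to the refint postop plugin."""
        old_dn = f"uid={old_uid},cn=users,{BASE}"
        new_dn = f"uid={new_uid},cn=users,{BASE}"
        entry = self.entries.pop(old_dn)
        entry["uid"] = [new_uid]
        self.entries[new_dn] = entry
        self.pending_refint.append((old_dn, new_dn))
        return new_dn

    def run_refint(self):
        """Referential integrity postop: replace stale member values."""
        while self.pending_refint:
            old_dn, new_dn = self.pending_refint.pop(0)
            for e in self.entries.values():
                if old_dn in e.get("member", []):
                    e["member"] = [new_dn if m == old_dn else m
                                   for m in e["member"]]


def classify_membership(ds, user_dn):
    """Split memberOf into (direct, indirect) the way the thread says
    the server does it: a memberOf value is direct only if the group
    also comes back from a (member=<user dn>) search."""
    member_of = ds.entries[user_dn].get("memberOf", [])
    direct_groups = set(ds.search("member", user_dn))
    direct = sorted(g for g in member_of if g in direct_groups)
    indirect = sorted(g for g in member_of if g not in direct_groups)
    return direct, indirect


def build_directory():
    """Constructed starting state: 'test' is a direct member of ipausers."""
    ds = Directory()
    user_dn = f"uid=test,cn=users,{BASE}"
    group_dn = f"cn=ipausers,cn=groups,{BASE}"
    ds.entries[user_dn] = {"uid": ["test"], "memberOf": [group_dn]}
    ds.entries[group_dn] = {"cn": ["ipausers"], "member": [user_dn]}
    return ds


def rename_and_classify():
    """Rename test -> test2 and classify before and after refint ran."""
    ds = build_directory()
    new_dn = ds.rename_user("test", "test2")
    before = classify_membership(ds, new_dn)  # refint still pending
    ds.run_refint()
    after = classify_membership(ds, new_dn)   # group now names the new DN
    return before, after


if __name__ == "__main__":
    (d0, i0), (d1, i1) = rename_and_classify()
    print("before refint: direct=%s indirect=%s" % (d0, i0))
    print("after refint:  direct=%s indirect=%s" % (d1, i1))
```

In the window before run_refint(), ipausers is reported as indirect exactly as in Jakub's user-mod output; once the member value is rewritten it is direct again.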
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 03 Mar 2011 15:22:33 +0100
Subject: [Freeipa-devel] [PATCH] 745 restart dogtag DS instance after install
In-Reply-To: <4D6EBBC8.8080805@redhat.com>
References: <4D6EBBC8.8080805@redhat.com>
Message-ID: <1299162153.11002.43.camel@dhcp-25-52.brq.redhat.com>

On Wed, 2011-03-02 at 16:51 -0500, Rob Crittenden wrote:
> The dogtag team tells me we should restart their LDAP backend right
> after installation. In some configurations not doing this can cause
> problems (using the CA as we do isn't one of the known cases but better
> safe than sorry). To do this we bring down dogtag, restart 389-ds, then
> bring dogtag back up.
>
> Ticket 1024
>
> rob
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

The patch looks OK and it actually worked for me, but why is the dogtag restarted only for replicas (ipa-replica-install)?

Martin
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 03 Mar 2011 15:29:48 +0100
Subject: [Freeipa-devel] [PATCH] 78 Use ldapi: instead of unsecured ldap: in ipa core tools.
In-Reply-To:
References:
Message-ID: <1299162588.11002.49.camel@dhcp-25-52.brq.redhat.com>

On Mon, 2011-02-28 at 18:15 +0000, JR Aquino wrote:
>
> On 2/25/11 9:27 AM, "Pavel Zůna" wrote:
>
> >On 2011-02-25 18:12, JR Aquino wrote:
> >>
> >>
> >> On 2/25/11 5:58 AM, "Pavel Zuna" wrote:
> >>
> >>> On 02/23/2011 11:53 PM, Simo Sorce wrote:
> >>>> On Wed, 23 Feb 2011 23:41:33 +0100
> >>>> Pavel Zůna wrote:
> >>>>
> >>>>> On 2011-02-15 16:36, JR Aquino wrote:
> >>>>>> On 2/15/11 6:52 AM, "Simo Sorce" wrote:
> >>>>>>
> >>>>>>> On Tue, 15 Feb 2011 15:19:50 +0100
> >>>>>>> Pavel Zuna wrote:
> >>>>>>>
> >>>>>>>> I can't reproduce this. :-/
> >>>>>>>>
> >>>>>>>> For me it goes fine:
> >>>>>>>>
> >>>>>>>> [root at ipadev tools]# ./ipa-nis-manage enable
> >>>>>>>> Directory Manager password:
> >>>>>>>>
> >>>>>>>> Enabling plugin
> >>>>>>>> This setting will not take effect until you restart Directory
> >>>>>>>> Server. The rpcbind service may need to be started.
> >>>>>>>>
> >>>>>>>
> >>>>>>> Pavel,
> >>>>>>> Jr has set the minimum ssf to a non default value to test a
> >>>>>>> configuration in which all communications are required to be
> >>>>>>> encrypted. That's why you can't reproduce with the vanilla
> >>>>>>> configuration.
> >>>>>>>
> >>>>>>> We want to support that mode although it won't be the default, so
> >>>>>>> we need to fix any issue that causes that configuration to break
> >>>>>>> (ie all non-encrypted/non-ldapi connections).
> >>>>>>>
> >>>>>>> Simo.
> >>>>>>>
> >>>>>>> --
> >>>>>>> Simo Sorce * Red Hat, Inc * New York
> >>>>>>
> >>>>>> The best way to do this is:
> >>>>>>
> >>>>>> -=-
> >>>>>> service ipa stop
> >>>>>> Edit /etc/dirsrv/slapd-DOMAIN/dse.ldif
> >>>>>>
> >>>>>> Change:
> >>>>>> nsslapd-minssf: 0
> >>>>>>
> >>>>>> To:
> >>>>>> nsslapd-minssf: 56 <- 56 is chosen because SASL communicates a 56bit
> >>>>>> handshake even though we utilize a much stronger cipher... (It is a
> >>>>>> known bug/feature)
> >>>>>>
> >>>>>> service ipa start
> >>>>>>
> >>>>>
> >>>>> I tried to use the LDAPUpdate class (ipaserver/install/ldapupdate.py)
> >>>>> with ldapi=True, but it raises a NotFound exception when trying to
> >>>>> call IPAdmin.do_external_bind() (ipaserver/ipaldap.py). This
> >>>>> exception originates in IPAdmin.__lateinit() when trying to retrieve
> >>>>> this
> >>>>>
> >>>>> cn=config,cn=ldbm database,cn=plugins,cn=config
> >>>>>
> >>>>> For some reason it looks like this entry is inaccessible when doing a
> >>>>> SASL EXTERNAL bind as root.
> >>>>>
> >>>>> I can retrieve the entry as "cn=directory manager":
> >>>>>
> >>>>> [root at vm-090 freeipa]# ldapsearch -D "cn=directory manager" -W -H
> >>>>> ldapi://%2fvar%2frun%2fslapd-IDM-LAB-BOS-REDHAT-COM.socket -b
> >>>>> "cn=config,cn=ldbm database,cn=plugins,cn=config" -s one
> >>>>> Enter LDAP Password:
> >>>>> # extended LDIF
> >>>>> #
> >>>>> # LDAPv3
> >>>>> # base with scope oneLevel
> >>>>> # filter: (objectclass=*)
> >>>>> # requesting: ALL
> >>>>> #
> >>>>>
> >>>>> # default indexes, config, ldbm database, plugins, config
> >>>>> dn: cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
> >>>>> objectClass: top
> >>>>> objectClass: extensibleObject
> >>>>> cn: default indexes
> >>>>>
> >>>>> # search result
> >>>>> search: 2
> >>>>> result: 0 Success
> >>>>>
> >>>>> # numResponses: 2
> >>>>> # numEntries: 1
> >>>>>
> >>>>> but not as root:
> >>>>>
> >>>>> [root at vm-090 freeipa]# ldapsearch -Y EXTERNAL -H
> >>>>> ldapi://%2fvar%2frun%2fslapd-IDM-LAB-BOS-REDHAT-COM.socket -b
> >>>>> "cn=config"
> >>>>> SASL/EXTERNAL authentication started
> >>>>> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> >>>>> SASL SSF: 0
> >>>>> # extended LDIF
> >>>>> #
> >>>>> # LDAPv3
> >>>>> # base with scope subtree
> >>>>> # filter: (objectclass=*)
> >>>>> # requesting: ALL
> >>>>> #
> >>>>>
> >>>>> # SNMP, config
> >>>>> dn: cn=SNMP,cn=config
> >>>>> objectClass: top
> >>>>> objectClass: nsSNMP
> >>>>> cn: SNMP
> >>>>> nsSNMPEnabled: on
> >>>>>
> >>>>> # 2.16.840.1.113730.3.4.9, features, config
> >>>>> dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
> >>>>> objectClass: top
> >>>>> objectClass: directoryServerFeature
> >>>>> oid: 2.16.840.1.113730.3.4.9
> >>>>> cn: VLV Request Control
> >>>>>
> >>>>> # search result
> >>>>> search: 2
> >>>>> result: 0 Success
> >>>>>
> >>>>> # numResponses: 3
> >>>>> # numEntries: 2
> >>>>>
> >>>>> I'm not sure what the problem is, I tried setting different SASL
> >>>>> security properties, but nothing helped. :( Next step is to analyze
> >>>>> DS logs, but before I do that, I wanted to ask if anyone has any tips
> >>>>> on what the solution might be.
> >>>>
> >>>> We have very strict ACIs when using EXTERNAL SASL as root.
> >>>> Is there any reason you need to operate as root?
> >>>> You can also authenticate with SIMPLE (Dir Mgr credentials), or
> >>>> SASL/GSSAPI if you have credentials.
> >>>>
> >>>> If you need to run unattended as root then we may need to make
> >>>> root+SASL/EXTERNAL more powerful but I'd like to understand exactly why
> >>>> you need that and can't use regular authentication with DirMgr or
> >>>> GSSAPI credentials.
> >>>>
> >>>> Simo.
> >>>>
> >>>
> >>> Thanks for advice! New version of the patch attached.
> >>
> >> Sorry Pavel, I have to NACK again:
> >> It looks like some comment info got left in the patch perhaps.
> >>
> >> [root at auth2 ~]# ipa-compat-manage status
> >>   File "/usr/sbin/ipa-compat-manage", line 169
> >>     <<<<<<< HEAD
> >>
> >> [root at auth2 ~]# ipa-host-net-manage status
> >>   File "/usr/sbin/ipa-host-net-manage", line 195
> >>     <<<<<<< HEAD
> >>     ^
> >>
> >
> >That's cool, I just wonder how it got there. :)
> >
> >Fixed version attached.
> >
> >Pavel
>
> I've verified the following:
> install/migration/migration.py
> install/tools/ipa-compat-manage
> install/tools/ipa-compliance
> install/tools/ipa-host-net-manage
> install/tools/ipa-nis-manage
> install/tools/ipa-replica-prepare
> install/tools/ipa-server-install
> ipaserver/install/ldapupdate.py
>
> ACK for everything except: install/tools/ipa-server-certinstall
>
> I'm not sure how best to test that particular tool.
>
> The rest were verified by setting: nsslapd-minssf: 56
> Then testing each tool to verify functionality without an ssf error.
>
> ldapupdate.py was tested via running several different xml_rpc plugin
> tests that indirectly utilize ldapupdate.py: test_hbac_plugin.py,
> test_sudorule_plugin.py

I tested NIS with Pavel's patch, it worked OK for me.

But has anybody tested replicas with Pavel's patch? In my environment the replica server wasn't replicating when I prepared the replica information file with the modified ipa-replica-prepare:

$ sudo ipa-replica-install replica-info-vm-139.idm.lab.bos.redhat.com.gpg <-- produced by Pavel's ipa-replica-prepare
...
$ ipa user-find
--------------
1 user matched
--------------
  User login: admin
  Last name: Administrator
  Home directory: /home/admin
  Login shell: /bin/bash
  Account disabled: False
  Member of groups: admins
----------------------------
Number of entries returned 1
----------------------------

$ sudo ipa-server-install --uninstall --unattended
$ sudo ipa-replica-install replica-info-vm-139.idm.lab.bos.redhat.com.gpg.2 <-- produced by clean version
...
$ ipa user-find
---------------
2 users matched
---------------
  User login: admin
  Last name: Administrator
  Home directory: /home/admin
  Login shell: /bin/bash
  Account disabled: False
  Member of groups: admins

  User login: ab
  First name: a
  Last name: b
  Home directory: /home/ab
  Login shell: /bin/sh
  Account disabled: False
  Member of groups: ipausers
----------------------------
Number of entries returned 2
----------------------------

User "ab" which was present on the master server (I called ipa-replica-prepare on the master server) was replicated to the replica server only when the replica information file (*.gpg) was created with a clean IPA server.

Martin
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 03 Mar 2011 09:30:10 -0500
Subject: [Freeipa-devel] [PATCH] 745 restart dogtag DS instance after install
In-Reply-To: <1299162153.11002.43.camel@dhcp-25-52.brq.redhat.com>
References: <4D6EBBC8.8080805@redhat.com> <1299162153.11002.43.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4D6FA5F2.8000204@redhat.com>

Martin Kosek wrote:
> On Wed, 2011-03-02 at 16:51 -0500, Rob Crittenden wrote:
>> The dogtag team tells me we should restart their LDAP backend right
>> after installation. In some configurations not doing this can cause
>> problems (using the CA as we do isn't one of the known cases but better
>> safe than sorry). To do this we bring down dogtag, restart 389-ds, then
>> bring dogtag back up.
>>
>> Ticket 1024
>>
>> rob
>
> The patch looks OK and it actually worked for me, but why is the dogtag
> restarted only for replicas (ipa-replica-install)?

This bug says it is only needed on clones:
https://bugzilla.redhat.com/show_bug.cgi?id=680984

rob
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 03 Mar 2011 15:57:44 +0100
Subject: [Freeipa-devel] [PATCH] 745 restart dogtag DS instance after install
In-Reply-To: <4D6FA5F2.8000204@redhat.com>
References: <4D6EBBC8.8080805@redhat.com> <1299162153.11002.43.camel@dhcp-25-52.brq.redhat.com> <4D6FA5F2.8000204@redhat.com>
Message-ID: <1299164264.32128.1.camel@dhcp-25-52.brq.redhat.com>

On Thu, 2011-03-03 at 09:30 -0500, Rob Crittenden wrote:
> Martin Kosek wrote:
> > On Wed, 2011-03-02 at 16:51 -0500, Rob Crittenden wrote:
> >> The dogtag team tells me we should restart their LDAP backend right
> >> after installation. In some configurations not doing this can cause
> >> problems (using the CA as we do isn't one of the known cases but better
> >> safe than sorry). To do this we bring down dogtag, restart 389-ds, then
> >> bring dogtag back up.
> >>
> >> Ticket 1024
> >>
> >> rob
> >
> > The patch looks OK and it actually worked for me, but why is the dogtag
> > restarted only for replicas (ipa-replica-install)?
>
> This bug says it is only needed on clones:
> https://bugzilla.redhat.com/show_bug.cgi?id=680984
>
> rob

ACK from me then. I was confused by the commit message - no info about clones there.

Martin
From: pzuna at redhat.com (Pavel Zuna)
Date: Thu, 03 Mar 2011 16:19:08 +0100
Subject: [Freeipa-devel] [PATCH] 065 Replace only if old and new have nothing in common
In-Reply-To: <20110302195017.GA26587@zeppelin.brq.redhat.com>
References: <4D64F489.7050305@redhat.com> <4D652C0F.8090606@redhat.com> <4D654055.9070409@redhat.com> <4D654586.3000906@redhat.com> <20110302195017.GA26587@zeppelin.brq.redhat.com>
Message-ID: <4D6FB16C.3090409@redhat.com>

On 03/02/2011 08:50 PM, Jakub Hrozek wrote:
> On Wed, Feb 23, 2011 at 12:36:06PM -0500, Rob Crittenden wrote:
>> Jakub Hrozek wrote:
>>> On 02/23/2011 04:47 PM, Rob Crittenden wrote:
>>>> Jakub Hrozek wrote:
>>>>> Replace only if old and new have nothing in common
>>>>>
>>>>
>>>> This has problems when removing the last member. There is no adds, rems
>>>> has a single value (the member being removed). The intersection is 0 so
>>>> force_replace gets set to True and nothing ends up getting done.
>>>>
>>>> I added a len(v) > 0 to this conditional and it seems to work. I also
>>>> added a small test case based on Endi's initial report. I'm getting a
>>>> 100% test pass rate.
>>>>
>>>> rob
>>>
>>> I hit one more problem with the patch, although I'm not entirely sure
>>> how that is possible - when a user is renamed, his memberof becomes
>>> indirect memberof:
>>>
>>> # ipa user-mod --rename test2 test
>>> --------------------
>>> Modified user "test"
>>> --------------------
>>>   User login: test2
>>>   First name: Test
>>>   Last name: User
>>>   Home directory: /home/test
>>>   Login shell: /bin/sh
>>>   Account disabled: False
>>>   Indirect Member of group: ipausers
>>
>> I think this is another timing issue with 389-ds postop plugins,
>> this time the referential integrity plugin. I don't think this is
>> related to this change.
>>
>> We start with:
>>
>> dn: uid=test, ...
>> uid: test
>> memberOf: ipausers
>>
>> dn: cn=ipausers, ...
>> cn: ipausers
>> member: uid=test,...
>>
>> When we do the rename we immediately end up with:
>>
>> dn: uid=test2, ..
>> uid: test2
>> memberOf: ipausers
>>
>> dn: cn=ipausers, ...
>> cn: ipausers
>> member: uid=test, ...
>>
>> We determine indirect membership by comparing the user's memberOf
>> with the results of a query for member=uid=test2
>>
>> If the refint plugin hasn't updated the ipausers group by the time
>> we do the query the user will appear to be an indirect member.
>>
>> rob
>
> OK, you're probably right, I can't reproduce the issue anymore.
>
> This patch has an ACK from me. Since this is a very low-level change
> at a late stage, I have asked Martin to take a second look.
>
> Jakub
>

Tested a few corner cases and it seems to be cool. ACK from me too.

Pavel

From: ayoung at redhat.com (Adam Young)
Date: Thu, 03 Mar 2011 10:23:20 -0500
Subject: [Freeipa-devel] [PATCH] admiyo-0208-fix-truncated-message
Message-ID: <4D6FB268.7040704@redhat.com>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0208-fix-truncated-message.patch
Type: text/x-patch
Size: 1156 bytes
Desc: not available
URL:

From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 03 Mar 2011 10:20:53 -0500
Subject: [Freeipa-devel] [PATCH] 035 IPA replica/server install does not check for a client
In-Reply-To: <1298549324.3540.1.camel@dhcp-25-52.brq.redhat.com>
References: <1298549324.3540.1.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4D6FB1D5.30505@redhat.com>

Martin Kosek wrote:
> When IPA replica or server is configured it does not check for
> possibly installed client. This will cause the installation to
> fail in the very end.
>
> This patch adds a check for already configured client and suggests
> removing it before server/replica installation.
>
> https://fedorahosted.org/freeipa/ticket/1002
>

ack, pushed to master
From: pzuna at redhat.com (Pavel Zuna)
Date: Thu, 03 Mar 2011 16:23:28 +0100
Subject: [Freeipa-devel] [PATCH] Fix error in user plugin email normalizer for empty --setattr=mail=.
Message-ID: <4D6FB270.2090300@redhat.com>

An exception was raised when you tried to reset user email addresses and set new ones using:

ipa user-add SOMEUSER --setattr=mail= --addattr=mail=SOMEUSER at redhat.com

Pavel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pzuna-85-fixemailnorm.patch
Type: application/mbox
Size: 900 bytes
Desc: not available
URL:

From: pzuna at redhat.com (Pavel Zuna)
Date: Thu, 03 Mar 2011 16:27:59 +0100
Subject: [Freeipa-devel] [PATCH] Fix error in user plugin email normalizer for empty --setattr=mail=.
In-Reply-To: <4D6FB270.2090300@redhat.com>
References: <4D6FB270.2090300@redhat.com>
Message-ID: <4D6FB37F.9070108@redhat.com>

On 03/03/2011 04:23 PM, Pavel Zuna wrote:
> An exception was raised when you tried to reset user email addresses and
> set new ones using:
>
> ipa user-add SOMEUSER --setattr=mail= --addattr=mail=SOMEUSER at redhat.com
>
> Pavel
>

Just a correction: The example above should read 'ipa user-mod ...' ofc.

Pavel

From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 03 Mar 2011 09:39:40 -0600
Subject: [Freeipa-devel] [PATCH] admiyo-0208-fix-truncated-message
In-Reply-To: <4D6FB268.7040704@redhat.com>
References: <4D6FB268.7040704@redhat.com>
Message-ID: <4D6FB63C.90305@redhat.com>

On 3/3/2011 9:23 AM, Adam Young wrote:
>

ACK and pushed to master.

--
Endi S. Dewata
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 03 Mar 2011 10:55:50 -0500
Subject: [Freeipa-devel] [PATCH] 036 Inconsistent sysrestore file handling by IPA server installer
In-Reply-To: <1298985787.4902.0.camel@dhcp-25-52.brq.redhat.com>
References: <1298985787.4902.0.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4D6FBA06.3010401@redhat.com>

Martin Kosek wrote:
> IPA server/replica uninstallation may fail when it tries to restore
> a Directory server configuration file in sysrestore directory, which
> was already restored before.
>
> The problem is in Directory Server uninstaller which uses and modifies
> its own image of sysrestore directory state instead of using the
> common uninstaller image.
>
> https://fedorahosted.org/freeipa/ticket/1026

ack, pushed to master
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 03 Mar 2011 10:57:47 -0500
Subject: [Freeipa-devel] [PATCH] 065 Replace only if old and new have nothing in common
In-Reply-To: <4D6FB16C.3090409@redhat.com>
References: <4D64F489.7050305@redhat.com> <4D652C0F.8090606@redhat.com> <4D654055.9070409@redhat.com> <4D654586.3000906@redhat.com> <20110302195017.GA26587@zeppelin.brq.redhat.com> <4D6FB16C.3090409@redhat.com>
Message-ID: <4D6FBA7B.3080303@redhat.com>

Pavel Zuna wrote:
> On 03/02/2011 08:50 PM, Jakub Hrozek wrote:
>> On Wed, Feb 23, 2011 at 12:36:06PM -0500, Rob Crittenden wrote:
>>> Jakub Hrozek wrote:
>>>> On 02/23/2011 04:47 PM, Rob Crittenden wrote:
>>>>> Jakub Hrozek wrote:
>>>>>> Replace only if old and new have nothing in common
>>>>>>
>>>>>
>>>>> This has problems when removing the last member. There is no adds, rems
>>>>> has a single value (the member being removed). The intersection is 0 so
>>>>> force_replace gets set to True and nothing ends up getting done.
>>>>>
>>>>> I added a len(v) > 0 to this conditional and it seems to work. I also
>>>>> added a small test case based on Endi's initial report. I'm getting a
>>>>> 100% test pass rate.
>>>>>
>>>>> rob
>>>>
>>>> I hit one more problem with the patch, although I'm not entirely sure
>>>> how that is possible - when a user is renamed, his memberof becomes
>>>> indirect memberof:
>>>>
>>>> # ipa user-mod --rename test2 test
>>>> --------------------
>>>> Modified user "test"
>>>> --------------------
>>>>   User login: test2
>>>>   First name: Test
>>>>   Last name: User
>>>>   Home directory: /home/test
>>>>   Login shell: /bin/sh
>>>>   Account disabled: False
>>>>   Indirect Member of group: ipausers
>>>
>>> I think this is another timing issue with 389-ds postop plugins,
>>> this time the referential integrity plugin. I don't think this is
>>> related to this change.
>>>
>>> We start with:
>>>
>>> dn: uid=test, ...
>>> uid: test
>>> memberOf: ipausers
>>>
>>> dn: cn=ipausers, ...
>>> cn: ipausers
>>> member: uid=test,...
>>>
>>> When we do the rename we immediately end up with:
>>>
>>> dn: uid=test2, ..
>>> uid: test2
>>> memberOf: ipausers
>>>
>>> dn: cn=ipausers, ...
>>> cn: ipausers
>>> member: uid=test, ...
>>>
>>> We determine indirect membership by comparing the user's memberOf
>>> with the results of a query for member=uid=test2
>>>
>>> If the refint plugin hasn't updated the ipausers group by the time
>>> we do the query the user will appear to be an indirect member.
>>>
>>> rob
>>
>> OK, you're probably right, I can't reproduce the issue anymore.
>>
>> This patch has an ACK from me. Since this is a very low-level change
>> at a late stage, I have asked Martin to take a second look.
>>
>> Jakub
>>
>
> Tested a few corner cases and it seems to be cool. ACK from me too.
>
> Pavel

pushed to master
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 03 Mar 2011 11:02:32 -0500
Subject: [Freeipa-devel] [PATCH] 745 restart dogtag DS instance after install
In-Reply-To: <1299164264.32128.1.camel@dhcp-25-52.brq.redhat.com>
References: <4D6EBBC8.8080805@redhat.com> <1299162153.11002.43.camel@dhcp-25-52.brq.redhat.com> <4D6FA5F2.8000204@redhat.com> <1299164264.32128.1.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4D6FBB98.90806@redhat.com>

Martin Kosek wrote:
> On Thu, 2011-03-03 at 09:30 -0500, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> On Wed, 2011-03-02 at 16:51 -0500, Rob Crittenden wrote:
>>>> The dogtag team tells me we should restart their LDAP backend right
>>>> after installation. In some configurations not doing this can cause
>>>> problems (using the CA as we do isn't one of the known cases but better
>>>> safe than sorry). To do this we bring down dogtag, restart 389-ds, then
>>>> bring dogtag back up.
>>>>
>>>> Ticket 1024
>>>>
>>>> rob
>>>
>>> The patch looks OK and it actually worked for me, but why is the dogtag
>>> restarted only for replicas (ipa-replica-install)?
>>
>> This bug says it is only needed on clones:
>> https://bugzilla.redhat.com/show_bug.cgi?id=680984
>>
>> rob
>
> ACK from me then. I was confused by the commit message - no info about
> clones there.
>
> Martin
>

Ok, amended commit entry and pushed to master.

rob
From: mkosek at redhat.com (Martin Kosek) Date: Thu, 03 Mar 2011 17:43:45 +0100 Subject: [Freeipa-devel] [PATCH] 78 Use ldapi: instead of unsecured ldap: in ipa core tools. In-Reply-To: <1299162588.11002.49.camel@dhcp-25-52.brq.redhat.com> References: <1299162588.11002.49.camel@dhcp-25-52.brq.redhat.com> Message-ID: <1299170625.32128.15.camel@dhcp-25-52.brq.redhat.com> On Thu, 2011-03-03 at 15:29 +0100, Martin Kosek wrote: > On Mon, 2011-02-28 at 18:15 +0000, JR Aquino wrote: > > > > On 2/25/11 9:27 AM, "Pavel Z?na" wrote: > > > > >On 2011-02-25 18:12, JR Aquino wrote: > > >> > > >> > > >> On 2/25/11 5:58 AM, "Pavel Zuna" wrote: > > >> > > >>> On 02/23/2011 11:53 PM, Simo Sorce wrote: > > >>>> On Wed, 23 Feb 2011 23:41:33 +0100 > > >>>> Pavel Z?na wrote: > > >>>> > > >>>>> On 2011-02-15 16:36, JR Aquino wrote: > > >>>>>> On 2/15/11 6:52 AM, "Simo Sorce" wrote: > > >>>>>> > > >>>>>>> On Tue, 15 Feb 2011 15:19:50 +0100 > > >>>>>>> Pavel Zuna wrote: > > >>>>>>> > > >>>>>>>> I can't reproduce this. :-/ > > >>>>>>>> > > >>>>>>>> For me it goes fine: > > >>>>>>>> > > >>>>>>>> [root at ipadev tools]# ./ipa-nis-manage enable > > >>>>>>>> Directory Manager password: > > >>>>>>>> > > >>>>>>>> Enabling plugin > > >>>>>>>> This setting will not take effect until you restart Directory > > >>>>>>>> Server. The rpcbind service may need to be started. > > >>>>>>>> > > >>>>>>> > > >>>>>>> Pavel, > > >>>>>>> Jr has set the minimum ssf to a non default value to test a > > >>>>>>> configuration in which all communications are required to be > > >>>>>>> encrypted. That's why you can't reproduce with the vanilla > > >>>>>>> configuration. > > >>>>>>> > > >>>>>>> We want to support that mode although it won't be the default, so > > >>>>>>> we need to fix any issue that causes that configuration to break > > >>>>>>> (ie all non-encrypted/non-ldapi connections). > > >>>>>>> > > >>>>>>> Simo. 
> > >>>>>>> > > >>>>>>> -- > > >>>>>>> Simo Sorce * Red Hat, Inc * New York > > >>>>>>> > > >>>>>>> _______________________________________________ > > >>>>>>> Freeipa-devel mailing list > > >>>>>>> Freeipa-devel at redhat.com > > >>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel > > >>>>>> > > >>>>>> The best way to do this is: > > >>>>>> > > >>>>>> -=- > > >>>>>> service ipa stop > > >>>>>> Edit /etc/dirsrv/slapd-DOMAIN/dse.ldif > > >>>>>> > > >>>>>> Change: > > >>>>>> nsslapd-minssf: 0 > > >>>>>> > > >>>>>> To: > > >>>>>> nsslapd-minssf: 56<- 56 is chosen because SASL communicates a 56bit > > >>>>>> handshake even though we utilize a much strong cipher... (It is a > > >>>>>> known bug/feature) > > >>>>>> > > >>>>>> service ipa start > > >>>>>> > > >>>>> > > >>>>> I tried to use the LDAPUpdate class (ipaserver/install/ldapupdate.py) > > >>>>> with ldapi=True, but it raises a NotFound exception when trying to > > >>>>> call IPAdmin.do_external_bind() (ipaserver/ipaldap.py). This > > >>>>> exception originates in IPAdmin.__lateinit() when trying to retrieve > > >>>>> this > > >>>>> > > >>>>> cn=config,cn=ldbm database,cn=plugins,cn=config > > >>>>> > > >>>>> For some reason it looks like this entry is inaccessible when doing a > > >>>>> SASL EXTERNAL bind as root. 
> > >>>>> > > >>>>> I can retrieve the entry as "cn=directory manager": > > >>>>> > > >>>>> > > >>>>> > > >>>>> [root at vm-090 freeipa]# ldapsearch -D "cn=directory manager" -W -H > > >>>>> ldapi://%2fvar%2frun%2fslapd-IDM-LAB-BOS-REDHAT-COM.socket -b > > >>>>> "cn=config,cn=ldbm database,cn=plugins,cn=config" -s one > > >>>>> Enter LDAP Password: > > >>>>> # extended LDIF > > >>>>> # > > >>>>> # LDAPv3 > > >>>>> # base with scope > > >>>>> oneLevel # filter: (objectclass=*) > > >>>>> # requesting: ALL > > >>>>> # > > >>>>> > > >>>>> # default indexes, config, ldbm database, plugins, config > > >>>>> dn: cn=default indexes,cn=config,cn=ldbm > > >>>>>database,cn=plugins,cn=config > > >>>>> objectClass: top > > >>>>> objectClass: extensibleObject > > >>>>> cn: default indexes > > >>>>> > > >>>>> # search result > > >>>>> search: 2 > > >>>>> result: 0 Success > > >>>>> > > >>>>> # numResponses: 2 > > >>>>> # numEntries: 1 > > >>>>> > > >>>>> > > >>>>> > > >>>>> > > >>>>> but not as root: > > >>>>> > > >>>>> > > >>>>> > > >>>>> [root at vm-090 freeipa]# ldapsearch -Y EXTERNAL -H > > >>>>> ldapi://%2fvar%2frun%2fslapd-IDM-LAB-BOS-REDHAT-COM.socket -b > > >>>>> "cn=config" SASL/EXTERNAL authentication started > > >>>>> SASL username: > > >>>>>gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth > > >>>>> SASL SSF: 0 > > >>>>> # extended LDIF > > >>>>> # > > >>>>> # LDAPv3 > > >>>>> # base with scope subtree > > >>>>> # filter: (objectclass=*) > > >>>>> # requesting: ALL > > >>>>> # > > >>>>> > > >>>>> # SNMP, config > > >>>>> dn: cn=SNMP,cn=config > > >>>>> objectClass: top > > >>>>> objectClass: nsSNMP > > >>>>> cn: SNMP > > >>>>> nsSNMPEnabled: on > > >>>>> > > >>>>> # 2.16.840.1.113730.3.4.9, features, config > > >>>>> dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config > > >>>>> objectClass: top > > >>>>> objectClass: directoryServerFeature > > >>>>> oid: 2.16.840.1.113730.3.4.9 > > >>>>> cn: VLV Request Control > > >>>>> > > >>>>> # search result > > >>>>> 
search: 2 > > >>>>> result: 0 Success > > >>>>> > > >>>>> # numResponses: 3 > > >>>>> # numEntries: 2 > > >>>>> > > >>>>> > > >>>>> I'm not sure what the problem is, I tried setting different SASL > > >>>>> security properties, but nothing helped. :( Next step is to analyze > > >>>>> DS logs, but before I do that, I wanted to ask if anyone has any tips > > >>>>> on what the solution might be. > > >>>> > > >>>> We have very strict ACIs when using EXTERNAL SASL as root. > > >>>> Is there any reason you need to operate as root? > > >>>> You can also authenticate with SIMPLE (Dir MGr credentials), or > > >>>> SASL/GSSAPI if you have credentials. > > >>>> > > >>>> If you need to run unattended as root then we may need to make > > >>>> root+SASL/EXTERNAL more powerful but I'd like to understand exactly > > >>>> why > > >>>> you need that and can't use regular authentication with DirMgr or > > >>>> GSSAPI credentials. > > >>>> > > >>>> Simo. > > >>>> > > >>> > > >>> Thanks for the advice! New version of the patch attached. > > >> > > >> Sorry Pavel, I have to NACK again: > > >> It looks like some comment info got left in the patch perhaps. > > >> > > >> > > >> [root at auth2 ~]# ipa-compat-manage status > > >> File "/usr/sbin/ipa-compat-manage", line 169 > > >> <<<<<<< HEAD > > >> > > >> > > >> [root at auth2 ~]# ipa-host-net-manage status > > >> File "/usr/sbin/ipa-host-net-manage", line 195 > > >> <<<<<<< HEAD > > >> ^ > > >> > > >> > > >> > > > > > >That's cool, I just wonder how it got there. :) > > > > > >Fixed version attached. 
> > > > > >Pavel > > > > I've verified the following: > > install/migration/migration.py > > install/tools/ipa-compat-manage > > install/tools/ipa-compliance > > install/tools/ipa-host-net-manage > > install/tools/ipa-nis-manage > > install/tools/ipa-replica-prepare > > install/tools/ipa-server-install > > ipaserver/install/ldapupdate.py > > > > > > ACK for everything except: install/tools/ipa-server-certinstall > > > > I'm not sure how best to test that particular tool. > > > > The rest were verified by setting: nsslapd-minssf: 56 > > Then testing each tool to verify functionality without an ssf error. > > > > ldapupdate.py was tested via running several different xml_rpc plugin > > tests that indirectly utilize ldapupdate.py: test_hbac_plugin.py, > > test_sudorule_plugin.py > > > > > > I tested NIS with Pavel's patch, it worked OK for me. > > But has anybody tested replicas with Pavel's patch? In my > environment the replica server wasn't replicating when I prepared it > with the modified ipa-replica-prepare: > > $ sudo ipa-replica-install replica-info-vm-139.idm.lab.bos.redhat.com.gpg <-- produced by Pavel's ipa-replica-prepare > ... > $ ipa user-find > -------------- > 1 user matched > -------------- > User login: admin > Last name: Administrator > Home directory: /home/admin > Login shell: /bin/bash > Account disabled: False > Member of groups: admins > ---------------------------- > Number of entries returned 1 > ---------------------------- > > $ sudo ipa-server-install --uninstall --unattended > $ sudo ipa-replica-install replica-info-vm-139.idm.lab.bos.redhat.com.gpg.2 <-- produced by clean version > ... 
> $ ipa user-find > --------------- > 2 users matched > --------------- > User login: admin > Last name: Administrator > Home directory: /home/admin > Login shell: /bin/bash > Account disabled: False > Member of groups: admins > > User login: ab > First name: a > Last name: b > Home directory: /home/ab > Login shell: /bin/sh > Account disabled: False > Member of groups: ipausers > ---------------------------- > Number of entries returned 2 > ---------------------------- > > User "ab", which was present on the master server (I called > ipa-replica-prepare on the master server), was replicated to the replica > server only when the replica information file (*.gpg) was created with > a clean IPA server. > > Martin The above-described problem was probably in a test environment. I tested the patch on clean VMs and replication was working just fine. I did not run into any further errors during my NIS/Replica testing, I think this patch is OK. Martin From ayoung at redhat.com Thu Mar 3 16:50:03 2011 From: ayoung at redhat.com (Adam Young) Date: Thu, 03 Mar 2011 11:50:03 -0500 Subject: [Freeipa-devel] [PATCH] admiyo-0209-typo-in-truncation-message Message-ID: <4D6FC6BB.4020008@redhat.com> -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0209-typo-in-truncation-message.patch Type: text/x-patch Size: 1047 bytes Desc: not available URL: From edewata at redhat.com Thu Mar 3 17:13:28 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Thu, 03 Mar 2011 11:13:28 -0600 Subject: [Freeipa-devel] [PATCH] admiyo-0209-typo-in-truncation-message In-Reply-To: <4D6FC6BB.4020008@redhat.com> References: <4D6FC6BB.4020008@redhat.com> Message-ID: <4D6FCC38.2060201@redhat.com> On 3/3/2011 10:50 AM, Adam Young wrote: > ACK and pushed to master. -- Endi S. Dewata From dpal at redhat.com Thu Mar 3 17:15:55 2011 
From: dpal at redhat.com (Dmitri Pal) Date: Thu, 03 Mar 2011 12:15:55 -0500 Subject: [Freeipa-devel] [PATCH] admiyo-0209-typo-in-truncation-message In-Reply-To: <4D6FC6BB.4020008@redhat.com> References: <4D6FC6BB.4020008@redhat.com> Message-ID: <4D6FCCCB.3030701@redhat.com> On 03/03/2011 11:50 AM, Adam Young wrote: > > Nack "Query returned more results than the configured size limit *allows to* show." "will show" does not sound right to my Russian ear ;-) The limit does not show anything. -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From dpal at redhat.com Thu Mar 3 17:16:14 2011 From: dpal at redhat.com (Dmitri Pal) Date: Thu, 03 Mar 2011 12:16:14 -0500 Subject: [Freeipa-devel] [PATCH] admiyo-0209-typo-in-truncation-message In-Reply-To: <4D6FCC38.2060201@redhat.com> References: <4D6FC6BB.4020008@redhat.com> <4D6FCC38.2060201@redhat.com> Message-ID: <4D6FCCDE.5060505@redhat.com> On 03/03/2011 12:13 PM, Endi Sukma Dewata wrote: > On 3/3/2011 10:50 AM, Adam Young wrote: >> > > ACK and pushed to master. > Akhm :-) -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From edewata at redhat.com Thu Mar 3 17:34:57 2011 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Thu, 03 Mar 2011 11:34:57 -0600 Subject: [Freeipa-devel] [PATCH] admiyo-0209-typo-in-truncation-message In-Reply-To: <4D6FCCDE.5060505@redhat.com> References: <4D6FC6BB.4020008@redhat.com> <4D6FCC38.2060201@redhat.com> <4D6FCCDE.5060505@redhat.com> Message-ID: <4D6FD141.8090503@redhat.com> On 3/3/2011 11:16 AM, Dmitri Pal wrote: > On 03/03/2011 12:13 PM, Endi Sukma Dewata wrote: >> ACK and pushed to master. > Akhm :-) Sorry, we can fix this again in another patch. So what should be the correct wording? While we're at it, is the second sentence grammatically correct? "First ${counter} results shown" seems to be missing a verb. -- Endi S. Dewata From dpal at redhat.com Thu Mar 3 17:49:03 2011 From: dpal at redhat.com (Dmitri Pal) Date: Thu, 03 Mar 2011 12:49:03 -0500 Subject: [Freeipa-devel] [PATCH] admiyo-0209-typo-in-truncation-message In-Reply-To: <4D6FD141.8090503@redhat.com> References: <4D6FC6BB.4020008@redhat.com> <4D6FCC38.2060201@redhat.com> <4D6FCCDE.5060505@redhat.com> <4D6FD141.8090503@redhat.com> Message-ID: <4D6FD48F.4080409@redhat.com> On 03/03/2011 12:34 PM, Endi Sukma Dewata wrote: > On 3/3/2011 11:16 AM, Dmitri Pal wrote: >> On 03/03/2011 12:13 PM, Endi Sukma Dewata wrote: >>> ACK and pushed to master. >> Akhm :-) > > Sorry, we can fix this again in another patch. So what should be the > correct wording? > > While we're at it, is the second sentence grammatically correct? > "First ${counter} results shown" seems to be missing a verb. > "will be shown" or "are shown". But maybe "displayed" is better than "shown". -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From rcritten at redhat.com Thu Mar 3 19:01:54 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 03 Mar 2011 14:01:54 -0500 Subject: [Freeipa-devel] [PATCH] Fix error in user plugin email normalizer for empty --setattr=mail=. In-Reply-To: <4D6FB270.2090300@redhat.com> References: <4D6FB270.2090300@redhat.com> Message-ID: <4D6FE5A2.30402@redhat.com> Pavel Zuna wrote: > ipa user-add SOMEUSER --setattr=mail= --addattr=mail=SOMEUSER at redhat.com Ack, pushed to master I created ticket 1048 for this problem and amended the git commit message. rob From rcritten at redhat.com Thu Mar 3 19:04:50 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 03 Mar 2011 14:04:50 -0500 Subject: [Freeipa-devel] [PATCH] 78 Use ldapi: instead of unsecured ldap: in ipa core tools. In-Reply-To: <1299170625.32128.15.camel@dhcp-25-52.brq.redhat.com> References: <1299162588.11002.49.camel@dhcp-25-52.brq.redhat.com> <1299170625.32128.15.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4D6FE652.1080802@redhat.com> Martin Kosek wrote: > On Thu, 2011-03-03 at 15:29 +0100, Martin Kosek wrote: >> On Mon, 2011-02-28 at 18:15 +0000, JR Aquino wrote: >>> >>> On 2/25/11 9:27 AM, "Pavel Zůna" wrote: >>> >>>> On 2011-02-25 18:12, JR Aquino wrote: >>>>> >>>>> >>>>> On 2/25/11 5:58 AM, "Pavel Zuna" wrote: >>>>> >>>>>> On 02/23/2011 11:53 PM, Simo Sorce wrote: >>>>>>> On Wed, 23 Feb 2011 23:41:33 +0100 >>>>>>> Pavel Zůna wrote: >>>>>>> >>>>>>>> On 2011-02-15 16:36, JR Aquino wrote: >>>>>>>>> On 2/15/11 6:52 AM, "Simo Sorce" wrote: >>>>>>>>> >>>>>>>>>> On Tue, 15 Feb 2011 15:19:50 +0100 >>>>>>>>>> Pavel Zuna wrote: >>>>>>>>>> >>>>>>>>>>> I can't reproduce this. :-/ >>>>>>>>>>> >>>>>>>>>>> For me it goes fine: >>>>>>>>>>> >>>>>>>>>>> [root at ipadev tools]# ./ipa-nis-manage enable >>>>>>>>>>> Directory Manager password: >>>>>>>>>>> >>>>>>>>>>> Enabling plugin >>>>>>>>>>> This setting will not take effect until you restart Directory >>>>>>>>>>> Server. The rpcbind service may need to be started. >>>>>>>>>>> >>>>>>>>>> >>>>>>>>>> Pavel, >>>>>>>>>> Jr has set the minimum ssf to a non-default value to test a >>>>>>>>>> configuration in which all communications are required to be >>>>>>>>>> encrypted. That's why you can't reproduce with the vanilla >>>>>>>>>> configuration. >>>>>>>>>> >>>>>>>>>> We want to support that mode although it won't be the default, so >>>>>>>>>> we need to fix any issue that causes that configuration to break >>>>>>>>>> (ie all non-encrypted/non-ldapi connections). >>>>>>>>>> >>>>>>>>>> Simo. 
>>>>>>>>>> >>>>>>>>>> -- >>>>>>>>>> Simo Sorce * Red Hat, Inc * New York >>>>>>>>>> >>>>>>>>> >>>>>>>>> The best way to do this is: >>>>>>>>> >>>>>>>>> -=- >>>>>>>>> service ipa stop >>>>>>>>> Edit /etc/dirsrv/slapd-DOMAIN/dse.ldif >>>>>>>>> >>>>>>>>> Change: >>>>>>>>> nsslapd-minssf: 0 >>>>>>>>> >>>>>>>>> To: >>>>>>>>> nsslapd-minssf: 56 <- 56 is chosen because SASL communicates a 56-bit >>>>>>>>> handshake even though we utilize a much stronger cipher... (It is a >>>>>>>>> known bug/feature) >>>>>>>>> >>>>>>>>> service ipa start >>>>>>>>> >>>>>>>> >>>>>>>> I tried to use the LDAPUpdate class (ipaserver/install/ldapupdate.py) >>>>>>>> with ldapi=True, but it raises a NotFound exception when trying to >>>>>>>> call IPAdmin.do_external_bind() (ipaserver/ipaldap.py). This >>>>>>>> exception originates in IPAdmin.__lateinit() when trying to retrieve >>>>>>>> this >>>>>>>> >>>>>>>> cn=config,cn=ldbm database,cn=plugins,cn=config >>>>>>>> >>>>>>>> For some reason it looks like this entry is inaccessible when doing a >>>>>>>> SASL EXTERNAL bind as root. 
>>>>>>>> >>>>>>>> I can retrieve the entry as "cn=directory manager": >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> [root at vm-090 freeipa]# ldapsearch -D "cn=directory manager" -W -H >>>>>>>> ldapi://%2fvar%2frun%2fslapd-IDM-LAB-BOS-REDHAT-COM.socket -b >>>>>>>> "cn=config,cn=ldbm database,cn=plugins,cn=config" -s one >>>>>>>> Enter LDAP Password: >>>>>>>> # extended LDIF >>>>>>>> # >>>>>>>> # LDAPv3 >>>>>>>> # base with scope >>>>>>>> oneLevel # filter: (objectclass=*) >>>>>>>> # requesting: ALL >>>>>>>> # >>>>>>>> >>>>>>>> # default indexes, config, ldbm database, plugins, config >>>>>>>> dn: cn=default indexes,cn=config,cn=ldbm >>>>>>>> database,cn=plugins,cn=config >>>>>>>> objectClass: top >>>>>>>> objectClass: extensibleObject >>>>>>>> cn: default indexes >>>>>>>> >>>>>>>> # search result >>>>>>>> search: 2 >>>>>>>> result: 0 Success >>>>>>>> >>>>>>>> # numResponses: 2 >>>>>>>> # numEntries: 1 >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> but not as root: >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> [root at vm-090 freeipa]# ldapsearch -Y EXTERNAL -H >>>>>>>> ldapi://%2fvar%2frun%2fslapd-IDM-LAB-BOS-REDHAT-COM.socket -b >>>>>>>> "cn=config" SASL/EXTERNAL authentication started >>>>>>>> SASL username: >>>>>>>> gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth >>>>>>>> SASL SSF: 0 >>>>>>>> # extended LDIF >>>>>>>> # >>>>>>>> # LDAPv3 >>>>>>>> # base with scope subtree >>>>>>>> # filter: (objectclass=*) >>>>>>>> # requesting: ALL >>>>>>>> # >>>>>>>> >>>>>>>> # SNMP, config >>>>>>>> dn: cn=SNMP,cn=config >>>>>>>> objectClass: top >>>>>>>> objectClass: nsSNMP >>>>>>>> cn: SNMP >>>>>>>> nsSNMPEnabled: on >>>>>>>> >>>>>>>> # 2.16.840.1.113730.3.4.9, features, config >>>>>>>> dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config >>>>>>>> objectClass: top >>>>>>>> objectClass: directoryServerFeature >>>>>>>> oid: 2.16.840.1.113730.3.4.9 >>>>>>>> cn: VLV Request Control >>>>>>>> >>>>>>>> # search result >>>>>>>> search: 2 >>>>>>>> result: 0 Success >>>>>>>> >>>>>>>> # 
numResponses: 3 >>>>>>>> # numEntries: 2 >>>>>>>> >>>>>>>> >>>>>>>> I'm not sure what the problem is, I tried setting different SASL >>>>>>>> security properties, but nothing helped. :( Next step is to analyze >>>>>>>> DS logs, but before I do that, I wanted to ask if anyone has any tips >>>>>>>> on what the solution might be. >>>>>>> >>>>>>> We have very strict ACIs when using EXTERNAL SASL as root. >>>>>>> Is there any reason you need to operate as root? >>>>>>> You can also authenticate with SIMPLE (Dir MGr credentials), or >>>>>>> SASL/GSSAPI if you have credentials. >>>>>>> >>>>>>> If you need to run unattended as root then we may need to make >>>>>>> root+SASL/EXTERNAL more powerful but I'd like to understand exactly >>>>>>> why >>>>>>> you need that and can't use regular authentication with DirMgr or >>>>>>> GSSAPI credentials. >>>>>>> >>>>>>> Simo. >>>>>>> >>>>>> >>>>>> Thanks for the advice! New version of the patch attached. >>>>> >>>>> Sorry Pavel, I have to NACK again: >>>>> It looks like some comment info got left in the patch perhaps. >>>>> >>>>> >>>>> [root at auth2 ~]# ipa-compat-manage status >>>>> File "/usr/sbin/ipa-compat-manage", line 169 >>>>> <<<<<<< HEAD >>>>> >>>>> >>>>> [root at auth2 ~]# ipa-host-net-manage status >>>>> File "/usr/sbin/ipa-host-net-manage", line 195 >>>>> <<<<<<< HEAD >>>>> ^ >>>>> >>>>> >>>>> >>>> >>>> That's cool, I just wonder how it got there. :) >>>> >>>> Fixed version attached. >>>> >>>> Pavel >>> >>> I've verified the following: >>> install/migration/migration.py >>> install/tools/ipa-compat-manage >>> install/tools/ipa-compliance >>> install/tools/ipa-host-net-manage >>> install/tools/ipa-nis-manage >>> install/tools/ipa-replica-prepare >>> install/tools/ipa-server-install >>> ipaserver/install/ldapupdate.py >>> >>> >>> ACK for everything except: install/tools/ipa-server-certinstall >>> >>> I'm not sure how best to test that particular tool. 
>>> >>> The rest were verified by setting: nsslapd-minssf: 56 >>> Then testing each tool to verify functionality without an ssf error. >>> >>> ldapupdate.py was tested via running several different xml_rpc plugin >>> tests that indirectly utilize ldapupdate.py: test_hbac_plugin.py, >>> test_sudorule_plugin.py >>> >>> >> >> I tested NIS with Pavel's patch, it worked OK for me. >> >> But has anybody tested replicas with Pavel's patch? In my >> environment the replica server wasn't replicating when I prepared it >> with the modified ipa-replica-prepare: >> >> $ sudo ipa-replica-install replica-info-vm-139.idm.lab.bos.redhat.com.gpg <-- produced by Pavel's ipa-replica-prepare >> ... >> $ ipa user-find >> -------------- >> 1 user matched >> -------------- >> User login: admin >> Last name: Administrator >> Home directory: /home/admin >> Login shell: /bin/bash >> Account disabled: False >> Member of groups: admins >> ---------------------------- >> Number of entries returned 1 >> ---------------------------- >> >> $ sudo ipa-server-install --uninstall --unattended >> $ sudo ipa-replica-install replica-info-vm-139.idm.lab.bos.redhat.com.gpg.2 <-- produced by clean version >> ... >> $ ipa user-find >> --------------- >> 2 users matched >> --------------- >> User login: admin >> Last name: Administrator >> Home directory: /home/admin >> Login shell: /bin/bash >> Account disabled: False >> Member of groups: admins >> >> User login: ab >> First name: a >> Last name: b >> Home directory: /home/ab >> Login shell: /bin/sh >> Account disabled: False >> Member of groups: ipausers >> ---------------------------- >> Number of entries returned 2 >> ---------------------------- >> >> User "ab", which was present on the master server (I called >> ipa-replica-prepare on the master server), was replicated to the replica >> server only when the replica information file (*.gpg) was created with >> a clean IPA server. 
>> >> Martin > > The above-described problem was probably in a test environment. I tested > the patch on clean VMs and replication was working just fine. > > I did not run into any further errors during my NIS/Replica testing, I > think this patch is OK. > > Martin Pushed to master From ayoung at redhat.com Thu Mar 3 19:16:26 2011 From: ayoung at redhat.com (Adam Young) Date: Thu, 03 Mar 2011 14:16:26 -0500 Subject: [Freeipa-devel] [PATCH] two one-liners for verbiage. Message-ID: <4D6FE90A.5090809@redhat.com> Since we are close to GA, I'll submit these for review instead of pushing under the one-line rule. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0210-type-in-default-text.patch Type: text/x-patch Size: 913 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0211-Better-truncated-message.patch Type: text/x-patch Size: 1061 bytes Desc: not available URL: From edewata at redhat.com Thu Mar 3 19:37:28 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Thu, 03 Mar 2011 13:37:28 -0600 Subject: [Freeipa-devel] [PATCH] two one-liners for verbiage. In-Reply-To: <4D6FE90A.5090809@redhat.com> References: <4D6FE90A.5090809@redhat.com> Message-ID: <4D6FEDF8.3000601@redhat.com> On 3/3/2011 1:16 PM, Adam Young wrote: > Since we are close to GA, I'll submit these for review instead of > pushing under the one-line rule. ACK and pushed both to master. -- Endi S. Dewata From rcritten at redhat.com Thu Mar 3 21:11:24 2011 
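The thread above turns on JR's nsslapd-minssf: 56 test setting and on why ldapi:// keeps working once it is set (the ldapsearch output shows SASL SSF: 0 for the EXTERNAL bind, yet the patch moves the core tools to ldapi:). As an added example, not FreeIPA code, here is a Python script with two hypothetical helpers: set_dse_attribute()/set_minssf() rewrite the attribute in dse.ldif text (valid only while the server is stopped, as the recipe says, because ns-slapd rewrites dse.ldif on shutdown) and match the attribute name exactly so that nsslapd-minssf-exclude-rootdse is left alone; connection_ssf()/allowed() model the check 389-ds applies. The model is my assumption: an ldapi connection is credited with nsslapd-localssf (assumed default 71), any other connection with the larger of its TLS and SASL SSF. The dse.ldif fragment, socket path and host names are constructed.

```python
import re

# Constructed dse.ldif fragment (not copied from any server). Note the
# attribute nsslapd-minssf-exclude-rootdse, which a naive prefix match on
# "nsslapd-minssf" would also hit.
SAMPLE_DSE = """dn: cn=config
cn: config
objectClass: top
objectClass: extensibleObject
objectClass: nsslapdConfig
nsslapd-minssf: 0
nsslapd-minssf-exclude-rootdse: on
nsslapd-localssf: 71
nsslapd-port: 389

dn: cn=SNMP,cn=config
objectClass: top
objectClass: nsSNMP
cn: SNMP
nsSNMPEnabled: on
"""


def set_dse_attribute(ldif_text, attr, value):
    """Return ldif_text with the `attr: ...` line replaced by `attr: value`.

    The attribute name is matched exactly up to the colon (case-insensitive,
    as LDAP attribute names are); a folded continuation line (leading space)
    belonging to the replaced value is dropped with it. Raises ValueError if
    the attribute is absent or appears more than once.
    """
    pattern = re.compile(r"^" + re.escape(attr) + r":", re.IGNORECASE)
    out = []
    replaced = False
    dropping = False
    for line in ldif_text.split("\n"):
        if dropping and line.startswith(" "):
            continue                      # continuation of the replaced line
        dropping = False
        if pattern.match(line):
            if replaced:
                raise ValueError("%s appears more than once" % attr)
            out.append("%s: %s" % (attr, value))
            replaced = dropping = True
            continue
        out.append(line)
    if not replaced:
        raise ValueError("%s not found in dse.ldif" % attr)
    return "\n".join(out)


def set_minssf(ldif_text, minssf):
    """Set nsslapd-minssf after checking that it is a non-negative integer."""
    n = int(minssf)
    if n < 0:
        raise ValueError("nsslapd-minssf must be >= 0")
    return set_dse_attribute(ldif_text, "nsslapd-minssf", str(n))


def connection_ssf(url, tls_ssf=0, sasl_ssf=0, localssf=71):
    """Effective SSF of a connection under the simplified model (assumption:
    ldapi gets nsslapd-localssf, everything else max(TLS, SASL))."""
    if url.lower().startswith("ldapi://"):
        return max(localssf, sasl_ssf)
    return max(tls_ssf, sasl_ssf)


def allowed(url, minssf, **layers):
    """True if the server would accept operations on this connection."""
    return connection_ssf(url, **layers) >= minssf


if __name__ == "__main__":
    print(set_minssf(SAMPLE_DSE, 56))
    for url, layers in [
        ("ldap://ipa.example.test", {}),                 # simple bind, no TLS
        ("ldap://ipa.example.test", {"sasl_ssf": 56}),   # GSSAPI reports 56
        ("ldaps://ipa.example.test", {"tls_ssf": 128}),  # TLS with AES-128
        ("ldapi://%2fvar%2frun%2fslapd-EXAMPLE.socket", {"sasl_ssf": 0}),  # EXTERNAL
    ]:
        verdict = "allowed" if allowed(url, 56, **layers) else "REJECTED"
        print("%-45s %-18s %s" % (url, layers, verdict))
```

With minssf 56 the table shows the plain ldap:// simple bind rejected, ldap:// with GSSAPI (SSF 56, the value JR's comment refers to) accepted, and the ldapi:// EXTERNAL bind accepted despite its reported SASL SSF of 0, which is the case the patch relies on.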
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 03 Mar 2011 16:11:24 -0500 Subject: [Freeipa-devel] [PATCH] 747 don't check DNS for sanity if we're installing DNS Message-ID: <4D7003FC.7060701@redhat.com> Skip the DNS checks during installation if we're configuring IPA as a DNS server. ticket 1036 rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-747-install.patch Type: application/mbox Size: 1131 bytes Desc: not available URL: From ssorce at redhat.com Fri Mar 4 00:40:52 2011 From: ssorce at redhat.com (Simo Sorce) Date: Thu, 3 Mar 2011 19:40:52 -0500 Subject: [Freeipa-devel] [PATCH] 747 don't check DNS for sanity if we're installing DNS In-Reply-To: <4D7003FC.7060701@redhat.com> References: <4D7003FC.7060701@redhat.com> Message-ID: <20110303194052.1e031182@willson.li.ssimo.org> On Thu, 03 Mar 2011 16:11:24 -0500 Rob Crittenden wrote: > Skip the DNS checks during installation if we're configuring IPA as a > DNS server. > > ticket 1036 ACK Simo. -- Simo Sorce * Red Hat, Inc * New York From davido at redhat.com Fri Mar 4 00:46:41 2011 
From: davido at redhat.com (David O'Brien) Date: Fri, 04 Mar 2011 10:46:41 +1000 Subject: [Freeipa-devel] [PATCH] 746 style and grammatical issues in help In-Reply-To: <4D6F1461.6080001@redhat.com> References: <4D6F1461.6080001@redhat.com> Message-ID: <4D703671.1070506@redhat.com> Rob Crittenden wrote: > Fix style and grammatical issues in built-in command help. > > There is a rather large API.txt change but it is only due to changes > in the doc string in parameters. > > ticket 729 > > rob > A couple of picks: --maxusername=INT Max. username length when creating/modifing a user (modifying) doc=_('Extra hashes to generate in password plugin.'), (plug-in should be hyphenated) doc=_('Force DNS zone creation even if name server not in DNS.'), (Sometimes we say "nameserver" and other times "name server". Our Style Guide prefers "nameserver", so "Force DNS zone creation even if the nameserver is not in the DNS.") ACK with those couple of fixes. -- David O'Brien Red Hat Asia Pacific Pty Ltd +61 7 3514 8189 "He who asks is a fool for five minutes, but he who does not ask remains a fool forever." ~ Chinese proverb From edewata at redhat.com Fri Mar 4 15:48:02 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Fri, 04 Mar 2011 09:48:02 -0600 Subject: [Freeipa-devel] [PATCH] 118 Fixed host enrollment time Message-ID: <4D7109B2.6090503@redhat.com> The month in krblastpwdchange (LDAP Generalized Time) is 1-based but the month in JavaScript Date.setUTCFullYear() is 0-based so it needs a conversion. Ticket 1053 -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0118-Fixed-host-enrollment-time.patch Type: text/x-patch Size: 1360 bytes Desc: not available URL: From rcritten at redhat.com Fri Mar 4 16:05:57 2011 
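Endi's fix concerns turning krblastpwdchange, an LDAP GeneralizedTime (RFC 4517), into a JavaScript Date, where setUTCFullYear() takes a 0-based month. As an added example, not FreeIPA code, here is a Python 3 parser for the full GeneralizedTime grammar (optional minutes and seconds, a fraction that applies to the smallest unit given, Z or +/-hh[mm] zone) together with to_epoch_ms(), which hands a browser client an epoch-millisecond value so that `new Date(ms)` needs no month arithmetic at all. The function names and the sample values are mine.

```python
import re
from datetime import datetime, timedelta, timezone

# RFC 4517 GeneralizedTime: YYYYMMDDHH[MM[SS]][(.|,)fraction](Z|+hh[mm]|-hh[mm])
# Minute and second are optional; the fraction belongs to the smallest unit
# that is present; a zone designator is mandatory.
_GT_RE = re.compile(
    r"^(?P<y>\d{4})(?P<mo>\d{2})(?P<d>\d{2})(?P<h>\d{2})"
    r"(?P<mi>\d{2})?(?P<s>\d{2})?"
    r"(?P<frac>[.,]\d+)?"
    r"(?P<tz>Z|[+-]\d{2}(?:\d{2})?)$"
)


def parse_generalized_time(value):
    """Return an aware datetime in UTC, or raise ValueError.

    datetime() validates the calendar fields, so "20111301000000Z" (month 13)
    is rejected here instead of silently rolling over the way
    substring-and-setUTCFullYear() arithmetic does in JavaScript.
    """
    m = _GT_RE.match(value)
    if not m:
        raise ValueError("not a GeneralizedTime: %r" % (value,))
    g = m.groupdict()
    tz = g["tz"]
    if tz == "Z":
        tzinfo = timezone.utc
    else:
        sign = 1 if tz[0] == "+" else -1
        hours = int(tz[1:3])
        minutes = int(tz[3:5]) if len(tz) == 5 else 0
        tzinfo = timezone(sign * timedelta(hours=hours, minutes=minutes))
    # Month is 1-based both in GeneralizedTime and in datetime(); no offset.
    dt = datetime(int(g["y"]), int(g["mo"]), int(g["d"]), int(g["h"]),
                  int(g["mi"] or 0), int(g["s"] or 0), tzinfo=tzinfo)
    if g["frac"]:
        fraction = float("0." + g["frac"][1:])
        unit = 1 if g["s"] is not None else 60 if g["mi"] is not None else 3600
        dt += timedelta(seconds=fraction * unit)
    return dt.astimezone(timezone.utc)


def is_valid_generalized_time(value):
    """Convenience predicate for callers that only need a yes/no answer."""
    try:
        parse_generalized_time(value)
        return True
    except ValueError:
        return False


def to_epoch_ms(value):
    """Milliseconds since the Unix epoch: the value a JavaScript client can
    feed straight into `new Date(ms)` without touching month numbers."""
    return int(round(parse_generalized_time(value).timestamp() * 1000))


if __name__ == "__main__":
    for sample in ("20110304154802Z", "20110304154802.5Z", "201103041548+0100",
                   "2011030415.5Z", "20111301000000Z", "2011-03-04T15:48:02Z"):
        if is_valid_generalized_time(sample):
            print("%-22s -> %s  (%d ms)" % (sample,
                  parse_generalized_time(sample).isoformat(), to_epoch_ms(sample)))
        else:
            print("%-22s -> invalid" % sample)
```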
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 04 Mar 2011 11:05:57 -0500 Subject: [Freeipa-devel] [PATCH] 747 don't check DNS for sanity if we're installing DNS In-Reply-To: <20110303194052.1e031182@willson.li.ssimo.org> References: <4D7003FC.7060701@redhat.com> <20110303194052.1e031182@willson.li.ssimo.org> Message-ID: <4D710DE5.6060404@redhat.com> Simo Sorce wrote: > On Thu, 03 Mar 2011 16:11:24 -0500 > Rob Crittenden wrote: > >> Skip the DNS checks during installation if we're configuring IPA as a >> DNS server. >> >> ticket 1036 > > ACK > > Simo. > pushed to master From rcritten at redhat.com Fri Mar 4 16:09:57 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 04 Mar 2011 11:09:57 -0500 Subject: [Freeipa-devel] [PATCH] 746 style and grammatical issues in help In-Reply-To: <4D703671.1070506@redhat.com> References: <4D6F1461.6080001@redhat.com> <4D703671.1070506@redhat.com> Message-ID: <4D710ED5.7020105@redhat.com> David O'Brien wrote: > Rob Crittenden wrote: >> Fix style and grammatical issues in built-in command help. >> >> There is a rather large API.txt change but it is only due to changes >> in the doc string in parameters. >> >> ticket 729 >> >> rob >> > > A couple of picks: > > --maxusername=INT Max. username length when creating/modifing a user > (modifying) > > doc=_('Extra hashes to generate in password plugin.'), > (plug-in should be hyphenated) > > doc=_('Force DNS zone creation even if name server not in DNS.'), > (Sometimes we say "nameserver" and other times "name server". Our Style > Guide prefers "nameserver", so "Force DNS zone creation even if the > nameserver is not in the DNS.") > > > ACK with those couple of fixes. > Fixed, pushed to master From rcritten at redhat.com Fri Mar 4 16:15:03 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 04 Mar 2011 11:15:03 -0500 Subject: [Freeipa-devel] [PATCH] 118 Fixed host enrollment time In-Reply-To: <4D7109B2.6090503@redhat.com> References: <4D7109B2.6090503@redhat.com> Message-ID: <4D711007.90507@redhat.com> Endi Sukma Dewata wrote: > The month in krblastpwdchange (LDAP Generalized Time) is 1-based > but the month in JavaScript Date.setUTCFullYear() is 0-based so it > needs a conversion. > > Ticket 1053 ack, pushed to master From rcritten at redhat.com Fri Mar 4 18:14:53 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 04 Mar 2011 13:14:53 -0500 Subject: [Freeipa-devel] [PATCH] 748 always stop tracking cert on client uninstall Message-ID: <4D712C1D.4000808@redhat.com> certmonger stop_tracking() is robust enough to do the right thing if no certificate exists so go ahead and always call it. If the certificate failed to be issued for some reason the request will still be in certmonger after uninstalling. This would cause problems when trying to reinstall the client. This will go ahead and always tell certmonger to stop tracking it. Testing instructions are in the ticket. ticket 1028 rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-748-client.patch Type: application/mbox Size: 2378 bytes Desc: not available URL: From rcritten at redhat.com Fri Mar 4 18:25:06 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 04 Mar 2011 13:25:06 -0500 Subject: [Freeipa-devel] [PATCH] fix API, broken build Message-ID: <4D712E82.8040009@redhat.com> When I applied some fixes to the help text as suggested by David for patch 746 I missed that it affected the API. It is just a doc string change, pushed under the one-liner rule. --- a/API.txt +++ b/API.txt 
@@ -708,7 +708,7 @@ option: Str('idnsupdatepolicy', attribute=True, cli_name='update_policy', label= option: Flag('idnsallowdynupdate', attribute=True, autofill=True, cli_name='allow_dynupdate', default=False, label=Gettext('Dynamic update', domain='ipa', localedir=None), multivalue=False, required=True) option: Str('addattr*', validate_add_attribute, cli_name='addattr', exclude='webui') option: Str('setattr*', validate_set_attribute, cli_name='setattr', exclude='webui') -option: Flag('force', autofill=True, default=False,lag('force', autofill=True, default=False, doc=Gettext('Force DNS zone creation even if name server not in DNS.', domain='ipa', localedir=None)) +option: Flag('force', autofill=True, default=False,lag('force', autofill=True, default=False, doc=Gettext('Force DNS zone creation even if nameserver not in DNS.', domain='ipa', localedir=None)) option: Str('ip_address?', _validate_ipaddr,tr('ip_address?', _validate_ipaddr, doc=Gettext('Add the nameserver to DNS with this IP address', domain='ipa', localedir=None)) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui', flags=['no_output']) option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui', flags=['no_output']) -- 1.7.3.4 From edewata at redhat.com Fri Mar 4 21:31:53 2011 
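Review bot: the `-`/`+` pair for the `force` flag carries a duplicated fragment, `default=False,lag('force', autofill=True, default=False, doc=...`, and the `ip_address?` context line that follows has the same shape (`_validate_ipaddr,tr('ip_address?', _validate_ipaddr, ...`); neither reads as a well-formed `Flag(...)`/`Str(...)` description, so before pushing a hand-edited API.txt it is worth regenerating the file and diffing it against this hunk, given that the commit exists to repair a build that compares API.txt with the live API. The doc-string wording itself ("nameserver") matches what David asked for in the review of patch 746.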
From: edewata at redhat.com (Endi Sukma Dewata) Date: Fri, 04 Mar 2011 15:31:53 -0600 Subject: [Freeipa-devel] [PATCH] 119, 120, 121, 122: Fixed memory leak caused by dialog boxes Message-ID: <4D715A49.6030309@redhat.com> These patches fixed most of the problems. There are still a few more. Ticket 1054 -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0119-Fixed-memory-leak-caused-by-IPA.dialog.patch Type: text/x-patch Size: 1710 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0120-Fixed-memory-leak-caused-by-is_dirty-dialogs.patch Type: text/x-patch Size: 3884 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0121-Fixed-memory-leak-caused-by-reset-password-dialog.patch Type: text/x-patch Size: 5129 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0122-Fixed-memory-leak-caused-by-DNS-record-adder-dialog.patch Type: text/x-patch Size: 4884 bytes Desc: not available URL: From edewata at redhat.com Fri Mar 4 22:25:39 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Fri, 04 Mar 2011 16:25:39 -0600 Subject: [Freeipa-devel] [PATCH] 123 Fixed memory leak caused by DNS record deleter dialog. Message-ID: <4D7166E3.7020507@redhat.com> Ticket 1054 -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0123-Fixed-memory-leak-caused-by-DNS-record-deleter-dialo.patch Type: text/x-patch Size: 5748 bytes Desc: not available URL: From rcritten at redhat.com Fri Mar 4 22:59:26 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 04 Mar 2011 17:59:26 -0500 Subject: [Freeipa-devel] [PATCH] 749 use hostname consistently in ipa-client-install Message-ID: <4D716ECE.90302@redhat.com> If a hostname was provided it wasn't used to configure either certmonger or sssd. This resulted in a non-working configuration. Additionally on un-enrollment the wrong hostname was unenrolled, it used the value of gethostname() rather than the one that was passed into the installer. We have to modify the CA configuration of certmonger to make it use the right principal when requesting certificates. The filename is unpredictable but it will be in /var/lib/certmonger/cas. We need to hunt for ipa_submit and add -k to it, then undo that on uninstall. These files are created the first time the certmonger service starts, so start and stop it before messing with them. ticket 1029 To test do something like: # ipa-client-install --hostname some_other_host.example.com # ipa-getcert list # id admin If id admin works it means sssd is set up properly, you can confirm by looking at ipa_hostname in /etc/sssd/sssd.conf. The certificate in ipa-getcert should be MONITORING. Now on the IPA server look at the host entry for some_other_host.example.com and it should have Keytab: True Now run: ipa-client-install --uninstall The host entry on the server should have Keytab: False ipa-getcert list should return nothing (you'll need to start the certmonger service to see it) rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-749-hostname.patch Type: application/mbox Size: 9849 bytes Desc: not available URL: From nalin at redhat.com Fri Mar 4 23:30:32 2011 
From: nalin at redhat.com (Nalin Dahyabhai) Date: Fri, 4 Mar 2011 18:30:32 -0500 Subject: [Freeipa-devel] [PATCH] 749 use hostname consistently in ipa-client-install In-Reply-To: <4D716ECE.90302@redhat.com> References: <4D716ECE.90302@redhat.com> Message-ID: <20110304233032.GB5261@redhat.com> On Fri, Mar 04, 2011 at 05:59:26PM -0500, Rob Crittenden wrote: > If a hostname was provided it wasn't used to configure either > certmonger or sssd. This resulted in a non-working configuration. [snip] > @@ -241,6 +242,81 @@ def stop_tracking(secdir, request_id=None, nickname=None): > > return (stdout, stderr, returncode) > >+def _find_ipa_submit_ca(): >+ """ >+ Look through all the certmonger CA files to find the one that >+ defines ipa-submit as the ca_external_helper. >+ >+ We can use find_request_value because the ca files have the >+ same file format. >+ """ >+ fileList=os.listdir(CA_DIR) >+ for file in fileList: >+ value = find_request_value('%s/%s' % (CA_DIR, file), 'ca_external_helper') >+ if value is not None and value.startswith('/usr/libexec/certmonger/ipa-submit'): >+ return '%s/%s' % (CA_DIR, file) This should work, but could I get you to change the test here to look for "id=IPA" instead of "ca_external_helper=/usr/libexec/certmonger/ipa-submit"? The "ipa-getcert" command-line tool is hard-coded to ask certmonger to use the CA with an "id" of "IPA", and that's how certmonger figures out which file's settings to use. I can imagine having another CA configuration for certmonger on the system that told it to call its ipa-submit helper with a different set of arguments. In that setup, the one with "id=IPA" would still be the one that certmonger would use on behalf of ipa-getcert. (I don't have a good idea of _why_ someone would do that, but there you go.) Cheers, Nalin From ayoung at redhat.com Sat Mar 5 01:14:58 2011 
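Review bot: `_find_ipa_submit_ca()` returns None implicitly when no CA file matches, and `os.listdir(CA_DIR)` raises if the directory does not exist yet (the patch description says these files only appear after certmonger has started once), so the caller has to handle both cases or the uninstall path will crash on a client whose enrollment never got that far. As this reply notes, keying on `id=IPA` rather than on the `ca_external_helper` prefix also avoids picking up a second CA entry that calls ipa-submit with different arguments. Minor: `file` shadows the Python builtin, and `os.path.join(CA_DIR, name)` is the idiomatic form of `'%s/%s' % (CA_DIR, file)`.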
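Rob's patch has to find the certmonger CA file under /var/lib/certmonger/cas and edit its helper line on enrollment, then undo that on uninstall; Nalin's point is to locate it by `id=IPA`, the name ipa-getcert asks certmonger for. As an added example, not FreeIPA or certmonger code, here is a Python re-implementation of that lookup and an idempotent flag edit. Assumptions: certmonger's CA files hold one `key=value` per line (the patch reads them with find_request_value(), re-implemented here as read_kv_file()); the flag `-k` is taken from Rob's description and its meaning is not needed here; the sample CA directory, with a second entry that also calls ipa-submit, is constructed in a temporary directory.

```python
import os
import tempfile

CA_DIR = "/var/lib/certmonger/cas"   # real location on an enrolled client


def read_kv_file(path):
    """Parse a certmonger request/CA file into a dict (assumed format: one
    key=value per line; the first occurrence of a key wins)."""
    values = {}
    with open(path) as f:
        for raw in f:
            key, sep, value = raw.rstrip("\n").partition("=")
            if sep and key not in values:
                values[key] = value
    return values


def find_ca_file(ca_dir, ca_id="IPA"):
    """Return the path of the CA file whose id is ca_id, or None.

    Matching on id rather than on the helper path skips any other CA entry
    that happens to call ipa-submit too. A missing directory (certmonger never
    started) yields None instead of an OSError from os.listdir().
    """
    if not os.path.isdir(ca_dir):
        return None
    for name in sorted(os.listdir(ca_dir)):
        path = os.path.join(ca_dir, name)
        if os.path.isfile(path) and read_kv_file(path).get("id") == ca_id:
            return path
    return None


def set_helper_flag(path, flag, enable):
    """Add (enable=True) or remove (enable=False) one flag on the
    ca_external_helper line and return the resulting helper command line.
    Re-running enrollment or uninstall must not stack or over-strip flags,
    so the flag is always removed first and appended once if wanted."""
    with open(path) as f:
        lines = f.read().split("\n")
    helper = None
    for i, line in enumerate(lines):
        key, sep, value = line.partition("=")
        if sep and key == "ca_external_helper":
            parts = [p for p in value.split() if p != flag]
            if enable:
                parts.append(flag)
            helper = " ".join(parts)
            lines[i] = "ca_external_helper=" + helper
            break
    if helper is None:
        raise ValueError("no ca_external_helper line in %s" % path)
    with open(path, "w") as f:
        f.write("\n".join(lines))
    return helper


def make_sample_ca_dir():
    """Constructed stand-in for /var/lib/certmonger/cas: the IPA CA plus a
    second entry that also uses ipa-submit (the case Nalin warned about).
    File names imitate certmonger's numeric request ids."""
    d = tempfile.mkdtemp(prefix="cas-")
    entries = {
        "20110304000001": ["id=IPA-custom", "ca_type=EXTERNAL",
                           "ca_external_helper=/usr/libexec/certmonger/ipa-submit -v"],
        "20110304000002": ["id=IPA", "ca_is_default=0", "ca_type=EXTERNAL",
                           "ca_external_helper=/usr/libexec/certmonger/ipa-submit"],
    }
    for name, lines in entries.items():
        with open(os.path.join(d, name), "w") as f:
            f.write("\n".join(lines) + "\n")
    return d


if __name__ == "__main__":
    sample = make_sample_ca_dir()
    ca = find_ca_file(sample)                  # the id=IPA file, not the -v one
    print("IPA CA file :", ca)
    print("enroll      :", set_helper_flag(ca, "-k", True))
    print("enroll again:", set_helper_flag(ca, "-k", True))   # still one -k
    print("uninstall   :", set_helper_flag(ca, "-k", False))
```

Point the script at CA_DIR instead of make_sample_ca_dir() on a client where certmonger has been started once to see the real file; on a never-enrolled client find_ca_file() simply returns None, which is the case the uninstall path must tolerate.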
From: ayoung at redhat.com (Adam Young)
Date: Fri, 04 Mar 2011 20:14:58 -0500
Subject: [Freeipa-devel] [PATCH] 119, 120, 121, 122: Fixed memory leak caused by dialog boxes
In-Reply-To: <4D715A49.6030309@redhat.com>
References: <4D715A49.6030309@redhat.com>
Message-ID: <4D718E92.7050603@redhat.com>

On 03/04/2011 04:31 PM, Endi Sukma Dewata wrote:
> These patches fixed most of the problems. There are still a few more.
>
> Ticket 1054
>
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

ACK. Pushed to master

From ayoung at redhat.com Sat Mar 5 01:15:10 2011
From: ayoung at redhat.com (Adam Young)
Date: Fri, 04 Mar 2011 20:15:10 -0500
Subject: [Freeipa-devel] [PATCH] 123 Fixed memory leak caused by DNS record deleter dialog.
In-Reply-To: <4D7166E3.7020507@redhat.com>
References: <4D7166E3.7020507@redhat.com>
Message-ID: <4D718E9E.1030805@redhat.com>

On 03/04/2011 05:25 PM, Endi Sukma Dewata wrote:
> Ticket 1054

ACK. Pushed to master

From edewata at redhat.com Sat Mar 5 06:32:10 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Sat, 05 Mar 2011 00:32:10 -0600
Subject: [Freeipa-devel] [PATCH] 124 Fixed memory leak caused by IPA.error_dialog
Message-ID: <4D71D8EA.30803@redhat.com>

Ticket 1054

--
Endi S. Dewata

From edewata at redhat.com Sun Mar 6 04:29:31 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Sat, 05 Mar 2011 22:29:31 -0600
Subject: [Freeipa-devel] [PATCH] 124 Fixed memory leak caused by IPA.error_dialog
In-Reply-To: <4D71D8EA.30803@redhat.com>
References: <4D71D8EA.30803@redhat.com>
Message-ID: <4D730DAB.4090305@redhat.com>

On 3/5/2011 12:32 AM, Endi Sukma Dewata wrote:
> Ticket 1054

Sorry, forgot the patch.

--
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0124-Fixed-memory-leak-caused-by-IPA.error_dialog.patch
Type: text/x-patch
Size: 5026 bytes
Desc: not available
URL:

From ayoung at redhat.com Mon Mar 7 01:52:07 2011
From: ayoung at redhat.com (Adam Young)
Date: Sun, 06 Mar 2011 20:52:07 -0500
Subject: [Freeipa-devel] [PATCH] 124 Fixed memory leak caused by IPA.error_dialog
In-Reply-To: <4D730DAB.4090305@redhat.com>
References: <4D71D8EA.30803@redhat.com> <4D730DAB.4090305@redhat.com>
Message-ID: <4D743A47.9090604@redhat.com>

On 03/05/2011 11:29 PM, Endi Sukma Dewata wrote:
> On 3/5/2011 12:32 AM, Endi Sukma Dewata wrote:
>> Ticket 1054
>
> Sorry, forgot the patch.

ACK. Pushed to master

From rcritten at redhat.com Mon Mar 7 16:52:59 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 07 Mar 2011 11:52:59 -0500
Subject: [Freeipa-devel] [PATCH] 749 use hostname consistently in ipa-client-install
In-Reply-To: <20110304233032.GB5261@redhat.com>
References: <4D716ECE.90302@redhat.com> <20110304233032.GB5261@redhat.com>
Message-ID: <4D750D6B.2010208@redhat.com>

Nalin Dahyabhai wrote:
> On Fri, Mar 04, 2011 at 05:59:26PM -0500, Rob Crittenden wrote:
>> If a hostname was provided it wasn't used to configure either
>> certmonger or sssd. This resulted in a non-working configuration.
> [snip]
>> @@ -241,6 +242,81 @@ def stop_tracking(secdir, request_id=None, nickname=None): >> >> return (stdout, stderr, returncode) >> >> +def _find_ipa_submit_ca(): >> + """ >> + Look through all the certmonger CA files to find the one that >> + defines ipa-submit as the ca_external_helper. >> + >> + We can use find_request_value because the ca files have the >> + same file format. >> + """ >> + fileList=os.listdir(CA_DIR) >> + for file in fileList: >> + value = find_request_value('%s/%s' % (CA_DIR, file), 'ca_external_helper') >> + if value is not None and value.startswith('/usr/libexec/certmonger/ipa-submit'): >> + return '%s/%s' % (CA_DIR, file)
>
> This should work, but could I get you to change the test here to look
> for "id=IPA" instead of
> "ca_external_helper=/usr/libexec/certmonger/ipa-submit"?
>
> The "ipa-getcert" command-line tool is hard-coded to ask certmonger to
> use the CA with an "id" of "IPA", and that's how certmonger figures out
> which file's settings to use.
>
> I can imagine having another CA configuration for certmonger on the
> system that told it to call its ipa-submit helper with a different set
> of arguments. In that setup, the one with "id=IPA" would still be the
> one that certmonger would use on behalf of ipa-getcert. (I don't have a
> good idea of _why_ someone would do that, but there you go.)
>
> Cheers,
>
> Nalin

Good idea, switched to use id=IPA instead.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-749-2-hostname.patch
Type: application/mbox
Size: 9739 bytes
Desc: not available
URL:

From mkosek at redhat.com Mon Mar 7 17:07:51 2011
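The CA-file lookup and the -k edit discussed in this thread, as an added example that is not the patch's or FreeIPA's own code: it parses certmonger's key=value CA files in a constructed temporary directory, selects the file whose id is IPA (the test Nalin asked for, instead of matching on the helper path), and adds or removes a "-k principal" argument on the ca_external_helper line the way the install and uninstall steps need. The file names, file contents, the principal, the exact -k syntax and all function names are assumptions made up for the example; on a real host the directory would be /var/lib/certmonger/cas.

```python
import os
import re
import tempfile

# Constructed sample certmonger CA files in the key=value format the thread
# describes. Names and contents are made up for this example.
SAMPLE_CA_FILES = {
    "20110304000001": "id=IPA\nca_is_default=1\nca_type=EXTERNAL\n"
                      "ca_external_helper=/usr/libexec/certmonger/ipa-submit\n",
    # A second CA that also runs ipa-submit with other arguments: matching on
    # the helper path would pick this one up by mistake, matching on id won't.
    "20110304000002": "id=other-ipa\nca_type=EXTERNAL\n"
                      "ca_external_helper=/usr/libexec/certmonger/ipa-submit -v\n",
    "20110304000003": "id=SelfSign\nca_type=INTERNAL:SELF\n",
}

# Matches a "-k <principal>" argument in the helper command line (assumed syntax
# of the -k option the cover letter mentions).
_K_OPT = re.compile(r"\s+-k\s+\S+")


def write_sample_cas(ca_dir):
    """Populate ca_dir with the constructed sample files."""
    os.makedirs(ca_dir, exist_ok=True)
    for name, body in SAMPLE_CA_FILES.items():
        with open(os.path.join(ca_dir, name), "w") as f:
            f.write(body)


def read_ca_values(path):
    """Parse one CA file into a dict; blank, comment and key-less lines are skipped."""
    values = {}
    with open(path) as f:
        for line in f:
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, _, value = line.partition("=")
            values[key.strip()] = value.strip()
    return values


def find_ca_by_id(ca_dir, ca_id="IPA"):
    """Return the path of the CA file whose id is ca_id, or None if there is none."""
    try:
        names = sorted(os.listdir(ca_dir))
    except OSError:  # directory does not exist until certmonger has started once
        return None
    for name in names:
        path = os.path.join(ca_dir, name)
        if os.path.isfile(path) and read_ca_values(path).get("id") == ca_id:
            return path
    return None


def _rewrite_helper(path, transform):
    """Apply transform() to the ca_external_helper value and rewrite the file.
    Returns the new helper string, or None if the file has no helper line."""
    with open(path) as f:
        lines = f.read().splitlines(True)
    new_helper = None
    for i, line in enumerate(lines):
        key, sep, value = line.rstrip("\n").partition("=")
        if sep and key.strip() == "ca_external_helper":
            new_helper = transform(value.strip())
            lines[i] = "ca_external_helper=%s\n" % new_helper
    with open(path, "w") as f:
        f.writelines(lines)
    return new_helper


def set_helper_principal(path, principal):
    """Install step: make the helper request certificates as `principal`.
    A stale -k argument is replaced rather than duplicated."""
    return _rewrite_helper(
        path, lambda helper: "%s -k %s" % (_K_OPT.sub("", helper), principal))


def clear_helper_principal(path):
    """Uninstall step: remove the -k argument again."""
    return _rewrite_helper(path, lambda helper: _K_OPT.sub("", helper))


def demo():
    """Run the install/uninstall edit in a temp directory and return what was seen."""
    ca_dir = tempfile.mkdtemp(prefix="certmonger-cas-")
    write_sample_cas(ca_dir)
    path = find_ca_by_id(ca_dir)
    seen = {
        "found": os.path.basename(path) if path else None,
        "unknown_id": find_ca_by_id(ca_dir, "no-such-ca"),
        "missing_dir": find_ca_by_id(os.path.join(ca_dir, "absent")),
        # constructed principal, named after the cover letter's test hostname
        "after_set": set_helper_principal(
            path, "host/some_other_host.example.com@EXAMPLE.COM"),
    }
    seen["reread"] = read_ca_values(path)["ca_external_helper"]
    seen["after_clear"] = clear_helper_principal(path)
    seen["no_helper"] = clear_helper_principal(
        os.path.join(ca_dir, "20110304000003"))
    return seen


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-12s %s" % (key, value))
```

The lookup returns None rather than raising when the directory is absent or no CA has the requested id, so a caller can report "certmonger has not created its CA files yet" instead of crashing; the edit functions return the new helper line so the install log can record exactly what was written.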
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 07 Mar 2011 18:07:51 +0100
Subject: [Freeipa-devel] [PATCH] 037 Improve error handling and return status codes in ipactl
Message-ID: <1299517671.16178.0.camel@dhcp-25-52.brq.redhat.com>

There are cases when ipactl returns success even when it fails. Plus, when the error really is detected the status codes are not LSB compliant. This may result in consequent issues.

This patch improves error handling in ipactl and adds LSB compliant status codes. Namely:

0 program is running or service is OK
3 program is not running
4 program or service status is unknown

for "status" action. Status code 4 is issued when IPA is not configured to distinguish this state from not running IPA.

For other actions, the following non-zero status codes are implemented:

1 generic or unspecified error
2 invalid or excess argument(s)
4 user had insufficient privilege
6 program is not configured

https://fedorahosted.org/freeipa/ticket/1055
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-037-ipactl-error-handling.patch
Type: text/x-patch
Size: 9312 bytes
Desc: not available
URL:

From edewata at redhat.com Mon Mar 7 19:07:24 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 07 Mar 2011 13:07:24 -0600
Subject: [Freeipa-devel] [PATCH] 125 Fixed memory leak caused by certificate dialogs.
Message-ID: <4D752CEC.3050205@redhat.com>

Ticket 1054

--
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0125-Fixed-memory-leak-caused-by-certificate-dialogs.patch
Type: text/x-patch
Size: 17854 bytes
Desc: not available
URL:

From ayoung at redhat.com Mon Mar 7 19:59:53 2011
From: ayoung at redhat.com (Adam Young)
Date: Mon, 07 Mar 2011 14:59:53 -0500
Subject: [Freeipa-devel] [PATCH] 125 Fixed memory leak caused by certificate dialogs.
In-Reply-To: <4D752CEC.3050205@redhat.com>
References: <4D752CEC.3050205@redhat.com>
Message-ID: <4D753939.8090406@redhat.com>

On 03/07/2011 02:07 PM, Endi Sukma Dewata wrote:
> Ticket 1054

ACK. Pushed to master

From admin at transifex.net Mon Mar 7 20:56:31 2011
From: admin at transifex.net (admin at transifex.net)
Date: Mon, 07 Mar 2011 20:56:31 -0000
Subject: [Freeipa-devel] [www.transifex.net] New Team Added: German
Message-ID: <20110307205631.24380.71688@web1.transifex.net>

Hello freeipa, this is Transifex at http://www.transifex.net.

A new translation team called 'German' was added to the 'FreeIPA' project.

Please, visit Transifex at http://www.transifex.net/projects/p/freeipa/team/de/ in order to see this new team.

Always at your service.

--
Transifex -- Open Translation Platform

To change your notification settings, please visit your profile page at http://www.transifex.net/notices/.

From jdennis at redhat.com Mon Mar 7 20:59:34 2011
From: jdennis at redhat.com (John Dennis)
Date: Mon, 7 Mar 2011 15:59:34 -0500
Subject: [Freeipa-devel] [PATCH 23/23] Add Transifex tx client configuration file
Message-ID: <201103072059.p27KxYp5008144@int-mx10.intmail.prod.int.phx2.redhat.com>

--
John Dennis
Looking to carve out IT costs? www.redhat.com/carveoutcosts/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0023-Add-Transifex-tx-client-configuration-file.patch
Type: text/x-patch
Size: 690 bytes
Desc: not available
URL:

From rcritten at redhat.com Mon Mar 7 21:05:46 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 07 Mar 2011 16:05:46 -0500
Subject: [Freeipa-devel] [PATCH 23/23] Add Transifex tx client configuration file
In-Reply-To: <201103072059.p27KxYp5008144@int-mx10.intmail.prod.int.phx2.redhat.com>
References: <201103072059.p27KxYp5008144@int-mx10.intmail.prod.int.phx2.redhat.com>
Message-ID: <4D7548AA.30009@redhat.com>

John Dennis wrote:
>
>

ack, pushed to master

From rcritten at redhat.com Mon Mar 7 21:30:29 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 07 Mar 2011 16:30:29 -0500
Subject: [Freeipa-devel] [PATCH] 750 chkconfig ipa off on uninstall
Message-ID: <4D754E75.9050807@redhat.com>

chkconfig the ipa service to off on uninstall

ticket 1056

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-750-service.patch
Type: application/mbox
Size: 730 bytes
Desc: not available
URL:

From rcritten at redhat.com Mon Mar 7 23:17:23 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 07 Mar 2011 18:17:23 -0500
Subject: [Freeipa-devel] [PATCH] 037 Improve error handling and return status codes in ipactl
In-Reply-To: <1299517671.16178.0.camel@dhcp-25-52.brq.redhat.com>
References: <1299517671.16178.0.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4D756783.1090705@redhat.com>

Martin Kosek wrote:
> There are cases when ipactl returns success even when it fails. Plus,
> when the error really is detected the status codes are not LSB
> compliant. This may result in consequent issues.
>
> This patch improves error handling in ipactl and adds LSB compliant
> status codes. Namely:
>
> 0 program is running or service is OK
> 3 program is not running
> 4 program or service status is unknown
>
> for "status" action. Status code 4 is issued when IPA is not
> configured to distinguish this state from not running IPA.
>
> For other actions, the following non-zero status codes are
> implemented:
>
> 1 generic or unspecified error
> 2 invalid or excess argument(s)
> 4 user had insufficient privilege
> 6 program is not configured
>
> https://fedorahosted.org/freeipa/ticket/1055

Nice work, thanks for documenting this so well.

Ack, pushed to master

rob

From mkosek at redhat.com Tue Mar 8 10:08:52 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 08 Mar 2011 11:08:52 +0100
Subject: [Freeipa-devel] [PATCH] 750 chkconfig ipa off on uninstall
In-Reply-To: <4D754E75.9050807@redhat.com>
References: <4D754E75.9050807@redhat.com>
Message-ID: <1299578932.12471.0.camel@dhcp-25-52.brq.redhat.com>

On Mon, 2011-03-07 at 16:30 -0500, Rob Crittenden wrote:
> chkconfig the ipa service to off on uninstall
>
> ticket 1056
>
> rob

ACK, works fine.

Martin

From mkosek at redhat.com Tue Mar 8 13:49:32 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 08 Mar 2011 14:49:32 +0100
Subject: [Freeipa-devel] [PATCH] 038 ipa-dns-install script fails
Message-ID: <1299592172.12471.1.camel@dhcp-25-52.brq.redhat.com>

This patch fixes a typo in class Service, function __get_conn which causes ipa-dns-install script to fail every time.

https://fedorahosted.org/freeipa/ticket/1065
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-038-ipa-dns-install-script-fails.patch
Type: text/x-patch
Size: 1083 bytes
Desc: not available
URL:

From mkosek at redhat.com Tue Mar 8 15:02:58 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 08 Mar 2011 16:02:58 +0100
Subject: [Freeipa-devel] [PATCH] 748 always stop tracking cert on client uninstall
In-Reply-To: <4D712C1D.4000808@redhat.com>
References: <4D712C1D.4000808@redhat.com>
Message-ID: <1299596578.12471.3.camel@dhcp-25-52.brq.redhat.com>

On Fri, 2011-03-04 at 13:14 -0500, Rob Crittenden wrote:
> certmonger stop_tracking() is robust enough to do the right thing if no
> certificate exists so go ahead and always call it. If the certificate
> failed to be issued for some reason the request will still be in certmonger
> after uninstalling. This would cause problems when trying to reinstall
> the client. This will go ahead and always tell certmonger to stop
> tracking it.
>
> Testing instructions are in the ticket.
>
> ticket 1028
>
> rob

ACK.
Works fine (verified also with the test case in the ticket).

Martin

From mkosek at redhat.com Tue Mar 8 15:07:32 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 08 Mar 2011 16:07:32 +0100
Subject: [Freeipa-devel] [PATCH] 749 use hostname consistently in ipa-client-install
In-Reply-To: <4D750D6B.2010208@redhat.com>
References: <4D716ECE.90302@redhat.com> <20110304233032.GB5261@redhat.com> <4D750D6B.2010208@redhat.com>
Message-ID: <1299596852.12471.8.camel@dhcp-25-52.brq.redhat.com>

On Mon, 2011-03-07 at 11:52 -0500, Rob Crittenden wrote:
> Nalin Dahyabhai wrote:
> > On Fri, Mar 04, 2011 at 05:59:26PM -0500, Rob Crittenden wrote:
> >> If a hostname was provided it wasn't used to configure either
> >> certmonger or sssd. This resulted in a non-working configuration.
> > [snip]
> >> @@ -241,6 +242,81 @@ def stop_tracking(secdir, request_id=None, nickname=None): > >> > >> return (stdout, stderr, returncode) > >> > >> +def _find_ipa_submit_ca(): > >> + """ > >> + Look through all the certmonger CA files to find the one that > >> + defines ipa-submit as the ca_external_helper. > >> + > >> + We can use find_request_value because the ca files have the > >> + same file format. > >> + """ > >> + fileList=os.listdir(CA_DIR) > >> + for file in fileList: > >> + value = find_request_value('%s/%s' % (CA_DIR, file), 'ca_external_helper') > >> + if value is not None and value.startswith('/usr/libexec/certmonger/ipa-submit'): > >> + return '%s/%s' % (CA_DIR, file)
> >
> > This should work, but could I get you to change the test here to look
> > for "id=IPA" instead of
> > "ca_external_helper=/usr/libexec/certmonger/ipa-submit"?
> >
> > The "ipa-getcert" command-line tool is hard-coded to ask certmonger to
> > use the CA with an "id" of "IPA", and that's how certmonger figures out
> > which file's settings to use.
> >
> > I can imagine having another CA configuration for certmonger on the
> > system that told it to call its ipa-submit helper with a different set
> > of arguments. In that setup, the one with "id=IPA" would still be the
> > one that certmonger would use on behalf of ipa-getcert. (I don't have a
> > good idea of _why_ someone would do that, but there you go.)
> >
> > Cheers,
> >
> > Nalin
>
> Good idea, switched to use id=IPA instead.
>
> rob

ACK, nice work.

Tested with ticket 748. Everything worked with both --hostname set and without it, uninstallation was also correct.

I just ran into an issue (not patch related) when certmonger kept showing me CA_UNCONFIGURED certificate tracking status. As we found out, this was caused by SELinux. However, new SELinux policy selinux-policy-3.9.7-33.fc14 should fix it.

Martin

From rcritten at redhat.com Tue Mar 8 15:23:23 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 08 Mar 2011 10:23:23 -0500
Subject: [Freeipa-devel] [PATCH] 748 always stop tracking cert on client uninstall
In-Reply-To: <1299596578.12471.3.camel@dhcp-25-52.brq.redhat.com>
References: <4D712C1D.4000808@redhat.com> <1299596578.12471.3.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4D7649EB.8070301@redhat.com>

Martin Kosek wrote:
> On Fri, 2011-03-04 at 13:14 -0500, Rob Crittenden wrote:
>> certmonger stop_tracking() is robust enough to do the right thing if no
>> certificate exists so go ahead and always call it. If the certificate
>> failed to be issued for some reason the request will still be in certmonger
>> after uninstalling. This would cause problems when trying to reinstall
>> the client. This will go ahead and always tell certmonger to stop
>> tracking it.
>>
>> Testing instructions are in the ticket.
>>
>> ticket 1028
>>
>> rob
>
> ACK.
> Works fine (verified also with the test case in the ticket).
>
> Martin

pushed to master

From rcritten at redhat.com Tue Mar 8 15:24:01 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 08 Mar 2011 10:24:01 -0500
Subject: [Freeipa-devel] [PATCH] 749 use hostname consistently in ipa-client-install
In-Reply-To: <1299596852.12471.8.camel@dhcp-25-52.brq.redhat.com>
References: <4D716ECE.90302@redhat.com> <20110304233032.GB5261@redhat.com> <4D750D6B.2010208@redhat.com> <1299596852.12471.8.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4D764A11.8060308@redhat.com>

Martin Kosek wrote:
> On Mon, 2011-03-07 at 11:52 -0500, Rob Crittenden wrote:
>> Nalin Dahyabhai wrote:
>>> On Fri, Mar 04, 2011 at 05:59:26PM -0500, Rob Crittenden wrote:
>>>> If a hostname was provided it wasn't used to configure either
>>>> certmonger or sssd. This resulted in a non-working configuration.
>>> [snip]
>>>> @@ -241,6 +242,81 @@ def stop_tracking(secdir, request_id=None, nickname=None): >>>> >>>> return (stdout, stderr, returncode) >>>> >>>> +def _find_ipa_submit_ca(): >>>> + """ >>>> + Look through all the certmonger CA files to find the one that >>>> + defines ipa-submit as the ca_external_helper. >>>> + >>>> + We can use find_request_value because the ca files have the >>>> + same file format. >>>> + """ >>>> + fileList=os.listdir(CA_DIR) >>>> + for file in fileList: >>>> + value = find_request_value('%s/%s' % (CA_DIR, file), 'ca_external_helper') >>>> + if value is not None and value.startswith('/usr/libexec/certmonger/ipa-submit'): >>>> + return '%s/%s' % (CA_DIR, file)
>>>
>>> This should work, but could I get you to change the test here to look
>>> for "id=IPA" instead of
>>> "ca_external_helper=/usr/libexec/certmonger/ipa-submit"?
>>>
>>> The "ipa-getcert" command-line tool is hard-coded to ask certmonger to
>>> use the CA with an "id" of "IPA", and that's how certmonger figures out
>>> which file's settings to use.
>>>
>>> I can imagine having another CA configuration for certmonger on the
>>> system that told it to call its ipa-submit helper with a different set
>>> of arguments. In that setup, the one with "id=IPA" would still be the
>>> one that certmonger would use on behalf of ipa-getcert. (I don't have a
>>> good idea of _why_ someone would do that, but there you go.)
>>>
>>> Cheers,
>>>
>>> Nalin
>>
>> Good idea, switched to use id=IPA instead.
>>
>> rob
>
> ACK, nice work.
>
> Tested with ticket 748. Everything worked with both --hostname set and
> without it, uninstallation was also correct.
>
> I just ran into an issue (not patch related) when certmonger kept
> showing me CA_UNCONFIGURED certificate tracking status. As we found out,
> this was caused by SELinux. However, new SELinux policy
> selinux-policy-3.9.7-33.fc14 should fix it.
>
> Martin

I need to do some further investigation to see how this affects other distros; we may need to update the low-bar for selinux policy in our spec file. I'll open a new ticket for that.

pushed to master

From rcritten at redhat.com Tue Mar 8 15:24:21 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 08 Mar 2011 10:24:21 -0500
Subject: [Freeipa-devel] [PATCH] 750 chkconfig ipa off on uninstall
In-Reply-To: <1299578932.12471.0.camel@dhcp-25-52.brq.redhat.com>
References: <4D754E75.9050807@redhat.com> <1299578932.12471.0.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4D764A25.1050907@redhat.com>

Martin Kosek wrote:
> On Mon, 2011-03-07 at 16:30 -0500, Rob Crittenden wrote:
>> chkconfig the ipa service to off on uninstall
>>
>> ticket 1056
>>
>> rob
>
> ACK, works fine.
>
> Martin

pushed to master

From rcritten at redhat.com Tue Mar 8 15:25:13 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 08 Mar 2011 10:25:13 -0500
Subject: [Freeipa-devel] [PATCH] 038 ipa-dns-install script fails
In-Reply-To: <1299592172.12471.1.camel@dhcp-25-52.brq.redhat.com>
References: <1299592172.12471.1.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4D764A59.9090900@redhat.com>

Martin Kosek wrote:
> This patch fixes a typo in class Service, function __get_conn which
> causes ipa-dns-install script to fail every time.
>
> https://fedorahosted.org/freeipa/ticket/1065
>

Ack, pushed to master.

From ayoung at redhat.com Tue Mar 8 18:15:30 2011
From: ayoung at redhat.com (Adam Young)
Date: Tue, 08 Mar 2011 13:15:30 -0500
Subject: [Freeipa-devel] [PATCH] admiyo-0212-selfservice-facets
Message-ID: <4D767242.3070702@redhat.com>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0212-selfservice-facets.patch
Type: text/x-patch
Size: 1764 bytes
Desc: not available
URL:

From ayoung at redhat.com Tue Mar 8 19:13:50 2011
From: ayoung at redhat.com (Adam Young)
Date: Tue, 08 Mar 2011 14:13:50 -0500
Subject: [Freeipa-devel] [PATCH] admiyo-0212-selfservice-facets
In-Reply-To: <4D767242.3070702@redhat.com>
References: <4D767242.3070702@redhat.com>
Message-ID: <4D767FEE.9070201@redhat.com>

On 03/08/2011 01:15 PM, Adam Young wrote:
>
>

NACK. WebUI complains that 'uid is required'.

From ayoung at redhat.com Tue Mar 8 19:15:21 2011
From: ayoung at redhat.com (Adam Young)
Date: Tue, 08 Mar 2011 14:15:21 -0500
Subject: [Freeipa-devel] [PATCH] admiyo-0212-selfservice-facets
In-Reply-To: <4D767242.3070702@redhat.com>
References: <4D767242.3070702@redhat.com>
Message-ID: <4D768049.6050500@redhat.com>

On 03/08/2011 01:15 PM, Adam Young wrote:
>
>

Now manages to pre-populate the pkey for the user.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0212-1-selfservice-facets.patch
Type: text/x-patch
Size: 2355 bytes
Desc: not available
URL:

From edewata at redhat.com Tue Mar 8 19:57:19 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 08 Mar 2011 13:57:19 -0600
Subject: [Freeipa-devel] [PATCH] admiyo-0212-selfservice-facets
In-Reply-To: <4D768049.6050500@redhat.com>
References: <4D767242.3070702@redhat.com> <4D768049.6050500@redhat.com>
Message-ID: <4D768A1F.6000406@redhat.com>

On 3/8/2011 1:15 PM, Adam Young wrote:
> Now manages to pre-populate the pkey for the user.

It pops up 'invalid uid: must be Unicode text'.
The IPA.whoami is an associative array, not a string.

--
Endi S. Dewata

From ayoung at redhat.com Tue Mar 8 20:29:52 2011
From: ayoung at redhat.com (Adam Young)
Date: Tue, 08 Mar 2011 15:29:52 -0500
Subject: [Freeipa-devel] [PATCH] admiyo-0212-selfservice-facets
In-Reply-To: <4D768A1F.6000406@redhat.com>
References: <4D767242.3070702@redhat.com> <4D768049.6050500@redhat.com> <4D768A1F.6000406@redhat.com>
Message-ID: <4D7691C0.6070403@redhat.com>

On 03/08/2011 02:57 PM, Endi Sukma Dewata wrote:
> On 3/8/2011 1:15 PM, Adam Young wrote:
>> Now manages to pre-populate the pkey for the user.
>
> It pops up 'invalid uid: must be Unicode text'.
> The IPA.whoami is an associative array, not a string.
>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0212-2-selfservice-facets.patch
Type: text/x-patch
Size: 2362 bytes
Desc: not available
URL:

From ayoung at redhat.com Tue Mar 8 20:47:12 2011
From: ayoung at redhat.com (Adam Young)
Date: Tue, 08 Mar 2011 15:47:12 -0500
Subject: [Freeipa-devel] [PATCH] admiyo-0212-selfservice-facets
In-Reply-To: <4D768A1F.6000406@redhat.com>
References: <4D767242.3070702@redhat.com> <4D768049.6050500@redhat.com> <4D768A1F.6000406@redhat.com>
Message-ID: <4D7695D0.3060100@redhat.com>

On 03/08/2011 02:57 PM, Endi Sukma Dewata wrote:
> On 3/8/2011 1:15 PM, Adam Young wrote:
>> Now manages to pre-populate the pkey for the user.
>
> It pops up 'invalid uid: must be Unicode text'.
> The IPA.whoami is an associative array, not a string.
>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0212-3-selfservice-facets.patch
Type: text/x-patch
Size: 3321 bytes
Desc: not available
URL:

From edewata at redhat.com Tue Mar 8 21:44:12 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 08 Mar 2011 15:44:12 -0600
Subject: [Freeipa-devel] [PATCH] admiyo-0212-selfservice-facets
In-Reply-To: <4D7695D0.3060100@redhat.com>
References: <4D767242.3070702@redhat.com> <4D768049.6050500@redhat.com> <4D768A1F.6000406@redhat.com> <4D7695D0.3060100@redhat.com>
Message-ID: <4D76A32C.60605@redhat.com>

On 3/8/2011 2:47 PM, Adam Young wrote:
> On 03/08/2011 02:57 PM, Endi Sukma Dewata wrote:
>> On 3/8/2011 1:15 PM, Adam Young wrote:
>>> Now manages to pre-populate the pkey for the user.
>>
>> It pops up 'invalid uid: must be Unicode text'.
>> The IPA.whoami is an associative array, not a string.
>>
>

Attached is a new patch based on our discussion.

--
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0126-2-Fixed-self-service-page.patch
Type: text/x-patch
Size: 3664 bytes
Desc: not available
URL:

From jdennis at redhat.com Tue Mar 8 21:58:26 2011
From: jdennis at redhat.com (John Dennis)
Date: Tue, 08 Mar 2011 16:58:26 -0500
Subject: [Freeipa-devel] Transifex i18n translation changes
Message-ID: <4D76A682.6000403@redhat.com>

Our i18n translations are provided for us by the gracious contributions of translators on transifex.net. Transifex is a translation portal. We've always used transifex.net but recently Transifex upgraded their software to their first 1.0 version and Fedora's translations have moved from a Fedora transifex 0.7 instance to the larger transifex.net 1.0 instance. This means we've made a few changes with how we manage our translations in IPA.

The biggest change is we can now push our pot file changes (a pot file is the English source strings which need translating) to the TX server and we can pull translators' updates to a language translation (e.g. a po file) from the TX server into our git repository. Previously I had manually done this work via email with the translators on transifex.net.

As a developer you may wish to update our pot file (for example if you've added new strings in our source which will need translation) or you may wish to pull any new translations provided by translators into our git repo so that the packages we produce have the latest translations. Both of these can be done with the tx client.

I have already added our project's tx configuration file to our git repo (.tx/config) in our top level directory. You will need a personal tx user configuration file (~/.transifexrc) and an account on transifex.net. You will also need to ask me (or someone else with admin permissions for our project on transifex.net) to add you to the maintainer access control list.

1) Install the transifex-client package

$ sudo yum install transifex-client

but because the transifex-client is new you might need to enable the updates-testing repo to find it

$ sudo yum --enablerepo=updates-testing install transifex-client

There is documentation on using the tx client here: http://help.transifex.net/user-guide/client

(Note, I have already created the project files via 'tx init' and 'tx set'; do not redo this work. You can find our project config file in our git repo as .tx/config)

2) Create an account on transifex.net

https://www.transifex.net/accounts/register/

3) If you want to avoid some typing you can create a personal tx client config file (~/.transifexrc)

$ cd ~
$ tx init # answer the prompts
$ rm -rf .tx # remove the project directory tx init needlessly created

4) Contact me and I'll add you as a maintainer

5) Visit our project page.

http://www.transifex.net/projects/p/freeipa/

If you want to update our pot file:

$ cd install/po
$ make update-pot
$ cd ../..
$ tx push -s

If you want to pull new translations

$ tx pull
$ git commit -a
$ # mail your patch to freeipa-devel

John

--
John Dennis
Looking to carve out IT costs? www.redhat.com/carveoutcosts/

From ayoung at redhat.com Tue Mar 8 22:07:49 2011
From: ayoung at redhat.com (Adam Young)
Date: Tue, 08 Mar 2011 17:07:49 -0500
Subject: [Freeipa-devel] [PATCH] admiyo-0212-selfservice-facets
In-Reply-To: <4D76A32C.60605@redhat.com>
References: <4D767242.3070702@redhat.com> <4D768049.6050500@redhat.com> <4D768A1F.6000406@redhat.com> <4D7695D0.3060100@redhat.com> <4D76A32C.60605@redhat.com>
Message-ID: <4D76A8B5.6090902@redhat.com>

On 03/08/2011 04:44 PM, Endi Sukma Dewata wrote:
> On 3/8/2011 2:47 PM, Adam Young wrote:
>> On 03/08/2011 02:57 PM, Endi Sukma Dewata wrote:
>>> On 3/8/2011 1:15 PM, Adam Young wrote:
>>>> Now manages to pre-populate the pkey for the user.
>>>
>>> It pops up 'invalid uid: must be Unicode text'.
>>> The IPA.whoami is an associative array, not a string.
>>>
>>
>
> Attached is a new patch based on our discussion.
>

ACK for freeipa-edewata-0126-2-Fixed-self-service-page.patch and pushed to master

My patches are superseded by this, and are withdrawn.

From rcritten at redhat.com Thu Mar 10 05:10:32 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 10 Mar 2011 00:10:32 -0500
Subject: [Freeipa-devel] [PATCH] 751 dogtag replication
Message-ID: <4D785D48.3040700@redhat.com>

The replication between dogtag servers wasn't using TLS or SSL. This uses a new option to pkisilent to create replication agreements that use TLS.

The SSL cert we will use is the same as the main 389-ds instance via symbolic link.

I tested with --selfsign, with dogtag and with dogtag signed by an external CA.

ticket 1060

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-751-replication.patch
Type: application/mbox
Size: 11057 bytes
Desc: not available
URL:

From mkosek at redhat.com Thu Mar 10 14:24:07 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 10 Mar 2011 15:24:07 +0100
Subject: [Freeipa-devel] [PATCH] 751 dogtag replication
In-Reply-To: <4D785D48.3040700@redhat.com>
References: <4D785D48.3040700@redhat.com>
Message-ID: <1299767047.10121.14.camel@dhcp-25-52.brq.redhat.com>

On Thu, 2011-03-10 at 00:10 -0500, Rob Crittenden wrote:
> The replication between dogtag servers wasn't using TLS or SSL. This
> uses a new option to pkisilent to create replication agreements that use
> TLS.
>
> The SSL cert we will use is the same as the main 389-ds instance via
> symbolic link.
>
> I tested with --selfsign, with dogtag and with dogtag signed by an
> external CA.
>
> ticket 1060
>
> rob

ACK.

The patch looks OK. I tested the installation process on both F-14 and F-15 (IPA with dogtag + replica, self-signed IPA + replica, IPA with external CA + replica) and the replication was OK.

There were some issues during the testing, but they were found irrelevant in our IRC discussion. I am opening a ticket right now to increase the stability of IPA installation (after the DS restart, wait until the ports are open - then do the ldapmodify commands).

Martin

From rcritten at redhat.com Thu Mar 10 14:57:52 2011
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 10 Mar 2011 09:57:52 -0500 Subject: [Freeipa-devel] [PATCH] 751 dogtag replication In-Reply-To: <1299767047.10121.14.camel@dhcp-25-52.brq.redhat.com> References: <4D785D48.3040700@redhat.com> <1299767047.10121.14.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4D78E6F0.9010607@redhat.com> Martin Kosek wrote: > On Thu, 2011-03-10 at 00:10 -0500, Rob Crittenden wrote: >> The replication between dogtag servers wasn't using TLS or SSL. This >> uses a new option to pkisilent to create replication agreements that use >> TLS. >> >> The SSL cert we will use is the same as the main 389-ds instance via >> symbolic link. >> >> I tested with --selfsign, with dogtag and with dogtag signed by an >> external CA. >> >> ticket 1060 >> >> rob > > ACK. > > The patch looks OK. I tested the installation process on both F-14 and > F-15 (IPA with dogtag + replica, self-signed IPA + replica, IPA with > external CA + replica) and the replication was OK. > > There were some issues during the testing, but they were found > irrelevant in our IRC discussion. I am opening a ticket right now to > increase a stability of IPA installation (after the DS restart, wait > until the ports are open - then do the ldapmodify commands). > > Martin pushed to master From rcritten at redhat.com Thu Mar 10 20:52:14 2011 
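The change discussed in this thread concerns the transport used by the dogtag 389-ds replication agreements. The following is an added example, not FreeIPA or 389-ds project code: it parses LDIF of the kind an administrator exports from cn=config with ldapsearch and lists every nsDS5ReplicationAgreement whose nsDS5ReplicaTransportInfo is not an encrypted transport, which is the check a reviewer would run to confirm that no agreement still replicates in cleartext. The attribute names are the standard 389-ds ones; the LDIF, host names and ports are constructed sample data, and treating a missing nsDS5ReplicaTransportInfo as plain LDAP is an assumption.

```python
"""Audit 389-ds replication agreements for cleartext transport.

Added example (not FreeIPA project code).  Assumes the standard 389-ds
attributes nsDS5ReplicaHost, nsDS5ReplicaPort and nsDS5ReplicaTransportInfo
on nsDS5ReplicationAgreement entries.  The LDIF below is constructed sample
data, not output from a real server.
"""
import base64

# Transport values 389-ds accepts for agreements; anything else (notably the
# plain "LDAP" value) means the replication session is not encrypted.
ENCRYPTED_TRANSPORTS = {"SSL", "TLS", "LDAPS", "STARTTLS"}

# Constructed sample: two agreements for the dogtag instance (port 7389) and
# one for the main IPA instance (port 389).  Two of them still use LDAP.
SAMPLE_LDIF = r"""
dn: cn=meTopki1.example.test,cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
objectClass: top
objectClass: nsDS5ReplicationAgreement
cn: meTopki1.example.test
nsDS5ReplicaHost: pki1.example.test
nsDS5ReplicaPort: 7389
nsDS5ReplicaTransportInfo: LDAP

dn: cn=meTopki2.example.test,cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
objectClass: top
objectClass: nsDS5ReplicationAgreement
cn: meTopki2.example.test
nsDS5ReplicaHost: pki2.example.test
nsDS5ReplicaPort: 7389
nsDS5ReplicaTransportInfo: TLS

dn: cn=meToipa2.example.test,cn=replica,cn=dc\3Dexample\2Cdc\3Dtest,cn=mapping tree,cn=config
objectClass: top
objectClass: nsDS5ReplicationAgreement
cn: meToipa2.example.test
nsDS5ReplicaHost: ipa2.example.test
nsDS5ReplicaPort: 389
nsDS5ReplicaTransportInfo: LDAP
"""


def parse_ldif(text):
    """Parse LDIF text into a list of {attribute: [values]} dicts.

    Attribute names are lower-cased.  Folded continuation lines (leading
    space) are re-joined and base64 values ("attr:: ...") are decoded;
    comments and the version line are skipped.
    """
    entries, current, logical = [], {}, []

    def flush_line():
        if not logical:
            return
        line = "".join(logical)
        logical.clear()
        if line.startswith("#") or line.startswith("version:"):
            return
        attr, sep, value = line.partition(":")
        if not sep:
            return
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr.lower(), []).append(value)

    for raw in text.splitlines():
        if raw.startswith(" "):
            logical.append(raw[1:])  # continuation of the previous line
            continue
        flush_line()
        if raw.strip() == "":
            if current:
                entries.append(current)
                current = {}
            continue
        logical.append(raw)
    flush_line()
    if current:
        entries.append(current)
    return entries


def find_cleartext_agreements(ldif_text):
    """Return (cn, host, port, transport) for every agreement not encrypted.

    A missing nsDS5ReplicaTransportInfo is treated as LDAP (assumption).
    """
    findings = []
    for entry in parse_ldif(ldif_text):
        classes = {c.lower() for c in entry.get("objectclass", [])}
        if "nsds5replicationagreement" not in classes:
            continue
        transport = entry.get("nsds5replicatransportinfo", ["LDAP"])[0].upper()
        if transport not in ENCRYPTED_TRANSPORTS:
            findings.append((entry["cn"][0],
                             entry["nsds5replicahost"][0],
                             int(entry["nsds5replicaport"][0]),
                             transport))
    return findings


if __name__ == "__main__":
    for cn, host, port, transport in find_cleartext_agreements(SAMPLE_LDIF):
        print("cleartext agreement %s -> %s:%d (%s)" % (cn, host, port, transport))
```

Run against a real export by replacing SAMPLE_LDIF with the output of an ldapsearch over cn=mapping tree,cn=config for objectClass=nsDS5ReplicationAgreement; an empty result after the TLS change is what you want to see.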
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 10 Mar 2011 15:52:14 -0500 Subject: [Freeipa-devel] Announcing FreeIPA v2 Server Release Candidate 3 Release Message-ID: <4D7939FE.8070100@redhat.com> To all freeipa-interest, freeipa-users and freeipa-devel list members, The FreeIPA project team is pleased to announce the availability of the Release Candidate 3 release of freeIPA 2.0 server [1]. This should be the last release candidate, becoming the final release if no critical problems are found. * Binaries are available for F-14 and F-15. * Please do not hesitate to share feedback, criticism or bugs with us on our mailing list: freeipa-users at redhat.com Main Highlights of the Release Candidate. This release consists primarily of bug fixes and polish across all areas of the project. Modifications include but are not limited to * i18n improvements * Fixed the self-service page in the WebUI * Use TLS for CA replication * Setting up Winsync agreements has been fixed Focus of the Release Candidate Testing * There was a Fedora test day for FreeIPA on Feb 15th [2]. These tests are still relevant and feedback would be appreciated. We are particularly interested to know if there are any problems setting up replication. * The following section outlines the areas that we are mostly interested to test [3]. Significant Changes Since RC 2 To see all the tickets addressed since the rc2 release see [5]. Repositories and Installation * Use the following link to install the RC 3 packages [4]. * FreeIPA relies on the latest versions of the packages currently available from the updates-testing repository. Please make sure to enable this repository before you proceed with installation. Known Issues: * Installing IPA on Fedora-15 works but can take more time than Fedora 14 due to systemd. It is not recognizing some restarts as being successful so only continues after a 3-minute timeout. We are working on a solution. 
Thank you, The FreeIPA development team [1] http://www.freeipa.org/page/Downloads [2] https://fedoraproject.org/wiki/QA/Fedora_15_test_days [3] https://fedoraproject.org/wiki/Features/FreeIPAv2#How_To_Test [4] http://freeipa.org/downloads/freeipa-devel.repo [5] https://fedorahosted.org/freeipa/milestone/2.0.3.%20Bug%20Fixing%20%28GA%29 Detailed Changelog Adam Young (7): * Revert "Set hard limit on number of commands in batch request to 256." * update API.txt * Use modified entity find commands for associations * fix truncated message * typo in truncation message * type in default text * Better truncated message Endi S. Dewata (13): * Removed association facets based on memberofindirect. * Replaced SUDO with Sudo in UI test data. * Fixed attribute for SUDO command group membership. * Save changes before modifying association. * Fixed host enrollment time * Fixed memory leak caused by IPA.dialog. * Fixed memory leak caused by is_dirty dialogs. * Fixed memory leak caused by reset password dialog. * Fixed memory leak caused by DNS record adder dialog. * Fixed memory leak caused by DNS record deleter dialog. * Fixed memory leak caused by IPA.error_dialog. * Fixed memory leak caused by certificate dialogs. * Fixed self service page. John Dennis (1): * Add Transifex tx client configuration file Martin Kosek (4): * IPA replica/server install does not check for a client * Inconsistent sysrestore file handling by IPA server installer * Improve error handling and return status codes in ipactl * ipa-dns-install script fails Pavel Zuna (10): * Remove deprecated i18n code from ipalib/request and all references to it. * Send Accept-Language header over XML-RPC and translate on server. * Fallback to default locale (en_US) if env. setting is corrupt. * Translate docstrings. * Fix translatable strings in ipalib plugins. * Fix i18n related failures in unit tests. * Use pygettext to generate translatable strings from plugin files. * Final i18n unit test fixes. 
* Fix error in user plugin email normalizer for empty --setattr=email=. * Use ldapi: instead of unsecured ldap: in ipa core tools. Rob Crittenden (12): * Set SuiteSpotGroup when setting up our 389-ds instances. * Use Sudo rather than SUDO as a label. * Replace only if old and new have nothing in common * Need to restart the dogtag 388-ds instance before using it. * Skip DNS validation checks if we're setting up DNS in ipa-server-install. * Fix style and grammatical issues in built-in command help. * Update API to reflect doc change in force parameter in dnszone_add * Always try to stop tracking the server cert when uninstalling client. * If --hostname is provided for ipa-client-install use it everywhere. * chkconfig the ipa service off when it is uninstalled. * Use TLS for dogtag replication agreements. * Become IPA v2 RC 3 (2.0.0.rc3) Simo Sorce (9): * Set the loginShell attribute on winsynced entries if configured * Fix winsync agreements setup * Unbreak the ipa winsync plugin. * Fix user synchronization. * Make activated/inactivated groups optional * Use wrapper for sasl gssapi binds so it behaves like other binds * Fix replica setup using replication admin kerberos credentials * Fix kinit invocation in ipa-client-install * Store list of non-master replicas in DIT and provide way to list them From bob at glumol.com Fri Mar 11 03:22:15 2011 
From: bob at glumol.com (Sylvain Baubeau)
Date: Thu, 10 Mar 2011 21:22:15 -0600
Subject: [Freeipa-devel] Wrong timeout parameter in ipapython
Message-ID:

Hi,

I was facing an error with ipapython that caused an NSPRError exception to be raised at line 159 of ipapython/nsslib.py:

    157             logging.debug("connecting: %s", net_addr)
    158             try:
    159                 self.sock.connect(net_addr, family)
    160             except Exception, e:
    161                 logging.debug("Could not connect socket to %s, error: %s, retrying..",
    162                               net_addr, str(e))

The error message was: [Errno -5990] (PR_IO_TIMEOUT_ERROR) I/O operation timed out.

It seems like the second argument to 'connect' is a timeout, not the socket family. I attached a patch that just removes the second argument. Or am I missing something?

Regards
Sylvain Baubeau

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Removed-wrong-timeout-parameter.patch
Type: application/octet-stream
Size: 982 bytes
Desc: not available
URL:

From rcritten at redhat.com Fri Mar 11 03:44:12 2011
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 10 Mar 2011 22:44:12 -0500 Subject: [Freeipa-devel] Wrong timeout parameter in ipapython In-Reply-To: References: Message-ID: <4D799A8C.6040501@redhat.com> Sylvain Baubeau wrote: > Hi, > > I was facing an error with ipapython that caused an NSPRError exception to > be raised at line 159 of ipapython/nsslib.py : > > 157 logging.debug("connecting: %s", net_addr) > 158 try: > 159 self.sock.connect(net_addr, family) > 160 except Exception, e: > 161 logging.debug("Could not connect socket to %s, > error: %s, retrying..", > 162 net_addr, str(e)) > > The error message was : [Errno -5990] (PR_IO_TIMEOUT_ERROR) I/O operation > timed out. > > It seems like the second argument to 'connect' is a timeout, not the > socket family. I attached a patch that just removes the second argument. > Or am I missing something ? > > Regards > Sylvain Baubeau I'll do a full review tomorrow but it looks like you are correct, this is timeout not family. Under what conditions were you getting the timeout? Are you using IPv4 or IPv6 addresses? thanks rob From jhrozek at redhat.com Fri Mar 11 09:59:06 2011 
From: jhrozek at redhat.com (Jakub Hrozek) Date: Fri, 11 Mar 2011 10:59:06 +0100 Subject: [Freeipa-devel] Wrong timeout parameter in ipapython In-Reply-To: <4D799A8C.6040501@redhat.com> References: <4D799A8C.6040501@redhat.com> Message-ID: <4D79F26A.9020705@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 03/11/2011 04:44 AM, Rob Crittenden wrote: > Sylvain Baubeau wrote: >> Hi, >> >> I was facing an error with ipapython that caused an NSPRError >> exception to >> be raised at line 159 of ipapython/nsslib.py : >> >> 157 logging.debug("connecting: %s", net_addr) >> 158 try: >> 159 self.sock.connect(net_addr, family) >> 160 except Exception, e: >> 161 logging.debug("Could not connect socket to %s, >> error: %s, retrying..", >> 162 net_addr, str(e)) >> >> The error message was : [Errno -5990] (PR_IO_TIMEOUT_ERROR) I/O operation >> timed out. >> >> It seems like the second argument to 'connect' is a timeout, not the >> socket family. I attached a patch that just removes the second argument. >> Or am I missing something ? >> >> Regards >> Sylvain Baubeau > > I'll do a full review tomorrow but it looks like you are correct, this > is timeout not family. Under what conditions were you getting the > timeout? Are you using IPv4 or IPv6 addresses? > > thanks > > rob > Sylvain's patch is correct, Ack. The address family is correctly passed during socket creation. It should not be used during connection. The code worked for us by accident only as the family is an integer, too. Since he's getting timeouts, I'm guessing he's using IPv4 because AF_INET = 4, AF_INET6 = 10. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk158moACgkQHsardTLnvCWHswCgsgeA9TFajU97l3muzzI41u3P 3r8Anim/lNufnsRWklvsOT2w3O0eq4Rf =CDAl -----END PGP SIGNATURE----- From bob at glumol.com Fri Mar 11 10:20:00 2011 
From: bob at glumol.com (Sylvain Baubeau)
Date: Fri, 11 Mar 2011 11:20:00 +0100
Subject: [Freeipa-devel] Wrong timeout parameter in ipapython
In-Reply-To: <4D79F26A.9020705@redhat.com>
References: <4D799A8C.6040501@redhat.com> <4D79F26A.9020705@redhat.com>
Message-ID: <4D79F750.6030708@glumol.com>

Yes, I'm using IPv4.
It's even worse as the constant 'io.PR_AF_INET' (whose value is 2) is used in this case :)

Regards
Sylvain

On 11/03/2011 10:59, Jakub Hrozek wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 03/11/2011 04:44 AM, Rob Crittenden wrote:
>
>> Sylvain Baubeau wrote:
>>
>>> Hi,
>>>
>>> I was facing an error with ipapython that caused an NSPRError
>>> exception to
>>> be raised at line 159 of ipapython/nsslib.py :
>>>
>>> 157 logging.debug("connecting: %s", net_addr)
>>> 158 try:
>>> 159 self.sock.connect(net_addr, family)
>>> 160 except Exception, e:
>>> 161 logging.debug("Could not connect socket to %s,
>>> error: %s, retrying..",
>>> 162 net_addr, str(e))
>>>
>>> The error message was : [Errno -5990] (PR_IO_TIMEOUT_ERROR) I/O operation
>>> timed out.
>>>
>>> It seems like the second argument to 'connect' is a timeout, not the
>>> socket family. I attached a patch that just removes the second argument.
>>> Or am I missing something ?
>>>
>>> Regards
>>> Sylvain Baubeau
>>>
>> I'll do a full review tomorrow but it looks like you are correct, this
>> is timeout not family. Under what conditions were you getting the
>> timeout? Are you using IPv4 or IPv6 addresses?
>>
>> thanks
>>
>> rob
>>
>>
> Sylvain's patch is correct, Ack.
>
> The address family is correctly passed during socket creation. It should
> not be used during connection. The code worked for us by accident only
> as the family is an integer, too.
>
> Since he's getting timeouts, I'm guessing he's using IPv4 because
> AF_INET = 4, AF_INET6 = 10.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.11 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAk158moACgkQHsardTLnvCWHswCgsgeA9TFajU97l3muzzI41u3P
> 3r8Anim/lNufnsRWklvsOT2w3O0eq4Rf
> =CDAl
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
>

From jhrozek at redhat.com Fri Mar 11 10:37:36 2011
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Fri, 11 Mar 2011 11:37:36 +0100
Subject: [Freeipa-devel] Wrong timeout parameter in ipapython
In-Reply-To: <4D79F750.6030708@glumol.com>
References: <4D799A8C.6040501@redhat.com> <4D79F26A.9020705@redhat.com> <4D79F750.6030708@glumol.com>
Message-ID: <4D79FB70.5020106@redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 03/11/2011 11:20 AM, Sylvain Baubeau wrote:
> Yes, I'm using IPv4.
> It's even worse as the constant 'io.PR_AF_INET' (whose value is 2) is
> used in this case :)
>

Right..

Thank you very much for your contribution. I'm guessing we never hit the exception because most of our testing is done on a low-latency network..

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk15+3AACgkQHsardTLnvCXfLgCeNxF9CCeqdV2v9Pi7rLe6XYLB
9mMAnReG7eKMNTJNi83r0j37jojADOBh
=fQrk
-----END PGP SIGNATURE-----

From dpal at redhat.com Fri Mar 11 22:03:15 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 11 Mar 2011 17:03:15 -0500
Subject: [Freeipa-devel] Some observations based on the ad hoc testing
Message-ID: <4D7A9C23.6020002@redhat.com>

Hi,

1) I confirmed that capitalization in the host name makes things not work.
I had a VM with a capital letter in the name.
Everything installed fine but then "ipa" command did not work and the httpd error log was complaining that the host principal was not found.
I uninstalled, changed the name and installed again - the server worked fine.
I think we should fix the ticket or at least do it in release notes.

2) I noticed that the memberOf plugin use changed in IPA. It now lists only direct members and indirect members are stored in the other attribute. Is IPA back end of the SSSD aware of that?

3) Admin is not a part of the ipausers group, is this intentional?

4) There is an argument to make a group a posix group: --posix but the group is already a posix group if created by ipa group-add.
Questions: how to create a non-posix group? How to make a posix group non-posix?

Will continue over the weekend if I have more time.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From rcritten at redhat.com Fri Mar 11 22:29:52 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 11 Mar 2011 17:29:52 -0500
Subject: [Freeipa-devel] Some observations based on the ad hoc testing
In-Reply-To: <4D7A9C23.6020002@redhat.com>
References: <4D7A9C23.6020002@redhat.com>
Message-ID: <4D7AA260.5080707@redhat.com>

Dmitri Pal wrote:
> Hi,
>
> 1) I confirmed that capitalization in the host name makes things not work.
> I had a VM with a capital letter in the name.
> Everything installed fine but then "ipa" command did not work and the
> httpd error log was complaining that the host principal was not found.
> I uninstalled, changed the name and installed again - the server worked
> fine.
> I think we should fix the ticket or at least do it in release notes.

Yes, we'll need to scope it to see if we can fix it soon.

>
> 2) I noticed that the memberOf plugin use changed in IPA. It now lists
> only direct members and indirect members are stored in the other
> attribute. Is IPA back end of the SSSD aware of that?

It just appears that way in the framework. Internally they are all still memberOf.

>
> 3) Admin is not a part of the ipausers group is this intentional?

Yes, admin is a special user.

>
> 4) There is an argument to make a group a posix group: --posix but the
> group is already a posix group if created by ipa group-add.
> Questions: how to create a non-posix group? How to make a posix group
> non-posix?

It must be created as non-posix at creation time with the flag --nonposix. You can't go back. Once a group is posix the only option is to remove it and re-create it.

rob

From admin at transifex.net Mon Mar 14 10:42:08 2011
From: admin at transifex.net (admin at transifex.net) Date: Mon, 14 Mar 2011 10:42:08 -0000 Subject: [Freeipa-devel] [www.transifex.net] Team Creation Requested: Gujarati Message-ID: <20110314104208.27499.43269@web1.transifex.net> Hello freeipa, this is Transifex at http://www.transifex.net. The creation of a translation team 'Gujarati' was requested for the project 'FreeIPA'. Please visit Transifex at http://www.transifex.net/projects/p/freeipa/teams/ in order to manage the teams of the project. Always at your service. -- Transifex -- Open Translation Platform To change your notification settings, please visit your profile page at http://www.transifex.net/notices/. From admin at transifex.net Mon Mar 14 13:31:03 2011 From: admin at transifex.net (admin at transifex.net) Date: Mon, 14 Mar 2011 13:31:03 -0000 Subject: [Freeipa-devel] [www.transifex.net] New Team Added: Gujarati Message-ID: <20110314133103.29335.74693@web1.transifex.net> Hello freeipa, this is Transifex at http://www.transifex.net. A new translation team called 'Gujarati' was added to the 'FreeIPA' project. Please, visit Transifex at http://www.transifex.net/projects/p/freeipa/team/gu/ in order to see this new team. Always at your service. -- Transifex -- Open Translation Platform To change your notification settings, please visit your profile page at http://www.transifex.net/notices/. From pzuna at redhat.com Mon Mar 14 13:53:45 2011 
From: pzuna at redhat.com (Pavel Zuna) Date: Mon, 14 Mar 2011 14:53:45 +0100 Subject: [Freeipa-devel] [PATCH] Update translation files (ipa.pot,*po). Message-ID: <4D7E1DE9.10005@redhat.com> This patch updates files for translators mainly with docstrings (ipa help) and a few normal strings added in the past weeks. I'm pretty sure there was a mail by John with instruction on how to get them to transifex, but I can't find it. :( Pavel -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pzuna-86-updatepot.tar.gz Type: application/x-gzip Size: 837654 bytes Desc: not available URL: From jdennis at redhat.com Mon Mar 14 14:47:08 2011 
From: jdennis at redhat.com (John Dennis) Date: Mon, 14 Mar 2011 10:47:08 -0400 Subject: [Freeipa-devel] [PATCH] Update translation files (ipa.pot, *po). In-Reply-To: <4D7E1DE9.10005@redhat.com> References: <4D7E1DE9.10005@redhat.com> Message-ID: <4D7E2A6C.3060304@redhat.com> On 03/14/2011 09:53 AM, Pavel Zuna wrote: > This patch updates files for translators mainly with docstrings (ipa help) and a > few normal strings added in the past weeks. > > I'm pretty sure there was a mail by John with instruction on how to get them to > transifex, but I can't find it. :( The mail probably said we need to do a 'tx push -s' after updating the pot. I've since updated our transifex ipa resource to point to our pot file in our git repo which I believe means we won't need to do a push. Instead I believe the updated pot will automatically be visible to the translators. I also noticed your patch includes updates to each po file, I don't think this is necessary either. When a translator updates a po from our pot we just simply fetch via 'tx pull'. My understanding is the tx server no longer maintains actual po files, rather they are a 'virtual' view of po based on the existing translation and the current pot. A physical po file is generated on demand when you do a 'tx pull' (or grab it from the website). This is the url to our tx resource http://www.transifex.net/projects/p/freeipa/resource/ipa/ Here is what I suggest we do (I can do this if you wish). We print out a copy of the resource page showing the current state of the pot and the po's. We commit the updated pot to git. We wait a little bit for the tx server to detect our git commit. We compare the resource state from before the commit, it should show a larger pot file and the percent translation for each po should have decreased due to the larger pot. I have made a copy of the current resource state. Please redo the patch so it's just the pot file and commit it to git. I don't see a need for review on pot and po file commits. 
Let me know when the commit has occurred. I'll watch the state on transifex to confirm it's working as expected. Assuming all goes as expected, translators will start updating the po's which we periodically will fetch with 'tx pull'. (All of this would be easier for someone with commit access). -- John Dennis Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From mkosek at redhat.com Mon Mar 14 15:02:27 2011 From: mkosek at redhat.com (Martin Kosek) Date: Mon, 14 Mar 2011 16:02:27 +0100 Subject: [Freeipa-devel] Wrong timeout parameter in ipapython In-Reply-To: <4D79FB70.5020106@redhat.com> References: <4D799A8C.6040501@redhat.com> <4D79F26A.9020705@redhat.com> <4D79F750.6030708@glumol.com> <4D79FB70.5020106@redhat.com> Message-ID: <1300114947.17875.2.camel@dhcp-25-52.brq.redhat.com> On Fri, 2011-03-11 at 11:37 +0100, Jakub Hrozek wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On 03/11/2011 11:20 AM, Sylvain Baubeau wrote: > > Yes, I'm using IPv4. > > It's even worse as the constant 'io.PR_AF_INET' (whose value is 2) is > > used in this case :) > > > > Right.. > > Thank you very much for your contribution. I'm guessing we never hit the > exception because most of our testing is done or a low-latency network.. ACK from me too. I amended the patch to show the ticket number for better tracking in GIT - attached. Rest of the patch left unchanged. Martin -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-sbaubeau-001-removed-wrong-timeout-parameter.patch Type: text/x-patch Size: 1026 bytes Desc: not available URL: From pzuna at redhat.com Mon Mar 14 15:28:48 2011 
From: pzuna at redhat.com (Pavel Zuna) Date: Mon, 14 Mar 2011 16:28:48 +0100 Subject: [Freeipa-devel] [PATCH] Update translation files (ipa.pot, *po). In-Reply-To: <4D7E2A6C.3060304@redhat.com> References: <4D7E1DE9.10005@redhat.com> <4D7E2A6C.3060304@redhat.com> Message-ID: <4D7E3430.8010106@redhat.com> On 03/14/2011 03:47 PM, John Dennis wrote: > On 03/14/2011 09:53 AM, Pavel Zuna wrote: >> This patch updates files for translators mainly with docstrings (ipa >> help) and a >> few normal strings added in the past weeks. >> >> I'm pretty sure there was a mail by John with instruction on how to >> get them to >> transifex, but I can't find it. :( > > The mail probably said we need to do a 'tx push -s' after updating the > pot. I've since updated our transifex ipa resource to point to our pot > file in our git repo which I believe means we won't need to do a push. > Instead I believe the updated pot will automatically be visible to the > translators. > > I also noticed your patch includes updates to each po file, I don't > think this is necessary either. When a translator updates a po from our > pot we just simply fetch via 'tx pull'. My understanding is the tx > server no longer maintains actual po files, rather they are a 'virtual' > view of po based on the existing translation and the current pot. A > physical po file is generated on demand when you do a 'tx pull' (or grab > it from the website). > > This is the url to our tx resource > > http://www.transifex.net/projects/p/freeipa/resource/ipa/ > > Here is what I suggest we do (I can do this if you wish). > > We print out a copy of the resource page showing the current state of > the pot and the po's. We commit the updated pot to git. We wait a little > bit for the tx server to detect our git commit. We compare the resource > state from before the commit, it should show a larger pot file and the > percent translation for each po should have decreased due to the larger > pot. 
> > I have made a copy of the current resource state. > > Please redo the patch so it's just the pot file and commit it to git. I > don't see a need for review on pot and po file commits. Let me know when > the commit has occurred. I'll watch the state on transifex to confirm > it's working as expected. > > Assuming all goes as expected, translators will start updating the po's > which we periodically will fetch with 'tx pull'. (All of this would be > easier for someone with commit access). > > Thanks for info! I created a new patch with only the ipa.pot file updated as you suggested. Pavel -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pzuna-86-2-updatepot.patch Type: application/mbox Size: 217092 bytes Desc: not available URL: From mkosek at redhat.com Mon Mar 14 17:03:30 2011 From: mkosek at redhat.com (Martin Kosek) Date: Mon, 14 Mar 2011 18:03:30 +0100 Subject: [Freeipa-devel] [PATCH] 039 Wait for Directory Server ports to open Message-ID: <1300122210.17875.5.camel@dhcp-25-52.brq.redhat.com> I know this is a 2.1 ticket, but the patch is probably also a solution of #1047 - a 2.0.5 bucket critical bug. ------------ When Directory Server operation is run right after the server restart the listening ports may not be opened yet. This makes the installation fail. This patch fixes this issue by waiting for both secure and insecure Directory Server ports to open after every restart. https://fedorahosted.org/freeipa/ticket/1076 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mkosek-039-wait-for-directory-server-ports-to-open.patch Type: text/x-patch Size: 4170 bytes Desc: not available URL: From adam at younglogic.com Mon Mar 14 19:28:20 2011 
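Two threads on this page touch the same piece of installer plumbing: Sylvain's report that the second argument of connect() in ipapython/nsslib.py is a timeout rather than the address family, and Martin's patch 039, which waits for the Directory Server ports to open after a restart before issuing the ldapmodify commands. The following is an added example, not FreeIPA code; it uses Python's standard socket module in place of python-nss. It shows the family being fixed when the socket is created and the timeout being set separately before connect, and an installer-style wait_for_ports() that polls until every port accepts a connection or a deadline passes. The local listener, host and ports are constructed for the demonstration; a listener that is bound but not yet listening stands in for a server still starting up.

```python
"""Connect with an explicit timeout and wait for a server's ports to open.

Added example, not FreeIPA project code.  Standard socket module instead of
python-nss; the listener below is a constructed stand-in for 389-ds.
"""
import socket
import threading
import time


def connect_with_timeout(host, port, family=socket.AF_INET, timeout=5.0):
    """Open a TCP connection to host:port.

    The address family is a property of the socket and is fixed at creation;
    the timeout is a separate setting applied before connect.  Returns the
    connected socket, or None if the peer refused, was unreachable or did not
    answer within `timeout` seconds.
    """
    sock = socket.socket(family, socket.SOCK_STREAM)  # family belongs here
    sock.settimeout(timeout)                           # timeout belongs here
    try:
        sock.connect((host, port))
    except (OSError, socket.timeout):
        sock.close()
        return None
    sock.settimeout(None)  # back to blocking mode for the caller
    return sock


def wait_for_ports(host, ports, deadline_seconds, interval=0.2):
    """Poll until every port in `ports` accepts a connection.

    Returns True once all ports are open, False if the deadline passes first.
    Each probe uses a short connect timeout so a half-started server cannot
    stall the caller beyond the deadline.
    """
    deadline = time.monotonic() + deadline_seconds
    pending = set(ports)
    while pending:
        for port in sorted(pending):
            sock = connect_with_timeout(host, port, timeout=min(1.0, interval * 5))
            if sock is not None:
                sock.close()
                pending.discard(port)
        if not pending:
            return True
        if time.monotonic() >= deadline:
            return False
        time.sleep(interval)
    return True


def start_listener(delay=0.0):
    """Start a throwaway IPv4 listener on a free port after `delay` seconds.

    Constructed stand-in for a directory server whose ports only open some
    time after a restart: the port is bound immediately (so connects are
    refused, not stolen by another process) but listen() happens later.
    Returns the port number right away.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    port = srv.getsockname()[1]

    def run():
        time.sleep(delay)
        srv.listen(5)
        srv.settimeout(0.5)
        end = time.monotonic() + 10.0
        while time.monotonic() < end:
            try:
                conn, _ = srv.accept()
                conn.close()
            except socket.timeout:
                continue
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


if __name__ == "__main__":
    # socket.AF_INET is 2, the same value Sylvain saw io.PR_AF_INET carry
    # into the timeout slot; here it only ever reaches socket().
    port = start_listener(delay=0.5)
    print("AF_INET =", socket.AF_INET)
    print("open immediately?", connect_with_timeout("127.0.0.1", port, timeout=0.3) is not None)
    print("open within 5 s?", wait_for_ports("127.0.0.1", [port], deadline_seconds=5.0))
```

In an installer the call would sit right after the service restart, with the deadline chosen generously and both the plain and the secure port in the list, so that the subsequent LDAP operations never race the server's startup.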
From: adam at younglogic.com (Adam Young) Date: Mon, 14 Mar 2011 15:28:20 -0400 Subject: [Freeipa-devel] [PATCH] admiyo-0213-Domain-to-Realm Message-ID: <4D7E6C54.5030900@younglogic.com> Even though my name is on the patch, Simo wrote it and is the author in the patch. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0213-1-Domain-to-Realm.patch Type: text/x-patch Size: 3129 bytes Desc: not available URL: From edewata at redhat.com Mon Mar 14 19:26:32 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Mon, 14 Mar 2011 14:26:32 -0500 Subject: [Freeipa-devel] [PATCH] Removed nested role from UI. Message-ID: <4D7E6BE8.3000304@redhat.com> Nested role is not supported in 2.0.x, so the association facet for it should be removed from the UI. The attribute_members in role.py needs to be fixed because it is used to generate the association facet automatically. Ticket 1092. -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0127-Removed-nested-role-from-UI.patch Type: text/x-patch Size: 1073 bytes Desc: not available URL: From jdennis at redhat.com Mon Mar 14 19:31:18 2011 From: jdennis at redhat.com (John Dennis) Date: Mon, 14 Mar 2011 15:31:18 -0400 Subject: [Freeipa-devel] [PATCH] Update translation files (ipa.pot, *po). In-Reply-To: <4D7E3430.8010106@redhat.com> References: <4D7E1DE9.10005@redhat.com> <4D7E2A6C.3060304@redhat.com> <4D7E3430.8010106@redhat.com> Message-ID: <4D7E6D06.1000509@redhat.com> On 03/14/2011 11:28 AM, Pavel Zuna wrote: > I created a new patch with only the ipa.pot file updated as you suggested. I haven't seen a commit for this though. -- John Dennis Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From rcritten at redhat.com Mon Mar 14 20:33:47 2011 
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 14 Mar 2011 16:33:47 -0400
Subject: [Freeipa-devel] [PATCH] 752 fix SELinux AVCs
Message-ID: <4D7E7BAB.700@redhat.com>

Fix SELinux errors caused by enabling TLS on dogtag 389-ds instance.

This fixes 2 AVCs:

* One because we are enabling port 7390 because an SSL port must be defined to use TLS on 7389.
* We were symlinking to the main IPA 389-ds NSS certificate database. Instead generate a separate NSS database and certificate and have certmonger track it separately.

I also noticed some variable inconsistency in cainstance.py. Everywhere else we use self.fqdn and that was using self.host_name. I found it confusing so I fixed it.

ticket 1085

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-752-selinux.patch
Type: application/mbox
Size: 18896 bytes
Desc: not available
URL:

From ayoung at redhat.com Tue Mar 15 01:37:00 2011
From: ayoung at redhat.com (Adam Young)
Date: Mon, 14 Mar 2011 21:37:00 -0400
Subject: [Freeipa-devel] [PATCH] Removed nested role from UI.
In-Reply-To: <4D7E6BE8.3000304@redhat.com>
References: <4D7E6BE8.3000304@redhat.com>
Message-ID: <4D7EC2BC.4010805@redhat.com>

On 03/14/2011 03:26 PM, Endi Sukma Dewata wrote:
> Nested role is not supported in 2.0.x, so the association facet
> for it should be removed from the UI. The attribute_members in
> role.py needs to be fixed because it is used to generate the
> association facet automatically.
>
> Ticket 1092.
>
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

ACK 1 of 3

Built and tested it on F14. The nested roles are gone from the role facet lists.

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From rcritten at redhat.com Tue Mar 15 01:45:29 2011
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 14 Mar 2011 21:45:29 -0400 Subject: [Freeipa-devel] [PATCH] admiyo-0213-Domain-to-Realm In-Reply-To: <4D7E6C54.5030900@younglogic.com> References: <4D7E6C54.5030900@younglogic.com> Message-ID: <4D7EC4B9.3090505@redhat.com> Adam Young wrote: > Even though my name is on the patch, Simo wrote it and is the author in > the patch. This looks good I just have one question. Is it not safe to assume that the default kerberos realm is the realm? I think that is where any realm that would be passed into this would be determined as well. rob From mkosek at redhat.com Tue Mar 15 09:26:36 2011 From: mkosek at redhat.com (Martin Kosek) Date: Tue, 15 Mar 2011 10:26:36 +0100 Subject: [Freeipa-devel] [PATCH] admiyo-0213-Domain-to-Realm In-Reply-To: <4D7E6C54.5030900@younglogic.com> References: <4D7E6C54.5030900@younglogic.com> Message-ID: <1300181196.3763.2.camel@dhcp-25-52.brq.redhat.com> On Mon, 2011-03-14 at 15:28 -0400, Adam Young wrote: > Even though my name is on the patch, Simo wrote it and is the author in > the patch. > Patch looks good. Installation and replication with a realm different to domain name works like a charm now. Martin From ssorce at redhat.com Tue Mar 15 12:11:14 2011 
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 15 Mar 2011 08:11:14 -0400
Subject: [Freeipa-devel] [PATCH] admiyo-0213-Domain-to-Realm
In-Reply-To: <4D7EC4B9.3090505@redhat.com>
References: <4D7E6C54.5030900@younglogic.com> <4D7EC4B9.3090505@redhat.com>
Message-ID: <20110315081114.1c19a1b4@willson.li.ssimo.org>

On Mon, 14 Mar 2011 21:45:29 -0400
Rob Crittenden wrote:

> Adam Young wrote:
> > Even though my name is on the patch, Simo wrote it and is the
> > author in the patch.
>
> This looks good I just have one question. Is it not safe to assume
> that the default kerberos realm is the realm? I think that is where
> any realm that would be passed into this would be determined as well.

The problem is that we run the ldap updates code to enable the compat plugin before we run the kerberos instance installation. So the default realm still reflects the pristine contents of krb5.conf (EXAMPLE.COM) and not the final configuration.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From pzuna at redhat.com Mon Mar 14 12:42:09 2011
From: pzuna at redhat.com (Pavel Zuna)
Date: Mon, 14 Mar 2011 13:42:09 +0100
Subject: [Freeipa-devel] [PATCH] Update translation files (ipa.pot,*po).
Message-ID: <4D7E0D21.8030304@redhat.com>

This patch updates files for translators mainly with docstrings (ipa help) and a few normal strings added in the past weeks.

I'm pretty sure there was a mail by John with instructions on how to get them to transifex, but I can't find it. :(

Pavel

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pzuna-86-updatepot.patch
Type: application/mbox
Size: 4230742 bytes
Desc: not available
URL:

From rcritten at redhat.com Tue Mar 15 13:22:25 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 15 Mar 2011 09:22:25 -0400
Subject: [Freeipa-devel] [PATCH] 753 honor domain and server flags in client install
Message-ID: <4D7F6811.9000401@redhat.com>

We now use TLS for the LDAP connection so we need to fetch the IPA CA remotely very early in the process. Because we weren't honoring the server flags when doing DNS discovery we didn't know where to fetch the CA from.

ticket 1090

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-753-client.patch
Type: application/mbox
Size: 1616 bytes
Desc: not available
URL:

From ayoung at redhat.com Tue Mar 15 13:34:54 2011
From: ayoung at redhat.com (Adam Young)
Date: Tue, 15 Mar 2011 09:34:54 -0400
Subject: [Freeipa-devel] [PATCH] admiyo-0213-Domain-to-Realm
In-Reply-To: <1300181196.3763.2.camel@dhcp-25-52.brq.redhat.com>
References: <4D7E6C54.5030900@younglogic.com> <1300181196.3763.2.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4D7F6AFE.6050400@redhat.com>

On 03/15/2011 05:26 AM, Martin Kosek wrote:
> On Mon, 2011-03-14 at 15:28 -0400, Adam Young wrote:
>> Even though my name is on the patch, Simo wrote it and is the author in
>> the patch.
>>
> Patch looks good. Installation and replication with a realm different to
> domain name works like a charm now.
>
> Martin
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

Can I consider that 3 ACKs?

From dpal at redhat.com Tue Mar 15 13:56:37 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Tue, 15 Mar 2011 09:56:37 -0400
Subject: [Freeipa-devel] [PATCH] admiyo-0213-Domain-to-Realm
In-Reply-To: <4D7F6AFE.6050400@redhat.com>
References: <4D7E6C54.5030900@younglogic.com> <1300181196.3763.2.camel@dhcp-25-52.brq.redhat.com> <4D7F6AFE.6050400@redhat.com>
Message-ID: <4D7F7015.8020705@redhat.com>

On 03/15/2011 09:34 AM, Adam Young wrote:
> On 03/15/2011 05:26 AM, Martin Kosek wrote:
>> On Mon, 2011-03-14 at 15:28 -0400, Adam Young wrote:
>>> Even though my name is on the patch, Simo wrote it and is the author in
>>> the patch.
>>>
>> Patch looks good. Installation and replication with a realm different to
>> domain name works like a charm now.
>>
>> Martin
>>
> Can I consider that 3 ACKs?

Please do not push it yet.
Do we have a corresponding BZ?

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From ayoung at redhat.com Tue Mar 15 14:03:51 2011
From: ayoung at redhat.com (Adam Young)
Date: Tue, 15 Mar 2011 10:03:51 -0400
Subject: [Freeipa-devel] [PATCH] admiyo-0213-Domain-to-Realm
In-Reply-To: <4D7F7015.8020705@redhat.com>
References: <4D7E6C54.5030900@younglogic.com> <1300181196.3763.2.camel@dhcp-25-52.brq.redhat.com> <4D7F6AFE.6050400@redhat.com> <4D7F7015.8020705@redhat.com>
Message-ID: <4D7F71C7.3050806@redhat.com>

On 03/15/2011 09:56 AM, Dmitri Pal wrote:
> On 03/15/2011 09:34 AM, Adam Young wrote:
>> On 03/15/2011 05:26 AM, Martin Kosek wrote:
>>> On Mon, 2011-03-14 at 15:28 -0400, Adam Young wrote:
>>>> Even though my name is on the patch, Simo wrote it and is the author in
>>>> the patch.
>>>>
>>> Patch looks good. Installation and replication with a realm different to
>>> domain name works like a charm now.
>>>
>>> Martin
>>>
>> Can I consider that 3 ACKs?
> Please do not push it yet.
> Do we have a corresponding BZ?

Yes, and it is linked in the patch:

https://bugzilla.redhat.com/show_bug.cgi?id=684690

From dpal at redhat.com Tue Mar 15 14:04:53 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Tue, 15 Mar 2011 10:04:53 -0400
Subject: [Freeipa-devel] [PATCH] admiyo-0213-Domain-to-Realm
In-Reply-To: <4D7F71C7.3050806@redhat.com>
References: <4D7E6C54.5030900@younglogic.com> <1300181196.3763.2.camel@dhcp-25-52.brq.redhat.com> <4D7F6AFE.6050400@redhat.com> <4D7F7015.8020705@redhat.com> <4D7F71C7.3050806@redhat.com>
Message-ID: <4D7F7205.2010108@redhat.com>

On 03/15/2011 10:03 AM, Adam Young wrote:
> On 03/15/2011 09:56 AM, Dmitri Pal wrote:
>> On 03/15/2011 09:34 AM, Adam Young wrote:
>>> On 03/15/2011 05:26 AM, Martin Kosek wrote:
>>>> On Mon, 2011-03-14 at 15:28 -0400, Adam Young wrote:
>>>>> Even though my name is on the patch, Simo wrote it and is the
>>>>> author in
>>>>> the patch.
>>>>>
>>>> Patch looks good. Installation and replication with a realm
>>>> different to
>>>> domain name works like a charm now.
>>>>
>>>> Martin
>>>>
>>> Can I consider that 3 ACKs?
>> Please do not push it yet.
>> Do we have a corresponding BZ?
> Yes, and it is linked in the patch:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=684690
>

Sorry, got confused with the other UI bug on the list. Please proceed with this one.

From rcritten at redhat.com Tue Mar 15 14:16:02 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 15 Mar 2011 10:16:02 -0400
Subject: [Freeipa-devel] [PATCH] admiyo-0213-Domain-to-Realm
In-Reply-To: <4D7F6AFE.6050400@redhat.com>
References: <4D7E6C54.5030900@younglogic.com> <1300181196.3763.2.camel@dhcp-25-52.brq.redhat.com> <4D7F6AFE.6050400@redhat.com>
Message-ID: <4D7F74A2.2080902@redhat.com>

Adam Young wrote:
> On 03/15/2011 05:26 AM, Martin Kosek wrote:
>> On Mon, 2011-03-14 at 15:28 -0400, Adam Young wrote:
>>> Even though my name is on the patch, Simo wrote it and is the author in
>>> the patch.
>>>
>> Patch looks good. Installation and replication with a realm different to
>> domain name works like a charm now.
>>
>> Martin
>>
> Can I consider that 3 ACKs?

Yes, push it.

rob

From ayoung at redhat.com Tue Mar 15 14:51:18 2011
From: ayoung at redhat.com (Adam Young)
Date: Tue, 15 Mar 2011 10:51:18 -0400
Subject: [Freeipa-devel] [PATCH] admiyo-0213-Domain-to-Realm
In-Reply-To: <4D7F74A2.2080902@redhat.com>
References: <4D7E6C54.5030900@younglogic.com> <1300181196.3763.2.camel@dhcp-25-52.brq.redhat.com> <4D7F6AFE.6050400@redhat.com> <4D7F74A2.2080902@redhat.com>
Message-ID: <4D7F7CE6.1040800@redhat.com>

On 03/15/2011 10:16 AM, Rob Crittenden wrote:
> Adam Young wrote:
>> On 03/15/2011 05:26 AM, Martin Kosek wrote:
>>> On Mon, 2011-03-14 at 15:28 -0400, Adam Young wrote:
>>>> Even though my name is on the patch, Simo wrote it and is the
>>>> author in
>>>> the patch.
>>>>
>>> Patch looks good. Installation and replication with a realm
>>> different to
>>> domain name works like a charm now.
>>>
>>> Martin
>>>
>> Can I consider that 3 ACKs?
>
> Yes, push it.
>
> rob

Pushed to master

From ayoung at redhat.com Tue Mar 15 15:03:19 2011
From: ayoung at redhat.com (Adam Young)
Date: Tue, 15 Mar 2011 11:03:19 -0400
Subject: [Freeipa-devel] [PATCH] 753 honor domain and server flags in client install
In-Reply-To: <4D7F6811.9000401@redhat.com>
References: <4D7F6811.9000401@redhat.com>
Message-ID: <4D7F7FB7.60803@redhat.com>

On 03/15/2011 09:22 AM, Rob Crittenden wrote:
> We now use TLS for the LDAP connection so we need to fetch the IPA CA
> remotely very early in the process. Because we weren't honoring the
> server flags when doing DNS discovery we didn't know where to fetch
> the CA from.
>
> ticket 1090
>
> rob
>

Patched code can be simplified like this.

-------------- next part --------------
An HTML attachment was scrubbed...
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-753-1-client.patch
Type: text/x-patch
Size: 2049 bytes
Desc: not available
URL:

From jdennis at redhat.com Tue Mar 15 15:59:07 2011
From: jdennis at redhat.com (John Dennis)
Date: Tue, 15 Mar 2011 11:59:07 -0400
Subject: [Freeipa-devel] [PATCH] 753 honor domain and server flags in client install
In-Reply-To: <4D7F7FB7.60803@redhat.com>
References: <4D7F6811.9000401@redhat.com> <4D7F7FB7.60803@redhat.com>
Message-ID: <4D7F8CCB.8070100@redhat.com>

On 03/15/2011 11:03 AM, Adam Young wrote:
> On 03/15/2011 09:22 AM, Rob Crittenden wrote:
>> We now use TLS for the LDAP connection so we need to fetch the IPA CA
>> remotely very early in the process. Because we weren't honoring the
>> server flags when doing DNS discovery we didn't know where to fetch
>> the CA from.
>>
>> ticket 1090
>>
>> rob
>>
> Patched code can be simplified like this.
>

ACK

--
John Dennis

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From ayoung at redhat.com Tue Mar 15 16:36:01 2011
From: ayoung at redhat.com (Adam Young)
Date: Tue, 15 Mar 2011 12:36:01 -0400
Subject: [Freeipa-devel] [PATCH] 753 honor domain and server flags in client install
In-Reply-To: <4D7F8CCB.8070100@redhat.com>
References: <4D7F6811.9000401@redhat.com> <4D7F7FB7.60803@redhat.com> <4D7F8CCB.8070100@redhat.com>
Message-ID: <4D7F9571.3060109@redhat.com>

On 03/15/2011 11:59 AM, John Dennis wrote:
> On 03/15/2011 11:03 AM, Adam Young wrote:
>> On 03/15/2011 09:22 AM, Rob Crittenden wrote:
>>> We now use TLS for the LDAP connection so we need to fetch the IPA CA
>>> remotely very early in the process. Because we weren't honoring the
>>> server flags when doing DNS discovery we didn't know where to fetch
>>> the CA from.
>>>
>>> ticket 1090
>>>
>>> rob
>>>
>> Patched code can be simplified like this.
>>
>
> ACK
>

ACK #2

From ayoung at redhat.com Tue Mar 15 16:49:09 2011
From: ayoung at redhat.com (Adam Young)
Date: Tue, 15 Mar 2011 12:49:09 -0400
Subject: [Freeipa-devel] [PATCH] 753 honor domain and server flags in client install
In-Reply-To: <4D7F9571.3060109@redhat.com>
References: <4D7F6811.9000401@redhat.com> <4D7F7FB7.60803@redhat.com> <4D7F8CCB.8070100@redhat.com> <4D7F9571.3060109@redhat.com>
Message-ID: <4D7F9885.7050604@redhat.com>

On 03/15/2011 12:36 PM, Adam Young wrote:
> On 03/15/2011 11:59 AM, John Dennis wrote:
>> On 03/15/2011 11:03 AM, Adam Young wrote:
>>> On 03/15/2011 09:22 AM, Rob Crittenden wrote:
>>>> We now use TLS for the LDAP connection so we need to fetch the IPA CA
>>>> remotely very early in the process. Because we weren't honoring the
>>>> server flags when doing DNS discovery we didn't know where to fetch
>>>> the CA from.
>>>>
>>>> ticket 1090
>>>>
>>>> rob
>>>>
>>> Patched code can be simplified like this.
>>>
>>
>> ACK
>>
> ACK #2
>

Pushed to master

From pzuna at redhat.com Tue Mar 15 18:05:50 2011
From: pzuna at redhat.com (Pavel Zuna)
Date: Tue, 15 Mar 2011 19:05:50 +0100
Subject: [Freeipa-devel] [PATCH] 039 Wait for Directory Server ports to open
In-Reply-To: <1300122210.17875.5.camel@dhcp-25-52.brq.redhat.com>
References: <1300122210.17875.5.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4D7FAA7E.2090103@redhat.com>

On 03/14/2011 06:03 PM, Martin Kosek wrote:
> I know this is a 2.1 ticket, but the patch is probably also a solution
> of #1047 - a 2.0.5 bucket critical bug.
>
> ------------
> When Directory Server operation is run right after the server restart
> the listening ports may not be opened yet. This makes the installation
> fail.
>
> This patch fixes this issue by waiting for both secure and insecure
> Directory Server ports to open after every restart.
>
> https://fedorahosted.org/freeipa/ticket/1076
>

ACK.

Seems to also fix #1047, as I couldn't reproduce after this patch was applied.

Pavel

From pzuna at redhat.com Tue Mar 15 18:06:15 2011
From: pzuna at redhat.com (Pavel Zuna)
Date: Tue, 15 Mar 2011 19:06:15 +0100
Subject: [Freeipa-devel] [PATCH] 752 fix SELinux AVCs
In-Reply-To: <4D7E7BAB.700@redhat.com>
References: <4D7E7BAB.700@redhat.com>
Message-ID: <4D7FAA97.7070106@redhat.com>

On 03/14/2011 09:33 PM, Rob Crittenden wrote:
> Fix SELinux errors caused by enabling TLS on dogtag 389-ds instance.
>
> This fixes 2 AVCs:
>
> * One because we are enabling port 7390 because an SSL port must be
> defined to use TLS on 7389.
> * We were symlinking to the main IPA 389-ds NSS certificate database.
> Instead generate a separate NSS database and certificate and have
> certmonger track it separately
>
> I also noticed some variable inconsistency in cainstance.py. Everywhere
> else we use self.fqdn and that was using self.host_name. I found it
> confusing so I fixed it.
>
> ticket 1085
>

ACK!!

Pavel

From rcritten at redhat.com Tue Mar 15 18:10:11 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 15 Mar 2011 14:10:11 -0400
Subject: [Freeipa-devel] [PATCH] 752 fix SELinux AVCs
In-Reply-To: <4D7FAA97.7070106@redhat.com>
References: <4D7E7BAB.700@redhat.com> <4D7FAA97.7070106@redhat.com>
Message-ID: <4D7FAB83.7060600@redhat.com>

Pavel Zuna wrote:
> On 03/14/2011 09:33 PM, Rob Crittenden wrote:
>> Fix SELinux errors caused by enabling TLS on dogtag 389-ds instance.
>>
>> This fixes 2 AVCs:
>>
>> * One because we are enabling port 7390 because an SSL port must be
>> defined to use TLS on 7389.
>> * We were symlinking to the main IPA 389-ds NSS certificate database.
>> Instead generate a separate NSS database and certificate and have
>> certmonger track it separately
>>
>> I also noticed some variable inconsistency in cainstance.py. Everywhere
>> else we use self.fqdn and that was using self.host_name. I found it
>> confusing so I fixed it.
>>
>> ticket 1085
>>
>
> ACK!!
>
> Pavel

Thanks, pushed to master

From JR.Aquino at citrix.com Tue Mar 15 18:25:52 2011
From: JR.Aquino at citrix.com (JR Aquino)
Date: Tue, 15 Mar 2011 18:25:52 +0000
Subject: [Freeipa-devel] [PATCH] 039 Wait for Directory Server ports to open
In-Reply-To: <4D7FAA7E.2090103@redhat.com>
References: <1300122210.17875.5.camel@dhcp-25-52.brq.redhat.com> <4D7FAA7E.2090103@redhat.com>
Message-ID: <3E5098B4-E1B4-4C9C-8B21-1A1E21A3EF03@citrixonline.com>

On Mar 15, 2011, at 11:05 AM, Pavel Zuna wrote:
> On 03/14/2011 06:03 PM, Martin Kosek wrote:
>> I know this is a 2.1 ticket, but the patch is probably also a solution
>> of #1047 - a 2.0.5 bucket critical bug.
>>
>> ------------
>> When Directory Server operation is run right after the server restart
>> the listening ports may not be opened yet. This makes the installation
>> fail.
>>
>> This patch fixes this issue by waiting for both secure and insecure
>> Directory Server ports to open after every restart.
>>
>> https://fedorahosted.org/freeipa/ticket/1076
>>
>
> ACK.
>
> Seems to also fix #1047, as I couldn't reproduce after this patch was applied.
>
> Pavel

RE: 1047, I still seem to have an issue with the patch applied, but let me do a fresh reinstall and report back regarding 1047.

From mkosek at redhat.com Tue Mar 15 18:34:45 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 15 Mar 2011 19:34:45 +0100
Subject: [Freeipa-devel] [PATCH] 752 fix SELinux AVCs
In-Reply-To: <4D7FAB83.7060600@redhat.com>
References: <4D7E7BAB.700@redhat.com> <4D7FAA97.7070106@redhat.com> <4D7FAB83.7060600@redhat.com>
Message-ID: <1300214085.3095.7.camel@dhcp-25-52.brq.redhat.com>

On Tue, 2011-03-15 at 14:10 -0400, Rob Crittenden wrote:
> Pavel Zuna wrote:
> > On 03/14/2011 09:33 PM, Rob Crittenden wrote:
> >> Fix SELinux errors caused by enabling TLS on dogtag 389-ds instance.
> >>
> >> This fixes 2 AVCs:
> >>
> >> * One because we are enabling port 7390 because an SSL port must be
> >> defined to use TLS on 7389.
> >> * We were symlinking to the main IPA 389-ds NSS certificate database.
> >> Instead generate a separate NSS database and certificate and have
> >> certmonger track it separately
> >>
> >> I also noticed some variable inconsistency in cainstance.py. Everywhere
> >> else we use self.fqdn and that was using self.host_name. I found it
> >> confusing so I fixed it.
> >>
> >> ticket 1085
> >>
> >
> > ACK!!
> >
> > Pavel
>
> Thanks, pushed to master
>

Great, good job with the patch btw. I tested the patch and it worked for me too. Still, I noticed some strange behavior of our installation connected with SELinux context, I may raise a bug for this one. This may have been related to the new SELinux policy I used.

Are we going to increase the low bar for selinux-policy when the update selinux-policy-3.9.7-33 is released? It fixes SELinux AVCs related to certmonger. I don't know if Pavel tested certmonger in his review, but I needed to have selinux-policy-3.9.7-33 to make it work with enforcing SELinux.

Martin

From mkosek at redhat.com Tue Mar 15 19:45:17 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 15 Mar 2011 20:45:17 +0100
Subject: [Freeipa-devel] [PATCH] 039 Wait for Directory Server ports to open
In-Reply-To: <3E5098B4-E1B4-4C9C-8B21-1A1E21A3EF03@citrixonline.com>
References: <1300122210.17875.5.camel@dhcp-25-52.brq.redhat.com> <4D7FAA7E.2090103@redhat.com> <3E5098B4-E1B4-4C9C-8B21-1A1E21A3EF03@citrixonline.com>
Message-ID: <1300218317.3095.15.camel@dhcp-25-52.brq.redhat.com>

On Tue, 2011-03-15 at 18:25 +0000, JR Aquino wrote:
> On Mar 15, 2011, at 11:05 AM, Pavel Zuna wrote:
>
> > On 03/14/2011 06:03 PM, Martin Kosek wrote:
> >> I know this is a 2.1 ticket, but the patch is probably also a solution
> >> of #1047 - a 2.0.5 bucket critical bug.
> >>
> >> ------------
> >> When Directory Server operation is run right after the server restart
> >> the listening ports may not be opened yet. This makes the installation
> >> fail.
> >>
> >> This patch fixes this issue by waiting for both secure and insecure
> >> Directory Server ports to open after every restart.
> >>
> >> https://fedorahosted.org/freeipa/ticket/1076
> >>
> >
> > ACK.
> >
> > Seems to also fix #1047, as I couldn't reproduce after this patch was applied.
> >
> > Pavel
>
> RE: 1047, I still seem to have an issue with the patch applied, but let me do a fresh reinstall and report back regarding 1047.

That's a good idea. Even though this patch fixes #1076, I am now not sure if it fixes #1047 too. We need to know the real root cause of #1047 - if it is really caused by unopened ports 389,636 after the Directory Server restart.

If you get some useful logs in your test on a fresh reinstall (different from the ones already attached in the Trac), please send them too.

Martin

From rcritten at redhat.com Wed Mar 16 22:05:59 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 16 Mar 2011 18:05:59 -0400
Subject: [Freeipa-devel] [PATCH] 754 ensure hostnames are lower-case
Message-ID: <4D813447.5010602@redhat.com>

If a hostname has mixed case in /etc/hosts or a mixed-case name is passed into either the client or host installer we need to prevent installation. The hostname should be lower-case, otherwise all sorts of odd problems will happen.

ticket 1080

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-754-hostname.patch
Type: application/mbox
Size: 2623 bytes
Desc: not available
URL:

From mkosek at redhat.com Thu Mar 17 10:02:54 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 17 Mar 2011 11:02:54 +0100
Subject: [Freeipa-devel] [PATCH] 754 ensure hostnames are lower-case
In-Reply-To: <4D813447.5010602@redhat.com>
References: <4D813447.5010602@redhat.com>
Message-ID: <1300356174.29997.6.camel@dhcp-25-52.brq.redhat.com>

On Wed, 2011-03-16 at 18:05 -0400, Rob Crittenden wrote:
> If a hostname has mixed case in /etc/hosts or a mixed-case name is
> passed into either the client or host installer we need to prevent
> installation. The hostname should be lower-case, otherwise all sorts of
> odd problems will happen.
>
> ticket 1080
>
> rob

Patch is OK, but I think that the "Check /etc/hosts." part of the error message may be confusing.

The mixed-case hostname we are complaining about doesn't have to be read from /etc/hosts. It may be passed for example by the --hostname parameter or set on a machine by the `hostname` command.

Martin

From rcritten at redhat.com Thu Mar 17 14:24:17 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 17 Mar 2011 10:24:17 -0400
Subject: [Freeipa-devel] [PATCH] 754 ensure hostnames are lower-case
In-Reply-To: <1300356174.29997.6.camel@dhcp-25-52.brq.redhat.com>
References: <4D813447.5010602@redhat.com> <1300356174.29997.6.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4D821991.5000107@redhat.com>

Martin Kosek wrote:
> On Wed, 2011-03-16 at 18:05 -0400, Rob Crittenden wrote:
>> If a hostname has mixed case in /etc/hosts or a mixed-case name is
>> passed into either the client or host installer we need to prevent
>> installation. The hostname should be lower-case, otherwise all sorts of
>> odd problems will happen.
>>
>> ticket 1080
>>
>> rob
>
> Patch is OK, but I think that the "Check /etc/hosts." part of the error
> message may be confusing.
>
> The mixed-case hostname we are complaining about doesn't have to be
> read from /etc/hosts. It may be passed for example by the --hostname
> parameter or set on a machine by the `hostname` command.
>
> Martin
>

Updated patch with the Check part removed.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-754-2-hostname.patch
Type: application/mbox
Size: 2587 bytes
Desc: not available
URL:

From mkosek at redhat.com Thu Mar 17 14:30:35 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 17 Mar 2011 15:30:35 +0100
Subject: [Freeipa-devel] [PATCH] 754 ensure hostnames are lower-case
In-Reply-To: <4D821991.5000107@redhat.com>
References: <4D813447.5010602@redhat.com> <1300356174.29997.6.camel@dhcp-25-52.brq.redhat.com> <4D821991.5000107@redhat.com>
Message-ID: <1300372235.29997.20.camel@dhcp-25-52.brq.redhat.com>

On Thu, 2011-03-17 at 10:24 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > On Wed, 2011-03-16 at 18:05 -0400, Rob Crittenden wrote:
> >> If a hostname has mixed case in /etc/hosts or a mixed-case name is
> >> passed into either the client or host installer we need to prevent
> >> installation. The hostname should be lower-case, otherwise all sorts of
> >> odd problems will happen.
> >>
> >> ticket 1080
> >>
> >> rob
> >
> > Patch is OK, but I think that the "Check /etc/hosts." part of the error
> > message may be confusing.
> >
> > The mixed-case hostname we are complaining about doesn't have to be
> > read from /etc/hosts. It may be passed for example by the --hostname
> > parameter or set on a machine by the `hostname` command.
> >
> > Martin
> >
>
> Updated patch with the Check part removed.
>
> rob

ACK.

Martin

From rcritten at redhat.com Thu Mar 17 21:10:22 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 17 Mar 2011 17:10:22 -0400
Subject: [Freeipa-devel] [PATCH] 755 upgrade IPA on installation
Message-ID: <4D8278BE.7080202@redhat.com>

Re-enable ldapi code in ipa-ldap-updater and remove the searchbase restriction when run in --upgrade mode. This allows us to autobind, giving root Directory Manager powers.

This also:
* corrects the ipa-ldap-updater man page
* removes the automatic --realm, --server, --domain options
* handles upgrade errors properly
* saves a copy of dse.ldif before we change it so it can be recovered
* fixes an error discovered by pylint

ticket 1087

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-755-upgrade.patch
Type: application/mbox
Size: 14223 bytes
Desc: not available
URL:

From ayoung at redhat.com Fri Mar 18 00:03:14 2011
From: ayoung at redhat.com (Adam Young)
Date: Thu, 17 Mar 2011 20:03:14 -0400
Subject: [Freeipa-devel] Determine KDC for a website
Message-ID: <4D82A142.5060506@redhat.com>

I'm trying to figure out what should happen in the following case:

A user goes to a website that they've never visited before.
The site is using Kerberos, and thus the browser gets back a "Negotiate" response.

At this point, the browser chops the hostname off the URL and requests the TXT record for "_kerberos."+domain
This gives the browser back the REALM.

Now, there seems to be an understanding that the default REALM to domain mapping should be REALM.to_lower.

Now to find the KDC for the server, I can do a DNS query for the SRV record

"_kerberos._udp." + domain.

However, when I have a krb5 conf setup that does not explicitly set the kdc value below....

[realms]
  AYOUNG.BOSTON.DEVEL.REDHAT.COM = {
    kdc = ipa14.ayoung.boston.devel.redhat.com:88
  }

...I cannot kinit against the realm AYOUNG.BOSTON.DEVEL.REDHAT.COM.
I've confirmed that I can query my IPA server's DNS server and get the appropriate records.

Is there a step I am missing, or is this lookup not supported in the library?
Is there some way I can better debug this?

From ayoung at redhat.com Fri Mar 18 00:04:08 2011
From: ayoung at redhat.com (Adam Young)
Date: Thu, 17 Mar 2011 20:04:08 -0400
Subject: [Freeipa-devel] admiyo-0214-1-pwpolicy-priority
Message-ID: <4D82A178.1020202@redhat.com>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0214-1-pwpolicy-priority.patch
Type: text/x-patch
Size: 1706 bytes
Desc: not available
URL:

From edewata at redhat.com Fri Mar 18 02:01:03 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 17 Mar 2011 21:01:03 -0500
Subject: [Freeipa-devel] admiyo-0214-1-pwpolicy-priority
In-Reply-To: <4D82A178.1020202@redhat.com>
References: <4D82A178.1020202@redhat.com>
Message-ID: <4D82BCDF.4060606@redhat.com>

On 3/17/2011 7:04 PM, Adam Young wrote:
>

Some issues:

1. There's a jslint warning.

2. Try creating a new password policy, then edit and change the priority. When you click Update the priority will get updated but the field will become read only.
   https://fedorahosted.org/freeipa/ticket/1103

3. Try changing another field, then click Update. It will fail saying:
   invalid 'priority': priority must be a unique ( already by ).
   https://fedorahosted.org/freeipa/ticket/1104

Issues #2 and #3 will only become a problem if we have a priority field in the details page. If we change the patch to fix only the dialog box and leave the details page without the priority field like before we probably could postpone these bugs to 2.1.

--
Endi S. Dewata

From mkosek at redhat.com Fri Mar 18 09:04:27 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 18 Mar 2011 10:04:27 +0100
Subject: [Freeipa-devel] Determine KDC for a website
In-Reply-To: <4D82A142.5060506@redhat.com>
References: <4D82A142.5060506@redhat.com>
Message-ID: <1300439067.32656.9.camel@dhcp-25-52.brq.redhat.com>

On Thu, 2011-03-17 at 20:03 -0400, Adam Young wrote:
> I'm trying to figure out what should happen in the following case:
>
>
> A user goes to a website that they've never visited before.
> The site is using Kerberos, and thus the browser gets back a "Negotiate"
> response.
>
> At this point, the browser chops the hostname off the URL and requests
> the TXT record for "_kerberos."+domain
> This gives the browser back the REALM.
>
>
> Now, there seems to be an understanding that the default REALM to domain
> mapping should be REALM.to_lower.

Yeah, Kerberos does this. This resulted in #1100 yesterday.

>
> Now to find the KDC for the server, I can do a DNS query for the SRV
> record
>
> "_kerberos._udp." + domain.

Correct.

>
>
> However, when I have a krb5 conf setup that does not explicitly set the
> kdc value below....
>
> [realms]
>   AYOUNG.BOSTON.DEVEL.REDHAT.COM = {
>     kdc = ipa14.ayoung.boston.devel.redhat.com:88
>   }

Hm... This is the configuration that IPA client installation produces, and KDC autodiscovery works for me with it:

[libdefaults]
  default_realm = TESTRELM
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  TESTRELM = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .idm.lab.bos.redhat.com = TESTRELM
  idm.lab.bos.redhat.com = TESTRELM

[appdefaults]
  pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
  }

> ...I cannot kinit against the realm AYOUNG.BOSTON.DEVEL.REDHAT.COM.
> I've confirmed that I can query my IPA server's DNS server and get the
> appropriate records.
>
> Is there a step I am missing, or is this lookup not supported in the
> library?
> Is there some way I can better debug this?

What does your DNS log show? I enabled DNS queries to be logged in my "named" and `kinit admin@TESTRELM` with the above configuration made the following queries:

18-Mar-2011 10:00:50.617 client 10.16.78.142#51316: query: _kerberos._udp.TESTRELM IN SRV + (10.16.78.111)
18-Mar-2011 10:00:50.621 client 10.16.78.142#60264: query: kdc.testrelm IN A + (10.16.78.111)
18-Mar-2011 10:00:50.621 client 10.16.78.142#60264: query: kdc.testrelm IN AAAA + (10.16.78.111)
18-Mar-2011 10:00:50.622 client 10.16.78.142#35208: query: _kerberos._tcp.TESTRELM IN SRV + (10.16.78.111)
18-Mar-2011 10:00:50.628 client 10.16.78.142#54654: query: _kerberos-master._udp.TESTRELM IN SRV + (10.16.78.111)
18-Mar-2011 10:00:50.630 client 10.16.78.142#54235: query: kdc.testrelm IN A + (10.16.78.111)
18-Mar-2011 10:00:50.649 client 10.16.78.142#49681: query: _kerberos-master._udp.TESTRELM IN SRV + (10.16.78.111)
18-Mar-2011 10:00:50.650 client 10.16.78.142#57950: query: _kerberos-master._tcp.TESTRELM IN SRV + (10.16.78.111)
18-Mar-2011 10:00:51.062 client 10.16.78.142#54733: query: vm-111.idm.lab.bos.redhat.com IN A + (10.16.78.111)
18-Mar-2011 10:00:51.063 client 10.16.78.142#46147: query: 111.78.16.10.in-addr.arpa IN PTR + (10.16.78.111)
...

And it successfully logs in to the Kerberos realm.

Martin

From mkosek at redhat.com Fri Mar 18 12:52:27 2011
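The discovery flow Adam describes and Martin's named log point at, as an added example (not FreeIPA or MIT krb5 code): walk up the site's domain asking for the TXT record `_kerberos.<domain>` to get the realm, then ask for SRV `_kerberos._udp.<REALM>` (falling back to `_tcp`) to get the KDCs, and parse a named query log to confirm the client actually issued that SRV lookup. The zone records in `SAMPLE_ZONE` are constructed (the TESTRELM realm and vm-111 host name are borrowed from the thread, the records themselves are made up) so the code runs offline.

```python
"""Kerberos realm/KDC discovery over DNS, modelled on the thread above.

Added example, not FreeIPA or MIT krb5 code.  A constructed in-memory
zone (SAMPLE_ZONE) stands in for real DNS so this runs offline.
"""
import re
from urllib.parse import urlsplit

# Constructed zone data (not real records).  Keys: (lower-cased qname, qtype).
SAMPLE_ZONE = {
    ("_kerberos.idm.lab.bos.redhat.com", "TXT"): ["TESTRELM"],
    # SRV data: (priority, weight, port, target)
    ("_kerberos._udp.testrelm", "SRV"): [(0, 100, 88, "vm-111.idm.lab.bos.redhat.com")],
    ("_kerberos._tcp.testrelm", "SRV"): [(0, 100, 88, "vm-111.idm.lab.bos.redhat.com")],
}


def dns_query(zone, qname, qtype, trace):
    """Resolve one (qname, qtype) against the zone and record it in trace.
    DNS names are case-insensitive, so the zone is keyed on lower case."""
    trace.append((qname, qtype))
    return zone.get((qname.lower(), qtype), [])


def realm_for_host(hostname, zone, trace):
    """Walk from the host name up through its parent domains asking for
    _kerberos.<name> TXT; the first answer names the realm, None if no
    domain on the path publishes one (stops before the bare TLD)."""
    labels = hostname.rstrip(".").lower().split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        txt = dns_query(zone, "_kerberos." + candidate, "TXT", trace)
        if txt:
            return txt[0]
    return None


def kdcs_for_realm(realm, zone, trace):
    """Ask for _kerberos._udp.<REALM> SRV (the first query in Martin's log),
    fall back to _tcp, and return (host, port) pairs ordered by priority,
    then descending weight.  Empty list if the realm publishes no KDC."""
    for service in ("_kerberos._udp", "_kerberos._tcp"):
        srv = dns_query(zone, f"{service}.{realm}", "SRV", trace)
        if srv:
            ordered = sorted(srv, key=lambda r: (r[0], -r[1]))
            return [(target, port) for _prio, _weight, port, target in ordered]
    return []


def discover_kdc(url, zone=SAMPLE_ZONE):
    """Browser-side flow: URL -> host -> realm (TXT) -> KDC list (SRV).
    The returned 'queries' list is what a DNS log should show."""
    trace = []
    host = urlsplit(url).hostname or ""
    realm = realm_for_host(host, zone, trace)
    kdcs = kdcs_for_realm(realm, zone, trace) if realm else []
    return {"host": host, "realm": realm, "kdcs": kdcs, "queries": trace}


# Debugging aid for Martin's "what does your DNS log show?": extract the
# (qname, qtype) pairs from BIND query-log lines so they can be compared
# with the expected flow above.
_QUERY_RE = re.compile(r"query: (?P<qname>\S+) IN (?P<qtype>[A-Z]+) ")


def parse_named_queries(log_text):
    """Return [(qname, qtype)] for every 'query:' entry in a named log."""
    return [(m.group("qname"), m.group("qtype"))
            for m in _QUERY_RE.finditer(log_text)]


def kdc_lookup_seen(queries, realm):
    """True if the client asked for a KDC SRV record of the given realm."""
    wanted = {f"_kerberos._udp.{realm}".lower(), f"_kerberos._tcp.{realm}".lower()}
    return any(q.lower() in wanted and t == "SRV" for q, t in queries)


# Two lines taken from the named log quoted in the thread.
NAMED_LOG_SAMPLE = """\
18-Mar-2011 10:00:50.617 client 10.16.78.142#51316: query: _kerberos._udp.TESTRELM IN SRV + (10.16.78.111)
18-Mar-2011 10:00:50.621 client 10.16.78.142#60264: query: kdc.testrelm IN A + (10.16.78.111)
"""

if __name__ == "__main__":
    result = discover_kdc("https://vm-111.idm.lab.bos.redhat.com/ipa/ui")
    print(result)
    print(kdc_lookup_seen(parse_named_queries(NAMED_LOG_SAMPLE), "TESTRELM"))
```

A realm that resolves but whose KDC SRV lookup is missing from the log is the failure mode Adam hit: the client never asked DNS for the KDC, which points at `dns_lookup_kdc` being off in krb5.conf rather than at the zone.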
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 18 Mar 2011 13:52:27 +0100
Subject: [Freeipa-devel] [PATCH] 755 upgrade IPA on installation
In-Reply-To: <4D8278BE.7080202@redhat.com>
References: <4D8278BE.7080202@redhat.com>
Message-ID: <1300452747.32656.22.camel@dhcp-25-52.brq.redhat.com>

On Thu, 2011-03-17 at 17:10 -0400, Rob Crittenden wrote:
> Re-enable ldapi code in ipa-ldap-updater and remove the searchbase
> restriction when run in --upgrade mode. This allows us to autobind
> giving root Directory Manager powers.
>
> This also:
> * corrects the ipa-ldap-updater man page
> * remove automatic --realm, --server, --domain options
> * handle upgrade errors properly
> * saves a copy of dse.ldif before we change it so it can be recovered
> * fixes an error discovered by pylint
>
> ticket 1087
>
> rob

NACK.

Patch is promising, ipa-ldap-updater --upgrade works just fine. The
upgrade was also correctly executed after I did the RPM upgrade.

But I have hit two issues:

1) When ipa-ldap-updater is run as a regular user on a configured IPA
server I get the following error:

$ ipa-ldap-updater
IPA is not configured on this system.

This is because a regular user cannot access /var/lib/ipa/sysrestore/. I
guess we should either use another method of detecting installed IPA or
make the script root-only (as we do with other scripts taking advantage
of fstore).

2) I get a stacktrace when I run ipa-ldap-updater with --ldapi:

$ sudo ipa-ldap-updater --ldapi
Traceback (most recent call last):
  File "/usr/sbin/ipa-ldap-updater", line 125, in
    sys.exit(main())
  File "/usr/sbin/ipa-ldap-updater", line 111, in main
    ld = LDAPUpdate(dm_password=dirman_password, sub_dict={}, live_run=not options.test, ldapi=options.ldapi)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 125, in __init__
    conn.do_external_bind(self.pw_name)
  File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 360, in do_external_bind
    self.__lateinit()
  File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 260, in __lateinit
    [ 'nsslapd-directory' ])
  File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 378, in getEntry
    raise errors.NotFound(reason=notfound(args))
ipalib.errors.NotFound: * not found

I know that --ldapi did not work before the patch either, it just
crashed with another stacktrace. But it would be nice to fix this one.

Martin

From ayoung at redhat.com Fri Mar 18 13:57:54 2011
From: ayoung at redhat.com (Adam Young)
Date: Fri, 18 Mar 2011 09:57:54 -0400
Subject: [Freeipa-devel] admiyo-0214-1-pwpolicy-priority
In-Reply-To: <4D82BCDF.4060606@redhat.com>
References: <4D82A178.1020202@redhat.com> <4D82BCDF.4060606@redhat.com>
Message-ID: <4D8364E2.7060502@redhat.com>

On 03/17/2011 10:01 PM, Endi Sukma Dewata wrote:
> On 3/17/2011 7:04 PM, Adam Young wrote:
>>
>
> Some issues:
>
> 1. There's a jslint warning.
>
> 2. Try creating a new password policy, then edit and change the
> priority. When you click Update the priority will get updated but the
> field will become read only.
>
> https://fedorahosted.org/freeipa/ticket/1103
>
> 3. Try changing another field, then click Update. It will fail saying:
> invalid 'priority': priority must be a unique ( already by
> ).
>
> https://fedorahosted.org/freeipa/ticket/1104
>
> Issue #2 and #3 will only become a problem if we have a priority field
> in the details page. If we change the patch to fix only the dialog box
> and leave the details page without the priority field like before we
> probably could postpone these bugs into 2.1.

This is basically the same patch as the first one, but without the JSL
messages.

[Attachment: freeipa-admiyo-0214-2-pwpolicy-priority.patch (text/x-patch, 1563 bytes)]

From rcritten at redhat.com Fri Mar 18 14:27:25 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 18 Mar 2011 10:27:25 -0400
Subject: [Freeipa-devel] [PATCH] 755 upgrade IPA on installation
In-Reply-To: <1300452747.32656.22.camel@dhcp-25-52.brq.redhat.com>
References: <4D8278BE.7080202@redhat.com> <1300452747.32656.22.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4D836BCD.3000203@redhat.com>

Martin Kosek wrote:
> On Thu, 2011-03-17 at 17:10 -0400, Rob Crittenden wrote:
>> Re-enable ldapi code in ipa-ldap-updater and remove the searchbase
>> restriction when run in --upgrade mode. This allows us to autobind
>> giving root Directory Manager powers.
>>
>> This also:
>> * corrects the ipa-ldap-updater man page
>> * remove automatic --realm, --server, --domain options
>> * handle upgrade errors properly
>> * saves a copy of dse.ldif before we change it so it can be recovered
>> * fixes an error discovered by pylint
>>
>> ticket 1087
>>
>> rob
>
> NACK.
>
> Patch is promising, ipa-ldap-updater --upgrade works just fine. The
> upgrade was also correctly executed after I did the RPM upgrade.
>
> But I have hit two issues:
>
> 1) When ipa-ldap-updater is run as a regular user on a configured IPA
> server I get the following error:
>
> $ ipa-ldap-updater
> IPA is not configured on this system.
>
> This is because a regular user cannot access /var/lib/ipa/sysrestore/. I
> guess we should either use another method of detecting installed IPA or
> make the script root-only (as we do with other scripts taking advantage
> of fstore).
>
> 2) I get a stacktrace when I run ipa-ldap-updater with --ldapi:
>
> $ sudo ipa-ldap-updater --ldapi
> Traceback (most recent call last):
>   File "/usr/sbin/ipa-ldap-updater", line 125, in
>     sys.exit(main())
>   File "/usr/sbin/ipa-ldap-updater", line 111, in main
>     ld = LDAPUpdate(dm_password=dirman_password, sub_dict={}, live_run=not options.test, ldapi=options.ldapi)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 125, in __init__
>     conn.do_external_bind(self.pw_name)
>   File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 360, in do_external_bind
>     self.__lateinit()
>   File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 260, in __lateinit
>     [ 'nsslapd-directory' ])
>   File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 378, in getEntry
>     raise errors.NotFound(reason=notfound(args))
> ipalib.errors.NotFound: * not found
>
> I know that --ldapi did not work before the patch either, it just
> crashed with another stacktrace. But it would be nice to fix this one.
>
> Martin

Issues addressed.

I'm going to do a best-possible check for IPA installation when non-root
but stick with the fstore when doing it as root. This is because it is
more important because it may be done automatically in rpm.

rob

[Attachment: freeipa-rcrit-755-2-upgrade.patch (application/mbox, 15774 bytes)]

From edewata at redhat.com Fri Mar 18 14:43:02 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 18 Mar 2011 09:43:02 -0500
Subject: [Freeipa-devel] admiyo-0214-1-pwpolicy-priority
In-Reply-To: <4D8364E2.7060502@redhat.com>
References: <4D82A178.1020202@redhat.com> <4D82BCDF.4060606@redhat.com> <4D8364E2.7060502@redhat.com>
Message-ID: <4D836F76.2000800@redhat.com>

On 3/18/2011 8:57 AM, Adam Young wrote:
> On 03/17/2011 10:01 PM, Endi Sukma Dewata wrote:
>> On 3/17/2011 7:04 PM, Adam Young wrote:
>> Some issues:
>>
>> 1. There's a jslint warning.
>>
>> 2. Try creating a new password policy, then edit and change the
>> priority. When you click Update the priority will get updated but the
>> field will become read only.
>>
>> https://fedorahosted.org/freeipa/ticket/1103
>>
>> 3. Try changing another field, then click Update. It will fail saying:
>> invalid 'priority': priority must be a unique ( already by
>> ).
>>
>> https://fedorahosted.org/freeipa/ticket/1104
>>
>> Issue #2 and #3 will only become a problem if we have a priority field
>> in the details page. If we change the patch to fix only the dialog box
>> and leave the details page without the priority field like before we
>> probably could postpone these bugs into 2.1.
>>
> This is basically the same patch as the first one, but without the JSL
> messages.

ACK. The patch fixes ticket #1102 (adder dialog). We still need to add
the priority field into the details page (will open a new ticket), but
that can be done in 2.1 after fixing issue #2 and #3 above.

--
Endi S. Dewata

From nalin at redhat.com Fri Mar 18 14:53:43 2011
From: nalin at redhat.com (Nalin Dahyabhai)
Date: Fri, 18 Mar 2011 10:53:43 -0400
Subject: [Freeipa-devel] Determine KDC for a website
In-Reply-To: <4D82A142.5060506@redhat.com>
References: <4D82A142.5060506@redhat.com>
Message-ID: <20110318145343.GA17838@redhat.com>

On Thu, Mar 17, 2011 at 08:03:14PM -0400, Adam Young wrote:
> I'm trying to figure out what should happen in the following case;
>
> A user goes to a website that they've never visited before.
> The site is using Kerberos, and thus the browser gets back a
> "Negotiate" response.
>
> At this point, the browser chops the hostname off the URL and
> requests the TXT record for "_kerberos."+domain
> This gives the browser back the REALM.

The client will only consult DNS here if "dns_lookup_realm" is enabled
in the [libdefaults] section of your krb5.conf.

If the client's KDC is capable of issuing referrals and "knows" that the
web server host is a member of a particular realm, then the client will
trust that its KDC is pointing it in the right direction, regardless of
what's in DNS.

> Now, there seems to be an understanding that the default REALM to
> domain mapping should be REALM.to_lower.
>
> Now to find the KDC for the server, I can do a DNS query for the
> SRV record
>
> "_kerberos._udp." + domain.

Section 7.2.3 of rfc4120 describes this in more detail.

> However, when I have a krb5 conf setup that does not explicitly set
> the kdc value below....
>
> [realms]
> AYOUNG.BOSTON.DEVEL.REDHAT.COM = {
> kdc = ipa14.ayoung.boston.devel.redhat.com:88
> }
>
> ...I cannot kinit against the realm AYOUNG.BOSTON.DEVEL.REDHAT.COM.
> I've confirmed that I can query my IPA server's DNS server and get
> the appropriate records.
>
> Is there a step I am missing, or is this lookup not supported in the
> library? Is there some way I can better debug this?

Is your client configured to consult DNS in this way? Specifically, is
"dns_lookup_kdc" enabled in the [libdefaults] section?

HTH,

Nalin

From ayoung at redhat.com Fri Mar 18 15:15:26 2011
From: ayoung at redhat.com (Adam Young)
Date: Fri, 18 Mar 2011 11:15:26 -0400
Subject: [Freeipa-devel] Determine KDC for a website
In-Reply-To: <20110318145343.GA17838@redhat.com>
References: <4D82A142.5060506@redhat.com> <20110318145343.GA17838@redhat.com>
Message-ID: <4D83770E.30807@redhat.com>

On 03/18/2011 10:53 AM, Nalin Dahyabhai wrote:
> On Thu, Mar 17, 2011 at 08:03:14PM -0400, Adam Young wrote:
>> I'm trying to figure out what should happen in the following case;
>>
>> A user goes to a website that they've never visited before.
>> The site is using Kerberos, and thus the browser gets back a
>> "Negotiate" response.
>>
>> At this point, the browser chops the hostname off the URL and
>> requests the TXT record for "_kerberos."+domain
>> This gives the browser back the REALM.
> The client will only consult DNS here if "dns_lookup_realm" is enabled
> in the [libdefaults] section of your krb5.conf.
>
> If the client's KDC is capable of issuing referrals and "knows" that the
> web server host is a member of a particular realm, then the client will
> trust that its KDC is pointing it in the right direction, regardless of
> what's in DNS.
>
>> Now, there seems to be an understanding that the default REALM to
>> domain mapping should be REALM.to_lower.
>>
>> Now to find the KDC for the server, I can do a DNS query for the
>> SRV record
>>
>> "_kerberos._udp." + domain.
> Section 7.2.3 of rfc4120 describes this in more detail.
>
>> However, when I have a krb5 conf setup that does not explicitly set
>> the kdc value below....
>>
>> [realms]
>> AYOUNG.BOSTON.DEVEL.REDHAT.COM = {
>> kdc = ipa14.ayoung.boston.devel.redhat.com:88
>> }
>>
>> ...I cannot kinit against the realm AYOUNG.BOSTON.DEVEL.REDHAT.COM.
>> I've confirmed that I can query my IPA server's DNS server and get
>> the appropriate records.
>>
>> Is there a step I am missing, or is this lookup not supported in the
>> library? Is there some way I can better debug this?
> Is your client configured to consult DNS in this way? Specifically, is
> "dns_lookup_kdc" enabled in the [libdefaults] section?

Both dns_lookup_kdc and dns_lookup_realm were set to false. Once I set
them to true, it worked. Thanks.

> HTH,
>
> Nalin

From rcritten at redhat.com Fri Mar 18 15:21:19 2011
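The lookup path this thread settles on, replayed in code. This is an added example, not FreeIPA or MIT krb5 code: it walks the _kerberos.<domain> TXT and _kerberos._udp.<REALM> SRV records from a constructed in-memory zone (the zone contents, the vm-112 backup KDC and the dict form of krb5.conf are assumptions), and shows that with dns_lookup_realm and dns_lookup_kdc off and no kdc line in [realms], the client ends up with nothing to contact.

```python
"""Realm and KDC discovery through DNS, replayed the way a Kerberos client
library does it when krb5.conf allows.  Added example, not FreeIPA or MIT krb5
code; the zone is constructed to mirror the queries in the named log above."""
import random

# Constructed zone: (owner name, record type) -> records.  TXT records carry the
# realm name; SRV records are (priority, weight, port, target).
ZONE = {
    ("_kerberos.idm.lab.bos.redhat.com", "TXT"): ["TESTRELM"],
    ("_kerberos._udp.TESTRELM", "SRV"): [
        (0, 100, 88, "vm-111.idm.lab.bos.redhat.com"),
        (10, 100, 88, "vm-112.idm.lab.bos.redhat.com"),  # constructed backup KDC
    ],
}

# Mirrors the krb5.conf the IPA client installer wrote (Martin's message):
# no kdc = line in [realms], so the KDC has to be found through DNS.
IPA_CLIENT_CONF = {
    "libdefaults": {"dns_lookup_realm": True, "dns_lookup_kdc": True},
    "realms": {"TESTRELM": {}},
    "domain_realm": {".idm.lab.bos.redhat.com": "TESTRELM",
                     "idm.lab.bos.redhat.com": "TESTRELM"},
}
# The same client with both lookups off and no [domain_realm] map: the kind
# of setup in which kinit could not locate a KDC in this thread.
NO_DNS_CONF = {"libdefaults": {"dns_lookup_realm": False, "dns_lookup_kdc": False},
               "realms": {"TESTRELM": {}}}


def dns_query(zone, name, rtype):
    """Stand-in for a stub resolver; owner names compare case-insensitively."""
    for (owner, owner_type), records in zone.items():
        if owner_type == rtype and owner.lower() == name.lower().rstrip("."):
            return list(records)
    return []


def parent_domains(hostname):
    """'www.idm.lab.bos.redhat.com' -> ['idm.lab.bos.redhat.com', 'lab.bos.redhat.com', ...]"""
    labels = hostname.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(1, len(labels))]


def realm_for_host(hostname, conf, zone=ZONE):
    """Map a host to a realm: explicit [domain_realm] entries win (exact host,
    then parent domains); with dns_lookup_realm = true the _kerberos.<domain>
    TXT record is tried up the domain tree; otherwise the domain upper-cased is
    assumed (the inverse of the REALM.lower() convention from the thread).
    The TXT answer is plain, unauthenticated DNS data, which is why the lookup
    only happens when the admin turns the option on."""
    hostname = hostname.lower().rstrip(".")
    parents = parent_domains(hostname)
    if not parents:
        raise ValueError("need a fully qualified host name: %r" % hostname)
    domain_realm = conf.get("domain_realm", {})
    if hostname in domain_realm:
        return domain_realm[hostname]
    for domain in parents:
        if "." + domain in domain_realm:
            return domain_realm["." + domain]
    if conf.get("libdefaults", {}).get("dns_lookup_realm", False):
        for domain in parents:
            txt = dns_query(zone, "_kerberos." + domain, "TXT")
            if txt:
                return txt[0]
    return parents[0].upper()


def kdcs_for_realm(realm, conf, zone=ZONE, proto="udp", rng=None):
    """Return [(host, port)] for a realm: explicit kdc = entries win; otherwise
    _kerberos._<proto>.<REALM> SRV is consulted only when dns_lookup_kdc is on,
    answers ordered by priority and, within one priority, by a weighted draw
    (a simplification of RFC 2782: zero weights are treated as one)."""
    explicit = conf.get("realms", {}).get(realm, {}).get("kdc", [])
    if explicit:
        return [(host, int(port) if port else 88)
                for host, _, port in (e.partition(":") for e in explicit)]
    if not conf.get("libdefaults", {}).get("dns_lookup_kdc", False):
        return []  # nothing configured and DNS not consulted: kinit has nowhere to go
    records = dns_query(zone, "_kerberos._%s.%s" % (proto, realm), "SRV")
    rng = rng or random.Random()
    by_priority = {}
    for prio, weight, port, target in records:
        by_priority.setdefault(prio, []).append((weight, port, target))
    ordered = []
    for prio in sorted(by_priority):
        group = by_priority[prio]
        while group:
            weights = [w or 1 for w, _, _ in group]
            _, port, target = group.pop(rng.choices(range(len(group)), weights)[0])
            ordered.append((target, port))
    return ordered


if __name__ == "__main__":
    for label, conf in (("ipa client", IPA_CLIENT_CONF), ("no dns", NO_DNS_CONF)):
        realm = realm_for_host("vm-111.idm.lab.bos.redhat.com", conf)
        print(label, realm, kdcs_for_realm(realm, conf))
```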
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 18 Mar 2011 11:21:19 -0400
Subject: [Freeipa-devel] [PATCH] 755 upgrade IPA on installation
In-Reply-To: <4D836BCD.3000203@redhat.com>
References: <4D8278BE.7080202@redhat.com> <1300452747.32656.22.camel@dhcp-25-52.brq.redhat.com> <4D836BCD.3000203@redhat.com>
Message-ID: <4D83786F.50501@redhat.com>

Rob Crittenden wrote:
> Martin Kosek wrote:
>> On Thu, 2011-03-17 at 17:10 -0400, Rob Crittenden wrote:
>>> Re-enable ldapi code in ipa-ldap-updater and remove the searchbase
>>> restriction when run in --upgrade mode. This allows us to autobind
>>> giving root Directory Manager powers.
>>>
>>> This also:
>>> * corrects the ipa-ldap-updater man page
>>> * remove automatic --realm, --server, --domain options
>>> * handle upgrade errors properly
>>> * saves a copy of dse.ldif before we change it so it can be recovered
>>> * fixes an error discovered by pylint
>>>
>>> ticket 1087
>>>
>>> rob
>>
>> NACK.
>>
>> Patch is promising, ipa-ldap-updater --upgrade works just fine. The
>> upgrade was also correctly executed after I did the RPM upgrade.
>>
>> But I have hit two issues:
>>
>> 1) When ipa-ldap-updater is run as a regular user on a configured IPA
>> server I get the following error:
>>
>> $ ipa-ldap-updater
>> IPA is not configured on this system.
>>
>> This is because a regular user cannot access /var/lib/ipa/sysrestore/. I
>> guess we should either use another method of detecting installed IPA or
>> make the script root-only (as we do with other scripts taking advantage
>> of fstore).
>>
>> 2) I get a stacktrace when I run ipa-ldap-updater with --ldapi:
>>
>> $ sudo ipa-ldap-updater --ldapi
>> Traceback (most recent call last):
>>   File "/usr/sbin/ipa-ldap-updater", line 125, in
>>     sys.exit(main())
>>   File "/usr/sbin/ipa-ldap-updater", line 111, in main
>>     ld = LDAPUpdate(dm_password=dirman_password, sub_dict={}, live_run=not
>> options.test, ldapi=options.ldapi)
>>   File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py",
>> line 125, in __init__
>>     conn.do_external_bind(self.pw_name)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line
>> 360, in do_external_bind
>>     self.__lateinit()
>>   File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line
>> 260, in __lateinit
>>     [ 'nsslapd-directory' ])
>>   File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line
>> 378, in getEntry
>>     raise errors.NotFound(reason=notfound(args))
>> ipalib.errors.NotFound: * not found
>>
>> I know that --ldapi did not work before the patch either, it just
>> crashed with another stacktrace. But it would be nice to fix this one.
>>
>> Martin
>
> Issues addressed.
>
> I'm going to do a best-possible check for IPA installation when non-root
> but stick with the fstore when doing it as root. This is because it is
> more important because it may be done automatically in rpm.
>
> rob

Fixed a couple more issues Martin discovered:

- catch errors if the GSSAPI connection fails
- do console logging when doing a password-based update as root

rob

[Attachment: freeipa-rcrit-755-3-upgrade.patch (application/mbox, 16352 bytes)]

From rcritten at redhat.com Fri Mar 18 18:54:47 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 18 Mar 2011 14:54:47 -0400
Subject: [Freeipa-devel] [PATCH] 754 ensure hostnames are lower-case
In-Reply-To: <1300372235.29997.20.camel@dhcp-25-52.brq.redhat.com>
References: <4D813447.5010602@redhat.com> <1300356174.29997.6.camel@dhcp-25-52.brq.redhat.com> <4D821991.5000107@redhat.com> <1300372235.29997.20.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4D83AA77.9010201@redhat.com>

Martin Kosek wrote:
> On Thu, 2011-03-17 at 10:24 -0400, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> On Wed, 2011-03-16 at 18:05 -0400, Rob Crittenden wrote:
>>>> If a hostname has mixed-case in /etc/hosts or a mixed-case name is
>>>> passed into either the client or host installer we need to prevent
>>>> installation. The hostname should be lower-case otherwise all sorts of
>>>> odd problems will happen.
>>>>
>>>> ticket 1080
>>>>
>>>> rob
>>>
>>> Patch is OK, but I think that "Check /etc/hosts." part of the error
>>> message may be confusing.
>>>
>>> Hostname with mixed-case we are complaining about doesn't have to be
>>> read from /etc/hosts. It may be passed for example by --hostname
>>> parameter or set on a machine by `hostname` command.
>>>
>>> Martin
>>>
>>
>> Updated patch with the Check part removed.
>>
>> rob
>
> ACK.
>
> Martin
>

pushed to master

From rcritten at redhat.com Fri Mar 18 18:58:30 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 18 Mar 2011 14:58:30 -0400
Subject: [Freeipa-devel] Wrong timeout parameter in ipapython
In-Reply-To: <1300114947.17875.2.camel@dhcp-25-52.brq.redhat.com>
References: <4D799A8C.6040501@redhat.com> <4D79F26A.9020705@redhat.com> <4D79F750.6030708@glumol.com> <4D79FB70.5020106@redhat.com> <1300114947.17875.2.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4D83AB56.6060600@redhat.com>

Martin Kosek wrote:
> On Fri, 2011-03-11 at 11:37 +0100, Jakub Hrozek wrote:
>> On 03/11/2011 11:20 AM, Sylvain Baubeau wrote:
>>> Yes, I'm using IPv4.
>>> It's even worse as the constant 'io.PR_AF_INET' (whose value is 2) is
>>> used in this case :)
>>>
>>
>> Right..
>>
>> Thank you very much for your contribution. I'm guessing we never hit the
>> exception because most of our testing is done on a low-latency network..
>
> ACK from me too.
>
> I amended the patch to show the ticket number for better tracking in GIT
> - attached. Rest of the patch left unchanged.
>
> Martin

pushed to master. I added Sylvain to Contributors.txt too.

rob

From rcritten at redhat.com Fri Mar 18 19:00:25 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 18 Mar 2011 15:00:25 -0400
Subject: [Freeipa-devel] [PATCH] Update translation files (ipa.pot, *po).
In-Reply-To: <4D7E6D06.1000509@redhat.com>
References: <4D7E1DE9.10005@redhat.com> <4D7E2A6C.3060304@redhat.com> <4D7E3430.8010106@redhat.com> <4D7E6D06.1000509@redhat.com>
Message-ID: <4D83ABC9.7010108@redhat.com>

John Dennis wrote:
> On 03/14/2011 11:28 AM, Pavel Zuna wrote:
>> I created a new patch with only the ipa.pot file updated as you
>> suggested.
>
> I haven't seen a commit for this though.
>

Pushed to master

From ayoung at redhat.com Fri Mar 18 20:45:19 2011
From: ayoung at redhat.com (Adam Young)
Date: Fri, 18 Mar 2011 16:45:19 -0400
Subject: [Freeipa-devel] admiyo-0214-1-pwpolicy-priority
In-Reply-To: <4D836F76.2000800@redhat.com>
References: <4D82A178.1020202@redhat.com> <4D82BCDF.4060606@redhat.com> <4D8364E2.7060502@redhat.com> <4D836F76.2000800@redhat.com>
Message-ID: <4D83C45F.9070800@redhat.com>

On 03/18/2011 10:43 AM, Endi Sukma Dewata wrote:
> On 3/18/2011 8:57 AM, Adam Young wrote:
>> On 03/17/2011 10:01 PM, Endi Sukma Dewata wrote:
>>> On 3/17/2011 7:04 PM, Adam Young wrote:
>>> Some issues:
>>>
>>> 1. There's a jslint warning.
>>>
>>> 2. Try creating a new password policy, then edit and change the
>>> priority. When you click Update the priority will get updated but the
>>> field will become read only.
>>>
>>> https://fedorahosted.org/freeipa/ticket/1103
>>>
>>> 3. Try changing another field, then click Update. It will fail saying:
>>> invalid 'priority': priority must be a unique ( already by
>>> ).
>>>
>>> https://fedorahosted.org/freeipa/ticket/1104
>>>
>>> Issue #2 and #3 will only become a problem if we have a priority field
>>> in the details page. If we change the patch to fix only the dialog box
>>> and leave the details page without the priority field like before we
>>> probably could postpone these bugs into 2.1.
>>>
>> This is basically the same patch as the first one, but without the JSL
>> messages.
>
> ACK. The patch fixes ticket #1102 (adder dialog). We still need to add
> the priority field into the details page (will open a new ticket), but
> that can be done in 2.1 after fixing issue #2 and #3 above.
>

Pushed to master

From mkosek at redhat.com Mon Mar 21 08:03:25 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 21 Mar 2011 09:03:25 +0100
Subject: [Freeipa-devel] [PATCH] 755 upgrade IPA on installation
In-Reply-To: <4D83786F.50501@redhat.com>
References: <4D8278BE.7080202@redhat.com> <1300452747.32656.22.camel@dhcp-25-52.brq.redhat.com> <4D836BCD.3000203@redhat.com> <4D83786F.50501@redhat.com>
Message-ID: <1300694605.1574.1.camel@dhcp-25-52.brq.redhat.com>

On Fri, 2011-03-18 at 11:21 -0400, Rob Crittenden wrote:
> Rob Crittenden wrote:
> > Martin Kosek wrote:
> >> On Thu, 2011-03-17 at 17:10 -0400, Rob Crittenden wrote:
> >>> Re-enable ldapi code in ipa-ldap-updater and remove the searchbase
> >>> restriction when run in --upgrade mode. This allows us to autobind
> >>> giving root Directory Manager powers.
> >>>
> >>> This also:
> >>> * corrects the ipa-ldap-updater man page
> >>> * remove automatic --realm, --server, --domain options
> >>> * handle upgrade errors properly
> >>> * saves a copy of dse.ldif before we change it so it can be recovered
> >>> * fixes an error discovered by pylint
> >>>
> >>> ticket 1087
> >>>
> >>> rob
> >>
> >> NACK.
> >>
> >> Patch is promising, ipa-ldap-updater --upgrade works just fine. The
> >> upgrade was also correctly executed after I did the RPM upgrade.
> >>
> >> But I have hit two issues:
> >>
> >> 1) When ipa-ldap-updater is run as a regular user on a configured IPA
> >> server I get the following error:
> >>
> >> $ ipa-ldap-updater
> >> IPA is not configured on this system.
> >>
> >> This is because a regular user cannot access /var/lib/ipa/sysrestore/. I
> >> guess we should either use another method of detecting installed IPA or
> >> make the script root-only (as we do with other scripts taking advantage
> >> of fstore).
> >>
> >> 2) I get a stacktrace when I run ipa-ldap-updater with --ldapi:
> >>
> >> $ sudo ipa-ldap-updater --ldapi
> >> Traceback (most recent call last):
> >>   File "/usr/sbin/ipa-ldap-updater", line 125, in
> >>     sys.exit(main())
> >>   File "/usr/sbin/ipa-ldap-updater", line 111, in main
> >>     ld = LDAPUpdate(dm_password=dirman_password, sub_dict={}, live_run=not
> >> options.test, ldapi=options.ldapi)
> >>   File
> >> "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py",
> >> line 125, in __init__
> >>     conn.do_external_bind(self.pw_name)
> >>   File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line
> >> 360, in do_external_bind
> >>     self.__lateinit()
> >>   File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line
> >> 260, in __lateinit
> >>     [ 'nsslapd-directory' ])
> >>   File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line
> >> 378, in getEntry
> >>     raise errors.NotFound(reason=notfound(args))
> >> ipalib.errors.NotFound: * not found
> >>
> >> I know that --ldapi did not work before the patch either, it just
> >> crashed with another stacktrace. But it would be nice to fix this one.
> >>
> >> Martin
> >
> > Issues addressed.
> >
> > I'm going to do a best-possible check for IPA installation when non-root
> > but stick with the fstore when doing it as root. This is because it is
> > more important because it may be done automatically in rpm.
> >
> > rob
>
> Fixed a couple more issues Martin discovered:
>
> - catch errors if the GSSAPI connection fails
> - do console logging when doing a password-based update as root
>
> rob

ACK. Good job, everything works fine.

Martin

From rcritten at redhat.com Mon Mar 21 17:24:06 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 21 Mar 2011 13:24:06 -0400
Subject: [Freeipa-devel] [PATCH] 755 upgrade IPA on installation
In-Reply-To: <1300694605.1574.1.camel@dhcp-25-52.brq.redhat.com>
References: <4D8278BE.7080202@redhat.com> <1300452747.32656.22.camel@dhcp-25-52.brq.redhat.com> <4D836BCD.3000203@redhat.com> <4D83786F.50501@redhat.com> <1300694605.1574.1.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4D8789B6.40806@redhat.com>

Martin Kosek wrote:
> On Fri, 2011-03-18 at 11:21 -0400, Rob Crittenden wrote:
>> Rob Crittenden wrote:
>>> Martin Kosek wrote:
>>>> On Thu, 2011-03-17 at 17:10 -0400, Rob Crittenden wrote:
>>>>> Re-enable ldapi code in ipa-ldap-updater and remove the searchbase
>>>>> restriction when run in --upgrade mode. This allows us to autobind
>>>>> giving root Directory Manager powers.
>>>>>
>>>>> This also:
>>>>> * corrects the ipa-ldap-updater man page
>>>>> * remove automatic --realm, --server, --domain options
>>>>> * handle upgrade errors properly
>>>>> * saves a copy of dse.ldif before we change it so it can be recovered
>>>>> * fixes an error discovered by pylint
>>>>>
>>>>> ticket 1087
>>>>>
>>>>> rob
>>>>
>>>> NACK.
>>>>
>>>> Patch is promising, ipa-ldap-updater --upgrade works just fine. The
>>>> upgrade was also correctly executed after I did the RPM upgrade.
>>>>
>>>> But I have hit two issues:
>>>>
>>>> 1) When ipa-ldap-updater is run as a regular user on a configured IPA
>>>> server I get the following error:
>>>>
>>>> $ ipa-ldap-updater
>>>> IPA is not configured on this system.
>>>>
>>>> This is because a regular user cannot access /var/lib/ipa/sysrestore/. I
>>>> guess we should either use another method of detecting installed IPA or
>>>> make the script root-only (as we do with other scripts taking advantage
>>>> of fstore).
>>>>
>>>> 2) I get a stacktrace when I run ipa-ldap-updater with --ldapi:
>>>>
>>>> $ sudo ipa-ldap-updater --ldapi
>>>> Traceback (most recent call last):
>>>>   File "/usr/sbin/ipa-ldap-updater", line 125, in
>>>>     sys.exit(main())
>>>>   File "/usr/sbin/ipa-ldap-updater", line 111, in main
>>>>     ld = LDAPUpdate(dm_password=dirman_password, sub_dict={}, live_run=not
>>>> options.test, ldapi=options.ldapi)
>>>>   File
>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py",
>>>> line 125, in __init__
>>>>     conn.do_external_bind(self.pw_name)
>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line
>>>> 360, in do_external_bind
>>>>     self.__lateinit()
>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line
>>>> 260, in __lateinit
>>>>     [ 'nsslapd-directory' ])
>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line
>>>> 378, in getEntry
>>>>     raise errors.NotFound(reason=notfound(args))
>>>> ipalib.errors.NotFound: * not found
>>>>
>>>> I know that --ldapi did not work before the patch either, it just
>>>> crashed with another stacktrace. But it would be nice to fix this one.
>>>>
>>>> Martin
>>>
>>> Issues addressed.
>>>
>>> I'm going to do a best-possible check for IPA installation when non-root
>>> but stick with the fstore when doing it as root. This is because it is
>>> more important because it may be done automatically in rpm.
>>>
>>> rob
>>
>> Fixed a couple more issues Martin discovered:
>>
>> - catch errors if the GSSAPI connection fails
>> - do console logging when doing a password-based update as root
>>
>> rob
>
> ACK. Good job, everything works fine.
>
> Martin
>

pushed to master

From edewata at redhat.com Mon Mar 21 17:48:57 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 21 Mar 2011 12:48:57 -0500
Subject: [Freeipa-devel] [PATCH] 128 Fixed undefined label in permission adder dialog box.
Message-ID: <4D878F89.4050306@redhat.com>

The IPA.rights_widget was fixed to invoke the base init() method to load
the i18n labels properly.

Ticket 1113

I think this patch should be added to 2.0.x because the bug is visible
in plain sight and the fix is very simple.

--
Endi S. Dewata

[Attachment: freeipa-edewata-0128-Fixed-undefined-label-in-permission-adder-dialog-box.patch (text/x-patch, 950 bytes)]

From rcritten at redhat.com Mon Mar 21 18:31:40 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 21 Mar 2011 14:31:40 -0400
Subject: [Freeipa-devel] [PATCH] 039 Wait for Directory Server ports to open
In-Reply-To: <1300218317.3095.15.camel@dhcp-25-52.brq.redhat.com>
References: <1300122210.17875.5.camel@dhcp-25-52.brq.redhat.com> <4D7FAA7E.2090103@redhat.com> <3E5098B4-E1B4-4C9C-8B21-1A1E21A3EF03@citrixonline.com> <1300218317.3095.15.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4D87998C.1020108@redhat.com>

Martin Kosek wrote:
> On Tue, 2011-03-15 at 18:25 +0000, JR Aquino wrote:
>> On Mar 15, 2011, at 11:05 AM, Pavel Zuna wrote:
>>
>>> On 03/14/2011 06:03 PM, Martin Kosek wrote:
>>>> I know this is a 2.1 ticket, but the patch is probably also a solution
>>>> of #1047 - a 2.0.5 bucket critical bug.
>>>>
>>>> ------------
>>>> When Directory Server operation is run right after the server restart
>>>> the listening ports may not be opened yet. This makes the installation
>>>> fail.
>>>>
>>>> This patch fixes this issue by waiting for both secure and insecure
>>>> Directory Server ports to open after every restart.
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/1076
>>>>
>>>
>>> ACK.
>>>
>>> Seems to also fix #1047, as I couldn't reproduce after this patch was applied.
>>>
>>> Pavel
>>
>> RE: 1047, I still seem to have an issue with the patch applied, but let me do a fresh reinstall and report back regarding 1047.
>
> That's a good idea. Even though this patch fixes #1076, I am now not
> sure if it fixes #1047 too.
>
> We need to know the real root cause of #1047 - if it is really caused by
> unopened ports 389,636 after the Directory Server restart.
>
> If you get some useful logs in your test on a fresh reinstall (different
> from the ones already attached in the Trac), please send them too.
>
> Martin

pushed to master

From mkosek at redhat.com Tue Mar 22 16:16:51 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 22 Mar 2011 17:16:51 +0100
Subject: [Freeipa-devel] [PATCH] 040 Prevent stacktrace when DNS AAAA record is added
Message-ID: <1300810611.21676.7.camel@dhcp-25-52.brq.redhat.com>

This patch fixes a stacktrace that is printed out when an IPv6 AAAA
record with subnet prefix length (e.g. /64) is added. The same error
message is now printed as when an IPv4 record with subnet prefix length
is used.

https://fedorahosted.org/freeipa/ticket/1115

[Attachment: freeipa-mkosek-040-prevent-stacktrace-when-dns-aaaa-record-is-added.patch (text/x-patch, 1066 bytes)]

From rcritten at redhat.com Tue Mar 22 17:37:51 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 22 Mar 2011 13:37:51 -0400
Subject: [Freeipa-devel] [PATCH] 040 Prevent stacktrace when DNS AAAA record is added
In-Reply-To: <1300810611.21676.7.camel@dhcp-25-52.brq.redhat.com>
References: <1300810611.21676.7.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4D88DE6F.2030602@redhat.com>

Martin Kosek wrote:
> This patch fixes a stacktrace that is printed out when an IPv6
> AAAA record with subnet prefix length (e.g. /64) is added.
> The same error message is now printed as when an IPv4 record
> with subnet prefix length is used.
>
> https://fedorahosted.org/freeipa/ticket/1115

ack, pushed to master

From ssorce at redhat.com Thu Mar 24 18:39:00 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 24 Mar 2011 14:39:00 -0400
Subject: [Freeipa-devel] [PATCHES] Fix some of the issues found by coverity
Message-ID: <20110324143900.67d1d17a@willson.li.ssimo.org>

One is a memory leak that can happen in some error paths.
It is not highly probable to happen, so it can be deferred to post GA.
The other is an uninitialized variable that could cause a segfault in
some cases (not seen in the wild, depends on an error path too).

Simo.

--
Simo Sorce * Red Hat, Inc * New York

[Attachment: freeipa-simo-0095-Fix-resource-leaks.patch (text/x-patch, 1307 bytes)]
[Attachment: freeipa-simo-0096-Fix-uninitialized-variable.patch (text/x-patch, 1056 bytes)]

From rcritten at redhat.com Thu Mar 24 19:20:38 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 24 Mar 2011 15:20:38 -0400
Subject: [Freeipa-devel] [PATCHES] Fix some of the issues found by coverity
In-Reply-To: <20110324143900.67d1d17a@willson.li.ssimo.org>
References: <20110324143900.67d1d17a@willson.li.ssimo.org>
Message-ID: <4D8B9986.2080508@redhat.com>

Simo Sorce wrote:
>
> One is a memory leak that can happen in some error paths.
> It is not highly probable to happen, so it can be deferred to post GA
> The other is an uninitialized variable that could cause a segfault in
> some cases (not seen in the wild, depends on an error path too).
>
> Simo.
>

Ack on both.

Only 0095 pushed to master so far, holding onto 0096 until post-GA.

rob

From mkosek at redhat.com Fri Mar 25 15:39:32 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 25 Mar 2011 16:39:32 +0100
Subject: [Freeipa-devel] [PATCH] 041 Replica installation fails for self-signed server
Message-ID: <1301067572.7454.5.camel@dhcp-25-52.brq.redhat.com>

When the IPA server was configured as self-signed (--selfsign option) the replica always failed to install.

https://fedorahosted.org/freeipa/ticket/1122

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-041-replica-installation-fails-for-self-signed-server.patch
Type: text/x-patch
Size: 1076 bytes

From rcritten at redhat.com Fri Mar 25 18:22:35 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 25 Mar 2011 14:22:35 -0400
Subject: [Freeipa-devel] Announcing FreeIPA v2 Server
Message-ID: <4D8CDD6B.6000703@redhat.com>

The FreeIPA Project (http://freeipa.org) is proud to present FreeIPA version 2.0.

FreeIPA is an integrated security information management solution combining Linux (Fedora), 389 Directory Server, MIT Kerberos and NTP. FreeIPA binds together a number of technologies and adds a web interface and command-line administration tools.

Features of FreeIPA v2.0 include:
* Centralized authentication via Kerberos or LDAP
* Identity management for users, groups, hosts and services
* Pluggable and extensible framework for UI/CLI
* Rich CLI
* Web-based User Interface
* Server X.509 v3 certificate provisioning capabilities
* Managing host identities including grouping hosts
* Defining host-based access control rules that will be enforced on the client side by the IPA back end for SSSD [1]
* Serving netgroups based on user and host objects stored in IPA
* Serving sets of automount maps to different clients
* Finer-grained management delegation
* Group-based password policies
* Centrally-managed SUDO
* Automatic management of private groups
* Compatibility with a broad set of clients
* Painless password migration
* Optional integrated DNS server managed by IPA
* Optional integrated Certificate Authority to manage server certificates managed by IPA
* Can act as NIS server for legacy systems
* Supports multi-server deployment based on the multi-master replication
* User and group replication with MS Active Directory

We encourage users and developers to start testing and deploying FreeIPA in their environments. A very simple installation procedure is provided and is part of the effort of making these complex technologies simple to use and friendly to administrators. We encourage people to experiment and evaluate the current release; we welcome feedback on the overall experience and bug reports [2].
We also would like to encourage interested users and developers to join our mailing list and discuss features and development directions [3].

The complete source code [4] is available for download here: http://www.freeipa.org/page/Downloads

See our git repository at http://git.fedorahosted.org/git/freeipa.git/ for a complete changelog.

FreeIPA 2.0 is available in Fedora 15, see Known Issues below. You will need to enable the updates-testing repository, e.g.

# yum install freeipa-server --enablerepo=updates-testing

Have Fun!
The FreeIPA Project Team.

---
[1] https://fedorahosted.org/sssd/
[2] https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora (component is ipa)
[3] http://freeipa.org/page/Contribute

Known Issues
* The latest tomcat6 package has not been pushed to updates-testing. You need tomcat6-6-0.30-5 or higher. The packages can be retrieved from koji at http://koji.fedoraproject.org/koji/buildinfo?buildID=231410 . The installation will fail restarting the CA with the current tomcat6 package in Fedora 15.
* If the domain and realm do not match you may need to use the --force flag with ipa-client-install.
* Dogtag replication is done separately from IPA replication. The ipa-replica-manage tool does not currently operate on dogtag replication agreements.
* The OCSP URL encoded in dogtag certificates is by default the CA machine that issued the certificate.

Detailed Changelog since FreeIPA v2.0.0 rc3

Adam Young (1):
* pwpolicy priority
  Priority is now a required field in order to add a new password policy. Thus, not having the field present means we cannot create one.

Endi S. Dewata (1):
* Removed nested role from UI.

Martin Kosek (2):
* Wait for Directory Server ports to open
* Prevent stacktrace when DNS AAAA record is added

Pavel Zuna (1):
* Update translation file (ipa.pot).

Rob Crittenden (4):
* Always consider domain and server when doing DNS discovery in client.
* Fix SELinux errors caused by enabling TLS on dogtag 389-ds instance.
* Ensure that the system hostname is lower-case.
* Automatically update IPA LDAP on rpm upgrades

Simo Sorce (1):
* Domain to Realm
  Explicitly use the realm specified on the command line. Many places were assuming that the domain and realm were the same.
* Fix uninitialized variable.

From rcritten at redhat.com Fri Mar 25 19:04:46 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 25 Mar 2011 15:04:46 -0400
Subject: [Freeipa-devel] FreeIPA is branched
Message-ID: <4D8CE74E.3010107@redhat.com>

I just branched the freeipa source, creating branch ipa-2-0.

Be aware of changes that go to master that also need to be merged with the ipa-2-0 branch (cherrypick is your friend).

rob

From nalin at redhat.com Fri Mar 25 19:07:22 2011
From: nalin at redhat.com (Nalin Dahyabhai)
Date: Fri, 25 Mar 2011 15:07:22 -0400
Subject: [Freeipa-devel] FreeIPA is branched
In-Reply-To: <4D8CE74E.3010107@redhat.com>
References: <4D8CE74E.3010107@redhat.com>
Message-ID: <20110325190722.GC21577@redhat.com>

On Fri, Mar 25, 2011 at 03:04:46PM -0400, Rob Crittenden wrote:
> I just branched the freeipa source, creating branch ipa-2-0.
>
> Be aware of changes that go to master that also need to be merged
> with the ipa-2-0 branch (cherrypick is your friend).

Should the development builds start following ipa-2-0 now, or stick with master? Or should we try to do both?

Nalin

From rcritten at redhat.com Fri Mar 25 20:14:27 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 25 Mar 2011 16:14:27 -0400
Subject: [Freeipa-devel] FreeIPA is branched
In-Reply-To: <20110325190722.GC21577@redhat.com>
References: <4D8CE74E.3010107@redhat.com> <20110325190722.GC21577@redhat.com>
Message-ID: <4D8CF7A3.8020309@redhat.com>

Nalin Dahyabhai wrote:
> On Fri, Mar 25, 2011 at 03:04:46PM -0400, Rob Crittenden wrote:
>> I just branched the freeipa source, creating branch ipa-2-0.
>>
>> Be aware of changes that go to master that also need to be merged
>> with the ipa-2-0 branch (cherrypick is your friend).
>
> Should the development builds start following ipa-2-0 now, or stick
> with master? Or should we try to do both?
>
> Nalin

Interesting question. I think just keep building off master for now as that will contain the interesting UI bits.

rob

From ayoung at redhat.com Fri Mar 25 21:10:16 2011
From: ayoung at redhat.com (Adam Young)
Date: Fri, 25 Mar 2011 17:10:16 -0400
Subject: [Freeipa-devel] FreeIPA is branched
In-Reply-To: <4D8CF7A3.8020309@redhat.com>
References: <4D8CE74E.3010107@redhat.com> <20110325190722.GC21577@redhat.com> <4D8CF7A3.8020309@redhat.com>
Message-ID: <4D8D04B8.1060503@redhat.com>

On 03/25/2011 04:14 PM, Rob Crittenden wrote:
> Nalin Dahyabhai wrote:
>> On Fri, Mar 25, 2011 at 03:04:46PM -0400, Rob Crittenden wrote:
>>> I just branched the freeipa source, creating branch ipa-2-0.
>>>
>>> Be aware of changes that go to master that also need to be merged
>>> with the ipa-2-0 branch (cherrypick is your friend).
>>
>> Should the development builds start following ipa-2-0 now, or stick
>> with master? Or should we try to do both?
>>
>> Nalin
>
> Interesting question. I think just keep building off master for now as
> that will contain the interesting UI bits.
>
> rob
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

Agreed. 2.0 should be built on demand. There should be significantly less going into 2.0 than into master.

From jcholast at redhat.com Mon Mar 28 10:54:29 2011
From: jcholast at redhat.com (Jan Cholasta)
Date: Mon, 28 Mar 2011 12:54:29 +0200
Subject: [Freeipa-devel] [PATCH] 3 Add ability to specify netmask with IP addresses during installation
Message-ID: <4D9068E5.6090209@redhat.com>

This patch enables the user to specify netmask/prefix length with IP addresses (see http://packages.python.org/netaddr/netaddr.ip.IPNetwork-class.html) during installation for proper DNS reverse zone setup.

https://fedorahosted.org/freeipa/ticket/910

--
Jan Cholasta

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-3-reverse-zone.patch
Type: text/x-patch
Size: 15711 bytes

From pzuna at redhat.com Mon Mar 28 11:23:00 2011
From: pzuna at redhat.com (Pavel Zuna)
Date: Mon, 28 Mar 2011 13:23:00 +0200
Subject: [Freeipa-devel] [PATCH] Fix gidnumber option of user-add command.
Message-ID: <4D906F94.2000709@redhat.com>

With this patch, the gidNumber is set automatically only if it wasn't specified explicitly by the user.

Ticket #1127

Pavel

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pzuna-87-fixgidnumber.patch
Type: application/mbox
Size: 2579 bytes

From dpal at redhat.com Mon Mar 28 13:15:34 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 28 Mar 2011 09:15:34 -0400
Subject: [Freeipa-devel] [PATCH] Fix gidnumber option of user-add command.
In-Reply-To: <4D906F94.2000709@redhat.com>
References: <4D906F94.2000709@redhat.com>
Message-ID: <4D9089F6.60007@redhat.com>

On 03/28/2011 07:23 AM, Pavel Zuna wrote:
> With this patch, the gidNumber is set automatically only if it wasn't
> specified explicitly by the user.
>
> Ticket #1127
>
> Pavel

Should we have another option like -noprivategroup to solve the cases when the private group is not needed or has a GID collision with other groups?

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From jcholast at redhat.com Mon Mar 28 13:42:02 2011
From: jcholast at redhat.com (Jan Cholasta)
Date: Mon, 28 Mar 2011 15:42:02 +0200
Subject: [Freeipa-devel] [PATCH] 4 Fix wording of error message
Message-ID: <4D90902A.3030900@redhat.com>

Change the wording of the error message "The IPA Server hostname cannot resolve to localhost" to "The IPA Server hostname must not resolve to localhost".

https://fedorahosted.org/freeipa/ticket/1009

--
Jan Cholasta

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-4-error-message.patch
Type: text/x-patch
Size: 1186 bytes

From ayoung at redhat.com Mon Mar 28 13:50:06 2011
From: ayoung at redhat.com (Adam Young)
Date: Mon, 28 Mar 2011 09:50:06 -0400
Subject: [Freeipa-devel] [PATCH] 3 Add ability to specify netmask with IP addresses during installation
In-Reply-To: <4D9068E5.6090209@redhat.com>
References: <4D9068E5.6090209@redhat.com>
Message-ID: <4D90920E.3080900@redhat.com>

On 03/28/2011 06:54 AM, Jan Cholasta wrote:
> This patch enables the user to specify netmask/prefix length with IP
> addresses (see
> http://packages.python.org/netaddr/netaddr.ip.IPNetwork-class.html)
> during installation for proper DNS reverse zone setup.
>
> https://fedorahosted.org/freeipa/ticket/910

The approach makes sense on visual review. Haven't had the chance to test it yet. It appears to work for both IPv4 and V6 with and without netmasks. I'd like to see a unit test for the parser that confirms that.

From sgallagh at redhat.com Mon Mar 28 14:54:57 2011
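The two threads above (patch 040, a stacktrace when an AAAA value carries a /64 prefix, and patch 3, netmask/prefix parsing for reverse zone setup, where a unit test for the parser was requested) describe the same input-handling problem: a prefix length is valid in one place and must be rejected cleanly in the other. The following is an added example, not FreeIPA's code or either patch; it uses the standard-library ipaddress module instead of netaddr so it runs with no extra packages, the function names are hypothetical, and the /24 and /64 defaults for a bare address are this example's assumption.

```python
import ipaddress

# Default prefix lengths applied when the user gives a bare address.
# These values are this example's assumption, not something the thread specifies.
DEFAULT_PREFIXLEN = {4: 24, 6: 64}


class AddressError(ValueError):
    """Clean error for bad input, raised instead of letting a library
    exception escape to the user as a stacktrace."""


def parse_ip_with_netmask(text):
    """Parse '10.1.2.3', '10.1.2.3/24', '10.1.2.3/255.255.255.0' or
    '2001:db8::1/64' into an ipaddress interface (host address + network).

    A bare address gets the DEFAULT_PREFIXLEN for its family.
    """
    text = text.strip()
    try:
        if "/" not in text:
            addr = ipaddress.ip_address(text)
            text = "%s/%d" % (addr, DEFAULT_PREFIXLEN[addr.version])
        return ipaddress.ip_interface(text)
    except ValueError as e:
        raise AddressError("invalid IP address or netmask: %r" % text) from e


def reverse_zone_for(iface):
    """Return the reverse zone name covering iface.network.

    IPv4 reverse zones are cut at octet boundaries and IPv6 zones at nibble
    boundaries, so the prefix length is rounded down to the nearest boundary;
    the resulting (possibly wider) zone still contains the host address.
    """
    net = iface.network
    if net.version == 4:
        labels = net.network_address.exploded.split(".")
        keep = net.prefixlen // 8
        suffix = "in-addr.arpa."
    else:
        labels = list(net.network_address.exploded.replace(":", ""))
        keep = net.prefixlen // 4
        suffix = "ip6.arpa."
    if keep == 0:
        raise AddressError("prefix /%d is too short for a reverse zone" % net.prefixlen)
    return ".".join(reversed(labels[:keep])) + "." + suffix


def record_value_problem(rtype, value):
    """Return None if value is a valid A/AAAA record value, else an error
    message. A prefix length is rejected with the same message for both
    address families, which is the behaviour patch 040 aims for."""
    if "/" in value:
        return "%s record value %r must not contain a netmask or prefix length" % (rtype, value)
    try:
        addr = ipaddress.ip_address(value.strip())
    except ValueError:
        return "%s record value %r is not a valid IP address" % (rtype, value)
    expected = 4 if rtype == "A" else 6
    if addr.version != expected:
        return "%s record value %r must be an IPv%d address" % (rtype, value, expected)
    return None


def validate_address_record(rtype, value):
    """Raise AddressError for a bad A/AAAA value, else return it normalised."""
    problem = record_value_problem(rtype, value)
    if problem is not None:
        raise AddressError(problem)
    return str(ipaddress.ip_address(value.strip()))


if __name__ == "__main__":
    # Constructed sample inputs mirroring the cases the threads mention.
    for text in ("192.168.1.10/24", "10.5.0.0/255.255.0.0", "10.1.2.3",
                 "2001:db8:1:2::10/64"):
        iface = parse_ip_with_netmask(text)
        print("%-22s network %-22s reverse zone %s"
              % (text, iface.network, reverse_zone_for(iface)))
    for rtype, value in (("A", "10.0.0.1/24"), ("AAAA", "2001:db8::1/64"),
                         ("AAAA", "2001:db8::1")):
        print(rtype, value, "->", record_value_problem(rtype, value) or "ok")
```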
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Mon, 28 Mar 2011 10:54:57 -0400
Subject: [Freeipa-devel] [PATCH] Fix gidnumber option of user-add command.
In-Reply-To: <4D9089F6.60007@redhat.com>
References: <4D906F94.2000709@redhat.com> <4D9089F6.60007@redhat.com>
Message-ID: <4D90A141.1080304@redhat.com>

On 03/28/2011 09:15 AM, Dmitri Pal wrote:
> On 03/28/2011 07:23 AM, Pavel Zuna wrote:
>> With this patch, the gidNumber is set automatically only if it wasn't
>> specified explicitly by the user.
>>
>> Ticket #1127
>>
>> Pavel
>
> Should we have another option like -noprivategroup to solve the cases
> when the private group is not needed or has a GID collision with other
> groups?
>

I agree, this would make migration scripts a lot simpler.

--
Stephen Gallagher
RHCE 804006346421761

Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/

From rcritten at redhat.com Mon Mar 28 15:00:12 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 28 Mar 2011 11:00:12 -0400
Subject: [Freeipa-devel] [PATCH] Fix gidnumber option of user-add command.
In-Reply-To: <4D90A141.1080304@redhat.com>
References: <4D906F94.2000709@redhat.com> <4D9089F6.60007@redhat.com> <4D90A141.1080304@redhat.com>
Message-ID: <4D90A27C.4040301@redhat.com>

Stephen Gallagher wrote:
> On 03/28/2011 09:15 AM, Dmitri Pal wrote:
>> On 03/28/2011 07:23 AM, Pavel Zuna wrote:
>>> With this patch, the gidNumber is set automatically only if it wasn't
>>> specified explicitly by the user.
>>>
>>> Ticket #1127
>>>
>>> Pavel
>>
>> Should we have another option like -noprivategroup to solve the cases
>> when the private group is not needed or has a GID collision with other
>> groups?
>>
>
> I agree, this would make migration scripts a lot simpler.

https://fedorahosted.org/freeipa/ticket/1130

From rcritten at redhat.com Mon Mar 28 15:12:42 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 28 Mar 2011 11:12:42 -0400
Subject: [Freeipa-devel] [PATCH] 756 handle no forwarded TGT
Message-ID: <4D90A56A.6010508@redhat.com>

We should gracefully handle the case where no TGT has been forwarded. Right now we return a 500 error.

ticket 1101

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-756-ccache.patch
Type: application/mbox
Size: 1468 bytes

From mkosek at redhat.com Mon Mar 28 15:36:24 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 28 Mar 2011 17:36:24 +0200
Subject: [Freeipa-devel] [PATCH] 042 Password policy commands do not include cospriority
Message-ID: <1301326584.3592.10.camel@dhcp-25-52.brq.redhat.com>

Target branches: master, ipa-2-0
---
Most of the pwpolicy_* commands do include cospriority in the result and potentially in the attribute rights (--all --rights). Especially when --raw output is requested. This patch fixes it for all pwpolicy commands.

https://fedorahosted.org/freeipa/ticket/1103

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-042-password-policy-commands-do-not-include-cospriority.patch
Type: text/x-patch
Size: 5240 bytes

From mkosek at redhat.com Mon Mar 28 15:40:09 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 28 Mar 2011 17:40:09 +0200
Subject: [Freeipa-devel] [PATCH] 043 Inconsistent error message for duplicate user
Message-ID: <1301326809.3592.11.camel@dhcp-25-52.brq.redhat.com>

Target branches: master, ipa-2-0
---
When a duplicate user is added, an error message inconsistent with the rest of the framework is printed. This patch changes this to the standard duplicate error message.

https://fedorahosted.org/freeipa/ticket/1116

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-043-inconsistent-error-message-for-duplicate-user.patch
Type: text/x-patch
Size: 1155 bytes

From rcritten at redhat.com Mon Mar 28 18:52:39 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 28 Mar 2011 14:52:39 -0400
Subject: [Freeipa-devel] [PATCHES] Fix some of the issues found by coverity
In-Reply-To: <4D8B9986.2080508@redhat.com>
References: <20110324143900.67d1d17a@willson.li.ssimo.org> <4D8B9986.2080508@redhat.com>
Message-ID: <4D90D8F7.2020403@redhat.com>

Rob Crittenden wrote:
> Simo Sorce wrote:
>>
>> One is a memory leak that can happen in some error paths.
>> It is not highly probable to happen, so it can be deferred to post GA
>> The other is an uninitialized variable that could cause a segfault in
>> some cases (not seen in the wild, depends on an error path too).
>>
>> Simo.
>>
>
> Ack on both.
>
> Only 0095 pushed to master so far, holding onto 0096 until post-GA.
>
> rob

I actually had it reversed before, I pushed 0096 and held onto 0095. 0095 now pushed to master and ipa-2-0.

rob

From adam at younglogic.com Mon Mar 28 19:29:48 2011
From: adam at younglogic.com (Adam Young)
Date: Mon, 28 Mar 2011 15:29:48 -0400
Subject: [Freeipa-devel] We really should update our front page.
In-Reply-To: <4D909531.9070704@redhat.com>
References: <4D8EBC9C.8010008@younglogic.com> <4D909531.9070704@redhat.com>
Message-ID: <4D90E1AC.3080905@younglogic.com>

On 03/28/2011 10:03 AM, Dmitri Pal wrote:
> On 03/27/2011 12:27 AM, Adam Young wrote:
>> http://freeipa.org/page/Main_Page
> In what way?
>

Well, the obvious was the 2.0 announcement needed to get up there. I see that has happened.

But it also seems so...generic? I'd like to integrate in the look and feel of the Web UI, at least the color scheme and Images. Nothing major, just something to make it look a little more substantial and deliberate.

The site is our portal, it is the first thing someone is going to check out when they hear about FreeIPA. It needs to sell FreeIPA.

From pzuna at redhat.com Mon Mar 28 20:38:31 2011
From: pzuna at redhat.com (Pavel Zůna)
Date: Mon, 28 Mar 2011 22:38:31 +0200
Subject: [Freeipa-devel] [PATCH] Add a new user-add flag param to disable the creation of UPG.
Message-ID: <4D90F1C7.1090909@redhat.com>

This patch handles the issue in a kind of stupid way, but I couldn't think of anything better.

It adds a new flag parameter to user-add (--noprivate). With this flag, the command marks the private group about to be created for deletion and it is deleted after the user is created. The only exception is when there is a group that is named the same way as the user but isn't a private group - then the group is left there.

Private groups are created automatically by the managed entry DS plugin and I didn't find a way to disable its creation for a specific user.

Ticket #1131

Pavel

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pzuna-88-noprivate.patch
Type: text/x-patch
Size: 2636 bytes

From adam at younglogic.com Mon Mar 28 20:49:44 2011
From: adam at younglogic.com (Adam Young)
Date: Mon, 28 Mar 2011 16:49:44 -0400
Subject: [Freeipa-devel] [PATCH] admiyo-0215-Fixed-labels-for-sudo-and-hbac-rules
Message-ID: <4D90F468.5090403@younglogic.com>

Putting these two patches together because the first changes labels from the server, and the second is only for test data. The second is a separate patch because there are other changes from older server side updates.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0215-Fixed-labels-for-sudo-and-hbac-rules.patch
Type: text/x-patch
Size: 1209 bytes
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0216-update-metadata-with-label-changes.patch
Type: text/x-patch
Size: 54311 bytes

From ayoung at redhat.com Mon Mar 28 20:50:35 2011
From ayoung at redhat.com Mon Mar 28 20:56:36 2011
From: ayoung at redhat.com (Adam Young)
Date: Mon, 28 Mar 2011 16:56:36 -0400
Subject: [Freeipa-devel] [PATCH] admiyo-0217-define-entities-using-builder-and-more-declarative
Message-ID: <4D90F604.2070609@redhat.com>

To give a little more context: we are llong to split out the logic used to define the views of the entities from the reusable portion of the toolkit. This patch introduces a builder object which contains the temporary state of the entity build process.

In the course of writing it, I realized a few things:

1. HBAC and SUDO have two small entities and a single large one. Thus, it makes sense to group them both into a single file per entity. Both hbac.js and sudo.js should shrink more in the future as the custom code gets better refactored and split into reusable components and configuration data.

2. policy.js was a catch all file. Automount will grow significantly this release, and so should have its own file. DNS is complicated enough that it deserves its own top level js file. policy is now reduced to two small entities, both that are very clearly policy.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0217-define-entities-using-builder-and-more-declarative-s.patch
Type: text/x-patch
Size: 134788 bytes

From rcritten at redhat.com Mon Mar 28 21:05:19 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 28 Mar 2011 17:05:19 -0400
Subject: [Freeipa-devel] [PATCH] Add a new user-add flag param to disable the creation of UPG.
In-Reply-To: <4D90F1C7.1090909@redhat.com>
References: <4D90F1C7.1090909@redhat.com>
Message-ID: <4D90F80F.4020506@redhat.com>

Pavel Zůna wrote:
> This patch handles the issue in a kind of stupid way, but I couldn't
> think of anything better.
>
> It adds a new flag parameter to user-add (--noprivate). With this flag,
> the command marks the private group about to be created for deletion and
> is deleted after the user is created. The only exception is when there
> is a group, that is named the same way as the user, but isn't a private
> group - then the group is left there.
>
> Private groups are created automatically by the managed entry DS plugin
> and I didn't find a way to disable its creation for a specific user.
>
> Ticket #1131
>
> Pavel

I wonder if you can modify the originFilter entry in the Managed Entry plugin and set something special so the user gets created w/o a group.

The trick would be getting the filter right. Currently it is
originFilter: objectclass=posixAccount

I wonder if we could stuff something else in there that would cause it to evaluate false when we don't want a managed group.

rob

From pzuna at redhat.com Mon Mar 28 21:08:47 2011
From: pzuna at redhat.com (Pavel Zůna)
Date: Mon, 28 Mar 2011 23:08:47 +0200
Subject: [Freeipa-devel] [PATCH] Add a new user-add flag param to disable the creation of UPG.
In-Reply-To: <4D90F80F.4020506@redhat.com>
References: <4D90F1C7.1090909@redhat.com> <4D90F80F.4020506@redhat.com>
Message-ID: <4D90F8DF.20707@redhat.com>

On 2011-03-28 23:05, Rob Crittenden wrote:
> Pavel Zůna wrote:
>> This patch handles the issue in a kind of stupid way, but I couldn't
>> think of anything better.
>>
>> It adds a new flag parameter to user-add (--noprivate). With this flag,
>> the command marks the private group about to be created for deletion and
>> is deleted after the user is created. The only exception is when there
>> is a group, that is named the same way as the user, but isn't a private
>> group - then the group is left there.
>>
>> Private groups are created automatically by the managed entry DS plugin
>> and I didn't find a way to disable its creation for a specific user.
>>
>> Ticket #1131
>>
>> Pavel
>
> I wonder if you can modify the originFilter entry in the Managed Entry
> plugin and set something special so the user gets created w/o a group.
>
> The trick would be getting the filter right. Currently it is
> originFilter: objectclass=posixAccount
>
> I wonder if we could stuff something else in there that would cause it
> to evaluate false when we don't want a managed group.
>
> rob

I thought about it, but changing the filter temporarily isn't an option since more user-add operations can be running at the same time and this entry is global.

Maybe adding a special object class or temporary attribute to mark users to be created without UPG.

Or creating the user without the posixAccount object class and attributes and adding them later using user-mod. This might be a bit faster than deleting the UPG.

Pavel

From ayoung at redhat.com Mon Mar 28 21:17:22 2011
From: ayoung at redhat.com (Adam Young)
Date: Mon, 28 Mar 2011 17:17:22 -0400
Subject: [Freeipa-devel] [PATCH] admiyo-0217-define-entities-using-builder-and-more-declarative
In-Reply-To: <4D90F604.2070609@redhat.com>
References: <4D90F604.2070609@redhat.com>
Message-ID: <4D90FAE2.2090901@redhat.com>

On 03/28/2011 04:56 PM, Adam Young wrote:
> To give a little more context: we are llong to split out the logic
> used to define the views of the entities from the reusable portion of
> the toolkit. This patch introduces a builder object which contains
> the temporary state of the entity build process.
>
> In the course of writing it, I realized a few things:
>
> 1. HBAC and SUDO have two small entities and a single large one.
> Thus, it makes sense to group them both into a single file per
> entity. Both hbac.js and sudo.js should shrink more in the future as
> the custom code gets better refactored and split into reusable
> components and configuration data.
>
>
> 2. policy.js was a catch all file. Automount will grow
> significantly this release, and so should have its own file. DNS is
> complicated enough that it deserves its own top level js file. policy
> is now reduced to two small entities, both that are very clearly policy.

Self NACK: jsl and unit test errors need to be fixed first. Still worth reviewing as is, as fixing that will not change the behavior or structure of the end patch.

From rcritten at redhat.com Mon Mar 28 21:34:52 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 28 Mar 2011 17:34:52 -0400
Subject: [Freeipa-devel] [PATCH] Add a new user-add flag param to disable the creation of UPG.
In-Reply-To: <4D90F8DF.20707@redhat.com>
References: <4D90F1C7.1090909@redhat.com> <4D90F80F.4020506@redhat.com> <4D90F8DF.20707@redhat.com>
Message-ID: <4D90FEFC.3010002@redhat.com>

Pavel Zůna wrote:
> On 2011-03-28 23:05, Rob Crittenden wrote:
>> Pavel Zůna wrote:
>>> This patch handles the issue in a kind of stupid way, but I couldn't
>>> think of anything better.
>>>
>>> It adds a new flag parameter to user-add (--noprivate). With this flag,
>>> the command marks the private group about to be created for deletion and
>>> is deleted after the user is created. The only exception is when there
>>> is a group, that is named the same way as the user, but isn't a private
>>> group - then the group is left there.
>>>
>>> Private groups are created automatically by the managed entry DS plugin
>>> and I didn't find a way to disable its creation for a specific user.
>>>
>>> Ticket #1131
>>>
>>> Pavel
>>
>> I wonder if you can modify the originFilter entry in the Managed Entry
>> plugin and set something special so the user gets created w/o a group.
>>
>> The trick would be getting the filter right. Currently it is
>> originFilter: objectclass=posixAccount
>>
>> I wonder if we could stuff something else in there that would cause it
>> to evaluate false when we don't want a managed group.
>>
>> rob
>
> I thought about it, but changing the filter temporarily isn't an option
> since more user-add operations can be running at the same time and this
> entry is global.

No, leave the filter alone but change it by default to something that is more flexible.

>
> Maybe adding a special object class or temporary attribute to mark users
> to be created without UPG.

Right, we could create a sup objectclass to ipaUsers that has no attributes and use it like a flag.

Not sure this is a great idea but we could even leave this to avoid the extra operations.

>
> Or creating the user without the posixAccount object class and
> attributes and adding them later using user-mod. This might be a bit
> faster than deleting the UPG.

Yup, that would probably work too.

rob

From dpal at redhat.com Mon Mar 28 22:20:15 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 28 Mar 2011 18:20:15 -0400
Subject: [Freeipa-devel] [PATCH] Add a new user-add flag param to disable the creation of UPG.
In-Reply-To: <4D90F1C7.1090909@redhat.com>
References: <4D90F1C7.1090909@redhat.com>
Message-ID: <4D91099F.8070400@redhat.com>

On 03/28/2011 04:38 PM, Pavel Zůna wrote:
> This patch handles the issue in a kind of stupid way, but I couldn't
> think of anything better.
>
> It adds a new flag parameter to user-add (--noprivate). With this
> flag, the command marks the private group about to be created for
> deletion and is deleted after the user is created. The only exception
> is when there is a group, that is named the same way as the user, but
> isn't a private group - then the group is left there.
>
> Private groups are created automatically by the managed entry DS
> plugin and I didn't find a way to disable its creation for a specific
> user.

The idea that comes to mind is to define some magical attribute that the DS plugin would recognize and skip the creation of the managed entry as well as strip the entry of this magic attribute/value.
I remember that other plugins might take advantage of the similar approach.

Is something like this possible?

>
> Ticket #1131
>
> Pavel

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From rmeggins at redhat.com Mon Mar 28 22:25:05 2011
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 28 Mar 2011 16:25:05 -0600
Subject: [Freeipa-devel] [PATCH] Add a new user-add flag param to disable the creation of UPG.
In-Reply-To: <4D91099F.8070400@redhat.com>
References: <4D90F1C7.1090909@redhat.com> <4D91099F.8070400@redhat.com>
Message-ID: <4D910AC1.8050105@redhat.com>

On 03/28/2011 04:20 PM, Dmitri Pal wrote:
> On 03/28/2011 04:38 PM, Pavel Zůna wrote:
>> This patch handles the issue in a kind of stupid way, but I couldn't
>> think of anything better.
>>
>> It adds a new flag parameter to user-add (--noprivate). With this
>> flag, the command marks the private group about to be created for
>> deletion and is deleted after the user is created. The only exception
>> is when there is a group, that is named the same way as the user, but
>> isn't a private group - then the group is left there.
>>
>> Private groups are created automatically by the managed entry DS
>> plugin and I didn't find a way to disable its creation for a specific
>> user.
>
> The idea that comes to mind is to define some magical attribute that
> the DS plugin would recognize and skip the creation of the managed
> entry as well as strip the entry of this magic attribute/value.
> I remember that other plugins might take advantage of the similar
> approach.
>
> Is something like this possible?

winsync does something similar

>
>> Ticket #1131
>>
>> Pavel
From: nkinder at redhat.com (Nathan Kinder)
Date: Mon, 28 Mar 2011 15:27:46 -0700
Subject: [Freeipa-devel] [PATCH] Add a new user-add flag param to disable the creation of UPG.
In-Reply-To: <4D91099F.8070400@redhat.com>
References: <4D90F1C7.1090909@redhat.com> <4D91099F.8070400@redhat.com>
Message-ID: <4D910B62.4060900@redhat.com>

On 03/28/2011 03:20 PM, Dmitri Pal wrote:
> On 03/28/2011 04:38 PM, Pavel Zůna wrote:
>> This patch handles the issue in a kind of stupid way, but I couldn't
>> think of anything better.
>>
>> It adds a new flag parameter to user-add (--noprivate). With this
>> flag, the command marks the private group about to be created for
>> deletion and is deleted after the user is created. The only exception
>> is when there is a group, that is named the same way as the user, but
>> isn't a private group - then the group is left there.
>>
>> Private groups are created automatically by the managed entry DS
>> plugin and I didn't find a way to disable its creation for a specific
>> user.
>
> The idea that comes to mind is to define some magical attribute that
> the DS plugin would recognize and skip the creation of the managed
> entry as well as strip the entry of this magic attribute/value.
> I remember that other plugins might take advantage of the similar
> approach.
>
> Is something like this possible?

You are probably thinking of the DNA plug-in and its use of a magic value used to tell the plug-in to allocate a value from a range. I would not like to use this approach here, as it requires additional coding and complexity that I don't think is needed.

I would prefer that we use the originFilter to deal with this. We could have an auxiliary objectclass that IPA usually adds when creating an IPA user. The originFilter can key off of this objectclass to create managed groups. When a user is added with the --noprivate option, this objectclass is not included in the user entry that is added. Rob and I discussed this approach on IRC earlier today.
>
>> Ticket #1131
>>
>> Pavel

From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 29 Mar 2011 11:10:42 +0200
Subject: [Freeipa-devel] [PATCH] admiyo-0215-Fixed-labels-for-sudo-and-hbac-rules
In-Reply-To: <4D90F468.5090403@younglogic.com>
References: <4D90F468.5090403@younglogic.com>
Message-ID: <1301389842.3592.30.camel@dhcp-25-52.brq.redhat.com>

On Mon, 2011-03-28 at 16:49 -0400, Adam Young wrote:
> Putting these two patches together because the first changes labels from
> the server, and the second is only for test data. The second is a
> separate patch because there are other changes from older server side
> updates.

Patch 215: ACK

Patch 216: NACK. It breaks the test suite.

Martin
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 29 Mar 2011 13:31:04 +0200
Subject: [Freeipa-devel] [PATCH] 044 Remove unwanted trimming in text fields
Message-ID: <1301398264.3592.34.camel@dhcp-25-52.brq.redhat.com>

The UI trims whitespace at the beginning or at the end when user data are being saved. This confuses the is_dirty function, which incorrectly recognizes the given field as modified. This patch fixes this issue for both general text fields and the ACI filter field.

https://fedorahosted.org/freeipa/ticket/1096

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-044-remove-unwanted-trimming-in-text-fields.patch
Type: text/x-patch
Size: 2525 bytes
From: jcholast at redhat.com (Jan Cholasta)
Date: Tue, 29 Mar 2011 15:22:29 +0200
Subject: [Freeipa-devel] [PATCH] 3 Add ability to specify netmask with IP addresses during installation
In-Reply-To: <4D90920E.3080900@redhat.com>
References: <4D9068E5.6090209@redhat.com> <4D90920E.3080900@redhat.com>
Message-ID: <4D91DD15.8020109@redhat.com>

On 28.3.2011 15:50, Adam Young wrote:
> On 03/28/2011 06:54 AM, Jan Cholasta wrote:
>> This patch enables the user to specify netmask/prefix length with IP
>> addresses (see
>> http://packages.python.org/netaddr/netaddr.ip.IPNetwork-class.html)
>> during installation for proper DNS reverse zone setup.
>>
>> https://fedorahosted.org/freeipa/ticket/910
>
> The approach makes sense on visual review. Haven't had the chance to
> test it yet.
>
> It appears to work for both IPv4 and V6 with and without netmasks. I'd
> like to see a unit test for the parser that confirms that.

Unit test added.

--
Jan Cholasta
From: jcholast at redhat.com (Jan Cholasta)
Date: Tue, 29 Mar 2011 15:24:54 +0200
Subject: [Freeipa-devel] [PATCH] 3 Add ability to specify netmask with IP addresses during installation
In-Reply-To: <4D91DD15.8020109@redhat.com>
References: <4D9068E5.6090209@redhat.com> <4D90920E.3080900@redhat.com> <4D91DD15.8020109@redhat.com>
Message-ID: <4D91DDA6.2060304@redhat.com>

Sorry, forgot to attach the patch.

--
Jan Cholasta

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-3-reverse-zone.patch
Type: text/x-patch
Size: 17718 bytes

From: ayoung at redhat.com (Adam Young)
Date: Tue, 29 Mar 2011 09:38:54 -0400
Subject: [Freeipa-devel] FreeIPA in RN 15
In-Reply-To: <1301393326.1643.15.camel@localhost.localdomain>
References: <1301393326.1643.15.camel@localhost.localdomain>
Message-ID: <4D91E0EE.7030008@redhat.com>

On 03/29/2011 06:08 AM, Luigi Votta wrote:
> Hi Adam,
> we are writing the Release Notes for F15.
> I've found your post on the Planet about FreeIPA v2.0 and I have
> appended it in the Security Beat for the RN:
> https://fedoraproject.org/wiki/Documentation_Security_Beat#FreeIPA_2.0
>
> I'm not sure if the issues mentioned will be there or not with F15 GA.
> Can you please take a look or tell me if they are relevant for GA.
> Feel free to change anything in it.
>
> Many thanks
> Luigi

Luigi, thanks. I was merely reposting what was sent to the distro list. FreeIPA 2.0 will be going out with F15:
From: jcholast at redhat.com (Jan Cholasta)
Date: Tue, 29 Mar 2011 16:04:15 +0200
Subject: [Freeipa-devel] [PATCH] 5 Add note about ipa-dns-install to ipa-server-install man page
Message-ID: <4D91E6DF.4000409@redhat.com>

Added the note so that users know that they can setup DNS at any time after ipa-server-install.

https://fedorahosted.org/freeipa/ticket/1082

--
Jan Cholasta

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-5-man.patch
Type: text/x-patch
Size: 1340 bytes

From: ayoung at redhat.com (Adam Young)
Date: Tue, 29 Mar 2011 10:16:15 -0400
Subject: [Freeipa-devel] Turn off "all" for searches
Message-ID: <4D91E9AF.2020402@redhat.com>

When we do search or details, we blindly add {all: false} to the JSON params. This is a mistake: all triggers far more server side work than we want to do. In the case of SUDO, it is causing enough problems that JrAquino's server errors out. Aside from correctness issues, we want to avoid the additional overhead.

Gonna recommend we change:

/usr/share/ipa/ui/search.js: line 272 to look like this:

    IPA.cmd(
        'find', [filter], {all: false}, on_success, on_error,
        that.entity_name);

That will break the user search, but should leave the rest of the site untouched (need to confirm). We can override search for users to use {all: true}
From: ayoung at redhat.com (Adam Young)
Date: Tue, 29 Mar 2011 10:23:28 -0400
Subject: [Freeipa-devel] Turn off "all" for searches
In-Reply-To: <4D91E9AF.2020402@redhat.com>
References: <4D91E9AF.2020402@redhat.com>
Message-ID: <4D91EB60.4090109@redhat.com>

On 03/29/2011 10:16 AM, Adam Young wrote:
> When we do search or details, we blindly add {all: false} to the JSON
> params. This is a mistake: all triggers far more server side work
> than we want to do. In the case of SUDO, it is causing enough
> problems that JrAquino's server errors out. Aside from correctness
> issues, we want to avoid the additional overhead.
>
> Gonna recommend we change:
>
> /usr/share/ipa/ui/search.js: line 272 to look like this:
>
> IPA.cmd(
> 'find', [filter], {all: false}, on_success, on_error,
> that.entity_name);
>
> That will break the user search, but should leave the rest of the site
> untouched (need to confirm). We can override search for users to use
> {all: true}

Correction: we blindly add {all:True}...recommending we change to all : false for all searches but user.
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 29 Mar 2011 13:20:50 -0400
Subject: [Freeipa-devel] [PATCH] 757 fix enrollment if otp is set
Message-ID: <4D9214F2.70907@redhat.com>

If a one-time password is set when a host is created the krbPrincipalName is not created. It will be added when the client enrolls with the password.

This means that the host can't enroll with an admin user because we don't allow writing krbPrincipalName. This adds an exception that it can be written when it is blank.

ticket 1075

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-757-enroll.patch
Type: application/mbox
Size: 2779 bytes

From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 29 Mar 2011 13:36:26 -0400
Subject: [Freeipa-devel] [PATCH] 758 make CA retrieval during discovery non-fatal
Message-ID: <4D92189A.8090507@redhat.com>

This makes the CA retrieval during IPA discovery non-fatal. If we can't get the CA cert then this likely isn't an IPA server so we should just return.

ticket 1135

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-758-client.patch
Type: application/mbox
Size: 1024 bytes

From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 29 Mar 2011 13:46:31 -0400
Subject: [Freeipa-devel] [PATCH] Fix gidnumber option of user-add command.
In-Reply-To: <4D906F94.2000709@redhat.com>
References: <4D906F94.2000709@redhat.com>
Message-ID: <4D921AF7.5050304@redhat.com>

Pavel Zuna wrote:
> With this patch, the gidNumber is set automatically only if it wasn't
> specified explicitly by the user.
>
> Ticket #1127
>
> Pavel

ack, pushed to master and ipa-2-0
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 29 Mar 2011 13:49:28 -0400
Subject: [Freeipa-devel] [PATCH] 4 Fix wording of error message
In-Reply-To: <4D90902A.3030900@redhat.com>
References: <4D90902A.3030900@redhat.com>
Message-ID: <4D921BA8.2010005@redhat.com>

Jan Cholasta wrote:
> Change the wording of the error message "The IPA Server hostname cannot
> resolve to localhost" to "The IPA Server hostname must not resolve to
> localhost".
>
> https://fedorahosted.org/freeipa/ticket/1009

ack, pushed to master and ipa-2-0

From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 29 Mar 2011 13:55:03 -0400
Subject: [Freeipa-devel] [PATCH] 043 Inconsistent error message for duplicate user
In-Reply-To: <1301326809.3592.11.camel@dhcp-25-52.brq.redhat.com>
References: <1301326809.3592.11.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4D921CF7.4090104@redhat.com>

Martin Kosek wrote:
> Target branches: master, ipa-2-0
> ---
>
> When a duplicate user is added, an error message inconsistent with the rest
> of the framework is printed. This patch changes this to the standard
> duplicate error message.
>
> https://fedorahosted.org/freeipa/ticket/1116

ack, pushed to master and ipa-2-0
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 29 Mar 2011 16:15:06 -0400
Subject: [Freeipa-devel] [PATCH] 3 Add ability to specify netmask with IP addresses during installation
In-Reply-To: <4D91DDA6.2060304@redhat.com>
References: <4D9068E5.6090209@redhat.com> <4D90920E.3080900@redhat.com> <4D91DD15.8020109@redhat.com> <4D91DDA6.2060304@redhat.com>
Message-ID: <4D923DCA.1030900@redhat.com>

Jan Cholasta wrote:
> Sorry, forgot to attach the patch.
>

Is this why you have some blind excepts?

installutils._IPAddressWithPrefix('192.168.0.1/33')
Traceback (most recent call last):
  File "", line 1, in
  File "ipaserver/install/installutils.py", line 167, in __init__
    net = netaddr.IPNetwork(addr)
  File "/usr/lib/python2.7/site-packages/netaddr/ip/__init__.py", line 919, in __init__
    implicit_prefix, flags)
  File "/usr/lib/python2.7/site-packages/netaddr/ip/__init__.py", line 782, in parse_ip_network
    value = ip._value
UnboundLocalError: local variable 'ip' referenced before assignment

We should get an upstream bug filed on python-netaddr about this.

Should parse_ip_address() raise an exception on bad data rather than returning 0.0.0.0?

>>> installutils.parse_ip_address('355.555.3.3')
_IPAddressWithPrefix('0.0.0.0')

or

>>> installutils.parse_ip_address('192.168.0.1/55')
_IPAddressWithPrefix('0.0.0.0')

Should it disallow net addresses like 192.168.0.0?

rob
From: dpal at redhat.com (Dmitri Pal)
Date: Tue, 29 Mar 2011 16:33:26 -0400
Subject: [Freeipa-devel] [PATCH] 3 Add ability to specify netmask with IP addresses during installation
In-Reply-To: <4D923DCA.1030900@redhat.com>
References: <4D9068E5.6090209@redhat.com> <4D90920E.3080900@redhat.com> <4D91DD15.8020109@redhat.com> <4D91DDA6.2060304@redhat.com> <4D923DCA.1030900@redhat.com>
Message-ID: <4D924216.9010109@redhat.com>

On 03/29/2011 04:15 PM, Rob Crittenden wrote:
> Jan Cholasta wrote:
>> Sorry, forgot to attach the patch.
>>
>
> Is this why you have some blind excepts?
>
> installutils._IPAddressWithPrefix('192.168.0.1/33')
> Traceback (most recent call last):
> File "", line 1, in
> File "ipaserver/install/installutils.py", line 167, in __init__
> net = netaddr.IPNetwork(addr)
> File "/usr/lib/python2.7/site-packages/netaddr/ip/__init__.py", line
> 919, in __init__
> implicit_prefix, flags)
> File "/usr/lib/python2.7/site-packages/netaddr/ip/__init__.py", line
> 782, in parse_ip_network
> value = ip._value
> UnboundLocalError: local variable 'ip' referenced before assignment
>
> We should get an upstream bug filed on python-netaddr about this.
>
> Should parse_ip_address() raise an exception on bad data rather than
> returning 0.0.0.0?
>
> >>> installutils.parse_ip_address('355.555.3.3')
> _IPAddressWithPrefix('0.0.0.0')
>
> or
>
> >>> installutils.parse_ip_address('192.168.0.1/55')
> _IPAddressWithPrefix('0.0.0.0')
>
> Should it disallow net addresses like 192.168.0.0?
>

No, otherwise I would not be able to test at home.

> rob

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 29 Mar 2011 16:38:03 -0400
Subject: [Freeipa-devel] [PATCH] 3 Add ability to specify netmask with IP addresses during installation
In-Reply-To: <4D924216.9010109@redhat.com>
References: <4D9068E5.6090209@redhat.com> <4D90920E.3080900@redhat.com> <4D91DD15.8020109@redhat.com> <4D91DDA6.2060304@redhat.com> <4D923DCA.1030900@redhat.com> <4D924216.9010109@redhat.com>
Message-ID: <4D92432B.3010706@redhat.com>

Dmitri Pal wrote:
> On 03/29/2011 04:15 PM, Rob Crittenden wrote:
>> Jan Cholasta wrote:
>>> Sorry, forgot to attach the patch.
>>>
>>
>> Is this why you have some blind excepts?
>>
>> installutils._IPAddressWithPrefix('192.168.0.1/33')
>> Traceback (most recent call last):
>> File "", line 1, in
>> File "ipaserver/install/installutils.py", line 167, in __init__
>> net = netaddr.IPNetwork(addr)
>> File "/usr/lib/python2.7/site-packages/netaddr/ip/__init__.py", line
>> 919, in __init__
>> implicit_prefix, flags)
>> File "/usr/lib/python2.7/site-packages/netaddr/ip/__init__.py", line
>> 782, in parse_ip_network
>> value = ip._value
>> UnboundLocalError: local variable 'ip' referenced before assignment
>>
>> We should get an upstream bug filed on python-netaddr about this.
>>
>> Should parse_ip_address() raise an exception on bad data rather than
>> returning 0.0.0.0?
>>
>> >>> installutils.parse_ip_address('355.555.3.3')
>> _IPAddressWithPrefix('0.0.0.0')
>>
>> or
>>
>> >>> installutils.parse_ip_address('192.168.0.1/55')
>> _IPAddressWithPrefix('0.0.0.0')
>>
>> Should it disallow net addresses like 192.168.0.0?
>>
>
> No, otherwise I would not be able to test at home.

Sorry, I mean that a .0 is considered a valid IP address to use for the server.

rob
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 29 Mar 2011 16:42:33 -0400
Subject: [Freeipa-devel] [PATCH] 041 Replica installation fails for self-signed server
In-Reply-To: <1301067572.7454.5.camel@dhcp-25-52.brq.redhat.com>
References: <1301067572.7454.5.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4D924439.30603@redhat.com>

Martin Kosek wrote:
> When IPA server was configured as self-signed (--selfsign option)
> the replica always failed to install.
>
> https://fedorahosted.org/freeipa/ticket/1122
>

Why not just make install_ca return (None, None) instead if we aren't installing dogtag?

rob

From: ayoung at redhat.com (Adam Young)
Date: Tue, 29 Mar 2011 17:53:38 -0400
Subject: [Freeipa-devel] [PATCH] 128 Fixed undefined label in permission adder dialog box.
In-Reply-To: <4D878F89.4050306@redhat.com>
References: <4D878F89.4050306@redhat.com>
Message-ID: <4D9254E2.6080305@redhat.com>

On 03/21/2011 01:48 PM, Endi Sukma Dewata wrote:
> The IPA.rights_widget was fixed to invoke the base init() method
> to load the i18n labels properly.
>
> Ticket 1113
>
> I think this patch should be added to 2.0.x because the bug is visible
> in plain sight and the fix is very simple.

ACK. Pushed to master
From: davido at redhat.com (David O'Brien)
Date: Wed, 30 Mar 2011 09:01:39 +1000
Subject: [Freeipa-devel] [PATCH] 5 Add note about ipa-dns-install to ipa-server-install man page
In-Reply-To: <4D91E6DF.4000409@redhat.com>
References: <4D91E6DF.4000409@redhat.com>
Message-ID: <4D9264D3.7080400@redhat.com>

Jan Cholasta wrote:
> Added the note so that users know that they can setup DNS at any time
> after ipa-server-install.
>
> https://fedorahosted.org/freeipa/ticket/1082

NACK

Minor English and style fix:

s/
"Note that you can setup DNS at any later time by running ipa-dns-install"
/
"Note that you can set up a DNS at any time after the initial IPA server install by running ipa-dns-install."

cheers

--
David O'Brien
Senior Content Author
Engineering Content Services (ECS)
Red Hat Asia Pacific Pty Ltd
+61 7 3514 8189

"He who asks is a fool for five minutes, but he who does not ask remains a fool forever." ~ Chinese proverb
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 30 Mar 2011 08:55:42 +0200
Subject: [Freeipa-devel] [PATCH] 041 Replica installation fails for self-signed server
In-Reply-To: <4D924439.30603@redhat.com>
References: <1301067572.7454.5.camel@dhcp-25-52.brq.redhat.com> <4D924439.30603@redhat.com>
Message-ID: <1301468142.28351.1.camel@dhcp-25-52.brq.redhat.com>

On Tue, 2011-03-29 at 16:42 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > When IPA server was configured as self-signed (--selfsign option)
> > the replica always failed to install.
> >
> > https://fedorahosted.org/freeipa/ticket/1122
> >
>
> Why not just make install_ca return (None, None) instead if we aren't
> installing dogtag?
>
> rob

Good point, this will be much more readable. Sending updated patch.

Martin

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-041-02-replica-installation-fails-for-self-signed-server.patch
Type: text/x-patch
Size: 1039 bytes

From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 30 Mar 2011 09:23:08 +0200
Subject: [Freeipa-devel] [PATCH] 757 fix enrollment if otp is set
In-Reply-To: <4D9214F2.70907@redhat.com>
References: <4D9214F2.70907@redhat.com>
Message-ID: <1301469788.28351.3.camel@dhcp-25-52.brq.redhat.com>

On Tue, 2011-03-29 at 13:20 -0400, Rob Crittenden wrote:
> If a one-time password is set when a host is created the
> krbPrincipalName is not created. It will be added when the client
> enrolls with the password.
>
> This means that the host can't enroll with an admin user because we
> don't allow writing krbPrincipalName. This adds an exception that it can
> be written when it is blank.
>
> ticket 1075
>
> rob

ACK.

Both IPA server upgrade and then OTP-free client enrollment went fine.

Martin
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 30 Mar 2011 10:49:23 +0200
Subject: [Freeipa-devel] [PATCH] 758 make CA retrieval during discovery non-fatal
In-Reply-To: <4D92189A.8090507@redhat.com>
References: <4D92189A.8090507@redhat.com>
Message-ID: <1301474963.28351.8.camel@dhcp-25-52.brq.redhat.com>

On Tue, 2011-03-29 at 13:36 -0400, Rob Crittenden wrote:
> This makes the CA retrieval during IPA discovery non-fatal. If we can't
> get the CA cert then this likely isn't an IPA server so we should just
> return.
>
> ticket 1135
>
> rob

ACK from me.

I also tried to at least partially simulate the AD by at least changing DNS SRV records in the DNS server controlling the domain. I was able to install the client with the --server, --domain and --force options then.

Martin
From: jcholast at redhat.com (Jan Cholasta)
Date: Wed, 30 Mar 2011 12:17:18 +0200
Subject: [Freeipa-devel] [PATCH] 5 Add note about ipa-dns-install to ipa-server-install man page
In-Reply-To: <4D9264D3.7080400@redhat.com>
References: <4D91E6DF.4000409@redhat.com> <4D9264D3.7080400@redhat.com>
Message-ID: <4D93032E.8000703@redhat.com>

On 30.3.2011 01:01, David O'Brien wrote:
> Jan Cholasta wrote:
>> Added the note so that users know that they can setup DNS at any time
>> after ipa-server-install.
>>
>> https://fedorahosted.org/freeipa/ticket/1082
>
> NACK
>
> Minor English and style fix:
>
> s/
> "Note that you can setup DNS at any later time by running ipa-dns-install"
> /
> "Note that you can set up a DNS at any time after the initial IPA server
> install by running ipa-dns-install."

Thanks, fixed.

>
> cheers
>

--
Jan Cholasta

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-5-man.patch
Type: text/x-patch
Size: 1374 bytes
From: jcholast at redhat.com (Jan Cholasta)
Date: Wed, 30 Mar 2011 12:49:17 +0200
Subject: [Freeipa-devel] [PATCH] 3 Add ability to specify netmask with IP addresses during installation
In-Reply-To: <4D923DCA.1030900@redhat.com>
References: <4D9068E5.6090209@redhat.com> <4D90920E.3080900@redhat.com> <4D91DD15.8020109@redhat.com> <4D91DDA6.2060304@redhat.com> <4D923DCA.1030900@redhat.com>
Message-ID: <4D930AAD.9020209@redhat.com>

On 29.3.2011 22:15, Rob Crittenden wrote:
> Jan Cholasta wrote:
>> Sorry, forgot to attach the patch.
>>
>
> Is this why you have some blind excepts?
>
> installutils._IPAddressWithPrefix('192.168.0.1/33')
> Traceback (most recent call last):
> File "", line 1, in
> File "ipaserver/install/installutils.py", line 167, in __init__
> net = netaddr.IPNetwork(addr)
> File "/usr/lib/python2.7/site-packages/netaddr/ip/__init__.py", line
> 919, in __init__
> implicit_prefix, flags)
> File "/usr/lib/python2.7/site-packages/netaddr/ip/__init__.py", line
> 782, in parse_ip_network
> value = ip._value
> UnboundLocalError: local variable 'ip' referenced before assignment
>
> We should get an upstream bug filed on python-netaddr about this.

https://github.com/drkjam/netaddr/issues/closed#issue/5
https://github.com/drkjam/netaddr/issues/closed#issue/6
https://github.com/drkjam/netaddr/issues/closed#issue/8

Apparently it's already been fixed for the next release.

IMHO it's not much of an issue for us, because the exception gets caught in parse_ip_address and that's currently the only place where _IPAddressWithPrefix is used.

>
> Should parse_ip_address() raise an exception on bad data rather than
> returning 0.0.0.0?

I've been down that road and it would need a rewrite of the fragile IP address handling logic of ipa-server-install, which is something I'd rather avoid.
>
> >>> installutils.parse_ip_address('355.555.3.3')
> _IPAddressWithPrefix('0.0.0.0')
>
> or
>
> >>> installutils.parse_ip_address('192.168.0.1/55')
> _IPAddressWithPrefix('0.0.0.0')
>
> Should it disallow net addresses like 192.168.0.0?

If you mean network and broadcast addresses, it probably should. It might be a good idea to disallow localhost, multicast and/or link-local addresses too.

>
> rob

--
Jan Cholasta

From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 30 Mar 2011 10:00:42 -0400
Subject: [Freeipa-devel] [PATCH] 041 Replica installation fails for self-signed server
In-Reply-To: <1301468142.28351.1.camel@dhcp-25-52.brq.redhat.com>
References: <1301067572.7454.5.camel@dhcp-25-52.brq.redhat.com> <4D924439.30603@redhat.com> <1301468142.28351.1.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4D93378A.30501@redhat.com>

Martin Kosek wrote:
> On Tue, 2011-03-29 at 16:42 -0400, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> When IPA server was configured as self-signed (--selfsign option)
>>> the replica always failed to install.
>>>
>>> https://fedorahosted.org/freeipa/ticket/1122
>>>
>>
>> Why not just make install_ca return (None, None) instead if we aren't
>> installing dogtag?
>>
>> rob
>
> Good point, this will be much more readable. Sending updated patch.
>
> Martin

ack, pushed to master and ipa-2-0

rob
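The stricter address validation that Rob and Jan go back and forth on in the netmask thread above (raising on bad input instead of returning 0.0.0.0, and refusing network, broadcast, loopback, multicast and link-local addresses), written out as an added example. This is not FreeIPA's installutils code and it does not use netaddr, which the patch under review depends on; it uses the standard-library ipaddress module instead. The names parse_ip_address, AddressError and check_addresses, and all of the sample inputs, are constructed for this example.

```python
"""Strict parsing of an IP address with an optional prefix length.

Added example (not FreeIPA code): reject bad input instead of mapping it
to 0.0.0.0, and reject addresses that make no sense for a server
interface. Uses ipaddress from the standard library rather than netaddr.
"""
import ipaddress


class AddressError(ValueError):
    """Raised for any address the installer should refuse (assumed name)."""


def parse_ip_address(text):
    """Parse '1.2.3.4' or '1.2.3.4/24' (IPv4 or IPv6).

    Returns an ipaddress.IPv4Interface / IPv6Interface whose .network
    carries the prefix (host-only input gets the full-length prefix).
    Raises AddressError instead of silently returning a fallback value.
    """
    text = text.strip()
    if not text:
        raise AddressError("empty address")
    try:
        iface = ipaddress.ip_interface(text)
    except ValueError as e:
        # Covers octets > 255, prefix lengths > 32/128 and junk strings,
        # i.e. the '355.555.3.3' and '192.168.0.1/55' cases from the thread.
        raise AddressError(f"invalid IP address {text!r}: {e}") from e

    addr = iface.ip
    if addr.is_unspecified:
        raise AddressError(f"{addr} is the unspecified address")
    if addr.is_loopback:
        raise AddressError(f"{addr} is a loopback address")
    if addr.is_multicast:
        raise AddressError(f"{addr} is a multicast address")
    if addr.is_link_local:
        raise AddressError(f"{addr} is a link-local address")

    # Network and broadcast addresses only exist when the prefix leaves
    # room for hosts; a /32 or /128 is a single host and is acceptable.
    net = iface.network
    if net.num_addresses > 2:
        if addr == net.network_address:
            raise AddressError(f"{addr} is the network address of {net}")
        if addr.version == 4 and addr == net.broadcast_address:
            raise AddressError(f"{addr} is the broadcast address of {net}")
    return iface


def check_addresses(candidates):
    """Split candidate strings into accepted and rejected (with reason).

    Useful as the body of a unit test or for a dry run over install input.
    """
    accepted, rejected = {}, {}
    for text in candidates:
        try:
            accepted[text] = str(parse_ip_address(text))
        except AddressError as e:
            rejected[text] = str(e)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample inputs, including the ones quoted in the thread.
    samples = ["192.168.0.1/24", "192.168.0.1", "2001:db8::1/64",
               "355.555.3.3", "192.168.0.1/55", "192.168.0.1/33",
               "192.168.0.0/24", "192.168.0.255/24", "127.0.0.1",
               "224.0.0.1", "fe80::1", "0.0.0.0", "not-an-address"]
    ok, bad = check_addresses(samples)
    for text, value in ok.items():
        print(f"accepted {text:<18} -> {value}")
    for text, reason in bad.items():
        print(f"rejected {text:<18} -> {reason}")
```

One caveat the thread touches on: without a prefix there is no way to tell 192.168.0.0 apart from an ordinary host, so the check only fires when the caller supplied a netmask that makes the address the network or broadcast address of its subnet. Unlike the netaddr 0.3 behaviour shown in the traceback, ipaddress raises a clean ValueError for an out-of-range prefix, which the wrapper turns into AddressError.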
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 30 Mar 2011 10:04:40 -0400
Subject: [Freeipa-devel] [PATCH] 757 fix enrollment if otp is set
In-Reply-To: <1301469788.28351.3.camel@dhcp-25-52.brq.redhat.com>
References: <4D9214F2.70907@redhat.com> <1301469788.28351.3.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4D933878.6050201@redhat.com>

Martin Kosek wrote:
> On Tue, 2011-03-29 at 13:20 -0400, Rob Crittenden wrote:
>> If a one-time password is set when a host is created the
>> krbPrincipalName is not created. It will be added when the client
>> enrolls with the password.
>>
>> This means that the host can't enroll with an admin user because we
>> don't allow writing krbPrincipalName. This adds an exception that it can
>> be written when it is blank.
>>
>> ticket 1075
>>
>> rob
>
> ACK.
>
> Both IPA server upgrade and then OTP-free client enrollment went fine.
>
> Martin

pushed to master and ipa-2-0

From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 30 Mar 2011 10:04:52 -0400
Subject: [Freeipa-devel] [PATCH] 758 make CA retrieval during discovery non-fatal
In-Reply-To: <1301474963.28351.8.camel@dhcp-25-52.brq.redhat.com>
References: <4D92189A.8090507@redhat.com> <1301474963.28351.8.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4D933884.7070901@redhat.com>

Martin Kosek wrote:
> On Tue, 2011-03-29 at 13:36 -0400, Rob Crittenden wrote:
>> This makes the CA retrieval during IPA discovery non-fatal. If we can't
>> get the CA cert then this likely isn't an IPA server so we should just
>> return.
>>
>> ticket 1135
>>
>> rob
>
> ACK from me.
>
> I also tried to at least partially simulate the AD by at least changing
> DNS SRV records in DNS server controlling the domain. I was able to
> install the client with --server, --domain and --force options then.
>
> Martin

pushed to master and ipa-2-0
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 30 Mar 2011 10:23:52 -0400
Subject: [Freeipa-devel] [PATCH] 759 cache get_ipa_config() output in request context
Message-ID: <4D933CF8.1000003@redhat.com>

Some requests generate multiple calls to get_ipa_config(). This patch caches the return value for this in the request context.

ticket 1023

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-759-cache.patch
Type: application/mbox
Size: 1564 bytes

From rcritten at redhat.com Wed Mar 30 14:42:14 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 30 Mar 2011 10:42:14 -0400
Subject: [Freeipa-devel] [PATCH] 760 don't crash when calculating indirect
Message-ID: <4D934146.6020706@redhat.com>

This prevents an internal error when calculating direct vs indirect membership.

ticket 1133

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-760-member.patch
Type: application/mbox
Size: 1818 bytes

From rcritten at redhat.com Wed Mar 30 14:46:21 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 30 Mar 2011 10:46:21 -0400
Subject: [Freeipa-devel] [PATCH] 760 don't crash when calculating indirect
In-Reply-To: <4D934146.6020706@redhat.com>
References: <4D934146.6020706@redhat.com>
Message-ID: <4D93423D.4040607@redhat.com>

Rob Crittenden wrote:
> This prevents an internal error when calculating direct vs indirect membership.
>
> ticket 1133

I accidentally included a change from another patch. Updated patch attached.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-760-2-member.patch
Type: application/mbox
Size: 1093 bytes

From mkosek at redhat.com Wed Mar 30 15:13:20 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 30 Mar 2011 17:13:20 +0200
Subject: [Freeipa-devel] [PATCH] 045 Add DNS record modification command
Message-ID: <1301498000.28351.11.camel@dhcp-25-52.brq.redhat.com>

Since this is a new-feature type patch it should be pushed only to master.
-------
The DNS record plugin does not support modification of a record. One can only add A type addresses to a DNS record or remove the current ones. To actually change a DNS record value it has to be removed and then added with a desired value.

This patch adds a new DNS plugin command "dnsrecord-mod" which enables the user to:
- modify a DNS record value (note that a DNS record can hold multiple values and those will be overwritten)
- remove a DNS record when an empty value is passed

New tests for this new command have been added to the CLI test suite.

https://fedorahosted.org/freeipa/ticket/1137

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-045-add-dns-record-modification-command.patch
Type: text/x-patch
Size: 8613 bytes

From ayoung at redhat.com Wed Mar 30 16:40:45 2011
From: ayoung at redhat.com (Adam Young)
Date: Wed, 30 Mar 2011 12:40:45 -0400
Subject: [Freeipa-devel] [PATCH] admiyo-0217-define-entities-using-builder-and-more-declarative
In-Reply-To: <4D90FAE2.2090901@redhat.com>
References: <4D90F604.2070609@redhat.com> <4D90FAE2.2090901@redhat.com>
Message-ID: <4D935D0D.6050503@redhat.com>

On 03/28/2011 05:17 PM, Adam Young wrote:
> On 03/28/2011 04:56 PM, Adam Young wrote:
>> To give a little more context: we are looking to split out the logic used to define the views of the entities from the reusable portion of the toolkit. This patch introduces a builder object which contains the temporary state of the entity build process.
>>
>> In the course of writing it, I realized a few things:
>>
>> 1. HBAC and SUDO have two small entities and a single large one. Thus, it makes sense to group them both into a single file per entity. Both hbac.js and sudo.js should shrink more in the future as the custom code gets better refactored and split into reusable components and configuration data.
>>
>> 2. policy.js was a catch all file. Automount will grow significantly this release, and so should have its own file. DNS is complicated enough that it deserves its own top level js file. policy is now reduced to two small entities, both that are very clearly policy.
>>
>> _______________________________________________
>> Freeipa-devel mailing list
>> Freeipa-devel at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>
> Self NACK: jsl and unit test errors need to be fixed first. Still worth reviewing as is, as fixing that will not change the behavior or structure of the end patch.

Updated with fix for unit tests.
Note that this requires the NACKed version of freeipa-admiyo-0216-update-metadata-with-label-changes.patch. The fixes in the unit tests here resolve the test breakage due to the metadata updates.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0217-1-define-entities-using-builder-and-more-declarative-s.patch
Type: text/x-patch
Size: 148522 bytes

From JR.Aquino at citrix.com Wed Mar 30 19:05:39 2011
From: JR.Aquino at citrix.com (JR Aquino)
Date: Wed, 30 Mar 2011 19:05:39 +0000
Subject: [Freeipa-devel] [PATCH] 21 Escape LDAP characters in member and memberof searches
Message-ID: <4B31A82A-E139-4A02-A1AC-C8E8D97789AF@citrixonline.com>

The FreeIPA framework performs unescaped searches to enumerate group membership.

The following patch corrects this behavior.

-JR

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jraquino-0021-Escape-LDAP-characters-in-member-and-memberof-search.patch
Type: application/octet-stream
Size: 1205 bytes

From JR.Aquino at citrix.com Wed Mar 30 19:53:42 2011
From: JR.Aquino at citrix.com (JR Aquino)
Date: Wed, 30 Mar 2011 19:53:42 +0000
Subject: [Freeipa-devel] [PATCH] 21 Escape LDAP characters in member and memberof searches
In-Reply-To: <4B31A82A-E139-4A02-A1AC-C8E8D97789AF@citrixonline.com>
References: <4B31A82A-E139-4A02-A1AC-C8E8D97789AF@citrixonline.com>
Message-ID: <2D9B2A5E-9ED7-46FE-AD41-DD2164FE633C@citrixonline.com>

On Mar 30, 2011, at 12:05 PM, JR Aquino wrote:
> The FreeIPA framework performs unescaped searches to enumerate group membership.
>
> The following patch corrects this behavior.
>
> -JR

Self NACK

Attached is the corrected patch.

search_group_dn = _ldap_filter.escape_filter_chars(search_group_dn)

Is now correctly changed to:

search_group_dn = _ldap_filter.escape_filter_chars(group_dn)

-JR

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jraquino-0021-Escape-LDAP-characters-in-member-and-memberof-search.patch
Type: application/octet-stream
Size: 1198 bytes

From sgallagh at redhat.com Wed Mar 30 20:01:52 2011
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Wed, 30 Mar 2011 16:01:52 -0400
Subject: [Freeipa-devel] [PATCH] 21 Escape LDAP characters in member and memberof searches
In-Reply-To: <2D9B2A5E-9ED7-46FE-AD41-DD2164FE633C@citrixonline.com>
References: <4B31A82A-E139-4A02-A1AC-C8E8D97789AF@citrixonline.com> <2D9B2A5E-9ED7-46FE-AD41-DD2164FE633C@citrixonline.com>
Message-ID: <4D938C30.3000103@redhat.com>

On 03/30/2011 03:53 PM, JR Aquino wrote:
>
> On Mar 30, 2011, at 12:05 PM, JR Aquino wrote:
>
>> The FreeIPA framework performs unescaped searches to enumerate group membership.
>>
>> The following patch corrects this behavior.
>>
>> -JR
>
> Self NACK
>
> Attached is the corrected patch.
>
> search_group_dn = _ldap_filter.escape_filter_chars(search_group_dn)
>
> Is now correctly changed to:
>
> search_group_dn = _ldap_filter.escape_filter_chars(group_dn)
>

Nack. This is a step in the right direction, but you're not actually using this value anywhere.

I think you wanted to have the next line changed to:

searchfilter = "(memberof=%s)" % search_group_dn

--
Stephen Gallagher
RHCE 804006346421761

Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/

From JR.Aquino at citrix.com Wed Mar 30 20:16:51 2011
From: JR.Aquino at citrix.com (JR Aquino)
Date: Wed, 30 Mar 2011 20:16:51 +0000
Subject: [Freeipa-devel] [PATCH] 22 Add memberHost and memberUser to default indexes
Message-ID:

The plugin architecture makes a great deal of calls to search for memberUser and memberHost. These attributes are missing from the index and are greatly slowing down the CLI and WebUI.

They should be added as Equality Indexes, as the searches that are performed are meant for enumeration after the exact value is known.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jraquino-0022-Add-memberHost-and-memberUser-to-default-indexes.patch
Type: application/octet-stream
Size: 1463 bytes

From JR.Aquino at citrix.com Wed Mar 30 20:22:24 2011
From: JR.Aquino at citrix.com (JR Aquino)
Date: Wed, 30 Mar 2011 20:22:24 +0000
Subject: [Freeipa-devel] [PATCH] 21 Escape LDAP characters in member and memberof searches
In-Reply-To: <4D938C30.3000103@redhat.com>
References: <4B31A82A-E139-4A02-A1AC-C8E8D97789AF@citrixonline.com> <2D9B2A5E-9ED7-46FE-AD41-DD2164FE633C@citrixonline.com> <4D938C30.3000103@redhat.com>
Message-ID:

On Mar 30, 2011, at 1:01 PM, Stephen Gallagher wrote:
> On 03/30/2011 03:53 PM, JR Aquino wrote:
>>
>> On Mar 30, 2011, at 12:05 PM, JR Aquino wrote:
>>
>>> The FreeIPA framework performs unescaped searches to enumerate group membership.
>>>
>>> The following patch corrects this behavior.
>>>
>>> -JR
>>
>> Self NACK
>>
>> Attached is the corrected patch.
>>
>> search_group_dn = _ldap_filter.escape_filter_chars(search_group_dn)
>>
>> Is now correctly changed to:
>>
>> search_group_dn = _ldap_filter.escape_filter_chars(group_dn)
>>
>
> Nack. This is a step in the right direction, but you're not actually using this value anywhere.
>
> I think you wanted to have the next line changed to:
>
> searchfilter = "(memberof=%s)" % search_group_dn
>
> --
> Stephen Gallagher
> RHCE 804006346421761

Oh! You are right.

Attached is the corrected patch.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jraquino-0021-Escape-LDAP-characters-in-member-and-memberof-search.patch
Type: application/octet-stream
Size: 1257 bytes

From sgallagh at redhat.com Wed Mar 30 20:26:45 2011
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Wed, 30 Mar 2011 16:26:45 -0400
Subject: [Freeipa-devel] [PATCH] 21 Escape LDAP characters in member and memberof searches
In-Reply-To:
References: <4B31A82A-E139-4A02-A1AC-C8E8D97789AF@citrixonline.com> <2D9B2A5E-9ED7-46FE-AD41-DD2164FE633C@citrixonline.com> <4D938C30.3000103@redhat.com>
Message-ID: <4D939205.90300@redhat.com>

On 03/30/2011 04:22 PM, JR Aquino wrote:
> On Mar 30, 2011, at 1:01 PM, Stephen Gallagher wrote:
>
>> On 03/30/2011 03:53 PM, JR Aquino wrote:
>>>
>>> On Mar 30, 2011, at 12:05 PM, JR Aquino wrote:
>>>
>>>> The FreeIPA framework performs unescaped searches to enumerate group membership.
>>>>
>>>> The following patch corrects this behavior.
>>>>
>>>> -JR
>>>
>>> Self NACK
>>>
>>> Attached is the corrected patch.
>>>
>>> search_group_dn = _ldap_filter.escape_filter_chars(search_group_dn)
>>>
>>> Is now correctly changed to:
>>>
>>> search_group_dn = _ldap_filter.escape_filter_chars(group_dn)
>>>
>>
>> Nack. This is a step in the right direction, but you're not actually using this value anywhere.
>>
>> I think you wanted to have the next line changed to:
>>
>> searchfilter = "(memberof=%s)" % search_group_dn
>>
>> --
>> Stephen Gallagher
>> RHCE 804006346421761
>
> Oh! You are right.
>
> Attached is the corrected patch.

Ack

--
Stephen Gallagher
RHCE 804006346421761

From ayoung at redhat.com Wed Mar 30 20:52:44 2011
From: ayoung at redhat.com (Adam Young)
Date: Wed, 30 Mar 2011 16:52:44 -0400
Subject: [Freeipa-devel] [PATCH] 045 Add DNS record modification command
In-Reply-To: <1301498000.28351.11.camel@dhcp-25-52.brq.redhat.com>
References: <1301498000.28351.11.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4D93981C.6010403@redhat.com>

On 03/30/2011 11:13 AM, Martin Kosek wrote:
> Since this is a new-feature type patch it should be pushed only to master.
> -------
> The DNS record plugin does not support modification of a record. One can only add A type addresses to a DNS record or remove the current ones. To actually change a DNS record value it has to be removed and then added with a desired value.
>
> This patch adds a new DNS plugin command "dnsrecord-mod" which enables the user to:
> - modify a DNS record value (note that a DNS record can hold multiple values and those will be overwritten)
> - remove a DNS record when an empty value is passed
>
> New tests for this new command have been added to the CLI test suite.
>
> https://fedorahosted.org/freeipa/ticket/1137

NACK,

The problem is that if there are 10 A records, and I only want to modify one, I have no way to specify which one.

The API should be something like:

ipa dnsrecord-mod ayoung.boston.devel.redhat.com testa 10.10.2.3 --a-rec=,10.11.12.13

Alternatively, we can decide that we are not going to do mod, and have the WebUI do a delete and an add:

From rcritten at redhat.com Wed Mar 30 21:14:18 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 30 Mar 2011 17:14:18 -0400
Subject: [Freeipa-devel] [PATCH] 761 Sort entries on *-find commands
Message-ID: <4D939D2A.40903@redhat.com>

Sort output on find commands based on the baseldap LDAPSearch class.

A couple tests had to be modified to match the new order.

ticket 794

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-761-sort.patch
Type: application/mbox
Size: 3500 bytes

From rcritten at redhat.com Wed Mar 30 22:03:18 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 30 Mar 2011 18:03:18 -0400
Subject: [Freeipa-devel] [PATCH] 21 Escape LDAP characters in member and memberof searches
In-Reply-To:
References: <4B31A82A-E139-4A02-A1AC-C8E8D97789AF@citrixonline.com> <2D9B2A5E-9ED7-46FE-AD41-DD2164FE633C@citrixonline.com> <4D938C30.3000103@redhat.com>
Message-ID: <4D93A8A6.1010105@redhat.com>

JR Aquino wrote:
> On Mar 30, 2011, at 1:01 PM, Stephen Gallagher wrote:
>
>> On 03/30/2011 03:53 PM, JR Aquino wrote:
>>>
>>> On Mar 30, 2011, at 12:05 PM, JR Aquino wrote:
>>>
>>>> The FreeIPA framework performs unescaped searches to enumerate group membership.
>>>>
>>>> The following patch corrects this behavior.
>>>>
>>>> -JR
>>>
>>> Self NACK
>>>
>>> Attached is the corrected patch.
>>>
>>> search_group_dn = _ldap_filter.escape_filter_chars(search_group_dn)
>>>
>>> Is now correctly changed to:
>>>
>>> search_group_dn = _ldap_filter.escape_filter_chars(group_dn)
>>>
>>
>> Nack. This is a step in the right direction, but you're not actually using this value anywhere.
>>
>> I think you wanted to have the next line changed to:
>>
>> searchfilter = "(memberof=%s)" % search_group_dn
>>
>> --
>> Stephen Gallagher
>> RHCE 804006346421761
>
> Oh! You are right.
>
> Attached is the corrected patch.

I don't think you need a new variable for search_group_dn. The value is passed in from a tuple so any changes will be silently lost anyway.

Or you can leave it, I think it's probably safer this way (since we can't predict how it will be called in the future), but you should then do the same in get_memberof().

rob

From JR.Aquino at citrix.com Wed Mar 30 22:19:22 2011
From: JR.Aquino at citrix.com (JR Aquino)
Date: Wed, 30 Mar 2011 22:19:22 +0000
Subject: [Freeipa-devel] [PATCH] 21 Escape LDAP characters in member and memberof searches
In-Reply-To: <4D93A8A6.1010105@redhat.com>
References: <4B31A82A-E139-4A02-A1AC-C8E8D97789AF@citrixonline.com> <2D9B2A5E-9ED7-46FE-AD41-DD2164FE633C@citrixonline.com> <4D938C30.3000103@redhat.com> <4D93A8A6.1010105@redhat.com>
Message-ID: <6ADACF97-A538-4206-8DBD-5E1FD2C07895@citrixonline.com>

On Mar 30, 2011, at 3:03 PM, Rob Crittenden wrote:
> JR Aquino wrote:
>> On Mar 30, 2011, at 1:01 PM, Stephen Gallagher wrote:
>>
>>> On 03/30/2011 03:53 PM, JR Aquino wrote:
>>>>
>>>> On Mar 30, 2011, at 12:05 PM, JR Aquino wrote:
>>>>
>>>>> The FreeIPA framework performs unescaped searches to enumerate group membership.
>>>>>
>>>>> The following patch corrects this behavior.
>>>>>
>>>>> -JR
>>>>
>>>> Self NACK
>>>>
>>>> Attached is the corrected patch.
>>>>
>>>> search_group_dn = _ldap_filter.escape_filter_chars(search_group_dn)
>>>>
>>>> Is now correctly changed to:
>>>>
>>>> search_group_dn = _ldap_filter.escape_filter_chars(group_dn)
>>>>
>>>
>>> Nack. This is a step in the right direction, but you're not actually using this value anywhere.
>>>
>>> I think you wanted to have the next line changed to:
>>>
>>> searchfilter = "(memberof=%s)" % search_group_dn
>>>
>>> --
>>> Stephen Gallagher
>>> RHCE 804006346421761
>>
>> Oh! You are right.
>>
>> Attached is the corrected patch.
>
> I don't think you need a new variable for search_group_dn. The value is passed in from a tuple so any changes will be silently lost anyway.
>
> Or you can leave it, I think it's probably safer this way (since we can't predict how it will be called in the future), but you should then do the same in get_memberof().
>
> rob

I agree with you. For the sake of equality, I have adjusted the patch to address entry_dn with search_entry_dn.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jraquino-0021-Escape-LDAP-characters-in-member-and-memberof-search.patch
Type: application/octet-stream
Size: 1453 bytes

From davido at redhat.com Wed Mar 30 23:18:59 2011
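The fix the patch 21 thread converges on (escape the DN before formatting it into the memberof filter, and do the same for entry_dn in get_memberof()), as an added example that is not FreeIPA's code: a small RFC 4515 escaper that mirrors the default mode of python-ldap's ldap.filter.escape_filter_chars, the pre- and post-patch filter builders, and a minimal single-item filter parser that shows why an unescaped DN breaks the search. The function names, the parser and the sample DN are my own constructions.

```python
import re

# Added example, not FreeIPA's code: the memberof/member filter construction
# discussed in patch 21, with an RFC 4515 escaper that mirrors python-ldap's
# ldap.filter.escape_filter_chars (default mode) and a checker that shows
# why the escaping matters.

_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
_ATTR_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")
_HEXPAIR_RE = re.compile(r"^[0-9A-Fa-f]{2}$")


def escape_filter_chars(value):
    """Escape the RFC 4515 metacharacters in an assertion value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def memberof_filter_unescaped(group_dn):
    """Pre-patch behaviour described in the thread: the DN goes in verbatim."""
    return "(memberof=%s)" % group_dn


def memberof_filter(group_dn):
    """Patched behaviour: find entries that are members of group_dn."""
    search_group_dn = escape_filter_chars(group_dn)
    return "(memberof=%s)" % search_group_dn


def member_filter(entry_dn):
    """Rob's follow-up: get_memberof() needs the same treatment for entry_dn."""
    search_entry_dn = escape_filter_chars(entry_dn)
    return "(member=%s)" % search_entry_dn


def parse_simple_filter(search_filter):
    """Parse one equality item '(attr=value)' the way a server would.

    Returns (attr, unescaped value) for a well-formed item, or None when the
    value contains an unescaped metacharacter or a bad \\xx escape. This is a
    deliberately minimal parser (assumption: no AND/OR/NOT, no substrings).
    """
    if not (search_filter.startswith("(") and search_filter.endswith(")")):
        return None
    attr, sep, raw = search_filter[1:-1].partition("=")
    if not sep or not _ATTR_RE.match(attr):
        return None
    value, i = [], 0
    while i < len(raw):
        ch = raw[i]
        if ch == "\\":
            hexpair = raw[i + 1:i + 3]
            if not _HEXPAIR_RE.match(hexpair):
                return None  # escape must be exactly two hex digits
            value.append(chr(int(hexpair, 16)))
            i += 3
        elif ch in "()*\x00":
            return None  # unescaped metacharacter: the filter is malformed
        else:
            value.append(ch)
            i += 1
    return attr, "".join(value)


# Constructed sample: a group whose cn legitimately contains parentheses.
GROUP_DN = "cn=sales (emea),cn=groups,cn=accounts,dc=example,dc=com"

if __name__ == "__main__":
    for label, f in (("unescaped", memberof_filter_unescaped(GROUP_DN)),
                     ("escaped", memberof_filter(GROUP_DN))):
        print("%-9s %s\n          -> %r" % (label, f, parse_simple_filter(f)))
```

With the sample DN the unescaped filter fails to parse (the parentheses in the cn become filter syntax), while the escaped one round-trips back to the original DN.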
From: davido at redhat.com (David O'Brien)
Date: Thu, 31 Mar 2011 09:18:59 +1000
Subject: [Freeipa-devel] [PATCH] 5 Add note about ipa-dns-install to ipa-server-install man page
In-Reply-To: <4D93032E.8000703@redhat.com>
References: <4D91E6DF.4000409@redhat.com> <4D9264D3.7080400@redhat.com> <4D93032E.8000703@redhat.com>
Message-ID: <4D93BA63.1030402@redhat.com>

Jan Cholasta wrote:
> On 30.3.2011 01:01, David O'Brien wrote:
>> Jan Cholasta wrote:
>>> Added the note so that users know that they can setup DNS at any time after ipa-server-install.
>>>
>>> https://fedorahosted.org/freeipa/ticket/1082
>>
>> NACK
>>
>> Minor English and style fix:
>>
>> s/
>> "Note that you can setup DNS at any later time by running ipa-dns-install"
>> /
>> "Note that you can set up a DNS at any time after the initial IPA server install by running ipa-dns-install."
>
> Thanks, fixed.
>
>> cheers
>

ACK

--
David O'Brien
Senior Content Author
Engineering Content Services (ECS)
Red Hat Asia Pacific Pty Ltd
+61 7 3514 8189

"He who asks is a fool for five minutes, but he who does not ask remains a fool forever."
~ Chinese proverb

From ayoung at redhat.com Thu Mar 31 01:11:08 2011
From: ayoung at redhat.com (Adam Young)
Date: Wed, 30 Mar 2011 21:11:08 -0400
Subject: [Freeipa-devel] [PATCH] admiyo-0218-default-all-false.
Message-ID: <4D93D4AC.6070108@redhat.com>

Requires patch 217

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0218-default-all-false.patch
Type: text/x-patch
Size: 3374 bytes

From mkosek at redhat.com Thu Mar 31 09:27:25 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 31 Mar 2011 11:27:25 +0200
Subject: [Freeipa-devel] [PATCH] 045 Add DNS record modification command
In-Reply-To: <4D93981C.6010403@redhat.com>
References: <1301498000.28351.11.camel@dhcp-25-52.brq.redhat.com> <4D93981C.6010403@redhat.com>
Message-ID: <1301563645.25947.15.camel@dhcp-25-52.brq.redhat.com>

On Wed, 2011-03-30 at 16:52 -0400, Adam Young wrote:
> On 03/30/2011 11:13 AM, Martin Kosek wrote:
> > Since this is a new-feature type patch it should be pushed only to master.
> > -------
> > The DNS record plugin does not support modification of a record. One can only add A type addresses to a DNS record or remove the current ones. To actually change a DNS record value it has to be removed and then added with a desired value.
> >
> > This patch adds a new DNS plugin command "dnsrecord-mod" which enables the user to:
> > - modify a DNS record value (note that a DNS record can hold multiple values and those will be overwritten)
> > - remove a DNS record when an empty value is passed
> >
> > New tests for this new command have been added to the CLI test suite.
> >
> > https://fedorahosted.org/freeipa/ticket/1137
>
> NACK,
>
> The problem is that if there are 10 A records, and I only want to modify one, I have no way to specify which one.
>
> The API should be something like:
>
> ipa dnsrecord-mod ayoung.boston.devel.redhat.com testa 10.10.2.3 --a-rec=,10.11.12.13
>
> Alternatively, we can decide that we are not going to do mod, and have the WebUI do a delete and an add:

Hm, that may be a valid use-case. We should discuss how we want the DNS record modification to behave.

The proposed API is not what we want, since we can modify multiple attributes at once, e.g.:

ipa dnsrecord-mod DNSZONE DNSRECORD --a-rec=10.0.0.1 --aaaa-rec=::1

I can introduce a new option --old--rec for each DNS record type available, e.g. --old-a-rec, --old-aaaa-rec, --old-srv-rec etc. You would be able to do:

ipa dnsrecord-mod DNSZONE DNSRECORD --old-a-rec=10.10.2.3 --a-rec=10.11.12.13

This would of course increase the size of this patch.

I tried to find how we treat other multi-value LDAP attributes. In most cases the behavior is the same as in my first patch (user mail, mobile...) or the modification is not supported at all (list of privilege permissions).

From mkosek at redhat.com Thu Mar 31 10:19:21 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 31 Mar 2011 12:19:21 +0200
Subject: [Freeipa-devel] [PATCH] admiyo-0217-define-entities-using-builder-and-more-declarative
In-Reply-To: <4D935D0D.6050503@redhat.com>
References: <4D90F604.2070609@redhat.com> <4D90FAE2.2090901@redhat.com> <4D935D0D.6050503@redhat.com>
Message-ID: <1301566761.25947.18.camel@dhcp-25-52.brq.redhat.com>

On Wed, 2011-03-30 at 12:40 -0400, Adam Young wrote:
> On 03/28/2011 05:17 PM, Adam Young wrote:
> > On 03/28/2011 04:56 PM, Adam Young wrote:
> > > To give a little more context: we are looking to split out the logic used to define the views of the entities from the reusable portion of the toolkit. This patch introduces a builder object which contains the temporary state of the entity build process.
> > >
> > > In the course of writing it, I realized a few things:
> > >
> > > 1. HBAC and SUDO have two small entities and a single large one. Thus, it makes sense to group them both into a single file per entity. Both hbac.js and sudo.js should shrink more in the future as the custom code gets better refactored and split into reusable components and configuration data.
> > >
> > > 2. policy.js was a catch all file. Automount will grow significantly this release, and so should have its own file. DNS is complicated enough that it deserves its own top level js file. policy is now reduced to two small entities, both that are very clearly policy.
> >
> > Self NACK: jsl and unit test errors need to be fixed first. Still worth reviewing as is, as fixing that will not change the behavior or structure of the end patch.
>
> Updated with fix for unit tests. Note that this requires the NACKed version of freeipa-admiyo-0216-update-metadata-with-label-changes.patch. The fixes in the unit tests here resolve the test breakage due to the metadata updates.

Unfortunately the patch failed to apply to the master, there are some conflicts in policy.js. Can you please send a rebased patch?

Martin

From mkosek at redhat.com Thu Mar 31 11:11:22 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 31 Mar 2011 13:11:22 +0200
Subject: [Freeipa-devel] [PATCH] 759 cache get_ipa_config() output in request context
In-Reply-To: <4D933CF8.1000003@redhat.com>
References: <4D933CF8.1000003@redhat.com>
Message-ID: <1301569882.25947.20.camel@dhcp-25-52.brq.redhat.com>

On Wed, 2011-03-30 at 10:23 -0400, Rob Crittenden wrote:
> Some requests generate multiple calls to get_ipa_config(). This patch caches the return value for this in the request context.
>
> ticket 1023
>
> rob

ACK. Tested with user mail & config attribute ipadefaultemaildomain.

Martin

From mkosek at redhat.com Thu Mar 31 11:22:21 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 31 Mar 2011 13:22:21 +0200
Subject: [Freeipa-devel] [PATCH] 760 don't crash when calculating indirect
In-Reply-To: <4D93423D.4040607@redhat.com>
References: <4D934146.6020706@redhat.com> <4D93423D.4040607@redhat.com>
Message-ID: <1301570541.25947.25.camel@dhcp-25-52.brq.redhat.com>

On Wed, 2011-03-30 at 10:46 -0400, Rob Crittenden wrote:
> Rob Crittenden wrote:
> > This prevents an internal error when calculating direct vs indirect membership.
> >
> > ticket 1133
>
> I accidentally included a change from another patch. Updated patch attached.
>
> rob

I think it is OK. But I would suggest adding some comment to the code - a reason why we pass the ValueError exception. It may not be self-explanatory when we return to this code in the future.

Martin

From mkosek at redhat.com Thu Mar 31 12:49:42 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 31 Mar 2011 14:49:42 +0200
Subject: [Freeipa-devel] [PATCH] 761 Sort entries on *-find commands
In-Reply-To: <4D939D2A.40903@redhat.com>
References: <4D939D2A.40903@redhat.com>
Message-ID: <1301575782.31691.5.camel@dhcp-25-52.brq.redhat.com>

On Wed, 2011-03-30 at 17:14 -0400, Rob Crittenden wrote:
> Sort output on find commands based on the baseldap LDAPSearch class.
>
> A couple tests had to be modified to match the new order.
>
> ticket 794
>
> rob

The patch works fine except the case when entries are being added in post_callback. Check this search:

ipa permission-find --permissions=write

The result is not sorted. I suggest moving the sort process after the self.POST_CALLBACKS calls.

What about performance issues? May somebody want to disable the sorting? (e.g. --nosort option).

Martin

From ayoung at redhat.com Thu Mar 31 13:43:43 2011
From: ayoung at redhat.com (Adam Young)
Date: Thu, 31 Mar 2011 09:43:43 -0400
Subject: [Freeipa-devel] [PATCH] admiyo-0217-define-entities-using-builder-and-more-declarative
In-Reply-To: <1301566761.25947.18.camel@dhcp-25-52.brq.redhat.com>
References: <4D90F604.2070609@redhat.com> <4D90FAE2.2090901@redhat.com> <4D935D0D.6050503@redhat.com> <1301566761.25947.18.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4D94850F.7040508@redhat.com>

On 03/31/2011 06:19 AM, Martin Kosek wrote:
> On Wed, 2011-03-30 at 12:40 -0400, Adam Young wrote:
>> On 03/28/2011 05:17 PM, Adam Young wrote:
>>> On 03/28/2011 04:56 PM, Adam Young wrote:
>>>> To give a little more context: we are looking to split out the logic used to define the views of the entities from the reusable portion of the toolkit. This patch introduces a builder object which contains the temporary state of the entity build process.
>>>>
>>>> In the course of writing it, I realized a few things:
>>>>
>>>> 1. HBAC and SUDO have two small entities and a single large one. Thus, it makes sense to group them both into a single file per entity. Both hbac.js and sudo.js should shrink more in the future as the custom code gets better refactored and split into reusable components and configuration data.
>>>>
>>>> 2. policy.js was a catch all file. Automount will grow significantly this release, and so should have its own file. DNS is complicated enough that it deserves its own top level js file. policy is now reduced to two small entities, both that are very clearly policy.
>>>
>>> Self NACK: jsl and unit test errors need to be fixed first. Still worth reviewing as is, as fixing that will not change the behavior or structure of the end patch.
>>
>> Updated with fix for unit tests. Note that this requires the NACKed version of freeipa-admiyo-0216-update-metadata-with-label-changes.patch. The fixes in the unit tests here resolve the test breakage due to the metadata updates.
>
> Unfortunately the patch failed to apply to the master, there are some conflicts in policy.js. Can you please send a rebased patch?
>
> Martin

rebased both patches

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0217-2-define-entities-using-builder-and-more-declarative-s.patch
Type: text/x-patch
Size: 148526 bytes

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0216-1-update-metadata-with-label-changes.patch
Type: text/x-patch
Size: 54307 bytes

From edewata at redhat.com Thu Mar 31 16:51:59 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 31 Mar 2011 11:51:59 -0500
Subject: [Freeipa-devel] [PATCH] admiyo-0217-define-entities-using-builder-and-more-declarative
In-Reply-To: <4D94850F.7040508@redhat.com>
References: <4D90F604.2070609@redhat.com> <4D90FAE2.2090901@redhat.com> <4D935D0D.6050503@redhat.com> <1301566761.25947.18.camel@dhcp-25-52.brq.redhat.com> <4D94850F.7040508@redhat.com>
Message-ID: <4D94B12F.60005@redhat.com>

On 3/31/2011 8:43 AM, Adam Young wrote:
> rebased both patches

I don't see any code change in the rebased patches, only new commit IDs, I hope this is correct.

Some comments (some of which had been discussed over IRC):

1. I ran my Selenium test cases against 215, 216, and 217 together, so far there's no failure.

2. There's an IPA.metadata assignment and the like in unit tests, this is redundant.

3. In IPA.entity_builder.section(), the current_section should be added to the current_facet before adding the fields to do incremental construction.

4. In IPA.entity_builder the entity_name can be replaced with entity.name to reduce the number of variables.

5. In IPA.entity_builder the standard_associations() can be replaced with standard_association_facets() for consistency.

6. In the permission entity definition, the 'add_fields' is used inconsistently to add a section (i.e. IPA.target_section). The solution is either adding 'add_sections' or converting IPA.target_sections into widgets. I think adding 'add_sections' is simpler because widgets are designed to represent a single attribute.

7. The IPA.entity_builder.details_facet() takes an array of sections instead of a spec object. This limits the expandability of the builder interface. It should take a spec object with a 'sections' attribute containing the array of sections, this would be consistent with the other interfaces.

8. In IPA.entity_builder.search_facet(), there's no need to call current_facet.init() because all facets will be initialized by the entity when IPA.start_entities() is invoked.

9. The IPA.entity_builder could be a singleton because it doesn't take any parameters and there's no multi-threading issue.

10. In IPA.details_refresh() it calls IPA.refresh_devel_hook() to execute code specifically used by testing. I think ideally the develop.js should modify the entity_builder instance to generate a details facet with test-specific code. This requires item #9. But for now at least we should rename IPA.refresh_devel_hook() into IPA.details_refresh_devel_hook() for clarity.

-- 
Endi S. Dewata

From rcritten at redhat.com Thu Mar 31 16:57:24 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 31 Mar 2011 12:57:24 -0400
Subject: [Freeipa-devel] [PATCH] 21 Escape LDAP characters in member and memberof searches
In-Reply-To: <6ADACF97-A538-4206-8DBD-5E1FD2C07895@citrixonline.com>
References: <4B31A82A-E139-4A02-A1AC-C8E8D97789AF@citrixonline.com> <2D9B2A5E-9ED7-46FE-AD41-DD2164FE633C@citrixonline.com> <4D938C30.3000103@redhat.com> <4D93A8A6.1010105@redhat.com> <6ADACF97-A538-4206-8DBD-5E1FD2C07895@citrixonline.com>
Message-ID: <4D94B274.3050600@redhat.com>

JR Aquino wrote:
> On Mar 30, 2011, at 3:03 PM, Rob Crittenden wrote:
>
>> JR Aquino wrote:
>>> On Mar 30, 2011, at 1:01 PM, Stephen Gallagher wrote:
>>>
>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>> Hash: SHA1
>>>>
>>>> On 03/30/2011 03:53 PM, JR Aquino wrote:
>>>>>
>>>>> On Mar 30, 2011, at 12:05 PM, JR Aquino wrote:
>>>>>
>>>>>> The FreeIPA framework performs unescaped searches to enumerate group membership.
>>>>>>
>>>>>> The following patch corrects this behavior.
>>>>>>
>>>>>> -JR
>>>>>>
>>>>>> _______________________________________________
>>>>>> Freeipa-devel mailing list
>>>>>> Freeipa-devel at redhat.com
>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>>>>>
>>>>> Self NACK
>>>>>
>>>>> Attached is the corrected patch.
>>>>>
>>>>> search_group_dn = _ldap_filter.escape_filter_chars(search_group_dn)
>>>>>
>>>>> Is now correctly changed to:
>>>>>
>>>>> search_group_dn = _ldap_filter.escape_filter_chars(group_dn)
>>>>>
>>>>
>>>> Nack. This is a step in the right direction, but you're not actually
>>>> using this value anywhere.
>>>>
>>>> I think you wanted to have the next line changed to:
>>>>
>>>> searchfilter = "(memberof=%s)" % search_group_dn
>>>>
>>>> - --
>>>> Stephen Gallagher
>>>> RHCE 804006346421761
>>>
>>> Oh! You are right.
>>>
>>> Attached is the corrected patch.
>>
>> I don't think you need a new variable for search_group_dn. The value is passed in from a tuple so any changes will be silently lost anyway.
>>
>> Or you can leave it, I think it's probably safer this way (since we can't predict how it will be called in the future), but you should then do the same in get_memberof().
>>
>> rob
>
> I agree with you. For the sake of equality, I have adjusted the patch to address entry_dn with search_entry_dn.

ack, pushed to master and ipa-2-0

rob

From edewata at redhat.com Thu Mar 31 17:06:57 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 31 Mar 2011 12:06:57 -0500
Subject: [Freeipa-devel] [PATCH] Initial Selenium test cases.
Message-ID: <4D94B4B1.50808@redhat.com>

http://www.freeipa.org/page/Selenium

-- 
Endi S. Dewata

From rcritten at redhat.com Thu Mar 31 17:08:59 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 31 Mar 2011 13:08:59 -0400
Subject: [Freeipa-devel] [PATCH] 759 cache get_ipa_config() output in request context
In-Reply-To: <1301569882.25947.20.camel@dhcp-25-52.brq.redhat.com>
References: <4D933CF8.1000003@redhat.com> <1301569882.25947.20.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4D94B52B.2080707@redhat.com>

Martin Kosek wrote:
> On Wed, 2011-03-30 at 10:23 -0400, Rob Crittenden wrote:
>> Some requests generate multiple calls to get_ipa_config(). This patch
>> caches the return value for this in the request context.
>>
>> ticket 1023
>>
>> rob
>
> ACK.
>
> Tested with user mail & config attribute ipadefaultemaildomain.
>
> Martin

pushed to master and ipa-2-0

rob

From ayoung at redhat.com Thu Mar 31 18:09:12 2011
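The fix discussed in the [PATCH] 21 thread above replaces an interpolated DN with its escape_filter_chars() result before it goes into a "(memberof=%s)" filter. The block below is an added illustration, not the patch's code: it re-implements RFC 4515 assertion-value escaping (the same five characters that python-ldap's ldap.filter.escape_filter_chars escapes in its default mode) so it runs without python-ldap, then parses the resulting filter to show that a DN-shaped value containing filter metacharacters adds an extra assertion when unescaped and stays one literal value when escaped. The filter shape, the DNs and the hostile value are constructed for the example.

```python
"""Added example: why a memberof search filter needs RFC 4515 escaping.

Not code from the FreeIPA patch; a stand-alone re-implementation for illustration.
"""

# RFC 4515 requires these characters inside an assertion value to be written
# as a backslash followed by two hex digits. python-ldap's
# escape_filter_chars() escapes the same set by default; it is re-implemented
# here (assumption: same character set) so the example has no dependencies.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_chars(value):
    """Escape value so it is read as one literal assertion value in a filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def unescape_filter_value(value):
    """Inverse of escape_filter_chars(): turn \\XX sequences back into characters."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 3 <= len(value):
            out.append(chr(int(value[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def memberof_filter(group_dn, escape=True):
    """Build a membership filter from a DN read out of the directory.

    Constructed filter shape; the DN is data, so it must be escaped before
    string interpolation. escape=False reproduces the pre-patch behaviour.
    """
    value = escape_filter_chars(group_dn) if escape else group_dn
    return "(&(objectClass=groupOfNames)(memberof=%s))" % value


def assertions(filt):
    """Return the (attribute, value) leaf assertions of a filter string.

    Minimal scanner: an assertion starts at a '(' not followed by one of the
    filter operators (&, |, !) and ends at the next literal ')'. Escaped
    parentheses are spelled \\28 and \\29 and so never terminate an assertion.
    """
    items, i = [], 0
    while i < len(filt):
        if filt[i] == "(" and i + 1 < len(filt) and filt[i + 1] not in "&|!":
            end = filt.index(")", i)
            attr, _, value = filt[i + 1:end].partition("=")
            items.append((attr, value))
            i = end + 1
        else:
            i += 1
    return items


if __name__ == "__main__":
    legit = "cn=admins,cn=groups,cn=accounts,dc=example,dc=com"
    hostile = "*)(cn=*"  # constructed: closes the memberof assertion and opens another
    for dn in (legit, hostile):
        for escape in (False, True):
            f = memberof_filter(dn, escape=escape)
            print("escape=%-5s %-60s %d assertion(s)" % (escape, f, len(assertions(f))))
```

With escape=False the hostile value turns the two-clause filter into three clauses, one of which is (cn=*), so the search no longer tests membership of a specific group; with escaping it remains a single memberof comparison against a value that can never match a real DN.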
From: ayoung at redhat.com (Adam Young) Date: Thu, 31 Mar 2011 14:09:12 -0400 Subject: [Freeipa-devel] [PATCH] admiyo-0217-define-entities-using-builder-and-more-declarative In-Reply-To: <4D94B12F.60005@redhat.com> References: <4D90F604.2070609@redhat.com> <4D90FAE2.2090901@redhat.com> <4D935D0D.6050503@redhat.com> <1301566761.25947.18.camel@dhcp-25-52.brq.redhat.com> <4D94850F.7040508@redhat.com> <4D94B12F.60005@redhat.com> Message-ID: <4D94C348.9010700@redhat.com> On 03/31/2011 12:51 PM, Endi Sukma Dewata wrote: > On 3/31/2011 8:43 AM, Adam Young wrote: >> rebased both patches > > I don't see any code change in the rebased patches, only new commit > ID's, I hope this is correct. > > Some comments (some of which had been discussed over IRC): > > 1. I ran my Selenium test cases against 215, 216, and 217 together, > so far there's no failure. Good to know. > > 2. There's a IPA.metadata assignment and the like in unit tests, this > is redundant. yeah, I suspect it was from before I explicitly set async. removed. > > 3. In IPA.entity_builder.section(), the current_section should be added > to the current_facet before adding the fields to do incremental > construction. Done. > > 4. In IPA.entity_builder the entity_name can be replaced with > entity.name to reduce the number of variables. Done > > 5. In IPA.entity_builder the standard_associations() can be replaced > standard_association_facets() for consistency. Done > > 6. In the permission entity definition, the 'add_fields' is used > inconsistently to add a section (i.e. IPA.target_section). The > solution is either adding 'add_sections' or converting > IPA.target_sections into widgets. I think adding 'add_sections' is > simpler because widgets is designed to represent a single attribute. Gonna punt on this for this patch. Not certain on the correct approach, either to make adders have sections, or to convert the one custom section we have to a widget. 
Either way, beyond the scope of this patch, and it will only affect one entity and the builder when we decide. > > 7. The IPA.entity_builder.details_facet() takes an array of sections > instead of a spec object. This limits the expandability of the > builder interface. It should take a spec object with a 'sections' > attribute containing the array of sections, this would be consistent > with the other interfaces. I thought about it, but there is nothing that we want to customize in the details_facet. We can always do a custom facet to customize. An alternative is to check the type of that is passed in to the details_section method on the builder, check if it is an object or an array, and treat it like a spec or array depending. > > 8. In IPA.entity_builder.search_facet(), there's no need to call > current_facet.init() because all facets will be initialized by > the entity when IPA.start_entities() is invoked. Done. > > 9. The IPA.entity_builder could be a singleton because it doesn't take > any parameters and there's no multi-threading issue. Going to leave it like this for now. That change would be limited to a single file (entity.js) and can be done if we decide we want to with a very small patch. > > 10. In IPA.details_refresh() it calls IPA.refresh_devel_hook() > to execute a code specifically used by testing. I think ideally > the develop.js should modify the entity_builder instance to generate > details facet with test-specific code. This requires item #9. But > for now at least we should rename IPA.refresh_devel_hook() into > IPA.details_refresh_devel_hook() for clarity. Good idea. Done I had already submitted patch freeipa-admiyo-0218-default-all-false. Some of the fixes here would conflict with that patch if rebased. What I've attached is on top of 217-2 and 218-1. -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-admiyo-0219-code-review-fixes.patch Type: text/x-patch Size: 13675 bytes Desc: not available URL: From edewata at redhat.com Thu Mar 31 18:09:09 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Thu, 31 Mar 2011 13:09:09 -0500 Subject: [Freeipa-devel] [PATCH] Initial Selenium test cases. In-Reply-To: <4D94B4B1.50808@redhat.com> References: <4D94B4B1.50808@redhat.com> Message-ID: <4D94C345.3090304@redhat.com> On 3/31/2011 12:06 PM, Endi Sukma Dewata wrote: > http://www.freeipa.org/page/Selenium Patch included. -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0129-Initial-Selenium-test-cases.patch Type: text/x-patch Size: 209439 bytes Desc: not available URL: From ayoung at redhat.com Thu Mar 31 19:12:37 2011 
From: ayoung at redhat.com (Adam Young) Date: Thu, 31 Mar 2011 15:12:37 -0400 Subject: [Freeipa-devel] [PATCH] admiyo-0217-define-entities-using-builder-and-more-declarative In-Reply-To: <4D94C348.9010700@redhat.com> References: <4D90F604.2070609@redhat.com> <4D90FAE2.2090901@redhat.com> <4D935D0D.6050503@redhat.com> <1301566761.25947.18.camel@dhcp-25-52.brq.redhat.com> <4D94850F.7040508@redhat.com> <4D94B12F.60005@redhat.com> <4D94C348.9010700@redhat.com> Message-ID: <4D94D225.50606@redhat.com> On 03/31/2011 02:09 PM, Adam Young wrote: > On 03/31/2011 12:51 PM, Endi Sukma Dewata wrote: >> On 3/31/2011 8:43 AM, Adam Young wrote: >>> rebased both patches >> >> I don't see any code change in the rebased patches, only new commit >> ID's, I hope this is correct. >> >> Some comments (some of which had been discussed over IRC): >> >> 1. I ran my Selenium test cases against 215, 216, and 217 together, >> so far there's no failure. > Good to know. > >> >> 2. There's a IPA.metadata assignment and the like in unit tests, this >> is redundant. > > yeah, I suspect it was from before I explicitly set async. removed. > >> >> 3. In IPA.entity_builder.section(), the current_section should be added >> to the current_facet before adding the fields to do incremental >> construction. > Done. > >> >> 4. In IPA.entity_builder the entity_name can be replaced with >> entity.name to reduce the number of variables. > > Done >> >> 5. In IPA.entity_builder the standard_associations() can be replaced >> standard_association_facets() for consistency. > Done >> >> 6. In the permission entity definition, the 'add_fields' is used >> inconsistently to add a section (i.e. IPA.target_section). The >> solution is either adding 'add_sections' or converting >> IPA.target_sections into widgets. I think adding 'add_sections' is >> simpler because widgets is designed to represent a single attribute. > > Gonna punt on this for this patch. 
Not certain on the correct > approach, either to make adders have sections, or to convert the one > custom section we have to a widget. Either way, beyond the scope of > this patch, and it will only affect one entity and the builder when we > decide. > >> >> 7. The IPA.entity_builder.details_facet() takes an array of sections >> instead of a spec object. This limits the expandability of the >> builder interface. It should take a spec object with a 'sections' >> attribute containing the array of sections, this would be consistent >> with the other interfaces. > > I thought about it, but there is nothing that we want to customize in > the details_facet. We can always do a custom facet to customize. An > alternative is to check the type of that is passed in to the > details_section method on the builder, check if it is an object or an > array, and treat it like a spec or array depending. > >> >> 8. In IPA.entity_builder.search_facet(), there's no need to call >> current_facet.init() because all facets will be initialized by >> the entity when IPA.start_entities() is invoked. > > Done. > >> >> 9. The IPA.entity_builder could be a singleton because it doesn't take >> any parameters and there's no multi-threading issue. > Going to leave it like this for now. That change would be limited to > a single file (entity.js) and can be done if we decide we want to with > a very small patch. > > >> >> 10. In IPA.details_refresh() it calls IPA.refresh_devel_hook() >> to execute a code specifically used by testing. I think ideally >> the develop.js should modify the entity_builder instance to generate >> details facet with test-specific code. This requires item #9. But >> for now at least we should rename IPA.refresh_devel_hook() into >> IPA.details_refresh_devel_hook() for clarity. > > Good idea. Done > > > I had already submitted patch freeipa-admiyo-0218-default-all-false. > Some of the fixes here would conflict with that patch if rebased. 
> What I've attached is on top of 217-2 and 218-1. > > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel Including Automount -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0219-1-code-review-fixes.patch Type: text/x-patch Size: 13675 bytes Desc: not available URL: From ayoung at redhat.com Thu Mar 31 19:27:14 2011 
From: ayoung at redhat.com (Adam Young) Date: Thu, 31 Mar 2011 15:27:14 -0400 Subject: [Freeipa-devel] [PATCH] admiyo-0217-define-entities-using-builder-and-more-declarative In-Reply-To: <4D94D225.50606@redhat.com> References: <4D90F604.2070609@redhat.com> <4D90FAE2.2090901@redhat.com> <4D935D0D.6050503@redhat.com> <1301566761.25947.18.camel@dhcp-25-52.brq.redhat.com> <4D94850F.7040508@redhat.com> <4D94B12F.60005@redhat.com> <4D94C348.9010700@redhat.com> <4D94D225.50606@redhat.com> Message-ID: <4D94D592.5020608@redhat.com> On 03/31/2011 03:12 PM, Adam Young wrote: > On 03/31/2011 02:09 PM, Adam Young wrote: >> On 03/31/2011 12:51 PM, Endi Sukma Dewata wrote: >>> On 3/31/2011 8:43 AM, Adam Young wrote: >>>> rebased both patches >>> >>> I don't see any code change in the rebased patches, only new commit >>> ID's, I hope this is correct. >>> >>> Some comments (some of which had been discussed over IRC): >>> >>> 1. I ran my Selenium test cases against 215, 216, and 217 together, >>> so far there's no failure. >> Good to know. >> >>> >>> 2. There's a IPA.metadata assignment and the like in unit tests, this >>> is redundant. >> >> yeah, I suspect it was from before I explicitly set async. removed. >> >>> >>> 3. In IPA.entity_builder.section(), the current_section should be added >>> to the current_facet before adding the fields to do incremental >>> construction. >> Done. >> >>> >>> 4. In IPA.entity_builder the entity_name can be replaced with >>> entity.name to reduce the number of variables. >> >> Done >>> >>> 5. In IPA.entity_builder the standard_associations() can be replaced >>> standard_association_facets() for consistency. >> Done >>> >>> 6. In the permission entity definition, the 'add_fields' is used >>> inconsistently to add a section (i.e. IPA.target_section). The >>> solution is either adding 'add_sections' or converting >>> IPA.target_sections into widgets. 
I think adding 'add_sections' is >>> simpler because widgets is designed to represent a single attribute. >> >> Gonna punt on this for this patch. Not certain on the correct >> approach, either to make adders have sections, or to convert the one >> custom section we have to a widget. Either way, beyond the scope of >> this patch, and it will only affect one entity and the builder when >> we decide. >> >>> >>> 7. The IPA.entity_builder.details_facet() takes an array of sections >>> instead of a spec object. This limits the expandability of the >>> builder interface. It should take a spec object with a 'sections' >>> attribute containing the array of sections, this would be consistent >>> with the other interfaces. >> >> I thought about it, but there is nothing that we want to customize in >> the details_facet. We can always do a custom facet to customize. An >> alternative is to check the type of that is passed in to the >> details_section method on the builder, check if it is an object or an >> array, and treat it like a spec or array depending. >> >>> >>> 8. In IPA.entity_builder.search_facet(), there's no need to call >>> current_facet.init() because all facets will be initialized by >>> the entity when IPA.start_entities() is invoked. >> >> Done. >> >>> >>> 9. The IPA.entity_builder could be a singleton because it doesn't take >>> any parameters and there's no multi-threading issue. >> Going to leave it like this for now. That change would be limited to >> a single file (entity.js) and can be done if we decide we want to >> with a very small patch. >> >> >>> >>> 10. In IPA.details_refresh() it calls IPA.refresh_devel_hook() >>> to execute a code specifically used by testing. I think ideally >>> the develop.js should modify the entity_builder instance to >>> generate >>> details facet with test-specific code. This requires item #9. But >>> for now at least we should rename IPA.refresh_devel_hook() into >>> IPA.details_refresh_devel_hook() for clarity. 
>> >> Good idea. Done >> >> >> I had already submitted patch >> freeipa-admiyo-0218-default-all-false. Some of the fixes here would >> conflict with that patch if rebased. What I've attached is on top of >> 217-2 and 218-1. >> >> >> >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel > Including Automount > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel Hadn't merged in the changes. Updated patch attached. -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0219-2-code-review-fixes.patch Type: text/x-patch Size: 14218 bytes Desc: not available URL: From ayoung at redhat.com Thu Mar 31 20:29:03 2011 
From: ayoung at redhat.com (Adam Young) Date: Thu, 31 Mar 2011 16:29:03 -0400 Subject: [Freeipa-devel] [PATCH] admiyo-0217-define-entities-using-builder-and-more-declarative In-Reply-To: <4D94D592.5020608@redhat.com> References: <4D90F604.2070609@redhat.com> <4D90FAE2.2090901@redhat.com> <4D935D0D.6050503@redhat.com> <1301566761.25947.18.camel@dhcp-25-52.brq.redhat.com> <4D94850F.7040508@redhat.com> <4D94B12F.60005@redhat.com> <4D94C348.9010700@redhat.com> <4D94D225.50606@redhat.com> <4D94D592.5020608@redhat.com> Message-ID: <4D94E40F.8030306@redhat.com> On 03/31/2011 03:27 PM, Adam Young wrote: > On 03/31/2011 03:12 PM, Adam Young wrote: >> On 03/31/2011 02:09 PM, Adam Young wrote: >>> On 03/31/2011 12:51 PM, Endi Sukma Dewata wrote: >>>> On 3/31/2011 8:43 AM, Adam Young wrote: >>>>> rebased both patches >>>> >>>> I don't see any code change in the rebased patches, only new commit >>>> ID's, I hope this is correct. >>>> >>>> Some comments (some of which had been discussed over IRC): >>>> >>>> 1. I ran my Selenium test cases against 215, 216, and 217 together, >>>> so far there's no failure. >>> Good to know. >>> >>>> >>>> 2. There's a IPA.metadata assignment and the like in unit tests, this >>>> is redundant. >>> >>> yeah, I suspect it was from before I explicitly set async. removed. >>> >>>> >>>> 3. In IPA.entity_builder.section(), the current_section should be >>>> added >>>> to the current_facet before adding the fields to do incremental >>>> construction. >>> Done. >>> >>>> >>>> 4. In IPA.entity_builder the entity_name can be replaced with >>>> entity.name to reduce the number of variables. >>> >>> Done >>>> >>>> 5. In IPA.entity_builder the standard_associations() can be replaced >>>> standard_association_facets() for consistency. >>> Done >>>> >>>> 6. In the permission entity definition, the 'add_fields' is used >>>> inconsistently to add a section (i.e. IPA.target_section). 
The >>>> solution is either adding 'add_sections' or converting >>>> IPA.target_sections into widgets. I think adding 'add_sections' is >>>> simpler because widgets is designed to represent a single >>>> attribute. >>> >>> Gonna punt on this for this patch. Not certain on the correct >>> approach, either to make adders have sections, or to convert the one >>> custom section we have to a widget. Either way, beyond the scope of >>> this patch, and it will only affect one entity and the builder when >>> we decide. >>> >>>> >>>> 7. The IPA.entity_builder.details_facet() takes an array of sections >>>> instead of a spec object. This limits the expandability of the >>>> builder interface. It should take a spec object with a 'sections' >>>> attribute containing the array of sections, this would be >>>> consistent >>>> with the other interfaces. >>> >>> I thought about it, but there is nothing that we want to customize >>> in the details_facet. We can always do a custom facet to >>> customize. An alternative is to check the type of that is passed in >>> to the details_section method on the builder, check if it is an >>> object or an array, and treat it like a spec or array depending. >>> >>>> >>>> 8. In IPA.entity_builder.search_facet(), there's no need to call >>>> current_facet.init() because all facets will be initialized by >>>> the entity when IPA.start_entities() is invoked. >>> >>> Done. >>> >>>> >>>> 9. The IPA.entity_builder could be a singleton because it doesn't take >>>> any parameters and there's no multi-threading issue. >>> Going to leave it like this for now. That change would be limited >>> to a single file (entity.js) and can be done if we decide we want to >>> with a very small patch. >>> >>> >>>> >>>> 10. In IPA.details_refresh() it calls IPA.refresh_devel_hook() >>>> to execute a code specifically used by testing. I think ideally >>>> the develop.js should modify the entity_builder instance to >>>> generate >>>> details facet with test-specific code. 
This requires item #9. But >>>> for now at least we should rename IPA.refresh_devel_hook() into >>>> IPA.details_refresh_devel_hook() for clarity. >>> >>> Good idea. Done >>> >>> >>> I had already submitted patch >>> freeipa-admiyo-0218-default-all-false. Some of the fixes here would >>> conflict with that patch if rebased. What I've attached is on top >>> of 217-2 and 218-1. >>> >>> >>> >>> _______________________________________________ >>> Freeipa-devel mailing list >>> Freeipa-devel at redhat.com >>> https://www.redhat.com/mailman/listinfo/freeipa-devel >> Including Automount >> >> >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel > Hadn't merged in the changes. Updated patch attached. > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel This version uses a spec for the details facet, IAW code review feedback -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0219-3-code-review-fixes.patch Type: text/x-patch Size: 30095 bytes Desc: not available URL: From JR.Aquino at citrix.com Thu Mar 31 20:36:25 2011 
From: JR.Aquino at citrix.com (JR Aquino)
Date: Thu, 31 Mar 2011 20:36:25 +0000
Subject: [Freeipa-devel] [PATCH] 23 Optimize and dynamically verify group membership
Message-ID:

The following patch removes around 20 lines of code and provides a substantial increase in performance for FreeIPA member/memberof verification searches.

The current code base blindly searches static containers for the possible presence of members.

This patch provides a method for dynamically identifying the specific objects to verify memberships for.

The attached patch addresses ticket:
https://fedorahosted.org/freeipa/ticket/1139

ipa hostgroup-find

...

-----------------------------
Number of entries returned 52
-----------------------------

real 0m20.054s
user 0m0.934s
sys 0m0.050s

ipa find-hostgroup

...

-----------------------------
Number of entries returned 52
-----------------------------

real 0m15.064s
user 0m0.945s
sys 0m0.057s

------------------------------
Number of entries returned 100
------------------------------

real 0m16.471s
user 0m0.814s
sys 0m0.040s

ipa host-find

...

------------------------------
Number of entries returned 100
------------------------------

real 0m41.277s
user 0m0.806s
sys 0m0.060s

ipa host-find

...

------------------------------
Number of entries returned 100
------------------------------

real 0m16.385s
user 0m0.814s
sys 0m0.053s

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jraquino-0023-Optimize-and-dynamically-verify-group-membership.patch
Type: application/octet-stream
Size: 5025 bytes
Desc: freeipa-jraquino-0023-Optimize-and-dynamically-verify-group-membership.patch
URL:
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: ATT00001.txt
URL:

From rcritten at redhat.com Thu Mar 31 20:39:35 2011
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 31 Mar 2011 16:39:35 -0400 Subject: [Freeipa-devel] [PATCH] 5 Add note about ipa-dns-install to ipa-server-install man page In-Reply-To: <4D93BA63.1030402@redhat.com> References: <4D91E6DF.4000409@redhat.com> <4D9264D3.7080400@redhat.com> <4D93032E.8000703@redhat.com> <4D93BA63.1030402@redhat.com> Message-ID: <4D94E687.6050201@redhat.com> David O'Brien wrote: > Jan Cholasta wrote: >> On 30.3.2011 01:01, David O'Brien wrote: >>> Jan Cholasta wrote: >>>> Added the note so that users know that they can setup DNS at any time >>>> after ipa-server-install. >>>> >>>> https://fedorahosted.org/freeipa/ticket/1082 >>>> >>>> >>>> ------------------------------------------------------------------------ >>>> >>>> >>>> _______________________________________________ >>>> Freeipa-devel mailing list >>>> Freeipa-devel at redhat.com >>>> https://www.redhat.com/mailman/listinfo/freeipa-devel >>> NACK >>> >>> Minor English and style fix: >>> >>> s/ >>> "Note that you can setup DNS at any later time by running >>> ipa-dns-install" >>> / >>> "Note that you can set up a DNS at any time after the initial IPA server >>> install by running ipa-dns-install." >> >> Thanks, fixed. >> >>> >>> cheers >>> >> > ACK > Pushed to master and ipa-2-0 From JR.Aquino at citrix.com Thu Mar 31 20:41:21 2011 
From: JR.Aquino at citrix.com (JR Aquino)
Date: Thu, 31 Mar 2011 20:41:21 +0000
Subject: [Freeipa-devel] [PATCH] 23 Optimize and dynamically verify group membership
In-Reply-To:
References:
Message-ID:

Better formatting for the statistics:

-=============================-
ipa hostgroup-find

...

-----------------------------
Number of entries returned 52
-----------------------------

real 0m20.054s
user 0m0.934s
sys 0m0.050s

-=============================-
ipa find-hostgroup

...

-----------------------------
Number of entries returned 52
-----------------------------

real 0m15.064s
user 0m0.945s
sys 0m0.057s

-=============================-
ipa host-find

...

------------------------------
Number of entries returned 100
------------------------------

real 0m41.277s
user 0m0.806s
sys 0m0.060s

-=============================-
ipa host-find

...

------------------------------
Number of entries returned 100
------------------------------

real 0m16.385s
user 0m0.814s
sys 0m0.053s

From rcritten at redhat.com Thu Mar 31 20:48:12 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 31 Mar 2011 16:48:12 -0400
Subject: [Freeipa-devel] [PATCH] 23 Optimize and dynamically verify group membership
In-Reply-To:
References:
Message-ID: <4D94E88C.2090004@redhat.com>

JR Aquino wrote:
> The following patch removes around 20 lines of code and provides a substantial increase in performance for FreeIPA member/memberof verification searches.
>
> The current code base blindly searches static containers for the possible presence of members.
>
> This patch provides a method for dynamically identifying the specific objects to verify memberships for.
>
> The attached patch addresses ticket:
> https://fedorahosted.org/freeipa/ticket/1139
>
>
>
> ipa hostgroup-find
>
> ...
>
> -----------------------------
> Number of entries returned 52
> -----------------------------
>
> real 0m20.054s
> user 0m0.934s
> sys 0m0.050s
>
>
> ipa find-hostgroup
>
> ...
>
> -----------------------------
> Number of entries returned 52
> -----------------------------
>
> real 0m15.064s
> user 0m0.945s
> sys 0m0.057s
>
>
> ------------------------------
> Number of entries returned 100
> ------------------------------
>
> real 0m16.471s
> user 0m0.814s
> sys 0m0.040s
>
>
> ipa host-find
>
> ...
>
> ------------------------------
> Number of entries returned 100
> ------------------------------
>
> real 0m41.277s
> user 0m0.806s
> sys 0m0.060s
>
>
> ipa host-find
>
> ...
>
> ------------------------------
> Number of entries returned 100
> ------------------------------
>
> real 0m16.385s
> user 0m0.814s
> sys 0m0.053s

There is a typo in the first block, memeber.

Wouldn't it be clearer to do a negative test to continue:

    if not 'member' in r[1]:
        continue

rob

From JR.Aquino at citrix.com Thu Mar 31 21:16:57 2011
From: JR.Aquino at citrix.com (JR Aquino)
Date: Thu, 31 Mar 2011 21:16:57 +0000
Subject: [Freeipa-devel] [PATCH] 23 Optimize and dynamically verify group membership
In-Reply-To: <4D94E88C.2090004@redhat.com>
References: <4D94E88C.2090004@redhat.com>
Message-ID:

On Mar 31, 2011, at 1:48 PM, Rob Crittenden wrote:

> JR Aquino wrote:
>> The following patch Removes around 20 lines of code and provides a substantial increase in performance for FreeIPA member/memberof verification searches.
>>
>> The current code base blindly searches static containers for the possible presence of members.
>>
>> This patch provides a method for dynamically identifying the specific objects to verify memberships for.
>>
>> The attached patch addresses ticket:
>> https://fedorahosted.org/freeipa/ticket/1139
>>
>>
>>
>> ipa hostgroup-find
>>
>> ...
>>
>> -----------------------------
>> Number of entries returned 52
>> -----------------------------
>>
>> real 0m20.054s
>> user 0m0.934s
>> sys 0m0.050s
>>
>>
>> ipa find-hostgroup
>>
>> ...
>>
>> -----------------------------
>> Number of entries returned 52
>> -----------------------------
>>
>> real 0m15.064s
>> user 0m0.945s
>> sys 0m0.057s
>>
>>
>> ------------------------------
>> Number of entries returned 100
>> ------------------------------
>>
>> real 0m16.471s
>> user 0m0.814s
>> sys 0m0.040s
>>
>>
>> ipa host-find
>>
>> ...
>>
>> ------------------------------
>> Number of entries returned 100
>> ------------------------------
>>
>> real 0m41.277s
>> user 0m0.806s
>> sys 0m0.060s
>>
>>
>> ipa host-find
>>
>> ...
>>
>> ------------------------------
>> Number of entries returned 100
>> ------------------------------
>>
>> real 0m16.385s
>> user 0m0.814s
>> sys 0m0.053s
>
> There is a typo in the first block, memeber.
>
> Wouldn't it be clearer to do a negative test to continue:
>
> if not 'member' in r[1]:
>     continue
>
> rob

You're right! Corrected patch attached.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jraquino-0023-Optimize-and-dynamically-verify-group-membership.patch
Type: application/octet-stream
Size: 5377 bytes
Desc: freeipa-jraquino-0023-Optimize-and-dynamically-verify-group-membership.patch
URL:
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: ATT00001.txt
URL:

From ayoung at redhat.com Thu Mar 31 21:30:37 2011
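The patch itself is only an attachment on the list, so the following is an added illustration written for this page, not the FreeIPA patch and not project code. It shows the strategy the thread describes: gather the objects that group entries actually reference and verify only those, instead of reading every object in a static container, with the negative-test guard from the review used to skip entries that have no member attribute. It assumes python-ldap's result shape, a list of (dn, attrs) tuples, so the attribute dict is r[1] as in the review comment; all DNs, entries and the dc=example,dc=com suffix are constructed sample data.

```python
"""Added illustration (not the FreeIPA patch itself) of the membership
verification strategy discussed in the thread: collect the objects a group
actually references and verify only those, instead of scanning whole static
containers.

Search results use python-ldap's shape, a list of (dn, attrs) tuples, so the
attribute dict is r[1] exactly as in the review comment.  All DNs and entries
below are constructed sample data, not taken from any real deployment.
"""
from collections import defaultdict

# Constructed containers (hypothetical suffix dc=example,dc=com).
HOSTS = "cn=computers,cn=accounts,dc=example,dc=com"
HGS = "cn=hostgroups,cn=accounts,dc=example,dc=com"


def make_dn(rdn, container):
    return f"{rdn},{container}"


WEB = make_dn("cn=web", HGS)
DB = make_dn("cn=db", HGS)
EMPTY = make_dn("cn=empty", HGS)
WEB1 = make_dn("fqdn=web1.example.com", HOSTS)
WEB2 = make_dn("fqdn=web2.example.com", HOSTS)
DB1 = make_dn("fqdn=db1.example.com", HOSTS)
GHOST = make_dn("fqdn=ghost.example.com", HOSTS)   # referenced but absent

# Constructed directory contents in (dn, attrs) form.
DIRECTORY = [
    (WEB, {"cn": ["web"], "member": [WEB1, WEB2, DB]}),
    (DB, {"cn": ["db"], "member": [DB1, GHOST], "memberOf": [WEB]}),
    (EMPTY, {"cn": ["empty"]}),                  # no member attribute at all
    (WEB1, {"memberOf": [WEB]}),
    (WEB2, {"memberOf": []}),                    # reciprocal memberOf missing
    (DB1, {"memberOf": [DB, WEB]}),              # direct in db, indirect in web
] + [
    # Fifty unrelated hosts: a static scan of cn=computers would read them all.
    (make_dn(f"fqdn=host{i}.example.com", HOSTS), {"memberOf": []})
    for i in range(50)
]


def container_of(entry_dn):
    """Parent DN: everything after the first RDN."""
    return entry_dn.split(",", 1)[1]


def referenced_members(results):
    """Map each container to the set of member DNs that group entries in
    `results` point at.  Entries without a member attribute are skipped with
    the negative-test guard suggested in the review."""
    refs = defaultdict(set)
    for r in results:
        if 'member' not in r[1]:
            continue
        for member_dn in r[1]['member']:
            refs[container_of(member_dn)].add(member_dn)
    return refs


def static_scan_cost(directory, containers):
    """Entries that a blind scan of the given containers would have to read."""
    return sum(1 for entry_dn, _ in directory if container_of(entry_dn) in containers)


def verify_memberships(groups, directory):
    """Fetch only the referenced objects and check each carries a reciprocal
    memberOf.  Returns (problems, lookups); problems is a list of
    (group_dn, member_dn, reason) and lookups counts entries fetched."""
    index = {entry_dn: attrs for entry_dn, attrs in directory}
    problems = []
    lookups = 0
    for group_dn, attrs in groups:
        if 'member' not in attrs:
            continue
        for member_dn in attrs['member']:
            lookups += 1
            target = index.get(member_dn)
            if target is None:
                problems.append((group_dn, member_dn, "dangling member reference"))
                continue
            if group_dn not in target.get('memberOf', []):
                problems.append((group_dn, member_dn, "missing reciprocal memberOf"))
    return problems, lookups


if __name__ == "__main__":
    groups = [e for e in DIRECTORY if container_of(e[0]) == HGS]
    refs = referenced_members(groups)
    print("referenced objects:", sum(len(s) for s in refs.values()))
    print("static scan would read:", static_scan_cost(DIRECTORY, set(refs)))
    problems, lookups = verify_memberships(groups, DIRECTORY)
    print("lookups:", lookups)
    for problem in problems:
        print("problem:", problem)
```

With the constructed data the referenced set is five objects while a blind scan of the same two containers would read 56 entries; the two findings the check reports, a host whose memberOf lacks the group and a member DN that no longer exists, are exactly the inconsistencies a verification pass is meant to surface, and the dangling reference is handled explicitly rather than raising on a missing entry.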
From: ayoung at redhat.com (Adam Young)
Date: Thu, 31 Mar 2011 17:30:37 -0400
Subject: [Freeipa-devel] [PATCH] admiyo-0217-define-entities-using-builder-and-more-declarative
In-Reply-To: <4D94E40F.8030306@redhat.com>
References: <4D90F604.2070609@redhat.com> <4D90FAE2.2090901@redhat.com> <4D935D0D.6050503@redhat.com> <1301566761.25947.18.camel@dhcp-25-52.brq.redhat.com> <4D94850F.7040508@redhat.com> <4D94B12F.60005@redhat.com> <4D94C348.9010700@redhat.com> <4D94D225.50606@redhat.com> <4D94D592.5020608@redhat.com> <4D94E40F.8030306@redhat.com>
Message-ID: <4D94F27D.5060201@redhat.com>

On 03/31/2011 04:29 PM, Adam Young wrote:
> On 03/31/2011 03:27 PM, Adam Young wrote:
>> On 03/31/2011 03:12 PM, Adam Young wrote:
>>> On 03/31/2011 02:09 PM, Adam Young wrote:
>>>> On 03/31/2011 12:51 PM, Endi Sukma Dewata wrote:
>>>>> On 3/31/2011 8:43 AM, Adam Young wrote:
>>>>>> rebased both patches
>>>>>
>>>>> I don't see any code change in the rebased patches, only new
>>>>> commit ID's, I hope this is correct.
>>>>>
>>>>> Some comments (some of which had been discussed over IRC):
>>>>>
>>>>> 1. I ran my Selenium test cases against 215, 216, and 217 together,
>>>>> so far there's no failure.
>>>> Good to know.
>>>>
>>>>> 2. There's an IPA.metadata assignment and the like in unit tests, this
>>>>> is redundant.
>>>>
>>>> yeah, I suspect it was from before I explicitly set async. removed.
>>>>
>>>>> 3. In IPA.entity_builder.section(), the current_section should be added
>>>>> to the current_facet before adding the fields to do incremental
>>>>> construction.
>>>> Done.
>>>>
>>>>> 4. In IPA.entity_builder the entity_name can be replaced with
>>>>> entity.name to reduce the number of variables.
>>>>
>>>> Done
>>>>
>>>>> 5. In IPA.entity_builder the standard_associations() can be replaced
>>>>> with standard_association_facets() for consistency.
>>>> Done
>>>>
>>>>> 6. In the permission entity definition, the 'add_fields' is used
>>>>> inconsistently to add a section (i.e. IPA.target_section). The
>>>>> solution is either adding 'add_sections' or converting
>>>>> IPA.target_sections into widgets. I think adding 'add_sections' is
>>>>> simpler because widgets is designed to represent a single attribute.
>>>>
>>>> Gonna punt on this for this patch. Not certain on the correct
>>>> approach, either to make adders have sections, or to convert the
>>>> one custom section we have to a widget. Either way, beyond the
>>>> scope of this patch, and it will only affect one entity and the
>>>> builder when we decide.
>>>>
>>>>> 7. The IPA.entity_builder.details_facet() takes an array of sections
>>>>> instead of a spec object. This limits the expandability of the
>>>>> builder interface. It should take a spec object with a 'sections'
>>>>> attribute containing the array of sections, this would be consistent
>>>>> with the other interfaces.
>>>>
>>>> I thought about it, but there is nothing that we want to customize
>>>> in the details_facet. We can always do a custom facet to
>>>> customize. An alternative is to check the type of what is passed
>>>> in to the details_section method on the builder, check if it is an
>>>> object or an array, and treat it like a spec or array depending.
>>>>
>>>>> 8. In IPA.entity_builder.search_facet(), there's no need to call
>>>>> current_facet.init() because all facets will be initialized by
>>>>> the entity when IPA.start_entities() is invoked.
>>>>
>>>> Done.
>>>>
>>>>> 9. The IPA.entity_builder could be a singleton because it doesn't take
>>>>> any parameters and there's no multi-threading issue.
>>>> Going to leave it like this for now. That change would be limited
>>>> to a single file (entity.js) and can be done if we decide we want
>>>> to with a very small patch.
>>>>
>>>>> 10. In IPA.details_refresh() it calls IPA.refresh_devel_hook()
>>>>> to execute code specifically used by testing. I think ideally
>>>>> the develop.js should modify the entity_builder instance to generate
>>>>> details facet with test-specific code. This requires item #9. But
>>>>> for now at least we should rename IPA.refresh_devel_hook() into
>>>>> IPA.details_refresh_devel_hook() for clarity.
>>>>
>>>> Good idea. Done
>>>>
>>>> I had already submitted patch
>>>> freeipa-admiyo-0218-default-all-false. Some of the fixes here
>>>> would conflict with that patch if rebased. What I've attached is
>>>> on top of 217-2 and 218-1.
>>>>
>>>> _______________________________________________
>>>> Freeipa-devel mailing list
>>>> Freeipa-devel at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>>> Including Automount
>>>
>>> _______________________________________________
>>> Freeipa-devel mailing list
>>> Freeipa-devel at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>> Hadn't merged in the changes. Updated patch attached.
>>
>> _______________________________________________
>> Freeipa-devel mailing list
>> Freeipa-devel at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-devel
> This version uses a spec for the details facet, IAW code review feedback
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

ACKed after lengthy discussion and minor fix up in IRC

Patches 217 and 219 pushed to master

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From ayoung at redhat.com Thu Mar 31 21:31:51 2011
From: ayoung at redhat.com (Adam Young)
Date: Thu, 31 Mar 2011 17:31:51 -0400
Subject: [Freeipa-devel] [PATCH] admiyo-0218-default-all-false.
In-Reply-To: <4D93D4AC.6070108@redhat.com>
References: <4D93D4AC.6070108@redhat.com>
Message-ID: <4D94F2C7.5090701@redhat.com>

On 03/30/2011 09:11 PM, Adam Young wrote:
> Requires patch 217
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

rebased, ACKed in IRC and pushed to master

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From ayoung at redhat.com Thu Mar 31 21:32:44 2011
From: ayoung at redhat.com (Adam Young)
Date: Thu, 31 Mar 2011 17:32:44 -0400
Subject: [Freeipa-devel] [PATCH] admiyo-0215-Fixed-labels-for-sudo-and-hbac-rules
In-Reply-To: <1301389842.3592.30.camel@dhcp-25-52.brq.redhat.com>
References: <4D90F468.5090403@younglogic.com> <1301389842.3592.30.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4D94F2FC.8040004@redhat.com>

On 03/29/2011 05:10 AM, Martin Kosek wrote:
> On Mon, 2011-03-28 at 16:49 -0400, Adam Young wrote:
>> Putting these two patches together because the first changes labels from
>> the server, and the second is only for test data. The second is a
>> separate patch because there are other changes from older server side
>> updates.
> Patch 215: ACK
>
> Patch 216: NACK. It breaks the test suite.
>
> Martin
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

Rebased, and ACKed in IRC by edewata. Both were pushed. A different patch fixed the Unit tests.

From JR.Aquino at citrix.com Thu Mar 31 22:54:17 2011
From: JR.Aquino at citrix.com (JR Aquino)
Date: Thu, 31 Mar 2011 22:54:17 +0000
Subject: [Freeipa-devel] [PATCH] 23 Optimize and dynamically verify group membership
In-Reply-To:
References:
Message-ID: <993EA5A1-F173-4B85-9A28-F4DE2CC777F6@citrixonline.com>

To clarify, the high delay times in these stats are due to buffered logging being turned off. The ratio of performance increase is ~the same with buffered logging turned on; e.g. 1.9 seconds down to 1.5

On Mar 31, 2011, at 1:43 PM, "JR Aquino" wrote:

> Better formatting for the statistics:
>
> -=============================-
>
>
>
> ipa hostgroup-find
>
> ...
>
> -----------------------------
> Number of entries returned 52
> -----------------------------
>
> real 0m20.054s
> user 0m0.934s
> sys 0m0.050s
>
> -=============================-
>
>
> ipa find-hostgroup
>
> ...
>
> -----------------------------
> Number of entries returned 52
> -----------------------------
>
> real 0m15.064s
> user 0m0.945s
> sys 0m0.057s
>
> -=============================-
>
>
> ipa host-find
>
> ...
>
> ------------------------------
> Number of entries returned 100
> ------------------------------
>
> real 0m41.277s
> user 0m0.806s
> sys 0m0.060s
>
> -=============================-
>
>
> ipa host-find
>
> ...
>
> ------------------------------
> Number of entries returned 100
> ------------------------------
>
> real 0m16.385s
> user 0m0.814s
> sys 0m0.053s
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel