From mkosek at redhat.com Mon May 2 07:34:40 2011 
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 02 May 2011 09:34:40 +0200
Subject: [Freeipa-devel] [PATCH] 14 Run lint during each build
In-Reply-To: <4DB9944D.4090307@redhat.com>
References: <4DB6AFB6.1010503@redhat.com> <1303834459.21334.5.camel@dhcp-25-52.brq.redhat.com> <4DB7F28F.8040505@redhat.com> <1303903022.15737.10.camel@dhcp-25-52.brq.redhat.com> <4DB8084C.7010902@redhat.com> <4DB81B4E.1030803@redhat.com> <4DB8207D.1080603@redhat.com> <1303914276.15737.19.camel@dhcp-25-52.brq.redhat.com> <4DB8454C.4010400@redhat.com> <4DB857C1.9050407@redhat.com> <1303973847.11310.4.camel@dhcp-25-52.brq.redhat.com> <4DB9944D.4090307@redhat.com>
Message-ID: <1304321680.25439.3.camel@dhcp-25-52.brq.redhat.com>

On Thu, 2011-04-28 at 18:22 +0200, Jan Cholasta wrote:
> On 28.4.2011 08:57, Martin Kosek wrote:
> > On Wed, 2011-04-27 at 13:52 -0400, Dmitri Pal wrote:
> >> On 04/27/2011 12:33 PM, Adam Young wrote:
> >>> On 04/27/2011 10:24 AM, Martin Kosek wrote:
> >>>> On Wed, 2011-04-27 at 09:56 -0400, Adam Young wrote:
> >>>>> On 04/27/2011 09:34 AM, Dmitri Pal wrote:
> >>>>>> On 04/27/2011 08:13 AM, Jan Cholasta wrote:
> >>>>>>> On 27.4.2011 13:17, Martin Kosek wrote:
> >>>>>>>> On Wed, 2011-04-27 at 12:40 +0200, Jan Cholasta wrote:
> >>>>>>>>> On 26.4.2011 18:14, Martin Kosek wrote:
> >>>>>>>>>> On Tue, 2011-04-26 at 13:42 +0200, Jan Cholasta wrote:
> >>>>>>>>>>> Automatically run the lint script during make rpms|client-rpms|srpms.
> >>>>>>>>>>>
> >>>>>>>>>> NACK until ticket 1184 is resolved and pushed. Currently, pylint check fails when optional python packages (like python-rhsm) are not installed on the machine. We should be able to build IPA without those packages installed.
> >>>>>>>>> I think printing a note asking the developer to kindly install the missing packages would be sufficient.
> >>>>>>>>> AFAIK there are currently only 2 optional packages: python-rhsm and python-krbV. python-krbV is optional only for the client part of IPA, so you most likely have it already installed and installing python-rhsm is not really much of a chore. That way all of the code would always be checked and the lint script would be free of the unnecessary complexity of handling missing packages.
> >>>>>>>> I don't think this is the right approach. When the package is optional (currently it may be python-rhsm and python-krbV only, but there may be others in the future) I shouldn't be obliged to install them in order to build IPA.
> >>>>>>> You shouldn't be obliged to install them as a user. As a developer, you should be ready for all kinds of crazy stuff IMHO.
> >>>>>>>
> >>>>>>>> When somebody develops something related to the optional package he has them installed and the lint will check the relevant code too.
> >>>>>>> All of the code goes to the package, so it all should be checked during the build.
> >>>>>>>
> >>>>>>> Imagine a situation like this: You change something in module A, accidentally breaking functionality that module B depends on. Module A is checked and no error is found (because it's the kind of issue that exhibits itself only in certain conditions). Module B isn't checked, because it also depends on a not-installed optional package. If it was checked, it would report an error that would lead you to the error in module A. But everything looks fine, so the build succeeds, even when the error is there.
> >>>>>>>
> >>>>>>> The situation might be improbable, but IMO the code should be checked in the same ecosystem every time anyway, because weird stuff could happen if it wasn't.
> >>>>>>>
> >>>>>>>> It is not that big a deal, I just think it would be an annoyance for developers. But maybe there is a different opinion.
> >>>>>>> I know we developers are lazy folk, but this is a matter of writing one simple command, just one time.
> >>>>>>>
> >>>>>>>> Martin
> >>>>>>>>
> >>>>>> How about a compromise?
> >>>>>> By default everything is expected to be installed. But there is a command line switch that allows you to skip the modules you want to skip. You provide the switch and the list of the modules to skip and the build will validate only modules that are not in the list.
> >>>>>>
> >>>>>> Will something like this work?
> >>>>>>
> >>>>> Actually, make the command line switch just mean that a Lint failure doesn't stop the build. That way, by default the build will fail unless everything is there and checked, but there is a way to move forward for building with a subset of packages.
> >>>> Yes, I think we can settle on a compromise. My only concern was not to force the developers to install unnecessary packages for the build.
> >>>>
> >>>> I would suggest that the build (or "make lint") succeeds without those optional packages installed, but a warning is printed out that some packages are missing and not all the code is checked.
> >>>>
> >>>> Then it is the developer's responsibility to handle this and he wouldn't be forced to install those packages for his test builds etc.
> >>>
> >>> How about instead it fails by default, but prints the message "to suppress the lint check stopping the build, run make --no-fail-on-lint" so that skipping lint is a deliberate decision?
> >>
> >>
> >> Yes this is the approach I prefer.
> >
> > OK then, I won't go against the crowd here, it's not that big a deal :-)
> > Honza, please, update the patch accordingly and I will review it.
>
> I've added two new variables to the makefile: DEVELOPER_MODE and LINT_OPTIONS. LINT_OPTIONS contains the command line options passed to make-lint. Setting DEVELOPER_MODE to 1 enables the developer mode, which currently just presets LINT_OPTIONS to --no-fail (it might be used for more in future), so you can build your rpms even without python-rhsm installed by invoking:
>
> make rpms DEVELOPER_MODE=1
>
> > When the "make lint" fails because of missing optional package(s), I would like the missing package(s) to be printed out for the user, so that the user can easily do "yum install" and finish the IPA build.
>
> This will be in my next patch, dealing with ticket 1184.
>

ACK. This should be pushed along with your patch 15 (ticket 1184).

Martin

From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 02 May 2011 09:35:31 +0200
Subject: [Freeipa-devel] [PATCH] 15 Report missing python packages
In-Reply-To: <4DB99AC7.4060305@redhat.com>
References: <4DB99AC7.4060305@redhat.com>
Message-ID: <1304321731.25439.4.camel@dhcp-25-52.brq.redhat.com>

On Thu, 2011-04-28 at 18:50 +0200, Jan Cholasta wrote:
> Improved make-lint to report missing external python packages and fixed a few little bugs in it.
>
> I'd like to ask someone (preferably a native English speaker) to go through the new error messages (at the beginning and end of make-lint) and rephrase them if necessary.
>

ACK. Works fine. If there are no objections from native speakers I think we can push it along with your patch 14.

Martin
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 02 May 2011 11:02:02 +0200
Subject: [Freeipa-devel] [PATCH] 057 Bad return values for ipa-rmkeytab command
Message-ID: <1304326922.4271.0.camel@dhcp-25-52.brq.redhat.com>

ipa-rmkeytab returns success even when the realm passed to the program is not found in a keytab. This patch adds an explanatory error message and returns error code 5 - Principal or realm not found.

https://fedorahosted.org/freeipa/ticket/694

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-057-bad-return-values-for-ipa-rmkeytab-command.patch
Type: text/x-patch
Size: 2268 bytes
Desc: not available
URL:

From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 02 May 2011 11:04:28 +0200
Subject: [Freeipa-devel] [PATCH] 057 Bad return values for ipa-rmkeytab command
Message-ID: <1304327068.4345.0.camel@dhcp-25-52.brq.redhat.com>

ipa-rmkeytab returns success even when the realm passed to the program is not found in a keytab. This patch adds an explanatory error message and returns error code 5 - Principal or realm not found.

https://fedorahosted.org/freeipa/ticket/694

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-057-bad-return-values-for-ipa-rmkeytab-command.patch
Type: text/x-patch
Size: 2268 bytes
Desc: not available
URL:
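The message above describes the fix for ipa-rmkeytab: print a message and return error code 5 when the keytab holds no entry for the requested realm. The block below is an added example written for this archive, not ipa-rmkeytab's own source (which walks a real keytab through the libkrb5 cursor API). It models the keytab as an in-memory array of principal strings, recognises the realm as the exact text after the last '@' rather than as a substring of the whole principal (the patch quoted later in this thread uses strstr() for that test), and returns the distinct code when nothing matched. The principal names, the RC_REALM_NOT_FOUND macro and the message text are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_ENTRIES 16
/* "Principal or realm not found"; 5 is the value the cover note gives. */
#define RC_REALM_NOT_FOUND 5

/* Stand-in for a keytab: an array of principal strings. A real keytab is
 * walked with krb5_kt_start_seq_get()/krb5_kt_next_entry(); this model keeps
 * the example self-contained and offline. */
struct keytab {
    const char *princ[MAX_ENTRIES];
    size_t count;
};

/* Exact match on the realm component: the text after the last '@'. */
bool principal_in_realm(const char *princ, const char *realm)
{
    const char *at = strrchr(princ, '@');
    if (at == NULL)
        return false;
    return strcmp(at + 1, realm) == 0;
}

/* For comparison only: how many entries a plain substring search over the
 * whole principal string would report as "in this realm". */
size_t substring_matches(const struct keytab *kt, const char *realm)
{
    size_t n = 0;
    for (size_t i = 0; i < kt->count; i++)
        if (strstr(kt->princ[i], realm) != NULL)
            n++;
    return n;
}

/* Remove every entry whose realm is exactly `realm`. Returns 0 when at least
 * one entry was removed and RC_REALM_NOT_FOUND when none matched, so the
 * caller can tell "nothing was there" from success. */
int remove_realm(struct keytab *kt, const char *realm)
{
    bool realm_found = false;
    size_t w = 0;

    for (size_t r = 0; r < kt->count; r++) {
        if (principal_in_realm(kt->princ[r], realm)) {
            realm_found = true;   /* drop the entry by not copying it */
            continue;
        }
        kt->princ[w++] = kt->princ[r];
    }
    kt->count = w;

    if (!realm_found) {
        fprintf(stderr, "No principal with realm %s found in keytab\n", realm);
        return RC_REALM_NOT_FOUND;
    }
    return 0;
}

/* Constructed sample: two principals in EXAMPLE.TEST, one in a sub-realm that
 * ends with the same text, and one whose name part contains the realm text. */
struct keytab sample_keytab(void)
{
    struct keytab kt = {
        .princ = {
            "host/ipa.example.test@EXAMPLE.TEST",
            "HTTP/ipa.example.test@EXAMPLE.TEST",
            "host/box.sub.example.test@SUB.EXAMPLE.TEST",
            "EXAMPLE.TEST-svc/box@OTHER.TEST",
        },
        .count = 4,
    };
    return kt;
}

int main(void)
{
    struct keytab kt = sample_keytab();
    printf("substring matches for EXAMPLE.TEST: %zu (exact matches: 2)\n",
           substring_matches(&kt, "EXAMPLE.TEST"));
    int rc = remove_realm(&kt, "EXAMPLE.TEST");
    printf("remove_realm(EXAMPLE.TEST) -> %d, %zu entries left\n", rc, kt.count);
    rc = remove_realm(&kt, "MISSING.TEST");
    printf("remove_realm(MISSING.TEST) -> %d, %zu entries left\n", rc, kt.count);
    return 0;
}
```

On the constructed sample the substring search reports all four entries while the exact check removes only the two EXAMPLE.TEST principals; the SUB.EXAMPLE.TEST keys and the principal that merely mentions the realm in its name stay in place. The second call shows the distinct return code for a realm that is not present, which is the behaviour the patch introduces.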
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 02 May 2011 13:58:28 +0200
Subject: [Freeipa-devel] [PATCH] 058 LDAP Updater may crash IPA installer
Message-ID: <1304337508.3013.1.camel@dhcp-25-52.brq.redhat.com>

Kudos to Jan Zeleny who found the bug (or the bug found him) :-)
---
Fix a logging error in ipa-ldap-updater which may cause IPA installer to crash.

https://fedorahosted.org/freeipa/ticket/1199

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-058-ldap-updater-may-crash-ipa-installer.patch
Type: text/x-patch
Size: 1172 bytes
Desc: not available
URL:

From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 02 May 2011 10:46:08 -0400
Subject: [Freeipa-devel] [PATCH] 058 LDAP Updater may crash IPA installer
In-Reply-To: <1304337508.3013.1.camel@dhcp-25-52.brq.redhat.com>
References: <1304337508.3013.1.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4DBEC3B0.3000208@redhat.com>

Martin Kosek wrote:
> Kudos to Jan Zeleny who found the bug (or the bug found him) :-)
> ---
> Fix a logging error in ipa-ldap-updater which may cause IPA installer to crash.
>
> https://fedorahosted.org/freeipa/ticket/1199

ack, pushed to master and ipa-2-0
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 02 May 2011 13:59:10 -0400
Subject: [Freeipa-devel] Announcing FreeIPA 2.0.1
Message-ID: <4DBEF0EE.1030003@redhat.com>

The FreeIPA Project is proud to announce the latest bugfix release of FreeIPA.

As always, the latest tarball can be found at http://freeipa.org/

== Highlights ==

* Fixed a number of issues uncovered by pylint in preparation for executing it as part of the freeIPA build process.
* Changed the algorithm used for determining indirect membership resulting in significant performance improvement.
* Added index for memberHost and memberUser.
* Fixed problems in ipa-compat-manage and ipa-nis-manage.
* Improved detection of current installation status for both client and server.
* The --gidnumber option for users has been fixed.
* postalCode is now a string instead of an integer. Older clients will still send this as an Int so upgrade your clients if you need this.
* Fix 389-ds crash issue in installer. We could try to shut down the server while it was trying to create an index.
* The default groups we create should have ipaUniqueId set

== Detailed Changelog ==

Endi S. Dewata (1):
* Fixed undefined label in permission adder dialog box.

Jan Cholasta (10):
* Fix wording of error message.
* Add note about ipa-dns-install to ipa-server-install man page.
* Fix typo in ipa-server-install.
* Fix uninitialized variables.
* Fix double definition of output_for_cli.
* Add lint script for static code analysis.
* Fix lint false positives.
* Remove unused classes.
* Fix some minor issues uncovered by pylint.
* Fix uninitialized attributes.
Jr Aquino (4):
* Escape LDAP characters in member and memberof searches
* Add memberHost and memberUser to default indexes
* Optimize and dynamically verify group membership
* Delete the sudoers entry when disabling Schema Compat

Martin Kosek (12):
* Inconsistent error message for duplicate user
* Replica installation fails for self-signed server
* Password policy commands do not include cospriority
* Improve DNS PTR record validation
* IPA replica is not started after the reboot
* Improve Directory Service open port checker
* Log temporary files in ipa-client-install
* Prevent uninstalling client on the IPA server
* pwpolicy-mod doesn't accept old attribute values
* Forbid reinstallation in ipa-client-install
* ipa-client-install uninstall does not work on IPA server
* LDAP Updater may crash IPA installer

Pavel Zuna (1):
* Fix gidnumber option of user-add command.

Rob Crittenden (18):
* Allow a client to enroll using principal when the host has a OTP
* Make retrieval of the CA during DNS discovery non-fatal.
* Cache the value of get_ipa_config() in the request context.
* Change default gecos from uid to first and last name.
* Fix ORDERING in some attributetypes and remove other unnecessary elements.
* postalCode should be a string not an integer.
* Fix traceback in ipa-nis-manage.
* Suppress --on-master from ipa-client-install command-line and man page.
* Sort entries returned by *-find by the primary key (if any).
* The default groups we create should have ipaUniqueId set
* Always ask members in LDAP*ReverseMember commands.
* Provide attributelevelrights for the aci components in permission_show.
* Wait for memberof task and DS to start before proceeding in installation.
* Convert manager from userid to dn for storage and back for displaying.
* Modify the default attributes shown in user-find to match the UI design.
* Ensure that the zonemgr passed to the installer conforms to IA5String.
* Handle principal not found errors when converting replication agreements

Simo Sorce (2):
* Fix resource leaks.
* ipautil: Preserve environment unless explicitly overridden by caller.

rob

From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 02 May 2011 20:28:45 -0500
Subject: [Freeipa-devel] [PATCH] admiyo-0226-Added-a-container-for-the-facet
In-Reply-To: <4DB8D353.9090703@redhat.com>
References: <4DB858D5.40204@redhat.com> <4DB87EEB.8030409@redhat.com> <4DB8BE3D.3090905@redhat.com> <4DB8C729.7060308@redhat.com> <4DB8D353.9090703@redhat.com>
Message-ID: <4DBF5A4D.3070002@redhat.com>

On 4/27/2011 9:39 PM, Endi Sukma Dewata wrote:
> On 4/27/2011 8:47 PM, Adam Young wrote:
>> The more I think about it, the more I think that this structure can be created by the navigation code, and then passed to the entity to populate. The entity-header function moves to navigation.js, but does not have a reference to the entity yet. When an entity tab gets activated, we then populate this structure. Everything can get created on demand.
>
> Not sure, I'd have to see how it's implemented. My concern is whether it would limit entity customization.

This is my attempt at restructuring the DOM and the code:
http://edewata.fedorapeople.org/freeipa/install/ui/index.html

It's still work in progress, but the main changes are:
1. Navigation is modified to use entity names instead of a numerical index.
2. Entity content is moved out of the navigation structure into a separate container.
3. Each facet now has a separate container, so we don't need to redraw the page every time we open it.
4. Buttons are moved into the facet header. They will appear under the facet tab groups.

The code is available in the navigation branch in this repository:
git://fedorapeople.org/~edewata/repo.git

--
Endi S. Dewata
From: ayoung at redhat.com (Adam Young)
Date: Mon, 02 May 2011 21:59:00 -0400
Subject: [Freeipa-devel] [PATCH] admiyo-0226-Added-a-container-for-the-facet
In-Reply-To: <4DBF5A4D.3070002@redhat.com>
References: <4DB858D5.40204@redhat.com> <4DB87EEB.8030409@redhat.com> <4DB8BE3D.3090905@redhat.com> <4DB8C729.7060308@redhat.com> <4DB8D353.9090703@redhat.com> <4DBF5A4D.3070002@redhat.com>
Message-ID: <4DBF6164.20906@redhat.com>

On 05/02/2011 09:28 PM, Endi Sukma Dewata wrote:
> On 4/27/2011 9:39 PM, Endi Sukma Dewata wrote:
>> On 4/27/2011 8:47 PM, Adam Young wrote:
>>> The more I think about it, the more I think that this structure can be created by the navigation code, and then passed to the entity to populate. The entity-header function moves to navigation.js, but does not have a reference to the entity yet. When an entity tab gets activated, we then populate this structure. Everything can get created on demand.
>>
>> Not sure, I'd have to see how it's implemented. My concern is whether it would limit entity customization.
>
> This is my attempt at restructuring the DOM and the code:
> http://edewata.fedorapeople.org/freeipa/install/ui/index.html
>
> It's still work in progress, but the main changes are:
> 1. Navigation is modified to use entity names instead of a numerical index.

Good, very good. This will simplify relationships.

> 2. Entity content is moved out of the navigation structure into a separate container.

Interesting call. I'm pretty sure I am in favor of it, but I'd like to hear your rationale.

> 3. Each facet now has a separate container, so we don't need to redraw the page every time we open it.
> 4. Buttons are moved into the facet header. They will appear under the facet tab groups.
>
> The code is available in the navigation branch in this repository:
> git://fedorapeople.org/~edewata/repo.git

I'll wait until you give me the go ahead to review, but the DOM structure looks good.
From mkosek at redhat.com Tue May 3 09:38:04 2011 From: mkosek at redhat.com (Martin Kosek) Date: Tue, 03 May 2011 11:38:04 +0200 Subject: [Freeipa-devel] [PATCH] 059 NS records not updated by replica Message-ID: <1304415484.18453.0.camel@dhcp-25-52.brq.redhat.com> When replica with DNS is installed, NS records for the managed zone are not updated with the replica FQDN. The administrator then has to do it manually to enroll the new DNS server to the zone. This patch also removes the newly created NS records when the replica is removed via ipa-replica-manage command. https://fedorahosted.org/freeipa/ticket/1034 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mkosek-059-ns-records-not-updated-by-replica.patch Type: text/x-patch Size: 2548 bytes Desc: not available URL: From simo at redhat.com Tue May 3 12:27:00 2011 From: simo at redhat.com (Simo Sorce) Date: Tue, 03 May 2011 08:27:00 -0400 Subject: [Freeipa-devel] [PATCH] 059 NS records not updated by replica In-Reply-To: <1304415484.18453.0.camel@dhcp-25-52.brq.redhat.com> References: <1304415484.18453.0.camel@dhcp-25-52.brq.redhat.com> Message-ID: <1304425620.2886.4.camel@willson.li.ssimo.org> On Tue, 2011-05-03 at 11:38 +0200, Martin Kosek wrote: > When replica with DNS is installed, NS records for the managed zone > are not updated with the replica FQDN. The administrator then has > to do it manually to enroll the new DNS server to the zone. > > This patch also removes the newly created NS records when the > replica is removed via ipa-replica-manage command. > > https://fedorahosted.org/freeipa/ticket/1034 Ack! Simo. -- Simo Sorce * Red Hat, Inc * New York From simo at redhat.com Tue May 3 12:30:28 2011 
From: simo at redhat.com (Simo Sorce)
Date: Tue, 03 May 2011 08:30:28 -0400
Subject: [Freeipa-devel] [PATCH] 057 Bad return values for ipa-rmkeytab command
In-Reply-To: <1304327068.4345.0.camel@dhcp-25-52.brq.redhat.com>
References: <1304327068.4345.0.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <1304425828.2886.7.camel@willson.li.ssimo.org>

On Mon, 2011-05-02 at 11:04 +0200, Martin Kosek wrote:
> diff --git a/ipa-client/ipa-rmkeytab.c b/ipa-client/ipa-rmkeytab.c
> index
> 8afa9e1c4ea822554af436bf4644d717d922f56e..73a74070cf696f1e2b9fe3c8374446b68cc48441 100644
> --- a/ipa-client/ipa-rmkeytab.c
> +++ b/ipa-client/ipa-rmkeytab.c
> @@ -108,6 +108,7 @@ remove_realm(krb5_context context, krb5_keytab
> ktid, const char *realm, int debu
> krb5_kt_cursor kt_cursor;
> char * entry_princ_s = NULL;
> int rval = 0;
> + char realm_found = FALSE;
-----^^^^^---------------^^^^^^--
> krberr = krb5_kt_start_seq_get(context, ktid, &kt_cursor);
> memset(&entry, 0, sizeof(entry));
> @@ -128,6 +129,7 @@ remove_realm(krb5_context context, krb5_keytab
> ktid, const char *realm, int debu
> krb5_kt_end_seq_get(context, ktid, &kt_cursor);
>
> if (strstr(entry_princ_s, realm) != NULL) {
> + realm_found = TRUE;
---------------------------^^^^^^^
> rval = remove_principal(context, ktid, entry_princ_s,
> debug);
> if (rval != 0)
> goto done;
> @@ -136,6 +138,11 @@ remove_realm(krb5_context context, krb5_keytab
> ktid, const char *realm, int debu
> }
> }

Nack, please use 'bool', 'false' and 'true' here, not 'char' and uppercase boolean value names.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
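Review bot: in the second hunk (@@ -128,6 +129,7 @@) `realm_found = TRUE;` is set under the existing `if (strstr(entry_princ_s, realm) != NULL)`, which is a substring search over the whole unparsed principal string, so an entry whose realm merely ends with the requested text, or whose name component happens to contain it, is both passed to remove_principal() and counted as "found"; compare the text after the last '@' of `entry_princ_s` with `realm` for equality instead, and tie `realm_found` to that stricter test so the new error code reports exactly the case the cover note describes.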
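Review bot: the third hunk (@@ -136,6 +138,11 @@) shows only its two closing-brace context lines; the five added lines that consume `realm_found` (the explanatory message and the return of error code 5 that the cover note promises) are not in the quoted excerpt, so the attachment is needed to confirm that `rval` is set to the new code only when no entry matched and that the existing `goto done` error path, which fires when `remove_principal()` fails, still reports that failure rather than the not-found code.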
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 03 May 2011 15:09:23 +0200
Subject: [Freeipa-devel] [PATCH] 057 Bad return values for ipa-rmkeytab command
In-Reply-To: <1304425828.2886.7.camel@willson.li.ssimo.org>
References: <1304327068.4345.0.camel@dhcp-25-52.brq.redhat.com> <1304425828.2886.7.camel@willson.li.ssimo.org>
Message-ID: <1304428163.18453.2.camel@dhcp-25-52.brq.redhat.com>

On Tue, 2011-05-03 at 08:30 -0400, Simo Sorce wrote:
> On Mon, 2011-05-02 at 11:04 +0200, Martin Kosek wrote:
> > diff --git a/ipa-client/ipa-rmkeytab.c b/ipa-client/ipa-rmkeytab.c
> > index
> > 8afa9e1c4ea822554af436bf4644d717d922f56e..73a74070cf696f1e2b9fe3c8374446b68cc48441 100644
> > --- a/ipa-client/ipa-rmkeytab.c
> > +++ b/ipa-client/ipa-rmkeytab.c
> > @@ -108,6 +108,7 @@ remove_realm(krb5_context context, krb5_keytab
> > ktid, const char *realm, int debu
> > krb5_kt_cursor kt_cursor;
> > char * entry_princ_s = NULL;
> > int rval = 0;
> > + char realm_found = FALSE;
>
> -----^^^^^---------------^^^^^^--
>
> > krberr = krb5_kt_start_seq_get(context, ktid, &kt_cursor);
> > memset(&entry, 0, sizeof(entry));
> > @@ -128,6 +129,7 @@ remove_realm(krb5_context context, krb5_keytab
> > ktid, const char *realm, int debu
> > krb5_kt_end_seq_get(context, ktid, &kt_cursor);
> >
> > if (strstr(entry_princ_s, realm) != NULL) {
> > + realm_found = TRUE;
>
> ---------------------------^^^^^^^
>
> > rval = remove_principal(context, ktid, entry_princ_s,
> > debug);
> > if (rval != 0)
> > goto done;
> > @@ -136,6 +138,11 @@ remove_realm(krb5_context context, krb5_keytab
> > ktid, const char *realm, int debu
> > }
> > }
>
> Nack, please use 'bool', 'false' and 'true' here, not 'char' and uppercase boolean value names.
>
> Simo.
>

OK. Fixed patch attached.

Martin

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-057-2-bad-return-values-for-ipa-rmkeytab-command.patch
Type: text/x-patch
Size: 2413 bytes
Desc: not available
URL:

From: simo at redhat.com (Simo Sorce)
Date: Tue, 03 May 2011 09:12:27 -0400
Subject: [Freeipa-devel] [PATCH] 057 Bad return values for ipa-rmkeytab command
In-Reply-To: <1304428163.18453.2.camel@dhcp-25-52.brq.redhat.com>
References: <1304327068.4345.0.camel@dhcp-25-52.brq.redhat.com> <1304425828.2886.7.camel@willson.li.ssimo.org> <1304428163.18453.2.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <1304428347.2886.14.camel@willson.li.ssimo.org>

On Tue, 2011-05-03 at 15:09 +0200, Martin Kosek wrote:
>
> OK. Fixed patch attached.
>

Ack.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 03 May 2011 15:21:36 +0200
Subject: [Freeipa-devel] [PATCH] 057 Bad return values for ipa-rmkeytab command
In-Reply-To: <1304428347.2886.14.camel@willson.li.ssimo.org>
References: <1304327068.4345.0.camel@dhcp-25-52.brq.redhat.com> <1304425828.2886.7.camel@willson.li.ssimo.org> <1304428163.18453.2.camel@dhcp-25-52.brq.redhat.com> <1304428347.2886.14.camel@willson.li.ssimo.org>
Message-ID: <1304428896.18453.3.camel@dhcp-25-52.brq.redhat.com>

On Tue, 2011-05-03 at 09:12 -0400, Simo Sorce wrote:
> On Tue, 2011-05-03 at 15:09 +0200, Martin Kosek wrote:
> >
> > OK. Fixed patch attached.
> >
>
> Ack.
>
> Simo.
>

Pushed to master, ipa-2-0.

Martin
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 03 May 2011 15:21:47 +0200
Subject: [Freeipa-devel] [PATCH] 059 NS records not updated by replica
In-Reply-To: <1304425620.2886.4.camel@willson.li.ssimo.org>
References: <1304415484.18453.0.camel@dhcp-25-52.brq.redhat.com> <1304425620.2886.4.camel@willson.li.ssimo.org>
Message-ID: <1304428907.18453.4.camel@dhcp-25-52.brq.redhat.com>

On Tue, 2011-05-03 at 08:27 -0400, Simo Sorce wrote:
> On Tue, 2011-05-03 at 11:38 +0200, Martin Kosek wrote:
> > When a replica with DNS is installed, NS records for the managed zone are not updated with the replica FQDN. The administrator then has to do it manually to enroll the new DNS server to the zone.
> >
> > This patch also removes the newly created NS records when the replica is removed via the ipa-replica-manage command.
> >
> > https://fedorahosted.org/freeipa/ticket/1034
>
> Ack!
>
> Simo.
>

Pushed to master, ipa-2-0.

Martin
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 03 May 2011 10:06:00 -0500
Subject: [Freeipa-devel] [PATCH] admiyo-0226-Added-a-container-for-the-facet
In-Reply-To: <4DBF6164.20906@redhat.com>
References: <4DB858D5.40204@redhat.com> <4DB87EEB.8030409@redhat.com> <4DB8BE3D.3090905@redhat.com> <4DB8C729.7060308@redhat.com> <4DB8D353.9090703@redhat.com> <4DBF5A4D.3070002@redhat.com> <4DBF6164.20906@redhat.com>
Message-ID: <4DC019D8.2050501@redhat.com>

On 5/2/2011 8:59 PM, Adam Young wrote:
>> This is my attempt at restructuring the DOM and the code:
>> http://edewata.fedorapeople.org/freeipa/install/ui/index.html
>>
>> It's still work in progress, but the main changes are:
>> 1. Navigation is modified to use entity names instead of a numerical index.
> Good, very good. This will simplify relationships.
>
>> 2. Entity content is moved out of the navigation structure into a separate container.
> Interesting call. I'm pretty sure I am in favor of it, but I'd like to hear your rationale.

Previously the content and the navigation were entangled in the same structure, which, as you know, is rather complicated. Separating them allows a cleaner structure and better reusability; for example, suppose another project wants to use another type of navigation instead of the nested tab system.

>> 3. Each facet now has a separate container, so we don't need to redraw the page every time we open it.
>> 4. Buttons are moved into the facet header. They will appear under the facet tab groups.
>>
>> The code is available in the navigation branch in this repository:
>> git://fedorapeople.org/~edewata/repo.git
>
> I'll wait until you give me the go ahead to review, but the DOM structure looks good.

I'll post the patches as usual when they are ready. Thanks.

--
Endi S. Dewata
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 04 May 2011 10:18:22 +0200
Subject: [Freeipa-devel] [PATCH] 060 Consolidate man pages and IPA tools help
Message-ID: <1304497102.21112.3.camel@dhcp-25-52.brq.redhat.com>

I'll nack any patch in the future that would spoil this enjoyable effort :-)
--
IPA tools options are not consistent with information in man pages.

https://fedorahosted.org/freeipa/ticket/1163
https://fedorahosted.org/freeipa/ticket/1178

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-060-consolidate-man-pages-and-ipa-tools-help.patch
Type: text/x-patch
Size: 12933 bytes
Desc: not available
URL:

From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 04 May 2011 10:29:52 +0200
Subject: [Freeipa-devel] [PATCH] 061 Typos in freeIPA messages and man page
Message-ID: <1304497792.21112.6.camel@dhcp-25-52.brq.redhat.com>

Kudos to Yuri Chornoivan who contributed the patch in Bugzilla (and remains the patch author).

Martin

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-061-typos-in-freeipa-messages-and-man-page.patch
Type: text/x-patch
Size: 7364 bytes
Desc: not available
URL:

From: simo at redhat.com (Simo Sorce)
Date: Wed, 04 May 2011 10:28:01 -0400
Subject: [Freeipa-devel] [PATCH] 0097 Avoid --list option of chkconfig
Message-ID: <1304519281.4963.13.camel@willson.li.ssimo.org>

The chkconfig --list option is not reliable as it works differently on a F15 system with systemd enabled services, avoid using it as we have alternative better ways.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-0097-install-scripts-avoid-using-list-with-chkconfig.patch
Type: text/x-patch
Size: 2759 bytes
Desc: not available
URL:
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 04 May 2011 16:56:42 +0200
Subject: [Freeipa-devel] [PATCH] 0097 Avoid --list option of chkconfig
In-Reply-To: <1304519281.4963.13.camel@willson.li.ssimo.org>
References: <1304519281.4963.13.camel@willson.li.ssimo.org>
Message-ID: <1304521002.21112.17.camel@dhcp-25-52.brq.redhat.com>

On Wed, 2011-05-04 at 10:28 -0400, Simo Sorce wrote:
> The chkconfig --list option is not reliable as it works differently on a F15 system with systemd enabled services, avoid using it as we have alternative better ways.
>
> Simo.
>

NACK. This breaks the installation:

# ipa-server-install
...
Configuring ntpd
[1/4]: stopping ntpd
[2/4]: writing configuration
[3/4]: configuring ntpd to start on boot
Unexpected error - see ipaserver-install.log for details:
Command '/sbin/chkconfig --level 3 ntpd' returned non-zero exit status 1

I think you want to make use of the raiseonerr=False parameter in ipautil.run().

Plus, I would prefer integers to be used in the runlevels array instead of a string containing an integer. Makes more sense to do it this way.

Martin
From: simo at redhat.com (Simo Sorce)
Date: Wed, 04 May 2011 11:01:14 -0400
Subject: [Freeipa-devel] [PATCH] 0097 Avoid --list option of chkconfig
In-Reply-To: <1304521002.21112.17.camel@dhcp-25-52.brq.redhat.com>
References: <1304519281.4963.13.camel@willson.li.ssimo.org> <1304521002.21112.17.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <1304521274.4963.14.camel@willson.li.ssimo.org>

On Wed, 2011-05-04 at 16:56 +0200, Martin Kosek wrote:
> On Wed, 2011-05-04 at 10:28 -0400, Simo Sorce wrote:
> > The chkconfig --list option is not reliable as it works differently on a F15 system with systemd enabled services, avoid using it as we have alternative better ways.
> >
> > Simo.
> >
>
> NACK. This breaks the installation:
>
> # ipa-server-install
> ...
> Configuring ntpd
> [1/4]: stopping ntpd
> [2/4]: writing configuration
> [3/4]: configuring ntpd to start on boot
> Unexpected error - see ipaserver-install.log for details:
> Command '/sbin/chkconfig --level 3 ntpd' returned non-zero exit status 1
>
> I think you want to make use of the raiseonerr=False parameter in ipautil.run().
>
> Plus, I would prefer integers to be used in the runlevels array instead of a string containing an integer. Makes more sense to do it this way.

New patch attached.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-0097-2-install-scripts-avoid-using-list-with-chkconfig.patch
Type: text/x-patch
Size: 2632 bytes
Desc: not available
URL:
From: mkosek at redhat.com (Martin Kosek) Date: Wed, 04 May 2011 17:12:48 +0200 Subject: [Freeipa-devel] [PATCH] 0097 Avoid --list option of chkconfig In-Reply-To: <1304521274.4963.14.camel@willson.li.ssimo.org> References: <1304519281.4963.13.camel@willson.li.ssimo.org> <1304521002.21112.17.camel@dhcp-25-52.brq.redhat.com> <1304521274.4963.14.camel@willson.li.ssimo.org> Message-ID: <1304521968.21112.18.camel@dhcp-25-52.brq.redhat.com> On Wed, 2011-05-04 at 11:01 -0400, Simo Sorce wrote: > On Wed, 2011-05-04 at 16:56 +0200, Martin Kosek wrote: > > On Wed, 2011-05-04 at 10:28 -0400, Simo Sorce wrote: > > > The chkconfig --list option is not reliable as it works differently on a > > > F15 system with systemd enabled services, avoid using it as we have > > > alternative better ways. > > > > > > Simo. > > > > > > > NACK. This breaks the installation: > > > > # ipa-server-install > > ... > > Configuring ntpd > > [1/4]: stopping ntpd > > [2/4]: writing configuration > > [3/4]: configuring ntpd to start on boot > > Unexpected error - see ipaserver-install.log for details: > > Command '/sbin/chkconfig --level 3 ntpd' returned non-zero exit status 1 > > > > I think you want to make use of raiseonerr=False parameter in > > ipautil.run(). > > > > Plus, I would prefer integers to be used in runlevels array instead of a > > string containing an integer. Makes more sense to do it this way. > > New patch attached. > > Simo. > ACK. Worked for me on both F-14 and F-15. Martin From edewata at redhat.com Wed May 4 20:38:22 2011 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 04 May 2011 15:38:22 -0500 Subject: [Freeipa-devel] [PATCH] 144 Refactored navigation. Message-ID: <4DC1B93E.3010708@redhat.com> The singular object IPA.nav has been converted into an IPA.navigation class. The admin and self-service navigation tabs have been converted into subclasses of IPA.navigation and will be instantiated according to user authorization. -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0144-Refactored-navigation.patch Type: text/x-patch Size: 25250 bytes Desc: not available URL: From edewata at redhat.com Wed May 4 20:39:18 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 04 May 2011 15:39:18 -0500 Subject: [Freeipa-devel] [PATCH] 145 Use entity names for tab state. Message-ID: <4DC1B976.1070405@redhat.com> Previously the tab state was represented using a numeric index such as navigation=0&identity=1, which is not very user friendly. Now the code has been modified to use entity names such as navigation=identity&identity=group. -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0145-Use-entity-names-for-tab-state.patch Type: text/x-patch Size: 16363 bytes Desc: not available URL: From edewata at redhat.com Wed May 4 20:41:06 2011
From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 04 May 2011 15:41:06 -0500 Subject: [Freeipa-devel] [PATCH] 146 Moved entity contents outside navigation. Message-ID: <4DC1B9E2.2020404@redhat.com> Previously the entities and navigation were entangled inside a common DOM structure, which limited code reuse. Now they have been moved into separate structures. -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0146-Moved-entity-contents-outside-navigation.patch Type: text/x-patch Size: 19632 bytes Desc: not available URL: From edewata at redhat.com Wed May 4 20:46:05 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 04 May 2011 15:46:05 -0500 Subject: [Freeipa-devel] [PATCH] 147 Added facet container. Message-ID: <4DC1BB0D.6090905@redhat.com> A facet container has been added to hold the facet header (i.e. title, search fields, buttons, links) and facet content. Each facet now occupies a separate container, so it can be shown/hidden without having to redraw the content. -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0147-Added-facet-container.patch Type: text/x-patch Size: 76438 bytes Desc: not available URL: From simo at redhat.com Wed May 4 20:57:00 2011
From: simo at redhat.com (Simo Sorce) Date: Wed, 04 May 2011 16:57:00 -0400 Subject: [Freeipa-devel] [PATCH] 0097 Avoid --list option of chkconfig In-Reply-To: <1304521968.21112.18.camel@dhcp-25-52.brq.redhat.com> References: <1304519281.4963.13.camel@willson.li.ssimo.org> <1304521002.21112.17.camel@dhcp-25-52.brq.redhat.com> <1304521274.4963.14.camel@willson.li.ssimo.org> <1304521968.21112.18.camel@dhcp-25-52.brq.redhat.com> Message-ID: <1304542620.14451.0.camel@willson.li.ssimo.org> On Wed, 2011-05-04 at 17:12 +0200, Martin Kosek wrote: > On Wed, 2011-05-04 at 11:01 -0400, Simo Sorce wrote: > > On Wed, 2011-05-04 at 16:56 +0200, Martin Kosek wrote: > > > On Wed, 2011-05-04 at 10:28 -0400, Simo Sorce wrote: > > > > The chkconfig --list option is not reliable as it works differently on a > > > > F15 system with systemd enabled services, avoid using it as we have > > > > alternative better ways. > > > > > > > > Simo. > > > > > > > > > > NACK. This breaks the installation: > > > > > > # ipa-server-install > > > ... > > > Configuring ntpd > > > [1/4]: stopping ntpd > > > [2/4]: writing configuration > > > [3/4]: configuring ntpd to start on boot > > > Unexpected error - see ipaserver-install.log for details: > > > Command '/sbin/chkconfig --level 3 ntpd' returned non-zero exit status 1 > > > > > > I think you want to make use of raiseonerr=False parameter in > > > ipautil.run(). > > > > > > Plus, I would prefer integers to be used in runlevels array instead of a > > > string containing an integer. Makes more sense to do it this way. > > > > New patch attached. > > > > Simo. > > > > ACK. Worked for me on both F-14 and F-15. Hold on pushing this one, it seems that chkconfig service and chkconfig service --list were not mutually exchangeable in this context as we thought ... Simo. -- Simo Sorce * Red Hat, Inc * New York From simo at redhat.com Wed May 4 21:16:49 2011
From: simo at redhat.com (Simo Sorce) Date: Wed, 04 May 2011 17:16:49 -0400 Subject: [Freeipa-devel] [PATCH] 0097 Avoid --list option of chkconfig In-Reply-To: <1304542620.14451.0.camel@willson.li.ssimo.org> References: <1304519281.4963.13.camel@willson.li.ssimo.org> <1304521002.21112.17.camel@dhcp-25-52.brq.redhat.com> <1304521274.4963.14.camel@willson.li.ssimo.org> <1304521968.21112.18.camel@dhcp-25-52.brq.redhat.com> <1304542620.14451.0.camel@willson.li.ssimo.org> Message-ID: <1304543809.14451.7.camel@willson.li.ssimo.org> On Wed, 2011-05-04 at 16:57 -0400, Simo Sorce wrote: > On Wed, 2011-05-04 at 17:12 +0200, Martin Kosek wrote: > > On Wed, 2011-05-04 at 11:01 -0400, Simo Sorce wrote: > > > On Wed, 2011-05-04 at 16:56 +0200, Martin Kosek wrote: > > > > On Wed, 2011-05-04 at 10:28 -0400, Simo Sorce wrote: > > > > > The chkconfig --list option is not reliable as it works differently on a > > > > > F15 system with systemd enabled services, avoid using it as we have > > > > > alternative better ways. > > > > > > > > > > Simo. > > > > > > > > > > > > > NACK. This breaks the installation: > > > > > > > > # ipa-server-install > > > > ... > > > > Configuring ntpd > > > > [1/4]: stopping ntpd > > > > [2/4]: writing configuration > > > > [3/4]: configuring ntpd to start on boot > > > > Unexpected error - see ipaserver-install.log for details: > > > > Command '/sbin/chkconfig --level 3 ntpd' returned non-zero exit status 1 > > > > > > > > I think you want to make use of raiseonerr=False parameter in > > > > ipautil.run(). > > > > > > > > Plus, I would prefer integers to be used in runlevels array instead of a > > > > string containing an integer. Makes more sense to do it this way. > > > > > > New patch attached. > > > > > > Simo. > > > > > > > ACK. Worked for me on both F-14 and F-15. > > Hold on pushing this one, it seems that chkconfig service and chkconfig > service --list were not mutually exchangeable in this context as we > thought ...
After the conversation here [1] and after looking more closely at how the functions that used --list were actually used in the code I came to the conclusion that the use of chkconfig service --list was not really needed in either case. In the client we assume all services we need to be present through packaging dependencies anyway, and even if we fail we properly catch any exception so it is never a fatal issue. In the server install we used to check if the service was enabled at all run levels before considering it really enabled, but upon careful consideration I believe we do not really care. In each place we called is_enabled() what we care about is really just if the service is enabled in the current runlevel, not if it is normally enabled at other run levels, and actually checking for other runlevels could cause issues because a service not enabled at runlevel 4 but currently enabled at the one the install is running with would result disabled, and that's not what callers are really expecting from that test. So long story short I have a patch that basically radically strips away the previous code and radically simplifies it to one simple call in the server code and none at all in the client code. Simo. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-simo-0097-3-install-scripts-avoid-using-list-with-chkconfig.patch Type: text/x-patch Size: 2625 bytes Desc: not available URL: From simo at redhat.com Wed May 4 21:24:30 2011
From: simo at redhat.com (Simo Sorce) Date: Wed, 04 May 2011 17:24:30 -0400 Subject: [Freeipa-devel] [PATCH] 0097 Avoid --list option of chkconfig In-Reply-To: <1304543809.14451.7.camel@willson.li.ssimo.org> References: <1304519281.4963.13.camel@willson.li.ssimo.org> <1304521002.21112.17.camel@dhcp-25-52.brq.redhat.com> <1304521274.4963.14.camel@willson.li.ssimo.org> <1304521968.21112.18.camel@dhcp-25-52.brq.redhat.com> <1304542620.14451.0.camel@willson.li.ssimo.org> <1304543809.14451.7.camel@willson.li.ssimo.org> Message-ID: <1304544270.14451.8.camel@willson.li.ssimo.org> On Wed, 2011-05-04 at 17:16 -0400, Simo Sorce wrote: > After the conversation here [1] and after looking more closely at how Here I meant to link to this bug: [1] https://bugzilla.redhat.com/show_bug.cgi?id=702003 -- Simo Sorce * Red Hat, Inc * New York From mkosek at redhat.com Thu May 5 09:54:31 2011 
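The is_enabled() semantics Simo settles on above (ask chkconfig about the current runlevel only, and treat a non-zero exit as "not enabled" rather than as an error, which is what Martin's raiseonerr=False remark is about) can be shown in a few lines of Python. This is an added example written for this archive page, not FreeIPA's own ipautil.run() or is_enabled(); the `/sbin/chkconfig` and `/sbin/runlevel` paths, the "N 3" output format of `runlevel`, and the scripted stand-in runner used for offline testing are assumptions. The comment about forwarded requests on systemd hosts refers to what Martin reports later in this thread (bug 699027); the example does not work around it, it only avoids raising on it.

```python
"""Check whether a SysV service is enabled in the *current* runlevel only.

Added example; a stand-in for FreeIPA's ipautil.run()/is_enabled(), not the
project's own code. Command paths and the `runlevel` output format ("N 3")
are assumptions about a SysV/chkconfig host.
"""
import subprocess

CHKCONFIG = '/sbin/chkconfig'   # assumed path (matches the thread's error line)
RUNLEVEL = '/sbin/runlevel'     # assumed path


def run(args, raiseonerr=True):
    """Minimal stand-in for ipautil.run(): returns (stdout, stderr, returncode).

    With raiseonerr=False a non-zero exit is *returned*, not raised. A probe
    such as "is this service on?" needs that: exit 1 means "no", not "error".
    """
    proc = subprocess.Popen(args, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    out, err = proc.communicate()
    if proc.returncode != 0 and raiseonerr:
        raise subprocess.CalledProcessError(proc.returncode, args, out, err)
    return (out.decode('utf-8', 'replace'),
            err.decode('utf-8', 'replace'),
            proc.returncode)


def current_runlevel(run=run):
    """Return the current runlevel as an int, or None if it cannot be read.

    `runlevel` prints "<previous> <current>", e.g. "N 3"; some systemd hosts
    print "unknown", which is reported as None rather than guessed.
    """
    out, _, rc = run([RUNLEVEL], raiseonerr=False)
    fields = out.split()
    if rc != 0 or len(fields) != 2 or not fields[1].isdigit():
        return None
    return int(fields[1])


def is_enabled(service, runlevel=None, run=run):
    """True if `service` is configured to start in `runlevel` (an integer),
    defaulting to the current runlevel.

    Only that one runlevel is consulted: a service that is off in runlevel 4
    but on in the level the installer is running in still counts as enabled,
    which is what the callers described in the thread expect.
    """
    if runlevel is None:
        runlevel = current_runlevel(run)
    args = [CHKCONFIG]
    if runlevel is not None:
        args += ['--level', str(int(runlevel))]   # integers in, string on argv
    args.append(service)
    # `chkconfig [--level N] name` exits 0 when the service is on, 1 otherwise.
    # On systemd hosts chkconfig forwards to `systemctl is-enabled`, whose exit
    # status the thread found unreliable on systemd-26; either way the exit
    # status is the only signal, so never raise on it.
    _, _, rc = run(args, raiseonerr=False)
    return rc == 0


def scripted_runner(table):
    """Constructed offline stand-in for run(): `table` maps a command tuple to
    (stdout, returncode); anything not listed exits 1 with empty output."""
    def fake_run(args, raiseonerr=True):
        out, rc = table.get(tuple(args), ('', 1))
        if rc != 0 and raiseonerr:
            raise subprocess.CalledProcessError(rc, list(args))
        return out, '', rc
    return fake_run


def demo():
    """Constructed host: current runlevel 3, ntpd on in 3 and 5 but off in 4."""
    fake = scripted_runner({
        (RUNLEVEL,): ('N 3\n', 0),
        (CHKCONFIG, '--level', '3', 'ntpd'): ('', 0),
        (CHKCONFIG, '--level', '4', 'ntpd'): ('', 1),
        (CHKCONFIG, '--level', '5', 'ntpd'): ('', 0),
    })
    return {
        'current': current_runlevel(fake),
        'ntpd_now': is_enabled('ntpd', run=fake),            # current level only
        'ntpd_in_4': is_enabled('ntpd', 4, run=fake),
        # the old "enabled at every runlevel" test would have said "disabled"
        'all_levels': all(is_enabled('ntpd', lvl, run=fake) for lvl in (3, 4, 5)),
    }


if __name__ == '__main__':
    print(demo())
```

The `demo()` dictionary makes the thread's point concrete: with the same chkconfig answers, the per-runlevel check reports ntpd as enabled while an all-runlevels check reports it as disabled. Running it against a real host means dropping the `run=` argument; on a systemd host with the forwarding bug the return value is only as trustworthy as `systemctl is-enabled` itself.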
From: mkosek at redhat.com (Martin Kosek) Date: Thu, 05 May 2011 11:54:31 +0200 Subject: [Freeipa-devel] [PATCH] 14 Run lint during each build In-Reply-To: <1304321680.25439.3.camel@dhcp-25-52.brq.redhat.com> References: <4DB6AFB6.1010503@redhat.com> <1303834459.21334.5.camel@dhcp-25-52.brq.redhat.com> <4DB7F28F.8040505@redhat.com> <1303903022.15737.10.camel@dhcp-25-52.brq.redhat.com> <4DB8084C.7010902@redhat.com> <4DB81B4E.1030803@redhat.com> <4DB8207D.1080603@redhat.com> <1303914276.15737.19.camel@dhcp-25-52.brq.redhat.com> <4DB8454C.4010400@redhat.com> <4DB857C1.9050407@redhat.com> <1303973847.11310.4.camel@dhcp-25-52.brq.redhat.com> <4DB9944D.4090307@redhat.com> <1304321680.25439.3.camel@dhcp-25-52.brq.redhat.com> Message-ID: <1304589271.7461.3.camel@dhcp-25-52.brq.redhat.com> On Mon, 2011-05-02 at 09:34 +0200, Martin Kosek wrote: > On Thu, 2011-04-28 at 18:22 +0200, Jan Cholasta wrote: > > On 28.4.2011 08:57, Martin Kosek wrote: > > > On Wed, 2011-04-27 at 13:52 -0400, Dmitri Pal wrote: > > >> On 04/27/2011 12:33 PM, Adam Young wrote: > > >>> On 04/27/2011 10:24 AM, Martin Kosek wrote: > > >>>> On Wed, 2011-04-27 at 09:56 -0400, Adam Young wrote: > > >>>>> On 04/27/2011 09:34 AM, Dmitri Pal wrote: > > >>>>>> On 04/27/2011 08:13 AM, Jan Cholasta wrote: > > >>>>>>> On 27.4.2011 13:17, Martin Kosek wrote: > > >>>>>>>> On Wed, 2011-04-27 at 12:40 +0200, Jan Cholasta wrote: > > >>>>>>>>> On 26.4.2011 18:14, Martin Kosek wrote: > > >>>>>>>>>> On Tue, 2011-04-26 at 13:42 +0200, Jan Cholasta wrote: > > >>>>>>>>>>> Automatically run the lint script during make > > >>>>>>>>>>> rpms|client-rpms|srpms. > > >>>>>>>>>>> > > >>>>>>>>>> NACK until ticket 1184 is resolved and pushed. Currently, > > >>>>>>>>>> pylint check > > >>>>>>>>>> fails when optional python packages (like python-rhsm) are not > > >>>>>>>>>> installed > > >>>>>>>>>> on the machine. We should be able to build IPA without those > > >>>>>>>>>> packages > > >>>>>>>>>> installed. 
> > >>>>>>>>> I think printing a note asking the developer to kindly install the > > >>>>>>>>> missing packages would be sufficient. AFAIK there are currently > > >>>>>>>>> only 2 > > >>>>>>>>> optional packages: python-rhsm and python-krbV. python-krbV is > > >>>>>>>>> optional > > >>>>>>>>> only for the client part of IPA, so you most likely have it already > > >>>>>>>>> installed and installing python-rhsm is not really much of a chore. > > >>>>>>>>> That > > >>>>>>>>> way all of the code would always be checked and the lint script > > >>>>>>>>> would be > > >>>>>>>>> free of the unnecessary complexity of handling missing packages. > > >>>>>>>> I don't think this is a right approach. When the package is optional > > >>>>>>>> (currently it may be python-rhsm and python-krbV only, but there > > >>>>>>>> may be > > >>>>>>>> others in the future) I shouldn't be obliged to install them in > > >>>>>>>> order to > > >>>>>>>> build IPA. > > >>>>>>> You shouldn't be obliged to install them as a user. As a developer, > > >>>>>>> you should be ready for all kinds of crazy stuff IMHO. > > >>>>>>> > > >>>>>>>> When somebody develops something related with the optional > > >>>>>>>> package he has them installed and the lint will check the > > >>>>>>>> relevant code > > >>>>>>>> too. > > >>>>>>> All of the code goes to the package, so it all should be checked > > >>>>>>> during the build. > > >>>>>>> > > >>>>>>> Imagine situation like this: You change something in module A, > > >>>>>>> accidentally breaking functionality that module B depends on. > > >>>>>>> Module A > > >>>>>>> is checked and no error is found (because it's the kind of issue that > > >>>>>>> exhibits itself only in certain conditions). Module B isn't checked, > > >>>>>>> because it also depends on a not-installed optional package. If it > > >>>>>>> was > > >>>>>>> checked, it would report an error that would lead you to the error in > > >>>>>>> module A. 
But everything looks fine, so the build succeeds, even when > > >>>>>>> the error is there. > > >>>>>>> > > >>>>>>> The situation might be improbable, but IMO the code should be checked > > >>>>>>> in the same ecosystem every time anyway, because weird stuff could > > >>>>>>> happen if it wasn't. > > >>>>>>> > > >>>>>>>> It is not that big deal, I just think it would be an annoyance for > > >>>>>>>> developers. But maybe there is a different opinion. > > >>>>>>> I know we developers are lazy folk, but this is a matter of writing > > >>>>>>> one simple command, just one time. > > >>>>>>> > > >>>>>>>> Martin > > >>>>>>>> > > >>>>>> How about a compromise? > > >>>>>> By default everything is expected to be installed. > > >>>>>> But there is a command line switch that allows to skip modules you > > >>>>>> want > > >>>>>> to skip. You provide the switch and the list of the modules to skip > > >>>>>> and > > >>>>>> build will validate only modules that are not in the list. > > >>>>>> > > >>>>>> Will something like this work? > > >>>>>> > > >>>>> Actually, make the command line switch just means that a Lint failure > > >>>>> doesn't stop the build. That way, by default the build will fail > > >>>>> unless > > >>>>> everything is there and checked, but there is a way to move forward for > > >>>>> building with a subset of packages. > > >>>> Yes, I think we can settle with a compromise. My only concern was > > >>>> not to force the developers to install unnecessary packages for build. > > >>>> > > >>>> I would suggest that the build (or "make lint") succeeds without those > > >>>> optional packages installed, but a warning is printed out that some > > >>>> packages are missing and not all the code is checked. > > >>>> > > >>>> Then it is a developer's responsibility to handle this and wouldn't be > > >>>> forced to install those packages for his test builds etc.
> > >>> > > >>> How about instead it fails by default, but prints the message "to > > >>> suppress the lint check stopping the build, run make > > >>> --no-fail-on-lint" so that skipping lint is a deliberate decision? > > >> > > >> > > >> Yes this is the approach I prefer. > > > > > > OK then, I won't go against the crowd here, it's not that big deal :-) > > > Honza, please, update the patch accordingly and I will review it. > > > > I've added two new variables to the makefile: DEVELOPER_MODE and > > LINT_OPTIONS. LINT_OPTIONS contains the command line options passed to > > make-lint. Setting DEVELOPER_MODE to 1 enables the developer mode, which > > currently just presets LINT_OPTIONS to --no-fail (it might be used for > > more in future), so you can build your rpms even without python-rhsm > > installed by invoking: > > > > make rpms DEVELOPER_MODE=1 > > > > > > > > When the "make lint" fails because of missing optional package(s), I > > > would like the missing package(s) to be printed out for the user. So > > > that user can easily do "yum install" and finish the IPA > > > build. > > > > This will be in my next patch, dealing with ticket 1184. > > > > ACK. This should be pushed along with your patch 15 (ticket 1184). > > Martin > Pushed to master, ipa-2-0. Martin From mkosek at redhat.com Thu May 5 09:55:24 2011
From: mkosek at redhat.com (Martin Kosek) Date: Thu, 05 May 2011 11:55:24 +0200 Subject: [Freeipa-devel] [PATCH] 15 Report missing python packages In-Reply-To: <1304321731.25439.4.camel@dhcp-25-52.brq.redhat.com> References: <4DB99AC7.4060305@redhat.com> <1304321731.25439.4.camel@dhcp-25-52.brq.redhat.com> Message-ID: <1304589324.7461.4.camel@dhcp-25-52.brq.redhat.com> On Mon, 2011-05-02 at 09:35 +0200, Martin Kosek wrote: > On Thu, 2011-04-28 at 18:50 +0200, Jan Cholasta wrote: > > Improved make-lint to report missing external python packages and fixed > > a few little bugs in it. > > > > I'd like to ask someone (preferably a native English speaker) to go > > through the new error messages (at the beginning and end of make-lint) > > and rephrase them if necessary. > > > > ACK. Works fine. If there are no objections from native speakers I think > we can push it along with your patch 14. > > Martin Pushed to master, ipa-2-0. Martin From mkosek at redhat.com Thu May 5 10:29:06 2011 
From: mkosek at redhat.com (Martin Kosek) Date: Thu, 05 May 2011 12:29:06 +0200 Subject: [Freeipa-devel] [PATCH] 0097 Avoid --list option of chkconfig In-Reply-To: <1304543809.14451.7.camel@willson.li.ssimo.org> References: <1304519281.4963.13.camel@willson.li.ssimo.org> <1304521002.21112.17.camel@dhcp-25-52.brq.redhat.com> <1304521274.4963.14.camel@willson.li.ssimo.org> <1304521968.21112.18.camel@dhcp-25-52.brq.redhat.com> <1304542620.14451.0.camel@willson.li.ssimo.org> <1304543809.14451.7.camel@willson.li.ssimo.org> Message-ID: <1304591346.7461.9.camel@dhcp-25-52.brq.redhat.com> On Wed, 2011-05-04 at 17:16 -0400, Simo Sorce wrote: > On Wed, 2011-05-04 at 16:57 -0400, Simo Sorce wrote: > > On Wed, 2011-05-04 at 17:12 +0200, Martin Kosek wrote: > > > On Wed, 2011-05-04 at 11:01 -0400, Simo Sorce wrote: > > > > On Wed, 2011-05-04 at 16:56 +0200, Martin Kosek wrote: > > > > > On Wed, 2011-05-04 at 10:28 -0400, Simo Sorce wrote: > > > > > > The chkconfig --list option is not reliable as it works differently on a > > > > > > F15 system with systemd enabled services, avoid using it as we have > > > > > > alternative better ways. > > > > > > > > > > > > Simo. > > > > > > > > > > > > > > > > NACK. This breaks the installation: > > > > > > > > > > # ipa-server-install > > > > > ... > > > > > Configuring ntpd > > > > > [1/4]: stopping ntpd > > > > > [2/4]: writing configuration > > > > > [3/4]: configuring ntpd to start on boot > > > > > Unexpected error - see ipaserver-install.log for details: > > > > > Command '/sbin/chkconfig --level 3 ntpd' returned non-zero exit status 1 > > > > > > > > > > I think you want to make use of raiseonerr=False parameter in > > > > > ipautil.run(). > > > > > > > > > > Plus, I would prefer integers to be used in runlevels array instead of a > > > > > string containing an integer. Makes more sense to do it this way. > > > > > > > > New patch attached. > > > > > > > > Simo. > > > > > > > > > > ACK. Worked for me on both F-14 and F-15. 
> > > > Hold on pushing this one, it seems that chkconfig service and chkconfig > > service --list were not mutually exchangeable in this context as we > > thought ... > > After the conversation here [1] and after looking more closely at how > the functions that used --list were actually used in the code I came to > the conclusion that the use of chkconfig service --list was not really > needed in either case. > > In the client we assume all services we need to be present through > packaging dependencies anyway, and even if we fail we properly catch any > exception so it is never a fatal issue. > > In the server install we used to check if the service was enabled at all > run levels before considering it really enabled, but upon careful > consideration I believe we do not really care. In each place we called > is_enabled() what we care about is really just if the service is enabled > in the current runlevel, not if it is normally enabled at other run > levels, and actually checking for other runlevels could cause issues > because a service not enabled at runlevel 4 but currently enabled at the > one the install is running with would result disabled, and that's not > what callers are really expecting from that test. > > So long story short I have a patch that basically radically strips away > the previous code and radically simplifies it to one simple call in the > server code and none at all in the client code. > > Simo. > The concept looks usable, but I am having some problems with chkconfig $SERVICE for a systemd-native package (our favorite ntpd): # systemctl disable ntpd.service # chkconfig ntpd; echo $? Note: Forwarding request to 'systemctl is-enabled ntpd.service'. 0 # systemctl enable ntpd.service ln -s '/lib/systemd/system/ntpd.service' '/etc/systemd/system/multi-user.target.wants/ntpd.service' # chkconfig ntpd; echo $? Note: Forwarding request to 'systemctl is-enabled ntpd.service'. 0 Does this work for you? Looks like a bug in `systemctl is-enabled`. 
I am running systemd-26-1.fc15.x86_64. Martin From jcholast at redhat.com Thu May 5 11:43:59 2011 From: jcholast at redhat.com (Jan Cholasta) Date: Thu, 05 May 2011 13:43:59 +0200 Subject: [Freeipa-devel] [PATCH] 17 Fix regressions introduced by pylint false positive fixes Message-ID: <4DC28D7F.7040405@redhat.com> https://fedorahosted.org/freeipa/ticket/1198 Honza -- Jan Cholasta -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jcholast-17-lint-regressions.patch Type: text/x-patch Size: 5576 bytes Desc: not available URL: From simo at redhat.com Thu May 5 11:56:52 2011 
From: simo at redhat.com (Simo Sorce) Date: Thu, 05 May 2011 07:56:52 -0400 Subject: [Freeipa-devel] [PATCH] 0097 Avoid --list option of chkconfig In-Reply-To: <1304591346.7461.9.camel@dhcp-25-52.brq.redhat.com> References: <1304519281.4963.13.camel@willson.li.ssimo.org> <1304521002.21112.17.camel@dhcp-25-52.brq.redhat.com> <1304521274.4963.14.camel@willson.li.ssimo.org> <1304521968.21112.18.camel@dhcp-25-52.brq.redhat.com> <1304542620.14451.0.camel@willson.li.ssimo.org> <1304543809.14451.7.camel@willson.li.ssimo.org> <1304591346.7461.9.camel@dhcp-25-52.brq.redhat.com> Message-ID: <1304596612.14451.9.camel@willson.li.ssimo.org> On Thu, 2011-05-05 at 12:29 +0200, Martin Kosek wrote: > On Wed, 2011-05-04 at 17:16 -0400, Simo Sorce wrote: > > On Wed, 2011-05-04 at 16:57 -0400, Simo Sorce wrote: > > > On Wed, 2011-05-04 at 17:12 +0200, Martin Kosek wrote: > > > > On Wed, 2011-05-04 at 11:01 -0400, Simo Sorce wrote: > > > > > On Wed, 2011-05-04 at 16:56 +0200, Martin Kosek wrote: > > > > > > On Wed, 2011-05-04 at 10:28 -0400, Simo Sorce wrote: > > > > > > > The chkconfig --list option is not reliable as it works differently on a > > > > > > > F15 system with systemd enabled services, avoid using it as we have > > > > > > > alternative better ways. > > > > > > > > > > > > > > Simo. > > > > > > > > > > > > > > > > > > > NACK. This breaks the installation: > > > > > > > > > > > > # ipa-server-install > > > > > > ... > > > > > > Configuring ntpd > > > > > > [1/4]: stopping ntpd > > > > > > [2/4]: writing configuration > > > > > > [3/4]: configuring ntpd to start on boot > > > > > > Unexpected error - see ipaserver-install.log for details: > > > > > > Command '/sbin/chkconfig --level 3 ntpd' returned non-zero exit status 1 > > > > > > > > > > > > I think you want to make use of raiseonerr=False parameter in > > > > > > ipautil.run(). > > > > > > > > > > > > Plus, I would prefer integers to be used in runlevels array instead of a > > > > > > string containing an integer. 
Makes more sense to do it this way. > > > > > > > > > > New patch attached. > > > > > > > > > > Simo. > > > > > > > > > > > > > ACK. Worked for me on both F-14 and F-15. > > > > > > Hold on pushing this one, it seems that chkconfig service and chkconfig > > > service --list were not mutually exchangeable in this context as we > > > thought ... > > > > After the conversation here [1] and after looking more closely at how > > the functions that used --list were actually used in the code I came to > > the conclusion that the use of chkconfig service --list was not really > > needed in either case. > > > > In the client we assume all services we need to be present through > > packaging dependencies anyway, and even if we fail we properly catch any > > exception so it is never a fatal issue. > > > > In the server install we used to check if the service was enabled at all > > run levels before considering it really enabled, but upon careful > > consideration I believe we do not really care. In each place we called > > is_enabled() what we care about is really just if the service is enabled > > in the current runlevel, not if it is normally enabled at other run > > levels, and actually checking for other runlevels could cause issues > > because a service not enabled at runlevel 4 but currently enabled at the > > one the install is running with would result disabled, and that's not > > what callers are really expecting from that test. > > > > So long story short I have a patch that basically radically strips away > > the previous code and radically simplifies it to one simple call in the > > server code and none at all in the client code. > > > > Simo. > > > > The concept looks usable, but I am having some problems with chkconfig > $SERVICE for a systemd-native package (our favorite ntpd): > > # systemctl disable ntpd.service > # chkconfig ntpd; echo $? > Note: Forwarding request to 'systemctl is-enabled ntpd.service'. 
> 0 > # systemctl enable ntpd.service > ln -s '/lib/systemd/system/ntpd.service' > '/etc/systemd/system/multi-user.target.wants/ntpd.service' > # chkconfig ntpd; echo $? > Note: Forwarding request to 'systemctl is-enabled ntpd.service'. > 0 > > Does this work for you? Looks like a bug in `systemctl is-enabled`. > > I am running systemd-26-1.fc15.x86_64. See: https://bugzilla.redhat.com/show_bug.cgi?id=699027 Simo. -- Simo Sorce * Red Hat, Inc * New York From mkosek at redhat.com Thu May 5 13:09:48 2011 From: mkosek at redhat.com (Martin Kosek) Date: Thu, 05 May 2011 15:09:48 +0200 Subject: [Freeipa-devel] [PATCH] 062 Update spec with missing BuildRequires for pylint check Message-ID: <1304600988.7461.10.camel@dhcp-25-52.brq.redhat.com> https://fedorahosted.org/freeipa/ticket/1203 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mkosek-062-pylint-missing-buildrequires.patch Type: text/x-patch Size: 1240 bytes Desc: not available URL: From sgallagh at redhat.com Thu May 5 14:19:41 2011 From: sgallagh at redhat.com (Stephen Gallagher) Date: Thu, 05 May 2011 10:19:41 -0400 Subject: [Freeipa-devel] [PATCH] 062 Update spec with missing BuildRequires for pylint check In-Reply-To: <1304600988.7461.10.camel@dhcp-25-52.brq.redhat.com> References: <1304600988.7461.10.camel@dhcp-25-52.brq.redhat.com> Message-ID: <1304605189.27913.0.camel@sgallagh.bos.redhat.com> On Thu, 2011-05-05 at 15:09 +0200, Martin Kosek wrote: > https://fedorahosted.org/freeipa/ticket/1203 > Ack -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 198 bytes Desc: This is a digitally signed message part URL: From mkosek at redhat.com Thu May 5 14:32:39 2011 
From: mkosek at redhat.com (Martin Kosek) Date: Thu, 05 May 2011 16:32:39 +0200 Subject: [Freeipa-devel] [PATCH] 062 Update spec with missing BuildRequires for pylint check In-Reply-To: <1304605189.27913.0.camel@sgallagh.bos.redhat.com> References: <1304600988.7461.10.camel@dhcp-25-52.brq.redhat.com> <1304605189.27913.0.camel@sgallagh.bos.redhat.com> Message-ID: <1304605959.7461.12.camel@dhcp-25-52.brq.redhat.com> On Thu, 2011-05-05 at 10:19 -0400, Stephen Gallagher wrote: > On Thu, 2011-05-05 at 15:09 +0200, Martin Kosek wrote: > > https://fedorahosted.org/freeipa/ticket/1203 > > > > Ack Pushed to master, ipa-2-0. Patch to ipa-2-0 branch had to be merged since the spec file differs between the branches now. Martin From ayoung at redhat.com Thu May 5 16:16:55 2011 From: ayoung at redhat.com (Adam Young) Date: Thu, 05 May 2011 12:16:55 -0400 Subject: [Freeipa-devel] [PATCH] 144 Refactored navigation. In-Reply-To: <4DC1B93E.3010708@redhat.com> References: <4DC1B93E.3010708@redhat.com> Message-ID: <4DC2CD77.9030104@redhat.com> On 05/04/2011 04:38 PM, Endi Sukma Dewata wrote: > The singular object IPA.nav has been converted into an IPA.navigation > class. The admin and self-service navigation tabs have been converted > into subclasses of IPA.navigation and will be instantiated according > to user authorization. > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK -------------- next part -------------- An HTML attachment was scrubbed... URL: From ayoung at redhat.com Thu May 5 16:17:07 2011 
From: ayoung at redhat.com (Adam Young) Date: Thu, 05 May 2011 12:17:07 -0400 Subject: [Freeipa-devel] [PATCH] 145 Use entity names for tab state. In-Reply-To: <4DC1B976.1070405@redhat.com> References: <4DC1B976.1070405@redhat.com> Message-ID: <4DC2CD83.4060500@redhat.com> On 05/04/2011 04:39 PM, Endi Sukma Dewata wrote: > Previously the tab state was represented using a numeric index such > as navigation=0&identity=1, which is not very user friendly. Now the > code has been modified to use entity names such as > navigation=identity&identity=group. ACK -------------- next part -------------- An HTML attachment was scrubbed... URL: From ayoung at redhat.com Thu May 5 16:19:15 2011 From: ayoung at redhat.com (Adam Young) Date: Thu, 05 May 2011 12:19:15 -0400 Subject: [Freeipa-devel] [PATCH] 146 Moved entity contents outside navigation. In-Reply-To: <4DC1B9E2.2020404@redhat.com> References: <4DC1B9E2.2020404@redhat.com> Message-ID: <4DC2CE03.3090501@redhat.com> On 05/04/2011 04:41 PM, Endi Sukma Dewata wrote: > Previously the entities and navigation were entangled inside a common > DOM structure, which limited code reuse. Now they have been moved > into separate structures. ACK -------------- next part -------------- An HTML attachment was scrubbed... URL: From edewata at redhat.com Thu May 5 17:16:59 2011
From: edewata at redhat.com (Endi Sukma Dewata) Date: Thu, 05 May 2011 12:16:59 -0500 Subject: [Freeipa-devel] [PATCH] 144 Refactored navigation. In-Reply-To: <4DC2CD77.9030104@redhat.com> References: <4DC1B93E.3010708@redhat.com> <4DC2CD77.9030104@redhat.com> Message-ID: <4DC2DB8B.5030700@redhat.com> On 5/5/2011 11:16 AM, Adam Young wrote: > On 05/04/2011 04:38 PM, Endi Sukma Dewata wrote: >> The singular object IPA.nav has been converted into an IPA.navigation >> class. The admin and self-service navigation tabs have been converted >> into subclasses of IPA.navigation and will be instantiated according >> to user authorization. > ACK Pushed to master. -- Endi S. Dewata From edewata at redhat.com Thu May 5 17:17:17 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Thu, 05 May 2011 12:17:17 -0500 Subject: [Freeipa-devel] [PATCH] 145 Use entity names for tab state. In-Reply-To: <4DC2CD83.4060500@redhat.com> References: <4DC1B976.1070405@redhat.com> <4DC2CD83.4060500@redhat.com> Message-ID: <4DC2DB9D.2010801@redhat.com> On 5/5/2011 11:17 AM, Adam Young wrote: > On 05/04/2011 04:39 PM, Endi Sukma Dewata wrote: >> Previously the tab state is represented using numeric index such >> as navigation=0&identity=1 which is not very user friendly. Now the >> code has been modified to use entity names such as >> navigation=identity&identity=group. > ACK Pushed to master. -- Endi S. Dewata From edewata at redhat.com Thu May 5 17:17:36 2011 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Thu, 05 May 2011 12:17:36 -0500 Subject: [Freeipa-devel] [PATCH] 146 Moved entity contents outside navigation. In-Reply-To: <4DC2CE03.3090501@redhat.com> References: <4DC1B9E2.2020404@redhat.com> <4DC2CE03.3090501@redhat.com> Message-ID: <4DC2DBB0.4000207@redhat.com> On 5/5/2011 11:19 AM, Adam Young wrote: > On 05/04/2011 04:41 PM, Endi Sukma Dewata wrote: >> Previously the entities and navigation are entangled inside a common >> DOM structure which limits code reuse. Now they have been moved >> into separate structures. > ACK Pushed to master. -- Endi S. Dewata From ayoung at redhat.com Thu May 5 17:58:58 2011 From: ayoung at redhat.com (Adam Young) Date: Thu, 05 May 2011 13:58:58 -0400 Subject: [Freeipa-devel] [PATCH] 147 Added facet container. In-Reply-To: <4DC1BB0D.6090905@redhat.com> References: <4DC1BB0D.6090905@redhat.com> Message-ID: <4DC2E562.2020407@redhat.com> On 05/04/2011 04:46 PM, Endi Sukma Dewata wrote: > Facet container has been added to hold facet header (i.e. title, > search fields, buttons, links) and facet content. Each facet now > occupies separate container, so it can be shown/hidden without > having to redraw the content. > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK -------------- next part -------------- An HTML attachment was scrubbed... URL: From edewata at redhat.com Thu May 5 19:58:50 2011 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Thu, 05 May 2011 14:58:50 -0500 Subject: [Freeipa-devel] [PATCH] 147 Added facet container. In-Reply-To: <4DC2E562.2020407@redhat.com> References: <4DC1BB0D.6090905@redhat.com> <4DC2E562.2020407@redhat.com> Message-ID: <4DC3017A.4070608@redhat.com> On 5/5/2011 12:58 PM, Adam Young wrote: > On 05/04/2011 04:46 PM, Endi Sukma Dewata wrote: >> Facet container has been added to hold facet header (i.e. title, >> search fields, buttons, links) and facet content. Each facet now >> occupies separate container, so it can be shown/hidden without >> having to redraw the content. > ACK Pushed to master. -- Endi S. Dewata From mkosek at redhat.com Fri May 6 12:03:01 2011 From: mkosek at redhat.com (Martin Kosek) Date: Fri, 06 May 2011 14:03:01 +0200 Subject: [Freeipa-devel] [PATCH] 063 Let selinux-policy handle port 7390 Message-ID: <1304683381.27463.2.camel@dhcp-25-52.brq.redhat.com> As #1200 patch will raise selinux-policy Requires in the SPEC above this version, it is not necessary to do it in this patch. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mkosek-063-let-selinux-policy-handle-port-7390.patch Type: text/x-patch Size: 2015 bytes Desc: not available URL: From mkosek at redhat.com Fri May 6 14:00:28 2011 
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 06 May 2011 16:00:28 +0200
Subject: [Freeipa-devel] [PATCH] 0097 Avoid --list option of chkconfig
In-Reply-To: <1304596612.14451.9.camel@willson.li.ssimo.org>
References: <1304519281.4963.13.camel@willson.li.ssimo.org> <1304521002.21112.17.camel@dhcp-25-52.brq.redhat.com> <1304521274.4963.14.camel@willson.li.ssimo.org> <1304521968.21112.18.camel@dhcp-25-52.brq.redhat.com> <1304542620.14451.0.camel@willson.li.ssimo.org> <1304543809.14451.7.camel@willson.li.ssimo.org> <1304591346.7461.9.camel@dhcp-25-52.brq.redhat.com> <1304596612.14451.9.camel@willson.li.ssimo.org>
Message-ID: <1304690428.27463.13.camel@dhcp-25-52.brq.redhat.com>

On Thu, 2011-05-05 at 07:56 -0400, Simo Sorce wrote:
> On Thu, 2011-05-05 at 12:29 +0200, Martin Kosek wrote:
> > On Wed, 2011-05-04 at 17:16 -0400, Simo Sorce wrote:
> > > On Wed, 2011-05-04 at 16:57 -0400, Simo Sorce wrote:
> > > > On Wed, 2011-05-04 at 17:12 +0200, Martin Kosek wrote:
> > > > > On Wed, 2011-05-04 at 11:01 -0400, Simo Sorce wrote:
> > > > > > On Wed, 2011-05-04 at 16:56 +0200, Martin Kosek wrote:
> > > > > > > On Wed, 2011-05-04 at 10:28 -0400, Simo Sorce wrote:
> > > > > > > > The chkconfig --list option is not reliable as it works differently on a F15 system with systemd enabled services, avoid using it as we have alternative better ways.
> > > > > > > >
> > > > > > > > Simo.
> > > > > > >
> > > > > > > NACK. This breaks the installation:
> > > > > > >
> > > > > > > # ipa-server-install
> > > > > > > ...
> > > > > > > Configuring ntpd
> > > > > > > [1/4]: stopping ntpd
> > > > > > > [2/4]: writing configuration
> > > > > > > [3/4]: configuring ntpd to start on boot
> > > > > > > Unexpected error - see ipaserver-install.log for details:
> > > > > > > Command '/sbin/chkconfig --level 3 ntpd' returned non-zero exit status 1
> > > > > > >
> > > > > > > I think you want to make use of the raiseonerr=False parameter in ipautil.run().
> > > > > > >
> > > > > > > Plus, I would prefer integers to be used in the runlevels array instead of a string containing an integer. Makes more sense to do it this way.
> > > > > >
> > > > > > New patch attached.
> > > > > >
> > > > > > Simo.
> > > > >
> > > > > ACK. Worked for me on both F-14 and F-15.
> > > >
> > > > Hold on pushing this one, it seems that chkconfig service and chkconfig service --list were not mutually exchangeable in this context as we thought ...
> > >
> > > After the conversation here [1] and after looking more closely at how the functions that used --list were actually used in the code I came to the conclusion that the use of chkconfig service --list was not really needed in either case.
> > >
> > > In the client we assume all services we need to be present through packaging dependencies anyway, and even if we fail we properly catch any exception so it is never a fatal issue.
> > >
> > > In the server install we used to check if the service was enabled at all run levels before considering it really enabled, but upon careful consideration I believe we do not really care. In each place we called is_enabled() what we care about is really just if the service is enabled in the current runlevel, not if it is normally enabled at other run levels, and actually checking for other runlevels could cause issues because a service not enabled at runlevel 4 but currently enabled at the one the install is running with would be reported as disabled, and that's not what callers are really expecting from that test.
> > >
> > > So long story short I have a patch that basically radically strips away the previous code and radically simplifies it to one simple call in the server code and none at all in the client code.
> > >
> > > Simo.
> >
> > The concept looks usable, but I am having some problems with chkconfig $SERVICE for a systemd native package (our favorite ntpd):
> >
> > # systemctl disable ntpd.service
> > # chkconfig ntpd; echo $?
> > Note: Forwarding request to 'systemctl is-enabled ntpd.service'.
> > 0
> > # systemctl enable ntpd.service
> > ln -s '/lib/systemd/system/ntpd.service' '/etc/systemd/system/multi-user.target.wants/ntpd.service'
> > # chkconfig ntpd; echo $?
> > Note: Forwarding request to 'systemctl is-enabled ntpd.service'.
> > 0
> >
> > Does this work for you? Looks like a bug in `systemctl is-enabled`.
> >
> > I am running systemd-26-1.fc15.x86_64.
>
> See: https://bugzilla.redhat.com/show_bug.cgi?id=699027
>
> Simo.

Yeah, that's exactly the issue I am experiencing. Anyway, I think we are safe with this change even with the bug 699027 as we don't use `chkconfig $SERVICE` to confirm a change to service boot status.

I have found a minor issue with IPA client installation. After you modified ipa-client-install the function does not return when the service is not installed, thus producing an error message, e.g. with the nscd service:

# ipa-client-install
...
Enrolled in IPA realm IDM.LAB.BOS.REDHAT.COM
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm IDM.LAB.BOS.REDHAT.COM
Failed to configure automatic startup of the NSCD daemon <====
SSSD enabled
Kerberos 5 enabled
NTP enabled
Client configuration complete.

I have created a ticket for this whole issue with chkconfig - #1206. It should be noted in the commit message.

Martin

From simo at redhat.com Fri May 6 14:06:10 2011
From: simo at redhat.com (Simo Sorce)
Date: Fri, 06 May 2011 10:06:10 -0400
Subject: [Freeipa-devel] [PATCH] 0097 Avoid --list option of chkconfig
In-Reply-To: <1304690428.27463.13.camel@dhcp-25-52.brq.redhat.com>
References: <1304519281.4963.13.camel@willson.li.ssimo.org> <1304521002.21112.17.camel@dhcp-25-52.brq.redhat.com> <1304521274.4963.14.camel@willson.li.ssimo.org> <1304521968.21112.18.camel@dhcp-25-52.brq.redhat.com> <1304542620.14451.0.camel@willson.li.ssimo.org> <1304543809.14451.7.camel@willson.li.ssimo.org> <1304591346.7461.9.camel@dhcp-25-52.brq.redhat.com> <1304596612.14451.9.camel@willson.li.ssimo.org> <1304690428.27463.13.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <1304690770.28617.2.camel@willson.li.ssimo.org>

On Fri, 2011-05-06 at 16:00 +0200, Martin Kosek wrote:
> Yeah, that's exactly the issue I am experiencing. Anyway, I think we are safe with this change even with the bug 699027 as we don't use `chkconfig $SERVICE` to confirm a change to service boot status.

Yep, that's why I am comfortable with the change even if there is still the bug. We may 'restore' the machine to the 'wrong' status on --uninstall until that is fixed, but it is ok, it will become fixed once the systemctl bug is.

> I have found a minor issue with IPA client installation. After you modified ipa-client-install the function does not return when the service is not installed. Thus producing an error message, e.g. with nscd service:
>
> # ipa-client-install
> ...
> Enrolled in IPA realm IDM.LAB.BOS.REDHAT.COM
> Created /etc/ipa/default.conf
> Configured /etc/sssd/sssd.conf
> Configured /etc/krb5.conf for IPA realm IDM.LAB.BOS.REDHAT.COM
> Failed to configure automatic startup of the NSCD daemon <====
> SSSD enabled
> Kerberos 5 enabled
> NTP enabled
> Client configuration complete.

Yes I expected this one, and I think it is ok for now. We should probably find a different way to check if an optional package is installed.

> I have created a ticket for this whole issue with chkconfig - #1206. It should be noted in the commit message.

Thanks,
Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From mkosek at redhat.com Fri May 6 14:32:47 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 06 May 2011 16:32:47 +0200
Subject: [Freeipa-devel] [PATCH] 0097 Avoid --list option of chkconfig
In-Reply-To: <1304690770.28617.2.camel@willson.li.ssimo.org>
References: <1304519281.4963.13.camel@willson.li.ssimo.org> <1304521002.21112.17.camel@dhcp-25-52.brq.redhat.com> <1304521274.4963.14.camel@willson.li.ssimo.org> <1304521968.21112.18.camel@dhcp-25-52.brq.redhat.com> <1304542620.14451.0.camel@willson.li.ssimo.org> <1304543809.14451.7.camel@willson.li.ssimo.org> <1304591346.7461.9.camel@dhcp-25-52.brq.redhat.com> <1304596612.14451.9.camel@willson.li.ssimo.org> <1304690428.27463.13.camel@dhcp-25-52.brq.redhat.com> <1304690770.28617.2.camel@willson.li.ssimo.org>
Message-ID: <1304692367.27463.16.camel@dhcp-25-52.brq.redhat.com>

On Fri, 2011-05-06 at 10:06 -0400, Simo Sorce wrote:
> On Fri, 2011-05-06 at 16:00 +0200, Martin Kosek wrote:
>
> > Yeah, that's exactly the issue I am experiencing. Anyway, I think we are safe with this change even with the bug 699027 as we don't use `chkconfig $SERVICE` to confirm a change to service boot status.
>
> Yep, that's why I am comfortable with the change even if there is still the bug. We may 'restore' the machine to the 'wrong' status on --uninstall until that is fixed, but it is ok, it will become fixed once the systemctl bug is.
>
> > I have found a minor issue with IPA client installation. After you modified ipa-client-install the function does not return when the service is not installed. Thus producing an error message, e.g. with nscd service:
> >
> > # ipa-client-install
> > ...
> > Enrolled in IPA realm IDM.LAB.BOS.REDHAT.COM
> > Created /etc/ipa/default.conf
> > Configured /etc/sssd/sssd.conf
> > Configured /etc/krb5.conf for IPA realm IDM.LAB.BOS.REDHAT.COM
> > Failed to configure automatic startup of the NSCD daemon <====
> > SSSD enabled
> > Kerberos 5 enabled
> > NTP enabled
> > Client configuration complete.
>
> Yes I expected this one, and I think it is ok for now. We should probably find a different way to check if an optional package is installed.
>
> > I have created a ticket for this whole issue with chkconfig - #1206. It should be noted in the commit message.
>
> Thanks,
> Simo.
>

OK. One error message is a lesser evil than a crashing installation. I created a new bug #1207 which should fix this.

ACK and pushed to master, ipa-2-0. I have amended the commit message and added a ticket number.

Martin

From dpal at redhat.com Fri May 6 19:03:36 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 06 May 2011 15:03:36 -0400
Subject: [Freeipa-devel] [PATCH] 060 Consolidate man pages and IPA tools help
In-Reply-To: <1304497102.21112.3.camel@dhcp-25-52.brq.redhat.com>
References: <1304497102.21112.3.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4DC44608.9030408@redhat.com>

On 05/04/2011 04:18 AM, Martin Kosek wrote:
> I'll nack any patch in the future that would spoil this enjoyable effort :-)

Nicely worded threat :-)
Please do.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From edewata at redhat.com Fri May 6 19:43:47 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 06 May 2011 14:43:47 -0500
Subject: [Freeipa-devel] [PATCH] 149 Fixed self-service UI.
Message-ID: <4DC44F73.4090009@redhat.com>

The Identity tab for self-service UI was missing a label and there was a bug in navigation.js that was exposed because of that.

-- 
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0149-Fixed-self-service-UI.patch
Type: text/x-patch
Size: 1581 bytes
Desc: not available

From ayoung at redhat.com Fri May 6 20:14:49 2011
From: ayoung at redhat.com (Adam Young)
Date: Fri, 06 May 2011 16:14:49 -0400
Subject: [Freeipa-devel] [PATCH] 149 Fixed self-service UI.
In-Reply-To: <4DC44F73.4090009@redhat.com>
References: <4DC44F73.4090009@redhat.com>
Message-ID: <4DC456B9.3020401@redhat.com>

On 05/06/2011 03:43 PM, Endi Sukma Dewata wrote:
> The Identity tab for self-service UI was missing a label and there was a bug in navigation.js that was exposed because of that.

ACK. Pushed to master

From edewata at redhat.com Fri May 6 20:25:55 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 06 May 2011 15:25:55 -0500
Subject: [Freeipa-devel] [PATCH] 150 Updated Selenium tests.
Message-ID: <4DC45953.2040408@redhat.com>

The following test suites have been updated to use the new DOM structure: user, group, host, hostgroup, netgroup, service, HBAC.

-- 
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0150-Updated-Selenium-tests.patch
Type: text/x-patch
Size: 94896 bytes
Desc: not available

From ayoung at redhat.com Sun May 8 23:48:34 2011
From: ayoung at redhat.com (Adam Young)
Date: Sun, 08 May 2011 19:48:34 -0400
Subject: [Freeipa-devel] [PATCH] 150 Updated Selenium tests.
In-Reply-To: <4DC45953.2040408@redhat.com>
References: <4DC45953.2040408@redhat.com>
Message-ID: <4DC72BD2.70005@redhat.com>

On 05/06/2011 04:25 PM, Endi Sukma Dewata wrote:
> The following test suites have been updated to use the new DOM structure: user, group, host, hostgroup, netgroup, service, HBAC.

Running functional.sh seems to fail consistently, but it is definitely better than before the patch.

User is good except for Passwordreset.
Group is fine
Host certificate fails on "wait for network activity indicator", rest of the tests were OK
hostgroup fails pretty early on, no results posted.
HBAC rule activation failed at verifyTextPresent: undo
Other HBACs were OK
netgroup failed on editnetgroup, rest of the tests were OK
service had a failure pretty early on that repeated several times:
verifyElementPresent css=.entity[name='service'] .facet[name='search'] input[value='testservice/test.example.com at IDM.LAB.BOS.REDHAT.COM'] false

I suspect that many of the issues with service were due to self sign, and we can ignore them...I think that the waiting for network activity indicator to disappear has a race condition in it. I'm going to reinstall the server and run the specific test that failed again.

From ayoung at redhat.com Mon May 9 00:32:22 2011
From: ayoung at redhat.com (Adam Young)
Date: Sun, 08 May 2011 20:32:22 -0400
Subject: [Freeipa-devel] ipa-server-install --uninstall not stopping services
Message-ID: <4DC73616.80202@redhat.com>

Simo,

Something has changed in the init script manipulation recently. Now, when I run

ipa-server-install --uninstall -U

and then

ipa-server-install -U -r ` hostname | tr '[:lower:]' '[:upper:]'` -p freeipa4all -a freeipa4all

I get

IPA requires ports 389 and 636 for the Directory Server. These are currently in use:
389
636

From mkosek at redhat.com Mon May 9 08:20:51 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 09 May 2011 10:20:51 +0200
Subject: [Freeipa-devel] [PATCH] 17 Fix regressions introduced by pylint false positive fixes
In-Reply-To: <4DC28D7F.7040405@redhat.com>
References: <4DC28D7F.7040405@redhat.com>
Message-ID: <1304929251.14905.0.camel@dhcp-25-52.brq.redhat.com>

On Thu, 2011-05-05 at 13:43 +0200, Jan Cholasta wrote:
> https://fedorahosted.org/freeipa/ticket/1198
>
> Honza
>

ACK. I see no suspicious test suite errors.

Martin

From mkosek at redhat.com Mon May 9 10:22:39 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 09 May 2011 12:22:39 +0200
Subject: [Freeipa-devel] [PATCH] 16 Fixes for issues found by Coverity
In-Reply-To: <4DBA9F95.3080308@redhat.com>
References: <4DBA9F95.3080308@redhat.com>
Message-ID: <1304936559.14905.2.camel@dhcp-25-52.brq.redhat.com>

On Fri, 2011-04-29 at 13:23 +0200, Jan Cholasta wrote:
> https://fedorahosted.org/freeipa/ticket/1166
> https://fedorahosted.org/freeipa/ticket/1167
> https://fedorahosted.org/freeipa/ticket/1168
> https://fedorahosted.org/freeipa/ticket/1169
>

ACK, looks good. No additional issues in the test suite were discovered.

Martin

From mkosek at redhat.com Mon May 9 11:19:59 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 09 May 2011 13:19:59 +0200
Subject: [Freeipa-devel] [PATCH] honor --no-reverse option
In-Reply-To: <4DB96341.9090700@redhat.com>
References: <4DB96341.9090700@redhat.com>
Message-ID: <1304939999.14905.5.camel@dhcp-25-52.brq.redhat.com>

On Thu, 2011-04-28 at 08:53 -0400, Rob Crittenden wrote:
> The --no-reverse option was only working in unattended mode resulting in a reverse zone even if you requested to not create one.
>
> ticket 1152
>
> rob

NACK. The patch is fine for the server installation, but we also need the fix for replica.

Martin

From rcritten at redhat.com Mon May 9 16:01:13 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 09 May 2011 12:01:13 -0400
Subject: [Freeipa-devel] [PATCH] 061 Typos in freeIPA messages and man page
In-Reply-To: <1304497792.21112.6.camel@dhcp-25-52.brq.redhat.com>
References: <1304497792.21112.6.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4DC80FC9.3070307@redhat.com>

Martin Kosek wrote:
> Kudos to Yuri Chornoivan who contributed the patch in Bugzilla (and remains the patch author).
>
> Martin

Ack.

rob

From rcritten at redhat.com Mon May 9 20:24:19 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 09 May 2011 16:24:19 -0400
Subject: [Freeipa-devel] [PATCH] 16 Fixes for issues found by Coverity
In-Reply-To: <1304936559.14905.2.camel@dhcp-25-52.brq.redhat.com>
References: <4DBA9F95.3080308@redhat.com> <1304936559.14905.2.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4DC84D73.9030206@redhat.com>

Martin Kosek wrote:
> On Fri, 2011-04-29 at 13:23 +0200, Jan Cholasta wrote:
>> https://fedorahosted.org/freeipa/ticket/1166
>> https://fedorahosted.org/freeipa/ticket/1167
>> https://fedorahosted.org/freeipa/ticket/1168
>> https://fedorahosted.org/freeipa/ticket/1169
>>
>
> ACK, looks good. No additional issues in the test suite were discovered.
>
> Martin

pushed to master and ipa-2-0.

rob

From ayoung at redhat.com Tue May 10 01:30:29 2011
From: ayoung at redhat.com (Adam Young)
Date: Mon, 09 May 2011 21:30:29 -0400
Subject: [Freeipa-devel] [Freeipa-users] FreeIPA questions
In-Reply-To: <4DC85C88.9050809@cox.net>
References: <4DC84247.3030603@cox.net> <4DC85773.3030604@redhat.com> <4DC85C88.9050809@cox.net>
Message-ID: <4DC89535.3030400@redhat.com>

My pleasure. I'll forward to the list as well. We do active development on F15, so you should get pretty good responses from the Developers. We're always in #freeipa on freenode.

On 05/09/2011 05:28 PM, SR wrote:
> Thanks, Adam! I'm going to eval RHEL and will grab a copy of F15 beta for testing as well.
>
> --Steve
>
> Adam Young wrote:
>> On 05/09/2011 03:36 PM, SR wrote:
>>> I'm new to FreeIPA and this list so please forgive me for the n00b questions. I have what I think is a pretty straight-forward use for FreeIPA. We have an Active Directory environment with a few hundred users. We are starting to increase our number of Macs and need a directory solution. There are some issues with Macs in AD which Apple doesn't seem interested in addressing. Open Directory would be nice if we only had Macs but it doesn't allow for syncing accounts to AD, so it won't work for us.
>>>
>>> Based on what I've read about FreeIPA, it seems like it would be a good fit for us.
>>>
>>> The problem I'm having is that I can't seem to even get FreeIPA installed. I've tried using Fedora 10 with all the latest updates. I've tried adding different .repo files I've found on the various FreeIPA pages, but none of them seem to be working for me.
>>>
>>> So, my questions are:
>>>
>>> 1) What is the best distro for running FreeIPA? I'd rather not purchase RHEL, so it sounds like Fedora is the way to go. I just finished downloading Fedora 14 and will give that a try unless someone recommends something else.
>>
>> While FreeIPA 2.0 has gone GA, it is only supported in Fedora 15, which is currently in Beta. I'd start with that.
>>
>>
>>>
>>> 2) Is version 2 highly recommended over version 1 or does version 1 have sufficient features to use it in a production environment? Essentially, we have about 30 current Macs users (and growing) that we want to create accounts for in FreeIPA and have sync'd to AD (or vice versa). The users will need the ability to change their passwords.
>>
>> Yes, there are so many features in 2.0 that you are going to want.
>>>
>>> 3) What is the best way to install FreeIPA? I'm having problems with yum (see errors below) so I was wondering if there was another way, e.g., RPMs.
>>
>> If you have a F14 machine installed for testing, upgrade it to F15 Beta, and you can do yum install freeipa-server. If you want DNS support, be sure to install the DNS Bind rpm that makes it talk to the LDAP store as well: bind-dyndb-ldap
>>
>>
>>>
>>> # yum install freeipa-server
>>> Loaded plugins: refresh-packagekit
>>> Could not retrieve mirrorlist http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-10&arch=x86_64 error was [Errno 4] IOError: >> unreachable')>
>>> http://archive.fedoraproject.org/pub/archive/fedora/linux/releases/10/Everything/x86_64/os/repodata/repomd.xml: [Errno 4] IOError:
>>> Trying other mirror.
>>> fedora | 2.8kB 00:00
>>> updates | 3.4kB 00:00
>>> Setting up Install Process
>>> No package freeipa-server available.
>>> Nothing to do
>>>
>>> Thanks!
>>>
>>> --Steve
>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>

From mkosek at redhat.com Tue May 10 06:42:36 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 10 May 2011 08:42:36 +0200
Subject: [Freeipa-devel] [PATCH] 762 Let the framework be able to override the hostname
In-Reply-To: <4D95F3AD.2000707@redhat.com>
References: <4D95F3AD.2000707@redhat.com>
Message-ID: <1305009756.11948.3.camel@dhcp-25-52.brq.redhat.com>

On Fri, 2011-04-01 at 11:47 -0400, Rob Crittenden wrote:
> The hostname is passed in during the server installation. We should use this hostname for the resulting server as well. It was being discarded and we always used the system hostname value.
>
> ticket 1052
>
> rob

Looks good for both server and a client install with a custom hostname. However, I was unable to install a CA-powered replica when a master was configured with a custom hostname:

ipareplica-install.log:
...
#############################################
Attempting to connect to: vm-102.idm.lab.bos.redhat.com:9445
Connected.
Posting Query = https://vm-102.idm.lab.bos.redhat.com:9445//ca/admin/console/config/wizard?p=5&subsystem=CA&session_id=6792677911037453899&xml=true
RESPONSE STATUS: HTTP/1.1 200 OK
RESPONSE HEADER: Server: Apache-Coyote/1.1
RESPONSE HEADER: Content-Type: text/html;charset=UTF-8
RESPONSE HEADER: Date: Mon, 09 May 2011 14:17:46 GMT
RESPONSE HEADER: Connection: close
Exception in SecurityDomainLoginPanel(): java.lang.Exception: Invalid clone_uri
ERROR: ConfigureSubCA: SecurityDomainLoginPanel() failure
ERROR: unable to create CA

#######################################################################

2011-05-09 10:17:47,039 DEBUG stderr=java.lang.Exception: Invalid clone_uri
at ConfigureCA.SecurityDomainLoginPanel(ConfigureCA.java:384)
at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1239)
at ConfigureCA.main(ConfigureCA.java:1761)

2011-05-09 10:17:47,040 CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname vm-102.idm.lab.bos.redhat.com -cs_port 9445 -client_certdb_dir /tmp/tmp-Ou9Wd4 -client_certdb_pwd 'XXXXXXXX' -preop_pin qTFTDIjO9j9LdtvjLCz1 -domain_name IPA -admin_user admin -admin_email root at localhost -admin_password 'XXXXXXXX' -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject "CN=ipa-ca-agent,O=IDM.LAB.BOS.REDHAT.COM" -ldap_host vm-102.idm.lab.bos.redhat.com -ldap_port 7389 -bind_dn "cn=Directory Manager" -bind_password 'XXXXXXXX' -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd 'XXXXXXXX' -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name "CN=CA Subsystem,O=IDM.LAB.BOS.REDHAT.COM" -ca_ocsp_cert_subject_name "CN=OCSP Subsystem,O=IDM.LAB.BOS.REDHAT.COM" -ca_server_cert_subject_name "CN=vm-102.idm.lab.bos.redhat.com,O=IDM.LAB.BOS.REDHAT.COM" -ca_audit_signing_cert_subject_name "CN=CA Audit,O=IDM.LAB.BOS.REDHAT.COM" -ca_sign_cert_subject_name "CN=Certificate Authority,O=IDM.LAB.BOS.REDHAT.COM" -external false -clone true -clone_p12_file ca.p12 -clone_p12_password 'XXXXXXXX' -sd_hostname ipa.idm.lab.bos.redhat.com -sd_admin_port 9445 -sd_admin_name admin -sd_admin_password 'XXXXXXXX' -clone_start_tls true -clone_uri https://ipa.idm.lab.bos.redhat.com:9444' returned non-zero exit status 255
2011-05-09 10:17:47,070 DEBUG Configuration of CA failed
File "/usr/sbin/ipa-replica-install", line 543, in
main()

File "/usr/sbin/ipa-replica-install", line 486, in main
(CA, cs) = install_ca(config)

File "/usr/sbin/ipa-replica-install", line 186, in install_ca
subject_base=config.subject_base)

File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 539, in configure_instance
self.start_creation("Configuring certificate server", 360)

File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 289, in start_creation
method()
...

Did that work for you?

Martin

From mkosek at redhat.com Tue May 10 07:05:35 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 10 May 2011 09:05:35 +0200
Subject: [Freeipa-devel] [PATCH] 061 Typos in freeIPA messages and man page
In-Reply-To: <4DC80FC9.3070307@redhat.com>
References: <1304497792.21112.6.camel@dhcp-25-52.brq.redhat.com> <4DC80FC9.3070307@redhat.com>
Message-ID: <1305011135.11948.4.camel@dhcp-25-52.brq.redhat.com>

On Mon, 2011-05-09 at 12:01 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > Kudos to Yuri Chornoivan who contributed the patch in Bugzilla (and remains the patch author).
> >
> > Martin
>
> Ack.
>
> rob

Pushed to master, ipa-2-0.

Martin

From jcholast at redhat.com Tue May 10 09:43:59 2011
From: jcholast at redhat.com (Jan Cholasta)
Date: Tue, 10 May 2011 11:43:59 +0200
Subject: [Freeipa-devel] [PATCH] 762 Let the framework be able to override the hostname
In-Reply-To: <4D95F3AD.2000707@redhat.com>
References: <4D95F3AD.2000707@redhat.com>
Message-ID: <4DC908DF.6040506@redhat.com>

On 1.4.2011 17:47, Rob Crittenden wrote:
> The hostname is passed in during the server installation. We should use this hostname for the resulting server as well. It was being discarded and we always used the system hostname value.
>
> ticket 1052
>
> rob
>

It would be nice to use the saved hostname everywhere, instead of socket.gethostname and similar. That would fix ticket 1035 too.

-- 
Jan Cholasta

From rcritten at redhat.com Tue May 10 13:48:56 2011
From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 10 May 2011 09:48:56 -0400 Subject: [Freeipa-devel] [PATCH] 762 Let the framework be able to override the hostname In-Reply-To: <1305009756.11948.3.camel@dhcp-25-52.brq.redhat.com> References: <4D95F3AD.2000707@redhat.com> <1305009756.11948.3.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4DC94248.7010001@redhat.com> Martin Kosek wrote: > On Fri, 2011-04-01 at 11:47 -0400, Rob Crittenden wrote: >> The hostname is passed in during the server installation. We should use >> this hostname for the resulting server as well. It was being discarded >> and we always used the system hostname value. >> >> ticket 1052 >> >> rob > > Looks good for both server and a client install with a custom hostname. > However, I was unable to install a CA-powered replica, when a master was > configured with custom hostname: > > ipareplica-install.log: > ... > ############################################# > Attempting to connect to: vm-102.idm.lab.bos.redhat.com:9445 > Connected. 
> Posting Query = https://vm-102.idm.lab.bos.redhat.com:9445//ca/admin/console/config/wizard?p=5&subsystem=CA&session_id=6792677911037453899&xml=true
> RESPONSE STATUS: HTTP/1.1 200 OK
> RESPONSE HEADER: Server: Apache-Coyote/1.1
> RESPONSE HEADER: Content-Type: text/html;charset=UTF-8
> RESPONSE HEADER: Date: Mon, 09 May 2011 14:17:46 GMT
> RESPONSE HEADER: Connection: close
> Exception in SecurityDomainLoginPanel(): java.lang.Exception: Invalid clone_uri
> ERROR: ConfigureSubCA: SecurityDomainLoginPanel() failure
> ERROR: unable to create CA
>
> #######################################################################
>
> 2011-05-09 10:17:47,039 DEBUG stderr=java.lang.Exception: Invalid clone_uri
> at ConfigureCA.SecurityDomainLoginPanel(ConfigureCA.java:384)
> at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1239)
> at ConfigureCA.main(ConfigureCA.java:1761)
>
> 2011-05-09 10:17:47,040 CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname vm-102.idm.lab.bos.redhat.com -cs_port 9445 -client_certdb_dir /tmp/tmp-Ou9Wd4 -client_certdb_pwd 'XXXXXXXX' -preop_pin qTFTDIjO9j9LdtvjLCz1 -domain_name IPA -admin_user admin -admin_email root at localhost -admin_password 'XXXXXXXX' -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject "CN=ipa-ca-agent,O=IDM.LAB.BOS.REDHAT.COM" -ldap_host vm-102.idm.lab.bos.redhat.com -ldap_port 7389 -bind_dn "cn=Directory Manager" -bind_password 'XXXXXXXX' -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd 'XXXXXXXX' -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name "CN=CA Subsystem,O=IDM.LAB.BOS.REDHAT.COM" -ca_ocsp_cert_subject_name "CN=OCSP Subsystem,O=IDM.LAB.BOS.REDHAT.COM" -ca_server_cert_subject_name "CN=vm-102.idm.lab.bos.redhat.com,O=IDM.LAB.BOS.REDHAT.COM" -ca_audit_signing_cert_subject_name "CN=CA Audit,O=IDM.LAB.BOS.REDHAT.COM" -ca_sign_cert_subject_name "CN=Certificate Authority,O=IDM.LAB.BOS.REDHAT.COM" -external false -clone true -clone_p12_file ca.p12 -clone_p12_password 'XXXXXXXX' -sd_hostname ipa.idm.lab.bos.redhat.com -sd_admin_port 9445 -sd_admin_name admin -sd_admin_password 'XXXXXXXX' -clone_start_tls true -clone_uri https://ipa.idm.lab.bos.redhat.com:9444' returned non-zero exit status 255
> 2011-05-09 10:17:47,070 DEBUG Configuration of CA failed
> File "/usr/sbin/ipa-replica-install", line 543, in
> main()
>
> File "/usr/sbin/ipa-replica-install", line 486, in main
> (CA, cs) = install_ca(config)
>
> File "/usr/sbin/ipa-replica-install", line 186, in install_ca
> subject_base=config.subject_base)
>
> File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 539, in configure_instance
> self.start_creation("Configuring certificate server", 360)
>
> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 289, in start_creation
> method()
> ...
>
> Did that work for you?

It worked for me, I remember testing both.

Ade, do you know what would cause dogtag to throw "Invalid clone_uri"?

rob

From rcritten at redhat.com Tue May 10 13:51:02 2011
From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 10 May 2011 09:51:02 -0400 Subject: [Freeipa-devel] [PATCH] 762 Let the framework be able to override the hostname In-Reply-To: <4DC908DF.6040506@redhat.com> References: <4D95F3AD.2000707@redhat.com> <4DC908DF.6040506@redhat.com> Message-ID: <4DC942C6.8020801@redhat.com> Jan Cholasta wrote: > On 1.4.2011 17:47, Rob Crittenden wrote: >> The hostname is passed in during the server installation. We should use >> this hostname for the resulting server as well. It was being discarded >> and we always used the system hostname value. >> >> ticket 1052 >> >> rob >> > > It would be nice to use the saved hostname everywhere, instead of > socket.gethostname and similar. That would fix ticket 1035 too. > If you know of places this doesn't cover please let me know. 1035 is a bit of a different case in that it doesn't validate that the hostname is a FQDN. rob From mkosek at redhat.com Tue May 10 14:02:10 2011 From: mkosek at redhat.com (Martin Kosek) Date: Tue, 10 May 2011 16:02:10 +0200 Subject: [Freeipa-devel] [PATCH] 064 Improve service manipulation in client install Message-ID: <1305036130.11948.11.camel@dhcp-25-52.brq.redhat.com> Remove redundant ipa-client-install error message when optional nscd daemon was not installed. Additionally, use standard IPA functions for service manipulation and improve logging. https://fedorahosted.org/freeipa/ticket/1207 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mkosek-064-improve-service-manipulation-in-client-install.patch Type: text/x-patch Size: 10151 bytes Desc: not available URL: From rcritten at redhat.com Tue May 10 14:06:32 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 10 May 2011 10:06:32 -0400 Subject: [Freeipa-devel] [PATCH] 064 Improve service manipulation in client install In-Reply-To: <1305036130.11948.11.camel@dhcp-25-52.brq.redhat.com> References: <1305036130.11948.11.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4DC94668.8070808@redhat.com> Martin Kosek wrote: > Remove redundant ipa-client-install error message when optional nscd > daemon was not installed. Additionally, use standard IPA functions > for service manipulation and improve logging. > > https://fedorahosted.org/freeipa/ticket/1207 Nack, a client-only install isn't going to have ipaserver to import from. Ignoring certmonger not starting was for the case where it is already running. Ideally we should check the status of the service and start it if necessary. Some of this could be moved to ipapython as that is where common, non-framework code goes. rob From jcholast at redhat.com Tue May 10 18:06:03 2011 From: jcholast at redhat.com (Jan Cholasta) Date: Tue, 10 May 2011 20:06:03 +0200 Subject: [Freeipa-devel] [PATCH] 18 Parse netmasks in IP addresses passed to server install Message-ID: <4DC97E8B.8050904@redhat.com> Split from patch 3. https://fedorahosted.org/freeipa/ticket/1212 Honza -- Jan Cholasta -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jcholast-18-parse-netmask.patch Type: text/x-patch Size: 10351 bytes Desc: not available URL: From jcholast at redhat.com Tue May 10 18:10:39 2011 
From: jcholast at redhat.com (Jan Cholasta) Date: Tue, 10 May 2011 20:10:39 +0200 Subject: [Freeipa-devel] [PATCH] 3 Add ability to specify netmask with IP addresses during installation In-Reply-To: <4DAFDE65.5050100@redhat.com> References: <4D9068E5.6090209@redhat.com> <4D90920E.3080900@redhat.com> <4D91DD15.8020109@redhat.com> <4D91DDA6.2060304@redhat.com> <4D923DCA.1030900@redhat.com> <4D930AAD.9020209@redhat.com> <4D9F1AFA.8000305@redhat.com> <4DA2DC6F.1000105@redhat.com> <4DA58644.3020506@redhat.com> <4DAF3D5A.7080300@redhat.com> <4DAFDE65.5050100@redhat.com> Message-ID: <4DC97F9F.5030103@redhat.com> On 21.4.2011 09:36, Jan Cholasta wrote: > On 20.4.2011 22:08, Rob Crittenden wrote: >> Jan Cholasta wrote: >>> On 11.4.2011 12:48, Jan Cholasta wrote: >>>> On 8.4.2011 16:26, Rob Crittenden wrote: >>>>> Jan Cholasta wrote: >>>>>> On 29.3.2011 22:15, Rob Crittenden wrote: >>>>>>> Jan Cholasta wrote: >>>>>>>> Sorry, forgot to attach the patch. >>>>>>>> >>>>>>> >>>>>>> Is this why you have some blind excepts? >>>>>>> >>>>>>> installutils._IPAddressWithPrefix('192.168.0.1/33') >>>>>>> Traceback (most recent call last): >>>>>>> File "", line 1, in >>>>>>> File "ipaserver/install/installutils.py", line 167, in __init__ >>>>>>> net = netaddr.IPNetwork(addr) >>>>>>> File "/usr/lib/python2.7/site-packages/netaddr/ip/__init__.py", line >>>>>>> 919, in __init__ >>>>>>> implicit_prefix, flags) >>>>>>> File "/usr/lib/python2.7/site-packages/netaddr/ip/__init__.py", line >>>>>>> 782, in parse_ip_network >>>>>>> value = ip._value >>>>>>> UnboundLocalError: local variable 'ip' referenced before assignment >>>>>>> >>>>>>> We should get an upstream bug filed on python-netaddr about this. >>>>>> >>>>>> https://github.com/drkjam/netaddr/issues/closed#issue/5 >>>>>> https://github.com/drkjam/netaddr/issues/closed#issue/6 >>>>>> https://github.com/drkjam/netaddr/issues/closed#issue/8 >>>>>> >>>>>> Apparently it's already been fixed for the next release. 
>>>>>>
>>>>>> IMHO it's not much of an issue for us, because the exception gets
>>>>>> caught
>>>>>> in parse_ip_address and that's currently the only place where
>>>>>> _IPAddressWithPrefix is used.
>>>>>>
>>>>>>>
>>>>>>> Should parse_ip_address() raise an exception on bad data rather than
>>>>>>> returning 0.0.0.0?
>>>>>>
>>>>>> I've been down that road and it would need a rewrite of the
>>>>>> fragile IP
>>>>>> address handling logic of ipa-server-install, which is something I'd
>>>>>> rather avoid.
>>>>>>
>>>>>>>
>>>>>>> >>> installutils.parse_ip_address('355.555.3.3')
>>>>>>> _IPAddressWithPrefix('0.0.0.0')
>>>>>>>
>>>>>>> or
>>>>>>>
>>>>>>> >>> installutils.parse_ip_address('192.168.0.1/55')
>>>>>>> _IPAddressWithPrefix('0.0.0.0')
>>>>>>>
>>>>>>> Should it disallow net addresses like 192.168.0.0?
>>>>>>
>>>>>> If you mean network and broadcast addresses, it probably should. It
>>>>>> might be a good idea to disallow localhost, multicast and/or
>>>>>> link-local
>>>>>> addresses too.
>>>>>
>>>>> Are you going to resubmit the patch with these added or should we
>>>>> open a
>>>>> separate ticket?
>>>>
>>>> I'm going to resubmit it. Right now it disallows loopback, IANA
>>>> reserved, link-local, network, multicast and broadcast IP addresses.
>>>> Does it make sense to also allow only IP addresses attached to one of
>>>> the local network interfaces? Perhaps it would be sufficient just to
>>>> print a warning. Or should we not care about that at all?
>>>
>>> Sending the updated patch.
>>
>> This looks ok, just one question. Should we add a dependency on the
>> iproute package because of the /sbin/ip package?
>
> Yes, we should.
>
>>
>> rob
>
>

Split the patch into 3 smaller pieces:

Patch 18 adds the ability to parse netmasks in IP addresses passed to server install.
https://fedorahosted.org/freeipa/ticket/1212

This patch requires patch 18 and fixes DNS reverse zone setup to honor the netmask.
https://fedorahosted.org/freeipa/ticket/910

Patch 19 requires patch 18 and adds stricter checking of IP addresses.
https://fedorahosted.org/freeipa/ticket/1213

Honza

-- 
Jan Cholasta

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-3.5-reverse-zone.patch
Type: text/x-patch
Size: 8844 bytes
Desc: not available
URL:

From jcholast at redhat.com Tue May 10 18:11:56 2011
From: jcholast at redhat.com (Jan Cholasta)
Date: Tue, 10 May 2011 20:11:56 +0200
Subject: [Freeipa-devel] [PATCH] 19 Do stricter checking of IP addresses passed to server install
Message-ID: <4DC97FEC.1000005@redhat.com>

Split from patch 3, requires patch 18.

https://fedorahosted.org/freeipa/ticket/1213

Honza

-- 
Jan Cholasta

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-19-strict-ip-address-check.patch
Type: text/x-patch
Size: 7765 bytes
Desc: not available
URL:

From ayoung at redhat.com Tue May 10 18:32:04 2011
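The behaviour discussed in the patch 3 thread above (reject loopback, IANA reserved, link-local, multicast, network and broadcast addresses; fail cleanly on a bad prefix such as 192.168.0.1/33 instead of returning 0.0.0.0), plus the reverse-zone derivation from the netmask that patch 3.5 covers, as an added example. This is not FreeIPA's installutils code: it uses the Python 3 standard-library ipaddress module instead of python-netaddr (so the UnboundLocalError quoted in the thread cannot occur), the function and class names are this example's own, and the octet/nibble rounding in reverse_zone_name is an assumption about where the zone boundary falls, not the project's logic.

```python
"""Strict parsing of an IP address with an optional prefix length.

Added example, not FreeIPA code.  Built on the standard-library
ipaddress module (Python 3.3+) rather than python-netaddr.
"""
import ipaddress


class IPAddressError(ValueError):
    """Raised for syntactically invalid or unusable addresses."""


def _rejection_reason(iface):
    """Return why an interface address is unusable for a server, or None."""
    addr = iface.ip
    net = iface.network
    if addr.is_unspecified:
        return "unspecified address"
    if addr.is_loopback:
        return "loopback address"
    if addr.is_link_local:
        return "link-local address"
    if addr.is_multicast:
        return "multicast address"
    if addr.is_reserved:
        return "IANA reserved address"
    # A /31 (IPv4) or /127 (IPv6) is a point-to-point link with no
    # network or broadcast address, so only larger networks are checked.
    if net.num_addresses > 2:
        if addr == net.network_address:
            return "network address"
        if addr.version == 4 and addr == net.broadcast_address:
            return "broadcast address"
    return None


def parse_ip_address(text):
    """Parse 'a.b.c.d', 'a.b.c.d/nn' or an IPv6 equivalent.

    Returns an IPv4Interface/IPv6Interface carrying both the host address
    and the network implied by the prefix; an address without a prefix
    gets a host prefix (/32 or /128).  Raises IPAddressError on bad input
    instead of silently returning 0.0.0.0.
    """
    try:
        iface = ipaddress.ip_interface(text.strip())
    except ValueError as exc:  # covers bad octets and out-of-range prefixes
        raise IPAddressError("invalid IP address %r: %s" % (text, exc)) from exc
    reason = _rejection_reason(iface)
    if reason is not None:
        raise IPAddressError("%s rejected: %s" % (iface.ip, reason))
    return iface


def is_valid_ip_address(text):
    """True if parse_ip_address would accept text."""
    try:
        parse_ip_address(text)
    except IPAddressError:
        return False
    return True


def reverse_zone_name(iface):
    """Name of the reverse DNS zone covering iface's network.

    Assumption (not from the thread): the zone boundary is rounded down
    to the enclosing octet (IPv4) or nibble (IPv6) of the prefix length,
    so a /20 yields the /16 in-addr.arpa zone.
    """
    net = iface.network
    if net.version == 4:
        labels = net.network_address.exploded.split(".")
        keep = net.prefixlen // 8
        suffix = "in-addr.arpa."
    else:
        labels = list(net.network_address.exploded.replace(":", ""))
        keep = net.prefixlen // 4
        suffix = "ip6.arpa."
    if keep == 0:
        raise IPAddressError("prefix /%d is too short for a reverse zone" % net.prefixlen)
    return ".".join(reversed(labels[:keep])) + "." + suffix


if __name__ == "__main__":
    # Constructed sample inputs, including the two from the thread.
    for sample in ("192.168.0.1/24", "192.168.0.0/24", "192.168.0.1/33",
                   "355.555.3.3", "127.0.0.1", "10.0.0.1/31", "2001:db8::1/32"):
        try:
            iface = parse_ip_address(sample)
            print("%-16s OK   reverse zone %s" % (sample, reverse_zone_name(iface)))
        except IPAddressError as exc:
            print("%-16s REJECTED: %s" % (sample, exc))
```

The parser deliberately raises rather than returning a sentinel, which is the alternative Rob asked about; a caller that wants the old lenient behaviour wraps it in is_valid_ip_address. Private ranges are not rejected, since a server is normally installed on one.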
From: ayoung at redhat.com (Adam Young) Date: Tue, 10 May 2011 14:32:04 -0400 Subject: [Freeipa-devel] [PATCH] 150 Updated Selenium tests. In-Reply-To: <4DC72BD2.70005@redhat.com> References: <4DC45953.2040408@redhat.com> <4DC72BD2.70005@redhat.com> Message-ID: <4DC984A4.7040200@redhat.com> On 05/08/2011 07:48 PM, Adam Young wrote: > On 05/06/2011 04:25 PM, Endi Sukma Dewata wrote: >> The following test suites have been updated to use the new DOM >> structure: user, group, host, hostgroup, netgroup, service, HBAC. >> >> >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel > Running functional.sh seems to fail consistently, but it is definitely > better than before the patch. > > User is good except for Passwordreset. > Group is fine > Host certificate fails on "wait for network activity indicator", rest > of the tests were OK > hostgroup fails pretty early on, no results posted. > HBAC rule activation failed at verifyTextPresent: undo > Other HBACs were OK > netgroup failed on editnetgroup, rest of the tests were OK > service had a failure pretty early on that repeated several times: > verifyElementPresent css=.entity[name='service'] .facet[name='search'] > input[value='testservice/test.example.com at IDM.LAB.BOS.REDHAT.COM'] false > > > I suspect that many of the issues with service were due to self sign, > and we can ignore them...I think that the waiting for network activity > indicator to disappear has a race condition in it. I'm going to > reinstall the server and run the specific test that failed again. ACK. Pushed to master > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel -------------- next part -------------- An HTML attachment was scrubbed... URL: From edewata at redhat.com Tue May 10 18:37:18 2011 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Tue, 10 May 2011 13:37:18 -0500 Subject: [Freeipa-devel] [PATCH] 151 Updated Selenium tests. Message-ID: <4DC985DE.5050701@redhat.com> The following test suites have been updated to use the new DOM structure: SUDO, password policy, Kerberos Ticket policy, ACI. -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0151-Updated-Selenium-tests.patch Type: text/x-patch Size: 65231 bytes Desc: not available URL: From JR.Aquino at citrix.com Tue May 10 20:38:14 2011 
From: JR.Aquino at citrix.com (JR Aquino) Date: Tue, 10 May 2011 20:38:14 +0000 Subject: [Freeipa-devel] [PATCH] 24 Add sudorule and hbacrule to memberof AND indirectmemberof attributes In-Reply-To: <4DB1DCD6.1060606@redhat.com> References: <36AD4E47-C1BE-4603-8578-1823F2C89892@citrixonline.com> <4DB1DCD6.1060606@redhat.com> Message-ID: <0B1CC5CC-F36C-4EA7-B30D-472539E64D7E@citrixonline.com> On Apr 22, 2011, at 12:53 PM, Rob Crittenden wrote: > JR Aquino wrote: >> On Apr 12, 2011, at 9:45 AM, JR Aquino wrote: >> >>> Add HBAC Rule and Sudo Rule to users as indirect member attributes to simplify the auditing of users for their indirect membership to their authorization rights. >>> >>> An Administrator should have the ability to quickly identify the rights a user will have in the system. >>> >>> For example. With the patch added, my user show looks like this: >>> >>> # ipa user-show tester --all >>> dn: uid=builder,cn=users,cn=accounts,dc=example,dc=com >>> User login: tester >>> First name: Tester >>> Last name: Engineering >>> Full name: Tester Engineering >>> Display name: Tester Engineering >>> Initials: TE >>> Home directory: /home/tester >>> GECOS field: Tester Engineering >>> Login shell: /bin/sh >>> Kerberos principal: tester at EXAMPLE.COM >>> UID: 1829800388 >>> GID: 1829800388 >>> Account disabled: False >>> Member of groups: ipausers, auto-dev-deploy-tools, build-integration >>> ipauniqueid: 72fa22c6-6085-11e0-9629-0023aefe4ec0 >>> krbpwdpolicyreference: cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com >>> memberofindirect_HBAC rule: development >>> memberofindirect_Sudo Rule: AUTO-dev-deploy-tools_DEPLOY, AUTO-dev-deploy-tools_ZENOSS, build-integration >>> mepmanagedentry: cn=tester,cn=groups,cn=accounts,dc=example,dc=com >>> objectclass: top, person, organizationalperson, inetorgperson, inetuser, posixaccount >>> >>> _______________________________________________ >>> Freeipa-devel mailing list >>> Freeipa-devel at redhat.com >>> 
https://www.redhat.com/mailman/listinfo/freeipa-devel
>>
>>
>> Oops, forgot to have PATCH in the subject.
>>
>
> I think you need this as well, right?
>
> - 'memberof': ['group', 'netgroup', 'role'],
> + 'memberof': ['group', 'netgroup', 'role', 'sudorule', 'hbacrule'],

Some scope change.

Added memberof and memberofindirect

Added to user.py host.py group.py hostgroup.py

When using the --all flag it is now very clear to the administrator what authorization rules these objects are directly or indirectly a memberof.

xmlrpc tests check out

Please review

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jraquino-0024-Add-sudorule-and-hbacrule-to-memberof-indirectmemberof-attrib.patch
Type: application/octet-stream
Size: 3082 bytes
Desc: freeipa-jraquino-0024-Add-sudorule-and-hbacrule-to-memberof-indirectmemberof-attrib.patch
URL:

From edewata at redhat.com Tue May 10 21:12:26 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 10 May 2011 16:12:26 -0500
Subject: [Freeipa-devel] [PATCH] 152 Updated DNS interface.
Message-ID: <4DC9AA3A.6080001@redhat.com>

The IPA.records_facet has been converted into a subclass of IPA.search_facet. This helps remove duplicate table code and provide consistent DOM element attributes for Selenium tests.

-- 
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0152-Updated-DNS-interface.patch
Type: text/x-patch
Size: 20707 bytes
Desc: not available
URL:

From edewata at redhat.com Tue May 10 21:13:36 2011
From: edewata at redhat.com (Endi Sukma Dewata) Date: Tue, 10 May 2011 16:13:36 -0500 Subject: [Freeipa-devel] [PATCH] 153 Added Selenium tests for DNS. Message-ID: <4DC9AA80.8040703@redhat.com> Added Selenium tests for DNS. -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0153-Added-Selenium-tests-for-DNS.patch Type: text/x-patch Size: 20104 bytes Desc: not available URL: From edewata at redhat.com Tue May 10 22:54:32 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Tue, 10 May 2011 17:54:32 -0500 Subject: [Freeipa-devel] [PATCH] 154 Added UUID field for entitlement registration. Message-ID: <4DC9C228.3040809@redhat.com> The dialog box for entitlement registration has been modified to accept an optional enrollment UUID. -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0154-Added-UUID-field-for-entitlement-registration.patch Type: text/x-patch Size: 2194 bytes Desc: not available URL: From edewata at redhat.com Wed May 11 00:49:55 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Tue, 10 May 2011 19:49:55 -0500 Subject: [Freeipa-devel] [PATCH] 155 Added Self-Service and Delegation tests. Message-ID: <4DC9DD33.2090509@redhat.com> Added Self-Service and Delegation tests. -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0155-Added-Self-Service-and-Delegation-tests.patch Type: text/x-patch Size: 22282 bytes Desc: not available URL: From ayoung at redhat.com Wed May 11 03:07:43 2011 
From: ayoung at redhat.com (Adam Young) Date: Tue, 10 May 2011 23:07:43 -0400 Subject: [Freeipa-devel] [PATCH] 24 Add sudorule and hbacrule to memberof AND indirectmemberof attributes In-Reply-To: <0B1CC5CC-F36C-4EA7-B30D-472539E64D7E@citrixonline.com> References: <36AD4E47-C1BE-4603-8578-1823F2C89892@citrixonline.com> <4DB1DCD6.1060606@redhat.com> <0B1CC5CC-F36C-4EA7-B30D-472539E64D7E@citrixonline.com> Message-ID: <4DC9FD7F.1090505@redhat.com> On 05/10/2011 04:38 PM, JR Aquino wrote: > On Apr 22, 2011, at 12:53 PM, Rob Crittenden wrote: > >> JR Aquino wrote: >>> On Apr 12, 2011, at 9:45 AM, JR Aquino wrote: >>> >>>> Add HBAC Rule and Sudo Rule to users as indirect member attributes to simplify the auditing of users for their indirect membership to their authorization rights. >>>> >>>> An Administrator should have the ability to quickly identify the rights a user will have in the system. >>>> >>>> For example. With the patch added, my user show looks like this: >>>> >>>> # ipa user-show tester --all >>>> dn: uid=builder,cn=users,cn=accounts,dc=example,dc=com >>>> User login: tester >>>> First name: Tester >>>> Last name: Engineering >>>> Full name: Tester Engineering >>>> Display name: Tester Engineering >>>> Initials: TE >>>> Home directory: /home/tester >>>> GECOS field: Tester Engineering >>>> Login shell: /bin/sh >>>> Kerberos principal: tester at EXAMPLE.COM >>>> UID: 1829800388 >>>> GID: 1829800388 >>>> Account disabled: False >>>> Member of groups: ipausers, auto-dev-deploy-tools, build-integration >>>> ipauniqueid: 72fa22c6-6085-11e0-9629-0023aefe4ec0 >>>> krbpwdpolicyreference: cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com >>>> memberofindirect_HBAC rule: development >>>> memberofindirect_Sudo Rule: AUTO-dev-deploy-tools_DEPLOY, AUTO-dev-deploy-tools_ZENOSS, build-integration >>>> mepmanagedentry: cn=tester,cn=groups,cn=accounts,dc=example,dc=com >>>> objectclass: top, person, organizationalperson, inetorgperson, inetuser, posixaccount >>>> 
>>>> _______________________________________________
>>>> Freeipa-devel mailing list
>>>> Freeipa-devel at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>>>
>>> Oops, forgot to have PATCH in the subject.
>>>
>> I think you need this as well, right?
>>
>> - 'memberof': ['group', 'netgroup', 'role'],
>> + 'memberof': ['group', 'netgroup', 'role', 'sudorule', 'hbacrule'],
> Some scope change.
>
> Added memberof and memberofindirect
>
> Added to user.py host.py group.py hostgroup.py
>
> When using the --all flag it is now very clear to the administrator what authorization rules these objects are directly or indirectly a memberof.
>
> xmlrpc tests check out
>
> Please review
>
>
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

The reason that this shows up in the UI is that it is generating additional memberof attributes. It has nothing to do with the memberofindirect:

"attribute_members": {
    "memberof": [
        "group",
        "netgroup",
        "role",
        "hbacrule",
        "sudorule"
    ],
    "memberofindirect": [
        "group",
        "netgroup",
        "role",
        "hbacrule",
        "sudorule"
    ]
},

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From ayoung at redhat.com Wed May 11 03:14:45 2011
From: ayoung at redhat.com (Adam Young) Date: Tue, 10 May 2011 23:14:45 -0400 Subject: [Freeipa-devel] [PATCH] 24 Add sudorule and hbacrule to memberof AND indirectmemberof attributes In-Reply-To: <4DC9FD7F.1090505@redhat.com> References: <36AD4E47-C1BE-4603-8578-1823F2C89892@citrixonline.com> <4DB1DCD6.1060606@redhat.com> <0B1CC5CC-F36C-4EA7-B30D-472539E64D7E@citrixonline.com> <4DC9FD7F.1090505@redhat.com> Message-ID: <4DC9FF25.8070501@redhat.com> On 05/10/2011 11:07 PM, Adam Young wrote: > On 05/10/2011 04:38 PM, JR Aquino wrote: >> On Apr 22, 2011, at 12:53 PM, Rob Crittenden wrote: >> >>> JR Aquino wrote: >>>> On Apr 12, 2011, at 9:45 AM, JR Aquino wrote: >>>> >>>>> Add HBAC Rule and Sudo Rule to users as indirect member attributes to simplify the auditing of users for their indirect membership to their authorization rights. >>>>> >>>>> An Administrator should have the ability to quickly identify the rights a user will have in the system. >>>>> >>>>> For example. With the patch added, my user show looks like this: >>>>> >>>>> # ipa user-show tester --all >>>>> dn: uid=builder,cn=users,cn=accounts,dc=example,dc=com >>>>> User login: tester >>>>> First name: Tester >>>>> Last name: Engineering >>>>> Full name: Tester Engineering >>>>> Display name: Tester Engineering >>>>> Initials: TE >>>>> Home directory: /home/tester >>>>> GECOS field: Tester Engineering >>>>> Login shell: /bin/sh >>>>> Kerberos principal:tester at EXAMPLE.COM >>>>> UID: 1829800388 >>>>> GID: 1829800388 >>>>> Account disabled: False >>>>> Member of groups: ipausers, auto-dev-deploy-tools, build-integration >>>>> ipauniqueid: 72fa22c6-6085-11e0-9629-0023aefe4ec0 >>>>> krbpwdpolicyreference: cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com >>>>> memberofindirect_HBAC rule: development >>>>> memberofindirect_Sudo Rule: AUTO-dev-deploy-tools_DEPLOY, AUTO-dev-deploy-tools_ZENOSS, build-integration >>>>> mepmanagedentry: cn=tester,cn=groups,cn=accounts,dc=example,dc=com >>>>> 
objectclass: top, person, organizationalperson, inetorgperson, inetuser, posixaccount
>>>>>
>>>>> _______________________________________________
>>>>> Freeipa-devel mailing list
>>>>> Freeipa-devel at redhat.com
>>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>>>> Oops, forgot to have PATCH in the subject.
>>>>
>>> I think you need this as well, right?
>>>
>>> - 'memberof': ['group', 'netgroup', 'role'],
>>> + 'memberof': ['group', 'netgroup', 'role', 'sudorule', 'hbacrule'],
>> Some scope change.
>>
>> Added memberof and memberofindirect
>>
>> Added to user.py host.py group.py hostgroup.py
>>
>> When using the --all flag it is now very clear to the administrator what authorization rules these objects are directly or indirectly a memberof.
>>
>> xmlrpc tests check out
>>
>> Please review
>>
>>
>>
>> _______________________________________________
>> Freeipa-devel mailing list
>> Freeipa-devel at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>
>
> The reason that this shows up in the UI is that it is generating
> additional memberof attributes. It has nothing to do with the
> memberofindirect:

You are also going to need to modify the sudo rule and HBAC rule to use the serial associator on some facets. It looks like group at least has things backwards. The group.js file I think needs a rule like this:

association_facet({
    name: 'memberof_sudorule',
    associator: IPA.serial_associator
}).

This is because the API is for adding multiple groups to the sudo rule, but the default behaviour is for adding multiple <other entity> to .
> > "attribute_members": { > "memberof": [ > "group", > "netgroup", > "role", > "hbacrule", > "sudorule" > ], > "memberofindirect": [ > "group", > "netgroup", > "role", > "hbacrule", > "sudorule" > ] > }, > > > > > > > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel -------------- next part -------------- An HTML attachment was scrubbed... URL: From mkosek at redhat.com Wed May 11 11:19:48 2011 
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 11 May 2011 13:19:48 +0200
Subject: [Freeipa-devel] [PATCH] 064 Improve service manipulation in client install
In-Reply-To: <4DC94668.8070808@redhat.com>
References: <1305036130.11948.11.camel@dhcp-25-52.brq.redhat.com> <4DC94668.8070808@redhat.com>
Message-ID: <1305112788.4961.7.camel@dhcp-25-52.brq.redhat.com>

On Tue, 2011-05-10 at 10:06 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > Remove redundant ipa-client-install error message when optional nscd
> > daemon was not installed. Additionally, use standard IPA functions
> > for service manipulation and improve logging.
> >
> > https://fedorahosted.org/freeipa/ticket/1207
>
> Nack, a client-only install isn't going to have ipaserver to import from.

Good catch, I didn't realize that. Will do next time.

I have moved the /sbin/service and /sbin/chkconfig control routines to the ipautil library, which are called by ipa-client-install. I have left the interface in ipaserver.install.service as it is used through many scripts and we could use this interface later when implementing native systemd support. The logic deciding which init system to use can then be hidden behind this interface.

>
> Ignoring certmonger not starting was for the case where it is already
> running. Ideally we should check the status of the service and start it
> if necessary.

I think I have not touched this logic, I just added a few logging statements that we can analyze when future users file bug reports with us :-)

>
> Some of this could be moved to ipapython as that is where common,
> non-framework code goes.

Yeah, I chose the ipapython.ipautil library.

Please take a look at the attached patch.

Martin

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-064-2-improve-service-manipulation-in-client-install.patch
Type: text/x-patch
Size: 13467 bytes
Desc: not available
URL:

From jcholast at redhat.com Wed May 11 13:01:10 2011
From: jcholast at redhat.com (Jan Cholasta) Date: Wed, 11 May 2011 15:01:10 +0200 Subject: [Freeipa-devel] [PATCH] 762 Let the framework be able to override the hostname In-Reply-To: <4DC942C6.8020801@redhat.com> References: <4D95F3AD.2000707@redhat.com> <4DC908DF.6040506@redhat.com> <4DC942C6.8020801@redhat.com> Message-ID: <4DCA8896.3030909@redhat.com> On 10.5.2011 15:51, Rob Crittenden wrote: > Jan Cholasta wrote: >> On 1.4.2011 17:47, Rob Crittenden wrote: >>> The hostname is passed in during the server installation. We should use >>> this hostname for the resulting server as well. It was being discarded >>> and we always used the system hostname value. >>> >>> ticket 1052 >>> >>> rob >>> >> >> It would be nice to use the saved hostname everywhere, instead of >> socket.gethostname and similar. That would fix ticket 1035 too. >> > > If you know of places this doesn't cover please let me know. 1035 is a > bit of a different case in that it doesn't validate that the hostname is > a FQDN. > > rob Nevermind, I thought for a moment that api.env.host is set to the value from /etc/ipa/default.conf. Honza -- Jan Cholasta From mkosek at redhat.com Wed May 11 13:58:58 2011 
From: mkosek at redhat.com (Martin Kosek) Date: Wed, 11 May 2011 15:58:58 +0200 Subject: [Freeipa-devel] [PATCH] 3 Add ability to specify netmask with IP addresses during installation In-Reply-To: <4DC97F9F.5030103@redhat.com> References: <4D9068E5.6090209@redhat.com> <4D90920E.3080900@redhat.com> <4D91DD15.8020109@redhat.com> <4D91DDA6.2060304@redhat.com> <4D923DCA.1030900@redhat.com> <4D930AAD.9020209@redhat.com> <4D9F1AFA.8000305@redhat.com> <4DA2DC6F.1000105@redhat.com> <4DA58644.3020506@redhat.com> <4DAF3D5A.7080300@redhat.com> <4DAFDE65.5050100@redhat.com> <4DC97F9F.5030103@redhat.com> Message-ID: <1305122338.4961.23.camel@dhcp-25-52.brq.redhat.com> On Tue, 2011-05-10 at 20:10 +0200, Jan Cholasta wrote: > On 21.4.2011 09:36, Jan Cholasta wrote: > > On 20.4.2011 22:08, Rob Crittenden wrote: > >> Jan Cholasta wrote: > >>> On 11.4.2011 12:48, Jan Cholasta wrote: > >>>> On 8.4.2011 16:26, Rob Crittenden wrote: > >>>>> Jan Cholasta wrote: > >>>>>> On 29.3.2011 22:15, Rob Crittenden wrote: > >>>>>>> Jan Cholasta wrote: > >>>>>>>> Sorry, forgot to attach the patch. > >>>>>>>> > >>>>>>> > >>>>>>> Is this why you have some blind excepts? > >>>>>>> > >>>>>>> installutils._IPAddressWithPrefix('192.168.0.1/33') > >>>>>>> Traceback (most recent call last): > >>>>>>> File "", line 1, in > >>>>>>> File "ipaserver/install/installutils.py", line 167, in __init__ > >>>>>>> net = netaddr.IPNetwork(addr) > >>>>>>> File "/usr/lib/python2.7/site-packages/netaddr/ip/__init__.py", line > >>>>>>> 919, in __init__ > >>>>>>> implicit_prefix, flags) > >>>>>>> File "/usr/lib/python2.7/site-packages/netaddr/ip/__init__.py", line > >>>>>>> 782, in parse_ip_network > >>>>>>> value = ip._value > >>>>>>> UnboundLocalError: local variable 'ip' referenced before assignment > >>>>>>> > >>>>>>> We should get an upstream bug filed on python-netaddr about this. 
> >>>>>>
> >>>>>> https://github.com/drkjam/netaddr/issues/closed#issue/5
> >>>>>> https://github.com/drkjam/netaddr/issues/closed#issue/6
> >>>>>> https://github.com/drkjam/netaddr/issues/closed#issue/8
> >>>>>>
> >>>>>> Apparently it's already been fixed for the next release.
> >>>>>>
> >>>>>> IMHO it's not much of an issue for us, because the exception gets
> >>>>>> caught
> >>>>>> in parse_ip_address and that's currently the only place where
> >>>>>> _IPAddressWithPrefix is used.
> >>>>>>
> >>>>>>>
> >>>>>>> Should parse_ip_address() raise an exception on bad data rather than
> >>>>>>> returning 0.0.0.0?
> >>>>>>
> >>>>>> I've been down that road and it would need a rewrite of the
> >>>>>> fragile IP
> >>>>>> address handling logic of ipa-server-install, which is something I'd
> >>>>>> rather avoid.
> >>>>>>
> >>>>>>>
> >>>>>>> >>> installutils.parse_ip_address('355.555.3.3')
> >>>>>>> _IPAddressWithPrefix('0.0.0.0')
> >>>>>>>
> >>>>>>> or
> >>>>>>>
> >>>>>>> >>> installutils.parse_ip_address('192.168.0.1/55')
> >>>>>>> _IPAddressWithPrefix('0.0.0.0')
> >>>>>>>
> >>>>>>> Should it disallow net addresses like 192.168.0.0?
> >>>>>>
> >>>>>> If you mean network and broadcast addresses, it probably should. It
> >>>>>> might be a good idea to disallow localhost, multicast and/or
> >>>>>> link-local
> >>>>>> addresses too.
> >>>>>
> >>>>> Are you going to resubmit the patch with these added or should we
> >>>>> open a
> >>>>> separate ticket?
> >>>>
> >>>> I'm going to resubmit it. Right now it disallows loopback, IANA
> >>>> reserved, link-local, network, multicast and broadcast IP addresses.
> >>>> Does it make sense to also allow only IP addresses attached to one of
> >>>> the local network interfaces? Perhaps it would be sufficient just to
> >>>> print a warning. Or should we not care about that at all?
> >>>
> >>> Sending the updated patch.
> >>
> >> This looks ok, just one question.
> >> Should we add a dependency on the
> >> iproute package because of the /sbin/ip package?
> >
> > Yes, we should.
> >
> >>
> >> rob
> >
> >
>
> Split the patch to 3 smaller pieces:
>
> Patch 18 adds the ability to parse netmasks in IP addresses passed to
> server install.
> https://fedorahosted.org/freeipa/ticket/1212
>
> This patch requires patch 18 and fixes DNS reverse zone setup to honor
> the netmask.
> https://fedorahosted.org/freeipa/ticket/910
>
> Patch 19 requires patch 18 and adds stricter checking of IP addresses.
> https://fedorahosted.org/freeipa/ticket/1213
>
> Honza

Thanks for splitting the patches, it is now much clearer what is done
and where. Please fix pylint errors first before the review, there were
several of them when I applied all 3 patches:

./make-lint
ipalib/plugins/host.py:122: [E1120, remove_fwd_ptr] No value passed for parameter 'ip_prefix_len' in function call
ipalib/plugins/host.py:325: [E1120, host_add.pre_callback] No value passed for parameter 'ip_prefix_len' in function call
ipalib/plugins/host.py:384: [E1120, host_add.post_callback] No value passed for parameter 'ip_prefix_len' in function call

Martin

From mkosek at redhat.com Wed May 11 14:52:24 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 11 May 2011 16:52:24 +0200
Subject: [Freeipa-devel] [PATCH] 17 Fix regressions introduced by pylint false positive fixes
In-Reply-To: <1304929251.14905.0.camel@dhcp-25-52.brq.redhat.com>
References: <4DC28D7F.7040405@redhat.com> <1304929251.14905.0.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <1305125544.4961.27.camel@dhcp-25-52.brq.redhat.com>

On Mon, 2011-05-09 at 10:20 +0200, Martin Kosek wrote:
> On Thu, 2011-05-05 at 13:43 +0200, Jan Cholasta wrote:
> > https://fedorahosted.org/freeipa/ticket/1198
> >
> > Honza
> >
>
> ACK. I see no suspicious test suite errors.
>

Pushed to master, ipa-2-0.

Martin

From ayoung at redhat.com Wed May 11 15:18:19 2011
From: ayoung at redhat.com (Adam Young) Date: Wed, 11 May 2011 11:18:19 -0400 Subject: [Freeipa-devel] [PATCH] 155 Added Self-Service and Delegation tests. In-Reply-To: <4DC9DD33.2090509@redhat.com> References: <4DC9DD33.2090509@redhat.com> Message-ID: <4DCAA8BB.2020802@redhat.com> On 05/10/2011 08:49 PM, Endi Sukma Dewata wrote: > Added Self-Service and Delegation tests. > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK. Pushed to master -------------- next part -------------- An HTML attachment was scrubbed... URL: From ayoung at redhat.com Wed May 11 15:18:27 2011 From: ayoung at redhat.com (Adam Young) Date: Wed, 11 May 2011 11:18:27 -0400 Subject: [Freeipa-devel] [PATCH] 154 Added UUID field for entitlement registration. In-Reply-To: <4DC9C228.3040809@redhat.com> References: <4DC9C228.3040809@redhat.com> Message-ID: <4DCAA8C3.8080301@redhat.com> On 05/10/2011 06:54 PM, Endi Sukma Dewata wrote: > The dialog box for entitlement registration has been modified to > accept an optional enrollment UUID. > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK. Pushed to master -------------- next part -------------- An HTML attachment was scrubbed... URL: From ayoung at redhat.com Wed May 11 15:18:36 2011 
From: ayoung at redhat.com (Adam Young) Date: Wed, 11 May 2011 11:18:36 -0400 Subject: [Freeipa-devel] [PATCH] 153 Added Selenium tests for DNS. In-Reply-To: <4DC9AA80.8040703@redhat.com> References: <4DC9AA80.8040703@redhat.com> Message-ID: <4DCAA8CC.4010702@redhat.com> On 05/10/2011 05:13 PM, Endi Sukma Dewata wrote: > Added Selenium tests for DNS. > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK. Pushed to master -------------- next part -------------- An HTML attachment was scrubbed... URL: From ayoung at redhat.com Wed May 11 15:18:43 2011 From: ayoung at redhat.com (Adam Young) Date: Wed, 11 May 2011 11:18:43 -0400 Subject: [Freeipa-devel] [PATCH] 152 Updated DNS interface. In-Reply-To: <4DC9AA3A.6080001@redhat.com> References: <4DC9AA3A.6080001@redhat.com> Message-ID: <4DCAA8D3.7030702@redhat.com> On 05/10/2011 05:12 PM, Endi Sukma Dewata wrote: > The IPA.records_facet has been converted into a subclass of > IPA.search_facet. This helps remove duplicate table code and provide > consistent DOM element attributes for Selenium tests. > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK. Pushed to master -------------- next part -------------- An HTML attachment was scrubbed... URL: From ayoung at redhat.com Wed May 11 15:18:50 2011 
From: ayoung at redhat.com (Adam Young) Date: Wed, 11 May 2011 11:18:50 -0400 Subject: [Freeipa-devel] [PATCH] 151 Updated Selenium tests. In-Reply-To: <4DC985DE.5050701@redhat.com> References: <4DC985DE.5050701@redhat.com> Message-ID: <4DCAA8DA.1050201@redhat.com> On 05/10/2011 02:37 PM, Endi Sukma Dewata wrote: > The following test suites have been updated to use the new DOM > structure: SUDO, password policy, Kerberos Ticket policy, ACI. > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK. Pushed to master -------------- next part -------------- An HTML attachment was scrubbed... URL: From kybaker at redhat.com Wed May 11 18:10:33 2011 From: kybaker at redhat.com (Kyle Baker) Date: Wed, 11 May 2011 14:10:33 -0400 (EDT) Subject: [Freeipa-devel] [PATCH] 0013 Background images and tab hover In-Reply-To: <1694282839.461399.1305137368373.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> Message-ID: <1666660621.461415.1305137433807.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> Modified the background images and added a tab hover. Please ack. Kyle Baker Visual Designer Desk - 978 392 3116 IRC - kylebaker -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-kylebaker-0013-Background-images-and-tab-hover.patch Type: text/x-patch Size: 96805 bytes Desc: not available URL: From ayoung at redhat.com Wed May 11 18:52:17 2011 
From: ayoung at redhat.com (Adam Young) Date: Wed, 11 May 2011 14:52:17 -0400 Subject: [Freeipa-devel] [PATCH] 0013 Background images and tab hover In-Reply-To: <1666660621.461415.1305137433807.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> References: <1666660621.461415.1305137433807.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> Message-ID: <4DCADAE1.9020209@redhat.com> On 05/11/2011 02:10 PM, Kyle Baker wrote: > Modified the background images and added a tab hover. Please ack. > > Kyle Baker > Visual Designer > Desk - 978 392 3116 > IRC - kylebaker > > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK. Pushed to master. -------------- next part -------------- An HTML attachment was scrubbed... URL: From rcritten at redhat.com Wed May 11 20:50:52 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 11 May 2011 16:50:52 -0400 Subject: [Freeipa-devel] [PATCH] honor --no-reverse option In-Reply-To: <1304939999.14905.5.camel@dhcp-25-52.brq.redhat.com> References: <4DB96341.9090700@redhat.com> <1304939999.14905.5.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4DCAF6AC.3030708@redhat.com> Martin Kosek wrote: > On Thu, 2011-04-28 at 08:53 -0400, Rob Crittenden wrote: >> The --no-reverse option was only working in unattended mode resulting in >> a reverse zone even if you requested to not create one. >> >> ticket 1152 >> >> rob > > NACK. The patch is fine for the server installation, but we also need > the fix for replica. > > Martin > Ok, updated patch attached. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-770-2-reverse.patch Type: application/mbox Size: 2518 bytes Desc: not available URL: From rcritten at redhat.com Wed May 11 20:58:46 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 11 May 2011 16:58:46 -0400 Subject: [Freeipa-devel] [PATCH] 762 Let the framework be able to override the hostname In-Reply-To: <4DCA8896.3030909@redhat.com> References: <4D95F3AD.2000707@redhat.com> <4DC908DF.6040506@redhat.com> <4DC942C6.8020801@redhat.com> <4DCA8896.3030909@redhat.com> Message-ID: <4DCAF886.6090309@redhat.com> Jan Cholasta wrote: > On 10.5.2011 15:51, Rob Crittenden wrote: >> Jan Cholasta wrote: >>> On 1.4.2011 17:47, Rob Crittenden wrote: >>>> The hostname is passed in during the server installation. We should use >>>> this hostname for the resulting server as well. It was being discarded >>>> and we always used the system hostname value. >>>> >>>> ticket 1052 >>>> >>>> rob >>>> >>> >>> It would be nice to use the saved hostname everywhere, instead of >>> socket.gethostname and similar. That would fix ticket 1035 too. >>> >> >> If you know of places this doesn't cover please let me know. 1035 is a >> bit of a different case in that it doesn't validate that the hostname is >> a FQDN. >> >> rob > > Nevermind, I thought for a moment that api.env.host is set to the value > from /etc/ipa/default.conf. > In fact that is what this patch allows. rob From rcritten at redhat.com Wed May 11 21:02:25 2011 
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 11 May 2011 17:02:25 -0400
Subject: [Freeipa-devel] [PATCH] Validate/Normalize user attributes if set using krbtpolicy set/add-attr.
In-Reply-To: <4D9DBF6F.1030702@redhat.com>
References: <4D9C820A.4000201@redhat.com> <4D9DBF6F.1030702@redhat.com>
Message-ID: <4DCAF961.6040108@redhat.com>

Pavel Zuna wrote:
> On 04/06/2011 05:08 PM, Pavel Zuna wrote:
>> Ticket #744
>>
>> Pavel
>>
>
> New fixed version of patch attached.
>
> Pavel

Nack, I'd prefer we not duplicate this code and actually call the user
object validators if possible. That or simply disallow updating user
attributes while doing krbtpolicy changes (preferred).

rob

From rcritten at redhat.com Wed May 11 21:04:05 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 11 May 2011 17:04:05 -0400
Subject: [Freeipa-devel] [PATCH] 048 Remove doc from API.txt
In-Reply-To: <1302530167.7619.30.camel@dhcp-25-52.brq.redhat.com>
References: <1302530167.7619.30.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4DCAF9C5.4030609@redhat.com>

Martin Kosek wrote:
> Doc parts are not removed from the API completely. This leads to
> unnecessary updates to API.txt when the option/argument documentation
> is changed.
>
> This patch replaces the unreliable doc stripping function with a regular
> expression. It works for all current doc strings (simple string or
> GetText). The only limitation is that the RE supports only up to
> 2 levels of nested parentheses in the doc string.
>
> https://fedorahosted.org/freeipa/ticket/1057

The approach looks good, can you rebase this?

thanks

rob

From rcritten at redhat.com Wed May 11 21:55:20 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 11 May 2011 17:55:20 -0400
Subject: [Freeipa-devel] [PATCH] 063 Let selinux-policy handle port 7390
In-Reply-To: <1304683381.27463.2.camel@dhcp-25-52.brq.redhat.com>
References: <1304683381.27463.2.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4DCB05C8.2070602@redhat.com>

Martin Kosek wrote:
> As #1200 patch will raise selinux-policy Requires in the SPEC above this
> version, it is not necessary to do it in this patch.

Ack, pushed to master and ipa-2-0

rob

From mgregg at redhat.com Wed May 11 23:23:06 2011
From: mgregg at redhat.com (Michael Gregg)
Date: Wed, 11 May 2011 16:23:06 -0700
Subject: [Freeipa-devel] ipa-replica-manage help
Message-ID: <4DCB1A5A.7010402@redhat.com>

I'm having problems using ipa-replica-manage. Can anybody help?

I have this setup with a master and a replica.

[root at ipaqavmf ~]# ipa-replica-manage list
ipaqavmh.testrelm: master
ipaqavmf.testrelm: master

First off, I cannot disconnect a replica:

From ipaqavmh:
[root at ipaqavmh ~]# ipa-replica-manage disconnect ipaqavmf.testrelm
Cannot remove the last replication link of 'ipaqavmh.testrelm'
Please use the 'del' command to remove it from the domain

So, I try "del":

[root at ipaqavmh ~]# ipa-replica-manage del ipaqavmf.testrelm
Unable to delete replica ipaqavmf.testrelm: {'desc': "Can't contact LDAP server"}

How do I delete ipaqavmf from this agreement?

Is disconnecting and re-connecting a replica server what ipa-replica-manage is for?

Help please.

Michael-

From dpal at redhat.com Wed May 11 23:52:41 2011
From: dpal at redhat.com (Dmitri Pal) Date: Wed, 11 May 2011 19:52:41 -0400 Subject: [Freeipa-devel] ipa-replica-manage help In-Reply-To: <4DCB1A5A.7010402@redhat.com> References: <4DCB1A5A.7010402@redhat.com> Message-ID: <4DCB2149.1040402@redhat.com> On 05/11/2011 07:23 PM, Michael Gregg wrote: > > I'm having problem using ipa-replica-manage. Can anybody help? > > I have this setup with a master and a replica. > > [root at ipaqavmf ~]# ipa-replica-manage list > ipaqavmh.testrelm: master > ipaqavmf.testrelm: master > > First off, I cannot disconnect a replica: > > From ipaqavmh: > [root at ipaqavmh ~]# ipa-replica-manage disconnect ipaqavmf.testrelm > Cannot remove the last replication link of 'ipaqavmh.testrelm' > Please use the 'del' command to remove it from the domain > > So, I try "del": > > [root at ipaqavmh ~]# ipa-replica-manage del ipaqavmf.testrelm > Unable to delete replica ipaqavmf.testrelm: {'desc': "Can't contact > LDAP server"} > > How do I delete ipaqavmf from this agreement? > > Is disconnecting and re-connecting a replica server what > ipa-replica-manage for? > > Help please. > Any logs? It seems that there is a problem accessing the DS server. Is it running? There is probably a bug somewhere there in the logic, but the question is: are you allowed to orphan a replica and remove the last replication agreement? Based on the output above the assumption seems to be that it is not allowed but this might be a wrong assumption. Thoughts? > Michael- > > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel > > -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From ayoung at redhat.com Thu May 12 00:56:39 2011 
From: ayoung at redhat.com (Adam Young)
Date: Wed, 11 May 2011 20:56:39 -0400
Subject: [Freeipa-devel] Automount API consistency and WebUI searches
Message-ID: <4DCB3047.30805@redhat.com>

The general pattern for finding something is

_find FILTER

And for nested entities is

_find PARENTKEY FILTER

So for Automount it is

automountlocation_find FILTER
automountmap_find LOC FILTER

So Key should be

automountkey_find LOC MAP FILTER

The show command should then be

_show PKEY
_show PARENTKEY PKEY

So for Automount it should be

automountlocation_show LOC
automountmap_show LOC MAP

so key should be

automountkey_show LOC MAP KEY

For the key, in both cases it is not this. Instead, the whole key and the
whole --info (mountpoint) must be specified for the show command. On the
find side there is an indication that the parameters should be --info and
--key, but FILTER seems to work correctly.

It seems that the key should be unique within a map. Is there any good
reason to require the --info parameter when showing keys? Instead, it
only enforces that a pair be unique. Since automount triggers if someone
browses to a specific directory, I thought that the option of which to
choose would have to be deterministic: if I go to /home/ayoung, it ought
to always mount nfsserver:/home/ayoung.

What am I missing?

From mkosek at redhat.com Thu May 12 06:31:24 2011
From: mkosek at redhat.com (Martin Kosek) Date: Thu, 12 May 2011 08:31:24 +0200 Subject: [Freeipa-devel] [PATCH] 048 Remove doc from API.txt In-Reply-To: <4DCAF9C5.4030609@redhat.com> References: <1302530167.7619.30.camel@dhcp-25-52.brq.redhat.com> <4DCAF9C5.4030609@redhat.com> Message-ID: <1305181884.31973.1.camel@dhcp-25-52.brq.redhat.com> On Wed, 2011-05-11 at 17:04 -0400, Rob Crittenden wrote: > Martin Kosek wrote: > > Doc parts are not removed from the API completely. This leads to > > unnecessary updates to API.txt when the option/argument documentation > > is changed. > > > > This patch replaces unreliable doc stripping function with a regular > > expression. It works for all current doc strings (simple string or > > GetText). The only limitation is that the RE supports only up to > > 2 levels of nested parentheses in doc string. > > > > https://fedorahosted.org/freeipa/ticket/1057 > > The approach looks good, can you rebase this? > > thanks > > rob Sure, here it goes. Martin -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mkosek-048-2-remove-doc-from-api.txt.patch Type: text/x-patch Size: 168733 bytes Desc: not available URL: From mkosek at redhat.com Thu May 12 07:19:25 2011 
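As an added illustration of the regular-expression approach described in patch 048 above (this is not the patch's own regex, which is not on this page), the following strips doc= arguments from constructed API.txt-style lines and reports where the stated two-level nesting limit is hit. The DOC_RE pattern, the helper names and the sample lines are this example's own assumptions.

```python
import re

# Text containing no parentheses at all.
_L0 = r"[^()]*"
# Text whose parentheses nest at most one level deep.
_L1 = _L0 + r"(?:\(" + _L0 + r"\)" + _L0 + r")*"

# doc=<value> where <value> is a plain quoted string or a call such as
# Gettext(...) / _(...) whose argument list nests at most one further level
# of parentheses, i.e. two levels counting the call's own parentheses.
# The leading comma is consumed too, so the argument list stays well formed
# when doc= is the last argument. Unbalanced parentheses inside a string
# literal defeat the pattern, which is the fragility of this approach.
DOC_RE = re.compile(
    r",?\s*doc="
    r"(?:[A-Za-z_]\w*)?"            # optional callable name (Gettext, _)
    r"(?:\(" + _L1 + r"\)"          # parenthesised argument list
    r"|'(?:[^'\\]|\\.)*'"           # or a single-quoted string
    r"|\"(?:[^\"\\]|\\.)*\")"       # or a double-quoted string
)


def strip_doc(line: str) -> str:
    """Remove the doc=... argument from one API.txt-style line."""
    return DOC_RE.sub("", line)


def strip_api_doc(text: str):
    """Strip doc= from every line of an API.txt-style dump.

    Returns (cleaned_lines, leftover_line_numbers); a line is a leftover
    when a doc= survived because its value nests deeper than two levels.
    """
    cleaned, leftovers = [], []
    for number, line in enumerate(text.splitlines(), start=1):
        stripped = strip_doc(line)
        if "doc=" in stripped:
            leftovers.append(number)
        cleaned.append(stripped)
    return cleaned, leftovers


# Constructed sample in the spirit of API.txt (not copied from the project).
# The last line nests three levels deep on purpose to show the limit.
SAMPLE_API = """\
command: user_add
args: 1,4,3
arg: Str('uid', attribute=True, cli_name='login', doc=Gettext('User login', domain='ipa', localedir=None), label=Gettext('User login', domain='ipa', localedir=None), primary_key=True, required=True)
option: Str('givenname', attribute=True, cli_name='first', doc='First name', label=Gettext('First name', domain='ipa', localedir=None), required=True)
option: Str('sn', attribute=True, cli_name='last', doc=Gettext('Last name (surname)', domain='ipa', localedir=None), required=True)
option: Flag('noprivate', autofill=True, default=False, doc=Gettext('Do not create user private group', domain='ipa', localedir=None))
option: Int('uidnumber', doc=Gettext(ngettext('UID (one value)', 'UIDs (many values)', 2), domain='ipa', localedir=None), label='UID')
"""

if __name__ == "__main__":
    lines, left = strip_api_doc(SAMPLE_API)
    print("\n".join(lines))
    print("lines still carrying doc= (nesting too deep):", left)
```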
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 12 May 2011 09:19:25 +0200
Subject: [Freeipa-devel] ipa-replica-manage help
In-Reply-To: <4DCB1A5A.7010402@redhat.com>
References: <4DCB1A5A.7010402@redhat.com>
Message-ID: <1305184765.31973.17.camel@dhcp-25-52.brq.redhat.com>

On Wed, 2011-05-11 at 16:23 -0700, Michael Gregg wrote:
> I'm having problems using ipa-replica-manage. Can anybody help?
>
> I have this setup with a master and a replica.
>
> [root at ipaqavmf ~]# ipa-replica-manage list
> ipaqavmh.testrelm: master
> ipaqavmf.testrelm: master
>
> First off, I cannot disconnect a replica:
>
> From ipaqavmh:
> [root at ipaqavmh ~]# ipa-replica-manage disconnect ipaqavmf.testrelm
> Cannot remove the last replication link of 'ipaqavmh.testrelm'
> Please use the 'del' command to remove it from the domain

This is OK, there is only one replication link between those 2 replicas.
The disconnect command would block replication between these 2 masters,
which is not allowed. If you would like to play with replica topology,
you can create a second replica and try the connect/disconnect commands.

>
> So, I try "del":
>
> [root at ipaqavmh ~]# ipa-replica-manage del ipaqavmf.testrelm
> Unable to delete replica ipaqavmf.testrelm: {'desc': "Can't contact LDAP
> server"}

Master ipaqavmf.testrelm is unreachable, I guess you uninstalled it
before removing it from replication. There is an easy fix for that, just
run the command with the --force flag:

ipa-replica-manage del ipaqavmf.testrelm --force

>
> How do I delete ipaqavmf from this agreement?
>
> Is disconnecting and re-connecting a replica server what
> ipa-replica-manage is for?
>
> Help please.
>
> Michael-

From jcholast at redhat.com Thu May 12 09:10:51 2011
From: jcholast at redhat.com (Jan Cholasta) Date: Thu, 12 May 2011 11:10:51 +0200 Subject: [Freeipa-devel] [PATCH] 762 Let the framework be able to override the hostname In-Reply-To: <4DCAF886.6090309@redhat.com> References: <4D95F3AD.2000707@redhat.com> <4DC908DF.6040506@redhat.com> <4DC942C6.8020801@redhat.com> <4DCA8896.3030909@redhat.com> <4DCAF886.6090309@redhat.com> Message-ID: <4DCBA41B.3000409@redhat.com> On 11.5.2011 22:58, Rob Crittenden wrote: > Jan Cholasta wrote: >> On 10.5.2011 15:51, Rob Crittenden wrote: >>> Jan Cholasta wrote: >>>> On 1.4.2011 17:47, Rob Crittenden wrote: >>>>> The hostname is passed in during the server installation. We should >>>>> use >>>>> this hostname for the resulting server as well. It was being discarded >>>>> and we always used the system hostname value. >>>>> >>>>> ticket 1052 >>>>> >>>>> rob >>>>> >>>> >>>> It would be nice to use the saved hostname everywhere, instead of >>>> socket.gethostname and similar. That would fix ticket 1035 too. >>>> >>> >>> If you know of places this doesn't cover please let me know. 1035 is a >>> bit of a different case in that it doesn't validate that the hostname is >>> a FQDN. >>> >>> rob >> >> Nevermind, I thought for a moment that api.env.host is set to the value >> from /etc/ipa/default.conf. >> > > In fact that is what this patch allows. > > rob Strange, it didn't work for me yesterday but it does now. I must have missed something. Anyway, when you s/socket.gethostname()/api.env.host/ in ipactl after applying your patch, IPA starts fine even when the hostname is changed to non-FQDN after the install, which I believe fixes the aforementioned ticket 1035. Honza -- Jan Cholasta From mkosek at redhat.com Thu May 12 11:05:03 2011 
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 12 May 2011 13:05:03 +0200
Subject: [Freeipa-devel] [PATCH] 762 Let the framework be able to override the hostname
In-Reply-To: <4DC94248.7010001@redhat.com>
References: <4D95F3AD.2000707@redhat.com> <1305009756.11948.3.camel@dhcp-25-52.brq.redhat.com> <4DC94248.7010001@redhat.com>
Message-ID: <1305198303.31973.21.camel@dhcp-25-52.brq.redhat.com>

On Tue, 2011-05-10 at 09:48 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > On Fri, 2011-04-01 at 11:47 -0400, Rob Crittenden wrote:
> >> The hostname is passed in during the server installation. We should use
> >> this hostname for the resulting server as well. It was being discarded
> >> and we always used the system hostname value.
> >>
> >> ticket 1052
> >>
> >> rob
> >
> > Looks good for both server and a client install with a custom hostname.
> > However, I was unable to install a CA-powered replica, when a master was
> > configured with custom hostname:
> >
> > ipareplica-install.log:
> > ...
> > #############################################
> > Attempting to connect to: vm-102.idm.lab.bos.redhat.com:9445
> > Connected.
> > Posting Query = https://vm-102.idm.lab.bos.redhat.com:9445//ca/admin/console/config/wizard?p=5&subsystem=CA&session_id=6792677911037453899&xml=true
> > RESPONSE STATUS: HTTP/1.1 200 OK
> > RESPONSE HEADER: Server: Apache-Coyote/1.1
> > RESPONSE HEADER: Content-Type: text/html;charset=UTF-8
> > RESPONSE HEADER: Date: Mon, 09 May 2011 14:17:46 GMT
> > RESPONSE HEADER: Connection: close
> > Exception in SecurityDomainLoginPanel(): java.lang.Exception: Invalid clone_uri
> > ERROR: ConfigureSubCA: SecurityDomainLoginPanel() failure
> > ERROR: unable to create CA
> >
> > #######################################################################
> >
> > 2011-05-09 10:17:47,039 DEBUG stderr=java.lang.Exception: Invalid clone_uri
> > at ConfigureCA.SecurityDomainLoginPanel(ConfigureCA.java:384)
> > at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1239)
> > at ConfigureCA.main(ConfigureCA.java:1761)
> >
> > 2011-05-09 10:17:47,040 CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname vm-102.idm.lab.bos.redhat.com -cs_port 9445 -client_certdb_dir /tmp/tmp-Ou9Wd4 -client_certdb_pwd 'XXXXXXXX' -preop_pin qTFTDIjO9j9LdtvjLCz1 -domain_name IPA -admin_user admin -admin_email root at localhost -admin_password 'XXXXXXXX' -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject "CN=ipa-ca-agent,O=IDM.LAB.BOS.REDHAT.COM" -ldap_host vm-102.idm.lab.bos.redhat.com -ldap_port 7389 -bind_dn "cn=Directory Manager" -bind_password 'XXXXXXXX' -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd 'XXXXXXXX' -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name "CN=CA Subsystem,O=IDM.LAB.BOS.REDHAT.COM" -ca_ocsp_cert_subject_name "CN=OCSP Subsystem,O=IDM.LAB.BOS.REDHAT.COM" -ca_server_cert_subject_name "CN=vm-102.idm.lab.bos.redhat.com,O=IDM.LAB.BOS.REDHAT.COM" -ca_audit_signing_cert_subject_name "CN=CA Audit,O=IDM.LAB.BOS.REDHAT.COM" -ca_sign_cert_subject_name "CN=Certificate Authority,O=IDM.LAB.BOS.REDHAT.COM" -external false -clone true -clone_p12_file ca.p12 -clone_p12_password 'XXXXXXXX' -sd_hostname ipa.idm.lab.bos.redhat.com -sd_admin_port 9445 -sd_admin_name admin -sd_admin_password 'XXXXXXXX' -clone_start_tls true -clone_uri https://ipa.idm.lab.bos.redhat.com:9444' returned non-zero exit status 255
> > 2011-05-09 10:17:47,070 DEBUG Configuration of CA failed
> >   File "/usr/sbin/ipa-replica-install", line 543, in
> >     main()
> >
> >   File "/usr/sbin/ipa-replica-install", line 486, in main
> >     (CA, cs) = install_ca(config)
> >
> >   File "/usr/sbin/ipa-replica-install", line 186, in install_ca
> >     subject_base=config.subject_base)
> >
> >   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 539, in configure_instance
> >     self.start_creation("Configuring certificate server", 360)
> >
> >   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 289, in start_creation
> >     method()
> > ...
> >
> > Did that work for you?
>
> It worked for me, I remember testing both. Ade, do you know what would
> cause dogtag to throw "Invalid clone_uri"?
>
> rob

I can provide a VM with the reproduced problem if that would help.
However, the reproduction scenario is simple (I tried that again just
right now):

1) Install IPA server with CA,DNS support with custom --hostname
2) Try to install replica on another F-15 -> installation fails

My dogtag version:
pki-ca-9.0.7-1.fc15.noarch

Martin

From mkosek at redhat.com Thu May 12 11:28:10 2011
From: mkosek at redhat.com (Martin Kosek) Date: Thu, 12 May 2011 13:28:10 +0200 Subject: [Freeipa-devel] [PATCH] 065 Running ipa-replica-manage as non-root cause errors Message-ID: <1305199690.31973.22.camel@dhcp-25-52.brq.redhat.com> Logging errors are printed out when ipa-replica-manage is run as a non-root user. Log has been disabled in such case to prevent such messages. https://fedorahosted.org/freeipa/ticket/1046 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mkosek-065-running-ipa-replica-manage-as-non-root-cause-errors.patch Type: text/x-patch Size: 1367 bytes Desc: not available URL: From rcritten at redhat.com Thu May 12 12:43:29 2011 
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 12 May 2011 08:43:29 -0400
Subject: [Freeipa-devel] ipa-replica-manage help
In-Reply-To: <4DCB1A5A.7010402@redhat.com>
References: <4DCB1A5A.7010402@redhat.com>
Message-ID: <4DCBD5F1.60102@redhat.com>

Michael Gregg wrote:
>
> I'm having problems using ipa-replica-manage. Can anybody help?
>
> I have this setup with a master and a replica.
>
> [root at ipaqavmf ~]# ipa-replica-manage list
> ipaqavmh.testrelm: master
> ipaqavmf.testrelm: master
>
> First off, I cannot disconnect a replica:
>
> From ipaqavmh:
> [root at ipaqavmh ~]# ipa-replica-manage disconnect ipaqavmf.testrelm
> Cannot remove the last replication link of 'ipaqavmh.testrelm'
> Please use the 'del' command to remove it from the domain
>
> So, I try "del":
>
> [root at ipaqavmh ~]# ipa-replica-manage del ipaqavmf.testrelm
> Unable to delete replica ipaqavmf.testrelm: {'desc': "Can't contact LDAP
> server"}
>
> How do I delete ipaqavmf from this agreement?

Since the remote replica is not running you need to use the --force flag.

>
> Is disconnecting and re-connecting a replica server what
> ipa-replica-manage is for?

If you are removing the last replication agreement from one of the
servers you have to delete it instead. connect/disconnect is for managing
topology only.

rob

From jcholast at redhat.com Thu May 12 12:47:59 2011
From: jcholast at redhat.com (Jan Cholasta) Date: Thu, 12 May 2011 14:47:59 +0200 Subject: [Freeipa-devel] [PATCH] 3 Add ability to specify netmask with IP addresses during installation In-Reply-To: <1305122338.4961.23.camel@dhcp-25-52.brq.redhat.com> References: <4D9068E5.6090209@redhat.com> <4D90920E.3080900@redhat.com> <4D91DD15.8020109@redhat.com> <4D91DDA6.2060304@redhat.com> <4D923DCA.1030900@redhat.com> <4D930AAD.9020209@redhat.com> <4D9F1AFA.8000305@redhat.com> <4DA2DC6F.1000105@redhat.com> <4DA58644.3020506@redhat.com> <4DAF3D5A.7080300@redhat.com> <4DAFDE65.5050100@redhat.com> <4DC97F9F.5030103@redhat.com> <1305122338.4961.23.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4DCBD6FF.7050103@redhat.com> On 11.5.2011 15:58, Martin Kosek wrote: > On Tue, 2011-05-10 at 20:10 +0200, Jan Cholasta wrote: >> On 21.4.2011 09:36, Jan Cholasta wrote: >>> On 20.4.2011 22:08, Rob Crittenden wrote: >>>> Jan Cholasta wrote: >>>>> On 11.4.2011 12:48, Jan Cholasta wrote: >>>>>> On 8.4.2011 16:26, Rob Crittenden wrote: >>>>>>> Jan Cholasta wrote: >>>>>>>> On 29.3.2011 22:15, Rob Crittenden wrote: >>>>>>>>> Jan Cholasta wrote: >>>>>>>>>> Sorry, forgot to attach the patch. >>>>>>>>>> >>>>>>>>> >>>>>>>>> Is this why you have some blind excepts? >>>>>>>>> >>>>>>>>> installutils._IPAddressWithPrefix('192.168.0.1/33') >>>>>>>>> Traceback (most recent call last): >>>>>>>>> File "", line 1, in >>>>>>>>> File "ipaserver/install/installutils.py", line 167, in __init__ >>>>>>>>> net = netaddr.IPNetwork(addr) >>>>>>>>> File "/usr/lib/python2.7/site-packages/netaddr/ip/__init__.py", line >>>>>>>>> 919, in __init__ >>>>>>>>> implicit_prefix, flags) >>>>>>>>> File "/usr/lib/python2.7/site-packages/netaddr/ip/__init__.py", line >>>>>>>>> 782, in parse_ip_network >>>>>>>>> value = ip._value >>>>>>>>> UnboundLocalError: local variable 'ip' referenced before assignment >>>>>>>>> >>>>>>>>> We should get an upstream bug filed on python-netaddr about this. 
>>>>>>>> >>>>>>>> https://github.com/drkjam/netaddr/issues/closed#issue/5 >>>>>>>> https://github.com/drkjam/netaddr/issues/closed#issue/6 >>>>>>>> https://github.com/drkjam/netaddr/issues/closed#issue/8 >>>>>>>> >>>>>>>> Apparently it's already been fixed for the next release. >>>>>>>> >>>>>>>> IMHO it's not much of an issue for us, because the exception gets >>>>>>>> caught >>>>>>>> in parse_ip_address and that's currently the only place where >>>>>>>> _IPAddressWithPrefix is used. >>>>>>>> >>>>>>>>> >>>>>>>>> Shoudl parse_ip_address() raise an exception on bad data rather than >>>>>>>>> returning 0.0.0.0? >>>>>>>> >>>>>>>> I've been down that road and it would need a rewrite of the >>>>>>>> fragile IP >>>>>>>> address handling logic of ipa-server-install, which is something I'd >>>>>>>> rather avoid. >>>>>>>> >>>>>>>>> >>>>>>>>>>>> installutils.parse_ip_address('355.555.3.3') >>>>>>>>> _IPAddressWithPrefix('0.0.0.0') >>>>>>>>> >>>>>>>>> or >>>>>>>>> >>>>>>>>>>>> installutils.parse_ip_address('192.168.0.1/55') >>>>>>>>> _IPAddressWithPrefix('0.0.0.0') >>>>>>>>> >>>>>>>>> Should it disallow net addresses like 192.168.0.0? >>>>>>>> >>>>>>>> If you mean network and broadcast addresses, it probably should. It >>>>>>>> might be a good idea to disallow localhost, multicast and/or >>>>>>>> link-local >>>>>>>> addresses too. >>>>>>> >>>>>>> Are you going to resubmit the patch with these added or should we >>>>>>> open a >>>>>>> separate ticket? >>>>>> >>>>>> I'm going to resubmit it. Right now it disallows loopback, IANA >>>>>> reserved, link-local, network, multicast and broadcast IP addresses. >>>>>> Does it make sense to also allow only IP addresses attached to one of >>>>>> the local network interfaces? Perhaps it would be sufficient just to >>>>>> print a warning. Or should we not care about that at all? >>>>> >>>>> Sending the updated patch. >>>> >>>> This looks ok, just one question. 
>>>> Should we add a dependency on the
>>>> iproute package because of the /sbin/ip package?
>>>
>>> Yes, we should.
>>>
>>>>
>>>> rob
>>>
>>>
>>
>> Split the patch to 3 smaller pieces:
>>
>> Patch 18 adds the ability to parse netmasks in IP addresses passed to
>> server install.
>> https://fedorahosted.org/freeipa/ticket/1212
>>
>> This patch requires patch 18 and fixes DNS reverse zone setup to honor
>> the netmask.
>> https://fedorahosted.org/freeipa/ticket/910
>>
>> Patch 19 requires patch 18 and adds stricter checking of IP addresses.
>> https://fedorahosted.org/freeipa/ticket/1213
>>
>> Honza
>
> Thanks for splitting the patches, it is now much clearer what is done
> and where. Please fix pylint errors first before the review, there were
> several of them when I applied all 3 patches:
>
> ./make-lint
> ipalib/plugins/host.py:122: [E1120, remove_fwd_ptr] No value passed for parameter 'ip_prefix_len' in function call
> ipalib/plugins/host.py:325: [E1120, host_add.pre_callback] No value passed for parameter 'ip_prefix_len' in function call
> ipalib/plugins/host.py:384: [E1120, host_add.post_callback] No value passed for parameter 'ip_prefix_len' in function call
>
> Martin
>

Rewrote host.py so that it doesn't use get_reverse_zone from
ipaserver.bindinstance (which fixes the pylint errors).

Honza

--
Jan Cholasta
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-3.6-reverse-zone.patch
Type: text/x-patch
Size: 11721 bytes
Desc: not available
URL:

From mkosek at redhat.com Thu May 12 12:59:46 2011
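Added illustration of the stricter address checking discussed in the patch 3 thread above (the address classes patch 19 rejects, the /33 prefix that crashes python-netaddr, and a reverse zone that honors the netmask); this is not code from Jan Cholasta's patches. It uses the stdlib ipaddress module rather than netaddr, raises ValueError with a reason instead of returning 0.0.0.0, and the octet/nibble-boundary rule in reverse_zone() is this example's own assumption, not the project's.

```python
import ipaddress
from dataclasses import dataclass
from typing import Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


@dataclass(frozen=True)
class IPAddressWithPrefix:
    """A host address together with the prefix length of its network."""

    ip: IPAddr
    prefixlen: int

    def reverse_zone(self) -> str:
        """Name of the reverse zone that holds this address's PTR record.

        Assumed policy (not the project's): cut the zone at the last whole
        octet (IPv4) or nibble (IPv6) covered by the prefix, so a /22 host
        is placed in the enclosing /16 zone rather than a classless one.
        """
        net = ipaddress.ip_interface(f"{self.ip}/{self.prefixlen}").network
        if self.ip.version == 4:
            labels = str(net.network_address).split(".")[: self.prefixlen // 8]
            suffix = "in-addr.arpa."
        else:
            nibbles = net.network_address.exploded.replace(":", "")
            labels = list(nibbles[: self.prefixlen // 4])
            suffix = "ip6.arpa."
        if not labels:
            raise ValueError(f"prefix /{self.prefixlen} is too short for a reverse zone")
        return ".".join(reversed(labels)) + "." + suffix


def parse_ip_address(addr: str) -> IPAddressWithPrefix:
    """Parse 'ADDRESS' or 'ADDRESS/PREFIXLEN', raising ValueError on bad data.

    A missing prefix means a host prefix (/32 or /128). Every rejection
    carries its reason instead of collapsing to a 0.0.0.0 sentinel.
    """
    try:
        iface = ipaddress.ip_interface(addr.strip())
    except ValueError as exc:  # e.g. 355.555.3.3, or a prefix such as /33
        raise ValueError(f"{addr!r} is not a valid IP address: {exc}") from None
    ip, net = iface.ip, iface.network

    # Address classes rejected outright; 0.0.0.0 (the old sentinel) is one of them.
    for rejected, kind in (
        (ip.is_unspecified, "unspecified"),
        (ip.is_loopback, "loopback"),
        (ip.is_link_local, "link-local"),
        (ip.is_multicast, "multicast"),
        (ip.is_reserved, "IANA reserved"),
    ):
        if rejected:
            raise ValueError(f"{ip} is a {kind} address")

    # Network and broadcast addresses exist only in networks with more than
    # two addresses; /31 and /127 point-to-point links use both addresses.
    # For IPv6, broadcast_address is simply the last address of the network.
    if net.num_addresses > 2:
        if ip == net.network_address:
            raise ValueError(f"{ip} is the network address of {net}")
        if ip == net.broadcast_address:
            raise ValueError(f"{ip} is the broadcast address of {net}")
    return IPAddressWithPrefix(ip, net.prefixlen)


def is_valid_ip_address(addr: str) -> bool:
    """Convenience wrapper: True when parse_ip_address accepts the input."""
    try:
        parse_ip_address(addr)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed inputs, including the cases quoted in the thread.
    for candidate in ("192.168.0.1/24", "192.168.0.1/33", "355.555.3.3", "192.168.0.0/24"):
        try:
            parsed = parse_ip_address(candidate)
            print(f"{candidate}: ok, reverse zone {parsed.reverse_zone()}")
        except ValueError as exc:
            print(f"{candidate}: rejected ({exc})")
```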
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 12 May 2011 14:59:46 +0200
Subject: [Freeipa-devel] [PATCH] 066 Limit passwd plugin to user container
Message-ID: <1305205186.7070.0.camel@dhcp-25-52.brq.redhat.com>

Improve performance by specifying basedn to find_entry_by_attr() function in ldap2 and passwd plugins.

https://fedorahosted.org/freeipa/ticket/1165

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-066-limit-passwd-plugin-to-user-container.patch
Type: text/x-patch
Size: 2082 bytes
Desc: not available

From mkosek at redhat.com Thu May 12 13:20:35 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 12 May 2011 15:20:35 +0200
Subject: [Freeipa-devel] [PATCH] honor --no-reverse option
In-Reply-To: <4DCAF6AC.3030708@redhat.com>
References: <4DB96341.9090700@redhat.com> <1304939999.14905.5.camel@dhcp-25-52.brq.redhat.com> <4DCAF6AC.3030708@redhat.com>
Message-ID: <1305206435.7070.1.camel@dhcp-25-52.brq.redhat.com>

On Wed, 2011-05-11 at 16:50 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > On Thu, 2011-04-28 at 08:53 -0400, Rob Crittenden wrote:
> >> The --no-reverse option was only working in unattended mode resulting in a reverse zone even if you requested to not create one.
> >>
> >> ticket 1152
> >>
> >> rob
> >
> > NACK. The patch is fine for the server installation, but we also need the fix for replica.
> >
> > Martin
>
> Ok, updated patch attached.
>
> rob

ACK. Pushed to master, ipa-2-0.

Martin

From rcritten at redhat.com Thu May 12 15:08:40 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 12 May 2011 11:08:40 -0400
Subject: [Freeipa-devel] [PATCH] 066 Limit passwd plugin to user container
In-Reply-To: <1305205186.7070.0.camel@dhcp-25-52.brq.redhat.com>
References: <1305205186.7070.0.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4DCBF7F8.1040105@redhat.com>

Martin Kosek wrote:
> Improve performance by specifying basedn to find_entry_by_attr() function in ldap2 and passwd plugins.
>
> https://fedorahosted.org/freeipa/ticket/1165

Nack, it is possible to bind as an object other than a user, say a host. I think just the first part of the patch is needed.

rob

From mkosek at redhat.com Thu May 12 15:12:54 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 12 May 2011 17:12:54 +0200
Subject: [Freeipa-devel] [PATCH] 066 Limit passwd plugin to user container
In-Reply-To: <4DCBF7F8.1040105@redhat.com>
References: <1305205186.7070.0.camel@dhcp-25-52.brq.redhat.com> <4DCBF7F8.1040105@redhat.com>
Message-ID: <1305213174.10620.1.camel@dhcp-25-52.brq.redhat.com>

On Thu, 2011-05-12 at 11:08 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > Improve performance by specifying basedn to find_entry_by_attr() function in ldap2 and passwd plugins.
> >
> > https://fedorahosted.org/freeipa/ticket/1165
>
> Nack, it is possible to bind as an object other than a user, say a host. I think just the first part of the patch is needed.
>
> rob

Thanks for the catch. In that case let's only do the proposed change. Updated patch attached.

Martin

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-066-2-limit-passwd-plugin-to-user-container.patch
Type: text/x-patch
Size: 1098 bytes
Desc: not available

From rcritten at redhat.com Thu May 12 15:17:52 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 12 May 2011 11:17:52 -0400
Subject: [Freeipa-devel] [PATCH] 065 Running ipa-replica-manage as non-root cause errors
In-Reply-To: <1305199690.31973.22.camel@dhcp-25-52.brq.redhat.com>
References: <1305199690.31973.22.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4DCBFA20.5080905@redhat.com>

Martin Kosek wrote:
> Logging errors are printed out when ipa-replica-manage is run as a non-root user. Log has been disabled in such case to prevent such messages.
>
> https://fedorahosted.org/freeipa/ticket/1046

Less than ideal but the logging here is rather inconsequential, so ack.

rob

From edewata at redhat.com Thu May 12 15:20:07 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 12 May 2011 10:20:07 -0500
Subject: [Freeipa-devel] [PATCH] admiyo-0220-update-ipa-init
In-Reply-To: <4D95F60D.3000108@redhat.com>
References: <4D95F60D.3000108@redhat.com>
Message-ID: <4DCBFAA7.6020909@redhat.com>

On 4/1/2011 10:58 AM, Adam Young wrote:
>

ACK. This can be pushed after removing the -x from the script header.

-- 
Endi S. Dewata

From rcritten at redhat.com Thu May 12 15:27:05 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 12 May 2011 11:27:05 -0400
Subject: [Freeipa-devel] [PATCH] 048 Remove doc from API.txt
In-Reply-To: <1305181884.31973.1.camel@dhcp-25-52.brq.redhat.com>
References: <1302530167.7619.30.camel@dhcp-25-52.brq.redhat.com> <4DCAF9C5.4030609@redhat.com> <1305181884.31973.1.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4DCBFC49.4020202@redhat.com>

Martin Kosek wrote:
> On Wed, 2011-05-11 at 17:04 -0400, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> Doc parts are not removed from the API completely. This leads to unnecessary updates to API.txt when the option/argument documentation is changed.
>>>
>>> This patch replaces unreliable doc stripping function with a regular expression. It works for all current doc strings (simple string or GetText). The only limitation is that the RE supports only up to 2 levels of nested parentheses in doc string.
>>>
>>> https://fedorahosted.org/freeipa/ticket/1057
>>
>> The approach looks good, can you rebase this?
>>
>> thanks
>>
>> rob
>
> Sure, here it goes.
>
> Martin

Ack

From rcritten at redhat.com Thu May 12 15:40:59 2011
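Patch 048 above replaces an ad-hoc doc-stripping function with a regular expression that handles simple strings and GetText values but only up to two levels of nested parentheses. The block below is an added example written to illustrate that approach; it is not FreeIPA's makeapi code and the sample API.txt-style lines are constructed. It shows how such a bounded-nesting expression is built, and adds a check that tells you when a line exceeded the limit, so the limitation fails loudly instead of silently leaving a mangled doc argument behind.

```python
"""Strip ``doc=...`` arguments from API.txt-style parameter lines.

Added example, not FreeIPA's makeapi code. The regular expression is built
in layers so the nesting limit (two levels of parentheses inside the doc
value) is explicit, and a trailing lookahead makes a partial match fail
rather than strip only part of the value.
"""
import re

# A single-quoted Python string literal; backslash escapes allowed.
_QUOTED = r"'(?:[^'\\]|\\.)*'"
# Level 2: a parenthesised group with no further parentheses inside it.
# Parentheses inside quoted strings are consumed by the quoted alternative.
_LEVEL2 = r"\((?:" + _QUOTED + r"|[^()'])*\)"
# Level 1: a parenthesised group that may contain level-2 groups.
_LEVEL1 = r"\((?:" + _QUOTED + r"|" + _LEVEL2 + r"|[^()'])*\)"
# The doc value: quoted strings, level-1 groups and plain characters, ending
# at the first top-level comma or parenthesis.
_VALUE = r"(?:" + _QUOTED + r"|" + _LEVEL1 + r"|[^(),'])+"

# The lookahead requires the whole value to have been consumed; a value that
# nests deeper than two levels therefore produces no match at all.
DOC_RE = re.compile(r",\s*doc=" + _VALUE + r"(?=\s*[,)])")


def strip_doc(line):
    """Remove every ``, doc=<value>`` argument from one API.txt line."""
    return DOC_RE.sub("", line)


def has_unstripped_doc(line):
    """True if a doc= argument survived, i.e. the line exceeded the limit."""
    return "doc=" in strip_doc(line)


# Constructed sample lines in the style of API.txt (not copied from FreeIPA).
SAMPLE_LINES = [
    "option: Str('cn', attribute=True, cli_name='group_name', "
    "doc=Gettext('Group name (long)', domain='ipa', localedir=None), primary_key=True)",
    "option: Str('description?', cli_name='desc', doc=_('Group description'))",
    "option: Int('gidnumber?', cli_name='gid', "
    "doc=_(Gettext('GID, as a number', domain='ipa')), minvalue=1)",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(strip_doc(line))
```

The third sample is the two-level case the patch description mentions (a call nested inside a call); a third level, such as `doc=_(a(b(c)))`, leaves the line untouched and `has_unstripped_doc` reports it, which is the check a build script would fail on.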
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 12 May 2011 11:40:59 -0400
Subject: [Freeipa-devel] [PATCH] 064 Improve service manipulation in client install
In-Reply-To: <1305112788.4961.7.camel@dhcp-25-52.brq.redhat.com>
References: <1305036130.11948.11.camel@dhcp-25-52.brq.redhat.com> <4DC94668.8070808@redhat.com> <1305112788.4961.7.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4DCBFF8B.9080905@redhat.com>

Martin Kosek wrote:
> On Tue, 2011-05-10 at 10:06 -0400, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> Remove redundant ipa-client-install error message when optional nscd daemon was not installed. Additionally, use standard IPA functions for service manipulation and improve logging.
>>>
>>> https://fedorahosted.org/freeipa/ticket/1207
>> Nack, a client-only install isn't going to have ipaserver to import from.
>
> Good catch, I didn't realize that. Will do next time.
>
> I have moved the /sbin/service and /sbin/chkconfig control routines to ipautil library, which are called by ipa-client-install.
>
> I have left the interface in ipaserver.install.service as it is used through many scripts and we could use this interface later when implementing a native systemd support. The deciding logic what init system to use can be then hidden behind this interface.
>
>> Ignoring certmonger not starting was for the case where it is already running. Ideally we should check the status of the service and start it if necessary.
>
> I think I have not touched this logic, I just added few logging statements that we can analyze when future users will file bug reports :-)
>
>> Some of this could be moved to ipapython as that is where common, non-framework code goes.
>
> Yeah, I chose ipapython.ipautil library. Please, take a look at the attached patch.
>
> Martin

Ack

From ayoung at redhat.com Thu May 12 16:31:31 2011
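The patch 064 thread above moves the /sbin/service control routines into ipapython.ipautil and notes that "ideally we should check the status of the service and start it if necessary" instead of ignoring a failed start. As an added example (not the ipautil code from the patch), the block below implements that idempotent start with logging. It assumes a SysV-style /sbin/service CLI whose `status` action exits 0 when the service runs (the LSB convention, with 3 meaning stopped) and takes the command runner as a parameter, so the logic can be exercised against the constructed FakeServiceHost without touching the machine; all function and class names are this example's own.

```python
"""Idempotent 'start a service if it is not already running', with logging.

Added example, not ipapython.ipautil. Assumes an LSB-style /sbin/service
whose `status` action exits 0 for a running service.
"""
import logging
import subprocess

log = logging.getLogger("service-control")


def run_command(args):
    """Default runner: returns (returncode, stdout, stderr) without raising."""
    proc = subprocess.run(args, capture_output=True, text=True)
    return proc.returncode, proc.stdout, proc.stderr


def is_running(name, runner=run_command):
    """Ask the init script for status; exit code 0 means running (LSB)."""
    rc, out, err = runner(["/sbin/service", name, "status"])
    log.debug("%s status rc=%d: %s%s", name, rc, out.strip(), err.strip())
    return rc == 0


def ensure_running(name, runner=run_command):
    """Start `name` only if it is not running.

    Returns the action taken: 'already-running', 'started' or 'failed', so
    the installer can log or abort on the real failure instead of ignoring
    every non-zero exit from `start`.
    """
    if is_running(name, runner):
        log.info("%s is already running, not restarting it", name)
        return "already-running"
    rc, out, err = runner(["/sbin/service", name, "start"])
    if rc != 0:
        log.error("starting %s failed (rc=%d): %s", name, rc,
                  err.strip() or out.strip())
        return "failed"
    log.info("started %s", name)
    return "started"


class FakeServiceHost:
    """Constructed stand-in for a host: records state and commands issued."""

    def __init__(self, running=(), broken=()):
        self.running = set(running)   # services reporting status 0
        self.broken = set(broken)     # services whose start action fails
        self.calls = []

    def __call__(self, args):
        self.calls.append(tuple(args))
        _, name, action = args
        if action == "status":
            if name in self.running:
                return 0, "%s is running\n" % name, ""
            return 3, "%s is stopped\n" % name, ""   # LSB: 3 = not running
        if action == "start":
            if name in self.broken:
                return 1, "", "Starting %s: [FAILED]\n" % name
            self.running.add(name)
            return 0, "Starting %s: [  OK  ]\n" % name, ""
        return 2, "", "unknown action\n"


if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG)
    host = FakeServiceHost(running=["certmonger"])
    print(ensure_running("certmonger", host))   # already-running
    print(ensure_running("nscd", host))         # started
```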
From: ayoung at redhat.com (Adam Young)
Date: Thu, 12 May 2011 12:31:31 -0400
Subject: [Freeipa-devel] [PATCH] admiyo-0220-update-ipa-init
In-Reply-To: <4DCBFAA7.6020909@redhat.com>
References: <4D95F60D.3000108@redhat.com> <4DCBFAA7.6020909@redhat.com>
Message-ID: <4DCC0B63.2050001@redhat.com>

On 05/12/2011 11:20 AM, Endi Sukma Dewata wrote:
> On 4/1/2011 10:58 AM, Adam Young wrote:
>>
>
> ACK. This can be pushed after removing the -x from the script header.
>

removed -x and whitespace, and pushed to master

From rcritten at redhat.com Thu May 12 20:22:45 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 12 May 2011 16:22:45 -0400
Subject: [Freeipa-devel] [PATCH] 066 Limit passwd plugin to user container
In-Reply-To: <1305213174.10620.1.camel@dhcp-25-52.brq.redhat.com>
References: <1305205186.7070.0.camel@dhcp-25-52.brq.redhat.com> <4DCBF7F8.1040105@redhat.com> <1305213174.10620.1.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4DCC4195.7040605@redhat.com>

Martin Kosek wrote:
> On Thu, 2011-05-12 at 11:08 -0400, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> Improve performance by specifying basedn to find_entry_by_attr() function in ldap2 and passwd plugins.
>>>
>>> https://fedorahosted.org/freeipa/ticket/1165
>>
>> Nack, it is possible to bind as an object other than a user, say a host. I think just the first part of the patch is needed.
>>
>> rob
>
> Thanks for the catch. In that case let's only do the proposed change. Updated patch attached.
>
> Martin

ack, pushed to master and ipa-2-0

rob

From rcritten at redhat.com Thu May 12 20:57:37 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 12 May 2011 16:57:37 -0400
Subject: [Freeipa-devel] [PATCH] 060 Consolidate man pages and IPA tools help
In-Reply-To: <1304497102.21112.3.camel@dhcp-25-52.brq.redhat.com>
References: <1304497102.21112.3.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4DCC49C1.3030206@redhat.com>

Martin Kosek wrote:
> I'll nack any patch in the future that would spoil this enjoyable effort :-)
>
> --
> IPA tools options are not consistent with information in man pages.
>
> https://fedorahosted.org/freeipa/ticket/1163
> https://fedorahosted.org/freeipa/ticket/1178
>

ack, pushed to master and ipa-2-0

From JR.Aquino at citrix.com Thu May 12 22:14:22 2011
From: JR.Aquino at citrix.com (JR Aquino)
Date: Thu, 12 May 2011 22:14:22 +0000
Subject: [Freeipa-devel] [PATCH] 27 Make sure ipa_config is read only when caching
Message-ID: <6DFD2E79-051D-4C31-ACC7-019CE81AF728@citrixonline.com>

It was discovered that using the batch plugin it was possible to store duplicate data in parts of the ipa_config during iterations. This was causing cascading exec failures if any one of the batch executions failed.

https://fedorahosted.org/freeipa/ticket/1220

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jraquino-0027-Make-sure-ipa_config-is-read-only-when-caching.patch
Type: application/octet-stream
Size: 1525 bytes
Desc: freeipa-jraquino-0027-Make-sure-ipa_config-is-read-only-when-caching.patch
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: ATT00001.txt

From rcritten at redhat.com Fri May 13 02:47:22 2011
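Patch 27 above describes a cache that let the batch plugin store duplicate data in ipa_config across iterations, so one failed execution cascaded into the rest. The block below is an added example, not FreeIPA's ipa_config code, that reproduces that failure class with a constructed config record: a cache that hands out its internal dict lets a caller's in-place edit leak into every later iteration, while a cache that returns a read-only view (types.MappingProxyType over tuple values) turns the same edit into an immediate, attributable error. The class and function names are this example's own.

```python
"""Why a cached config must be read-only to its callers.

Added example (not FreeIPA's ipa_config). The LeakyConfigCache returns its
private dict; the FrozenConfigCache returns an immutable view, so a caller
that mutates shared state fails on its own iteration instead of corrupting
the cache for everyone after it.
"""
from types import MappingProxyType


def _load_config_from_directory():
    """Constructed stand-in for the LDAP read that populates the cache."""
    return {"ipadefaultloginshell": ["/bin/sh"],
            "ipausersearchfields": ["uid", "givenname", "sn"]}


class LeakyConfigCache:
    """Returns its internal dictionary; any caller can corrupt it."""

    def __init__(self):
        self._cache = None

    def get(self):
        if self._cache is None:
            self._cache = _load_config_from_directory()
        return self._cache


class FrozenConfigCache:
    """Returns a read-only mapping whose multi-valued attributes are tuples."""

    def __init__(self):
        self._cache = None

    def get(self):
        if self._cache is None:
            raw = _load_config_from_directory()
            self._cache = MappingProxyType({k: tuple(v) for k, v in raw.items()})
        return self._cache


def bad_command(config):
    """A command that 'extends' the search fields in place (the bug)."""
    fields = config["ipausersearchfields"]
    fields.append("mail")          # mutates whatever the cache handed out
    return list(fields)


def good_command(config):
    """The same command done correctly: derive a new value, never mutate."""
    return list(config["ipausersearchfields"]) + ["mail"]


def run_batch(cache, command, iterations):
    """Run `command` repeatedly against one cache, like a batch of requests.

    Returns (per-iteration results, exception names raised, the value the
    cache holds afterwards) so the effect on shared state is observable.
    """
    results, errors = [], []
    for _ in range(iterations):
        try:
            results.append(command(cache.get()))
        except Exception as exc:   # a batch plugin reports this per item
            errors.append(type(exc).__name__)
    return results, errors, cache.get()["ipausersearchfields"]


if __name__ == "__main__":
    print(run_batch(LeakyConfigCache(), bad_command, 3))   # 'mail' piles up
    print(run_batch(FrozenConfigCache(), bad_command, 3))  # AttributeError x3
    print(run_batch(FrozenConfigCache(), good_command, 3)) # clean every time
```

With the leaky cache the third iteration sees three copies of `mail` and the cache itself is left in that state for the next request; with the frozen cache the faulty command fails on its own iteration and the cache is unchanged, which is the property the patch title asks for.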
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 12 May 2011 22:47:22 -0400
Subject: [Freeipa-devel] [PATCH] 782 update nvr for selinux-policy and pki-ca
Message-ID: <4DCC9BBA.10901@redhat.com>

Update min nvr for selinux-policy and pki-ca for F-15+

Done with conditionals so still installable on F-14.

ticket 1200

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-782-spec.patch
Type: application/mbox
Size: 1586 bytes
Desc: not available

From mkosek at redhat.com Fri May 13 09:22:29 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 13 May 2011 11:22:29 +0200
Subject: [Freeipa-devel] [PATCH] 782 update nvr for selinux-policy and pki-ca
In-Reply-To: <4DCC9BBA.10901@redhat.com>
References: <4DCC9BBA.10901@redhat.com>
Message-ID: <1305278549.21459.22.camel@dhcp-25-52.brq.redhat.com>

On Thu, 2011-05-12 at 22:47 -0400, Rob Crittenden wrote:
> Update min nvr for selinux-policy and pki-ca for F-15+
>
> Done with conditionals so still installable on F-14.
>
> ticket 1200
>
> rob

ACK. Good job, the conditional and the rpm build as a whole works fine for both F-14 and F-15.

I will leave the push to you, a merge is needed on ipa-2-0 as the spec file has diverged between those 2 branches.

Martin

From mkosek at redhat.com Fri May 13 11:29:16 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 13 May 2011 13:29:16 +0200
Subject: [Freeipa-devel] [PATCH] 048 Remove doc from API.txt
In-Reply-To: <4DCBFC49.4020202@redhat.com>
References: <1302530167.7619.30.camel@dhcp-25-52.brq.redhat.com> <4DCAF9C5.4030609@redhat.com> <1305181884.31973.1.camel@dhcp-25-52.brq.redhat.com> <4DCBFC49.4020202@redhat.com>
Message-ID: <1305286156.21459.23.camel@dhcp-25-52.brq.redhat.com>

On Thu, 2011-05-12 at 11:27 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > On Wed, 2011-05-11 at 17:04 -0400, Rob Crittenden wrote:
> >> Martin Kosek wrote:
> >>> Doc parts are not removed from the API completely. This leads to unnecessary updates to API.txt when the option/argument documentation is changed.
> >>>
> >>> This patch replaces unreliable doc stripping function with a regular expression. It works for all current doc strings (simple string or GetText). The only limitation is that the RE supports only up to 2 levels of nested parentheses in doc string.
> >>>
> >>> https://fedorahosted.org/freeipa/ticket/1057
> >>
> >> The approach looks good, can you rebase this?
> >>
> >> thanks
> >>
> >> rob
> >
> > Sure, here it goes.
> >
> > Martin
>
> Ack

Pushed to master, ipa-2-0.

I had to re-generate API.txt for ipa-2-0 branch, the file was diverged between the branches.

Martin

From mkosek at redhat.com Fri May 13 11:29:40 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 13 May 2011 13:29:40 +0200
Subject: [Freeipa-devel] [PATCH] 064 Improve service manipulation in client install
In-Reply-To: <4DCBFF8B.9080905@redhat.com>
References: <1305036130.11948.11.camel@dhcp-25-52.brq.redhat.com> <4DC94668.8070808@redhat.com> <1305112788.4961.7.camel@dhcp-25-52.brq.redhat.com> <4DCBFF8B.9080905@redhat.com>
Message-ID: <1305286180.21459.24.camel@dhcp-25-52.brq.redhat.com>

On Thu, 2011-05-12 at 11:40 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > On Tue, 2011-05-10 at 10:06 -0400, Rob Crittenden wrote:
> >> Martin Kosek wrote:
> >>> Remove redundant ipa-client-install error message when optional nscd daemon was not installed. Additionally, use standard IPA functions for service manipulation and improve logging.
> >>>
> >>> https://fedorahosted.org/freeipa/ticket/1207
> >> Nack, a client-only install isn't going to have ipaserver to import from.
> >
> > Good catch, I didn't realize that. Will do next time.
> >
> > I have moved the /sbin/service and /sbin/chkconfig control routines to ipautil library, which are called by ipa-client-install.
> >
> > I have left the interface in ipaserver.install.service as it is used through many scripts and we could use this interface later when implementing a native systemd support. The deciding logic what init system to use can be then hidden behind this interface.
> >
> >> Ignoring certmonger not starting was for the case where it is already running. Ideally we should check the status of the service and start it if necessary.
> >
> > I think I have not touched this logic, I just added few logging statements that we can analyze when future users will file bug reports :-)
> >
> >> Some of this could be moved to ipapython as that is where common, non-framework code goes.
> >
> > Yeah, I chose ipapython.ipautil library. Please, take a look at the attached patch.
> >
> > Martin
>
> Ack

Pushed to master, ipa-2-0.

Martin

From mkosek at redhat.com Fri May 13 11:31:34 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 13 May 2011 13:31:34 +0200
Subject: [Freeipa-devel] [PATCH] 065 Running ipa-replica-manage as non-root cause errors
In-Reply-To: <4DCBFA20.5080905@redhat.com>
References: <1305199690.31973.22.camel@dhcp-25-52.brq.redhat.com> <4DCBFA20.5080905@redhat.com>
Message-ID: <1305286294.21459.26.camel@dhcp-25-52.brq.redhat.com>

On Thu, 2011-05-12 at 11:17 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > Logging errors are printed out when ipa-replica-manage is run as a non-root user. Log has been disabled in such case to prevent such messages.
> >
> > https://fedorahosted.org/freeipa/ticket/1046
>
> Less than ideal but the logging here is rather inconsequential, so ack.
>
> rob

Yes, at this point, the patch only gets rid of the annoying message. The logging is not critical here.

Pushed to master, ipa-2-0.

Martin

From simo at redhat.com Fri May 13 12:28:02 2011
From: simo at redhat.com (Simo Sorce)
Date: Fri, 13 May 2011 08:28:02 -0400
Subject: [Freeipa-devel] [PATCH] 048 Remove doc from API.txt
In-Reply-To: <1305286156.21459.23.camel@dhcp-25-52.brq.redhat.com>
References: <1302530167.7619.30.camel@dhcp-25-52.brq.redhat.com> <4DCAF9C5.4030609@redhat.com> <1305181884.31973.1.camel@dhcp-25-52.brq.redhat.com> <4DCBFC49.4020202@redhat.com> <1305286156.21459.23.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <1305289682.5330.4.camel@willson.li.ssimo.org>

On Fri, 2011-05-13 at 13:29 +0200, Martin Kosek wrote:
> On Thu, 2011-05-12 at 11:27 -0400, Rob Crittenden wrote:
> > Martin Kosek wrote:
> > > On Wed, 2011-05-11 at 17:04 -0400, Rob Crittenden wrote:
> > >> Martin Kosek wrote:
> > >>> Doc parts are not removed from the API completely. This leads to unnecessary updates to API.txt when the option/argument documentation is changed.
> > >>>
> > >>> This patch replaces unreliable doc stripping function with a regular expression. It works for all current doc strings (simple string or GetText). The only limitation is that the RE supports only up to 2 levels of nested parentheses in doc string.
> > >>>
> > >>> https://fedorahosted.org/freeipa/ticket/1057
> > >>
> > >> The approach looks good, can you rebase this?
> > >>
> > >> thanks
> > >>
> > >> rob
> > >
> > > Sure, here it goes.
> > >
> > > Martin
> >
> > Ack
>
> Pushed to master, ipa-2-0.
>
> I had to re-generate API.txt for ipa-2-0 branch, the file was diverged between the branches.

Is this a safe change for 2.0.x ?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From mkosek at redhat.com Fri May 13 12:36:47 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 13 May 2011 14:36:47 +0200
Subject: [Freeipa-devel] [PATCH] 048 Remove doc from API.txt
In-Reply-To: <1305289682.5330.4.camel@willson.li.ssimo.org>
References: <1302530167.7619.30.camel@dhcp-25-52.brq.redhat.com> <4DCAF9C5.4030609@redhat.com> <1305181884.31973.1.camel@dhcp-25-52.brq.redhat.com> <4DCBFC49.4020202@redhat.com> <1305286156.21459.23.camel@dhcp-25-52.brq.redhat.com> <1305289682.5330.4.camel@willson.li.ssimo.org>
Message-ID: <1305290207.21459.27.camel@dhcp-25-52.brq.redhat.com>

On Fri, 2011-05-13 at 08:28 -0400, Simo Sorce wrote:
> On Fri, 2011-05-13 at 13:29 +0200, Martin Kosek wrote:
> > On Thu, 2011-05-12 at 11:27 -0400, Rob Crittenden wrote:
> > > Martin Kosek wrote:
> > > > On Wed, 2011-05-11 at 17:04 -0400, Rob Crittenden wrote:
> > > >> Martin Kosek wrote:
> > > >>> Doc parts are not removed from the API completely. This leads to unnecessary updates to API.txt when the option/argument documentation is changed.
> > > >>>
> > > >>> This patch replaces unreliable doc stripping function with a regular expression. It works for all current doc strings (simple string or GetText). The only limitation is that the RE supports only up to 2 levels of nested parentheses in doc string.
> > > >>>
> > > >>> https://fedorahosted.org/freeipa/ticket/1057
> > > >>
> > > >> The approach looks good, can you rebase this?
> > > >>
> > > >> thanks
> > > >>
> > > >> rob
> > > >
> > > > Sure, here it goes.
> > > >
> > > > Martin
> > >
> > > Ack
> >
> > Pushed to master, ipa-2-0.
> >
> > I had to re-generate API.txt for ipa-2-0 branch, the file was diverged between the branches.
>
> Is this a safe change for 2.0.x ?
>
> Simo.
>

I think so. I did not change the API itself, I just had to regenerate the API because of changes in makeapi script.

Martin

From jcholast at redhat.com Fri May 13 12:48:50 2011
From: jcholast at redhat.com (Jan Cholasta)
Date: Fri, 13 May 2011 14:48:50 +0200
Subject: [Freeipa-devel] [PATCH] 20 Assume ipa help for plugins
Message-ID: <4DCD28B2.4010507@redhat.com>

Show help for plugin when the user runs 'ipa ', instead of printing an error message about unknown command.

https://fedorahosted.org/freeipa/ticket/914

Honza

-- 
Jan Cholasta

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-20-assume-ipa-help.patch
Type: text/x-patch
Size: 909 bytes
Desc: not available

From JR.Aquino at citrix.com Fri May 13 15:23:27 2011
From: JR.Aquino at citrix.com (JR Aquino)
Date: Fri, 13 May 2011 15:23:27 +0000
Subject: [Freeipa-devel] [PATCH] 20 Assume ipa help for plugins
In-Reply-To: <4DCD28B2.4010507@redhat.com>
References: <4DCD28B2.4010507@redhat.com>
Message-ID: <18B8203B-EA00-49B5-945C-7800EB5EE940@citrixonline.com>

On May 13, 2011, at 5:48 AM, Jan Cholasta wrote:
> Show help for plugin when the user runs 'ipa ', instead of printing an error message about unknown command.
>
> https://fedorahosted.org/freeipa/ticket/914
>
> Honza
>
> --
> Jan Cholasta
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

Looks Good!

ACK

From adam at younglogic.com Fri May 13 15:47:18 2011
From: adam at younglogic.com (Adam Young)
Date: Fri, 13 May 2011 11:47:18 -0400
Subject: [Freeipa-devel] Move DNS to the Identity Tab?
Message-ID: <4DCD5286.6090800@younglogic.com>

One minor piece of Feedback I got from people at the Summit was surprise that DNS was on the Policy tab and not on the Identity tab. Moving this is trivial. Does anyone object to me making that change?

From JR.Aquino at citrix.com Fri May 13 16:00:31 2011
From: JR.Aquino at citrix.com (JR Aquino)
Date: Fri, 13 May 2011 16:00:31 +0000
Subject: [Freeipa-devel] Move DNS to the Identity Tab?
In-Reply-To: <4DCD5286.6090800@younglogic.com>
References: <4DCD5286.6090800@younglogic.com>
Message-ID: <7D07C567-F649-4486-9C5A-12372B37089D@citrixonline.com>

On May 13, 2011, at 8:47 AM, Adam Young wrote:
> One minor piece of Feedback I got from people at the Summit was surprise that DNS was on the Policy tab and not on the Identity tab. Moving this is trivial. Does anyone object to me making that change?

Makes sense. It defines the Identity of the hosts etc... It's more an Identity than it is a Policy ;)

From rcritten at redhat.com Fri May 13 17:07:53 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 13 May 2011 13:07:53 -0400
Subject: [Freeipa-devel] [PATCH] 782 update nvr for selinux-policy and pki-ca
In-Reply-To: <1305278549.21459.22.camel@dhcp-25-52.brq.redhat.com>
References: <4DCC9BBA.10901@redhat.com> <1305278549.21459.22.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4DCD6569.2080108@redhat.com>

Martin Kosek wrote:
> On Thu, 2011-05-12 at 22:47 -0400, Rob Crittenden wrote:
>> Update min nvr for selinux-policy and pki-ca for F-15+
>>
>> Done with conditionals so still installable on F-14.
>>
>> ticket 1200
>>
>> rob
>
> ACK. Good job, the conditional and the rpm build as a whole works fine for both F-14 and F-15.
>
> I will leave the push to you, a merge is needed on ipa-2-0 as the spec file has diverged between those 2 branches.
>
> Martin
>

pushed to master and ipa-2-0

From rcritten at redhat.com Fri May 13 17:18:29 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 13 May 2011 13:18:29 -0400
Subject: [Freeipa-devel] [PATCH] 27 Make sure ipa_config is read only when caching
In-Reply-To: <6DFD2E79-051D-4C31-ACC7-019CE81AF728@citrixonline.com>
References: <6DFD2E79-051D-4C31-ACC7-019CE81AF728@citrixonline.com>
Message-ID: <4DCD67E5.1060602@redhat.com>

JR Aquino wrote:
> It was discovered that using the batch plugin it was possible to store duplicate data in parts of the ipa_config during iterations. This was causing cascading exec failures if any one of the batch executions failed.
> https://fedorahosted.org/freeipa/ticket/1220

ack, pushed to master and ipa-2-0

From rcritten at redhat.com Fri May 13 17:27:42 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 13 May 2011 13:27:42 -0400
Subject: [Freeipa-devel] [PATCH] 20 Assume ipa help for plugins
In-Reply-To: <18B8203B-EA00-49B5-945C-7800EB5EE940@citrixonline.com>
References: <4DCD28B2.4010507@redhat.com> <18B8203B-EA00-49B5-945C-7800EB5EE940@citrixonline.com>
Message-ID: <4DCD6A0E.6020509@redhat.com>

JR Aquino wrote:
> On May 13, 2011, at 5:48 AM, Jan Cholasta wrote:
>
>> Show help for plugin when the user runs 'ipa', instead of printing an error message about unknown command.
>>
>> https://fedorahosted.org/freeipa/ticket/914
>>
>> Honza
>>
>> --
>> Jan Cholasta
>
> Looks Good!
>
> ACK

2nd ack, pushed to master and ipa-2-0

From JR.Aquino at citrix.com Fri May 13 18:08:15 2011
From: JR.Aquino at citrix.com (JR Aquino)
Date: Fri, 13 May 2011 18:08:15 +0000
Subject: [Freeipa-devel] [PATCH] 24 Add sudorule and hbacrule to memberof AND indirectmemberof attributes
In-Reply-To: <4DC9FF25.8070501@redhat.com>
References: <36AD4E47-C1BE-4603-8578-1823F2C89892@citrixonline.com> <4DB1DCD6.1060606@redhat.com> <0B1CC5CC-F36C-4EA7-B30D-472539E64D7E@citrixonline.com> <4DC9FD7F.1090505@redhat.com> <4DC9FF25.8070501@redhat.com>
Message-ID: <7D243923-B3F9-4284-9FAF-550AC9E86AEE@citrixonline.com>

On May 10, 2011, at 8:14 PM, Adam Young wrote:
> On 05/10/2011 11:07 PM, Adam Young wrote:
>> On 05/10/2011 04:38 PM, JR Aquino wrote:
>>> On Apr 22, 2011, at 12:53 PM, Rob Crittenden wrote:
>>>
>>>> JR Aquino wrote:
>>>>
>>>>> On Apr 12, 2011, at 9:45 AM, JR Aquino wrote:
>>>>>
>>>>>> Add HBAC Rule and Sudo Rule to users as indirect member attributes to simplify the auditing of users for their indirect membership to their authorization rights.
>>>>>>
>>>>>> An Administrator should have the ability to quickly identify the rights a user will have in the system.
>>>>>>
>>>>>> For example. With the patch added, my user show looks like this:
>>>>>>
>>>>>> # ipa user-show tester --all
>>>>>> dn: uid=builder,cn=users,cn=accounts,dc=example,dc=com
>>>>>> User login: tester
>>>>>> First name: Tester
>>>>>> Last name: Engineering
>>>>>> Full name: Tester Engineering
>>>>>> Display name: Tester Engineering
>>>>>> Initials: TE
>>>>>> Home directory: /home/tester
>>>>>> GECOS field: Tester Engineering
>>>>>> Login shell: /bin/sh
>>>>>> Kerberos principal: tester at EXAMPLE.COM
>>>>>> UID: 1829800388
>>>>>> GID: 1829800388
>>>>>> Account disabled: False
>>>>>> Member of groups: ipausers, auto-dev-deploy-tools, build-integration
>>>>>> ipauniqueid: 72fa22c6-6085-11e0-9629-0023aefe4ec0
>>>>>> krbpwdpolicyreference: cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com
>>>>>> memberofindirect_HBAC rule: development
>>>>>> memberofindirect_Sudo Rule: AUTO-dev-deploy-tools_DEPLOY, AUTO-dev-deploy-tools_ZENOSS, build-integration
>>>>>> mepmanagedentry: cn=tester,cn=groups,cn=accounts,dc=example,dc=com
>>>>>> objectclass: top, person, organizationalperson, inetorgperson, inetuser, posixaccount
>>>>>>
>>>>> Oops, forgot to have PATCH in the subject.
>>>>>
>>>> I think you need this as well, right?
>>>>
>>>> - 'memberof': ['group', 'netgroup', 'role'],
>>>> + 'memberof': ['group', 'netgroup', 'role', 'sudorule', 'hbacrule'],
>>>>
>>> Some scope change.
>>>
>>> Added memberof and memberofindirect
>>>
>>> Added to user.py host.py group.py hostgroup.py
>>>
>>> When using the --all flag it is now very clear to the administrator what authorization rules these objects are directly or indirectly a memberof.
>>>
>>> xmlrpc tests check out
>>>
>>> Please review
>>>
>>
>> The reason that this shows up in the UI is that it is generating additional memberof attributes. It has nothing to do with the memberofindirect:
>
> You are also going to need to modify the sudo rule and HBAC rule to use the serial associator on some facets. It looks like group at least has things backwards. The group.js file I think needs a rule like this:
>
> association_facet({
>     name: 'memberof_sudorule',
>     associator: IPA.serial_associator
> }).
>
> This is because the API is for adding multiple groups to the sudo rule, but the default behaviour is for adding multiple >other entity> to .

The above comment is regarding ticket: https://fedorahosted.org/freeipa/ticket/1218 which is dependent on this patch and ticket 1170

As for Patch 24 and ticket 1170, are there any other questions or does this look ready to go?

From rcritten at redhat.com Fri May 13 18:12:19 2011
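Patch 24 above exposes HBAC and sudo rules as memberof / memberofindirect attributes so an administrator can see at a glance which authorization rules reach a user through group membership. The block below is an added example, not FreeIPA's plugin code or its directory-server memberOf plugin: it computes the same direct/indirect distinction over a small constructed in-memory model (users in groups, nested groups, rules that list groups or users as members) and renders it in the key style of the `--all` output quoted in the thread. The data, names and functions are this example's own.

```python
"""Audit which HBAC and sudo rules apply to a user, directly or via groups.

Added example, not FreeIPA code. The model is deliberately minimal: rules
hold explicit user and group members only; host/service/command sides of
the rules and usercategory=all are out of scope here.
"""
from collections import deque

# Constructed sample directory (not from any real deployment).
USER_GROUPS = {                       # user -> groups the user is directly in
    "tester": ["ipausers", "auto-dev-deploy-tools", "build-integration"],
}
GROUP_PARENTS = {                     # group -> groups it is itself a member of
    "build-integration": ["release-eng"],
}
RULE_MEMBERS = {                      # (kind, name) -> explicit members
    ("hbacrule", "development"): {"group": ["auto-dev-deploy-tools"], "user": []},
    ("sudorule", "AUTO-dev-deploy-tools_DEPLOY"): {"group": ["auto-dev-deploy-tools"], "user": []},
    ("sudorule", "release"): {"group": ["release-eng"], "user": []},
    ("sudorule", "direct-tester"): {"group": [], "user": ["tester"]},
}


def effective_groups(user):
    """Return (direct groups, indirect groups) for `user`.

    Indirect groups are reached by walking nested membership transitively;
    the `seen` set also stops on cyclic group definitions.
    """
    direct = set(USER_GROUPS.get(user, []))
    seen, queue = set(direct), deque(direct)
    while queue:
        for parent in GROUP_PARENTS.get(queue.popleft(), []):
            if parent not in seen:
                seen.add(parent)
                queue.append(parent)
    return direct, seen - direct


def rule_membership(user):
    """Map every rule that grants `user` rights to 'direct' or 'indirect'."""
    direct_groups, indirect_groups = effective_groups(user)
    reachable = direct_groups | indirect_groups
    membership = {}
    for rule, members in RULE_MEMBERS.items():
        if user in members["user"]:
            membership[rule] = "direct"
        elif any(g in reachable for g in members["group"]):
            membership[rule] = "indirect"
    return membership


def audit_report(user):
    """Group rule names by kind and directness, mirroring the --all keys
    (memberof_<kind> for direct, memberofindirect_<kind> for indirect)."""
    report = {}
    for (kind, name), how in rule_membership(user).items():
        key = ("memberof_" if how == "direct" else "memberofindirect_") + kind
        report.setdefault(key, []).append(name)
    return {key: sorted(names) for key, names in report.items()}


if __name__ == "__main__":
    for key, names in sorted(audit_report("tester").items()):
        print("%s: %s" % (key, ", ".join(names)))
```

Note that the `release` sudo rule shows up for `tester` even though the user is only in `build-integration`: the rule reaches the user through the nested group, which is exactly the path an administrator auditing effective rights needs to see.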
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 13 May 2011 14:12:19 -0400
Subject: [Freeipa-devel] Automount API consistency and WebUI searches
In-Reply-To: <4DCB3047.30805@redhat.com>
References: <4DCB3047.30805@redhat.com>
Message-ID: <4DCD7483.7030401@redhat.com>

Adam Young wrote:
> The general pattern for finding something is
>
> _find FILTER
>
> And for nested entities is
>
> _find PARENTKEY FILTER
>
> So for Automount it is
>
> automountlocation_find FILTER
>
> automountmap_find LOC FILTER
>
> So Key should be
>
> automountkey_find LOC MAP FILTER
>
> The show command should then be
>
> _show PKEY
>
> _show PARENTKEY PKEY
>
> So for Automount it should be
>
> automountlocation_show LOC
>
> automountmap_show LOC MAP
>
> so key should be
>
> automountkey_show LOC MAP KEY
>
> For the key, in both cases it is not this. Instead, the whole key and the whole --info (mountpoint) must be specified for the show command. On the find side there is an indication that the parameters should be --info and --key, but FILTER seems to work correctly.
>
> It seems that the key should be unique within a map. Is there any good reason to require the --info parameter when showing keys? Instead, it only enforces that a pair be unique. Since automount triggers if someone browses to a specific directory, I thought that the option of which to choose would have to be deterministic: if I go to /home/ayoung, it ought to always mount nfsserver:/home/ayoung. What am I missing?

Yes, it looks like the dn for keys is wrong. It uses description as part of the dn when it should use automountkey instead. I think this slipped in when we added locations, but that is represented as cn.

It should be relatively easy to fix, the question is how we rename any existing entries.

I opened ticket https://fedorahosted.org/freeipa/ticket/1229

rob

From rcritten at redhat.com Fri May 13 20:10:57 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 13 May 2011 16:10:57 -0400
Subject: [Freeipa-devel] [PATCH] 783 get group info when showing user
Message-ID: <4DCD9051.3040908@redhat.com>

The UI team had asked that we provide some group info (GID, description) when showing users. This adds a special call to group_find to get this information. It is returned as a list of dicts.

ticket 107

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-783-groupinfo.patch
Type: text/x-patch
Size: 5185 bytes
Desc: not available

From ayoung at redhat.com Fri May 13 22:07:37 2011
From: ayoung at redhat.com (Adam Young)
Date: Fri, 13 May 2011 18:07:37 -0400
Subject: [Freeipa-devel] [PATCH] 783 get group info when showing user
In-Reply-To: <4DCD9051.3040908@redhat.com>
References: <4DCD9051.3040908@redhat.com>
Message-ID: <4DCDABA9.1030802@redhat.com>

On 05/13/2011 04:10 PM, Rob Crittenden wrote:
> The UI team had asked that we provide some group info (GID, description) when showing users. This adds a special call to group_find to get this information. It is returned as a list of dicts.
>
> ticket 107
>
> rob

I wonder if this is the wrong abstraction. As we discussed today, we need to do many of these types of cross referential searches. Basically, we need to be able to filter on 'member' and 'memberof' type relationships.

So if we did a group_find --member_user=ayoung it would return all groups that I am a member of. This would work across the board for association facets

From rcritten at redhat.com Fri May 13 23:52:15 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 13 May 2011 19:52:15 -0400
Subject: [Freeipa-devel] [PATCH] 783 get group info when showing user
In-Reply-To: <4DCDABA9.1030802@redhat.com>
References: <4DCD9051.3040908@redhat.com> <4DCDABA9.1030802@redhat.com>
Message-ID: <4DCDC42F.7080107@redhat.com>

Adam Young wrote:
> On 05/13/2011 04:10 PM, Rob Crittenden wrote:
>> The UI team had asked that we provide some group info (GID, description) when showing users. This adds a special call to group_find to get this information. It is returned as a list of dicts.
>>
>> ticket 107
>>
>> rob
>
> I wonder if this is the wrong abstraction. As we discussed today, we need to do many of these types of cross referential searches. Basically, we need to be able to filter on 'member' and 'memberof' type relationships.
>
> So if we did a group_find --member_user=ayoung it would return all groups that I am a member of. This would work across the board for association facets

That works now, as specified in the ticket. I was under the impression this was rejected, which is why I embedded it into user-show.

What you suggested works now with:

ipa group-find --users=ayoung

memberof doesn't exist in the group; you have to look at the end entity.

rob

From adam at younglogic.com Sat May 14 01:27:12 2011
From: adam at younglogic.com (Adam Young)
Date: Fri, 13 May 2011 21:27:12 -0400
Subject: [Freeipa-devel] Ticket #293
Message-ID: <4DCDDA70.6050804@younglogic.com>

I'm tripping over the solution to this ticket:

https://fedorahosted.org/freeipa/ticket/293

I don't understand the statement:

"The key for a direct map is /- so only one can be in auto.master"

auto.master is the map. Do you mean that there cannot be more than one direct map in a location?

The key for a direct map should be the fully qualified path name down to the mount point. If it is a direct map, the mount point is specified from /-, but the key will be unique:

For example

/home/ayoung exporter:/altlocation/ayoung
/home/* exporter:/home/&

That would allow a different location for my home directory (ayoung) than everyone else.

I've reverted the patch in my tree and the original behavior seems sensible. What was the impetus for pushing this patch through, and can we cleanly revert it? Rob stated that there will be a data porting issue due to the values we put in to Dir Srv for the dn.

A related issue that may be moot: I tested an indirect map, and can't see where the key gets stored. I haven't tried it without the reverted patch, so it may be something that got fixed later.

From ayoung at redhat.com Sat May 14 03:28:24 2011
From: ayoung at redhat.com (Adam Young)
Date: Fri, 13 May 2011 23:28:24 -0400
Subject: [Freeipa-devel] Fwd: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
Message-ID: <4DCDF6D8.60306@redhat.com>

Beyond my knowledge. Any help here?

-------- Original Message --------
Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
Date: Fri, 13 May 2011 18:38:07 -0700 (PDT)
From: nasir nasir
To: Adam Young

I did this. Now my ipa automountlocation-tofiles default shows,

/etc/auto.master:
/- /etc/auto.direct
/share /etc/auto.share
/home /etc/auto.home
---------------------------
/etc/auto.direct:
---------------------------
/etc/auto.share:
---------------------------
/etc/auto.home:
* -rw,sec=krb5,soft,rsize=8192,wsize=8192 hugayat.cohort.org:/xtra/home/&

Also my /etc/export looks like this,

/xtra/home *(rw,fsid=0,insecure,no_root_squash,no_subtree_check)
/xtra/home gss/krb5(rw,fsid=0,insecure,no_root_squash,no_subtree_check)
/xtra/home gss/krb5i(rw,fsid=0,insecure,no_root_squash,no_subtree_check)
/xtra/home gss/krb5p(rw,fsid=0,insecure,no_root_squash,no_subtree_check)

Still it is not working. I tested to login from the server (as I don't have another test machine with IPA, I added the mkhomedir line in the pam files to test on this machine only). It is NOT mounting the NFS home partition from the remote NFS server. Instead it is creating /home/USER on the local partition. Now if you think this is some problem due to testing from the IPA server, I will install IPA client on a new machine with the mkhomedir switch and try to test from there. Please suggest.

Thanks and regards,
Nidal

> A simple test, change the automount map to just mount /home completely, and then create a new user. I'm guessing that will work. Basically
>
> /etc/auto.home:
> /home -rw,sec=krb5,soft,rsize=8192,wsize=8192 nfsserver.cohort.org:/xtra/home/

From jhrozek at redhat.com Mon May 16 08:01:23 2011
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Mon, 16 May 2011 10:01:23 +0200
Subject: [Freeipa-devel] Ticket #293
In-Reply-To: <4DCDDA70.6050804@younglogic.com>
References: <4DCDDA70.6050804@younglogic.com>
Message-ID: <4DD0D9D3.6060806@redhat.com>

On 05/14/2011 03:27 AM, Adam Young wrote:
> I'm tripping over the solution to this ticket:
>
> https://fedorahosted.org/freeipa/ticket/293
> I don't understand the statement:
> "The key for a direct map is /- so only one can be in auto.master"
> auto.master is the map. Do you mean that there cannot be more than one direct map in a location?
>

auto.master is the default map that is consulted for the list of maps.

The problem was that we were storing the map key (automountkey attribute) as RDN, so in effect you could not have duplicate keys. For indirect maps, it is usually OK, but the problem is storing something like this in LDAP:

/etc/auto.master:
/- /etc/auto.direct
/- /etc/auto.direct2

The patch for #293 worked around the uniqueness constraint by not storing the automountkey in the DN but rather storing the (automountkey, automountinformation) tuple in the description attribute and using description for the RDN. So instead of requiring the key to be unique we require the (key,info) tuple to be unique.

Automounter does not care about DNs of keys, so this approach was safe.

> The key for a direct map should be the fully qualified path name down to the mount point. If it is a direct map, the mount point is specified from /-, but the key will be unique:
>

You are describing the contents of the direct map. The problem is linking the direct map into the master map.

> For example
>
> /home/ayoung exporter:/altlocation/ayoung
> /home/* exporter:/home/&
>
> That would allow a different location for my home directory (ayoung) than everyone else.
>
> I've reverted the patch in my tree and the original behavior seems sensible. What was the impetus for pushing this patch through, and can we cleanly revert it? Rob stated that there will be a data porting issue due to the values we put in to Dir Srv for the dn.
>

I fail to see what the problem with the patch is and why you suggest reverting it.

> A related issue that may be moot: I tested an indirect map, and can't see where the key gets stored. I haven't tried it without the reverted patch, so it may be something that got fixed later.
>

In the automountkey attribute, which is the same as with the reverted patch. The patch only changes the DNs, nothing else.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 261 bytes
Desc: OpenPGP digital signature

From mkosek at redhat.com Mon May 16 11:05:42 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 16 May 2011 13:05:42 +0200
Subject: [Freeipa-devel] [PATCH] 067 A new flag to disable creation of UPG
Message-ID: <1305543942.30122.4.camel@dhcp-25-52.brq.redhat.com>

This patch is based on Pavel's old patch.

I am considering applying the patch for master branch only as it changes an API (adds a new flag) and is a sort of new-functionality-ish.

--
Automatic creation of User Private Groups (UPG) may not be wanted at all times. This patch adds a new flag --noprivate to the ipa user-add command to disable it.

https://fedorahosted.org/freeipa/ticket/1131

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-067-a-new-flag-to-disable-creation-of-upg.patch
Type: text/x-patch
Size: 8834 bytes

From ayoung at redhat.com Mon May 16 13:40:33 2011
From: ayoung at redhat.com (Adam Young)
Date: Mon, 16 May 2011 09:40:33 -0400
Subject: [Freeipa-devel] Ticket #293
In-Reply-To: <4DD0D9D3.6060806@redhat.com>
References: <4DCDDA70.6050804@younglogic.com> <4DD0D9D3.6060806@redhat.com>
Message-ID: <4DD12951.2060307@redhat.com>

On 05/16/2011 04:01 AM, Jakub Hrozek wrote:
> On 05/14/2011 03:27 AM, Adam Young wrote:
>> I'm tripping over the solution to this ticket:
>>
>> https://fedorahosted.org/freeipa/ticket/293
>> I don't understand the statement:
>> "The key for a direct map is /- so only one can be in auto.master"
>> auto.master is the map. Do you mean that there cannot be more than one direct map in a location?
>>
> auto.master is the default map that is consulted for the list of maps.
>
> The problem was that we were storing the map key (automountkey attribute) as RDN, so in effect you could not have duplicate keys. For indirect maps, it is usually OK, but the problem is storing something like this in LDAP:
>
> /etc/auto.master:
> /- /etc/auto.direct
> /- /etc/auto.direct2
>
> The patch for #293 worked around the uniqueness constraint by not storing the automountkey in the DN but rather storing the (automountkey, automountinformation) tuple in the description attribute and using description for the RDN. So instead of requiring the key to be unique we require the (key,info) tuple to be unique.
>
> Automounter does not care about DNs of keys, so this approach was safe.
>
>> The key for a direct map should be the fully qualified path name down to the mount point. If it is a direct map, the mount point is specified from /-, but the key will be unique:
>>
> You are describing the contents of the direct map. The problem is linking the direct map into the master map.
>
>> For example
>>
>> /home/ayoung exporter:/altlocation/ayoung
>> /home/* exporter:/home/&
>>
>> That would allow a different location for my home directory (ayoung) than everyone else.
>>
>> I've reverted the patch in my tree and the original behavior seems sensible. What was the impetus for pushing this patch through, and can we cleanly revert it? Rob stated that there will be a data porting issue due to the values we put in to Dir Srv for the dn.
>>
> I fail to see what the problem with the patch is and why you suggest reverting it.

It has to do with managing the keys. The entire key/info has to be unique, as opposed to just the key. This makes the logic for the UI very convoluted, and it makes the SHOW command difficult to use, as you basically need all of the information to show, not just the key. We broke the normal case for a corner case, and there is a better solution.

From a uniqueness perspective, the location itself should be unique, the combination of location and mapname should be the unique key for the map, and the tripart key location, mapname, keyname should be the unique key for the key. For default maps, I agree that you should not be using the key as the unique identifier, and I can see why that caused problems.

>> A related issue that may be moot: I tested an indirect map, and can't see where the key gets stored. I haven't tried it without the reverted patch, so it may be something that got fixed later.
>>
> In the automountkey attribute, which is the same as with the reverted patch. The patch only changes the DNs, nothing else.

From rcritten at redhat.com Mon May 16 13:59:04 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 16 May 2011 09:59:04 -0400
Subject: [Freeipa-devel] Ticket #293
In-Reply-To: <4DCDDA70.6050804@younglogic.com>
References: <4DCDDA70.6050804@younglogic.com>
Message-ID: <4DD12DA8.9070009@redhat.com>

Adam Young wrote:
> I'm tripping over the solution to this ticket:
>
> https://fedorahosted.org/freeipa/ticket/293
> I don't understand the statement:
> "The key for a direct map is /- so only one can be in auto.master"
> auto.master is the map. Do you mean that there cannot be more than one direct map in a location?

Right.

> The key for a direct map should be the fully qualified path name down to the mount point. If it is a direct map, the mount point is specified from /-, but the key will be unique:
>
> For example
>
> /home/ayoung exporter:/altlocation/ayoung
> /home/* exporter:/home/&
>
> That would allow a different location for my home directory (ayoung) than everyone else.
>
> I've reverted the patch in my tree and the original behavior seems sensible. What was the impetus for pushing this patch through, and can we cleanly revert it? Rob stated that there will be a data porting issue due to the values we put in to Dir Srv for the dn.
>
> A related issue that may be moot: I tested an indirect map, and can't see where the key gets stored. I haven't tried it without the reverted patch, so it may be something that got fixed later.

This was needed to support a text-based auto.master that looks like:

/- /etc/auto_direct1
/- /etc/auto_direct2
/- /etc/auto_direct3

These three would all generate the same DN:

automountkey=/-,automountmapname=auto.master,cn=default,cn=automount,dc=example,dc=com

rob

From mkosek at redhat.com Mon May 16 15:26:48 2011
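The DN collision Jakub and Rob describe, as an added example that is not FreeIPA code: it builds the key DN under the pre-#293 layout (RDN = automountkey) and under the #293 layout (RDN = description holding "key info"), with RFC 4514 escaping of RDN values, and reports which DNs more than one entry would land on. The suffix dc=example,dc=com and the sample maps are constructed from the messages above.

```python
"""Added example: how the automount key RDN choice decides whether several
'/-' entries in auto.master can coexist in LDAP (not FreeIPA's own code)."""
from collections import Counter

# Characters that must be backslash-escaped inside an RDN value (RFC 4514).
RDN_SPECIAL = set(',+"\\<>;=')


def escape_rdn_value(value):
    """Escape an attribute value for use in an RDN (RFC 4514 rules)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in RDN_SPECIAL or (i == 0 and ch in ' #') or (i == last and ch == ' '):
            out.append('\\' + ch)
        else:
            out.append(ch)
    return ''.join(out)


def automount_key_dn(location, mapname, key, info, scheme,
                     suffix='dc=example,dc=com'):
    """Build the DN of one automount key entry.

    scheme='key'  : RDN is automountkey=<key>           (layout before #293)
    scheme='tuple': RDN is description=<key> <info>     (layout after #293)
    Under 'tuple' the DN cannot be derived from the key alone, which is why
    the show command then needs --info as well as the key.
    """
    if scheme == 'key':
        rdn = 'automountkey=%s' % escape_rdn_value(key)
    elif scheme == 'tuple':
        rdn = 'description=%s' % escape_rdn_value('%s %s' % (key, info))
    else:
        raise ValueError('unknown scheme %r' % scheme)
    return '%s,automountmapname=%s,cn=%s,cn=automount,%s' % (
        rdn, escape_rdn_value(mapname), escape_rdn_value(location), suffix)


def find_collisions(location, mapname, entries, scheme):
    """Return the DNs that more than one (key, info) pair in a map maps to.

    A non-empty result means the map cannot be stored as given: the second
    entry would be rejected as a duplicate DN.
    """
    counts = Counter(automount_key_dn(location, mapname, key, info, scheme)
                     for key, info in entries)
    return sorted(dn for dn, n in counts.items() if n > 1)


# Constructed samples from the thread: three direct maps linked from
# auto.master, and Adam's indirect map with a per-user override.
AUTO_MASTER = [('/-', '/etc/auto_direct1'),
               ('/-', '/etc/auto_direct2'),
               ('/-', '/etc/auto_direct3')]
AUTO_HOME = [('/home/ayoung', 'exporter:/altlocation/ayoung'),
             ('/home/*', 'exporter:/home/&')]

if __name__ == '__main__':
    for scheme in ('key', 'tuple'):
        print(scheme, 'auto.master collisions:',
              find_collisions('default', 'auto.master', AUTO_MASTER, scheme))
        print(scheme, 'auto.home collisions:',
              find_collisions('default', 'auto.home', AUTO_HOME, scheme))
```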
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 16 May 2011 17:26:48 +0200
Subject: [Freeipa-devel] [PATCH] 19 Do stricter checking of IP addresses passed to server install
In-Reply-To: <4DC97FEC.1000005@redhat.com>
References: <4DC97FEC.1000005@redhat.com>
Message-ID: <1305559608.30122.30.camel@dhcp-25-52.brq.redhat.com>

On Tue, 2011-05-10 at 20:11 +0200, Jan Cholasta wrote:
> Split from patch 3, requires patch 18.
>
> https://fedorahosted.org/freeipa/ticket/1213
>
> Honza
>

I tested all patches (3.6, 18, 19), but I think some work still needs to be done:

1) What about adding /sbin/ip package to Requires in spec? I thought there was an agreement to do it.

2) When I run `ipa-server-install --ip-address=$ADDR`, and $ADDR is an invalid address (e.g. $ADDR==foo), a loopback address (e.g. $ADDR==127.0.0.1) or just an address other than the local one (e.g. $ADDR==123.123.123.123), the installer always fails with "the hostname resolves to an IP address that is different from the one provided on the command line".

I think we may want a different error message in those 3 cases - it should be easy to do it now, with the improved IP handling.

3) When I pass a netmask to ipa-server-install --ip-address=$ADDR, the installation always fails with the above message. Even though I took the addr+netmask from "/sbin/ip address" output.

4) I miss IP address checks in --ip-address and --forwarder parameters of ipa-dns-install script. I can pass invalid or local addresses to these parameters. This breaks Bind configuration.

5) I think we may want to check also for local address in
#ipa host-add $HOST --ip-address=127.0.0.1

6) I couldn't add IP address with netmask in host module:
# ipa host-add $HOST --ip-address=10.16.78.102/22
ipa: ERROR: invalid 'ip_address': invalid IP address

7) Why is the _ParsedIPAddress named with a leading underscore? It's not really an internal use since it is returned by new IP handling functions and used in other modules.

Martin

From jhrozek at redhat.com Mon May 16 15:51:38 2011
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Mon, 16 May 2011 17:51:38 +0200
Subject: [Freeipa-devel] [PATCH] 19 Do stricter checking of IP addresses passed to server install
In-Reply-To: <1305559608.30122.30.camel@dhcp-25-52.brq.redhat.com>
References: <4DC97FEC.1000005@redhat.com> <1305559608.30122.30.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4DD1480A.8010003@redhat.com>

On 05/16/2011 05:26 PM, Martin Kosek wrote:
> 5) I think we may want to check also for local address in
> #ipa host-add $HOST --ip-address=127.0.0.1

Just a note - IPAddress.check is_link_local() from python-netaddr can do the check for you

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 261 bytes
Desc: OpenPGP digital signature

From edewata at redhat.com Mon May 16 16:23:36 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 16 May 2011 11:23:36 -0500
Subject: [Freeipa-devel] [PATCH] 156 Customizable facet groups.
Message-ID: <4DD14F88.8000009@redhat.com>

The IPA.entity has been modified to support customizable facet groups. The default list of facet groups is defined in IPA.entity_header and can be overridden in the entity definition.

--
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0156-Customizable-facet-groups.patch
Type: text/x-patch
Size: 29215 bytes

From edewata at redhat.com Mon May 16 16:56:01 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 16 May 2011 11:56:01 -0500
Subject: [Freeipa-devel] [PATCH] 156 Customizable facet groups.
In-Reply-To: <4DD14F88.8000009@redhat.com>
References: <4DD14F88.8000009@redhat.com>
Message-ID: <4DD15721.3050002@redhat.com>

On 5/16/2011 11:23 AM, Endi Sukma Dewata wrote:
> The IPA.entity has been modified to support customizable facet groups. The default list of facet groups is defined in IPA.entity_header and can be overridden in the entity definition.

The patch has been fixed to handle missing relationships in the selfservice and delegation entity. The indirect tabs have been removed and will be added back in the patch for ticket 1030.

--
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0156-2-Customizable-facet-groups.patch
Type: text/x-patch
Size: 29355 bytes

From jcholast at redhat.com Mon May 16 17:15:13 2011
From: jcholast at redhat.com (Jan Cholasta)
Date: Mon, 16 May 2011 19:15:13 +0200
Subject: [Freeipa-devel] [PATCH] 19 Do stricter checking of IP addresses passed to server install
In-Reply-To: <1305559608.30122.30.camel@dhcp-25-52.brq.redhat.com>
References: <4DC97FEC.1000005@redhat.com> <1305559608.30122.30.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4DD15BA1.5080004@redhat.com>

On 16.5.2011 17:26, Martin Kosek wrote:
> On Tue, 2011-05-10 at 20:11 +0200, Jan Cholasta wrote:
>> Split from patch 3, requires patch 18.
>>
>> https://fedorahosted.org/freeipa/ticket/1213
>>
>> Honza
>>
>
> I tested all patches (3.6, 18, 19), but I think some work still needs to be done:
>
> 1) What about adding /sbin/ip package to Requires in spec? I thought there was an agreement to do it.

Will do.

> 2) When I run `ipa-server-install --ip-address=$ADDR`, and $ADDR is an invalid address (e.g. $ADDR==foo), a loopback address (e.g. $ADDR==127.0.0.1) or just an address other than the local one (e.g. $ADDR==123.123.123.123), the installer always fails with "the hostname resolves to an IP address that is different from the one provided on the command line".
>
> I think we may want a different error message in those 3 cases - it should be easy to do it now, with the improved IP handling.

It looks like the print statements from verify_ip_address don't actually print anything to the user. Will look into that.

> 3) When I pass a netmask to ipa-server-install --ip-address=$ADDR, the installation always fails with the above message. Even though I took the addr+netmask from "/sbin/ip address" output.

Works for me. Please make sure you've added your hostname to /etc/hosts.

> 4) I miss IP address checks in --ip-address and --forwarder parameters of ipa-dns-install script. I can pass invalid or local addresses to these parameters. This breaks Bind configuration.

--ip-address is checked, but --forwarder is not. Will fix that.

> 5) I think we may want to check also for local address in
> #ipa host-add $HOST --ip-address=127.0.0.1
>
> 6) I couldn't add IP address with netmask in host module:
> # ipa host-add $HOST --ip-address=10.16.78.102/22
> ipa: ERROR: invalid 'ip_address': invalid IP address

The patches are for the installer, as are the tickets they fix, so these issues are out of scope. A new ticket should be opened for them.

> 7) Why is the _ParsedIPAddress named with a leading underscore? It's not really an internal use since it is returned by new IP handling functions and used in other modules.

_ParsedIPAddress is not for public use. The fact that an object of this class is returned by parse_ip_address doesn't really matter - this is Python, not C++ or Java.

> Martin
>

Honza

--
Jan Cholasta

From ayoung at redhat.com Mon May 16 18:42:59 2011
From: ayoung at redhat.com (Adam Young)
Date: Mon, 16 May 2011 14:42:59 -0400
Subject: [Freeipa-devel] [PATCH] 156 Customizable facet groups.
In-Reply-To: <4DD15721.3050002@redhat.com>
References: <4DD14F88.8000009@redhat.com> <4DD15721.3050002@redhat.com>
Message-ID: <4DD17033.9050908@redhat.com>

On 05/16/2011 12:56 PM, Endi Sukma Dewata wrote:
> On 5/16/2011 11:23 AM, Endi Sukma Dewata wrote:
>> The IPA.entity has been modified to support customizable facet groups. The default list of facet groups is defined in IPA.entity_header and can be overridden in the entity definition.
>
> The patch has been fixed to handle missing relationships in the selfservice and delegation entity. The indirect tabs have been removed and will be added back in the patch for ticket 1030.

ACK. Pushed to master

From edewata at redhat.com Mon May 16 20:47:43 2011
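The address checks Martin asks for in the patch 19 thread (distinct diagnostics for an invalid address, a loopback address, an address that is not configured locally, and the ADDR/PREFIX form that host-add rejected), as an added example that is not FreeIPA's installer code. It uses the Python standard library ipaddress module instead of python-netaddr; the set of local addresses is a constructed stand-in for what "/sbin/ip address" would report, and check_forwarder is a hypothetical counterpart for the ipa-dns-install --forwarder case.

```python
"""Added example (not FreeIPA code): one diagnostic per failure mode for an
installer --ip-address argument, with optional /PREFIX netmask support."""
import ipaddress

# Constructed stand-in for the addresses "/sbin/ip address" would list.
LOCAL_ADDRESSES = {'10.16.78.102', '192.168.1.20', 'fd00::1'}


class IPAddressError(ValueError):
    """Raised with a message naming the specific problem."""


def parse_ip_address(text):
    """Accept '10.16.78.102' or '10.16.78.102/22' (IPv4 or IPv6).

    Returns (ipaddress.IPv4Address or IPv6Address, prefixlen or None).
    The address part is validated before the netmask so that the two
    failure modes get different messages.
    """
    addr, sep, _prefix = text.partition('/')
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        raise IPAddressError('invalid IP address: %r' % text)
    if not sep:
        return ip, None
    try:
        # strict=False keeps host bits, e.g. 10.16.78.102/22 is accepted.
        net = ipaddress.ip_network(text, strict=False)
    except ValueError:
        raise IPAddressError('invalid netmask in %r' % text)
    return ip, net.prefixlen


def check_install_ip(text, local_addresses=LOCAL_ADDRESSES):
    """Validate an address given to a server installer.

    Rejects, in this order, syntactically invalid input, loopback,
    link-local, multicast/unspecified addresses, and addresses that are not
    configured on this host.  Returns (ip, prefixlen) when acceptable.
    """
    ip, prefixlen = parse_ip_address(text)
    if ip.is_loopback:
        raise IPAddressError('%s is a loopback address' % ip)
    if ip.is_link_local:
        raise IPAddressError('%s is a link-local address' % ip)
    if ip.is_multicast or ip.is_unspecified:
        raise IPAddressError('%s is not a usable host address' % ip)
    if str(ip) not in local_addresses:
        raise IPAddressError('%s is not configured on this host' % ip)
    return ip, prefixlen


def check_forwarder(text):
    """Hypothetical check for a DNS forwarder: a plain address without a
    netmask that is neither loopback nor link-local."""
    ip, prefixlen = parse_ip_address(text)
    if prefixlen is not None:
        raise IPAddressError('forwarder %r must not carry a netmask' % text)
    if ip.is_loopback or ip.is_link_local:
        raise IPAddressError('%s cannot be used as a forwarder' % ip)
    return ip


def diagnose(text, check=check_install_ip):
    """Return None when the value is accepted, else the rejection reason."""
    try:
        check(text)
    except IPAddressError as exc:
        return str(exc)
    return None


if __name__ == '__main__':
    for value in ('foo', '127.0.0.1', '123.123.123.123',
                  '10.16.78.102/22', '10.16.78.102/33'):
        print('%-18s -> %s' % (value, diagnose(value) or 'ok'))
```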
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 16 May 2011 15:47:43 -0500
Subject: [Freeipa-devel] [PATCH] 157 Read-only association facet.
Message-ID: <4DD18D6F.7070401@redhat.com>

The IPA.association_facet has been modified to take a read_only parameter. If the parameter is set to true, the Enroll and Delete buttons will not be shown. All facets under the memberindirect and memberofindirect facet groups are marked as read-only.

Ticket #1030

--
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0157-Read-only-association-facet.patch
Type: text/x-patch
Size: 15357 bytes

From rcritten at redhat.com Mon May 16 21:46:50 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 16 May 2011 17:46:50 -0400
Subject: [Freeipa-devel] [PATCH] 784 limit what attributes may be modified
Message-ID: <4DD19B4A.4090203@redhat.com>

Add option to limit the attributes allowed in an entry.

Kerberos ticket policy can update policy in a user entry. This allowed set/addattr to be used to modify attributes outside of the ticket policy purview, also bypassing all validation/normalization. Likewise the ticket policy was updatable by the user plugin, bypassing all validation.

Add two new LDAPObject values to control this behavior:

limit_object_classes: only attributes in these are allowed
disallow_object_classes: attributes in these are disallowed

By default both of these lists are empty so are skipped.

ticket 744

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-784-krbtpolicy.patch
Type: application/mbox
Size: 11339 bytes

From rcritten at redhat.com Tue May 17 02:12:19 2011
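The limit_object_classes / disallow_object_classes rules from patch 784, as an added example that is not FreeIPA's LDAPObject code: it parses --setattr/--addattr style ATTR=VALUE options and reports which attributes the two lists refuse. The object class to attribute mapping is a constructed mini-schema, not the real 389-ds schema.

```python
"""Added example (not FreeIPA code): which --setattr/--addattr attributes an
object with limit_object_classes / disallow_object_classes would refuse."""

# Constructed mini-schema: object class -> attributes it carries (lowercase).
SCHEMA = {
    'krbticketpolicyaux': {'krbmaxticketlife', 'krbmaxrenewableage'},
    'posixaccount': {'uid', 'uidnumber', 'gidnumber', 'homedirectory',
                     'loginshell'},
    'inetorgperson': {'cn', 'sn', 'givenname', 'mail', 'uid'},
}


def attrs_of(object_classes):
    """Union of the attributes the given object classes carry.

    Object class names are matched case-insensitively, as LDAP does.
    """
    names = set()
    for oc in object_classes:
        try:
            names |= SCHEMA[oc.lower()]
        except KeyError:
            raise ValueError('unknown object class %r' % oc)
    return names


def parse_attr_options(options):
    """Turn ['ATTR=VALUE', ...] into (attr, value) pairs, attr lowercased."""
    pairs = []
    for opt in options:
        attr, sep, value = opt.partition('=')
        attr = attr.strip().lower()
        if not sep or not attr:
            raise ValueError('expected ATTR=VALUE, got %r' % opt)
        pairs.append((attr, value))
    return pairs


def rejected_attrs(options, limit_object_classes=(), disallow_object_classes=()):
    """Return, in input order, the attributes the object's limits refuse.

    limit_object_classes: when non-empty, only attributes carried by these
    classes are allowed.
    disallow_object_classes: when non-empty, attributes carried by these
    classes are refused.
    Both lists empty (the default) means no filtering at all.
    """
    allowed = attrs_of(limit_object_classes) if limit_object_classes else None
    blocked = attrs_of(disallow_object_classes) if disallow_object_classes else set()
    rejected = []
    for attr, _value in parse_attr_options(options):
        if (allowed is not None and attr not in allowed) or attr in blocked:
            rejected.append(attr)
    return rejected


if __name__ == '__main__':
    # Ticket policy object: may only touch ticket policy attributes.
    print(rejected_attrs(['krbmaxticketlife=3600', 'uidNumber=0'],
                         limit_object_classes=['krbTicketPolicyAux']))
    # User object: may not touch ticket policy attributes.
    print(rejected_attrs(['mail=a@example.com', 'krbMaxRenewableAge=604800'],
                         disallow_object_classes=['krbTicketPolicyAux']))
```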
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 16 May 2011 22:12:19 -0400
Subject: [Freeipa-devel] [PATCH] 067 A new flag to disable creation of UPG
In-Reply-To: <1305543942.30122.4.camel@dhcp-25-52.brq.redhat.com>
References: <1305543942.30122.4.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4DD1D983.4080102@redhat.com>

Martin Kosek wrote:
> This patch is based on Pavel's old patch.
>
> I am considering applying the patch for master branch only as it changes an API (adds a new flag) and is a sort of new-functionality-ish.
>
> --
> Automatic creation of User Private Groups (UPG) may not be wanted at all times. This patch adds a new flag --noprivate to the ipa user-add command to disable it.
>
> https://fedorahosted.org/freeipa/ticket/1131

Nack, setattr and addattr are removed from API.txt. I'm guessing it's a side-effect of some change here.

The approach generally looks good.

rob

From ayoung at redhat.com Tue May 17 02:28:41 2011
From: ayoung at redhat.com (Adam Young)
Date: Mon, 16 May 2011 22:28:41 -0400
Subject: [Freeipa-devel] [PATCH] 157 Read-only association facet.
In-Reply-To: <4DD18D6F.7070401@redhat.com>
References: <4DD18D6F.7070401@redhat.com>
Message-ID: <4DD1DD59.2070106@redhat.com>

On 05/16/2011 04:47 PM, Endi Sukma Dewata wrote:
> The IPA.association_facet has been modified to take a read_only parameter. If the parameter is set to true, the Enroll and Delete buttons will not be shown. All facets under the memberindirect and memberofindirect facet groups are marked as read-only.
>
> Ticket #1030

ACK. Pushed to master

From rcritten at redhat.com Tue May 17 03:01:19 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 16 May 2011 23:01:19 -0400
Subject: [Freeipa-devel] [PATCH] 050 KDC autodiscovery may fail when domain is not realm
In-Reply-To: <1303824486.9340.23.camel@dhcp-25-52.brq.redhat.com>
References: <1303824486.9340.23.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4DD1E4FF.3020903@redhat.com>

Martin Kosek wrote:
> How to test:
>
> 1) Install IPA server with DNS support with --realm=TESTRELM (different from DOMAIN)
> 2) Configure client machine to use this DNS server
> 3) Run "ipa-client-install" on the client machine
> - Unpatched installer fails because it cannot find KDC for DNS domain "testrelm"
> - Patched installer turns off KDC DNS autodiscovery and installation succeeds
>
> If DNS zone "testrelm" with appropriate SRV records is configured, installer allows KDC DNS autodiscovery.
>
> Hint for new zone configuration:
> # ipa dnszone-add TESTRELM --name-server=vm-057.idm.lab.bos.redhat.com. --admin-email=root at testrelm
> # ipa dnsrecord-add testrelm _kerberos --txt-rec=TESTRELM
> # ipa dnsrecord-add testrelm _kerberos-master._tcp --srv-rec="0 100 88 vm-057"
> # ipa dnsrecord-add testrelm _kerberos-master._udp --srv-rec="0 100 88 vm-057"
> # ipa dnsrecord-add testrelm _kerberos._udp --srv-rec="0 100 88 vm-057"
> # ipa dnsrecord-add testrelm _kerberos._tcp --srv-rec="0 100 88 vm-057"
> # ipa dnsrecord-add idm.lab.bos.redhat.com gordo --a-rec=10.16.78.1
> # ipa dnsrecord-add testrelm vm-057 --cname-rec="vm-057.idm.lab.bos.redhat.com."
> # service named reload
>
> Martin

ack, works great.

rob

From mkosek at redhat.com Tue May 17 06:58:30 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 17 May 2011 08:58:30 +0200
Subject: [Freeipa-devel] [PATCH] 050 KDC autodiscovery may fail when domain is not realm
In-Reply-To: <4DD1E4FF.3020903@redhat.com>
References: <1303824486.9340.23.camel@dhcp-25-52.brq.redhat.com> <4DD1E4FF.3020903@redhat.com>
Message-ID: <1305615510.22796.0.camel@dhcp-25-52.brq.redhat.com>

On Mon, 2011-05-16 at 23:01 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > How to test:
> >
> > 1) Install IPA server with DNS support with --realm=TESTRELM (different from DOMAIN)
> > 2) Configure client machine to use this DNS server
> > 3) Run "ipa-client-install" on the client machine
> > - Unpatched installer fails because it cannot find KDC for DNS domain "testrelm"
> > - Patched installer turns off KDC DNS autodiscovery and installation succeeds
> >
> > If DNS zone "testrelm" with appropriate SRV records is configured, installer allows KDC DNS autodiscovery.
> >
> > Hint for new zone configuration:
> > # ipa dnszone-add TESTRELM --name-server=vm-057.idm.lab.bos.redhat.com. --admin-email=root at testrelm
> > # ipa dnsrecord-add testrelm _kerberos --txt-rec=TESTRELM
> > # ipa dnsrecord-add testrelm _kerberos-master._tcp --srv-rec="0 100 88 vm-057"
> > # ipa dnsrecord-add testrelm _kerberos-master._udp --srv-rec="0 100 88 vm-057"
> > # ipa dnsrecord-add testrelm _kerberos._udp --srv-rec="0 100 88 vm-057"
> > # ipa dnsrecord-add testrelm _kerberos._tcp --srv-rec="0 100 88 vm-057"
> > # ipa dnsrecord-add idm.lab.bos.redhat.com gordo --a-rec=10.16.78.1
> > # ipa dnsrecord-add testrelm vm-057 --cname-rec="vm-057.idm.lab.bos.redhat.com."
> > # service named reload
> >
> > Martin
>
> ack, works great.
>
> rob

Pushed to master, ipa-2-0.

Martin

From mkosek at redhat.com Tue May 17 07:59:18 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 17 May 2011 09:59:18 +0200
Subject: [Freeipa-devel] [PATCH] 067 A new flag to disable creation of UPG
In-Reply-To: <4DD1D983.4080102@redhat.com>
References: <1305543942.30122.4.camel@dhcp-25-52.brq.redhat.com> <4DD1D983.4080102@redhat.com>
Message-ID: <1305619158.22796.3.camel@dhcp-25-52.brq.redhat.com>

On Mon, 2011-05-16 at 22:12 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > This patch is based on Pavel's old patch.
> >
> > I am considering applying the patch for master branch only as it changes an API (adds a new flag) and is a sort of new-functionality-ish.
> >
> > --
> > Automatic creation of User Private Groups (UPG) may not be wanted at all times. This patch adds a new flag --noprivate to the ipa user-add command to disable it.
> >
> > https://fedorahosted.org/freeipa/ticket/1131
>
> Nack, setattr and addattr are removed from API.txt. I'm guessing it's a side-effect of some change here.
>
> The approach generally looks good.
>
> rob

You are right, this was a side-effect in user.py. I fixed the problem; the updated patch is attached.

Martin

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-067-2-a-new-flag-to-disable-creation-of-upg.patch
Type: text/x-patch
Size: 8538 bytes

From mkosek at redhat.com Tue May 17 12:23:29 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 17 May 2011 14:23:29 +0200
Subject: [Freeipa-devel] [PATCH] 756 handle no forwarded TGT
In-Reply-To: <4D90A56A.6010508@redhat.com>
References: <4D90A56A.6010508@redhat.com>
Message-ID: <1305635009.22796.14.camel@dhcp-25-52.brq.redhat.com>

On Mon, 2011-03-28 at 11:12 -0400, Rob Crittenden wrote:
> We should gracefully handle the case where no TGT has been forwarded. Right now we return a 500 error.
>
> ticket 1101
>
> rob

This works fine on the server; a nice error response from the RPC server is returned. However, I was wondering if we could print this error response also to the CLI user? Right now, all I get are general error messages that would not lead me to the actual root cause of this problem:

$ ipa user-show admin
ipa: ERROR: cannot connect to 'any of the configured servers': https://vm-027.idm.lab.bos.redhat.com/ipa/xml, https://vm-027.idm.lab.bos.redhat.com/ipa/xml

Martin

From atkac at redhat.com Tue May 17 12:52:38 2011
From: atkac at redhat.com (Adam Tkac) Date: Tue, 17 May 2011 14:52:38 +0200 Subject: [Freeipa-devel] [bind-dyndb-ldap] Code cleanup Message-ID: <4DD26F96.2040300@redhat.com> Hello, attached series of patches cleans code a little (mostly removes unused variables) and makes locking inside bind-dyndb-ldap more readable and understandable. Most of the cleanup series gets rid of the ldap_connection->database reference because there is a reference from "database" variable to ldap_connection. This "double link" makes current locking hard-to-understand. I tested this series well, it shouldn't cause any regression. Regards, Adam -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0001-Remove-unused-lock-from-ldapdb_t.patch URL: -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0002-Use-LOCK-instead-of-CONTROLED_LOCK-in-destroy_ldap_c.patch URL: -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0003-Remove-ldap_connection-database-mctx-refs-use-direct.patch URL: -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0004-Don-t-use-ldap_connection-database-fake_mnape-refere.patch URL: -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0005-Don-t-reference-ldap_connection-database-conn_semaph.patch URL: -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0006-ldap_connection_t-has-now-it-s-own-reference-to-memo.patch URL: -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0007-Remove-the-rest-of-ldap_connection-database-referenc.patch URL: -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... 
[Attachment scrubbed by the archive: 0008-Store-connections-to-LDAP-in-array-instead-of-in-lis.patch]
[Attachment scrubbed by the archive: 0009-Remove-unused-ldap_connection.base-variable.patch]
[Attachment scrubbed by the archive: 0010-Add-note-about-locking-in-ldap_helper.c.patch]

From: atkac at redhat.com (Adam Tkac)
Date: Tue, 17 May 2011 14:57:34 +0200
Subject: [Freeipa-devel] [bind-dyndb-ldap] Add support for loading new zones from LDAP
Message-ID: <4DD270BE.4010300@redhat.com>

Hello all,

this series adds support for loading newly-added zones from LDAP.
Currently you must set `arg "zone_refresh ";` in your named.conf to
enable this feature because by default the plugin doesn't check for new
zones. "rndc reload" is no longer needed to pick up new zones.

Note that when you delete a zone from LDAP, the plugin still doesn't
recognize it.

Regards, Adam

[Attachment scrubbed by the archive: 0011-Freeze-server-when-changing-zones-and-don-t-hold-ins.patch]
[Attachment scrubbed by the archive: 0012-Publish-zones-only-when-all-ACLs-are-set-correctly.patch]
[Attachment scrubbed by the archive: 0013-Allow-to-load-new-zones-from-LDAP-runtime.patch]
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 17 May 2011 15:11:42 +0200
Subject: [Freeipa-devel] [PATCH] 769 enable SSL hostname checking
In-Reply-To: <4DA36D1C.9000702@redhat.com>
References: <4DA36D1C.9000702@redhat.com>
Message-ID: <1305637902.22796.20.camel@dhcp-25-52.brq.redhat.com>

On Mon, 2011-04-11 at 17:05 -0400, Rob Crittenden wrote:
> Enable 389-ds SSL host checking by default
>
> Enforce that the remote hostname matches the remote SSL server
> certificate when 389-ds operates as an SSL client.
>
> Also add an update file to turn this off for existing installations.
>
> ticket 1069
>
> rob

NACK. 10-config.update fails to upgrade an existing installation:

# ipa-ldap-updater --upgrade
Upgrading IPA:
[1/8]: stopping directory server
[2/8]: saving configuration
[3/8]: disabling listeners
[4/8]: starting directory server
[5/8]: upgrading server
ERROR:root:Update failed: Server is unwilling to perform: Deleting attributes is not allowed
[6/8]: stopping directory server
[7/8]: restoring configuration
[8/8]: starting directory server
done configuring dirsrv.

Martin

From: kybaker at redhat.com (Kyle Baker)
Date: Tue, 17 May 2011 13:22:15 -0400 (EDT)
Subject: [Freeipa-devel] [PATCH] 0014 Search Box Style
In-Reply-To: <1720078729.82266.1305652920693.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>
Message-ID: <1920184382.82273.1305652935194.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>

Please review and ACK.

Kyle Baker
Visual Designer
Desk - 978 392 3116
IRC - kylebaker

[Attachment scrubbed by the archive: freeipa-kybaker-0014-Search-Box.patch, text/x-patch, 6018 bytes]
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 17 May 2011 13:47:29 -0400
Subject: [Freeipa-devel] [PATCH] 756 handle no forwarded TGT
In-Reply-To: <1305635009.22796.14.camel@dhcp-25-52.brq.redhat.com>
References: <4D90A56A.6010508@redhat.com> <1305635009.22796.14.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4DD2B4B1.2050901@redhat.com>

Martin Kosek wrote:
> On Mon, 2011-03-28 at 11:12 -0400, Rob Crittenden wrote:
>> We should gracefully handle the case where no TGT has been forwarded.
>> Right now we return a 500 error.
>>
>> ticket 1101
>>
>> rob
>
> This works fine on the server, a nice error response from the RPC server is
> returned. However, I was wondering if we could print this error response
> also to the CLI user?
>
> Right now, all I get are general error messages that would not lead me
> to the actual root cause of this problem:
>
> $ ipa user-show admin
> ipa: ERROR: cannot connect to 'any of the configured servers':
> https://vm-027.idm.lab.bos.redhat.com/ipa/xml,
> https://vm-027.idm.lab.bos.redhat.com/ipa/xml
>
> Martin
>

The problem seems to be that the exception is Fault, not KerberosError.
I'll take another look.

rob
From: ayoung at redhat.com (Adam Young)
Date: Tue, 17 May 2011 13:56:44 -0400
Subject: [Freeipa-devel] Streamline client use cases
Message-ID: <4DD2B6DC.2040207@redhat.com>

There are a wide variety of install scenarios, so we don't get too
specific on some scenarios. One that is pretty common in the test and
acceptance phase that might not be a real issue in a live deployment
deals with DHCP values for nameservers. For example, when coding on my
laptop, the DHCP server provides a bogus value for the nameserver.
Additionally, we have a Lab setup at our office that is managed by
another team, and it certainly won't provide the nameserver value for a
development IPA server.

What I'd like to see is a workflow based approach to the ipa-client
setup that does basic configuration and troubleshooting.

If the user runs ipa-client, attempt autodiscovery. If autodiscovery
fails, the first thing we should do is get the name or IP address of the
nameserver, and then retry autodiscovery. If it fails again, we can
potentially test for firewall ports etc. For example, if we attempt to
do an xmlrpc to the IPA server, get back a "Negotiate" response, and yet
we can't talk to the KDC, it is likely a firewall issue. These are
probably the most common issues on client install.

Second deals with adding users. We have a catch 22 regarding
automount. Ideally, an NFS server will contain the automounted home
directories for the users. For a small organization, automounted /home
in its entirety is probably fine. However, far more common is to
automount the separate directories for each user using a matching rule.
In this case, there is no easy way to create the user's home directory on
demand. I'm not sure that there is a single 'right' solution, but one
possible approach is to provide a "call this script after user creation"
hook.

I can open tickets for these, but I'd like to vet the concepts first.
Perhaps there is something I'm missing in both cases.
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 17 May 2011 15:12:05 -0400
Subject: [Freeipa-devel] [PATCH] 756 handle no forwarded TGT
In-Reply-To: <4DD2B4B1.2050901@redhat.com>
References: <4D90A56A.6010508@redhat.com> <1305635009.22796.14.camel@dhcp-25-52.brq.redhat.com> <4DD2B4B1.2050901@redhat.com>
Message-ID: <4DD2C885.6050902@redhat.com>

Rob Crittenden wrote:
> Martin Kosek wrote:
>> On Mon, 2011-03-28 at 11:12 -0400, Rob Crittenden wrote:
>>> We should gracefully handle the case where no TGT has been forwarded.
>>> Right now we return a 500 error.
>>>
>>> ticket 1101
>>>
>>> rob
>>
>> This works fine on the server, a nice error response from the RPC server is
>> returned. However, I was wondering if we could print this error response
>> also to the CLI user?
>>
>> Right now, all I get are general error messages that would not lead me
>> to the actual root cause of this problem:
>>
>> $ ipa user-show admin
>> ipa: ERROR: cannot connect to 'any of the configured servers':
>> https://vm-027.idm.lab.bos.redhat.com/ipa/xml,
>> https://vm-027.idm.lab.bos.redhat.com/ipa/xml
>>
>> Martin
>>
>
> The problem seems to be that the exception is Fault, not KerberosError.
> I'll take another look.
>
> rob

Updated patch attached.

You can test with:

% kinit -F admin
% ipa user-show admin
% kdestroy
% ipa user-show admin

You should get reasonable errors back.

rob

[Attachment scrubbed by the archive: freeipa-rcrit-756-2-ccache.patch, application/mbox, 2593 bytes]
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 18 May 2011 09:37:17 +0200
Subject: [Freeipa-devel] [PATCH] 756 handle no forwarded TGT
In-Reply-To: <4DD2C885.6050902@redhat.com>
References: <4D90A56A.6010508@redhat.com> <1305635009.22796.14.camel@dhcp-25-52.brq.redhat.com> <4DD2B4B1.2050901@redhat.com> <4DD2C885.6050902@redhat.com>
Message-ID: <1305704237.22796.27.camel@dhcp-25-52.brq.redhat.com>

On Tue, 2011-05-17 at 15:12 -0400, Rob Crittenden wrote:
> Rob Crittenden wrote:
> > Martin Kosek wrote:
> >> On Mon, 2011-03-28 at 11:12 -0400, Rob Crittenden wrote:
> >>> We should gracefully handle the case where no TGT has been forwarded.
> >>> Right now we return a 500 error.
> >>>
> >>> ticket 1101
> >>>
> >>> rob
> >>
> >> This works fine on the server, a nice error response from the RPC server is
> >> returned. However, I was wondering if we could print this error response
> >> also to the CLI user?
> >>
> >> Right now, all I get are general error messages that would not lead me
> >> to the actual root cause of this problem:
> >>
> >> $ ipa user-show admin
> >> ipa: ERROR: cannot connect to 'any of the configured servers':
> >> https://vm-027.idm.lab.bos.redhat.com/ipa/xml,
> >> https://vm-027.idm.lab.bos.redhat.com/ipa/xml
> >>
> >> Martin
> >>
> >
> > The problem seems to be that the exception is Fault, not KerberosError.
> > I'll take another look.
> >
> > rob
>
> Updated patch attached.
>
> You can test with:
>
> % kinit -F admin
> % ipa user-show admin
> % kdestroy
> % ipa user-show admin
>
> You should get reasonable errors back.
>
> rob

Yeah, now it's much more clear what happened.

ACK and pushed to master, ipa-2-0.

Martin
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 18 May 2011 10:51:34 +0200
Subject: [Freeipa-devel] [PATCH] 19 Do stricter checking of IP addressed passed to server install
In-Reply-To: <4DD15BA1.5080004@redhat.com>
References: <4DC97FEC.1000005@redhat.com> <1305559608.30122.30.camel@dhcp-25-52.brq.redhat.com> <4DD15BA1.5080004@redhat.com>
Message-ID: <1305708694.22796.60.camel@dhcp-25-52.brq.redhat.com>

On Mon, 2011-05-16 at 19:15 +0200, Jan Cholasta wrote:
> On 16.5.2011 17:26, Martin Kosek wrote:
> > On Tue, 2011-05-10 at 20:11 +0200, Jan Cholasta wrote:
> >> Split from patch 3, requires patch 18.
> >>
> >> https://fedorahosted.org/freeipa/ticket/1213
> >>
> >> Honza
> >>
> >
> > I tested all patches (3.6, 18, 19), but I think some work still needs to
> > be done:
> >
> > 1) What about adding the /sbin/ip package to Requires in the spec? I thought
> > there was an agreement to do it.
>
> Will do.

Ok.

> >
> > 2) When I run `ipa-server-install --ip-address=$ADDR`, and $ADDR is an
> > invalid address (e.g. $ADDR==foo), a loopback address (e.g.
> > $ADDR==127.0.0.1) or just another than the local address (e.g.
> > $ADDR==123.123.123.123), the installer always fails with "the hostname
> > resolves to an IP address that is different from the one provided on the
> > command line".
> >
> > I think we may want a different error message in those 3 cases - it
> > should be easy to do it now, with the improved IP handling.
>
> It looks like the print statements from verify_ip_address don't
> actually print anything to the user. Will look into that.

Ok.

> >
> > 3) When I pass a netmask to ipa-server-install --ip-address=$ADDR, the
> > installation always fails with the above message. Even though I took the
> > addr+netmask from "/sbin/ip address" output.
>
> Works for me. Please make sure you've added your hostname to /etc/hosts.

I think I had. But I will recheck when you send a fix.
> >
> > 4) I miss IP address checks in the --ip-address and --forwarder parameters
> > of the ipa-dns-install script. I can pass invalid or local addresses to
> > these parameters. This breaks the Bind configuration.
>
> --ip-address is checked, but --forwarder is not. Will fix that.

Ok, I will recheck both of them when you do.

> >
> > 5) I think we may want to check also for a local address in
> > #ipa host-add $HOST --ip-address=127.0.0.1
> >
> > 6) I couldn't add an IP address with netmask in the host module:
> > # ipa host-add $HOST --ip-address=10.16.78.102/22
> > ipa: ERROR: invalid 'ip_address': invalid IP address
>
> The patches are for the installer, as are the tickets they fix, so these
> issues are out of scope. A new ticket should be opened for them.
>

You touched this parameter in your patches, that's why I tested it. I
created a new ticket for it:

https://fedorahosted.org/freeipa/ticket/1234

Ticket 1234, yey :-)

> >
> > 7) Why is the _ParsedIPAddress named with a leading underscore? It's not
> > really an internal use since it is returned by new IP handling functions
> > and used in other modules.
>
> _ParsedIPAddress is not for public use. The fact that an object of this
> class is returned by parse_ip_address doesn't really matter - this is
> Python, not C++ or Java.

Hm, snappy... And I was wondering why my /usr/bin/java doesn't want to
run FreeIPA, now I know - it's because it's Python.

Martin
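The installer cases Martin lists above (an invalid value, a loopback address, an address that is not the local one, and the ADDR/PREFIX form from item 6), worked through as an added example. This is not the patch's code: parse_ip_address and ParsedIPAddress reuse the names from the thread but are a stand-alone implementation, check_local_ip_address, check_forwarder and error_for are hypothetical, the local address list the installer would read from /sbin/ip is passed in as a constructed sample, and the Python 3 stdlib ipaddress module does the parsing.

```python
"""Stricter checking of IP addresses handed to an installer.

Added illustration for the patch 19 discussion; not FreeIPA's own code.
parse_ip_address/ParsedIPAddress borrow the thread's names only; the
other names are hypothetical. Uses the Python 3 stdlib ipaddress module.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


class IPAddressError(ValueError):
    """Carries a message that names the actual problem with the value."""


@dataclass(frozen=True)
class ParsedIPAddress:
    address: IPAddress
    prefixlen: Optional[int]  # None when the value carried no netmask

    def __str__(self) -> str:
        if self.prefixlen is None:
            return str(self.address)
        return f"{self.address}/{self.prefixlen}"


def parse_ip_address(text: str) -> ParsedIPAddress:
    """Accept 'ADDR' or 'ADDR/PREFIX' (e.g. '10.16.78.102/22').

    Each failure gets its own message so the user learns which check
    failed instead of a generic "hostname resolves to a different address".
    """
    text = text.strip()
    if "/" in text:
        try:
            iface = ipaddress.ip_interface(text)  # host address plus netmask
        except ValueError:
            raise IPAddressError(f"invalid IP address or netmask: {text!r}") from None
        address, prefixlen = iface.ip, iface.network.prefixlen
    else:
        try:
            address = ipaddress.ip_address(text)
        except ValueError:
            raise IPAddressError(f"invalid IP address: {text!r}") from None
        prefixlen = None
    if address.is_loopback:
        raise IPAddressError(f"loopback address {address} cannot be used")
    if address.is_unspecified or address.is_multicast:
        raise IPAddressError(f"reserved address {address} cannot be used")
    return ParsedIPAddress(address, prefixlen)


def check_local_ip_address(text: str, local_addresses: Iterable[str]) -> ParsedIPAddress:
    """Server --ip-address: must parse and be configured on this host.

    local_addresses stands in for what the installer would read from
    '/sbin/ip address'; the caller passes it so this runs offline.
    """
    parsed = parse_ip_address(text)
    local = {ipaddress.ip_address(a) for a in local_addresses}
    if parsed.address not in local:
        raise IPAddressError(
            f"{parsed.address} is not configured on this host "
            f"(local addresses: {', '.join(sorted(map(str, local)))})")
    return parsed


def check_forwarder(text: str) -> ParsedIPAddress:
    """DNS --forwarder: a usable address that need not be local, but a
    netmask makes no sense for a forwarder and is rejected."""
    parsed = parse_ip_address(text)
    if parsed.prefixlen is not None:
        raise IPAddressError(f"forwarder {text!r} must not carry a netmask")
    return parsed


def error_for(text: str, local_addresses: Optional[Iterable[str]] = None,
              forwarder: bool = False) -> Optional[str]:
    """Return the message a user would see, or None when the value is accepted."""
    try:
        if forwarder:
            check_forwarder(text)
        elif local_addresses is None:
            parse_ip_address(text)
        else:
            check_local_ip_address(text, local_addresses)
    except IPAddressError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    LOCAL = ["10.16.78.102", "fe80::1"]  # constructed sample, not a real host
    for candidate in ["foo", "127.0.0.1", "123.123.123.123", "10.16.78.102/22"]:
        print(f"{candidate:>18}: {error_for(candidate, LOCAL) or 'ok'}")
```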
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 18 May 2011 13:20:32 +0200
Subject: [Freeipa-devel] [PATCH] 774 configure nss properly with --no-sssd
In-Reply-To: <4DB08D93.20703@redhat.com>
References: <4DB08D93.20703@redhat.com>
Message-ID: <1305717632.22796.64.camel@dhcp-25-52.brq.redhat.com>

On Thu, 2011-04-21 at 16:03 -0400, Rob Crittenden wrote:
> nss wasn't being configured properly with the --no-sssd argument. It is
> supposed to fall back to nss_ldap. We needed the --enableforcelegacy option.
>
> Also always back up sssd.conf, it gets updated regardless of whether it
> is used in nss (by --enablekrb5).
>
> rob

ACK. Pushed to master, ipa-2-0.

During the review I have found out that ipa-client-install does not
configure an nss-pam-ldapd based client machine correctly. I found the
root cause of this, I plan to fix it. You can check the ticket I have
opened for this issue:

https://fedorahosted.org/freeipa/ticket/1235

Martin
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 18 May 2011 13:58:40 +0200
Subject: [Freeipa-devel] [bind-dyndb-ldap] Add support for loading new zones from LDAP
In-Reply-To: <4DD270BE.4010300@redhat.com>
References: <4DD270BE.4010300@redhat.com>
Message-ID: <1305719920.22796.75.camel@dhcp-25-52.brq.redhat.com>

On Tue, 2011-05-17 at 14:57 +0200, Adam Tkac wrote:
> Hello all,
>
> this series adds support for loading newly-added zones from LDAP.
> Currently you must set `arg "zone_refresh ";` in your
> named.conf to enable this feature because by default the plugin doesn't
> check for new zones. "rndc reload" is no longer needed to pick up new zones.
>
> Note that when you delete a zone from LDAP, the plugin still doesn't recognize it.
>
> Regards, Adam

Hello Adam,

that's great, this will help us solve many DNS related issues. The
related DNS tickets are planned for resolution in the sprint in June,
but until then we can test the integration with the FreeIPA server in
both single master and replica scenarios so that the new
bind-dyndb-ldap may be released.

Martin

From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 18 May 2011 09:21:15 -0500
Subject: [Freeipa-devel] [PATCH] 158 JavaScript ordered map.
Message-ID: <4DD3D5DB.3080307@redhat.com>

A utility class has been added to store objects which can be accessed
both as an ordered list and as a map. This class is used to store
various objects including entities, fields, columns, and dialogs.

The class needs to be defined in a new file called util.js to avoid a
circular dependency problem.

A test suite for this class has been added as well.

Ticket #1232

--
Endi S. Dewata

[Attachment scrubbed by the archive: freeipa-edewata-0158-JavaScript-ordered-map.patch, text/x-patch, 53627 bytes]
From: simo at redhat.com (Simo Sorce)
Date: Wed, 18 May 2011 11:03:17 -0400
Subject: [Freeipa-devel] Streamline client use cases
In-Reply-To: <4DD2B6DC.2040207@redhat.com>
References: <4DD2B6DC.2040207@redhat.com>
Message-ID: <1305730997.8582.20.camel@willson.li.ssimo.org>

On Tue, 2011-05-17 at 13:56 -0400, Adam Young wrote:
> There are a wide variety of install scenarios, so we don't get too
> specific on some scenarios. One that is pretty common in the test and
> acceptance phase that might not be a real issue in a live deployment
> deals with DHCP values for nameservers. For example, when coding on my
> laptop, the DHCP server provides a bogus value for the nameserver.
> Additionally, we have a Lab setup at our office that is managed by
> another team, and it certainly won't provide the nameserver value for a
> development IPA server.

I am not sure how this can be fixed, have a cron job that tests the
config is right?

> What I'd like to see is a workflow based approach to the ipa-client
> setup that does basic configuration and troubleshooting.
>
> If the user runs ipa-client, attempt autodiscovery. If autodiscovery
> fails, the first thing we should do is get the name or IP address of the
> nameserver, and then retry autodiscovery. If it fails again, we can
> potentially test for firewall ports etc. For example, if we attempt to
> do an xmlrpc to the IPA server, get back a "Negotiate" response, and yet
> we can't talk to the KDC, it is likely a firewall issue. These are
> probably the most common issues on client install.

This could be valuable beyond mere development so it would be a nice to
have.

> Second deals with adding users. We have a catch 22 regarding
> automount. Ideally, an NFS server will contain the automounted home
> directories for the users. For a small organization, automounted /home
> in its entirety is probably fine. However, far more common is to
> automount the separate directories for each user using a matching rule.
> In this case, there is no easy way to create the user's home directory on
> demand. I'm not sure that there is a single 'right' solution, but one
> possible approach is to provide a "call this script after user creation"
> hook.

We have thought about this earlier, the problem is that the UI runs as
the apache user, so it is not going to be really helpful to run a script
straight from the web server.
And having a setuid binary to run scripts makes me a little nervous.

In general we have considered it the admin's duty to create appropriate
storage resources for users' home directories.
The thinking was that they can create their own scripts that use the
XML-RPC interface to deal with the IPA part and whatever they like to
deal with any other operation they need to do when enrolling new users.

> I can open tickets for these, but I'd like to vet the concepts first.
> Perhaps there is something I'm missing in both cases.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 18 May 2011 11:21:38 -0400
Subject: [Freeipa-devel] [PATCH] 785 data type of certificates
Message-ID: <4DD3E402.1050606@redhat.com>

Make the data type of certificates more obvious/predictable internally.

For the most part certificates will be treated as being in DER format.
When we load a certificate we will generally accept it in any format but
will convert it to DER before proceeding in normalize_certificate().

This also re-arranges a bit of code to pull some certificate-specific
functions out of ipalib/plugins/service.py into ipalib/x509.py.

This also tries to use variable names to indicate what format the
certificate is in at any given point:

dercert: DER
cert: PEM
nsscert: a python-nss Certificate object
rawcert: unknown format

ticket 32

rob

[Attachment scrubbed by the archive: freeipa-rcrit-785-pem.patch, application/mbox, 30854 bytes]

From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 18 May 2011 12:51:21 -0500
Subject: [Freeipa-devel] [PATCH] 159 Fixed problem disabling HBAC and SUDO rules.
Message-ID: <4DD40719.4020603@redhat.com>

The method names for disabling HBAC and SUDO rules have been fixed.

Ticket #1237.

--
Endi S. Dewata

[Attachment scrubbed by the archive: freeipa-edewata-0159-Fixed-problem-disabling-HBAC-and-SUDO-rules.patch, text/x-patch, 1763 bytes]
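The normalize_certificate() idea from patch 785 above (accept DER, PEM or bare base64, always hand DER on), worked through as an added example. It is not the patch's code and not ipalib/x509.py: normalize_certificate, check_der_sequence, der_to_pem and try_normalize are hypothetical names, and SAMPLE_DER is a constructed five-byte DER SEQUENCE standing in for a real certificate so the block runs offline.

```python
"""Normalise a certificate to DER, whatever format it arrived in.

Added illustration of the patch 785 idea; not the patch's own code and
not IPA's x509 module. All names are hypothetical. Variable names follow
the mail's convention: rawcert = unknown format, dercert = DER.
"""
import base64
import binascii

PEM_BEGIN = b"-----BEGIN CERTIFICATE-----"
PEM_END = b"-----END CERTIFICATE-----"


def _der_length(data: bytes, offset: int) -> tuple:
    """Decode the DER length at data[offset]; return (length, bytes used)."""
    first = data[offset]
    if first < 0x80:                       # short form: one byte
        return first, 1
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or offset + 1 + n > len(data):
        raise ValueError("malformed DER length")
    length = int.from_bytes(data[offset + 1:offset + 1 + n], "big")
    # DER demands the shortest encoding: no leading zero bytes, and no long
    # form for a value that fits the short form.
    if length < 0x80 or length >> (8 * (n - 1)) == 0:
        raise ValueError("non-minimal DER length encoding")
    return length, 1 + n


def check_der_sequence(dercert: bytes) -> bool:
    """A certificate is one outer SEQUENCE whose length matches the data exactly."""
    if len(dercert) < 2 or dercert[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    length, used = _der_length(dercert, 1)
    if 1 + used + length != len(dercert):
        raise ValueError("DER length does not match data (truncated or trailing bytes)")
    return True


def normalize_certificate(rawcert) -> bytes:
    """Accept DER bytes, a PEM block, or bare base64; always return DER bytes."""
    if isinstance(rawcert, str):
        rawcert = rawcert.encode("ascii")
    data = rawcert.strip()
    if PEM_BEGIN in data:                  # PEM, possibly with text before it
        lines = [ln.strip() for ln in data.splitlines()]
        try:
            start, end = lines.index(PEM_BEGIN) + 1, lines.index(PEM_END)
        except ValueError:
            raise ValueError("PEM block without END marker") from None
        try:
            dercert = base64.b64decode(b"".join(lines[start:end]), validate=True)
        except binascii.Error:
            raise ValueError("PEM body is not valid base64") from None
    else:
        # 0x30 is both the DER SEQUENCE tag and ASCII '0', so bare base64 can
        # start the same way: do a real DER parse before falling back.
        try:
            check_der_sequence(data)
            return data
        except ValueError:
            pass
        try:
            dercert = base64.b64decode(b"".join(data.split()), validate=True)
        except binascii.Error:
            raise ValueError("unrecognized certificate format") from None
    check_der_sequence(dercert)
    return dercert


def der_to_pem(dercert: bytes) -> bytes:
    """Wrap DER bytes in a PEM block with 64-character lines."""
    b64 = base64.b64encode(dercert)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return b"\n".join([PEM_BEGIN, *lines, PEM_END, b""])


def try_normalize(rawcert):
    """Return DER bytes, or None when the input is not a certificate-like blob."""
    try:
        return normalize_certificate(rawcert)
    except (ValueError, UnicodeEncodeError):
        return None


# Constructed stand-in: a minimal DER SEQUENCE { INTEGER 5 }, not a real certificate.
SAMPLE_DER = b"\x30\x03\x02\x01\x05"
SAMPLE_PEM = der_to_pem(SAMPLE_DER)
SAMPLE_B64 = base64.b64encode(SAMPLE_DER)  # b"MAMCAQU="

if __name__ == "__main__":
    for rawcert in (SAMPLE_DER, SAMPLE_PEM, SAMPLE_B64, b"not a certificate!"):
        print(repr(rawcert[:30]), "->", try_normalize(rawcert))
```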
From: ayoung at redhat.com (Adam Young)
Date: Wed, 18 May 2011 14:13:26 -0400
Subject: [Freeipa-devel] Streamline client use cases
In-Reply-To: <1305730997.8582.20.camel@willson.li.ssimo.org>
References: <4DD2B6DC.2040207@redhat.com> <1305730997.8582.20.camel@willson.li.ssimo.org>
Message-ID: <4DD40C46.5000001@redhat.com>

On 05/18/2011 11:03 AM, Simo Sorce wrote:
> On Tue, 2011-05-17 at 13:56 -0400, Adam Young wrote:
>> There are a wide variety of install scenarios, so we don't get too
>> specific on some scenarios. One that is pretty common in the test and
>> acceptance phase that might not be a real issue in a live deployment
>> deals with DHCP values for nameservers. For example, when coding on my
>> laptop, the DHCP server provides a bogus value for the nameserver.
>> Additionally, we have a Lab setup at our office that is managed by
>> another team, and it certainly won't provide the nameserver value for a
>> development IPA server.
> I am not sure how this can be fixed, have a cron job that tests the
> config is right?
>
>> What I'd like to see is a workflow based approach to the ipa-client
>> setup that does basic configuration and troubleshooting.
>>
>> If the user runs ipa-client, attempt autodiscovery. If autodiscovery
>> fails, the first thing we should do is get the name or IP address of the
>> nameserver, and then retry autodiscovery. If it fails again, we can
>> potentially test for firewall ports etc. For example, if we attempt to
>> do an xmlrpc to the IPA server, get back a "Negotiate" response, and yet
>> we can't talk to the KDC, it is likely a firewall issue. These are
>> probably the most common issues on client install.
> This could be valuable beyond mere development so it would be a nice to
> have.

Agreed. Should I open an enhancement request for this?

>> Second deals with adding users. We have a catch 22 regarding
>> automount. Ideally, an NFS server will contain the automounted home
>> directories for the users.
>> For a small organization, automounted /home
>> in its entirety is probably fine. However, far more common is to
>> automount the separate directories for each user using a matching rule.
>> In this case, there is no easy way to create the user's home directory on
>> demand. I'm not sure that there is a single 'right' solution, but one
>> possible approach is to provide a "call this script after user creation"
>> hook.
> We have thought about this earlier, the problem is that the UI runs as
> the apache user, so it is not going to be really helpful
> to run a script straight from the web server.

True, although you could do something where the NFS /home directory gets
mounted such that the httpd user has very limited rights on it,
basically mkdir and chown. But I agree, that is not a good approach
for the general case.

> And having a setuid binary to run scripts makes me a little nervous.
>
> In general we have considered it the admin's duty to create appropriate
> storage resources for users' home directories.

Yeah. But it might be a problem of scale. For large organizations,
there should be some (optional) support built in for managing user
directories.

> The thinking was that they can create their own scripts that use the
> XML-RPC interface to deal with the IPA part and whatever they like to
> deal with any other operation they need to do when enrolling new users.

The more I think about it, the more I realize that it has to be either a
standalone process, something done asynchronously, or something done on
demand when the user logs in. Take the case where we do a
winsync/passsync, we'd want to only create the home dirs at a minimum
upon "migrate." Possibly not even then. Take the case where a lab
system has its own set of home directories, or a worldwide company where
home directories are created on local drives and not-necessarily synced.

Still, I'd like to have a solution documented for some of the simple cases.
>> I can open tickets for these, but I'd like to vet the concepts first.
>> Perhaps there is something I'm missing in both cases.
> Simo.
>
From: simo at redhat.com (Simo Sorce)
Date: Wed, 18 May 2011 14:30:48 -0400
Subject: [Freeipa-devel] Streamline client use cases
In-Reply-To: <4DD40C46.5000001@redhat.com>
References: <4DD2B6DC.2040207@redhat.com> <1305730997.8582.20.camel@willson.li.ssimo.org> <4DD40C46.5000001@redhat.com>
Message-ID: <1305743448.8582.34.camel@willson.li.ssimo.org>

On Wed, 2011-05-18 at 14:13 -0400, Adam Young wrote:
> On 05/18/2011 11:03 AM, Simo Sorce wrote:
> > On Tue, 2011-05-17 at 13:56 -0400, Adam Young wrote:
> >> There are a wide variety of install scenarios, so we don't get too
> >> specific on some scenarios. One that is pretty common in the test and
> >> acceptance phase that might not be a real issue in a live deployment
> >> deals with DHCP values for nameservers. For example, when coding on my
> >> laptop, the DHCP server provides a bogus value for the nameserver.
> >> Additionally, we have a Lab setup at our office that is managed by
> >> another team, and it certainly won't provide the nameserver value for a
> >> development IPA server.
> > I am not sure how this can be fixed, have a cron job that tests the
> > config is right?
> >
> >> What I'd like to see is a workflow based approach to the ipa-client
> >> setup that does basic configuration and troubleshooting.
> >>
> >> If the user runs ipa-client, attempt autodiscovery. If autodiscovery
> >> fails, the first thing we should do is get the name or IP address of the
> >> nameserver, and then retry autodiscovery. If it fails again, we can
> >> potentially test for firewall ports etc. For example, if we attempt to
> >> do an xmlrpc to the IPA server, get back a "Negotiate" response, and yet
> >> we can't talk to the KDC, it is likely a firewall issue. These are
> >> probably the most common issues on client install.
> > This could be valuable beyond mere development so it would be a nice to
> > have.
>
> Agreed. Should I open an enhancement request for this?

Yeah please do.

> >> Second deals with adding users.
> >> We have a catch 22 regarding
> >> automount. Ideally, an NFS server will contain the automounted home
> >> directories for the users. For a small organization, automounted /home
> >> in its entirety is probably fine. However, far more common is to
> >> automount the separate directories for each user using a matching rule.
> >> In this case, there is no easy way to create the user's home directory on
> >> demand. I'm not sure that there is a single 'right' solution, but one
> >> possible approach is to provide a "call this script after user creation"
> >> hook.
> > We have thought about this earlier, the problem is that the UI runs as
> > the apache user, so it is not going to be really helpful
> > to run a script straight from the web server.
>
> True, although you could do something where the NFS /home directory gets
> mounted such that the httpd user has very limited rights on it,
> basically mkdir and chown. But I agree, that is not a good approach
> for the general case.

"just" mkdir and chown ? :)

The problem is that we may not even have an nfs mount with the home
directories. In large domains that span the globe, home directories
may be local to the zone the users are created in and simply not exist
elsewhere.

> > And having a setuid binary to run scripts makes me a little nervous.
> >
> > In general we have considered it the admin's duty to create appropriate
> > storage resources for users' home directories.
> Yeah. But it might be a problem of scale. For large organizations,
> there should be some (optional) support built in for managing user
> directories.

The larger the org, the more complex and less common the configuration.
I think we can help at most small shops with straightforward
configurations, anything else is simply unpredictable.
> > The thinking was that they can create their own scripts that use the
> > XML-RPC interface to deal with the IPA part and whatever they like to
> > deal with any other operation they need to do when enrolling new users.
>
> The more I think about it, the more I realize that it has to be either a
> standalone process, something done asynchronously, or something done on
> demand when the user logs in.

At login time it is very unlikely to be possible if you think of NFS
mounts. A cron job process is a distinct possibility that admins can
easily set up.

> Take the case where we do a
> winsync/passsync, we'd want to only create the home dirs at a minimum
> upon "migrate." Possibly not even then. Take the case where a lab
> system has its own set of home directories, or a worldwide company where
> home directories are created on local drives and not-necessarily synced.

For local homes, clients can be configured to use pam_oddjob_mkhomedir.

> Still, I'd like to have a solution documented for some of the simple cases.

Then go for pam_oddjob_mkhomedir, it is the easiest one.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 18 May 2011 15:15:53 -0400
Subject: [Freeipa-devel] [PATCH] 786 Configure Managed Entries on replicas.
Message-ID: <4DD41AE9.1060200@redhat.com>

The Managed Entries plugin configurations weren't being created on
replica installs. The templates were there but the cn=config portions
were not.

This patch adds them as updates. The template portion will be added in
the initial replication.

ticket 1222

To test:

Install a master
Install a replica
On replica: kinit
On replica: ipa user-add --first=timmy --last=test ttest
On replica: ipa group-show ttest
On master: ipa group-show ttest

rob

[Attachment scrubbed by the archive: freeipa-rcrit-786-replica.patch, application/mbox, 4659 bytes]

From: JR.Aquino at citrix.com (JR Aquino)
Date: Wed, 18 May 2011 19:46:51 +0000
Subject: [Freeipa-devel] [PATCH] 28 One Liner: Typo in host_nis_groups has been creating 2 CN's
Message-ID: <5B8EA673-11F9-43FB-A2BC-8D7FD59598C5@citrixonline.com>

This affects Ticket 1222 and Rob's patch 786

[Attachment scrubbed by the archive: freeipa-jraquino-0028-One-Liner-Typo-in-host_nis_groups-has-been-creating.patch, application/octet-stream, 1013 bytes]
From: JR.Aquino at citrix.com (JR Aquino)
Date: Wed, 18 May 2011 20:04:18 +0000
Subject: [Freeipa-devel] [PATCH] 28 One Liner: Typo in host_nis_groups has been creating 2 CN's
In-Reply-To: <5B8EA673-11F9-43FB-A2BC-8D7FD59598C5@citrixonline.com>
References: <5B8EA673-11F9-43FB-A2BC-8D7FD59598C5@citrixonline.com>
Message-ID: <0D613602-E082-4CBB-9A39-AC33B4DE20F9@citrixonline.com>

On May 18, 2011, at 12:46 PM, JR Aquino wrote:
> This affects Ticket 1222 and Rob's patch 786

Per IRC conversation with Simo and Rob, take the path of least change.

The patch has been modified to correct the CN to match the DN rather
than changing both.

[Attachment scrubbed by the archive: freeipa-jraquino-0028-One-Liner-Typo-in-host_nis_groups-has-been-creating.patch, application/octet-stream, 878 bytes]
From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 18 May 2011 17:52:23 -0400 Subject: [Freeipa-devel] [PATCH] 786 Configure Managed Entries on replicas. In-Reply-To: <4DD41AE9.1060200@redhat.com> References: <4DD41AE9.1060200@redhat.com> Message-ID: <4DD43F97.704@redhat.com> Rob Crittenden wrote: > The Managed Entries plugin configurations weren't being created on > replica installs. The templates were there but the cn=config portions > were not. > > This patch adds them as updates. The template portion will be added in > the initial replication. > > ticket 1222 > > To test: > > Install a master > Install a replica > On replica: kinit > On replica: ipa user-add --first=timmy --last=test ttest > On replica: ipa group-show ttest > On master: ipa group-show ttest > > rob Updated patch attached. This requires jraquino patch 28 to work as expected. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-786-2-replica.patch Type: application/mbox Size: 4804 bytes Desc: not available URL: From rcritten at redhat.com Wed May 18 21:52:51 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 18 May 2011 17:52:51 -0400 Subject: [Freeipa-devel] [PATCH] 28 One Liner: Typo in host_nis_groups has been creating 2 CN's In-Reply-To: <0D613602-E082-4CBB-9A39-AC33B4DE20F9@citrixonline.com> References: <5B8EA673-11F9-43FB-A2BC-8D7FD59598C5@citrixonline.com> <0D613602-E082-4CBB-9A39-AC33B4DE20F9@citrixonline.com> Message-ID: <4DD43FB3.6030908@redhat.com> JR Aquino wrote: > On May 18, 2011, at 12:46 PM, JR Aquino wrote: > >> This affects Ticket 1222 and Rob's patch 786 > > Per IRC Conversation with Simo and Rob, take the path of least change. > > The patch has been modified to correct the CN to match the DN rather than changing both. This looks good. I'm going to wait to push it at the same time as 786. rob From JR.Aquino at citrix.com Wed May 18 21:59:06 2011
From: JR.Aquino at citrix.com (JR Aquino) Date: Wed, 18 May 2011 21:59:06 +0000 Subject: [Freeipa-devel] [PATCH] 28 One Liner: Typo in host_nis_groups has been creating 2 CN's In-Reply-To: <4DD43FB3.6030908@redhat.com> References: <5B8EA673-11F9-43FB-A2BC-8D7FD59598C5@citrixonline.com> <0D613602-E082-4CBB-9A39-AC33B4DE20F9@citrixonline.com> <4DD43FB3.6030908@redhat.com> Message-ID: <62F9181C-B4A8-464C-807B-0880FA203E47@citrixonline.com> On May 18, 2011, at 2:52 PM, Rob Crittenden wrote: > JR Aquino wrote: >> On May 18, 2011, at 12:46 PM, JR Aquino wrote: >> >>> This affects Ticket 1222 and Rob's patch 786 >> >> Per IRC Conversation with Simo and Rob, take the path of least change. >> >> The patch has been modified to correct the CN to match the DN rather than changing both. > > This looks good. I'm going to wait to push it at the same time as 786. Simo mentioned that I need to create the .update in the patch so that we remove the previous typo laden entry during updates. From rcritten at redhat.com Thu May 19 13:16:56 2011
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 19 May 2011 09:16:56 -0400 Subject: [Freeipa-devel] [PATCH] 28 One Liner: Typo in host_nis_groups has been creating 2 CN's In-Reply-To: <62F9181C-B4A8-464C-807B-0880FA203E47@citrixonline.com> References: <5B8EA673-11F9-43FB-A2BC-8D7FD59598C5@citrixonline.com> <0D613602-E082-4CBB-9A39-AC33B4DE20F9@citrixonline.com> <4DD43FB3.6030908@redhat.com> <62F9181C-B4A8-464C-807B-0880FA203E47@citrixonline.com> Message-ID: <4DD51848.6030201@redhat.com> JR Aquino wrote: > On May 18, 2011, at 2:52 PM, Rob Crittenden wrote: > >> JR Aquino wrote: >>> On May 18, 2011, at 12:46 PM, JR Aquino wrote: >>> >>>> This affects Ticket 1222 and Rob's patch 786 >>> >>> Per IRC Conversation with Simo and Rob, take the path of least change. >>> >>> The patch has been modified to correct the CN to match the DN rather than changing both. >> >> This looks good. I'm going to wait to push it at the same time as 786. > > Simo mentioned that I need to create the .update in the patch so that we remove the previous typo laden entry during updates. I added that to my patch. rob From ayoung at redhat.com Thu May 19 16:28:48 2011
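The one-liner discussed above corrected an attribute value that did not match the value in the entry's RDN, which is how the directory ended up with two cn values: LDAP (RFC 4512) requires the RDN's attribute value to be present in the entry, so the server adds it alongside the mistyped one. The following is an added example, not code from the FreeIPA patch, of a check that catches this class of mistake in an LDIF-style update file before it is loaded. The sample entries, their DNs and the minimal parser are constructed for this example.

```python
"""Check that every entry's RDN value is also one of its attribute values.

Added example (not FreeIPA code).  The sample LDIF below is constructed:
the first entry has the kind of typo the patch fixed (cn= in the DN does
not match the cn: line), the second one is consistent.
"""

SAMPLE_LDIF = """\
dn: cn=Example Managed Entry,cn=etc,dc=example,dc=com
objectClass: top
objectClass: extensibleObject
cn: Example Manged Entry
originScope: cn=hostgroups,cn=accounts,dc=example,dc=com

dn: cn=Consistent Entry,cn=etc,dc=example,dc=com
objectClass: top
cn: Consistent Entry
"""


def parse_ldif(text):
    """Minimal LDIF parser: blank-line separated entries, 'attr: value'
    lines, '#' comments.  Returns [(dn, {attr: [values]})]; attribute names
    are lower-cased because LDAP attribute names are case-insensitive."""
    entries = []
    dn, attrs = None, {}
    for raw in text.splitlines() + [""]:      # sentinel flushes the last entry
        line = raw.rstrip()
        if line.startswith("#"):
            continue
        if not line:
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "dn":
            dn = value
        else:
            attrs.setdefault(key, []).append(value)
    return entries


def rdn_of(dn):
    """Split the leading 'attr=value' RDN off a DN.  Assumes a single-valued
    RDN without escaped commas, which is all this example needs."""
    first = dn.split(",", 1)[0]
    attr, _, value = first.partition("=")
    return attr.strip().lower(), value.strip()


def rdn_mismatches(entries):
    """Return (dn, rdn_attr, rdn_value, present_values) for each entry whose
    RDN value is missing from its own attribute values.  Values of cn are
    case-insensitive, so the comparison is too."""
    problems = []
    for dn, attrs in entries:
        attr, value = rdn_of(dn)
        present = attrs.get(attr, [])
        if value.lower() not in [v.lower() for v in present]:
            problems.append((dn, attr, value, present))
    return problems


def removal_update(problems):
    """Values a follow-up update would have to delete: once the server has
    added the RDN value itself, the mistyped values are the extra ones."""
    return [(dn, attr, present) for dn, attr, _, present in problems]


if __name__ == "__main__":
    for dn, attr, value, present in rdn_mismatches(parse_ldif(SAMPLE_LDIF)):
        print("%s: RDN has %s=%s but entry has %s: %s" % (dn, attr, value, attr, present))
```

Run over a real update file, the output names exactly the entries whose RDN and attribute value disagree, which is the condition that silently produced the second cn value.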
From: ayoung at redhat.com (Adam Young) Date: Thu, 19 May 2011 12:28:48 -0400 Subject: [Freeipa-devel] [PATCH] 158 JavaScript ordered map. In-Reply-To: <4DD3D5DB.3080307@redhat.com> References: <4DD3D5DB.3080307@redhat.com> Message-ID: <4DD54540.8020909@redhat.com> On 05/18/2011 10:21 AM, Endi Sukma Dewata wrote: > A utility class has been added to store objects which can be accessed > both as an ordered list and as a map. This class is used to store > various objects including entities, fields, columns, and dialogs. The > class needs to be defined in a new file called util.js to avoid > circular dependency problem. A test suite for this class has been > added as well. > > Ticket #1232 > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel Good. The only thing I don't like about it is the Util namespace. I think this should be a JQuery plugin instead. Adding a Util namespace is just ignoring the problem of namespace pollution. Can you move it to JQuery, and rename the file and class ordered_map? Put some documentation in the file as to the contract: we explicitly don't hide access to the internals, but if you don't use the manipulator functions, you will corrupt the map etc. This is where Javascript would really benefit from a macro language. -------------- next part -------------- An HTML attachment was scrubbed... URL: From edewata at redhat.com Thu May 19 19:18:45 2011 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Thu, 19 May 2011 14:18:45 -0500 Subject: [Freeipa-devel] [PATCH] 158 JavaScript ordered map. In-Reply-To: <4DD54540.8020909@redhat.com> References: <4DD3D5DB.3080307@redhat.com> <4DD54540.8020909@redhat.com> Message-ID: <4DD56D15.30300@redhat.com> On 5/19/2011 11:28 AM, Adam Young wrote: > On 05/18/2011 10:21 AM, Endi Sukma Dewata wrote: >> A utility class has been added to store objects which can be accessed >> both as an ordered list and as a map. This class is used to store >> various objects including entities, fields, columns, and dialogs. The >> class needs to be defined in a new file called util.js to avoid >> circular dependency problem. A test suite for this class has been >> added as well. >> >> Ticket #1232 > Good. The only thing I don't like about it is the Util namespace. I > think this should be a JQuery plugin instead. Adding a Util namespace is > just ignoring the problem of namespace pollution. > > Can you move it to JQuery, and rename the file and class ordered_map? > > Put some documentation in the file as to the contract: we explicitly > don't hide access to the internals, but if you don't use the manipulator > functions, you will corrupt the map etc. > > This is where Javascript would really benefit from a macro language. Attached is a new patch that includes the above changes. -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0158-2-jQuery-ordered-map.patch Type: text/x-patch Size: 54291 bytes Desc: not available URL: From rcritten at redhat.com Thu May 19 19:47:19 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 19 May 2011 15:47:19 -0400 Subject: [Freeipa-devel] [PATCH] Don't load the LDAP schema during startup In-Reply-To: <201102241345.55447.jzeleny@redhat.com> References: <201102151524.59018.jzeleny@redhat.com> <201102231424.52464.jzeleny@redhat.com> <201102241332.15515.jzeleny@redhat.com> <201102241345.55447.jzeleny@redhat.com> Message-ID: <4DD573C7.9090308@redhat.com> Jan Zelený wrote: > Jan Zelený wrote: >> Jan Zeleny wrote: >>> Jan Zelený wrote: >>>> Jan Zelený wrote: >>>>> Rob Crittenden wrote: >>>>>> Jan Zelený wrote: >>>>>>> Rob Crittenden wrote: >>>>>>>> Jan Zelený wrote: >>>>>>>>> Loading of the schema is now performed in the first request >>>>>>>>> that requires it. >>>>>>>>> >>>>>>>>> https://fedorahosted.org/freeipa/ticket/583 >>>>>>>>> >>>>>>>>> Jan >>>>>>>> >>>>>>>> We still need to enforce that we get the schema, some low-level >>>>>>>> functions depend on it. Also, if the UI doesn't get its aciattrs >>>>>>>> (which are derived from the schema) then nothing will be >>>>>>>> editable. >>>>>>>> >>>>>>>> I'm getting this backtrace if I force no schema by disabling >>>> >>>> get_schema: >>>>>>> Ok, I'm sending new version, it should handle these exceptions >>>>>>> better and the operation should fail if it needs the schema and >>>>>>> the schema is not available for some reason. >>>>>> >>>>>> This breaks the XML-RPC server. I fixed one problem: >>>>>> --- a/ipaserver/plugins/ldap2.py >>>>>> +++ b/ipaserver/plugins/ldap2.py >>>>>>
>>>>>> @@ -253,9 +253,10 @@ class ldap2(CrudBackend, Encoder): >>>>>> def get_syntax(self, attr, value): >>>>>> if not self.schema: >>>>>> - self.schema = get_schema(self.ldap_uri, self.conn) >>>>>> - if not self.schema: >>>>>> + schema = get_schema(self.ldap_uri, self.conn) >>>>>> >>>>>> + if not schema: >>>>>> return None >>>>>> >>>>>> + object.__setattr__(self, 'schema', schema) >>>>>> >>>>>> obj = self.schema.get_obj(_ldap.schema.AttributeType, >>>>>> attr) >>>>>> >>>>>> if obj is not None: >>>>>> return obj.syntax >>>>>> >>>>>> But simply things like get_entry() return an InternalError now. I'm >>>>>> not sure where you were going by adding this. >>>>>> >>>>>> rob >>>>> >>>>> Ok, no problem. It's possible that I simply did a mistake thinking I >>>>> can do something in Python what is not really possible. >>>>> >>>>> About that InternalError: I think raising InternalError when we >>>>> cannot load the schema to do the decoding is the right thing to do. >>>>> Do you have a better solution? I thought about returning empty >>>>> result, but that would mean we have to check the result in every >>>>> function that is calling them and raising InternalError there. >>>> >>>> I'm sending updated patch. I modified the get_syntax() as you suggested >>>> and I slightly modified raising that InternalError - currently it isn't >>>> raised when results from get_entry() are not required by calling >>>> method. Currently I'm running some tests, preliminary results looked >>>> ok. >>> >>> self-nack >>> >>> I discovered some issues discovered by internal test suite, I'm working >>> on them >>> >>> Jan >> >> Ok, everything is solved, I'm sending final version of the patch in the >> attachment. But I still think this should go to 2.1, since it's quite >> extensive patch in the core of IPA server and it has potential to break >> many things.
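Review bot: the added `object.__setattr__(self, 'schema', schema)` line in the get_syntax() hunk needs a comment saying why the plain `self.schema = ...` of the removed line cannot be used; the only visible reason to reach past the class's own `__setattr__` is that the object refuses normal assignment, and without that note the next reader will "simplify" it back and reintroduce the breakage. A second point in the same hunk: `return None` when get_schema() yields nothing makes "schema unavailable" indistinguishable from "attribute has no syntax" for every caller of get_syntax(), while the rest of this thread settles on raising InternalError when a required schema cannot be loaded; raising (or at least logging) at this spot would be consistent with that and would not hide the failure that the later get_entry() errors expose.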
>> >> Jan > > Rebased against master > > Jan I came up with an alternate patch that just does lazy retrieval of the schema rather than getting it at start up. Without the schema we can do very little required enforcement so we shouldn't proceed. See my patch 787 Don't load LDAP schema at startup rob From rcritten at redhat.com Thu May 19 19:47:24 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 19 May 2011 15:47:24 -0400 Subject: [Freeipa-devel] [PATCH] 787 Don't load LDAP schema at startup Message-ID: <4DD573CC.6080107@redhat.com> Do a lazy retrieval of the LDAP schema rather than at module load. Attempt to retrieve the schema the first time it is needed rather than when Apache is started. A global copy is cached for future requests for performance reasons. The schema will be retrieved once per Apache child process. ticket 583 This replaces Jan's patch titled "Don't load the LDAP schema during startup" rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-787-schema.patch Type: application/mbox Size: 4037 bytes Desc: not available URL: From mkosek at redhat.com Thu May 19 19:54:06 2011 
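Rob's patch 787 describes the schema being retrieved lazily on first use, cached once per Apache child process, and the request refusing to proceed when the schema cannot be obtained. The added example below is not the project's ldap2 code; it sketches that pattern with a constructed fetch function standing in for the real LDAP schema query. A successful fetch is cached for the life of the process, a failed fetch raises instead of handing back an empty schema, and the next request retries rather than pinning the process to "no schema" after a transient failure at startup.

```python
"""Lazy, per-process cached schema retrieval that fails closed.

Added example, not FreeIPA code.  SAMPLE_SCHEMA and FlakyFetcher are
constructed stand-ins for the schema returned by the directory server and
for the query that retrieves it.
"""
import threading

# Constructed sample schema: attribute type -> syntax OID
# (1.3.6.1.4.1.1466.115.121.1.15 is DirectoryString, ...1.27 is INTEGER).
SAMPLE_SCHEMA = {
    "cn": "1.3.6.1.4.1.1466.115.121.1.15",
    "uidnumber": "1.3.6.1.4.1.1466.115.121.1.27",
}


class SchemaUnavailable(Exception):
    """The schema could not be retrieved.  Operations that depend on it
    (syntax checks, ACI attribute derivation) must not proceed without it."""


class LazySchema(object):
    """Holds one schema copy per process, retrieved on first use."""

    def __init__(self, fetch):
        self._fetch = fetch          # callable returning a schema dict or None
        self._schema = None
        self._lock = threading.Lock()
        self.fetch_calls = 0         # exposed so the example can show caching

    def get(self):
        """Return the cached schema, fetching it on the first request.

        A failed fetch is not cached: the error is raised now and the next
        request tries again, so an outage at startup does not leave the
        process permanently without a schema."""
        if self._schema is None:
            with self._lock:                 # one fetch per process, not per thread
                if self._schema is None:
                    self.fetch_calls += 1
                    schema = self._fetch()
                    if not schema:
                        raise SchemaUnavailable("LDAP schema could not be retrieved")
                    self._schema = schema
        return self._schema

    def get_syntax(self, attr):
        """Syntax OID of an attribute type, or None if the attribute is
        unknown.  An unavailable schema raises instead of returning None,
        so callers can tell the two cases apart."""
        return self.get().get(attr.lower())


class FlakyFetcher(object):
    """Constructed stand-in for the schema query: returns None (failure)
    `failures` times, then SAMPLE_SCHEMA."""

    def __init__(self, failures):
        self.failures = failures

    def __call__(self):
        if self.failures > 0:
            self.failures -= 1
            return None
        return SAMPLE_SCHEMA


def demo():
    """First request fails closed, second succeeds and is cached, third is
    served from the cache.  Returns (outcomes, number of fetch attempts)."""
    schema = LazySchema(FlakyFetcher(failures=1))
    outcomes = []
    for attr in ("cn", "uidNumber", "cn"):
        try:
            outcomes.append(schema.get_syntax(attr))
        except SchemaUnavailable:
            outcomes.append("unavailable")
    return outcomes, schema.fetch_calls


if __name__ == "__main__":
    print(demo())
```

The point of the distinction in get_syntax() is the one Rob makes above: with no schema there is very little enforcement that can be done, so the request should fail rather than carry on with None where a syntax was expected.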
From: mkosek at redhat.com (Martin Kosek) Date: Thu, 19 May 2011 21:54:06 +0200 Subject: [Freeipa-devel] Ticket #1107 - firewall troubles Message-ID: <1305834846.21313.46.camel@dhcp-25-52.brq.redhat.com> Hello, I am working on ticket #1107 and I am looking for some ideas how to deal with it. The problem is that when we are installing a replica and have firewall on, the installation may fail or (even worse) hang. The question is how to deal with this situation since we cannot test if the ports are not blocked locally. It must be done from the remote master. I discussed this with Rob and I see two solutions here: 1) Don't complicate this and limit our user handholding (my favorite) - just tell him what ports he should open before proceeding with the installation. If he doesn't, the installation will fail later. The problem is when the installation hangs - it's hard to detect. This is the easy way. 2) Implement and register a mod_wsgi application on a master server and let it test remotely if the ports on the replica are open. We would have to open and listen on them in ipa-replica-install as we cannot tell if port is not-yet-opened or firewalled just from the network error code. If the application would report a firewalled port, we would throw an error in the ipa-replica-install. However, as Rob pointed out, it would open a possible security hole as we would basically behave as port scanner. Any opinions, suggestions, ideas on this? Thanks, Martin From simo at redhat.com Thu May 19 20:41:10 2011
From: simo at redhat.com (Simo Sorce) Date: Thu, 19 May 2011 16:41:10 -0400 Subject: [Freeipa-devel] Ticket #1107 - firewall troubles In-Reply-To: <1305834846.21313.46.camel@dhcp-25-52.brq.redhat.com> References: <1305834846.21313.46.camel@dhcp-25-52.brq.redhat.com> Message-ID: <1305837670.13113.71.camel@willson.li.ssimo.org> On Thu, 2011-05-19 at 21:54 +0200, Martin Kosek wrote: > Hello, > > I am working on ticket #1107 and I am looking for some ideas how to deal > with it. > > The problem is that when we are installing a replica and have firewall > on, the installation may fail or (even worse) hang. The question is > how to deal with this situation since we cannot test if the ports are > not blocked locally. It must be done from the remote master. > > I discussed this with Rob and I see two solutions here: > > 1) Don't complicate this and limit our user handholding (my favorite) - > just tell him what ports he should open before proceeding with the > installation. If he doesn't, the installation will fail later. The > problem is when the installation hangs - it's hard to detect. This is the > easy way. > > 2) Implement and register a mod_wsgi application on a master server and > let it test remotely if the ports on the replica are open. We would have > to open and listen on them in ipa-replica-install as we cannot tell if port > is not-yet-opened or firewalled just from the network error code. If the > application would report a firewalled port, we would throw an error in > the ipa-replica-install. > > However, as Rob pointed out, it would open a possible security hole as > we would basically behave as port scanner. It may also create SELinux issues as I think apache is not allowed to contact random ports normally. > Any opinions, suggestions, ideas on this? I think a much better solution is to create a simple program pair one for the master and one for the wannabe replica. The one on the replica opens all relevant ports.
The one to be run on the master tries to connect to all these ports. Each side will report port,service name,success/failure Bonus points if we create the replica program so that it can use admin credentials to ssh into the master and run the master side automatically properly merging the output of that side. Simo. -- Simo Sorce * Red Hat, Inc * New York From JR.Aquino at citrix.com Thu May 19 22:20:40 2011 From: JR.Aquino at citrix.com (JR Aquino) Date: Thu, 19 May 2011 22:20:40 +0000 Subject: [Freeipa-devel] [PATCH] 786 Configure Managed Entries on replicas. In-Reply-To: <4DD43F97.704@redhat.com> References: <4DD41AE9.1060200@redhat.com> <4DD43F97.704@redhat.com> Message-ID: <53617265-3063-4B6F-A846-D4C8DF110120@citrixonline.com> On May 18, 2011, at 2:52 PM, Rob Crittenden wrote: > Rob Crittenden wrote: >> The Managed Entries plugin configurations weren't being created on >> replica installs. The templates were there but the cn=config portions >> were not. >> >> This patch adds them as updates. The template portion will be added in >> the initial replication. >> >> ticket 1222 >> >> To test: >> >> Install a master >> Install a replica >> On replica: kinit >> On replica: ipa user-add --first=timmy --last=test ttest >> On replica: ipa group-show ttest >> On master: ipa group-show ttest >> >> rob > > Updated patch attached. This requires jraquino patch 28 to work as expected. > > rob > NACK This patch is not applying to Master? error: patch failed: install/updates/Makefile.am:8 error: install/updates/Makefile.am: patch does not apply From dpal at redhat.com Thu May 19 22:32:13 2011 
From: dpal at redhat.com (Dmitri Pal) Date: Thu, 19 May 2011 18:32:13 -0400 Subject: [Freeipa-devel] Ticket #1107 - firewall troubles In-Reply-To: <1305837670.13113.71.camel@willson.li.ssimo.org> References: <1305834846.21313.46.camel@dhcp-25-52.brq.redhat.com> <1305837670.13113.71.camel@willson.li.ssimo.org> Message-ID: <4DD59A6D.7060709@redhat.com> On 05/19/2011 04:41 PM, Simo Sorce wrote: > On Thu, 2011-05-19 at 21:54 +0200, Martin Kosek wrote: >> Hello, >> >> I am working on ticket #1107 and I am looking for some ideas how to deal >> with it. >> >> The problem is that when we are installing a replica and have firewall >> on, the installation may fail or (even worse) hang. The question is >> how to deal with this situation since we cannot test if the ports are >> not blocked locally. It must be done from the remote master. >> >> I discussed this with Rob and I see two solutions here: >> >> 1) Don't complicate this and limit our user handholding (my favorite) - >> just tell him what ports he should open before proceeding with the >> installation. If he doesn't, the installation will fail later. The >> problem is when the installation hangs - it's hard to detect. This is the >> easy way. >> >> 2) Implement and register a mod_wsgi application on a master server and >> let it test remotely if the ports on the replica are open. We would have >> to open and listen on them in ipa-replica-install as we cannot tell if port >> is not-yet-opened or firewalled just from the network error code. If the >> application would report a firewalled port, we would throw an error in >> the ipa-replica-install. >> >> However, as Rob pointed out, it would open a possible security hole as >> we would basically behave as port scanner. > It may also create SELinux issues as I think apache is not allowed to > contact random ports normally. > >> Any opinions, suggestions, ideas on this?
> I think a much better solution is to create a simple program pair one > for the master and one for the wannabe replica. > > The one on the replica opens all relevant ports. > The one to be run on the master tries to connect to all these ports. > Each side will report port,service name,success/failure > > Bonus points if we create the replica program so that it can use admin > credentials to ssh into the master and run the master side automatically > properly merging the output of that side. > > Simo. > I think Simo has a point but it is too much for now. IMO it is Ok to fail and report a meaningful error message on either side. Installation hanging is what we should address here in the scope of 2.1. -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From rcritten at redhat.com Fri May 20 02:36:38 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 19 May 2011 22:36:38 -0400 Subject: [Freeipa-devel] [PATCH] 769 enable SSL hostname checking In-Reply-To: <1305637902.22796.20.camel@dhcp-25-52.brq.redhat.com> References: <4DA36D1C.9000702@redhat.com> <1305637902.22796.20.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4DD5D3B6.5030506@redhat.com> Martin Kosek wrote: > On Mon, 2011-04-11 at 17:05 -0400, Rob Crittenden wrote: >> Enable 389-ds SSL host checking by default >> >> Enforce that the remote hostname matches the remote SSL server >> certificate when 389-ds operates as an SSL client. >> >> Also add an update file to turn this off for existing installations. >> >> ticket 1069 >> >> rob > > NACK. 10-config.update fails to upgrade existing installation: > > # ipa-ldap-updater --upgrade > Upgrading IPA: > [1/8]: stopping directory server > [2/8]: saving configuration > [3/8]: disabling listeners > [4/8]: starting directory server > [5/8]: upgrading server > ERROR:root:Update failed: Server is unwilling to perform: Deleting attributes is not allowed > [6/8]: stopping directory server > [7/8]: restoring configuration > [8/8]: starting directory server > done configuring dirsrv. > > Martin > Updated patch attached. I had to make the ldap updater do REPLACE operations. I went ahead and made this code similar to the code in ldap2.py for consistency. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-769-2-ssl.patch Type: application/mbox Size: 6005 bytes Desc: not available URL: From edewata at redhat.com Fri May 20 04:32:38 2011
From: edewata at redhat.com (Endi Sukma Dewata) Date: Thu, 19 May 2011 23:32:38 -0500 Subject: [Freeipa-devel] [PATCH] 160 Development page for DataTables. Message-ID: <4DD5EEE6.6080901@redhat.com> NOTE: This patch is intended for development only. It should not be committed into IPA repository. An HTML page has been created to explore DataTables integration strategy into IPA WebUI. To use the page, open dataTables.html either in static mode or with live server. Select one of the entities from the list, it will show the entries in a table. The IPA command is shown underneath the table. Below it is a list of parameters generated by DataTables that can be used to specify the search filter, pagination, and sorting on the IPA command. Current status: - Search filter works in live mode. Each keystroke in the search filter field will trigger an IPA command that uses the specified filter. The content of the table will be updated immediately. - Pagination can be configured by selecting the number of entries shown per page, but the content is unchanged because there is no server support. - Sorting order can be changed by clicking the column header, but the content is unchanged because there is no server support. -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0160-Development-page-for-DataTables.patch Type: text/x-patch Size: 256754 bytes Desc: not available URL: From mkosek at redhat.com Fri May 20 06:28:02 2011 
From: mkosek at redhat.com (Martin Kosek) Date: Fri, 20 May 2011 08:28:02 +0200 Subject: [Freeipa-devel] [PATCH] 769 enable SSL hostname checking In-Reply-To: <4DD5D3B6.5030506@redhat.com> References: <4DA36D1C.9000702@redhat.com> <1305637902.22796.20.camel@dhcp-25-52.brq.redhat.com> <4DD5D3B6.5030506@redhat.com> Message-ID: <1305872882.3630.1.camel@dhcp-25-52.brq.redhat.com> On Thu, 2011-05-19 at 22:36 -0400, Rob Crittenden wrote: > Martin Kosek wrote: > > On Mon, 2011-04-11 at 17:05 -0400, Rob Crittenden wrote: > >> Enable 389-ds SSL host checking by default > >> > >> Enforce that the remote hostname matches the remote SSL server > >> certificate when 389-ds operates as an SSL client. > >> > >> Also add an update file to turn this off for existing installations. > >> > >> ticket 1069 > >> > >> rob > > > > NACK. 10-config.update fails to upgrade existing installation: > > > > # ipa-ldap-updater --upgrade > > Upgrading IPA: > > [1/8]: stopping directory server > > [2/8]: saving configuration > > [3/8]: disabling listeners > > [4/8]: starting directory server > > [5/8]: upgrading server > > ERROR:root:Update failed: Server is unwilling to perform: Deleting attributes is not allowed > > [6/8]: stopping directory server > > [7/8]: restoring configuration > > [8/8]: starting directory server > > done configuring dirsrv. > > > > Martin > > > > Updated patch attached. I had to make the ldap updater do REPLACE > operations. I went ahead and made this code similar to the code in > ldap2.py for consistency. > > rob ACK. Both LDAP upgrade and a fresh installation work fine. Martin From jhrozek at redhat.com Fri May 20 06:36:15 2011
From: jhrozek at redhat.com (Jakub Hrozek) Date: Fri, 20 May 2011 08:36:15 +0200 Subject: [Freeipa-devel] Ticket #1107 - firewall troubles In-Reply-To: <1305837670.13113.71.camel@willson.li.ssimo.org> References: <1305834846.21313.46.camel@dhcp-25-52.brq.redhat.com> <1305837670.13113.71.camel@willson.li.ssimo.org> Message-ID: <4DD60BDF.6090507@redhat.com> On 05/19/2011 10:41 PM, Simo Sorce wrote: > On Thu, 2011-05-19 at 21:54 +0200, Martin Kosek wrote: >> Hello, >> >> I am working on ticket #1107 and I am looking for some ideas how to deal >> with it. >> >> The problem is that when we are installing a replica and have firewall >> on, the installation may fail or (even worse) hang. The question is >> how to deal with this situation since we cannot test if the ports are >> not blocked locally. It must be done from the remote master. >> >> I discussed this with Rob and I see two solutions here: >> >> 1) Don't complicate this and limit our user handholding (my favorite) - >> just tell him what ports he should open before proceeding with the >> installation. If he doesn't, the installation will fail later. The >> problem is when the installation hangs - it's hard to detect. This is the >> easy way. >> >> 2) Implement and register a mod_wsgi application on a master server and >> let it test remotely if the ports on the replica are open. We would have >> to open and listen on them in ipa-replica-install as we cannot tell if port >> is not-yet-opened or firewalled just from the network error code. If the >> application would report a firewalled port, we would throw an error in >> the ipa-replica-install. >> >> However, as Rob pointed out, it would open a possible security hole as >> we would basically behave as port scanner. > > It may also create SELinux issues as I think apache is not allowed to > contact random ports normally. > >> Any opinions, suggestions, ideas on this?
> > I think a much better solution is to create a simple program pair one > for the master and one for the wannabe replica. > > The one on the replica opens all relevant ports. > The one to be run on the master tries to connect to all these ports. > Each side will report port,service name,success/failure > > Bonus points if we create the replica program so that it can use admin > credentials to ssh into the master and run the master side automatically > properly merging the output of that side. > And even more bonus points if we write a simple SELinux policy that only allows the listening program to just bind to the set of ports and nothing else. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 261 bytes Desc: OpenPGP digital signature URL: From mkosek at redhat.com Fri May 20 07:36:51 2011 
From: mkosek at redhat.com (Martin Kosek) Date: Fri, 20 May 2011 09:36:51 +0200 Subject: [Freeipa-devel] Ticket #1107 - firewall troubles In-Reply-To: <1305837670.13113.71.camel@willson.li.ssimo.org> References: <1305834846.21313.46.camel@dhcp-25-52.brq.redhat.com> <1305837670.13113.71.camel@willson.li.ssimo.org> Message-ID: <1305877011.3630.8.camel@dhcp-25-52.brq.redhat.com> On Thu, 2011-05-19 at 16:41 -0400, Simo Sorce wrote: > On Thu, 2011-05-19 at 21:54 +0200, Martin Kosek wrote: > > Hello, > > > > I am working on ticket #1107 and I am looking for some ideas how to deal > > with it. > > > > The problem is that when we are installing a replica and have firewall > > on, the installation may fail or (even worse) hang. The question is > > how to deal with this situation since we cannot test if the ports are > > not blocked locally. It must be done from the remote master. > > > > I discussed this with Rob and I see two solutions here: > > > > 1) Don't complicate this and limit our user handholding (my favorite) - > > just tell him what ports he should open before proceeding with the > > installation. If he doesn't, the installation will fail later. The > > problem is when the installation hangs - it's hard to detect. This is the > > easy way. > > > > 2) Implement and register a mod_wsgi application on a master server and > > let it test remotely if the ports on the replica are open. We would have > > to open and listen on them in ipa-replica-install as we cannot tell if port > > is not-yet-opened or firewalled just from the network error code. If the > > application would report a firewalled port, we would throw an error in > > the ipa-replica-install. > > > > However, as Rob pointed out, it would open a possible security hole as > > we would basically behave as port scanner. > > It may also create SELinux issues as I think apache is not allowed to > contact random ports normally. > > > Any opinions, suggestions, ideas on this?
> > I think a much better solution is to create a simple program pair one > for the master and one for the wannabe replica. > > The one on the replica opens all relevant ports. > The one to be run on the master tries to connect to all these ports. > Each side will report port,service name,success/failure So you are saying this program would be optional and user could run it if he would be unsure if firewall setting is OK? Like running for example: $ ipa-replica-check-connection --on-replica on the replica which would listen on our set of ports (and as Jakub said, it may be secured by SELinux policy) and then he would run $ ipa-replica-check-connection --on-master on the master server which would test the ports and print a result. > > Bonus points if we create the replica program so that it can use admin > credentials to ssh into the master and run the master side automatically > properly merging the output of that side. I am not sure if we can count on having admin credentials for ssh or even ssh connection at all. Martin From mkosek at redhat.com Fri May 20 07:43:58 2011 
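Simo's program pair and Martin's --on-replica / --on-master sketch above come down to a listener on the replica plus a connect test run from the master, each reporting port, service name and success/failure. The following is an added example, not FreeIPA code (the ipa-replica-check-connection name is only Martin's illustration, and the service list here is constructed, since the real port list is not on this page). It implements both halves and keeps apart a refused connection (the host answered, nothing is listening yet) from a timeout (no answer at all, the usual symptom of a filtering firewall), which is exactly the distinction that cannot be made without the replica-side listener. The offline demonstration binds ephemeral ports on 127.0.0.1 so it runs without privileges.

```python
"""Replica/master port check pair (added example, not FreeIPA code)."""
import errno
import socket

# Constructed service list; the real set of FreeIPA ports would replace it.
# Port 0 asks the kernel for an ephemeral port, which is what the offline
# demonstration uses so that no privileged port is needed.
SERVICES = [("ldap", 389), ("ldaps", 636), ("kerberos", 88), ("https", 443)]


def open_listeners(services, address="0.0.0.0"):
    """Replica side (the '--on-replica' half): listen on every service port
    so the master side can tell 'nothing listening yet' from 'filtered'.
    Returns [(service, bound_port, socket)]."""
    listeners = []
    for name, port in services:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind((address, port))
        s.listen(5)
        listeners.append((name, s.getsockname()[1], s))
    return listeners


def probe(host, port, timeout):
    """One TCP connect attempt to an expected listener, mapped to a status."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except socket.timeout:
        # Neither SYN/ACK nor RST within the timeout: the usual signature
        # of a firewall rule that silently drops the packet.
        return "filtered"
    except socket.error as e:
        if e.errno == errno.ECONNREFUSED:
            # The host answered with RST: reachable, but nothing listening.
            return "closed"
        return "error:%s" % (e.strerror or e.errno)
    finally:
        s.close()


def check_ports(host, services, timeout=3.0):
    """Master side (the '--on-master' half): connect to each expected port
    on the replica and return [(service, port, status)]."""
    return [(name, port, probe(host, port, timeout)) for name, port in services]


def format_report(results):
    """'port,service,success|failure' lines, the format proposed in the thread."""
    lines = []
    for name, port, status in results:
        verdict = "success" if status == "open" else "failure (%s)" % status
        lines.append("%d,%s,%s" % (port, name, verdict))
    return lines


def demo():
    """Offline run: both halves on 127.0.0.1 with ephemeral ports, then the
    first listener is closed to show the 'closed' verdict.  Returns the
    report before and after closing it."""
    listeners = open_listeners([(n, 0) for n, _ in SERVICES], "127.0.0.1")
    expected = [(name, port) for name, port, _ in listeners]
    try:
        before = check_ports("127.0.0.1", expected, timeout=2.0)
        listeners[0][2].close()                  # 'ldap' stops listening
        after = check_ports("127.0.0.1", expected, timeout=2.0)
    finally:
        for _, _, s in listeners:
            s.close()
    return format_report(before), format_report(after)


if __name__ == "__main__":
    for report in demo():
        print("\n".join(report))
```

In real use the replica half would bind the actual service ports (which needs root) and the master half would be pointed at the replica's hostname with the same list; a "filtered" line then points straight at the firewall, while a "closed" line means the listener was not started.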
From: mkosek at redhat.com (Martin Kosek) Date: Fri, 20 May 2011 09:43:58 +0200 Subject: [Freeipa-devel] Ticket #1107 - firewall troubles In-Reply-To: <4DD59A6D.7060709@redhat.com> References: <1305834846.21313.46.camel@dhcp-25-52.brq.redhat.com> <1305837670.13113.71.camel@willson.li.ssimo.org> <4DD59A6D.7060709@redhat.com> Message-ID: <1305877438.3630.16.camel@dhcp-25-52.brq.redhat.com> On Thu, 2011-05-19 at 18:32 -0400, Dmitri Pal wrote: > On 05/19/2011 04:41 PM, Simo Sorce wrote: > > On Thu, 2011-05-19 at 21:54 +0200, Martin Kosek wrote: > >> Hello, > >> > >> I am working on ticket #1107 and I am looking for some ideas how to deal > >> with it. > >> > >> The problem is that when we are installing a replica and have firewall > >> on, the installation may fail or (even worse) hang. The question is > >> how to deal with this situation since we cannot test if the ports are > >> not blocked locally. It must be done from the remote master. > >> > >> I discussed this with Rob and I see two solutions here: > >> > >> 1) Don't complicate this and limit our user handholding (my favorite) - > >> just tell him what ports he should open before proceeding with the > >> installation. If he doesn't, the installation will fail later. The > >> problem is when the installation hangs - it's hard to detect. This is the > >> easy way. > >> > >> 2) Implement and register a mod_wsgi application on a master server and > >> let it test remotely if the ports on the replica are open. We would have > >> to open and listen on them in ipa-replica-install as we cannot tell if port > >> is not-yet-opened or firewalled just from the network error code. If the > >> application would report a firewalled port, we would throw an error in > >> the ipa-replica-install. > >> > >> However, as Rob pointed out, it would open a possible security hole as > >> we would basically behave as port scanner. > > It may also create SELinux issues as I think apache is not allowed to > > contact random ports normally.
> >
> >> Any opinions, suggestions, ideas on this?
> > I think a much better solution is to create a simple program pair one
> > for the master and one for the wannabe replica.
> >
> > The one on the replica opens all relevant ports.
> > The one to be run on the master tries to connect to all these ports.
> > Each side will report port,service name,success/failure
> >
> > Bonus points if we create the replica program so that it can use admin
> > credentials to ssh into the master and run the master side automatically
> > properly merging the output of that side.
> >
> > Simo.
> >
> I think Simo has a point but it is too much for now.
> IMO it is Ok to fail and report a meaningful error message on either
> side. Installation hanging is what we should address here in the scope
> of 2.1.
>

I am thinking about implementing a watchdog for this critical installation step (`/usr/bin/pkisilent ConfigureCA`), where replica is known to hang. We could set a safe timeout, say 5-10 minutes for the pkisilent process and if it doesn't finish in the given time, we would kill the process and inform the user + ask him to check if the ports are opened.

The list of our ports to check could be printed to the user almost every time the installation fails so that he would have a hint where to investigate.

Martin

From simo at redhat.com Fri May 20 12:05:20 2011
From: simo at redhat.com (Simo Sorce)
Date: Fri, 20 May 2011 08:05:20 -0400
Subject: [Freeipa-devel] Ticket #1107 - firewall troubles
In-Reply-To: <1305877011.3630.8.camel@dhcp-25-52.brq.redhat.com>
References: <1305834846.21313.46.camel@dhcp-25-52.brq.redhat.com> <1305837670.13113.71.camel@willson.li.ssimo.org> <1305877011.3630.8.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <1305893120.13113.79.camel@willson.li.ssimo.org>

On Fri, 2011-05-20 at 09:36 +0200, Martin Kosek wrote:
> On Thu, 2011-05-19 at 16:41 -0400, Simo Sorce wrote:
> > On Thu, 2011-05-19 at 21:54 +0200, Martin Kosek wrote:
> > > Hello,
> > >
> > > I am working on ticket #1107 and I am looking for some ideas how to deal
> > > with it.
> > >
> > > The problem is that when we are installing a replica and have firewall
> > > on, the installation may fail or (even worse) hang. The question is
> > > how to deal with this situation since we cannot test if the ports are
> > > not blocked locally. It must be done from the remote master.
> > >
> > > I discussed this with Rob and I see two solutions here:
> > >
> > > 1) Don't complicate this and limit our user handholding (my favorite) -
> > > just tell him what ports he should open before proceeding with the
> > > installation. If he doesn't, the installation will fail later. The
> > > problem is when the installation hangs - it's hard to detect. This is the
> > > easy way.
> > >
> > > 2) Implement and register a mod_wsgi application on a master server and
> > > let it test remotely if the ports on the replica are open. We would have
> > > to open and listen on them in ipa-replica-install as we cannot tell if a port
> > > is not-yet-opened or firewalled just from the network error code. If the
> > > application would report a firewalled port, we would throw an error in
> > > the ipa-replica-install.
> > >
> > > However, as Rob pointed out, it would open a possible security hole as
> > > we would basically behave as a port scanner.
> >
> > It may also create SELinux issues as I think apache is not allowed to
> > contact random ports normally.
> >
> > > Any opinions, suggestions, ideas on this?
> >
> > I think a much better solution is to create a simple program pair one
> > for the master and one for the wannabe replica.
> >
> > The one on the replica opens all relevant ports.
> > The one to be run on the master tries to connect to all these ports.
> > Each side will report port,service name,success/failure
>
> So you are saying this program would be optional and user could run it
> if he would be unsure if firewall setting is OK? Like running for
> example:
>
> $ ipa-replica-check-connection --on-replica
>
> on the replica which would listen on our set of ports (and as Jakub
> said, it may be secured by SELinux policy) and then he would run
>
> $ ipa-replica-check-connection --on-master

This one would actually be:

$ ipa-replica-check-connection --on-master fqdn.of.replica

> on the master server which would test the ports and print a result.

Yes.

> >
> > Bonus points if we create the replica program so that it can use admin
> > credentials to ssh into the master and run the master side automatically
> > properly merging the output of that side.
>
> I am not sure if we can count on having admin credentials for ssh or
> even ssh connection at all.

We certainly create the admin account by default, it is available as a user account on the server and ssh is configured to accept gssapi credentials or password authentication through pam. It is quite unlikely that the user running the replica install doesn't know those credentials but knows directory manager credentials; if that's the case we could provide for parameters to tell which user to use instead of admin as an optional set of arguments.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Fri May 20 13:45:36 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 20 May 2011 09:45:36 -0400
Subject: [Freeipa-devel] Ticket #1107 - firewall troubles
In-Reply-To: <4DD59A6D.7060709@redhat.com>
References: <1305834846.21313.46.camel@dhcp-25-52.brq.redhat.com> <1305837670.13113.71.camel@willson.li.ssimo.org> <4DD59A6D.7060709@redhat.com>
Message-ID: <4DD67080.6040500@redhat.com>

Dmitri Pal wrote:
> I think Simo has a point but it is too much for now.
> IMO it is Ok to fail and report a meaningful error message on either
> side. Installation hanging is what we should address here in the scope
> of 2.1.

The problem is we currently have no way of telling if the master can talk to the replica on a given port. When replication begins a connection is made from the master to the replica and this is what is failing. Replication is rather robust so it assumes this is a temporary condition and waits for things to change (they won't). From the user's perspective the installation has hung.

Without doing active port checking from the master side we have no way of knowing this may happen (because it can be a firewall somewhere in between too). So there is no way to fail and report a meaningful error message. If we could we would catch it up front.

We can't even put a timeout on this because whatever number we choose will be wrong (640k anyone?)

Simo's idea of ssh'ing to the master may be our only real alternative. I don't think admin credentials are required though, any user should be able to run the remote command.

rob

From rcritten at redhat.com Fri May 20 14:10:09 2011
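The program pair sketched in this thread (the replica side opens the ports the install needs, the master side connects to each and reports "port,service name,success/failure"), written out as an added example. This is not FreeIPA code and not the proposed ipa-replica-check-connection tool, which at this point in the thread exists only as an idea. The port list is an assumption for illustration, and the service-name banner the listener sends back, plus the separate reporting of a timeout versus a refused connection, are design choices of this example: a timeout usually means a filter is dropping packets, while a refusal with the replica side already listening points at an active reject somewhere on the path. Both halves are meant to be run on hosts you administer.

```python
"""Added example (not FreeIPA code): master/replica connectivity self-check.

Replica side: bind the ports the install will need and answer each
connection with the service name.  Master side: connect to each port and
report "port,service name,success/failure".
"""
import socket
import threading
from typing import Dict, Iterable, List, Tuple

# Assumed port list for illustration only; the real set is whatever the
# replica install needs and is not taken from the thread.
ASSUMED_PORTS: List[Tuple[int, str]] = [
    (80, "http"), (443, "https"), (389, "ldap"),
    (636, "ldaps"), (88, "kerberos"), (464, "kpasswd"),
]

Result = Tuple[int, str, bool, str]  # port, service name, success, detail


class ReplicaListener:
    """Replica side ("--on-replica"): open the ports and answer every
    connection with the service name, so the master can tell it reached
    this listener rather than some unrelated process."""

    def __init__(self, ports: Iterable[Tuple[int, str]], bind_addr: str = "0.0.0.0"):
        self._socks: List[Tuple[socket.socket, str]] = []
        self.bound: Dict[int, str] = {}  # actual port -> service name
        for port, name in ports:
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            s.bind((bind_addr, port))  # port 0 lets the kernel pick a free one
            s.listen(5)
            s.settimeout(0.2)  # short accept timeout so the loop can notice close()
            self._socks.append((s, name))
            self.bound[s.getsockname()[1]] = name
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self) -> None:
        while not self._stop.is_set():
            for s, name in self._socks:
                try:
                    conn, _ = s.accept()
                except socket.timeout:
                    continue
                with conn:
                    conn.sendall(name.encode() + b"\n")

    def close(self) -> None:
        self._stop.set()
        self._thread.join()
        for s, _ in self._socks:
            s.close()


def check_ports(host: str, ports: Dict[int, str], timeout: float = 3.0) -> List[Result]:
    """Master side ("--on-master fqdn.of.replica"): try every port and
    classify the outcome instead of collapsing all failures into one."""
    results: List[Result] = []
    for port in sorted(ports):
        name = ports[port]
        try:
            with socket.create_connection((host, port), timeout=timeout) as c:
                banner = c.recv(64).decode(errors="replace").strip()
        except socket.timeout:
            results.append((port, name, False, "timeout (packets dropped by a filter?)"))
        except ConnectionRefusedError:
            results.append((port, name, False, "connection refused (rejected, or replica side not listening)"))
        except OSError as exc:
            results.append((port, name, False, f"error: {exc}"))
        else:
            if banner == name:
                results.append((port, name, True, "reached replica listener"))
            else:
                results.append((port, name, False, f"reached something else: {banner!r}"))
    return results


def format_report(results: List[Result]) -> List[str]:
    """One line per port in the "port,service name,success/failure" form."""
    return [f"{port},{name},{'success' if ok else 'failure'} ({detail})"
            for port, name, ok, detail in results]


def find_unused_port() -> int:
    """Pick a loopback port nothing is listening on (used by the demo)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as probe:
        probe.bind(("127.0.0.1", 0))
        return probe.getsockname()[1]


if __name__ == "__main__":
    # Loopback demonstration on unprivileged ports; run the two halves on
    # the real master and replica to exercise a real firewall.
    listener = ReplicaListener([(0, "ldap"), (0, "http")], bind_addr="127.0.0.1")
    try:
        for line in format_report(check_ports("127.0.0.1", listener.bound)):
            print(line)
        for line in format_report(check_ports("127.0.0.1", {find_unused_port(): "ldaps"})):
            print(line)
    finally:
        listener.close()
```

The master side needs only an unprivileged TCP connect per port, which is why, as Rob notes, no admin credentials are required to run it; the per-connect timeout here only classifies a single probe and is not the install-wide watchdog the thread argues against.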
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 20 May 2011 10:10:09 -0400
Subject: [Freeipa-devel] [PATCH] 769 enable SSL hostname checking
In-Reply-To: <1305872882.3630.1.camel@dhcp-25-52.brq.redhat.com>
References: <4DA36D1C.9000702@redhat.com> <1305637902.22796.20.camel@dhcp-25-52.brq.redhat.com> <4DD5D3B6.5030506@redhat.com> <1305872882.3630.1.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4DD67641.1010700@redhat.com>

Martin Kosek wrote:
> On Thu, 2011-05-19 at 22:36 -0400, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> On Mon, 2011-04-11 at 17:05 -0400, Rob Crittenden wrote:
>>>> Enable 389-ds SSL host checking by default
>>>>
>>>> Enforce that the remote hostname matches the remote SSL server
>>>> certificate when 389-ds operates as an SSL client.
>>>>
>>>> Also add an update file to turn this off for existing installations.
>>>>
>>>> ticket 1069
>>>>
>>>> rob
>>>
>>> NACK. 10-config.update fails to upgrade existing installation:
>>>
>>> # ipa-ldap-updater --upgrade
>>> Upgrading IPA:
>>> [1/8]: stopping directory server
>>> [2/8]: saving configuration
>>> [3/8]: disabling listeners
>>> [4/8]: starting directory server
>>> [5/8]: upgrading server
>>> ERROR:root:Update failed: Server is unwilling to perform: Deleting attributes is not allowed
>>> [6/8]: stopping directory server
>>> [7/8]: restoring configuration
>>> [8/8]: starting directory server
>>> done configuring dirsrv.
>>>
>>> Martin
>>>
>>
>> Updated patch attached. I had to make the ldap updater do REPLACE
>> operations. I went ahead and made this code similar to the code in
>> ldap2.py for consistency.
>>
>> rob
>
> ACK. Both LDAP upgrade and a fresh installation work fine.
>
> Martin
>

pushed to master and ipa-2-0

From rcritten at redhat.com Fri May 20 14:14:12 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 20 May 2011 10:14:12 -0400
Subject: [Freeipa-devel] [PATCH] 786 Configure Managed Entries on replicas.
In-Reply-To: <53617265-3063-4B6F-A846-D4C8DF110120@citrixonline.com>
References: <4DD41AE9.1060200@redhat.com> <4DD43F97.704@redhat.com> <53617265-3063-4B6F-A846-D4C8DF110120@citrixonline.com>
Message-ID: <4DD67734.2000403@redhat.com>

JR Aquino wrote:
> On May 18, 2011, at 2:52 PM, Rob Crittenden wrote:
>
>> Rob Crittenden wrote:
>>> The Managed Entries plugin configurations weren't being created on
>>> replica installs. The templates were there but the cn=config portions
>>> were not.
>>>
>>> This patch adds them as updates. The template portion will be added in
>>> the initial replication.
>>>
>>> ticket 1222
>>>
>>> To test:
>>>
>>> Install a master
>>> Install a replica
>>> On replica: kinit
>>> On replica: ipa user-add --first=timmy --last=test ttest
>>> On replica: ipa group-show ttest
>>> On master: ipa group-show ttest
>>>
>>> rob
>>
>> Updated patch attached. This requires jraquino patch 28 to work as expected.
>>
>> rob
>>
>
> NACK
>
> This patch is not applying to Master?
>
> error: patch failed: install/updates/Makefile.am:8
> error: install/updates/Makefile.am: patch does not apply
>

Rebased, it depended on my patch 769.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-786-3-replica.patch
Type: application/mbox
Size: 4802 bytes
Desc: not available
URL:

From rcritten at redhat.com Fri May 20 14:21:00 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 20 May 2011 10:21:00 -0400
Subject: [Freeipa-devel] [PATCH] 783 get group info when showing user
In-Reply-To: <4DCDC42F.7080107@redhat.com>
References: <4DCD9051.3040908@redhat.com> <4DCDABA9.1030802@redhat.com> <4DCDC42F.7080107@redhat.com>
Message-ID: <4DD678CC.5020301@redhat.com>

Rob Crittenden wrote:
> Adam Young wrote:
>> On 05/13/2011 04:10 PM, Rob Crittenden wrote:
>>> The UI team had asked that we provide some group info (GID,
>>> description) when showing users. This adds a special call to group_find
>>> to get this information. It is returned as a list of dicts.
>>>
>>> ticket 107
>>>
>>> rob
>>>
>>>
>>> _______________________________________________
>>> Freeipa-devel mailing list
>>> Freeipa-devel at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>>
>>
>> I wonder if this is the wrong abstraction. As we discussed today, we
>> need to do many of these types of cross referential searches. Basically,
>> we need to be able to filter on 'member' and 'memberof' type
>> relationships.
>>
>> So if we did a group_find --member_user=ayoung it would return all
>> groups that I am a member of. This would work across the board for
>> association facets
>
> That works now, as specified in the ticket. I was under the impression
> this was rejected which is why I embedded it into user-show. What you
> suggested works now with: ipa group-find --users=ayoung
>
> memberof doesn't exist in the group, you have to look at the end entity.
>
> rob

So what shall I do with this? Dump the patch and re-assign the ticket to the UI?

rob

From rcritten at redhat.com Fri May 20 14:55:26 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 20 May 2011 10:55:26 -0400
Subject: [Freeipa-devel] [PATCH] 067 A new flag to disable creation of UPG
In-Reply-To: <1305619158.22796.3.camel@dhcp-25-52.brq.redhat.com>
References: <1305543942.30122.4.camel@dhcp-25-52.brq.redhat.com> <4DD1D983.4080102@redhat.com> <1305619158.22796.3.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4DD680DE.3070709@redhat.com>

Martin Kosek wrote:
> On Mon, 2011-05-16 at 22:12 -0400, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> This patch is based on Pavel's old patch.
>>>
>>> I am considering applying the patch for master branch only as it changes
>>> an API (adds a new flag) and is a sort of new-functionality-ish.
>>>
>>> --
>>> Automatic creation of User Private Groups (UPG) may not be
>>> wanted at all times. This patch adds a new flag --noprivate to
>>> ipa user-add command to disable it.
>>>
>>> https://fedorahosted.org/freeipa/ticket/1131
>>
>> Nack, setattr and addattr are removed from API.txt. I'm guessing it's a
>> side-effect of some change here.
>>
>> The approach generally looks good.
>>
>> rob
>
> You are right, this was a side-effect in user.py. I fixed the problem,
> updated patch is attached.
>
> Martin

This looks good, just a couple of requests:

1. Bump the minor API version since we are adding a new flag
2. Add a self-test for not creating a private group

rob

From rcritten at redhat.com Fri May 20 15:32:08 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 20 May 2011 11:32:08 -0400
Subject: [Freeipa-devel] [PATCH] 24 Add sudorule and hbacrule to memberof AND indirectmemberof attributes
In-Reply-To: <7D243923-B3F9-4284-9FAF-550AC9E86AEE@citrixonline.com>
References: <36AD4E47-C1BE-4603-8578-1823F2C89892@citrixonline.com> <4DB1DCD6.1060606@redhat.com> <0B1CC5CC-F36C-4EA7-B30D-472539E64D7E@citrixonline.com> <4DC9FD7F.1090505@redhat.com> <4DC9FF25.8070501@redhat.com> <7D243923-B3F9-4284-9FAF-550AC9E86AEE@citrixonline.com>
Message-ID: <4DD68978.3040409@redhat.com>

JR Aquino wrote:
> On May 10, 2011, at 8:14 PM, Adam Young wrote:
>
>> On 05/10/2011 11:07 PM, Adam Young wrote:
>>> On 05/10/2011 04:38 PM, JR Aquino wrote:
>>>> On Apr 22, 2011, at 12:53 PM, Rob Crittenden wrote:
>>>>
>>>>
>>>>> JR Aquino wrote:
>>>>>
>>>>>> On Apr 12, 2011, at 9:45 AM, JR Aquino wrote:
>>>>>>
>>>>>>
>>>>>>> Add HBAC Rule and Sudo Rule to users as indirect member attributes to simplify the auditing of users for their indirect membership to their authorization rights.
>>>>>>>
>>>>>>> An Administrator should have the ability to quickly identify the rights a user will have in the system.
>>>>>>>
>>>>>>> For example.
>>>>>>> With the patch added, my user show looks like this:
>>>>>>>
>>>>>>> # ipa user-show tester --all
>>>>>>> dn: uid=builder,cn=users,cn=accounts,dc=example,dc=com
>>>>>>> User login: tester
>>>>>>> First name: Tester
>>>>>>> Last name: Engineering
>>>>>>> Full name: Tester Engineering
>>>>>>> Display name: Tester Engineering
>>>>>>> Initials: TE
>>>>>>> Home directory: /home/tester
>>>>>>> GECOS field: Tester Engineering
>>>>>>> Login shell: /bin/sh
>>>>>>> Kerberos principal: tester at EXAMPLE.COM
>>>>>>>
>>>>>>> UID: 1829800388
>>>>>>> GID: 1829800388
>>>>>>> Account disabled: False
>>>>>>> Member of groups: ipausers, auto-dev-deploy-tools, build-integration
>>>>>>> ipauniqueid: 72fa22c6-6085-11e0-9629-0023aefe4ec0
>>>>>>> krbpwdpolicyreference: cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com
>>>>>>> memberofindirect_HBAC rule: development
>>>>>>> memberofindirect_Sudo Rule: AUTO-dev-deploy-tools_DEPLOY, AUTO-dev-deploy-tools_ZENOSS, build-integration
>>>>>>> mepmanagedentry: cn=tester,cn=groups,cn=accounts,dc=example,dc=com
>>>>>>> objectclass: top, person, organizationalperson, inetorgperson, inetuser, posixaccount
>>>>>>
>>>>>> OOPS, forgot to have PATCH in the subject.
>>>>>>
>>>>>>
>>>>> I think you need this as well, right?
>>>>>
>>>>> - 'memberof': ['group', 'netgroup', 'role'],
>>>>> + 'memberof': ['group', 'netgroup', 'role', 'sudorule', 'hbacrule'],
>>>>>
>>>> Some scope change.
>>>>
>>>> Added memberof and memberofindirect
>>>>
>>>> Added to user.py host.py group.py hostgroup.py
>>>>
>>>> When using the --all flag it is now very clear to the administrator what authorization rules these objects are directly or indirectly a memberof.
>>>>
>>>> xmlrpc tests check out
>>>>
>>>> Please review
>>>
>>>
>>> The reason that this shows up in the UI is that it is generating additional memberof attributes. It has nothing to do with the memberofindirect:
>>
>> You are also going to need to modify the sudo rule and HBAC rule to use the serial associator on some facets. It looks like group at least has things backwards. The group.js file I think needs a rule like this:
>>
>>
>>     association_facet({
>>         name: 'memberof_sudorule',
>>         associator: IPA.serial_associator
>>     }).
>>
>> This is because the API is for adding multiple groups to the sudo rule, but the default behaviour is for adding multiple <other entity> to.
>
> The above comment is regarding ticket: https://fedorahosted.org/freeipa/ticket/1218 which is dependent on this patch and ticket 1170
>
> As for Patch 24 and ticket 1170, are there any other questions or does this look ready to go?

Nack, this adds some additional API that isn't in API.txt. It would be nice to add test cases for this as well, perhaps in the sudo and hbac tests (create a rule, add a user to it, make sure when showing the user you can see the rule).

rob

From ayoung at redhat.com Fri May 20 15:46:25 2011
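How the "memberof" and "memberofindirect" values in the user-show output above come out of nested membership, as an added example that is not FreeIPA code and does not use its LDAP plugins. The directory here is a constructed toy, loosely modelled on the tester account in the thread, with one extra nested group ("devs") to show a rule reached through two levels. The convention that a container reached both directly and through an intermediate entry is reported only as direct is an assumption of this example, chosen to match the way the --all output above lists direct groups under "Member of groups" and the rest under "memberofindirect_...".

```python
"""Added example (not FreeIPA code): deriving direct and indirect
membership from a nested "member" graph.

Each entry is a (type, name) tuple; the directory maps a container to
the entries it directly lists as members.  We invert that to get the
"memberOf" view and then walk it upwards.
"""
from collections import deque
from typing import Dict, List, Set, Tuple

Entry = Tuple[str, str]

# Constructed sample data: tester is a direct member of three groups, the
# sudo/HBAC rules contain groups, and one HBAC rule contains a group that
# itself contains one of tester's groups.
DIRECTORY: Dict[Entry, Set[Entry]] = {
    ("group", "ipausers"): {("user", "tester")},
    ("group", "auto-dev-deploy-tools"): {("user", "tester")},
    ("group", "build-integration"): {("user", "tester")},
    ("group", "devs"): {("group", "build-integration")},
    ("sudorule", "AUTO-dev-deploy-tools_DEPLOY"): {("group", "auto-dev-deploy-tools")},
    ("sudorule", "AUTO-dev-deploy-tools_ZENOSS"): {("group", "auto-dev-deploy-tools")},
    ("sudorule", "build-integration"): {("group", "build-integration")},
    ("hbacrule", "development"): {("group", "devs")},
}

MEMBER_TYPES = ("group", "netgroup", "role", "sudorule", "hbacrule")


def member_of_index(directory: Dict[Entry, Set[Entry]]) -> Dict[Entry, Set[Entry]]:
    """Invert the member lists: entry -> containers that directly list it."""
    index: Dict[Entry, Set[Entry]] = {}
    for container, members in directory.items():
        for member in members:
            index.setdefault(member, set()).add(container)
    return index


def membership(directory: Dict[Entry, Set[Entry]], entry: Entry) -> Tuple[Set[Entry], Set[Entry]]:
    """Return (direct, indirect) containers of entry.

    direct   = containers that list entry itself
    indirect = containers reached only through intermediate entries
    Breadth-first with a visited set, so cycles (A in B in A) terminate,
    and an entry is never reported as its own indirect member."""
    index = member_of_index(directory)
    direct = set(index.get(entry, ()))
    seen: Set[Entry] = set(direct)
    queue = deque(direct)
    while queue:
        current = queue.popleft()
        for parent in index.get(current, ()):
            if parent not in seen:
                seen.add(parent)
                queue.append(parent)
    seen.discard(entry)
    return direct, seen - direct


def show_membership(directory: Dict[Entry, Set[Entry]], entry: Entry,
                    types: Tuple[str, ...] = MEMBER_TYPES) -> Dict[str, List[str]]:
    """Render the result the way the --all output does: one
    memberof_<type> / memberofindirect_<type> list per non-empty type."""
    direct, indirect = membership(directory, entry)
    out: Dict[str, List[str]] = {}
    for prefix, entries in (("memberof", direct), ("memberofindirect", indirect)):
        for etype in types:
            names = sorted(name for (t, name) in entries if t == etype)
            if names:
                out[f"{prefix}_{etype}"] = names
    return out


if __name__ == "__main__":
    for attr, names in show_membership(DIRECTORY, ("user", "tester")).items():
        print(f"{attr}: {', '.join(names)}")
```

The same walk, run from a group or host instead of a user, gives the membership lines the patch adds to group.py, host.py and hostgroup.py; a reviewer's test of the kind Rob asks for would build a rule, add a user, and assert that the rule appears in the user's indirect list exactly as show_membership returns it.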
From: ayoung at redhat.com (Adam Young)
Date: Fri, 20 May 2011 11:46:25 -0400
Subject: [Freeipa-devel] [PATCH] 0014 Search Box Style
In-Reply-To: <1920184382.82273.1305652935194.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>
References: <1920184382.82273.1305652935194.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>
Message-ID: <4DD68CD1.5030304@redhat.com>

On 05/17/2011 01:22 PM, Kyle Baker wrote:
> Please review and ACK.
>
> Kyle Baker
> Visual Designer
> Desk - 978 392 3116
> IRC - kylebaker

NACK. Needs rebase.

From ayoung at redhat.com Fri May 20 16:10:01 2011
From: ayoung at redhat.com (Adam Young)
Date: Fri, 20 May 2011 12:10:01 -0400
Subject: [Freeipa-devel] [PATCH] 160 Development page for DataTables.
In-Reply-To: <4DD5EEE6.6080901@redhat.com>
References: <4DD5EEE6.6080901@redhat.com>
Message-ID: <4DD69259.5080004@redhat.com>

Works well on a live server, but didn't work with my static checkout.

The keystroke filtering is very nice, and would be useful.

The number of results returned can be changed with the additional parameter.

Sorting can be done on the client side if need be. array.sort(/sortfunction/) where the sortfunction parameter would be able to compare two rows based on the specified field. I'd like to disable the sorting feature until less than 200 results are returned, so as not to give the impression that we are doing server side sorting.

On 05/20/2011 12:32 AM, Endi Sukma Dewata wrote:
> NOTE: This patch is intended for development only. It should not be
> committed into IPA repository.
>
> An HTML page has been created to explore DataTables integration strategy
> into IPA WebUI. To use the page, open dataTables.html either in static
> mode or with live server. Select one of the entities from the list, it
> will show the entries in a table. The IPA command is shown underneath
> the table. Below it is a list of parameters generated by DataTables that
> can be used to specify the search filter, pagination, and sorting on the
> IPA command.
>
> Current status:
>
> - Search filter works in live mode. Each keystroke in the search filter
> field will trigger an IPA command that uses the specified filter. The
> content of the table will be updated immediately.
>
> - Pagination can be configured by selecting the number of entries shown
> per page, but the content is unchanged because there is no server
> support.
>
> - Sorting order can be changed by clicking the column header, but the
> content is unchanged because there is no server support.
From edewata at redhat.com Fri May 20 17:12:51 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 20 May 2011 12:12:51 -0500
Subject: [Freeipa-devel] [PATCH] 161 Fixed Ajax error handling.
Message-ID: <4DD6A113.8010502@redhat.com>

The IPA.command has been modified not to insert a title into the error object thrown by Ajax operation because the object could be immutable.

Ticket #1240

-- 
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0161-Fixed-Ajax-error-handling.patch
Type: text/x-patch
Size: 7476 bytes
Desc: not available
URL:

From ayoung at redhat.com Fri May 20 17:34:02 2011
From: ayoung at redhat.com (Adam Young)
Date: Fri, 20 May 2011 13:34:02 -0400
Subject: [Freeipa-devel] [PATCH] 158 JavaScript ordered map.
In-Reply-To: <4DD56D15.30300@redhat.com>
References: <4DD3D5DB.3080307@redhat.com> <4DD54540.8020909@redhat.com> <4DD56D15.30300@redhat.com>
Message-ID: <4DD6A60A.9090001@redhat.com>

On 05/19/2011 03:18 PM, Endi Sukma Dewata wrote:
> On 5/19/2011 11:28 AM, Adam Young wrote:
>> On 05/18/2011 10:21 AM, Endi Sukma Dewata wrote:
>>> A utility class has been added to store objects which can be accessed
>>> both as an ordered list and as a map. This class is used to store
>>> various objects including entities, fields, columns, and dialogs. The
>>> class needs to be defined in a new file called util.js to avoid a
>>> circular dependency problem. A test suite for this class has been
>>> added as well.
>>>
>>> Ticket #1232
>
>> Good. The only thing I don't like about it is the Util namespace. I
>> think this should be a JQuery plugin instead. Adding a Util namespace is
>> just ignoring the problem of namespace pollution.
>>
>> Can you move it to JQuery, and rename the file and class ordered_map?
>>
>> Put some documentation in the file as to the contract: we explicitly
>> don't hide access to the internals, but if you don't use the manipulator
>> functions, you will corrupt the map etc.
>>
>> This is where Javascript would really benefit from a macro language.
>
> Attached is a new patch that includes the above changes.
>

ACK. Pushed to master

From edewata at redhat.com Fri May 20 17:43:24 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 20 May 2011 12:43:24 -0500
Subject: [Freeipa-devel] [PATCH] 160 Development page for DataTables.
In-Reply-To: <4DD69259.5080004@redhat.com>
References: <4DD5EEE6.6080901@redhat.com> <4DD69259.5080004@redhat.com>
Message-ID: <4DD6A83C.5020702@redhat.com>

On 5/20/2011 11:10 AM, Adam Young wrote:
> Works well on a live server, but didn't work with my static checkout.

The filter wouldn't work with static checkout because it expects the server to return filtered data, but you should still be able to view the contents for different entities.

> The keystroke filtering is very nice, and would be useful.

I'm not sure this is a good thing because it will trigger many unnecessary queries. It might be better if we can use some kind of time delay (e.g. 1 second after the last keystroke).

> The number of results returned can be changed with the additional
> parameter.

Do you mean the sizelimit? Without the ability to specify the starting index (i.e. pagination) its usage will be rather limited.

> Sorting can be done on the client side if need be.
> array.sort(/sortfunction/) where the sortfunction parameter would be
> able to compare two rows based on the specified field. I'd like to
> disable the sorting feature until less than 200 results are returned, so
> as not to give the impression that we are doing server side sorting.

Client-side sorting will only work if the client has the entire data. If the data is only partially returned (because of pagination or truncation), the client can only sort that subset of data, not the entire database, which is probably not what people would expect.

-- 
Endi S. Dewata

From ayoung at redhat.com Fri May 20 18:00:24 2011
From: ayoung at redhat.com (Adam Young)
Date: Fri, 20 May 2011 14:00:24 -0400
Subject: [Freeipa-devel] [PATCH] 159 Fixed problem disabling HBAC and SUDO rules.
In-Reply-To: <4DD40719.4020603@redhat.com>
References: <4DD40719.4020603@redhat.com>
Message-ID: <4DD6AC38.8010002@redhat.com>

On 05/18/2011 01:51 PM, Endi Sukma Dewata wrote:
> The method names for disabling HBAC and SUDO rules have been fixed.
>
> Ticket #1237.

ACK. Pushed to master

From ayoung at redhat.com Fri May 20 18:05:55 2011
From: ayoung at redhat.com (Adam Young)
Date: Fri, 20 May 2011 14:05:55 -0400
Subject: [Freeipa-devel] [PATCH] 161 Fixed Ajax error handling.
In-Reply-To: <4DD6A113.8010502@redhat.com>
References: <4DD6A113.8010502@redhat.com>
Message-ID: <4DD6AD83.309@redhat.com>

On 05/20/2011 01:12 PM, Endi Sukma Dewata wrote:
> The IPA.command has been modified not to insert a title into the error
> object thrown by Ajax operation because the object could be immutable.
>
> Ticket #1240

ACK. Pushed to master

From jcholast at redhat.com Fri May 20 18:27:49 2011
From: jcholast at redhat.com (Jan Cholasta)
Date: Fri, 20 May 2011 20:27:49 +0200
Subject: [Freeipa-devel] [PATCH] 18 Parse netmasks in IP addresses passed to server install
In-Reply-To: <4DC97E8B.8050904@redhat.com>
References: <4DC97E8B.8050904@redhat.com>
Message-ID: <4DD6B2A5.3010507@redhat.com>

On 10.5.2011 20:06, Jan Cholasta wrote:
> Parse netmasks in IP addresses passed to server install.
>
> ticket 1212

Patch updated.

TODO: Write unit test for ipapython.ipautil.CheckedIPAddress
TODO: Clean unreachable code paths off of ipa-server-install (?)
TODO: Workarounds for netaddr bugs (?)

-- 
Jan Cholasta

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-18.1-parse-netmask.patch
Type: text/x-patch
Size: 15243 bytes
Desc: not available
URL:

From jcholast at redhat.com Fri May 20 18:29:17 2011
From: jcholast at redhat.com (Jan Cholasta)
Date: Fri, 20 May 2011 20:29:17 +0200
Subject: [Freeipa-devel] [PATCH] 3 Add ability to specify netmask with IP addresses during installation
In-Reply-To: <4DCBD6FF.7050103@redhat.com>
References: <4D9068E5.6090209@redhat.com> <4D90920E.3080900@redhat.com> <4D91DD15.8020109@redhat.com> <4D91DDA6.2060304@redhat.com> <4D923DCA.1030900@redhat.com> <4D930AAD.9020209@redhat.com> <4D9F1AFA.8000305@redhat.com> <4DA2DC6F.1000105@redhat.com> <4DA58644.3020506@redhat.com> <4DAF3D5A.7080300@redhat.com> <4DAFDE65.5050100@redhat.com> <4DC97F9F.5030103@redhat.com> <1305122338.4961.23.camel@dhcp-25-52.brq.redhat.com> <4DCBD6FF.7050103@redhat.com>
Message-ID: <4DD6B2FD.80204@redhat.com>

On 12.5.2011 14:47, Jan Cholasta wrote:
>
> Rewrote host.py so that it doesn't use get_reverse_zone from
> ipaserver.bindinstance (which fixes the pylint errors).
>
> Honza
>

Patch updated. Requires patch 18.1.

-- 
Jan Cholasta

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-3.7-reverse-zone.patch
Type: text/x-patch
Size: 12641 bytes
Desc: not available
URL:

From jcholast at redhat.com Fri May 20 18:34:23 2011
From: jcholast at redhat.com (Jan Cholasta)
Date: Fri, 20 May 2011 20:34:23 +0200
Subject: [Freeipa-devel] [PATCH] 19 Do stricter checking of IP addresses passed to server install
In-Reply-To: <1305708694.22796.60.camel@dhcp-25-52.brq.redhat.com>
References: <4DC97FEC.1000005@redhat.com> <1305559608.30122.30.camel@dhcp-25-52.brq.redhat.com> <4DD15BA1.5080004@redhat.com> <1305708694.22796.60.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4DD6B42F.6040507@redhat.com>

On 18.5.2011 10:51, Martin Kosek wrote:
> On Mon, 2011-05-16 at 19:15 +0200, Jan Cholasta wrote:
>> On 16.5.2011 17:26, Martin Kosek wrote:
>>> On Tue, 2011-05-10 at 20:11 +0200, Jan Cholasta wrote:
>>>> Split from patch 3, requires patch 18.
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/1213
>>>>
>>>> Honza
>>>>
>>>
>>> I tested all patches (3.6, 18, 19), but I think some work still needs to
>>> be done:
>>>
>>> 1) What about adding /sbin/ip package to Requires in spec? I thought
>>> there was an agreement to do it.
>>
>> Will do.
>
> Ok.
>
>>
>>>
>>> 2) When I run `ipa-server-install --ip-address=$ADDR`, and $ADDR is an
>>> invalid address (e.g. $ADDR==foo), loopback address (e.g.
>>> $ADDR==127.0.0.1) or just another than the local address (e.g.
>>> $ADDR==123.123.123.123) the installer always fails with "the hostname
>>> resolves to an IP address that is different from the one provided on the
>>> command line".
>>>
>>> I think we may want a different error message in those 3 cases - it
>>> should be easy to do it now, with the improved IP handling.
>>
>> It looks like the print statements from verify_ip_address don't
>> actually print anything to the user. Will look into that.
>
> Ok.
>
>>
>>>
>>> 3) When I pass netmask to ipa-server-install --ip-address=$ADDR, the
>>> installation always fails with the above message. Even though I took the
>>> addr+netmask from "/sbin/ip address" output.
>>
>> Works for me. Please make sure you've added your hostname to /etc/hosts.
>
> I think I had.
> But I will recheck when you send a fix.
>
>>
>>>
>>> 4) I miss IP address checks in --ip-address and --forwarder parameters
>>> of ipa-dns-install script. I can pass invalid or local addresses to
>>> these parameters. This breaks Bind configuration.
>>
>> --ip-address is checked, but --forwarder is not. Will fix that.
>
> Ok, I will recheck both of them when you do.
>
>>
>>>
>>> 5) I think we may want to check also for local address in
>>> #ipa host-add $HOST --ip-address=127.0.0.1
>>>
>>> 6) I couldn't add IP address with netmask in host module:
>>> # ipa host-add $HOST --ip-address=10.16.78.102/22
>>> ipa: ERROR: invalid 'ip_address': invalid IP address
>>
>> The patches are for the installer, as are the tickets they fix, so these
>> issues are out of scope. A new ticket should be opened for them.
>>
>
> You touched this parameter in your patches, that's why I tested it. I
> created a new ticket for it:
>
> https://fedorahosted.org/freeipa/ticket/1234
>
> Ticket 1234, yey :-)
>
>>>
>>> 7) Why is the _ParsedIPAddress named with a leading underscore? It's not
>>> really an internal use since it is returned by new IP handling functions
>>> and used in other modules.
>>
>> _ParsedIPAddress is not for public use. The fact that an object of this
>> class is returned by parse_ip_address doesn't really matter - this is
>> Python, not C++ or Java.
>
> Hm, snappy... And I was wondering why my /usr/bin/java doesn't want to
> run FreeIPA, now I know - it's because it's Python.
>
> Martin
>

Patch updated. Requires patch 18.1

Honza

-- 
Jan Cholasta

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-19.1-strict-ip-address-check.patch
Type: text/x-patch
Size: 1612 bytes
Desc: not available
URL:

From JR.Aquino at citrix.com Fri May 20 21:28:51 2011
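The checks discussed across patches 18 and 19 (parse an installer address that may carry a netmask, give a distinct error for an invalid address, a loopback address and an address not configured locally, and derive the reverse zone from the network part), as an added example. This is not FreeIPA's CheckedIPAddress or verify_ip_address code: it uses the standard-library ipaddress module instead of netaddr, takes the host's own addresses as an argument rather than reading "/sbin/ip address", and the default prefix length for an address given without a netmask and the label-boundary rounding of the reverse zone are assumptions of this example, not taken from the patches.

```python
"""Added example (not FreeIPA code): validating an installer IP address
that may carry a netmask, one message per failure mode, plus the reverse
DNS zone for its network.
"""
import ipaddress
from typing import Iterable, Optional, Tuple, Union

Interface = Union[ipaddress.IPv4Interface, ipaddress.IPv6Interface]

# Assumed defaults for an address given without a netmask.
DEFAULT_PREFIXLEN = {4: 24, 6: 64}


def parse_ip_address(text: str) -> Interface:
    """Parse "10.16.78.102" or "10.16.78.102/22".  A bare address gets the
    assumed default prefix length for its family.  Raises ValueError for
    anything that is not an IP address (for example "foo")."""
    if "/" in text:
        return ipaddress.ip_interface(text)
    addr = ipaddress.ip_address(text)
    return ipaddress.ip_interface(f"{addr}/{DEFAULT_PREFIXLEN[addr.version]}")


def verify_ip_address(text: str,
                      local_addresses: Optional[Iterable[str]] = None
                      ) -> Tuple[bool, Optional[Interface], str]:
    """Return (ok, parsed interface or None, message).

    Each rejection carries its own message so an installer can say what
    is actually wrong instead of a generic hostname/address mismatch.
    local_addresses, when given, is the list of addresses configured on
    this host (the caller collects it; constructed in the demo)."""
    try:
        iface = parse_ip_address(text)
    except ValueError:
        return False, None, f"{text!r} is not a valid IP address"
    ip = iface.ip
    if ip.is_loopback:
        return False, None, f"{ip} is a loopback address"
    if ip.is_unspecified or ip.is_multicast or ip.is_link_local:
        return False, None, f"{ip} is not a usable host address"
    if local_addresses is not None:
        local = {ipaddress.ip_interface(a).ip for a in local_addresses}
        if ip not in local:
            return False, None, f"{ip} is not configured on any local interface"
    return True, iface, f"{ip} ok (network {iface.network})"


def reverse_zone(text: str) -> str:
    """Reverse zone covering the address's network, with the prefix rounded
    down to a whole label (octet for IPv4, nibble for IPv6).  Assumed
    convention: a /22 is served from the enclosing /16 zone."""
    net = parse_ip_address(text).network
    if net.version == 4:
        octets = max(1, net.prefixlen // 8)
        labels = str(net.network_address).split(".")[:octets]
        return ".".join(reversed(labels)) + ".in-addr.arpa."
    nibbles = max(1, net.prefixlen // 4)
    digits = net.network_address.exploded.replace(":", "")[:nibbles]
    return ".".join(reversed(digits)) + ".ip6.arpa."


if __name__ == "__main__":
    # Constructed local address list standing in for "/sbin/ip address".
    local = ["10.16.78.102/22", "127.0.0.1/8"]
    for candidate in ("foo", "127.0.0.1", "123.123.123.123", "10.16.78.102/22"):
        ok, iface, msg = verify_ip_address(candidate, local)
        print(f"{candidate:>18}: {msg}" + (f"; reverse zone {reverse_zone(candidate)}" if ok else ""))
```

The three inputs from item 2 of the review (foo, 127.0.0.1, 123.123.123.123) each produce a different message here, and the netmask form from item 6 parses to the 10.16.76.0/22 network, which is the information a reverse-zone helper needs and a bare address cannot supply.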
From: JR.Aquino at citrix.com (JR Aquino)
Date: Fri, 20 May 2011 21:28:51 +0000
Subject: [Freeipa-devel] [PATCH] 28 Move Managed Entries into their own container
In-Reply-To: <4DD51848.6030201@redhat.com>
References: <5B8EA673-11F9-43FB-A2BC-8D7FD59598C5@citrixonline.com> <0D613602-E082-4CBB-9A39-AC33B4DE20F9@citrixonline.com> <4DD43FB3.6030908@redhat.com> <62F9181C-B4A8-464C-807B-0880FA203E47@citrixonline.com> <4DD51848.6030201@redhat.com>
Message-ID: <9723636C-66F5-4C16-9CD0-E9FB4331555D@citrixonline.com>

On May 19, 2011, at 6:16 AM, Rob Crittenden wrote:
> JR Aquino wrote:
>> On May 18, 2011, at 2:52 PM, Rob Crittenden wrote:
>>
>>> JR Aquino wrote:
>>>> On May 18, 2011, at 12:46 PM, JR Aquino wrote:
>>>>
>>>>> This affects Ticket 1222 and Rob's patch 786
>>>>
>>>> Per IRC Conversation with Simo and Rob, take the path of least change.
>>>>
>>>> The patch has been modified to correct the CN to match the DN rather than changing both.
>>>
>>> This looks good. I'm going to wait to push it at the same time as 786.
>>
>> Simo mentioned that I need to create the .update in the patch so that we remove the previous typo laden entry during updates.
>
> I added that to my patch.
>
> rob

NACK both 28 and 786.

Please see attached, and have a look at this new patch and ticket 1182 for a better understanding of the impact they have on these patches.

Move Managed Entries into their own container in the
replicated space. Create: cn=Managed Entries,cn=etc,$SUFFIX
Create: cn=Definitions,cn=Managed Entries,cn=etc,$SUFFIX
Create: cn=Templates,cn=Managed Entries,cn=etc,$SUFFIX

Create method for migrating any and all custom Managed Entries from
the cn=config space into the new container.

The Managed Entries plugin configurations weren't being created on
replica installs.

This patch addresses two separate tickets and accounts for
new installs, replica installs, and upgrades.
https://fedorahosted.org/freeipa/ticket/1181 - Managed Entry Tool / New Container
https://fedorahosted.org/freeipa/ticket/1222 - Add Managed Entries during Replica installation
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jraquino-0028-Move-Managed-Entries-into-their-own-container.patch
Type: application/octet-stream
Size: 14576 bytes
Desc: freeipa-jraquino-0028-Move-Managed-Entries-into-their-own-container.patch
URL: 

From mkosek at redhat.com Sun May 22 13:57:43 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Sun, 22 May 2011 15:57:43 +0200
Subject: [Freeipa-devel] [PATCH] 067 A new flag to disable creation of UPG
In-Reply-To: <4DD68188.20706@redhat.com>
References: <1305543942.30122.4.camel@dhcp-25-52.brq.redhat.com> <4DD1D983.4080102@redhat.com> <1305619158.22796.3.camel@dhcp-25-52.brq.redhat.com> <4DD680DE.3070709@redhat.com> <4DD68188.20706@redhat.com>
Message-ID: <1306072666.2395.4.camel@dhcp-25-52.brq.redhat.com>

On Fri, 2011-05-20 at 10:58 -0400, Rob Crittenden wrote:
> Rob Crittenden wrote:
> > Martin Kosek wrote:
> >> On Mon, 2011-05-16 at 22:12 -0400, Rob Crittenden wrote:
> >>> Martin Kosek wrote:
> >>>> This patch is based on Pavel's old patch.
> >>>>
> >>>> I am considering applying the patch for master branch only as it
> >>>> changes
> >>>> an API (adds a new flag) and is a sort of new-functionality-ish.
> >>>>
> >>>> --
> >>>> Automatic creation of User Private Groups (UPG) may not be
> >>>> wanted at all times. This patch adds a new flag --noprivate to
> >>>> ipa user-add command to disable it.
> >>>>
> >>>> https://fedorahosted.org/freeipa/ticket/1131
> >>>
> >>> Nack, setattr and addattr are removed from API.txt. I'm guessing it's a
> >>> side-effect of some change here.
> >>>
> >>> The approach generally looks good.
> >>>
> >>> rob
> >>
> >> You are right, this was a side-effect in user.py. I fixed the problem,
> >> updated patch is attached.
> >>
> >> Martin
> >
> > This looks good, just a couple of requests:
> >
> > 1. Bump the minor API version since we are adding a new flag
> > 2. Add a self-test for not creating a private group
> >
> > rob
>
> Oh, and looking back at the user I create it still has the UPG magic in
> the description attribute.
>
> rob

Thanks for the careful review, I missed this bug in the original patch. UPG
magic has been removed from the description and a test checking all this
has been added.

Martin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-067-3-a-new-flag-to-disable-creation-of-upg.patch
Type: text/x-patch
Size: 11109 bytes
Desc: not available
URL: 

From jhrozek at redhat.com Sun May 22 16:28:51 2011
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Sun, 22 May 2011 18:28:51 +0200
Subject: [Freeipa-devel] [PATCH] 18 Parse netmasks in IP addresses passed to server install
In-Reply-To: <4DD6B2A5.3010507@redhat.com>
References: <4DC97E8B.8050904@redhat.com> <4DD6B2A5.3010507@redhat.com>
Message-ID: <4DD939C3.5080106@redhat.com>

On 05/20/2011 08:27 PM, Jan Cholasta wrote:
> TODO: Clean unreachable code paths off of ipa-server-install (?)

In general I agree even though I don't know exactly what code you have
in mind -- if the code is dead there's no reason to keep it.

> TODO: Workarounds for netaddr bugs (?)

Are these bugs reported upstream? I know you mentioned some in an
earlier e-mail, just wondering if they are the same.

Long term, it might be better to fix them in netaddr rather than working
around them.

Jakub

From jcholast at redhat.com Mon May 23 06:00:06 2011
From: jcholast at redhat.com (Jan Cholasta)
Date: Mon, 23 May 2011 08:00:06 +0200
Subject: [Freeipa-devel] [PATCH] 18 Parse netmasks in IP addresses passed to server install
In-Reply-To: <4DD939C3.5080106@redhat.com>
References: <4DC97E8B.8050904@redhat.com> <4DD6B2A5.3010507@redhat.com> <4DD939C3.5080106@redhat.com>
Message-ID: <4DD9F7E6.7070607@redhat.com>

On 22.5.2011 18:28, Jakub Hrozek wrote:
> On 05/20/2011 08:27 PM, Jan Cholasta wrote:
>> TODO: Clean unreachable code paths off of ipa-server-install (?)
>
> In general I agree even though I don't know exactly what code you have
> in mind -- if the code is dead there's no reason to keep it.

I've noticed that e.g. if the hostname can't be resolved, verify_fqdn
raises an exception, so some of the checks below the
"ip = resolve_host(host_name)" line in ipa-server-install are unnecessary,
but I'm not yet sure if I'm not missing something.

>
>> TODO: Workarounds for netaddr bugs (?)
>
> Are these bugs reported upstream? I know you mentioned some in an
> earlier e-mail, just wondering if they are the same.
>
> Long term, it might be better to fix them in netaddr rather than working
> around them.

Yes, they're the same and are already fixed (according to the netaddr bug
tracker), but there's no release with the fixes yet (or it's not in
Fedora). There are not any big issues that I'm aware of, it's just that if
you specify an incorrect netmask with an IPv4 address, the error message
isn't very helpful to the user:

    netaddr.IPNetwork('192.168.1.1/33')
    ...
    UnboundLocalError: local variable 'ip' referenced before assignment

>
> Jakub
>

Honza

-- 
Jan Cholasta

From mkosek at redhat.com Mon May 23 13:39:14 2011
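The validation the two threads above ask for (a distinct error for a malformed address or netmask, a loopback address, and an address that is not configured on the host, with the netmask from "ip address" output accepted) can be written against the standard library's ipaddress module rather than netaddr. This is an added example, not FreeIPA's parse_ip_address or verify_ip_address; the LOCAL_INTERFACES list is a constructed stand-in for the host's real interface list, and the netmask-mismatch check goes a step beyond what the thread describes.

```python
"""Validate an IP address (optionally with /prefix) for an installer."""
import ipaddress

# Constructed sample of the addresses configured on the local host, in the
# form `/sbin/ip address` reports them (assumption: real code would parse
# that output or query the interfaces instead of using a fixed list).
LOCAL_INTERFACES = ("192.168.1.10/24", "10.16.78.102/22", "127.0.0.1/8", "::1/128")


class IPAddressError(ValueError):
    """Validation failure carrying a short machine-readable kind."""

    def __init__(self, kind, message):
        super().__init__(message)
        self.kind = kind


def parse_ip_address(addr, allow_loopback=False, match_local=True,
                     local_ifaces=LOCAL_INTERFACES):
    """Parse ``addr`` ("1.2.3.4" or "1.2.3.4/24") and validate it.

    Returns an ipaddress.IPv4Interface or IPv6Interface.  Raises
    IPAddressError with kind "invalid", "loopback", "unusable", "not-local"
    or "netmask" so the caller can print a message specific to the problem.
    """
    try:
        iface = ipaddress.ip_interface(addr)
    except ValueError as exc:
        # Covers garbage such as "foo" and an impossible prefix such as
        # 192.168.1.1/33; ipaddress reports both with a readable message.
        raise IPAddressError("invalid",
                             "invalid IP address or netmask %r: %s" % (addr, exc))

    ip = iface.ip
    if ip.is_loopback and not allow_loopback:
        raise IPAddressError("loopback", "%s is a loopback address" % ip)
    if ip.is_multicast or ip.is_unspecified or ip.is_reserved:
        raise IPAddressError("unusable", "%s is not a usable host address" % ip)

    if match_local:
        local = [ipaddress.ip_interface(a) for a in local_ifaces]
        matches = [entry for entry in local if entry.ip == ip]
        if not matches:
            raise IPAddressError("not-local", "%s is not configured on this host" % ip)
        configured = matches[0]
        if "/" in addr:
            # A prefix was given: it must agree with the configured one, or the
            # generated DNS/BIND configuration would describe the wrong network.
            if iface.network.prefixlen != configured.network.prefixlen:
                raise IPAddressError(
                    "netmask", "%s: netmask /%d does not match configured /%d"
                    % (ip, iface.network.prefixlen, configured.network.prefixlen))
        else:
            # No prefix given: borrow the configured one instead of the /32
            # (or /128) that ip_interface assumes for a bare address.
            iface = configured
    return iface


def check_ip_address(addr, **kwargs):
    """Non-raising wrapper: returns ("ok", iface) or (kind, message)."""
    try:
        return "ok", parse_ip_address(addr, **kwargs)
    except IPAddressError as exc:
        return exc.kind, str(exc)
```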
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 23 May 2011 15:39:14 +0200
Subject: [Freeipa-devel] [PATCH] 068 Connection check program for replica installation
Message-ID: <1306157956.2514.9.camel@dhcp-25-52.brq.redhat.com>

This is a first version of a connection checking program for replica
installation. See patch for program purpose description. Currently,
there are no man pages for the program.

Note to Simo and Rob: I use a password for logging in as admin. Btw would it
be safe to have an admin keytab in the replica file? Replica file
contents are lying freely in /tmp after the replica installation.

Martin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-068-connection-check-program-for-replica-installation.patch
Type: text/x-patch
Size: 22283 bytes
Desc: not available
URL: 

From ayoung at redhat.com Mon May 23 14:42:35 2011
From: ayoung at redhat.com (Adam Young)
Date: Mon, 23 May 2011 10:42:35 -0400
Subject: [Freeipa-devel] [PATCH] 0228-create-entities-on-demand
Message-ID: <4DDA725B.5020603@redhat.com>

Patch 227 is the automount patch that I still am not ready to submit.
This patch stands alone.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0228-create-entities-on-demand.patch
Type: text/x-patch
Size: 2224 bytes
Desc: not available
URL: 

From edewata at redhat.com Mon May 23 16:06:15 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 23 May 2011 11:06:15 -0500
Subject: [Freeipa-devel] [PATCH] 0228-create-entities-on-demand
In-Reply-To: <4DDA725B.5020603@redhat.com>
References: <4DDA725B.5020603@redhat.com>
Message-ID: <4DDA85F7.7050307@redhat.com>

On 5/23/2011 9:42 AM, Adam Young wrote:
> Patch 227 is the automount patch that I still am not ready to submit.
> This patch stands alone.

A few issues in IPA.get_entity():

1. It executes that.entities.get() twice. The result of the first
   invocation can be stored in a variable and reused later. The result
   of the factory() invocation can be assigned to the same variable.

2. It executes factory = that.entity_factories[name] twice. The second
   one can be removed.

Other than that it's ACKed and can be pushed after fixing the above issues.

-- 
Endi S. Dewata

From ayoung at redhat.com Mon May 23 16:38:22 2011
From: ayoung at redhat.com (Adam Young)
Date: Mon, 23 May 2011 12:38:22 -0400
Subject: [Freeipa-devel] [PATCH] 0228-create-entities-on-demand
In-Reply-To: <4DDA85F7.7050307@redhat.com>
References: <4DDA725B.5020603@redhat.com> <4DDA85F7.7050307@redhat.com>
Message-ID: <4DDA8D7E.9030204@redhat.com>

On 05/23/2011 12:06 PM, Endi Sukma Dewata wrote:
> On 5/23/2011 9:42 AM, Adam Young wrote:
>> Patch 227 is the automount patch that I still am not ready to submit.
>> This patch stands alone.
>
> A few issues in IPA.get_entity():
>
> 1. It executes that.entities.get() twice. The result of the first
> invocation can be stored in a variable and reused later. The result
> of the factory() invocation can be assigned to the same variable.
>
> 2. It executes factory = that.entity_factories[name] twice. The second
> one can be removed.
>
> Other than that it's ACKed and can be pushed after fixing the above
> issues.
>

Now with fixed unit tests
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0228-1-create-entities-on-demand.patch
Type: text/x-patch
Size: 3636 bytes
Desc: not available
URL: 

From ayoung at redhat.com Mon May 23 17:13:20 2011
From: ayoung at redhat.com (Adam Young)
Date: Mon, 23 May 2011 13:13:20 -0400
Subject: [Freeipa-devel] [PATCH] 0228-create-entities-on-demand
In-Reply-To: <4DDA8D7E.9030204@redhat.com>
References: <4DDA725B.5020603@redhat.com> <4DDA85F7.7050307@redhat.com> <4DDA8D7E.9030204@redhat.com>
Message-ID: <4DDA95B0.6000603@redhat.com>

On 05/23/2011 12:38 PM, Adam Young wrote:
> On 05/23/2011 12:06 PM, Endi Sukma Dewata wrote:
>> On 5/23/2011 9:42 AM, Adam Young wrote:
>>> Patch 227 is the automount patch that I still am not ready to submit.
>>> This patch stands alone.
>>
>> A few issues in IPA.get_entity():
>>
>> 1. It executes that.entities.get() twice. The result of the first
>> invocation can be stored in a variable and reused later. The result
>> of the factory() invocation can be assigned to the same variable.
>>
>> 2. It executes factory = that.entity_factories[name] twice. The second
>> one can be removed.
>>
>> Other than that it's ACKed and can be pushed after fixing the above
>> issues.
>>
> Now with fixed unit tests
>
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

Better navigation test
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0228-2-create-entities-on-demand.patch
Type: text/x-patch
Size: 4255 bytes
Desc: not available
URL: 

From ayoung at redhat.com Mon May 23 17:31:49 2011
From: ayoung at redhat.com (Adam Young)
Date: Mon, 23 May 2011 13:31:49 -0400
Subject: [Freeipa-devel] [PATCH] 0228-create-entities-on-demand
In-Reply-To: <4DDA95B0.6000603@redhat.com>
References: <4DDA725B.5020603@redhat.com> <4DDA85F7.7050307@redhat.com> <4DDA8D7E.9030204@redhat.com> <4DDA95B0.6000603@redhat.com>
Message-ID: <4DDA9A05.4050605@redhat.com>

On 05/23/2011 01:13 PM, Adam Young wrote:
> On 05/23/2011 12:38 PM, Adam Young wrote:
>> On 05/23/2011 12:06 PM, Endi Sukma Dewata wrote:
>>> On 5/23/2011 9:42 AM, Adam Young wrote:
>>>> Patch 227 is the automount patch that I still am not ready to submit.
>>>> This patch stands alone.
>>>
>>> A few issues in IPA.get_entity():
>>>
>>> 1. It executes that.entities.get() twice. The result of the first
>>> invocation can be stored in a variable and reused later. The result
>>> of the factory() invocation can be assigned to the same variable.
>>>
>>> 2. It executes factory = that.entity_factories[name] twice. The second
>>> one can be removed.
>>>
>>> Other than that it's ACKed and can be pushed after fixing the above
>>> issues.
>>>
>> Now with fixed unit tests
>>
> Better navigation test
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0228-3-create-entities-on-demand.patch
Type: text/x-patch
Size: 4865 bytes
Desc: not available
URL: 

From ayoung at redhat.com Mon May 23 17:51:16 2011
From: ayoung at redhat.com (Adam Young)
Date: Mon, 23 May 2011 13:51:16 -0400
Subject: [Freeipa-devel] [PATCH] 0228-create-entities-on-demand
In-Reply-To: <4DDA9A05.4050605@redhat.com>
References: <4DDA725B.5020603@redhat.com> <4DDA85F7.7050307@redhat.com> <4DDA8D7E.9030204@redhat.com> <4DDA95B0.6000603@redhat.com> <4DDA9A05.4050605@redhat.com>
Message-ID: <4DDA9E94.1060202@redhat.com>

On 05/23/2011 01:31 PM, Adam Young wrote:
> On 05/23/2011 01:13 PM, Adam Young wrote:
>> On 05/23/2011 12:38 PM, Adam Young wrote:
>>> On 05/23/2011 12:06 PM, Endi Sukma Dewata wrote:
>>>> On 5/23/2011 9:42 AM, Adam Young wrote:
>>>>> Patch 227 is the automount patch that I still am not ready to submit.
>>>>> This patch stands alone.
>>>>
>>>> A few issues in IPA.get_entity():
>>>>
>>>> 1. It executes that.entities.get() twice. The result of the first
>>>> invocation can be stored in a variable and reused later. The result
>>>> of the factory() invocation can be assigned to the same variable.
>>>>
>>>> 2. It executes factory = that.entity_factories[name] twice. The second
>>>> one can be removed.
>>>>
>>>> Other than that it's ACKed and can be pushed after fixing the above
>>>> issues.
>>>>
>>> Now with fixed unit tests
>>>
>> Better navigation test
>>
>

ACKed in IRC by edewata and pushed to master

From rcritten at redhat.com Mon May 23 18:38:31 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 23 May 2011 14:38:31 -0400
Subject: [Freeipa-devel] [PATCH] 788 remove automountinformation from automount dns
Message-ID: <4DDAA9A7.6050302@redhat.com>

In an attempt to support multiple direct maps we always included the
automountinformation in the key dn. This makes showing keys impossible, a
bit of a catch-22. You want to get the mount info but to get it you need
the mount info.

This patch drops requiring automountinfo but if provided it'll use it to
make the dn. This way we can have backwards compatibility for any existing
maps but going forward only direct maps will have the info in it.

--key is still required when dealing with keys, no way around that without
doing a major API change, migrating data, etc.

ticket 1229

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-788-automount.patch
Type: application/mbox
Size: 11576 bytes
Desc: not available
URL: 

From rcritten at redhat.com Mon May 23 19:09:44 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 23 May 2011 15:09:44 -0400
Subject: [Freeipa-devel] [PATCH] 787 Don't load LDAP schema at startup
In-Reply-To: <4DD573CC.6080107@redhat.com>
References: <4DD573CC.6080107@redhat.com>
Message-ID: <4DDAB0F8.2090205@redhat.com>

Rob Crittenden wrote:
> Do a lazy retrieval of the LDAP schema rather than at module load.
>
> Attempt to retrieve the schema the first time it is needed rather than
> when Apache is started. A global copy is cached for future requests for
> performance reasons.
>
> The schema will be retrieved once per Apache child process.
>
> ticket 583
>
> This replaces Jan's patch titled "Don't load the LDAP schema during
> startup"
>
> rob

Updated patch. This removes a debugging statement I left in and forces a
schema load in a couple of other places in baseldap.

This relies on patch 784 to apply.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-787-2-schema.patch
Type: application/mbox
Size: 5196 bytes
Desc: not available
URL: 

From edewata at redhat.com Mon May 23 19:52:17 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 23 May 2011 14:52:17 -0500
Subject: [Freeipa-devel] [PATCH] 162 Fixed details tests.
Message-ID: <4DDABAF1.7080703@redhat.com>

Pushed under one-liner rule.

-- 
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0162-Fixed-details-tests.patch
Type: text/x-patch
Size: 834 bytes
Desc: not available
URL: 

From rcritten at redhat.com Mon May 23 20:41:02 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 23 May 2011 16:41:02 -0400
Subject: [Freeipa-devel] [PATCH] 068 Connection check program for replica installation
In-Reply-To: <1306157956.2514.9.camel@dhcp-25-52.brq.redhat.com>
References: <1306157956.2514.9.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4DDAC65E.7080300@redhat.com>

Martin Kosek wrote:
> This is a first version of a connection checking program for replica
> installation. See patch for program purpose description. Currently,
> there are no man pages for the program.
>
> Note to Simo and Rob: I use a password for logging in as admin. Btw would it
> be safe to have an admin keytab in the replica file? Replica file
> contents are lying freely in /tmp after the replica installation.
>
> Martin

nack, you aren't including the new binary in the spec.

You should also:

- set KRB5CCNAME to a temporary ccache and remove that when the install
exits (successful or not)
- remove the temporary krb5.conf you create
- be a bit more explicit what we are doing, at least more than "Run
connection check to master".
- yes, we should remove the replica file contents

rob

From edewata at redhat.com Mon May 23 21:32:12 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 23 May 2011 16:32:12 -0500
Subject: [Freeipa-devel] [PATCH] 163 Fixed adder dialog title.
Message-ID: <4DDAD25C.4060709@redhat.com>

The IPA.entity_builder has been fixed to use the correct title for the
entity's adder dialog.

Ticket #1239

-- 
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0163-Fixed-adder-dialog-title.patch
Type: text/x-patch
Size: 11577 bytes
Desc: not available
URL: 

From rcritten at redhat.com Mon May 23 21:32:32 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 23 May 2011 17:32:32 -0400
Subject: [Freeipa-devel] [PATCH] 067 A new flag to disable creation of UPG
In-Reply-To: <1306072666.2395.4.camel@dhcp-25-52.brq.redhat.com>
References: <1305543942.30122.4.camel@dhcp-25-52.brq.redhat.com> <4DD1D983.4080102@redhat.com> <1305619158.22796.3.camel@dhcp-25-52.brq.redhat.com> <4DD680DE.3070709@redhat.com> <4DD68188.20706@redhat.com> <1306072666.2395.4.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4DDAD270.1060703@redhat.com>

Martin Kosek wrote:
> On Fri, 2011-05-20 at 10:58 -0400, Rob Crittenden wrote:
>> Rob Crittenden wrote:
>>> Martin Kosek wrote:
>>>> On Mon, 2011-05-16 at 22:12 -0400, Rob Crittenden wrote:
>>>>> Martin Kosek wrote:
>>>>>> This patch is based on Pavel's old patch.
>>>>>>
>>>>>> I am considering applying the patch for master branch only as it
>>>>>> changes
>>>>>> an API (adds a new flag) and is a sort of new-functionality-ish.
>>>>>>
>>>>>> --
>>>>>> Automatic creation of User Private Groups (UPG) may not be
>>>>>> wanted at all times. This patch adds a new flag --noprivate to
>>>>>> ipa user-add command to disable it.
>>>>>>
>>>>>> https://fedorahosted.org/freeipa/ticket/1131
>>>>>
>>>>> Nack, setattr and addattr are removed from API.txt. I'm guessing it's a
>>>>> side-effect of some change here.
>>>>>
>>>>> The approach generally looks good.
>>>>>
>>>>> rob
>>>>
>>>> You are right, this was a side-effect in user.py. I fixed the problem,
>>>> updated patch is attached.
>>>>
>>>> Martin
>>>
>>> This looks good, just a couple of requests:
>>>
>>> 1. Bump the minor API version since we are adding a new flag
>>> 2. Add a self-test for not creating a private group
>>>
>>> rob
>>
>> Oh, and looking back at the user I create it still has the UPG magic in
>> the description attribute.
>>
>> rob
>
> Thanks for the careful review, I missed this bug in the original patch.
> UPG
> magic has been removed from the description and a test checking all this
> has been added.
>
> Martin

I'm getting this on output, not sure if it is a bug in my tree or not:

# ipa user-add --first=tim --last=user tuser3 --all --noprivate
-------------------
Added user "tuser3"
-------------------
  dn: uid=tuser3,cn=users,cn=accounts,dc=greyoak,dc=com
  User login: tuser3
  First name: tim
  Last name: user
  Full name: tim user
  Display name: tim user
  Initials: tu
  Home directory: /home/tuser3
  GECOS field: tim user
  Login shell: /bin/sh
  Kerberos principal: tuser3@GREYOAK.COM
  UID: 204000006
  GID: 204000001
ipa: ERROR: IndexError: tuple index out of range
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipalib/cli.py", line 1103, in run
    sys.exit(api.Backend.cli.run(argv))
  File "/usr/lib/python2.7/site-packages/ipalib/cli.py", line 930, in run
    rv = cmd.output_for_cli(self.api.Backend.textui, result, *args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 956, in output_for_cli
    textui.print_entry(result, order, labels, flags, print_all)
  File "/usr/lib/python2.7/site-packages/ipalib/cli.py", line 388, in print_entry
    if type(entry[key]) in (tuple, list) and isinstance(entry[key][0], dict):
IndexError: tuple index out of range
ipa: ERROR: an internal error has occurred

Otherwise things look ok.

rob

From edewata at redhat.com Mon May 23 21:41:07 2011
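The traceback above fails on an attribute whose value is an empty tuple: the check on cli.py line 388 reads entry[key][0] before knowing the sequence has an element. The following is an added example, a reduced stand-in for textui.print_entry rather than FreeIPA's own code, that reproduces the failing test beside a hardened one; the sample entry is constructed and the guess that the empty attribute is the membership list (no private group exists with --noprivate) is an assumption.

```python
"""Safe rendering of multi-valued attributes in CLI entry output."""


def original_check(value):
    """The test quoted in the traceback: value[0] is read before the
    sequence is known to be non-empty, so an empty tuple raises IndexError."""
    return type(value) in (tuple, list) and isinstance(value[0], dict)


def original_check_raises(value):
    """True if original_check blows up on ``value`` (the bug in the trace)."""
    try:
        original_check(value)
    except IndexError:
        return True
    return False


def is_nested_entries(value):
    """Hardened form: a non-empty list/tuple whose first item is a dict."""
    return (isinstance(value, (tuple, list)) and len(value) > 0
            and isinstance(value[0], dict))


def format_entry(entry, order, labels, indent=1):
    """Return the lines the CLI would print for ``entry``.

    Keys are printed in ``order``; a key whose value is an empty tuple or
    list is skipped instead of crashing; nested entries recurse one level
    deeper with extra indentation.
    """
    pad = "  " * indent
    lines = []
    for key in order:
        if key not in entry:
            continue
        value = entry[key]
        label = labels.get(key, key)
        if is_nested_entries(value):
            lines.append("%s%s:" % (pad, label))
            for sub in value:
                lines.extend(format_entry(sub, order, labels, indent + 1))
        elif isinstance(value, (tuple, list)):
            if not value:
                continue  # empty multi-valued attribute: nothing to show
            lines.append("%s%s: %s" % (pad, label, ", ".join(str(v) for v in value)))
        else:
            lines.append("%s%s: %s" % (pad, label, value))
    return lines


# Constructed result resembling the user-add output in the message above;
# the suffix is a placeholder and memberof_group is assumed to be the
# attribute that came back empty.
SAMPLE_ENTRY = {
    "dn": "uid=tuser3,cn=users,cn=accounts,dc=example,dc=test",
    "uid": ("tuser3",),
    "givenname": ("tim",),
    "sn": ("user",),
    "uidnumber": ("204000006",),
    "gidnumber": ("204000001",),
    "memberof_group": (),
}
SAMPLE_ORDER = ["dn", "uid", "givenname", "sn", "uidnumber", "gidnumber",
                "memberof_group"]
SAMPLE_LABELS = {"uid": "User login", "givenname": "First name",
                 "sn": "Last name", "uidnumber": "UID", "gidnumber": "GID",
                 "memberof_group": "Member of groups"}


def render_sample():
    """Format the constructed entry with the hardened check."""
    return format_entry(SAMPLE_ENTRY, SAMPLE_ORDER, SAMPLE_LABELS)
```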
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 23 May 2011 16:41:07 -0500
Subject: [Freeipa-devel] [PATCH] 164 Fixed Add and Edit without primary key.
Message-ID: <4DDAD473.7040308@redhat.com>

The IPA.add_dialog has been modified such that if the user clicks the
Add and Edit button it will read the primary key returned by the add
operation and use it to open the details page.

Ticket #1108

-- 
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0164-Fixed-Add-and-Edit-without-primary-key.patch
Type: text/x-patch
Size: 2205 bytes
Desc: not available
URL: 

From rcritten at redhat.com Mon May 23 21:42:21 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 23 May 2011 17:42:21 -0400
Subject: [Freeipa-devel] [PATCH] 28 Move Managed Entries into their own container
In-Reply-To: <9723636C-66F5-4C16-9CD0-E9FB4331555D@citrixonline.com>
References: <5B8EA673-11F9-43FB-A2BC-8D7FD59598C5@citrixonline.com> <0D613602-E082-4CBB-9A39-AC33B4DE20F9@citrixonline.com> <4DD43FB3.6030908@redhat.com> <62F9181C-B4A8-464C-807B-0880FA203E47@citrixonline.com> <4DD51848.6030201@redhat.com> <9723636C-66F5-4C16-9CD0-E9FB4331555D@citrixonline.com>
Message-ID: <4DDAD4BD.2070208@redhat.com>

JR Aquino wrote:
> On May 19, 2011, at 6:16 AM, Rob Crittenden wrote:
>
>> JR Aquino wrote:
>>> On May 18, 2011, at 2:52 PM, Rob Crittenden wrote:
>>>
>>>> JR Aquino wrote:
>>>>> On May 18, 2011, at 12:46 PM, JR Aquino wrote:
>>>>>
>>>>>> This affects Ticket 1222 and Rob's patch 786
>>>>>
>>>>> Per IRC Conversation with Simo and Rob, take the path of least change.
>>>>>
>>>>> The patch has been modified to correct the CN to match the DN rather than changing both.
>>>>
>>>> This looks good. I'm going to wait to push it at the same time as 786.
>>>
>>> Simo mentioned that I need to create the .update in the patch so that we remove the previous typo laden entry during updates.
>>
>> I added that to my patch.
>>
>> rob
>
> NACK both 28 and 786.
>
> Please see attached, and have a look at this new patch and ticket 1182 for a better understanding of the impact they have on these patches.
>
> Move Managed Entries into their own container in the
> replicated space. Create: cn=Managed Entries,cn=etc,$SUFFIX
> Create: cn=Definitions,cn=Managed Entries,cn=etc,$SUFFIX
> Create: cn=Templates,cn=Managed Entries,cn=etc,$SUFFIX
>
> Create method for migrating any and all custom Managed Entries from
> the cn=config space into the new container.
>
> The Managed Entries plugin configurations weren't being created on
> replica installs.
>
> This patch addresses two separate tickets and accounts for
> new installs, replica installs, and upgrades.
>
> https://fedorahosted.org/freeipa/ticket/1181 - Managed Entry Tool / New Container
> https://fedorahosted.org/freeipa/ticket/1222 - Add Managed Entries during Replica installation
>

Well, I like this in spirit but this requires a yet-unreleased version of
389-ds, right?

Should we take the intermediate step of your previous 28 patch and my 786
and then address moving entries once 389-ds is released?

rob

From JR.Aquino at citrix.com Mon May 23 22:19:03 2011
From: JR.Aquino at citrix.com (JR Aquino)
Date: Mon, 23 May 2011 22:19:03 +0000
Subject: [Freeipa-devel] [PATCH] 28 Move Managed Entries into their own container
In-Reply-To: <4DDAD4BD.2070208@redhat.com>
References: <5B8EA673-11F9-43FB-A2BC-8D7FD59598C5@citrixonline.com> <0D613602-E082-4CBB-9A39-AC33B4DE20F9@citrixonline.com> <4DD43FB3.6030908@redhat.com> <62F9181C-B4A8-464C-807B-0880FA203E47@citrixonline.com> <4DD51848.6030201@redhat.com> <9723636C-66F5-4C16-9CD0-E9FB4331555D@citrixonline.com> <4DDAD4BD.2070208@redhat.com>
Message-ID: <8E746E35-DCB9-48CF-9DB3-C40D30AEF888@citrix.com>

On May 23, 2011, at 2:42 PM, "Rob Crittenden" wrote:
> JR Aquino wrote:
>> On May 19, 2011, at 6:16 AM, Rob Crittenden wrote:
>>
>>> JR Aquino wrote:
>>>> On May 18, 2011, at 2:52 PM, Rob Crittenden wrote:
>>>>
>>>>> JR Aquino wrote:
>>>>>> On May 18, 2011, at 12:46 PM, JR Aquino wrote:
>>>>>>
>>>>>>> This affects Ticket 1222 and Rob's patch 786
>>>>>>
>>>>>> Per IRC Conversation with Simo and Rob, take the path of least change.
>>>>>>
>>>>>> The patch has been modified to correct the CN to match the DN rather than changing both.
>>>>>
>>>>> This looks good. I'm going to wait to push it at the same time as 786.
>>>>
>>>> Simo mentioned that I need to create the .update in the patch so that we remove the previous typo laden entry during updates.
>>>
>>> I added that to my patch.
>>>
>>> rob
>>
>> NACK both 28 and 786.
>>
>> Please see attached, and have a look at this new patch and ticket 1182 for a better understanding of the impact they have on these patches.
>>
>> Move Managed Entries into their own container in the
>> replicated space. Create: cn=Managed Entries,cn=etc,$SUFFIX
>> Create: cn=Definitions,cn=Managed Entries,cn=etc,$SUFFIX
>> Create: cn=Templates,cn=Managed Entries,cn=etc,$SUFFIX
>>
>> Create method for migrating any and all custom Managed Entries from
>> the cn=config space into the new container.
>>
>> The Managed Entries plugin configurations weren't being created on
>> replica installs.
>>
>> This patch addresses two separate tickets and accounts for
>> new installs, replica installs, and upgrades.
>>
>> https://fedorahosted.org/freeipa/ticket/1181 - Managed Entry Tool / New Container
>> https://fedorahosted.org/freeipa/ticket/1222 - Add Managed Entries during Replica installation
>>
>
> Well, I like this in spirit but this requires a yet-unreleased version of 389-ds, right?
>
> Should we take the intermediate step of your previous 28 patch and my 786 and then address moving entries once 389-ds is released?
>

Hrm. You have a good point... Should I plan on deleting the .update files for user private groups and nis/host groups in the separate patch that institutes the container move?

> rob

From rcritten at redhat.com Tue May 24 02:33:01 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 23 May 2011 22:33:01 -0400
Subject: [Freeipa-devel] [PATCH] 789 improve label when prompting for members
Message-ID: <4DDB18DD.7030000@redhat.com>

Include the word 'member' with autogenerated optional member labels.

There were reports of confusion over what was being prompted for,
hopefully adding member will make things clearer.

This has a big API.txt change but it is all labels so minor in nature,
just affecting the CLI.

ticket 1062

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-789-label.patch
Type: application/mbox
Size: 45683 bytes
Desc: not available
URL: 

From mkosek at redhat.com Tue May 24 08:14:44 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 24 May 2011 10:14:44 +0200
Subject: [Freeipa-devel] [PATCH] 068 Connection check program for replica installation
In-Reply-To: <4DDAC65E.7080300@redhat.com>
References: <1306157956.2514.9.camel@dhcp-25-52.brq.redhat.com> <4DDAC65E.7080300@redhat.com>
Message-ID: <1306224886.2514.24.camel@dhcp-25-52.brq.redhat.com>

On Mon, 2011-05-23 at 16:41 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > This is a first version of a connection checking program for replica
> > installation. See patch for program purpose description. Currently,
> > there are no man pages for the program.
> >
> > Note to Simo and Rob: I use a password for logging in as admin. Btw would it
> > be safe to have an admin keytab in the replica file? Replica file
> > contents are lying freely in /tmp after the replica installation.
> >
> > Martin
>
> nack, you aren't including the new binary in the spec.

Oh, thanks for this one.

>
> You should also:
>
> - set KRB5CCNAME to a temporary ccache and remove that when the install
> exits (successful or not)

Done.

> - remove the temporary krb5.conf you create

Done.

> - be a bit more explicit what we are doing, at least more than "Run
> connection check to master".

Actually, I am if you run the new script separately. I removed the "--quiet"
parameter passed to the script in ipa-replica-install so that it is more
verbose. Plus, I improved texts sent to the user.

> - yes, we should remove the replica file contents

I enhanced ipa-replica-install to do that.

Martin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-068-2-connection-check-program-for-replica-installation.patch
Type: text/x-patch
Size: 24325 bytes
Desc: not available
URL: 

From mkosek at redhat.com Tue May 24 08:42:42 2011
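The review points in this thread (a temporary ccache selected through KRB5CCNAME, a temporary krb5.conf, and removal of both whether the check succeeds or fails) come down to one cleanup guarantee. The following is an added example of that guarantee as a context manager; it is not the code from patch 068, the krb5.conf layout and all names are the example's own, and the same pattern covers the extracted replica file directory that ipa-replica-install is to remove.

```python
"""Temporary Kerberos environment for a replica connection check."""
import contextlib
import os
import shutil
import tempfile

# Minimal krb5.conf that points only at the master being checked
# (assumed layout; the real installer renders its own template).
KRB5_CONF_TEMPLATE = """[libdefaults]
  default_realm = {realm}
  dns_lookup_kdc = false

[realms]
  {realm} = {{
    kdc = {master}:88
    master_kdc = {master}:88
    admin_server = {master}:749
  }}
"""


def render_krb5_conf(realm, master):
    """Render the temporary krb5.conf for ``realm`` served by ``master``."""
    return KRB5_CONF_TEMPLATE.format(realm=realm, master=master)


@contextlib.contextmanager
def temporary_krb_env(realm, master):
    """Create a private directory holding krb5.conf and a ccache path,
    export KRB5_CONFIG and KRB5CCNAME to point at them, and on exit
    (normal or by exception) restore the environment and remove the
    directory, so no credentials or config are left behind in /tmp."""
    saved = {k: os.environ.get(k) for k in ("KRB5CCNAME", "KRB5_CONFIG")}
    workdir = tempfile.mkdtemp(prefix="ipa-conncheck-")  # created mode 0700
    try:
        conf = os.path.join(workdir, "krb5.conf")
        with open(conf, "w") as fh:
            fh.write(render_krb5_conf(realm, master))
        os.chmod(conf, 0o600)
        ccache = os.path.join(workdir, "ccache")
        os.environ["KRB5_CONFIG"] = conf
        os.environ["KRB5CCNAME"] = "FILE:" + ccache
        yield {"workdir": workdir, "krb5_conf": conf, "ccache": ccache}
    finally:
        for key, value in saved.items():
            if value is None:
                os.environ.pop(key, None)
            else:
                os.environ[key] = value
        shutil.rmtree(workdir, ignore_errors=True)


def run_check(realm, master, fail=False):
    """Simulate a connection check inside the temporary environment and
    report what was observed while it ran.  With fail=True the check
    raises, which must still leave no files behind."""
    observed = {}
    try:
        with temporary_krb_env(realm, master) as env:
            observed["workdir"] = env["workdir"]
            observed["conf_exists"] = os.path.isfile(env["krb5_conf"])
            observed["conf_mode"] = oct(os.stat(env["krb5_conf"]).st_mode & 0o777)
            observed["ccname"] = os.environ["KRB5CCNAME"]
            # Real code would run kinit and the port probes against
            # ``master`` here; this stands in a constructed marker file.
            with open(env["ccache"], "w") as fh:
                fh.write("constructed placeholder, not a real ccache\n")
            if fail:
                raise RuntimeError("connection check failed")
            observed["ok"] = True
    except RuntimeError:
        observed["ok"] = False
    observed["workdir_remains"] = os.path.exists(observed["workdir"])
    observed["ccname_after"] = os.environ.get("KRB5CCNAME")
    return observed
```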
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 24 May 2011 10:42:42 +0200
Subject: [Freeipa-devel] [PATCH] 067 A new flag to disable creation of UPG
In-Reply-To: <4DDAD270.1060703@redhat.com>
References: <1305543942.30122.4.camel@dhcp-25-52.brq.redhat.com> <4DD1D983.4080102@redhat.com> <1305619158.22796.3.camel@dhcp-25-52.brq.redhat.com> <4DD680DE.3070709@redhat.com> <4DD68188.20706@redhat.com> <1306072666.2395.4.camel@dhcp-25-52.brq.redhat.com> <4DDAD270.1060703@redhat.com>
Message-ID: <1306226564.2514.29.camel@dhcp-25-52.brq.redhat.com>

On Mon, 2011-05-23 at 17:32 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > On Fri, 2011-05-20 at 10:58 -0400, Rob Crittenden wrote:
> >> Rob Crittenden wrote:
> >>> Martin Kosek wrote:
> >>>> On Mon, 2011-05-16 at 22:12 -0400, Rob Crittenden wrote:
> >>>>> Martin Kosek wrote:
> >>>>>> This patch is based on Pavel's old patch.
> >>>>>>
> >>>>>> I am considering applying the patch for the master branch only as it changes an API (adds a new flag) and is a sort of new-functionality-ish.
> >>>>>>
> >>>>>> --
> >>>>>> Automatic creation of User Private Groups (UPG) may not be wanted at all times. This patch adds a new flag --noprivate to the ipa user-add command to disable it.
> >>>>>>
> >>>>>> https://fedorahosted.org/freeipa/ticket/1131
> >>>>>
> >>>>> Nack, setattr and addattr are removed from API.txt. I'm guessing it's a side-effect of some change here.
> >>>>>
> >>>>> The approach generally looks good.
> >>>>>
> >>>>> rob
> >>>>
> >>>> You are right, this was a side-effect in user.py. I fixed the problem, updated patch is attached.
> >>>>
> >>>> Martin
> >>>
> >>> This looks good, just a couple of requests:
> >>>
> >>> 1. Bump the minor API version since we are adding a new flag
> >>> 2. Add a self-test for not creating a private group
> >>>
> >>> rob
> >>
> >> Oh, and looking back at the user I create it still has the UPG magic in the description attribute.
> >>
> >> rob
> >
> > Thanks for the careful review, I missed this bug in the original patch. UPG magic has been removed from the description and a test checking all this has been added.
> >
> > Martin
>
> I'm getting this on output, not sure if it is a bug in my tree or not:
>
> # ipa user-add --first=tim --last=user tuser3 --all --noprivate
> -------------------
> Added user "tuser3"
> -------------------
> dn: uid=tuser3,cn=users,cn=accounts,dc=greyoak,dc=com
> User login: tuser3
> First name: tim
> Last name: user
> Full name: tim user
> Display name: tim user
> Initials: tu
> Home directory: /home/tuser3
> GECOS field: tim user
> Login shell: /bin/sh
> Kerberos principal: tuser3 at GREYOAK.COM
> UID: 204000006
> GID: 204000001
> ipa: ERROR: IndexError: tuple index out of range
> Traceback (most recent call last):
> File "/usr/lib/python2.7/site-packages/ipalib/cli.py", line 1103, in run
> sys.exit(api.Backend.cli.run(argv))
> File "/usr/lib/python2.7/site-packages/ipalib/cli.py", line 930, in run
> rv = cmd.output_for_cli(self.api.Backend.textui, result, *args, **options)
> File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 956, in output_for_cli
> textui.print_entry(result, order, labels, flags, print_all)
> File "/usr/lib/python2.7/site-packages/ipalib/cli.py", line 388, in print_entry
> if type(entry[key]) in (tuple, list) and isinstance(entry[key][0], dict):
> IndexError: tuple index out of range
> ipa: ERROR: an internal error has occurred
>
> Otherwise things look ok.
>
> rob

Hmm, that's strange. Doesn't happen for me:

$ ipa user-add --first=tim --last=user tuser3 --all --noprivate
-------------------
Added user "tuser3"
-------------------
dn: uid=tuser3,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
User login: tuser3
First name: tim
Last name: user
Full name: tim user
Display name: tim user
Initials: tu
Home directory: /home/tuser3
GECOS field: tim user
Login shell: /bin/sh
Kerberos principal: tuser3 at IDM.LAB.BOS.REDHAT.COM
UID: 557200036
GID: 557200001
ipauniqueid: 07b2864e-85e1-11e0-957d-00163e0605ff
krbpwdpolicyreference: cn=global_policy,cn=IDM.LAB.BOS.REDHAT.COM,cn=kerberos,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
objectclass: top, person, organizationalperson, inetorgperson, inetuser, posixaccount, krbprincipalaux, krbticketpolicyaux, ipaobject

Can you please try again with a clean tree and only my patch applied?

I have one more question. Bumping the minor API version makes the client incompatible and it fails to operate. Is this OK? I thought it would be incompatible only when a major version changes:

$ ipa user-add --first=tim --last=user tuser3 --all --noprivate
ipa: ERROR: 2.2 client incompatible with 2.1 server at u'https://vm-027.idm.lab.bos.redhat.com/ipa/xml'

Martin
From appatsekhar at gmail.com Tue May 24 09:11:31 2011
From: appatsekhar at gmail.com (sekhar appat)
Date: Tue, 24 May 2011 14:41:31 +0530
Subject: [Freeipa-devel] (no subject)
Message-ID: <-2270739110339948743@unknownmsgid>

Hi

Sent from my Phone.
From mkosek at redhat.com Tue May 24 12:43:36 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 24 May 2011 14:43:36 +0200
Subject: [Freeipa-devel] [PATCH] 19 Do stricter checking of IP addressed passed to server install
In-Reply-To: <4DD6B42F.6040507@redhat.com>
References: <4DC97FEC.1000005@redhat.com> <1305559608.30122.30.camel@dhcp-25-52.brq.redhat.com> <4DD15BA1.5080004@redhat.com> <1305708694.22796.60.camel@dhcp-25-52.brq.redhat.com> <4DD6B42F.6040507@redhat.com>
Message-ID: <1306241018.2514.54.camel@dhcp-25-52.brq.redhat.com>

On Fri, 2011-05-20 at 20:34 +0200, Jan Cholasta wrote:
> On 18.5.2011 10:51, Martin Kosek wrote:
> > On Mon, 2011-05-16 at 19:15 +0200, Jan Cholasta wrote:
> >> On 16.5.2011 17:26, Martin Kosek wrote:
> >>> On Tue, 2011-05-10 at 20:11 +0200, Jan Cholasta wrote:
> >>>> Split from patch 3, requires patch 18.
> >>>>
> >>>> https://fedorahosted.org/freeipa/ticket/1213
> >>>>
> >>>> Honza
> >>>>
> >>>
> >>> I tested all patches (3.6, 18, 19), but I think some work still needs to be done:
> >>>
> >>> 1) What about adding the /sbin/ip package to Requires in spec? I thought there was an agreement to do it.
> >>
> >> Will do.
> >
> > Ok.
> >
> >>>
> >>> 2) When I run `ipa-server-install --ip-address=$ADDR`, and $ADDR is an invalid address (e.g. $ADDR==foo), a loopback address (e.g. $ADDR==127.0.0.1) or just one other than the local address (e.g. $ADDR==123.123.123.123), the installer always fails with "the hostname resolves to an IP address that is different from the one provided on the command line".
> >>>
> >>> I think we may want a different error message in those 3 cases - it should be easy to do it now, with the improved IP handling.
> >>
> >> It looks like the print statements from verify_ip_address don't actually print anything to the user. Will look into that.
> >
> > Ok.
> >
> >>>
> >>> 3) When I pass a netmask to ipa-server-install --ip-address=$ADDR, the installation always fails with the above message. Even though I took the addr+netmask from "/sbin/ip address" output.
> >>
> >> Works for me. Please make sure you've added your hostname to /etc/hosts.
> >
> > I think I had. But I will recheck when you send a fix.
> >
> >>>
> >>> 4) I miss IP address checks in the --ip-address and --forwarder parameters of the ipa-dns-install script. I can pass invalid or local addresses to these parameters. This breaks the Bind configuration.
> >>
> >> --ip-address is checked, but --forwarder is not. Will fix that.
> >
> > Ok, I will recheck both of them when you do.
> >
> >>>
> >>> 5) I think we may want to check also for a local address in
> >>> #ipa host-add $HOST --ip-address=127.0.0.1
> >>>
> >>> 6) I couldn't add an IP address with netmask in the host module:
> >>> # ipa host-add $HOST --ip-address=10.16.78.102/22
> >>> ipa: ERROR: invalid 'ip_address': invalid IP address
> >>
> >> The patches are for the installer, as are the tickets they fix, so these issues are out of scope. A new ticket should be opened for them.
> >>
> >
> > You touched this parameter in your patches, that's why I tested it. I created a new ticket for it:
> >
> > https://fedorahosted.org/freeipa/ticket/1234
> >
> > Ticket 1234, yey :-)
> >
> >>>
> >>> 7) Why is the _ParsedIPAddress named with a leading underscore? It's not really an internal use since it is returned by new IP handling functions and used in other modules.
> >>
> >> _ParsedIPAddress is not for public use. The fact that an object of this class is returned by parse_ip_address doesn't really matter - this is Python, not C++ or Java.
> >
> > Hm, snappy... And I was wondering why my /usr/bin/java doesn't want to run FreeIPA, now I know - it's because it's Python.
> >
> > Martin
> >
>
> Patch updated. Requires patch 18.1
>
> Honza
>

All reported issues were fixed, good idea with a new type for our IPAOptionParser.

Still, NACK from me:

ipa-replica-install doesn't use IPAOptionParser, but the good old OptionParser which doesn't know the new type. This makes ipa-replica-prepare crash all the time. I know, I am a nitpicker :-)

Martin
From jcholast at redhat.com Tue May 24 12:44:31 2011
From: jcholast at redhat.com (Jan Cholasta)
Date: Tue, 24 May 2011 14:44:31 +0200
Subject: [Freeipa-devel] [PATCH] 19 Do stricter checking of IP addressed passed to server install
In-Reply-To: <1306241018.2514.54.camel@dhcp-25-52.brq.redhat.com>
References: <4DC97FEC.1000005@redhat.com> <1305559608.30122.30.camel@dhcp-25-52.brq.redhat.com> <4DD15BA1.5080004@redhat.com> <1305708694.22796.60.camel@dhcp-25-52.brq.redhat.com> <4DD6B42F.6040507@redhat.com> <1306241018.2514.54.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4DDBA82F.8040105@redhat.com>

On 24.5.2011 14:43, Martin Kosek wrote:
> On Fri, 2011-05-20 at 20:34 +0200, Jan Cholasta wrote:
>> On 18.5.2011 10:51, Martin Kosek wrote:
>>> On Mon, 2011-05-16 at 19:15 +0200, Jan Cholasta wrote:
>>>> On 16.5.2011 17:26, Martin Kosek wrote:
>>>>> On Tue, 2011-05-10 at 20:11 +0200, Jan Cholasta wrote:
>>>>>> Split from patch 3, requires patch 18.
>>>>>>
>>>>>> https://fedorahosted.org/freeipa/ticket/1213
>>>>>>
>>>>>> Honza
>>>>>>
>>>>>
>>>>> I tested all patches (3.6, 18, 19), but I think some work still needs to be done:
>>>>>
>>>>> 1) What about adding the /sbin/ip package to Requires in spec? I thought there was an agreement to do it.
>>>>
>>>> Will do.
>>>
>>> Ok.
>>>
>>>>>
>>>>> 2) When I run `ipa-server-install --ip-address=$ADDR`, and $ADDR is an invalid address (e.g. $ADDR==foo), a loopback address (e.g. $ADDR==127.0.0.1) or just one other than the local address (e.g. $ADDR==123.123.123.123), the installer always fails with "the hostname resolves to an IP address that is different from the one provided on the command line".
>>>>>
>>>>> I think we may want a different error message in those 3 cases - it should be easy to do it now, with the improved IP handling.
>>>>
>>>> It looks like the print statements from verify_ip_address don't actually print anything to the user. Will look into that.
>>>
>>> Ok.
>>>
>>>>>
>>>>> 3) When I pass a netmask to ipa-server-install --ip-address=$ADDR, the installation always fails with the above message. Even though I took the addr+netmask from "/sbin/ip address" output.
>>>>
>>>> Works for me. Please make sure you've added your hostname to /etc/hosts.
>>>
>>> I think I had. But I will recheck when you send a fix.
>>>
>>>>>
>>>>> 4) I miss IP address checks in the --ip-address and --forwarder parameters of the ipa-dns-install script. I can pass invalid or local addresses to these parameters. This breaks the Bind configuration.
>>>>
>>>> --ip-address is checked, but --forwarder is not. Will fix that.
>>>
>>> Ok, I will recheck both of them when you do.
>>>
>>>>>
>>>>> 5) I think we may want to check also for a local address in
>>>>> #ipa host-add $HOST --ip-address=127.0.0.1
>>>>>
>>>>> 6) I couldn't add an IP address with netmask in the host module:
>>>>> # ipa host-add $HOST --ip-address=10.16.78.102/22
>>>>> ipa: ERROR: invalid 'ip_address': invalid IP address
>>>>
>>>> The patches are for the installer, as are the tickets they fix, so these issues are out of scope. A new ticket should be opened for them.
>>>>
>>>
>>> You touched this parameter in your patches, that's why I tested it. I created a new ticket for it:
>>>
>>> https://fedorahosted.org/freeipa/ticket/1234
>>>
>>> Ticket 1234, yey :-)
>>>
>>>>>
>>>>> 7) Why is the _ParsedIPAddress named with a leading underscore? It's not really an internal use since it is returned by new IP handling functions and used in other modules.
>>>>
>>>> _ParsedIPAddress is not for public use. The fact that an object of this class is returned by parse_ip_address doesn't really matter - this is Python, not C++ or Java.
>>>
>>> Hm, snappy... And I was wondering why my /usr/bin/java doesn't want to run FreeIPA, now I know - it's because it's Python.
>>>
>>> Martin
>>>
>>
>> Patch updated. Requires patch 18.1
>>
>> Honza
>>
>
> All reported issues were fixed, good idea with a new type for our IPAOptionParser.
>
> Still, NACK from me:
>
> ipa-replica-install doesn't use IPAOptionParser, but the good old OptionParser which doesn't know the new type. This makes ipa-replica-prepare crash all the time. I know, I am a nitpicker :-)
>
> Martin
>

Thanks, I missed that.

Honza

-- 
Jan Cholasta
From rcritten at redhat.com Tue May 24 13:37:44 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 24 May 2011 09:37:44 -0400
Subject: [Freeipa-devel] [PATCH] 067 A new flag to disable creation of UPG
In-Reply-To: <1306226564.2514.29.camel@dhcp-25-52.brq.redhat.com>
References: <1305543942.30122.4.camel@dhcp-25-52.brq.redhat.com> <4DD1D983.4080102@redhat.com> <1305619158.22796.3.camel@dhcp-25-52.brq.redhat.com> <4DD680DE.3070709@redhat.com> <4DD68188.20706@redhat.com> <1306072666.2395.4.camel@dhcp-25-52.brq.redhat.com> <4DDAD270.1060703@redhat.com> <1306226564.2514.29.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4DDBB4A8.8080402@redhat.com>

Martin Kosek wrote:
> On Mon, 2011-05-23 at 17:32 -0400, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> On Fri, 2011-05-20 at 10:58 -0400, Rob Crittenden wrote:
>>>> Rob Crittenden wrote:
>>>>> Martin Kosek wrote:
>>>>>> On Mon, 2011-05-16 at 22:12 -0400, Rob Crittenden wrote:
>>>>>>> Martin Kosek wrote:
>>>>>>>> This patch is based on Pavel's old patch.
>>>>>>>>
>>>>>>>> I am considering applying the patch for the master branch only as it changes an API (adds a new flag) and is a sort of new-functionality-ish.
>>>>>>>>
>>>>>>>> --
>>>>>>>> Automatic creation of User Private Groups (UPG) may not be wanted at all times. This patch adds a new flag --noprivate to the ipa user-add command to disable it.
>>>>>>>>
>>>>>>>> https://fedorahosted.org/freeipa/ticket/1131
>>>>>>>
>>>>>>> Nack, setattr and addattr are removed from API.txt. I'm guessing it's a side-effect of some change here.
>>>>>>>
>>>>>>> The approach generally looks good.
>>>>>>>
>>>>>>> rob
>>>>>>
>>>>>> You are right, this was a side-effect in user.py. I fixed the problem, updated patch is attached.
>>>>>>
>>>>>> Martin
>>>>>
>>>>> This looks good, just a couple of requests:
>>>>>
>>>>> 1. Bump the minor API version since we are adding a new flag
>>>>> 2. Add a self-test for not creating a private group
>>>>>
>>>>> rob
>>>>
>>>> Oh, and looking back at the user I create it still has the UPG magic in the description attribute.
>>>>
>>>> rob
>>>
>>> Thanks for the careful review, I missed this bug in the original patch. UPG magic has been removed from the description and a test checking all this has been added.
>>>
>>> Martin
>>
>> I'm getting this on output, not sure if it is a bug in my tree or not:
>>
>> # ipa user-add --first=tim --last=user tuser3 --all --noprivate
>> -------------------
>> Added user "tuser3"
>> -------------------
>> dn: uid=tuser3,cn=users,cn=accounts,dc=greyoak,dc=com
>> User login: tuser3
>> First name: tim
>> Last name: user
>> Full name: tim user
>> Display name: tim user
>> Initials: tu
>> Home directory: /home/tuser3
>> GECOS field: tim user
>> Login shell: /bin/sh
>> Kerberos principal: tuser3 at GREYOAK.COM
>> UID: 204000006
>> GID: 204000001
>> ipa: ERROR: IndexError: tuple index out of range
>> Traceback (most recent call last):
>> File "/usr/lib/python2.7/site-packages/ipalib/cli.py", line 1103, in run
>> sys.exit(api.Backend.cli.run(argv))
>> File "/usr/lib/python2.7/site-packages/ipalib/cli.py", line 930, in run
>> rv = cmd.output_for_cli(self.api.Backend.textui, result, *args, **options)
>> File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 956, in output_for_cli
>> textui.print_entry(result, order, labels, flags, print_all)
>> File "/usr/lib/python2.7/site-packages/ipalib/cli.py", line 388, in print_entry
>> if type(entry[key]) in (tuple, list) and isinstance(entry[key][0], dict):
>> IndexError: tuple index out of range
>> ipa: ERROR: an internal error has occurred
>>
>> Otherwise things look ok.
>>
>> rob
>
> Hmm, that's strange. Doesn't happen for me:
>
> $ ipa user-add --first=tim --last=user tuser3 --all --noprivate
> -------------------
> Added user "tuser3"
> -------------------
> dn: uid=tuser3,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
> User login: tuser3
> First name: tim
> Last name: user
> Full name: tim user
> Display name: tim user
> Initials: tu
> Home directory: /home/tuser3
> GECOS field: tim user
> Login shell: /bin/sh
> Kerberos principal: tuser3 at IDM.LAB.BOS.REDHAT.COM
> UID: 557200036
> GID: 557200001
> ipauniqueid: 07b2864e-85e1-11e0-957d-00163e0605ff
> krbpwdpolicyreference: cn=global_policy,cn=IDM.LAB.BOS.REDHAT.COM,cn=kerberos,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
> objectclass: top, person, organizationalperson, inetorgperson, inetuser, posixaccount, krbprincipalaux, krbticketpolicyaux, ipaobject
>
> Can you please try again with a clean tree and only my patch applied?

Sure, I'll give it a fresh look this morning.

> I have one more question. Bumping the minor API version makes the client incompatible and it fails to operate. Is this OK? I thought it would be incompatible only when a major version changes:
>
> $ ipa user-add --first=tim --last=user tuser3 --all --noprivate
> ipa: ERROR: 2.2 client incompatible with 2.1 server at u'https://vm-027.idm.lab.bos.redhat.com/ipa/xml'
>
> Martin
>

Right, you've added a flag that an API 2.1 server won't understand. So a lower minor version can talk to a higher minor version but not the other way around.

rob
From jcholast at redhat.com Tue May 24 13:38:57 2011
From: jcholast at redhat.com (Jan Cholasta)
Date: Tue, 24 May 2011 15:38:57 +0200
Subject: [Freeipa-devel] [PATCH] 18 Parse netmasks in IP addresses passed to server install
In-Reply-To: <4DD6B2A5.3010507@redhat.com>
References: <4DC97E8B.8050904@redhat.com> <4DD6B2A5.3010507@redhat.com>
Message-ID: <4DDBB4F1.1050909@redhat.com>

On 20.5.2011 20:27, Jan Cholasta wrote:
> On 10.5.2011 20:06, Jan Cholasta wrote:
>> Parse netmasks in IP addresses passed to server install.
>>
>> ticket 1212
>
> Patch updated.
>
> TODO: Write unit test for ipapython.ipautil.CheckedIPAddress
> TODO: Clean unreachable code paths off of ipa-server-install (?)
> TODO: Workarounds for netaddr bugs (?)
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

Fixed ipa-replica-prepare and added a unit test.

-- 
Jan Cholasta
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-18.2-parse-netmask.patch
Type: text/x-patch
Size: 19628 bytes
From jcholast at redhat.com Tue May 24 13:42:55 2011
From: jcholast at redhat.com (Jan Cholasta)
Date: Tue, 24 May 2011 15:42:55 +0200
Subject: [Freeipa-devel] [PATCH] 19 Do stricter checking of IP addressed passed to server install
In-Reply-To: <4DDBA82F.8040105@redhat.com>
References: <4DC97FEC.1000005@redhat.com> <1305559608.30122.30.camel@dhcp-25-52.brq.redhat.com> <4DD15BA1.5080004@redhat.com> <1305708694.22796.60.camel@dhcp-25-52.brq.redhat.com> <4DD6B42F.6040507@redhat.com> <1306241018.2514.54.camel@dhcp-25-52.brq.redhat.com> <4DDBA82F.8040105@redhat.com>
Message-ID: <4DDBB5DF.2080908@redhat.com>

On 24.5.2011 14:44, Jan Cholasta wrote:
> On 24.5.2011 14:43, Martin Kosek wrote:
>> On Fri, 2011-05-20 at 20:34 +0200, Jan Cholasta wrote:
>>> On 18.5.2011 10:51, Martin Kosek wrote:
>>>> On Mon, 2011-05-16 at 19:15 +0200, Jan Cholasta wrote:
>>>>> On 16.5.2011 17:26, Martin Kosek wrote:
>>>>>> On Tue, 2011-05-10 at 20:11 +0200, Jan Cholasta wrote:
>>>>>>> Split from patch 3, requires patch 18.
>>>>>>>
>>>>>>> https://fedorahosted.org/freeipa/ticket/1213
>>>>>>>
>>>>>>> Honza
>>>>>>>
>>>>>>
>>>>>> I tested all patches (3.6, 18, 19), but I think some work still needs to be done:
>>>>>>
>>>>>> 1) What about adding the /sbin/ip package to Requires in spec? I thought there was an agreement to do it.
>>>>>
>>>>> Will do.
>>>>
>>>> Ok.
>>>>
>>>>>>
>>>>>> 2) When I run `ipa-server-install --ip-address=$ADDR`, and $ADDR is an invalid address (e.g. $ADDR==foo), a loopback address (e.g. $ADDR==127.0.0.1) or just one other than the local address (e.g. $ADDR==123.123.123.123), the installer always fails with "the hostname resolves to an IP address that is different from the one provided on the command line".
>>>>>>
>>>>>> I think we may want a different error message in those 3 cases - it should be easy to do it now, with the improved IP handling.
>>>>>
>>>>> It looks like the print statements from verify_ip_address don't actually print anything to the user. Will look into that.
>>>>
>>>> Ok.
>>>>
>>>>>>
>>>>>> 3) When I pass a netmask to ipa-server-install --ip-address=$ADDR, the installation always fails with the above message. Even though I took the addr+netmask from "/sbin/ip address" output.
>>>>>
>>>>> Works for me. Please make sure you've added your hostname to /etc/hosts.
>>>>
>>>> I think I had. But I will recheck when you send a fix.
>>>>
>>>>>>
>>>>>> 4) I miss IP address checks in the --ip-address and --forwarder parameters of the ipa-dns-install script. I can pass invalid or local addresses to these parameters. This breaks the Bind configuration.
>>>>>
>>>>> --ip-address is checked, but --forwarder is not. Will fix that.
>>>>
>>>> Ok, I will recheck both of them when you do.
>>>>
>>>>>>
>>>>>> 5) I think we may want to check also for a local address in
>>>>>> #ipa host-add $HOST --ip-address=127.0.0.1
>>>>>>
>>>>>> 6) I couldn't add an IP address with netmask in the host module:
>>>>>> # ipa host-add $HOST --ip-address=10.16.78.102/22
>>>>>> ipa: ERROR: invalid 'ip_address': invalid IP address
>>>>>
>>>>> The patches are for the installer, as are the tickets they fix, so these issues are out of scope. A new ticket should be opened for them.
>>>>>
>>>>
>>>> You touched this parameter in your patches, that's why I tested it. I created a new ticket for it:
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/1234
>>>>
>>>> Ticket 1234, yey :-)
>>>>
>>>>>>
>>>>>> 7) Why is the _ParsedIPAddress named with a leading underscore? It's not really an internal use since it is returned by new IP handling functions and used in other modules.
>>>>>
>>>>> _ParsedIPAddress is not for public use. The fact that an object of this class is returned by parse_ip_address doesn't really matter - this is Python, not C++ or Java.
>>>>
>>>> Hm, snappy... And I was wondering why my /usr/bin/java doesn't want to run FreeIPA, now I know - it's because it's Python.
>>>>
>>>> Martin
>>>>
>>>
>>> Patch updated. Requires patch 18.1
>>>
>>> Honza
>>>
>>
>> All reported issues were fixed, good idea with a new type for our IPAOptionParser.
>>
>> Still, NACK from me:
>>
>> ipa-replica-install doesn't use IPAOptionParser, but the good old OptionParser which doesn't know the new type. This makes ipa-replica-prepare crash all the time. I know, I am a nitpicker :-)
>>
>> Martin
>>
>
> Thanks, I missed that.
>
> Honza
>

Fixed and added a unit test.

-- 
Jan Cholasta
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-19.2-strict-ip-address-check.patch
Type: text/x-patch
Size: 2479 bytes
From ayoung at redhat.com Tue May 24 14:43:10 2011
From: ayoung at redhat.com (Adam Young)
Date: Tue, 24 May 2011 10:43:10 -0400
Subject: [Freeipa-devel] [PATCH] 163 Fixed adder dialog title.
In-Reply-To: <4DDAD25C.4060709@redhat.com>
References: <4DDAD25C.4060709@redhat.com>
Message-ID: <4DDBC3FE.30403@redhat.com>

On 05/23/2011 05:32 PM, Endi Sukma Dewata wrote:
> The IPA.entity_builder has been fixed to use the correct title for the entity's adder dialog.
>
> Ticket #1239

Seems like a lot of duplication in the messages. Shouldn't it be more along the lines of the other ones that are:

"Add " + Entity.label.
From rcritten at redhat.com Tue May 24 15:17:17 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 24 May 2011 11:17:17 -0400
Subject: [Freeipa-devel] [PATCH] 28 Move Managed Entries into their own container
In-Reply-To: <8E746E35-DCB9-48CF-9DB3-C40D30AEF888@citrix.com>
References: <5B8EA673-11F9-43FB-A2BC-8D7FD59598C5@citrixonline.com> <0D613602-E082-4CBB-9A39-AC33B4DE20F9@citrixonline.com> <4DD43FB3.6030908@redhat.com> <62F9181C-B4A8-464C-807B-0880FA203E47@citrixonline.com> <4DD51848.6030201@redhat.com> <9723636C-66F5-4C16-9CD0-E9FB4331555D@citrixonline.com> <4DDAD4BD.2070208@redhat.com> <8E746E35-DCB9-48CF-9DB3-C40D30AEF888@citrix.com>
Message-ID: <4DDBCBFD.7090905@redhat.com>

JR Aquino wrote:
> On May 23, 2011, at 2:42 PM, "Rob Crittenden" wrote:
>
>> JR Aquino wrote:
>>> On May 19, 2011, at 6:16 AM, Rob Crittenden wrote:
>>>
>>>> JR Aquino wrote:
>>>>> On May 18, 2011, at 2:52 PM, Rob Crittenden wrote:
>>>>>
>>>>>> JR Aquino wrote:
>>>>>>> On May 18, 2011, at 12:46 PM, JR Aquino wrote:
>>>>>>>
>>>>>>>> This affects Ticket 1222 and Rob's patch 786
>>>>>>>
>>>>>>> Per IRC conversation with Simo and Rob, take the path of least change.
>>>>>>>
>>>>>>> The patch has been modified to correct the CN to match the DN rather than changing both.
>>>>>>
>>>>>> This looks good. I'm going to wait to push it at the same time as 786.
>>>>>
>>>>> Simo mentioned that I need to create the .update in the patch so that we remove the previous typo-laden entry during updates.
>>>>
>>>> I added that to my patch.
>>>>
>>>> rob
>>>
>>> NACK both 28 and 786.
>>>
>>> Please see attached, and have a look at this new patch and ticket 1182 for a better understanding of the impact they have on these patches.
>>>
>>> Move Managed Entries into their own container in the replicated space.
>>> Create: cn=Managed Entries,cn=etc,$SUFFIX
>>> Create: cn=Definitions,cn=Managed Entries,cn=etc,$SUFFIX
>>> Create: cn=Templates,cn=Managed Entries,cn=etc,$SUFFIX
>>>
>>> Create method for migrating any and all custom Managed Entries from the cn=config space into the new container.
>>>
>>> The Managed Entries plugin configurations weren't being created on replica installs.
>>>
>>> This patch addresses two separate tickets and accounts for new installs, replica installs, and upgrades.
>>>
>>> https://fedorahosted.org/freeipa/ticket/1181 - Managed Entry Tool / New Container
>>> https://fedorahosted.org/freeipa/ticket/1222 - Add Managed Entries during Replica installation
>>>
>>
>> Well, I like this in spirit but this requires a yet-unreleased version of 389-ds, right?
>>
>> Should we take the intermediate step of your previous 28 patch and my 786 and then address moving entries once 389-ds is released?
>>
>
> Hrm. You have a good point...
>
> Should I plan on deleting the .update files for user private groups and nis/host groups in the separate patch that institutes the container move?

Not sure I follow. What I'd like to do is take an incremental approach. Let's get managed entries working at all on replicas first, then deal with moving the configuration once this functionality is widely available.

rob
From edewata at redhat.com Tue May 24 15:17:33 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 24 May 2011 10:17:33 -0500
Subject: [Freeipa-devel] [PATCH] 163 Fixed adder dialog title.
In-Reply-To: <4DDBC3FE.30403@redhat.com>
References: <4DDAD25C.4060709@redhat.com> <4DDBC3FE.30403@redhat.com>
Message-ID: <4DDBCC0D.1040809@redhat.com>

On 5/24/2011 9:43 AM, Adam Young wrote:
> On 05/23/2011 05:32 PM, Endi Sukma Dewata wrote:
>> The IPA.entity_builder has been fixed to use the correct title for the entity's adder dialog.
>>
>> Ticket #1239
>
> Seems like a lot of duplication in the messages. Shouldn't it be more along the lines of the other ones that are:
>
> "Add " + Entity.label.

Two problems with that:

1. The entity labels are plurals, we don't have singular labels for entity.

2. The word order could be different in some languages. We should use a translatable template: "Add ${entity}". This depends on #1.

I think the current patch is sufficient. We can improve it later when #1 is addressed.

-- 
Endi S. Dewata
From rcritten at redhat.com Tue May 24 16:09:49 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 24 May 2011 12:09:49 -0400
Subject: [Freeipa-devel] [PATCH] 067 A new flag to disable creation of UPG
In-Reply-To: <4DDBB4A8.8080402@redhat.com>
References: <1305543942.30122.4.camel@dhcp-25-52.brq.redhat.com> <4DD1D983.4080102@redhat.com> <1305619158.22796.3.camel@dhcp-25-52.brq.redhat.com> <4DD680DE.3070709@redhat.com> <4DD68188.20706@redhat.com> <1306072666.2395.4.camel@dhcp-25-52.brq.redhat.com> <4DDAD270.1060703@redhat.com> <1306226564.2514.29.camel@dhcp-25-52.brq.redhat.com> <4DDBB4A8.8080402@redhat.com>
Message-ID: <4DDBD84D.80503@redhat.com>

Rob Crittenden wrote:
> Martin Kosek wrote:
>> On Mon, 2011-05-23 at 17:32 -0400, Rob Crittenden wrote:
>>> Martin Kosek wrote:
>>>> On Fri, 2011-05-20 at 10:58 -0400, Rob Crittenden wrote:
>>>>> Rob Crittenden wrote:
>>>>>> Martin Kosek wrote:
>>>>>>> On Mon, 2011-05-16 at 22:12 -0400, Rob Crittenden wrote:
>>>>>>>> Martin Kosek wrote:
>>>>>>>>> This patch is based on Pavel's old patch.
>>>>>>>>>
>>>>>>>>> I am considering applying the patch for master branch only as it
>>>>>>>>> changes an API (adds a new flag) and is a sort of
>>>>>>>>> new-functionality-ish.
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Automatic creation of User Private Groups (UPG) may not be
>>>>>>>>> wanted at all times. This patch adds a new flag --noprivate to
>>>>>>>>> the ipa user-add command to disable it.
>>>>>>>>>
>>>>>>>>> https://fedorahosted.org/freeipa/ticket/1131
>>>>>>>>
>>>>>>>> Nack, setattr and addattr are removed from API.txt. I'm guessing
>>>>>>>> it's a side-effect of some change here.
>>>>>>>>
>>>>>>>> The approach generally looks good.
>>>>>>>>
>>>>>>>> rob
>>>>>>>
>>>>>>> You are right, this was a side-effect in user.py. I fixed the
>>>>>>> problem, updated patch is attached.
>>>>>>>
>>>>>>> Martin
>>>>>>
>>>>>> This looks good, just a couple of requests:
>>>>>>
>>>>>> 1. Bump the minor API version since we are adding a new flag
>>>>>> 2. Add a self-test for not creating a private group
>>>>>>
>>>>>> rob
>>>>>
>>>>> Oh, and looking back at the user I created, it still has the UPG
>>>>> magic in the description attribute.
>>>>>
>>>>> rob
>>>>
>>>> Thanks for the careful review, I missed this bug in the original patch.
>>>> UPG magic has been removed from the description and a test checking
>>>> all this has been added.
>>>>
>>>> Martin
>>>
>>> I'm getting this on output, not sure if it is a bug in my tree or not:
>>>
>>> # ipa user-add --first=tim --last=user tuser3 --all --noprivate
>>> -------------------
>>> Added user "tuser3"
>>> -------------------
>>> dn: uid=tuser3,cn=users,cn=accounts,dc=greyoak,dc=com
>>> User login: tuser3
>>> First name: tim
>>> Last name: user
>>> Full name: tim user
>>> Display name: tim user
>>> Initials: tu
>>> Home directory: /home/tuser3
>>> GECOS field: tim user
>>> Login shell: /bin/sh
>>> Kerberos principal: tuser3@GREYOAK.COM
>>> UID: 204000006
>>> GID: 204000001
>>> ipa: ERROR: IndexError: tuple index out of range
>>> Traceback (most recent call last):
>>>   File "/usr/lib/python2.7/site-packages/ipalib/cli.py", line 1103, in run
>>>     sys.exit(api.Backend.cli.run(argv))
>>>   File "/usr/lib/python2.7/site-packages/ipalib/cli.py", line 930, in run
>>>     rv = cmd.output_for_cli(self.api.Backend.textui, result, *args, **options)
>>>   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 956, in output_for_cli
>>>     textui.print_entry(result, order, labels, flags, print_all)
>>>   File "/usr/lib/python2.7/site-packages/ipalib/cli.py", line 388, in print_entry
>>>     if type(entry[key]) in (tuple, list) and isinstance(entry[key][0], dict):
>>> IndexError: tuple index out of range
>>> ipa: ERROR: an internal error has occurred
>>>
>>> Otherwise things look ok.
>>>
>>> rob
>>
>> Hmm, that's strange. Doesn't happen for me:
>>
>> $ ipa user-add --first=tim --last=user tuser3 --all --noprivate
>> -------------------
>> Added user "tuser3"
>> -------------------
>> dn: uid=tuser3,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
>> User login: tuser3
>> First name: tim
>> Last name: user
>> Full name: tim user
>> Display name: tim user
>> Initials: tu
>> Home directory: /home/tuser3
>> GECOS field: tim user
>> Login shell: /bin/sh
>> Kerberos principal: tuser3@IDM.LAB.BOS.REDHAT.COM
>> UID: 557200036
>> GID: 557200001
>> ipauniqueid: 07b2864e-85e1-11e0-957d-00163e0605ff
>> krbpwdpolicyreference: cn=global_policy,cn=IDM.LAB.BOS.REDHAT.COM,cn=kerberos,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
>> objectclass: top, person, organizationalperson, inetorgperson, inetuser, posixaccount, krbprincipalaux, krbticketpolicyaux, ipaobject
>>
>>
>> Can you please try again with a clean tree and only my patch applied?
>
> Sure, I'll give it a fresh look this morning.

Tried with a fresh tree, looks good.

ack

rob

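The traceback in the thread above comes from a check that indexes `entry[key][0]` before confirming the tuple is non-empty. The following is an added example, not ipalib's own code: a minimal stand-in for the CLI entry printer with the unguarded check beside a guarded one, run over a constructed entry whose multi-valued attribute came back empty (the cause of the empty tuple is assumed; the function and variable names only mirror those in the traceback).

```python
# Constructed sample entry: a user-add result in which one multi-valued
# attribute is an empty tuple and another is a tuple of dicts.
SAMPLE_ENTRY = {
    'uid': ('tuser3',),
    'givenname': ('tim',),
    'sn': ('user',),
    'memberof_group': (),                          # empty -> entry[key][0] raises IndexError
    'krbextradata': ({'type': 2, 'data': 'x'},),   # list of dicts, printed as nested block
}
ORDER = ['uid', 'givenname', 'sn', 'memberof_group', 'krbextradata']
LABELS = {
    'uid': 'User login', 'givenname': 'First name', 'sn': 'Last name',
    'memberof_group': 'Member of groups', 'krbextradata': 'Kerberos extra data',
}


def is_list_of_dicts_unsafe(value):
    # The test as it appears in the traceback: indexes value[0] without
    # first checking that the sequence has any elements.
    return type(value) in (tuple, list) and isinstance(value[0], dict)


def is_list_of_dicts(value):
    # Guarded form: an empty sequence is simply not a list of dicts.
    return (isinstance(value, (tuple, list))
            and len(value) > 0
            and isinstance(value[0], dict))


def print_entry(entry, order, labels, indent='  ', check=is_list_of_dicts):
    """Return the lines a CLI would print for one entry (hypothetical printer)."""
    lines = []
    for key in order:
        if key not in entry:
            continue
        value = entry[key]
        label = labels.get(key, key)
        if check(value):
            # Nested entries: each dict becomes its own indented block.
            lines.append('%s%s:' % (indent, label))
            for sub in value:
                for subkey in sorted(sub):
                    lines.append('%s  %s: %s' % (indent, subkey, sub[subkey]))
        elif isinstance(value, (tuple, list)):
            # Plain multi-valued attribute; an empty one prints an empty value.
            lines.append('%s%s: %s' % (indent, label, ', '.join(str(v) for v in value)))
        else:
            lines.append('%s%s: %s' % (indent, label, value))
    return lines


def reproduce_bug():
    """Return the exception name the unguarded check raises on the sample, or None."""
    try:
        print_entry(SAMPLE_ENTRY, ORDER, LABELS, check=is_list_of_dicts_unsafe)
    except IndexError as e:
        return type(e).__name__
    return None


if __name__ == '__main__':
    print('unguarded check raised:', reproduce_bug())
    for line in print_entry(SAMPLE_ENTRY, ORDER, LABELS):
        print(line)
```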
From: JR.Aquino at citrix.com (JR Aquino)
Date: Tue, 24 May 2011 16:26:03 +0000
Subject: [Freeipa-devel] [PATCH] 28 Move Managed Entries into their own container
In-Reply-To: <4DDBCBFD.7090905@redhat.com>
References: <5B8EA673-11F9-43FB-A2BC-8D7FD59598C5@citrixonline.com> <0D613602-E082-4CBB-9A39-AC33B4DE20F9@citrixonline.com> <4DD43FB3.6030908@redhat.com> <62F9181C-B4A8-464C-807B-0880FA203E47@citrixonline.com> <4DD51848.6030201@redhat.com> <9723636C-66F5-4C16-9CD0-E9FB4331555D@citrixonline.com> <4DDAD4BD.2070208@redhat.com> <8E746E35-DCB9-48CF-9DB3-C40D30AEF888@citrix.com> <4DDBCBFD.7090905@redhat.com>
Message-ID: <2536C536-D751-4C2D-B4B1-30289096E448@citrixonline.com>

On May 24, 2011, at 8:17 AM, Rob Crittenden wrote:

> JR Aquino wrote:
>> On May 23, 2011, at 2:42 PM, "Rob Crittenden" wrote:
>>
>>> JR Aquino wrote:
>>>> On May 19, 2011, at 6:16 AM, Rob Crittenden wrote:
>>>>
>>>>> JR Aquino wrote:
>>>>>> On May 18, 2011, at 2:52 PM, Rob Crittenden wrote:
>>>>>>
>>>>>>> JR Aquino wrote:
>>>>>>>> On May 18, 2011, at 12:46 PM, JR Aquino wrote:
>>>>>>>>
>>>>>>>>> This affects Ticket 1222 and Rob's patch 786
>>>>>>>>
>>>>>>>> Per IRC conversation with Simo and Rob, take the path of least change.
>>>>>>>>
>>>>>>>> The patch has been modified to correct the CN to match the DN rather than changing both.
>>>>>>>
>>>>>>> This looks good. I'm going to wait to push it at the same time as 786.
>>>>>>
>>>>>> Simo mentioned that I need to create the .update in the patch so that we remove the previous typo-laden entry during updates.
>>>>>
>>>>> I added that to my patch.
>>>>>
>>>>> rob
>>>>
>>>> NACK both 28 and 786.
>>>>
>>>> Please see attached, and have a look at this new patch and ticket 1182 for a better understanding of the impact they have on these patches.
>>>>
>>>> Move Managed Entries into their own container in the replicated space.
>>>> Create: cn=Managed Entries,cn=etc,$SUFFIX
>>>> Create: cn=Definitions,cn=Managed Entries,cn=etc,$SUFFIX
>>>> Create: cn=Templates,cn=Managed Entries,cn=etc,$SUFFIX
>>>>
>>>> Create method for migrating any and all custom Managed Entries from
>>>> the cn=config space into the new container.
>>>>
>>>> The Managed Entries plugin configurations weren't being created on
>>>> replica installs.
>>>>
>>>> This patch addresses two separate tickets and accounts for
>>>> new installs, replica installs, and upgrades.
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/1181 - Managed Entry Tool / New Container
>>>> https://fedorahosted.org/freeipa/ticket/1222 - Add Managed Entries during Replica installation
>>>>
>>>
>>> Well, I like this in spirit but this requires a yet-unreleased version of 389-ds, right?
>>>
>>> Should we take the intermediate step of your previous 28 patch and my 786 and then address moving entries once 389-ds is released?
>>>
>>
>> Hrm. You have a good point...
>>
>> Should I plan on deleting the .update files for user private groups and nis/host groups in the separate patch that institutes the container move?
>
> Not sure I follow.

Let me try to be more clear.

> What I'd like to do is take an incremental approach.

Yes, I agree.

> Let's get managed entries working at all on replicas first, then deal with moving the configuration once this functionality is widely available.

My new method performs an LDAP lookup to query the contents of the legacy configuration objects, and actually moves them to the new locations, which are replica friendly.

Thus, I was suggesting, yes, let us move forward with baby steps, fix the cn naming oversight, fix the replica install oversight with the .update files. Then once ns-slapd 1.2.9 is available, implement the newer patch, which makes the .update files for host/nis and user private groups obsolete. (Since it will read the data, and any additional custom user-created configs, and move them.)

That's what I had meant about having the future patch provide an updated method for handling the 'upgrade' and migration and remove those .update files as they would no longer be relevant.

-JR

From: ayoung at redhat.com (Adam Young)
Date: Tue, 24 May 2011 12:42:29 -0400
Subject: [Freeipa-devel] [PATCH] 163 Fixed adder dialog title.
In-Reply-To: <4DDBCC0D.1040809@redhat.com>
References: <4DDAD25C.4060709@redhat.com> <4DDBC3FE.30403@redhat.com> <4DDBCC0D.1040809@redhat.com>
Message-ID: <4DDBDFF5.4060606@redhat.com>

On 05/24/2011 11:17 AM, Endi Sukma Dewata wrote:
> On 5/24/2011 9:43 AM, Adam Young wrote:
>> On 05/23/2011 05:32 PM, Endi Sukma Dewata wrote:
>>> The IPA.entity_builder has been fixed to use the correct title
>>> for the entity's adder dialog.
>>>
>>> Ticket #1239
>
>> Seems like a lot of duplication in the messages. Shouldn't it be more
>> along the lines of the other ones that are:
>>
>> "Add " + Entity.label.
>
> Two problems with that:
>
> 1. The entity labels are plurals, we don't have singular labels for
> entity.
>
> 2. The word order could be different in some languages. We should use
> a translatable template: "Add ${entity}". This depends on #1.
>
> I think the current patch is sufficient. We can improve it later when
> #1 is addressed.
>

ACK. Pushed to master

From: ayoung at redhat.com (Adam Young)
Date: Tue, 24 May 2011 12:49:57 -0400
Subject: [Freeipa-devel] [PATCH] 164 Fixed Add and Edit without primary key.
In-Reply-To: <4DDAD473.7040308@redhat.com>
References: <4DDAD473.7040308@redhat.com>
Message-ID: <4DDBE1B5.6010005@redhat.com>

On 05/23/2011 05:41 PM, Endi Sukma Dewata wrote:
> The IPA.add_dialog has been modified such that if the user clicks the
> Add and Edit button it will read the primary key returned by the add
> operation and use it to open the details page.
>
> Ticket #1108
>
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

ACK. Pushed to master

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From: JR.Aquino at citrix.com (JR Aquino)
Date: Tue, 24 May 2011 17:08:15 +0000
Subject: [Freeipa-devel] [PATCH] 28 Move Managed Entries into their own container
In-Reply-To: <4DDBCBFD.7090905@redhat.com>
References: <5B8EA673-11F9-43FB-A2BC-8D7FD59598C5@citrixonline.com> <0D613602-E082-4CBB-9A39-AC33B4DE20F9@citrixonline.com> <4DD43FB3.6030908@redhat.com> <62F9181C-B4A8-464C-807B-0880FA203E47@citrixonline.com> <4DD51848.6030201@redhat.com> <9723636C-66F5-4C16-9CD0-E9FB4331555D@citrixonline.com> <4DDAD4BD.2070208@redhat.com> <8E746E35-DCB9-48CF-9DB3-C40D30AEF888@citrix.com> <4DDBCBFD.7090905@redhat.com>
Message-ID:

On May 24, 2011, at 8:17 AM, Rob Crittenden wrote:

> JR Aquino wrote:
>> On May 23, 2011, at 2:42 PM, "Rob Crittenden" wrote:
>>
>>> JR Aquino wrote:
>>>> On May 19, 2011, at 6:16 AM, Rob Crittenden wrote:
>>>>
>>>>> JR Aquino wrote:
>>>>>> On May 18, 2011, at 2:52 PM, Rob Crittenden wrote:
>>>>>>
>>>>>>> JR Aquino wrote:
>>>>>>>> On May 18, 2011, at 12:46 PM, JR Aquino wrote:
>>>>>>>>
>>>>>>>>> This affects Ticket 1222 and Rob's patch 786
>>>>>>>>
>>>>>>>> Per IRC conversation with Simo and Rob, take the path of least change.
>>>>>>>>
>>>>>>>> The patch has been modified to correct the CN to match the DN rather than changing both.
>>>>>>>
>>>>>>> This looks good. I'm going to wait to push it at the same time as 786.
>>>>>>
>>>>>> Simo mentioned that I need to create the .update in the patch so that we remove the previous typo-laden entry during updates.
>>>>>
>>>>> I added that to my patch.
>>>>>
>>>>> rob
>>>>
>>>> NACK both 28 and 786.
>>>>
>>>> Please see attached, and have a look at this new patch and ticket 1182 for a better understanding of the impact they have on these patches.
>>>>
>>>> Move Managed Entries into their own container in the replicated space.
>>>> Create: cn=Managed Entries,cn=etc,$SUFFIX
>>>> Create: cn=Definitions,cn=Managed Entries,cn=etc,$SUFFIX
>>>> Create: cn=Templates,cn=Managed Entries,cn=etc,$SUFFIX
>>>>
>>>> Create method for migrating any and all custom Managed Entries from
>>>> the cn=config space into the new container.
>>>>
>>>> The Managed Entries plugin configurations weren't being created on
>>>> replica installs.
>>>>
>>>> This patch addresses two separate tickets and accounts for
>>>> new installs, replica installs, and upgrades.
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/1181 - Managed Entry Tool / New Container
>>>> https://fedorahosted.org/freeipa/ticket/1222 - Add Managed Entries during Replica installation
>>>>
>>>
>>> Well, I like this in spirit but this requires a yet-unreleased version of 389-ds, right?
>>>
>>> Should we take the intermediate step of your previous 28 patch and my 786 and then address moving entries once 389-ds is released?
>>>
>>
>> Hrm. You have a good point...
>>
>> Should I plan on deleting the .update files for user private groups and nis/host groups in the separate patch that institutes the container move?
>
> Not sure I follow.
>
> What I'd like to do is take an incremental approach. Let's get managed entries working at all on replicas first, then deal with moving the configuration once this functionality is widely available.

I hereby retract the big patch in favor of the incremental approach.

Patch 786 and 28 are sane.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jraquino-0028-One-Liner-Typo-in-host_nis_groups-has-been-creating.patch
Type: application/octet-stream
Size: 878 bytes
Desc: freeipa-jraquino-0028-One-Liner-Typo-in-host_nis_groups-has-been-creating.patch
URL:

From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 24 May 2011 13:48:15 -0400
Subject: [Freeipa-devel] [PATCH] 28 Move Managed Entries into their own container
In-Reply-To:
References: <5B8EA673-11F9-43FB-A2BC-8D7FD59598C5@citrixonline.com> <0D613602-E082-4CBB-9A39-AC33B4DE20F9@citrixonline.com> <4DD43FB3.6030908@redhat.com> <62F9181C-B4A8-464C-807B-0880FA203E47@citrixonline.com> <4DD51848.6030201@redhat.com> <9723636C-66F5-4C16-9CD0-E9FB4331555D@citrixonline.com> <4DDAD4BD.2070208@redhat.com> <8E746E35-DCB9-48CF-9DB3-C40D30AEF888@citrix.com> <4DDBCBFD.7090905@redhat.com>
Message-ID: <4DDBEF5F.1090600@redhat.com>

JR Aquino wrote:
> On May 24, 2011, at 8:17 AM, Rob Crittenden wrote:
>
>> JR Aquino wrote:
>>> On May 23, 2011, at 2:42 PM, "Rob Crittenden" wrote:
>>>
>>>> JR Aquino wrote:
>>>>> On May 19, 2011, at 6:16 AM, Rob Crittenden wrote:
>>>>>
>>>>>> JR Aquino wrote:
>>>>>>> On May 18, 2011, at 2:52 PM, Rob Crittenden wrote:
>>>>>>>
>>>>>>>> JR Aquino wrote:
>>>>>>>>> On May 18, 2011, at 12:46 PM, JR Aquino wrote:
>>>>>>>>>
>>>>>>>>>> This affects Ticket 1222 and Rob's patch 786
>>>>>>>>>
>>>>>>>>> Per IRC conversation with Simo and Rob, take the path of least change.
>>>>>>>>>
>>>>>>>>> The patch has been modified to correct the CN to match the DN rather than changing both.
>>>>>>>>
>>>>>>>> This looks good. I'm going to wait to push it at the same time as 786.
>>>>>>>
>>>>>>> Simo mentioned that I need to create the .update in the patch so that we remove the previous typo-laden entry during updates.
>>>>>>
>>>>>> I added that to my patch.
>>>>>>
>>>>>> rob
>>>>>
>>>>> NACK both 28 and 786.
>>>>>
>>>>> Please see attached, and have a look at this new patch and ticket 1182 for a better understanding of the impact they have on these patches.
>>>>>
>>>>> Move Managed Entries into their own container in the replicated space.
>>>>> Create: cn=Managed Entries,cn=etc,$SUFFIX
>>>>> Create: cn=Definitions,cn=Managed Entries,cn=etc,$SUFFIX
>>>>> Create: cn=Templates,cn=Managed Entries,cn=etc,$SUFFIX
>>>>>
>>>>> Create method for migrating any and all custom Managed Entries from
>>>>> the cn=config space into the new container.
>>>>>
>>>>> The Managed Entries plugin configurations weren't being created on
>>>>> replica installs.
>>>>>
>>>>> This patch addresses two separate tickets and accounts for
>>>>> new installs, replica installs, and upgrades.
>>>>>
>>>>> https://fedorahosted.org/freeipa/ticket/1181 - Managed Entry Tool / New Container
>>>>> https://fedorahosted.org/freeipa/ticket/1222 - Add Managed Entries during Replica installation
>>>>>
>>>>
>>>> Well, I like this in spirit but this requires a yet-unreleased version of 389-ds, right?
>>>>
>>>> Should we take the intermediate step of your previous 28 patch and my 786 and then address moving entries once 389-ds is released?
>>>>
>>>
>>> Hrm. You have a good point...
>>>
>>> Should I plan on deleting the .update files for user private groups and nis/host groups in the separate patch that institutes the container move?
>>
>> Not sure I follow.
>>
>> What I'd like to do is take an incremental approach. Let's get managed entries working at all on replicas first, then deal with moving the configuration once this functionality is widely available.
>
> I hereby retract the big patch in favor of the incremental approach.
>
> Patch 786 and 28 are sane.
>

Ok, but is this an ack ;-)

rob

From: ayoung at redhat.com (Adam Young)
Date: Tue, 24 May 2011 14:11:43 -0400
Subject: [Freeipa-devel] [PATCH] 0227-2-automount-UI
Message-ID: <4DDBF4DF.9050603@redhat.com>

Known issues: the back to list links are broken. Add and delete for keys not working due to API issues discussed elsewhere.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0227-2-automount-UI.patch
Type: text/x-patch
Size: 371830 bytes
Desc: not available
URL:

From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 24 May 2011 13:11:12 -0500
Subject: [Freeipa-devel] [PATCH] 165 Fixed Selenium tests.
Message-ID: <4DDBF4C0.6020205@redhat.com>

Fixed some validation and synchronization problems in Selenium tests.

--
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0165-Fixed-Selenium-tests.patch
Type: text/x-patch
Size: 4879 bytes
Desc: not available
URL:

From: ayoung at redhat.com (Adam Young)
Date: Tue, 24 May 2011 14:53:26 -0400
Subject: [Freeipa-devel] [PATCH] 165 Fixed Selenium tests.
In-Reply-To: <4DDBF4C0.6020205@redhat.com>
References: <4DDBF4C0.6020205@redhat.com>
Message-ID: <4DDBFEA6.9070908@redhat.com>

On 05/24/2011 02:11 PM, Endi Sukma Dewata wrote:
> Fixed some validation and synchronization problems in Selenium tests.
>

ACK. Pushed to master

From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 24 May 2011 16:21:36 -0400
Subject: [Freeipa-devel] [PATCH] 790 document problems re-adding a replication
Message-ID: <4DDC1350.8010802@redhat.com>

If you create a replica, remove it, then re-add it and try to re-initialize the database it will fail because the remote master has the old service principal cached. The remote dirsrv needs to be restarted.

This is really only an issue when testing and doing an initial set up but it was rather confusing so I added it to the ipa-replica-manage man page.

ticket 1077

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-790-replica.patch
Type: application/mbox
Size: 3919 bytes
Desc: not available
URL:

From: dpal at redhat.com (Dmitri Pal)
Date: Tue, 24 May 2011 16:56:46 -0400
Subject: [Freeipa-devel] [PATCH] 790 document problems re-adding a replication
In-Reply-To: <4DDC1350.8010802@redhat.com>
References: <4DDC1350.8010802@redhat.com>
Message-ID: <4DDC1B8E.2050704@redhat.com>

On 05/24/2011 04:21 PM, Rob Crittenden wrote:
> If you create a replica, remove it, then re-add it and try to
> re-initialize the database it will fail because the remote master has
> the old service principal cached. The remote dirsrv needs to be
> restarted.
>

This is the issue in the disaster recovery case too, right?

> This is really only an issue when testing and doing an initial set up
> but it was rather confusing so I added it to the ipa-replica-manage
> man page.
>
> ticket 1077
>
> rob
>

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 24 May 2011 16:06:25 -0500
Subject: [Freeipa-devel] [PATCH] 0227-2-automount-UI
In-Reply-To: <4DDBF4DF.9050603@redhat.com>
References: <4DDBF4DF.9050603@redhat.com>
Message-ID: <4DDC1DD1.9090005@redhat.com>

On 5/24/2011 1:11 PM, Adam Young wrote:
> Known issues: the back to list links are broken. Add and delete for keys
> not working due to API issues discussed elsewhere.

Some issues:

1. The 3rd level tabs (Location, Maps, Keys) can be removed because there's already a breadcrumb which provides the functionality needed. It's not possible to go to a map or key directly without selecting a location, so having a tab for Maps or Keys doesn't quite make sense. Also if you click the Maps or Keys it will go to an empty maps page and clicking the browser's back button doesn't work.

2. The prefix in the page title keeps changing which forces you to re-read the title to make sure you're in the right page.
- Automount Location:BOS
- Automount Maps:BOS > auto.direct
- Automount Keys:BOS > auto.direct > nfsserver:/var/log/dirsrv /var/log/dirsrv

This can be simplified by removing the entity name:
- Automount: BOS
- Automount: BOS > auto.direct
- Automount: BOS > auto.direct > nfsserver:/var/log/dirsrv /var/log/dirsrv

This way it will look more like a breadcrumb and be less confusing. The "Automount" itself could be made a link to go to locations.

3. There should be a space after the colon, e.g. "Automount: BOS".

4. The "Add" button is broken for all entities. It adds the entry but fails to refresh the table. The other Add buttons work fine.

5. The search filter for maps and keys doesn't work, the results don't change.

6. Update operation is broken for all entities because in details.js line 325 the slice() returns an array which is incorrectly inserted into the array of primary keys.

--
Endi S. Dewata

From: ayoung at redhat.com (Adam Young)
Date: Tue, 24 May 2011 18:32:44 -0400
Subject: [Freeipa-devel] [PATCH] 0227-2-automount-UI
In-Reply-To: <4DDC1DD1.9090005@redhat.com>
References: <4DDBF4DF.9050603@redhat.com> <4DDC1DD1.9090005@redhat.com>
Message-ID: <4DDC320C.905@redhat.com>

On 05/24/2011 05:06 PM, Endi Sukma Dewata wrote:
> On 5/24/2011 1:11 PM, Adam Young wrote:
>> Known issues: the back to list links are broken. Add and delete for keys
>> not working due to API issues discussed elsewhere.
>
> Some issues:
>
> 1. The 3rd level tabs (Location, Maps, Keys) can be removed because
> there's already a breadcrumb which provides the functionality needed.
> It's not possible to go to a map or key directly without selecting a
> location, so having a tab for Maps or Keys doesn't quite make sense.

Tabs are necessary for navigation. In the future, we can add nested settings and deeply nested search facets that should allow us to navigate on down, but that is a lot more work.

> Also if you click the Maps or Keys it will go to an empty maps page
> and clicking the browser's back button doesn't work.

Fixed

>
> 2. The prefix in the page title keeps changing which forces you to
> re-read the title to make sure you're in the right page.
> - Automount Location:BOS
> - Automount Maps:BOS > auto.direct
> - Automount Keys:BOS > auto.direct > nfsserver:/var/log/dirsrv
> /var/log/dirsrv
>
> This can be simplified by removing the entity name:
> - Automount: BOS
> - Automount: BOS > auto.direct
> - Automount: BOS > auto.direct > nfsserver:/var/log/dirsrv
> /var/log/dirsrv
>
> This way it will look more like a breadcrumb and be less confusing.
> The "Automount" itself could be made a link to go to locations.

Agreed, but for now, the only way to make that happen is to modify the label fields for location, keys, and maps. That will mess things up elsewhere. The alternative is a lot of messy one-off code.

>
> 3. There should be a space after the colon, e.g. "Automount: BOS".

OK

>
> 4. The "Add" button is broken for all entities. It adds the entry but
> fails to refresh the table. The other Add buttons work fine.

Fixed. Needed to make the same change for add that I made for add and add another.

>
> 5. The search filter for maps and keys doesn't work, the results don't
> change.

Yeah, that was tied in with the "back to list" link. Still broken

>
> 6. Update operation is broken for all entities because in details.js
> line 325 the slice() returns an array which is incorrectly inserted
> into the array of primary keys.

Fixed

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0227-3-automount-UI.patch
Type: text/x-patch
Size: 375861 bytes
Desc: not available
URL:

From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 24 May 2011 23:28:00 -0500
Subject: [Freeipa-devel] [PATCH] 0227-2-automount-UI
In-Reply-To: <4DDC320C.905@redhat.com>
References: <4DDBF4DF.9050603@redhat.com> <4DDC1DD1.9090005@redhat.com> <4DDC320C.905@redhat.com>
Message-ID: <4DDC8550.10103@redhat.com>

On 5/24/2011 5:32 PM, Adam Young wrote:
> On 05/24/2011 05:06 PM, Endi Sukma Dewata wrote:
>> On 5/24/2011 1:11 PM, Adam Young wrote:
>>> Known issues: the back to list links are broken. Add and delete for keys
>>> not working due to API issues discussed elsewhere.
>> 1. The 3rd level tabs (Location, Maps, Keys) can be removed because
>> there's already a breadcrumb which provides the functionality needed.
>> It's not possible to go to a map or key directly without selecting a
>> location, so having a tab for Maps or Keys doesn't quite make sense.
> Tabs are necessary for navigation. In the future, we can add nested
> settings and deeply nested search facets that should allow us to
> navigate on down, but that is a lot more work.

I think the breadcrumb is sufficient for navigation, but I'll leave the final decision to UXD. Would it be difficult to remove the 3rd level tabs if we decide not to use it? Or is this tied to the nested entity definition?

>> 2. The prefix in the page title keeps changing which forces you to
>> re-read the title to make sure you're in the right page.
>> - Automount Location:BOS
>> - Automount Maps:BOS > auto.direct
>> - Automount Keys:BOS > auto.direct > nfsserver:/var/log/dirsrv
>> /var/log/dirsrv
>>
>> This can be simplified by removing the entity name:
>> - Automount: BOS
>> - Automount: BOS > auto.direct
>> - Automount: BOS > auto.direct > nfsserver:/var/log/dirsrv
>> /var/log/dirsrv
>>
>> This way it will look more like a breadcrumb and be less confusing.
>> The "Automount" itself could be made a link to go to locations.
>
> Agreed, but for now, the only way to make that happen is to modify the
> label fields for location, keys, and maps. That will mess things up
> elsewhere. Alternative is a lot of messy one-off code.

One way to do this cleanly is to explicitly specify the 'Automount' label in the factory and store it as a member variable in the entity, then modify the entity_header to use this variable in the page title instead of taking the entity label directly from metadata.

7. The automount key in the breadcrumb is capitalized. Since the key contains a Unix path it should preserve the case.

8. The column in the maps search facet doesn't have a title.

9. The keys search facet only has one column: description. It would be better to use key and mount information since those are the fields that you entered during add.

10. The code assumes that the primary keys will be specified as command arguments, which we know doesn't match the API for automount keys. Suppose we decide not to change the API, there should be a way to invoke the current API without writing one-off code in the common code. I think this can be done by defining a generic finder method for all entities, then override this method in the subclass for automount keys. What do you think?

--
Endi S. Dewata

From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 25 May 2011 08:41:38 +0200
Subject: [Freeipa-devel] [PATCH] 067 A new flag to disable creation of UPG
In-Reply-To: <4DDBD84D.80503@redhat.com>
References: <1305543942.30122.4.camel@dhcp-25-52.brq.redhat.com> <4DD1D983.4080102@redhat.com> <1305619158.22796.3.camel@dhcp-25-52.brq.redhat.com> <4DD680DE.3070709@redhat.com> <4DD68188.20706@redhat.com> <1306072666.2395.4.camel@dhcp-25-52.brq.redhat.com> <4DDAD270.1060703@redhat.com> <1306226564.2514.29.camel@dhcp-25-52.brq.redhat.com> <4DDBB4A8.8080402@redhat.com> <4DDBD84D.80503@redhat.com>
Message-ID: <1306305700.18222.0.camel@dhcp-25-52.brq.redhat.com>

On Tue, 2011-05-24 at 12:09 -0400, Rob Crittenden wrote:
> Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> On Mon, 2011-05-23 at 17:32 -0400, Rob Crittenden wrote:
>>>> Martin Kosek wrote:
>>>>> On Fri, 2011-05-20 at 10:58 -0400, Rob Crittenden wrote:
>>>>>> Rob Crittenden wrote:
>>>>>>> Martin Kosek wrote:
>>>>>>>> On Mon, 2011-05-16 at 22:12 -0400, Rob Crittenden wrote:
>>>>>>>>> Martin Kosek wrote:
>>>>>>>>>> This patch is based on Pavel's old patch.
>>>>>>>>>>
>>>>>>>>>> I am considering applying the patch for master branch only as it
>>>>>>>>>> changes an API (adds a new flag) and is a sort of
>>>>>>>>>> new-functionality-ish.
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Automatic creation of User Private Groups (UPG) may not be
>>>>>>>>>> wanted at all times. This patch adds a new flag --noprivate to
>>>>>>>>>> the ipa user-add command to disable it.
>>>>>>>>>>
>>>>>>>>>> https://fedorahosted.org/freeipa/ticket/1131
>>>>>>>>>
>>>>>>>>> Nack, setattr and addattr are removed from API.txt. I'm guessing
>>>>>>>>> it's a side-effect of some change here.
>>>>>>>>>
>>>>>>>>> The approach generally looks good.
>>>>>>>>>
>>>>>>>>> rob
>>>>>>>>
>>>>>>>> You are right, this was a side-effect in user.py. I fixed the
>>>>>>>> problem, updated patch is attached.
>>>>>>>>
>>>>>>>> Martin
>>>>>>>
>>>>>>> This looks good, just a couple of requests:
>>>>>>>
>>>>>>> 1. Bump the minor API version since we are adding a new flag
>>>>>>> 2. Add a self-test for not creating a private group
>>>>>>>
>>>>>>> rob
>>>>>>
>>>>>> Oh, and looking back at the user I created, it still has the UPG
>>>>>> magic in the description attribute.
>>>>>>
>>>>>> rob
>>>>>
>>>>> Thanks for the careful review, I missed this bug in the original patch.
>>>>> UPG magic has been removed from the description and a test checking
>>>>> all this has been added.
>>>>>
>>>>> Martin
>>>>
>>>> I'm getting this on output, not sure if it is a bug in my tree or not:
>>>>
>>>> # ipa user-add --first=tim --last=user tuser3 --all --noprivate
>>>> -------------------
>>>> Added user "tuser3"
>>>> -------------------
>>>> dn: uid=tuser3,cn=users,cn=accounts,dc=greyoak,dc=com
>>>> User login: tuser3
>>>> First name: tim
>>>> Last name: user
>>>> Full name: tim user
>>>> Display name: tim user
>>>> Initials: tu
>>>> Home directory: /home/tuser3
>>>> GECOS field: tim user
>>>> Login shell: /bin/sh
>>>> Kerberos principal: tuser3@GREYOAK.COM
>>>> UID: 204000006
>>>> GID: 204000001
>>>> ipa: ERROR: IndexError: tuple index out of range
>>>> Traceback (most recent call last):
>>>>   File "/usr/lib/python2.7/site-packages/ipalib/cli.py", line 1103, in run
>>>>     sys.exit(api.Backend.cli.run(argv))
>>>>   File "/usr/lib/python2.7/site-packages/ipalib/cli.py", line 930, in run
>>>>     rv = cmd.output_for_cli(self.api.Backend.textui, result, *args, **options)
>>>>   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 956, in output_for_cli
>>>>     textui.print_entry(result, order, labels, flags, print_all)
>>>>   File "/usr/lib/python2.7/site-packages/ipalib/cli.py", line 388, in print_entry
>>>>     if type(entry[key]) in (tuple, list) and isinstance(entry[key][0], dict):
>>>> IndexError: tuple index out of range
>>>> ipa: ERROR: an internal error has occurred
>>>>
>>>> Otherwise things look ok.
>>>>
>>>> rob
>>>
>>> Hmm, that's strange. Doesn't happen for me:
>>>
>>> $ ipa user-add --first=tim --last=user tuser3 --all --noprivate
>>> -------------------
>>> Added user "tuser3"
>>> -------------------
>>> dn: uid=tuser3,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
>>> User login: tuser3
>>> First name: tim
>>> Last name: user
>>> Full name: tim user
>>> Display name: tim user
>>> Initials: tu
>>> Home directory: /home/tuser3
>>> GECOS field: tim user
>>> Login shell: /bin/sh
>>> Kerberos principal: tuser3@IDM.LAB.BOS.REDHAT.COM
>>> UID: 557200036
>>> GID: 557200001
>>> ipauniqueid: 07b2864e-85e1-11e0-957d-00163e0605ff
>>> krbpwdpolicyreference: cn=global_policy,cn=IDM.LAB.BOS.REDHAT.COM,cn=kerberos,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
>>> objectclass: top, person, organizationalperson, inetorgperson, inetuser, posixaccount, krbprincipalaux, krbticketpolicyaux, ipaobject
>>>
>>>
>>> Can you please try again with a clean tree and only my patch applied?
>>
>> Sure, I'll give it a fresh look this morning.
>
> Tried with a fresh tree, looks good.
>
> ack
>
> rob

Pushed to master only.

Martin

From: mkosek at redhat.com (Martin Kosek) Date: Wed, 25 May 2011 09:46:51 +0200 Subject: [Freeipa-devel] [PATCH] 19 Do stricter checking of IP addressed passed to server install In-Reply-To: <4DDBB5DF.2080908@redhat.com> References: <4DC97FEC.1000005@redhat.com> <1305559608.30122.30.camel@dhcp-25-52.brq.redhat.com> <4DD15BA1.5080004@redhat.com> <1305708694.22796.60.camel@dhcp-25-52.brq.redhat.com> <4DD6B42F.6040507@redhat.com> <1306241018.2514.54.camel@dhcp-25-52.brq.redhat.com> <4DDBA82F.8040105@redhat.com> <4DDBB5DF.2080908@redhat.com> Message-ID: <1306309613.18222.10.camel@dhcp-25-52.brq.redhat.com> On Tue, 2011-05-24 at 15:42 +0200, Jan Cholasta wrote: > On 24.5.2011 14:44, Jan Cholasta wrote: > > On 24.5.2011 14:43, Martin Kosek wrote: > >> On Fri, 2011-05-20 at 20:34 +0200, Jan Cholasta wrote: > >>> On 18.5.2011 10:51, Martin Kosek wrote: > >>>> On Mon, 2011-05-16 at 19:15 +0200, Jan Cholasta wrote: > >>>>> On 16.5.2011 17:26, Martin Kosek wrote: > >>>>>> On Tue, 2011-05-10 at 20:11 +0200, Jan Cholasta wrote: > >>>>>>> Split from patch 3, requires patch 18. > >>>>>>> > >>>>>>> https://fedorahosted.org/freeipa/ticket/1213 > >>>>>>> > >>>>>>> Honza > >>>>>>> > >>>>>> > >>>>>> I tested all patches (3.6, 18, 19), but I think some work still > >>>>>> needs to > >>>>>> be done: > >>>>>> > >>>>>> 1) What about adding /sbin/ip package to Requires in spec? I thought > >>>>>> there was an agreement to do it. > >>>>> > >>>>> Will do. > >>>> > >>>> Ok. > >>>> > >>>>> > >>>>>> > >>>>>> 2) When I run `ipa-server-install --ip-address=$ADDR`, and $ADDR is > >>>>>> invalid address (e.g. $ADDR==foo), loopback address (e.g. > >>>>>> $ADDR==127.0.0.1) or just another that the local address (e.g. > >>>>>> $ADDR==123.123.123.123) the installer always fails with "the hostname > >>>>>> resolves to an IP address that is different from the one provided > >>>>>> on the > >>>>>> command line". 
> >>>>>>
> >>>>>> I think we may want a different error message in those 3 cases - it should be easy to do it now, with the improved IP handling.
> >>>>>
> >>>>> It looks like the print statements from verify_ip_address don't actually print anything to the user. Will look into that.
> >>>>
> >>>> Ok.
> >>>>
> >>>>>
> >>>>>>
> >>>>>> 3) When I pass a netmask to ipa-server-install --ip-address=$ADDR, the installation always fails with the above message. Even though I took the addr+netmask from "/sbin/ip address" output.
> >>>>>
> >>>>> Works for me. Please make sure you've added your hostname to /etc/hosts.
> >>>>
> >>>> I think I had. But I will recheck when you send a fix.
> >>>>
> >>>>>
> >>>>>>
> >>>>>> 4) I miss IP address checks in --ip-address and --forwarder parameters of ipa-dns-install script. I can pass invalid or local addresses to these parameters. This breaks Bind configuration.
> >>>>>
> >>>>> --ip-address is checked, but --forwarder is not. Will fix that.
> >>>>
> >>>> Ok, I will recheck both of them when you do.
> >>>>
> >>>>>
> >>>>>>
> >>>>>> 5) I think we may want to check also for local address in
> >>>>>> #ipa host-add $HOST --ip-address=127.0.0.1
> >>>>>>
> >>>>>> 6) I couldn't add IP address with netmask in host module:
> >>>>>> # ipa host-add $HOST --ip-address=10.16.78.102/22
> >>>>>> ipa: ERROR: invalid 'ip_address': invalid IP address
> >>>>>
> >>>>> The patches are for the installer, as are the tickets they fix, so these issues are out of scope. A new ticket should be opened for them.
> >>>>>
> >>>>
> >>>> You touched this parameter in your patches, that's why I tested it. I created a new ticket for it:
> >>>>
> >>>> https://fedorahosted.org/freeipa/ticket/1234
> >>>>
> >>>> Ticket 1234, yey :-)
> >>>>
> >>>>>>
> >>>>>> 7) Why is the _ParsedIPAddress named with a leading underscore?
> >>>>>> It's not really an internal use since it is returned by new IP handling functions and used in other modules.
> >>>>>
> >>>>> _ParsedIPAddress is not for public use. The fact that an object of this class is returned by parse_ip_address doesn't really matter - this is Python, not C++ or Java.
> >>>>
> >>>> Hm, snappy... And I was wondering why my /usr/bin/java doesn't want to run FreeIPA, now I know - it's because it's Python.
> >>>>
> >>>> Martin
> >>>>
> >>>
> >>> Patch updated. Requires patch 18.1
> >>>
> >>> Honza
> >>>
> >>
> >> All reported issues were fixed, good idea with a new type for our IPAOptionParser.
> >>
> >> Still, NACK from me:
> >>
> >> ipa-replica-install doesn't use IPAOptionParser, but the good old OptionParser which doesn't know the new type. This makes ipa-replica-prepare crash all the time. I know, I am a nitpicker :-)
> >>
> >> Martin
> >>
> >
> > Thanks, I missed that.
> >
> > Honza
> >
>
> Fixed and added a unit test.
>

NACK. Please test your patches before you send them for a review. It saves the reviewer's time.

1) Unwanted warning about unmatching network interface when replica is installed:

# ipa-replica-prepare vm-059.idm.lab.bos.redhat.com --ip-address=10.16.78.59
Warning: No network interface matches IP address 10.16.78.59
Directory Manager (existing master) password:
...

2) ipa-replica-install crashes

# ipa-replica-install /home/mkosek/replica-info-vm-059.idm.lab.bos.redhat.com.gpg
Directory Manager (existing master) password:

Configuring ntpd
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
done configuring ntpd.
creation of replica failed: unsupported operand type(s) for /: 'NoneType' and 'int'

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
ipa-replica-install log:

2011-05-25 03:36:18,503 DEBUG unsupported operand type(s) for /: 'NoneType' and 'int'
  File "/usr/sbin/ipa-replica-install", line 550, in <module>
    main()
  File "/usr/sbin/ipa-replica-install", line 496, in main
    install_dns_records(config, options)
  File "/usr/sbin/ipa-replica-install", line 329, in install_dns_records
    options.conf_ntp)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py", line 469, in add_master_dns_records
    self.__add_self()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py", line 399, in __add_self
    if dns_zone_exists(get_reverse_zone(self.ip_address, self.ip_prefix_len)[0]):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py", line 106, in get_reverse_zone
    pos = 4 - ip_prefix_len / 8

Martin
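The checks this review asks for, written out as an added example (not FreeIPA's own code): each rejection reason (unparsable address, loopback, no matching local interface, bad or mismatched prefix) gets its own message, and the reverse-zone helper refuses a missing prefix length instead of crashing on `NoneType / int` as in the traceback above. The names `IPAddressError`, `check_ip_address`, `match_local_interface` and `get_reverse_zone`, the classless-prefix zone convention, and the constructed interface list (passed in rather than read from `ip address`, so it runs offline) are all this example's assumptions.

```python
"""Stricter --ip-address / --forwarder checking, with the reverse-zone
helper made safe against a missing prefix length.

Added example, not FreeIPA's own code. Names (IPAddressError,
check_ip_address, get_reverse_zone) and the classless-prefix zone
convention are this example's; the local interface list is passed in
instead of read from `ip address` so the example runs offline.
"""
import ipaddress
from typing import List, Optional, Tuple


class IPAddressError(ValueError):
    """One specific message per rejected input, so an installer can show it."""


def parse_ip_address(text: str) -> Tuple[ipaddress.IPv4Address, Optional[int]]:
    """Parse 'ADDR' or 'ADDR/PREFIX' into (address, prefix_len or None).

    Garbage ('foo'), a bad prefix, and loopback/multicast/unspecified
    addresses each get their own message instead of one generic failure.
    """
    addr_part, sep, prefix_part = text.partition("/")
    try:
        addr = ipaddress.IPv4Address(addr_part)
    except ipaddress.AddressValueError:
        raise IPAddressError("invalid IP address: %r" % text)
    prefix_len = None
    if sep:
        if not prefix_part.isdigit() or not 0 <= int(prefix_part) <= 32:
            raise IPAddressError("invalid network prefix length in %r" % text)
        prefix_len = int(prefix_part)
    if addr.is_loopback:
        raise IPAddressError("loopback address %s cannot be used" % addr)
    if addr.is_multicast or addr.is_unspecified:
        raise IPAddressError("%s is not a usable host address" % addr)
    return addr, prefix_len


def match_local_interface(addr: ipaddress.IPv4Address,
                          local_interfaces: List[str]) -> int:
    """Return the prefix length of the local interface carrying addr.

    local_interfaces holds 'ADDR/PREFIX' strings as `ip address` prints
    them. An address configured on no interface is its own error.
    """
    for iface in local_interfaces:
        iface_addr = ipaddress.IPv4Interface(iface)
        if iface_addr.ip == addr:
            return iface_addr.network.prefixlen
    raise IPAddressError("no network interface matches IP address %s" % addr)


def check_ip_address(text: str, local_interfaces: List[str]
                     ) -> Tuple[ipaddress.IPv4Address, int]:
    """Full --ip-address check: parse, require a local address, and take
    the prefix length from the interface when the user gave none."""
    addr, prefix_len = parse_ip_address(text)
    iface_prefix = match_local_interface(addr, local_interfaces)
    if prefix_len is None:
        prefix_len = iface_prefix
    elif prefix_len != iface_prefix:
        raise IPAddressError("prefix length /%d does not match the interface (/%d)"
                             % (prefix_len, iface_prefix))
    return addr, prefix_len


def get_reverse_zone(addr: ipaddress.IPv4Address,
                     prefix_len: Optional[int]) -> Tuple[str, str]:
    """Return (reverse zone name, PTR record name) for addr/prefix_len.

    The zone spans the whole octets fixed by the prefix, so a /22 lands in
    the enclosing /16 zone (one convention for classless prefixes). A None
    or out-of-range prefix is reported here rather than surfacing as
    "unsupported operand type(s) for /: 'NoneType' and 'int'".
    """
    if prefix_len is None:
        raise IPAddressError("network prefix length is required for the reverse zone")
    if not 0 <= prefix_len <= 32:
        raise IPAddressError("invalid network prefix length %r" % prefix_len)
    network = ipaddress.IPv4Network("%s/%d" % (addr, prefix_len), strict=False)
    fixed = str(network.network_address).split(".")[:prefix_len // 8]
    zone = ".".join(list(reversed(fixed)) + ["in-addr", "arpa"])
    return zone, addr.reverse_pointer


def rejection(func, *args) -> Optional[str]:
    """Run a check and return its IPAddressError message, or None if accepted."""
    try:
        func(*args)
    except IPAddressError as err:
        return str(err)
    return None


if __name__ == "__main__":
    # Constructed interface list standing in for `ip address` output.
    local = ["10.16.78.59/22", "127.0.0.1/8"]
    for candidate in ["foo", "127.0.0.1", "123.123.123.123",
                      "10.16.78.59/24", "10.16.78.59"]:
        verdict = rejection(check_ip_address, candidate, local) or "ok"
        print("%-18s -> %s" % (candidate, verdict))
    print(get_reverse_zone(*check_ip_address("10.16.78.59", local)))
```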
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 25 May 2011 12:49:31 +0200
Subject: [Freeipa-devel] [PATCH] 762 Let the framework be able to override the hostname
In-Reply-To: <4D95F3AD.2000707@redhat.com>
References: <4D95F3AD.2000707@redhat.com>
Message-ID: <1306320574.18222.20.camel@dhcp-25-52.brq.redhat.com>

On Fri, 2011-04-01 at 11:47 -0400, Rob Crittenden wrote:
> The hostname is passed in during the server installation. We should use this hostname for the resulting server as well. It was being discarded and we always used the system hostname value.
>
> ticket 1052
>
> rob

I have to NACK this again. I have a problem communicating with IPA on a master machine. I reproduced it on 2 different machines. Please correct my steps if I am wrong; I do the following procedure:

1) I prepare a fresh minimal F-15
2) Install freeipa-server (current master with your patches)
3) Add custom hostname to /etc/hosts
4) Install IPA server:
ipa-server-install -p secret123 -a secret123 --hostname ipa.idm.lab.bos.redhat.com --setup-dns --forwarder=10.16.255.2
5) # kinit admin
Password for admin at IDM.LAB.BOS.REDHAT.COM:
6) # ipa user-show admin
ipa: ERROR: cannot connect to 'any of the configured servers': https://ipa.idm.lab.bos.redhat.com/ipa/xml, https://ipa.idm.lab.bos.redhat.com/ipa/xml

# ping -c 1 ipa.idm.lab.bos.redhat.com
PING ipa.idm.lab.bos.redhat.com (10.16.78.140) 56(84) bytes of data.
64 bytes from ipa.idm.lab.bos.redhat.com (10.16.78.140): icmp_req=1 ttl=64 time=0.049 ms

Apache error_log shows relevant errors:

[Wed May 25 06:42:38 2011] [error] ipa: ERROR: Failed to start IPA: Unable to retrieve LDAP schema: Invalid credentials: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Permission denied)
[Wed May 25 06:42:38 2011] [error] ipa: ERROR: Failed to start IPA: Unable to retrieve LDAP schema: Invalid credentials: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Permission denied)
[Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) in ignored
[Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) in ignored
[Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) in ignored
[Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) in ignored
[Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) in ignored
[Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) in ignored
[Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) in ignored
[Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) in ignored
[Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) in ignored
[Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) in ignored
[Wed May 25 06:43:56 2011] [notice] caught SIGTERM, shutting down
[Wed May 25 06:43:56 2011] [notice] SELinux policy enabled; httpd running as context system_u:system_r:kernel_t:s0
[Wed May 25 06:43:57 2011] [notice] Digest: generating secret for digest authentication ...
[Wed May 25 06:43:57 2011] [notice] Digest: done
[Wed May 25 06:43:57 2011] [notice] Apache/2.2.17 (Unix) DAV/2 mod_auth_kerb/5.4 mod_nss/2.2.17 NSS/3.12.9.0 mod_wsgi/3.2 Python/2.7.1 configured -- resuming normal operations
[Wed May 25 06:44:04 2011] [error] ipa: INFO: *** PROCESS START ***
[Wed May 25 06:44:04 2011] [error] ipa: INFO: *** PROCESS START ***
[Wed May 25 06:45:25 2011] [error] [client 10.16.78.140] mod_wsgi (pid=5192): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
[Wed May 25 06:45:25 2011] [error] [client 10.16.78.140] Traceback (most recent call last):
[Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]   File "/usr/share/ipa/wsgi.py", line 48, in application
[Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]     return api.Backend.session(environ, start_response)
[Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 141, in __call__
[Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]     self.create_context(ccache=environ.get('KRB5CCNAME'))
[Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]   File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 110, in create_context
[Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]     self.Backend.ldap2.connect(ccache=ccache)
[Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]   File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 62, in connect
[Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]     conn = self.create_connection(*args, **kw)
[Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]   File "/usr/lib/python2.7/site-packages/ipalib/encoder.py", line 188, in new_f
[Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]     return f(*new_args, **kwargs)
[Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line 337, in create_connection
[Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]     _handle_errors(e, **{})
[Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line 118, in _handle_errors
[Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]     raise errors.DatabaseError(desc=desc, info=info)
[Wed May 25 06:45:25 2011] [error] [client 10.16.78.140] DatabaseError: Local error: SASL(-1): generic failure: GSSAPI Error: An invalid name was supplied (Hostname cannot be canonicalized)
[Wed May 25 06:45:26 2011] [error] [client 10.16.78.140] mod_wsgi (pid=5193): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.

You can check the problem on vm-140.idm.lab.bos.redhat.com if you want to.

Martin

From mkosek at redhat.com Wed May 25 12:44:17 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 25 May 2011 14:44:17 +0200
Subject: [Freeipa-devel] [PATCH] 768 fix migration between v2 servers
In-Reply-To: <4D9F1A88.3030204@redhat.com>
References: <4D9F1A88.3030204@redhat.com>
Message-ID: <1306327459.18222.23.camel@dhcp-25-52.brq.redhat.com>

On Fri, 2011-04-08 at 10:24 -0400, Rob Crittenden wrote:
> Migration from a v2 server would fail because of our fake memberofindirect attribute. This isn't in any objectclass so would cause entries to fail to migrate. We can safely just remove it.
>
> Also remove any limits on time/size when searching for entries on the remote server. Otherwise only the number of entries configured in the local IPA server can be migrated.
>
> ticket 1124
>
> rob

Looks good, ACK.

I tested a migration with users with memberofindirect + there were 700+ users. Even though the migration took quite a long time, all users were correctly migrated.

Martin

From rcritten at redhat.com Wed May 25 13:09:43 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 25 May 2011 09:09:43 -0400
Subject: [Freeipa-devel] [PATCH] 790 document problems re-adding a replication
In-Reply-To: <4DDC1B8E.2050704@redhat.com>
References: <4DDC1350.8010802@redhat.com> <4DDC1B8E.2050704@redhat.com>
Message-ID: <4DDCFF97.8000506@redhat.com>

Dmitri Pal wrote:
> On 05/24/2011 04:21 PM, Rob Crittenden wrote:
>> If you create a replica, remove it, then re-add it and try to re-initialize the database it will fail because the remote master has the old service principal cached. The remote dirsrv needs to be restarted.
>>
> This is the issue in the disaster recovery case too, right?

Yes, any time a replica is removed and re-added.

rob

>
>
>> This is really only an issue when testing and doing an initial set up but it was rather confusing so I added it to the ipa-replica-manage man page.
>>
>> ticket 1077
>>
>> rob
>>
>>
>> _______________________________________________
>> Freeipa-devel mailing list
>> Freeipa-devel at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IPA project,
> Red Hat Inc.

From ayoung at redhat.com Wed May 25 13:57:53 2011
From: ayoung at redhat.com (Adam Young)
Date: Wed, 25 May 2011 09:57:53 -0400
Subject: [Freeipa-devel] [PATCH] 0227-2-automount-UI
In-Reply-To: <4DDC8550.10103@redhat.com>
References: <4DDBF4DF.9050603@redhat.com> <4DDC1DD1.9090005@redhat.com> <4DDC320C.905@redhat.com> <4DDC8550.10103@redhat.com>
Message-ID: <4DDD0AE1.8060804@redhat.com>

On 05/25/2011 12:28 AM, Endi Sukma Dewata wrote:
> On 5/24/2011 5:32 PM, Adam Young wrote:
>> On 05/24/2011 05:06 PM, Endi Sukma Dewata wrote:
>>> On 5/24/2011 1:11 PM, Adam Young wrote:
>>>> Known issues: the back to list links are broken. Add and delete for keys not working due to API issues discussed elsewhere.
>
>>> 1. The 3rd level tabs (Location, Maps, Keys) can be removed because there's already a breadcrumb which provides the functionality needed. It's not possible to go to a map or key directly without selecting a location, so having a tab for Maps or Keys doesn't quite make sense.
>
>> Tabs are necessary for navigation. In the future, we can add nested settings and deeply nested search facets that should allow us to navigate on down, but that is a lot more work.
>
> I think the breadcrumb is sufficient for navigation, but I'll leave the final decision to UXD. Would it be difficult to remove the 3rd level tabs if we decide not to use it? Or is this tied to the nested entity definition?

Yes, I agree the breadcrumb is sufficient. This is a case of the navigation tab being tied one to one with entity. This made sense for all of the other entities, but not automount. I think we open a ticket for doing "nested settings" or even a generic "nested facet" approach, and if we get to it in Sprint 2, do it then.

>
>>> 2. The prefix in the page title keeps changing which forces you to re-read the title to make sure you're in the right page.
>>> - Automount Location:BOS
>>> - Automount Maps:BOS > auto.direct
>>> - Automount Keys:BOS > auto.direct > nfsserver:/var/log/dirsrv /var/log/dirsrv
>>>
>>> This can be simplified by removing the entity name:
>>> - Automount: BOS
>>> - Automount: BOS > auto.direct
>>> - Automount: BOS > auto.direct > nfsserver:/var/log/dirsrv /var/log/dirsrv
>>>
>>> This way it will look more like a breadcrumb and be less confusing. The "Automount" itself could be made a link to go to locations.
>>
>> Agreed, but for now, the only way to make that happen is to modify the label fields for location, keys, and maps. That will mess things up elsewhere. Alternative is a lot of messy one-off code.
>
> One way to do this cleanly is to explicitly specify the 'Automount' label in the factory and store it as a member variable in the entity, then modify the entity_header to use this variable in the page title instead of taking the entity label directly from metadata.

OK, I can do that.

>
> 7. The automount key in the breadcrumb is capitalized. Since the key contains a Unix path it should preserve the case.

Ah..this is a transform in the style sheet. Yeah, we can drop that transform. I'm guessing this isn't the only place it will mess things up.

>
> 8. The column in the maps search facet doesn't have a title.
>
> 9. The keys search facet only has one column: description. It would be better to use key and mount information since those are the fields that you entered during add.

Yeah, but right now the description field has both of those others encapsulated in it, and is the primary key.

>
> 10. The code assumes that the primary keys will be specified as command arguments, which we know doesn't match the API for automount keys. Suppose we decide not to change the API, there should be a way to invoke the current API without writing one-off code in the common code. I think this can be done by defining a generic finder method for all entities, then override this method in the subclass for automount keys. What do you think?
>

From ayoung at redhat.com Wed May 25 14:37:55 2011
From: ayoung at redhat.com (Adam Young)
Date: Wed, 25 May 2011 10:37:55 -0400
Subject: [Freeipa-devel] [PATCH] 0227-2-automount-UI
In-Reply-To: <4DDC8550.10103@redhat.com>
References: <4DDBF4DF.9050603@redhat.com> <4DDC1DD1.9090005@redhat.com> <4DDC320C.905@redhat.com> <4DDC8550.10103@redhat.com>
Message-ID: <4DDD1443.9050106@redhat.com>

On 05/25/2011 12:28 AM, Endi Sukma Dewata wrote:
>
> 10. The code assumes that the primary keys will be specified as command arguments, which we know doesn't match the API for automount keys. Suppose we decide not to change the API, there should be a way to invoke the current API without writing one-off code in the common code. I think this can be done by defining a generic finder method for all entities, then override this method in the subclass for automount keys. What do you think?
>

In general I am in favor of it. I think that we'll need to do something along this line for future projects anyway. There are going to be two degrees of customization required:

1. Defining how to do a finder for different RPC approaches. We do JSON RPC, but for a different project that does things with a REST API we'll have to customize the URL used.

2. Within a given project we'll need to be able to customize how a specific entity is found if it varies from the norm for that project.

This is an implementation of the strategy pattern. So we'll have, by default, IPA.entity_finders.nested_key, and for automountkeys we'll have a hybrid /nested_keys + parameter finder.

From simo at redhat.com Wed May 25 15:08:24 2011
From: simo at redhat.com (Simo Sorce)
Date: Wed, 25 May 2011 11:08:24 -0400
Subject: [Freeipa-devel] [PATCH] 790 document problems re-adding a replication
In-Reply-To: <4DDCFF97.8000506@redhat.com>
References: <4DDC1350.8010802@redhat.com> <4DDC1B8E.2050704@redhat.com> <4DDCFF97.8000506@redhat.com>
Message-ID: <1306336104.9511.0.camel@willson.li.ssimo.org>

On Wed, 2011-05-25 at 09:09 -0400, Rob Crittenden wrote:
> Dmitri Pal wrote:
> > On 05/24/2011 04:21 PM, Rob Crittenden wrote:
> >> If you create a replica, remove it, then re-add it and try to re-initialize the database it will fail because the remote master has the old service principal cached. The remote dirsrv needs to be restarted.
> >>
> > This is the issue in the disaster recovery case too, right?
>
> Yes, any time a replica is removed and re-added.

I would add: "within a short time frame"

If the replica is removed today and readded in one week there should be no problem because any ticket will have been expired so libgssapi will acquire a new one.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Wed May 25 15:29:14 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 25 May 2011 11:29:14 -0400
Subject: [Freeipa-devel] [PATCH] 762 Let the framework be able to override the hostname
In-Reply-To: <1306320574.18222.20.camel@dhcp-25-52.brq.redhat.com>
References: <4D95F3AD.2000707@redhat.com> <1306320574.18222.20.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4DDD204A.8010009@redhat.com>

Martin Kosek wrote:
> On Fri, 2011-04-01 at 11:47 -0400, Rob Crittenden wrote:
>> The hostname is passed in during the server installation. We should use this hostname for the resulting server as well. It was being discarded and we always used the system hostname value.
>>
>> ticket 1052
>>
>> rob
>
> I have to NACK this again. I have a problem communicating with IPA on a master machine. I reproduced it on 2 different machines. Please correct my steps if I am wrong; I do the following procedure:
>
> 1) I prepare a fresh minimal F-15
> 2) Install freeipa-server (current master with your patches)
> 3) Add custom hostname to /etc/hosts
> 4) Install IPA server:
> ipa-server-install -p secret123 -a secret123 --hostname ipa.idm.lab.bos.redhat.com --setup-dns --forwarder=10.16.255.2
> 5) # kinit admin
> Password for admin at IDM.LAB.BOS.REDHAT.COM:
> 6) # ipa user-show admin
> ipa: ERROR: cannot connect to 'any of the configured servers': https://ipa.idm.lab.bos.redhat.com/ipa/xml, https://ipa.idm.lab.bos.redhat.com/ipa/xml
>
> # ping -c 1 ipa.idm.lab.bos.redhat.com
> PING ipa.idm.lab.bos.redhat.com (10.16.78.140) 56(84) bytes of data.
> 64 bytes from ipa.idm.lab.bos.redhat.com (10.16.78.140): icmp_req=1 ttl=64 time=0.049 ms
>
> Apache error_log shows relevant errors:
>
> [Wed May 25 06:42:38 2011] [error] ipa: ERROR: Failed to start IPA: Unable to retrieve LDAP schema: Invalid credentials: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Permission denied)
> [Wed May 25 06:42:38 2011] [error] ipa: ERROR: Failed to start IPA: Unable to retrieve LDAP schema: Invalid credentials: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Permission denied)
> [Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) in ignored
> [Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) in ignored
> [Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) in ignored
> [Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) in ignored
> [Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) in ignored
> [Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) in ignored
> [Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) in ignored
> [Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) in ignored
> [Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) in ignored
> [Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) in ignored
> [Wed May 25 06:43:56 2011] [notice] caught SIGTERM, shutting down
> [Wed May 25 06:43:56 2011] [notice] SELinux policy enabled; httpd running as context system_u:system_r:kernel_t:s0
> [Wed May 25 06:43:57 2011] [notice] Digest: generating secret for digest authentication ...
> [Wed May 25 06:43:57 2011] [notice] Digest: done
> [Wed May 25 06:43:57 2011] [notice] Apache/2.2.17 (Unix) DAV/2 mod_auth_kerb/5.4 mod_nss/2.2.17 NSS/3.12.9.0 mod_wsgi/3.2 Python/2.7.1 configured -- resuming normal operations
> [Wed May 25 06:44:04 2011] [error] ipa: INFO: *** PROCESS START ***
> [Wed May 25 06:44:04 2011] [error] ipa: INFO: *** PROCESS START ***
> [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140] mod_wsgi (pid=5192): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
> [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140] Traceback (most recent call last):
> [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]   File "/usr/share/ipa/wsgi.py", line 48, in application
> [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]     return api.Backend.session(environ, start_response)
> [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 141, in __call__
> [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]     self.create_context(ccache=environ.get('KRB5CCNAME'))
> [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]   File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 110, in create_context
> [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]     self.Backend.ldap2.connect(ccache=ccache)
> [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]   File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 62, in connect
> [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]     conn = self.create_connection(*args, **kw)
> [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]   File "/usr/lib/python2.7/site-packages/ipalib/encoder.py", line 188, in new_f
> [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]     return f(*new_args, **kwargs)
> [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line 337, in create_connection
> [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]     _handle_errors(e, **{})
> [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line 118, in _handle_errors
> [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]     raise errors.DatabaseError(desc=desc, info=info)
> [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140] DatabaseError: Local error: SASL(-1): generic failure: GSSAPI Error: An invalid name was supplied (Hostname cannot be canonicalized)
> [Wed May 25 06:45:26 2011] [error] [client 10.16.78.140] mod_wsgi (pid=5193): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
>
>
> You can check the problem on vm-140.idm.lab.bos.redhat.com if you want to.
>
> Martin
>

The LDAP connection was still using the system hostname value. I added a conn.set_option(_ldap.OPT_HOST_NAME, api.env.host) in the two places we initialize an LDAP connection and that seems to have fixed it.

Updated patch attached

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-762-2-host.patch
Type: text/x-patch
Size: 5104 bytes
Desc: not available
URL:

From ayoung at redhat.com Wed May 25 16:31:55 2011
From: ayoung at redhat.com (Adam Young)
Date: Wed, 25 May 2011 12:31:55 -0400
Subject: [Freeipa-devel] [PATCH] 0227-2-automount-UI
In-Reply-To: <4DDC8550.10103@redhat.com>
References: <4DDBF4DF.9050603@redhat.com> <4DDC1DD1.9090005@redhat.com> <4DDC320C.905@redhat.com> <4DDC8550.10103@redhat.com>
Message-ID: <4DDD2EFB.6030509@redhat.com>

On 05/25/2011 12:28 AM, Endi Sukma Dewata wrote:
> On 5/24/2011 5:32 PM, Adam Young wrote:
>> On 05/24/2011 05:06 PM, Endi Sukma Dewata wrote:
>>> On 5/24/2011 1:11 PM, Adam Young wrote:
>>>> Known issues: the back to list links are broken. Add and delete for keys not working due to API issues discussed elsewhere.
>
>>> 1. The 3rd level tabs (Location, Maps, Keys) can be removed because there's already a breadcrumb which provides the functionality needed. It's not possible to go to a map or key directly without selecting a location, so having a tab for Maps or Keys doesn't quite make sense.
>
>> Tabs are necessary for navigation. In the future, we can add nested settings and deeply nested search facets that should allow us to navigate on down, but that is a lot more work.
>
> I think the breadcrumb is sufficient for navigation, but I'll leave the final decision to UXD. Would it be difficult to remove the 3rd level tabs if we decide not to use it? Or is this tied to the nested entity definition?

Left alone for now

>
>>> 2. The prefix in the page title keeps changing which forces you to re-read the title to make sure you're in the right page.
>>> - Automount Location:BOS
>>> - Automount Maps:BOS > auto.direct
>>> - Automount Keys:BOS > auto.direct > nfsserver:/var/log/dirsrv /var/log/dirsrv
>>>
>>> This can be simplified by removing the entity name:
>>> - Automount: BOS
>>> - Automount: BOS > auto.direct
>>> - Automount: BOS > auto.direct > nfsserver:/var/log/dirsrv /var/log/dirsrv
>>>
>>> This way it will look more like a breadcrumb and be less confusing. The "Automount" itself could be made a link to go to locations.
>>
>> Agreed, but for now, the only way to make that happen is to modify the label fields for location, keys, and maps. That will mess things up elsewhere. Alternative is a lot of messy one-off code.
>
> One way to do this cleanly is to explicitly specify the 'Automount' label in the factory and store it as a member variable in the entity, then modify the entity_header to use this variable in the page title instead of taking the entity label directly from metadata.

Done

>
> 7. The automount key in the breadcrumb is capitalized. Since the key contains a Unix path it should preserve the case.

Done

>
> 8. The column in the maps search facet doesn't have a title.

Done. This actually was an indication of a deeper problem, that the columns were pointing to the wrong entity for param info.

>
> 9. The keys search facet only has one column: description. It would be better to use key and mount information since those are the fields that you entered during add.

Will fix post API change.

>
> 10. The code assumes that the primary keys will be specified as command arguments, which we know doesn't match the API for automount keys. Suppose we decide not to change the API, there should be a way to invoke the current API without writing one-off code in the common code. I think this can be done by defining a generic finder method for all entities, then override this method in the subclass for automount keys. What do you think?

Larger change than should be done in this patch. Going to leave it as is, and will adjust the automount code after the API change, or will add this in a second patch if the API is not going to change.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0227-4-automount-UI.patch
Type: text/x-patch
Size: 377724 bytes
Desc: not available
URL:

From rcritten at redhat.com Wed May 25 16:39:48 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 25 May 2011 12:39:48 -0400
Subject: [Freeipa-devel] [PATCH] 790 document problems re-adding a replication
In-Reply-To: <1306336104.9511.0.camel@willson.li.ssimo.org>
References: <4DDC1350.8010802@redhat.com> <4DDC1B8E.2050704@redhat.com> <4DDCFF97.8000506@redhat.com> <1306336104.9511.0.camel@willson.li.ssimo.org>
Message-ID: <4DDD30D4.5070402@redhat.com>

Simo Sorce wrote:
> On Wed, 2011-05-25 at 09:09 -0400, Rob Crittenden wrote:
>> Dmitri Pal wrote:
>>> On 05/24/2011 04:21 PM, Rob Crittenden wrote:
>>>> If you create a replica, remove it, then re-add it and try to re-initialize the database it will fail because the remote master has the old service principal cached. The remote dirsrv needs to be restarted.
>>>>
>>> This is the issue in the disaster recovery case too, right?
>>
>> Yes, any time a replica is removed and re-added.
>
> I would add: "within a short time frame"
>
> If the replica is removed today and readded in one week there should be no problem because any ticket will have been expired so libgssapi will acquire a new one.
>
> Simo.
>

Sure, makes sense. Patch revised.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-790-2-replica.patch
Type: text/x-patch
Size: 3946 bytes
Desc: not available
URL:

From simo at redhat.com Wed May 25 17:17:46 2011
From: simo at redhat.com (Simo Sorce)
Date: Wed, 25 May 2011 13:17:46 -0400
Subject: [Freeipa-devel] [PATCH] 790 document problems re-adding a replication
In-Reply-To: <4DDD30D4.5070402@redhat.com>
References: <4DDC1350.8010802@redhat.com> <4DDC1B8E.2050704@redhat.com> <4DDCFF97.8000506@redhat.com> <1306336104.9511.0.camel@willson.li.ssimo.org> <4DDD30D4.5070402@redhat.com>
Message-ID: <1306343866.9511.1.camel@willson.li.ssimo.org>

On Wed, 2011-05-25 at 12:39 -0400, Rob Crittenden wrote:
> Simo Sorce wrote:
> > On Wed, 2011-05-25 at 09:09 -0400, Rob Crittenden wrote:
> >> Dmitri Pal wrote:
> >>> On 05/24/2011 04:21 PM, Rob Crittenden wrote:
> >>>> If you create a replica, remove it, then re-add it and try to re-initialize the database it will fail because the remote master has the old service principal cached. The remote dirsrv needs to be restarted.
> >>>>
> >>> This is the issue in the disaster recovery case too, right?
> >>
> >> Yes, any time a replica is removed and re-added.
> >
> > I would add: "within a short time frame"
> >
> > If the replica is removed today and readded in one week there should be no problem because any ticket will have been expired so libgssapi will acquire a new one.
> >
> > Simo.
> >
>
> Sure, makes sense. Patch revised.

ACK

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From JR.Aquino at citrix.com Wed May 25 17:22:04 2011
From: JR.Aquino at citrix.com (JR Aquino)
Date: Wed, 25 May 2011 17:22:04 +0000
Subject: [Freeipa-devel] [PATCH] 28 Move Managed Entries into their own container
In-Reply-To: <4DDBEF5F.1090600@redhat.com>
References: <5B8EA673-11F9-43FB-A2BC-8D7FD59598C5@citrixonline.com> <0D613602-E082-4CBB-9A39-AC33B4DE20F9@citrixonline.com> <4DD43FB3.6030908@redhat.com> <62F9181C-B4A8-464C-807B-0880FA203E47@citrixonline.com> <4DD51848.6030201@redhat.com> <9723636C-66F5-4C16-9CD0-E9FB4331555D@citrixonline.com> <4DDAD4BD.2070208@redhat.com> <8E746E35-DCB9-48CF-9DB3-C40D30AEF888@citrix.com> <4DDBCBFD.7090905@redhat.com> <4DDBEF5F.1090600@redhat.com>
Message-ID: <1A502115-EF11-4E39-BCA7-95EA9C1D4113@citrixonline.com>

On May 24, 2011, at 10:48 AM, Rob Crittenden wrote:
> JR Aquino wrote:
>> On May 24, 2011, at 8:17 AM, Rob Crittenden wrote:
>>
>>> JR Aquino wrote:
>>>> On May 23, 2011, at 2:42 PM, "Rob Crittenden" wrote:
>>>>
>>>>> JR Aquino wrote:
>>>>>> On May 19, 2011, at 6:16 AM, Rob Crittenden wrote:
>>>>>>
>>>>>>> JR Aquino wrote:
>>>>>>>> On May 18, 2011, at 2:52 PM, Rob Crittenden wrote:
>>>>>>>>
>>>>>>>>> JR Aquino wrote:
>>>>>>>>>> On May 18, 2011, at 12:46 PM, JR Aquino wrote:
>>>>>>>>>>
>>>>>>>>>>> This affects Ticket 1222 and Rob's patch 786
>>>>>>>>>>
>>>>>>>>>> Per IRC conversation with Simo and Rob, take the path of least change.
>>>>>>>>>>
>>>>>>>>>> The patch has been modified to correct the CN to match the DN rather than changing both.
>>>>>>>>>
>>>>>>>>> This looks good. I'm going to wait to push it at the same time as 786.
>>>>>>>>
>>>>>>>> Simo mentioned that I need to create the .update in the patch so that we remove the previous typo-laden entry during updates.
>>>>>>>
>>>>>>> I added that to my patch.
>>>>>>>
>>>>>>> rob
>>>>>>
>>>>>> NACK both 28 and 786.
>>>>>>
>>>>>> Please see attached, and have a look at this new patch and ticket 1182 for a better understanding of the impact they have on these patches.
>>>>>>
>>>>>> Move Managed Entries into their own container in the
>>>>>> replicated space. Create: cn=Managed Entries,cn=etc,$SUFFIX
>>>>>> Create: cn=Definitions,cn=Managed Entries,cn=etc,$SUFFIX
>>>>>> Create: cn=Templates,cn=Managed Entries,cn=etc,$SUFFIX
>>>>>>
>>>>>> Create method for migrating any and all custom Managed Entries from
>>>>>> the cn=config space into the new container.
>>>>>>
>>>>>> The Managed Entries plugin configurations weren't being created on
>>>>>> replica installs.
>>>>>>
>>>>>> This patch addresses two separate tickets and accounts for
>>>>>> new installs, replica installs, and upgrades.
>>>>>>
>>>>>> https://fedorahosted.org/freeipa/ticket/1181 - Managed Entry Tool / New Container
>>>>>> https://fedorahosted.org/freeipa/ticket/1222 - Add Managed Entries during Replica installation
>>>>>>
>>>>>
>>>>> Well, I like this in spirit but this requires a yet-unreleased version of 389-ds, right?
>>>>>
>>>>> Should we take the intermediate step of your previous 28 patch and my 786 and then address moving entries once 389-ds is released?
>>>>>
>>>>
>>>> Hrm. You have a good point...
>>>>
>>>> Should I plan on deleting the .update files for user private groups and nis/host groups in the separate patch that institutes the container move?
>>>
>>> Not sure I follow.
>>>
>>> What I'd like to do is take an incremental approach. Let's get managed entries working at all on replicas first, then deal with moving the configuration once this functionality is widely available.
>>
>> I hereby retract the big patch in favor of the incremental approach.
>>
>> Patch 786 and 28 are sane.
>>
>
> Ok, but is this an ack ;-)

ACK

From JR.Aquino at citrix.com Wed May 25 17:22:28 2011
From: JR.Aquino at citrix.com (JR Aquino)
Date: Wed, 25 May 2011 17:22:28 +0000
Subject: [Freeipa-devel] [PATCH] 786 Configure Managed Entries on replicas.
In-Reply-To: <4DD67734.2000403@redhat.com>
References: <4DD41AE9.1060200@redhat.com> <4DD43F97.704@redhat.com> <53617265-3063-4B6F-A846-D4C8DF110120@citrixonline.com> <4DD67734.2000403@redhat.com>
Message-ID: <4D750F21-E238-4703-9202-592964100D9A@citrixonline.com>

On May 20, 2011, at 7:14 AM, Rob Crittenden wrote:
> JR Aquino wrote:
>> On May 18, 2011, at 2:52 PM, Rob Crittenden wrote:
>>
>>> Rob Crittenden wrote:
>>>> The Managed Entries plugin configurations weren't being created on
>>>> replica installs. The templates were there but the cn=config portions
>>>> were not.
>>>>
>>>> This patch adds them as updates. The template portion will be added in
>>>> the initial replication.
>>>>
>>>> ticket 1222
>>>>
>>>> To test:
>>>>
>>>> Install a master
>>>> Install a replica
>>>> On replica: kinit
>>>> On replica: ipa user-add --first=timmy --last=test ttest
>>>> On replica: ipa group-show ttest
>>>> On master: ipa group-show ttest
>>>>
>>>> rob
>>>
>>> Updated patch attached. This requires jraquino patch 28 to work as expected.
>>>
>>> rob
>>>
>>
>> NACK
>>
>> This patch is not applying to Master?
>>
>> error: patch failed: install/updates/Makefile.am:8
>> error: install/updates/Makefile.am: patch does not apply
>>
>
> Rebased, it depended on my patch 769.

ACK

From mkosek at redhat.com Wed May 25 17:50:46 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 25 May 2011 19:50:46 +0200
Subject: [Freeipa-devel] [PATCH] 786 Configure Managed Entries on replicas.
In-Reply-To: <4D750F21-E238-4703-9202-592964100D9A@citrixonline.com>
References: <4DD41AE9.1060200@redhat.com> <4DD43F97.704@redhat.com> <53617265-3063-4B6F-A846-D4C8DF110120@citrixonline.com> <4DD67734.2000403@redhat.com> <4D750F21-E238-4703-9202-592964100D9A@citrixonline.com>
Message-ID: <1306345848.2541.6.camel@dhcp-25-52.brq.redhat.com>

On Wed, 2011-05-25 at 17:22 +0000, JR Aquino wrote:
> On May 20, 2011, at 7:14 AM, Rob Crittenden wrote:
>
> > JR Aquino wrote:
> >> On May 18, 2011, at 2:52 PM, Rob Crittenden wrote:
> >>
> >>> Rob Crittenden wrote:
> >>>> The Managed Entries plugin configurations weren't being created on
> >>>> replica installs. The templates were there but the cn=config portions
> >>>> were not.
> >>>>
> >>>> This patch adds them as updates. The template portion will be added in
> >>>> the initial replication.
> >>>>
> >>>> ticket 1222
> >>>>
> >>>> To test:
> >>>>
> >>>> Install a master
> >>>> Install a replica
> >>>> On replica: kinit
> >>>> On replica: ipa user-add --first=timmy --last=test ttest
> >>>> On replica: ipa group-show ttest
> >>>> On master: ipa group-show ttest
> >>>>
> >>>> rob
> >>>
> >>> Updated patch attached. This requires jraquino patch 28 to work as expected.
> >>>
> >>> rob
> >>>
> >>
> >> NACK
> >>
> >> This patch is not applying to Master?
> >>
> >> error: patch failed: install/updates/Makefile.am:8
> >> error: install/updates/Makefile.am: patch does not apply
> >>
> >
> > Rebased, it depended on my patch 769.
>
> ACK

Please keep in mind that the configuration for the UPG plugin needs to be
updated. My patch 67 with the new --noprivate option for suppressing UPG
creation for new users changed the originFilter configuration:

originFilter: (&(objectclass=posixAccount)(!(description=__no_upg__)))

This patch is not in the ipa-2-0 branch, so the originFilter for this branch
is the same as in this patch.

Martin

From edewata at redhat.com Wed May 25 19:26:09 2011
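Martin's point in the message above is that the Managed Entries origin filter decides which user entries get a private group, so the replica's cn=config copy must carry the same filter as the master or --noprivate users will get a UPG on one side and not the other. The block below is an added example, not FreeIPA or 389-ds code: a small evaluator for the subset of LDAP search filters the two originFilter variants use (&, |, !, equality and presence), run against constructed entries so the difference between the filters can be seen offline. The pre-patch filter is assumed to be the plain posixAccount match, since the thread does not quote it; the entries and DNs are made up.

```python
"""Evaluate Managed Entries originFilter variants against sample entries.

Added example, not project code. Implements enough of RFC 4515 filter
syntax (&, |, !, attr=value, attr=*) to compare the two filters.
"""

# Assumed pre-patch filter (the thread does not quote it).
OLD_FILTER = "(objectclass=posixAccount)"
# Filter from Martin's patch 67, quoted in the message above.
NEW_FILTER = "(&(objectclass=posixAccount)(!(description=__no_upg__)))"

# Constructed sample entries; attribute names are stored lower-case.
ENTRIES = {
    "uid=alice,cn=users,cn=accounts,dc=example,dc=com": {
        "objectclass": ["top", "person", "posixaccount", "inetorgperson"],
        "uid": ["alice"],
    },
    "uid=bob,cn=users,cn=accounts,dc=example,dc=com": {
        "objectclass": ["top", "person", "posixaccount"],
        "uid": ["bob"],
        "description": ["__no_upg__"],  # marker set by user-add --noprivate
    },
    "cn=svc,cn=services,dc=example,dc=com": {
        "objectclass": ["top", "ipaservice"],
    },
}


def parse_filter(text):
    """Parse a filter string into a nested tuple tree."""
    pos, node = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing data after filter: %r" % text[pos:])
    return node


def _parse(text, pos):
    if text[pos] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    pos += 1
    op = text[pos]
    if op in "&|":                       # n-ary AND / OR
        pos += 1
        kids = []
        while text[pos] == "(":
            pos, kid = _parse(text, pos)
            kids.append(kid)
        node = (op, kids)
    elif op == "!":                      # unary NOT
        pos, kid = _parse(text, pos + 1)
        node = ("!", kid)
    else:                                # attr=value or attr=*
        end = text.index(")", pos)
        attr, _, value = text[pos:end].partition("=")
        node = ("=", attr.lower(), value)
        pos = end
    if text[pos] != ")":
        raise ValueError("expected ')' at offset %d" % pos)
    return pos + 1, node


def matches(node, entry):
    """True if the entry (dict of lower-case attr -> values) satisfies the filter."""
    op = node[0]
    if op == "&":
        return all(matches(k, entry) for k in node[1])
    if op == "|":
        return any(matches(k, entry) for k in node[1])
    if op == "!":
        return not matches(node[1], entry)
    attr, value = node[1], node[2]
    values = [v.lower() for v in entry.get(attr, [])]
    if value == "*":                     # presence filter
        return bool(values)
    return value.lower() in values       # case-insensitive equality


def origin_entries(filter_text, entries=ENTRIES):
    """DNs that the plugin would treat as origin entries (i.e. get a UPG)."""
    tree = parse_filter(filter_text)
    return sorted(dn for dn, attrs in entries.items() if matches(tree, attrs))


if __name__ == "__main__":
    for label, flt in (("old", OLD_FILTER), ("new", NEW_FILTER)):
        print("%s originFilter: %s" % (label, flt))
        for dn in origin_entries(flt):
            print("    ", dn)
```

With the old filter both alice and bob are origin entries; with the new one only alice is, which is exactly the divergence a replica would show if its update file still carried the old filter.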
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 25 May 2011 14:26:09 -0500
Subject: [Freeipa-devel] [PATCH] 0227-2-automount-UI
In-Reply-To: <4DDD2EFB.6030509@redhat.com>
References: <4DDBF4DF.9050603@redhat.com> <4DDC1DD1.9090005@redhat.com> <4DDC320C.905@redhat.com> <4DDC8550.10103@redhat.com> <4DDD2EFB.6030509@redhat.com>
Message-ID: <4DDD57D1.7030606@redhat.com>

On 5/25/2011 11:31 AM, Adam Young wrote:
>> 8. The column in the maps search facet doesn't have a title.
> Done. This actually was an indication of a deeper problem, that the
> columns were pointing to the wrong entity for param info.

This is because the nested_search_facet is defined in the containing
entity so it tries to look for the column title in the wrong entity.
The fact that search_facet and nested_search_facet are very similar
and most changes like this one involve changing that.entity into
that.nested_entity indicates that they should have been the same class.
The actual value of the entity should be specified as a parameter in
the factory/builder.

Ideally the same search_facet should be used in the nested entity so
most code will work naturally like before except for the primary keys
of the containing entities. However this probably requires a significant
rewrite. Due to time constraints this is ok for now but keep in mind
that it's subject to further refactoring.

A few more issues:

11. The select_changed() in nested_search_facet is missing some code.
    The Delete button is not enabled/disabled when the selection is
    changed.

12. The automount map has a description field which can be specified
    during add & modify. The UI doesn't have this.

13. The entity's breadcrumb_label could be renamed to 'title' and all
    references to entity's metadata.label that will be used as page
    title can be replaced with this 'title' variable. This can be done
    later.

14. In entity_builder.facet() the code sets the facet's facet_group and
    name. It doesn't seem to be necessary since they have been set in
    the IPA.facet.

15. The changes in ipa_init.json undo recent changes for the Add dialog
    box titles.

16. In widget.js line 1053 there should be a space between
    that.entity_name and that.name.

--
Endi S. Dewata

From mkosek at redhat.com Wed May 25 19:30:55 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 25 May 2011 21:30:55 +0200
Subject: [Freeipa-devel] [PATCH] 786 Configure Managed Entries on replicas.
In-Reply-To: <1306345848.2541.6.camel@dhcp-25-52.brq.redhat.com>
References: <4DD41AE9.1060200@redhat.com> <4DD43F97.704@redhat.com> <53617265-3063-4B6F-A846-D4C8DF110120@citrixonline.com> <4DD67734.2000403@redhat.com> <4D750F21-E238-4703-9202-592964100D9A@citrixonline.com> <1306345848.2541.6.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <1306351857.2541.8.camel@dhcp-25-52.brq.redhat.com>

On Wed, 2011-05-25 at 19:50 +0200, Martin Kosek wrote:
> On Wed, 2011-05-25 at 17:22 +0000, JR Aquino wrote:
> > On May 20, 2011, at 7:14 AM, Rob Crittenden wrote:
> >
> > > JR Aquino wrote:
> > >> On May 18, 2011, at 2:52 PM, Rob Crittenden wrote:
> > >>
> > >>> Rob Crittenden wrote:
> > >>>> The Managed Entries plugin configurations weren't being created on
> > >>>> replica installs. The templates were there but the cn=config portions
> > >>>> were not.
> > >>>>
> > >>>> This patch adds them as updates. The template portion will be added in
> > >>>> the initial replication.
> > >>>>
> > >>>> ticket 1222
> > >>>>
> > >>>> To test:
> > >>>>
> > >>>> Install a master
> > >>>> Install a replica
> > >>>> On replica: kinit
> > >>>> On replica: ipa user-add --first=timmy --last=test ttest
> > >>>> On replica: ipa group-show ttest
> > >>>> On master: ipa group-show ttest
> > >>>>
> > >>>> rob
> > >>>
> > >>> Updated patch attached. This requires jraquino patch 28 to work as expected.
> > >>>
> > >>> rob
> > >>>
> > >>
> > >> NACK
> > >>
> > >> This patch is not applying to Master?
> > >>
> > >> error: patch failed: install/updates/Makefile.am:8
> > >> error: install/updates/Makefile.am: patch does not apply
> > >>
> > >
> > > Rebased, it depended on my patch 769.
> >
> > ACK
>
> Please keep in mind that the configuration for the UPG plugin needs to be
> updated. My patch 67 with the new --noprivate option for suppressing UPG
> creation for new users changed the originFilter configuration:
>
> originFilter: (&(objectclass=posixAccount)(!(description=__no_upg__)))
>
> This patch is not in the ipa-2-0 branch, so the originFilter for this branch
> is the same as in this patch.
>
> Martin
>

Second ACK from me. I tested upgrading a replica and it worked. Still, my
statement above is valid - this should be fixed before pushing.

As we spoke with Rob today, I wonder if we would want the --noprivate option
also for the ipa-2-0 branch. It may be useful.

Martin

From ayoung at redhat.com Wed May 25 19:54:22 2011
From: ayoung at redhat.com (Adam Young)
Date: Wed, 25 May 2011 15:54:22 -0400
Subject: [Freeipa-devel] [PATCH] 0227-2-automount-UI
In-Reply-To: <4DDD57D1.7030606@redhat.com>
References: <4DDBF4DF.9050603@redhat.com> <4DDC1DD1.9090005@redhat.com> <4DDC320C.905@redhat.com> <4DDC8550.10103@redhat.com> <4DDD2EFB.6030509@redhat.com> <4DDD57D1.7030606@redhat.com>
Message-ID: <4DDD5E6E.5080607@redhat.com>

On 05/25/2011 03:26 PM, Endi Sukma Dewata wrote:
> On 5/25/2011 11:31 AM, Adam Young wrote:
>
>>> 8. The column in the maps search facet doesn't have a title.
>> Done. This actually was an indication of a deeper problem, that the
>> columns were pointing to the wrong entity for param info.
>
> This is because the nested_search_facet is defined in the containing
> entity so it tries to look for the column title in the wrong entity.
> The fact that search_facet and nested_search_facet are very similar
> and most changes like this one involve changing that.entity into
> that.nested_entity indicates that they should have been the same class.
> The actual value of the entity should be specified as a parameter in
> the factory/builder.
>
> Ideally the same search_facet should be used in the nested entity so
> most code will work naturally like before except for the primary keys
> of the containing entities. However this probably requires a significant
> rewrite. Due to time constraints this is ok for now but keep in mind
> that it's subject to further refactoring.
>
> A few more issues:
>
> 11. The select_changed() in nested_search_facet is missing some code.
> The Delete button is not enabled/disabled when the selection is
> changed.

Fixed. Removed the override, it should not have been there in the first place.

>
> 12. The automount map has a description field which can be specified
> during add & modify. The UI doesn't have this.

Fixed

>
> 13. The entity's breadcrumb_label could be renamed to 'title' and all
> references to entity's metadata.label that will be used as page
> title can be replaced with this 'title' variable. This can be done
> later.

OK. We'll do this later.

>
> 14. In entity_builder.facet() the code sets the facet's facet_group and
> name. It doesn't seem to be necessary since they have been set in
> the IPA.facet.

Fixed

>
> 15. The changes in ipa_init.json undo recent changes for the Add dialog
> box titles.

Fixed

>
> 16. In widget.js line 1053 there should be a space between
> that.entity_name and that.name.
>

Fixed

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0227-5-automount-UI.patch
Type: text/x-patch
Size: 356119 bytes
Desc: not available
URL:

From dpal at redhat.com Wed May 25 19:51:32 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 25 May 2011 15:51:32 -0400
Subject: [Freeipa-devel] [PATCH] 786 Configure Managed Entries on replicas.
In-Reply-To: <1306351857.2541.8.camel@dhcp-25-52.brq.redhat.com>
References: <4DD41AE9.1060200@redhat.com> <4DD43F97.704@redhat.com> <53617265-3063-4B6F-A846-D4C8DF110120@citrixonline.com> <4DD67734.2000403@redhat.com> <4D750F21-E238-4703-9202-592964100D9A@citrixonline.com> <1306345848.2541.6.camel@dhcp-25-52.brq.redhat.com> <1306351857.2541.8.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4DDD5DC4.7080806@redhat.com>

On 05/25/2011 03:30 PM, Martin Kosek wrote:
> On Wed, 2011-05-25 at 19:50 +0200, Martin Kosek wrote:
>> On Wed, 2011-05-25 at 17:22 +0000, JR Aquino wrote:
>>> On May 20, 2011, at 7:14 AM, Rob Crittenden wrote:
>>>
>>>> JR Aquino wrote:
>>>>> On May 18, 2011, at 2:52 PM, Rob Crittenden wrote:
>>>>>
>>>>>> Rob Crittenden wrote:
>>>>>>> The Managed Entries plugin configurations weren't being created on
>>>>>>> replica installs. The templates were there but the cn=config portions
>>>>>>> were not.
>>>>>>>
>>>>>>> This patch adds them as updates. The template portion will be added in
>>>>>>> the initial replication.
>>>>>>>
>>>>>>> ticket 1222
>>>>>>>
>>>>>>> To test:
>>>>>>>
>>>>>>> Install a master
>>>>>>> Install a replica
>>>>>>> On replica: kinit
>>>>>>> On replica: ipa user-add --first=timmy --last=test ttest
>>>>>>> On replica: ipa group-show ttest
>>>>>>> On master: ipa group-show ttest
>>>>>>>
>>>>>>> rob
>>>>>> Updated patch attached. This requires jraquino patch 28 to work as expected.
>>>>>>
>>>>>> rob
>>>>>>
>>>>> NACK
>>>>>
>>>>> This patch is not applying to Master?
>>>>>
>>>>> error: patch failed: install/updates/Makefile.am:8
>>>>> error: install/updates/Makefile.am: patch does not apply
>>>>>
>>>> Rebased, it depended on my patch 769.
>>> ACK
>> Please keep in mind that the configuration for the UPG plugin needs to be
>> updated. My patch 67 with the new --noprivate option for suppressing UPG
>> creation for new users changed the originFilter configuration:
>>
>> originFilter: (&(objectclass=posixAccount)(!(description=__no_upg__)))
>>
>> This patch is not in the ipa-2-0 branch, so the originFilter for this branch
>> is the same as in this patch.
>>
>> Martin
>>
> Second ACK from me. I tested upgrading a replica and it worked. Still, my
> statement above is valid - this should be fixed before pushing.
>
> As we spoke with Rob today, I wonder if we would want the --noprivate option
> also for the ipa-2-0 branch. It may be useful.
>
> Martin
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

I just checked with Jenny.
She is OK with pulling your patch in.
I think this is ticket https://fedorahosted.org/freeipa/ticket/1131
But it is already marked as fixed in 2.1.
I am confused.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From mkosek at redhat.com Wed May 25 20:24:52 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 25 May 2011 22:24:52 +0200
Subject: [Freeipa-devel] [PATCH] 786 Configure Managed Entries on replicas.
In-Reply-To: <4DDD5DC4.7080806@redhat.com>
References: <4DD41AE9.1060200@redhat.com> <4DD43F97.704@redhat.com> <53617265-3063-4B6F-A846-D4C8DF110120@citrixonline.com> <4DD67734.2000403@redhat.com> <4D750F21-E238-4703-9202-592964100D9A@citrixonline.com> <1306345848.2541.6.camel@dhcp-25-52.brq.redhat.com> <1306351857.2541.8.camel@dhcp-25-52.brq.redhat.com> <4DDD5DC4.7080806@redhat.com>
Message-ID: <1306355094.2541.12.camel@dhcp-25-52.brq.redhat.com>

On Wed, 2011-05-25 at 15:51 -0400, Dmitri Pal wrote:
> On 05/25/2011 03:30 PM, Martin Kosek wrote:
> > On Wed, 2011-05-25 at 19:50 +0200, Martin Kosek wrote:
> >> On Wed, 2011-05-25 at 17:22 +0000, JR Aquino wrote:
> >>> On May 20, 2011, at 7:14 AM, Rob Crittenden wrote:
> >>>
> >>>> JR Aquino wrote:
> >>>>> On May 18, 2011, at 2:52 PM, Rob Crittenden wrote:
> >>>>>
> >>>>>> Rob Crittenden wrote:
> >>>>>>> The Managed Entries plugin configurations weren't being created on
> >>>>>>> replica installs. The templates were there but the cn=config portions
> >>>>>>> were not.
> >>>>>>>
> >>>>>>> This patch adds them as updates. The template portion will be added in
> >>>>>>> the initial replication.
> >>>>>>>
> >>>>>>> ticket 1222
> >>>>>>>
> >>>>>>> To test:
> >>>>>>>
> >>>>>>> Install a master
> >>>>>>> Install a replica
> >>>>>>> On replica: kinit
> >>>>>>> On replica: ipa user-add --first=timmy --last=test ttest
> >>>>>>> On replica: ipa group-show ttest
> >>>>>>> On master: ipa group-show ttest
> >>>>>>>
> >>>>>>> rob
> >>>>>> Updated patch attached. This requires jraquino patch 28 to work as expected.
> >>>>>>
> >>>>>> rob
> >>>>>>
> >>>>> NACK
> >>>>>
> >>>>> This patch is not applying to Master?
> >>>>>
> >>>>> error: patch failed: install/updates/Makefile.am:8
> >>>>> error: install/updates/Makefile.am: patch does not apply
> >>>>>
> >>>> Rebased, it depended on my patch 769.
> >>> ACK
> >> Please keep in mind that the configuration for the UPG plugin needs to be
> >> updated. My patch 67 with the new --noprivate option for suppressing UPG
> >> creation for new users changed the originFilter configuration:
> >>
> >> originFilter: (&(objectclass=posixAccount)(!(description=__no_upg__)))
> >>
> >> This patch is not in the ipa-2-0 branch, so the originFilter for this branch
> >> is the same as in this patch.
> >>
> >> Martin
> >>
> > Second ACK from me. I tested upgrading a replica and it worked. Still, my
> > statement above is valid - this should be fixed before pushing.
> >
> > As we spoke with Rob today, I wonder if we would want the --noprivate option
> > also for the ipa-2-0 branch. It may be useful.
> >
> > Martin
> >
> > _______________________________________________
> > Freeipa-devel mailing list
> > Freeipa-devel at redhat.com
> > https://www.redhat.com/mailman/listinfo/freeipa-devel
>
> I just checked with Jenny.
> She is OK with pulling your patch in.
> I think this is ticket https://fedorahosted.org/freeipa/ticket/1131
> But it is already marked as fixed in 2.1.
> I am confused.
>

Yes, it was fixed and I pushed it to the master branch. Since this patch
implements a new option and thus changes an API (in terms of an addition)
I was cautious about pushing this to branch ipa-2-0. We should decide if
we want this feature in our IPA 2.0 stable branch.

Martin

From rcritten at redhat.com Wed May 25 20:42:00 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 25 May 2011 16:42:00 -0400
Subject: [Freeipa-devel] [PATCH] 786 Configure Managed Entries on replicas.
In-Reply-To: <1306351857.2541.8.camel@dhcp-25-52.brq.redhat.com>
References: <4DD41AE9.1060200@redhat.com> <4DD43F97.704@redhat.com> <53617265-3063-4B6F-A846-D4C8DF110120@citrixonline.com> <4DD67734.2000403@redhat.com> <4D750F21-E238-4703-9202-592964100D9A@citrixonline.com> <1306345848.2541.6.camel@dhcp-25-52.brq.redhat.com> <1306351857.2541.8.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4DDD6998.1000105@redhat.com>

Martin Kosek wrote:
> On Wed, 2011-05-25 at 19:50 +0200, Martin Kosek wrote:
>> On Wed, 2011-05-25 at 17:22 +0000, JR Aquino wrote:
>>> On May 20, 2011, at 7:14 AM, Rob Crittenden wrote:
>>>
>>>> JR Aquino wrote:
>>>>> On May 18, 2011, at 2:52 PM, Rob Crittenden wrote:
>>>>>
>>>>>> Rob Crittenden wrote:
>>>>>>> The Managed Entries plugin configurations weren't being created on
>>>>>>> replica installs. The templates were there but the cn=config portions
>>>>>>> were not.
>>>>>>>
>>>>>>> This patch adds them as updates. The template portion will be added in
>>>>>>> the initial replication.
>>>>>>>
>>>>>>> ticket 1222
>>>>>>>
>>>>>>> To test:
>>>>>>>
>>>>>>> Install a master
>>>>>>> Install a replica
>>>>>>> On replica: kinit
>>>>>>> On replica: ipa user-add --first=timmy --last=test ttest
>>>>>>> On replica: ipa group-show ttest
>>>>>>> On master: ipa group-show ttest
>>>>>>>
>>>>>>> rob
>>>>>>
>>>>>> Updated patch attached. This requires jraquino patch 28 to work as expected.
>>>>>>
>>>>>> rob
>>>>>>
>>>>>
>>>>> NACK
>>>>>
>>>>> This patch is not applying to Master?
>>>>>
>>>>> error: patch failed: install/updates/Makefile.am:8
>>>>> error: install/updates/Makefile.am: patch does not apply
>>>>>
>>>>
>>>> Rebased, it depended on my patch 769.
>>>
>>> ACK
>>
>> Please keep in mind that the configuration for the UPG plugin needs to be
>> updated. My patch 67 with the new --noprivate option for suppressing UPG
>> creation for new users changed the originFilter configuration:
>>
>> originFilter: (&(objectclass=posixAccount)(!(description=__no_upg__)))
>>
>> This patch is not in the ipa-2-0 branch, so the originFilter for this branch
>> is the same as in this patch.
>>
>> Martin
>>
>
> Second ACK from me. I tested upgrading a replica and it worked. Still, my
> statement above is valid - this should be fixed before pushing.
>
> As we spoke with Rob today, I wonder if we would want the --noprivate option
> also for the ipa-2-0 branch. It may be useful.
>
> Martin

pushed to ipa-2-0 and master

For master I updated the update file to include the new originFilter. For
the ipa-2-0 branch I left the patch as-is.

rob

From edewata at redhat.com Wed May 25 21:19:11 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 25 May 2011 16:19:11 -0500
Subject: [Freeipa-devel] [PATCH] 0227-2-automount-UI
In-Reply-To: <4DDD5E6E.5080607@redhat.com>
References: <4DDBF4DF.9050603@redhat.com> <4DDC1DD1.9090005@redhat.com> <4DDC320C.905@redhat.com> <4DDC8550.10103@redhat.com> <4DDD2EFB.6030509@redhat.com> <4DDD57D1.7030606@redhat.com> <4DDD5E6E.5080607@redhat.com>
Message-ID: <4DDD724F.2060403@redhat.com>

A few more minor problems:

On 5/25/2011 2:54 PM, Adam Young wrote:
>> 12. The automount map has a description field which can be specified
>> during add & modify. The UI doesn't have this.
> Fixed

It's still missing from the map's adder dialog box.

17. The adder dialog boxes for map and key don't have a title. The
    titles should be defined in internal.py and the ipa_init.json needs
    to be regenerated.

18. The location's label in automount.py line 189 should be plural.

I think that's it. Feel free to push once these are fixed. Thanks.

--
Endi S. Dewata

From ayoung at redhat.com Thu May 26 00:58:22 2011
From: ayoung at redhat.com (Adam Young)
Date: Wed, 25 May 2011 20:58:22 -0400
Subject: [Freeipa-devel] [PATCH] 0227-2-automount-UI
In-Reply-To: <4DDD724F.2060403@redhat.com>
References: <4DDBF4DF.9050603@redhat.com> <4DDC1DD1.9090005@redhat.com> <4DDC320C.905@redhat.com> <4DDC8550.10103@redhat.com> <4DDD2EFB.6030509@redhat.com> <4DDD57D1.7030606@redhat.com> <4DDD5E6E.5080607@redhat.com> <4DDD724F.2060403@redhat.com>
Message-ID: <4DDDA5AE.9080103@redhat.com>

On 05/25/2011 05:19 PM, Endi Sukma Dewata wrote:
> A few more minor problems:
>
> On 5/25/2011 2:54 PM, Adam Young wrote:
>>> 12. The automount map has a description field which can be specified
>>> during add & modify. The UI doesn't have this.
>> Fixed
>
> It's still missing from the map's adder dialog box.
>
> 17. The adder dialog boxes for map and key don't have a title. The
> titles should be defined in internal.py and the ipa_init.json needs
> to be regenerated.

Fixed

>
> 18. The location's label in automount.py line 189 should be plural.
>
> I think that's it. Feel free to push once these are fixed. Thanks.
>

Fixed.

More changes in this patch. I combined most of the search and nested
search facet into a single facet, by adding a field: managed_entity.
That way, the facet can still track the entity to which it belongs, but
it performs searches on the managed entity. Most of the code from
nested_entity_facet could then be removed.

I also fixed search and the back to list links.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0227-6-automount-UI.patch
Type: text/x-patch
Size: 356901 bytes
Desc: not available
URL:

From mkosek at redhat.com Thu May 26 07:45:57 2011
From: mkosek at redhat.com (Martin Kosek) Date: Thu, 26 May 2011 09:45:57 +0200 Subject: [Freeipa-devel] [PATCH] 762 Let the framework be able to override the hostname In-Reply-To: <4DDD204A.8010009@redhat.com> References: <4D95F3AD.2000707@redhat.com> <1306320574.18222.20.camel@dhcp-25-52.brq.redhat.com> <4DDD204A.8010009@redhat.com> Message-ID: <1306395960.2330.7.camel@dhcp-25-52.brq.redhat.com> On Wed, 2011-05-25 at 11:29 -0400, Rob Crittenden wrote: > Martin Kosek wrote: > > On Fri, 2011-04-01 at 11:47 -0400, Rob Crittenden wrote: > >> The hostname is passed in during the server installation. We should use > >> this hostname for the resulting server as well. It was being discarded > >> and we always used the system hostname value. > >> > >> ticket 1052 > >> > >> rob > > > > I have to NACK this again. I have a problem communicating with IPA on a > > master machine. I reproduced in on 2 different machines. Please, correct > > my steps if I am wrong, I do the following procedure > > > > 1) I prepare a fresh minimal F-15 > > 2) Install freeipa-server (current master with your patches) > > 3) Add custom hostname to /etc/hosts > > 4) Install IPA server: > > ipa-server-install -p secret123 -a secret123 --hostname ipa.idm.lab.bos.redhat.com --setup-dns --forwarder=10.16.255.2 > > 5) # kinit admin > > Password for admin at IDM.LAB.BOS.REDHAT.COM: > > 6) # ipa user-show admin > > ipa: ERROR: cannot connect to 'any of the configured servers': > > https://ipa.idm.lab.bos.redhat.com/ipa/xml, > > https://ipa.idm.lab.bos.redhat.com/ipa/xml > > > > # ping -c 1 ipa.idm.lab.bos.redhat.com > > PING ipa.idm.lab.bos.redhat.com (10.16.78.140) 56(84) bytes of data. 
> > 64 bytes from ipa.idm.lab.bos.redhat.com (10.16.78.140): icmp_req=1 > > ttl=64 time=0.049 ms > > > > Apache error_log shows relevant errors: > > > > [Wed May 25 06:42:38 2011] [error] ipa: ERROR: Failed to start IPA: Unable to retrieve LDAP schema: Invalid credentials: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Permission denied) > > [Wed May 25 06:42:38 2011] [error] ipa: ERROR: Failed to start IPA: Unable to retrieve LDAP schema: Invalid credentials: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Permission denied) > > [Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) in ignored > > [Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) in ignored > > [Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) in ignored > > [Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) in ignored > > [Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) in ignored > > [Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) in ignored > > [Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) in ignored > > [Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) in ignored > > [Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) in ignored > > [Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) in ignored > > [Wed May 25 06:43:56 2011] [notice] caught SIGTERM, shutting down > > [Wed May 25 06:43:56 2011] [notice] SELinux policy enabled; httpd running as context system_u:system_r:kernel_t:s0 > > [Wed May 25 06:43:57 2011] [notice] Digest: generating secret for digest authentication ... 
> > [Wed May 25 06:43:57 2011] [notice] Digest: done > > [Wed May 25 06:43:57 2011] [notice] Apache/2.2.17 (Unix) DAV/2 mod_auth_kerb/5.4 mod_nss/2.2.17 NSS/3.12.9.0 mod_wsgi/3.2 Python/2.7.1 configured -- resuming normal operations > > [Wed May 25 06:44:04 2011] [error] ipa: INFO: *** PROCESS START *** > > [Wed May 25 06:44:04 2011] [error] ipa: INFO: *** PROCESS START *** > > [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140] mod_wsgi (pid=5192): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'. > > [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140] Traceback (most recent call last): > > [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140] File "/usr/share/ipa/wsgi.py", line 48, in application > > [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140] return api.Backend.session(environ, start_response) > > [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 141, in __call__ > > [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140] self.create_context(ccache=environ.get('KRB5CCNAME')) > > [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140] File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 110, in create_context > > [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140] self.Backend.ldap2.connect(ccache=ccache) > > [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140] File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 62, in connect > > [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140] conn = self.create_connection(*args, **kw) > > [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140] File "/usr/lib/python2.7/site-packages/ipalib/encoder.py", line 188, in new_f > > [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140] return f(*new_args, **kwargs) > > [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140] File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line 337, in create_connection 
> > [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140] _handle_errors(e, **{})
> > [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140] File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line 118, in _handle_errors
> > [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140] raise errors.DatabaseError(desc=desc, info=info)
> > [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140] DatabaseError: Local error: SASL(-1): generic failure: GSSAPI Error: An invalid name was supplied (Hostname cannot be canonicalized)
> > [Wed May 25 06:45:26 2011] [error] [client 10.16.78.140] mod_wsgi (pid=5193): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
> >
> > You can check the problem on vm-140.idm.lab.bos.redhat.com if you want to.
> >
> > Martin
> >
>
> The LDAP connection was still using the system hostname value. I added a
> conn.set_option(_ldap.OPT_HOST_NAME, api.env.host) in the two places we
> initialize an LDAP connection and that seems to have fixed it.
>
> Updated patch attached
>
> rob

NACK. The problem on a master is gone. However, now ipa-replica-install is failing:

# ipa-replica-install /home/mkosek/replica-info-vm-027.idm.lab.bos.redhat.com.gpg
Directory Manager (existing master) password:
creation of replica failed: Can't contact LDAP server:

I found out that the root cause of the failure is in the change you just made in ldap2.py:

    def create_connection(self, ccache=None, bind_dn='', bind_pw='',
            tls_cacertfile=None, tls_certfile=None, tls_keyfile=None,
            debug_level=0):
        ...
        try:
            conn = _ldap.initialize(self.ldap_uri)
            conn.set_option(_ldap.OPT_HOST_NAME, api.env.host)    <--
            if ccache is not None:
                os.environ['KRB5CCNAME'] = ccache
        ...

because api.env.host points to the local host and not the remote master. When I commented this line out, installation continued OK. Then, it crashed again with our "favorite" dogtag's "invalid clone_uri" exception.
Since we see this error also in other scenarios (not only with a custom --hostname) and the root cause is not in your patch, I can ACK your patch 762 once the replica install bug is fixed.

Martin

From mkosek at redhat.com Thu May 26 12:32:26 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 26 May 2011 14:32:26 +0200
Subject: [Freeipa-devel] [PATCH] 069 Improve interactive mode for DNS plugin
Message-ID: <1306413148.2330.8.camel@dhcp-25-52.brq.redhat.com>

Interactive mode for commands manipulating DNS records (dnsrecord-add, dnsrecord-del) is not usable. This patch enhances the server framework with a new callback for interactive mode, which can be used by commands to inject their own interactive handling. The callback is then used to improve the aforementioned commands' interactive mode.

https://fedorahosted.org/freeipa/ticket/1018

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-069-improve-interactive-mode-for-dns-plugin.patch
Type: text/x-patch
Size: 16144 bytes
Desc: not available
URL:

From edewata at redhat.com Thu May 26 13:30:40 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 26 May 2011 08:30:40 -0500
Subject: [Freeipa-devel] [PATCH] 0227-2-automount-UI
In-Reply-To: <4DDDA5AE.9080103@redhat.com>
References: <4DDBF4DF.9050603@redhat.com> <4DDC1DD1.9090005@redhat.com> <4DDC320C.905@redhat.com> <4DDC8550.10103@redhat.com> <4DDD2EFB.6030509@redhat.com> <4DDD57D1.7030606@redhat.com> <4DDD5E6E.5080607@redhat.com> <4DDD724F.2060403@redhat.com> <4DDDA5AE.9080103@redhat.com>
Message-ID: <4DDE5600.1020809@redhat.com>

On 5/25/2011 7:58 PM, Adam Young wrote:
>> 17. The adder dialog boxes for map and key don't have a title. The
>> titles should be defined in internal.py and the ipa_init.json needs
>> to be regenerated.

> Fixed

The ipa_init.json doesn't seem to be updated yet.

> More changes in this patch. I combined most of the search and nested
> search facet into a single facet, by adding a field: managed_entity.
> That way, the facet can still track the entity to which it belongs, but
> it performs searches on the managed entity. Most of the code from
> nested_entity_facet could then be removed.
>
> I also fixed search and the back to list links.

19. The unit test failed.

20. When viewing a map, 'back to list' will bring you to locations instead of maps.

21. Please see the attached patch. The managed_entity variable and neseted_search_facet can be removed.

--
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: search_facet.patch
Type: text/x-patch
Size: 3548 bytes
Desc: not available
URL:

From rcritten at redhat.com Thu May 26 13:50:15 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 26 May 2011 09:50:15 -0400
Subject: [Freeipa-devel] [PATCH] 790 document problems re-adding a replication
In-Reply-To: <1306343866.9511.1.camel@willson.li.ssimo.org>
References: <4DDC1350.8010802@redhat.com> <4DDC1B8E.2050704@redhat.com> <4DDCFF97.8000506@redhat.com> <1306336104.9511.0.camel@willson.li.ssimo.org> <4DDD30D4.5070402@redhat.com> <1306343866.9511.1.camel@willson.li.ssimo.org>
Message-ID: <4DDE5A97.1090609@redhat.com>

Simo Sorce wrote:
> On Wed, 2011-05-25 at 12:39 -0400, Rob Crittenden wrote:
>> Simo Sorce wrote:
>>> On Wed, 2011-05-25 at 09:09 -0400, Rob Crittenden wrote:
>>>> Dmitri Pal wrote:
>>>>> On 05/24/2011 04:21 PM, Rob Crittenden wrote:
>>>>>> If you create a replica, remove it, then re-add it and try to
>>>>>> re-initialize the database it will fail because the remote master has
>>>>>> the old service principal cached. The remote dirsrv needs to be
>>>>>> restarted.
>>>>>>
>>>>> This is the issue in the disaster recovery case too, right?
>>>>
>>>> Yes, any time a replica is removed and re-added.
>>>
>>> I would add: "within a short time frame"
>>>
>>> If the replica is removed today and re-added in one week there should be
>>> no problem because any ticket will have expired so libgssapi will
>>> acquire a new one.
>>>
>>> Simo.
>>>
>>
>> Sure, makes sense. Patch revised.
>
> ACK
>
> Simo.
>

pushed to master and ipa-2-0

From ayoung at redhat.com Thu May 26 16:53:18 2011
From: ayoung at redhat.com (Adam Young)
Date: Thu, 26 May 2011 12:53:18 -0400
Subject: [Freeipa-devel] Summary of Session discussion
Message-ID: <4DDE857E.8090304@redhat.com>

There are four cases where we've discussed using sessions for optimizations. During today's phone discussion we analysed them.

1. Avoiding the negotiate round trip.

Requesting a page protected by Kerberos requires two round trips to the server: one for the initial request, which gets denied with the negotiate challenge, and one for the negotiate response. mod_auth_kerb can fall back to userid/password. The suggestion was that we allow mod_auth_kerb to set a session cookie after a successful negotiate request. Future requests can use that cookie to bypass the negotiate handshake. The problem with this approach is NFS home directories, and root users being able to get access to the session cookies, allowing a replay attack. Note that this is a problem with the userid/password fall-back as well. We are not going to pursue this right now.

2. Caching the service ticket. Once the http request has gone through, the ipa web server needs to request a service ticket for LDAP. If the session contained the service ticket, this could be bypassed for additional requests. Since the request has to be validated by Kerberos for the initial negotiate call, there is no additional loss of security in caching the ticket.

A potential alternative to server side caching is for the client to request the service ticket and send it in the negotiate handshake. There is some question as to whether the web server would be able to access this ticket, and also whether the client can somehow request a ticket that the server can use, and still comply with the Kerberos standards.

3. File Upload. Session time out provides a means to automate the clean up of files that might otherwise be orphaned.

4. Windowing search results. The 'find' APIs as implemented by LDAP limit the responses to 200 records by default.
One request we've had is to provide sorting and windowing. Windowing here is defined as, for a sorted response, return a delimited number of records starting at an offset greater than 0. The LDAP implementation requires the equivalent of a cursor from the requester, in this case the Apache server. To maintain association between the user and the cursor, the cursor identifier would be stored in the session. Implementing this correctly will require further design. It will likely be done in the future.

In summary, the caching of the service ticket alone provides a compelling reason to implement sessions. File upload will take advantage of them. Other uses may be found over time.

From simo at redhat.com Thu May 26 18:01:44 2011
From: simo at redhat.com (Simo Sorce)
Date: Thu, 26 May 2011 14:01:44 -0400
Subject: [Freeipa-devel] Summary of Session discussion
In-Reply-To: <4DDE857E.8090304@redhat.com>
References: <4DDE857E.8090304@redhat.com>
Message-ID: <1306432904.9511.49.camel@willson.li.ssimo.org>

On Thu, 2011-05-26 at 12:53 -0400, Adam Young wrote:
> There are four cases where we've discussed using sessions for
> optimizations. During today's phone discussion we analysed them.
>
> 1. Avoiding the negotiate round trip.
>
> Requesting a page protected by Kerberos requires two round trips to the
> server: one for the initial request, which gets denied with the
> negotiate challenge, and one for the negotiate response. mod_auth_kerb
> can fall back to userid/password. The suggestion was that we allow
> mod_auth_kerb to set a session cookie after a successful negotiate
> request. Future requests can use that cookie to bypass the negotiate
> handshake. The problem with this approach is NFS home directories,

Can you expand the reasoning about NFS home directories ?

> and
> root users being able to get access to the session cookies, allowing a
> replay attack.

Root can simply steal your TGT, that is not a concern we have any reason to raise here.

> Note that this is a problem with the userid/password
> fall-back as well. We are not going to pursue this right now.

We are not going to pursue using sessions ? Or concerning ourselves with these issues ? :)

> 2. Caching the service ticket. Once the http request has gone through,
> the ipa web server needs to request a service ticket for LDAP. If the
> session contained the service ticket, this could be bypassed for
> additional requests. Since the request has to be validated by Kerberos
> for the initial negotiate call, there is no additional loss of security
> in caching the ticket.

Indeed.

> A potential alternative to server side caching is for the client to
> request the service ticket and send it in the negotiate handshake.
> There is some question as to whether the web server would be able to
> access this ticket, and also whether the client can somehow request a
> ticket that the server can use, and still comply with the Kerberos
> standards.

This should be possible, but there is no client that can do that right now, and changing clients is simply out of our reach in most cases.

> 3. File Upload. Session time out provides a means to automate the
> clean up of files that might otherwise be orphaned.

What kind of files ?

> 4. Windowing search results. The 'find' APIs as implemented by LDAP
> limit the responses to 200 records by default. One request we've had is
> to provide sorting and windowing. Windowing here is defined as, for a
> sorted response, return a delimited number of records starting at an
> offset greater than 0. The LDAP implementation requires the equivalent
> of a cursor from the requester, in this case the Apache server. To
> maintain association between the user and the cursor, the cursor
> identifier would be stored in the session. Implementing this correctly
> will require further design. It will likely be done in the future.

The cursor needs also to be associated to a specific query, it cannot be just a session-global variable.

> In summary, the caching of the service ticket alone provides a
> compelling reason to implement sessions. File upload will take
> advantage of them. Other uses may be found over time.

Very good, thanks for taking up on this analysis task.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From dpal at redhat.com Thu May 26 18:19:38 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Thu, 26 May 2011 14:19:38 -0400
Subject: [Freeipa-devel] Summary of Session discussion
In-Reply-To: <1306432904.9511.49.camel@willson.li.ssimo.org>
References: <4DDE857E.8090304@redhat.com> <1306432904.9511.49.camel@willson.li.ssimo.org>
Message-ID: <4DDE99BA.9030405@redhat.com>

On 05/26/2011 02:01 PM, Simo Sorce wrote:
> On Thu, 2011-05-26 at 12:53 -0400, Adam Young wrote:
>> There are four cases where we've discussed using sessions for
>> optimizations. During today's phone discussion we analysed them.
>>
>> 1. Avoiding the negotiate round trip.
>>
>> Requesting a page protected by Kerberos requires two round trips to the
>> server: one for the initial request, which gets denied with the
>> negotiate challenge, and one for the negotiate response. mod_auth_kerb
>> can fall back to userid/password. The suggestion was that we allow
>> mod_auth_kerb to set a session cookie after a successful negotiate
>> request. Future requests can use that cookie to bypass the negotiate
>> handshake. The problem with this approach is NFS home directories,
> Can you expand the reasoning about NFS home directories ?

The cookie can be stored in the home directory of the user, and the user home directory can be NFS mounted, so if we save anything important in the cookie the NFS root would be able to impersonate the user. It assumes that TGTs are not stored on the NFS in this case, so replacing the TGT auth with fast session cookie auth would be a security issue. I hope I understand the issue correctly.

>> and
>> root users being able to get access to the session cookies, allowing a
>> replay attack.
> Root can simply steal your TGT, that is not a concern we have any reason
> to raise here.

NFS root?

>> Note that this is a problem with the userid/password
>> fall-back as well. We are not going to pursue this right now.
> We are not going to pursue using sessions ? Or concerning ourselves with
> these issues ?
> :)

We are not going to try to avoid kerberos renegotiation on every request.

Hm, should we consider something like OAuth in this case?

>> 2. Caching the service ticket. Once the http request has gone through,
>> the ipa web server needs to request a service ticket for LDAP. If the
>> session contained the service ticket, this could be bypassed for
>> additional requests. Since the request has to be validated by Kerberos
>> for the initial negotiate call, there is no additional loss of security
>> in caching the ticket.
> Indeed.
>

In any case if we cache the ldap ticket we need to get it from the cache before finishing the request. The question came up: do the python-kerberos/krbV packages provide the interface to the CC to get the ticket?

>> A potential alternative to server side caching is for the client to
>> request the service ticket and send it in the negotiate handshake.
>> There is some question as to whether the web server would be able to
>> access this ticket, and also whether the client can somehow request a
>> ticket that the server can use, and still comply with the Kerberos
>> standards.
> This should be possible, but there is no client that can do that right
> now, and changing clients is simply out of our reach in most cases.
>

We can do it in the XML-RPC/JSON outside of kerberos, but is it worth it? We need to extract the ticket first.

>> 3. File Upload. Session time out provides a means to automate the
>> clean up of files that might otherwise be orphaned.
> What kind of files ?

Entitlements

>> 4. Windowing search results. The 'find' APIs as implemented by LDAP
>> limit the responses to 200 records by default. One request we've had is
>> to provide sorting and windowing. Windowing here is defined as, for a
>> sorted response, return a delimited number of records starting at an
>> offset greater than 0. The LDAP implementation requires the equivalent
>> of a cursor from the requester, in this case the Apache server.
>> To
>> maintain association between the user and the cursor, the cursor
>> identifier would be stored in the session. Implementing this correctly
>> will require further design. It will likely be done in the future.
> The cursor needs also to be associated to a specific query, it cannot be
> just a session-global variable.

You can limit it to have one cursor open per session at a time so you can use it as session global. You do not need to have two queries paginated at the same time from the UI, so there is no need to keep more than one cursor.

>> In summary, the caching of the service ticket alone provides a
>> compelling reason to implement sessions. File upload will take
>> advantage of them. Other uses may be found over time.
> Very good, thanks for taking up on this analysis task.
>
> Simo.
>

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From simo at redhat.com Thu May 26 18:43:07 2011
From: simo at redhat.com (Simo Sorce)
Date: Thu, 26 May 2011 14:43:07 -0400
Subject: [Freeipa-devel] Summary of Session discussion
In-Reply-To: <4DDE99BA.9030405@redhat.com>
References: <4DDE857E.8090304@redhat.com> <1306432904.9511.49.camel@willson.li.ssimo.org> <4DDE99BA.9030405@redhat.com>
Message-ID: <1306435387.9511.62.camel@willson.li.ssimo.org>

On Thu, 2011-05-26 at 14:19 -0400, Dmitri Pal wrote:
> On 05/26/2011 02:01 PM, Simo Sorce wrote:
> > On Thu, 2011-05-26 at 12:53 -0400, Adam Young wrote:
> >> There are four cases where we've discussed using sessions for
> >> optimizations. During today's phone discussion we analysed them.
> >>
> >> 1. Avoiding the negotiate round trip.
> >>
> >> Requesting a page protected by Kerberos requires two round trips to the
> >> server: one for the initial request, which gets denied with the
> >> negotiate challenge, and one for the negotiate response. mod_auth_kerb
> >> can fall back to userid/password. The suggestion was that we allow
> >> mod_auth_kerb to set a session cookie after a successful negotiate
> >> request. Future requests can use that cookie to bypass the negotiate
> >> handshake. The problem with this approach is NFS home directories,
> > Can you expand the reasoning about NFS home directories ?
>
> The cookie can be stored in the home directory of the user, and the user home
> directory can be NFS mounted, so if we save anything important in the
> cookie the NFS root would be able to impersonate the user. It assumes
> that TGTs are not stored on the NFS in this case, so replacing the TGT
> auth with fast session cookie auth would be a security issue.
> I hope I understand the issue correctly.

We can store the cookie in the ccache, so that we have it in the same place the TGT is. We shouldn't save it in the home, as it is insecure indeed.

> >> and
> >> root users being able to get access to the session cookies, allowing a
> >> replay attack.
> > Root can simply steal your TGT, that is not a concern we have any reason
> > to raise here.
>
> NFS root?

If by "NFS root" you mean the root user on the NFS server serving out your home directories, the answer is no, as the ccache is stored in files local to the system.

> >> Note that this is a problem with the userid/password
> >> fall-back as well. We are not going to pursue this right now.
> > We are not going to pursue using sessions ? Or concerning ourselves with
> > these issues ? :)
>
> We are not going to try to avoid kerberos renegotiation on every request.

Why not ? Unless you have other concerns, the ones expressed above are all non-issues.

> Hm, should we consider something like OAuth in this case?

It would have exactly the same issues, except it will be more complex to implement, so if you can do one you can do the other.

> >> 2. Caching the service ticket. Once the http request has gone through,
> >> the ipa web server needs to request a service ticket for LDAP. If the
> >> session contained the service ticket, this could be bypassed for
> >> additional requests. Since the request has to be validated by Kerberos
> >> for the initial negotiate call, there is no additional loss of security
> >> in caching the ticket.
> > Indeed.
> >
>
> In any case if we cache the ldap ticket we need to get it from the cache
> before finishing the request.

EPARSE.

> The question came up: do the python-kerberos/krbV packages provide the
> interface to the CC to get the ticket?

If python-krbV doesn't yet, it should be relatively easy to add. I expect no more than a couple of days' work to add enough functionality if it is not there.

> >> A potential alternative to server side caching is for the client to
> >> request the service ticket and send it in the negotiate handshake.
> >> There is some question as to whether the web server would be able to
> >> access this ticket, and also whether the client can somehow request a
> >> ticket that the server can use, and still comply with the Kerberos
> >> standards.
> > This should be possible, but there is no client that can do that right
> > now, and changing clients is simply out of our reach in most cases.
> >
>
> We can do it in the XML-RPC/JSON outside of kerberos, but is it worth it?

No, we do not want to get in the business of forwarding credential caches outside of the standard protocols, *that* is asking for trouble.

> We need to extract the ticket first.

You do not have direct access to the credential cache from within the browser, so you wouldn't be able to do that for the WebUI anyway. Building a whole mechanism like that just to optimize the CLI when we can do a much better job server side looks like a waste, plus it would force third party implementations that want to use the XML-RPC channel to do things they may possibly not be able to do either, forcing them to the less efficient way. Not good.

> >> 3. File Upload. Session time out provides a means to automate the
> >> clean up of files that might otherwise be orphaned.
> > What kind of files ?
>
> Entitlements

I guess I miss too many details to understand this point, but given it doesn't seem to be relevant to the security aspect I think I'll just ignore it for now.

> >> 4. Windowing search results. The 'find' APIs as implemented by LDAP
> >> limit the responses to 200 records by default. One request we've had is
> >> to provide sorting and windowing. Windowing here is defined as, for a
> >> sorted response, return a delimited number of records starting at an
> >> offset greater than 0. The LDAP implementation requires the equivalent
> >> of a cursor from the requester, in this case the Apache server. To
> >> maintain association between the user and the cursor, the cursor
> >> identifier would be stored in the session.
> >> Implementing this correctly
> >> will require further design. It will likely be done in the future.
> > The cursor needs also to be associated to a specific query, it cannot be
> > just a session-global variable.
>
> You can limit it to have one cursor open per session at a time so you
> can use it as session global.

Dangerous.

> You do not need to have two queries paginated at the same time from the UI so
> there is no need to keep more than one cursor.

We might not do that now, not sure in future. We should at least have a key/cursor pair to allow UIs to keep multiple cursors. It's easy to do (just a hash table).

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ayoung at redhat.com Thu May 26 18:47:09 2011
From: ayoung at redhat.com (Adam Young)
Date: Thu, 26 May 2011 14:47:09 -0400
Subject: [Freeipa-devel] Summary of Session discussion
In-Reply-To: <1306432904.9511.49.camel@willson.li.ssimo.org>
References: <4DDE857E.8090304@redhat.com> <1306432904.9511.49.camel@willson.li.ssimo.org>
Message-ID: <4DDEA02D.2020406@redhat.com>

On 05/26/2011 02:01 PM, Simo Sorce wrote:
> On Thu, 2011-05-26 at 12:53 -0400, Adam Young wrote:
>> There are four cases where we've discussed using sessions for
>> optimizations. During today's phone discussion we analysed them.
>>
>> 1. Avoiding the negotiate round trip.
>>
>> Requesting a page protected by Kerberos requires two round trips to the
>> server: one for the initial request, which gets denied with the
>> negotiate challenge, and one for the negotiate response. mod_auth_kerb
>> can fall back to userid/password. The suggestion was that we allow
>> mod_auth_kerb to set a session cookie after a successful negotiate
>> request. Future requests can use that cookie to bypass the negotiate
>> handshake. The problem with this approach is NFS home directories,
> Can you expand the reasoning about NFS home directories ?

As Stephen Gallagher points out, secure cookies are held in memory, not on disk. However, the ipa client is a complete process, and it would need to be able to store the cookie somewhere for the CLI to use.

>> and
>> root users being able to get access to the session cookies, allowing a
>> replay attack.
> Root can simply steal your TGT, that is not a concern we have any reason
> to raise here.

I might have root on a machine that can mount via NFS, and thus allow me to su to your account, and get read access to your home directory. I don't need root on your machine. But again, only an issue if the session cookie got written to disk, which shouldn't happen with session cookies.

>> Note that this is a problem with the userid/password
>> fall-back as well. We are not going to pursue this right now.
> We are not going to pursue using sessions ? Or concerning ourselves with
> these issues ? :)

I think we are not going to pursue the mod_auth_kerb streamlining I outlined, at least not in the short term. An additional issue is getting the update to mod_auth_kerb accepted. I'd say we can pursue this in parallel, as I think it will be a valuable performance optimisation, but it does not have to be part of the IPA work per se.

>> 2. Caching the service ticket. Once the http request has gone through,
>> the ipa web server needs to request a service ticket for LDAP. If the
>> session contained the service ticket, this could be bypassed for
>> additional requests. Since the request has to be validated by Kerberos
>> for the initial negotiate call, there is no additional loss of security
>> in caching the ticket.
> Indeed.
>
>> A potential alternative to server side caching is for the client to
>> request the service ticket and send it in the negotiate handshake.
>> There is some question as to whether the web server would be able to
>> access this ticket, and also whether the client can somehow request a
>> ticket that the server can use, and still comply with the Kerberos
>> standards.
> This should be possible, but there is no client that can do that right
> now, and changing clients is simply out of our reach in most cases.

Yes, and thus we are not going to pursue that approach.

>> 3. File Upload. Session time out provides a means to automate the
>> clean up of files that might otherwise be orphaned.
> What kind of files ?

Certificates and automount maps are the two we've discussed recently.

>> 4. Windowing search results. The 'find' APIs as implemented by LDAP
>> limit the responses to 200 records by default. One request we've had is
>> to provide sorting and windowing. Windowing here is defined as, for a
>> sorted response, return a delimited number of records starting at an
>> offset greater than 0.
>> The LDAP implementation requires the equivalent
>> of a cursor from the requester, in this case the Apache server. To
>> maintain association between the user and the cursor, the cursor
>> identifier would be stored in the session. Implementing this correctly
>> will require further design. It will likely be done in the future.
> The cursor needs also to be associated to a specific query, it cannot be
> just a session-global variable.

Agreed. It means that subsequent API calls can reuse a specific query. But we want it to be optional, or there would be significant overhead, and thus we'll postpone this approach for now.

>> In summary, the caching of the service ticket alone provides a
>> compelling reason to implement sessions. File upload will take
>> advantage of them. Other uses may be found over time.
> Very good, thanks for taking up on this analysis task.
>
> Simo.
>

From ayoung at redhat.com Thu May 26 18:49:31 2011
From: ayoung at redhat.com (Adam Young)
Date: Thu, 26 May 2011 14:49:31 -0400
Subject: [Freeipa-devel] Summary of Session discussion
In-Reply-To: <4DDE99BA.9030405@redhat.com>
References: <4DDE857E.8090304@redhat.com> <1306432904.9511.49.camel@willson.li.ssimo.org> <4DDE99BA.9030405@redhat.com>
Message-ID: <4DDEA0BB.7090204@redhat.com>

On 05/26/2011 02:19 PM, Dmitri Pal wrote:
> On 05/26/2011 02:01 PM, Simo Sorce wrote:
>> On Thu, 2011-05-26 at 12:53 -0400, Adam Young wrote:
>>> There are four cases where we've discussed using sessions for
>>> optimizations. During today's phone discussion we analysed them.
>>>
>>> 1. Avoiding the negotiate round trip.
>>>
>>> Requesting a page protected by Kerberos requires two round trips to the
>>> server: one for the initial request, which gets denied with the
>>> negotiate challenge, and one for the negotiate response. mod_auth_kerb
>>> can fall back to userid/password. The suggestion was that we allow
>>> mod_auth_kerb to set a session cookie after a successful negotiate
>>> request. Future requests can use that cookie to bypass the negotiate
>>> handshake. The problem with this approach is NFS home directories,
>> Can you expand the reasoning about NFS home directories ?
> The cookie can be stored in the home directory of the user, and the user home
> directory can be NFS mounted, so if we save anything important in the
> cookie the NFS root would be able to impersonate the user. It assumes
> that TGTs are not stored on the NFS in this case, so replacing the TGT
> auth with fast session cookie auth would be a security issue.
> I hope I understand the issue correctly.

Not secure cookies, so it is only an issue for the CLI. If the CLI can store the cookie in the key store, then we don't have a problem.

>>> and
>>> root users being able to get access to the session cookies, allowing a
>>> replay attack.
>> Root can simply steal your TGT, that is not a concern we have any reason
>> to raise here.
> NFS root?
Root user on a different machine that is allowed to mount NFS has pretty much complete access to the NFS directories. The root user can su to a user on the system.

>>> Note that this is a problem with the userid/password
>>> fall-back as well. We are not going to pursue this right now.
>> We are not going to pursue using sessions ? Or concerning ourselves with
>> these issues ? :)
> We are not going to try to avoid kerberos renegotiation on every request.
> Hm, should we consider something like OAuth in this case?

OAuth suffers from the same issues.

>>> 2. Caching the service ticket. Once the http request has gone through,
>>> the ipa web server needs to request a service ticket for LDAP. If the
>>> session contained the service ticket, this could be bypassed for
>>> additional requests. Since the request has to be validated by Kerberos
>>> for the initial negotiate call, there is no additional loss of security
>>> in caching the ticket.
>> Indeed.
>>
> In any case if we cache the ldap ticket we need to get it from the cache
> before finishing the request.
> The question came up: do the python-kerberos/krbV packages provide the
> interface to the CC to get the ticket?
>
>>> A potential alternative to server side caching is for the client to
>>> request the service ticket and send it in the negotiate handshake.
>>> There is some question as to whether the web server would be able to
>>> access this ticket, and also whether the client can somehow request a
>>> ticket that the server can use, and still comply with the Kerberos
>>> standards.
>> This should be possible, but there is no client that can do that right
>> now, and changing clients is simply out of our reach in most cases.
>>
> We can do it in the XML-RPC/JSON outside of kerberos, but is it worth it?
> We need to extract the ticket first.
>
>>> 3. File Upload. Session time out provides a means to automate the
>>> clean up of files that might otherwise be orphaned.
>> What kind of files ?
> Entitlements > >>> 4. Windowing search results. The 'find' APIs as implemented by LDAP >>> limit the responses to 200 records by default. One request we've had is >>> to provide sorting and windowing. Windowing here is defined as, for a >>> sorted response, return a delimited number of records starting at an >>> offset greater than 0. The LDAP implementation requires the equivalent >>> of a cursor from the requester, in this case the Apache server. To >>> maintain association between the user and the cursor, the cursor >>> identifier would be stored in the session. Implementing this correctly >>> will require further design. It will likely be done in the future. >> The cursor also needs to be associated with a specific query, it cannot be >> just a session-global variable. > You can limit it to have one cursor open per session at a time so you > can use it as session global. > You do not need to have two queries paginated at the same time from UI so > there is no need to keep more than one. > >>> In summary, the caching of the service ticket alone provides a >>> compelling reason to implement sessions. File upload will take >>> advantage of them. Other uses may be found over time. >> Very good, thanks for taking up on this analysis task. >> >> Simo. >> > From ayoung at redhat.com Thu May 26 18:55:49 2011 
From: ayoung at redhat.com (Adam Young) Date: Thu, 26 May 2011 14:55:49 -0400 Subject: [Freeipa-devel] [PATCH] 0227-2-automount-UI In-Reply-To: <4DDE5600.1020809@redhat.com> References: <4DDBF4DF.9050603@redhat.com> <4DDC1DD1.9090005@redhat.com> <4DDC320C.905@redhat.com> <4DDC8550.10103@redhat.com> <4DDD2EFB.6030509@redhat.com> <4DDD57D1.7030606@redhat.com> <4DDD5E6E.5080607@redhat.com> <4DDD724F.2060403@redhat.com> <4DDDA5AE.9080103@redhat.com> <4DDE5600.1020809@redhat.com> Message-ID: <4DDEA235.5050504@redhat.com> On 05/26/2011 09:30 AM, Endi Sukma Dewata wrote: > On 5/25/2011 7:58 PM, Adam Young wrote: >>> 17. The adder dialog boxes for map and key don't have a title. The >>> titles should be defined in internal.py and the ipa_init.json needs >>> to be regenerated. > >> Fixed > > The ipa_init.json doesn't seem to be updated yet. > >> More changes in this patch. I combined most of the search and nested >> search facet into a single facet, by adding a field : managed_entity. >> That way, the facet can still track the entity to which it belongs, but >> it performs searches on the managed entity. Most of the code from >> nested_entity_facet could then be removed. >> >> I also fixed search and the back to list links. > > 19. The unit test failed. Fixed in pushed version > > 20. When viewing a map, 'back to list' will bring you to locations > instead of maps. Deliberate. This is the right behaviour. What is questionable is the placement on the screen. > > 21. Please see the attached patch. The managed_entity variable and > nested_search_facet can be removed. Will do in a future patch. ACKed in IRC by edewata and pushed to master From sgallagh at redhat.com Thu May 26 18:59:16 2011 
From: sgallagh at redhat.com (Stephen Gallagher) Date: Thu, 26 May 2011 14:59:16 -0400 Subject: [Freeipa-devel] Summary of Session discussion In-Reply-To: <1306435387.9511.62.camel@willson.li.ssimo.org> References: <4DDE857E.8090304@redhat.com> <1306432904.9511.49.camel@willson.li.ssimo.org> <4DDE99BA.9030405@redhat.com> <1306435387.9511.62.camel@willson.li.ssimo.org> Message-ID: <1306436357.2189.31.camel@sgallagh.bos.redhat.com> On Thu, 2011-05-26 at 14:43 -0400, Simo Sorce wrote: > On Thu, 2011-05-26 at 14:19 -0400, Dmitri Pal wrote: > > Cookie can be stored on the home directory of the user and user home > > directory can be NFS mounted so if we save anything important in the > > cookie the NFS root would be able to impersonate the user. It assumes > > that TGTs are not stored on the NFS in this case so replacing the TGT > > auth with fast session cookie auth would be a security issue. > > I hope I understand the issue correctly. > > We can store the cookie in the ccache, so that we have it in the > same place the TGT is. We shouldn't save it in the home, as it is > insecure indeed. I'd like to point out that this is a strong argument for adding the SSSD/LDB Kerberos credential cache. It's unsafe to store the user's credential cache in their home directory (because it may be an NFS mount and therefore vulnerable to root on another machine). However, the other common location for a credential cache is in /tmp, which becomes an issue for systems running with pam_namespace or sandboxing (where different processes have different views of the contents of /tmp). To avoid both of these situations, it might be best for us to store the credential cache in SSSD. For more information, see https://fedorahosted.org/sssd/ticket/652 and https://bugzilla.redhat.com/show_bug.cgi?id=618689 
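Added example, not part of the thread and not SSSD or FreeIPA code: a Python check for the first half of the problem Stephen describes, whether the credential cache a process would use sits on a network file system that root on another host can read. It parses /proc/mounts text (including the octal escapes that file uses for spaces in mount points), resolves KRB5CCNAME the way libkrb5 treats the FILE:, DIR:, bare-path and unset cases, and reports caches held by the kernel keyring or a daemon (KEYRING:, KCM:, MEMORY:) as not being on any filesystem, which is the property the message is after. The mount table below is a constructed sample; the per-process view of /tmp under pam_namespace cannot be recovered from a mount list and is not attempted.

```python
import os
import re

# File system types on which root on another host can read the cache.
NETWORK_FS = {"nfs", "nfs3", "nfs4", "cifs", "smb3", "afs", "fuse.sshfs", "9p", "ceph"}

_OCTAL_ESCAPE = re.compile(r"\\([0-7]{3})")


def unescape_mount_field(field):
    """/proc/mounts writes space, tab, newline and backslash as \\040 etc."""
    return _OCTAL_ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), field)


def parse_mounts(text):
    """Parse /proc/mounts text into a list of (mount point, fstype)."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue  # blank or malformed line
        mounts.append((unescape_mount_field(fields[1]), fields[2]))
    return mounts


def mount_for(path, mounts):
    """Longest-prefix match: the mount that actually backs `path`."""
    path = os.path.normpath(path)
    best = None
    for mount_point, fstype in mounts:
        mp = os.path.normpath(mount_point)
        prefix = mp if mp.endswith("/") else mp + "/"
        if path == mp or path.startswith(prefix):
            if best is None or len(mp) > len(best[0]):
                best = (mp, fstype)
    return best


def ccache_file(krb5ccname, uid):
    """Resolve a KRB5CCNAME value to a filesystem path, or None when the
    cache lives outside any filesystem (KEYRING:, KCM:, MEMORY:)."""
    if not krb5ccname:
        return "/tmp/krb5cc_%d" % uid  # libkrb5 default when unset
    kind, sep, rest = krb5ccname.partition(":")
    if not sep:
        return krb5ccname  # a bare path is treated as FILE:
    if kind in ("FILE", "DIR"):
        return rest
    return None


def classify_ccache(krb5ccname, uid, mounts_text):
    """Return ("non-file", None, None), ("network", mount, fstype),
    ("local", mount, fstype) or ("unknown", None, None)."""
    path = ccache_file(krb5ccname, uid)
    if path is None:
        return ("non-file", None, None)
    hit = mount_for(path, parse_mounts(mounts_text))
    if hit is None:
        return ("unknown", None, None)
    mount_point, fstype = hit
    kind = "network" if fstype in NETWORK_FS else "local"
    return (kind, mount_point, fstype)


# Constructed /proc/mounts excerpt (not captured from a real host); the last
# line has an escaped space in the mount point.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
fileserver:/export/home /home nfs4 rw,relatime,vers=4.1 0 0
//fileserver/share /mnt/team\\040share cifs rw 0 0
"""
```

On a live system the same check is `classify_ccache(os.environ.get("KRB5CCNAME"), os.getuid(), open("/proc/self/mounts").read())`; reading /proc/self/mounts rather than /proc/mounts matters precisely because of the namespaced /tmp case.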
From jcholast at redhat.com Thu May 26 19:00:46 2011 From: jcholast at redhat.com (Jan Cholasta) Date: Thu, 26 May 2011 21:00:46 +0200 Subject: [Freeipa-devel] [PATCH] 069 Improve interactive mode for DNS plugin In-Reply-To: <1306413148.2330.8.camel@dhcp-25-52.brq.redhat.com> References: <1306413148.2330.8.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4DDEA35E.5060903@redhat.com> On 26.5.2011 14:32, Martin Kosek wrote: > Interactive mode for commands manipulating DNS records > (dnsrecord-add, dnsrecord-del) is not usable. This patch enhances > the server framework with new callback for interactive mode, which > can be used by commands to inject their own interactive handling. > > The callback is then used to improve aforementioned commands' > interactive mode. > > https://fedorahosted.org/freeipa/ticket/1018 > ACK, works fine. Just a minor thing:
$ git apply freeipa-mkosek-069-improve-interactive-mode-for-dns-plugin.patch
freeipa-mkosek-069-improve-interactive-mode-for-dns-plugin.patch:33: trailing whitespace.
freeipa-mkosek-069-improve-interactive-mode-for-dns-plugin.patch:41: trailing whitespace.
freeipa-mkosek-069-improve-interactive-mode-for-dns-plugin.patch:289: trailing whitespace.
freeipa-mkosek-069-improve-interactive-mode-for-dns-plugin.patch:193: new blank line at EOF.
+
warning: 4 lines add whitespace errors.
Honza -- Jan Cholasta From rcritten at redhat.com Thu May 26 19:11:01 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 26 May 2011 15:11:01 -0400 Subject: [Freeipa-devel] [PATCH] 791 don't add IP address when creating zone Message-ID: <4DDEA5C5.1080101@redhat.com> When creating a DNS zone, if an IP address was passed in, that address was added to the record of the IPA server. This was causing problems when creating new reverse zones for different subnets with ipa-replica-prepare. If you passed in --ip_address then a new reverse DNS zone would be created and the new IP would be added to the IPA master. Installing the replica file would fail with odd errors. ticket 1223 rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-791-dns.patch Type: text/x-diff Size: 1263 bytes Desc: not available URL: From rcritten at redhat.com Thu May 26 20:38:18 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 26 May 2011 16:38:18 -0400 Subject: [Freeipa-devel] [PATCH] 768 fix migration between v2 servers In-Reply-To: <1306327459.18222.23.camel@dhcp-25-52.brq.redhat.com> References: <4D9F1A88.3030204@redhat.com> <1306327459.18222.23.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4DDEBA3A.3090903@redhat.com> Martin Kosek wrote: > On Fri, 2011-04-08 at 10:24 -0400, Rob Crittenden wrote: >> Migration from a v2 server would fail because of our fake >> memberofindirect attribute. This isn't in any objectclass so would cause >> entries to fail to migrate. We can safely just remove it. >> >> Also remove any limits on time/size when searching for entries on the >> remote server. Otherwise only the number of entries configured in the >> local IPA server can be migrated. >> >> ticket 1124 >> >> rob > > Looks good, ACK. > > I tested a migration with users with memberofindirect + there were 700+ > users. Even though the migration took quite a long time, all users were > correctly migrated. > > Martin > pushed to master and ipa-2-0 From ayoung at redhat.com Thu May 26 20:51:14 2011 
From: ayoung at redhat.com (Adam Young) Date: Thu, 26 May 2011 16:51:14 -0400 Subject: [Freeipa-devel] [PATCH] 788 remove automountinformation from automount dns In-Reply-To: <4DDAA9A7.6050302@redhat.com> References: <4DDAA9A7.6050302@redhat.com> Message-ID: <4DDEBD42.2000602@redhat.com> On 05/23/2011 02:38 PM, Rob Crittenden wrote: > In an attempt to support multiple direct maps we always included the > automountinformation in the key dn. This makes showing keys impossible, > a bit of a catch-22. You want to get the mount info but to get it you > need the mount info. > > This patch drops requiring automountinfo but if provided it'll use it > to make the dn. This way we can have backwards compatibility for any > existing maps but going forward only direct maps will have the info in > it. > > --key is still required when dealing with keys, no way around that > without doing a major API change, migrating data, etc. > > ticket 1229 > > rob > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel This approach still breaks many of the assumptions that the UI is built upon. First, the primary key is now description, which will look odd to people. Second, the methods for show, add, and delete will require custom code. I think that, if ever there was a time to break the automount scheme, it is up front now when we don't have that embedded a user base. I'd rather get it right this time around than have to support a difficult implementation for a long time. The error doesn't get marshalled properly in JSON. 
u May 26 15:44:44 2011] [error] ipa: INFO: admin at SERVER15.AYOUNG.BOSTON.DEVEL.REDHAT.COM: automountkey_find(u'default', u'auto.mnt', u'', all=False): SUCCESS
[Thu May 26 15:44:46 2011] [error] ipa: ERROR: jsonserver.__call__():
[Thu May 26 15:44:46 2011] [error] Traceback (most recent call last):
[Thu May 26 15:44:46 2011] [error]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 248, in __call__
[Thu May 26 15:44:46 2011] [error]     response = self.wsgi_execute(environ)
[Thu May 26 15:44:46 2011] [error]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 230, in wsgi_execute
[Thu May 26 15:44:46 2011] [error]     params = self.Command[name].args_options_2_params(*args, **options)
[Thu May 26 15:44:46 2011] [error]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 483, in args_options_2_params
[Thu May 26 15:44:46 2011] [error]     raise MaxArgumentError(name=self.name, count=self.max_args)
[Thu May 26 15:44:46 2011] [error] MaxArgumentError: command 'automountkey_show' takes at most 2 arguments
(END)
-------------- next part -------------- An HTML attachment was scrubbed... URL: From dpal at redhat.com Thu May 26 20:54:22 2011 
From: dpal at redhat.com (Dmitri Pal) Date: Thu, 26 May 2011 16:54:22 -0400 Subject: [Freeipa-devel] Summary of Session discussion In-Reply-To: <1306435387.9511.62.camel@willson.li.ssimo.org> References: <4DDE857E.8090304@redhat.com> <1306432904.9511.49.camel@willson.li.ssimo.org> <4DDE99BA.9030405@redhat.com> <1306435387.9511.62.camel@willson.li.ssimo.org> Message-ID: <4DDEBDFE.4080608@redhat.com> On 05/26/2011 02:43 PM, Simo Sorce wrote: >> We need to extract the ticket first. > You do not have direct access to the credential cache from within the > browser so you wouldn't be able to do that for the WebUI anyway. I was talking about the server side. -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From dpal at redhat.com Thu May 26 20:56:37 2011 From: dpal at redhat.com (Dmitri Pal) Date: Thu, 26 May 2011 16:56:37 -0400 Subject: [Freeipa-devel] Summary of Session discussion In-Reply-To: <1306435387.9511.62.camel@willson.li.ssimo.org> References: <4DDE857E.8090304@redhat.com> <1306432904.9511.49.camel@willson.li.ssimo.org> <4DDE99BA.9030405@redhat.com> <1306435387.9511.62.camel@willson.li.ssimo.org> Message-ID: <4DDEBE85.7030503@redhat.com> On 05/26/2011 02:43 PM, Simo Sorce wrote: >> You can limit it to have one cursor open per session at a time so you >> > can use it as session global. > Dangerous. > I have seen Adam's response. This functionality is easily extensible. You can start with one and then add hash. I do not see a use case in near future that would require more than one cursor to be open at a time per session. I am just voting for less work here as it can be enhanced when we need more than one. -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From dpal at redhat.com Thu May 26 21:01:02 2011 
From: dpal at redhat.com (Dmitri Pal) Date: Thu, 26 May 2011 17:01:02 -0400 Subject: [Freeipa-devel] [PATCH] 788 remove automountinformation from automount dns In-Reply-To: <4DDEBD42.2000602@redhat.com> References: <4DDAA9A7.6050302@redhat.com> <4DDEBD42.2000602@redhat.com> Message-ID: <4DDEBF8E.2010101@redhat.com> On 05/26/2011 04:51 PM, Adam Young wrote: > On 05/23/2011 02:38 PM, Rob Crittenden wrote: >> In an attempt to support multiple direct maps we always included the >> automountinformation in the key dn. This makes showing keys >> impossible, a bit of a catch-22. You want to get the mount info but to >> get it you need the mount info. >> >> This patch drops requiring automountinfo but if provided it'll use it >> to make the dn. This way we can have backwards compatibility for any >> existing maps but going forward only direct maps will have the info >> in it. >> >> --key is still required when dealing with keys, no way around that >> without doing a major API change, migrating data, etc. >> >> ticket 1229 >> >> rob >> >> >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel > This approach still breaks many of the assumptions that the UI is > built upon. First, the primary key is now description, which will > look odd to people. Second, the methods for show, add, and delete > will require custom code. I think that, if ever there was a time to > break the automount scheme, it is up front now when we don't have that > embedded a user base. I'd rather get it right this time around than > have to support a difficult implementation for a long time. I thought we were clear about this. The patch needs to be reworked to allow --key or key as 3rd parameter and one of the two is required. Am I missing something? Adam, didn't you just test the old patch that should have been withdrawn? > > > > The error doesn't get marshalled properly in JSON. 
> u May 26 15:44:44 2011] [error] ipa: INFO: admin at SERVER15.AYOUNG.BOSTON.DEVEL.REDHAT.COM: automountkey_find(u'default', u'auto.mnt', u'', all=False): SUCCESS
> [Thu May 26 15:44:46 2011] [error] ipa: ERROR: jsonserver.__call__():
> [Thu May 26 15:44:46 2011] [error] Traceback (most recent call last):
> [Thu May 26 15:44:46 2011] [error]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 248, in __call__
> [Thu May 26 15:44:46 2011] [error]     response = self.wsgi_execute(environ)
> [Thu May 26 15:44:46 2011] [error]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 230, in wsgi_execute
> [Thu May 26 15:44:46 2011] [error]     params = self.Command[name].args_options_2_params(*args, **options)
> [Thu May 26 15:44:46 2011] [error]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 483, in args_options_2_params
> [Thu May 26 15:44:46 2011] [error]     raise MaxArgumentError(name=self.name, count=self.max_args)
> [Thu May 26 15:44:46 2011] [error] MaxArgumentError: command 'automountkey_show' takes at most 2 arguments
> (END)
> _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -------------- next part -------------- An HTML attachment was scrubbed... URL: From ayoung at redhat.com Thu May 26 21:12:59 2011 
From: ayoung at redhat.com (Adam Young) Date: Thu, 26 May 2011 17:12:59 -0400 Subject: [Freeipa-devel] [PATCH] 788 remove automountinformation from automount dns In-Reply-To: <4DDEBF8E.2010101@redhat.com> References: <4DDAA9A7.6050302@redhat.com> <4DDEBD42.2000602@redhat.com> <4DDEBF8E.2010101@redhat.com> Message-ID: <4DDEC25B.8010904@redhat.com> On 05/26/2011 05:01 PM, Dmitri Pal wrote: > On 05/26/2011 04:51 PM, Adam Young wrote: >> On 05/23/2011 02:38 PM, Rob Crittenden wrote: >>> In an attempt to support multiple direct maps we always included the >>> automountinformation in the key dn. This makes showing keys >>> impossible, a bit of a catch-22. You want to get the mount info but >>> to get it you need the mount info. >>> >>> This patch drops requiring automountinfo but if provided it'll use >>> it to make the dn. This way we can have backwards compatibility for >>> any existing maps but going forward only direct maps will have the >>> info in it. >>> >>> --key is still required when dealing with keys, no way around that >>> without doing a major API change, migrating data, etc. >>> >>> ticket 1229 >>> >>> rob >>> >>> >>> _______________________________________________ >>> Freeipa-devel mailing list >>> Freeipa-devel at redhat.com >>> https://www.redhat.com/mailman/listinfo/freeipa-devel >> This approach still breaks many of the assumptions that the UI is >> built upon. First, the primary key is now description, which will >> look odd to people. Second, the methods for show, add, and delete >> will require custom code. I think that, if ever there was a time to >> break the automount scheme, it is up front now when we don't have >> that embedded a user base. I'd rather get it right this time around >> than have to support a difficult implementation for a long time. > > I thought we were clear about this. > The patch needs to be reworked to allow --key or key as 3rd parameter > and one of the two is required. > Am I missing something? 
> Adam didn't you just test the old patch that should have been withdrawn? There was nothing on the list under this patch, so I posted this. I decided to test it out to also see what happened. I told rcrit out of channel that I would see if I could make it work with this patch. The issue is not just the arguments, but also the fact that the pkey is the whole --key + --info combined into the description field. Thus, I think that just making the --key parameter optional is not sufficient. > >> The error doesn't get marshalled properly in JSON.
>> u May 26 15:44:44 2011] [error] ipa: INFO: admin at SERVER15.AYOUNG.BOSTON.DEVEL.REDHAT.COM: automountkey_find(u'default', u'auto.mnt', u'', all=False): SUCCESS
>> [Thu May 26 15:44:46 2011] [error] ipa: ERROR: jsonserver.__call__():
>> [Thu May 26 15:44:46 2011] [error] Traceback (most recent call last):
>> [Thu May 26 15:44:46 2011] [error]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 248, in __call__
>> [Thu May 26 15:44:46 2011] [error]     response = self.wsgi_execute(environ)
>> [Thu May 26 15:44:46 2011] [error]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 230, in wsgi_execute
>> [Thu May 26 15:44:46 2011] [error]     params = self.Command[name].args_options_2_params(*args, **options)
>> [Thu May 26 15:44:46 2011] [error]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 483, in args_options_2_params
>> [Thu May 26 15:44:46 2011] [error]     raise MaxArgumentError(name=self.name, count=self.max_args)
>> [Thu May 26 15:44:46 2011] [error] MaxArgumentError: command 'automountkey_show' takes at most 2 arguments
>> (END)
>> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel > > > -- > Thank you, > Dmitri Pal > > Sr. Engineering Manager IPA project, > Red Hat Inc. 
> > > ------------------------------- > Looking to carve out IT costs? > www.redhat.com/carveoutcosts/ > > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel -------------- next part -------------- An HTML attachment was scrubbed... URL: From ayoung at redhat.com Thu May 26 21:19:25 2011 From: ayoung at redhat.com (Adam Young) Date: Thu, 26 May 2011 17:19:25 -0400 Subject: [Freeipa-devel] Summary of Session discussion In-Reply-To: <4DDEBE85.7030503@redhat.com> References: <4DDE857E.8090304@redhat.com> <1306432904.9511.49.camel@willson.li.ssimo.org> <4DDE99BA.9030405@redhat.com> <1306435387.9511.62.camel@willson.li.ssimo.org> <4DDEBE85.7030503@redhat.com> Message-ID: <4DDEC3DD.1060608@redhat.com> On 05/26/2011 04:56 PM, Dmitri Pal wrote: > On 05/26/2011 02:43 PM, Simo Sorce wrote: >>> You can limit it to have one cursor open per session at a time so you >>>> can use it as session global. >> Dangerous. >> > I have seen Adam's response. > This functionality is easily extensible. You can start with one and then > add hash. > I do not see a use case in near future that would require more than one > cursor to be open at a time per session. > I am just voting for less work here as it can be enhanced when we need > more than one. > The term "Session global" is a little weird. If you mean that multiple requests in the same session can talk to the same cursor, then yes. Global implies multiple people can talk to it at once, and I do not mean that. So long as the cursor is "read only" it will not be a problem to share. If the user does a write, or wants to see changes that were made by other people, they need to explicitly refresh the cursor. As I said, getting this right requires thought, and should not be in the next release. From dpal at redhat.com Thu May 26 21:23:40 2011 
From: dpal at redhat.com (Dmitri Pal) Date: Thu, 26 May 2011 17:23:40 -0400 Subject: [Freeipa-devel] Summary of Session discussion In-Reply-To: <4DDEC3DD.1060608@redhat.com> References: <4DDE857E.8090304@redhat.com> <1306432904.9511.49.camel@willson.li.ssimo.org> <4DDE99BA.9030405@redhat.com> <1306435387.9511.62.camel@willson.li.ssimo.org> <4DDEBE85.7030503@redhat.com> <4DDEC3DD.1060608@redhat.com> Message-ID: <4DDEC4DC.5010005@redhat.com> On 05/26/2011 05:19 PM, Adam Young wrote: > The term "Session global" is a little weird. If you mean that > multiple requests in the same session can talk to the same cursor, > then yes. Global implies multiple people can talk to it at once, and > I do not mean that. One cursor per session. The session is per user per connection. It is one global cursor for a session, not a hash table or list of different cursors within a session. The latter IMO is not needed and an overhead. If you can't have a session per connection then you would have to do what Simo suggests. So this brings me to the next point: Do all connections from one host started by the same user share the same session? If this is the case then .... uh ... bad ... then the hash is in fact needed. But this is really scary... -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From ayoung at redhat.com Thu May 26 21:36:31 2011 
From: ayoung at redhat.com (Adam Young) Date: Thu, 26 May 2011 17:36:31 -0400 Subject: [Freeipa-devel] Summary of Session discussion In-Reply-To: <4DDEC4DC.5010005@redhat.com> References: <4DDE857E.8090304@redhat.com> <1306432904.9511.49.camel@willson.li.ssimo.org> <4DDE99BA.9030405@redhat.com> <1306435387.9511.62.camel@willson.li.ssimo.org> <4DDEBE85.7030503@redhat.com> <4DDEC3DD.1060608@redhat.com> <4DDEC4DC.5010005@redhat.com> Message-ID: <4DDEC7DF.6030602@redhat.com> On 05/26/2011 05:23 PM, Dmitri Pal wrote: > On 05/26/2011 05:19 PM, Adam Young wrote: >> The term "Session global" is a little weird. If you mean that >> multiple requests in the same session can talk to the same cursor, >> then yes. Global implies multiple people can talk to it at once, and >> I do not mean that. > One cursor per session. The session is per user per connection. It is > one global cursor for a session, not a hash table or list of different > cursors within a session. The latter IMO is not needed and an overhead. > If you can't have a session per connection then you would have to do what > Simo suggests. > > So this brings me to the next point: Do all connections from one host > started by the same user share the same session? If this is the case > then .... uh ... bad ... then the hash is in fact needed. But this is > really scary... > That is the usual implementation. If I have a browser open, I want all of the requests made from that browser to go through the same session. If I have two browsers, say firefox and chrome, then they will have two different sessions. HTTP does not maintain a connection across multiple requests...with a few exceptions, mostly to streamline the download of graphics etc for a single page. From a WebUI perspective, each JSON request would want to use the same session. From rcritten at redhat.com Thu May 26 21:34:19 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 26 May 2011 17:34:19 -0400 Subject: [Freeipa-devel] Summary of Session discussion In-Reply-To: <4DDEC4DC.5010005@redhat.com> References: <4DDE857E.8090304@redhat.com> <1306432904.9511.49.camel@willson.li.ssimo.org> <4DDE99BA.9030405@redhat.com> <1306435387.9511.62.camel@willson.li.ssimo.org> <4DDEBE85.7030503@redhat.com> <4DDEC3DD.1060608@redhat.com> <4DDEC4DC.5010005@redhat.com> Message-ID: <4DDEC75B.5080805@redhat.com> Dmitri Pal wrote: > On 05/26/2011 05:19 PM, Adam Young wrote: >> The term "Session global" is a little weird. If you mean that >> multiple requests in the same session can talk to the same cursor, >> then yes. Global implies multiple people can talk to it at once, and >> I do not mean that. > > One cursor per session. The session is per user per connection. It is > one global cursor for a session not a hash table or list of different > cursors within a session. The latter IMO is not needed and an overhead. > If you can't have session per connection then you would have to do what > Simo suggests. > > So this brings me to the next point: Are all connections from one host > started by the same user share the same session? If this is the case > then .... uh ... bad ... than the hash is in fact needed. But this is > really scary... > Each new connection gets its own cookie (e.g. you don't pass a cookie in then you get one once you authenticate). To be honest, I was thinking about using the mod_session module but since we have only Apache 2.2.x it isn't available. We'll need to see what is available in the 2.x line. rob From edewata at redhat.com Thu May 26 22:24:35 2011 
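Added example, not code from this thread and not the FreeIPA session layer: a Python server-side session store for the windowed search described in item 4 of the summary and argued over in the exchange above. It keeps a cursor per (session, query fingerprint) rather than one session-global cursor, so two paginated searches in the same browser session cannot consume each other's window; each cursor is a read-only sorted snapshot that is only replaced by an explicit refresh, as Adam describes; and an idle timeout drops the session with everything in it, the same mechanism the summary proposes for orphaned uploads. `run_search`, the sample entries, `SessionCursorStore` and `demo` are assumptions standing in for the LDAP search and the real session code.

```python
import hashlib
import json
import secrets
import time


class SessionError(Exception):
    """Raised for an unknown or expired session id."""


def run_search(entries, query):
    """Stand-in for the LDAP search behind the 'find' commands: an equality
    filter on one attribute, sorted by another. Hypothetical, not the IPA API."""
    attr, value = query["filter"]
    hits = [e for e in entries if e.get(attr) == value]
    return sorted(hits, key=lambda e: e[query["sort"]])


def query_fingerprint(query):
    """Stable identifier for a query, so a cursor is bound to the query it was
    opened for rather than to the session as a whole."""
    canonical = json.dumps(query, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class Cursor:
    """Read-only sorted snapshot of one query's results. Windows are served
    from the snapshot; writes by anyone stay invisible until refresh()."""

    def __init__(self, entries, query):
        self.query = query
        self.snapshot = run_search(entries, query)

    def window(self, offset, size):
        if offset < 0 or size <= 0:
            raise ValueError("offset must be >= 0 and size > 0")
        return self.snapshot[offset:offset + size]


class SessionCursorStore:
    """Server-side session state keyed by an unguessable session id. Each
    session holds cursors keyed by query fingerprint; idle sessions (and every
    cursor in them) are dropped after `ttl` seconds."""

    def __init__(self, entries, ttl=300, clock=time.monotonic):
        self.entries = entries
        self.ttl = ttl
        self._clock = clock
        self._sessions = {}  # sid -> {"last": float, "cursors": {fp: Cursor}}

    def new_session(self):
        # 256-bit random id, never derived from the user name or principal
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"last": self._clock(), "cursors": {}}
        return sid

    def _expire(self):
        now = self._clock()
        stale = [s for s, v in self._sessions.items() if now - v["last"] > self.ttl]
        for sid in stale:
            del self._sessions[sid]

    def _touch(self, sid):
        self._expire()
        sess = self._sessions.get(sid)
        if sess is None:
            raise SessionError("unknown or expired session")
        sess["last"] = self._clock()
        return sess

    def window(self, sid, query, offset, size):
        """`size` entries of the sorted result for `query` from `offset`,
        reusing this session's cursor for that query when one exists."""
        sess = self._touch(sid)
        fp = query_fingerprint(query)
        cur = sess["cursors"].get(fp)
        if cur is None:
            cur = sess["cursors"][fp] = Cursor(self.entries, query)
        return cur.window(offset, size)

    def refresh(self, sid, query):
        """Drop the cached snapshot so the next window re-runs the search."""
        self._touch(sid)["cursors"].pop(query_fingerprint(query), None)

    def open_cursors(self, sid):
        return len(self._touch(sid)["cursors"])


# Constructed sample entries standing in for directory users; not real data.
SAMPLE_ENTRIES = [
    {"uid": "alice", "sn": "Anderson", "ou": "eng"},
    {"uid": "bob", "sn": "Baker", "ou": "sales"},
    {"uid": "carol", "sn": "Clark", "ou": "eng"},
    {"uid": "dave", "sn": "Davis", "ou": "eng"},
    {"uid": "erin", "sn": "Evans", "ou": "sales"},
    {"uid": "frank", "sn": "Frost", "ou": "eng"},
]


def demo():
    """Two interleaved paginated searches in one session."""
    store = SessionCursorStore(list(SAMPLE_ENTRIES), ttl=300)
    sid = store.new_session()
    eng = {"filter": ["ou", "eng"], "sort": "sn"}
    sales = {"filter": ["ou", "sales"], "sort": "sn"}
    page1 = [e["uid"] for e in store.window(sid, eng, 0, 2)]
    other = [e["uid"] for e in store.window(sid, sales, 0, 2)]
    page2 = [e["uid"] for e in store.window(sid, eng, 2, 2)]
    return page1, other, page2, store.open_cursors(sid)
```

With a single session-global cursor the third call in `demo` would return page 2 of the sales query, not of the engineering one; keying by fingerprint costs one dict per session and avoids that class of bug. The session id is what the cookie would carry, so it has to be random and high-entropy, and anything sensitive (the cached LDAP ticket from item 2, for instance) stays server-side in the session record.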
From: edewata at redhat.com (Endi Sukma Dewata) Date: Thu, 26 May 2011 17:24:35 -0500 Subject: [Freeipa-devel] [PATCH] 166 Fixed URL parameter parsing. Message-ID: <4DDED323.705@redhat.com> The $.bbq.getState() invocations have been modified not to coerce URL parameter values to avoid parsing error. Ticket #1208 -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0166-Fixed-URL-parameter-parsing.patch Type: text/x-patch Size: 20856 bytes Desc: not available URL: From ayoung at redhat.com Fri May 27 00:30:45 2011 From: ayoung at redhat.com (Adam Young) Date: Thu, 26 May 2011 20:30:45 -0400 Subject: [Freeipa-devel] [PATCH] 166 Fixed URL parameter parsing. In-Reply-To: <4DDED323.705@redhat.com> References: <4DDED323.705@redhat.com> Message-ID: <4DDEF0B5.3030308@redhat.com> On 05/26/2011 06:24 PM, Endi Sukma Dewata wrote: > The $.bbq.getState() invocations have been modified not to coerce > URL parameter values to avoid parsing error. > > Ticket #1208 > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel Shouldn't we replace most of these with something along the lines of: that.entity.get_primary_key() -------------- next part -------------- An HTML attachment was scrubbed... URL: From ayoung at redhat.com Fri May 27 00:44:10 2011 
From: ayoung at redhat.com (Adam Young) Date: Thu, 26 May 2011 20:44:10 -0400 Subject: [Freeipa-devel] [PATCH] 166 Fixed URL parameter parsing. In-Reply-To: <4DDEF0B5.3030308@redhat.com> References: <4DDED323.705@redhat.com> <4DDEF0B5.3030308@redhat.com> Message-ID: <4DDEF3DA.7010703@redhat.com> On 05/26/2011 08:30 PM, Adam Young wrote: > On 05/26/2011 06:24 PM, Endi Sukma Dewata wrote: >> The $.bbq.getState() invocations have been modified not to coerce >> URL parameter values to avoid parsing error. >> >> Ticket #1208 >> >> >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel > Shouldn't we replace most of these with something along the lines of: > > that.entity.get_primary_key() > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel Regardless, it works, and that fix could be done later. ACK -------------- next part -------------- An HTML attachment was scrubbed... URL: From ayoung at redhat.com Fri May 27 00:44:55 2011 
From: ayoung at redhat.com (Adam Young) Date: Thu, 26 May 2011 20:44:55 -0400 Subject: [Freeipa-devel] [PATCH] 166 Fixed URL parameter parsing. In-Reply-To: <4DDEF0B5.3030308@redhat.com> References: <4DDED323.705@redhat.com> <4DDEF0B5.3030308@redhat.com> Message-ID: <4DDEF407.4000209@redhat.com> On 05/26/2011 08:30 PM, Adam Young wrote: > On 05/26/2011 06:24 PM, Endi Sukma Dewata wrote: >> The $.bbq.getState() invocations have been modified not to coerce >> URL parameter values to avoid parsing error. >> >> Ticket #1208 >> >> >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel > Shouldn't we replace most of these with something along the lines of: > > that.entity.get_primary_key() > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel Pushed to Master -------------- next part -------------- An HTML attachment was scrubbed... URL: From ayoung at redhat.com Fri May 27 01:39:14 2011 
From: ayoung at redhat.com (Adam Young) Date: Thu, 26 May 2011 21:39:14 -0400 Subject: [Freeipa-devel] See key for indirect map? Message-ID: <4DDF00C2.3090101@redhat.com> I created an indirect map, but it seems to have no keys associated with it. What am I missing? How do I see the mount point?
[root at server15 freeipa]# ipa automountmap-add-indirect BOS auto.media
Mount point: /mnt
Map: auto.media
[root at server15 freeipa]# ipa automountmap-show BOS auto.media
Map: auto.media
[root at server15 freeipa]# ipa automountmap-show BOS auto.media --all
dn: automountmapname=auto.media,cn=bos,cn=automount,dc=server15,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com
Map: auto.media
objectclass: automountmap, top
[root at server15 freeipa]# ipa automountkey-find BOS auto.media --all
----------------------------
Number of entries returned 0
----------------------------
[root at server15 freeipa]#
From rcritten at redhat.com Fri May 27 02:39:17 2011 
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 26 May 2011 22:39:17 -0400
Subject: [Freeipa-devel] [PATCH] 069 Improve interactive mode for DNS plugin
In-Reply-To: <1306413148.2330.8.camel@dhcp-25-52.brq.redhat.com>
References: <1306413148.2330.8.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4DDF0ED5.20904@redhat.com>

Martin Kosek wrote:
> Interactive mode for commands manipulating DNS records
> (dnsrecord-add, dnsrecord-del) is not usable. This patch enhances
> the server framework with a new callback for interactive mode, which
> can be used by commands to inject their own interactive handling.
>
> The callback is then used to improve the aforementioned commands'
> interactive mode.
>
> https://fedorahosted.org/freeipa/ticket/1018

This works pretty nicely but it seems like with just a bit more it can be
great.

Can you add some doc examples for how this works?

And you display the records now and then prompt for each to delete. Can
you combine the two?

For example:

ipa dnsrecord-del greyoak.com lion
No option to delete specific record provided.
Delete all? Yes/No (default No):
Current DNS record contents:

A record: 192.168.166.32

Enter value(s) to remove:
[A record]:

If we know there is a record why not just prompt for each value yes/no
to delete?

The yes/no function needs more documentation on what default does too.
It appears that the possible values are None/True/False and that None
means that '' can be returned (which could still be evaluated as False
if this isn't used right).

rob

From mkosek at redhat.com Fri May 27 07:40:54 2011
From: mkosek at redhat.com (Martin Kosek) Date: Fri, 27 May 2011 09:40:54 +0200 Subject: [Freeipa-devel] [PATCH] 069 Improve interactive mode for DNS plugin In-Reply-To: <4DDF0ED5.20904@redhat.com> References: <1306413148.2330.8.camel@dhcp-25-52.brq.redhat.com> <4DDF0ED5.20904@redhat.com> Message-ID: <1306482057.3416.7.camel@dhcp-25-52.brq.redhat.com> On Thu, 2011-05-26 at 22:39 -0400, Rob Crittenden wrote: > Martin Kosek wrote: > > Interactive mode for commands manipulating with DNS records > > (dnsrecord-add, dnsrecord-del) is not usable. This patch enhances > > the server framework with new callback for interactive mode, which > > can be used by commands to inject their own interactive handling. > > > > The callback is then used to improve aforementioned commands' > > interactive mode. > > > > https://fedorahosted.org/freeipa/ticket/1018 > > This works pretty nicely but it seems like with just a bit more it can > be great. > > Can you add some doc examples for how this works? Done. At least user will know that we have a feature like that to offer. > > And you display the records now and then prompt for each to delete. Can > you combine the two? > > For example: > > ipa dnsrecord-del greyoak.com lion > No option to delete specific record provided. > Delete all? Yes/No (default No): > Current DNS record contents: > > A record: 192.168.166.32 > > Enter value(s) to remove: > [A record]: > > If we know there is an record why not just prompt for each value yes/no > to delete? Actually, this is a very good idea, I like it. I updated the patch so that the user can only do yes/no decision in ipa dnsrecord-del interactive mode. This makes dnsrecord-del interactive mode very usable. > > The yes/no function needs more documentation on what default does too. > It appears that the possible values are None/True/False and that None > means that '' can be returned (which could still be evaluated as False > if this isn't used right). Done. 
'' shouldn't be returned as I return the value of "default" if it is not
None. But yes, it needed more documenting.

Updated patch is attached. It may need some language corrections, I am no
native speaker.

Martin

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-069-2-improve-interactive-mode-for-dns-plugin.patch
Type: text/x-patch
Size: 18138 bytes
Desc: not available
URL:

From mkosek at redhat.com Fri May 27 07:53:14 2011
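The yes/no prompt semantics Rob asked about in the 069 thread above (a default of None/True/False, and what an empty answer returns) and Martin's per-record yes/no deletion flow, as an added example. This is not FreeIPA's code; the record model ({record type: [values]}), the `prompt_yesno`/`select_values_to_delete` names and the injectable `ask` callable are this example's own assumptions, chosen so the logic runs without a terminal.

```python
"""Added example (not FreeIPA code) for the yes/no prompt semantics and the
per-record confirmation discussed in the patch 069 thread.

Assumptions: DNS records are modelled as {record type: [values]} and user
input comes through an injectable callable, so the logic runs without a tty.
"""
from typing import Callable, Dict, List, Optional

YES = ("y", "yes")
NO = ("n", "no")


def prompt_yesno(label: str, default: Optional[bool] = None,
                 ask: Callable[[str], str] = input) -> Optional[bool]:
    """Ask a yes/no question and return True, False or None.

    default=True   an empty answer means "yes"
    default=False  an empty answer means "no"
    default=None   no default: an empty answer returns None, never '', so a
                   caller must test ``is None``; a plain truth test would
                   silently read "no answer" as "no".
    Anything else is asked again.
    """
    hint = {True: "Yes/No (default Yes)", False: "Yes/No (default No)",
            None: "Yes/No"}[default]
    while True:
        answer = ask("%s %s: " % (label, hint)).strip().lower()
        if answer == "":
            return default
        if answer in YES:
            return True
        if answer in NO:
            return False


def select_values_to_delete(records: Dict[str, List[str]],
                            ask: Callable[[str], str] = input
                            ) -> Dict[str, List[str]]:
    """Confirm every record value individually; the default is always "No",
    so repeatedly pressing Enter deletes nothing."""
    to_delete: Dict[str, List[str]] = {}
    for rtype, values in sorted(records.items()):
        for value in values:
            if prompt_yesno("Delete %s record %s?" % (rtype, value),
                            default=False, ask=ask):
                to_delete.setdefault(rtype, []).append(value)
    return to_delete


def scripted(answers: List[str]) -> Callable[[str], str]:
    """An ``ask`` stand-in that returns canned answers, then empty strings."""
    queue = list(answers)
    return lambda prompt: queue.pop(0) if queue else ""


if __name__ == "__main__":
    # Constructed record set for one host name.
    recs = {"A": ["192.168.166.32", "192.168.166.33"], "TXT": ["v=spf1 -all"]}
    print(select_values_to_delete(recs, ask=scripted(["y", "", "no"])))
```

The point of returning the `default` object itself rather than the raw answer is that a caller who passed `default=None` gets `None` back and can tell "no answer" from "no"; the destructive path defaults to `False` so that an inattentive Enter never deletes a record.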
From: mkosek at redhat.com (Martin Kosek) Date: Fri, 27 May 2011 09:53:14 +0200 Subject: [Freeipa-devel] [PATCH] 069 Improve interactive mode for DNS plugin In-Reply-To: <4DDEA35E.5060903@redhat.com> References: <1306413148.2330.8.camel@dhcp-25-52.brq.redhat.com> <4DDEA35E.5060903@redhat.com> Message-ID: <1306482796.3416.11.camel@dhcp-25-52.brq.redhat.com> On Thu, 2011-05-26 at 21:00 +0200, Jan Cholasta wrote: > On 26.5.2011 14:32, Martin Kosek wrote: > > Interactive mode for commands manipulating with DNS records > > (dnsrecord-add, dnsrecord-del) is not usable. This patch enhances > > the server framework with new callback for interactive mode, which > > can be used by commands to inject their own interactive handling. > > > > The callback is then used to improve aforementioned commands' > > interactive mode. > > > > https://fedorahosted.org/freeipa/ticket/1018 > > > > ACK, works fine. > > Just a minor thing: > > $ git apply > freeipa-mkosek-069-improve-interactive-mode-for-dns-plugin.patch > freeipa-mkosek-069-improve-interactive-mode-for-dns-plugin.patch:33: > trailing whitespace. > > freeipa-mkosek-069-improve-interactive-mode-for-dns-plugin.patch:41: > trailing whitespace. > > freeipa-mkosek-069-improve-interactive-mode-for-dns-plugin.patch:289: > trailing whitespace. > > freeipa-mkosek-069-improve-interactive-mode-for-dns-plugin.patch:193: > new blank line at EOF. > + > warning: 4 lines add whitespace errors. > > Honza > Yeah, I fixed these. Nothing in my workflow reports me such errors, I must enhance my .vimrc to do it for me. Martin From mkosek at redhat.com Fri May 27 10:06:08 2011 
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 27 May 2011 12:06:08 +0200
Subject: [Freeipa-devel] [PATCH] 791 don't add IP address when creating zone
In-Reply-To: <4DDEA5C5.1080101@redhat.com>
References: <4DDEA5C5.1080101@redhat.com>
Message-ID: <1306490775.3416.25.camel@dhcp-25-52.brq.redhat.com>

On Thu, 2011-05-26 at 15:11 -0400, Rob Crittenden wrote:
> When creating a DNS zone if an IP address was passed in that address was
> added to the record of the IPA server.
>
> This was causing problems when creating new reverse zones for different
> subnets with ipa-replica-prepare. If you passed in --ip_address then a
> new reverse DNS zone would be created and the new IP would be added to
> the IPA master. Installing the replica file would fail with odd errors.
>
> ticket 1223
>
> rob

NACK. This breaks the current --ip-address option functionality for
dnszone-add added in ticket #838. It is a shortcut to add a new zone with
a non-resolvable name server and the A/AAAA record of the new name server
at the same time.

This is the behavior with your patch (ns.example.com is not resolvable):

# ipa dnszone-add example.com --name-server=ns.example.com --admin-email=admin@example.com --ip-address=1.2.3.4
  Zone name: example.com
  Authoritative nameserver: ns.example.com.
  Administrator e-mail address: admin.example.com.
  SOA serial: 2011270501
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE
  Dynamic update: FALSE
# ipa dnsrecord-show example.com ns
ipa: ERROR: ns: DNS resource record not found

And without it:

# ipa dnszone-add example2.com --name-server=ns.example2.com --admin-email=admin@example2.com --ip-address=1.2.3.4
  Zone name: example2.com
  Authoritative nameserver: ns.example2.com.
  Administrator e-mail address: admin.example2.com.
  SOA serial: 2011270501
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE
  Dynamic update: FALSE
# ipa dnsrecord-show example2.com ns
  Record name: ns
  A record: 1.2.3.4

I think all we have to do is to fix ipa-replica-prepare:

...
    if options.ip_address:
        print "Adding DNS records for %s" % replica_fqdn
        api.Backend.ldap2.connect(bind_dn="cn=Directory Manager", bind_pw=dirman_password)

        domain = replica_fqdn.split(".")
        name = domain.pop(0)
        domain = ".".join(domain)

        zone = add_zone(domain, nsaddr=options.ip_address)
        add_rr(zone, name, "A", options.ip_address)
        add_reverse_zone(options.ip_address)    <== BUG
        add_ptr_rr(options.ip_address, replica_fqdn)

Currently, we are adding a reverse zone with a name server IP address
pointing to the new replica instead of the current master. And this is
just wrong.

Martin

From mkosek at redhat.com Fri May 27 13:24:48 2011
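An added example, not FreeIPA's code, modelling the zone bookkeeping in the ipa-replica-prepare excerpt Martin quotes in the 791 thread above. It reproduces the effect he describes (the replica's address passed as `nsaddr` for a newly created reverse zone becomes an A record of the master) and the call that avoids it. The in-memory store, the hostnames and addresses, the /24 reverse zone and the behaviour that `add_zone` leaves an existing zone untouched are this example's assumptions; only the `nsaddr` semantics (the new zone's NS is the master and `nsaddr` publishes an A record for that NS) are taken from the discussion.

```python
"""Added example, not FreeIPA code: an in-memory model of the zone bookkeeping
in the ipa-replica-prepare excerpt quoted above. It shows why passing the
replica's address as ``nsaddr`` when creating the reverse zone ends up as an
A record on the master, and the call that avoids it.

Assumptions (illustrative, not taken from FreeIPA): the store, the hostnames,
that ``add_zone`` is a no-op for a zone that already exists, and that the
reverse zone is the /24 containing the address. The ``nsaddr`` semantics are
the ones the thread describes: the new zone's name server is the master, and
``nsaddr`` adds an A/AAAA record for that name server.
"""
import ipaddress
from typing import Dict, List, Optional

Zone = Dict[str, List[str]]  # "<owner> <TYPE>" -> list of values


class DnsStore:
    def __init__(self, master_fqdn: str, master_ip: str) -> None:
        self.master_fqdn = master_fqdn
        self.master_short, self.master_zone = master_fqdn.split(".", 1)
        self.zones: Dict[str, Zone] = {}
        self.add_zone(self.master_zone)
        self.add_rr(self.master_zone, self.master_short, "A", master_ip)

    def add_rr(self, zone: str, owner: str, rtype: str, value: str) -> None:
        key = "%s %s" % (owner, rtype)
        self.zones.setdefault(zone, {}).setdefault(key, []).append(value)

    def add_zone(self, name: str, nsaddr: Optional[str] = None) -> str:
        """Create ``name`` with the master as its NS. With ``nsaddr`` set,
        also publish an A record for the master under that address (the
        dnszone-add --ip-address shortcut for a not-yet-resolvable NS)."""
        if name in self.zones:          # assumption: existing zone untouched
            return name
        self.zones[name] = {}
        self.add_rr(name, "@", "NS", self.master_fqdn + ".")
        if nsaddr is not None:
            self.add_rr(self.master_zone, self.master_short, "A", nsaddr)
        return name

    def add_reverse_zone(self, ip: str, nsaddr: Optional[str] = None) -> str:
        # /24 reverse zone: drop the host label from the reverse pointer.
        labels = ipaddress.ip_address(ip).reverse_pointer.split(".")[1:]
        return self.add_zone(".".join(labels), nsaddr=nsaddr)

    def master_a_records(self) -> List[str]:
        return list(self.zones[self.master_zone].get(self.master_short + " A", []))


def prepare_replica(store: DnsStore, replica_fqdn: str, replica_ip: str,
                    buggy: bool) -> None:
    """The record-adding steps of the excerpt. The forward zone already exists
    (same domain as the master), so its ``nsaddr`` is ignored; the reverse
    zone for a new subnet does not exist yet, so there ``nsaddr`` takes effect."""
    name, domain = replica_fqdn.split(".", 1)
    zone = store.add_zone(domain, nsaddr=replica_ip)
    store.add_rr(zone, name, "A", replica_ip)
    if buggy:
        rev = store.add_reverse_zone(replica_ip, nsaddr=replica_ip)  # <== the bug
    else:
        rev = store.add_reverse_zone(replica_ip)  # master NS already resolvable
    host_label = ipaddress.ip_address(replica_ip).reverse_pointer.split(".")[0]
    store.add_rr(rev, host_label, "PTR", replica_fqdn + ".")


def master_addresses_after_prepare(buggy: bool) -> List[str]:
    # Constructed hosts and addresses: master on 10.0.1.0/24, replica on 10.0.2.0/24.
    store = DnsStore("master.example.test", "10.0.1.10")
    prepare_replica(store, "replica.example.test", "10.0.2.20", buggy=buggy)
    return store.master_a_records()


if __name__ == "__main__":
    print("buggy:", master_addresses_after_prepare(True))
    print("fixed:", master_addresses_after_prepare(False))
```

Running it shows the master carrying both its own and the replica's address in the buggy variant, which is exactly the "corrupted" master record the thread attributes to the stray `nsaddr`; the forward-zone call is harmless only because that zone already exists.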
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 27 May 2011 15:24:48 +0200
Subject: [Freeipa-devel] [PATCH] 784 limit what attributes may be modified
In-Reply-To: <4DD19B4A.4090203@redhat.com>
References: <4DD19B4A.4090203@redhat.com>
Message-ID: <1306502690.10180.8.camel@dhcp-25-52.brq.redhat.com>

On Mon, 2011-05-16 at 17:46 -0400, Rob Crittenden wrote:
> Add option to limit the attributes allowed in an entry.
>
> Kerberos ticket policy can update policy in a user entry. This allowed
> set/addattr to be used to modify attributes outside of the ticket policy
> purview, also bypassing all validation/normalization. Likewise the
> ticket policy was updatable by the user plugin bypassing all validation.
>
> Add two new LDAPObject values to control this behavior:
>
> limit_object_classes: only attributes in these are allowed
> disallow_object_classes: attributes in these are disallowed
>
> By default both of these lists are empty so are skipped.
>
> ticket 744
>
> rob

NACK. I have some concerns with this patch. In function
_check_limit_object_class:

1) You change the input attribute 'attrs' by removing the items from it. If
the user passes the same list of attrs to be checked and the function is run
twice, the 'attrs' parameter in the second run is corrupt.

You can try it by running e.g. `ipa krbtpolicy-mod --maxrenew=24044' and
checking the value of this parameter in the function.

2) The purpose of this statement is not clear to me:
+        if len(attrs) > 0 and allow_only:
+            raise errors.ObjectclassViolation(info='attribute "%(attribute)s" not allowed' % dict(attribute=attrs[0]))
Maybe just the exception text is misleading.

Otherwise it's good, it correctly raised an exception when I tried to
misuse the --setattr option.

Martin

From mkosek at redhat.com Fri May 27 13:43:50 2011
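An added example for the patch 784 discussion above: a check in the spirit of the `limit_object_classes` / `disallow_object_classes` options Rob describes, written so that it only reads the caller's attribute list (Martin's point 1) and so that the "allow only" mode rejects whatever is left over after the permitted attributes are accounted for. This is not FreeIPA's code: the schema is a constructed, much-reduced mapping of object class to attribute names (the real check consults the LDAP schema), and the `krbtpolicy_mod`/`user_mod` functions are illustrative stand-ins for the two plugins.

```python
"""Added example (not FreeIPA code): an attribute check in the spirit of the
limit_object_classes / disallow_object_classes options discussed above, written
so that it does not modify the caller's attribute list.

Assumptions: the schema is a constructed, much-reduced mapping of object class
to attribute names (the real check consults the LDAP schema); attribute names
compare case-insensitively as in LDAP; class, function and attribute names
here are illustrative.
"""
from typing import Dict, Iterable, List, Set


class ObjectclassViolation(Exception):
    pass


SCHEMA: Dict[str, List[str]] = {
    "krbticketpolicyaux": ["krbmaxticketlife", "krbmaxrenewableage"],
    "posixaccount": ["uid", "uidnumber", "gidnumber", "homedirectory",
                     "loginshell", "userpassword"],
    "inetorgperson": ["cn", "sn", "givenname", "mail"],
}


def attributes_of(objectclasses: Iterable[str]) -> Set[str]:
    """Lower-cased attribute names carried by the given object classes."""
    names: Set[str] = set()
    for oc in objectclasses:
        names.update(a.lower() for a in SCHEMA.get(oc.lower(), []))
    return names


def check_limit_object_class(objectclasses: Iterable[str],
                             attrs: Iterable[str], allow_only: bool) -> None:
    """Two modes, as described in the thread.

    allow_only=True   every name in ``attrs`` must belong to one of the
                      ``objectclasses``; whatever is left over is rejected.
    allow_only=False  no name in ``attrs`` may belong to them.

    ``attrs`` is only read, so calling this twice with the same list is safe.
    """
    objectclasses = list(objectclasses)
    known = attributes_of(objectclasses)
    if allow_only:
        leftover = [a for a in attrs if a.lower() not in known]
        if leftover:
            raise ObjectclassViolation(
                'attribute "%s" not allowed: not part of %s'
                % (leftover[0], ", ".join(objectclasses)))
    else:
        forbidden = [a for a in attrs if a.lower() in known]
        if forbidden:
            raise ObjectclassViolation(
                'attribute "%s" must be changed through its own plugin'
                % forbidden[0])


def krbtpolicy_mod(setattr: Dict[str, str]) -> Dict[str, str]:
    """Model of the ticket-policy modify command: only ticket-policy
    attributes may be touched, so --setattr/--addattr cannot reach the rest
    of the user entry and bypass that entry's validation."""
    attrs = list(setattr)
    check_limit_object_class(["krbticketpolicyaux"], attrs, allow_only=True)
    # Second pass over the same list: still intact, still passes.
    check_limit_object_class(["krbticketpolicyaux"], attrs, allow_only=True)
    return dict(setattr)


def user_mod(setattr: Dict[str, str]) -> Dict[str, str]:
    """Model of the user modify command: ticket-policy attributes are refused
    here, so they always go through the ticket policy plugin."""
    check_limit_object_class(["krbticketpolicyaux"], list(setattr),
                             allow_only=False)
    return dict(setattr)


if __name__ == "__main__":
    print(krbtpolicy_mod({"krbmaxrenewableage": "24044"}))
    try:
        krbtpolicy_mod({"krbmaxrenewableage": "24044", "userPassword": "x"})
    except ObjectclassViolation as e:
        print("rejected:", e)
```

The "leftover" list is what the `len(attrs) > 0 and allow_only` test in the reviewed hunk is checking for; building it as a fresh list instead of popping from `attrs` is what keeps a repeated call from seeing a corrupted parameter.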
From: mkosek at redhat.com (Martin Kosek) Date: Fri, 27 May 2011 15:43:50 +0200 Subject: [Freeipa-devel] [PATCH] 787 Don't load LDAP schema at startup In-Reply-To: <4DDAB0F8.2090205@redhat.com> References: <4DD573CC.6080107@redhat.com> <4DDAB0F8.2090205@redhat.com> Message-ID: <1306503833.10180.9.camel@dhcp-25-52.brq.redhat.com> On Mon, 2011-05-23 at 15:09 -0400, Rob Crittenden wrote: > Rob Crittenden wrote: > > Do a lazy retrieval of the LDAP schema rather than at module load. > > > > Attempt to retrieve the schema the first time it is needed rather than > > when Apache is started. A global copy is cached for future requests for > > performance reasons. > > > > The schema will be retrieved once per Apache child process. > > > > ticket 583 > > > > This replaces Jan's patch titled "Don't load the LDAP schema during > > startup" > > > > rob > > Updated patch. This removes a debugging statement I left in and forces a > schema load in a couple of other places in baseldap. > > This relies on patch 784 to apply. > > rob ACK. Looks good to me. No suspicious test failures too. Martin From jcholast at redhat.com Fri May 27 14:47:33 2011 
From: jcholast at redhat.com (Jan Cholasta) Date: Fri, 27 May 2011 16:47:33 +0200 Subject: [Freeipa-devel] [PATCH] 18 Parse netmasks in IP addresses passed to server install In-Reply-To: <4DDBB4F1.1050909@redhat.com> References: <4DC97E8B.8050904@redhat.com> <4DD6B2A5.3010507@redhat.com> <4DDBB4F1.1050909@redhat.com> Message-ID: <4DDFB985.2040706@redhat.com> On 24.5.2011 15:38, Jan Cholasta wrote: > On 20.5.2011 20:27, Jan Cholasta wrote: >> On 10.5.2011 20:06, Jan Cholasta wrote: >>> Parse netmasks in IP addresses passed to server install. >>> >>> ticket 1212 >> >> Patch updated. >> >> TODO: Write unit test for ipapython.ipautil.CheckedIPAddress >> TODO: Clean unreachable code paths off of ipa-server-install (?) >> TODO: Workarounds for netaddr bugs (?) >> >> >> >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel > > Fixed ipa-replica-prepare and added a unit test. > Another update. Honza -- Jan Cholasta -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jcholast-18.3-parse-netmask.patch Type: text/x-patch Size: 20542 bytes Desc: not available URL: From jcholast at redhat.com Fri May 27 14:49:34 2011 
From: jcholast at redhat.com (Jan Cholasta) Date: Fri, 27 May 2011 16:49:34 +0200 Subject: [Freeipa-devel] [PATCH] 3 Add ability to specify netmask with IP addresses during installation In-Reply-To: <4DD6B2FD.80204@redhat.com> References: <4D9068E5.6090209@redhat.com> <4D90920E.3080900@redhat.com> <4D91DD15.8020109@redhat.com> <4D91DDA6.2060304@redhat.com> <4D923DCA.1030900@redhat.com> <4D930AAD.9020209@redhat.com> <4D9F1AFA.8000305@redhat.com> <4DA2DC6F.1000105@redhat.com> <4DA58644.3020506@redhat.com> <4DAF3D5A.7080300@redhat.com> <4DAFDE65.5050100@redhat.com> <4DC97F9F.5030103@redhat.com> <1305122338.4961.23.camel@dhcp-25-52.brq.redhat.com> <4DCBD6FF.7050103@redhat.com> <4DD6B2FD.80204@redhat.com> Message-ID: <4DDFB9FE.6080006@redhat.com> On 20.5.2011 20:29, Jan Cholasta wrote: > On 12.5.2011 14:47, Jan Cholasta wrote: >> >> Rewrote host.py so that it doesn't use get_reverse_zone from >> ipaserver.bindinstance (which fixes the pylint errors). >> >> Honza >> > > Patch updated. Requires patch 18.1. > Another update, requires patch 18.3. Honza -- Jan Cholasta -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jcholast-3.8-reverse-zone.patch Type: text/x-patch Size: 15269 bytes Desc: not available URL: From jcholast at redhat.com Fri May 27 14:50:59 2011 
From: jcholast at redhat.com (Jan Cholasta) Date: Fri, 27 May 2011 16:50:59 +0200 Subject: [Freeipa-devel] [PATCH] 19 Do stricter checking of IP addressed passed to server install In-Reply-To: <1306309613.18222.10.camel@dhcp-25-52.brq.redhat.com> References: <4DC97FEC.1000005@redhat.com> <1305559608.30122.30.camel@dhcp-25-52.brq.redhat.com> <4DD15BA1.5080004@redhat.com> <1305708694.22796.60.camel@dhcp-25-52.brq.redhat.com> <4DD6B42F.6040507@redhat.com> <1306241018.2514.54.camel@dhcp-25-52.brq.redhat.com> <4DDBA82F.8040105@redhat.com> <4DDBB5DF.2080908@redhat.com> <1306309613.18222.10.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4DDFBA53.1060703@redhat.com> On 25.5.2011 09:46, Martin Kosek wrote: > On Tue, 2011-05-24 at 15:42 +0200, Jan Cholasta wrote: >> On 24.5.2011 14:44, Jan Cholasta wrote: >>> On 24.5.2011 14:43, Martin Kosek wrote: >>>> On Fri, 2011-05-20 at 20:34 +0200, Jan Cholasta wrote: >>>>> On 18.5.2011 10:51, Martin Kosek wrote: >>>>>> On Mon, 2011-05-16 at 19:15 +0200, Jan Cholasta wrote: >>>>>>> On 16.5.2011 17:26, Martin Kosek wrote: >>>>>>>> On Tue, 2011-05-10 at 20:11 +0200, Jan Cholasta wrote: >>>>>>>>> Split from patch 3, requires patch 18. >>>>>>>>> >>>>>>>>> https://fedorahosted.org/freeipa/ticket/1213 >>>>>>>>> >>>>>>>>> Honza >>>>>>>>> >>>>>>>> >>>>>>>> I tested all patches (3.6, 18, 19), but I think some work still >>>>>>>> needs to >>>>>>>> be done: >>>>>>>> >>>>>>>> 1) What about adding /sbin/ip package to Requires in spec? I thought >>>>>>>> there was an agreement to do it. >>>>>>> >>>>>>> Will do. >>>>>> >>>>>> Ok. >>>>>> >>>>>>> >>>>>>>> >>>>>>>> 2) When I run `ipa-server-install --ip-address=$ADDR`, and $ADDR is >>>>>>>> invalid address (e.g. $ADDR==foo), loopback address (e.g. >>>>>>>> $ADDR==127.0.0.1) or just another that the local address (e.g. 
>>>>>>>> $ADDR==123.123.123.123) the installer always fails with "the hostname >>>>>>>> resolves to an IP address that is different from the one provided >>>>>>>> on the >>>>>>>> command line". >>>>>>>> >>>>>>>> I think we may want a different error message in those 3 cases - it >>>>>>>> should be easy to do it now, with the improved IP handling. >>>>>>> >>>>>>> It looks like the print statements from verify_ip_address doesn't >>>>>>> actually print anything to the user. Will look onto that. >>>>>> >>>>>> Ok. >>>>>> >>>>>>> >>>>>>>> >>>>>>>> 3) When I pass netmask to ipa-server-install --ip-address=$ADDR, the >>>>>>>> installation always fails with the above message. Even though I >>>>>>>> took the >>>>>>>> addr+netmask from "/sbin/ip address" output. >>>>>>> >>>>>>> Works for me. Please make sure you've added your hostname to >>>>>>> /etc/hosts. >>>>>> >>>>>> I think I had. But I will recheck when you send a fix. >>>>>> >>>>>>> >>>>>>>> >>>>>>>> 4) I miss IP address checks in --ip-address and --forwarder >>>>>>>> parameters >>>>>>>> of ipa-dns-install script. I can pass invalid or local addresses to >>>>>>>> these parameters. This breaks Bind configuration. >>>>>>> >>>>>>> --ip-address is checked, but --forwarder is not. Will fix that. >>>>>> >>>>>> Ok, I will recheck both of them when you do. >>>>>> >>>>>>> >>>>>>>> >>>>>>>> 5) I think we may want to check also for local address in >>>>>>>> #ipa host-add $HOST --ip-address=127.0.0.1 >>>>>>>> >>>>>>>> 6) I couldn't add IP address with netmask in host module: >>>>>>>> # ipa host-add $HOST --ip-address=10.16.78.102/22 >>>>>>>> ipa: ERROR: invalid 'ip_address': invalid IP address >>>>>>> >>>>>>> The patches are for the installer, as are the tickets they fix, so >>>>>>> these >>>>>>> issues are out of scope. A new ticket should be opened for them. >>>>>>> >>>>>> >>>>>> You touched this parameter in your patches, that's why I tested it. 
I >>>>>> created a new ticket for it: >>>>>> >>>>>> https://fedorahosted.org/freeipa/ticket/1234 >>>>>> >>>>>> Ticket 1234, yey :-) >>>>>> >>>>>>>> >>>>>>>> 7) Why is the _ParsedIPAddress named with a leading underscore? >>>>>>>> It's not >>>>>>>> really an internal use since it is returned by new IP handling >>>>>>>> functions >>>>>>>> and used in other modules. >>>>>>> >>>>>>> _ParsedIPAddress is not for public use. The fact that object of this >>>>>>> class is returned by parse_ip_address doesn't really matter - this is >>>>>>> Python, not C++ or Java. >>>>>> >>>>>> Hm, snappy... And I was wondering why my /usr/bin/java doesn't want to >>>>>> run FreeIPA, now I know - it's because its Python. >>>>>> >>>>>> Martin >>>>>> >>>>> >>>>> Patch updated. Requires patch 18.1 >>>>> >>>>> Honza >>>>> >>>> >>>> All reported issues were fixed, good idea with a new type for our >>>> IPAOptionParser. >>>> >>>> Still, NACK from me: >>>> >>>> ipa-replica-install doesn't use IPAOptionParser, but the good old >>>> OptionParser which doesn't know the new type. This makes >>>> ipa-replica-prepare crash all the time. I know, I am nitpicker :-) >>>> >>>> Martin >>>> >>> >>> Thanks, I missed that. >>> >>> Honza >>> >> >> Fixed and added a unit test. >> > > NACK. Please test your patches before you send them for a review. It > saves reviewer's time. Sorry, I'll do better next time. > > 1) Unwanted warning about unmatching network interface when replica is > installed: > > # ipa-replica-prepare vm-059.idm.lab.bos.redhat.com > --ip-address=10.16.78.59 > Warning: No network interface matches IP address 10.16.78.59 > Directory Manager (existing master) password: > ... Fixed. 
>
> 2) ipa-replica-install crashes
> # ipa-replica-install /home/mkosek/replica-info-vm-059.idm.lab.bos.redhat.com.gpg
> Directory Manager (existing master) password:
>
> Configuring ntpd
>   [1/4]: stopping ntpd
>   [2/4]: writing configuration
>   [3/4]: configuring ntpd to start on boot
>   [4/4]: starting ntpd
> done configuring ntpd.
> creation of replica failed: unsupported operand type(s) for /: 'NoneType' and 'int'
>
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
>
> ipa-replica-install log:
> 2011-05-25 03:36:18,503 DEBUG unsupported operand type(s) for /: 'NoneType' and 'int'
>   File "/usr/sbin/ipa-replica-install", line 550, in <module>
>     main()
>
>   File "/usr/sbin/ipa-replica-install", line 496, in main
>     install_dns_records(config, options)
>
>   File "/usr/sbin/ipa-replica-install", line 329, in install_dns_records
>     options.conf_ntp)
>
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py", line 469, in add_master_dns_records
>     self.__add_self()
>
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py", line 399, in __add_self
>     if dns_zone_exists(get_reverse_zone(self.ip_address, self.ip_prefix_len)[0]):
>
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py", line 106, in get_reverse_zone
>     pos = 4 - ip_prefix_len / 8

Also fixed.

>
>
> Martin
>

Honza

--
Jan Cholasta

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-19.3-strict-ip-address-check.patch
Type: text/x-patch
Size: 2481 bytes
Desc: not available
URL:

From rcritten at redhat.com Fri May 27 15:10:58 2011
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 27 May 2011 11:10:58 -0400 Subject: [Freeipa-devel] [PATCH] 784 limit what attributes may be modified In-Reply-To: <1306502690.10180.8.camel@dhcp-25-52.brq.redhat.com> References: <4DD19B4A.4090203@redhat.com> <1306502690.10180.8.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4DDFBF02.4030503@redhat.com> Martin Kosek wrote: > On Mon, 2011-05-16 at 17:46 -0400, Rob Crittenden wrote: >> Add option to limit the attributes allowed in an entry. >> >> Kerberos ticket policy can update policy in a user entry. This allowed >> set/addattr to be used to modify attributes outside of the ticket policy >> perview, also bypassing all validation/normalization. Likewise the >> ticket policy was updatable by the user plugin bypassing all validation. >> >> Add two new LDAPObject values to control this behavior: >> >> limit_object_classes: only attributes in these are allowed >> disallow_object_classes: attributes in these are disallowed >> >> By default both of these lists are empty so are skipped. >> >> ticket 744 >> >> rob > > NACK. I have some concerns with this patch. In function > _check_limit_object_class: > > 1) You change input attribute 'attrs' by removing the items from it. If > user passes the same list of attrs to be checked and the function is run > twice, the 'attrs' parameter in second run is corrupt. > > You can try it by running e.g. `ipa krbtpolicy-mod --maxrenew=24044' and > checking the value of this parameter in the function. Good catch, updated patch attached. > > 2) The purpose of this statement is not clear to me: > + if len(attrs)> 0 and allow_only: > + raise errors.ObjectclassViolation(info='attribute "%(attribute)s" not allowed' % dict(attribute=attrs[0])) > Maybe just the exception text is misleading. This function has 2 modes: "allow only the attributes in these objectclasses" or "specifically deny the attributes in these objectclasses". This enforces the first type. 
If when we've gone through all the attributes there are any left over
they must not be allowed so raise an error. This is documented in the
function header.

>
> Otherwise it's good, it correctly raised an exception when I tried to
> misuse the --setattr option.
>
> Martin
>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-784-2-krbtpolicy.patch
Type: text/x-diff
Size: 11405 bytes
Desc: not available
URL:

From mkosek at redhat.com Fri May 27 15:12:43 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 27 May 2011 17:12:43 +0200
Subject: [Freeipa-devel] [PATCH] 070 Fix reverse zone creation in ipa-replica-prepare
Message-ID: <1306509165.10180.12.camel@dhcp-25-52.brq.redhat.com>

This patch replaces Rob's patch 791.
---
When a new reverse zone was created in ipa-replica-prepare (this may
happen when a new replica is from a different subnet), the master DNS
address was corrupted by an invalid A/AAAA record. This caused problems
for example in installing the replica.

https://fedorahosted.org/freeipa/ticket/1223

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-070-fix-reverse-zone-creation-in-ipa-replica-prepare.patch
Type: text/x-patch
Size: 10380 bytes
Desc: not available
URL:

From jcholast at redhat.com Fri May 27 15:32:56 2011
From: jcholast at redhat.com (Jan Cholasta) Date: Fri, 27 May 2011 17:32:56 +0200 Subject: [Freeipa-devel] [PATCH] 789 improve label when prompting for members In-Reply-To: <4DDB18DD.7030000@redhat.com> References: <4DDB18DD.7030000@redhat.com> Message-ID: <4DDFC428.8060901@redhat.com> On 24.5.2011 04:33, Rob Crittenden wrote: > Include the word 'member' with autogenerated optional member labels. > > There were reports of confusion over what was being prompted for, > hopefully adding member will make things clearer. > > This has a big API.txt change but it is all labels so minor in nature, > just affecting the CLI. > > ticket 1062 > > rob > ACK, works as expected. Honza -- Jan Cholasta From rcritten at redhat.com Fri May 27 15:58:19 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 27 May 2011 11:58:19 -0400 Subject: [Freeipa-devel] [PATCH] 070 Fix reverse zone creation in ipa-replica-prepare In-Reply-To: <1306509165.10180.12.camel@dhcp-25-52.brq.redhat.com> References: <1306509165.10180.12.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4DDFCA1B.5000304@redhat.com> Martin Kosek wrote: > This patch replaces Rob's patch 791. > --- > When a new reverse zone was created in ipa-replica-prepare (this > may happen when a new replica is from different subnet), the master > DNS address was corrupted by invalid A/AAAA record. This caused > problems for example in installing replica. > > https://fedorahosted.org/freeipa/ticket/1223 ack From edewata at redhat.com Fri May 27 16:43:24 2011 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Fri, 27 May 2011 11:43:24 -0500 Subject: [Freeipa-devel] [PATCH] 167 Added Update and Reset buttons into Dirty dialog. Message-ID: <4DDFD4AC.5070609@redhat.com> The Dirty dialogs have been combined into IPA.dirty_dialog. It provides the Update and Reset buttons with customizable callback. Previously the widget's dirty status is computed by comparing the old values with the new values. This method is sometimes inaccurate, so the is_dirty() method has been modified to simply return a flag which is set to true if the widget is changed. Ticket #896. -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0167-Added-Update-and-Reset-buttons-into-Dirty-dialog.patch Type: text/x-patch Size: 23059 bytes Desc: not available URL: From mkosek at redhat.com Fri May 27 16:59:52 2011 
From: mkosek at redhat.com (Martin Kosek) Date: Fri, 27 May 2011 18:59:52 +0200 Subject: [Freeipa-devel] [PATCH] 18 Parse netmasks in IP addresses passed to server install In-Reply-To: <4DDFB985.2040706@redhat.com> References: <4DC97E8B.8050904@redhat.com> <4DD6B2A5.3010507@redhat.com> <4DDBB4F1.1050909@redhat.com> <4DDFB985.2040706@redhat.com> Message-ID: <1306515594.10180.17.camel@dhcp-25-52.brq.redhat.com> On Fri, 2011-05-27 at 16:47 +0200, Jan Cholasta wrote: > On 24.5.2011 15:38, Jan Cholasta wrote: > > On 20.5.2011 20:27, Jan Cholasta wrote: > >> On 10.5.2011 20:06, Jan Cholasta wrote: > >>> Parse netmasks in IP addresses passed to server install. > >>> > >>> ticket 1212 > >> > >> Patch updated. > >> > >> TODO: Write unit test for ipapython.ipautil.CheckedIPAddress > >> TODO: Clean unreachable code paths off of ipa-server-install (?) > >> TODO: Workarounds for netaddr bugs (?) > >> > >> > >> > >> _______________________________________________ > >> Freeipa-devel mailing list > >> Freeipa-devel at redhat.com > >> https://www.redhat.com/mailman/listinfo/freeipa-devel > > > > Fixed ipa-replica-prepare and added a unit test. > > > > Another update. > > Honza Can you please rebase your patches? My patch 070 fixing add_reverse_zone() function was pushed today. Unfortunately, it made your patches 18 and 3 not applicable. You may want to look closer at the patch 070 as it is relevant to your patch set and also to make sure the fix is still functional after your set of patches. Thanks, Martin From ayoung at redhat.com Fri May 27 17:08:07 2011 
From: ayoung at redhat.com (Adam Young) Date: Fri, 27 May 2011 13:08:07 -0400 Subject: [Freeipa-devel] [PATCH] 167 Added Update and Reset buttons into Dirty dialog. In-Reply-To: <4DDFD4AC.5070609@redhat.com> References: <4DDFD4AC.5070609@redhat.com> Message-ID: <4DDFDA77.4080203@redhat.com> On 05/27/2011 12:43 PM, Endi Sukma Dewata wrote: > The Dirty dialogs have been combined into IPA.dirty_dialog. It > provides the Update and Reset buttons with customizable callback. > > Previously the widget's dirty status is computed by comparing the > old values with the new values. This method is sometimes inaccurate, > so the is_dirty() method has been modified to simply return a flag > which is set to true if the widget is changed. > > Ticket #896. > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK. Pushed to master -------------- next part -------------- An HTML attachment was scrubbed... URL: From mkosek at redhat.com Fri May 27 17:21:47 2011 
From: mkosek at redhat.com (Martin Kosek) Date: Fri, 27 May 2011 19:21:47 +0200 Subject: [Freeipa-devel] [PATCH] 784 limit what attributes may be modified In-Reply-To: <4DDFBF02.4030503@redhat.com> References: <4DD19B4A.4090203@redhat.com> <1306502690.10180.8.camel@dhcp-25-52.brq.redhat.com> <4DDFBF02.4030503@redhat.com> Message-ID: <1306516909.10180.21.camel@dhcp-25-52.brq.redhat.com> On Fri, 2011-05-27 at 11:10 -0400, Rob Crittenden wrote: > Martin Kosek wrote: > > On Mon, 2011-05-16 at 17:46 -0400, Rob Crittenden wrote: > >> Add option to limit the attributes allowed in an entry. > >> > >> Kerberos ticket policy can update policy in a user entry. This allowed > >> set/addattr to be used to modify attributes outside of the ticket policy > >> perview, also bypassing all validation/normalization. Likewise the > >> ticket policy was updatable by the user plugin bypassing all validation. > >> > >> Add two new LDAPObject values to control this behavior: > >> > >> limit_object_classes: only attributes in these are allowed > >> disallow_object_classes: attributes in these are disallowed > >> > >> By default both of these lists are empty so are skipped. > >> > >> ticket 744 > >> > >> rob > > > > NACK. I have some concerns with this patch. In function > > _check_limit_object_class: > > > > 1) You change input attribute 'attrs' by removing the items from it. If > > user passes the same list of attrs to be checked and the function is run > > twice, the 'attrs' parameter in second run is corrupt. > > > > You can try it by running e.g. `ipa krbtpolicy-mod --maxrenew=24044' and > > checking the value of this parameter in the function. > > Good catch, updated patch attached. > > > > > 2) The purpose of this statement is not clear to me: > > + if len(attrs)> 0 and allow_only: > > + raise errors.ObjectclassViolation(info='attribute "%(attribute)s" not allowed' % dict(attribute=attrs[0])) > > Maybe just the exception text is misleading. 
> > This function has 2 modes: "allow only the attributes in these > objectclasses" or "specifically deny the attributes in these > objectclasses". This enforces the first type. If when we've gone through > all the attributes there are any left over they must not be allowed so > raise an error. This is documented in the function header. Thanks for explanation, now I get it. It all looks OK, ACK. Martin From mkosek at redhat.com Fri May 27 17:26:31 2011 From: mkosek at redhat.com (Martin Kosek) Date: Fri, 27 May 2011 19:26:31 +0200 Subject: [Freeipa-devel] [PATCH] 070 Fix reverse zone creation in ipa-replica-prepare In-Reply-To: <4DDFCA1B.5000304@redhat.com> References: <1306509165.10180.12.camel@dhcp-25-52.brq.redhat.com> <4DDFCA1B.5000304@redhat.com> Message-ID: <1306517193.10180.22.camel@dhcp-25-52.brq.redhat.com> On Fri, 2011-05-27 at 11:58 -0400, Rob Crittenden wrote: > Martin Kosek wrote: > > This patch replaces Rob's patch 791. > > --- > > When a new reverse zone was created in ipa-replica-prepare (this > > may happen when a new replica is from different subnet), the master > > DNS address was corrupted by invalid A/AAAA record. This caused > > problems for example in installing replica. > > > > https://fedorahosted.org/freeipa/ticket/1223 > > ack Pushed to master, ipa-2-0. Martin From edewata at redhat.com Fri May 27 17:44:14 2011 
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 27 May 2011 12:44:14 -0500
Subject: [Freeipa-devel] [PATCH] 168 Fixed problem deleting value in text field.
Message-ID: <4DDFE2EE.6020702@redhat.com>

Previously deleting a value in a text field did not work because
the field is not included in the modify operation when the value
is empty. The details facet's update() method has been modified
to update only dirty fields.

The section lists in details facet and dialog have been converted
into ordered maps.

Ticket #1256

--
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0168-Fixed-problem-deleting-value-in-text-field.patch
Type: text/x-patch
Size: 20557 bytes
Desc: not available
URL:

From rcritten at redhat.com Fri May 27 17:52:49 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 27 May 2011 13:52:49 -0400
Subject: [Freeipa-devel] [PATCH] 784 limit what attributes may be modified
In-Reply-To: <1306516909.10180.21.camel@dhcp-25-52.brq.redhat.com>
References: <4DD19B4A.4090203@redhat.com> <1306502690.10180.8.camel@dhcp-25-52.brq.redhat.com> <4DDFBF02.4030503@redhat.com> <1306516909.10180.21.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4DDFE4F1.80406@redhat.com>

Martin Kosek wrote:
> On Fri, 2011-05-27 at 11:10 -0400, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> On Mon, 2011-05-16 at 17:46 -0400, Rob Crittenden wrote:
>>>> Add option to limit the attributes allowed in an entry.
>>>>
>>>> Kerberos ticket policy can update policy in a user entry. This allowed
>>>> set/addattr to be used to modify attributes outside of the ticket policy
>>>> purview, also bypassing all validation/normalization. Likewise the
>>>> ticket policy was updatable by the user plugin bypassing all validation.
>>>>
>>>> Add two new LDAPObject values to control this behavior:
>>>>
>>>> limit_object_classes: only attributes in these are allowed
>>>> disallow_object_classes: attributes in these are disallowed
>>>>
>>>> By default both of these lists are empty so are skipped.
>>>>
>>>> ticket 744
>>>>
>>>> rob
>>>
>>> NACK. I have some concerns with this patch. In function
>>> _check_limit_object_class:
>>>
>>> 1) You change input attribute 'attrs' by removing the items from it. If
>>> user passes the same list of attrs to be checked and the function is run
>>> twice, the 'attrs' parameter in second run is corrupt.
>>>
>>> You can try it by running e.g. `ipa krbtpolicy-mod --maxrenew=24044' and
>>> checking the value of this parameter in the function.
>>
>> Good catch, updated patch attached.
>>
>>>
>>> 2) The purpose of this statement is not clear to me:
>>> + if len(attrs)> 0 and allow_only:
>>> + raise errors.ObjectclassViolation(info='attribute "%(attribute)s" not allowed' % dict(attribute=attrs[0]))
>>> Maybe just the exception text is misleading.
>>
>> This function has 2 modes: "allow only the attributes in these
>> objectclasses" or "specifically deny the attributes in these
>> objectclasses". This enforces the first type. If when we've gone through
>> all the attributes there are any left over they must not be allowed so
>> raise an error. This is documented in the function header.
>
> Thanks for the explanation, now I get it. It all looks OK, ACK.
>
> Martin
>

pushed to master and ipa-2-0

From rcritten at redhat.com Fri May 27 17:55:00 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 27 May 2011 13:55:00 -0400
Subject: [Freeipa-devel] [PATCH] 789 improve label when prompting for members
In-Reply-To: <4DDFC428.8060901@redhat.com>
References: <4DDB18DD.7030000@redhat.com> <4DDFC428.8060901@redhat.com>
Message-ID: <4DDFE574.4090803@redhat.com>

Jan Cholasta wrote:
> On 24.5.2011 04:33, Rob Crittenden wrote:
>> Include the word 'member' with autogenerated optional member labels.
>>
>> There were reports of confusion over what was being prompted for,
>> hopefully adding member will make things clearer.
>>
>> This has a big API.txt change but it is all labels so minor in nature,
>> just affecting the CLI.
>>
>> ticket 1062
>>
>> rob
>>
>
> ACK, works as expected.
>
> Honza
>

pushed to master and ipa-2-0

From rcritten at redhat.com Fri May 27 19:39:10 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 27 May 2011 15:39:10 -0400
Subject: [Freeipa-devel] [PATCH] 762 Let the framework be able to override the hostname
In-Reply-To: <1306395960.2330.7.camel@dhcp-25-52.brq.redhat.com>
References: <4D95F3AD.2000707@redhat.com> <1306320574.18222.20.camel@dhcp-25-52.brq.redhat.com> <4DDD204A.8010009@redhat.com> <1306395960.2330.7.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4DDFFDDE.2040908@redhat.com>

Martin Kosek wrote:
> On Wed, 2011-05-25 at 11:29 -0400, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> On Fri, 2011-04-01 at 11:47 -0400, Rob Crittenden wrote:
>>>> The hostname is passed in during the server installation. We should use
>>>> this hostname for the resulting server as well. It was being discarded
>>>> and we always used the system hostname value.
>>>>
>>>> ticket 1052
>>>>
>>>> rob
>>>
>>> I have to NACK this again. I have a problem communicating with IPA on a
>>> master machine. I reproduced it on 2 different machines. Please, correct
>>> my steps if I am wrong, I do the following procedure
>>>
>>> 1) I prepare a fresh minimal F-15
>>> 2) Install freeipa-server (current master with your patches)
>>> 3) Add custom hostname to /etc/hosts
>>> 4) Install IPA server:
>>> ipa-server-install -p secret123 -a secret123 --hostname ipa.idm.lab.bos.redhat.com --setup-dns --forwarder=10.16.255.2
>>> 5) # kinit admin
>>> Password for admin at IDM.LAB.BOS.REDHAT.COM:
>>> 6) # ipa user-show admin
>>> ipa: ERROR: cannot connect to 'any of the configured servers':
>>> https://ipa.idm.lab.bos.redhat.com/ipa/xml,
>>> https://ipa.idm.lab.bos.redhat.com/ipa/xml
>>>
>>> # ping -c 1 ipa.idm.lab.bos.redhat.com
>>> PING ipa.idm.lab.bos.redhat.com (10.16.78.140) 56(84) bytes of data.
>>> 64 bytes from ipa.idm.lab.bos.redhat.com (10.16.78.140): icmp_req=1
>>> ttl=64 time=0.049 ms
>>>
>>> Apache error_log shows relevant errors:
>>>
>>> [Wed May 25 06:42:38 2011] [error] ipa: ERROR: Failed to start IPA: Unable to retrieve LDAP schema: Invalid credentials: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Permission denied)
>>> [Wed May 25 06:42:38 2011] [error] ipa: ERROR: Failed to start IPA: Unable to retrieve LDAP schema: Invalid credentials: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Permission denied)
>>> [Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) in ignored
>>> [Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) in ignored
>>> [Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) in ignored
>>> [Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) in ignored
>>> [Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) in ignored
>>> [Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) in ignored
>>> [Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) in ignored
>>> [Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) in ignored
>>> [Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) in ignored
>>> [Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) in ignored
>>> [Wed May 25 06:43:56 2011] [notice] caught SIGTERM, shutting down
>>> [Wed May 25 06:43:56 2011] [notice] SELinux policy enabled; httpd running as context system_u:system_r:kernel_t:s0
>>> [Wed May 25 06:43:57 2011] [notice] Digest: generating secret for digest authentication ...
>>> [Wed May 25 06:43:57 2011] [notice] Digest: done
>>> [Wed May 25 06:43:57 2011] [notice] Apache/2.2.17 (Unix) DAV/2 mod_auth_kerb/5.4 mod_nss/2.2.17 NSS/3.12.9.0 mod_wsgi/3.2 Python/2.7.1 configured -- resuming normal operations
>>> [Wed May 25 06:44:04 2011] [error] ipa: INFO: *** PROCESS START ***
>>> [Wed May 25 06:44:04 2011] [error] ipa: INFO: *** PROCESS START ***
>>> [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140] mod_wsgi (pid=5192): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
>>> [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140] Traceback (most recent call last):
>>> [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]   File "/usr/share/ipa/wsgi.py", line 48, in application
>>> [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]     return api.Backend.session(environ, start_response)
>>> [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 141, in __call__
>>> [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]     self.create_context(ccache=environ.get('KRB5CCNAME'))
>>> [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]   File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 110, in create_context
>>> [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]     self.Backend.ldap2.connect(ccache=ccache)
>>> [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]   File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 62, in connect
>>> [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]     conn = self.create_connection(*args, **kw)
>>> [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]   File "/usr/lib/python2.7/site-packages/ipalib/encoder.py", line 188, in new_f
>>> [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]     return f(*new_args, **kwargs)
>>> [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line 337, in create_connection
>>> [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]     _handle_errors(e, **{})
>>> [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line 118, in _handle_errors
>>> [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]     raise errors.DatabaseError(desc=desc, info=info)
>>> [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140] DatabaseError: Local error: SASL(-1): generic failure: GSSAPI Error: An invalid name was supplied (Hostname cannot be canonicalized)
>>> [Wed May 25 06:45:26 2011] [error] [client 10.16.78.140] mod_wsgi (pid=5193): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
>>>
>>>
>>> You can check the problem on vm-140.idm.lab.bos.redhat.com if you want to.
>>>
>>> Martin
>>>
>>
>> The LDAP connection was still using the system hostname value. I added a
>> conn.set_option(_ldap.OPT_HOST_NAME, api.env.host) in the two places we
>> initialize an LDAP connection and that seems to have fixed it.
>>
>> Updated patch attached
>>
>> rob
>
> NACK. The problem on a master is gone. However, now ipa-replica-install
> is failing:
>
> # ipa-replica-install /home/mkosek/replica-info-vm-027.idm.lab.bos.redhat.com.gpg
> Directory Manager (existing master) password:
>
> creation of replica failed: Can't contact LDAP server:
>
>
> I found out that the root cause of the failure is in the change you just
> made in ldap2.py:
>
>     def create_connection(self, ccache=None, bind_dn='', bind_pw='',
>             tls_cacertfile=None, tls_certfile=None, tls_keyfile=None,
>             debug_level=0):
>         ...
>         try:
>             conn = _ldap.initialize(self.ldap_uri)
>             conn.set_option(_ldap.OPT_HOST_NAME, api.env.host)   <--
>             if ccache is not None:
>                 os.environ['KRB5CCNAME'] = ccache
>         ...
>
> because api.env.host points to the local host and not the remote master.
> When I commented this line out, installation continued OK. Then, it
> crashed again with our "favorite" dogtag's "invalid clone_uri"
> exception.
>
> Since we see this error also in other scenarios (not only custom
> --hostname) and the root cause is not in your patch I can ACK your patch
> 762 once the replica install bug is fixed.
>
> Martin
>

Fixed both of these. We only need to set the hostname when using an ldapi
URI, so fixed both of those.

I also fixed the Invalid clone_uri bug. The problem was we weren't passing
our new hostname to pkicreate so it was creating a CA for whatever the
value of `hostname` was. There is an environment variable in pkicreate to
pass in the hostname and doing that has fixed the problem.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-762-3-host.patch
Type: text/x-diff
Size: 5782 bytes
Desc: not available
URL:

From jcholast at redhat.com Fri May 27 20:09:52 2011
From: jcholast at redhat.com (Jan Cholasta)
Date: Fri, 27 May 2011 22:09:52 +0200
Subject: [Freeipa-devel] [PATCH] 18 Parse netmasks in IP addresses passed to server install
In-Reply-To: <1306515594.10180.17.camel@dhcp-25-52.brq.redhat.com>
References: <4DC97E8B.8050904@redhat.com> <4DD6B2A5.3010507@redhat.com> <4DDBB4F1.1050909@redhat.com> <4DDFB985.2040706@redhat.com> <1306515594.10180.17.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4DE00510.6050400@redhat.com>

On 27.5.2011 18:59, Martin Kosek wrote:
> On Fri, 2011-05-27 at 16:47 +0200, Jan Cholasta wrote:
>> On 24.5.2011 15:38, Jan Cholasta wrote:
>>> On 20.5.2011 20:27, Jan Cholasta wrote:
>>>> On 10.5.2011 20:06, Jan Cholasta wrote:
>>>>> Parse netmasks in IP addresses passed to server install.
>>>>>
>>>>> ticket 1212
>>>>
>>>> Patch updated.
>>>>
>>>> TODO: Write unit test for ipapython.ipautil.CheckedIPAddress
>>>> TODO: Clean unreachable code paths off of ipa-server-install (?)
>>>> TODO: Workarounds for netaddr bugs (?)
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> Freeipa-devel mailing list
>>>> Freeipa-devel at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>>>
>>> Fixed ipa-replica-prepare and added a unit test.
>>>
>>
>> Another update.
>>
>> Honza
>
> Can you please rebase your patches? My patch 070 fixing
> add_reverse_zone() function was pushed today. Unfortunately, it made
> your patches 18 and 3 not applicable.

Done.

>
> You may want to look closer at the patch 070 as it is relevant to your
> patch set and also to make sure the fix is still functional after your
> set of patches.

It seems it's ok.

>
> Thanks,
> Martin
>

Honza

--
Jan Cholasta
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-18.4-parse-netmask.patch
Type: text/x-patch
Size: 20574 bytes
Desc: not available
URL:

From jcholast at redhat.com Fri May 27 20:09:59 2011
From: jcholast at redhat.com (Jan Cholasta)
Date: Fri, 27 May 2011 22:09:59 +0200
Subject: [Freeipa-devel] [PATCH] 3 Add ability to specify netmask with IP addresses during installation
In-Reply-To: <4DDFB9FE.6080006@redhat.com>
References: <4D9068E5.6090209@redhat.com> <4D90920E.3080900@redhat.com> <4D91DD15.8020109@redhat.com> <4D91DDA6.2060304@redhat.com> <4D923DCA.1030900@redhat.com> <4D930AAD.9020209@redhat.com> <4D9F1AFA.8000305@redhat.com> <4DA2DC6F.1000105@redhat.com> <4DA58644.3020506@redhat.com> <4DAF3D5A.7080300@redhat.com> <4DAFDE65.5050100@redhat.com> <4DC97F9F.5030103@redhat.com> <1305122338.4961.23.camel@dhcp-25-52.brq.redhat.com> <4DCBD6FF.7050103@redhat.com> <4DD6B2FD.80204@redhat.com> <4DDFB9FE.6080006@redhat.com>
Message-ID: <4DE00517.6080802@redhat.com>

On 27.5.2011 16:49, Jan Cholasta wrote:
> On 20.5.2011 20:29, Jan Cholasta wrote:
>> On 12.5.2011 14:47, Jan Cholasta wrote:
>>>
>>> Rewrote host.py so that it doesn't use get_reverse_zone from
>>> ipaserver.bindinstance (which fixes the pylint errors).
>>>
>>> Honza
>>>
>>
>> Patch updated. Requires patch 18.1.
>>
>
> Another update, requires patch 18.3.
>
> Honza
>

Updated, requires 18.4.

--
Jan Cholasta
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-3.9-reverse-zone.patch
Type: text/x-patch
Size: 15429 bytes
Desc: not available
URL:

From rcritten at redhat.com Fri May 27 20:25:53 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 27 May 2011 16:25:53 -0400
Subject: [Freeipa-devel] [PATCH] 069 Improve interactive mode for DNS plugin
In-Reply-To: <1306482057.3416.7.camel@dhcp-25-52.brq.redhat.com>
References: <1306413148.2330.8.camel@dhcp-25-52.brq.redhat.com> <4DDF0ED5.20904@redhat.com> <1306482057.3416.7.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4DE008D1.1020002@redhat.com>

Martin Kosek wrote:
> On Thu, 2011-05-26 at 22:39 -0400, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> Interactive mode for commands manipulating DNS records
>>> (dnsrecord-add, dnsrecord-del) is not usable. This patch enhances
>>> the server framework with a new callback for interactive mode, which
>>> can be used by commands to inject their own interactive handling.
>>>
>>> The callback is then used to improve the aforementioned commands'
>>> interactive mode.
>>>
>>> https://fedorahosted.org/freeipa/ticket/1018
>>
>> This works pretty nicely but it seems like with just a bit more it can
>> be great.
>>
>> Can you add some doc examples for how this works?
>
> Done. At least the user will know that we have a feature like that to offer.
>
>>
>> And you display the records now and then prompt for each to delete. Can
>> you combine the two?
>>
>> For example:
>>
>> ipa dnsrecord-del greyoak.com lion
>> No option to delete specific record provided.
>> Delete all? Yes/No (default No):
>> Current DNS record contents:
>>
>> A record: 192.168.166.32
>>
>> Enter value(s) to remove:
>> [A record]:
>>
>> If we know there is a record why not just prompt for each value yes/no
>> to delete?
>
> Actually, this is a very good idea, I like it. I updated the patch so
> that the user can only make a yes/no decision in ipa dnsrecord-del
> interactive mode. This makes dnsrecord-del interactive mode very usable.
>
>>
>> The yes/no function needs more documentation on what default does too.
>> It appears that the possible values are None/True/False and that None
>> means that '' can be returned (which could still be evaluated as False
>> if this isn't used right).
>
> Done. '' shouldn't be returned as I return the value of "default" if it
> is not None. But yes, it needed more documenting.
>
> Updated patch is attached. It may need some language corrections, I am
> not a native speaker.
>
> Martin

Not to be too pedantic but...

The result variable isn't really used, a while True: would suffice.

I'm not really sure what the purpose of default = None is. I think a
True/False is more appropriate, this 3rd answer of a binary question is
confusing.

rob

From mkosek at redhat.com Fri May 27 21:27:04 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 27 May 2011 23:27:04 +0200
Subject: [Freeipa-devel] [PATCH] 069 Improve interactive mode for DNS plugin
In-Reply-To: <4DE008D1.1020002@redhat.com>
References: <1306413148.2330.8.camel@dhcp-25-52.brq.redhat.com> <4DDF0ED5.20904@redhat.com> <1306482057.3416.7.camel@dhcp-25-52.brq.redhat.com> <4DE008D1.1020002@redhat.com>
Message-ID: <1306531626.31086.6.camel@dhcp-25-52.brq.redhat.com>

On Fri, 2011-05-27 at 16:25 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > On Thu, 2011-05-26 at 22:39 -0400, Rob Crittenden wrote:
> >> Martin Kosek wrote:
> >>> Interactive mode for commands manipulating DNS records
> >>> (dnsrecord-add, dnsrecord-del) is not usable. This patch enhances
> >>> the server framework with a new callback for interactive mode, which
> >>> can be used by commands to inject their own interactive handling.
> >>>
> >>> The callback is then used to improve the aforementioned commands'
> >>> interactive mode.
> >>>
> >>> https://fedorahosted.org/freeipa/ticket/1018
> >>
> >> This works pretty nicely but it seems like with just a bit more it can
> >> be great.
> >>
> >> Can you add some doc examples for how this works?
> >
> > Done. At least the user will know that we have a feature like that to offer.
> >
> >>
> >> And you display the records now and then prompt for each to delete. Can
> >> you combine the two?
> >>
> >> For example:
> >>
> >> ipa dnsrecord-del greyoak.com lion
> >> No option to delete specific record provided.
> >> Delete all? Yes/No (default No):
> >> Current DNS record contents:
> >>
> >> A record: 192.168.166.32
> >>
> >> Enter value(s) to remove:
> >> [A record]:
> >>
> >> If we know there is a record why not just prompt for each value yes/no
> >> to delete?
> >
> > Actually, this is a very good idea, I like it. I updated the patch so
> > that the user can only make a yes/no decision in ipa dnsrecord-del
> > interactive mode. This makes dnsrecord-del interactive mode very usable.
> >
> >>
> >> The yes/no function needs more documentation on what default does too.
> >> It appears that the possible values are None/True/False and that None
> >> means that '' can be returned (which could still be evaluated as False
> >> if this isn't used right).
> >
> > Done. '' shouldn't be returned as I return the value of "default" if it
> > is not None. But yes, it needed more documenting.
> >
> > Updated patch is attached. It may need some language corrections, I am
> > not a native speaker.
> >
> > Martin
>
> Not to be too pedantic but...
>
> The result variable isn't really used, a while True: would suffice.
>
> I'm not really sure what the purpose of default = None is. I think a
> True/False is more appropriate, this 3rd answer of a binary question is
> confusing.

I fixed the result variable. This was a left-over from function evolution.

I am not sure why the yes/no function is still confusing. Maybe I miss
something. I improved the function help a bit. But let me explain:

If default is None, that means that there is no default answer to the
yes/no question and the user has to answer either "y" or "n". He cannot
skip the answer and is prompted until the answer is given.

When default is True, the user can just enter an empty answer, which is
treated as "yes" and True is returned.

When default is False and the user enters an empty answer, it is treated
as "no" and False is returned.

None shouldn't be returned at all... (Maybe only in a case of an error)

Martin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-069-3-improve-interactive-mode-for-dns-plugin.patch
Type: text/x-patch
Size: 18280 bytes
Desc: not available
URL:

From ayoung at redhat.com Sat May 28 01:44:30 2011
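To make the three `default` settings Martin describes concrete, here is an added, constructed implementation (not the code in patch 069, and not FreeIPA's own helper) of a yes/no prompt that loops with `while True` and never returns '' or None, together with the per-record confirmation flow Rob suggested for `dnsrecord-del`; the `read` parameter is a hypothetical stand-in for stdin so the behaviour can be exercised without a terminal.

```python
def user_input_yes_no(prompt, default=None, read=input):
    """Ask a yes/no question and always return a bool.

    default None  -> no default answer: an empty reply is rejected and the
                     user is re-prompted until 'y'/'yes' or 'n'/'no' is given.
    default True  -> an empty reply is treated as "yes" and True is returned.
    default False -> an empty reply is treated as "no" and False is returned.

    'read' is called with the prompt text and must return the reply; it is
    input() in real use and a scripted reader in tests (an assumption of this
    example, not an IPA API).
    """
    if default is None:
        suffix = "Yes/No"
    elif default:
        suffix = "Yes/No (default Yes)"
    else:
        suffix = "Yes/No (default No)"
    # No 'result' variable is needed: loop until a valid answer is returned.
    while True:
        answer = read("%s %s: " % (prompt, suffix)).strip().lower()
        if answer == "" and default is not None:
            return default
        if answer in ("y", "yes"):
            return True
        if answer in ("n", "no"):
            return False
        # Anything else (including '' when default is None) re-prompts.


def make_reader(answers):
    """Scripted replacement for input(): hands out the given answers in order."""
    it = iter(answers)

    def read(prompt):
        return next(it)
    return read


def select_records_to_delete(records, read=input):
    """Prompt yes/no for every existing value and return what was confirmed.

    records is the current record content, e.g. {"A": ["192.168.166.32"]}.
    Deletion defaults to "no" so an accidental Enter removes nothing.
    Returns {record type: [values confirmed for deletion]} with empty types
    left out, ready to be turned into the delete options of dnsrecord-del.
    """
    to_delete = {}
    for rtype, values in sorted(records.items()):
        for value in values:
            question = 'Delete %s record "%s"?' % (rtype, value)
            if user_input_yes_no(question, default=False, read=read):
                to_delete.setdefault(rtype, []).append(value)
    return to_delete


if __name__ == "__main__":
    # Constructed record set for the demo; answers are scripted instead of typed.
    current = {"A": ["192.168.166.32", "10.0.0.1"], "TXT": ["v=spf1 -all"]}
    print(select_records_to_delete(current, read=make_reader(["y", "", "n"])))
```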
From: ayoung at redhat.com (Adam Young)
Date: Fri, 27 May 2011 21:44:30 -0400
Subject: [Freeipa-devel] [PATCH] 168 Fixed problem deleting value in text field.
In-Reply-To: <4DDFE2EE.6020702@redhat.com>
References: <4DDFE2EE.6020702@redhat.com>
Message-ID: <4DE0537E.2060908@redhat.com>

On 05/27/2011 01:44 PM, Endi Sukma Dewata wrote:
> Previously deleting a value in a text field did not work because
> the field is not included in the modify operation when the value
> is empty. The details facet's update() method has been modified
> to update only dirty fields.
>
> The section lists in details facet and dialog have been converted
> into ordered maps.
>
> Ticket #1256
>
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

ACK. Pushed to master
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From rcritten at redhat.com Sat May 28 04:10:00 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Sat, 28 May 2011 00:10:00 -0400
Subject: [Freeipa-devel] [PATCH] 068 Connection check program for replica installation
In-Reply-To: <1306224886.2514.24.camel@dhcp-25-52.brq.redhat.com>
References: <1306157956.2514.9.camel@dhcp-25-52.brq.redhat.com> <4DDAC65E.7080300@redhat.com> <1306224886.2514.24.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4DE07598.4050000@redhat.com>

Martin Kosek wrote:
> On Mon, 2011-05-23 at 16:41 -0400, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> This is a first version of a connection checking program for replica
>>> installation. See patch for program purpose description. Currently,
>>> there are no man pages for the program.
>>>
>>> Note to Simo and Rob: I use a password for logging in as admin. Btw would it
>>> be safe to have an admin keytab in the replica file? Replica file
>>> contents are lying freely in /tmp after the replica installation.
>>>
>>> Martin
>>
>> nack, you aren't including the new binary in the spec.
>
> Oh, thanks for this one.
>
>>
>> You should also:
>>
>> - set KRB5CCNAME to a temporary ccache and remove that when the install
>> exits (successful or not)
>
> Done.
>
>> - remove the temporary krb5.conf you create
>
> Done.
>
>> - be a bit more explicit what we are doing, at least more than "Run
>> connection check to master".
>
> Actually, I am if you run the new script separately. I removed the "--quiet"
> parameter passed to the script in ipa-replica-install so that it is more
> verbose. Plus, I improved texts sent to the user.
>
>> - yes, we should remove the replica file contents
>
> I enhanced ipa-replica-install to do that.
>
> Martin
>

Works great until the very end:

...
...
Execute check on remote master
Check connection from master to remote replica 'slinky.greyoak.com':
   Directory Service: unsecure port (389): FAILED
   Directory Service: secure port (636): FAILED
   Kerberos (88): OK

Remote master check failed with following error message(s):
Could not chdir to home directory /home/admin: No such file or directory
Port check failed! Unaccessible port(s): 389, 636

Connection check failed with following error: None

rob

From mkosek at redhat.com Sat May 28 08:13:09 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Sat, 28 May 2011 10:13:09 +0200
Subject: [Freeipa-devel] [PATCH] 068 Connection check program for replica installation
In-Reply-To: <4DE07598.4050000@redhat.com>
References: <1306157956.2514.9.camel@dhcp-25-52.brq.redhat.com> <4DDAC65E.7080300@redhat.com> <1306224886.2514.24.camel@dhcp-25-52.brq.redhat.com> <4DE07598.4050000@redhat.com>
Message-ID: <1306570392.2433.2.camel@dhcp-25-52.brq.redhat.com>

On Sat, 2011-05-28 at 00:10 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > On Mon, 2011-05-23 at 16:41 -0400, Rob Crittenden wrote:
> >> Martin Kosek wrote:
> >>> This is a first version of a connection checking program for replica
> >>> installation. See patch for program purpose description. Currently,
> >>> there are no man pages for the program.
> >>>
> >>> Note to Simo and Rob: I use a password for logging in as admin. Btw would it
> >>> be safe to have an admin keytab in the replica file? Replica file
> >>> contents are lying freely in /tmp after the replica installation.
> >>>
> >>> Martin
> >>
> >> nack, you aren't including the new binary in the spec.
> >
> > Oh, thanks for this one.
> >
> >>
> >> You should also:
> >>
> >> - set KRB5CCNAME to a temporary ccache and remove that when the install
> >> exits (successful or not)
> >
> > Done.
> >
> >> - remove the temporary krb5.conf you create
> >
> > Done.
> >
> >> - be a bit more explicit what we are doing, at least more than "Run
> >> connection check to master".
> >
> > Actually, I am if you run the new script separately. I removed the "--quiet"
> > parameter passed to the script in ipa-replica-install so that it is more
> > verbose. Plus, I improved texts sent to the user.
> >
> >> - yes, we should remove the replica file contents
> >
> > I enhanced ipa-replica-install to do that.
> >
> > Martin
> >
>
> Works great until the very end:
>
> ...
> ...
>
> Execute check on remote master
> Check connection from master to remote replica 'slinky.greyoak.com':
>    Directory Service: unsecure port (389): FAILED
>    Directory Service: secure port (636): FAILED
>    Kerberos (88): OK
>
> Remote master check failed with following error message(s):
> Could not chdir to home directory /home/admin: No such file or directory
> Port check failed! Unaccessible port(s): 389, 636
>
> Connection check failed with following error: None
>
> rob

Right, I introduced this wrong error message in the last patch. I fixed
this one and also one typo. Updated patch attached.

Martin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-068-3-connection-check-program-for-replica-installation.patch
Type: text/x-patch
Size: 24504 bytes
Desc: not available
URL:

From ayoung at redhat.com Sun May 29 00:54:49 2011
From: ayoung at redhat.com (Adam Young)
Date: Sat, 28 May 2011 20:54:49 -0400
Subject: [Freeipa-devel] [PATCH] 0229-automount-delete-key
Message-ID: <4DE19959.4030405@redhat.com>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0229-automount-delete-key.patch
Type: text/x-patch
Size: 5214 bytes
Desc: not available
URL:

From gsr at redhat.com Mon May 30 07:05:58 2011
From: gsr at redhat.com (Gowrishankar Rajaiyan)
Date: Mon, 30 May 2011 12:35:58 +0530
Subject: [Freeipa-devel] [PATCH] Fix typos in help of sudorule and sudocmd
Message-ID: <4DE341D6.7080002@redhat.com>

Hi,

Fixed the following typos:

1. # ipa help sudorule
[...]
sudorule-show    Dispaly Sudo Rule.

2. # ipa help sudocmd
[...]
Create a new commnad

--
Regards,
Shanks

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0001-Fixes-typos-in-help-of-sudorule-and-sudocmd-add.patch
URL:

From mkosek at redhat.com Mon May 30 07:20:17 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 30 May 2011 09:20:17 +0200
Subject: [Freeipa-devel] [PATCH] 784 limit what attributes may be modified
In-Reply-To: <1306516909.10180.21.camel@dhcp-25-52.brq.redhat.com>
References: <4DD19B4A.4090203@redhat.com> <1306502690.10180.8.camel@dhcp-25-52.brq.redhat.com> <4DDFBF02.4030503@redhat.com> <1306516909.10180.21.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <1306740019.2427.0.camel@dhcp-25-52.brq.redhat.com>

On Fri, 2011-05-27 at 19:21 +0200, Martin Kosek wrote:
> On Fri, 2011-05-27 at 11:10 -0400, Rob Crittenden wrote:
> > Martin Kosek wrote:
> > > On Mon, 2011-05-16 at 17:46 -0400, Rob Crittenden wrote:
> > >> Add option to limit the attributes allowed in an entry.
> > >>
> > >> Kerberos ticket policy can update policy in a user entry. This allowed
> > >> set/addattr to be used to modify attributes outside of the ticket policy
> > >> purview, also bypassing all validation/normalization. Likewise the
> > >> ticket policy was updatable by the user plugin bypassing all validation.
> > >>
> > >> Add two new LDAPObject values to control this behavior:
> > >>
> > >> limit_object_classes: only attributes in these are allowed
> > >> disallow_object_classes: attributes in these are disallowed
> > >>
> > >> By default both of these lists are empty so are skipped.
> > >>
> > >> ticket 744
> > >>
> > >> rob
> > >
> > > NACK. I have some concerns with this patch. In function
> > > _check_limit_object_class:
> > >
> > > 1) You change input attribute 'attrs' by removing the items from it. If
> > > user passes the same list of attrs to be checked and the function is run
> > > twice, the 'attrs' parameter in second run is corrupt.
> > >
> > > You can try it by running e.g. `ipa krbtpolicy-mod --maxrenew=24044' and
> > > checking the value of this parameter in the function.
> >
> > Good catch, updated patch attached.
> >
> > >
> > > 2) The purpose of this statement is not clear to me:
> > > + if len(attrs)> 0 and allow_only:
> > > + raise errors.ObjectclassViolation(info='attribute "%(attribute)s" not allowed' % dict(attribute=attrs[0]))
> > > Maybe just the exception text is misleading.
> >
> > This function has 2 modes: "allow only the attributes in these
> > objectclasses" or "specifically deny the attributes in these
> > objectclasses". This enforces the first type. If when we've gone through
> > all the attributes there are any left over they must not be allowed so
> > raise an error. This is documented in the function header.
>
> Thanks for the explanation, now I get it. It all looks OK, ACK.
>
> Martin
>

Checked again as I had some second thoughts. But no problem found.

Pushed to master, ipa-2-0.

Martin

From mkosek at redhat.com Mon May 30 11:44:02 2011
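As an added illustration of the two modes Rob describes and of the mutation bug Martin found (this is constructed example code, not FreeIPA's `_check_limit_object_class`, and the objectclass-to-attribute map below is a made-up stand-in for the LDAP schema), the following check builds a new list instead of consuming `attrs`, so running it twice on the same list, as happens in the `krbtpolicy-mod` case above, gives the same answer both times.

```python
# Constructed stand-in for the LDAP schema: objectclass -> attributes it carries.
# The objectclass and attribute names are assumptions for this example only.
SCHEMA = {
    "krbticketpolicyaux": {"krbmaxticketlife", "krbmaxrenewableage"},
    "person": {"cn", "sn", "userpassword", "telephonenumber"},
    "posixaccount": {"uid", "uidnumber", "gidnumber", "homedirectory"},
}


class ObjectclassViolation(Exception):
    """Raised when a modification touches an attribute the plugin may not change."""


def check_limit_object_class(schema, object_classes, attrs, allow_only):
    """Check a list of attribute names against a list of objectclasses.

    allow_only=True : only attributes belonging to object_classes may appear
                      (limit_object_classes mode); anything left over is rejected.
    allow_only=False: attributes belonging to object_classes are forbidden
                      (disallow_object_classes mode).

    An empty object_classes list means the check is skipped. The caller's
    'attrs' list is never modified, so the check can safely run more than once.
    """
    if not object_classes:
        return
    covered = set()
    for oc in object_classes:
        covered.update(a.lower() for a in schema.get(oc.lower(), ()))
    # Build a fresh list; never pop() entries out of the caller's 'attrs'.
    if allow_only:
        leftover = [a for a in attrs if a.lower() not in covered]
    else:
        leftover = [a for a in attrs if a.lower() in covered]
    if leftover:
        raise ObjectclassViolation('attribute "%s" not allowed' % leftover[0])


def validate_mod(entry_attrs, limit_object_classes=(), disallow_object_classes=()):
    """Run both checks over the attributes of one modify request.

    entry_attrs maps attribute name to value, as assembled from the command's
    options and from --setattr/--addattr. Returns the attribute list on success.
    """
    attrs = list(entry_attrs)
    check_limit_object_class(SCHEMA, limit_object_classes, attrs, allow_only=True)
    check_limit_object_class(SCHEMA, disallow_object_classes, attrs, allow_only=False)
    return attrs


def violation_for(entry_attrs, **kw):
    """Return the violation message, or None when the modification is allowed."""
    try:
        validate_mod(entry_attrs, **kw)
    except ObjectclassViolation as e:
        return str(e)
    return None


if __name__ == "__main__":
    # Ticket-policy plugin limited to its own objectclass: a plain policy change passes...
    print(violation_for({"krbmaxrenewableage": "24044"},
                        limit_object_classes=["krbticketpolicyaux"]))
    # ...but a user attribute smuggled in via --setattr is rejected.
    print(violation_for({"krbmaxrenewableage": "24044", "telephonenumber": "555-0100"},
                        limit_object_classes=["krbticketpolicyaux"]))
    # User plugin that disallows the ticket-policy objectclass rejects policy edits.
    print(violation_for({"cn": "Admin", "krbmaxticketlife": "86400"},
                        disallow_object_classes=["krbticketpolicyaux"]))
```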
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 30 May 2011 13:44:02 +0200
Subject: [Freeipa-devel] [PATCH] 18 Parse netmasks in IP addresses passed to server install
In-Reply-To: <4DE00510.6050400@redhat.com>
References: <4DC97E8B.8050904@redhat.com> <4DD6B2A5.3010507@redhat.com> <4DDBB4F1.1050909@redhat.com> <4DDFB985.2040706@redhat.com> <1306515594.10180.17.camel@dhcp-25-52.brq.redhat.com> <4DE00510.6050400@redhat.com>
Message-ID: <1306755844.2427.1.camel@dhcp-25-52.brq.redhat.com>

On Fri, 2011-05-27 at 22:09 +0200, Jan Cholasta wrote:
> On 27.5.2011 18:59, Martin Kosek wrote:
> > On Fri, 2011-05-27 at 16:47 +0200, Jan Cholasta wrote:
> >> On 24.5.2011 15:38, Jan Cholasta wrote:
> >>> On 20.5.2011 20:27, Jan Cholasta wrote:
> >>>> On 10.5.2011 20:06, Jan Cholasta wrote:
> >>>>> Parse netmasks in IP addresses passed to server install.
> >>>>>
> >>>>> ticket 1212
> >>>>
> >>>> Patch updated.
> >>>>
> >>>> TODO: Write unit test for ipapython.ipautil.CheckedIPAddress
> >>>> TODO: Clean unreachable code paths off of ipa-server-install (?)
> >>>> TODO: Workarounds for netaddr bugs (?)
> >>>>
> >>>> _______________________________________________
> >>>> Freeipa-devel mailing list
> >>>> Freeipa-devel at redhat.com
> >>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
> >>>
> >>> Fixed ipa-replica-prepare and added a unit test.
> >>>
> >>
> >> Another update.
> >>
> >> Honza
> >
> > Can you please rebase your patches? My patch 070 fixing
> > add_reverse_zone() function was pushed today. Unfortunately, it made
> > your patches 18 and 3 not applicable.
>
> Done.
>
> > You may want to look closer at the patch 070 as it is relevant to your
> > patch set and also to make sure the fix is still functional after your
> > set of patches.
>
> It seems it's ok.
>
> > Thanks,
> > Martin
>
> Honza

Everything seems to work fine, ACK. Pushed to master.

Martin

From mkosek at redhat.com Mon May 30 11:44:40 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 30 May 2011 13:44:40 +0200
Subject: [Freeipa-devel] [PATCH] 19 Do stricter checking of IP addresses passed to server install
In-Reply-To: <4DDFBA53.1060703@redhat.com>
References: <4DC97FEC.1000005@redhat.com> <1305559608.30122.30.camel@dhcp-25-52.brq.redhat.com> <4DD15BA1.5080004@redhat.com> <1305708694.22796.60.camel@dhcp-25-52.brq.redhat.com> <4DD6B42F.6040507@redhat.com> <1306241018.2514.54.camel@dhcp-25-52.brq.redhat.com> <4DDBA82F.8040105@redhat.com> <4DDBB5DF.2080908@redhat.com> <1306309613.18222.10.camel@dhcp-25-52.brq.redhat.com> <4DDFBA53.1060703@redhat.com>
Message-ID: <1306755882.2427.2.camel@dhcp-25-52.brq.redhat.com>

On Fri, 2011-05-27 at 16:50 +0200, Jan Cholasta wrote:
> On 25.5.2011 09:46, Martin Kosek wrote:
> > On Tue, 2011-05-24 at 15:42 +0200, Jan Cholasta wrote:
> >> On 24.5.2011 14:44, Jan Cholasta wrote:
> >>> On 24.5.2011 14:43, Martin Kosek wrote:
> >>>> On Fri, 2011-05-20 at 20:34 +0200, Jan Cholasta wrote:
> >>>>> On 18.5.2011 10:51, Martin Kosek wrote:
> >>>>>> On Mon, 2011-05-16 at 19:15 +0200, Jan Cholasta wrote:
> >>>>>>> On 16.5.2011 17:26, Martin Kosek wrote:
> >>>>>>>> On Tue, 2011-05-10 at 20:11 +0200, Jan Cholasta wrote:
> >>>>>>>>> Split from patch 3, requires patch 18.
> >>>>>>>>>
> >>>>>>>>> https://fedorahosted.org/freeipa/ticket/1213
> >>>>>>>>>
> >>>>>>>>> Honza
> >>>>>>>>
> >>>>>>>> I tested all patches (3.6, 18, 19), but I think some work still
> >>>>>>>> needs to be done:
> >>>>>>>>
> >>>>>>>> 1) What about adding /sbin/ip package to Requires in spec? I thought
> >>>>>>>> there was an agreement to do it.
> >>>>>>>
> >>>>>>> Will do.
> >>>>>>
> >>>>>> Ok.
> >>>>>>
> >>>>>>>> 2) When I run `ipa-server-install --ip-address=$ADDR`, and $ADDR is
> >>>>>>>> an invalid address (e.g. $ADDR==foo), a loopback address (e.g.
> >>>>>>>> $ADDR==127.0.0.1) or just other than the local address (e.g.
> >>>>>>>> $ADDR==123.123.123.123) the installer always fails with "the hostname
> >>>>>>>> resolves to an IP address that is different from the one provided
> >>>>>>>> on the command line".
> >>>>>>>>
> >>>>>>>> I think we may want a different error message in those 3 cases - it
> >>>>>>>> should be easy to do it now, with the improved IP handling.
> >>>>>>>
> >>>>>>> It looks like the print statements from verify_ip_address don't
> >>>>>>> actually print anything to the user. Will look into that.
> >>>>>>
> >>>>>> Ok.
> >>>>>>
> >>>>>>>> 3) When I pass netmask to ipa-server-install --ip-address=$ADDR, the
> >>>>>>>> installation always fails with the above message. Even though I
> >>>>>>>> took the addr+netmask from "/sbin/ip address" output.
> >>>>>>>
> >>>>>>> Works for me. Please make sure you've added your hostname to
> >>>>>>> /etc/hosts.
> >>>>>>
> >>>>>> I think I had. But I will recheck when you send a fix.
> >>>>>>
> >>>>>>>> 4) I miss IP address checks in --ip-address and --forwarder
> >>>>>>>> parameters of ipa-dns-install script. I can pass invalid or local
> >>>>>>>> addresses to these parameters. This breaks Bind configuration.
> >>>>>>>
> >>>>>>> --ip-address is checked, but --forwarder is not. Will fix that.
> >>>>>>
> >>>>>> Ok, I will recheck both of them when you do.
> >>>>>>
> >>>>>>>> 5) I think we may want to check also for local address in
> >>>>>>>> # ipa host-add $HOST --ip-address=127.0.0.1
> >>>>>>>>
> >>>>>>>> 6) I couldn't add IP address with netmask in host module:
> >>>>>>>> # ipa host-add $HOST --ip-address=10.16.78.102/22
> >>>>>>>> ipa: ERROR: invalid 'ip_address': invalid IP address
> >>>>>>>
> >>>>>>> The patches are for the installer, as are the tickets they fix, so
> >>>>>>> these issues are out of scope. A new ticket should be opened for them.
> >>>>>>
> >>>>>> You touched this parameter in your patches, that's why I tested it. I
> >>>>>> created a new ticket for it:
> >>>>>>
> >>>>>> https://fedorahosted.org/freeipa/ticket/1234
> >>>>>>
> >>>>>> Ticket 1234, yey :-)
> >>>>>>
> >>>>>>>> 7) Why is the _ParsedIPAddress named with a leading underscore?
> >>>>>>>> It's not really an internal use since it is returned by new IP
> >>>>>>>> handling functions and used in other modules.
> >>>>>>>
> >>>>>>> _ParsedIPAddress is not for public use. The fact that object of this
> >>>>>>> class is returned by parse_ip_address doesn't really matter - this is
> >>>>>>> Python, not C++ or Java.
> >>>>>>
> >>>>>> Hm, snappy... And I was wondering why my /usr/bin/java doesn't want to
> >>>>>> run FreeIPA, now I know - it's because it's Python.
> >>>>>>
> >>>>>> Martin
> >>>>>
> >>>>> Patch updated. Requires patch 18.1
> >>>>>
> >>>>> Honza
> >>>>
> >>>> All reported issues were fixed, good idea with a new type for our
> >>>> IPAOptionParser.
> >>>>
> >>>> Still, NACK from me:
> >>>>
> >>>> ipa-replica-install doesn't use IPAOptionParser, but the good old
> >>>> OptionParser which doesn't know the new type. This makes
> >>>> ipa-replica-prepare crash all the time. I know, I am a nitpicker :-)
> >>>>
> >>>> Martin
> >>>
> >>> Thanks, I missed that.
> >>>
> >>> Honza
> >>
> >> Fixed and added a unit test.
> >
> > NACK. Please test your patches before you send them for a review. It
> > saves reviewer's time.
>
> Sorry, I'll do better next time.
>
> > 1) Unwanted warning about unmatching network interface when replica is
> > installed:
> >
> > # ipa-replica-prepare vm-059.idm.lab.bos.redhat.com --ip-address=10.16.78.59
> > Warning: No network interface matches IP address 10.16.78.59
> > Directory Manager (existing master) password:
> > ...
>
> Fixed.
> > 2) ipa-replica-install crashes
> > # ipa-replica-install /home/mkosek/replica-info-vm-059.idm.lab.bos.redhat.com.gpg
> > Directory Manager (existing master) password:
> >
> > Configuring ntpd
> >   [1/4]: stopping ntpd
> >   [2/4]: writing configuration
> >   [3/4]: configuring ntpd to start on boot
> >   [4/4]: starting ntpd
> > done configuring ntpd.
> > creation of replica failed: unsupported operand type(s) for /: 'NoneType' and 'int'
> >
> > Your system may be partly configured.
> > Run /usr/sbin/ipa-server-install --uninstall to clean up.
> >
> >
> > ipa-replica-install log:
> > 2011-05-25 03:36:18,503 DEBUG unsupported operand type(s) for /: 'NoneType' and 'int'
> >   File "/usr/sbin/ipa-replica-install", line 550, in
> >     main()
> >
> >   File "/usr/sbin/ipa-replica-install", line 496, in main
> >     install_dns_records(config, options)
> >
> >   File "/usr/sbin/ipa-replica-install", line 329, in install_dns_records
> >     options.conf_ntp)
> >
> >   File "/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py", line 469, in add_master_dns_records
> >     self.__add_self()
> >
> >   File "/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py", line 399, in __add_self
> >     if dns_zone_exists(get_reverse_zone(self.ip_address, self.ip_prefix_len)[0]):
> >
> >   File "/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py", line 106, in get_reverse_zone
> >     pos = 4 - ip_prefix_len / 8
>
> Also fixed.
>
> > Martin
>
> Honza

ACK, pushed to master.

Martin

From mkosek at redhat.com Mon May 30 11:45:06 2011
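An added illustration for the thread above, written for this page rather than taken from Honza's patches or FreeIPA's ipautil.CheckedIPAddress: `parse_checked_ip` accepts the `--ip-address` forms discussed (ADDR or ADDR/PREFIX) and gives a distinct error for each of the three cases Martin listed (unparsable, loopback, not configured on a local interface), and `get_reverse_zone` keeps the octet arithmetic shown in the traceback (`pos = 4 - ip_prefix_len / 8`) but with integer division and an explicit check for a missing prefix length, the `None` that crashed ipa-replica-install. The set of local addresses, the IPv4-only handling and the (zone, owner) return shape are assumptions made for the example.

```python
import ipaddress


class InvalidAddress(ValueError):
    """One message per rejection reason, instead of the single generic
    "hostname resolves to a different IP address" installer error."""


# Constructed: the addresses "/sbin/ip address" would report on this host.
LOCAL_ADDRESSES = {'10.16.78.59', '10.16.78.140'}


def parse_checked_ip(text, local_addresses=LOCAL_ADDRESSES):
    """Parse an --ip-address value of the form ADDR or ADDR/PREFIX.

    Returns (IPv4Address, prefix_len); prefix_len is None when the caller
    supplied no netmask, so a later consumer must decide how to handle that
    rather than silently dividing None by 8.
    """
    try:
        iface = ipaddress.ip_interface(text)
    except ValueError:
        raise InvalidAddress('invalid IP address: %r' % text)
    if iface.version != 4:
        raise InvalidAddress('only IPv4 is handled in this example: %s' % text)
    addr = iface.ip
    if addr.is_loopback:
        raise InvalidAddress('loopback address %s cannot be used' % addr)
    if str(addr) not in local_addresses:
        raise InvalidAddress(
            'no network interface matches IP address %s' % addr)
    prefix_len = iface.network.prefixlen if '/' in text else None
    return addr, prefix_len


def get_reverse_zone(addr, prefix_len):
    """Return (reverse zone name, PTR owner name inside that zone).

    Same idea as the traceback's "pos = 4 - ip_prefix_len / 8": the prefix
    is truncated to whole octets (a /22 is treated as /16 here, like the
    original integer division in Python 2), so the zone covers the network
    octets and the owner name carries the remaining host octets.
    """
    if prefix_len is None:
        raise ValueError('prefix length unknown for %s; cannot derive the '
                         'reverse zone' % addr)
    if not 8 <= prefix_len <= 30:
        raise ValueError('unsupported prefix length /%d' % prefix_len)
    octets = str(addr).split('.')
    pos = 4 - prefix_len // 8          # host octets left out of the zone
    zone = '.'.join(reversed(octets[:4 - pos])) + '.in-addr.arpa.'
    owner = '.'.join(reversed(octets[4 - pos:]))
    return zone, owner
```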
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 30 May 2011 13:45:06 +0200
Subject: [Freeipa-devel] [PATCH] 3 Add ability to specify netmask with IP addresses during installation
In-Reply-To: <4DE00517.6080802@redhat.com>
References: <4D9068E5.6090209@redhat.com> <4D90920E.3080900@redhat.com> <4D91DD15.8020109@redhat.com> <4D91DDA6.2060304@redhat.com> <4D923DCA.1030900@redhat.com> <4D930AAD.9020209@redhat.com> <4D9F1AFA.8000305@redhat.com> <4DA2DC6F.1000105@redhat.com> <4DA58644.3020506@redhat.com> <4DAF3D5A.7080300@redhat.com> <4DAFDE65.5050100@redhat.com> <4DC97F9F.5030103@redhat.com> <1305122338.4961.23.camel@dhcp-25-52.brq.redhat.com> <4DCBD6FF.7050103@redhat.com> <4DD6B2FD.80204@redhat.com> <4DDFB9FE.6080006@redhat.com> <4DE00517.6080802@redhat.com>
Message-ID: <1306755907.2427.3.camel@dhcp-25-52.brq.redhat.com>

On Fri, 2011-05-27 at 22:09 +0200, Jan Cholasta wrote:
> On 27.5.2011 16:49, Jan Cholasta wrote:
> > On 20.5.2011 20:29, Jan Cholasta wrote:
> >> On 12.5.2011 14:47, Jan Cholasta wrote:
> >>>
> >>> Rewrote host.py so that it doesn't use get_reverse_zone from
> >>> ipaserver.bindinstance (which fixes the pylint errors).
> >>>
> >>> Honza
> >>
> >> Patch updated. Requires patch 18.1.
> >
> > Another update, requires patch 18.3.
> >
> > Honza
>
> Updated, requires 18.4.

ACK, pushed to master.

Martin

From mkosek at redhat.com Mon May 30 12:05:48 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 30 May 2011 14:05:48 +0200
Subject: [Freeipa-devel] [PATCH] 762 Let the framework be able to override the hostname
In-Reply-To: <4DDFFDDE.2040908@redhat.com>
References: <4D95F3AD.2000707@redhat.com> <1306320574.18222.20.camel@dhcp-25-52.brq.redhat.com> <4DDD204A.8010009@redhat.com> <1306395960.2330.7.camel@dhcp-25-52.brq.redhat.com> <4DDFFDDE.2040908@redhat.com>
Message-ID: <1306757151.2427.16.camel@dhcp-25-52.brq.redhat.com>

On Fri, 2011-05-27 at 15:39 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > On Wed, 2011-05-25 at 11:29 -0400, Rob Crittenden wrote:
> >> Martin Kosek wrote:
> >>> On Fri, 2011-04-01 at 11:47 -0400, Rob Crittenden wrote:
> >>>> The hostname is passed in during the server installation. We should use
> >>>> this hostname for the resulting server as well. It was being discarded
> >>>> and we always used the system hostname value.
> >>>>
> >>>> ticket 1052
> >>>>
> >>>> rob
> >>>
> >>> I have to NACK this again. I have a problem communicating with IPA on a
> >>> master machine. I reproduced it on 2 different machines. Please, correct
> >>> my steps if I am wrong, I do the following procedure
> >>>
> >>> 1) I prepare a fresh minimal F-15
> >>> 2) Install freeipa-server (current master with your patches)
> >>> 3) Add custom hostname to /etc/hosts
> >>> 4) Install IPA server:
> >>> ipa-server-install -p secret123 -a secret123 --hostname ipa.idm.lab.bos.redhat.com --setup-dns --forwarder=10.16.255.2
> >>> 5) # kinit admin
> >>> Password for admin at IDM.LAB.BOS.REDHAT.COM:
> >>> 6) # ipa user-show admin
> >>> ipa: ERROR: cannot connect to 'any of the configured servers':
> >>> https://ipa.idm.lab.bos.redhat.com/ipa/xml,
> >>> https://ipa.idm.lab.bos.redhat.com/ipa/xml
> >>>
> >>> # ping -c 1 ipa.idm.lab.bos.redhat.com
> >>> PING ipa.idm.lab.bos.redhat.com (10.16.78.140) 56(84) bytes of data.
> >>> 64 bytes from ipa.idm.lab.bos.redhat.com (10.16.78.140): icmp_req=1
> >>> ttl=64 time=0.049 ms
> >>>
> >>> Apache error_log shows relevant errors:
> >>>
> >>> [Wed May 25 06:42:38 2011] [error] ipa: ERROR: Failed to start IPA: Unable to retrieve LDAP schema: Invalid credentials: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Permission denied)
> >>> [Wed May 25 06:42:38 2011] [error] ipa: ERROR: Failed to start IPA: Unable to retrieve LDAP schema: Invalid credentials: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Permission denied)
> >>> [Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) in ignored
> >>> [Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) in ignored
> >>> [Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) in ignored
> >>> [Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) in ignored
> >>> [Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) in ignored
> >>> [Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) in ignored
> >>> [Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) in ignored
> >>> [Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) in ignored
> >>> [Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) in ignored
> >>> [Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) in ignored
> >>> [Wed May 25 06:43:56 2011] [notice] caught SIGTERM, shutting down
> >>> [Wed May 25 06:43:56 2011] [notice] SELinux policy enabled; httpd running as context system_u:system_r:kernel_t:s0
> >>> [Wed May 25 06:43:57 2011] [notice] Digest: generating secret for digest authentication ...
> >>> [Wed May 25 06:43:57 2011] [notice] Digest: done
> >>> [Wed May 25 06:43:57 2011] [notice] Apache/2.2.17 (Unix) DAV/2 mod_auth_kerb/5.4 mod_nss/2.2.17 NSS/3.12.9.0 mod_wsgi/3.2 Python/2.7.1 configured -- resuming normal operations
> >>> [Wed May 25 06:44:04 2011] [error] ipa: INFO: *** PROCESS START ***
> >>> [Wed May 25 06:44:04 2011] [error] ipa: INFO: *** PROCESS START ***
> >>> [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140] mod_wsgi (pid=5192): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
> >>> [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140] Traceback (most recent call last):
> >>> [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]   File "/usr/share/ipa/wsgi.py", line 48, in application
> >>> [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]     return api.Backend.session(environ, start_response)
> >>> [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 141, in __call__
> >>> [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]     self.create_context(ccache=environ.get('KRB5CCNAME'))
> >>> [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]   File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 110, in create_context
> >>> [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]     self.Backend.ldap2.connect(ccache=ccache)
> >>> [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]   File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 62, in connect
> >>> [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]     conn = self.create_connection(*args, **kw)
> >>> [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]   File "/usr/lib/python2.7/site-packages/ipalib/encoder.py", line 188, in new_f
> >>> [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]     return f(*new_args, **kwargs)
> >>> [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line 337, in create_connection
> >>> [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]     _handle_errors(e, **{})
> >>> [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line 118, in _handle_errors
> >>> [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]     raise errors.DatabaseError(desc=desc, info=info)
> >>> [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140] DatabaseError: Local error: SASL(-1): generic failure: GSSAPI Error: An invalid name was supplied (Hostname cannot be canonicalized)
> >>> [Wed May 25 06:45:26 2011] [error] [client 10.16.78.140] mod_wsgi (pid=5193): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
> >>>
> >>>
> >>> You can check the problem on vm-140.idm.lab.bos.redhat.com if you want to.
> >>>
> >>> Martin
> >>
> >> The LDAP connection was still using the system hostname value. I added a
> >> conn.set_option(_ldap.OPT_HOST_NAME, api.env.host) in the two places we
> >> initialize an LDAP connection and that seems to have fixed it.
> >>
> >> Updated patch attached
> >>
> >> rob
> >
> > NACK. The problem on a master is gone. However, now ipa-replica-install
> > is failing:
> >
> > # ipa-replica-install /home/mkosek/replica-info-vm-027.idm.lab.bos.redhat.com.gpg
> > Directory Manager (existing master) password:
> >
> > creation of replica failed: Can't contact LDAP server:
> >
> >
> > I found out that the root cause of the failure is in the change you just
> > made in ldap2.py:
> >
> >     def create_connection(self, ccache=None, bind_dn='', bind_pw='',
> >             tls_cacertfile=None, tls_certfile=None, tls_keyfile=None,
> >             debug_level=0):
> >         ...
> >         try:
> >             conn = _ldap.initialize(self.ldap_uri)
> >             conn.set_option(_ldap.OPT_HOST_NAME, api.env.host)  <--
> >             if ccache is not None:
> >                 os.environ['KRB5CCNAME'] = ccache
> >         ...
> >
> > because api.env.host points to the local host and not the remote master.
> > When I commented this line out, installation continued OK. Then, it
> > crashed again with our "favorite" dogtag's "invalid clone_uri"
> > exception.
> >
> > Since we see this error also in other scenarios (not only custom
> > --hostname) and the root cause is not in your patch I can ACK your patch
> > 762 once the replica install bug is fixed.
> >
> > Martin
>
> Fixed both of these. We only need to set the hostname when using an
> ldapi URI, so fixed both of those.
>
> I also fixed the Invalid clone_uri bug. The problem was we weren't
> passing our new hostname to pkicreate so it was creating a CA for
> whatever the value of `hostname` was. There is an environment variable
> in pkicreate to pass in the hostname and doing that has fixed the problem.
>
> rob

Yes, this issue was fixed. It's good you found a way to deal with the
clone_uri problem. However, I still hit some issues:

1) I think we have some Kerberos related problems when the custom
hostname is used (ipa.idm.lab.bos.redhat.com on a
vm-096.idm.lab.bos.redhat.com). Named and SSSD refuse to start on the
system.

/var/log/messages:
May 30 05:04:35 vm-096 named[13932]: listening on IPv4 interface eth0, 10.16.78.96#53
May 30 05:04:35 vm-096 named[13932]: generating session key for dynamic DNS
May 30 05:04:36 vm-096 named[13932]: Failed to init credentials (Preauthentication failed)
May 30 05:04:36 vm-096 named[13932]: loading configuration: failure
May 30 05:04:36 vm-096 named[13932]: exiting (due to fatal error)
May 30 05:04:36 vm-096 systemd[1]: named.service: control process exited, code=exited status=7
May 30 05:04:36 vm-096 systemd[1]: Unit named.service entered failed state.
May 30 05:07:41 vm-096 sssd: Starting up
May 30 05:07:41 vm-096 sssd[be[idm.lab.bos.redhat.com]]: Starting up
May 30 05:07:41 vm-096 sssd[be[idm.lab.bos.redhat.com]]: Error processing keytab file [(null)]: Principal [host/vm-096.idm.lab.bos.redhat.com at IDM.LAB.BOS.REDHAT.COM] was not found. Unable to create GSSAPI-encrypted LDAP connection.

2) My dogtag powered replica still refuses to install (happened to me on
2 fresh VMs) with "creation of replica failed: Configuration of CA
failed". I investigated the ipareplica-install.log and found an error
that may be relevant. Maybe Ade will recognize some of them.

#############################################
Attempting to connect to: vm-028.idm.lab.bos.redhat.com:9445
Connected.
Posting Query = https://vm-028.idm.lab.bos.redhat.com:9445//ca/admin/console/config/wizard?p=9&op=next&xml=true&host=vm-028.idm.lab.bos.redhat.com&port=7389&binddn=cn%3DDirectory+Manager&__bindpwd=XXXXXXXX&basedn=o%3Dipaca&database=ipaca&display=%24displayStr&cloneStartTLS=on
RESPONSE STATUS: HTTP/1.1 200 OK
RESPONSE HEADER: Server: Apache-Coyote/1.1
RESPONSE HEADER: Content-Type: application/xml;charset=UTF-8
RESPONSE HEADER: Date: Mon, 30 May 2011 11:26:29 GMT
RESPONSE HEADER: Connection: close
...
admin/console/config/databasepanel.vm clone 7389 (sensitive) on vm-028.idm.lab.bos.redhat.com
Master and clone should have the same base DN

The CA installation fails a few error messages later. Providing an excerpt
of CA logs as they may be relevant:

/var/log/pki-ca/catalina.out:
...
CMS Warning: FAILURE: Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate|FAILURE: authz instance DirAclAuthz initialization failed and skipped, error=Property internaldb.ldapconn.port missing value|
...
[Fatal Error] :2:15: Open quote is expected for attribute "BGCOLOR" associated with an element type "BODY".

/var/log/pki-ca/system:
2893.main - [30/May/2011:07:25:47 EDT] [3] [3] Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate
2893.main - [30/May/2011:07:25:47 EDT] [13] [3] authz instance DirAclAuthz initialization failed and skipped, error=Property internaldb.ldapconn.port missing value

Martin

From mkosek at redhat.com Mon May 30 12:57:25 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 30 May 2011 14:57:25 +0200
Subject: [Freeipa-devel] [PATCH] 071 Fix forward zone creation in ipa-replica-prepare
Message-ID: <1306760247.2427.21.camel@dhcp-25-52.brq.redhat.com>

This case was missed in patch 070 Fix reverse zone creation in
ipa-replica-prepare.

There are 2 patches, one for master and one for stable ipa-2-0 (without
the newest IP address enhancement).

Martin

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-071-fix-forward-zone-creation-in-ipa-replica-prepare.patch
Type: text/x-patch
Size: 1481 bytes
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-071-ipa-2-0.patch
Type: text/x-patch
Size: 1247 bytes

From ayoung at redhat.com Tue May 31 13:57:33 2011
From: ayoung at redhat.com (Adam Young)
Date: Tue, 31 May 2011 09:57:33 -0400
Subject: [Freeipa-devel] [PATCH] 0229-automount-delete-key
In-Reply-To: <4DE19959.4030405@redhat.com>
References: <4DE19959.4030405@redhat.com>
Message-ID: <4DE4F3CD.9020705@redhat.com>

On 05/28/2011 08:54 PM, Adam Young wrote:
>

JSL lint cleanup

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0229-1-automount-delete-key.patch
Type: text/x-patch
Size: 6938 bytes

From ayoung at redhat.com Tue May 31 14:00:15 2011
From: ayoung at redhat.com (Adam Young)
Date: Tue, 31 May 2011 10:00:15 -0400
Subject: [Freeipa-devel] [PATCH] 0229-automount-delete-key
In-Reply-To: <4DE4F3CD.9020705@redhat.com>
References: <4DE19959.4030405@redhat.com> <4DE4F3CD.9020705@redhat.com>
Message-ID: <4DE4F46F.9010204@redhat.com>

On 05/31/2011 09:57 AM, Adam Young wrote:
> On 05/28/2011 08:54 PM, Adam Young wrote:
>>
> JSL lint cleanup
>

rebased on top of recent changes

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0229-2-automount-delete-key.patch
Type: text/x-patch
Size: 6938 bytes

From ayoung at redhat.com Tue May 31 16:58:52 2011
From: ayoung at redhat.com (Adam Young)
Date: Tue, 31 May 2011 12:58:52 -0400
Subject: [Freeipa-devel] [PATCH] 0229-automount-delete-key
In-Reply-To: <4DE4F46F.9010204@redhat.com>
References: <4DE19959.4030405@redhat.com> <4DE4F3CD.9020705@redhat.com> <4DE4F46F.9010204@redhat.com>
Message-ID: <4DE51E4C.4020301@redhat.com>

I thought I had posted my work for indirect maps as a different patch,
but it appears not. This patch merged in delete key and indirect maps.

On 05/31/2011 10:00 AM, Adam Young wrote:
> On 05/31/2011 09:57 AM, Adam Young wrote:
>> On 05/28/2011 08:54 PM, Adam Young wrote:
>>>
>> JSL lint cleanup
>>
> rebased on top of recent changes
>

From ayoung at redhat.com Tue May 31 16:59:35 2011
From: ayoung at redhat.com (Adam Young)
Date: Tue, 31 May 2011 12:59:35 -0400
Subject: [Freeipa-devel] [PATCH] 0229-automount-delete-key
In-Reply-To: <4DE4F46F.9010204@redhat.com>
References: <4DE19959.4030405@redhat.com> <4DE4F3CD.9020705@redhat.com> <4DE4F46F.9010204@redhat.com>
Message-ID: <4DE51E77.6040303@redhat.com>

On 05/31/2011 10:00 AM, Adam Young wrote:
> On 05/31/2011 09:57 AM, Adam Young wrote:
>> On 05/28/2011 08:54 PM, Adam Young wrote:
>>>
>> JSL lint cleanup
>>
> rebased on top of recent changes
>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0229-4-automount-delete-key.patch
Type: text/x-patch
Size: 9754 bytes

From edewata at redhat.com Tue May 31 19:08:09 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 31 May 2011 14:08:09 -0500
Subject: [Freeipa-devel] [PATCH] 0229-automount-delete-key
In-Reply-To: <4DE51E77.6040303@redhat.com>
References: <4DE19959.4030405@redhat.com> <4DE4F3CD.9020705@redhat.com> <4DE4F46F.9010204@redhat.com> <4DE51E77.6040303@redhat.com>
Message-ID: <4DE53C99.7060405@redhat.com>

On 5/31/2011 11:59 AM, Adam Young wrote:
>

Some issues:

1. The labels for mount and parentmap fields in automount map are missing.

2. The mount and parentmap fields in automount map adder dialog show an
undo button. This can be fixed by adding "undo: false" parameter.

3. The Delete button remains disabled after selecting some automount keys
to be deleted.

4. Clicking 'Back to List' when viewing a map brings you back to the list
of locations. Is this still intentional? Perhaps the label should be
changed to 'Back to Locations' or simply hidden.

5. The conditional fields in IPA.dialog are a little bit limited because
there is only one set of conditional fields which has to be
enabled/disabled together. It might be better to replace the
'conditional' boolean parameter with 'field_group' then replace the
enable/disable methods to accept a field group. This could be done later.

6. The add() in IPA.automountmap_adder_dialog is probably unnecessary
because it's only calling the superclass's add() method.

7. The following assignment in automount.js line 158:

   var input = $('input[name="'+that.name+'"]', that.container);

could be moved to the beginning of the method to avoid reexecuting the
same jQuery selector.

8. In dialog.js line 626 and search.js line 253, the hasOwnProperty()
invocations are probably redundant because the key is obtained from the
object itself, so that method will always return true.

9. The "if (first)" statement in dialog.js line 628 will only append a
comma after the first key-value pair and nothing after that. This
statement probably should have been "if (!first)" and moved to the
beginning of the loop.

10. The 3rd level tab for automount key was removed. At this point does
it make sense to remove the 3rd level tabs completely?

11. The option values for automount map adder dialog could be simplified
to "direct" and "indirect".

--
Endi S. Dewata

From edewata at redhat.com Tue May 31 19:18:18 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 31 May 2011 14:18:18 -0500
Subject: [Freeipa-devel] [PATCH] 169 Added pagination for associations.
Message-ID: <4DE53EFA.2030407@redhat.com>

The association facet has been modified to support pagination. The UI
will show 20 members per page. There are buttons to go to a previous or
next page. There is also an input text to jump directly to a certain page.

Ticket #1011

--
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0169-Added-pagination-for-associations.patch
Type: text/x-patch
Size: 15877 bytes

From edewata at redhat.com Tue May 31 20:38:59 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 31 May 2011 15:38:59 -0500
Subject: [Freeipa-devel] [PATCH] 169 Added pagination for associations.
In-Reply-To: <4DE53EFA.2030407@redhat.com>
References: <4DE53EFA.2030407@redhat.com>
Message-ID: <4DE551E3.7050108@redhat.com>

On 5/31/2011 2:18 PM, Endi Sukma Dewata wrote:
> The association facet has been modified to support pagination. The
> UI will show 20 members per page. There are buttons to go to a
> previous or next page. There is also an input text to jump directly
> to a certain page.
>
> Ticket #1011

Attached is a new patch based on Adam's feedback.

Fixed performance issue by not requesting rights and all attributes for
associations. Postpone table.empty() invocation until the data for the
new page becomes available.

--
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0169-2-Added-pagination-for-associations.patch
Type: text/x-patch
Size: 16555 bytes

From edewata at redhat.com Tue May 31 21:18:31 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 31 May 2011 16:18:31 -0500
Subject: [Freeipa-devel] [PATCH] 169 Added pagination for associations.
In-Reply-To: <4DE551E3.7050108@redhat.com>
References: <4DE53EFA.2030407@redhat.com> <4DE551E3.7050108@redhat.com>
Message-ID: <4DE55B27.6030804@redhat.com>

On 5/31/2011 3:38 PM, Endi Sukma Dewata wrote:
> On 5/31/2011 2:18 PM, Endi Sukma Dewata wrote:
>> The association facet has been modified to support pagination. The
>> UI will show 20 members per page. There are buttons to go to a
>> previous or next page. There is also an input text to jump directly
>> to a certain page.
>>
>> Ticket #1011
>
> Attached is a new patch based on Adam's feedback.
>
> Fixed performance issue by not requesting rights and all attributes for
> associations. Postpone table.empty() invocation until the data for the
> new page becomes available.

Attached is a new patch. Due to a separate issue (the show command
returns an incomplete set of attributes) the 'all' option is required
for now. This option can be removed later when the issue is addressed.

--
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0169-3-Added-pagination-for-associations.patch
Type: text/x-patch
Size: 16597 bytes

From ayoung at redhat.com Tue May 31 21:29:29 2011
From: ayoung at redhat.com (Adam Young)
Date: Tue, 31 May 2011 17:29:29 -0400
Subject: [Freeipa-devel] [PATCH] 169 Added pagination for associations.
In-Reply-To: <4DE55B27.6030804@redhat.com>
References: <4DE53EFA.2030407@redhat.com> <4DE551E3.7050108@redhat.com> <4DE55B27.6030804@redhat.com>
Message-ID: <4DE55DB9.3000306@redhat.com>

On 05/31/2011 05:18 PM, Endi Sukma Dewata wrote:
> On 5/31/2011 3:38 PM, Endi Sukma Dewata wrote:
>> On 5/31/2011 2:18 PM, Endi Sukma Dewata wrote:
>>> The association facet has been modified to support pagination. The
>>> UI will show 20 members per page. There are buttons to go to a
>>> previous or next page. There is also an input text to jump directly
>>> to a certain page.
>>>
>>> Ticket #1011
>>
>> Attached is a new patch based on Adam's feedback.
>>
>> Fixed performance issue by not requesting rights and all attributes for
>> associations. Postpone table.empty() invocation until the data for the
>> new page becomes available.
>
> Attached is a new patch. Due to a separate issue (the show command
> returns an incomplete set of attributes) the 'all' option is required
> for now. This option can be removed later when the issue is addressed.
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

ACK. Pushed to master

From adam at younglogic.com Tue May 31 21:50:00 2011
From: adam at younglogic.com (Adam Young)
Date: Tue, 31 May 2011 17:50:00 -0400
Subject: [Freeipa-devel] [PATCH] 0230-redirect-on-show-erro
Message-ID: <4DE56288.1030002@younglogic.com>

https://fedorahosted.org/freeipa/ticket/1227

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0230-redirect-on-show-error.patch
Type: text/x-patch
Size: 1545 bytes

From JR.Aquino at citrix.com Tue May 31 22:03:10 2011
From: JR.Aquino at citrix.com (JR Aquino)
Date: Tue, 31 May 2011 22:03:10 +0000
Subject: [Freeipa-devel] [PATCH] 24 Add sudorule and hbacrule to memberof AND indirectmemberof attributes
In-Reply-To: <4DD68978.3040409@redhat.com>
References: <36AD4E47-C1BE-4603-8578-1823F2C89892@citrixonline.com> <4DB1DCD6.1060606@redhat.com> <0B1CC5CC-F36C-4EA7-B30D-472539E64D7E@citrixonline.com> <4DC9FD7F.1090505@redhat.com> <4DC9FF25.8070501@redhat.com> <7D243923-B3F9-4284-9FAF-550AC9E86AEE@citrixonline.com> <4DD68978.3040409@redhat.com>
Message-ID: <35CEAC43-88AD-4D93-A2D3-BFD6EA13E8AD@citrixonline.com>

On May 20, 2011, at 8:32 AM, Rob Crittenden wrote:

> JR Aquino wrote:
>> On May 10, 2011, at 8:14 PM, Adam Young wrote:
>>
>>> On 05/10/2011 11:07 PM, Adam Young wrote:
>>>> On 05/10/2011 04:38 PM, JR Aquino wrote:
>>>>> On Apr 22, 2011, at 12:53 PM, Rob Crittenden wrote:
>>>>>
>>>>>> JR Aquino wrote:
>>>>>>
>>>>>>> On Apr 12, 2011, at 9:45 AM, JR Aquino wrote:
>>>>>>>
>>>>>>>> Add HBAC Rule and Sudo Rule to users as indirect member attributes
>>>>>>>> to simplify the auditing of users for their indirect membership to
>>>>>>>> their authorization rights.
>>>>>>>>
>>>>>>>> An Administrator should have the ability to quickly identify the
>>>>>>>> rights a user will have in the system.
>>>>>>>>
>>>>>>>> For example. With the patch added, my user show looks like this:
>>>>>>>>
>>>>>>>> # ipa user-show tester --all
>>>>>>>>   dn: uid=builder,cn=users,cn=accounts,dc=example,dc=com
>>>>>>>>   User login: tester
>>>>>>>>   First name: Tester
>>>>>>>>   Last name: Engineering
>>>>>>>>   Full name: Tester Engineering
>>>>>>>>   Display name: Tester Engineering
>>>>>>>>   Initials: TE
>>>>>>>>   Home directory: /home/tester
>>>>>>>>   GECOS field: Tester Engineering
>>>>>>>>   Login shell: /bin/sh
>>>>>>>>   Kerberos principal: tester@EXAMPLE.COM
>>>>>>>>   UID: 1829800388
>>>>>>>>   GID: 1829800388
>>>>>>>>   Account disabled: False
>>>>>>>>   Member of groups: ipausers, auto-dev-deploy-tools, build-integration
>>>>>>>>   ipauniqueid: 72fa22c6-6085-11e0-9629-0023aefe4ec0
>>>>>>>>   krbpwdpolicyreference: cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com
>>>>>>>>   memberofindirect_HBAC rule: development
>>>>>>>>   memberofindirect_Sudo Rule: AUTO-dev-deploy-tools_DEPLOY, AUTO-dev-deploy-tools_ZENOSS, build-integration
>>>>>>>>   mepmanagedentry: cn=tester,cn=groups,cn=accounts,dc=example,dc=com
>>>>>>>>   objectclass: top, person, organizationalperson, inetorgperson, inetuser, posixaccount
>>>>>>>>
>>>>>>> OPPS, forgot to have PATCH in the subject.
>>>>>>>
>>>>>> I think you need this as well, right?
>>>>>>
>>>>>> -        'memberof': ['group', 'netgroup', 'role'],
>>>>>> +        'memberof': ['group', 'netgroup', 'role', 'sudorule', 'hbacrule'],
>>>>>>
>>>>> Some scope change.
>>>>>
>>>>> Added memberof and memberofindirect
>>>>>
>>>>> Added to user.py host.py group.py hostgroup.py
>>>>>
>>>>> When using the --all flag it is now very clear to the administrator
>>>>> what authorization rules these objects are directly or indirectly a
>>>>> memberof.
>>>>>
>>>>> xmlrpc tests check out
>>>>>
>>>>> Please review
>>>>>
>>>>
>>>> The reason that this shows up in the UI is that it is generating
>>>> additional memberof attributes. It has nothing to do with the
>>>> memberofindirect:
>>>
>>> You are also going to need to modify the sudo rule and HBAC rule to
>>> use the serial associator on some facets. It looks like group at least
>>> has things backwards. The group.js file I think needs a rule like
>>> this:
>>>
>>>     association_facet({
>>>         name: 'memberof_sudorule',
>>>         associator: IPA.serial_associator
>>>     }).
>>>
>>> This is because the API is for adding multiple groups to the sudo
>>> rule, but the default behaviour is for adding multiple <other entity>
>>> to.
>>
>> The above comment is regarding ticket:
>> https://fedorahosted.org/freeipa/ticket/1218 which is dependent on
>> this patch and ticket 1170
>>
>> As for Patch 24 and ticket 1170, are there any other questions or does
>> this look ready to go?
>
> Nack, this adds some additional API that isn't in API.txt.
>
> It would be nice to add test cases for this as well, perhaps in the sudo
> and hbac tests (create a rule, add a user to it, make sure when showing
> the user you can see the rule).

New patch attached to address API and Tests.

(Please note Ticket# 1263 in case there are problems testing)

Please review and ack

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jraquino-0024-Add-sudorule-and-hbacrule-to-memberof-indirectmemberof-attrib.patch
Type: application/octet-stream
Size: 15977 bytes
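The audit value of the patch discussed in the thread above is the split between what an entry is a member of directly (memberof) and what it inherits through group nesting (memberofindirect), so that "which sudo and HBAC rules does this user end up in" can be answered without walking the tree by hand. The following is an added example, not code from JR's patch or from FreeIPA itself: it resolves both sets over a small constructed directory snapshot and also answers the reverse question (who can use a given rule). The container DNs, the entry names and the rule that memberofindirect is the transitive closure of memberof minus the direct memberof set are assumptions made for the example; they are modelled on the user-show output quoted above, not taken from the patch.

```python
"""Added example: resolve direct and indirect membership for audit.

Constructed data; not FreeIPA code. Container DNs and the closure-minus-direct
definition of memberofindirect are assumptions for this example.
"""
from collections import deque

BASE = "dc=example,dc=com"
# kind -> (naming attribute, container DN); assumed layout for the example
CONTAINERS = {
    "user": ("uid", f"cn=users,cn=accounts,{BASE}"),
    "group": ("cn", f"cn=groups,cn=accounts,{BASE}"),
    "hbacrule": ("cn", f"cn=hbac,{BASE}"),
    "sudorule": ("cn", f"cn=sudorules,cn=sudo,{BASE}"),
}
LABELS = {"group": "groups", "hbacrule": "HBAC rule", "sudorule": "Sudo Rule"}


def dn(kind, name):
    attr, container = CONTAINERS[kind]
    return f"{attr}={name},{container}"


def kind_of(entry_dn):
    for kind, (attr, container) in CONTAINERS.items():
        if entry_dn.startswith(attr + "=") and entry_dn.endswith("," + container):
            return kind
    raise ValueError(f"unknown container for {entry_dn}")


def name_of(entry_dn):
    return entry_dn.split(",", 1)[0].split("=", 1)[1]


# Constructed snapshot: entry DN -> DNs it is a DIRECT member of (the `member`
# attribute of the target, seen from the member's side). Names follow the
# quoted user-show output; bob/alice/carol and the loop-* groups are added to
# exercise nesting, direct rule membership and a misconfigured group cycle.
DIRECTORY = {
    dn("user", "tester"): [dn("group", "ipausers"),
                           dn("group", "auto-dev-deploy-tools"),
                           dn("group", "build-integration")],
    dn("user", "bob"): [dn("group", "deployers")],
    dn("user", "alice"): [dn("sudorule", "build-integration")],
    dn("user", "carol"): [dn("group", "loop-a")],
    dn("group", "ipausers"): [],
    dn("group", "deployers"): [dn("group", "auto-dev-deploy-tools")],
    dn("group", "auto-dev-deploy-tools"): [dn("sudorule", "AUTO-dev-deploy-tools_DEPLOY"),
                                           dn("sudorule", "AUTO-dev-deploy-tools_ZENOSS"),
                                           dn("hbacrule", "development")],
    dn("group", "build-integration"): [dn("sudorule", "build-integration")],
    dn("group", "loop-a"): [dn("group", "loop-b")],  # cycle: the walk must
    dn("group", "loop-b"): [dn("group", "loop-a")],  # still terminate
}


def closure(start, directory=DIRECTORY):
    """Every DN reachable from `start` along memberof edges (breadth-first,
    with a visited set so nested-group cycles terminate)."""
    seen, queue = set(), deque(directory.get(start, []))
    while queue:
        cur = queue.popleft()
        if cur in seen:
            continue
        seen.add(cur)
        queue.extend(directory.get(cur, []))
    return seen


def memberships(entry_dn, directory=DIRECTORY):
    """Split the closure into memberof (direct) and memberofindirect
    (reachable only through another entry), grouped by target kind."""
    direct = set(directory.get(entry_dn, []))
    indirect = closure(entry_dn, directory) - direct

    def by_kind(dns):
        out = {k: [] for k in LABELS}
        for d in dns:
            out[kind_of(d)].append(name_of(d))
        return {k: sorted(v) for k, v in out.items()}

    return {"memberof": by_kind(direct), "memberofindirect": by_kind(indirect)}


def render(entry_dn, directory=DIRECTORY):
    """Lines in the style of the quoted `ipa user-show --all` output."""
    m = memberships(entry_dn, directory)
    lines = [f"Member of {LABELS[k]}: {', '.join(v)}"
             for k, v in m["memberof"].items() if v]
    lines += [f"memberofindirect_{LABELS[k]}: {', '.join(v)}"
              for k, v in m["memberofindirect"].items() if v]
    return lines


def who_can(rule_dn, directory=DIRECTORY):
    """Reverse audit: users with a direct or indirect path to `rule_dn`."""
    return sorted(name_of(d) for d in directory
                  if kind_of(d) == "user" and rule_dn in closure(d, directory))


if __name__ == "__main__":
    for line in render(dn("user", "tester")):
        print(line)
    print("can use build-integration:", who_can(dn("sudorule", "build-integration")))
```

An entry that is both a direct member of a rule and reachable through a group is reported under memberof only, which is why the example subtracts the direct set rather than recording every path; an auditor who wants the paths themselves would keep the BFS predecessor map instead of just the visited set.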
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 31 May 2011 17:14:00 -0500
Subject: [Freeipa-devel] [PATCH] 170 Fixed pagination problem.
Message-ID: <4DE56828.4030502@redhat.com>

The association table needs to be emptied if there are no entries.

Pushed under one-liner rule.

--
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0170-Fixed-pagination-problem.patch
Type: text/x-patch
Size: 847 bytes

From edewata at redhat.com Tue May 31 22:33:09 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 31 May 2011 17:33:09 -0500
Subject: [Freeipa-devel] [PATCH] 0230-redirect-on-show-erro
In-Reply-To: <4DE56288.1030002@younglogic.com>
References: <4DE56288.1030002@younglogic.com>
Message-ID: <4DE56CA5.9000900@redhat.com>

On 5/31/2011 4:50 PM, Adam Young wrote:
> https://fedorahosted.org/freeipa/ticket/1227

ACK and pushed to master.

This patch fixes the details page, but for some entities the default
facet is association instead of details. It can be fixed in another
patch.

--
Endi S. Dewata