From edewata at redhat.com  Sat Oct  1 03:38:22 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 30 Sep 2011 22:38:22 -0500
Subject: [Freeipa-devel] [PATCH] 285 Added confirmation when adding
	multiple entries.
In-Reply-To: <4E8256AA.3040507@redhat.com>
References: <4E823994.7020604@redhat.com> <4E8256AA.3040507@redhat.com>
Message-ID: <4E868B2E.7060604@redhat.com>

On 9/27/2011 6:05 PM, Endi Sukma Dewata wrote:
> On 9/27/2011 4:01 PM, Endi Sukma Dewata wrote:
>> The adder dialog has been modified to show a confirmation message
>> after each successful addition.
>>
>> Ticket #1786
>
> Rebased on top of 286 (because 286 needs to go to ipa-2-1 branch).

Rebased on top of 292.


-- 
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0285-3-Added-confirmation-when-adding-multiple-entries.patch
Type: text/x-patch
Size: 10920 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20110930/a8d30791/attachment.bin>

From edewata at redhat.com  Sat Oct  1 03:42:17 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 30 Sep 2011 22:42:17 -0500
Subject: [Freeipa-devel] [PATCH] 293 Added selectable labels for radio
	buttons.
Message-ID: <4E868C19.6040001@redhat.com>

The radio buttons in association facet and radio widget are now
linked to their labels so that they can be selected by clicking
the labels.

Ticket #1782

-- 
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0293-Added-selectable-labels-for-radio-buttons.patch
Type: text/x-patch
Size: 3602 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20110930/b031c67f/attachment.bin>

From jcholast at redhat.com  Sat Oct  1 17:45:27 2011
From: jcholast at redhat.com (Jan Cholasta)
Date: Sat, 01 Oct 2011 19:45:27 +0200
Subject: [Freeipa-devel] [PATCH] 129 migrate process cannot handle
 multivalued pkey attribute
In-Reply-To: <1317290498.13820.5.camel@dhcp-25-52.brq.redhat.com>
References: <1317290498.13820.5.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4E8751B7.9090408@redhat.com>

On 29.9.2011 12:01, Martin Kosek wrote:
> When group/user is migrated, the attribute used for RDN may be
> multivalued. Make sure that we pick the value used in the RDN
> which should be the unique one and not just the first one.
>
> https://fedorahosted.org/freeipa/ticket/1892
>

Every time you do "import *", god kills a kitten. Also, it pollutes the 
module namespace with unnecessary symbols and decreases code readability.

I'm a bit puzzled why do you do this:
+                    try:
+                        pkey = dn[ldap_obj.primary_key.name].lower()
+                    except KeyError:
+                        failed[ldap_obj_name][str(dn)] = 
unicode(_rdn_err_msg)
+                        continue

and not just this:
+                    pkey = ava.value.lower()

Besides that, the issue seems to be fixed.

Honza

-- 
Jan Cholasta



From pvoborni at redhat.com  Mon Oct  3 07:48:40 2011
From: pvoborni at redhat.com (Petr Vobornik)
Date: Mon, 03 Oct 2011 09:48:40 +0200
Subject: [Freeipa-devel] [PATCH] 291 I18n clean-up.
In-Reply-To: <4E863E18.1040803@redhat.com>
References: <4E863E18.1040803@redhat.com>
Message-ID: <4E8968D8.8030708@redhat.com>

On 10/01/2011 12:09 AM, Endi Sukma Dewata wrote:
> The hard-coded 'undo' and 'undo all' labels have been moved into
> internal.py to allow translation.
>
> Ticket #1897

ACK

-- 
Petr Vobornik



From mkosek at redhat.com  Mon Oct  3 07:54:49 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 03 Oct 2011 09:54:49 +0200
Subject: [Freeipa-devel] [PATCH] 129 migrate process cannot handle
 multivalued pkey attribute
In-Reply-To: <4E8751B7.9090408@redhat.com>
References: <1317290498.13820.5.camel@dhcp-25-52.brq.redhat.com>
	<4E8751B7.9090408@redhat.com>
Message-ID: <1317628491.5905.13.camel@dhcp-25-52.brq.redhat.com>

On Sat, 2011-10-01 at 19:45 +0200, Jan Cholasta wrote:
> On 29.9.2011 12:01, Martin Kosek wrote:
> > When group/user is migrated, the attribute used for RDN may be
> > multivalued. Make sure that we pick the value used in the RDN
> > which should be the unique one and not just the first one.
> >
> > https://fedorahosted.org/freeipa/ticket/1892
> >
> 
> Every time you do "import *", god kills a kitten. Also, it pollutes the 
> module namespace with unnecessary symbols and decreases code readability.

World is not just black and white. In this case I think its OK since
ipalib/dn.py has a nice maintained __all__ list with all 3 DN related
classes. Thus. I see no namespace pollution.

> 
> I'm a bit puzzled why do you do this:
> +                    try:
> +                        pkey = dn[ldap_obj.primary_key.name].lower()
> +                    except KeyError:
> +                        failed[ldap_obj_name][str(dn)] = 
> unicode(_rdn_err_msg)
> +                        continue
> 
> and not just this:
> +                    pkey = ava.value.lower()

Good point. Updated patch attached.

Martin

> 
> Besides that, the issue seems to be fixed.
> 
> Honza
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-129-2-migrate-process-cannot-handle-multivalued-pkey-attri.patch
Type: text/x-patch
Size: 2517 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111003/402f561d/attachment.bin>

From jcholast at redhat.com  Mon Oct  3 08:10:25 2011
From: jcholast at redhat.com (Jan Cholasta)
Date: Mon, 03 Oct 2011 10:10:25 +0200
Subject: [Freeipa-devel] [PATCH] 129 migrate process cannot handle
 multivalued pkey attribute
In-Reply-To: <1317628491.5905.13.camel@dhcp-25-52.brq.redhat.com>
References: <1317290498.13820.5.camel@dhcp-25-52.brq.redhat.com>
	<4E8751B7.9090408@redhat.com>
	<1317628491.5905.13.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4E896DF1.7050300@redhat.com>

On 3.10.2011 09:54, Martin Kosek wrote:
> On Sat, 2011-10-01 at 19:45 +0200, Jan Cholasta wrote:
>> On 29.9.2011 12:01, Martin Kosek wrote:
>>> When group/user is migrated, the attribute used for RDN may be
>>> multivalued. Make sure that we pick the value used in the RDN
>>> which should be the unique one and not just the first one.
>>>
>>> https://fedorahosted.org/freeipa/ticket/1892
>>>
>>
>> Every time you do "import *", god kills a kitten. Also, it pollutes the
>> module namespace with unnecessary symbols and decreases code readability.
>
> World is not just black and white. In this case I think its OK since
> ipalib/dn.py has a nice maintained __all__ list with all 3 DN related
> classes. Thus. I see no namespace pollution.

IMO it still somewhat decreases code readability. But, whatever, it's no 
showstopper.

>
>>
>> I'm a bit puzzled why do you do this:
>> +                    try:
>> +                        pkey = dn[ldap_obj.primary_key.name].lower()
>> +                    except KeyError:
>> +                        failed[ldap_obj_name][str(dn)] =
>> unicode(_rdn_err_msg)
>> +                        continue
>>
>> and not just this:
>> +                    pkey = ava.value.lower()
>
> Good point. Updated patch attached.
>
> Martin
>
>>
>> Besides that, the issue seems to be fixed.
>>
>> Honza
>>
>

ACK.

Honza

-- 
Jan Cholasta



From pvoborni at redhat.com  Mon Oct  3 08:33:32 2011
From: pvoborni at redhat.com (Petr Vobornik)
Date: Mon, 03 Oct 2011 10:33:32 +0200
Subject: [Freeipa-devel] [PATCH] 292 Disable sudo options Delete button
 if nothing selected.
In-Reply-To: <4E863E60.1070401@redhat.com>
References: <4E863E60.1070401@redhat.com>
Message-ID: <4E89735C.8010407@redhat.com>

On 10/01/2011 12:10 AM, Endi Sukma Dewata wrote:
> The Delete button for sudo options in sudo rule details page now
> will only work if there is at least one row selected.
>
> Ticket #1896

ACK


-- 
Petr Vobornik



From mkosek at redhat.com  Mon Oct  3 08:49:31 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 03 Oct 2011 10:49:31 +0200
Subject: [Freeipa-devel] [PATCH] 129 migrate process cannot handle
 multivalued pkey attribute
In-Reply-To: <4E896DF1.7050300@redhat.com>
References: <1317290498.13820.5.camel@dhcp-25-52.brq.redhat.com>
	<4E8751B7.9090408@redhat.com>
	<1317628491.5905.13.camel@dhcp-25-52.brq.redhat.com>
	<4E896DF1.7050300@redhat.com>
Message-ID: <1317631773.5905.36.camel@dhcp-25-52.brq.redhat.com>

On Mon, 2011-10-03 at 10:10 +0200, Jan Cholasta wrote:
> On 3.10.2011 09:54, Martin Kosek wrote:
> > On Sat, 2011-10-01 at 19:45 +0200, Jan Cholasta wrote:
> >> On 29.9.2011 12:01, Martin Kosek wrote:
> >>> When group/user is migrated, the attribute used for RDN may be
> >>> multivalued. Make sure that we pick the value used in the RDN
> >>> which should be the unique one and not just the first one.
> >>>
> >>> https://fedorahosted.org/freeipa/ticket/1892
> >>>
> >>
> >> Every time you do "import *", god kills a kitten. Also, it pollutes the
> >> module namespace with unnecessary symbols and decreases code readability.
> >
> > World is not just black and white. In this case I think its OK since
> > ipalib/dn.py has a nice maintained __all__ list with all 3 DN related
> > classes. Thus. I see no namespace pollution.
> 
> IMO it still somewhat decreases code readability. But, whatever, it's no 
> showstopper.
> 
> >
> >>
> >> I'm a bit puzzled why do you do this:
> >> +                    try:
> >> +                        pkey = dn[ldap_obj.primary_key.name].lower()
> >> +                    except KeyError:
> >> +                        failed[ldap_obj_name][str(dn)] =
> >> unicode(_rdn_err_msg)
> >> +                        continue
> >>
> >> and not just this:
> >> +                    pkey = ava.value.lower()
> >
> > Good point. Updated patch attached.
> >
> > Martin
> >
> >>
> >> Besides that, the issue seems to be fixed.
> >>
> >> Honza
> >>
> >
> 
> ACK.
> 
> Honza
> 

Pushed to master, ipa-2-1.

Martin



From mkosek at redhat.com  Mon Oct  3 10:36:47 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 03 Oct 2011 12:36:47 +0200
Subject: [Freeipa-devel] [PATCH] 133 Be more clear about selfsign option
Message-ID: <1317638208.5905.37.camel@dhcp-25-52.brq.redhat.com>

Installing IPA server --selfsign option is currently a one-way ticket
to server with limited certificate capabilities. Make sure that user
really want to install it by implementing the following steps:

- moving the option to the bottom of certificate options section
- adding a warning to ipa-server-install man page
- adding a warning to ipa-server-install help
- adding a warning to ipa-server-install configuration summary
  when one runs ipa-server-install

https://fedorahosted.org/freeipa/ticket/1908

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-133-be-more-clear-about-selfsign-option.patch
Type: text/x-patch
Size: 4033 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111003/104f720d/attachment.bin>

From mkosek at redhat.com  Mon Oct  3 13:18:47 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 03 Oct 2011 15:18:47 +0200
Subject: [Freeipa-devel] [PATCH] 291 I18n clean-up.
In-Reply-To: <4E8968D8.8030708@redhat.com>
References: <4E863E18.1040803@redhat.com> <4E8968D8.8030708@redhat.com>
Message-ID: <1317647929.5905.39.camel@dhcp-25-52.brq.redhat.com>

On Mon, 2011-10-03 at 09:48 +0200, Petr Vobornik wrote:
> On 10/01/2011 12:09 AM, Endi Sukma Dewata wrote:
> > The hard-coded 'undo' and 'undo all' labels have been moved into
> > internal.py to allow translation.
> >
> > Ticket #1897
> 
> ACK
> 

Pushed to master, ipa-2-1.

Martin



From mkosek at redhat.com  Mon Oct  3 13:19:19 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 03 Oct 2011 15:19:19 +0200
Subject: [Freeipa-devel] [PATCH] 292 Disable sudo options Delete button
 if nothing selected.
In-Reply-To: <4E89735C.8010407@redhat.com>
References: <4E863E60.1070401@redhat.com> <4E89735C.8010407@redhat.com>
Message-ID: <1317647961.5905.40.camel@dhcp-25-52.brq.redhat.com>

On Mon, 2011-10-03 at 10:33 +0200, Petr Vobornik wrote:
> On 10/01/2011 12:10 AM, Endi Sukma Dewata wrote:
> > The Delete button for sudo options in sudo rule details page now
> > will only work if there is at least one row selected.
> >
> > Ticket #1896
> 
> ACK
> 

Pushed to master, ipa-2-1.

Martin



From abokovoy at redhat.com  Mon Oct  3 13:44:23 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Mon, 3 Oct 2011 16:44:23 +0300
Subject: [Freeipa-devel] Fedora 16 support (systemd)
Message-ID: <20111003134422.GA7270@redhat.com>

Hi,

I was working for a month on systemd support for FreeIPA and now there 
is something you may try -- 
http://koji.fedoraproject.org/koji/taskinfo?taskID=3399157

Provided you have Fedora 16 + updates-testing install, provided that 
you get FreeIPA packages from the Koji task above, FreeIPA can be 
installed and configured on Fedora 16.

Note that systemd support *will not work* for anything before Fedora 
16 + current updates-testing as it requires very recent systemd 
version (at least 36-3 build in F16) and depends on very recent 
dogtag, 389ds, and tomcat6 packages.

Attached is also current patch to introduce systemd/fedora16 support. 
The patch is against ipa-2-1 branch, I have not checked how it applies 
to master yet.
-- 
/ Alexander Bokovoy
-------------- next part --------------
diff --git a/Makefile b/Makefile
index 9d88025..3cd08e2 100644
--- a/Makefile
+++ b/Makefile
@@ -8,7 +8,7 @@ PRJ_PREFIX=freeipa
 RPMBUILD ?= $(PWD)/rpmbuild
 TARGET ?= master
 
-SUPPORTED_PLATFORM=redhat
+SUPPORTED_PLATFORM ?= redhat
 
 # After updating the version in VERSION you should run the version-update
 # target.
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 8ebe189..2458eaa 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -28,6 +28,9 @@ BuildRequires:  389-ds-base-devel >= 1.2.9
 BuildRequires:  svrcore-devel
 BuildRequires:  /usr/share/selinux/devel/Makefile
 BuildRequires:  policycoreutils >= %{POLICYCOREUTILSVER}
+%if 0%{?fedora} >= 16
+BuildRequires:  systemd-units 
+%endif
 %endif
 BuildRequires:  nspr-devel
 BuildRequires:  nss-devel
@@ -89,7 +92,11 @@ Requires(pre): 389-ds-base >= 1.2.9.7-1
 Requires: openldap-clients
 Requires: nss
 Requires: nss-tools
+%if 0%{?fedora} >= 16
+Requires: krb5-server >= 1.9.1-15
+%else
 Requires: krb5-server
+%endif
 Requires: krb5-server-ldap
 Requires: krb5-pkinit-openssl
 Requires: cyrus-sasl-gssapi%{?_isa}
@@ -102,6 +109,11 @@ Requires: python-ldap
 Requires: python-krbV
 Requires: acl
 Requires: python-pyasn1 >= 0.0.9a
+%if 0%{?fedora} >= 16
+Requires: systemd-units >= 36-3
+Requires(pre): systemd-units
+Requires(post): systemd-units
+%endif
 %if 0%{?fedora} >= 15
 Requires: selinux-policy >= 3.9.16-18
 %else
@@ -109,6 +121,12 @@ Requires: selinux-policy >= 3.9.7-27
 %endif
 Requires(post): selinux-policy-base
 Requires: slapi-nis >= 0.21
+%if 0%{?fedora} >= 16
+Requires: pki-ca >= 9.0.14-1
+Requires: pki-silent >= 9.0.14-1
+# Only tomcat6 greater than this version provides proper systemd support
+Requires: tomcat6 >= 6.0.32-17
+%else
 %if 0%{?fedora} >= 15
 Requires: pki-ca >= 9.0.12
 Requires: pki-silent >= 9.0.12
@@ -116,13 +134,19 @@ Requires: pki-silent >= 9.0.12
 Requires: pki-ca >= 9.0.5
 Requires: pki-silent >= 9.0.5
 %endif
+%endif
 Requires: dogtag-pki-common-theme
 Requires: dogtag-pki-ca-theme
 %if 0%{?rhel}
 Requires: subscription-manager
 %endif
+%if 0%{?fedora} >= 16
+Requires(preun): python systemd-units
+Requires(postun): python systemd-units
+%else
 Requires(preun):  python initscripts chkconfig
 Requires(postun): python initscripts chkconfig
+%endif
 
 # We have a soft-requires on bind. It is an optional part of
 # IPA but if it is configured we need a way to require versions
@@ -251,6 +275,9 @@ package.
 %build
 export CFLAGS="$CFLAGS %{optflags}"
 export CPPFLAGS="$CPPFLAGS %{optflags}"
+%if 0%{?fedora} >= 16
+export SUPPORTED_PLATFORM=fedora16
+%endif
 make version-update
 cd ipa-client; ../autogen.sh --prefix=%{_usr} --sysconfdir=%{_sysconfdir} --localstatedir=%{_localstatedir} --libdir=%{_libdir} --mandir=%{_mandir}; cd ..
 %if ! %{ONLY_CLIENT}
@@ -312,7 +339,16 @@ mkdir -p %{buildroot}%{_sysconfdir}/httpd/conf.d/
 /bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa.conf
 /bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-pki-proxy.conf
 /bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf
-install -m755 ipa.init %{buildroot}%{_initrddir}/ipa
+%if 0%{?fedora} >= 16
+# Default to systemd initscripts for F16 and above
+mkdir -p %{buildroot}%{_unitdir}
+for i in ipa.service ipa_kpasswd.service ; do
+	install -m 644 init/systemd/$i %{buildroot}%{_unitdir}/$i
+done
+rm -f %{buildroot}%{_initrddir}/ipa_kpasswd
+%else
+install -m755 init/SystemV/ipa.init %{buildroot}%{_initrddir}/ipa
+%endif
 %endif
 
 mkdir -p %{buildroot}%{_sysconfdir}/ipa/
@@ -332,8 +368,14 @@ rm -rf %{buildroot}
 %if ! %{ONLY_CLIENT}
 %post server
 if [ $1 = 1 ]; then
+%if 0%{?fedora} >= 16
+# Use systemd scheme
+    /bin/systemctl --system daemon-reload 2>&1 || :
+%else
+# Use SystemV scheme only before F16
     /sbin/chkconfig --add ipa
     /sbin/chkconfig --add ipa_kpasswd
+%endif
 fi
 if [ $1 -gt 1 ] ; then
     /usr/sbin/ipa-upgradeconfig || :
@@ -342,14 +384,28 @@ fi
 
 %preun server
 if [ $1 = 0 ]; then
+%if 0%{?fedora} >= 16
+# Use systemd scheme
+    /bin/systemctl --quiet stop ipa.service || :
+    /bin/systemctl --quiet disable ipa.service || :
+%else
+# Use SystemV scheme only before F16
     /sbin/chkconfig --del ipa
     /sbin/chkconfig --del ipa_kpasswd
     /sbin/service ipa stop >/dev/null 2>&1 || :
+%endif
 fi
 
 %postun server
 if [ "$1" -ge "1" ]; then
+%if 0%{?fedora} >= 16
+# Use systemd scheme
+    /bin/systemctl --quiet is-active ipa.service >/dev/null && \
+    /bin/systemctl try-restart ipa.service >/dev/null 2>&1 || :
+%else
+# Use SystemV scheme only before F16
     /sbin/service ipa condrestart >/dev/null 2>&1 || :
+%endif
 fi
 
 %pre server-selinux
@@ -418,8 +474,15 @@ fi
 %{_sbindir}/ipa-upgradeconfig
 %{_sbindir}/ipa-compliance
 %{_sysconfdir}/cron.d/ipa-compliance
+%if 0%{?fedora} >= 16
+# Use systemd scheme
+%attr(644,root,root) %{_unitdir}/ipa.service
+%attr(644,root,root) %{_unitdir}/ipa_kpasswd.service
+%else
+# Use SystemV scheme only before F16
 %attr(755,root,root) %{_initrddir}/ipa
 %attr(755,root,root) %{_initrddir}/ipa_kpasswd
+%endif
 %dir %{python_sitelib}/ipaserver
 %{python_sitelib}/ipaserver/*
 %dir %{_usr}/share/ipa
@@ -550,6 +613,9 @@ fi
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/default.conf
 
 %changelog
+* Mon Oct 3 2011 Alexander Bokovoy <abokovoy at redhat.com> - 2.1.1-2
+- Default to systemd for Fedora 16 and onwards
+
 * Mon Sep 12 2011 Alexander Bokovoy <abokovoy at redhat.com> - 2.1.1-1
 - Make sure platform adaptation is packaged in -python sub-package
 
diff --git a/init/SystemV/ipa.init b/init/SystemV/ipa.init
new file mode 100644
index 0000000..ead7df0
--- /dev/null
+++ b/init/SystemV/ipa.init
@@ -0,0 +1,40 @@
+#!/bin/sh
+#
+# ipa    This starts and stops ipa controlled daemons
+#
+# chkconfig:   - 21 79
+# description: IPA Server
+# configdir:   /etc/ipa/
+#
+
+export SYSTEMCTL_SKIP_REDIRECT=1
+
+# Source function library.
+if [ -f /etc/rc.d/init.d/functions ] ; then
+. /etc/rc.d/init.d/functions
+fi
+# Source networking configuration.
+if [ -f /etc/sysconfig/network ] ; then
+. /etc/sysconfig/network
+fi
+
+# Check that networking is up.
+if [ "${NETWORKING}" = "no" ]
+then
+    echo "Networking is down"
+    exit 0
+fi
+
+case "$1" in
+    start|stop|restart|status)
+        /usr/sbin/ipactl $1
+        ;;
+    condrestart)
+        /sbin/service dirsrv status
+        RETVAL=$?
+        [ $RETVAL = 0 ] && /usr/sbin/ipactl restart
+        ;;
+    *)
+        echo "Usage: $0 {start|stop|status|restart|condrestart}"
+        exit 2
+esac
diff --git a/init/systemd/ipa.service b/init/systemd/ipa.service
new file mode 100644
index 0000000..ba27d1d
--- /dev/null
+++ b/init/systemd/ipa.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=Identity, Policy, Audit
+Requires=syslog.target network.target
+After=syslog.target network.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/sbin/ipactl start
+ExecStop=/usr/sbin/ipactl stop
+RemainAfterExit=yes
+TimeoutSec=0
+
+[Install]
+WantedBy=multi-user.target
diff --git a/init/systemd/ipa_kpasswd.service b/init/systemd/ipa_kpasswd.service
new file mode 100644
index 0000000..17aa463
--- /dev/null
+++ b/init/systemd/ipa_kpasswd.service
@@ -0,0 +1,10 @@
+[Unit]
+Description=IPA Kerberos password service
+Requires=krb5kdc.service
+Wants=krb5kdc.service
+
+[Service]
+Type=forking
+PIDFile=/var/run/ipa_kpasswd.pid
+ExecStart=/usr/sbin/ipa_kpasswd
+
diff --git a/install/tools/ipactl b/install/tools/ipactl
index 4055cf9..13e4b00 100755
--- a/install/tools/ipactl
+++ b/install/tools/ipactl
@@ -24,7 +24,7 @@ try:
     from ipaserver.install import service
     from ipapython import services as ipaservices
     from ipaserver.install.dsinstance import config_dirname, realm_to_serverid
-    from ipaserver.install.installutils import is_ipa_configured
+    from ipaserver.install.installutils import is_ipa_configured, wait_for_open_ports, wait_for_open_socket
     from ipapython import sysrestore
     from ipapython import config
     from ipalib import api, errors
@@ -32,6 +32,7 @@ try:
     import logging
     import ldap
     import ldap.sasl
+    import ldapurl
     import socket
 except ImportError:
     print >> sys.stderr, """\
@@ -117,6 +118,15 @@ def get_config():
     attrs = ['cn', 'ipaConfigString']
 
     try:
+        # systemd services are so fast that we come here before
+        # Directory Server actually starts listening. Wait for
+        # the socket/port be really available.
+        lurl = ldapurl.LDAPUrl(api.env.ldap_uri)
+        if lurl.urlscheme == 'ldapi':
+            wait_for_open_socket(lurl.hostport, timeout=6)
+        else:
+            (host,port) = lurl.hostport.split(':')
+            wait_for_open_ports(host, [port], timeout=6)
         con = ldap.initialize(api.env.ldap_uri)
         con.sasl_interactive_bind_s('', SASL_EXTERNAL)
         res = con.search_st(base,
diff --git a/ipa.init b/ipa.init
deleted file mode 100755
index ead7df0..0000000
--- a/ipa.init
+++ /dev/null
@@ -1,40 +0,0 @@
-#!/bin/sh
-#
-# ipa    This starts and stops ipa controlled daemons
-#
-# chkconfig:   - 21 79
-# description: IPA Server
-# configdir:   /etc/ipa/
-#
-
-export SYSTEMCTL_SKIP_REDIRECT=1
-
-# Source function library.
-if [ -f /etc/rc.d/init.d/functions ] ; then
-. /etc/rc.d/init.d/functions
-fi
-# Source networking configuration.
-if [ -f /etc/sysconfig/network ] ; then
-. /etc/sysconfig/network
-fi
-
-# Check that networking is up.
-if [ "${NETWORKING}" = "no" ]
-then
-    echo "Networking is down"
-    exit 0
-fi
-
-case "$1" in
-    start|stop|restart|status)
-        /usr/sbin/ipactl $1
-        ;;
-    condrestart)
-        /sbin/service dirsrv status
-        RETVAL=$?
-        [ $RETVAL = 0 ] && /usr/sbin/ipactl restart
-        ;;
-    *)
-        echo "Usage: $0 {start|stop|status|restart|condrestart}"
-        exit 2
-esac
diff --git a/ipapython/config.py b/ipapython/config.py
index 051e39f..4e0fb11 100644
--- a/ipapython/config.py
+++ b/ipapython/config.py
@@ -178,7 +178,7 @@ def __discover_config(discover_server = True):
 
         if not config.default_domain:
             #try once with REALM -> domain
-            dom_name = config.default_realm.lower()
+            dom_name = config.default_realm.lower() #pylint: disable=E1103
             name = "_ldap._tcp."+dom_name+"."
             rs = ipapython.dnsclient.query(name, ipapython.dnsclient.DNS_C_IN, ipapython.dnsclient.DNS_T_SRV)
             rl = len(rs)
diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index cfc979e..52ff9e2 100644
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -1163,3 +1163,93 @@ def get_ipa_basedn(conn):
 
     return None
 
+def config_replace_variables(filepath, replacevars=dict(), appendvars=dict()):
+    """
+    Take a key=value based configuration file, and write new version 
+    with certain values replaced or appended 
+
+    All (key,value) pairs from replacevars and appendvars that were not found 
+    in the configuration file, will be added there.
+
+    It is responsibility of a caller to ensure that replacevars and
+    appendvars do not overlap.
+
+    It is responsibility of a caller to back up file.
+
+    returns dictionary of affected keys and their previous values
+
+    One have to run restore_context(filepath) afterwards or
+    security context of the file will not be correct after modification
+    """
+    pattern = re.compile('''
+(^
+                        \s*
+        (?P<option>     [^\#;]+?)
+                        (\s*=\s*)
+        (?P<value>      .+?)?
+                        (\s*((\#|;).*)?)?
+$)''', re.VERBOSE)
+    orig_stat = os.stat(filepath)
+    old_values = dict()
+    temp_filename = None
+    with tempfile.NamedTemporaryFile(delete=False) as new_config:
+        temp_filename = new_config.name
+        with open(filepath, 'r') as f:
+            for line in f:
+                new_line = line
+                m = pattern.match(line)
+                if m:
+                    option, value = m.group('option', 'value')
+                    if option is not None:
+                        if replacevars and option in replacevars:
+                            # replace value completely
+                            new_line = u"%s=%s\n" % (option, replacevars[option])
+                            old_values[option] = value
+                        if appendvars and option in appendvars:
+                            # append new value unless it is already existing in the original one
+                            if value.find(appendvars[option]) == -1:
+                                new_line = u"%s=%s %s\n" % (option, value, appendvars[option])
+                            old_values[option] = value
+                new_config.write(new_line)
+        # Now add all options from replacevars and appendvars that were not found in the file
+        new_vars = replacevars.copy()
+        new_vars.update(appendvars)
+        newvars_view = new_vars.viewkeys() - old_values.viewkeys()
+        append_view = (appendvars.viewkeys() - replacevars.viewkeys()) - old_values.viewkeys()
+        for item in newvars_view:
+            new_config.write("%s=%s\n" % (item,new_vars[item]))
+        for item in append_view:
+            new_config.write("%s=%s\n" % (item,appendvars[item]))
+        new_config.flush()
+        # Make sure the resulting file is readable by others before installing it
+        os.fchmod(new_config.fileno(), orig_stat.st_mode)
+        os.fchown(new_config.fileno(), orig_stat.st_uid, orig_stat.st_gid)
+
+    # At this point new_config is closed but not removed due to 'delete=False' above
+    # Now, install the temporary file as configuration and ensure old version is available as .orig
+    # While .orig file is not used during uninstall, it is left there for administrator.
+    install_file(temp_filename, filepath)
+
+    return old_values
+
+def backup_config_and_replace_variables(fstore, filepath, replacevars=dict(), appendvars=dict()):
+    """
+    Take a key=value based configuration file, back up it, and
+    write new version with certain values replaced or appended 
+
+    All (key,value) pairs from replacevars and appendvars that
+    were not found in the configuration file, will be added there.
+
+    It is responsibility of a caller to ensure that replacevars and
+    appendvars do not overlap.
+
+    returns dictionary of affected keys and their previous values
+
+    One have to run restore_context(filepath) afterwards or
+    security context of the file will not be correct after modification
+    """
+    # Backup original filepath
+    fstore.backup_file(filepath)
+    old_values = config_replace_variables(filepath, replacevars, appendvars)
+
+    return old_values
diff --git a/ipapython/platform/base.py b/ipapython/platform/base.py
index f9d4099..7e03f48 100644
--- a/ipapython/platform/base.py
+++ b/ipapython/platform/base.py
@@ -22,7 +22,7 @@ from ipalib.plugable import MagicDict
 # set them as in Red Hat distributions. Actual implementation should make them available
 # through knownservices.<name> and take care of remapping internally, if needed
 wellknownservices = ['certmonger', 'dirsrv', 'httpd', 'ipa', 'krb5kdc', 'messagebus',
-                     'nslcd', 'nscd', 'ntpd', 'portmap', 'rpcbind']
+                     'nslcd', 'nscd', 'ntpd', 'portmap', 'rpcbind', 'ipa_kpasswd']
 
 class AuthConfig(object):
     """
@@ -120,25 +120,25 @@ class PlatformService(object):
     def restart(self, instance_name="", capture_output=True):
         return
 
-    def is_running(self):
+    def is_running(self, instance_name=""):
         return False
 
     def is_installed(self):
         return False
 
-    def is_enabled(self):
+    def is_enabled(self, instance_name=""):
         return False
 
-    def enable(self):
+    def enable(self, instance_name=""):
         return
 
-    def disable(self):
+    def disable(self, instance_name=""):
         return
 
-    def install(self):
+    def install(self, instance_name=""):
         return
 
-    def remove(self):
+    def remove(self, instance_name=""):
         return
 
 class KnownServices(MagicDict):
diff --git a/ipapython/platform/fedora16.py b/ipapython/platform/fedora16.py
new file mode 100644
index 0000000..bad1fac
--- /dev/null
+++ b/ipapython/platform/fedora16.py
@@ -0,0 +1,113 @@
+# Author: Alexander Bokovoy <abokovoy at redhat.com>
+#
+# Copyright (C) 2011   Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.    See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+from ipapython import ipautil
+from ipapython.platform import base, redhat, systemd
+import os
+
+# All what we allow exporting directly from this module
+# Everything else is made available through these symbols when they directly imported into ipapython.services:
+# authconfig -- class reference for platform-specific implementation of authconfig(8)
+# service    -- class reference for platform-specific implementation of a PlatformService class
+# knownservices -- factory instance to access named services IPA cares about, names are ipapython.services.wellknownservices
+# backup_and_replace_hostname -- platform-specific way to set hostname and make it persistent over reboots
+# restore_context -- platform-sepcific way to restore security context, if applicable
+__all__ = ['authconfig', 'service', 'knownservices', 'backup_and_replace_hostname', 'restore_context']
+
+# For beginning just remap names to add .service
+# As more services will migrate to systemd, unit names will deviate and
+# mapping will be kept in this dictionary
+system_units = dict(map(lambda x: (x, "%s.service" % (x)), base.wellknownservices))
+
+# Rewrite dirsrv and pki-cad services as they support instances via separate service generator
+# To make this working, one needs to have both foo at .service and foo.target -- the latter is used
+# when request should be coming for all instances (like stop). systemd, unfortunately, does not allow
+# to request action for all service instances at once if only foo at .service unit is available.
+# To add more, if any of those services need to be started/stopped automagically, one needs to manually
+# create symlinks in /etc/systemd/system/foo.target.wants/ (look into systemd.py's enable() code).
+system_units['dirsrv'] = 'dirsrv at .service'
+# Our directory server instance for PKI is dirsrv at PKI-IPA.service
+system_units['pkids'] = 'dirsrv at PKI-IPA.service'
+# Our PKI instance is pki-cad at pki-ca.service
+system_units['pki-cad'] = 'pki-cad at pki-ca.service'
+
+class Fedora16Service(systemd.SystemdService):
+    def __init__(self, service_name):
+        if service_name in system_units:
+            service_name = system_units[service_name]
+        else:
+            if len(service_name.split('.')) == 1:
+                # if service_name does not have a dot, it is not foo.service and not a foo.target
+                # Thus, not correct service name for systemd, default to foo.service style then
+                service_name = "%s.service" % (service_name)
+        super(Fedora16Service, self).__init__(service_name)
+
+# Special handling of directory server service
+# LimitNOFILE needs to be increased or any value set in the directory for this value will fail
+# Read /lib/systemd/system/dirsrv at .service for details.
+# We do modification of LimitNOFILE on service.enable() but we also need to explicitly enable instances
+# to install proper symlinks as dirsrv.target.wants/ dependencies. Unfortunately, ipa-server-install
+# does not do explicit dirsrv.enable() because the service startup is handled by ipactl.
+# If we wouldn't do this, our instances will not be started as systemd would not have any clue
+# about instances (PKI-IPA and the domain we serve) at all. Thus, hook into dirsrv.restart().
+class Fedora16DirectoryService(Fedora16Service):
+    def enable(self, instance_name=""):
+        super(Fedora16DirectoryService, self).enable(instance_name)
+        srv_etc = os.path.join(self.SYSTEMD_ETC_PATH, self.service_name)
+        if os.path.exists(srv_etc):
+            # We need to enable LimitNOFILE=8192 in the dirsrv at .service
+            # We rely on the fact that [Service] section is the last one
+            # and if variable is not there, it will be added as the last line
+            replacevars = {'LimitNOFILE':'8192'}
+            ipautil.config_replace_variables(srv_etc, replacevars=replacevars)
+            redhat.restore_context(srv_etc)
+            ipautil.run(["/bin/systemctl", "--system", "daemon-reload"],raiseonerr=False)
+
+    def restart(self, instance_name="", capture_output=True):
+        if len(instance_name) > 0:
+            elements = self.service_name.split("@")
+            srv_etc = os.path.join(self.SYSTEMD_ETC_PATH, self.service_name)
+            srv_tgt = os.path.join(self.SYSTEMD_ETC_PATH, self.SYSTEMD_SRV_TARGET % (elements[0]))
+            srv_lnk = os.path.join(srv_tgt, self.service_instance(instance_name))
+            if not os.path.exists(srv_etc):
+                self.enable(instance_name)
+            elif not os.path.samefile(srv_etc, srv_lnk):
+                os.unlink(srv_lnk)
+                os.symlink(srv_etc, srv_lnk)
+        super(Fedora16DirectoryService, self).restart(instance_name, capture_output=capture_output)
+
+# Redirect directory server service through special sub-class due to its special handling of instances
+def f16_service(name):
+    if name == 'dirsrv':
+        return Fedora16DirectoryService(name)
+    return Fedora16Service(name)
+
+class Fedora16Services(base.KnownServices):
+    def __init__(self):
+        services = dict()
+        for s in base.wellknownservices:
+            services[s] = f16_service(s)
+        # Call base class constructor. This will lock services to read-only
+        super(Fedora16Services, self).__init__(services)
+
+authconfig = redhat.authconfig
+service = f16_service
+knownservices = Fedora16Services()
+restore_context = redhat.restore_context
+backup_and_replace_hostname = redhat.backup_and_replace_hostname
diff --git a/ipapython/platform/redhat.py b/ipapython/platform/redhat.py
index 6bf8bf3..d9de3ab 100644
--- a/ipapython/platform/redhat.py
+++ b/ipapython/platform/redhat.py
@@ -65,20 +65,20 @@ class RedHatService(base.PlatformService):
                 installed = False
         return installed
 
-    def is_enabled(self):
+    def is_enabled(self, instance_name=""):
         (stdout, stderr, returncode) = ipautil.run(["/sbin/chkconfig", self.service_name],raiseonerr=False)
         return (returncode == 0)
 
-    def enable(self):
+    def enable(self, instance_name=""):
         ipautil.run(["/sbin/chkconfig", self.service_name, "on"])
 
-    def disable(self):
+    def disable(self, instance_name=""):
         ipautil.run(["/sbin/chkconfig", self.service_name, "off"])
 
-    def install(self):
+    def install(self, instance_name=""):
         ipautil.run(["/sbin/chkconfig", "--add", self.service_name])
 
-    def remove(self):
+    def remove(self, instance_name=""):
         ipautil.run(["/sbin/chkconfig", "--del", self.service_name])
 
 class RedHatAuthConfig(base.AuthConfig):
@@ -133,48 +133,11 @@ def restore_context(filepath):
     ipautil.run(["/sbin/restorecon", filepath], raiseonerr=False)
 
 def backup_and_replace_hostname(fstore, statestore, hostname):
-    network_filename = "/etc/sysconfig/network"
-    # Backup original /etc/sysconfig/network
-    fstore.backup_file(network_filename)
-    hostname_pattern = re.compile('''
-(^
-                        \s*
-        (?P<option>     [^\#;]+?)
-                        (\s*=\s*)
-        (?P<value>      .+?)?
-                        (\s*((\#|;).*)?)?
-$)''', re.VERBOSE)
-    temp_filename = None
-    with tempfile.NamedTemporaryFile(delete=False) as new_config:
-        temp_filename = new_config.name
-        with open(network_filename, 'r') as f:
-            for line in f:
-                new_line = line
-                m = hostname_pattern.match(line)
-                if m:
-                    option, value = m.group('option', 'value')
-                    if option is not None and option == 'HOSTNAME':
-                        if value is not None and hostname != value:
-                            new_line = u"HOSTNAME=%s\n" % (hostname)
-                            statestore.backup_state('network', 'hostname', value)
-                new_config.write(new_line)
-        new_config.flush()
-        # Make sure the resulting file is readable by others before installing it
-        os.fchmod(new_config.fileno(), stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP | stat.S_IROTH)
-        os.fchown(new_config.fileno(), 0, 0)
-
-    # At this point new_config is closed but not removed due to 'delete=False' above
-    # Now, install the temporary file as configuration and ensure old version is available as .orig
-    # While .orig file is not used during uninstall, it is left there for administrator.
-    ipautil.install_file(temp_filename, network_filename)
-    try:
-        ipautil.run(['/bin/hostname', hostname])
-    except ipautil.CalledProcessError, e:
-        print >>sys.stderr, "Failed to set this machine hostname to %s (%s)." % (hostname, str(e))
-
-    # For SE Linux environments it is important to reset SE labels to the expected ones
-    try:
-        restore_context(network_filename)
-    except ipautil.CalledProcessError, e:
-        print >>sys.stderr, "Failed to set permissions for %s (%s)." % (network_filename, str(e))
+    replacevars = {'HOSTNAME':hostname}
+    old_values = ipautil.backup_config_and_replace_variables(fstore,
+                                                          "/etc/sysconfig/network", 
+                                                          replacevars=replacevars)
+    restore_context("/etc/sysconfig/network")
+    if old_values['HOSTNAME']:
+        statestore.backup_state('network', 'hostname', old_values['HOSTNAME'])
 
diff --git a/ipapython/platform/systemd.py b/ipapython/platform/systemd.py
new file mode 100644
index 0000000..e9990ab
--- /dev/null
+++ b/ipapython/platform/systemd.py
@@ -0,0 +1,204 @@
+# Author: Alexander Bokovoy <abokovoy at redhat.com>
+#
+# Copyright (C) 2011   Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.    See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+from ipapython import ipautil
+from ipapython.platform import base
+import sys, os, shutil
+
+class SystemdService(base.PlatformService):
+    SYSTEMD_ETC_PATH = "/etc/systemd/system/"
+    SYSTEMD_LIB_PATH = "/lib/systemd/system/"
+    SYSTEMD_SRV_TARGET = "%s.target.wants"
+
+    def __init__(self, service_name):
+        super(SystemdService, self).__init__(service_name)
+        self.lib_path = os.path.join(self.SYSTEMD_LIB_PATH, self.service_name)
+        self.lib_path_exists = None
+
+    def service_instance(self, instance_name):
+        if self.lib_path_exists is None:
+            self.lib_path_exists = os.path.exists(self.lib_path)
+
+        elements = self.service_name.split("@")
+
+        # Short-cut: if there is already exact service name, return it
+        if self.lib_path_exists and len(instance_name) == 0:
+            if len(elements) == 1:
+                # service name is like pki-cad.target or krb5kdc.service
+                return self.service_name
+            if len(elements) > 1 and elements[1][0] != '.':
+                # Service name is like pki-cad at pki-ca.service and that file exists
+                return self.service_name
+
+        if len(elements) > 1:
+            # We have dynamic service
+            if len(instance_name) > 0:
+                # Instanciate dynamic service
+                return "%s@%s.service" % (elements[0], instance_name)
+            else:
+                # No instance name, try with target
+                tgt_name = "%s.target" % (elements[0])
+                srv_lib = os.path.join(self.SYSTEMD_LIB_PATH, tgt_name)
+                if os.path.exists(srv_lib):
+                    return tgt_name
+
+        return self.service_name
+
+    def parse_variables(self, text, separator=None):
+        """
+        Parses 'systemctl show' output and returns a dict[variable]=value
+        Arguments: text -- 'systemctl show' output as string
+                   separator -- optional (defaults to None), what separates the key/value pairs in the text
+        """
+        def splitter(x, separator=None):
+            if len(x) > 1:
+                y = x.split(separator)
+                return (y[0], y[-1])
+            return (None,None)
+        return dict(map(lambda x: splitter(x, separator=separator), text.split("\n")))
+
+    def stop(self, instance_name="", capture_output=True):
+        ipautil.run(["/bin/systemctl", "stop", self.service_instance(instance_name)], capture_output=capture_output)
+
+    def start(self, instance_name="", capture_output=True):
+        ipautil.run(["/bin/systemctl", "start", self.service_instance(instance_name)], capture_output=capture_output)
+
+    def restart(self, instance_name="", capture_output=True):
+        # Restart command is broken before systemd-36-3.fc16
+        # If you have older systemd version, restart of dependent services will hang systemd indefinetly
+        ipautil.run(["/bin/systemctl", "restart", self.service_instance(instance_name)], capture_output=capture_output)
+
+    def is_running(self, instance_name=""):
+        ret = True
+        try:
+            (sout, serr, rcode) = ipautil.run(["/bin/systemctl", "is-active", self.service_instance(instance_name)],capture_output=True)
+            if rcode != 0:
+                ret = False
+        except ipautil.CalledProcessError:
+                ret = False
+        return ret
+
+    def is_installed(self):
+        installed = True
+        try:
+            (sout,serr,rcode) = ipautil.run(["/bin/systemctl", "list-unit-files", "--full"])
+            if rcode != 0:
+                installed = False
+            else:
+                svar = self.parse_variables(sout)
+                if not self.service_instance("") in svar:
+                    # systemd doesn't show the service
+                    installed = False
+        except ipautil.CalledProcessError, e:
+                installed = False
+        return installed
+
+    def is_enabled(self, instance_name=""):
+        enabled = True
+        try:
+            (sout,serr,rcode) = ipautil.run(["/bin/systemctl", "is-enabled", self.service_instance(instance_name)])
+            if rcode != 0:
+                enabled = False
+        except ipautil.CalledProcessError, e:
+                enabled = False
+        return enabled
+
+    def enable(self, instance_name=""):
+        if self.lib_path_exists is None:
+            self.lib_path_exists = os.path.exists(self.lib_path)
+        elements = self.service_name.split("@")
+        l = len(elements)
+
+        if self.lib_path_exists and (l > 1 and elements[1][0] != '.'):
+            # There is explicit service unit supporting this instance, follow normal systemd enabler
+            self.__enable(instance_name)
+            return
+
+        if self.lib_path_exists and (l == 1):
+            # There is explicit service unit which does not support the instances, ignore instance
+            self.__enable()
+            return
+
+        if len(instance_name) > 0 and l > 1:
+            # New instance, we need to do following:
+            # 1. Copy <service>@.service to /etc/systemd/system/ if it is not there
+            # 2. Make /etc/systemd/system/<service>.target.wants/ if it is not there
+            # 3. Link /etc/systemd/system/<service>.target.wants/<service>@<instance_name>.service to
+            #    /etc/systemd/system/<service>@.service
+            srv_etc = os.path.join(self.SYSTEMD_ETC_PATH, self.service_name)
+            srv_tgt = os.path.join(self.SYSTEMD_ETC_PATH, self.SYSTEMD_SRV_TARGET % (elements[0]))
+            srv_lnk = os.path.join(srv_tgt, self.service_instance(instance_name))
+            try:
+                if not ipautil.file_exists(srv_etc):
+                    shutil.copy(self.lib_path, srv_etc)
+                if not ipautil.dir_exists(srv_tgt):
+                    os.mkdir(srv_tgt)
+                if os.path.exists(srv_lnk):
+                    # Remove old link
+                    os.unlink(srv_lnk)
+                if not os.path.exists(srv_lnk):
+                    # object does not exist _or_ is a broken link
+                    if not os.path.islink(srv_lnk):
+                        # if it truly does not exist, make a link
+                        os.symlink(srv_etc, srv_lnk)
+                    else:
+                        # Link exists and it is broken, make new one
+                        os.unlink(srv_lnk)
+                        os.symlink(srv_etc, srv_lnk)
+                ipautil.run(["/bin/systemctl", "--system", "daemon-reload"])
+            except:
+                pass
+        else:
+            self.__enable(instance_name)
+
+    def disable(self, instance_name=""):
+        elements = self.service_name.split("@")
+        if instance_name != "" and len(elements) > 1:
+            # Remove instance, we need to do following:
+            #  Remove link from /etc/systemd/system/<service>.target.wants/<service>@<instance_name>.service 
+            #  to /etc/systemd/system/<service>@.service
+            srv_tgt = os.path.join(self.SYSTEMD_ETC_PATH, self.SYSTEMD_SRV_TARGET % (elements[0]))
+            srv_lnk = os.path.join(srv_tgt, self.service_instance(instance_name))
+            try:
+                if ipautil.dir_exists(srv_tgt):
+                    if os.path.islink(srv_lnk):
+                        os.unlink(srv_lnk)
+                ipautil.run(["/bin/systemctl", "--system", "daemon-reload"])
+            except:
+                pass
+        else:
+            self.__disable(instance_name)
+
+    def __enable(self, instance_name=""):
+        try:
+            ipautil.run(["/bin/systemctl", "enable", self.service_instance(instance_name)])
+        except ipautil.CalledProcessError, e:
+            pass
+
+    def __disable(self, instance_name=""):
+        try:
+            ipautil.run(["/bin/systemctl", "disable", self.service_instance(instance_name)])
+        except ipautil.CalledProcessError, e:
+            pass
+
+    def install(self):
+        self.enable()
+
+    def remove(self):
+        self.disable()
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 6a86e8c..385710d 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -375,7 +375,7 @@ class CADSInstance(service.Service):
     def restart_instance(self):
         try:
             ipaservices.knownservices.dirsrv.restart(self.serverid)
-            if not dsinstance.is_ds_running():
+            if not dsinstance.is_ds_running(self.serverid):
                 logging.critical("Failed to restart the directory server. See the installation log for details.")
                 sys.exit(1)
         except Exception:
@@ -690,7 +690,7 @@ class CAInstance(service.Service):
 
     def __restart_instance(self):
         try:
-            self.restart()
+            self.restart(PKI_INSTANCE_NAME)
             installutils.wait_for_open_ports('localhost', 9180, 300)
         except Exception:
             # TODO: roll back here?
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index ca93fe9..60d0a43 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -107,8 +107,8 @@ def check_ports():
     ds_secure = installutils.port_available(636)
     return (ds_unsecure, ds_secure)
 
-def is_ds_running():
-    return ipaservices.knownservices.dirsrv.is_running()
+def is_ds_running(server_id=''):
+    return ipaservices.knownservices.dirsrv.is_running(instance_name=server_id)
 
 def has_managed_entries(host_name, dm_password):
     """Check to see if the Managed Entries plugin is available"""
@@ -411,7 +411,7 @@ class DsInstance(service.Service):
     def restart(self, instance=''):
         try:
             super(DsInstance, self).restart(instance)
-            if not is_ds_running():
+            if not is_ds_running(instance):
                 logging.critical("Failed to restart the directory server. See the installation log for details.")
                 sys.exit(1)
             installutils.wait_for_open_ports('localhost', self.open_ports, 300)
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index 513dc55..ad89e87 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -352,28 +352,16 @@ class KrbInstance(service.Service):
             min = version.LooseVersion(MIN_KRB5KDC_WITH_WORKERS)
             if ver >= min:
                 workers = True
+        # Write down config file
+        # We write realm and also number of workers (for multi-CPU systems)
+        replacevars = {'KRB5REALM':self.realm}
+        appendvars = {}
         if workers and cpus > 1:
-            #read in memory, find KRB5KDC_ARGS, check/change it, then overwrite file
-            self.fstore.backup_file("/etc/sysconfig/krb5kdc")
-
-            need_w = True
-            fd = open("/etc/sysconfig/krb5kdc", "r")
-            lines = fd.readlines()
-            fd.close()
-            for line in lines:
-                sline = line.strip()
-                if not sline.startswith('KRB5KDC_ARGS'):
-                    continue
-                sline = sline.replace('"', '')
-                if sline.find("-w") != -1:
-                    need_w = False
-
-            if need_w:
-                fd = open("/etc/sysconfig/krb5kdc", "w")
-                for line in lines:
-                    fd.write(line)
-                fd.write('KRB5KDC_ARGS="${KRB5KDC_ARGS} -w %s"\n' % str(cpus))
-                fd.close()
+            appendvars = {'KRB5KDC_ARGS': "-w %s" % str(cpus)}
+        ipautil.backup_config_and_replace_variables(self.fstore, "/etc/sysconfig/krb5kdc",
+                                                    replacevars=replacevars,
+                                                    appendvars=appendvars)
+        ipaservices.restore_context("/etc/sysconfig/krb5kdc")
 
     def __write_stash_from_ds(self):
         try:

From mkosek at redhat.com  Mon Oct  3 14:04:16 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 03 Oct 2011 16:04:16 +0200
Subject: [Freeipa-devel] [PATCH] 134 Improve handling of GIDs when migrating
	groups
Message-ID: <1317650658.5905.45.camel@dhcp-25-52.brq.redhat.com>

Since IPA v2 server already contain predefined groups that may collide
with groups in migrated (IPA v1) server (for example admins, ipausers),
users having colliding group as their primary group may happen to belong
to an unknown group on new IPA v2 server.

Implement --group-overwrite-gid option to overwrite GID of already
existing groups to prevent this issue.

https://fedorahosted.org/freeipa/ticket/1866

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-134-improve-handling-of-gids-when-migrating-groups.patch
Type: text/x-patch
Size: 5932 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111003/f62f6986/attachment.bin>

From JR.Aquino at citrix.com  Mon Oct  3 17:33:43 2011
From: JR.Aquino at citrix.com (JR Aquino)
Date: Mon, 3 Oct 2011 17:33:43 +0000
Subject: [Freeipa-devel] HBAC Authorization Alternative to SSSD
Message-ID: <22CBBBA3-C99D-4FF3-92CF-7165588266B2@citrixonline.com>

Attached is a pam_python module that can be used to perform FreeIPA HBAC authorization in conjunction with pam_python.so (http://ace-host.stuart.id.au/russell/files/pam_python/)

I have been working on this for a while as an alternative to sssd on systems that cannot support the sssd installation.  There is no caching provided by this code, and is intended as a proof of concept or interim fix on a small scale.

I have been craving a more formal c code approach to this general method, but am not adept in the c language.  If anyone is feeling savoy, assistance in creating a more formal pam module would be very appreciated!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pam_pyauth.py
Type: text/x-python-script
Size: 12002 bytes
Desc: pam_pyauth.py
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111003/831ed80b/attachment.bin>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: ATT00001.txt
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111003/831ed80b/attachment.txt>

From rcritten at redhat.com  Mon Oct  3 19:16:31 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 03 Oct 2011 15:16:31 -0400
Subject: [Freeipa-devel] [PATCH] 877 prompt for current password
In-Reply-To: <1316786442.2447.35.camel@dhcp-25-52.brq.redhat.com>
References: <4E73A094.8060409@redhat.com> <4E76E616.5080208@redhat.com>
	<4E773D8B.3020801@redhat.com>
	<1316786442.2447.35.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4E8A0A0F.3010501@redhat.com>

Martin Kosek wrote:
> On Mon, 2011-09-19 at 09:03 -0400, Rob Crittenden wrote:
>> Jan Cholasta wrote:
>>> On 16.9.2011 21:16, Rob Crittenden wrote:
>>>> Prompt for the current password when changing your own password using
>>>> ipa passwd.
>>>>
>>>> I had to jump through several hoops with this:
>>>>
>>>> - Added a new sortorder option so the Current password is prompted first
>>>
>>> IMO something like "before='password'" would be more readable and
>>> probably less error-prone than "sortorder=-1".
>>
>> The params are sorted numerically based on whether they are required,
>> have a default, etc. A negative value means it will appear first. This
>> is intended to be generic enough without having to worry about nested
>> resolution (A before B, B before C, C before A).
>>
>>>
>>>> - Pass a magic value for current_password if changing someone else's
>>>> password
>>>>
>>>> NOTE: This breaks the API for passwd. There is no way around it. I have
>>>> this as a minor update as it won't cause older clients to blow up too
>>>> badly, but their passwd command won't work.
>>>>
>>>> rob
>>>>
>>>
>>> Honza
>>>
>
> Generally, it works fine except for the case when user passes its own
> user name. Do we want to support the following way?
>
> # klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: fbar at IDM.LAB.BOS.REDHAT.COM
>
> Valid starting     Expires            Service principal
> 09/23/11 09:48:05  09/24/11 09:48:05  krbtgt/IDM.LAB.BOS.REDHAT.COM at IDM.LAB.BOS.REDHAT.COM
>
> # ipa passwd fbar
> New Password:
> Enter New Password again to verify:
> ipa: ERROR: Insufficient access: Invalid credentials
>
> Maybe we could throw an error when user passes its own principal to ipa
> passwd command. After all, this argument is for changing _other_ user
> passwords.
>
> Martin
>

Fixed. The username wasn't being normalized into a principal until after 
the default was set (where we determine whether to prompt for current 
password).

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-877-2-passwd.patch
Type: text/x-patch
Size: 4473 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111003/2cfa5d17/attachment.bin>

From simo at redhat.com  Mon Oct  3 20:20:56 2011
From: simo at redhat.com (Simo Sorce)
Date: Mon, 03 Oct 2011 16:20:56 -0400
Subject: [Freeipa-devel] [PATCH] #1794 - Speed up replica setup
Message-ID: <1317673256.17819.13.camel@willson.li.ssimo.org>

Newer 389ds servers have a new option to have a different set of
filtered attributes from normal replication.

This has been added in order to allow DS to replicate memberof
attributes only during a total update so that we do not need to run a
fixup memberof task on a replica at install time.
This task is quite inefficient for big database and can take a long
time. By replicating memberof while the DB is locked we are guaranteed
the memberof list is consistent so we do not need a fixup.

This patch allows to enable this feature dynamically. If the server does
not yet support the new option it falls back to the previous behavior.

Fixes: https://fedorahosted.org/freeipa/ticket/1794

I am sending the patch but it has been jointly developed at various
stages by Nathan, JR, and me.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Replication-Adjust-replica-installation-to-omit-proc.patch
Type: text/x-patch
Size: 6040 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111003/bbc9e704/attachment.bin>

From rcritten at redhat.com  Mon Oct  3 20:44:18 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 03 Oct 2011 16:44:18 -0400
Subject: [Freeipa-devel] [PATCH] 884 migration context and logging
In-Reply-To: <1317135483.22256.2.camel@dhcp-25-52.brq.redhat.com>
References: <4E8133F5.5030108@redhat.com>
	<1317135483.22256.2.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4E8A1EA2.6030804@redhat.com>

Martin Kosek wrote:
> On Mon, 2011-09-26 at 22:24 -0400, Rob Crittenden wrote:
>> We can't assume that there will be only one naming context. Look at each
>> one until we find an IPA one.
>>
>> Add logging so you can know that a migration attempt fails and why.
>>
>> rob
>
> Looks good, its just difficult to set up a proper environment for
> reproduction. So far, I found just this problem:
>
> [Tue Sep 27 10:30:39 2011] [error] [client 10.34.25.52] mod_wsgi (pid=32705): Exception occurred processing WSGI script '/usr/share/ipa/migration/migration.py'.
> [Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52] Traceback (most recent call last):
> [Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52]   File "/usr/share/ipa/migration/migration.py", line 127, in application
> [Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52]     bind(form_data['username'].value, form_data['password'].value)
> [Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52]   File "/usr/share/ipa/migration/migration.py", line 107, in bind
> [Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52]     logging.error('migration bind failed: %s' % convert_exception(e))
>
> Martin
>

Just missed saving the exception as a variable, should work now.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-884-2-migration.patch
Type: text/x-patch
Size: 4505 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111003/c9759f54/attachment.bin>

From simo at redhat.com  Mon Oct  3 22:17:19 2011
From: simo at redhat.com (Simo Sorce)
Date: Mon, 03 Oct 2011 18:17:19 -0400
Subject: [Freeipa-devel] [PATCH] #1794 - Speed up replica setup
In-Reply-To: <1317673256.17819.13.camel@willson.li.ssimo.org>
References: <1317673256.17819.13.camel@willson.li.ssimo.org>
Message-ID: <1317680239.17819.19.camel@willson.li.ssimo.org>

On Mon, 2011-10-03 at 16:20 -0400, Simo Sorce wrote:
> Newer 389ds servers have a new option to have a different set of
> filtered attributes from normal replication.
> 
> This has been added in order to allow DS to replicate memberof
> attributes only during a total update so that we do not need to run a
> fixup memberof task on a replica at install time.
> This task is quite inefficient for big database and can take a long
> time. By replicating memberof while the DB is locked we are guaranteed
> the memberof list is consistent so we do not need a fixup.
> 
> This patch allows to enable this feature dynamically. If the server does
> not yet support the new option it falls back to the previous behavior.
> 
> Fixes: https://fedorahosted.org/freeipa/ticket/1794
> 
> I am sending the patch but it has been jointly developed at various
> stages by Nathan, JR, and me.
> 
> Simo.

After some thinking I found out that we cannot commit this patch until
the memberof plugin is converted to use the new transaction interfaces
for plugins, as otherwise it is possible to run into race conditions
where the member/memberof relations are not settled if a new replica is
installed while member attributes are being changed.

Granted the race is quite small and unlikely but real.
So please test and ack it, but we need to defer pushing to stable
branches until ds copes.
I think it is ok to push to master for testing, DS should have the
necessary support by the time we make another stable release from master
and in our test environments I am sure we will never hit the race.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



From JR.Aquino at citrix.com  Mon Oct  3 22:39:48 2011
From: JR.Aquino at citrix.com (JR Aquino)
Date: Mon, 3 Oct 2011 22:39:48 +0000
Subject: [Freeipa-devel] [PATCH] #1794 - Speed up replica setup
In-Reply-To: <1317680239.17819.19.camel@willson.li.ssimo.org>
References: <1317673256.17819.13.camel@willson.li.ssimo.org>
	<1317680239.17819.19.camel@willson.li.ssimo.org>
Message-ID: <743B56B8-94B8-4B32-8DBD-51A8DB2EEB0A@citrixonline.com>

On Oct 3, 2011, at 3:17 PM, Simo Sorce wrote:

> On Mon, 2011-10-03 at 16:20 -0400, Simo Sorce wrote:
>> Newer 389ds servers have a new option to have a different set of
>> filtered attributes from normal replication.
>> 
>> This has been added in order to allow DS to replicate memberof
>> attributes only during a total update so that we do not need to run a
>> fixup memberof task on a replica at install time.
>> This task is quite inefficient for big database and can take a long
>> time. By replicating memberof while the DB is locked we are guaranteed
>> the memberof list is consistent so we do not need a fixup.
>> 
>> This patch allows to enable this feature dynamically. If the server does
>> not yet support the new option it falls back to the previous behavior.
>> 
>> Fixes: https://fedorahosted.org/freeipa/ticket/1794
>> 
>> I am sending the patch but it has been jointly developed at various
>> stages by Nathan, JR, and me.
>> 
>> Simo.
> 
> After some thinking I found out that we cannot commit this patch until
> the memberof plugin is converted to use the new transaction interfaces
> for plugins, as otherwise it is possible to run into race conditions
> where the member/memberof relations are not settled if a new replica is
> installed while member attributes are being changed.
> 
> Granted the race is quite small and unlikely but real.
> So please test and ack it, but we need to defer pushing to stable
> branches until ds copes.
> I think it is ok to push to master for testing, DS should have the
> necessary support by the time we make another stable release from master
> and in our test environments I am sure we will never hit the race.

Do we know which 389-ds-base incorporates the new option?  I would like to test and ack, but I'm not sure if I have a fixed 389-ds-base installed.



From adam at younglogic.com  Mon Oct  3 23:38:08 2011
From: adam at younglogic.com (Adam Young)
Date: Mon, 03 Oct 2011 19:38:08 -0400
Subject: [Freeipa-devel] Mozilla Specific User Certificate Generation code:
Message-ID: <4E8A4760.80806@younglogic.com>

It is possible to generate a Certificate signing request from the 
browser, if we use Mozilla specific code.  I've mildly hacked the 
Mozilla sample code to work with JQuery and to display the CSR to the 
screen, instead of sending it right to the server.

I'd see this working something like this:

1.  add the certificate attribute to the user plugin.
2.  On the user page, if the principal of the user selected matches the 
kerberos principal for the logged user, show the certificate control
3.  The certificate control allows the user to request a new certificate.
4.  If the user has a certificate, the certificate control allow  the 
user to download the certificate.


I have to look into the details, but the certificate shoud only be 
useable by default in the browser that originally requested it.  
However, it is fairly easy to export the certificate, along with the 
primary keys that generated its CSR, such that it would be usable 
elsewhere: For example https://ca.cern.ch/ca/Help/?kbid=040111

This seems like fairly simple to implement.  We would not even have to 
extend the API.  We keep the certificate request separate from the user 
until it is signed, and then add it to the user object.  Thus it would 
be created as a side effect of:

  ipa cert-request --add --principal=abradley at DEV.EXAMPLE.COM abradley.csr




-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111003/bfd89c2c/attachment.html>

From rmeggins at redhat.com  Mon Oct  3 23:37:25 2011
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 03 Oct 2011 17:37:25 -0600
Subject: [Freeipa-devel] [PATCH] #1794 - Speed up replica setup
In-Reply-To: <743B56B8-94B8-4B32-8DBD-51A8DB2EEB0A@citrixonline.com>
References: <1317673256.17819.13.camel@willson.li.ssimo.org>	<1317680239.17819.19.camel@willson.li.ssimo.org>
	<743B56B8-94B8-4B32-8DBD-51A8DB2EEB0A@citrixonline.com>
Message-ID: <4E8A4735.3080201@redhat.com>

On 10/03/2011 04:39 PM, JR Aquino wrote:
> On Oct 3, 2011, at 3:17 PM, Simo Sorce wrote:
>
>> On Mon, 2011-10-03 at 16:20 -0400, Simo Sorce wrote:
>>> Newer 389ds servers have a new option to have a different set of
>>> filtered attributes from normal replication.
>>>
>>> This has been added in order to allow DS to replicate memberof
>>> attributes only during a total update so that we do not need to run a
>>> fixup memberof task on a replica at install time.
>>> This task is quite inefficient for big database and can take a long
>>> time. By replicating memberof while the DB is locked we are guaranteed
>>> the memberof list is consistent so we do not need a fixup.
>>>
>>> This patch allows to enable this feature dynamically. If the server does
>>> not yet support the new option it falls back to the previous behavior.
>>>
>>> Fixes: https://fedorahosted.org/freeipa/ticket/1794
>>>
>>> I am sending the patch but it has been jointly developed at various
>>> stages by Nathan, JR, and me.
>>>
>>> Simo.
>> After some thinking I found out that we cannot commit this patch until
>> the memberof plugin is converted to use the new transaction interfaces
>> for plugins, as otherwise it is possible to run into race conditions
>> where the member/memberof relations are not settled if a new replica is
>> installed while member attributes are being changed.
>>
>> Granted the race is quite small and unlikely but real.
>> So please test and ack it, but we need to defer pushing to stable
>> branches until ds copes.
>> I think it is ok to push to master for testing, DS should have the
>> necessary support by the time we make another stable release from master
>> and in our test environments I am sure we will never hit the race.
> Do we know which 389-ds-base incorporates the new option?  I would like to test and ack, but I'm not sure if I have a fixed 389-ds-base installed.
1.2.10.a1 - in updates-testing
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel



From mkosek at redhat.com  Tue Oct  4 06:57:27 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 04 Oct 2011 08:57:27 +0200
Subject: [Freeipa-devel] [PATCH] 884 migration context and logging
In-Reply-To: <4E8A1EA2.6030804@redhat.com>
References: <4E8133F5.5030108@redhat.com>
	<1317135483.22256.2.camel@dhcp-25-52.brq.redhat.com>
	<4E8A1EA2.6030804@redhat.com>
Message-ID: <1317711449.27486.10.camel@dhcp-25-52.brq.redhat.com>

On Mon, 2011-10-03 at 16:44 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > On Mon, 2011-09-26 at 22:24 -0400, Rob Crittenden wrote:
> >> We can't assume that there will be only one naming context. Look at each
> >> one until we find an IPA one.
> >>
> >> Add logging so you can know that a migration attempt fails and why.
> >>
> >> rob
> >
> > Looks good, its just difficult to set up a proper environment for
> > reproduction. So far, I found just this problem:
> >
> > [Tue Sep 27 10:30:39 2011] [error] [client 10.34.25.52] mod_wsgi (pid=32705): Exception occurred processing WSGI script '/usr/share/ipa/migration/migration.py'.
> > [Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52] Traceback (most recent call last):
> > [Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52]   File "/usr/share/ipa/migration/migration.py", line 127, in application
> > [Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52]     bind(form_data['username'].value, form_data['password'].value)
> > [Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52]   File "/usr/share/ipa/migration/migration.py", line 107, in bind
> > [Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52]     logging.error('migration bind failed: %s' % convert_exception(e))
> >
> > Martin
> >
> 
> Just missed saving the exception as a variable, should work now.
> 
> rob

Works fine, tested on multiple-suffix LDAP server. We should be also
fine when anonymous access is not allowed (Simo was dealing with this in
ipa-client-install in #1881) since migration.py binds via socket.

I have just one suggestion - instead of searching for correct naming
context on your own, you may want to use a function get_ipa_basedn() I
implemented for ipa-client-install (#1868). This will do all the checks
and return you just the IPA baseDN:

https://fedorahosted.org/freeipa/changeset/00cffce6c2ba0121188326535d6c9cd244a4ae5b

Martin



From mkosek at redhat.com  Tue Oct  4 07:05:49 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 04 Oct 2011 09:05:49 +0200
Subject: [Freeipa-devel] [PATCH] 877 prompt for current password
In-Reply-To: <4E8A0A0F.3010501@redhat.com>
References: <4E73A094.8060409@redhat.com> <4E76E616.5080208@redhat.com>
	<4E773D8B.3020801@redhat.com>
	<1316786442.2447.35.camel@dhcp-25-52.brq.redhat.com>
	<4E8A0A0F.3010501@redhat.com>
Message-ID: <1317711952.27486.14.camel@dhcp-25-52.brq.redhat.com>

On Mon, 2011-10-03 at 15:16 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > On Mon, 2011-09-19 at 09:03 -0400, Rob Crittenden wrote:
> >> Jan Cholasta wrote:
> >>> On 16.9.2011 21:16, Rob Crittenden wrote:
> >>>> Prompt for the current password when changing your own password using
> >>>> ipa passwd.
> >>>>
> >>>> I had to jump through several hoops with this:
> >>>>
> >>>> - Added a new sortorder option so the Current password is prompted first
> >>>
> >>> IMO something like "before='password'" would be more readable and
> >>> probably less error-prone than "sortorder=-1".
> >>
> >> The params are sorted numerically based on whether they are required,
> >> have a default, etc. A negative value means it will appear first. This
> >> is intended to be generic enough without having to worry about nested
> >> resolution (A before B, B before C, C before A).
> >>
> >>>
> >>>> - Pass a magic value for current_password if changing someone else's
> >>>> password
> >>>>
> >>>> NOTE: This breaks the API for passwd. There is no way around it. I have
> >>>> this as a minor update as it won't cause older clients to blow up too
> >>>> badly, but their passwd command won't work.
> >>>>
> >>>> rob
> >>>>
> >>>
> >>> Honza
> >>>
> >
> > Generally, it works fine except for the case when user passes its own
> > user name. Do we want to support the following way?
> >
> > # klist
> > Ticket cache: FILE:/tmp/krb5cc_0
> > Default principal: fbar at IDM.LAB.BOS.REDHAT.COM
> >
> > Valid starting     Expires            Service principal
> > 09/23/11 09:48:05  09/24/11 09:48:05  krbtgt/IDM.LAB.BOS.REDHAT.COM at IDM.LAB.BOS.REDHAT.COM
> >
> > # ipa passwd fbar
> > New Password:
> > Enter New Password again to verify:
> > ipa: ERROR: Insufficient access: Invalid credentials
> >
> > Maybe we could throw an error when user passes its own principal to ipa
> > passwd command. After all, this argument is for changing _other_ user
> > passwords.
> >
> > Martin
> >
> 
> Fixed. The username wasn't being normalized into a principal until after 
> the default was set (where we determine whether to prompt for current 
> password).
> 
> rob

I don't think this is the correct patch :-)

Martin



From jcholast at redhat.com  Tue Oct  4 08:07:59 2011
From: jcholast at redhat.com (Jan Cholasta)
Date: Tue, 04 Oct 2011 10:07:59 +0200
Subject: [Freeipa-devel] [PATCH] 51 Add a function for formatting network
	locations
Message-ID: <4E8ABEDF.4090902@redhat.com>

Add a function for formatting network locations of the form host:port 
for use in URLs.

If the host part is a literal IPv6 address, it must be enclosed in 
square brackets (RFC 2732).

https://fedorahosted.org/freeipa/ticket/1869

In the ticket it is suggested to create a host name and network address 
objects; I have created a new ticket for 3.0 to do that: 
https://fedorahosted.org/freeipa/ticket/1917

Honza

-- 
Jan Cholasta
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-51-network-location-format.patch
Type: text/x-patch
Size: 22631 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111004/10ef813a/attachment.bin>

From jcholast at redhat.com  Tue Oct  4 08:34:19 2011
From: jcholast at redhat.com (Jan Cholasta)
Date: Tue, 04 Oct 2011 10:34:19 +0200
Subject: [Freeipa-devel] [PATCH] 133 Be more clear about selfsign option
In-Reply-To: <1317638208.5905.37.camel@dhcp-25-52.brq.redhat.com>
References: <1317638208.5905.37.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4E8AC50B.4030907@redhat.com>

On 3.10.2011 12:36, Martin Kosek wrote:
> Installing IPA server --selfsign option is currently a one-way ticket
> to server with limited certificate capabilities. Make sure that user
> really want to install it by implementing the following steps:
>
> - moving the option to the bottom of certificate options section
> - adding a warning to ipa-server-install man page
> - adding a warning to ipa-server-install help
> - adding a warning to ipa-server-install configuration summary
>    when one runs ipa-server-install
>
> https://fedorahosted.org/freeipa/ticket/1908
>

ACK.

Honza

-- 
Jan Cholasta



From mkosek at redhat.com  Tue Oct  4 08:49:15 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 04 Oct 2011 10:49:15 +0200
Subject: [Freeipa-devel] [PATCH] 135 Install tools crash when password
	prompt is interrupted
Message-ID: <1317718161.27486.15.camel@dhcp-25-52.brq.redhat.com>

When getpass.getpass() function is interrupted via CTRL+D, EOFError
exception is thrown. Most of the install tools are not prepared for
this event and crash with this exception. Make sure that it is
handled properly and nice error message is printed.

https://fedorahosted.org/freeipa/ticket/1916

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-135-install-tools-crash.patch
Type: text/x-patch
Size: 15006 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111004/b2c504ff/attachment.bin>

From mkosek at redhat.com  Tue Oct  4 08:54:24 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 04 Oct 2011 10:54:24 +0200
Subject: [Freeipa-devel] [PATCH] 136 Fix ipa-managed-entries password option
	long form
Message-ID: <1317718466.27486.16.camel@dhcp-25-52.brq.redhat.com>

https://fedorahosted.org/freeipa/ticket/1913

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-136-fix-ipa-managed-entries-password-option-long-form.patch
Type: text/x-patch
Size: 1072 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111004/120f018b/attachment.bin>

From jcholast at redhat.com  Tue Oct  4 09:15:04 2011
From: jcholast at redhat.com (Jan Cholasta)
Date: Tue, 04 Oct 2011 11:15:04 +0200
Subject: [Freeipa-devel] [PATCH] ipa-pwd-extop: allow password change on
 all connections with SSF>1
In-Reply-To: <20110927081548.GD18636@localhost.localdomain>
References: <20110927081548.GD18636@localhost.localdomain>
Message-ID: <4E8ACE98.7060302@redhat.com>

On 27.9.2011 10:15, Sumit Bose wrote:
> Hi,
>
> currently the change password plugin does not check if the connection is
> coming from a local LDAPI socket and denies password change requests via
> LDAPI. This patch changes the check to just look at the overall SSF of
> the connection which covers all types of connection.
>
> There is a similar check in ipa_enrollment.c. But I think enrollments via
> LDAPI does not make much sense so it does not need to be changed.

IMHO it should be changed anyway, for the sake of consistency.

>
> This patch should fix https://fedorahosted.org/freeipa/ticket/1877.
>
> bye,
> Sumit
>

The patch has trailing whitespace on lines 20 and 32-35 and needs to be 
rebased.

Tested the patch with ldappasswd over ldap/ldaps/ldapi - works as expected.

Honza

-- 
Jan Cholasta



From mkosek at redhat.com  Tue Oct  4 09:30:35 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 04 Oct 2011 11:30:35 +0200
Subject: [Freeipa-devel] [PATCH] 133 Be more clear about selfsign option
In-Reply-To: <4E8AC50B.4030907@redhat.com>
References: <1317638208.5905.37.camel@dhcp-25-52.brq.redhat.com>
	<4E8AC50B.4030907@redhat.com>
Message-ID: <1317720638.27486.17.camel@dhcp-25-52.brq.redhat.com>

On Tue, 2011-10-04 at 10:34 +0200, Jan Cholasta wrote:
> On 3.10.2011 12:36, Martin Kosek wrote:
> > Installing IPA server --selfsign option is currently a one-way ticket
> > to server with limited certificate capabilities. Make sure that user
> > really want to install it by implementing the following steps:
> >
> > - moving the option to the bottom of certificate options section
> > - adding a warning to ipa-server-install man page
> > - adding a warning to ipa-server-install help
> > - adding a warning to ipa-server-install configuration summary
> >    when one runs ipa-server-install
> >
> > https://fedorahosted.org/freeipa/ticket/1908
> >
> 
> ACK.
> 
> Honza
> 

Pushed to master, ipa-2-1.

Martin



From abokovoy at redhat.com  Tue Oct  4 11:00:13 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 4 Oct 2011 14:00:13 +0300
Subject: [Freeipa-devel] [PATCH] 0016 Setup and restore ntp configuration on
	the
Message-ID: <20111004110013.GA2647@redhat.com>

client
Reply-To: 

Hi,

attached patch addresses ticket #1770.

-- 
/ Alexander Bokovoy
-------------- next part --------------
>From 6bb9520e2398a22c0264276171714ea5d201f83a Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy at redhat.com>
Date: Tue, 4 Oct 2011 13:56:12 +0300
Subject: [PATCH] Setup and restore ntp configuration on the client side
 properly

When setting up the client-side NTP configuration, make sure that /etc/ntp/step-tickers
point to IPA NTP server as well.
When restoring the client during ipa-client-install --uninstall, make sure NTP configuration
is fully restored and NTP service is disabled if it was disabled before the installation.

https://fedorahosted.org/freeipa/ticket/1770
---
 ipa-client/ipa-install/ipa-client-install |   19 ++++++++++-
 ipa-client/ipaclient/ntpconf.py           |   52 ++++++++++++++++++++--------
 2 files changed, 55 insertions(+), 16 deletions(-)

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 76f7f1913c804053edb8b90979286a0592fa5737..85f94074bfede3106b39e4d603d99d93930def5b 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -331,6 +331,23 @@ def uninstall(options, env, quiet=False):
                     emit_quiet(quiet, "Reboot command failed to exceute. " + str(e))
                     return CLIENT_UNINSTALL_ERROR
 
+    ntp_configured = statestore.has_state('ntp')
+    if ntp_configured:
+        ntp_enabled = statestore.restore_state('ntp', 'enabled')
+        ntp_step_tickers = statestore.restore_state('ntp', 'step-tickers')
+
+        restored = fstore.restore_file("/etc/ntp.conf")
+        restored |= fstore.restore_file("/etc/sysconfig/ntpd")
+        if ntp_step_tickers:
+           restored |= fstore.restore_file("/etc/ntp/step-tickers")
+
+        if not ntp_enabled:
+           ipaservices.knownservices.ntp.stop()
+           ipaservices.knownservices.ntp.disable()
+        else:
+           if restored:
+               ipaservices.knownservices.ntp.restart()
+
     # Remove the IPA configuration file
     try:
         os.remove("/etc/ipa/default.conf")
@@ -1102,7 +1119,7 @@ def install(options, env, fstore, statestore):
             ntp_server = options.ntp_server
         else:
             ntp_server = cli_server
-        ipaclient.ntpconf.config_ntp(ntp_server, fstore)
+        ipaclient.ntpconf.config_ntp(ntp_server, fstore, statestore)
         print "NTP enabled"
 
     print "Client configuration complete."
diff --git a/ipa-client/ipaclient/ntpconf.py b/ipa-client/ipaclient/ntpconf.py
index 3042005f41ea3ed6c8fee739b9cf2b833a8d6d59..f63e5f9795efc38e0843f9e14f51ef286d1ddebc 100644
--- a/ipa-client/ipaclient/ntpconf.py
+++ b/ipa-client/ipaclient/ntpconf.py
@@ -20,6 +20,7 @@
 from ipapython import ipautil
 from ipapython import services as ipaservices
 import shutil
+import os
 
 ntp_conf = """# Permit time synchronization with our time source, but do not
 # permit the source to query or modify the service on this system.
@@ -80,30 +81,51 @@ SYNC_HWCLOCK=yes
 # Additional options for ntpdate
 NTPDATE_OPTIONS=""
 """
+ntp_step_tickers = """# Use IPA-provided NTP server for initial time
+$SERVER
+"""
+def __backup_config(path, fstore = None):
+    if fstore:
+        fstore.backup_file(path)
+    else:
+        shutil.copy(path, "%s.ipasave" % (path))
 
-def config_ntp(server_fqdn, fstore = None):
+def __write_config(path, content):
+    fd = open(path, "w")
+    fd.write(content)
+    fd.close()
+
+def config_ntp(server_fqdn, fstore = None, sysstore = None):
+    path_step_tickers = "/etc/ntp/step-tickers"
+    path_ntp_conf = "/etc/ntp.conf"
+    path_ntp_sysconfig = "/etc/sysconfig/ntpd"
     sub_dict = { }
     sub_dict["SERVER"] = server_fqdn
 
     nc = ipautil.template_str(ntp_conf, sub_dict)
+    config_step_tickers = False
 
-    if fstore:
-        fstore.backup_file("/etc/ntp.conf")
-    else:
-        shutil.copy("/etc/ntp.conf", "/etc/ntp.conf.ipasave")
 
-    fd = open("/etc/ntp.conf", "w")
-    fd.write(nc)
-    fd.close()
+    if os.path.exists(path_step_tickers):
+        config_step_tickers = True
+        ns = ipautil.template_str(ntp_step_tickers, sub_dict)
+        __backup_config(path_step_tickers, fstore)
+        __write_config(path_step_tickers, ns)
+        ipaservices.restore_context(path_step_tickers)
 
-    if fstore:
-        fstore.backup_file("/etc/sysconfig/ntpd")
-    else:
-        shutil.copy("/etc/sysconfig/ntpd", "/etc/sysconfig/ntpd.ipasave")
+    if sysstore:
+        module = 'ntp'
+        sysstore.backup_state(module, "enabled", ipaservices.knownservices.ntp.enabled())
+        if config_step_tickers:
+            sysstore.backup_state(module, "step-tickers", True)
 
-    fd = open("/etc/sysconfig/ntpd", "w")
-    fd.write(ntp_sysconfig)
-    fd.close()
+    __backup_config(path_ntp_conf, fstore)
+    __write_config(path_ntp_conf, nc)
+    ipaservices.restore_context(path_ntp_conf)
+
+    __backup_config(path_ntp_sysconfig)
+    __write_config(path_ntp_sysconfig, ntp_sysconfig)
+    ipaservices.restore_context(path_ntp_sysconfig)
 
     # Set the ntpd to start on boot
     ipaservices.knownservices.ntpd.enable()
-- 
1.7.6.4


From abokovoy at redhat.com  Tue Oct  4 11:36:27 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 4 Oct 2011 14:36:27 +0300
Subject: [Freeipa-devel] [PATCH] 0017 Configure pam_krb5 only when sssd is
	not in use
Message-ID: <20111004113626.GC2647@redhat.com>

Hi,

attached patch fixes https://fedorahosted.org/freeipa/ticket/1775

-- 
/ Alexander Bokovoy
-------------- next part --------------
>From e956fb4cb1738cb98d006973db0016868204c10c Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy at redhat.com>
Date: Tue, 4 Oct 2011 14:33:36 +0300
Subject: [PATCH] Configure pam_krb5 on the client only if sssd is not
 configured

https://fedorahosted.org/freeipa/ticket/1775
---
 ipa-client/ipa-install/ipa-client-install |   15 ++++++++-------
 1 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 76f7f1913c804053edb8b90979286a0592fa5737..f8905641662aac17bb1164d49e84527aad4c3bf7 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -1052,13 +1052,14 @@ def install(options, env, fstore, statestore):
     auth_config.execute()
     print message
 
-    #Modify pam to add pam_krb5
-    auth_config.reset()
-    auth_config.enable("krb5").\
-                add_option("update").\
-                add_option("nostart")
-    auth_config.execute()
-    print "Kerberos 5 enabled"
+    if not options.sssd:
+        #Modify pam to add pam_krb5 only when sssd is not in use
+        auth_config.reset()
+        auth_config.enable("krb5").\
+                    add_option("update").\
+                    add_option("nostart")
+        auth_config.execute()
+        print "Kerberos 5 enabled"
 
     # Update non-SSSD LDAP configuration after authconfig calls as it would
     # change its configuration otherways
-- 
1.7.6.4


From sgallagh at redhat.com  Tue Oct  4 12:03:55 2011
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Tue, 04 Oct 2011 08:03:55 -0400
Subject: [Freeipa-devel] [PATCH] 130 ipa-client assumes a single
 namingcontext
In-Reply-To: <1317413754.14013.0.camel@willson.li.ssimo.org>
References: <1317302404.13820.28.camel@dhcp-25-52.brq.redhat.com>
	<1317412952.2367.12.camel@sgallagh520.bos.redhat.com>
	<1317413754.14013.0.camel@willson.li.ssimo.org>
Message-ID: <1317729836.2382.11.camel@sgallagh520.bos.redhat.com>

On Fri, 2011-09-30 at 16:15 -0400, Simo Sorce wrote:
> On Fri, 2011-09-30 at 16:02 -0400, Stephen Gallagher wrote:
> > On Thu, 2011-09-29 at 15:20 +0200, Martin Kosek wrote:
> > > How to test:
> > > 1) Add new naming context (suffix) to your LDAP database with installed
> > > IPA (see attached LDIF). The server should return the new suffix as the
> > > first one. You can change with its base DN if it does not.
> > > 2) Install IPA client against the server. ipa-client-install should the
> > > LDAP server as the IPA one only if the patch is applied on the client
> > > 
> > > ---
> > > 
> > > When LDAP server contains more that one suffixes, the ipa client
> > > installation does not detect it as IPA server and fails to install.
> > > Fix ipa server discovery so that it correctly searches all naming
> > > contexts for the IPA one.
> > > 
> > > https://fedorahosted.org/freeipa/ticket/1868
> > 
> > 
> > Tangentially related, it would be prudent for FreeIPA server
> > installations to set not only namingContexts but also the
> > defaultNamingContext. This way, clients autodetecting the ldap search
> > base from the RootDSE will have an unambiguous way to do so (in the
> > event that multiple namingContexts have been added)
> 
> Please CC yourself here to be notified when this will be available in
> DS: https://bugzilla.redhat.com/show_bug.cgi?id=742317


I'd like to add some more information on this (which I also just opened
as upstream ticket https://fedorahosted.org/freeipa/ticket/1919).

Right now, FreeIPA is set up with a single namingContexts, which is the
'dc=example,dc=com' root of the LDAP tree. The problem is that this
search domain encompasses both the standard cn=accounts and the
cn=compat trees. This means that SSSD, if set up as an RFC2307bis client
instead of a full ipa-client-install (which explicitly sets the search
base to cn=accounts) cannot safely auto-detect the search base to use.

I think that FreeIPA should ship with the following settings in the
RootDSE:

defaultNamingContext: cn=accounts,dc=example,dc=com
namingContexts: dc=example,dc=com
namingContexts: cn=accounts,dc=example,dc=com

and if compat mode is also enabled:
namingContexts: cn=compat,dc=example,dc=com

This will allow us to auto-detect in a sane way, as well as allowing us
to easily communicate to clients that compat mode is or is not enabled.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111004/e36cb7b5/attachment.sig>

From jcholast at redhat.com  Tue Oct  4 12:26:07 2011
From: jcholast at redhat.com (Jan Cholasta)
Date: Tue, 04 Oct 2011 14:26:07 +0200
Subject: [Freeipa-devel] [PATCH 48/48] Ticket #1879 - IPAdmin undefined
 anonymous parameter lists
In-Reply-To: <201109261952.p8QJqjVo016911@int-mx09.intmail.prod.int.phx2.redhat.com>
References: <201109261952.p8QJqjVo016911@int-mx09.intmail.prod.int.phx2.redhat.com>
Message-ID: <4E8AFB5F.6080502@redhat.com>

On 26.9.2011 21:52, John Dennis wrote:
> The IPAdmin class in ipaserver/ipaldap.py has methods with anonymous
> undefined parameter lists.
>
> For example:
>
>      def getList(self,*args):
>
> In Python syntax this means you can call getList with any positional
> parameter list you want.
>
> This is bad because:
>
> 1) It's not true, *args gets passed to an ldap function with a well
> defined parameter list, so you really do have to call it with a
> defined parameter list. *args will let you pass anything, but once it
> gets passed to the ldap function it will blow up if the parameters do
> not match (what parameters are those you're wondering? see item 2).
>
> 2) The programmer does not know what the valid parameters are unless
> they are defined in the formal parameter list.
>
> 3) Without a formal parameter list automatic documentation generators
> cannot produce API documentation (see item 2)
>
> 4) The Python interpreter cannot validate the parameters being passed
> because there is no formal parameter list. Note, Python does not
> validate the type of parameters, but it does validate the correct
> number of postitional parameters are passed and only defined keyword
> parameters are passed. Bypassing the language support facilities leads
> to programming errors.
>
> 5) Without a formal parameter list program checkers such as pylint
> cannot validate the program which leads to progamming errors.
>
> 6) Without a formal parameter list which includes default keyword
> parameters it's not possible to use keyword arguments nor to know what
> their default values are (see item 2). One is forced to pass a keyword
> argument as a positional argument, plus you must then pass every
> keyword argument between the end of the positional argument list and
> keyword arg of interest even of the other keyword arguments are not of
> interest. This also demands you know what the default value of the
> intermediate keyword arguments are (see item 2) and hope they don't
> change.
>
> Also the *args anonymous tuple get passed into the error handling code
> so it can report what the called values were. But because the tuple is
> anonymous the error handler cannot not describe what it was passed. In
> addition the error handling code makes assumptions about the possible
> contents of the anonymous tuple based on current practice instead of
> actual defined values. Things like "if the number of items in the
> tuple is 2 or less then the first tuple item must be a dn
> (Distinguished Name)" or "if the number of items in the tuple is
> greater than 2 then the 3rd item must be an ldap search filter". These
> are constructs which are not robust and will fail at some point in the
> future.
>
> This patch also fixes the use of IPAdmin.addEntry(). It was sometimes
> being called with (dn, modlist), sometimes a Entry object, or
> sometimes a Entity object. Now it's always called with either a Entry
> or Entity object and IPAdmin.addEntry() validates the type of the
> parameter passed.
>
> --
> John Dennis<jdennis at redhat.com>
>
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
>

ACK.

Honza

-- 
Jan Cholasta



From abokovoy at redhat.com  Tue Oct  4 12:29:21 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 4 Oct 2011 15:29:21 +0300
Subject: [Freeipa-devel] [PATCH] 0018 Unroll StrEnum values when displaying
	help
Message-ID: <20111004122921.GD2647@redhat.com>

Hi,

when help is displayed, for options that require values we show their 
type. With string enumerations this does not really help to the user 
as it is unclear what are the values of the enumeration.

Attached patch fixes it by providing nicer list of possible values.

https://fedorahosted.org/freeipa/ticket/1848

As result, instead of what is shown in the ticket:
------------------------------------------------------------
[root at kungfupanda ~]# ipa help hbacrule-add
Purpose: Create a new HBAC rule.
Usage: ipa [global-options] hbacrule-add NAME [options]

Options:
  -h, --help            show this help message and exit
  --usercat=STRENUM     User category the rule applies to
  --hostcat=STRENUM     Host category the rule applies to
  --srchostcat=STRENUM  Source host category the rule applies to
  --servicecat=STRENUM  Service category the rule applies to
-------------------------------------------------------------

one would get following:

------------------------------------------------------------
[root at kungfupanda ~]# ipa help hbacrule-add
Purpose: Create a new HBAC rule.
Usage: ipa [global-options] hbacrule-add NAME [options]

Options:
  -h, --help            show this help message and exit
  --usercat=['all']     User category the rule applies to
  --hostcat=['all']     Host category the rule applies to
  --srchostcat=['all']  Source host category the rule applies to
  --servicecat=['all']  Service category the rule applies to
------------------------------------------------------------

It becomes even more reasonable with type or class options -- overall 
we have 65 StrEnums in current set of options.

For example, in dnsrecord-add --class option was shown as 
  --class=STRENUM      	DNS class

With the patch attached it will be more understandable:
------------------------------------------------------------
[root at host3 ~]# ipa help dnsrecord-add
Purpose: Add new DNS resource record.
Usage: ipa [global-options] dnsrecord-add DNSZONE NAME [options]

Options:
  -h, --help            show this help message and exit
  --ttl=INT             Time to live
  --class=['IN', 'CS', 'CH', 'HS']
                        DNS class
  --addattr=STR         Add an attribute/value pair. Format is attr=value. The
                        attribute must be part of the schema.
  --setattr=STR         Set an attribute to a name/value pair. Format is
                        attr=value. For multi-valued attributes, the command
                        replaces the values already present.
------------------------------------------------------------

-- 
/ Alexander Bokovoy
-------------- next part --------------
>From 911c0bbdbd137347e62e72384f1cd516d29dfec3 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy at redhat.com>
Date: Tue, 4 Oct 2011 15:17:58 +0300
Subject: [PATCH] Unroll StrEnum values when displaying help

https://fedorahosted.org/freeipa/ticket/1848
---
 ipalib/cli.py |    5 ++++-
 1 files changed, 4 insertions(+), 1 deletions(-)

diff --git a/ipalib/cli.py b/ipalib/cli.py
index 0a7d1a4cf30352198eebcc7ff65bcc16f948cda7..1c34d6939285b2dcae522c13be13dc4d9f23dc57 100644
--- a/ipalib/cli.py
+++ b/ipalib/cli.py
@@ -48,7 +48,7 @@ import plugable
 import util
 from errors import PublicError, CommandError, HelpError, InternalError, NoSuchNamespaceError, ValidationError, NotFound, NotConfiguredError
 from constants import CLI_TAB
-from parameters import Password, Bytes, File, Str
+from parameters import Password, Bytes, File, Str, StrEnum
 from text import _
 from ipapython.version import API_VERSION
 
@@ -1008,8 +1008,11 @@ class cli(backend.Executioner):
                     kw['action'] = 'store_false'
                 else:
                     kw['action'] = 'store_true'
+            elif isinstance(option, StrEnum):
+                kw['metavar'] = metavar=map(lambda x: str(x), option.values)
             else:
                 kw['metavar'] = metavar=option.__class__.__name__.upper()
+                
             if option.cli_short_name:
                 o = optparse.make_option('-%s' % option.cli_short_name, '--%s' % to_cli(option.cli_name), **kw)
             else:
-- 
1.7.6.4


From mkosek at redhat.com  Tue Oct  4 12:37:05 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 04 Oct 2011 14:37:05 +0200
Subject: [Freeipa-devel] [PATCH] 137 Improve ipa-replica-prepare DNS check
Message-ID: <1317731829.27486.18.camel@dhcp-25-52.brq.redhat.com>

Currently, verify_fqdn() function raises RuntimeError for every
problem with the hostname. This makes it difficult for tools
like ipa-replica-prepare to behave differently for a subset of
raised errors (for example to be able to create a DNS record for
new replica when verify_fqdn() reports a lookup error).

Implement own exceptions for verify_fqdn() that they can be safely
used to distinguish the error type.

https://fedorahosted.org/freeipa/ticket/1899

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-137-improve-ipa-replica-prepare-dns-check.patch
Type: text/x-patch
Size: 10384 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111004/d0a9cad8/attachment.bin>

From rcritten at redhat.com  Tue Oct  4 12:53:59 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 04 Oct 2011 08:53:59 -0400
Subject: [Freeipa-devel] [PATCH] 884 migration context and logging
In-Reply-To: <1317711449.27486.10.camel@dhcp-25-52.brq.redhat.com>
References: <4E8133F5.5030108@redhat.com>
	<1317135483.22256.2.camel@dhcp-25-52.brq.redhat.com>
	<4E8A1EA2.6030804@redhat.com>
	<1317711449.27486.10.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4E8B01E7.4080509@redhat.com>

Martin Kosek wrote:
> On Mon, 2011-10-03 at 16:44 -0400, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> On Mon, 2011-09-26 at 22:24 -0400, Rob Crittenden wrote:
>>>> We can't assume that there will be only one naming context. Look at each
>>>> one until we find an IPA one.
>>>>
>>>> Add logging so you can know that a migration attempt fails and why.
>>>>
>>>> rob
>>>
>>> Looks good, its just difficult to set up a proper environment for
>>> reproduction. So far, I found just this problem:
>>>
>>> [Tue Sep 27 10:30:39 2011] [error] [client 10.34.25.52] mod_wsgi (pid=32705): Exception occurred processing WSGI script '/usr/share/ipa/migration/migration.py'.
>>> [Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52] Traceback (most recent call last):
>>> [Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52]   File "/usr/share/ipa/migration/migration.py", line 127, in application
>>> [Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52]     bind(form_data['username'].value, form_data['password'].value)
>>> [Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52]   File "/usr/share/ipa/migration/migration.py", line 107, in bind
>>> [Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52]     logging.error('migration bind failed: %s' % convert_exception(e))
>>>
>>> Martin
>>>
>>
>> Just missed saving the exception as a variable, should work now.
>>
>> rob
>
> Works fine, tested on multiple-suffix LDAP server. We should be also
> fine when anonymous access is not allowed (Simo was dealing with this in
> ipa-client-install in #1881) since migration.py binds via socket.
>
> I have just one suggestion - instead of searching for correct naming
> context on your own, you may want to use a function get_ipa_basedn() I
> implemented for ipa-client-install (#1868). This will do all the checks
> and return you just the IPA baseDN:
>
> https://fedorahosted.org/freeipa/changeset/00cffce6c2ba0121188326535d6c9cd244a4ae5b
>
> Martin
>

Well, I did mine first so you should have copied from me :-)

I'll see if I can safely import that.

rob



From mkosek at redhat.com  Tue Oct  4 12:59:17 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 04 Oct 2011 14:59:17 +0200
Subject: [Freeipa-devel] [PATCH] 884 migration context and logging
In-Reply-To: <4E8B01E7.4080509@redhat.com>
References: <4E8133F5.5030108@redhat.com>
	<1317135483.22256.2.camel@dhcp-25-52.brq.redhat.com>
	<4E8A1EA2.6030804@redhat.com>
	<1317711449.27486.10.camel@dhcp-25-52.brq.redhat.com>
	<4E8B01E7.4080509@redhat.com>
Message-ID: <1317733159.27486.20.camel@dhcp-25-52.brq.redhat.com>

On Tue, 2011-10-04 at 08:53 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > On Mon, 2011-10-03 at 16:44 -0400, Rob Crittenden wrote:
> >> Martin Kosek wrote:
> >>> On Mon, 2011-09-26 at 22:24 -0400, Rob Crittenden wrote:
> >>>> We can't assume that there will be only one naming context. Look at each
> >>>> one until we find an IPA one.
> >>>>
> >>>> Add logging so you can know that a migration attempt fails and why.
> >>>>
> >>>> rob
> >>>
> >>> Looks good, its just difficult to set up a proper environment for
> >>> reproduction. So far, I found just this problem:
> >>>
> >>> [Tue Sep 27 10:30:39 2011] [error] [client 10.34.25.52] mod_wsgi (pid=32705): Exception occurred processing WSGI script '/usr/share/ipa/migration/migration.py'.
> >>> [Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52] Traceback (most recent call last):
> >>> [Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52]   File "/usr/share/ipa/migration/migration.py", line 127, in application
> >>> [Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52]     bind(form_data['username'].value, form_data['password'].value)
> >>> [Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52]   File "/usr/share/ipa/migration/migration.py", line 107, in bind
> >>> [Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52]     logging.error('migration bind failed: %s' % convert_exception(e))
> >>>
> >>> Martin
> >>>
> >>
> >> Just missed saving the exception as a variable, should work now.
> >>
> >> rob
> >
> > Works fine, tested on multiple-suffix LDAP server. We should be also
> > fine when anonymous access is not allowed (Simo was dealing with this in
> > ipa-client-install in #1881) since migration.py binds via socket.
> >
> > I have just one suggestion - instead of searching for correct naming
> > context on your own, you may want to use a function get_ipa_basedn() I
> > implemented for ipa-client-install (#1868). This will do all the checks
> > and return you just the IPA baseDN:
> >
> > https://fedorahosted.org/freeipa/changeset/00cffce6c2ba0121188326535d6c9cd244a4ae5b
> >
> > Martin
> >
> 
> Well, I did mine first so you should have copied from me :-)

I _did_ copy from you ;-) I just made a function for it so that it can
be reused.

> 
> I'll see if I can safely import that.
> 
> rob

Ok.

Martin



From rcritten at redhat.com  Tue Oct  4 12:59:23 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 04 Oct 2011 08:59:23 -0400
Subject: [Freeipa-devel] [PATCH] 877 prompt for current password
In-Reply-To: <1317711952.27486.14.camel@dhcp-25-52.brq.redhat.com>
References: <4E73A094.8060409@redhat.com> <4E76E616.5080208@redhat.com>
	<4E773D8B.3020801@redhat.com>
	<1316786442.2447.35.camel@dhcp-25-52.brq.redhat.com>
	<4E8A0A0F.3010501@redhat.com>
	<1317711952.27486.14.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4E8B032B.8090008@redhat.com>

Martin Kosek wrote:
> On Mon, 2011-10-03 at 15:16 -0400, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> On Mon, 2011-09-19 at 09:03 -0400, Rob Crittenden wrote:
>>>> Jan Cholasta wrote:
>>>>> On 16.9.2011 21:16, Rob Crittenden wrote:
>>>>>> Prompt for the current password when changing your own password using
>>>>>> ipa passwd.
>>>>>>
>>>>>> I had to jump through several hoops with this:
>>>>>>
>>>>>> - Added a new sortorder option so the Current password is prompted first
>>>>>
>>>>> IMO something like "before='password'" would be more readable and
>>>>> probably less error-prone than "sortorder=-1".
>>>>
>>>> The params are sorted numerically based on whether they are required,
>>>> have a default, etc. A negative value means it will appear first. This
>>>> is intended to be generic enough without having to worry about nested
>>>> resolution (A before B, B before C, C before A).
>>>>
>>>>>
>>>>>> - Pass a magic value for current_password if changing someone else's
>>>>>> password
>>>>>>
>>>>>> NOTE: This breaks the API for passwd. There is no way around it. I have
>>>>>> this as a minor update as it won't cause older clients to blow up too
>>>>>> badly, but their passwd command won't work.
>>>>>>
>>>>>> rob
>>>>>>
>>>>>
>>>>> Honza
>>>>>
>>>
>>> Generally, it works fine except for the case when user passes its own
>>> user name. Do we want to support the following way?
>>>
>>> # klist
>>> Ticket cache: FILE:/tmp/krb5cc_0
>>> Default principal: fbar at IDM.LAB.BOS.REDHAT.COM
>>>
>>> Valid starting     Expires            Service principal
>>> 09/23/11 09:48:05  09/24/11 09:48:05  krbtgt/IDM.LAB.BOS.REDHAT.COM at IDM.LAB.BOS.REDHAT.COM
>>>
>>> # ipa passwd fbar
>>> New Password:
>>> Enter New Password again to verify:
>>> ipa: ERROR: Insufficient access: Invalid credentials
>>>
>>> Maybe we could throw an error when user passes its own principal to ipa
>>> passwd command. After all, this argument is for changing _other_ user
>>> passwords.
>>>
>>> Martin
>>>
>>
>> Fixed. The username wasn't being normalized into a principal until after
>> the default was set (where we determine whether to prompt for current
>> password).
>>
>> rob
>
> I don't think this is the correct patch :-)
>
> Martin
>

Try this one.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-877-2-passwd.patch
Type: text/x-patch
Size: 8504 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111004/b3c5d8e9/attachment.bin>

From simo at redhat.com  Tue Oct  4 13:06:18 2011
From: simo at redhat.com (Simo Sorce)
Date: Tue, 04 Oct 2011 09:06:18 -0400
Subject: [Freeipa-devel] [PATCH] 130 ipa-client assumes a single
 namingcontext
In-Reply-To: <1317729836.2382.11.camel@sgallagh520.bos.redhat.com>
References: <1317302404.13820.28.camel@dhcp-25-52.brq.redhat.com>
	<1317412952.2367.12.camel@sgallagh520.bos.redhat.com>
	<1317413754.14013.0.camel@willson.li.ssimo.org>
	<1317729836.2382.11.camel@sgallagh520.bos.redhat.com>
Message-ID: <1317733578.17819.30.camel@willson.li.ssimo.org>

On Tue, 2011-10-04 at 08:03 -0400, Stephen Gallagher wrote:
> On Fri, 2011-09-30 at 16:15 -0400, Simo Sorce wrote:
> > On Fri, 2011-09-30 at 16:02 -0400, Stephen Gallagher wrote:
> > > On Thu, 2011-09-29 at 15:20 +0200, Martin Kosek wrote:
> > > > How to test:
> > > > 1) Add new naming context (suffix) to your LDAP database with installed
> > > > IPA (see attached LDIF). The server should return the new suffix as the
> > > > first one. You can change with its base DN if it does not.
> > > > 2) Install IPA client against the server. ipa-client-install should the
> > > > LDAP server as the IPA one only if the patch is applied on the client
> > > > 
> > > > ---
> > > > 
> > > > When LDAP server contains more that one suffixes, the ipa client
> > > > installation does not detect it as IPA server and fails to install.
> > > > Fix ipa server discovery so that it correctly searches all naming
> > > > contexts for the IPA one.
> > > > 
> > > > https://fedorahosted.org/freeipa/ticket/1868
> > > 
> > > 
> > > Tangentially related, it would be prudent for FreeIPA server
> > > installations to set not only namingContexts but also the
> > > defaultNamingContext. This way, clients autodetecting the ldap search
> > > base from the RootDSE will have an unambiguous way to do so (in the
> > > event that multiple namingContexts have been added)
> > 
> > Please CC yourself here to be notified when this will be available in
> > DS: https://bugzilla.redhat.com/show_bug.cgi?id=742317
> 
> 
> I'd like to add some more information on this (which I also just opened
> as upstream ticket https://fedorahosted.org/freeipa/ticket/1919).
> 
> Right now, FreeIPA is set up with a single namingContexts, which is the
> 'dc=example,dc=com' root of the LDAP tree. The problem is that this
> search domain encompasses both the standard cn=accounts and the
> cn=compat trees. This means that SSSD, if set up as an RFC2307bis client
> instead of a full ipa-client-install (which explicitly sets the search
> base to cn=accounts) cannot safely auto-detect the search base to use.
> 
> I think that FreeIPA should ship with the following settings in the
> RootDSE:
> 
> defaultNamingContext: cn=accounts,dc=example,dc=com
> namingContexts: dc=example,dc=com
> namingContexts: cn=accounts,dc=example,dc=com
> 
> and if compat mode is also enabled:
> namingContexts: cn=compat,dc=example,dc=com
> 
> This will allow us to auto-detect in a sane way, as well as allowing us
> to easily communicate to clients that compat mode is or is not enabled.

No.
The best way out here is to move cn=compat into it's base imho.

We've had other issues in the past so I think we should really move
cn=compat to it's own base called just 'cn=compat'.

We should expose it as a namingContext of course so we should wait until
DS implements the option to have defaultNamingContext.

So we can point defaultNamingContext to the regualr base DN.

We probably also need to make this configurable at this point as we need
to not break existing setups at upgrade time (replicas need the info too
at replication time, so this option should be something we have in the
replicated tree imho).

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



From mkosek at redhat.com  Tue Oct  4 13:18:43 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 04 Oct 2011 15:18:43 +0200
Subject: [Freeipa-devel] [PATCH] 877 prompt for current password
In-Reply-To: <4E8B032B.8090008@redhat.com>
References: <4E73A094.8060409@redhat.com> <4E76E616.5080208@redhat.com>
	<4E773D8B.3020801@redhat.com>
	<1316786442.2447.35.camel@dhcp-25-52.brq.redhat.com>
	<4E8A0A0F.3010501@redhat.com>
	<1317711952.27486.14.camel@dhcp-25-52.brq.redhat.com>
	<4E8B032B.8090008@redhat.com>
Message-ID: <1317734326.27486.21.camel@dhcp-25-52.brq.redhat.com>

On Tue, 2011-10-04 at 08:59 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > On Mon, 2011-10-03 at 15:16 -0400, Rob Crittenden wrote:
> >> Martin Kosek wrote:
> >>> On Mon, 2011-09-19 at 09:03 -0400, Rob Crittenden wrote:
> >>>> Jan Cholasta wrote:
> >>>>> On 16.9.2011 21:16, Rob Crittenden wrote:
> >>>>>> Prompt for the current password when changing your own password using
> >>>>>> ipa passwd.
> >>>>>>
> >>>>>> I had to jump through several hoops with this:
> >>>>>>
> >>>>>> - Added a new sortorder option so the Current password is prompted first
> >>>>>
> >>>>> IMO something like "before='password'" would be more readable and
> >>>>> probably less error-prone than "sortorder=-1".
> >>>>
> >>>> The params are sorted numerically based on whether they are required,
> >>>> have a default, etc. A negative value means it will appear first. This
> >>>> is intended to be generic enough without having to worry about nested
> >>>> resolution (A before B, B before C, C before A).
> >>>>
> >>>>>
> >>>>>> - Pass a magic value for current_password if changing someone else's
> >>>>>> password
> >>>>>>
> >>>>>> NOTE: This breaks the API for passwd. There is no way around it. I have
> >>>>>> this as a minor update as it won't cause older clients to blow up too
> >>>>>> badly, but their passwd command won't work.
> >>>>>>
> >>>>>> rob
> >>>>>>
> >>>>>
> >>>>> Honza
> >>>>>
> >>>
> >>> Generally, it works fine except for the case when user passes its own
> >>> user name. Do we want to support the following way?
> >>>
> >>> # klist
> >>> Ticket cache: FILE:/tmp/krb5cc_0
> >>> Default principal: fbar at IDM.LAB.BOS.REDHAT.COM
> >>>
> >>> Valid starting     Expires            Service principal
> >>> 09/23/11 09:48:05  09/24/11 09:48:05  krbtgt/IDM.LAB.BOS.REDHAT.COM at IDM.LAB.BOS.REDHAT.COM
> >>>
> >>> # ipa passwd fbar
> >>> New Password:
> >>> Enter New Password again to verify:
> >>> ipa: ERROR: Insufficient access: Invalid credentials
> >>>
> >>> Maybe we could throw an error when user passes its own principal to ipa
> >>> passwd command. After all, this argument is for changing _other_ user
> >>> passwords.
> >>>
> >>> Martin
> >>>
> >>
> >> Fixed. The username wasn't being normalized into a principal until after
> >> the default was set (where we determine whether to prompt for current
> >> password).
> >>
> >> rob
> >
> > I don't think this is the correct patch :-)
> >
> > Martin
> >
> 
> Try this one.

Yeah, this one is much better. ACK and pushed to master, ipa-2-1.

Martin



From rcritten at redhat.com  Tue Oct  4 13:26:55 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 04 Oct 2011 09:26:55 -0400
Subject: [Freeipa-devel] [PATCH] 884 migration context and logging
In-Reply-To: <1317733159.27486.20.camel@dhcp-25-52.brq.redhat.com>
References: <4E8133F5.5030108@redhat.com>
	<1317135483.22256.2.camel@dhcp-25-52.brq.redhat.com>
	<4E8A1EA2.6030804@redhat.com>
	<1317711449.27486.10.camel@dhcp-25-52.brq.redhat.com>
	<4E8B01E7.4080509@redhat.com>
	<1317733159.27486.20.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4E8B099F.9070101@redhat.com>

Martin Kosek wrote:
> On Tue, 2011-10-04 at 08:53 -0400, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> On Mon, 2011-10-03 at 16:44 -0400, Rob Crittenden wrote:
>>>> Martin Kosek wrote:
>>>>> On Mon, 2011-09-26 at 22:24 -0400, Rob Crittenden wrote:
>>>>>> We can't assume that there will be only one naming context. Look at each
>>>>>> one until we find an IPA one.
>>>>>>
>>>>>> Add logging so you can know that a migration attempt fails and why.
>>>>>>
>>>>>> rob
>>>>>
>>>>> Looks good, its just difficult to set up a proper environment for
>>>>> reproduction. So far, I found just this problem:
>>>>>
>>>>> [Tue Sep 27 10:30:39 2011] [error] [client 10.34.25.52] mod_wsgi (pid=32705): Exception occurred processing WSGI script '/usr/share/ipa/migration/migration.py'.
>>>>> [Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52] Traceback (most recent call last):
>>>>> [Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52]   File "/usr/share/ipa/migration/migration.py", line 127, in application
>>>>> [Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52]     bind(form_data['username'].value, form_data['password'].value)
>>>>> [Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52]   File "/usr/share/ipa/migration/migration.py", line 107, in bind
>>>>> [Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52]     logging.error('migration bind failed: %s' % convert_exception(e))
>>>>>
>>>>> Martin
>>>>>
>>>>
>>>> Just missed saving the exception as a variable, should work now.
>>>>
>>>> rob
>>>
>>> Works fine, tested on multiple-suffix LDAP server. We should be also
>>> fine when anonymous access is not allowed (Simo was dealing with this in
>>> ipa-client-install in #1881) since migration.py binds via socket.
>>>
>>> I have just one suggestion - instead of searching for correct naming
>>> context on your own, you may want to use a function get_ipa_basedn() I
>>> implemented for ipa-client-install (#1868). This will do all the checks
>>> and return you just the IPA baseDN:
>>>
>>> https://fedorahosted.org/freeipa/changeset/00cffce6c2ba0121188326535d6c9cd244a4ae5b
>>>
>>> Martin
>>>
>>
>> Well, I did mine first so you should have copied from me :-)
>
> I _did_ copy from you ;-) I just made a function for it so that it can
> be reused.
>
>>
>> I'll see if I can safely import that.
>>
>> rob
>
> Ok.
>
> Martin
>

Done

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-884-3-migration.patch
Type: text/x-patch
Size: 4072 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111004/a93ac220/attachment.bin>

From rcritten at redhat.com  Tue Oct  4 13:32:15 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 04 Oct 2011 09:32:15 -0400
Subject: [Freeipa-devel] Mozilla Specific User Certificate Generation
 code:
In-Reply-To: <4E8A4760.80806@younglogic.com>
References: <4E8A4760.80806@younglogic.com>
Message-ID: <4E8B0ADF.1010101@redhat.com>

Adam Young wrote:
> It is possible to generate a Certificate signing request from the
> browser, if we use Mozilla specific code. I've mildly hacked the Mozilla
> sample code to work with JQuery and to display the CSR to the screen,
> instead of sending it right to the server.
>
> I'd see this working something like this:
>
> 1. add the certificate attribute to the user plugin.
> 2. On the user page, if the principal of the user selected matches the
> kerberos principal for the logged user, show the certificate control
> 3. The certificate control allows the user to request a new certificate.
> 4. If the user has a certificate, the certificate control allow the user
> to download the certificate.
>
>
> I have to look into the details, but the certificate shoud only be
> useable by default in the browser that originally requested it. However,
> it is fairly easy to export the certificate, along with the primary keys
> that generated its CSR, such that it would be usable elsewhere: For
> example https://ca.cern.ch/ca/Help/?kbid=040111
>
> This seems like fairly simple to implement. We would not even have to
> extend the API. We keep the certificate request separate from the user
> until it is signed, and then add it to the user object. Thus it would be
> created as a side effect of:
>
> ipa cert-request --add --principal=abradley at DEV.EXAMPLE.COM abradley.csr

Yes, CRMF is how we'll eventually add user certificate support, but this 
is the easy part.

On the server side we need to add support for multiple certificate 
profiles (your above request issues a server cert for the user abradley).

We also need a way to manage a queue of requests. User certificates are 
a different beast from server certs and in many cases will require the 
intervention of a security officer, or some other 3rd party verification.

rob



From ayoung at redhat.com  Tue Oct  4 13:41:36 2011
From: ayoung at redhat.com (Adam Young)
Date: Tue, 04 Oct 2011 09:41:36 -0400
Subject: [Freeipa-devel] Mozilla Specific User Certificate Generation
 code:
In-Reply-To: <4E8B0ADF.1010101@redhat.com>
References: <4E8A4760.80806@younglogic.com> <4E8B0ADF.1010101@redhat.com>
Message-ID: <4E8B0D10.6030705@redhat.com>

On 10/04/2011 09:32 AM, Rob Crittenden wrote:
> Adam Young wrote:
>> It is possible to generate a Certificate signing request from the
>> browser, if we use Mozilla specific code. I've mildly hacked the Mozilla
>> sample code to work with JQuery and to display the CSR to the screen,
>> instead of sending it right to the server.
>>
>> I'd see this working something like this:
>>
>> 1. add the certificate attribute to the user plugin.
>> 2. On the user page, if the principal of the user selected matches the
>> kerberos principal for the logged user, show the certificate control
>> 3. The certificate control allows the user to request a new certificate.
>> 4. If the user has a certificate, the certificate control allow the user
>> to download the certificate.
>>
>>
>> I have to look into the details, but the certificate shoud only be
>> useable by default in the browser that originally requested it. However,
>> it is fairly easy to export the certificate, along with the primary keys
>> that generated its CSR, such that it would be usable elsewhere: For
>> example https://ca.cern.ch/ca/Help/?kbid=040111
>>
>> This seems like fairly simple to implement. We would not even have to
>> extend the API. We keep the certificate request separate from the user
>> until it is signed, and then add it to the user object. Thus it would be
>> created as a side effect of:
>>
>> ipa cert-request --add --principal=abradley at DEV.EXAMPLE.COM abradley.csr
>
> Yes, CRMF is how we'll eventually add user certificate support, but 
> this is the easy part.
>
> On the server side we need to add support for multiple certificate 
> profiles (your above request issues a server cert for the user abradley).
>
> We also need a way to manage a queue of requests. User certificates 
> are a different beast from server certs and in many cases will require 
> the intervention of a security officer, or some other 3rd party 
> verification.
>
> rob


Basic user certificates should probably be issued without security 
officer intervention, as they merely play the same role as the Kerberos 
credential.  Where it gets tricky is if we deactivate a user,  we should 
put the certificate on Hold,  which means we need to update the CRLs we 
publish, but CS should handle this fairly easily.  We would need to 
expand the Cert plugin to determine if a request is for a user 
certificate or a server certificate, but it has enough information do 
that already.

However, there might be other certificates that we want to issue in the 
future.  If I understand correctly,  this work should be delegated to 
Certificate server, and the IPA Cert plugin needs to be expanded to 
track the certificate requests pending in the CS instance.












From rcritten at redhat.com  Tue Oct  4 13:49:45 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 04 Oct 2011 09:49:45 -0400
Subject: [Freeipa-devel] [PATCH] 0018 Unroll StrEnum values when
 displaying help
In-Reply-To: <20111004122921.GD2647@redhat.com>
References: <20111004122921.GD2647@redhat.com>
Message-ID: <4E8B0EF9.9000304@redhat.com>

Alexander Bokovoy wrote:
> Hi,
>
> when help is displayed, for options that require values we show their
> type. With string enumerations this does not really help to the user
> as it is unclear what are the values of the enumeration.
>
> Attached patch fixes it by providing nicer list of possible values.
>
> https://fedorahosted.org/freeipa/ticket/1848
>
> As result, instead of what is shown in the ticket:
> ------------------------------------------------------------
> [root at kungfupanda ~]# ipa help hbacrule-add
> Purpose: Create a new HBAC rule.
> Usage: ipa [global-options] hbacrule-add NAME [options]
>
> Options:
>    -h, --help            show this help message and exit
>    --usercat=STRENUM     User category the rule applies to
>    --hostcat=STRENUM     Host category the rule applies to
>    --srchostcat=STRENUM  Source host category the rule applies to
>    --servicecat=STRENUM  Service category the rule applies to
> -------------------------------------------------------------
>
> one would get following:
>
> ------------------------------------------------------------
> [root at kungfupanda ~]# ipa help hbacrule-add
> Purpose: Create a new HBAC rule.
> Usage: ipa [global-options] hbacrule-add NAME [options]
>
> Options:
>    -h, --help            show this help message and exit
>    --usercat=['all']     User category the rule applies to
>    --hostcat=['all']     Host category the rule applies to
>    --srchostcat=['all']  Source host category the rule applies to
>    --servicecat=['all']  Service category the rule applies to
> ------------------------------------------------------------
>
> It becomes even more reasonable with type or class options -- overall
> we have 65 StrEnums in current set of options.
>
> For example, in dnsrecord-add --class option was shown as
>    --class=STRENUM      	DNS class
>
> With the patch attached it will be more understandable:
> ------------------------------------------------------------
> [root at host3 ~]# ipa help dnsrecord-add
> Purpose: Add new DNS resource record.
> Usage: ipa [global-options] dnsrecord-add DNSZONE NAME [options]
>
> Options:
>    -h, --help            show this help message and exit
>    --ttl=INT             Time to live
>    --class=['IN', 'CS', 'CH', 'HS']
>                          DNS class
>    --addattr=STR         Add an attribute/value pair. Format is attr=value. The
>                          attribute must be part of the schema.
>    --setattr=STR         Set an attribute to a name/value pair. Format is
>                          attr=value. For multi-valued attributes, the command
>                          replaces the values already present.
> ------------------------------------------------------------

ack, pushed to master and ipa-2-1



From mkosek at redhat.com  Tue Oct  4 14:15:22 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 04 Oct 2011 16:15:22 +0200
Subject: [Freeipa-devel] [PATCH] 884 migration context and logging
In-Reply-To: <4E8B099F.9070101@redhat.com>
References: <4E8133F5.5030108@redhat.com>
	<1317135483.22256.2.camel@dhcp-25-52.brq.redhat.com>
	<4E8A1EA2.6030804@redhat.com>
	<1317711449.27486.10.camel@dhcp-25-52.brq.redhat.com>
	<4E8B01E7.4080509@redhat.com>
	<1317733159.27486.20.camel@dhcp-25-52.brq.redhat.com>
	<4E8B099F.9070101@redhat.com>
Message-ID: <1317737724.27486.23.camel@dhcp-25-52.brq.redhat.com>

On Tue, 2011-10-04 at 09:26 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > On Tue, 2011-10-04 at 08:53 -0400, Rob Crittenden wrote:
> >> Martin Kosek wrote:
> >>> On Mon, 2011-10-03 at 16:44 -0400, Rob Crittenden wrote:
> >>>> Martin Kosek wrote:
> >>>>> On Mon, 2011-09-26 at 22:24 -0400, Rob Crittenden wrote:
> >>>>>> We can't assume that there will be only one naming context. Look at each
> >>>>>> one until we find an IPA one.
> >>>>>>
> >>>>>> Add logging so you can know that a migration attempt fails and why.
> >>>>>>
> >>>>>> rob
> >>>>>
> >>>>> Looks good, its just difficult to set up a proper environment for
> >>>>> reproduction. So far, I found just this problem:
> >>>>>
> >>>>> [Tue Sep 27 10:30:39 2011] [error] [client 10.34.25.52] mod_wsgi (pid=32705): Exception occurred processing WSGI script '/usr/share/ipa/migration/migration.py'.
> >>>>> [Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52] Traceback (most recent call last):
> >>>>> [Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52]   File "/usr/share/ipa/migration/migration.py", line 127, in application
> >>>>> [Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52]     bind(form_data['username'].value, form_data['password'].value)
> >>>>> [Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52]   File "/usr/share/ipa/migration/migration.py", line 107, in bind
> >>>>> [Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52]     logging.error('migration bind failed: %s' % convert_exception(e))
> >>>>>
> >>>>> Martin
> >>>>>
> >>>>
> >>>> Just missed saving the exception as a variable, should work now.
> >>>>
> >>>> rob
> >>>
> >>> Works fine, tested on multiple-suffix LDAP server. We should be also
> >>> fine when anonymous access is not allowed (Simo was dealing with this in
> >>> ipa-client-install in #1881) since migration.py binds via socket.
> >>>
> >>> I have just one suggestion - instead of searching for correct naming
> >>> context on your own, you may want to use a function get_ipa_basedn() I
> >>> implemented for ipa-client-install (#1868). This will do all the checks
> >>> and return you just the IPA baseDN:
> >>>
> >>> https://fedorahosted.org/freeipa/changeset/00cffce6c2ba0121188326535d6c9cd244a4ae5b
> >>>
> >>> Martin
> >>>
> >>
> >> Well, I did mine first so you should have copied from me :-)
> >
> > I _did_ copy from you ;-) I just made a function for it so that it can
> > be reused.
> >
> >>
> >> I'll see if I can safely import that.
> >>
> >> rob
> >
> > Ok.
> >
> > Martin
> >
> 
> Done
> 

ACK. Pushed to master, ipa-2-1.

Martin



From jcholast at redhat.com  Tue Oct  4 14:37:28 2011
From: jcholast at redhat.com (Jan Cholasta)
Date: Tue, 04 Oct 2011 16:37:28 +0200
Subject: [Freeipa-devel] [PATCH] 0017 Configure pam_krb5 only when sssd
 is not in use
In-Reply-To: <20111004113626.GC2647@redhat.com>
References: <20111004113626.GC2647@redhat.com>
Message-ID: <4E8B1A28.6090601@redhat.com>

On 4.10.2011 13:36, Alexander Bokovoy wrote:
> Hi,
>
> attached patch fixes https://fedorahosted.org/freeipa/ticket/1775
>

ACK.

Honza

-- 
Jan Cholasta



From mkosek at redhat.com  Tue Oct  4 15:05:51 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 04 Oct 2011 17:05:51 +0200
Subject: [Freeipa-devel] [PATCH] 0017 Configure pam_krb5 only when sssd
 is not in use
In-Reply-To: <4E8B1A28.6090601@redhat.com>
References: <20111004113626.GC2647@redhat.com> <4E8B1A28.6090601@redhat.com>
Message-ID: <1317740755.13305.0.camel@dhcp-25-52.brq.redhat.com>

On Tue, 2011-10-04 at 16:37 +0200, Jan Cholasta wrote:
> On 4.10.2011 13:36, Alexander Bokovoy wrote:
> > Hi,
> >
> > attached patch fixes https://fedorahosted.org/freeipa/ticket/1775
> >
> 
> ACK.
> 
> Honza
> 

Pushed to master, ipa-2-1.

Martin



From jcholast at redhat.com  Tue Oct  4 15:37:08 2011
From: jcholast at redhat.com (Jan Cholasta)
Date: Tue, 04 Oct 2011 17:37:08 +0200
Subject: [Freeipa-devel] [PATCH] 0016 Setup and restore ntp
 configuration on the
In-Reply-To: <20111004110013.GA2647@redhat.com>
References: <20111004110013.GA2647@redhat.com>
Message-ID: <4E8B2824.8020707@redhat.com>

On 4.10.2011 13:00, Alexander Bokovoy wrote:
> client
> Reply-To:
>
> Hi,
>
> attached patch addresses ticket #1770.
>

ipa-client-install fails with:

Traceback (most recent call last):
   File "/usr/sbin/ipa-client-install", line 1165, in <module>
     sys.exit(main())
   File "/usr/sbin/ipa-client-install", line 1154, in main
     rval = install(options, env, fstore, statestore)
   File "/usr/sbin/ipa-client-install", line 1122, in install
     ipaclient.ntpconf.config_ntp(ntp_server, fstore, statestore)
   File "/usr/lib/python2.7/site-packages/ipaclient/ntpconf.py", line 
118, in config_ntp
     sysstore.backup_state(module, "enabled", 
ipaservices.knownservices.ntp.enabled())
   File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 167, 
in __getattr__
     raise AttributeError('no magic attribute %r' % name)
AttributeError: no magic attribute 'ntp'

Honza

-- 
Jan Cholasta



From nalin at redhat.com  Tue Oct  4 15:52:53 2011
From: nalin at redhat.com (Nalin Dahyabhai)
Date: Tue, 4 Oct 2011 11:52:53 -0400
Subject: [Freeipa-devel] [PATCH] make users in nested groups show up in
	compat groups
Message-ID: <20111004155253.GB3393@redhat.com>

Jan Zeleny notes that users who are members of groups which are
themselves members of groups don't show up in the compat entries of the
the containing groups.

Nalin
-------------- next part --------------
>From 8a096c0a284b4e70ba2f479293299900712b3936 Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai <nalin at redhat.com>
Date: Tue, 4 Oct 2011 11:46:59 -0400
Subject: [PATCH] list users from nested groups, too

---
 install/share/schema_compat.uldif |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/install/share/schema_compat.uldif b/install/share/schema_compat.uldif
index ac4b7b7..f042edf 100644
--- a/install/share/schema_compat.uldif
+++ b/install/share/schema_compat.uldif
@@ -46,7 +46,7 @@ default:schema-compat-entry-rdn: cn=%{cn}
 default:schema-compat-entry-attribute: objectclass=posixGroup
 default:schema-compat-entry-attribute: gidNumber=%{gidNumber}
 default:schema-compat-entry-attribute: memberUid=%{memberUid}
-default:schema-compat-entry-attribute: memberUid=%deref("member","uid")
+default:schema-compat-entry-attribute: memberUid=%deref_r("member","uid")
 
 dn: cn=ng,cn=Schema Compatibility,cn=plugins,cn=config
 add:objectClass: top
-- 
1.7.6.4


From jzeleny at redhat.com  Tue Oct  4 16:04:13 2011
From: jzeleny at redhat.com (Jan =?iso-8859-1?q?Zelen=FD?=)
Date: Tue, 4 Oct 2011 18:04:13 +0200
Subject: [Freeipa-devel] [PATCH] make users in nested groups show up in
	compat groups
In-Reply-To: <20111004155253.GB3393@redhat.com>
References: <20111004155253.GB3393@redhat.com>
Message-ID: <201110041804.17424.jzeleny@redhat.com>

> Jan Zeleny notes that users who are members of groups which are
> themselves members of groups don't show up in the compat entries of the
> the containing groups.
> 
> Nalin

Ack

Jan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part.
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111004/21f17486/attachment.sig>

From jdennis at redhat.com  Tue Oct  4 16:09:26 2011
From: jdennis at redhat.com (John Dennis)
Date: Tue, 04 Oct 2011 12:09:26 -0400
Subject: [Freeipa-devel] [PATCH] 51 Add a function for formatting
 network locations
In-Reply-To: <4E8ABEDF.4090902@redhat.com>
References: <4E8ABEDF.4090902@redhat.com>
Message-ID: <4E8B2FB6.7070006@redhat.com>

On 10/04/2011 04:07 AM, Jan Cholasta wrote:

Looks good Jan, thank you. ACK


-- 
John Dennis <jdennis at redhat.com>

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



From pvoborni at redhat.com  Tue Oct  4 16:43:23 2011
From: pvoborni at redhat.com (Petr Vobornik)
Date: Tue, 04 Oct 2011 18:43:23 +0200
Subject: [Freeipa-devel] [PATCH] 019 Disables gid field if not posix group
 in group adder dialog
Message-ID: <4E8B37AB.3020500@redhat.com>

https://fedorahosted.org/freeipa/ticket/1922

gidNumber is not an allowed attribute for a non-posix group.  When 
adding a non-posix group from the UI, unchecking the "Is this a POSIX 
group?:" box should disable the "GID:" field.

-- 
Petr Vobornik
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0019-Disables-gid-field-if-not-posix-group-in-group-adder.patch
Type: text/x-patch
Size: 2844 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111004/0421dc9b/attachment.bin>

From rcritten at redhat.com  Tue Oct  4 18:35:22 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 04 Oct 2011 14:35:22 -0400
Subject: [Freeipa-devel] [PATCH] 49 Work around pkisilent bugs
In-Reply-To: <4E803108.5060108@redhat.com>
References: <4E803108.5060108@redhat.com>
Message-ID: <4E8B51EA.7050006@redhat.com>

Jan Cholasta wrote:
> Work around pkisilent bugs.
>
> Check directory manager password for invalid characters.
> (https://bugzilla.redhat.com/show_bug.cgi?id=658641)
>
> Shell-escape pkisilent command-line arguments.
> (https://bugzilla.redhat.com/show_bug.cgi?id=741180)
>
> Once the bugs are fixed, the workarounds should be removed and pkisilent
> minimum required version should be bumped.
>
> https://fedorahosted.org/freeipa/ticket/1636
>
> Honza

Potential nack. The code here works I just found a couple more corner cases.

Some special characters in the subject base also cause pkisilent to 
fail. ampersand is one. I wonder if we need to catch this as well.

Tab in the password will cause a failure.

rob



From abokovoy at redhat.com  Tue Oct  4 18:53:55 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 4 Oct 2011 21:53:55 +0300
Subject: [Freeipa-devel] [PATCH] 0016 Setup and restore ntp
 configuration on the
In-Reply-To: <4E8B2824.8020707@redhat.com>
References: <20111004110013.GA2647@redhat.com>
 <4E8B2824.8020707@redhat.com>
Message-ID: <20111004185351.GE2647@redhat.com>

On Tue, 04 Oct 2011, Jan Cholasta wrote:
> On 4.10.2011 13:00, Alexander Bokovoy wrote:
> >client
> >Reply-To:
> >
> >Hi,
> >
> >attached patch addresses ticket #1770.
> >
> 
> ipa-client-install fails with:
> 
> Traceback (most recent call last):
>   File "/usr/sbin/ipa-client-install", line 1165, in <module>
>     sys.exit(main())
>   File "/usr/sbin/ipa-client-install", line 1154, in main
>     rval = install(options, env, fstore, statestore)
>   File "/usr/sbin/ipa-client-install", line 1122, in install
>     ipaclient.ntpconf.config_ntp(ntp_server, fstore, statestore)
>   File "/usr/lib/python2.7/site-packages/ipaclient/ntpconf.py", line
> 118, in config_ntp
>     sysstore.backup_state(module, "enabled",
> ipaservices.knownservices.ntp.enabled())
>   File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line
> 167, in __getattr__
>     raise AttributeError('no magic attribute %r' % name)
> AttributeError: no magic attribute 'ntp'
Mea culpa. :(

Fixed patch attached.

-- 
/ Alexander Bokovoy
-------------- next part --------------
>From 2de0c707424e735faf03fb786b98cbb3e3ee55da Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy at redhat.com>
Date: Tue, 4 Oct 2011 13:56:12 +0300
Subject: [PATCH] Setup and restore ntp configuration on the client side
 properly

When setting up the client-side NTP configuration, make sure that /etc/ntp/step-tickers
point to IPA NTP server as well.
When restoring the client during ipa-client-install --uninstall, make sure NTP configuration
is fully restored and NTP service is disabled if it was disabled before the installation.

https://fedorahosted.org/freeipa/ticket/1770
---
 ipa-client/ipa-install/ipa-client-install |   19 ++++++++++-
 ipa-client/ipaclient/ntpconf.py           |   52 ++++++++++++++++++++--------
 2 files changed, 55 insertions(+), 16 deletions(-)

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 76f7f1913c804053edb8b90979286a0592fa5737..4b6520f2c7ad67442f57a5d98d691912555c2c3c 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -331,6 +331,23 @@ def uninstall(options, env, quiet=False):
                     emit_quiet(quiet, "Reboot command failed to exceute. " + str(e))
                     return CLIENT_UNINSTALL_ERROR
 
+    ntp_configured = statestore.has_state('ntp')
+    if ntp_configured:
+        ntp_enabled = statestore.restore_state('ntp', 'enabled')
+        ntp_step_tickers = statestore.restore_state('ntp', 'step-tickers')
+
+        restored = fstore.restore_file("/etc/ntp.conf")
+        restored |= fstore.restore_file("/etc/sysconfig/ntpd")
+        if ntp_step_tickers:
+           restored |= fstore.restore_file("/etc/ntp/step-tickers")
+
+        if not ntp_enabled:
+           ipaservices.knownservices.ntpd.stop()
+           ipaservices.knownservices.ntpd.disable()
+        else:
+           if restored:
+               ipaservices.knownservices.ntpd.restart()
+
     # Remove the IPA configuration file
     try:
         os.remove("/etc/ipa/default.conf")
@@ -1102,7 +1119,7 @@ def install(options, env, fstore, statestore):
             ntp_server = options.ntp_server
         else:
             ntp_server = cli_server
-        ipaclient.ntpconf.config_ntp(ntp_server, fstore)
+        ipaclient.ntpconf.config_ntp(ntp_server, fstore, statestore)
         print "NTP enabled"
 
     print "Client configuration complete."
diff --git a/ipa-client/ipaclient/ntpconf.py b/ipa-client/ipaclient/ntpconf.py
index 3042005f41ea3ed6c8fee739b9cf2b833a8d6d59..cf203b90490f8268553229730cc2966d2c14f292 100644
--- a/ipa-client/ipaclient/ntpconf.py
+++ b/ipa-client/ipaclient/ntpconf.py
@@ -20,6 +20,7 @@
 from ipapython import ipautil
 from ipapython import services as ipaservices
 import shutil
+import os
 
 ntp_conf = """# Permit time synchronization with our time source, but do not
 # permit the source to query or modify the service on this system.
@@ -80,30 +81,51 @@ SYNC_HWCLOCK=yes
 # Additional options for ntpdate
 NTPDATE_OPTIONS=""
 """
+ntp_step_tickers = """# Use IPA-provided NTP server for initial time
+$SERVER
+"""
+def __backup_config(path, fstore = None):
+    if fstore:
+        fstore.backup_file(path)
+    else:
+        shutil.copy(path, "%s.ipasave" % (path))
 
-def config_ntp(server_fqdn, fstore = None):
+def __write_config(path, content):
+    fd = open(path, "w")
+    fd.write(content)
+    fd.close()
+
+def config_ntp(server_fqdn, fstore = None, sysstore = None):
+    path_step_tickers = "/etc/ntp/step-tickers"
+    path_ntp_conf = "/etc/ntp.conf"
+    path_ntp_sysconfig = "/etc/sysconfig/ntpd"
     sub_dict = { }
     sub_dict["SERVER"] = server_fqdn
 
     nc = ipautil.template_str(ntp_conf, sub_dict)
+    config_step_tickers = False
 
-    if fstore:
-        fstore.backup_file("/etc/ntp.conf")
-    else:
-        shutil.copy("/etc/ntp.conf", "/etc/ntp.conf.ipasave")
 
-    fd = open("/etc/ntp.conf", "w")
-    fd.write(nc)
-    fd.close()
+    if os.path.exists(path_step_tickers):
+        config_step_tickers = True
+        ns = ipautil.template_str(ntp_step_tickers, sub_dict)
+        __backup_config(path_step_tickers, fstore)
+        __write_config(path_step_tickers, ns)
+        ipaservices.restore_context(path_step_tickers)
 
-    if fstore:
-        fstore.backup_file("/etc/sysconfig/ntpd")
-    else:
-        shutil.copy("/etc/sysconfig/ntpd", "/etc/sysconfig/ntpd.ipasave")
+    if sysstore:
+        module = 'ntp'
+        sysstore.backup_state(module, "enabled", ipaservices.knownservices.ntpd.is_enabled())
+        if config_step_tickers:
+            sysstore.backup_state(module, "step-tickers", True)
 
-    fd = open("/etc/sysconfig/ntpd", "w")
-    fd.write(ntp_sysconfig)
-    fd.close()
+    __backup_config(path_ntp_conf, fstore)
+    __write_config(path_ntp_conf, nc)
+    ipaservices.restore_context(path_ntp_conf)
+
+    __backup_config(path_ntp_sysconfig)
+    __write_config(path_ntp_sysconfig, ntp_sysconfig)
+    ipaservices.restore_context(path_ntp_sysconfig)
 
     # Set the ntpd to start on boot
     ipaservices.knownservices.ntpd.enable()
-- 
1.7.6.4


From jcholast at redhat.com  Tue Oct  4 19:22:05 2011
From: jcholast at redhat.com (Jan Cholasta)
Date: Tue, 04 Oct 2011 21:22:05 +0200
Subject: [Freeipa-devel] [PATCH] 0016 Setup and restore ntp
 configuration on the
In-Reply-To: <20111004185351.GE2647@redhat.com>
References: <20111004110013.GA2647@redhat.com> <4E8B2824.8020707@redhat.com>
	<20111004185351.GE2647@redhat.com>
Message-ID: <4E8B5CDD.5010807@redhat.com>

On 4.10.2011 20:53, Alexander Bokovoy wrote:
> On Tue, 04 Oct 2011, Jan Cholasta wrote:
>> On 4.10.2011 13:00, Alexander Bokovoy wrote:
>>> client
>>> Reply-To:
>>>
>>> Hi,
>>>
>>> attached patch addresses ticket #1770.
>>>
>>
>> ipa-client-install fails with:
>>
>> Traceback (most recent call last):
>>    File "/usr/sbin/ipa-client-install", line 1165, in<module>
>>      sys.exit(main())
>>    File "/usr/sbin/ipa-client-install", line 1154, in main
>>      rval = install(options, env, fstore, statestore)
>>    File "/usr/sbin/ipa-client-install", line 1122, in install
>>      ipaclient.ntpconf.config_ntp(ntp_server, fstore, statestore)
>>    File "/usr/lib/python2.7/site-packages/ipaclient/ntpconf.py", line
>> 118, in config_ntp
>>      sysstore.backup_state(module, "enabled",
>> ipaservices.knownservices.ntp.enabled())
>>    File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line
>> 167, in __getattr__
>>      raise AttributeError('no magic attribute %r' % name)
>> AttributeError: no magic attribute 'ntp'
> Mea culpa. :(
>
> Fixed patch attached.
>

Now ipa-client-install --uninstall fails with:

Traceback (most recent call last):
   File "/usr/sbin/ipa-client-install", line 1165, in <module>
     sys.exit(main())
   File "/usr/sbin/ipa-client-install", line 1147, in main
     return uninstall(options, env)
   File "/usr/sbin/ipa-client-install", line 339, in uninstall
     restored = fstore.restore_file("/etc/ntp.conf")
   File "/usr/lib/python2.7/site-packages/ipapython/sysrestore.py", line 
158, in restore_file
     raise ValueError("No such file name in the index")
ValueError: No such file name in the index

Honza

-- 
Jan Cholasta



From abokovoy at redhat.com  Tue Oct  4 20:51:00 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 4 Oct 2011 23:51:00 +0300
Subject: [Freeipa-devel] [PATCH] 0016 Setup and restore ntp
 configuration on the
In-Reply-To: <4E8B5CDD.5010807@redhat.com>
References: <20111004110013.GA2647@redhat.com> <4E8B2824.8020707@redhat.com>
	<20111004185351.GE2647@redhat.com> <4E8B5CDD.5010807@redhat.com>
Message-ID: <20111004205059.GF2647@redhat.com>

On Tue, 04 Oct 2011, Jan Cholasta wrote:
> Now ipa-client-install --uninstall fails with:
> 
> Traceback (most recent call last):
>   File "/usr/sbin/ipa-client-install", line 1165, in <module>
>     sys.exit(main())
>   File "/usr/sbin/ipa-client-install", line 1147, in main
>     return uninstall(options, env)
>   File "/usr/sbin/ipa-client-install", line 339, in uninstall
>     restored = fstore.restore_file("/etc/ntp.conf")
>   File "/usr/lib/python2.7/site-packages/ipapython/sysrestore.py",
> line 158, in restore_file
>     raise ValueError("No such file name in the index")
> ValueError: No such file name in the index
Reproduced. This happens when the package freeipa-client is upgraded 
after client is enrolled with previous version -- in such case there 
is no backup state and therefore we can't restore.

Attached patch should fix it -- as we can ignore absent backup.
-- 
/ Alexander Bokovoy
-------------- next part --------------
>From a37e9ff4a35c4c9784bf6a174ca8a4da37a43f51 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy at redhat.com>
Date: Tue, 4 Oct 2011 13:56:12 +0300
Subject: [PATCH] Setup and restore ntp configuration on the client side
 properly

When setting up the client-side NTP configuration, make sure that /etc/ntp/step-tickers
point to IPA NTP server as well.
When restoring the client during ipa-client-install --uninstall, make sure NTP configuration
is fully restored and NTP service is disabled if it was disabled before the installation.

https://fedorahosted.org/freeipa/ticket/1770
---
 ipa-client/ipa-install/ipa-client-install |   26 ++++++++++++++-
 ipa-client/ipaclient/ntpconf.py           |   52 ++++++++++++++++++++--------
 2 files changed, 62 insertions(+), 16 deletions(-)

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 76f7f1913c804053edb8b90979286a0592fa5737..b8d4867ab3df119132b7d9da35803e50bbd4ea51 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -320,6 +320,30 @@ def uninstall(options, env, quiet=False):
         # this is optional service, just log
         logging.info("%s daemon is not installed, skip configuration" % (nslcd.service_name))
 
+    ntp_configured = statestore.has_state('ntp')
+    if ntp_configured:
+        ntp_enabled = statestore.restore_state('ntp', 'enabled')
+        ntp_step_tickers = statestore.restore_state('ntp', 'step-tickers')
+
+        try:
+            # Restore might fail due to file missing in backup
+            # the reason for it might be that freeipa-client was updated
+            # to this version but not unenrolled/enrolled again
+            # In such case it is OK to fail
+            restored = fstore.restore_file("/etc/ntp.conf")
+            restored |= fstore.restore_file("/etc/sysconfig/ntpd")
+            if ntp_step_tickers:
+               restored |= fstore.restore_file("/etc/ntp/step-tickers")
+        except:
+            pass
+
+        if not ntp_enabled:
+           ipaservices.knownservices.ntpd.stop()
+           ipaservices.knownservices.ntpd.disable()
+        else:
+           if restored:
+               ipaservices.knownservices.ntpd.restart()
+
     if not options.unattended:
         emit_quiet(quiet, "The original nsswitch.conf configuration has been restored.")
         emit_quiet(quiet, "You may need to restart services or reboot the machine.")
@@ -1102,7 +1126,7 @@ def install(options, env, fstore, statestore):
             ntp_server = options.ntp_server
         else:
             ntp_server = cli_server
-        ipaclient.ntpconf.config_ntp(ntp_server, fstore)
+        ipaclient.ntpconf.config_ntp(ntp_server, fstore, statestore)
         print "NTP enabled"
 
     print "Client configuration complete."
diff --git a/ipa-client/ipaclient/ntpconf.py b/ipa-client/ipaclient/ntpconf.py
index 3042005f41ea3ed6c8fee739b9cf2b833a8d6d59..cf203b90490f8268553229730cc2966d2c14f292 100644
--- a/ipa-client/ipaclient/ntpconf.py
+++ b/ipa-client/ipaclient/ntpconf.py
@@ -20,6 +20,7 @@
 from ipapython import ipautil
 from ipapython import services as ipaservices
 import shutil
+import os
 
 ntp_conf = """# Permit time synchronization with our time source, but do not
 # permit the source to query or modify the service on this system.
@@ -80,30 +81,51 @@ SYNC_HWCLOCK=yes
 # Additional options for ntpdate
 NTPDATE_OPTIONS=""
 """
+ntp_step_tickers = """# Use IPA-provided NTP server for initial time
+$SERVER
+"""
+def __backup_config(path, fstore = None):
+    if fstore:
+        fstore.backup_file(path)
+    else:
+        shutil.copy(path, "%s.ipasave" % (path))
 
-def config_ntp(server_fqdn, fstore = None):
+def __write_config(path, content):
+    fd = open(path, "w")
+    fd.write(content)
+    fd.close()
+
+def config_ntp(server_fqdn, fstore = None, sysstore = None):
+    path_step_tickers = "/etc/ntp/step-tickers"
+    path_ntp_conf = "/etc/ntp.conf"
+    path_ntp_sysconfig = "/etc/sysconfig/ntpd"
     sub_dict = { }
     sub_dict["SERVER"] = server_fqdn
 
     nc = ipautil.template_str(ntp_conf, sub_dict)
+    config_step_tickers = False
 
-    if fstore:
-        fstore.backup_file("/etc/ntp.conf")
-    else:
-        shutil.copy("/etc/ntp.conf", "/etc/ntp.conf.ipasave")
 
-    fd = open("/etc/ntp.conf", "w")
-    fd.write(nc)
-    fd.close()
+    if os.path.exists(path_step_tickers):
+        config_step_tickers = True
+        ns = ipautil.template_str(ntp_step_tickers, sub_dict)
+        __backup_config(path_step_tickers, fstore)
+        __write_config(path_step_tickers, ns)
+        ipaservices.restore_context(path_step_tickers)
 
-    if fstore:
-        fstore.backup_file("/etc/sysconfig/ntpd")
-    else:
-        shutil.copy("/etc/sysconfig/ntpd", "/etc/sysconfig/ntpd.ipasave")
+    if sysstore:
+        module = 'ntp'
+        sysstore.backup_state(module, "enabled", ipaservices.knownservices.ntpd.is_enabled())
+        if config_step_tickers:
+            sysstore.backup_state(module, "step-tickers", True)
 
-    fd = open("/etc/sysconfig/ntpd", "w")
-    fd.write(ntp_sysconfig)
-    fd.close()
+    __backup_config(path_ntp_conf, fstore)
+    __write_config(path_ntp_conf, nc)
+    ipaservices.restore_context(path_ntp_conf)
+
+    __backup_config(path_ntp_sysconfig)
+    __write_config(path_ntp_sysconfig, ntp_sysconfig)
+    ipaservices.restore_context(path_ntp_sysconfig)
 
     # Set the ntpd to start on boot
     ipaservices.knownservices.ntpd.enable()
-- 
1.7.6.4


From ayoung at redhat.com  Tue Oct  4 21:59:01 2011
From: ayoung at redhat.com (Adam Young)
Date: Tue, 04 Oct 2011 17:59:01 -0400
Subject: [Freeipa-devel] [PATCH] 019 Disables gid field if not posix
 group in group adder dialog
In-Reply-To: <4E8B37AB.3020500@redhat.com>
References: <4E8B37AB.3020500@redhat.com>
Message-ID: <4E8B81A5.4090204@redhat.com>

On 10/04/2011 12:43 PM, Petr Vobornik wrote:
> https://fedorahosted.org/freeipa/ticket/1922
>
> gidNumber is not an allowed attribute for a non-posix group.  When 
> adding a non-posix group from the UI, unchecking the "Is this a POSIX 
> group?:" box should disable the "GID:" field.
>
>
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
Patch would not apply, for some reason.  I forced it in by hand.  I need 
to set up another IPA server to test it, which I will do later on tonight

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111004/573d8293/attachment.htm>

From nalin at redhat.com  Tue Oct  4 22:32:08 2011
From: nalin at redhat.com (Nalin Dahyabhai)
Date: Tue, 4 Oct 2011 18:32:08 -0400
Subject: [Freeipa-devel] [PATCH] tweaks to ipa-replica-prepare.1
Message-ID: <20111004223208.GA3197@redhat.com>

I started reading this page, and the description for --pkinit_pin looked
wrong.  While in there, I figured it might be useful to note that the
PKCS#12 files also contain the private keys.

Nalin
-------------- next part --------------
>From 8fe270e43d7790dbd4210be9ff212ce410e3da69 Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai <nalin at redhat.com>
Date: Tue, 4 Oct 2011 18:29:45 -0400
Subject: [PATCH 2/2] - note that PKCS#12 files also contain private keys, and
 that the "pkinit" options refer to the KDC's
 credentials

---
 install/tools/man/ipa-replica-prepare.1 |    9 ++++++---
 1 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/install/tools/man/ipa-replica-prepare.1 b/install/tools/man/ipa-replica-prepare.1
index c9cd544..7443483 100644
--- a/install/tools/man/ipa-replica-prepare.1
+++ b/install/tools/man/ipa-replica-prepare.1
@@ -34,10 +34,13 @@ Once the file has been created it will be named replica\-hostname. This file can
 .SH "OPTIONS"
 .TP
 \fB\-\-dirsrv_pkcs12\fR=\fIFILE\fR
-PKCS#12 file containing the Directory Server SSL Certificate
+PKCS#12 file containing the Directory Server SSL Certificate and Private Key
 .TP
 \fB\-\-http_pkcs12\fR=\fIFILE\fR
-PKCS#12 file containing the Apache Server SSL Certificate
+PKCS#12 file containing the Apache Server SSL Certificate and Private Key
+.TP
+\fB\-\-pkinit_pkcs12\fR=\fIFILE\fR
+PKCS#12 file containing the Kerberos KDC Certificate and Private Key
 .TP
 \fB\-\-dirsrv_pin\fR=\fIDIRSRV_PIN\fR
 The password of the Directory Server PKCS#12 file
@@ -46,7 +49,7 @@ The password of the Directory Server PKCS#12 file
 The password of the Apache Server PKCS#12 file
 .TP
 \fB\-\-pkinit_pin\fR=\fIPKINIT_PIN\fR
-The password of the Apache Server PKCS#12 file
+The password of the Kerberos KDC PKCS#12 file
 .TP
 \fB\-p\fR \fIDM_PASSWORD\fR, \fB\-\-password\fR=\fIDM_PASSWORD\fR
 Directory Manager (existing master) password
-- 
1.7.6.4


From pvoborni at redhat.com  Wed Oct  5 06:57:31 2011
From: pvoborni at redhat.com (Petr Vobornik)
Date: Wed, 05 Oct 2011 08:57:31 +0200
Subject: [Freeipa-devel] [PATCH] 019 Disables gid field if not posix
 group in group adder dialog
In-Reply-To: <4E8B81A5.4090204@redhat.com>
References: <4E8B37AB.3020500@redhat.com> <4E8B81A5.4090204@redhat.com>
Message-ID: <4E8BFFDB.2050900@redhat.com>

On 10/04/2011 11:59 PM, Adam Young wrote:
> On 10/04/2011 12:43 PM, Petr Vobornik wrote:
>> https://fedorahosted.org/freeipa/ticket/1922
>>
>> gidNumber is not an allowed attribute for a non-posix group. When
>> adding a non-posix group from the UI, unchecking the "Is this a POSIX
>> group?:" box should disable the "GID:" field.
>>
> Patch would not apply, for some reason. I forced it in by hand. I need
> to set up another IPA server to test it, which I will do later on tonight

It applies (git am) on ipa-2-1. With -3 even on master. For completeness 
I attached rebased patch for master.


-- 
Petr Vobornik
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0019-1-Disables-gid-field-if-not-posix-group-in-group-adder.patch
Type: text/x-patch
Size: 2833 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111005/a8abd6cb/attachment.bin>

From mkosek at redhat.com  Wed Oct  5 07:04:31 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 05 Oct 2011 09:04:31 +0200
Subject: [Freeipa-devel] [PATCH] 51 Add a function for formatting
 network locations
In-Reply-To: <4E8B2FB6.7070006@redhat.com>
References: <4E8ABEDF.4090902@redhat.com> <4E8B2FB6.7070006@redhat.com>
Message-ID: <1317798274.6589.0.camel@dhcp-25-52.brq.redhat.com>

On Tue, 2011-10-04 at 12:09 -0400, John Dennis wrote:
> On 10/04/2011 04:07 AM, Jan Cholasta wrote:
> 
> Looks good Jan, thank you. ACK
> 
> 

The patch cannot be applied on current master/ipa-2-1. Please rebase the
patch before pushing.

Martin



From mkosek at redhat.com  Wed Oct  5 07:07:13 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 05 Oct 2011 09:07:13 +0200
Subject: [Freeipa-devel] [PATCH] make users in nested groups show up in
 compat groups
In-Reply-To: <201110041804.17424.jzeleny@redhat.com>
References: <20111004155253.GB3393@redhat.com>
	<201110041804.17424.jzeleny@redhat.com>
Message-ID: <1317798436.6589.1.camel@dhcp-25-52.brq.redhat.com>

On Tue, 2011-10-04 at 18:04 +0200, Jan Zelen? wrote:
> > Jan Zeleny notes that users who are members of groups which are
> > themselves members of groups don't show up in the compat entries of the
> > the containing groups.
> > 
> > Nalin
> 
> Ack
> 
> Jan

Pushed to master, ipa-2-1.

Martin



From jcholast at redhat.com  Wed Oct  5 08:33:32 2011
From: jcholast at redhat.com (Jan Cholasta)
Date: Wed, 05 Oct 2011 10:33:32 +0200
Subject: [Freeipa-devel] [PATCH] 51 Add a function for formatting
 network locations
In-Reply-To: <1317798274.6589.0.camel@dhcp-25-52.brq.redhat.com>
References: <4E8ABEDF.4090902@redhat.com> <4E8B2FB6.7070006@redhat.com>
	<1317798274.6589.0.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4E8C165C.7000009@redhat.com>

On 5.10.2011 09:04, Martin Kosek wrote:
> On Tue, 2011-10-04 at 12:09 -0400, John Dennis wrote:
>> On 10/04/2011 04:07 AM, Jan Cholasta wrote:
>>
>> Looks good Jan, thank you. ACK
>>
>>
>
> The patch cannot be applied on current master/ipa-2-1. Please rebase the
> patch before pushing.
>
> Martin
>

Rebased patch attached.

Honza

-- 
Jan Cholasta
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-51.1-network-location-format.patch
Type: text/x-patch
Size: 22665 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111005/53cda29c/attachment.bin>

From abokovoy at redhat.com  Wed Oct  5 08:38:55 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 5 Oct 2011 11:38:55 +0300
Subject: [Freeipa-devel] [PATCH] 0016 Setup and restore ntp
 configuration on the
In-Reply-To: <20111004205059.GF2647@redhat.com>
References: <20111004110013.GA2647@redhat.com> <4E8B2824.8020707@redhat.com>
	<20111004185351.GE2647@redhat.com> <4E8B5CDD.5010807@redhat.com>
	<20111004205059.GF2647@redhat.com>
Message-ID: <20111005083855.GB18611@redhat.com>

On Tue, 04 Oct 2011, Alexander Bokovoy wrote:
> Reproduced. This happens when the package freeipa-client is upgraded 
> after client is enrolled with previous version -- in such case there 
> is no backup state and therefore we can't restore.
Also add fstore to /etc/sysconfig/ntpd to really backup it.

-- 
/ Alexander Bokovoy
-------------- next part --------------
>From 0aab495a8175b25ebd48e30715527fcf6737b22b Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy at redhat.com>
Date: Tue, 4 Oct 2011 13:56:12 +0300
Subject: [PATCH] Setup and restore ntp configuration on the client side
 properly

When setting up the client-side NTP configuration, make sure that /etc/ntp/step-tickers
point to IPA NTP server as well.
When restoring the client during ipa-client-install --uninstall, make sure NTP configuration
is fully restored and NTP service is disabled if it was disabled before the installation.

https://fedorahosted.org/freeipa/ticket/1770
---
 ipa-client/ipa-install/ipa-client-install |   26 ++++++++++++++-
 ipa-client/ipaclient/ntpconf.py           |   52 ++++++++++++++++++++--------
 2 files changed, 62 insertions(+), 16 deletions(-)

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 76f7f1913c804053edb8b90979286a0592fa5737..b8d4867ab3df119132b7d9da35803e50bbd4ea51 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -320,6 +320,30 @@ def uninstall(options, env, quiet=False):
         # this is optional service, just log
         logging.info("%s daemon is not installed, skip configuration" % (nslcd.service_name))
 
+    ntp_configured = statestore.has_state('ntp')
+    if ntp_configured:
+        ntp_enabled = statestore.restore_state('ntp', 'enabled')
+        ntp_step_tickers = statestore.restore_state('ntp', 'step-tickers')
+
+        try:
+            # Restore might fail due to file missing in backup
+            # the reason for it might be that freeipa-client was updated
+            # to this version but not unenrolled/enrolled again
+            # In such case it is OK to fail
+            restored = fstore.restore_file("/etc/ntp.conf")
+            restored |= fstore.restore_file("/etc/sysconfig/ntpd")
+            if ntp_step_tickers:
+               restored |= fstore.restore_file("/etc/ntp/step-tickers")
+        except:
+            pass
+
+        if not ntp_enabled:
+           ipaservices.knownservices.ntpd.stop()
+           ipaservices.knownservices.ntpd.disable()
+        else:
+           if restored:
+               ipaservices.knownservices.ntpd.restart()
+
     if not options.unattended:
         emit_quiet(quiet, "The original nsswitch.conf configuration has been restored.")
         emit_quiet(quiet, "You may need to restart services or reboot the machine.")
@@ -1102,7 +1126,7 @@ def install(options, env, fstore, statestore):
             ntp_server = options.ntp_server
         else:
             ntp_server = cli_server
-        ipaclient.ntpconf.config_ntp(ntp_server, fstore)
+        ipaclient.ntpconf.config_ntp(ntp_server, fstore, statestore)
         print "NTP enabled"
 
     print "Client configuration complete."
diff --git a/ipa-client/ipaclient/ntpconf.py b/ipa-client/ipaclient/ntpconf.py
index 3042005f41ea3ed6c8fee739b9cf2b833a8d6d59..8e151089c81fe761dc57fc6e8fb7ff5ba30b98fa 100644
--- a/ipa-client/ipaclient/ntpconf.py
+++ b/ipa-client/ipaclient/ntpconf.py
@@ -20,6 +20,7 @@
 from ipapython import ipautil
 from ipapython import services as ipaservices
 import shutil
+import os
 
 ntp_conf = """# Permit time synchronization with our time source, but do not
 # permit the source to query or modify the service on this system.
@@ -80,30 +81,51 @@ SYNC_HWCLOCK=yes
 # Additional options for ntpdate
 NTPDATE_OPTIONS=""
 """
+ntp_step_tickers = """# Use IPA-provided NTP server for initial time
+$SERVER
+"""
+def __backup_config(path, fstore = None):
+    if fstore:
+        fstore.backup_file(path)
+    else:
+        shutil.copy(path, "%s.ipasave" % (path))
 
-def config_ntp(server_fqdn, fstore = None):
+def __write_config(path, content):
+    fd = open(path, "w")
+    fd.write(content)
+    fd.close()
+
+def config_ntp(server_fqdn, fstore = None, sysstore = None):
+    path_step_tickers = "/etc/ntp/step-tickers"
+    path_ntp_conf = "/etc/ntp.conf"
+    path_ntp_sysconfig = "/etc/sysconfig/ntpd"
     sub_dict = { }
     sub_dict["SERVER"] = server_fqdn
 
     nc = ipautil.template_str(ntp_conf, sub_dict)
+    config_step_tickers = False
 
-    if fstore:
-        fstore.backup_file("/etc/ntp.conf")
-    else:
-        shutil.copy("/etc/ntp.conf", "/etc/ntp.conf.ipasave")
 
-    fd = open("/etc/ntp.conf", "w")
-    fd.write(nc)
-    fd.close()
+    if os.path.exists(path_step_tickers):
+        config_step_tickers = True
+        ns = ipautil.template_str(ntp_step_tickers, sub_dict)
+        __backup_config(path_step_tickers, fstore)
+        __write_config(path_step_tickers, ns)
+        ipaservices.restore_context(path_step_tickers)
 
-    if fstore:
-        fstore.backup_file("/etc/sysconfig/ntpd")
-    else:
-        shutil.copy("/etc/sysconfig/ntpd", "/etc/sysconfig/ntpd.ipasave")
+    if sysstore:
+        module = 'ntp'
+        sysstore.backup_state(module, "enabled", ipaservices.knownservices.ntpd.is_enabled())
+        if config_step_tickers:
+            sysstore.backup_state(module, "step-tickers", True)
 
-    fd = open("/etc/sysconfig/ntpd", "w")
-    fd.write(ntp_sysconfig)
-    fd.close()
+    __backup_config(path_ntp_conf, fstore)
+    __write_config(path_ntp_conf, nc)
+    ipaservices.restore_context(path_ntp_conf)
+
+    __backup_config(path_ntp_sysconfig, fstore)
+    __write_config(path_ntp_sysconfig, ntp_sysconfig)
+    ipaservices.restore_context(path_ntp_sysconfig)
 
     # Set the ntpd to start on boot
     ipaservices.knownservices.ntpd.enable()
-- 
1.7.6.4


From mkosek at redhat.com  Wed Oct  5 08:59:36 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 05 Oct 2011 10:59:36 +0200
Subject: [Freeipa-devel] [PATCH] 51 Add a function for formatting
 network locations
In-Reply-To: <4E8C165C.7000009@redhat.com>
References: <4E8ABEDF.4090902@redhat.com> <4E8B2FB6.7070006@redhat.com>
	<1317798274.6589.0.camel@dhcp-25-52.brq.redhat.com>
	<4E8C165C.7000009@redhat.com>
Message-ID: <1317805179.6589.7.camel@dhcp-25-52.brq.redhat.com>

On Wed, 2011-10-05 at 10:33 +0200, Jan Cholasta wrote:
> On 5.10.2011 09:04, Martin Kosek wrote:
> > On Tue, 2011-10-04 at 12:09 -0400, John Dennis wrote:
> >> On 10/04/2011 04:07 AM, Jan Cholasta wrote:
> >>
> >> Looks good Jan, thank you. ACK
> >>
> >>
> >
> > The patch cannot be applied on current master/ipa-2-1. Please rebase the
> > patch before pushing.
> >
> > Martin
> >
> 
> Rebased patch attached.
> 
> Honza
> 

Pushed to master, ipa-2-1.

Martin



From jcholast at redhat.com  Wed Oct  5 09:27:44 2011
From: jcholast at redhat.com (Jan Cholasta)
Date: Wed, 05 Oct 2011 11:27:44 +0200
Subject: [Freeipa-devel] [PATCH] 0016 Setup and restore ntp
 configuration on the
In-Reply-To: <20111005083855.GB18611@redhat.com>
References: <20111004110013.GA2647@redhat.com> <4E8B2824.8020707@redhat.com>
	<20111004185351.GE2647@redhat.com> <4E8B5CDD.5010807@redhat.com>
	<20111004205059.GF2647@redhat.com>
	<20111005083855.GB18611@redhat.com>
Message-ID: <4E8C2310.4050205@redhat.com>

On 5.10.2011 10:38, Alexander Bokovoy wrote:
> On Tue, 04 Oct 2011, Alexander Bokovoy wrote:
>> Reproduced. This happens when the package freeipa-client is upgraded
>> after client is enrolled with previous version -- in such case there
>> is no backup state and therefore we can't restore.
> Also add fstore to /etc/sysconfig/ntpd to really backup it.
>

ACK.

Honza

-- 
Jan Cholasta



From sbose at redhat.com  Wed Oct  5 09:58:31 2011
From: sbose at redhat.com (Sumit Bose)
Date: Wed, 5 Oct 2011 11:58:31 +0200
Subject: [Freeipa-devel] [PATCH] ipa-pwd-extop: allow password change on
 all connections with SSF>1
In-Reply-To: <4E8ACE98.7060302@redhat.com>
References: <20110927081548.GD18636@localhost.localdomain>
	<4E8ACE98.7060302@redhat.com>
Message-ID: <20111005095831.GA2252@localhost.localdomain>

On Tue, Oct 04, 2011 at 11:15:04AM +0200, Jan Cholasta wrote:
> On 27.9.2011 10:15, Sumit Bose wrote:
> >Hi,
> >
> >currently the change password plugin does not check if the connection is
> >coming from a local LDAPI socket and denies password change requests via
> >LDAPI. This patch changes the check to just look at the overall SSF of
> >the connection which covers all types of connection.
> >
> >There is a similar check in ipa_enrollment.c. But I think enrollments via
> >LDAPI does not make much sense so it does not need to be changed.
> 
> IMHO it should be changed anyway, for the sake of consistency.
> 
> >
> >This patch should fix https://fedorahosted.org/freeipa/ticket/1877.
> >
> >bye,
> >Sumit
> >
> 
> The patch has trailing whitespace on lines 20 and 32-35 and needs to
> be rebased.
> 
> Tested the patch with ldappasswd over ldap/ldaps/ldapi - works as expected.

Thank you for the review. I have changed ipa_enrollment.c accordingly
and checked that the patch applies against master as well as against
ipa-2-1 and that git does not complain about trailing whitespace. New
version attached.

bye,
Sumit

> 
> Honza
> 
> -- 
> Jan Cholasta
-------------- next part --------------
From 97f051d6e13f8b1fc64397d4171694248df978b4 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose at redhat.com>
Date: Tue, 27 Sep 2011 10:06:50 +0200
Subject: [PATCH] ipa-pwd-extop: allow password change on all connections with
 SSF>1

Instead of checking the individual SSFs for SASL, SSL/TLS and LDAPI connection
the global SSF is checked for password changes and enrollments.
---
 .../ipa-enrollment/ipa_enrollment.c                |   19 ++++++-------------
 .../ipa-pwd-extop/ipapwd_common.c                  |   19 ++++++-------------
 2 files changed, 12 insertions(+), 26 deletions(-)

diff --git a/daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c b/daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c
index 51231231fd1a597e27ac283c855bbd5146db3e24..946b56b205d33f068c9ca5601e7aad82a380310b 100644
--- a/daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c
+++ b/daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c
@@ -80,22 +80,15 @@ static const char *ipa_realm_dn;
 static int
 ipaenrollement_secure(Slapi_PBlock *pb, char **errMesg)
 {
-    int sasl_ssf, is_ssl;
+    int ssf;
     int rc = LDAP_SUCCESS;
 
     LOG_TRACE("=> ipaenrollment_secure\n");
 
-    /* Allow enrollment only for SSL/TLS established connections and
-     * connections using SASL privacy layers */
-    if (slapi_pblock_get(pb, SLAPI_CONN_SASL_SSF, &sasl_ssf) != 0) {
-        LOG_TRACE("Could not get SASL SSF from connection\n");
-        *errMesg = "Operation requires a secure connection.\n";
-        rc = LDAP_OPERATIONS_ERROR;
-        goto done;
-    }
-
-    if (slapi_pblock_get(pb, SLAPI_CONN_IS_SSL_SESSION, &is_ssl) != 0) {
-        LOG_TRACE("Could not get IS SSL from connection\n");
+    /* Allow password modify on all connections with a Security Strength
+     * Factor (SSF) higher than 1 */
+    if (slapi_pblock_get(pb, SLAPI_OPERATION_SSF, &ssf) != 0) {
+        LOG_TRACE("Could not get SSF from connection\n");
         *errMesg = "Operation requires a secure connection.\n";
         rc = LDAP_OPERATIONS_ERROR;
         goto done;
@@ -108,7 +101,7 @@ ipaenrollement_secure(Slapi_PBlock *pb, char **errMesg)
         goto done;
     }
 
-    if ((0 == is_ssl) && (sasl_ssf <= 1)) {
+    if (ssf <= 1) {
         *errMesg = "Operation requires a secure connection.\n";
         rc = LDAP_CONFIDENTIALITY_REQUIRED;
         goto done;
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c
index 7bc2e7d54da095cf1db232d3d173270f585a76f6..3ee7fefd47dd8c06799bc2eb3b37f17bc2b10444 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c
@@ -615,7 +615,7 @@ done:
 int ipapwd_gen_checks(Slapi_PBlock *pb, char **errMesg,
                       struct ipapwd_krbcfg **config, int check_flags)
 {
-    int ret, sasl_ssf, is_ssl;
+    int ret, ssf;
     int rc = LDAP_SUCCESS;
     Slapi_Backend *be;
     const Slapi_DN *psdn;
@@ -626,23 +626,16 @@ int ipapwd_gen_checks(Slapi_PBlock *pb, char **errMesg,
 
 #ifdef LDAP_EXTOP_PASSMOD_CONN_SECURE
     if (check_flags & IPAPWD_CHECK_CONN_SECURE) {
-        /* Allow password modify only for SSL/TLS established connections and
-         * connections using SASL privacy layers */
-        if (slapi_pblock_get(pb, SLAPI_CONN_SASL_SSF, &sasl_ssf) != 0) {
-            LOG("Could not get SASL SSF from connection\n");
+       /* Allow password modify on all connections with a Security Strength
+        * Factor (SSF) higher than 1 */
+        if (slapi_pblock_get(pb, SLAPI_OPERATION_SSF, &ssf) != 0) {
+            LOG("Could not get SSF from connection\n");
             *errMesg = "Operation requires a secure connection.\n";
             rc = LDAP_OPERATIONS_ERROR;
             goto done;
         }
 
-        if (slapi_pblock_get(pb, SLAPI_CONN_IS_SSL_SESSION, &is_ssl) != 0) {
-            LOG("Could not get IS SSL from connection\n");
-            *errMesg = "Operation requires a secure connection.\n";
-            rc = LDAP_OPERATIONS_ERROR;
-            goto done;
-        }
-
-        if ((0 == is_ssl) && (sasl_ssf <= 1)) {
+        if (ssf <= 1) {
             *errMesg = "Operation requires a secure connection.\n";
             rc = LDAP_CONFIDENTIALITY_REQUIRED;
             goto done;
-- 
1.7.6


From mkosek at redhat.com  Wed Oct  5 10:54:12 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 05 Oct 2011 12:54:12 +0200
Subject: [Freeipa-devel] [PATCH] 0016 Setup and restore ntp
 configuration on the
In-Reply-To: <4E8C2310.4050205@redhat.com>
References: <20111004110013.GA2647@redhat.com> <4E8B2824.8020707@redhat.com>
	<20111004185351.GE2647@redhat.com> <4E8B5CDD.5010807@redhat.com>
	<20111004205059.GF2647@redhat.com> <20111005083855.GB18611@redhat.com>
	<4E8C2310.4050205@redhat.com>
Message-ID: <1317812055.6589.8.camel@dhcp-25-52.brq.redhat.com>

On Wed, 2011-10-05 at 11:27 +0200, Jan Cholasta wrote:
> On 5.10.2011 10:38, Alexander Bokovoy wrote:
> > On Tue, 04 Oct 2011, Alexander Bokovoy wrote:
> >> Reproduced. This happens when the package freeipa-client is upgraded
> >> after client is enrolled with previous version -- in such case there
> >> is no backup state and therefore we can't restore.
> > Also add fstore to /etc/sysconfig/ntpd to really backup it.
> >
> 
> ACK.
> 
> Honza
> 

Pushed to master, ipa-2-1.

Martin



From pvoborni at redhat.com  Wed Oct  5 12:04:35 2011
From: pvoborni at redhat.com (Petr Vobornik)
Date: Wed, 05 Oct 2011 14:04:35 +0200
Subject: [Freeipa-devel] [PATCH] 285 Added confirmation when adding
 multiple entries.
In-Reply-To: <4E868B2E.7060604@redhat.com>
References: <4E823994.7020604@redhat.com> <4E8256AA.3040507@redhat.com>
	<4E868B2E.7060604@redhat.com>
Message-ID: <4E8C47D3.6050502@redhat.com>

On 10/01/2011 05:38 AM, Endi Sukma Dewata wrote:
> On 9/27/2011 6:05 PM, Endi Sukma Dewata wrote:
>> On 9/27/2011 4:01 PM, Endi Sukma Dewata wrote:
>>> The adder dialog has been modified to show a confirmation message
>>> after each successful addition.
>>>
>>> Ticket #1786
>>
>> Rebased on top of 286 (because 286 needs to go to ipa-2-1 branch).
>
> Rebased on top of 292.
ACK

-- 
Petr Vobornik



From abokovoy at redhat.com  Wed Oct  5 12:16:06 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 5 Oct 2011 15:16:06 +0300
Subject: [Freeipa-devel] [PATCH] 0019 Sync time with NTP before joining the
	domain
Message-ID: <20111005121606.GA29306@redhat.com>

Hi,

https://fedorahosted.org/freeipa/ticket/1773

-- 
/ Alexander Bokovoy
-------------- next part --------------
>From 8b022ee7b1290cabd4e1a54971dc66420d73c1cc Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy at redhat.com>
Date: Wed, 5 Oct 2011 15:02:58 +0300
Subject: [PATCH] Before kinit, try to sync time with the NTP servers of the
 domain we are joining

When running ipa-client-install on a system whose clock is not in sync with the
master, kinit fails and enrollment is aborted. Manual checking of current time
at the master and adjusting on the client-to-be is then needed.

The patch tries to fetch SRV records for NTP servers of the domain we aim to join
and runs ntpdate to get time synchronized. If no SRV records are found, sync with IPA server itself.
If that fails, warn that time might be not in sync with KDC.

https://fedorahosted.org/freeipa/ticket/1773
---
 ipa-client/ipa-install/ipa-client-install |   14 ++++++++++++++
 ipa-client/ipaclient/ipadiscovery.py      |   21 +++++++++++++++++++++
 ipa-client/ipaclient/ntpconf.py           |   22 ++++++++++++++++++++++
 3 files changed, 57 insertions(+), 0 deletions(-)

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 70ef811cec5a9107cb110d7ffa2a191fb36ea997..3810caea3eee403d0f225d52e0e5c5b2b8489a78 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -920,6 +920,20 @@ def install(options, env, fstore, statestore):
         nolog = tuple()
         # First test out the kerberos configuration
         try:
+            # Attempt to sync time with IPA server.
+            # We assume that NTP servers are discoverable through SRV records in the DNS
+            # If that fails, we try to sync directly with IPA server, assuming it runs NTP
+            ntp_servers = ipautil.parse_items(ds.ipadnssearchntp(cli_domain))
+            synced_ntp = False
+            if len(ntp_servers) > 0:
+                for s in ntp_servers:
+                   synced_ntp = ipaclient.ntpconf.synconce_ntp(s)
+                   if synced_ntp:
+                       break
+            if not synced_ntp:
+                synced_ntp = ipaclient.ntpconf.synconce_ntp(cli_server)
+            if not synced_ntp:
+                print "Unable to sync time with IPA NTP server, assuming the time is in sync."
             (krb_fd, krb_name) = tempfile.mkstemp()
             os.close(krb_fd)
             if configure_krb5_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, cli_kdc, dnsok, options, krb_name):
diff --git a/ipa-client/ipaclient/ipadiscovery.py b/ipa-client/ipaclient/ipadiscovery.py
index 3e31cad37dc1883c01e0729e390c5e5c16e022bd..cd5f81bd5147929deca43e502c4f9b2bdb98f99c 100644
--- a/ipa-client/ipaclient/ipadiscovery.py
+++ b/ipa-client/ipaclient/ipadiscovery.py
@@ -316,6 +316,27 @@ class IPADiscovery:
 
         return servers
 
+    def ipadnssearchntp(self, tdomain):
+        servers = ""
+        rserver = ""
+
+        qname = "_ntp._udp."+tdomain
+        # terminate the name
+        if not qname.endswith("."):
+            qname += "."
+        results = ipapython.dnsclient.query(qname, ipapython.dnsclient.DNS_C_IN, ipapython.dnsclient.DNS_T_SRV)
+
+        for result in results:
+            if result.dns_type == ipapython.dnsclient.DNS_T_SRV:
+                rserver = result.rdata.server.rstrip(".")
+                if servers:
+                    servers += "," + rserver
+                else:
+                    servers = rserver
+                break
+
+        return servers
+
     def ipadnssearchkrb(self, tdomain):
         realm = None
         kdc = None
diff --git a/ipa-client/ipaclient/ntpconf.py b/ipa-client/ipaclient/ntpconf.py
index 8e151089c81fe761dc57fc6e8fb7ff5ba30b98fa..e2d349b166d9fc47bfd48f4c8054e211904778e7 100644
--- a/ipa-client/ipaclient/ntpconf.py
+++ b/ipa-client/ipaclient/ntpconf.py
@@ -132,3 +132,25 @@ def config_ntp(server_fqdn, fstore = None, sysstore = None):
 
     # Restart ntpd
     ipaservices.knownservices.ntpd.restart()
+
+def synconce_ntp(server_fqdn):
+    """
+    Syncs time with specified server using ntpdate.
+    Primarily designed to be used before Kerberos setup
+    to get time following the KDC time
+
+    Returns True if sync was successful
+    """
+    ntpdate="/usr/sbin/ntpdate"
+    result = False
+    if os.path.exists(ntpdate):
+        retries = 2
+        for retry in range(0,3):
+            try:
+                (sout, serr, rcode) = ipautil.run([ntpdate, "-U", "ntp", "-s", "-b", server_fqdn],capture_output=True)
+                if rcode == 0:
+                    result = True
+                    break
+            except:
+                pass
+    return result
-- 
1.7.6.4


From abokovoy at redhat.com  Wed Oct  5 12:17:37 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 5 Oct 2011 15:17:37 +0300
Subject: [Freeipa-devel] [PATCH] 0020 fix 'referenced before assignment'
Message-ID: <20111005121737.GB29306@redhat.com>

Hi,

in 1770 due to code moving from one part of the file to another, 
restored variable didn't get a proper assignment.

One line patch.

-- 
/ Alexander Bokovoy
-------------- next part --------------
>From 8c46d269fb412887cf0eb70ec69bb6861933f56a Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy at redhat.com>
Date: Wed, 5 Oct 2011 15:11:29 +0300
Subject: [PATCH 2/2] Fix 'referenced before assignment' warning

---
 ipa-client/ipa-install/ipa-client-install |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 3810caea3eee403d0f225d52e0e5c5b2b8489a78..657c3be4d27e78b6c558697b4bbb27238a421966 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -324,6 +324,7 @@ def uninstall(options, env, quiet=False):
     if ntp_configured:
         ntp_enabled = statestore.restore_state('ntp', 'enabled')
         ntp_step_tickers = statestore.restore_state('ntp', 'step-tickers')
+        restored = False
 
         try:
             # Restore might fail due to file missing in backup
-- 
1.7.6.4


From jcholast at redhat.com  Wed Oct  5 12:24:17 2011
From: jcholast at redhat.com (Jan Cholasta)
Date: Wed, 05 Oct 2011 14:24:17 +0200
Subject: [Freeipa-devel] [PATCH] 49 Work around pkisilent bugs
In-Reply-To: <4E8B51EA.7050006@redhat.com>
References: <4E803108.5060108@redhat.com> <4E8B51EA.7050006@redhat.com>
Message-ID: <4E8C4C71.7090701@redhat.com>

On 4.10.2011 20:35, Rob Crittenden wrote:
> Jan Cholasta wrote:
>> Work around pkisilent bugs.
>>
>> Check directory manager password for invalid characters.
>> (https://bugzilla.redhat.com/show_bug.cgi?id=658641)
>>
>> Shell-escape pkisilent command-line arguments.
>> (https://bugzilla.redhat.com/show_bug.cgi?id=741180)
>>
>> Once the bugs are fixed, the workarounds should be removed and pkisilent
>> minimum required version should be bumped.
>>
>> https://fedorahosted.org/freeipa/ticket/1636
>>
>> Honza
>
> Potential nack. The code here works I just found a couple more corner
> cases.
>
> Some special characters in the subject base also cause pkisilent to
> fail. ampersand is one. I wonder if we need to catch this as well.
>
> Tab in the password will cause a failure.
>
> rob
>

Fixed patch attached.

Honza

-- 
Jan Cholasta
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-49.1-pkisilent-workaround.patch
Type: text/x-patch
Size: 10393 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111005/04859bf8/attachment.bin>

From pvoborni at redhat.com  Wed Oct  5 12:35:43 2011
From: pvoborni at redhat.com (Petr Vobornik)
Date: Wed, 05 Oct 2011 14:35:43 +0200
Subject: [Freeipa-devel] [PATCH] 293 Added selectable labels for radio
 buttons.
In-Reply-To: <4E868C19.6040001@redhat.com>
References: <4E868C19.6040001@redhat.com>
Message-ID: <4E8C4F1F.5010903@redhat.com>

On 10/01/2011 05:42 AM, Endi Sukma Dewata wrote:
> The radio buttons in association facet and radio widget are now
> linked to their labels so that they can be selected by clicking
> the labels.
>
> Ticket #1782
>
ACK

-- 
Petr Vobornik



From mkosek at redhat.com  Wed Oct  5 12:53:42 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 05 Oct 2011 14:53:42 +0200
Subject: [Freeipa-devel] [PATCH] 285 Added confirmation when adding
 multiple entries.
In-Reply-To: <4E8C47D3.6050502@redhat.com>
References: <4E823994.7020604@redhat.com> <4E8256AA.3040507@redhat.com>
	<4E868B2E.7060604@redhat.com> <4E8C47D3.6050502@redhat.com>
Message-ID: <1317819226.6589.9.camel@dhcp-25-52.brq.redhat.com>

On Wed, 2011-10-05 at 14:04 +0200, Petr Vobornik wrote:
> On 10/01/2011 05:38 AM, Endi Sukma Dewata wrote:
> > On 9/27/2011 6:05 PM, Endi Sukma Dewata wrote:
> >> On 9/27/2011 4:01 PM, Endi Sukma Dewata wrote:
> >>> The adder dialog has been modified to show a confirmation message
> >>> after each successful addition.
> >>>
> >>> Ticket #1786
> >>
> >> Rebased on top of 286 (because 286 needs to go to ipa-2-1 branch).
> >
> > Rebased on top of 292.
> ACK
> 

Pushed to master only since the ticket is for 3.0 effort.

Martin



From mkosek at redhat.com  Wed Oct  5 13:05:41 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 05 Oct 2011 15:05:41 +0200
Subject: [Freeipa-devel] [PATCH] 0020 fix 'referenced before assignment'
In-Reply-To: <20111005121737.GB29306@redhat.com>
References: <20111005121737.GB29306@redhat.com>
Message-ID: <1317819943.6589.10.camel@dhcp-25-52.brq.redhat.com>

On Wed, 2011-10-05 at 15:17 +0300, Alexander Bokovoy wrote:
> Hi,
> 
> in 1770 due to code moving from one part of the file to another, 
> restored variable didn't get a proper assignment.
> 
> One line patch.
> 

ACK. Pushed to master, ipa-2-1.

Martin



From jcholast at redhat.com  Wed Oct  5 13:06:19 2011
From: jcholast at redhat.com (Jan Cholasta)
Date: Wed, 05 Oct 2011 15:06:19 +0200
Subject: [Freeipa-devel] [PATCH] ipa-pwd-extop: allow password change on
 all connections with SSF>1
In-Reply-To: <20111005095831.GA2252@localhost.localdomain>
References: <20110927081548.GD18636@localhost.localdomain>
	<4E8ACE98.7060302@redhat.com>
	<20111005095831.GA2252@localhost.localdomain>
Message-ID: <4E8C564B.8010400@redhat.com>

On 5.10.2011 11:58, Sumit Bose wrote:
> On Tue, Oct 04, 2011 at 11:15:04AM +0200, Jan Cholasta wrote:
>> On 27.9.2011 10:15, Sumit Bose wrote:
>>> Hi,
>>>
>>> currently the change password plugin does not check if the connection is
>>> coming from a local LDAPI socket and denies password change requests via
>>> LDAPI. This patch changes the check to just look at the overall SSF of
>>> the connection which covers all types of connection.
>>>
>>> There is a similar check in ipa_enrollment.c. But I think enrollments via
>>> LDAPI does not make much sense so it does not need to be changed.
>>
>> IMHO it should be changed anyway, for the sake of consistency.
>>
>>>
>>> This patch should fix https://fedorahosted.org/freeipa/ticket/1877.
>>>
>>> bye,
>>> Sumit
>>>
>>
>> The patch has trailing whitespace on lines 20 and 32-35 and needs to
>> be rebased.
>>
>> Tested the patch with ldappasswd over ldap/ldaps/ldapi - works as expected.
>
> Thank you for the review. I have changed ipa_enrollment.c accordingly
> and checked that the patch applies against master as well as against
> ipa-2-1 and that git does not complain about trailing whitespace. New
> version attached.
>
> bye,
> Sumit

"git apply" still complains about the patch:

$ git status -sb
## ipa-2-1

$ git apply 
freeipa-sbose-0007-2-ipa-pwd-extop-allow-password-change-on-all-connectio.patch 

../../patch/freeipa-sbose-0007-2-ipa-pwd-extop-allow-password-change-on-all-connectio.patch:23: 
trailing whitespace.
     int ssf;
../../patch/freeipa-sbose-0007-2-ipa-pwd-extop-allow-password-change-on-all-connectio.patch:39: 
trailing whitespace.
     /* Allow password modify on all connections with a Security Strength
../../patch/freeipa-sbose-0007-2-ipa-pwd-extop-allow-password-change-on-all-connectio.patch:40: 
trailing whitespace.
      * Factor (SSF) higher than 1 */
../../patch/freeipa-sbose-0007-2-ipa-pwd-extop-allow-password-change-on-all-connectio.patch:41: 
trailing whitespace.
     if (slapi_pblock_get(pb, SLAPI_OPERATION_SSF, &ssf) != 0) {
../../patch/freeipa-sbose-0007-2-ipa-pwd-extop-allow-password-change-on-all-connectio.patch:42: 
trailing whitespace.
         LOG_TRACE("Could not get SSF from connection\n");
error: patch failed: 
daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c:80
error: daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c: patch 
does not apply
error: patch failed: 
daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c:615
error: daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c: patch 
does not apply


It can be applied with "patch", but it complains too:

$ patch -p1 --no-backup-if-mismatch 
<freeipa-sbose-0007-2-ipa-pwd-extop-allow-password-change-on-all-connectio.patch 

(Stripping trailing CRs from patch.)
patching file daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c
(Stripping trailing CRs from patch.)
patching file daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c


The comment in ipa-enrollment.c should be changed from "Allow password 
modify on ..." to "Allow enrollment on ...".

Honza

>
>>
>> Honza
>>
>> --
>> Jan Cholasta
>>
>>
>> _______________________________________________
>> Freeipa-devel mailing list
>> Freeipa-devel at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-devel


-- 
Jan Cholasta



From mkosek at redhat.com  Wed Oct  5 13:11:15 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 05 Oct 2011 15:11:15 +0200
Subject: [Freeipa-devel] [PATCH] 293 Added selectable labels for radio
 buttons.
In-Reply-To: <4E8C4F1F.5010903@redhat.com>
References: <4E868C19.6040001@redhat.com> <4E8C4F1F.5010903@redhat.com>
Message-ID: <1317820280.6589.11.camel@dhcp-25-52.brq.redhat.com>

On Wed, 2011-10-05 at 14:35 +0200, Petr Vobornik wrote:
> On 10/01/2011 05:42 AM, Endi Sukma Dewata wrote:
> > The radio buttons in association facet and radio widget are now
> > linked to their labels so that they can be selected by clicking
> > the labels.
> >
> > Ticket #1782
> >
> ACK
> 

Pushed to master.

Martin



From rcritten at redhat.com  Wed Oct  5 13:20:47 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 05 Oct 2011 09:20:47 -0400
Subject: [Freeipa-devel] [PATCH] 0019 Sync time with NTP before joining
 the domain
In-Reply-To: <20111005121606.GA29306@redhat.com>
References: <20111005121606.GA29306@redhat.com>
Message-ID: <4E8C59AF.6000404@redhat.com>

Alexander Bokovoy wrote:
> Hi,
>
> https://fedorahosted.org/freeipa/ticket/1773
>

In synconce_ntp() ipautil.run is going to raise an exception when a 
ntpupdate returns non-zero so the retry code isn't going to work. You 
need to add raiseonerr=False to the call.

It looks like you changed your mind on the retries variable too.

rob



From abokovoy at redhat.com  Wed Oct  5 14:27:33 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 5 Oct 2011 17:27:33 +0300
Subject: [Freeipa-devel] [PATCH] 0019 Sync time with NTP before joining
 the domain
In-Reply-To: <4E8C59AF.6000404@redhat.com>
References: <20111005121606.GA29306@redhat.com> <4E8C59AF.6000404@redhat.com>
Message-ID: <20111005142732.GD29306@redhat.com>

On Wed, 05 Oct 2011, Rob Crittenden wrote:
> In synconce_ntp() ipautil.run is going to raise an exception when a
> ntpupdate returns non-zero so the retry code isn't going to work.
> You need to add raiseonerr=False to the call.
> 
> It looks like you changed your mind on the retries variable too.
Right.

I ended up not using raiseonerr=False as all I needed is a way to 
break out of the loop on success so that will come sequentially if 
there is no exception.

Patch attached.
-- 
/ Alexander Bokovoy
-------------- next part --------------
>From b80796995a550ff0411fe32b4e6dd1f9c04cbb2f Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy at redhat.com>
Date: Wed, 5 Oct 2011 17:25:09 +0300
Subject: [PATCH] Before kinit, try to sync time with the NTP servers of the
 domain we are joining

When running ipa-client-install on a system whose clock is not in sync with the
master, kinit fails and enrollment is aborted. Manual checking of current time
at the master and adjusting on the client-to-be is then needed.

The patch tries to fetch SRV records for NTP servers of the domain we aim to
join and runs ntpdate to get time synchronized. If no SRV records are found,
sync with IPA server itself.  If that fails, warn that time might be not in
sync with KDC.

https://fedorahosted.org/freeipa/ticket/1773
---
 ipa-client/ipa-install/ipa-client-install |   14 ++++++++++++++
 ipa-client/ipaclient/ipadiscovery.py      |   21 +++++++++++++++++++++
 ipa-client/ipaclient/ntpconf.py           |   22 ++++++++++++++++++++++
 3 files changed, 57 insertions(+), 0 deletions(-)

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 5f541f316433338d3d932690fb4a325ad5ec447b..657c3be4d27e78b6c558697b4bbb27238a421966 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -921,6 +921,20 @@ def install(options, env, fstore, statestore):
         nolog = tuple()
         # First test out the kerberos configuration
         try:
+            # Attempt to sync time with IPA server.
+            # We assume that NTP servers are discoverable through SRV records in the DNS
+            # If that fails, we try to sync directly with IPA server, assuming it runs NTP
+            ntp_servers = ipautil.parse_items(ds.ipadnssearchntp(cli_domain))
+            synced_ntp = False
+            if len(ntp_servers) > 0:
+                for s in ntp_servers:
+                   synced_ntp = ipaclient.ntpconf.synconce_ntp(s)
+                   if synced_ntp:
+                       break
+            if not synced_ntp:
+                synced_ntp = ipaclient.ntpconf.synconce_ntp(cli_server)
+            if not synced_ntp:
+                print "Unable to sync time with IPA NTP server, assuming the time is in sync."
             (krb_fd, krb_name) = tempfile.mkstemp()
             os.close(krb_fd)
             if configure_krb5_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, cli_kdc, dnsok, options, krb_name):
diff --git a/ipa-client/ipaclient/ipadiscovery.py b/ipa-client/ipaclient/ipadiscovery.py
index 3e31cad37dc1883c01e0729e390c5e5c16e022bd..cd5f81bd5147929deca43e502c4f9b2bdb98f99c 100644
--- a/ipa-client/ipaclient/ipadiscovery.py
+++ b/ipa-client/ipaclient/ipadiscovery.py
@@ -316,6 +316,27 @@ class IPADiscovery:
 
         return servers
 
+    def ipadnssearchntp(self, tdomain):
+        servers = ""
+        rserver = ""
+
+        qname = "_ntp._udp."+tdomain
+        # terminate the name
+        if not qname.endswith("."):
+            qname += "."
+        results = ipapython.dnsclient.query(qname, ipapython.dnsclient.DNS_C_IN, ipapython.dnsclient.DNS_T_SRV)
+
+        for result in results:
+            if result.dns_type == ipapython.dnsclient.DNS_T_SRV:
+                rserver = result.rdata.server.rstrip(".")
+                if servers:
+                    servers += "," + rserver
+                else:
+                    servers = rserver
+                break
+
+        return servers
+
     def ipadnssearchkrb(self, tdomain):
         realm = None
         kdc = None
diff --git a/ipa-client/ipaclient/ntpconf.py b/ipa-client/ipaclient/ntpconf.py
index 8e151089c81fe761dc57fc6e8fb7ff5ba30b98fa..e71692f4019bf410d6107a471330edc98146c29c 100644
--- a/ipa-client/ipaclient/ntpconf.py
+++ b/ipa-client/ipaclient/ntpconf.py
@@ -132,3 +132,25 @@ def config_ntp(server_fqdn, fstore = None, sysstore = None):
 
     # Restart ntpd
     ipaservices.knownservices.ntpd.restart()
+
+def synconce_ntp(server_fqdn):
+    """
+    Syncs time with specified server using ntpdate.
+    Primarily designed to be used before Kerberos setup
+    to get time following the KDC time
+
+    Returns True if sync was successful
+    """
+    ntpdate="/usr/sbin/ntpdate"
+    result = False
+    if os.path.exists(ntpdate):
+        # retry several times -- logic follows /etc/init.d/ntpdate
+        # implementation
+        for retry in range(0,3):
+            try:
+                ipautil.run([ntpdate, "-U", "ntp", "-s", "-b", server_fqdn])
+                result = True
+                break
+            except:
+                pass
+    return result
-- 
1.7.6.4


From sbose at redhat.com  Wed Oct  5 14:36:47 2011
From: sbose at redhat.com (Sumit Bose)
Date: Wed, 5 Oct 2011 16:36:47 +0200
Subject: [Freeipa-devel] [PATCH] ipa-pwd-extop: allow password change on
 all connections with SSF>1
In-Reply-To: <4E8C564B.8010400@redhat.com>
References: <20110927081548.GD18636@localhost.localdomain>
	<4E8ACE98.7060302@redhat.com>
	<20111005095831.GA2252@localhost.localdomain>
	<4E8C564B.8010400@redhat.com>
Message-ID: <20111005143647.GD2252@localhost.localdomain>

On Wed, Oct 05, 2011 at 03:06:19PM +0200, Jan Cholasta wrote:
> On 5.10.2011 11:58, Sumit Bose wrote:
> >On Tue, Oct 04, 2011 at 11:15:04AM +0200, Jan Cholasta wrote:
> >>On 27.9.2011 10:15, Sumit Bose wrote:
> >>>Hi,
> >>>
> >>>currently the change password plugin does not check if the connection is
> >>>coming from a local LDAPI socket and denies password change requests via
> >>>LDAPI. This patch changes the check to just look at the overall SSF of
> >>>the connection which covers all types of connection.
> >>>
> >>>There is a similar check in ipa_enrollment.c. But I think enrollments via
> >>>LDAPI does not make much sense so it does not need to be changed.
> >>
> >>IMHO it should be changed anyway, for the sake of consistency.
> >>
> >>>
> >>>This patch should fix https://fedorahosted.org/freeipa/ticket/1877.
> >>>
> >>>bye,
> >>>Sumit
> >>>
> >>
> >>The patch has trailing whitespace on lines 20 and 32-35 and needs to
> >>be rebased.
> >>
> >>Tested the patch with ldappasswd over ldap/ldaps/ldapi - works as expected.
> >
> >Thank you for the review. I have changed ipa_enrollment.c accordingly
> >and checked that the patch applies against master as well as against
> >ipa-2-1 and that git does not complain about trailing whitespace. New
> >version attached.
> >
> >bye,
> >Sumit
> 
> "git apply" still complains about the patch:
> 
> $ git status -sb
> ## ipa-2-1
> 
> $ git apply freeipa-sbose-0007-2-ipa-pwd-extop-allow-password-change-on-all-connectio.patch
> 
> ../../patch/freeipa-sbose-0007-2-ipa-pwd-extop-allow-password-change-on-all-connectio.patch:23:
> trailing whitespace.
>     int ssf;
> ../../patch/freeipa-sbose-0007-2-ipa-pwd-extop-allow-password-change-on-all-connectio.patch:39:
> trailing whitespace.
>     /* Allow password modify on all connections with a Security Strength
> ../../patch/freeipa-sbose-0007-2-ipa-pwd-extop-allow-password-change-on-all-connectio.patch:40:
> trailing whitespace.
>      * Factor (SSF) higher than 1 */
> ../../patch/freeipa-sbose-0007-2-ipa-pwd-extop-allow-password-change-on-all-connectio.patch:41:
> trailing whitespace.
>     if (slapi_pblock_get(pb, SLAPI_OPERATION_SSF, &ssf) != 0) {
> ../../patch/freeipa-sbose-0007-2-ipa-pwd-extop-allow-password-change-on-all-connectio.patch:42:
> trailing whitespace.
>         LOG_TRACE("Could not get SSF from connection\n");
> error: patch failed:
> daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c:80
> error: daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c:
> patch does not apply
> error: patch failed:
> daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c:615
> error: daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c:
> patch does not apply
> 
> 
> It can be applied with "patch", but it complains too:
> 
> $ patch -p1 --no-backup-if-mismatch <freeipa-sbose-0007-2-ipa-pwd-extop-allow-password-change-on-all-connectio.patch
> 
> (Stripping trailing CRs from patch.)
> patching file daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c
> (Stripping trailing CRs from patch.)
> patching file daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c
> 
> 
> The comment in ipa-enrollment.c should be changed from "Allow
> password modify on ..." to "Allow enrollment on ...".

I changed the comment and send the patch not in base64.

bye,
Sumit

> 
> Honza
> 
> >
> >>
> >>Honza
> >>
> >>--
> >>Jan Cholasta
> >>
> >>
> >>_______________________________________________
> >>Freeipa-devel mailing list
> >>Freeipa-devel at redhat.com
> >>https://www.redhat.com/mailman/listinfo/freeipa-devel
> 
> 
> -- 
> Jan Cholasta
-------------- next part --------------
>From d3dfd8c7a93ba7cd16a967fb8b6075830fed8c8a Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose at redhat.com>
Date: Tue, 27 Sep 2011 10:06:50 +0200
Subject: [PATCH] ipa-pwd-extop: allow password change on all connections with
 SSF>1

Instead of checking the individual SSFs for SASL, SSL/TLS and LDAPI connection
the global SSF is checked for password changes and enrollments.
---
 .../ipa-enrollment/ipa_enrollment.c                |   19 ++++++-------------
 .../ipa-pwd-extop/ipapwd_common.c                  |   19 ++++++-------------
 2 files changed, 12 insertions(+), 26 deletions(-)

diff --git a/daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c b/daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c
index 51231231fd1a597e27ac283c855bbd5146db3e24..78fb359cdb91455a629836df317aa639f35a516e 100644
--- a/daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c
+++ b/daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c
@@ -80,22 +80,15 @@ static const char *ipa_realm_dn;
 static int
 ipaenrollement_secure(Slapi_PBlock *pb, char **errMesg)
 {
-    int sasl_ssf, is_ssl;
+    int ssf;
     int rc = LDAP_SUCCESS;
 
     LOG_TRACE("=> ipaenrollment_secure\n");
 
-    /* Allow enrollment only for SSL/TLS established connections and
-     * connections using SASL privacy layers */
-    if (slapi_pblock_get(pb, SLAPI_CONN_SASL_SSF, &sasl_ssf) != 0) {
-        LOG_TRACE("Could not get SASL SSF from connection\n");
-        *errMesg = "Operation requires a secure connection.\n";
-        rc = LDAP_OPERATIONS_ERROR;
-        goto done;
-    }
-
-    if (slapi_pblock_get(pb, SLAPI_CONN_IS_SSL_SESSION, &is_ssl) != 0) {
-        LOG_TRACE("Could not get IS SSL from connection\n");
+    /* Allow enrollment on all connections with a Security Strength
+     * Factor (SSF) higher than 1 */
+    if (slapi_pblock_get(pb, SLAPI_OPERATION_SSF, &ssf) != 0) {
+        LOG_TRACE("Could not get SSF from connection\n");
         *errMesg = "Operation requires a secure connection.\n";
         rc = LDAP_OPERATIONS_ERROR;
         goto done;
@@ -108,7 +101,7 @@ ipaenrollement_secure(Slapi_PBlock *pb, char **errMesg)
         goto done;
     }
 
-    if ((0 == is_ssl) && (sasl_ssf <= 1)) {
+    if (ssf <= 1) {
         *errMesg = "Operation requires a secure connection.\n";
         rc = LDAP_CONFIDENTIALITY_REQUIRED;
         goto done;
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c
index 7bc2e7d54da095cf1db232d3d173270f585a76f6..3ee7fefd47dd8c06799bc2eb3b37f17bc2b10444 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c
@@ -615,7 +615,7 @@ done:
 int ipapwd_gen_checks(Slapi_PBlock *pb, char **errMesg,
                       struct ipapwd_krbcfg **config, int check_flags)
 {
-    int ret, sasl_ssf, is_ssl;
+    int ret, ssf;
     int rc = LDAP_SUCCESS;
     Slapi_Backend *be;
     const Slapi_DN *psdn;
@@ -626,23 +626,16 @@ int ipapwd_gen_checks(Slapi_PBlock *pb, char **errMesg,
 
 #ifdef LDAP_EXTOP_PASSMOD_CONN_SECURE
     if (check_flags & IPAPWD_CHECK_CONN_SECURE) {
-        /* Allow password modify only for SSL/TLS established connections and
-         * connections using SASL privacy layers */
-        if (slapi_pblock_get(pb, SLAPI_CONN_SASL_SSF, &sasl_ssf) != 0) {
-            LOG("Could not get SASL SSF from connection\n");
+       /* Allow password modify on all connections with a Security Strength
+        * Factor (SSF) higher than 1 */
+        if (slapi_pblock_get(pb, SLAPI_OPERATION_SSF, &ssf) != 0) {
+            LOG("Could not get SSF from connection\n");
             *errMesg = "Operation requires a secure connection.\n";
             rc = LDAP_OPERATIONS_ERROR;
             goto done;
         }
 
-        if (slapi_pblock_get(pb, SLAPI_CONN_IS_SSL_SESSION, &is_ssl) != 0) {
-            LOG("Could not get IS SSL from connection\n");
-            *errMesg = "Operation requires a secure connection.\n";
-            rc = LDAP_OPERATIONS_ERROR;
-            goto done;
-        }
-
-        if ((0 == is_ssl) && (sasl_ssf <= 1)) {
+        if (ssf <= 1) {
             *errMesg = "Operation requires a secure connection.\n";
             rc = LDAP_CONFIDENTIALITY_REQUIRED;
             goto done;
-- 
1.7.6


From jcholast at redhat.com  Wed Oct  5 14:41:00 2011
From: jcholast at redhat.com (Jan Cholasta)
Date: Wed, 05 Oct 2011 16:41:00 +0200
Subject: [Freeipa-devel] [PATCH] ipa-pwd-extop: allow password change on
 all connections with SSF>1
In-Reply-To: <20111005143647.GD2252@localhost.localdomain>
References: <20110927081548.GD18636@localhost.localdomain>
	<4E8ACE98.7060302@redhat.com>
	<20111005095831.GA2252@localhost.localdomain>
	<4E8C564B.8010400@redhat.com>
	<20111005143647.GD2252@localhost.localdomain>
Message-ID: <4E8C6C7C.1080904@redhat.com>

On 5.10.2011 16:36, Sumit Bose wrote:
> On Wed, Oct 05, 2011 at 03:06:19PM +0200, Jan Cholasta wrote:
>> On 5.10.2011 11:58, Sumit Bose wrote:
>>> On Tue, Oct 04, 2011 at 11:15:04AM +0200, Jan Cholasta wrote:
>>>> On 27.9.2011 10:15, Sumit Bose wrote:
>>>>> Hi,
>>>>>
>>>>> currently the change password plugin does not check if the connection is
>>>>> coming from a local LDAPI socket and denies password change requests via
>>>>> LDAPI. This patch changes the check to just look at the overall SSF of
>>>>> the connection which covers all types of connection.
>>>>>
>>>>> There is a similar check in ipa_enrollment.c. But I think enrollments via
>>>>> LDAPI does not make much sense so it does not need to be changed.
>>>>
>>>> IMHO it should be changed anyway, for the sake of consistency.
>>>>
>>>>>
>>>>> This patch should fix https://fedorahosted.org/freeipa/ticket/1877.
>>>>>
>>>>> bye,
>>>>> Sumit
>>>>>
>>>>
>>>> The patch has trailing whitespace on lines 20 and 32-35 and needs to
>>>> be rebased.
>>>>
>>>> Tested the patch with ldappasswd over ldap/ldaps/ldapi - works as expected.
>>>
>>> Thank you for the review. I have changed ipa_enrollment.c accordingly
>>> and checked that the patch applies against master as well as against
>>> ipa-2-1 and that git does not complain about trailing whitespace. New
>>> version attached.
>>>
>>> bye,
>>> Sumit
>>
>> "git apply" still complains about the patch:
>>
>> $ git status -sb
>> ## ipa-2-1
>>
>> $ git apply freeipa-sbose-0007-2-ipa-pwd-extop-allow-password-change-on-all-connectio.patch
>>
>> ../../patch/freeipa-sbose-0007-2-ipa-pwd-extop-allow-password-change-on-all-connectio.patch:23:
>> trailing whitespace.
>>      int ssf;
>> ../../patch/freeipa-sbose-0007-2-ipa-pwd-extop-allow-password-change-on-all-connectio.patch:39:
>> trailing whitespace.
>>      /* Allow password modify on all connections with a Security Strength
>> ../../patch/freeipa-sbose-0007-2-ipa-pwd-extop-allow-password-change-on-all-connectio.patch:40:
>> trailing whitespace.
>>       * Factor (SSF) higher than 1 */
>> ../../patch/freeipa-sbose-0007-2-ipa-pwd-extop-allow-password-change-on-all-connectio.patch:41:
>> trailing whitespace.
>>      if (slapi_pblock_get(pb, SLAPI_OPERATION_SSF,&ssf) != 0) {
>> ../../patch/freeipa-sbose-0007-2-ipa-pwd-extop-allow-password-change-on-all-connectio.patch:42:
>> trailing whitespace.
>>          LOG_TRACE("Could not get SSF from connection\n");
>> error: patch failed:
>> daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c:80
>> error: daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c:
>> patch does not apply
>> error: patch failed:
>> daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c:615
>> error: daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c:
>> patch does not apply
>>
>>
>> It can be applied with "patch", but it complains too:
>>
>> $ patch -p1 --no-backup-if-mismatch<freeipa-sbose-0007-2-ipa-pwd-extop-allow-password-change-on-all-connectio.patch
>>
>> (Stripping trailing CRs from patch.)
>> patching file daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c
>> (Stripping trailing CRs from patch.)
>> patching file daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c
>>
>>
>> The comment in ipa-enrollment.c should be changed from "Allow
>> password modify on ..." to "Allow enrollment on ...".
>
> I changed the comment and send the patch not in base64.
>
> bye,
> Sumit

Thank you, ACK.

Honza

>
>>
>> Honza
>>
>>>
>>>>
>>>> Honza
>>>>
>>>> --
>>>> Jan Cholasta
>>>>
>>>>
>>>> _______________________________________________
>>>> Freeipa-devel mailing list
>>>> Freeipa-devel at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>>
>>
>> --
>> Jan Cholasta
>>
>>
>> _______________________________________________
>> Freeipa-devel mailing list
>> Freeipa-devel at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-devel


-- 
Jan Cholasta



From rcritten at redhat.com  Wed Oct  5 15:09:55 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 05 Oct 2011 11:09:55 -0400
Subject: [Freeipa-devel] [PATCH] 885 optimize indirect member calculation
Message-ID: <4E8C7343.4090704@redhat.com>

When calculating indirect membership of a group all members are examined 
and if those have members, those are added as well. This does not need 
to be done when the member in question is a user or a host as they 
cannot have members.

For large groups this is a significant performance improvement (as well 
as reducing unnecessary load on 389-ds).

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-885-search.patch
Type: text/x-patch
Size: 1734 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111005/7f5639e4/attachment.bin>

From mkosek at redhat.com  Wed Oct  5 15:13:32 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 05 Oct 2011 17:13:32 +0200
Subject: [Freeipa-devel] [PATCH] 138 Prevent collisions of hostgroup and
	netgroup
Message-ID: <1317827614.6589.23.camel@dhcp-25-52.brq.redhat.com>

For every hostgroup a managed netgroup is created (if this is allowed).
Make sure that if a stand-alone netgroup exists, a hostgroup with the
same name cannot be created to prevent collisions.

https://fedorahosted.org/freeipa/ticket/1914

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-138-prevent-collisions-of-hostgroup-and-netgroup.patch
Type: text/x-patch
Size: 1496 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111005/eb99f9c7/attachment.bin>

From mkosek at redhat.com  Wed Oct  5 15:22:07 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 05 Oct 2011 17:22:07 +0200
Subject: [Freeipa-devel] [PATCH] ipa-pwd-extop: allow password change on
 all connections with SSF>1
In-Reply-To: <4E8C6C7C.1080904@redhat.com>
References: <20110927081548.GD18636@localhost.localdomain>
	<4E8ACE98.7060302@redhat.com>
	<20111005095831.GA2252@localhost.localdomain>
	<4E8C564B.8010400@redhat.com>
	<20111005143647.GD2252@localhost.localdomain>
	<4E8C6C7C.1080904@redhat.com>
Message-ID: <1317828130.6589.25.camel@dhcp-25-52.brq.redhat.com>

On Wed, 2011-10-05 at 16:41 +0200, Jan Cholasta wrote:
> On 5.10.2011 16:36, Sumit Bose wrote:
> > On Wed, Oct 05, 2011 at 03:06:19PM +0200, Jan Cholasta wrote:
> >> On 5.10.2011 11:58, Sumit Bose wrote:
> >>> On Tue, Oct 04, 2011 at 11:15:04AM +0200, Jan Cholasta wrote:
> >>>> On 27.9.2011 10:15, Sumit Bose wrote:
> >>>>> Hi,
> >>>>>
> >>>>> currently the change password plugin does not check if the connection is
> >>>>> coming from a local LDAPI socket and denies password change requests via
> >>>>> LDAPI. This patch changes the check to just look at the overall SSF of
> >>>>> the connection which covers all types of connection.
> >>>>>
> >>>>> There is a similar check in ipa_enrollment.c. But I think enrollments via
> >>>>> LDAPI does not make much sense so it does not need to be changed.
> >>>>
> >>>> IMHO it should be changed anyway, for the sake of consistency.
> >>>>
> >>>>>
> >>>>> This patch should fix https://fedorahosted.org/freeipa/ticket/1877.
> >>>>>
> >>>>> bye,
> >>>>> Sumit
> >>>>>
> >>>>
> >>>> The patch has trailing whitespace on lines 20 and 32-35 and needs to
> >>>> be rebased.
> >>>>
> >>>> Tested the patch with ldappasswd over ldap/ldaps/ldapi - works as expected.
> >>>
> >>> Thank you for the review. I have changed ipa_enrollment.c accordingly
> >>> and checked that the patch applies against master as well as against
> >>> ipa-2-1 and that git does not complain about trailing whitespace. New
> >>> version attached.
> >>>
> >>> bye,
> >>> Sumit
> >>
> >> "git apply" still complains about the patch:
> >>
> >> $ git status -sb
> >> ## ipa-2-1
> >>
> >> $ git apply freeipa-sbose-0007-2-ipa-pwd-extop-allow-password-change-on-all-connectio.patch
> >>
> >> ../../patch/freeipa-sbose-0007-2-ipa-pwd-extop-allow-password-change-on-all-connectio.patch:23:
> >> trailing whitespace.
> >>      int ssf;
> >> ../../patch/freeipa-sbose-0007-2-ipa-pwd-extop-allow-password-change-on-all-connectio.patch:39:
> >> trailing whitespace.
> >>      /* Allow password modify on all connections with a Security Strength
> >> ../../patch/freeipa-sbose-0007-2-ipa-pwd-extop-allow-password-change-on-all-connectio.patch:40:
> >> trailing whitespace.
> >>       * Factor (SSF) higher than 1 */
> >> ../../patch/freeipa-sbose-0007-2-ipa-pwd-extop-allow-password-change-on-all-connectio.patch:41:
> >> trailing whitespace.
> >>      if (slapi_pblock_get(pb, SLAPI_OPERATION_SSF,&ssf) != 0) {
> >> ../../patch/freeipa-sbose-0007-2-ipa-pwd-extop-allow-password-change-on-all-connectio.patch:42:
> >> trailing whitespace.
> >>          LOG_TRACE("Could not get SSF from connection\n");
> >> error: patch failed:
> >> daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c:80
> >> error: daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c:
> >> patch does not apply
> >> error: patch failed:
> >> daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c:615
> >> error: daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c:
> >> patch does not apply
> >>
> >>
> >> It can be applied with "patch", but it complains too:
> >>
> >> $ patch -p1 --no-backup-if-mismatch<freeipa-sbose-0007-2-ipa-pwd-extop-allow-password-change-on-all-connectio.patch
> >>
> >> (Stripping trailing CRs from patch.)
> >> patching file daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c
> >> (Stripping trailing CRs from patch.)
> >> patching file daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c
> >>
> >>
> >> The comment in ipa-enrollment.c should be changed from "Allow
> >> password modify on ..." to "Allow enrollment on ...".
> >
> > I changed the comment and send the patch not in base64.
> >
> > bye,
> > Sumit
> 
> Thank you, ACK.
> 
> Honza

Added missing trac ticket reference to Sumit's patch.

Pushed to master, ipa-2-1.

Martin



From simo at redhat.com  Wed Oct  5 15:54:28 2011
From: simo at redhat.com (Simo Sorce)
Date: Wed, 05 Oct 2011 11:54:28 -0400
Subject: [Freeipa-devel] [PATCH] #1900 fix replica-prepare issues with
 anonynous binds disabled
Message-ID: <1317830068.6664.3.camel@willson.li.ssimo.org>

With anonymous binds disabled we were failing to run ipa-replica-prepare
because some tests were done anonymously.

During the creation of this patch we also hit a NSS Shutdown issue, to
work around this issue ipa-repica-prepare has been hardcoded to use
ldapi:// installed of ldaps://

The patch as is seem to properly allow the creation of a replica file
with anonymous connections disallowed (works also when they are
allowed).

Fixes #1900

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-replica-prepare-anonymous-binds-may-be-disallowed.patch
Type: text/x-patch
Size: 8570 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111005/6ce94ad3/attachment.bin>

From rcritten at redhat.com  Wed Oct  5 17:21:49 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 05 Oct 2011 13:21:49 -0400
Subject: [Freeipa-devel] [PATCH] 49 Work around pkisilent bugs
In-Reply-To: <4E8C4C71.7090701@redhat.com>
References: <4E803108.5060108@redhat.com> <4E8B51EA.7050006@redhat.com>
	<4E8C4C71.7090701@redhat.com>
Message-ID: <4E8C922D.3030605@redhat.com>

Jan Cholasta wrote:
> On 4.10.2011 20:35, Rob Crittenden wrote:
>> Jan Cholasta wrote:
>>> Work around pkisilent bugs.
>>>
>>> Check directory manager password for invalid characters.
>>> (https://bugzilla.redhat.com/show_bug.cgi?id=658641)
>>>
>>> Shell-escape pkisilent command-line arguments.
>>> (https://bugzilla.redhat.com/show_bug.cgi?id=741180)
>>>
>>> Once the bugs are fixed, the workarounds should be removed and pkisilent
>>> minimum required version should be bumped.
>>>
>>> https://fedorahosted.org/freeipa/ticket/1636
>>>
>>> Honza
>>
>> Potential nack. The code here works I just found a couple more corner
>> cases.
>>
>> Some special characters in the subject base also cause pkisilent to
>> fail. ampersand is one. I wonder if we need to catch this as well.
>>
>> Tab in the password will cause a failure.
>>
>> rob
>>
>
> Fixed patch attached.
>
> Honza
>

ack, pushed to master and ipa-2-1



From rcritten at redhat.com  Wed Oct  5 17:44:50 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 05 Oct 2011 13:44:50 -0400
Subject: [Freeipa-devel] [PATCH] 134 Improve handling of GIDs when
 migrating groups
In-Reply-To: <1317650658.5905.45.camel@dhcp-25-52.brq.redhat.com>
References: <1317650658.5905.45.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4E8C9792.9090100@redhat.com>

Martin Kosek wrote:
> Since IPA v2 server already contain predefined groups that may collide
> with groups in migrated (IPA v1) server (for example admins, ipausers),
> users having colliding group as their primary group may happen to belong
> to an unknown group on new IPA v2 server.
>
> Implement --group-overwrite-gid option to overwrite GID of already
> existing groups to prevent this issue.
>
> https://fedorahosted.org/freeipa/ticket/1866

For argument's sake, what is the user going to see the first time they 
run this? I assume they won't think about these duplicate groups and 
just do the migration. This means that the result may be some users 
pointing to non-existent GIDs.

If they re-run the migration with this option will it then fix 
everything up?

I'm wondering if we need a --test argument so people can run the 
migration w/o writing entries to look for problems like this.

rob



From rcritten at redhat.com  Wed Oct  5 18:02:28 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 05 Oct 2011 14:02:28 -0400
Subject: [Freeipa-devel] [PATCH] 135 Install tools crash when password
 prompt is interrupted
In-Reply-To: <1317718161.27486.15.camel@dhcp-25-52.brq.redhat.com>
References: <1317718161.27486.15.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4E8C9BB4.4030502@redhat.com>

Martin Kosek wrote:
> When getpass.getpass() function is interrupted via CTRL+D, EOFError
> exception is thrown. Most of the install tools are not prepared for
> this event and crash with this exception. Make sure that it is
> handled properly and nice error message is printed.
>
> https://fedorahosted.org/freeipa/ticket/1916

ACK but it needs to be rebased.

rob



From rcritten at redhat.com  Wed Oct  5 20:08:51 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 05 Oct 2011 16:08:51 -0400
Subject: [Freeipa-devel] [PATCH] tweaks to ipa-replica-prepare.1
In-Reply-To: <20111004223208.GA3197@redhat.com>
References: <20111004223208.GA3197@redhat.com>
Message-ID: <4E8CB953.8010302@redhat.com>

Nalin Dahyabhai wrote:
> I started reading this page, and the description for --pkinit_pin looked
> wrong.  While in there, I figured it might be useful to note that the
> PKCS#12 files also contain the private keys.
>
> Nalin

ack, pushed to master and ipa-2-1



From rcritten at redhat.com  Wed Oct  5 20:42:38 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 05 Oct 2011 16:42:38 -0400
Subject: [Freeipa-devel] [PATCH] 0019 Sync time with NTP before joining
 the domain
In-Reply-To: <20111005142732.GD29306@redhat.com>
References: <20111005121606.GA29306@redhat.com> <4E8C59AF.6000404@redhat.com>
	<20111005142732.GD29306@redhat.com>
Message-ID: <4E8CC13E.9080906@redhat.com>

Alexander Bokovoy wrote:
> On Wed, 05 Oct 2011, Rob Crittenden wrote:
>> In synconce_ntp() ipautil.run is going to raise an exception when a
>> ntpupdate returns non-zero so the retry code isn't going to work.
>> You need to add raiseonerr=False to the call.
>>
>> It looks like you changed your mind on the retries variable too.
> Right.
>
> I ended up not using raiseonerr=False as all I needed is a way to
> break out of the loop on success so that will come sequentially if
> there is no exception.
>
> Patch attached.

This works but there is a noticeable pause on my system when ntpdate is 
being run. I think it would be handy to output a message saying that the 
date is being updated.

Is it necessary to sync the date when a one-time password is being used? 
It doesn't hurt but it does pause a second or three.

rob



From rcritten at redhat.com  Wed Oct  5 20:43:39 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 05 Oct 2011 16:43:39 -0400
Subject: [Freeipa-devel] [PATCH] 138 Prevent collisions of hostgroup and
 netgroup
In-Reply-To: <1317827614.6589.23.camel@dhcp-25-52.brq.redhat.com>
References: <1317827614.6589.23.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4E8CC17B.3030101@redhat.com>

Martin Kosek wrote:
> For every hostgroup a managed netgroup is created (if this is allowed).
> Make sure that if a stand-alone netgroup exists, a hostgroup with the
> same name cannot be created to prevent collisions.
>
> https://fedorahosted.org/freeipa/ticket/1914

You need to check to see if the managed entries configuration is enabled 
before doing this. If it is disabled then having duplicate names is fine 
(though re-enabling it later would have undefined consequences).

rob



From simo at redhat.com  Wed Oct  5 21:11:07 2011
From: simo at redhat.com (Simo Sorce)
Date: Wed, 05 Oct 2011 17:11:07 -0400
Subject: [Freeipa-devel] [PATCH] #1900 fix replica-prepare issues with
 anonynous binds disabled
In-Reply-To: <1317830068.6664.3.camel@willson.li.ssimo.org>
References: <1317830068.6664.3.camel@willson.li.ssimo.org>
Message-ID: <1317849067.6664.11.camel@willson.li.ssimo.org>

On Wed, 2011-10-05 at 11:54 -0400, Simo Sorce wrote:
> With anonymous binds disabled we were failing to run ipa-replica-prepare
> because some tests were done anonymously.
> 
> During the creation of this patch we also hit a NSS Shutdown issue, to
> work around this issue ipa-repica-prepare has been hardcoded to use
> ldapi:// installed of ldaps://
> 
> The patch as is seem to properly allow the creation of a replica file
> with anonymous connections disallowed (works also when they are
> allowed).
> 
> Fixes #1900
> 
> Simo.

Rebased on top of ipa-2-1 (should apply cleanly to master as well).

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-2-replica-prepare-anonymous-binds-may-be-disallowed.patch
Type: text/x-patch
Size: 8593 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111005/c1f49f43/attachment.bin>

From rcritten at redhat.com  Wed Oct  5 21:18:00 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 05 Oct 2011 17:18:00 -0400
Subject: [Freeipa-devel] [PATCH] 887 add missing aci prefix to dns acis
Message-ID: <4E8CC988.6050408@redhat.com>

The aci prefix was missing in the description of the three dns acis 
which made them not show up when viewing their permission entries.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-887-prefix.patch
Type: text/x-patch
Size: 6134 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111005/492f71dd/attachment.bin>

From abokovoy at redhat.com  Wed Oct  5 21:33:52 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Thu, 6 Oct 2011 00:33:52 +0300
Subject: [Freeipa-devel] [PATCH] 0019 Sync time with NTP before joining
 the domain
In-Reply-To: <4E8CC13E.9080906@redhat.com>
References: <20111005121606.GA29306@redhat.com> <4E8C59AF.6000404@redhat.com>
	<20111005142732.GD29306@redhat.com> <4E8CC13E.9080906@redhat.com>
Message-ID: <20111005213351.GA13256@redhat.com>

On Wed, 05 Oct 2011, Rob Crittenden wrote:
> >I ended up not using raiseonerr=False as all I needed is a way to
> >break out of the loop on success so that will come sequentially if
> >there is no exception.
> >
> >Patch attached.
> 
> This works but there is a noticeable pause on my system when ntpdate
> is being run. I think it would be handy to output a message saying
> that the date is being updated.
I'll add the message.

> Is it necessary to sync the date when a one-time password is being
> used? It doesn't hurt but it does pause a second or three.
If I understand correctly, our use of OTP term for hosts is different 
from what current IETF draft on OTP preauth with kerberos assumes.

At least, according to IETF draft on OTP preauth with kerberos,
http://tools.ietf.org/html/draft-ietf-krb-wg-otp-preauth-19#section-2.4
client has to submit next key if clocks have drifted which implies you 
cannot re-use the same OTP next time. To me this looks like in OTP 
case clocks synchronization is very important. In our OTP case it does 
not matter except for an artificial delay...

I've added the message.
-- 
/ Alexander Bokovoy
-------------- next part --------------
>From 87e4fd1260c47bb6a04900810be7282d83c1b563 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy at redhat.com>
Date: Wed, 5 Oct 2011 17:25:09 +0300
Subject: [PATCH] Before kinit, try to sync time with the NTP servers of the
 domain we are joining

When running ipa-client-install on a system whose clock is not in sync with the
master, kinit fails and enrollment is aborted. Manual checking of current time
at the master and adjusting on the client-to-be is then needed.

The patch tries to fetch SRV records for NTP servers of the domain we aim to
join and runs ntpdate to get time synchronized. If no SRV records are found,
sync with IPA server itself.  If that fails, warn that time might be not in
sync with KDC.

https://fedorahosted.org/freeipa/ticket/1773
---
 ipa-client/ipa-install/ipa-client-install |   15 +++++++++++++++
 ipa-client/ipaclient/ipadiscovery.py      |   21 +++++++++++++++++++++
 ipa-client/ipaclient/ntpconf.py           |   22 ++++++++++++++++++++++
 3 files changed, 58 insertions(+), 0 deletions(-)

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 5f541f316433338d3d932690fb4a325ad5ec447b..d8952f0e1db6266cf1981bee5e853f7fa9285a25 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -921,6 +921,21 @@ def install(options, env, fstore, statestore):
         nolog = tuple()
         # First test out the kerberos configuration
         try:
+            # Attempt to sync time with IPA server.
+            # We assume that NTP servers are discoverable through SRV records in the DNS
+            # If that fails, we try to sync directly with IPA server, assuming it runs NTP
+            print 'Synchronizing time with KDC...'
+            ntp_servers = ipautil.parse_items(ds.ipadnssearchntp(cli_domain))
+            synced_ntp = False
+            if len(ntp_servers) > 0:
+                for s in ntp_servers:
+                   synced_ntp = ipaclient.ntpconf.synconce_ntp(s)
+                   if synced_ntp:
+                       break
+            if not synced_ntp:
+                synced_ntp = ipaclient.ntpconf.synconce_ntp(cli_server)
+            if not synced_ntp:
+                print "Unable to sync time with IPA NTP server, assuming the time is in sync."
             (krb_fd, krb_name) = tempfile.mkstemp()
             os.close(krb_fd)
             if configure_krb5_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, cli_kdc, dnsok, options, krb_name):
diff --git a/ipa-client/ipaclient/ipadiscovery.py b/ipa-client/ipaclient/ipadiscovery.py
index 3e31cad37dc1883c01e0729e390c5e5c16e022bd..cd5f81bd5147929deca43e502c4f9b2bdb98f99c 100644
--- a/ipa-client/ipaclient/ipadiscovery.py
+++ b/ipa-client/ipaclient/ipadiscovery.py
@@ -316,6 +316,27 @@ class IPADiscovery:
 
         return servers
 
+    def ipadnssearchntp(self, tdomain):
+        servers = ""
+        rserver = ""
+
+        qname = "_ntp._udp."+tdomain
+        # terminate the name
+        if not qname.endswith("."):
+            qname += "."
+        results = ipapython.dnsclient.query(qname, ipapython.dnsclient.DNS_C_IN, ipapython.dnsclient.DNS_T_SRV)
+
+        for result in results:
+            if result.dns_type == ipapython.dnsclient.DNS_T_SRV:
+                rserver = result.rdata.server.rstrip(".")
+                if servers:
+                    servers += "," + rserver
+                else:
+                    servers = rserver
+                break
+
+        return servers
+
     def ipadnssearchkrb(self, tdomain):
         realm = None
         kdc = None
diff --git a/ipa-client/ipaclient/ntpconf.py b/ipa-client/ipaclient/ntpconf.py
index 8e151089c81fe761dc57fc6e8fb7ff5ba30b98fa..e71692f4019bf410d6107a471330edc98146c29c 100644
--- a/ipa-client/ipaclient/ntpconf.py
+++ b/ipa-client/ipaclient/ntpconf.py
@@ -132,3 +132,25 @@ def config_ntp(server_fqdn, fstore = None, sysstore = None):
 
     # Restart ntpd
     ipaservices.knownservices.ntpd.restart()
+
+def synconce_ntp(server_fqdn):
+    """
+    Syncs time with specified server using ntpdate.
+    Primarily designed to be used before Kerberos setup
+    to get time following the KDC time
+
+    Returns True if sync was successful
+    """
+    ntpdate="/usr/sbin/ntpdate"
+    result = False
+    if os.path.exists(ntpdate):
+        # retry several times -- logic follows /etc/init.d/ntpdate
+        # implementation
+        for retry in range(0,3):
+            try:
+                ipautil.run([ntpdate, "-U", "ntp", "-s", "-b", server_fqdn])
+                result = True
+                break
+            except:
+                pass
+    return result
-- 
1.7.6.4


From rcritten at redhat.com  Wed Oct  5 21:36:56 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 05 Oct 2011 17:36:56 -0400
Subject: [Freeipa-devel] [PATCH] 0019 Sync time with NTP before joining
 the domain
In-Reply-To: <20111005213351.GA13256@redhat.com>
References: <20111005121606.GA29306@redhat.com> <4E8C59AF.6000404@redhat.com>
	<20111005142732.GD29306@redhat.com> <4E8CC13E.9080906@redhat.com>
	<20111005213351.GA13256@redhat.com>
Message-ID: <4E8CCDF8.9010308@redhat.com>

Alexander Bokovoy wrote:
> On Wed, 05 Oct 2011, Rob Crittenden wrote:
>>> I ended up not using raiseonerr=False as all I needed is a way to
>>> break out of the loop on success so that will come sequentially if
>>> there is no exception.
>>>
>>> Patch attached.
>>
>> This works but there is a noticeable pause on my system when ntpdate
>> is being run. I think it would be handy to output a message saying
>> that the date is being updated.
> I'll add the message.
>
>> Is it necessary to sync the date when a one-time password is being
>> used? It doesn't hurt but it does pause a second or three.
> If I understand correctly, our use of OTP term for hosts is different
> from what current IETF draft on OTP preauth with kerberos assumes.
>
> At least, according to IETF draft on OTP preauth with kerberos,
> http://tools.ietf.org/html/draft-ietf-krb-wg-otp-preauth-19#section-2.4
> client has to submit next key if clocks have drifted which implies you
> cannot re-use the same OTP next time. To me this looks like in OTP
> case clocks synchronization is very important. In our OTP case it does
> not matter except for an artificial delay...

This is not Kerberos OTP, it does an LDAP simple bind.

> I've added the message.

Ok, I'll take a look.

rob



From rcritten at redhat.com  Wed Oct  5 21:53:21 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 05 Oct 2011 17:53:21 -0400
Subject: [Freeipa-devel] [PATCH] #1900 fix replica-prepare issues with
 anonynous binds disabled
In-Reply-To: <1317849067.6664.11.camel@willson.li.ssimo.org>
References: <1317830068.6664.3.camel@willson.li.ssimo.org>
	<1317849067.6664.11.camel@willson.li.ssimo.org>
Message-ID: <4E8CD1D1.7020507@redhat.com>

Simo Sorce wrote:
> On Wed, 2011-10-05 at 11:54 -0400, Simo Sorce wrote:
>> With anonymous binds disabled we were failing to run ipa-replica-prepare
>> because some tests were done anonymously.
>>
>> During the creation of this patch we also hit a NSS Shutdown issue, to
>> work around this issue ipa-repica-prepare has been hardcoded to use
>> ldapi:// installed of ldaps://
>>
>> The patch as is seem to properly allow the creation of a replica file
>> with anonymous connections disallowed (works also when they are
>> allowed).
>>
>> Fixes #1900
>>
>> Simo.
>
> Rebased on top of ipa-2-1 (should apply cleanly to master as well).
>
> Simo.

ACK

rob



From dpal at redhat.com  Wed Oct  5 22:41:19 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 05 Oct 2011 18:41:19 -0400
Subject: [Freeipa-devel] [PATCH] 0019 Sync time with NTP before joining
 the domain
In-Reply-To: <4E8CCDF8.9010308@redhat.com>
References: <20111005121606.GA29306@redhat.com>
	<4E8C59AF.6000404@redhat.com>	<20111005142732.GD29306@redhat.com>
	<4E8CC13E.9080906@redhat.com>	<20111005213351.GA13256@redhat.com>
	<4E8CCDF8.9010308@redhat.com>
Message-ID: <4E8CDD0F.60209@redhat.com>

On 10/05/2011 05:36 PM, Rob Crittenden wrote:
> Alexander Bokovoy wrote:
>> On Wed, 05 Oct 2011, Rob Crittenden wrote:
>>>> I ended up not using raiseonerr=False as all I needed is a way to
>>>> break out of the loop on success so that will come sequentially if
>>>> there is no exception.
>>>>
>>>> Patch attached.
>>>
>>> This works but there is a noticeable pause on my system when ntpdate
>>> is being run. I think it would be handy to output a message saying
>>> that the date is being updated.
>> I'll add the message.
>>
>>> Is it necessary to sync the date when a one-time password is being
>>> used? It doesn't hurt but it does pause a second or three.
>> If I understand correctly, our use of OTP term for hosts is different
>> from what current IETF draft on OTP preauth with kerberos assumes.
>>
>> At least, according to IETF draft on OTP preauth with kerberos,
>> http://tools.ietf.org/html/draft-ietf-krb-wg-otp-preauth-19#section-2.4
>> client has to submit next key if clocks have drifted which implies you
>> cannot re-use the same OTP next time. To me this looks like in OTP
>> case clocks synchronization is very important. In our OTP case it does
>> not matter except for an artificial delay...
>
> This is not Kerberos OTP, it does an LDAP simple bind.


It is more like a "nonce", it is not an OTP that can be generated based
on some hardware or software token.
The Kerberos OTP draft is about those OTPs we are not. We are literally
One Time Password.

>
>> I've added the message.
>
> Ok, I'll take a look.
>
> rob
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/





From adam at younglogic.com  Thu Oct  6 01:09:50 2011
From: adam at younglogic.com (Adam Young)
Date: Wed, 05 Oct 2011 21:09:50 -0400
Subject: [Freeipa-devel] Upgrading due to proxy changes
Message-ID: <4E8CFFDE.9070308@younglogic.com>

Upgrading  from a system that had an earlier version of IPA to the 
current is broken right now, due to the fact that the new code expects 
to talk to the Certificate Authority (CA)  via the proxy ports (80, 
443), and the old code used non standard ports (above 8000).


IPA needs to make two changes during upgrade.  I'm trying to figure out 
the right place to make them.

The first change is to  /etc/httpd/conf.d/nss.conf.  The function to 
make the change during install is:

  ipaserver/install/httpinstance.py     self.__enable_mod_nss_renegotiate

which just makes these two method calls.


installutils.set_directive(NSS_CONF, 'NSSRenegotiation', 'on',False)
installutils.set_directive(NSS_CONF, 'NSSRequireSafeNegotiation', 
'on',False)


Seems to me that they should be added to 
install/tools/ipa-upgradeconfig, possibly the main, or a function called 
from it.  Should I move the call  enable_mod_nss_renegotiate  into 
installutils and call it from both places instead of having it in 
httpinstance?


The other change is a little trickier.  If the PKI server has not yet 
had the proxy enabled,  we need to run the script pki-setup-proxy.  To 
test if we should call that script, Ade and I have agreed that the best 
way is to test in CS.conf  for changes made:  The values
proxy.securePort and proxy.unsecurePort should be set.  Is there an 
appropriate tool for making this check?  someting from installutils?  
I'm guessing get_directive('/etc/pki-ca/CS.cfg','proxy.securePort' , '=')?





From ayoung at redhat.com  Thu Oct  6 01:10:59 2011
From: ayoung at redhat.com (Adam Young)
Date: Wed, 05 Oct 2011 21:10:59 -0400
Subject: [Freeipa-devel] Upgrading due to proxy changes
Message-ID: <4E8D0023.4000201@redhat.com>

Upgrading  from a system that had an earlier version of IPA to the 
current is broken right now, due to the fact that the new code expects 
to talk to the Certificate Authority (CA)  via the proxy ports (80, 
443), and the old code used non standard ports (above 8000).


IPA needs to make two changes during upgrade.  I'm trying to figure out 
the right place to make them.

The first change is to  /etc/httpd/conf.d/nss.conf.  The function to 
make the change during install is:

  ipaserver/install/httpinstance.py     self.__enable_mod_nss_renegotiate

which just makes these two method calls.


installutils.set_directive(NSS_CONF, 'NSSRenegotiation', 'on',False)
installutils.set_directive(NSS_CONF, 'NSSRequireSafeNegotiation', 
'on',False)


Seems to me that they should be added to 
install/tools/ipa-upgradeconfig, possibly the main, or a function called 
from it.  Should I move the call  enable_mod_nss_renegotiate  into 
installutils and call it from both places instead of having it in 
httpinstance?


The other change is a little trickier.  If the PKI server has not yet 
had the proxy enabled,  we need to run the script pki-setup-proxy.  To 
test if we should call that script, Ade and I have agreed that the best 
way is to test in CS.conf  for changes made:  The values
proxy.securePort and proxy.unsecurePort should be set.  Is there an 
appropriate tool for making this check?  someting from installutils?  
I'm guessing get_directive('/etc/pki-ca/CS.cfg','proxy.securePort' , '=')?



From abokovoy at redhat.com  Thu Oct  6 04:30:14 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Thu, 6 Oct 2011 07:30:14 +0300
Subject: [Freeipa-devel] [PATCH] 0019 Sync time with NTP before joining
 the domain
In-Reply-To: <4E8CDD0F.60209@redhat.com>
References: <20111005121606.GA29306@redhat.com> <4E8C59AF.6000404@redhat.com>
	<20111005142732.GD29306@redhat.com> <4E8CC13E.9080906@redhat.com>
	<20111005213351.GA13256@redhat.com> <4E8CCDF8.9010308@redhat.com>
	<4E8CDD0F.60209@redhat.com>
Message-ID: <20111006043014.GB13256@redhat.com>

On Wed, 05 Oct 2011, Dmitri Pal wrote:
> >> At least, according to IETF draft on OTP preauth with kerberos,
> >> http://tools.ietf.org/html/draft-ietf-krb-wg-otp-preauth-19#section-2.4
> >> client has to submit next key if clocks have drifted which implies you
> >> cannot re-use the same OTP next time. To me this looks like in OTP
> >> case clocks synchronization is very important. In our OTP case it does
> >> not matter except for an artificial delay...
> >
> > This is not Kerberos OTP, it does an LDAP simple bind.
> 
> 
> It is more like a "nonce", it is not an OTP that can be generated based
> on some hardware or software token.
> The Kerberos OTP draft is about those OTPs we are not. We are literally
> One Time Password.
Does it also mean if clocks were skewed, you would not have next 
chance to use the same password again? If that's the case, it is 
better to wait a second or three for time sync.
-- 
/ Alexander Bokovoy



From rcritten at redhat.com  Thu Oct  6 04:38:16 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 06 Oct 2011 00:38:16 -0400
Subject: [Freeipa-devel] [PATCH] 0019 Sync time with NTP before joining
 the domain
In-Reply-To: <20111006043014.GB13256@redhat.com>
References: <20111005121606.GA29306@redhat.com> <4E8C59AF.6000404@redhat.com>
	<20111005142732.GD29306@redhat.com> <4E8CC13E.9080906@redhat.com>
	<20111005213351.GA13256@redhat.com>
	<4E8CCDF8.9010308@redhat.com> <4E8CDD0F.60209@redhat.com>
	<20111006043014.GB13256@redhat.com>
Message-ID: <4E8D30B8.9060501@redhat.com>

Alexander Bokovoy wrote:
> On Wed, 05 Oct 2011, Dmitri Pal wrote:
>>>> At least, according to IETF draft on OTP preauth with kerberos,
>>>> http://tools.ietf.org/html/draft-ietf-krb-wg-otp-preauth-19#section-2.4
>>>> client has to submit next key if clocks have drifted which implies you
>>>> cannot re-use the same OTP next time. To me this looks like in OTP
>>>> case clocks synchronization is very important. In our OTP case it does
>>>> not matter except for an artificial delay...
>>>
>>> This is not Kerberos OTP, it does an LDAP simple bind.
>>
>>
>> It is more like a "nonce", it is not an OTP that can be generated based
>> on some hardware or software token.
>> The Kerberos OTP draft is about those OTPs we are not. We are literally
>> One Time Password.
> Does it also mean if clocks were skewed, you would not have next
> chance to use the same password again? If that's the case, it is
> better to wait a second or three for time sync.

The password is deleted on the bind, it isn't time sensitive. I'm fine 
with any potential delay since the message is printed.

rob



From mkosek at redhat.com  Thu Oct  6 06:30:01 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 06 Oct 2011 08:30:01 +0200
Subject: [Freeipa-devel] [PATCH] 135 Install tools crash when password
 prompt is interrupted
In-Reply-To: <4E8C9BB4.4030502@redhat.com>
References: <1317718161.27486.15.camel@dhcp-25-52.brq.redhat.com>
	<4E8C9BB4.4030502@redhat.com>
Message-ID: <1317882603.16404.0.camel@dhcp-25-52.brq.redhat.com>

On Wed, 2011-10-05 at 14:02 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > When getpass.getpass() function is interrupted via CTRL+D, EOFError
> > exception is thrown. Most of the install tools are not prepared for
> > this event and crash with this exception. Make sure that it is
> > handled properly and nice error message is printed.
> >
> > https://fedorahosted.org/freeipa/ticket/1916
> 
> ACK but it needs to be rebased.
> 
> rob

Rebased and pushed to master, ipa-2-1.

Martin



From mkosek at redhat.com  Thu Oct  6 06:45:05 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 06 Oct 2011 08:45:05 +0200
Subject: [Freeipa-devel] [PATCH] #1900 fix replica-prepare issues with
 anonynous binds disabled
In-Reply-To: <4E8CD1D1.7020507@redhat.com>
References: <1317830068.6664.3.camel@willson.li.ssimo.org>
	<1317849067.6664.11.camel@willson.li.ssimo.org>
	<4E8CD1D1.7020507@redhat.com>
Message-ID: <1317883508.16404.5.camel@dhcp-25-52.brq.redhat.com>

On Wed, 2011-10-05 at 17:53 -0400, Rob Crittenden wrote:
> Simo Sorce wrote:
> > On Wed, 2011-10-05 at 11:54 -0400, Simo Sorce wrote:
> >> With anonymous binds disabled we were failing to run ipa-replica-prepare
> >> because some tests were done anonymously.
> >>
> >> During the creation of this patch we also hit a NSS Shutdown issue, to
> >> work around this issue ipa-repica-prepare has been hardcoded to use
> >> ldapi:// installed of ldaps://
> >>
> >> The patch as is seem to properly allow the creation of a replica file
> >> with anonymous connections disallowed (works also when they are
> >> allowed).
> >>
> >> Fixes #1900
> >>
> >> Simo.
> >
> > Rebased on top of ipa-2-1 (should apply cleanly to master as well).
> >
> > Simo.
> 
> ACK
> 
> rob

This patch clashed with the last commit (my ticket #1916). I rebased the
patch (yes, I am that kind) and pushed to master, ipa-2-1.

Martin



From mkosek at redhat.com  Thu Oct  6 08:15:14 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 06 Oct 2011 10:15:14 +0200
Subject: [Freeipa-devel] [PATCH] 134 Improve handling of GIDs when
 migrating groups
In-Reply-To: <4E8C9792.9090100@redhat.com>
References: <1317650658.5905.45.camel@dhcp-25-52.brq.redhat.com>
	<4E8C9792.9090100@redhat.com>
Message-ID: <1317888916.16404.16.camel@dhcp-25-52.brq.redhat.com>

On Wed, 2011-10-05 at 13:44 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > Since IPA v2 server already contain predefined groups that may collide
> > with groups in migrated (IPA v1) server (for example admins, ipausers),
> > users having colliding group as their primary group may happen to belong
> > to an unknown group on new IPA v2 server.
> >
> > Implement --group-overwrite-gid option to overwrite GID of already
> > existing groups to prevent this issue.
> >
> > https://fedorahosted.org/freeipa/ticket/1866
> 
> For argument's sake, what is the user going to see the first time they 
> run this? I assume they won't think about these duplicate groups and 
> just do the migration. This means that the result may be some users 
> pointing to non-existent GIDs.

At first I was thinking about making the GID the default behavior and
just add flag "--dont-overwrite-gid. But I was afraid this could do some
damage and change GIDs where it is not required. However, I made some
improvements in this area, please see below.

> 
> If they re-run the migration with this option will it then fix 
> everything up?

Yep.

> 
> I'm wondering if we need a --test argument so people can run the 
> migration w/o writing entries to look for problems like this.
> 
> rob

If we want to do this, we would have to add a lot of LDAP query checks
since mostly try doing the LDAP write and write failures in case of an
exception.

However, I updated the patch so that user is notified about existence of
--group-overwrite-gid option better. If a migration of a group with a
GID number fails because of DuplicateError, a notice about GID is
displayed. This should make him check this situation and either use
group-mod --gidnumber=... or re-run the migration with
--group-overwrite-gid.

I also updated the Password option not to ask user for LDAP password
twice, because it makes me really mad :-)

Martin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-134-2-improve-handling-of-gids-when-migrating-groups.patch
Type: text/x-patch
Size: 10207 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111006/c7ff11ff/attachment.bin>

From mkosek at redhat.com  Thu Oct  6 08:22:06 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 06 Oct 2011 10:22:06 +0200
Subject: [Freeipa-devel] [PATCH] 138 Prevent collisions of hostgroup and
 netgroup
In-Reply-To: <4E8CC17B.3030101@redhat.com>
References: <1317827614.6589.23.camel@dhcp-25-52.brq.redhat.com>
	<4E8CC17B.3030101@redhat.com>
Message-ID: <1317889329.16404.20.camel@dhcp-25-52.brq.redhat.com>

On Wed, 2011-10-05 at 16:43 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > For every hostgroup a managed netgroup is created (if this is allowed).
> > Make sure that if a stand-alone netgroup exists, a hostgroup with the
> > same name cannot be created to prevent collisions.
> >
> > https://fedorahosted.org/freeipa/ticket/1914
> 
> You need to check to see if the managed entries configuration is enabled 
> before doing this. If it is disabled then having duplicate names is fine 
> (though re-enabling it later would have undefined consequences).
> 
> rob

Are you sure about this? If somebody disables the netgroup managed entry
plugin for some reason and later would want to enable it again he could
run into trouble with duplicate entries (as you mentioned). Personally I
would leave the patch as is.

If you are sure this needs to be done, I can make the check using the
same LDAP query for NGP Defition that ipa-managed-entries does.

Martin



From jcholast at redhat.com  Thu Oct  6 09:17:46 2011
From: jcholast at redhat.com (Jan Cholasta)
Date: Thu, 06 Oct 2011 11:17:46 +0200
Subject: [Freeipa-devel] [PATCH] 137 Improve ipa-replica-prepare DNS
	check
In-Reply-To: <1317731829.27486.18.camel@dhcp-25-52.brq.redhat.com>
References: <1317731829.27486.18.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4E8D723A.9090301@redhat.com>

On 4.10.2011 14:37, Martin Kosek wrote:
> Currently, verify_fqdn() function raises RuntimeError for every
> problem with the hostname. This makes it difficult for tools
> like ipa-replica-prepare to behave differently for a subset of
> raised errors (for example to be able to create a DNS record for
> new replica when verify_fqdn() reports a lookup error).
>
> Implement own exceptions for verify_fqdn() that they can be safely
> used to distinguish the error type.
>
> https://fedorahosted.org/freeipa/ticket/1899
>

ACK. Please rebase before pushing.

Honza

-- 
Jan Cholasta



From mkosek at redhat.com  Thu Oct  6 09:29:34 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 06 Oct 2011 11:29:34 +0200
Subject: [Freeipa-devel] [PATCH] 137 Improve ipa-replica-prepare DNS
 check
In-Reply-To: <4E8D723A.9090301@redhat.com>
References: <1317731829.27486.18.camel@dhcp-25-52.brq.redhat.com>
	<4E8D723A.9090301@redhat.com>
Message-ID: <1317893376.16404.21.camel@dhcp-25-52.brq.redhat.com>

On Thu, 2011-10-06 at 11:17 +0200, Jan Cholasta wrote:
> On 4.10.2011 14:37, Martin Kosek wrote:
> > Currently, verify_fqdn() function raises RuntimeError for every
> > problem with the hostname. This makes it difficult for tools
> > like ipa-replica-prepare to behave differently for a subset of
> > raised errors (for example to be able to create a DNS record for
> > new replica when verify_fqdn() reports a lookup error).
> >
> > Implement own exceptions for verify_fqdn() that they can be safely
> > used to distinguish the error type.
> >
> > https://fedorahosted.org/freeipa/ticket/1899
> >
> 
> ACK. Please rebase before pushing.
> 
> Honza
> 

Rebased and pushed to master, ipa-2-1.

Martin



From jcholast at redhat.com  Thu Oct  6 09:44:46 2011
From: jcholast at redhat.com (Jan Cholasta)
Date: Thu, 06 Oct 2011 11:44:46 +0200
Subject: [Freeipa-devel] [PATCH] 019 Disables gid field if not posix
 group in group adder dialog
In-Reply-To: <4E8B37AB.3020500@redhat.com>
References: <4E8B37AB.3020500@redhat.com>
Message-ID: <4E8D788E.3010900@redhat.com>

On 4.10.2011 18:43, Petr Vobornik wrote:
> https://fedorahosted.org/freeipa/ticket/1922
>
> gidNumber is not an allowed attribute for a non-posix group. When adding
> a non-posix group from the UI, unchecking the "Is this a POSIX group?:"
> box should disable the "GID:" field.
>

ACK.

Honza

-- 
Jan Cholasta



From abokovoy at redhat.com  Thu Oct  6 11:08:30 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Thu, 6 Oct 2011 14:08:30 +0300
Subject: [Freeipa-devel] [PATCH] 885 optimize indirect member calculation
In-Reply-To: <4E8C7343.4090704@redhat.com>
References: <4E8C7343.4090704@redhat.com>
Message-ID: <20111006110829.GA21545@redhat.com>

On Wed, 05 Oct 2011, Rob Crittenden wrote:
> When calculating indirect membership of a group all members are
> examined and if those have members, those are added as well. This
> does not need to be done when the member in question is a user or a
> host as they cannot have members.
> 
> For large groups this is a significant performance improvement (as
> well as reducing unnecessary load on 389-ds).
Works for me. However, shouldn't we expand this to all terminal 
objects rather than users and hosts?

Something like attached patch? The containers list should be sorted by 
probability of encountering the container in real life, with users and 
hosts to be at the beginning.
-- 
/ Alexander Bokovoy
-------------- next part --------------
diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py
index b12403b..f9d1d14 100644
--- a/ipaserver/plugins/ldap2.py
+++ b/ipaserver/plugins/ldap2.py
@@ -42,6 +42,7 @@ import ldap.sasl as _ldap_sasl
 from ldap.controls import LDAPControl
 # for backward compatibility
 from ldap.functions import explode_dn
+from ipalib.dn import DN
 
 import krbV
 
@@ -960,6 +961,26 @@ class ldap2(CrudBackend, Encoder):
         # update group entry
         self.update_entry(group_dn, group_entry_attrs)
 
+    def is_terminal(self, dn):
+        """Check if the DN cannot have nested members
+           Returns True if DN corresponds to terminal element, False otherwise
+        """
+        containers = ('user', 'host', 'hbac', 'hbacservice', 'automount', 'automember',
+                      'service', 'sudocmd', 'sudorule')
+        for container in containers:
+            key = "container_%s" % (container)
+            try:
+                if dn.endswith(DN(api.env[key], api.env.basedn)):
+                    return True
+            except KeyError:
+                # Protect against cases when the plugin for the container is
+                # not loaded and accessing container dn causes an exception.
+                # Simply skip such containers.
+                pass
+
+        return False
+
+
     def get_members(self, group_dn, members, attr_list=[], membertype=MEMBERS_ALL, time_limit=None, size_limit=None, normalize=True):
         """Do a memberOf search of groupdn and return the attributes in
            attr_list (an empty list returns all attributes).
@@ -987,6 +1008,11 @@ class ldap2(CrudBackend, Encoder):
         if membertype == MEMBERS_ALL or membertype == MEMBERS_INDIRECT:
             checkmembers = copy.deepcopy(members)
             for member in checkmembers:
+                # No need to check entry types that are not nested for
+                # additional members
+                if self.is_terminal(DN(member)):
+                    results.append([member, {}])
+                    continue
                 try:
                     (result, truncated) = self.find_entries(searchfilter,
                         attr_list, member, time_limit=time_limit,

From mkosek at redhat.com  Thu Oct  6 11:15:55 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 06 Oct 2011 13:15:55 +0200
Subject: [Freeipa-devel] [PATCH] 019 Disables gid field if not posix
 group in group adder dialog
In-Reply-To: <4E8D788E.3010900@redhat.com>
References: <4E8B37AB.3020500@redhat.com> <4E8D788E.3010900@redhat.com>
Message-ID: <1317899758.16404.29.camel@dhcp-25-52.brq.redhat.com>

On Thu, 2011-10-06 at 11:44 +0200, Jan Cholasta wrote:
> On 4.10.2011 18:43, Petr Vobornik wrote:
> > https://fedorahosted.org/freeipa/ticket/1922
> >
> > gidNumber is not an allowed attribute for a non-posix group. When adding
> > a non-posix group from the UI, unchecking the "Is this a POSIX group?:"
> > box should disable the "GID:" field.
> >
> 
> ACK.
> 
> Honza
> 

Pushed to master, ipa-2-1.

Martin



From mkosek at redhat.com  Thu Oct  6 12:03:38 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 06 Oct 2011 14:03:38 +0200
Subject: [Freeipa-devel] [PATCH] 887 add missing aci prefix to dns acis
In-Reply-To: <4E8CC988.6050408@redhat.com>
References: <4E8CC988.6050408@redhat.com>
Message-ID: <1317902620.16404.34.camel@dhcp-25-52.brq.redhat.com>

On Wed, 2011-10-05 at 17:18 -0400, Rob Crittenden wrote:
> The aci prefix was missing in the description of the three dns acis 
> which made them not show up when viewing their permission entries.
> 
> rob

This works fine, but it is just a part of a solution. DNS related
privileges miss memberof attribute for the DNS permissions and thus the
permissions are not listed:

# ipa permission-show "add dns entries"
  Permission name: add dns entries
  Permissions: add
  Type: dnsrecord
  Granted to Privilege: DNS Administrators, DNS Servers

# ipa privilege-show "DNS Administrators"
  Privilege name: DNS Administrators
  Description: DNS Administrators
<<< Missing permissions

I think the reason is that the permissions are in a wrong order in the
LDIF and are created before the privilege itself. When member links are
being created for DNS permissions, the memberof plugin cannot add
memberof attributes for the privilege since it does not exist yet. This
is the main issue that the BZ bug complains about.

Martin



From rcritten at redhat.com  Thu Oct  6 12:48:36 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 06 Oct 2011 08:48:36 -0400
Subject: [Freeipa-devel] [PATCH] 885 optimize indirect member calculation
In-Reply-To: <20111006110829.GA21545@redhat.com>
References: <4E8C7343.4090704@redhat.com> <20111006110829.GA21545@redhat.com>
Message-ID: <4E8DA3A4.8080103@redhat.com>

Alexander Bokovoy wrote:
> On Wed, 05 Oct 2011, Rob Crittenden wrote:
>> When calculating indirect membership of a group all members are
>> examined and if those have members, those are added as well. This
>> does not need to be done when the member in question is a user or a
>> host as they cannot have members.
>>
>> For large groups this is a significant performance improvement (as
>> well as reducing unnecessary load on 389-ds).
> Works for me. However, shouldn't we expand this to all terminal
> objects rather than users and hosts?
>
> Something like attached patch? The containers list should be sorted by
> probability of encountering the container in real life, with users and
> hosts to be at the beginning.

Most of these cannot be a member of other things, the exception being 
hbacservice. Since this is limited to pam services I was going on the 
assumption that this would be a fairly small number so even if we did a 
couple of extra searches now and then there would be little downside, it 
can't be nested.

rob



From abokovoy at redhat.com  Thu Oct  6 12:59:34 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Thu, 6 Oct 2011 15:59:34 +0300
Subject: [Freeipa-devel] [PATCH] 885 optimize indirect member calculation
In-Reply-To: <4E8DA3A4.8080103@redhat.com>
References: <4E8C7343.4090704@redhat.com> <20111006110829.GA21545@redhat.com>
	<4E8DA3A4.8080103@redhat.com>
Message-ID: <20111006125933.GC21545@redhat.com>

On Thu, 06 Oct 2011, Rob Crittenden wrote:
> >Something like attached patch? The containers list should be sorted by
> >probability of encountering the container in real life, with users and
> >hosts to be at the beginning.
> 
> Most of these cannot be a member of other things, the exception
> being hbacservice. Since this is limited to pam services I was going
> on the assumption that this would be a fairly small number so even
> if we did a couple of extra searches now and then there would be
> little downside, it can't be nested.
Ok, fair enough.
I have been running the script from the ticket for a while now and 
reached 1003 users. It looks like ns-slapd's memory use slowly grows 
and at few points there are failures on getting 'large group':
------------------------------------------------
Adding user 994 to IPA ... 
Adding user 994 to large-group ... 
ipa: ERROR: large-group: group not found
Adding user 995 to IPA ... 
Adding user 995 to large-group ... 
Adding user 996 to IPA ... 
Adding user 996 to large-group ... 
ipa: ERROR: large-group: group not found
Adding user 997 to IPA ... 
Adding user 997 to large-group ... 
ipa: ERROR: large-group: group not found
Adding user 998 to IPA ... 
Adding user 998 to large-group ... 
ipa: ERROR: large-group: group not found
Adding user 999 to IPA ... 
Adding user 999 to large-group ... 
------------------------------------------------

After that (and until 1004 so far) there were no failures.

Current memory consumption is following:
31953 dirsrv    20   0 2089m 665m 3532 S  3.6 66.6  42:07.14 ns-slapd     

Free memory fluctuates around 50M and most of the other processes are 
now in swap:
Mem:   1023444k total,   965736k used,    57708k free,      632k buffers
Swap:  2031612k total,  1012792k used,  1018820k free,    18096k cached

-- 
/ Alexander Bokovoy



From simo at redhat.com  Thu Oct  6 13:33:21 2011
From: simo at redhat.com (Simo Sorce)
Date: Thu, 06 Oct 2011 09:33:21 -0400
Subject: [Freeipa-devel] [PATCH] #1900 fix replica-prepare issues with
 anonynous binds disabled
In-Reply-To: <1317883508.16404.5.camel@dhcp-25-52.brq.redhat.com>
References: <1317830068.6664.3.camel@willson.li.ssimo.org>
	<1317849067.6664.11.camel@willson.li.ssimo.org>
	<4E8CD1D1.7020507@redhat.com>
	<1317883508.16404.5.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <1317908001.6664.18.camel@willson.li.ssimo.org>

On Thu, 2011-10-06 at 08:45 +0200, Martin Kosek wrote:
> On Wed, 2011-10-05 at 17:53 -0400, Rob Crittenden wrote:
> > Simo Sorce wrote:
> > > On Wed, 2011-10-05 at 11:54 -0400, Simo Sorce wrote:
> > >> With anonymous binds disabled we were failing to run ipa-replica-prepare
> > >> because some tests were done anonymously.
> > >>
> > >> During the creation of this patch we also hit a NSS Shutdown issue, to
> > >> work around this issue ipa-repica-prepare has been hardcoded to use
> > >> ldapi:// installed of ldaps://
> > >>
> > >> The patch as is seem to properly allow the creation of a replica file
> > >> with anonymous connections disallowed (works also when they are
> > >> allowed).
> > >>
> > >> Fixes #1900
> > >>
> > >> Simo.
> > >
> > > Rebased on top of ipa-2-1 (should apply cleanly to master as well).
> > >
> > > Simo.
> > 
> > ACK
> > 
> > rob
> 
> This patch clashed with the last commit (my ticket #1916). I rebased the
> patch (yes, I am that kind) and pushed to master, ipa-2-1.

Thanks!

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



From pvoborni at redhat.com  Thu Oct  6 13:42:25 2011
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 06 Oct 2011 15:42:25 +0200
Subject: [Freeipa-devel] [PATCH] 020 Fixed links to images in config and
	migration pages
Message-ID: <4E8DB041.1010805@redhat.com>

https://fedorahosted.org/freeipa/ticket/1932

Description of problem:
Title is missing while configuring browser for the first time.

Actual results:
There is no title on this screen. I noticed it only on step 8 and later 
so I am not sure if title is also missing earlier at step 6 or not.

Expected results:
Title "Identity Management" is always present.

Fixed:
  * modified paths to images
  * fixed padding in ssbrowser.html
  * moved browser icons to ui folder
  * deleted unused images in html and migration folders (they are 
already in ui folder, and weren't deployed)

-- 
Petr Vobornik
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0020-Fixed-links-to-images-in-config-and-migration-pages.patch
Type: text/x-patch
Size: 41373 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111006/2427b8c2/attachment.bin>

From jhrozek at redhat.com  Thu Oct  6 15:29:36 2011
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Thu, 6 Oct 2011 17:29:36 +0200
Subject: [Freeipa-devel] [PATCH] #1820 Fix legacy password generation
In-Reply-To: <1316468346.2684.509.camel@willson.li.ssimo.org>
References: <1316468346.2684.509.camel@willson.li.ssimo.org>
Message-ID: <20111006152936.GB23539@zeppelin.brq.redhat.com>

On Mon, Sep 19, 2011 at 05:39:06PM -0400, Simo Sorce wrote:
> Today I found another regression in the kpasswd password change path.
> 
> I filed ticket #1820
> 
> Legacy password hashes were not generated due to an issue with the list
> of attributes being searched in ipadb_get_principal(), objectclass was
> missing.
> 
> This patch fixes it.
> 

It does :-)

Ack!



From simo at redhat.com  Thu Oct  6 16:15:38 2011
From: simo at redhat.com (Simo Sorce)
Date: Thu, 06 Oct 2011 12:15:38 -0400
Subject: [Freeipa-devel] [PATCH] #1820 Fix legacy password generation
In-Reply-To: <20111006152936.GB23539@zeppelin.brq.redhat.com>
References: <1316468346.2684.509.camel@willson.li.ssimo.org>
	<20111006152936.GB23539@zeppelin.brq.redhat.com>
Message-ID: <1317917738.6664.43.camel@willson.li.ssimo.org>

On Thu, 2011-10-06 at 17:29 +0200, Jakub Hrozek wrote:
> On Mon, Sep 19, 2011 at 05:39:06PM -0400, Simo Sorce wrote:
> > Today I found another regression in the kpasswd password change path.
> > 
> > I filed ticket #1820
> > 
> > Legacy password hashes were not generated due to an issue with the list
> > of attributes being searched in ipadb_get_principal(), objectclass was
> > missing.
> > 
> > This patch fixes it.
> > 
> 
> It does :-)
> 
> Ack!

Thanks!
Pushed to master.

Simo.
-- 
Simo Sorce * Red Hat, Inc * New York



From rcritten at redhat.com  Thu Oct  6 18:05:36 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 06 Oct 2011 14:05:36 -0400
Subject: [Freeipa-devel] [PATCH] 887 add missing aci prefix to dns acis
In-Reply-To: <1317902620.16404.34.camel@dhcp-25-52.brq.redhat.com>
References: <4E8CC988.6050408@redhat.com>
	<1317902620.16404.34.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4E8DEDF0.9080202@redhat.com>

Martin Kosek wrote:
> On Wed, 2011-10-05 at 17:18 -0400, Rob Crittenden wrote:
>> The aci prefix was missing in the description of the three dns acis
>> which made them not show up when viewing their permission entries.
>>
>> rob
>
> This works fine, but it is just a part of a solution. DNS related
> privileges miss memberof attribute for the DNS permissions and thus the
> permissions are not listed:
>
> # ipa permission-show "add dns entries"
>    Permission name: add dns entries
>    Permissions: add
>    Type: dnsrecord
>    Granted to Privilege: DNS Administrators, DNS Servers
>
> # ipa privilege-show "DNS Administrators"
>    Privilege name: DNS Administrators
>    Description: DNS Administrators
> <<<  Missing permissions
>
> I think the reason is that the permissions are in a wrong order in the
> LDIF and are created before the privilege itself. When member links are
> being created for DNS permissions, the memberof plugin cannot add
> memberof attributes for the privilege since it does not exist yet. This
> is the main issue that the BZ bug complains about.
>
> Martin
>

There are two problems:

1. The acis lacked a prefix so they didn't appear as permissions

2. The permission was added before the privilege so the memberof values 
weren't being calculated.

This fixes it for new installs and adds an update to fix up existing 
installs.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-887-2-prefix.patch
Type: text/x-patch
Size: 9145 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111006/fa28218a/attachment.bin>

From mkosek at redhat.com  Thu Oct  6 19:39:11 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 06 Oct 2011 21:39:11 +0200
Subject: [Freeipa-devel] [PATCH] 887 add missing aci prefix to dns acis
In-Reply-To: <4E8DEDF0.9080202@redhat.com>
References: <4E8CC988.6050408@redhat.com>
	<1317902620.16404.34.camel@dhcp-25-52.brq.redhat.com>
	<4E8DEDF0.9080202@redhat.com>
Message-ID: <1317929952.2489.2.camel@priserak>

On Thu, 2011-10-06 at 14:05 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > On Wed, 2011-10-05 at 17:18 -0400, Rob Crittenden wrote:
> >> The aci prefix was missing in the description of the three dns acis
> >> which made them not show up when viewing their permission entries.
> >>
> >> rob
> >
> > This works fine, but it is just a part of a solution. DNS related
> > privileges miss memberof attribute for the DNS permissions and thus the
> > permissions are not listed:
> >
> > # ipa permission-show "add dns entries"
> >    Permission name: add dns entries
> >    Permissions: add
> >    Type: dnsrecord
> >    Granted to Privilege: DNS Administrators, DNS Servers
> >
> > # ipa privilege-show "DNS Administrators"
> >    Privilege name: DNS Administrators
> >    Description: DNS Administrators
> > <<<  Missing permissions
> >
> > I think the reason is that the permissions are in a wrong order in the
> > LDIF and are created before the privilege itself. When member links are
> > being created for DNS permissions, the memberof plugin cannot add
> > memberof attributes for the privilege since it does not exist yet. This
> > is the main issue that the BZ bug complains about.
> >
> > Martin
> >
> 
> There are two problems:
> 
> 1. The acis lacked a prefix so they didn't appear as permissions
> 
> 2. The permission was added before the privilege so the memberof values 
> weren't being calculated.
> 
> This fixes it for new installs and adds an update to fix up existing 
> installs.
> 
> rob

It works fine when doing upgrade. However, when running a clean install,
I get these errors:

# ipa-server-install --setup-dns
...
  [9/13]: publish CA cert
  [10/13]: creating a keytab for httpd
  [11/13]: configuring SELinux for httpd
  [12/13]: restarting httpd
  [13/13]: configuring httpd to start on boot
done configuring httpd.
Applying LDAP updates
root        : ERROR    Add failure Object class violation: missing required attribute "objectclass"
root        : ERROR    Add failure Object class violation: missing required attribute "objectclass"
root        : ERROR    Add failure Object class violation: missing required attribute "objectclass"
Restarting IPA to initialize updates before performing deletes:
  [1/2]: stopping directory server
  [2/2]: starting directory server
done configuring dirsrv.
Restarting the directory server
Restarting the KDC
Restarting the web server
Configuring named:
  [1/9]: adding DNS container
  [2/9]: setting up our zone
  [3/9]: setting up reverse zone
  [4/9]: setting up our own record
  [5/9]: setting up kerberos principal
  [6/9]: setting up named.conf
  [7/9]: restarting named
  [8/9]: configuring named to start on boot
  [9/9]: changing resolv.conf to point to ourselves
done configuring named.
==============================================================================
Setup complete

Do you hit this too? Permissions and privileges member attributes were OK though.

Martin



From rcritten at redhat.com  Thu Oct  6 19:46:46 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 06 Oct 2011 15:46:46 -0400
Subject: [Freeipa-devel] [PATCH] 887 add missing aci prefix to dns acis
In-Reply-To: <1317929952.2489.2.camel@priserak>
References: <4E8CC988.6050408@redhat.com>
	<1317902620.16404.34.camel@dhcp-25-52.brq.redhat.com>
	<4E8DEDF0.9080202@redhat.com> <1317929952.2489.2.camel@priserak>
Message-ID: <4E8E05A6.4040903@redhat.com>

Martin Kosek wrote:
> On Thu, 2011-10-06 at 14:05 -0400, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> On Wed, 2011-10-05 at 17:18 -0400, Rob Crittenden wrote:
>>>> The aci prefix was missing in the description of the three dns acis
>>>> which made them not show up when viewing their permission entries.
>>>>
>>>> rob
>>>
>>> This works fine, but it is just a part of a solution. DNS related
>>> privileges miss memberof attribute for the DNS permissions and thus the
>>> permissions are not listed:
>>>
>>> # ipa permission-show "add dns entries"
>>>     Permission name: add dns entries
>>>     Permissions: add
>>>     Type: dnsrecord
>>>     Granted to Privilege: DNS Administrators, DNS Servers
>>>
>>> # ipa privilege-show "DNS Administrators"
>>>     Privilege name: DNS Administrators
>>>     Description: DNS Administrators
>>> <<<   Missing permissions
>>>
>>> I think the reason is that the permissions are in a wrong order in the
>>> LDIF and are created before the privilege itself. When member links are
>>> being created for DNS permissions, the memberof plugin cannot add
>>> memberof attributes for the privilege since it does not exist yet. This
>>> is the main issue that the BZ bug complains about.
>>>
>>> Martin
>>>
>>
>> There are two problems:
>>
>> 1. The acis lacked a prefix so they didn't appear as permissions
>>
>> 2. The permission was added before the privilege so the memberof values
>> weren't being calculated.
>>
>> This fixes it for new installs and adds an update to fix up existing
>> installs.
>>
>> rob
>
> It works fine when doing upgrade. However, when running a clean install,
> I get these errors:
>
> # ipa-server-install --setup-dns
> ...
>    [9/13]: publish CA cert
>    [10/13]: creating a keytab for httpd
>    [11/13]: configuring SELinux for httpd
>    [12/13]: restarting httpd
>    [13/13]: configuring httpd to start on boot
> done configuring httpd.
> Applying LDAP updates
> root        : ERROR    Add failure Object class violation: missing required attribute "objectclass"
> root        : ERROR    Add failure Object class violation: missing required attribute "objectclass"
> root        : ERROR    Add failure Object class violation: missing required attribute "objectclass"
> Restarting IPA to initialize updates before performing deletes:
>    [1/2]: stopping directory server
>    [2/2]: starting directory server
> done configuring dirsrv.
> Restarting the directory server
> Restarting the KDC
> Restarting the web server
> Configuring named:
>    [1/9]: adding DNS container
>    [2/9]: setting up our zone
>    [3/9]: setting up reverse zone
>    [4/9]: setting up our own record
>    [5/9]: setting up kerberos principal
>    [6/9]: setting up named.conf
>    [7/9]: restarting named
>    [8/9]: configuring named to start on boot
>    [9/9]: changing resolv.conf to point to ourselves
> done configuring named.
> ==============================================================================
> Setup complete
>
> Do you hit this too? Permissions and privileges member attributes were OK though.
>
> Martin
>

Bah, ok. We only create these permissions when dns is installed so I'll 
need to find some way to optionally add this.

rob



From rcritten at redhat.com  Thu Oct  6 20:44:50 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 06 Oct 2011 16:44:50 -0400
Subject: [Freeipa-devel] Upgrading due to proxy changes
In-Reply-To: <4E8D0023.4000201@redhat.com>
References: <4E8D0023.4000201@redhat.com>
Message-ID: <4E8E1342.401@redhat.com>

Adam Young wrote:
> Upgrading from a system that had an earlier version of IPA to the
> current is broken right now, due to the fact that the new code expects
> to talk to the Certificate Authority (CA) via the proxy ports (80, 443),
> and the old code used non standard ports (above 8000).
>
>
> IPA needs to make two changes during upgrade. I'm trying to figure out
> the right place to make them.
>
> The first change is to /etc/httpd/conf.d/nss.conf. The function to make
> the change during install is:
>
> ipaserver/install/httpinstance.py self.__enable_mod_nss_renegotiate
>
> which just makes these two method calls.
>
>
> installutils.set_directive(NSS_CONF, 'NSSRenegotiation', 'on',False)
> installutils.set_directive(NSS_CONF, 'NSSRequireSafeNegotiation',
> 'on',False)
>
>
> Seems to me that they should be added to
> install/tools/ipa-upgradeconfig, possibly the main, or a function called
> from it. Should I move the call enable_mod_nss_renegotiate into
> installutils and call it from both places instead of having it in
> httpinstance?

You can create an HTTPInstance object and just call them directly, that 
is probably best.
     fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore')
     http = httpinstance.HTTPInstance(fstore)
     http.enable_mod_nss_renegotiate()

You'll need to make the method public, drop the __.

> The other change is a little trickier. If the PKI server has not yet had
> the proxy enabled, we need to run the script pki-setup-proxy. To test if
> we should call that script, Ade and I have agreed that the best way is
> to test in CS.conf for changes made: The values
> proxy.securePort and proxy.unsecurePort should be set. Is there an
> appropriate tool for making this check? someting from installutils? I'm
> guessing get_directive('/etc/pki-ca/CS.cfg','proxy.securePort' , '=')?

I guess I'd have preferred that the upgrade script be robust enough to 
be run any time. Given the circumstances this looks ok.

rob



From ayoung at redhat.com  Thu Oct  6 21:03:09 2011
From: ayoung at redhat.com (Adam Young)
Date: Thu, 06 Oct 2011 17:03:09 -0400
Subject: [Freeipa-devel] [PATCH]  0286-split-metadata-call
Message-ID: <4E8E178D.6050105@redhat.com>

Even if ACKed, don't push this patch alone.  It is part of some work 
that Petr V is going to be doing as part of fixing 
https://fedorahosted.org/freeipa/ticket/1933.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0286-split-metadata-call.patch
Type: text/x-patch
Size: 2743 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111006/a60ba611/attachment.bin>

From rcritten at redhat.com  Thu Oct  6 21:06:52 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 06 Oct 2011 17:06:52 -0400
Subject: [Freeipa-devel] [PATCH] 887 add missing aci prefix to dns acis
In-Reply-To: <4E8E05A6.4040903@redhat.com>
References: <4E8CC988.6050408@redhat.com>
	<1317902620.16404.34.camel@dhcp-25-52.brq.redhat.com>
	<4E8DEDF0.9080202@redhat.com> <1317929952.2489.2.camel@priserak>
	<4E8E05A6.4040903@redhat.com>
Message-ID: <4E8E186C.7080108@redhat.com>

Rob Crittenden wrote:
> Martin Kosek wrote:
>> On Thu, 2011-10-06 at 14:05 -0400, Rob Crittenden wrote:
>>> Martin Kosek wrote:
>>>> On Wed, 2011-10-05 at 17:18 -0400, Rob Crittenden wrote:
>>>>> The aci prefix was missing in the description of the three dns acis
>>>>> which made them not show up when viewing their permission entries.
>>>>>
>>>>> rob
>>>>
>>>> This works fine, but it is just a part of a solution. DNS related
>>>> privileges miss memberof attribute for the DNS permissions and thus the
>>>> permissions are not listed:
>>>>
>>>> # ipa permission-show "add dns entries"
>>>> Permission name: add dns entries
>>>> Permissions: add
>>>> Type: dnsrecord
>>>> Granted to Privilege: DNS Administrators, DNS Servers
>>>>
>>>> # ipa privilege-show "DNS Administrators"
>>>> Privilege name: DNS Administrators
>>>> Description: DNS Administrators
>>>> <<< Missing permissions
>>>>
>>>> I think the reason is that the permissions are in a wrong order in the
>>>> LDIF and are created before the privilege itself. When member links are
>>>> being created for DNS permissions, the memberof plugin cannot add
>>>> memberof attributes for the privilege since it does not exist yet. This
>>>> is the main issue that the BZ bug complains about.
>>>>
>>>> Martin
>>>>
>>>
>>> There are two problems:
>>>
>>> 1. The acis lacked a prefix so they didn't appear as permissions
>>>
>>> 2. The permission was added before the privilege so the memberof values
>>> weren't being calculated.
>>>
>>> This fixes it for new installs and adds an update to fix up existing
>>> installs.
>>>
>>> rob
>>
>> It works fine when doing upgrade. However, when running a clean install,
>> I get these errors:
>>
>> # ipa-server-install --setup-dns
>> ...
>> [9/13]: publish CA cert
>> [10/13]: creating a keytab for httpd
>> [11/13]: configuring SELinux for httpd
>> [12/13]: restarting httpd
>> [13/13]: configuring httpd to start on boot
>> done configuring httpd.
>> Applying LDAP updates
>> root : ERROR Add failure Object class violation: missing required
>> attribute "objectclass"
>> root : ERROR Add failure Object class violation: missing required
>> attribute "objectclass"
>> root : ERROR Add failure Object class violation: missing required
>> attribute "objectclass"
>> Restarting IPA to initialize updates before performing deletes:
>> [1/2]: stopping directory server
>> [2/2]: starting directory server
>> done configuring dirsrv.
>> Restarting the directory server
>> Restarting the KDC
>> Restarting the web server
>> Configuring named:
>> [1/9]: adding DNS container
>> [2/9]: setting up our zone
>> [3/9]: setting up reverse zone
>> [4/9]: setting up our own record
>> [5/9]: setting up kerberos principal
>> [6/9]: setting up named.conf
>> [7/9]: restarting named
>> [8/9]: configuring named to start on boot
>> [9/9]: changing resolv.conf to point to ourselves
>> done configuring named.
>> ==============================================================================
>>
>> Setup complete
>>
>> Do you hit this too? Permissions and privileges member attributes were
>> OK though.
>>
>> Martin
>>
>
> Bah, ok. We only create these permissions when dns is installed so I'll
> need to find some way to optionally add this.
>
> rob

I needed to add a new type to the updater to only add new values if the 
entry exists.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-887-3-prefix.patch
Type: text/x-patch
Size: 12226 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111006/2632a634/attachment.bin>

From ayoung at redhat.com  Fri Oct  7 01:27:29 2011
From: ayoung at redhat.com (Adam Young)
Date: Thu, 06 Oct 2011 21:27:29 -0400
Subject: [Freeipa-devel] [PATCHES]  0287 and 0288 for Proxy upgrade
Message-ID: <4E8E5581.6040802@redhat.com>

Not yet ready for prime time.

I've tested the changes to updateinstance by hand, so I know they work.  
I'm having problems with the python  import setup.

RPM build fails with:


install/tools/ipa-upgradeconfig:36: [F0401] Unable to import 'installutils'


And, if I uncomment the import for http utils,  I get an error at run 
time as well.  That confuses me, as I am able to import installutils at 
runtime.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0287-Make-nss_mod-config-options-change-a-public-function.patch
Type: text/x-patch
Size: 3966 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111006/9f32d060/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0288-upgrade-pki-proxy-setup.patch
Type: text/x-patch
Size: 2473 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111006/9f32d060/attachment-0001.bin>

From rcritten at redhat.com  Fri Oct  7 01:31:59 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 06 Oct 2011 21:31:59 -0400
Subject: [Freeipa-devel] [PATCH] 134 Improve handling of GIDs when
 migrating groups
In-Reply-To: <1317888916.16404.16.camel@dhcp-25-52.brq.redhat.com>
References: <1317650658.5905.45.camel@dhcp-25-52.brq.redhat.com>
	<4E8C9792.9090100@redhat.com>
	<1317888916.16404.16.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4E8E568F.9070603@redhat.com>

Martin Kosek wrote:
> On Wed, 2011-10-05 at 13:44 -0400, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> Since IPA v2 server already contain predefined groups that may collide
>>> with groups in migrated (IPA v1) server (for example admins, ipausers),
>>> users having colliding group as their primary group may happen to belong
>>> to an unknown group on new IPA v2 server.
>>>
>>> Implement --group-overwrite-gid option to overwrite GID of already
>>> existing groups to prevent this issue.
>>>
>>> https://fedorahosted.org/freeipa/ticket/1866
>>
>> For argument's sake, what is the user going to see the first time they
>> run this? I assume they won't think about these duplicate groups and
>> just do the migration. This means that the result may be some users
>> pointing to non-existent GIDs.
>
> At first I was thinking about making the GID the default behavior and
> just add flag "--dont-overwrite-gid. But I was afraid this could do some
> damage and change GIDs where it is not required. However, I made some
> improvements in this area, please see below.
>
>>
>> If they re-run the migration with this option will it then fix
>> everything up?
>
> Yep.
>
>>
>> I'm wondering if we need a --test argument so people can run the
>> migration w/o writing entries to look for problems like this.
>>
>> rob
>
> If we want to do this, we would have to add a lot of LDAP query checks
> since mostly try doing the LDAP write and write failures in case of an
> exception.
>
> However, I updated the patch so that user is notified about existence of
> --group-overwrite-gid option better. If a migration of a group with a
> GID number fails because of DuplicateError, a notice about GID is
> displayed. This should make him check this situation and either use
> group-mod --gidnumber=... or re-run the migration with
> --group-overwrite-gid.
>
> I also updated the Password option not to ask user for LDAP password
> twice, because it makes me really mad :-)
>
> Martin

# ipa migrate-ds ldap://panther.greyoak.com 
--user-container=cn=users,cn=accounts 
--group-container=cn=groups,cn=accounts 
--user-ignore-objectclass=radiusprofile
Password:
ipa: ERROR: an internal error has occurred

[Thu Oct 06 21:28:49 2011] [error] ipa: ERROR: non-public: TypeError: 
_post_migrate_user() got an unexpected keyword argument 'options'
[Thu Oct 06 21:28:49 2011] [error] Traceback (most recent call last):
[Thu Oct 06 21:28:49 2011] [error]   File 
"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 223, in 
wsgi_execute
[Thu Oct 06 21:28:49 2011] [error]     result = 
self.Command[name](*args, **options)
[Thu Oct 06 21:28:49 2011] [error]   File 
"/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 432, in __call__
[Thu Oct 06 21:28:49 2011] [error]     ret = self.run(*args, **options)
[Thu Oct 06 21:28:49 2011] [error]   File 
"/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 738, in run
[Thu Oct 06 21:28:49 2011] [error]     return self.execute(*args, **options)
[Thu Oct 06 21:28:49 2011] [error]   File 
"/usr/lib/python2.7/site-packages/ipalib/plugins/migration.py", line 
633, in execute
[Thu Oct 06 21:28:49 2011] [error]     ldap, config, ds_ldap, 
ds_base_dn, options
[Thu Oct 06 21:28:49 2011] [error]   File 
"/usr/lib/python2.7/site-packages/ipalib/plugins/migration.py", line 
602, in migrate
[Thu Oct 06 21:28:49 2011] [error]     options = options,
[Thu Oct 06 21:28:49 2011] [error] TypeError: _post_migrate_user() got 
an unexpected keyword argument 'options'

rob



From rcritten at redhat.com  Fri Oct  7 02:21:54 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 06 Oct 2011 22:21:54 -0400
Subject: [Freeipa-devel] [PATCHES]  0287 and 0288 for Proxy upgrade
In-Reply-To: <4E8E5581.6040802@redhat.com>
References: <4E8E5581.6040802@redhat.com>
Message-ID: <4E8E6242.7030804@redhat.com>

Adam Young wrote:
> Not yet ready for prime time.
>
> I've tested the changes to updateinstance by hand, so I know they work.
> I'm having problems with the python import setup.
>
> RPM build fails with:
>
>
> install/tools/ipa-upgradeconfig:36: [F0401] Unable to import 'installutils'
>
>
> And, if I uncomment the import for http utils, I get an error at run
> time as well. That confuses me, as I am able to import installutils at
> runtime.

I think these patches fix it. Please double check my comments. I tested 
this on a non-updated dogtag install (e.g. it doesn't have the new 
script) and it didn't seem to break anything.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Make-mod_nss-renegotiation-configuration-a-public-fu.patch
Type: text/x-patch
Size: 1936 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111006/011e7cbf/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-Execute-pki-proxy-setup-when-server-is-upgraded-if-n.patch
Type: text/x-patch
Size: 2301 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111006/011e7cbf/attachment-0001.bin>

From rcritten at redhat.com  Fri Oct  7 02:26:41 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 06 Oct 2011 22:26:41 -0400
Subject: [Freeipa-devel] [PATCH] 0019 Sync time with NTP before joining
 the domain
In-Reply-To: <20111005213351.GA13256@redhat.com>
References: <20111005121606.GA29306@redhat.com> <4E8C59AF.6000404@redhat.com>
	<20111005142732.GD29306@redhat.com> <4E8CC13E.9080906@redhat.com>
	<20111005213351.GA13256@redhat.com>
Message-ID: <4E8E6361.4010702@redhat.com>

Alexander Bokovoy wrote:
> On Wed, 05 Oct 2011, Rob Crittenden wrote:
>>> I ended up not using raiseonerr=False as all I needed is a way to
>>> break out of the loop on success so that will come sequentially if
>>> there is no exception.
>>>
>>> Patch attached.
>>
>> This works but there is a noticeable pause on my system when ntpdate
>> is being run. I think it would be handy to output a message saying
>> that the date is being updated.
> I'll add the message.
>
>> Is it necessary to sync the date when a one-time password is being
>> used? It doesn't hurt but it does pause a second or three.
> If I understand correctly, our use of OTP term for hosts is different
> from what current IETF draft on OTP preauth with kerberos assumes.
>
> At least, according to IETF draft on OTP preauth with kerberos,
> http://tools.ietf.org/html/draft-ietf-krb-wg-otp-preauth-19#section-2.4
> client has to submit next key if clocks have drifted which implies you
> cannot re-use the same OTP next time. To me this looks like in OTP
> case clocks synchronization is very important. In our OTP case it does
> not matter except for an artificial delay...
>
> I've added the message.

I modified the commit message a bit to prevent wrapping.

Pushed to master and ipa-2-1

rob



From rcritten at redhat.com  Fri Oct  7 02:40:22 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 06 Oct 2011 22:40:22 -0400
Subject: [Freeipa-devel] [PATCH] 138 Prevent collisions of hostgroup and
 netgroup
In-Reply-To: <1317889329.16404.20.camel@dhcp-25-52.brq.redhat.com>
References: <1317827614.6589.23.camel@dhcp-25-52.brq.redhat.com>
	<4E8CC17B.3030101@redhat.com>
	<1317889329.16404.20.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4E8E6696.2010902@redhat.com>

Martin Kosek wrote:
> On Wed, 2011-10-05 at 16:43 -0400, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> For every hostgroup a managed netgroup is created (if this is allowed).
>>> Make sure that if a stand-alone netgroup exists, a hostgroup with the
>>> same name cannot be created to prevent collisions.
>>>
>>> https://fedorahosted.org/freeipa/ticket/1914
>>
>> You need to check to see if the managed entries configuration is enabled
>> before doing this. If it is disabled then having duplicate names is fine
>> (though re-enabling it later would have undefined consequences).
>>
>> rob
>
> Are you sure about this? If somebody disables the netgroup managed entry
> plugin for some reason and later would want to enable it again he could
> run into trouble with duplicate entries (as you mentioned). Personally I
> would leave the patch as is.
>
> If you are sure this needs to be done, I can make the check using the
> same LDAP query for NGP Defition that ipa-managed-entries does.
>
> Martin
>

ack, pushed to master and ipa-2-1



From rcritten at redhat.com  Fri Oct  7 02:59:00 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 06 Oct 2011 22:59:00 -0400
Subject: [Freeipa-devel] [PATCH] 888 always verify hostname
Message-ID: <4E8E6AF4.8060302@redhat.com>

When installing with DNS we skip a few hostname checks on the assumption 
that the DNS we are installing will cover things. We still need to 
verify /etc/hosts and we do this with gethostbyname_ex() which returns 
the primary name and all other names of the host. If the primary name 
doesn't match (e.g. the shortname is defined first in /etc/hosts) or it 
isn't resolvable at all then we error out.

This also prevents a chicken-and-egg error as several services need to 
start before DNS is available so the hostname must be defined.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-888-hostname.patch
Type: text/x-patch
Size: 1537 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111006/ee78d252/attachment.bin>

From edewata at redhat.com  Fri Oct  7 04:59:40 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 06 Oct 2011 23:59:40 -0500
Subject: [Freeipa-devel] [PATCH] 020 Fixed links to images in config and
 migration pages
In-Reply-To: <4E8DB041.1010805@redhat.com>
References: <4E8DB041.1010805@redhat.com>
Message-ID: <4E8E873C.4020503@redhat.com>

On 10/6/2011 8:42 AM, Petr Vobornik wrote:
> https://fedorahosted.org/freeipa/ticket/1932
>
> Description of problem:
> Title is missing while configuring browser for the first time.
>
> Actual results:
> There is no title on this screen. I noticed it only on step 8 and later
> so I am not sure if title is also missing earlier at step 6 or not.
>
> Expected results:
> Title "Identity Management" is always present.
>
> Fixed:
> * modified paths to images
> * fixed padding in ssbrowser.html
> * moved browser icons to ui folder
> * deleted unused images in html and migration folders (they are already
> in ui folder, and weren't deployed)

ACK and pushed to master and ipa-2-1.

-- 
Endi S. Dewata



From mkosek at redhat.com  Fri Oct  7 06:39:12 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 07 Oct 2011 08:39:12 +0200
Subject: [Freeipa-devel] [PATCH] 134 Improve handling of GIDs when
 migrating groups
In-Reply-To: <4E8E568F.9070603@redhat.com>
References: <1317650658.5905.45.camel@dhcp-25-52.brq.redhat.com>
	<4E8C9792.9090100@redhat.com>
	<1317888916.16404.16.camel@dhcp-25-52.brq.redhat.com>
	<4E8E568F.9070603@redhat.com>
Message-ID: <1317969555.8399.2.camel@dhcp-25-52.brq.redhat.com>

On Thu, 2011-10-06 at 21:31 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > On Wed, 2011-10-05 at 13:44 -0400, Rob Crittenden wrote:
> >> Martin Kosek wrote:
> >>> Since IPA v2 server already contain predefined groups that may collide
> >>> with groups in migrated (IPA v1) server (for example admins, ipausers),
> >>> users having colliding group as their primary group may happen to belong
> >>> to an unknown group on new IPA v2 server.
> >>>
> >>> Implement --group-overwrite-gid option to overwrite GID of already
> >>> existing groups to prevent this issue.
> >>>
> >>> https://fedorahosted.org/freeipa/ticket/1866
> >>
> >> For argument's sake, what is the user going to see the first time they
> >> run this? I assume they won't think about these duplicate groups and
> >> just do the migration. This means that the result may be some users
> >> pointing to non-existent GIDs.
> >
> > At first I was thinking about making the GID the default behavior and
> > just add flag "--dont-overwrite-gid. But I was afraid this could do some
> > damage and change GIDs where it is not required. However, I made some
> > improvements in this area, please see below.
> >
> >>
> >> If they re-run the migration with this option will it then fix
> >> everything up?
> >
> > Yep.
> >
> >>
> >> I'm wondering if we need a --test argument so people can run the
> >> migration w/o writing entries to look for problems like this.
> >>
> >> rob
> >
> > If we want to do this, we would have to add a lot of LDAP query checks
> > since mostly try doing the LDAP write and write failures in case of an
> > exception.
> >
> > However, I updated the patch so that user is notified about existence of
> > --group-overwrite-gid option better. If a migration of a group with a
> > GID number fails because of DuplicateError, a notice about GID is
> > displayed. This should make him check this situation and either use
> > group-mod --gidnumber=... or re-run the migration with
> > --group-overwrite-gid.
> >
> > I also updated the Password option not to ask user for LDAP password
> > twice, because it makes me really mad :-)
> >
> > Martin
> 
> # ipa migrate-ds ldap://panther.greyoak.com 
> --user-container=cn=users,cn=accounts 
> --group-container=cn=groups,cn=accounts 
> --user-ignore-objectclass=radiusprofile
> Password:
> ipa: ERROR: an internal error has occurred
> 
> [Thu Oct 06 21:28:49 2011] [error] ipa: ERROR: non-public: TypeError: 
> _post_migrate_user() got an unexpected keyword argument 'options'
> [Thu Oct 06 21:28:49 2011] [error] Traceback (most recent call last):
> [Thu Oct 06 21:28:49 2011] [error]   File 
> "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 223, in 
> wsgi_execute
> [Thu Oct 06 21:28:49 2011] [error]     result = 
> self.Command[name](*args, **options)
> [Thu Oct 06 21:28:49 2011] [error]   File 
> "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 432, in __call__
> [Thu Oct 06 21:28:49 2011] [error]     ret = self.run(*args, **options)
> [Thu Oct 06 21:28:49 2011] [error]   File 
> "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 738, in run
> [Thu Oct 06 21:28:49 2011] [error]     return self.execute(*args, **options)
> [Thu Oct 06 21:28:49 2011] [error]   File 
> "/usr/lib/python2.7/site-packages/ipalib/plugins/migration.py", line 
> 633, in execute
> [Thu Oct 06 21:28:49 2011] [error]     ldap, config, ds_ldap, 
> ds_base_dn, options
> [Thu Oct 06 21:28:49 2011] [error]   File 
> "/usr/lib/python2.7/site-packages/ipalib/plugins/migration.py", line 
> 602, in migrate
> [Thu Oct 06 21:28:49 2011] [error]     options = options,
> [Thu Oct 06 21:28:49 2011] [error] TypeError: _post_migrate_user() got 
> an unexpected keyword argument 'options'
> 
> rob

Ouch. This one must have come from some previous tries. And since the
users were already migrated in my testing, it was left undiscovered. I
wonder why pylint was quiet.

Sending a fixed version, it should work fine now.

Martin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-134-3-improve-handling-of-gids-when-migrating-groups.patch
Type: text/x-patch
Size: 10163 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111007/d3276f1c/attachment.bin>

From mkosek at redhat.com  Fri Oct  7 07:53:33 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 07 Oct 2011 09:53:33 +0200
Subject: [Freeipa-devel] [PATCH] 887 add missing aci prefix to dns acis
In-Reply-To: <4E8E186C.7080108@redhat.com>
References: <4E8CC988.6050408@redhat.com>
	<1317902620.16404.34.camel@dhcp-25-52.brq.redhat.com>
	<4E8DEDF0.9080202@redhat.com> <1317929952.2489.2.camel@priserak>
	<4E8E05A6.4040903@redhat.com> <4E8E186C.7080108@redhat.com>
Message-ID: <1317974016.8399.13.camel@dhcp-25-52.brq.redhat.com>

On Thu, 2011-10-06 at 17:06 -0400, Rob Crittenden wrote:
> Rob Crittenden wrote:
> > Martin Kosek wrote:
> >> On Thu, 2011-10-06 at 14:05 -0400, Rob Crittenden wrote:
> >>> Martin Kosek wrote:
> >>>> On Wed, 2011-10-05 at 17:18 -0400, Rob Crittenden wrote:
> >>>>> The aci prefix was missing in the description of the three dns acis
> >>>>> which made them not show up when viewing their permission entries.
> >>>>>
> >>>>> rob
> >>>>
> >>>> This works fine, but it is just a part of a solution. DNS related
> >>>> privileges miss memberof attribute for the DNS permissions and thus the
> >>>> permissions are not listed:
> >>>>
> >>>> # ipa permission-show "add dns entries"
> >>>> Permission name: add dns entries
> >>>> Permissions: add
> >>>> Type: dnsrecord
> >>>> Granted to Privilege: DNS Administrators, DNS Servers
> >>>>
> >>>> # ipa privilege-show "DNS Administrators"
> >>>> Privilege name: DNS Administrators
> >>>> Description: DNS Administrators
> >>>> <<< Missing permissions
> >>>>
> >>>> I think the reason is that the permissions are in a wrong order in the
> >>>> LDIF and are created before the privilege itself. When member links are
> >>>> being created for DNS permissions, the memberof plugin cannot add
> >>>> memberof attributes for the privilege since it does not exist yet. This
> >>>> is the main issue that the BZ bug complains about.
> >>>>
> >>>> Martin
> >>>>
> >>>
> >>> There are two problems:
> >>>
> >>> 1. The acis lacked a prefix so they didn't appear as permissions
> >>>
> >>> 2. The permission was added before the privilege so the memberof values
> >>> weren't being calculated.
> >>>
> >>> This fixes it for new installs and adds an update to fix up existing
> >>> installs.
> >>>
> >>> rob
> >>
> >> It works fine when doing upgrade. However, when running a clean install,
> >> I get these errors:
> >>
> >> # ipa-server-install --setup-dns
> >> ...
> >> [9/13]: publish CA cert
> >> [10/13]: creating a keytab for httpd
> >> [11/13]: configuring SELinux for httpd
> >> [12/13]: restarting httpd
> >> [13/13]: configuring httpd to start on boot
> >> done configuring httpd.
> >> Applying LDAP updates
> >> root : ERROR Add failure Object class violation: missing required
> >> attribute "objectclass"
> >> root : ERROR Add failure Object class violation: missing required
> >> attribute "objectclass"
> >> root : ERROR Add failure Object class violation: missing required
> >> attribute "objectclass"
> >> Restarting IPA to initialize updates before performing deletes:
> >> [1/2]: stopping directory server
> >> [2/2]: starting directory server
> >> done configuring dirsrv.
> >> Restarting the directory server
> >> Restarting the KDC
> >> Restarting the web server
> >> Configuring named:
> >> [1/9]: adding DNS container
> >> [2/9]: setting up our zone
> >> [3/9]: setting up reverse zone
> >> [4/9]: setting up our own record
> >> [5/9]: setting up kerberos principal
> >> [6/9]: setting up named.conf
> >> [7/9]: restarting named
> >> [8/9]: configuring named to start on boot
> >> [9/9]: changing resolv.conf to point to ourselves
> >> done configuring named.
> >> ==============================================================================
> >>
> >> Setup complete
> >>
> >> Do you hit this too? Permissions and privileges member attributes were
> >> OK though.
> >>
> >> Martin
> >>
> >
> > Bah, ok. We only create these permissions when dns is installed so I'll
> > need to find some way to optionally add this.
> >
> > rob
> 
> I needed to add a new type to the updater to only add new values if the 
> entry exists.
> 
> rob

I still get the same error. We have a new handy addifnew update type
ready, lets use it in these DNS .update file too :-)

Martin



From mkosek at redhat.com  Fri Oct  7 09:25:27 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 07 Oct 2011 11:25:27 +0200
Subject: [Freeipa-devel] [PATCH] 888 always verify hostname
In-Reply-To: <4E8E6AF4.8060302@redhat.com>
References: <4E8E6AF4.8060302@redhat.com>
Message-ID: <1317979530.8399.26.camel@dhcp-25-52.brq.redhat.com>

On Thu, 2011-10-06 at 22:59 -0400, Rob Crittenden wrote:
> When installing with DNS we skip a few hostname checks on the assumption 
> that the DNS we are installing will cover things. We still need to 
> verify /etc/hosts and we do this with gethostbyname_ex() which returns 
> the primary name and all other names of the host. If the primary name 
> doesn't match (e.g. the shortname is defined first in /etc/hosts) or it 
> isn't resolvable at all then we error out.
> 
> This also prevents a chicken-and-egg error as several services need to 
> start before DNS is available so the hostname must be defined.
> 
> rob

I see several problems with the patch. At first, it needs a rebase, I
reworked the exceptions raised in verify_fqdn in #1899.

Then, this patch would break several things:

1) Now, when we install a server with --setup-dns and the host is not
resolvable, we add a record to /etc/hosts ourselves, so that the user is
not obliged to hack /etc/hosts:

# ipa-server-install --setup-dns
...
Server host name [vm-050.idm.lab.bos.redhat.com]: 

Warning: skipping DNS resolution of host vm-050.idm.lab.bos.redhat.com
The domain name has been calculated based on the host name.

Please confirm the domain name [idm.lab.bos.redhat.com]: 

Unable to resolve IP address for host name
Please provide the IP address to be used for this host name: 10.16.78.50
Adding [10.16.78.50 vm-050.idm.lab.bos.redhat.com] to your /etc/hosts file   <<<<<<
The IPA Master Server will be configured with
Hostname:    vm-050.idm.lab.bos.redhat.com
IP address:  10.16.78.50
Domain name: idm.lab.bos.redhat.com


2) This will break ipa-replica-prepare. We cannot assume that only local
host names are passed to to verify_fqdn since it is also used to for new
replica hostname check in ipa-replica-prepare:

# ipa-replica-prepare vm-103.idm.lab.bos.redhat.com
Directory Manager (existing master) password: 

The host name vm-103.idm.lab.bos.redhat.com is not resolvable. It must
appear in at least /etc/hosts.
Add the --ip-address argument to create a DNS entry.

We must be very cautious in this function, there was already a BZ from
RHEV-M guys which could be now broken:

https://bugzilla.redhat.com/show_bug.cgi?id=729357

Martin



From mkosek at redhat.com  Fri Oct  7 12:30:58 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 07 Oct 2011 14:30:58 +0200
Subject: [Freeipa-devel] [PATCH] 888 always verify hostname
In-Reply-To: <1317979530.8399.26.camel@dhcp-25-52.brq.redhat.com>
References: <4E8E6AF4.8060302@redhat.com>
	<1317979530.8399.26.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <1317990660.8399.37.camel@dhcp-25-52.brq.redhat.com>

On Fri, 2011-10-07 at 11:25 +0200, Martin Kosek wrote:
> On Thu, 2011-10-06 at 22:59 -0400, Rob Crittenden wrote:
> > When installing with DNS we skip a few hostname checks on the assumption 
> > that the DNS we are installing will cover things. We still need to 
> > verify /etc/hosts and we do this with gethostbyname_ex() which returns 
> > the primary name and all other names of the host. If the primary name 
> > doesn't match (e.g. the shortname is defined first in /etc/hosts) or it 
> > isn't resolvable at all then we error out.
> > 
> > This also prevents a chicken-and-egg error as several services need to 
> > start before DNS is available so the hostname must be defined.
> > 
> > rob
> 
> I see several problems with the patch. At first, it needs a rebase, I
> reworked the exceptions raised in verify_fqdn in #1899.
> 
> Then, this patch would break several things:
> 
> 1) Now, when we install a server with --setup-dns and the host is not
> resolvable, we add a record to /etc/hosts ourselves, so that the user is
> not obliged to hack /etc/hosts:
> 
> # ipa-server-install --setup-dns
> ...
> Server host name [vm-050.idm.lab.bos.redhat.com]: 
> 
> Warning: skipping DNS resolution of host vm-050.idm.lab.bos.redhat.com
> The domain name has been calculated based on the host name.
> 
> Please confirm the domain name [idm.lab.bos.redhat.com]: 
> 
> Unable to resolve IP address for host name
> Please provide the IP address to be used for this host name: 10.16.78.50
> Adding [10.16.78.50 vm-050.idm.lab.bos.redhat.com] to your /etc/hosts file   <<<<<<
> The IPA Master Server will be configured with
> Hostname:    vm-050.idm.lab.bos.redhat.com
> IP address:  10.16.78.50
> Domain name: idm.lab.bos.redhat.com
> 
> 
> 2) This will break ipa-replica-prepare. We cannot assume that only local
> host names are passed to to verify_fqdn since it is also used to for new
> replica hostname check in ipa-replica-prepare:
> 
> # ipa-replica-prepare vm-103.idm.lab.bos.redhat.com
> Directory Manager (existing master) password: 
> 
> The host name vm-103.idm.lab.bos.redhat.com is not resolvable. It must
> appear in at least /etc/hosts.
> Add the --ip-address argument to create a DNS entry.
> 
> We must be very cautious in this function, there was already a BZ from
> RHEV-M guys which could be now broken:
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=729357
> 
> Martin
> 

What about doing something like this (attached)? This would prevent user
installing IPA with misconfigured /etc/hosts for both following cases:
1.2.3.4 foo                                << just short name
1.2.3.4 foo foo.example.com                << short name is primary

It would still allow user to configure IPA with --setup-dns without
making a record in /etc/hosts on his own.

Martin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-140-check-hostname-resolution-sanity.patch
Type: text/x-patch
Size: 4660 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111007/5fa652a2/attachment.bin>

From mkosek at redhat.com  Fri Oct  7 12:48:52 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 07 Oct 2011 14:48:52 +0200
Subject: [Freeipa-devel] [PATCH] 141 Make sure ipa-client-install returns
	correct error code
Message-ID: <1317991737.8399.40.camel@dhcp-25-52.brq.redhat.com>

https://fedorahosted.org/freeipa/ticket/1937

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-141-make-sure-ipa-client-install-returns-correct-error-c.patch
Type: text/x-patch
Size: 886 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111007/c8ed674f/attachment.bin>

From rcritten at redhat.com  Fri Oct  7 12:52:42 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 07 Oct 2011 08:52:42 -0400
Subject: [Freeipa-devel] [PATCH] 887 add missing aci prefix to dns acis
In-Reply-To: <1317974016.8399.13.camel@dhcp-25-52.brq.redhat.com>
References: <4E8CC988.6050408@redhat.com>
	<1317902620.16404.34.camel@dhcp-25-52.brq.redhat.com>
	<4E8DEDF0.9080202@redhat.com> <1317929952.2489.2.camel@priserak>
	<4E8E05A6.4040903@redhat.com> <4E8E186C.7080108@redhat.com>
	<1317974016.8399.13.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4E8EF61A.6090707@redhat.com>

Martin Kosek wrote:
> On Thu, 2011-10-06 at 17:06 -0400, Rob Crittenden wrote:
>> Rob Crittenden wrote:
>>> Martin Kosek wrote:
>>>> On Thu, 2011-10-06 at 14:05 -0400, Rob Crittenden wrote:
>>>>> Martin Kosek wrote:
>>>>>> On Wed, 2011-10-05 at 17:18 -0400, Rob Crittenden wrote:
>>>>>>> The aci prefix was missing in the description of the three dns acis
>>>>>>> which made them not show up when viewing their permission entries.
>>>>>>>
>>>>>>> rob
>>>>>>
>>>>>> This works fine, but it is just a part of a solution. DNS related
>>>>>> privileges miss memberof attribute for the DNS permissions and thus the
>>>>>> permissions are not listed:
>>>>>>
>>>>>> # ipa permission-show "add dns entries"
>>>>>> Permission name: add dns entries
>>>>>> Permissions: add
>>>>>> Type: dnsrecord
>>>>>> Granted to Privilege: DNS Administrators, DNS Servers
>>>>>>
>>>>>> # ipa privilege-show "DNS Administrators"
>>>>>> Privilege name: DNS Administrators
>>>>>> Description: DNS Administrators
>>>>>> <<<  Missing permissions
>>>>>>
>>>>>> I think the reason is that the permissions are in a wrong order in the
>>>>>> LDIF and are created before the privilege itself. When member links are
>>>>>> being created for DNS permissions, the memberof plugin cannot add
>>>>>> memberof attributes for the privilege since it does not exist yet. This
>>>>>> is the main issue that the BZ bug complains about.
>>>>>>
>>>>>> Martin
>>>>>>
>>>>>
>>>>> There are two problems:
>>>>>
>>>>> 1. The acis lacked a prefix so they didn't appear as permissions
>>>>>
>>>>> 2. The permission was added before the privilege so the memberof values
>>>>> weren't being calculated.
>>>>>
>>>>> This fixes it for new installs and adds an update to fix up existing
>>>>> installs.
>>>>>
>>>>> rob
>>>>
>>>> It works fine when doing upgrade. However, when running a clean install,
>>>> I get these errors:
>>>>
>>>> # ipa-server-install --setup-dns
>>>> ...
>>>> [9/13]: publish CA cert
>>>> [10/13]: creating a keytab for httpd
>>>> [11/13]: configuring SELinux for httpd
>>>> [12/13]: restarting httpd
>>>> [13/13]: configuring httpd to start on boot
>>>> done configuring httpd.
>>>> Applying LDAP updates
>>>> root : ERROR Add failure Object class violation: missing required
>>>> attribute "objectclass"
>>>> root : ERROR Add failure Object class violation: missing required
>>>> attribute "objectclass"
>>>> root : ERROR Add failure Object class violation: missing required
>>>> attribute "objectclass"
>>>> Restarting IPA to initialize updates before performing deletes:
>>>> [1/2]: stopping directory server
>>>> [2/2]: starting directory server
>>>> done configuring dirsrv.
>>>> Restarting the directory server
>>>> Restarting the KDC
>>>> Restarting the web server
>>>> Configuring named:
>>>> [1/9]: adding DNS container
>>>> [2/9]: setting up our zone
>>>> [3/9]: setting up reverse zone
>>>> [4/9]: setting up our own record
>>>> [5/9]: setting up kerberos principal
>>>> [6/9]: setting up named.conf
>>>> [7/9]: restarting named
>>>> [8/9]: configuring named to start on boot
>>>> [9/9]: changing resolv.conf to point to ourselves
>>>> done configuring named.
>>>> ==============================================================================
>>>>
>>>> Setup complete
>>>>
>>>> Do you hit this too? Permissions and privileges member attributes were
>>>> OK though.
>>>>
>>>> Martin
>>>>
>>>
>>> Bah, ok. We only create these permissions when dns is installed so I'll
>>> need to find some way to optionally add this.
>>>
>>> rob
>>
>> I needed to add a new type to the updater to only add new values if the
>> entry exists.
>>
>> rob
>
> I still get the same error. We have a new handy addifnew update type
> ready, lets use it in these DNS .update file too :-)
>
> Martin
>

addifnew adds single value attributes if they aren't already in the 
entry, that will cause the same error.

rob



From rcritten at redhat.com  Fri Oct  7 12:58:14 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 07 Oct 2011 08:58:14 -0400
Subject: [Freeipa-devel] [PATCH] 888 always verify hostname
In-Reply-To: <1317979530.8399.26.camel@dhcp-25-52.brq.redhat.com>
References: <4E8E6AF4.8060302@redhat.com>
	<1317979530.8399.26.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4E8EF766.2070706@redhat.com>

Martin Kosek wrote:
> On Thu, 2011-10-06 at 22:59 -0400, Rob Crittenden wrote:
>> When installing with DNS we skip a few hostname checks on the assumption
>> that the DNS we are installing will cover things. We still need to
>> verify /etc/hosts and we do this with gethostbyname_ex() which returns
>> the primary name and all other names of the host. If the primary name
>> doesn't match (e.g. the shortname is defined first in /etc/hosts) or it
>> isn't resolvable at all then we error out.
>>
>> This also prevents a chicken-and-egg error as several services need to
>> start before DNS is available so the hostname must be defined.
>>
>> rob
>
> I see several problems with the patch. At first, it needs a rebase, I
> reworked the exceptions raised in verify_fqdn in #1899.
>
> Then, this patch would break several things:
>
> 1) Now, when we install a server with --setup-dns and the host is not
> resolvable, we add a record to /etc/hosts ourselves, so that the user is
> not obliged to hack /etc/hosts:
>
> # ipa-server-install --setup-dns
> ...
> Server host name [vm-050.idm.lab.bos.redhat.com]:
>
> Warning: skipping DNS resolution of host vm-050.idm.lab.bos.redhat.com
> The domain name has been calculated based on the host name.
>
> Please confirm the domain name [idm.lab.bos.redhat.com]:
>
> Unable to resolve IP address for host name
> Please provide the IP address to be used for this host name: 10.16.78.50
> Adding [10.16.78.50 vm-050.idm.lab.bos.redhat.com] to your /etc/hosts file<<<<<<
> The IPA Master Server will be configured with
> Hostname:    vm-050.idm.lab.bos.redhat.com
> IP address:  10.16.78.50
> Domain name: idm.lab.bos.redhat.com

Yes but the entry is added /etc/hosts at the very END of installation, 
apparently too late for some things. We can alternately add this prior 
to configuring anything else.

>
>
> 2) This will break ipa-replica-prepare. We cannot assume that only local
> host names are passed to to verify_fqdn since it is also used to for new
> replica hostname check in ipa-replica-prepare:
>
> # ipa-replica-prepare vm-103.idm.lab.bos.redhat.com
> Directory Manager (existing master) password:
>
> The host name vm-103.idm.lab.bos.redhat.com is not resolvable. It must
> appear in at least /etc/hosts.
> Add the --ip-address argument to create a DNS entry.
>
> We must be very cautious in this function, there was already a BZ from
> RHEV-M guys which could be now broken:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=729357
>
> Martin
>

Ok, perhaps it just needs to be pulled directly into ipa-server-install. 
We do need some mechanism to check /etc/hosts to be sure that there 
isn't an existing bad host entry.

rob



From mkosek at redhat.com  Fri Oct  7 13:06:38 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 07 Oct 2011 15:06:38 +0200
Subject: [Freeipa-devel] [PATCH] 888 always verify hostname
In-Reply-To: <4E8EF766.2070706@redhat.com>
References: <4E8E6AF4.8060302@redhat.com>
	<1317979530.8399.26.camel@dhcp-25-52.brq.redhat.com>
	<4E8EF766.2070706@redhat.com>
Message-ID: <1317992800.8399.43.camel@dhcp-25-52.brq.redhat.com>

On Fri, 2011-10-07 at 08:58 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > On Thu, 2011-10-06 at 22:59 -0400, Rob Crittenden wrote:
> >> When installing with DNS we skip a few hostname checks on the assumption
> >> that the DNS we are installing will cover things. We still need to
> >> verify /etc/hosts and we do this with gethostbyname_ex() which returns
> >> the primary name and all other names of the host. If the primary name
> >> doesn't match (e.g. the shortname is defined first in /etc/hosts) or it
> >> isn't resolvable at all then we error out.
> >>
> >> This also prevents a chicken-and-egg error as several services need to
> >> start before DNS is available so the hostname must be defined.
> >>
> >> rob
> >
> > I see several problems with the patch. At first, it needs a rebase, I
> > reworked the exceptions raised in verify_fqdn in #1899.
> >
> > Then, this patch would break several things:
> >
> > 1) Now, when we install a server with --setup-dns and the host is not
> > resolvable, we add a record to /etc/hosts ourselves, so that the user is
> > not obliged to hack /etc/hosts:
> >
> > # ipa-server-install --setup-dns
> > ...
> > Server host name [vm-050.idm.lab.bos.redhat.com]:
> >
> > Warning: skipping DNS resolution of host vm-050.idm.lab.bos.redhat.com
> > The domain name has been calculated based on the host name.
> >
> > Please confirm the domain name [idm.lab.bos.redhat.com]:
> >
> > Unable to resolve IP address for host name
> > Please provide the IP address to be used for this host name: 10.16.78.50
> > Adding [10.16.78.50 vm-050.idm.lab.bos.redhat.com] to your /etc/hosts file<<<<<<
> > The IPA Master Server will be configured with
> > Hostname:    vm-050.idm.lab.bos.redhat.com
> > IP address:  10.16.78.50
> > Domain name: idm.lab.bos.redhat.com
> 
> Yes but the entry is added /etc/hosts at the very END of installation, 
> apparently too late for some things. We can alternately add this prior 
> to configuring anything else.

But we add the entry to /etc/hosts right in the beginning. After the
line marked with <<<<<< is printed. I double-checked it right now.

> 
> >
> >
> > 2) This will break ipa-replica-prepare. We cannot assume that only local
> > host names are passed to to verify_fqdn since it is also used to for new
> > replica hostname check in ipa-replica-prepare:
> >
> > # ipa-replica-prepare vm-103.idm.lab.bos.redhat.com
> > Directory Manager (existing master) password:
> >
> > The host name vm-103.idm.lab.bos.redhat.com is not resolvable. It must
> > appear in at least /etc/hosts.
> > Add the --ip-address argument to create a DNS entry.
> >
> > We must be very cautious in this function, there was already a BZ from
> > RHEV-M guys which could be now broken:
> >
> > https://bugzilla.redhat.com/show_bug.cgi?id=729357
> >
> > Martin
> >
> 
> Ok, perhaps it just needs to be pulled directly into ipa-server-install. 
> We do need some mechanism to check /etc/hosts to be sure that there 
> isn't an existing bad host entry.
> 
> rob

Please check the patch I sent. I do one part in verify_fqdn and one part
in ipa-server-install when user gives us an address.

Martin



From abokovoy at redhat.com  Fri Oct  7 13:17:15 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Fri, 7 Oct 2011 16:17:15 +0300
Subject: [Freeipa-devel] [PATCH] 141 Make sure ipa-client-install
 returns correct error code
In-Reply-To: <1317991737.8399.40.camel@dhcp-25-52.brq.redhat.com>
References: <1317991737.8399.40.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <20111007131714.GA25040@redhat.com>

On Fri, 07 Oct 2011, Martin Kosek wrote:
> https://fedorahosted.org/freeipa/ticket/1937
> 
> >From d2c9d1518929fa83d8574e7ae555817e8cc96c5e Mon Sep 17 00:00:00 2001
> From: Martin Kosek <mkosek at redhat.com>
> Date: Fri, 7 Oct 2011 14:47:28 +0200
> Subject: [PATCH] Make sure ipa-client-install returns correct error code
> 
> https://fedorahosted.org/freeipa/ticket/1937
> ---
>  ipa-client/ipa-install/ipa-client-install |    2 ++
>  1 files changed, 2 insertions(+), 0 deletions(-)
> 
> diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
> index 75de24aab86b5381244fc800e5d1a4bc79df111f..ee643de537d97180b7c04811fa800b71b36ca16f 100755
> --- a/ipa-client/ipa-install/ipa-client-install
> +++ b/ipa-client/ipa-install/ipa-client-install
> @@ -1193,6 +1193,8 @@ def main():
>              options.unattended = True
>              uninstall(options, env, quiet=True)
>  
> +    return rval
> +
>  try:
>      if __name__ == "__main__":
>          sys.exit(main())
ACK.

-- 
/ Alexander Bokovoy



From rcritten at redhat.com  Fri Oct  7 13:18:01 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 07 Oct 2011 09:18:01 -0400
Subject: [Freeipa-devel] [PATCH] 888 always verify hostname
In-Reply-To: <1317992800.8399.43.camel@dhcp-25-52.brq.redhat.com>
References: <4E8E6AF4.8060302@redhat.com>
	<1317979530.8399.26.camel@dhcp-25-52.brq.redhat.com>
	<4E8EF766.2070706@redhat.com>
	<1317992800.8399.43.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4E8EFC09.9030301@redhat.com>

Martin Kosek wrote:
> On Fri, 2011-10-07 at 08:58 -0400, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> On Thu, 2011-10-06 at 22:59 -0400, Rob Crittenden wrote:
>>>> When installing with DNS we skip a few hostname checks on the assumption
>>>> that the DNS we are installing will cover things. We still need to
>>>> verify /etc/hosts and we do this with gethostbyname_ex() which returns
>>>> the primary name and all other names of the host. If the primary name
>>>> doesn't match (e.g. the shortname is defined first in /etc/hosts) or it
>>>> isn't resolvable at all then we error out.
>>>>
>>>> This also prevents a chicken-and-egg error as several services need to
>>>> start before DNS is available so the hostname must be defined.
>>>>
>>>> rob
>>>
>>> I see several problems with the patch. At first, it needs a rebase, I
>>> reworked the exceptions raised in verify_fqdn in #1899.
>>>
>>> Then, this patch would break several things:
>>>
>>> 1) Now, when we install a server with --setup-dns and the host is not
>>> resolvable, we add a record to /etc/hosts ourselves, so that the user is
>>> not obliged to hack /etc/hosts:
>>>
>>> # ipa-server-install --setup-dns
>>> ...
>>> Server host name [vm-050.idm.lab.bos.redhat.com]:
>>>
>>> Warning: skipping DNS resolution of host vm-050.idm.lab.bos.redhat.com
>>> The domain name has been calculated based on the host name.
>>>
>>> Please confirm the domain name [idm.lab.bos.redhat.com]:
>>>
>>> Unable to resolve IP address for host name
>>> Please provide the IP address to be used for this host name: 10.16.78.50
>>> Adding [10.16.78.50 vm-050.idm.lab.bos.redhat.com] to your /etc/hosts file<<<<<<
>>> The IPA Master Server will be configured with
>>> Hostname:    vm-050.idm.lab.bos.redhat.com
>>> IP address:  10.16.78.50
>>> Domain name: idm.lab.bos.redhat.com
>>
>> Yes but the entry is added /etc/hosts at the very END of installation,
>> apparently too late for some things. We can alternately add this prior
>> to configuring anything else.
>
> But we add the entry to /etc/hosts right in the beginning. After the
> line marked with<<<<<<  is printed. I double-checked it right now.

Ok, this is totally freaky then. See ticket 
https://fedorahosted.org/freeipa/ticket/1931
>
>>
>>>
>>>
>>> 2) This will break ipa-replica-prepare. We cannot assume that only local
>>> host names are passed to to verify_fqdn since it is also used to for new
>>> replica hostname check in ipa-replica-prepare:
>>>
>>> # ipa-replica-prepare vm-103.idm.lab.bos.redhat.com
>>> Directory Manager (existing master) password:
>>>
>>> The host name vm-103.idm.lab.bos.redhat.com is not resolvable. It must
>>> appear in at least /etc/hosts.
>>> Add the --ip-address argument to create a DNS entry.
>>>
>>> We must be very cautious in this function, there was already a BZ from
>>> RHEV-M guys which could be now broken:
>>>
>>> https://bugzilla.redhat.com/show_bug.cgi?id=729357
>>>
>>> Martin
>>>
>>
>> Ok, perhaps it just needs to be pulled directly into ipa-server-install.
>> We do need some mechanism to check /etc/hosts to be sure that there
>> isn't an existing bad host entry.
>>
>> rob
>
> Please check the patch I sent. I do one part in verify_fqdn and one part
> in ipa-server-install when user gives us an address.
>
> Martin
>



From mkosek at redhat.com  Fri Oct  7 13:26:03 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 07 Oct 2011 15:26:03 +0200
Subject: [Freeipa-devel] [PATCH] 141 Make sure ipa-client-install
 returns correct error code
In-Reply-To: <20111007131714.GA25040@redhat.com>
References: <1317991737.8399.40.camel@dhcp-25-52.brq.redhat.com>
	<20111007131714.GA25040@redhat.com>
Message-ID: <1317993965.8399.44.camel@dhcp-25-52.brq.redhat.com>

On Fri, 2011-10-07 at 16:17 +0300, Alexander Bokovoy wrote:
> On Fri, 07 Oct 2011, Martin Kosek wrote:
> > https://fedorahosted.org/freeipa/ticket/1937
> > 
> > >From d2c9d1518929fa83d8574e7ae555817e8cc96c5e Mon Sep 17 00:00:00 2001
> > From: Martin Kosek <mkosek at redhat.com>
> > Date: Fri, 7 Oct 2011 14:47:28 +0200
> > Subject: [PATCH] Make sure ipa-client-install returns correct error code
> > 
> > https://fedorahosted.org/freeipa/ticket/1937
> > ---
> >  ipa-client/ipa-install/ipa-client-install |    2 ++
> >  1 files changed, 2 insertions(+), 0 deletions(-)
> > 
> > diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
> > index 75de24aab86b5381244fc800e5d1a4bc79df111f..ee643de537d97180b7c04811fa800b71b36ca16f 100755
> > --- a/ipa-client/ipa-install/ipa-client-install
> > +++ b/ipa-client/ipa-install/ipa-client-install
> > @@ -1193,6 +1193,8 @@ def main():
> >              options.unattended = True
> >              uninstall(options, env, quiet=True)
> >  
> > +    return rval
> > +
> >  try:
> >      if __name__ == "__main__":
> >          sys.exit(main())
> ACK.
> 

Pushed to master, ipa-2-1.

Martin



From rcritten at redhat.com  Fri Oct  7 14:15:54 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 07 Oct 2011 10:15:54 -0400
Subject: [Freeipa-devel] [PATCH] 885 optimize indirect member calculation
In-Reply-To: <20111006110829.GA21545@redhat.com>
References: <4E8C7343.4090704@redhat.com> <20111006110829.GA21545@redhat.com>
Message-ID: <4E8F099A.3040002@redhat.com>

Alexander Bokovoy wrote:
> On Wed, 05 Oct 2011, Rob Crittenden wrote:
>> When calculating indirect membership of a group all members are
>> examined and if those have members, those are added as well. This
>> does not need to be done when the member in question is a user or a
>> host as they cannot have members.
>>
>> For large groups this is a significant performance improvement (as
>> well as reducing unnecessary load on 389-ds).
> Works for me. However, shouldn't we expand this to all terminal
> objects rather than users and hosts?
>
> Something like attached patch? The containers list should be sorted by
> probability of encountering the container in real life, with users and
> hosts to be at the beginning.

Pushed to master and ipa-2-1.

389-ds is still leaking something but this mitigates it somewhat and 
generally reduces the load when showing large groups.

rob



From mkosek at redhat.com  Fri Oct  7 14:46:13 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 07 Oct 2011 16:46:13 +0200
Subject: [Freeipa-devel] [PATCH] 887 add missing aci prefix to dns acis
In-Reply-To: <4E8EF61A.6090707@redhat.com>
References: <4E8CC988.6050408@redhat.com>
	<1317902620.16404.34.camel@dhcp-25-52.brq.redhat.com>
	<4E8DEDF0.9080202@redhat.com> <1317929952.2489.2.camel@priserak>
	<4E8E05A6.4040903@redhat.com> <4E8E186C.7080108@redhat.com>
	<1317974016.8399.13.camel@dhcp-25-52.brq.redhat.com>
	<4E8EF61A.6090707@redhat.com>
Message-ID: <1317998775.8399.49.camel@dhcp-25-52.brq.redhat.com>

On Fri, 2011-10-07 at 08:52 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > On Thu, 2011-10-06 at 17:06 -0400, Rob Crittenden wrote:
> >> Rob Crittenden wrote:
> >>> Martin Kosek wrote:
> >>>> On Thu, 2011-10-06 at 14:05 -0400, Rob Crittenden wrote:
> >>>>> Martin Kosek wrote:
> >>>>>> On Wed, 2011-10-05 at 17:18 -0400, Rob Crittenden wrote:
> >>>>>>> The aci prefix was missing in the description of the three dns acis
> >>>>>>> which made them not show up when viewing their permission entries.
> >>>>>>>
> >>>>>>> rob
> >>>>>>
> >>>>>> This works fine, but it is just a part of a solution. DNS related
> >>>>>> privileges miss memberof attribute for the DNS permissions and thus the
> >>>>>> permissions are not listed:
> >>>>>>
> >>>>>> # ipa permission-show "add dns entries"
> >>>>>> Permission name: add dns entries
> >>>>>> Permissions: add
> >>>>>> Type: dnsrecord
> >>>>>> Granted to Privilege: DNS Administrators, DNS Servers
> >>>>>>
> >>>>>> # ipa privilege-show "DNS Administrators"
> >>>>>> Privilege name: DNS Administrators
> >>>>>> Description: DNS Administrators
> >>>>>> <<<  Missing permissions
> >>>>>>
> >>>>>> I think the reason is that the permissions are in a wrong order in the
> >>>>>> LDIF and are created before the privilege itself. When member links are
> >>>>>> being created for DNS permissions, the memberof plugin cannot add
> >>>>>> memberof attributes for the privilege since it does not exist yet. This
> >>>>>> is the main issue that the BZ bug complains about.
> >>>>>>
> >>>>>> Martin
> >>>>>>
> >>>>>
> >>>>> There are two problems:
> >>>>>
> >>>>> 1. The acis lacked a prefix so they didn't appear as permissions
> >>>>>
> >>>>> 2. The permission was added before the privilege so the memberof values
> >>>>> weren't being calculated.
> >>>>>
> >>>>> This fixes it for new installs and adds an update to fix up existing
> >>>>> installs.
> >>>>>
> >>>>> rob
> >>>>
> >>>> It works fine when doing upgrade. However, when running a clean install,
> >>>> I get these errors:
> >>>>
> >>>> # ipa-server-install --setup-dns
> >>>> ...
> >>>> [9/13]: publish CA cert
> >>>> [10/13]: creating a keytab for httpd
> >>>> [11/13]: configuring SELinux for httpd
> >>>> [12/13]: restarting httpd
> >>>> [13/13]: configuring httpd to start on boot
> >>>> done configuring httpd.
> >>>> Applying LDAP updates
> >>>> root : ERROR Add failure Object class violation: missing required
> >>>> attribute "objectclass"
> >>>> root : ERROR Add failure Object class violation: missing required
> >>>> attribute "objectclass"
> >>>> root : ERROR Add failure Object class violation: missing required
> >>>> attribute "objectclass"
> >>>> Restarting IPA to initialize updates before performing deletes:
> >>>> [1/2]: stopping directory server
> >>>> [2/2]: starting directory server
> >>>> done configuring dirsrv.
> >>>> Restarting the directory server
> >>>> Restarting the KDC
> >>>> Restarting the web server
> >>>> Configuring named:
> >>>> [1/9]: adding DNS container
> >>>> [2/9]: setting up our zone
> >>>> [3/9]: setting up reverse zone
> >>>> [4/9]: setting up our own record
> >>>> [5/9]: setting up kerberos principal
> >>>> [6/9]: setting up named.conf
> >>>> [7/9]: restarting named
> >>>> [8/9]: configuring named to start on boot
> >>>> [9/9]: changing resolv.conf to point to ourselves
> >>>> done configuring named.
> >>>> ==============================================================================
> >>>>
> >>>> Setup complete
> >>>>
> >>>> Do you hit this too? Permissions and privileges member attributes were
> >>>> OK though.
> >>>>
> >>>> Martin
> >>>>
> >>>
> >>> Bah, ok. We only create these permissions when dns is installed so I'll
> >>> need to find some way to optionally add this.
> >>>
> >>> rob
> >>
> >> I needed to add a new type to the updater to only add new values if the
> >> entry exists.
> >>
> >> rob
> >
> > I still get the same error. We have a new handy addifnew update type
> > ready, lets use it in these DNS .update file too :-)
> >
> > Martin
> >
> 
> addifnew adds single value attributes if they aren't already in the 
> entry, that will cause the same error.
> 
> rob

I tested the patch when I replaced all add: directives 40-dns.update
with addifexist. The clean installation now did not produce any error,
memberships were OK.

However, updating existing installation with DNS was not OK - privileges
are still without memberof attributes:

# ipa privilege-find dns
--------------------
2 privileges matched
--------------------
  Privilege name: DNS Administrators
  Description: DNS Administrators

  Privilege name: DNS Servers
  Description: DNS Servers
----------------------------
Number of entries returned 2
----------------------------

Martin



From rcritten at redhat.com  Fri Oct  7 15:09:11 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 07 Oct 2011 11:09:11 -0400
Subject: [Freeipa-devel] [PATCH] 887 add missing aci prefix to dns acis
In-Reply-To: <1317998775.8399.49.camel@dhcp-25-52.brq.redhat.com>
References: <4E8CC988.6050408@redhat.com>
	<1317902620.16404.34.camel@dhcp-25-52.brq.redhat.com>
	<4E8DEDF0.9080202@redhat.com> <1317929952.2489.2.camel@priserak>
	<4E8E05A6.4040903@redhat.com> <4E8E186C.7080108@redhat.com>
	<1317974016.8399.13.camel@dhcp-25-52.brq.redhat.com>
	<4E8EF61A.6090707@redhat.com>
	<1317998775.8399.49.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4E8F1617.90005@redhat.com>

Martin Kosek wrote:
> On Fri, 2011-10-07 at 08:52 -0400, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> On Thu, 2011-10-06 at 17:06 -0400, Rob Crittenden wrote:
>>>> Rob Crittenden wrote:
>>>>> Martin Kosek wrote:
>>>>>> On Thu, 2011-10-06 at 14:05 -0400, Rob Crittenden wrote:
>>>>>>> Martin Kosek wrote:
>>>>>>>> On Wed, 2011-10-05 at 17:18 -0400, Rob Crittenden wrote:
>>>>>>>>> The aci prefix was missing in the description of the three dns acis
>>>>>>>>> which made them not show up when viewing their permission entries.
>>>>>>>>>
>>>>>>>>> rob
>>>>>>>>
>>>>>>>> This works fine, but it is just a part of a solution. DNS related
>>>>>>>> privileges miss memberof attribute for the DNS permissions and thus the
>>>>>>>> permissions are not listed:
>>>>>>>>
>>>>>>>> # ipa permission-show "add dns entries"
>>>>>>>> Permission name: add dns entries
>>>>>>>> Permissions: add
>>>>>>>> Type: dnsrecord
>>>>>>>> Granted to Privilege: DNS Administrators, DNS Servers
>>>>>>>>
>>>>>>>> # ipa privilege-show "DNS Administrators"
>>>>>>>> Privilege name: DNS Administrators
>>>>>>>> Description: DNS Administrators
>>>>>>>> <<<   Missing permissions
>>>>>>>>
>>>>>>>> I think the reason is that the permissions are in a wrong order in the
>>>>>>>> LDIF and are created before the privilege itself. When member links are
>>>>>>>> being created for DNS permissions, the memberof plugin cannot add
>>>>>>>> memberof attributes for the privilege since it does not exist yet. This
>>>>>>>> is the main issue that the BZ bug complains about.
>>>>>>>>
>>>>>>>> Martin
>>>>>>>>
>>>>>>>
>>>>>>> There are two problems:
>>>>>>>
>>>>>>> 1. The acis lacked a prefix so they didn't appear as permissions
>>>>>>>
>>>>>>> 2. The permission was added before the privilege so the memberof values
>>>>>>> weren't being calculated.
>>>>>>>
>>>>>>> This fixes it for new installs and adds an update to fix up existing
>>>>>>> installs.
>>>>>>>
>>>>>>> rob
>>>>>>
>>>>>> It works fine when doing upgrade. However, when running a clean install,
>>>>>> I get these errors:
>>>>>>
>>>>>> # ipa-server-install --setup-dns
>>>>>> ...
>>>>>> [9/13]: publish CA cert
>>>>>> [10/13]: creating a keytab for httpd
>>>>>> [11/13]: configuring SELinux for httpd
>>>>>> [12/13]: restarting httpd
>>>>>> [13/13]: configuring httpd to start on boot
>>>>>> done configuring httpd.
>>>>>> Applying LDAP updates
>>>>>> root : ERROR Add failure Object class violation: missing required
>>>>>> attribute "objectclass"
>>>>>> root : ERROR Add failure Object class violation: missing required
>>>>>> attribute "objectclass"
>>>>>> root : ERROR Add failure Object class violation: missing required
>>>>>> attribute "objectclass"
>>>>>> Restarting IPA to initialize updates before performing deletes:
>>>>>> [1/2]: stopping directory server
>>>>>> [2/2]: starting directory server
>>>>>> done configuring dirsrv.
>>>>>> Restarting the directory server
>>>>>> Restarting the KDC
>>>>>> Restarting the web server
>>>>>> Configuring named:
>>>>>> [1/9]: adding DNS container
>>>>>> [2/9]: setting up our zone
>>>>>> [3/9]: setting up reverse zone
>>>>>> [4/9]: setting up our own record
>>>>>> [5/9]: setting up kerberos principal
>>>>>> [6/9]: setting up named.conf
>>>>>> [7/9]: restarting named
>>>>>> [8/9]: configuring named to start on boot
>>>>>> [9/9]: changing resolv.conf to point to ourselves
>>>>>> done configuring named.
>>>>>> ==============================================================================
>>>>>>
>>>>>> Setup complete
>>>>>>
>>>>>> Do you hit this too? Permissions and privileges member attributes were
>>>>>> OK though.
>>>>>>
>>>>>> Martin
>>>>>>
>>>>>
>>>>> Bah, ok. We only create these permissions when dns is installed so I'll
>>>>> need to find some way to optionally add this.
>>>>>
>>>>> rob
>>>>
>>>> I needed to add a new type to the updater to only add new values if the
>>>> entry exists.
>>>>
>>>> rob
>>>
>>> I still get the same error. We have a new handy addifnew update type
>>> ready, lets use it in these DNS .update file too :-)
>>>
>>> Martin
>>>
>>
>> addifnew adds single value attributes if they aren't already in the
>> entry, that will cause the same error.
>>
>> rob
>
> I tested the patch when I replaced all add: directives 40-dns.update
> with addifexist. The clean installation now did not produce any error,
> memberships were OK.
>
> However, updating existing installation with DNS was not OK - privileges
> are still without memberof attributes:
>
> # ipa privilege-find dns
> --------------------
> 2 privileges matched
> --------------------
>    Privilege name: DNS Administrators
>    Description: DNS Administrators
>
>    Privilege name: DNS Servers
>    Description: DNS Servers
> ----------------------------
> Number of entries returned 2
> ----------------------------
>
> Martin
>

Strange, it works for me. Can you try this updated patch?

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-887-4-prefix.patch
Type: text/x-patch
Size: 12268 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111007/cd182ea0/attachment.bin>

From pvoborni at redhat.com  Fri Oct  7 15:55:54 2011
From: pvoborni at redhat.com (Petr Vobornik)
Date: Fri, 07 Oct 2011 17:55:54 +0200
Subject: [Freeipa-devel] [PATCH] 021 Split Web UI initialization to several
	smaller calls
Message-ID: <4E8F210A.1030409@redhat.com>

https://fedorahosted.org/freeipa/ticket/1933

based on ayoung-0286-split-metadata-call

Web UI init method was modified to get initialization data in 3 calls.
First call remains the same as before except that the json_metadata 
command was removed.

JSON metadata are requested after successful response of the first batch 
command. This approach should preserve functionality in IE (where 
request is missing after authentication). Getting JSON metadata is split 
to two commands - this should prevent the error in linked ticket. These 
two commands are paralelly executed by new concurent_command object.

Concurrent command waits for all responses then it calls each command's 
success handler.

I don't know if this patch actually solves the problem because I didn't 
manage to reproduce it.

Note: In the attached archive is patch for updating data files (offline, 
unit testing). Unpacked it has 1.4MiB...
-- 
Petr Vobornik
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0021-Split-Web-UI-initialization-to-several-smaller-calls.patch
Type: text/x-patch
Size: 7668 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111007/75ee2deb/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0021-1-Split-Web-UI-initialization-to-several-smaller-calls.patch.zip
Type: application/zip
Size: 59540 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111007/75ee2deb/attachment.zip>

From ayoung at redhat.com  Fri Oct  7 17:50:01 2011
From: ayoung at redhat.com (Adam Young)
Date: Fri, 07 Oct 2011 13:50:01 -0400
Subject: [Freeipa-devel] [PATCHES]  0287 and 0288 for Proxy upgrade
In-Reply-To: <4E8E6242.7030804@redhat.com>
References: <4E8E5581.6040802@redhat.com> <4E8E6242.7030804@redhat.com>
Message-ID: <4E8F3BC9.8030302@redhat.com>

On 10/06/2011 10:21 PM, Rob Crittenden wrote:
> Adam Young wrote:
>> Not yet ready for prime time.
>>
>> I've tested the changes to updateinstance by hand, so I know they work.
>> I'm having problems with the python import setup.
>>
>> RPM build fails with:
>>
>>
>> install/tools/ipa-upgradeconfig:36: [F0401] Unable to import 
>> 'installutils'
>>
>>
>> And, if I uncomment the import for http utils, I get an error at run
>> time as well. That confuses me, as I am able to import installutils at
>> runtime.
>
> I think these patches fix it. Please double check my comments. I 
> tested this on a non-updated dogtag install (e.g. it doesn't have the 
> new script) and it didn't seem to break anything.
>
> rob
They work, but require this additional patch to the RPM spec.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0289-Force-the-upgrade-of-pki-setup-when-upgrading-the-RP.patch
Type: text/x-patch
Size: 3391 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111007/34220db2/attachment.bin>

From simo at redhat.com  Fri Oct  7 18:14:48 2011
From: simo at redhat.com (Simo Sorce)
Date: Fri, 07 Oct 2011 14:14:48 -0400
Subject: [Freeipa-devel] [PATCH] #1794 - Speed up replica setup
In-Reply-To: <1317680239.17819.19.camel@willson.li.ssimo.org>
References: <1317673256.17819.13.camel@willson.li.ssimo.org>
	<1317680239.17819.19.camel@willson.li.ssimo.org>
Message-ID: <1318011288.31149.10.camel@willson.li.ssimo.org>

On Mon, 2011-10-03 at 18:17 -0400, Simo Sorce wrote:
> On Mon, 2011-10-03 at 16:20 -0400, Simo Sorce wrote:
> > Newer 389ds servers have a new option to have a different set of
> > filtered attributes from normal replication.
> > 
> > This has been added in order to allow DS to replicate memberof
> > attributes only during a total update so that we do not need to run a
> > fixup memberof task on a replica at install time.
> > This task is quite inefficient for big database and can take a long
> > time. By replicating memberof while the DB is locked we are guaranteed
> > the memberof list is consistent so we do not need a fixup.
> > 
> > This patch allows to enable this feature dynamically. If the server does
> > not yet support the new option it falls back to the previous behavior.
> > 
> > Fixes: https://fedorahosted.org/freeipa/ticket/1794
> > 
> > I am sending the patch but it has been jointly developed at various
> > stages by Nathan, JR, and me.
> > 
> > Simo.
> 
> After some thinking I found out that we cannot commit this patch until
> the memberof plugin is converted to use the new transaction interfaces
> for plugins, as otherwise it is possible to run into race conditions
> where the member/memberof relations are not settled if a new replica is
> installed while member attributes are being changed.
> 
> Granted the race is quite small and unlikely but real.
> So please test and ack it, but we need to defer pushing to stable
> branches until ds copes.
> I think it is ok to push to master for testing, DS should have the
> necessary support by the time we make another stable release from master
> and in our test environments I am sure we will never hit the race.

After some more testing I found a small bug that can cause issues in
some conditions, new patch attached.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-2-Replication-Adjust-replica-installation-to-omit-proc.patch
Type: text/x-patch
Size: 6040 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111007/7d9cec9f/attachment.bin>

From rcritten at redhat.com  Fri Oct  7 18:42:14 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 07 Oct 2011 14:42:14 -0400
Subject: [Freeipa-devel] [PATCHES]  0287 and 0288 for Proxy upgrade
In-Reply-To: <4E8F3BC9.8030302@redhat.com>
References: <4E8E5581.6040802@redhat.com> <4E8E6242.7030804@redhat.com>
	<4E8F3BC9.8030302@redhat.com>
Message-ID: <4E8F4806.7040601@redhat.com>

Adam Young wrote:
> On 10/06/2011 10:21 PM, Rob Crittenden wrote:
>> Adam Young wrote:
>>> Not yet ready for prime time.
>>>
>>> I've tested the changes to updateinstance by hand, so I know they work.
>>> I'm having problems with the python import setup.
>>>
>>> RPM build fails with:
>>>
>>>
>>> install/tools/ipa-upgradeconfig:36: [F0401] Unable to import
>>> 'installutils'
>>>
>>>
>>> And, if I uncomment the import for http utils, I get an error at run
>>> time as well. That confuses me, as I am able to import installutils at
>>> runtime.
>>
>> I think these patches fix it. Please double check my comments. I
>> tested this on a non-updated dogtag install (e.g. it doesn't have the
>> new script) and it didn't seem to break anything.
>>
>> rob
> They work, but require this additional patch to the RPM spec.

We talked about this a bit in IRC. I think we want to bump up all dogtag 
packages to 9.0.15. The update is pending push to updates-testing at 
this moment.

With that change ack all around, just be sure to remove the non-sequitor 
services change before pushing.

rob



From ayoung at redhat.com  Fri Oct  7 18:56:52 2011
From: ayoung at redhat.com (Adam Young)
Date: Fri, 07 Oct 2011 14:56:52 -0400
Subject: [Freeipa-devel] [PATCH] 021 Split Web UI initialization to
 several smaller calls
In-Reply-To: <4E8F210A.1030409@redhat.com>
References: <4E8F210A.1030409@redhat.com>
Message-ID: <4E8F4B74.4040708@redhat.com>

On 10/07/2011 11:55 AM, Petr Vobornik wrote:
> https://fedorahosted.org/freeipa/ticket/1933
>
> based on ayoung-0286-split-metadata-call
>
> Web UI init method was modified to get initialization data in 3 calls.
> First call remains the same as before except that the json_metadata 
> command was removed.
>
> JSON metadata are requested after successful response of the first 
> batch command. This approach should preserve functionality in IE 
> (where request is missing after authentication). Getting JSON metadata 
> is split to two commands - this should prevent the error in linked 
> ticket. These two commands are paralelly executed by new 
> concurent_command object.
>
> Concurrent command waits for all responses then it calls each 
> command's success handler.
>
> I don't know if this patch actually solves the problem because I 
> didn't manage to reproduce it.
>
> Note: In the attached archive is patch for updating data files 
> (offline, unit testing). Unpacked it has 1.4MiB...
>
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
ACK.  I pushed both patches to ipa-2.1.
The patch naming was off:  don't use -1 to indicate a related patch, but 
rather a newer version of an already submitted patch.




-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111007/639e47c5/attachment.htm>

From ayoung at redhat.com  Fri Oct  7 19:05:19 2011
From: ayoung at redhat.com (Adam Young)
Date: Fri, 07 Oct 2011 15:05:19 -0400
Subject: [Freeipa-devel] [PATCHES]  0287 and 0288 for Proxy upgrade
In-Reply-To: <4E8F4806.7040601@redhat.com>
References: <4E8E5581.6040802@redhat.com> <4E8E6242.7030804@redhat.com>
	<4E8F3BC9.8030302@redhat.com> <4E8F4806.7040601@redhat.com>
Message-ID: <4E8F4D6F.1030700@redhat.com>

On 10/07/2011 02:42 PM, Rob Crittenden wrote:
> Adam Young wrote:
>> On 10/06/2011 10:21 PM, Rob Crittenden wrote:
>>> Adam Young wrote:
>>>> Not yet ready for prime time.
>>>>
>>>> I've tested the changes to updateinstance by hand, so I know they 
>>>> work.
>>>> I'm having problems with the python import setup.
>>>>
>>>> RPM build fails with:
>>>>
>>>>
>>>> install/tools/ipa-upgradeconfig:36: [F0401] Unable to import
>>>> 'installutils'
>>>>
>>>>
>>>> And, if I uncomment the import for http utils, I get an error at run
>>>> time as well. That confuses me, as I am able to import installutils at
>>>> runtime.
>>>
>>> I think these patches fix it. Please double check my comments. I
>>> tested this on a non-updated dogtag install (e.g. it doesn't have the
>>> new script) and it didn't seem to break anything.
>>>
>>> rob
>> They work, but require this additional patch to the RPM spec.
>
> We talked about this a bit in IRC. I think we want to bump up all 
> dogtag packages to 9.0.15. The update is pending push to 
> updates-testing at this moment.
>
> With that change ack all around, just be sure to remove the 
> non-sequitor services change before pushing.
>
> rob
removed service change and pushed to ipa-2.1



From mkosek at redhat.com  Mon Oct 10 07:35:08 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 10 Oct 2011 09:35:08 +0200
Subject: [Freeipa-devel] [PATCH] 887 add missing aci prefix to dns acis
In-Reply-To: <4E8F1617.90005@redhat.com>
References: <4E8CC988.6050408@redhat.com>
	<1317902620.16404.34.camel@dhcp-25-52.brq.redhat.com>
	<4E8DEDF0.9080202@redhat.com> <1317929952.2489.2.camel@priserak>
	<4E8E05A6.4040903@redhat.com> <4E8E186C.7080108@redhat.com>
	<1317974016.8399.13.camel@dhcp-25-52.brq.redhat.com>
	<4E8EF61A.6090707@redhat.com>
	<1317998775.8399.49.camel@dhcp-25-52.brq.redhat.com>
	<4E8F1617.90005@redhat.com>
Message-ID: <1318232111.23975.6.camel@dhcp-25-52.brq.redhat.com>

On Fri, 2011-10-07 at 11:09 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:

> >
> > I tested the patch when I replaced all add: directives 40-dns.update
> > with addifexist. The clean installation now did not produce any error,
> > memberships were OK.
> >
> > However, updating existing installation with DNS was not OK - privileges
> > are still without memberof attributes:
> >
> > # ipa privilege-find dns
> > --------------------
> > 2 privileges matched
> > --------------------
> >    Privilege name: DNS Administrators
> >    Description: DNS Administrators
> >
> >    Privilege name: DNS Servers
> >    Description: DNS Servers
> > ----------------------------
> > Number of entries returned 2
> > ----------------------------
> >
> > Martin
> >
> 
> Strange, it works for me. Can you try this updated patch?
> 
> rob

I must have been doing something wrong. This one works fine - both
upgrade and a fresh installation.

ACK.

Martin



From pvoborni at redhat.com  Mon Oct 10 12:13:47 2011
From: pvoborni at redhat.com (Petr Vobornik)
Date: Mon, 10 Oct 2011 14:13:47 +0200
Subject: [Freeipa-devel] [PATCH] 023 Circular entity dependency
Message-ID: <4E92E17B.7040701@redhat.com>

https://fedorahosted.org/freeipa/ticket/1531

(3.0 Core Effort Iteration 01 September Y11 Release)

Implemented solution:
  * all entities are created on application start
  * dependant objects (facets and dialogs) are created at once on their 
first use in entity.

Note(patch naming): patch 022 was second part of 021, but the file name 
was wrong(021-1)
-- 
Petr Vobornik
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0023-Circular-entity-dependency.patch
Type: text/x-patch
Size: 19288 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111010/330e0c76/attachment.bin>

From abokovoy at redhat.com  Mon Oct 10 13:43:09 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Mon, 10 Oct 2011 16:43:09 +0300
Subject: [Freeipa-devel] [PATCH, 2.1] 0021 Fedora 16 and systemd support
Message-ID: <20111010134235.GB3661@redhat.com>

Hi,

rebased, updated package dependencies, and verified against 
Fedora 16+updates-testing.

This patch is for ipa-2-1 branch. I need to do few cosmetic changes in 
freeipa.spec.in to accomodate it to 3.0 (master branch) as ipa_kpasswd 
is gone there.

-- 
/ Alexander Bokovoy
-------------- next part --------------
>From f71e9d5f59de43293b4162c933502fd80e5d3aa3 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy at redhat.com>
Date: Mon, 10 Oct 2011 15:25:15 +0300
Subject: [PATCH] Add support for systemd environments and use it to support
 Fedora 16

https://fedorahosted.org/freeipa/ticket/1192
---
 Makefile                          |    2 +-
 freeipa.spec.in                   |   77 ++++++++++++++-
 ipa.init => init/SystemV/ipa.init |    0
 init/systemd/ipa.service          |   14 +++
 init/systemd/ipa_kpasswd.service  |   10 ++
 install/tools/ipactl              |   12 ++-
 ipapython/config.py               |    2 +-
 ipapython/ipautil.py              |   90 ++++++++++++++++
 ipapython/platform/base.py        |   14 ++--
 ipapython/platform/fedora16.py    |  113 ++++++++++++++++++++
 ipapython/platform/redhat.py      |   61 ++---------
 ipapython/platform/systemd.py     |  204 +++++++++++++++++++++++++++++++++++++
 ipaserver/install/cainstance.py   |    4 +-
 ipaserver/install/dsinstance.py   |    6 +-
 ipaserver/install/krbinstance.py  |   30 ++----
 15 files changed, 552 insertions(+), 87 deletions(-)
 rename ipa.init => init/SystemV/ipa.init (100%)
 create mode 100644 init/systemd/ipa.service
 create mode 100644 init/systemd/ipa_kpasswd.service
 create mode 100644 ipapython/platform/fedora16.py
 create mode 100644 ipapython/platform/systemd.py

diff --git a/Makefile b/Makefile
index 9d8802587f9fa1130271d3824667d83b637ac9ee..3cd08e2e9dd6b65ae9ad82af08cc68979048b6cd 100644
--- a/Makefile
+++ b/Makefile
@@ -8,7 +8,7 @@ PRJ_PREFIX=freeipa
 RPMBUILD ?= $(PWD)/rpmbuild
 TARGET ?= master
 
-SUPPORTED_PLATFORM=redhat
+SUPPORTED_PLATFORM ?= redhat
 
 # After updating the version in VERSION you should run the version-update
 # target.
diff --git a/freeipa.spec.in b/freeipa.spec.in
index ed88e445aeb1783ea2011dc6ad62b5e3bf05db8e..927ec1cd839b1a2b2947f28ce754e98c2600b70d 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -24,10 +24,17 @@ Source0:        freeipa-%{version}.tar.gz
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
 %if ! %{ONLY_CLIENT}
+%if 0%{?fedora} >= 16
+BuildRequires: 389-ds-base-devel >= 1.2.10
+%else
 BuildRequires:  389-ds-base-devel >= 1.2.9
+%endif
 BuildRequires:  svrcore-devel
 BuildRequires:  /usr/share/selinux/devel/Makefile
 BuildRequires:  policycoreutils >= %{POLICYCOREUTILSVER}
+%if 0%{?fedora} >= 16
+BuildRequires:  systemd-units 
+%endif
 %endif
 BuildRequires:  nspr-devel
 BuildRequires:  nss-devel
@@ -85,11 +92,19 @@ Requires: %{name}-python = %{version}-%{release}
 Requires: %{name}-client = %{version}-%{release}
 Requires: %{name}-admintools = %{version}-%{release}
 Requires: %{name}-server-selinux = %{version}-%{release}
+%if 0%{?fedora} >= 16
+Requires(pre): 389-ds-base >= 1.2.10-0.1.a1
+%else
 Requires(pre): 389-ds-base >= 1.2.9.7-1
+%endif
 Requires: openldap-clients
 Requires: nss
 Requires: nss-tools
+%if 0%{?fedora} >= 16
+Requires: krb5-server >= 1.9.1-15
+%else
 Requires: krb5-server
+%endif
 Requires: krb5-server-ldap
 Requires: krb5-pkinit-openssl
 Requires: cyrus-sasl-gssapi%{?_isa}
@@ -102,6 +117,11 @@ Requires: python-ldap
 Requires: python-krbV
 Requires: acl
 Requires: python-pyasn1 >= 0.0.9a
+%if 0%{?fedora} >= 16
+Requires: systemd-units >= 36-3
+Requires(pre): systemd-units
+Requires(post): systemd-units
+%endif
 %if 0%{?fedora} >= 15
 Requires: selinux-policy >= 3.9.16-18
 %else
@@ -109,6 +129,12 @@ Requires: selinux-policy >= 3.9.7-27
 %endif
 Requires(post): selinux-policy-base
 Requires: slapi-nis >= 0.21
+%if 0%{?fedora} >= 16
+Requires: pki-ca >= 9.0.15
+Requires: pki-silent >= 9.0.15
+# Only tomcat6 greater than this version provides proper systemd support
+Requires: tomcat6 >= 6.0.32-17
+%else
 %if 0%{?fedora} >= 15
 Requires: pki-ca >= 9.0.15
 Requires: pki-silent >= 9.0.15
@@ -117,13 +143,19 @@ Requires: pki-setup  >= 9.0.15
 Requires: pki-ca >= 9.0.5
 Requires: pki-silent >= 9.0.5
 %endif
+%endif
 Requires: dogtag-pki-common-theme
 Requires: dogtag-pki-ca-theme
 %if 0%{?rhel}
 Requires: subscription-manager
 %endif
+%if 0%{?fedora} >= 16
+Requires(preun): python systemd-units
+Requires(postun): python systemd-units
+%else
 Requires(preun):  python initscripts chkconfig
 Requires(postun): python initscripts chkconfig
+%endif
 
 # We have a soft-requires on bind. It is an optional part of
 # IPA but if it is configured we need a way to require versions
@@ -252,6 +284,9 @@ package.
 %build
 export CFLAGS="$CFLAGS %{optflags}"
 export CPPFLAGS="$CPPFLAGS %{optflags}"
+%if 0%{?fedora} >= 16
+export SUPPORTED_PLATFORM=fedora16
+%endif
 make version-update
 cd ipa-client; ../autogen.sh --prefix=%{_usr} --sysconfdir=%{_sysconfdir} --localstatedir=%{_localstatedir} --libdir=%{_libdir} --mandir=%{_mandir}; cd ..
 %if ! %{ONLY_CLIENT}
@@ -313,7 +348,16 @@ mkdir -p %{buildroot}%{_sysconfdir}/httpd/conf.d/
 /bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa.conf
 /bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-pki-proxy.conf
 /bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf
-install -m755 ipa.init %{buildroot}%{_initrddir}/ipa
+%if 0%{?fedora} >= 16
+# Default to systemd initscripts for F16 and above
+mkdir -p %{buildroot}%{_unitdir}
+for i in ipa.service ipa_kpasswd.service ; do
+	install -m 644 init/systemd/$i %{buildroot}%{_unitdir}/$i
+done
+rm -f %{buildroot}%{_initrddir}/ipa_kpasswd
+%else
+install -m755 init/SystemV/ipa.init %{buildroot}%{_initrddir}/ipa
+%endif
 %endif
 
 mkdir -p %{buildroot}%{_sysconfdir}/ipa/
@@ -333,8 +377,14 @@ rm -rf %{buildroot}
 %if ! %{ONLY_CLIENT}
 %post server
 if [ $1 = 1 ]; then
+%if 0%{?fedora} >= 16
+# Use systemd scheme
+    /bin/systemctl --system daemon-reload 2>&1 || :
+%else
+# Use SystemV scheme only before F16
     /sbin/chkconfig --add ipa
     /sbin/chkconfig --add ipa_kpasswd
+%endif
 fi
 if [ $1 -gt 1 ] ; then
     /usr/sbin/ipa-upgradeconfig || :
@@ -343,14 +393,28 @@ fi
 
 %preun server
 if [ $1 = 0 ]; then
+%if 0%{?fedora} >= 16
+# Use systemd scheme
+    /bin/systemctl --quiet stop ipa.service || :
+    /bin/systemctl --quiet disable ipa.service || :
+%else
+# Use SystemV scheme only before F16
     /sbin/chkconfig --del ipa
     /sbin/chkconfig --del ipa_kpasswd
     /sbin/service ipa stop >/dev/null 2>&1 || :
+%endif
 fi
 
 %postun server
 if [ "$1" -ge "1" ]; then
+%if 0%{?fedora} >= 16
+# Use systemd scheme
+    /bin/systemctl --quiet is-active ipa.service >/dev/null && \
+    /bin/systemctl try-restart ipa.service >/dev/null 2>&1 || :
+%else
+# Use SystemV scheme only before F16
     /sbin/service ipa condrestart >/dev/null 2>&1 || :
+%endif
 fi
 
 %pre server-selinux
@@ -419,8 +483,15 @@ fi
 %{_sbindir}/ipa-upgradeconfig
 %{_sbindir}/ipa-compliance
 %{_sysconfdir}/cron.d/ipa-compliance
+%if 0%{?fedora} >= 16
+# Use systemd scheme
+%attr(644,root,root) %{_unitdir}/ipa.service
+%attr(644,root,root) %{_unitdir}/ipa_kpasswd.service
+%else
+# Use SystemV scheme only before F16
 %attr(755,root,root) %{_initrddir}/ipa
 %attr(755,root,root) %{_initrddir}/ipa_kpasswd
+%endif
 %dir %{python_sitelib}/ipaserver
 %{python_sitelib}/ipaserver/*
 %dir %{_usr}/share/ipa
@@ -551,10 +622,12 @@ fi
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/default.conf
 
 %changelog
+* Mon Oct 10 2011 Alexander Bokovoy <abokovoy at redhat.com> - 2.1.1-3
+- Default to systemd for Fedora 16 and onwards
+
 * Fri Oct 7 2011 Adam Young <ayoung at redhat.com> - 2.1.1-2
 - Add explicit dependency on pki-setup.
 
-
 * Mon Sep 12 2011 Alexander Bokovoy <abokovoy at redhat.com> - 2.1.1-1
 - Make sure platform adaptation is packaged in -python sub-package
 
diff --git a/ipa.init b/init/SystemV/ipa.init
similarity index 100%
rename from ipa.init
rename to init/SystemV/ipa.init
diff --git a/init/systemd/ipa.service b/init/systemd/ipa.service
new file mode 100644
index 0000000000000000000000000000000000000000..ba27d1dfd2db24389fc14163a77b262d54d5b5e6
--- /dev/null
+++ b/init/systemd/ipa.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=Identity, Policy, Audit
+Requires=syslog.target network.target
+After=syslog.target network.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/sbin/ipactl start
+ExecStop=/usr/sbin/ipactl stop
+RemainAfterExit=yes
+TimeoutSec=0
+
+[Install]
+WantedBy=multi-user.target
diff --git a/init/systemd/ipa_kpasswd.service b/init/systemd/ipa_kpasswd.service
new file mode 100644
index 0000000000000000000000000000000000000000..17aa4633be2e50608909b4fa6091d28a13e57616
--- /dev/null
+++ b/init/systemd/ipa_kpasswd.service
@@ -0,0 +1,10 @@
+[Unit]
+Description=IPA Kerberos password service
+Requires=krb5kdc.service
+Wants=krb5kdc.service
+
+[Service]
+Type=forking
+PIDFile=/var/run/ipa_kpasswd.pid
+ExecStart=/usr/sbin/ipa_kpasswd
+
diff --git a/install/tools/ipactl b/install/tools/ipactl
index 4055cf91bd6ec6b5a91c0e677ec4c7765c3bff6f..13e4b007ab4081f9d55db40a1471107e02b558d7 100755
--- a/install/tools/ipactl
+++ b/install/tools/ipactl
@@ -24,7 +24,7 @@ try:
     from ipaserver.install import service
     from ipapython import services as ipaservices
     from ipaserver.install.dsinstance import config_dirname, realm_to_serverid
-    from ipaserver.install.installutils import is_ipa_configured
+    from ipaserver.install.installutils import is_ipa_configured, wait_for_open_ports, wait_for_open_socket
     from ipapython import sysrestore
     from ipapython import config
     from ipalib import api, errors
@@ -32,6 +32,7 @@ try:
     import logging
     import ldap
     import ldap.sasl
+    import ldapurl
     import socket
 except ImportError:
     print >> sys.stderr, """\
@@ -117,6 +118,15 @@ def get_config():
     attrs = ['cn', 'ipaConfigString']
 
     try:
+        # systemd services are so fast that we come here before
+        # Directory Server actually starts listening. Wait for
+        # the socket/port be really available.
+        lurl = ldapurl.LDAPUrl(api.env.ldap_uri)
+        if lurl.urlscheme == 'ldapi':
+            wait_for_open_socket(lurl.hostport, timeout=6)
+        else:
+            (host,port) = lurl.hostport.split(':')
+            wait_for_open_ports(host, [port], timeout=6)
         con = ldap.initialize(api.env.ldap_uri)
         con.sasl_interactive_bind_s('', SASL_EXTERNAL)
         res = con.search_st(base,
diff --git a/ipapython/config.py b/ipapython/config.py
index 051e39f92c8c0a8289c0bfdf8a53ad761c0457f6..4e0fb11b8fac6ed3ce88e0b70eacc3b30046abf5 100644
--- a/ipapython/config.py
+++ b/ipapython/config.py
@@ -178,7 +178,7 @@ def __discover_config(discover_server = True):
 
         if not config.default_domain:
             #try once with REALM -> domain
-            dom_name = config.default_realm.lower()
+            dom_name = config.default_realm.lower() #pylint: disable=E1103
             name = "_ldap._tcp."+dom_name+"."
             rs = ipapython.dnsclient.query(name, ipapython.dnsclient.DNS_C_IN, ipapython.dnsclient.DNS_T_SRV)
             rl = len(rs)
diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index 6e037926ce678557d9273be6ff1e9a6c65d0f80e..49fc64cea7c48d7aaf7e44de3c26d395fddbaa28 100644
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -1185,3 +1185,93 @@ def get_ipa_basedn(conn):
 
     return None
 
+def config_replace_variables(filepath, replacevars=dict(), appendvars=dict()):
+    """
+    Take a key=value based configuration file, and write new version 
+    with certain values replaced or appended 
+
+    All (key,value) pairs from replacevars and appendvars that were not found 
+    in the configuration file, will be added there.
+
+    It is responsibility of a caller to ensure that replacevars and
+    appendvars do not overlap.
+
+    It is responsibility of a caller to back up file.
+
+    returns dictionary of affected keys and their previous values
+
+    One have to run restore_context(filepath) afterwards or
+    security context of the file will not be correct after modification
+    """
+    pattern = re.compile('''
+(^
+                        \s*
+        (?P<option>     [^\#;]+?)
+                        (\s*=\s*)
+        (?P<value>      .+?)?
+                        (\s*((\#|;).*)?)?
+$)''', re.VERBOSE)
+    orig_stat = os.stat(filepath)
+    old_values = dict()
+    temp_filename = None
+    with tempfile.NamedTemporaryFile(delete=False) as new_config:
+        temp_filename = new_config.name
+        with open(filepath, 'r') as f:
+            for line in f:
+                new_line = line
+                m = pattern.match(line)
+                if m:
+                    option, value = m.group('option', 'value')
+                    if option is not None:
+                        if replacevars and option in replacevars:
+                            # replace value completely
+                            new_line = u"%s=%s\n" % (option, replacevars[option])
+                            old_values[option] = value
+                        if appendvars and option in appendvars:
+                            # append new value unless it is already existing in the original one
+                            if value.find(appendvars[option]) == -1:
+                                new_line = u"%s=%s %s\n" % (option, value, appendvars[option])
+                            old_values[option] = value
+                new_config.write(new_line)
+        # Now add all options from replacevars and appendvars that were not found in the file
+        new_vars = replacevars.copy()
+        new_vars.update(appendvars)
+        newvars_view = new_vars.viewkeys() - old_values.viewkeys()
+        append_view = (appendvars.viewkeys() - replacevars.viewkeys()) - old_values.viewkeys()
+        for item in newvars_view:
+            new_config.write("%s=%s\n" % (item,new_vars[item]))
+        for item in append_view:
+            new_config.write("%s=%s\n" % (item,appendvars[item]))
+        new_config.flush()
+        # Make sure the resulting file is readable by others before installing it
+        os.fchmod(new_config.fileno(), orig_stat.st_mode)
+        os.fchown(new_config.fileno(), orig_stat.st_uid, orig_stat.st_gid)
+
+    # At this point new_config is closed but not removed due to 'delete=False' above
+    # Now, install the temporary file as configuration and ensure old version is available as .orig
+    # While .orig file is not used during uninstall, it is left there for administrator.
+    install_file(temp_filename, filepath)
+
+    return old_values
+
+def backup_config_and_replace_variables(fstore, filepath, replacevars=dict(), appendvars=dict()):
+    """
+    Take a key=value based configuration file, back up it, and
+    write new version with certain values replaced or appended 
+
+    All (key,value) pairs from replacevars and appendvars that
+    were not found in the configuration file, will be added there.
+
+    It is responsibility of a caller to ensure that replacevars and
+    appendvars do not overlap.
+
+    returns dictionary of affected keys and their previous values
+
+    One have to run restore_context(filepath) afterwards or
+    security context of the file will not be correct after modification
+    """
+    # Backup original filepath
+    fstore.backup_file(filepath)
+    old_values = config_replace_variables(filepath, replacevars, appendvars)
+
+    return old_values
diff --git a/ipapython/platform/base.py b/ipapython/platform/base.py
index f9d409972a61ffc730f1313470fb8c09dc90ed97..7e03f4892da8ee7b7c602c83d1eb9cc9aa9bf159 100644
--- a/ipapython/platform/base.py
+++ b/ipapython/platform/base.py
@@ -22,7 +22,7 @@ from ipalib.plugable import MagicDict
 # set them as in Red Hat distributions. Actual implementation should make them available
 # through knownservices.<name> and take care of remapping internally, if needed
 wellknownservices = ['certmonger', 'dirsrv', 'httpd', 'ipa', 'krb5kdc', 'messagebus',
-                     'nslcd', 'nscd', 'ntpd', 'portmap', 'rpcbind']
+                     'nslcd', 'nscd', 'ntpd', 'portmap', 'rpcbind', 'ipa_kpasswd']
 
 class AuthConfig(object):
     """
@@ -120,25 +120,25 @@ class PlatformService(object):
     def restart(self, instance_name="", capture_output=True):
         return
 
-    def is_running(self):
+    def is_running(self, instance_name=""):
         return False
 
     def is_installed(self):
         return False
 
-    def is_enabled(self):
+    def is_enabled(self, instance_name=""):
         return False
 
-    def enable(self):
+    def enable(self, instance_name=""):
         return
 
-    def disable(self):
+    def disable(self, instance_name=""):
         return
 
-    def install(self):
+    def install(self, instance_name=""):
         return
 
-    def remove(self):
+    def remove(self, instance_name=""):
         return
 
 class KnownServices(MagicDict):
diff --git a/ipapython/platform/fedora16.py b/ipapython/platform/fedora16.py
new file mode 100644
index 0000000000000000000000000000000000000000..bad1fac69f589a9786b98fc554d5ba7a114513ee
--- /dev/null
+++ b/ipapython/platform/fedora16.py
@@ -0,0 +1,113 @@
+# Author: Alexander Bokovoy <abokovoy at redhat.com>
+#
+# Copyright (C) 2011   Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.    See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+from ipapython import ipautil
+from ipapython.platform import base, redhat, systemd
+import os
+
+# All what we allow exporting directly from this module
+# Everything else is made available through these symbols when they directly imported into ipapython.services:
+# authconfig -- class reference for platform-specific implementation of authconfig(8)
+# service    -- class reference for platform-specific implementation of a PlatformService class
+# knownservices -- factory instance to access named services IPA cares about, names are ipapython.services.wellknownservices
+# backup_and_replace_hostname -- platform-specific way to set hostname and make it persistent over reboots
+# restore_context -- platform-sepcific way to restore security context, if applicable
+__all__ = ['authconfig', 'service', 'knownservices', 'backup_and_replace_hostname', 'restore_context']
+
+# For beginning just remap names to add .service
+# As more services will migrate to systemd, unit names will deviate and
+# mapping will be kept in this dictionary
+system_units = dict(map(lambda x: (x, "%s.service" % (x)), base.wellknownservices))
+
+# Rewrite dirsrv and pki-cad services as they support instances via separate service generator
+# To make this working, one needs to have both foo at .service and foo.target -- the latter is used
+# when request should be coming for all instances (like stop). systemd, unfortunately, does not allow
+# to request action for all service instances at once if only foo at .service unit is available.
+# To add more, if any of those services need to be started/stopped automagically, one needs to manually
+# create symlinks in /etc/systemd/system/foo.target.wants/ (look into systemd.py's enable() code).
+system_units['dirsrv'] = 'dirsrv at .service'
+# Our directory server instance for PKI is dirsrv at PKI-IPA.service
+system_units['pkids'] = 'dirsrv at PKI-IPA.service'
+# Our PKI instance is pki-cad at pki-ca.service
+system_units['pki-cad'] = 'pki-cad at pki-ca.service'
+
+class Fedora16Service(systemd.SystemdService):
+    def __init__(self, service_name):
+        if service_name in system_units:
+            service_name = system_units[service_name]
+        else:
+            if len(service_name.split('.')) == 1:
+                # if service_name does not have a dot, it is not foo.service and not a foo.target
+                # Thus, not correct service name for systemd, default to foo.service style then
+                service_name = "%s.service" % (service_name)
+        super(Fedora16Service, self).__init__(service_name)
+
+# Special handling of directory server service
+# LimitNOFILE needs to be increased or any value set in the directory for this value will fail
+# Read /lib/systemd/system/dirsrv at .service for details.
+# We do modification of LimitNOFILE on service.enable() but we also need to explicitly enable instances
+# to install proper symlinks as dirsrv.target.wants/ dependencies. Unfortunately, ipa-server-install
+# does not do explicit dirsrv.enable() because the service startup is handled by ipactl.
+# If we wouldn't do this, our instances will not be started as systemd would not have any clue
+# about instances (PKI-IPA and the domain we serve) at all. Thus, hook into dirsrv.restart().
+class Fedora16DirectoryService(Fedora16Service):
+    def enable(self, instance_name=""):
+        super(Fedora16DirectoryService, self).enable(instance_name)
+        srv_etc = os.path.join(self.SYSTEMD_ETC_PATH, self.service_name)
+        if os.path.exists(srv_etc):
+            # We need to enable LimitNOFILE=8192 in the dirsrv at .service
+            # We rely on the fact that [Service] section is the last one
+            # and if variable is not there, it will be added as the last line
+            replacevars = {'LimitNOFILE':'8192'}
+            ipautil.config_replace_variables(srv_etc, replacevars=replacevars)
+            redhat.restore_context(srv_etc)
+            ipautil.run(["/bin/systemctl", "--system", "daemon-reload"],raiseonerr=False)
+
+    def restart(self, instance_name="", capture_output=True):
+        if len(instance_name) > 0:
+            elements = self.service_name.split("@")
+            srv_etc = os.path.join(self.SYSTEMD_ETC_PATH, self.service_name)
+            srv_tgt = os.path.join(self.SYSTEMD_ETC_PATH, self.SYSTEMD_SRV_TARGET % (elements[0]))
+            srv_lnk = os.path.join(srv_tgt, self.service_instance(instance_name))
+            if not os.path.exists(srv_etc):
+                self.enable(instance_name)
+            elif not os.path.samefile(srv_etc, srv_lnk):
+                os.unlink(srv_lnk)
+                os.symlink(srv_etc, srv_lnk)
+        super(Fedora16DirectoryService, self).restart(instance_name, capture_output=capture_output)
+
+# Redirect directory server service through special sub-class due to its special handling of instances
+def f16_service(name):
+    if name == 'dirsrv':
+        return Fedora16DirectoryService(name)
+    return Fedora16Service(name)
+
+class Fedora16Services(base.KnownServices):
+    def __init__(self):
+        services = dict()
+        for s in base.wellknownservices:
+            services[s] = f16_service(s)
+        # Call base class constructor. This will lock services to read-only
+        super(Fedora16Services, self).__init__(services)
+
+authconfig = redhat.authconfig
+service = f16_service
+knownservices = Fedora16Services()
+restore_context = redhat.restore_context
+backup_and_replace_hostname = redhat.backup_and_replace_hostname
diff --git a/ipapython/platform/redhat.py b/ipapython/platform/redhat.py
index 6bf8bf348a4c30c79ad29d8b2b30a088bd28372d..d9de3abca0c3281850143c0fe23070b89a29a8f1 100644
--- a/ipapython/platform/redhat.py
+++ b/ipapython/platform/redhat.py
@@ -65,20 +65,20 @@ class RedHatService(base.PlatformService):
                 installed = False
         return installed
 
-    def is_enabled(self):
+    def is_enabled(self, instance_name=""):
         (stdout, stderr, returncode) = ipautil.run(["/sbin/chkconfig", self.service_name],raiseonerr=False)
         return (returncode == 0)
 
-    def enable(self):
+    def enable(self, instance_name=""):
         ipautil.run(["/sbin/chkconfig", self.service_name, "on"])
 
-    def disable(self):
+    def disable(self, instance_name=""):
         ipautil.run(["/sbin/chkconfig", self.service_name, "off"])
 
-    def install(self):
+    def install(self, instance_name=""):
         ipautil.run(["/sbin/chkconfig", "--add", self.service_name])
 
-    def remove(self):
+    def remove(self, instance_name=""):
         ipautil.run(["/sbin/chkconfig", "--del", self.service_name])
 
 class RedHatAuthConfig(base.AuthConfig):
@@ -133,48 +133,11 @@ def restore_context(filepath):
     ipautil.run(["/sbin/restorecon", filepath], raiseonerr=False)
 
 def backup_and_replace_hostname(fstore, statestore, hostname):
-    network_filename = "/etc/sysconfig/network"
-    # Backup original /etc/sysconfig/network
-    fstore.backup_file(network_filename)
-    hostname_pattern = re.compile('''
-(^
-                        \s*
-        (?P<option>     [^\#;]+?)
-                        (\s*=\s*)
-        (?P<value>      .+?)?
-                        (\s*((\#|;).*)?)?
-$)''', re.VERBOSE)
-    temp_filename = None
-    with tempfile.NamedTemporaryFile(delete=False) as new_config:
-        temp_filename = new_config.name
-        with open(network_filename, 'r') as f:
-            for line in f:
-                new_line = line
-                m = hostname_pattern.match(line)
-                if m:
-                    option, value = m.group('option', 'value')
-                    if option is not None and option == 'HOSTNAME':
-                        if value is not None and hostname != value:
-                            new_line = u"HOSTNAME=%s\n" % (hostname)
-                            statestore.backup_state('network', 'hostname', value)
-                new_config.write(new_line)
-        new_config.flush()
-        # Make sure the resulting file is readable by others before installing it
-        os.fchmod(new_config.fileno(), stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP | stat.S_IROTH)
-        os.fchown(new_config.fileno(), 0, 0)
-
-    # At this point new_config is closed but not removed due to 'delete=False' above
-    # Now, install the temporary file as configuration and ensure old version is available as .orig
-    # While .orig file is not used during uninstall, it is left there for administrator.
-    ipautil.install_file(temp_filename, network_filename)
-    try:
-        ipautil.run(['/bin/hostname', hostname])
-    except ipautil.CalledProcessError, e:
-        print >>sys.stderr, "Failed to set this machine hostname to %s (%s)." % (hostname, str(e))
-
-    # For SE Linux environments it is important to reset SE labels to the expected ones
-    try:
-        restore_context(network_filename)
-    except ipautil.CalledProcessError, e:
-        print >>sys.stderr, "Failed to set permissions for %s (%s)." % (network_filename, str(e))
+    replacevars = {'HOSTNAME':hostname}
+    old_values = ipautil.backup_config_and_replace_variables(fstore,
+                                                          "/etc/sysconfig/network", 
+                                                          replacevars=replacevars)
+    restore_context("/etc/sysconfig/network")
+    if old_values['HOSTNAME']:
+        statestore.backup_state('network', 'hostname', old_values['HOSTNAME'])
 
diff --git a/ipapython/platform/systemd.py b/ipapython/platform/systemd.py
new file mode 100644
index 0000000000000000000000000000000000000000..e9990ab38fc764fd2a09d07335d86a9e4e981358
--- /dev/null
+++ b/ipapython/platform/systemd.py
@@ -0,0 +1,204 @@
+# Author: Alexander Bokovoy <abokovoy at redhat.com>
+#
+# Copyright (C) 2011   Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.    See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+from ipapython import ipautil
+from ipapython.platform import base
+import sys, os, shutil
+
+class SystemdService(base.PlatformService):
+    SYSTEMD_ETC_PATH = "/etc/systemd/system/"
+    SYSTEMD_LIB_PATH = "/lib/systemd/system/"
+    SYSTEMD_SRV_TARGET = "%s.target.wants"
+
+    def __init__(self, service_name):
+        super(SystemdService, self).__init__(service_name)
+        self.lib_path = os.path.join(self.SYSTEMD_LIB_PATH, self.service_name)
+        self.lib_path_exists = None
+
+    def service_instance(self, instance_name):
+        if self.lib_path_exists is None:
+            self.lib_path_exists = os.path.exists(self.lib_path)
+
+        elements = self.service_name.split("@")
+
+        # Short-cut: if there is already exact service name, return it
+        if self.lib_path_exists and len(instance_name) == 0:
+            if len(elements) == 1:
+                # service name is like pki-cad.target or krb5kdc.service
+                return self.service_name
+            if len(elements) > 1 and elements[1][0] != '.':
+                # Service name is like pki-cad at pki-ca.service and that file exists
+                return self.service_name
+
+        if len(elements) > 1:
+            # We have dynamic service
+            if len(instance_name) > 0:
+                # Instanciate dynamic service
+                return "%s@%s.service" % (elements[0], instance_name)
+            else:
+                # No instance name, try with target
+                tgt_name = "%s.target" % (elements[0])
+                srv_lib = os.path.join(self.SYSTEMD_LIB_PATH, tgt_name)
+                if os.path.exists(srv_lib):
+                    return tgt_name
+
+        return self.service_name
+
+    def parse_variables(self, text, separator=None):
+        """
+        Parses 'systemctl show' output and returns a dict[variable]=value
+        Arguments: text -- 'systemctl show' output as string
+                   separator -- optional (defaults to None), what separates the key/value pairs in the text
+        """
+        def splitter(x, separator=None):
+            if len(x) > 1:
+                y = x.split(separator)
+                return (y[0], y[-1])
+            return (None,None)
+        return dict(map(lambda x: splitter(x, separator=separator), text.split("\n")))
+
+    def stop(self, instance_name="", capture_output=True):
+        ipautil.run(["/bin/systemctl", "stop", self.service_instance(instance_name)], capture_output=capture_output)
+
+    def start(self, instance_name="", capture_output=True):
+        ipautil.run(["/bin/systemctl", "start", self.service_instance(instance_name)], capture_output=capture_output)
+
+    def restart(self, instance_name="", capture_output=True):
+        # Restart command is broken before systemd-36-3.fc16
+        # If you have older systemd version, restart of dependent services will hang systemd indefinetly
+        ipautil.run(["/bin/systemctl", "restart", self.service_instance(instance_name)], capture_output=capture_output)
+
+    def is_running(self, instance_name=""):
+        ret = True
+        try:
+            (sout, serr, rcode) = ipautil.run(["/bin/systemctl", "is-active", self.service_instance(instance_name)],capture_output=True)
+            if rcode != 0:
+                ret = False
+        except ipautil.CalledProcessError:
+                ret = False
+        return ret
+
+    def is_installed(self):
+        installed = True
+        try:
+            (sout,serr,rcode) = ipautil.run(["/bin/systemctl", "list-unit-files", "--full"])
+            if rcode != 0:
+                installed = False
+            else:
+                svar = self.parse_variables(sout)
+                if not self.service_instance("") in svar:
+                    # systemd doesn't show the service
+                    installed = False
+        except ipautil.CalledProcessError, e:
+                installed = False
+        return installed
+
+    def is_enabled(self, instance_name=""):
+        enabled = True
+        try:
+            (sout,serr,rcode) = ipautil.run(["/bin/systemctl", "is-enabled", self.service_instance(instance_name)])
+            if rcode != 0:
+                enabled = False
+        except ipautil.CalledProcessError, e:
+                enabled = False
+        return enabled
+
+    def enable(self, instance_name=""):
+        if self.lib_path_exists is None:
+            self.lib_path_exists = os.path.exists(self.lib_path)
+        elements = self.service_name.split("@")
+        l = len(elements)
+
+        if self.lib_path_exists and (l > 1 and elements[1][0] != '.'):
+            # There is explicit service unit supporting this instance, follow normal systemd enabler
+            self.__enable(instance_name)
+            return
+
+        if self.lib_path_exists and (l == 1):
+            # There is explicit service unit which does not support the instances, ignore instance
+            self.__enable()
+            return
+
+        if len(instance_name) > 0 and l > 1:
+            # New instance, we need to do following:
+            # 1. Copy <service>@.service to /etc/systemd/system/ if it is not there
+            # 2. Make /etc/systemd/system/<service>.target.wants/ if it is not there
+            # 3. Link /etc/systemd/system/<service>.target.wants/<service>@<instance_name>.service to
+            #    /etc/systemd/system/<service>@.service
+            srv_etc = os.path.join(self.SYSTEMD_ETC_PATH, self.service_name)
+            srv_tgt = os.path.join(self.SYSTEMD_ETC_PATH, self.SYSTEMD_SRV_TARGET % (elements[0]))
+            srv_lnk = os.path.join(srv_tgt, self.service_instance(instance_name))
+            try:
+                if not ipautil.file_exists(srv_etc):
+                    shutil.copy(self.lib_path, srv_etc)
+                if not ipautil.dir_exists(srv_tgt):
+                    os.mkdir(srv_tgt)
+                if os.path.exists(srv_lnk):
+                    # Remove old link
+                    os.unlink(srv_lnk)
+                if not os.path.exists(srv_lnk):
+                    # object does not exist _or_ is a broken link
+                    if not os.path.islink(srv_lnk):
+                        # if it truly does not exist, make a link
+                        os.symlink(srv_etc, srv_lnk)
+                    else:
+                        # Link exists and it is broken, make new one
+                        os.unlink(srv_lnk)
+                        os.symlink(srv_etc, srv_lnk)
+                ipautil.run(["/bin/systemctl", "--system", "daemon-reload"])
+            except:
+                pass
+        else:
+            self.__enable(instance_name)
+
+    def disable(self, instance_name=""):
+        elements = self.service_name.split("@")
+        if instance_name != "" and len(elements) > 1:
+            # Remove instance, we need to do following:
+            #  Remove link from /etc/systemd/system/<service>.target.wants/<service>@<instance_name>.service 
+            #  to /etc/systemd/system/<service>@.service
+            srv_tgt = os.path.join(self.SYSTEMD_ETC_PATH, self.SYSTEMD_SRV_TARGET % (elements[0]))
+            srv_lnk = os.path.join(srv_tgt, self.service_instance(instance_name))
+            try:
+                if ipautil.dir_exists(srv_tgt):
+                    if os.path.islink(srv_lnk):
+                        os.unlink(srv_lnk)
+                ipautil.run(["/bin/systemctl", "--system", "daemon-reload"])
+            except:
+                pass
+        else:
+            self.__disable(instance_name)
+
+    def __enable(self, instance_name=""):
+        try:
+            ipautil.run(["/bin/systemctl", "enable", self.service_instance(instance_name)])
+        except ipautil.CalledProcessError, e:
+            pass
+
+    def __disable(self, instance_name=""):
+        try:
+            ipautil.run(["/bin/systemctl", "disable", self.service_instance(instance_name)])
+        except ipautil.CalledProcessError, e:
+            pass
+
+    def install(self):
+        self.enable()
+
+    def remove(self):
+        self.disable()
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index c819957a6dc225e1fd1b08642ca90a614e9d09c1..fed4b2cdf373aa2266cf730de0dc622b0c25ba0c 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -375,7 +375,7 @@ class CADSInstance(service.Service):
     def restart_instance(self):
         try:
             ipaservices.knownservices.dirsrv.restart(self.serverid)
-            if not dsinstance.is_ds_running():
+            if not dsinstance.is_ds_running(self.serverid):
                 logging.critical("Failed to restart the directory server. See the installation log for details.")
                 sys.exit(1)
         except Exception:
@@ -693,7 +693,7 @@ class CAInstance(service.Service):
 
     def __restart_instance(self):
         try:
-            self.restart()
+            self.restart(PKI_INSTANCE_NAME)
             installutils.wait_for_open_ports('localhost', 9180, 300)
         except Exception:
             # TODO: roll back here?
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index cd2a216555c735f484303a9cfb49105287f017a1..e71de62260d5320fe3d9eeb306c4393169370250 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -107,8 +107,8 @@ def check_ports():
     ds_secure = installutils.port_available(636)
     return (ds_unsecure, ds_secure)
 
-def is_ds_running():
-    return ipaservices.knownservices.dirsrv.is_running()
+def is_ds_running(server_id=''):
+    return ipaservices.knownservices.dirsrv.is_running(instance_name=server_id)
 
 def has_managed_entries(host_name, dm_password):
     """Check to see if the Managed Entries plugin is available"""
@@ -411,7 +411,7 @@ class DsInstance(service.Service):
     def restart(self, instance=''):
         try:
             super(DsInstance, self).restart(instance)
-            if not is_ds_running():
+            if not is_ds_running(instance):
                 logging.critical("Failed to restart the directory server. See the installation log for details.")
                 sys.exit(1)
             installutils.wait_for_open_ports('localhost', self.open_ports, 300)
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index 513dc5523589341cbcebbe1a80694e7eae6c4308..ad89e87d67c2f581836bd8dbbef530492325e394 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -352,28 +352,16 @@ class KrbInstance(service.Service):
             min = version.LooseVersion(MIN_KRB5KDC_WITH_WORKERS)
             if ver >= min:
                 workers = True
+        # Write down config file
+        # We write realm and also number of workers (for multi-CPU systems)
+        replacevars = {'KRB5REALM':self.realm}
+        appendvars = {}
         if workers and cpus > 1:
-            #read in memory, find KRB5KDC_ARGS, check/change it, then overwrite file
-            self.fstore.backup_file("/etc/sysconfig/krb5kdc")
-
-            need_w = True
-            fd = open("/etc/sysconfig/krb5kdc", "r")
-            lines = fd.readlines()
-            fd.close()
-            for line in lines:
-                sline = line.strip()
-                if not sline.startswith('KRB5KDC_ARGS'):
-                    continue
-                sline = sline.replace('"', '')
-                if sline.find("-w") != -1:
-                    need_w = False
-
-            if need_w:
-                fd = open("/etc/sysconfig/krb5kdc", "w")
-                for line in lines:
-                    fd.write(line)
-                fd.write('KRB5KDC_ARGS="${KRB5KDC_ARGS} -w %s"\n' % str(cpus))
-                fd.close()
+            appendvars = {'KRB5KDC_ARGS': "-w %s" % str(cpus)}
+        ipautil.backup_config_and_replace_variables(self.fstore, "/etc/sysconfig/krb5kdc",
+                                                    replacevars=replacevars,
+                                                    appendvars=appendvars)
+        ipaservices.restore_context("/etc/sysconfig/krb5kdc")
 
     def __write_stash_from_ds(self):
         try:
-- 
1.7.6.4


From abokovoy at redhat.com  Mon Oct 10 14:07:22 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Mon, 10 Oct 2011 17:07:22 +0300
Subject: [Freeipa-devel] [PATCH, 2.1] 0021 Fedora 16 and systemd support
In-Reply-To: <20111010134235.GB3661@redhat.com>
References: <20111010134235.GB3661@redhat.com>
Message-ID: <20111010140721.GC3661@redhat.com>

On Mon, 10 Oct 2011, Alexander Bokovoy wrote:
> rebased, updated package dependencies, and verified against 
> Fedora 16+updates-testing.
> 
> This patch is for ipa-2-1 branch. I need to do few cosmetic changes in 
> freeipa.spec.in to accomodate it to 3.0 (master branch) as ipa_kpasswd 
> is gone there.
Forgot to add that altogether this patch fixes:

https://fedorahosted.org/freeipa/ticket/1192 -- support systemd
https://fedorahosted.org/freeipa/ticket/1651 -- update F16 dependencies
https://fedorahosted.org/freeipa/ticket/1871 -- not setting HOSTNAME if it was missing from the configuration file

The latter one is integrated within the systemd patch because the same 
function is re-used for editing systemd service files and 
/etc/sysconfig/krb5kdc and it simply makes little sense to separate 
them as without editing systemd services for dirsrv, one cannot start 
dirsrv with number of file descriptors required by IPA defaults, and 
krb5kdc configuration should be written properly before krb5kdc is 
started as its systemd service unit uses parameters from the 
configuration file.
-- 
/ Alexander Bokovoy



From rcritten at redhat.com  Mon Oct 10 14:21:21 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 10 Oct 2011 10:21:21 -0400
Subject: [Freeipa-devel] [PATCH] 889 fix selfsign upgrades
Message-ID: <4E92FF61.4030704@redhat.com>

Upgrading an installation that was installed with selfsign CA will fail 
in ipa-upgradeconfig because it doesn't handle the case where dogtag 
isn't installed.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-889-upgrade.patch
Type: text/x-patch
Size: 993 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111010/6d30ff93/attachment.bin>

From rcritten at redhat.com  Mon Oct 10 20:49:08 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 10 Oct 2011 16:49:08 -0400
Subject: [Freeipa-devel] [PATCHES]  0287 and 0288 for Proxy upgrade
In-Reply-To: <4E8F4D6F.1030700@redhat.com>
References: <4E8E5581.6040802@redhat.com> <4E8E6242.7030804@redhat.com>
	<4E8F3BC9.8030302@redhat.com> <4E8F4806.7040601@redhat.com>
	<4E8F4D6F.1030700@redhat.com>
Message-ID: <4E935A44.40307@redhat.com>

Adam Young wrote:
> On 10/07/2011 02:42 PM, Rob Crittenden wrote:
>> Adam Young wrote:
>>> On 10/06/2011 10:21 PM, Rob Crittenden wrote:
>>>> Adam Young wrote:
>>>>> Not yet ready for prime time.
>>>>>
>>>>> I've tested the changes to updateinstance by hand, so I know they
>>>>> work.
>>>>> I'm having problems with the python import setup.
>>>>>
>>>>> RPM build fails with:
>>>>>
>>>>>
>>>>> install/tools/ipa-upgradeconfig:36: [F0401] Unable to import
>>>>> 'installutils'
>>>>>
>>>>>
>>>>> And, if I uncomment the import for http utils, I get an error at run
>>>>> time as well. That confuses me, as I am able to import installutils at
>>>>> runtime.
>>>>
>>>> I think these patches fix it. Please double check my comments. I
>>>> tested this on a non-updated dogtag install (e.g. it doesn't have the
>>>> new script) and it didn't seem to break anything.
>>>>
>>>> rob
>>> They work, but require this additional patch to the RPM spec.
>>
>> We talked about this a bit in IRC. I think we want to bump up all
>> dogtag packages to 9.0.15. The update is pending push to
>> updates-testing at this moment.
>>
>> With that change ack all around, just be sure to remove the
>> non-sequitor services change before pushing.
>>
>> rob
> removed service change and pushed to ipa-2.1
>

I pushed to master



From rcritten at redhat.com  Mon Oct 10 20:49:37 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 10 Oct 2011 16:49:37 -0400
Subject: [Freeipa-devel] [PATCH]  0286-split-metadata-call
In-Reply-To: <4E8E178D.6050105@redhat.com>
References: <4E8E178D.6050105@redhat.com>
Message-ID: <4E935A61.1020808@redhat.com>

Adam Young wrote:
> Even if ACKed, don't push this patch alone. It is part of some work that
> Petr V is going to be doing as part of fixing
> https://fedorahosted.org/freeipa/ticket/1933.
>

Adam pushed to ipa-2-1 on Friday, I pushed to master

rob



From rcritten at redhat.com  Mon Oct 10 20:53:41 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 10 Oct 2011 16:53:41 -0400
Subject: [Freeipa-devel] [PATCH] 887 add missing aci prefix to dns acis
In-Reply-To: <1318232111.23975.6.camel@dhcp-25-52.brq.redhat.com>
References: <4E8CC988.6050408@redhat.com>
	<1317902620.16404.34.camel@dhcp-25-52.brq.redhat.com>
	<4E8DEDF0.9080202@redhat.com> <1317929952.2489.2.camel@priserak>
	<4E8E05A6.4040903@redhat.com> <4E8E186C.7080108@redhat.com>
	<1317974016.8399.13.camel@dhcp-25-52.brq.redhat.com>
	<4E8EF61A.6090707@redhat.com>
	<1317998775.8399.49.camel@dhcp-25-52.brq.redhat.com>
	<4E8F1617.90005@redhat.com>
	<1318232111.23975.6.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4E935B55.5020407@redhat.com>

Martin Kosek wrote:
> On Fri, 2011-10-07 at 11:09 -0400, Rob Crittenden wrote:
>> Martin Kosek wrote:
>
>>>
>>> I tested the patch when I replaced all add: directives 40-dns.update
>>> with addifexist. The clean installation now did not produce any error,
>>> memberships were OK.
>>>
>>> However, updating existing installation with DNS was not OK - privileges
>>> are still without memberof attributes:
>>>
>>> # ipa privilege-find dns
>>> --------------------
>>> 2 privileges matched
>>> --------------------
>>>     Privilege name: DNS Administrators
>>>     Description: DNS Administrators
>>>
>>>     Privilege name: DNS Servers
>>>     Description: DNS Servers
>>> ----------------------------
>>> Number of entries returned 2
>>> ----------------------------
>>>
>>> Martin
>>>
>>
>> Strange, it works for me. Can you try this updated patch?
>>
>> rob
>
> I must have been doing something wrong. This one works fine - both
> upgrade and a fresh installation.
>
> ACK.
>
> Martin
>

Ok, pushed to master and ipa-2-1



From rcritten at redhat.com  Mon Oct 10 20:53:59 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 10 Oct 2011 16:53:59 -0400
Subject: [Freeipa-devel] [PATCH] 021 Split Web UI initialization to
 several smaller calls
In-Reply-To: <4E8F4B74.4040708@redhat.com>
References: <4E8F210A.1030409@redhat.com> <4E8F4B74.4040708@redhat.com>
Message-ID: <4E935B67.8060202@redhat.com>

Adam Young wrote:
> On 10/07/2011 11:55 AM, Petr Vobornik wrote:
>> https://fedorahosted.org/freeipa/ticket/1933
>>
>> based on ayoung-0286-split-metadata-call
>>
>> Web UI init method was modified to get initialization data in 3 calls.
>> First call remains the same as before except that the json_metadata
>> command was removed.
>>
>> JSON metadata are requested after successful response of the first
>> batch command. This approach should preserve functionality in IE
>> (where request is missing after authentication). Getting JSON metadata
>> is split to two commands - this should prevent the error in linked
>> ticket. These two commands are paralelly executed by new
>> concurent_command object.
>>
>> Concurrent command waits for all responses then it calls each
>> command's success handler.
>>
>> I don't know if this patch actually solves the problem because I
>> didn't manage to reproduce it.
>>
>> Note: In the attached archive is patch for updating data files
>> (offline, unit testing). Unpacked it has 1.4MiB...
>>
>>
>> _______________________________________________
>> Freeipa-devel mailing list
>> Freeipa-devel at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-devel
> ACK. I pushed both patches to ipa-2.1.
> The patch naming was off: don't use -1 to indicate a related patch, but
> rather a newer version of an already submitted patch.

pushed to master



From abokovoy at redhat.com  Tue Oct 11 07:25:50 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 11 Oct 2011 10:25:50 +0300
Subject: [Freeipa-devel] [PATCH] 0021 Increase number of 'getent passwd
	attempts' to 10
Message-ID: <20111011072549.GB24510@redhat.com>

Hi,

https://fedorahosted.org/freeipa/ticket/1774

-- 
/ Alexander Bokovoy
-------------- next part --------------
>From 6603e5af84c03dbabdd3de8a681a8d9d9b89013d Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy at redhat.com>
Date: Tue, 11 Oct 2011 10:22:16 +0300
Subject: [PATCH] Increase number of 'getent passwd attempts' to 10

During ipa-client-install SSSD is not always started up properly for some
reason, things like "getent passwd admin" do not work.  This is particulary
true for large setups where admin is included in a large set of groups.

https://fedorahosted.org/freeipa/ticket/1774
---
 ipa-client/ipa-install/ipa-client-install |    8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index ee643de537d97180b7c04811fa800b71b36ca16f..969dc9b0faa5e131f1e9199325bdf2350157ab8a 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -1124,10 +1124,10 @@ def install(options, env, fstore, statestore):
     if not options.on_master:
         n = 0
         found = False
-        # Loop for up to 5 seconds to see if nss is working properly.
-        # It can sometimes take a few seconds to connect to the remote
-        # provider.
-        while n < 5 and not found:
+        # Loop for up to 10 seconds to see if nss is working properly.
+        # It can sometimes take a few seconds to connect to the remote provider.
+        # Particulary, SSSD might take longer than 6-8 seconds.
+        while n < 10 and not found:
             try:
                 ipautil.run(["getent", "passwd", "admin"])
                 found = True
-- 
1.7.6.4


From mkosek at redhat.com  Tue Oct 11 08:29:34 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 11 Oct 2011 10:29:34 +0200
Subject: [Freeipa-devel] [PATCH] 142 Improve default user/group object class
	validation
Message-ID: <1318321776.10939.0.camel@dhcp-25-52.brq.redhat.com>

When user/group default object class is being modified via
ipa config-mod, no validation check is run. Check at least
the following:

- all object classes are known to LDAP
- all default user/group attributes are allowed under the new
  set of default object classes

https://fedorahosted.org/freeipa/ticket/1893

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-142-improve-default-user-group-object-class-validation.patch
Type: text/x-patch
Size: 3776 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111011/2c856b40/attachment.bin>

From pvoborni at redhat.com  Tue Oct 11 08:30:50 2011
From: pvoborni at redhat.com (Petr Vobornik)
Date: Tue, 11 Oct 2011 10:30:50 +0200
Subject: [Freeipa-devel] [PATCH] 024 Added missing fields to password policy
	page
Message-ID: <4E93FEBA.5000000@redhat.com>

https://fedorahosted.org/freeipa/ticket/1944

(2.1.3 Release)

No editable fields exist for "maxfail", "failinterval" "lockouttime" and 
"priority" in password policy page.

-- 
Petr Vobornik
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0024-Added-missing-fields-to-password-policy-page.patch
Type: text/x-patch
Size: 1536 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111011/17936ec1/attachment.bin>

From abokovoy at redhat.com  Tue Oct 11 08:33:44 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 11 Oct 2011 11:33:44 +0300
Subject: [Freeipa-devel] [PATCH] 0023  Improve hbactest
Message-ID: <20111011083343.GC24510@redhat.com>

Hi,

two improvements for hbactest command:
1. Include indirect membership for users and hosts
2. Append FreeIPA default domain to hosts in hbactest request if they 
   are not fully qualified ones.

Fixes
https://fedorahosted.org/freeipa/ticket/1862
https://fedorahosted.org/freeipa/ticket/1949

Two patches in the same commit because they affect the same code and 
otherwise would have created dependency between the patches anyway.
-- 
/ Alexander Bokovoy
-------------- next part --------------
>From 09ccb28ab1f6fb5c5d2ee41b583125e95bd23a62 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy at redhat.com>
Date: Tue, 11 Oct 2011 11:25:24 +0300
Subject: [PATCH] Include indirect membership and canonicalize hosts during
 HBAC rules testing

When users and hosts are included into groups indirectly, make sure that
during HBAC test e fill in all indirect groups properly into an HBAC request.

Also, if hosts provided for test are not specified fully, canonicalize them
using IPA domain.

This makes possible following requests:
ipa hbactest --user foobar --srchost vm-101 --host vm-101 --service sshd

Request to evaluate:
 <user <name foobar groups [hbacusers,ipausers]>
  service <name sshd groups []>
  targethost <name vm-101.ipa.local groups []>
  srchost <name vm-101.ipa.local groups []>
 >

Fixes:
https://fedorahosted.org/freeipa/ticket/1862
https://fedorahosted.org/freeipa/ticket/1949
---
 ipalib/plugins/hbactest.py |   30 +++++++++++++++++++++++-------
 1 files changed, 23 insertions(+), 7 deletions(-)

diff --git a/ipalib/plugins/hbactest.py b/ipalib/plugins/hbactest.py
index 75442451ca91783718942f78738170f399ef8ca9..9b33dafa4424c2919732dd9e5161806b31fc5568 100644
--- a/ipalib/plugins/hbactest.py
+++ b/ipalib/plugins/hbactest.py
@@ -204,6 +204,14 @@ class hbactest(Command):
         ),
     )
 
+    def canonicalize(self, host):
+        """
+        Canonicalize the host name -- add default IPA domain if that is missing
+        """
+        if host.find('.') == -1:
+            return u'%s.%s' % (host, self.env.domain)
+        return host
+
     def execute(self, *args, **options):
         # First receive all needed information:
         # 1. HBAC rules (whether enabled or disabled)
@@ -264,7 +272,11 @@ class hbactest(Command):
         if options['user'] != u'all':
             try:
                 request.user.name = options['user']
-                request.user.groups = self.api.Command.user_show(request.user.name)['result']['memberof_group']
+                search_result = self.api.Command.user_show(request.user.name)['result']
+                groups = search_result['memberof_group']
+                if 'memberofindirect_group' in search_result:
+                    groups += search_result['memberofindirect_group']
+                request.user.groups = sorted(set(groups))
             except:
                 pass
 
@@ -278,19 +290,23 @@ class hbactest(Command):
 
         if options['sourcehost'] != u'all':
             try:
-                request.srchost.name = options['sourcehost']
+                request.srchost.name = self.canonicalize(options['sourcehost'])
                 srchost_result = self.api.Command.host_show(request.srchost.name)['result']
-                srchost_groups = srchost_result['memberof_hostgroup']
-                request.srchost.groups = sorted(set(srchost_groups))
+                groups = srchost_result['memberof_hostgroup']
+                if 'memberofindirect_hostgroup' in srchost_result:
+                    groups += search_result['memberofindirect_hostgroup']
+                request.srchost.groups = sorted(set(groups))
             except:
                  pass
 
         if options['targethost'] != u'all':
             try:
-                request.targethost.name = options['targethost']
+                request.targethost.name = self.canonicalize(options['targethost'])
                 tgthost_result = self.api.Command.host_show(request.targethost.name)['result']
-                tgthost_groups = tgthost_result['memberof_hostgroup']
-                request.targethost.groups = sorted(set(tgthost_groups))
+                groups = tgthost_result['memberof_hostgroup']
+                if 'memberofindirect_hostgroup' in tgthost_result:
+                    groups += search_result['memberofindirect_hostgroup']
+                request.targethost.groups = sorted(set(groups))
             except:
                 pass
 
-- 
1.7.6.4


From mkosek at redhat.com  Tue Oct 11 08:38:23 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 11 Oct 2011 10:38:23 +0200
Subject: [Freeipa-devel] [PATCH] 0021 Increase number of 'getent passwd
 attempts' to 10
In-Reply-To: <20111011072549.GB24510@redhat.com>
References: <20111011072549.GB24510@redhat.com>
Message-ID: <1318322305.10939.1.camel@dhcp-25-52.brq.redhat.com>

On Tue, 2011-10-11 at 10:25 +0300, Alexander Bokovoy wrote:
> Hi,
> 
> https://fedorahosted.org/freeipa/ticket/1774
> 

ACK. Pushed to master, ipa-2-1.

Martin



From abokovoy at redhat.com  Tue Oct 11 09:01:22 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 11 Oct 2011 12:01:22 +0300
Subject: [Freeipa-devel] [PATCH] 142 Improve default user/group object
 class validation
In-Reply-To: <1318321776.10939.0.camel@dhcp-25-52.brq.redhat.com>
References: <1318321776.10939.0.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <20111011090121.GD24510@redhat.com>

On Tue, 11 Oct 2011, Martin Kosek wrote:
> @@ -212,6 +216,24 @@ class config_mod(LDAPUpdate):
>                          raise errors.ValidationError(
>                              name=k, error='attribute "%s" not allowed' % a
>                          )
Could you please also (in a separate patch) fix the above and others 
by adding translations? Other exception messages in 
plugins/config.py are designed to be used for user interactions but 
this one is not localized.

> +
> +        for (attr, obj) in (('ipauserobjectclasses', 'user'),
> +                            ('ipagroupobjectclasses', 'group')):
> +            if attr in entry_attrs:
> +                objectclasses = entry_attrs[attr] + self.api.Object[obj].possible_objectclasses
would it make sense to do sort(set(objectclasses)) to get unique list 
before using it further? Just a thought. get_allowed_attributes() will 
go to LDAP's schema to consult about the attributes and it seems to me 
we'd better not to do this multiple times for the same.

> +                new_allowed_attrs = ldap.get_allowed_attributes(objectclasses,
> +                                        raise_on_unknown=True)
> +                checked_attrs = self.api.Object[obj].default_attributes
> +                if self.api.Object[obj].uuid_attribute:
> +                    checked_attrs.append(self.api.Object[obj].uuid_attribute)
> +                for obj_attr in self.api.Object[obj].default_attributes:
Shouldn't this be checked_attrs?


-- 
/ Alexander Bokovoy



From mkosek at redhat.com  Tue Oct 11 09:03:39 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 11 Oct 2011 11:03:39 +0200
Subject: [Freeipa-devel] [PATCH] 143 Fix dnszone-add name_from_ip server
	validation
Message-ID: <1318323821.10939.3.camel@dhcp-25-52.brq.redhat.com>

Based mainly on Rob's fix proposed in Trac.
---
Ticket 1627 contained a (temporary hack-ish) fix for dnszone-add
name_from_ip validation which works fine for CLI. However, when
the command is not proceeded via CLI and sent directly to the
RPC server, the server throws Internal Server Error.

Make sure that the server returns a reasonable error.

https://fedorahosted.org/freeipa/ticket/1941

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-143-fix-dnszone-add-name_from_ip-server-validation.patch
Type: text/x-patch
Size: 1665 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111011/b657cd5a/attachment.bin>

From abokovoy at redhat.com  Tue Oct 11 09:13:14 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 11 Oct 2011 12:13:14 +0300
Subject: [Freeipa-devel] [PATCH] 0024 Force use of kerberos realm to be a
	string in config.py
Message-ID: <20111011091313.GE24510@redhat.com>

Hi,

there seems to be something new with python-2.7.2 on Fedora 16 and 
'make lint' complains about 
  dom_name = config.default_realm.lower()
as config.default_realm is of type _Chainmap during static analysis. 

We get config.default_realm out of krbV.default_context().default_realm.

The code change works fine with Fedora 15 as well (tested).
-- 
/ Alexander Bokovoy
-------------- next part --------------
>From c25b21972fb3a93b7c2ff1ab15715ae0bd3369b5 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy at redhat.com>
Date: Tue, 11 Oct 2011 12:07:23 +0300
Subject: [PATCH 2/2] Force kerberos realm to be a string

Fixes issue with Python linter on Fedora 16 where it assumes for C modules-provided
objects that they are of type _Chainmap during static analysis.
---
 ipapython/config.py |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/ipapython/config.py b/ipapython/config.py
index 051e39f92c8c0a8289c0bfdf8a53ad761c0457f6..d4c724dc9ac754cb221fe60d7c13bd0c716dd296 100644
--- a/ipapython/config.py
+++ b/ipapython/config.py
@@ -178,7 +178,7 @@ def __discover_config(discover_server = True):
 
         if not config.default_domain:
             #try once with REALM -> domain
-            dom_name = config.default_realm.lower()
+            dom_name = str(config.default_realm).lower()
             name = "_ldap._tcp."+dom_name+"."
             rs = ipapython.dnsclient.query(name, ipapython.dnsclient.DNS_C_IN, ipapython.dnsclient.DNS_T_SRV)
             rl = len(rs)
-- 
1.7.6.4


From atkac at redhat.com  Tue Oct 11 09:27:08 2011
From: atkac at redhat.com (Adam Tkac)
Date: Tue, 11 Oct 2011 11:27:08 +0200
Subject: [Freeipa-devel] [PATCH] bind-dyndb-ldap: Add new ldap_hostname
	option (ticket #1931)
Message-ID: <4E940BEC.9030909@redhat.com>

Hello all,

please see attached patch for bind-dyndb-ldap, it should solve (at least
from bind-dyndb-ldap side) ticket #1931. It adds new "ldap_hostname"
option and ipa-server-install utility should set this option when
/bin/hostname is different from --hostname parameter.

Comments are welcomed.

Regards, Adam
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0001-Added-new-ldap_hostname-option.patch
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111011/cd0937d2/attachment.ksh>

From mkosek at redhat.com  Tue Oct 11 09:47:10 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 11 Oct 2011 11:47:10 +0200
Subject: [Freeipa-devel] [PATCH] 142 Improve default user/group object
 class validation
In-Reply-To: <20111011090121.GD24510@redhat.com>
References: <1318321776.10939.0.camel@dhcp-25-52.brq.redhat.com>
	<20111011090121.GD24510@redhat.com>
Message-ID: <1318326432.10939.7.camel@dhcp-25-52.brq.redhat.com>

On Tue, 2011-10-11 at 12:01 +0300, Alexander Bokovoy wrote:
> On Tue, 11 Oct 2011, Martin Kosek wrote:
> > @@ -212,6 +216,24 @@ class config_mod(LDAPUpdate):
> >                          raise errors.ValidationError(
> >                              name=k, error='attribute "%s" not allowed' % a
> >                          )
> Could you please also (in a separate patch) fix the above and others 
> by adding translations? Other exception messages in 
> plugins/config.py are designed to be used for user interactions but 
> this one is not localized.

Patch based on 142 for config plugin i18n fix attached. I created a
ticket to fix all of these issues in 3.0 branch:

https://fedorahosted.org/freeipa/ticket/1953

> 
> > +
> > +        for (attr, obj) in (('ipauserobjectclasses', 'user'),
> > +                            ('ipagroupobjectclasses', 'group')):
> > +            if attr in entry_attrs:
> > +                objectclasses = entry_attrs[attr] + self.api.Object[obj].possible_objectclasses
> would it make sense to do sort(set(objectclasses)) to get unique list 
> before using it further? Just a thought. get_allowed_attributes() will 
> go to LDAP's schema to consult about the attributes and it seems to me 
> we'd better not to do this multiple times for the same.

I added a list(set()) to remove duplicates, I don't think it is
necessary to sort it.

> 
> > +                new_allowed_attrs = ldap.get_allowed_attributes(objectclasses,
> > +                                        raise_on_unknown=True)
> > +                checked_attrs = self.api.Object[obj].default_attributes
> > +                if self.api.Object[obj].uuid_attribute:
> > +                    checked_attrs.append(self.api.Object[obj].uuid_attribute)
> > +                for obj_attr in self.api.Object[obj].default_attributes:
> Shouldn't this be checked_attrs?
> 

Correct. The previous version worked because .append modified the
original list. Fixed.

Martin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-142-2-improve-default-user-group-object-class-validation.patch
Type: text/x-patch
Size: 3803 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111011/3655cf52/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-144-fix-i18n-in-config-plugin.patch
Type: text/x-patch
Size: 1403 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111011/3655cf52/attachment-0001.bin>

From abokovoy at redhat.com  Tue Oct 11 10:16:46 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 11 Oct 2011 13:16:46 +0300
Subject: [Freeipa-devel] [PATCH] 142 Improve default user/group object
 class validation
In-Reply-To: <1318326432.10939.7.camel@dhcp-25-52.brq.redhat.com>
References: <1318321776.10939.0.camel@dhcp-25-52.brq.redhat.com>
	<20111011090121.GD24510@redhat.com>
	<1318326432.10939.7.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <20111011101646.GF24510@redhat.com>

On Tue, 11 Oct 2011, Martin Kosek wrote:
> On Tue, 2011-10-11 at 12:01 +0300, Alexander Bokovoy wrote:
> > On Tue, 11 Oct 2011, Martin Kosek wrote:
> > > @@ -212,6 +216,24 @@ class config_mod(LDAPUpdate):
> > >                          raise errors.ValidationError(
> > >                              name=k, error='attribute "%s" not allowed' % a
> > >                          )
> > Could you please also (in a separate patch) fix the above and others 
> > by adding translations? Other exception messages in 
> > plugins/config.py are designed to be used for user interactions but 
> > this one is not localized.
> 
> Patch based on 142 for config plugin i18n fix attached. I created a
ACK.

> ticket to fix all of these issues in 3.0 branch:
> 
> https://fedorahosted.org/freeipa/ticket/1953
Thanks!

 
> > 
> > > +
> > > +        for (attr, obj) in (('ipauserobjectclasses', 'user'),
> > > +                            ('ipagroupobjectclasses', 'group')):
> > > +            if attr in entry_attrs:
> > > +                objectclasses = entry_attrs[attr] + self.api.Object[obj].possible_objectclasses
> > would it make sense to do sort(set(objectclasses)) to get unique list 
> > before using it further? Just a thought. get_allowed_attributes() will 
> > go to LDAP's schema to consult about the attributes and it seems to me 
> > we'd better not to do this multiple times for the same.
> 
> I added a list(set()) to remove duplicates, I don't think it is
> necessary to sort it.
Yes, this is fine.

> > > +                new_allowed_attrs = ldap.get_allowed_attributes(objectclasses,
> > > +                                        raise_on_unknown=True)
> > > +                checked_attrs = self.api.Object[obj].default_attributes
> > > +                if self.api.Object[obj].uuid_attribute:
> > > +                    checked_attrs.append(self.api.Object[obj].uuid_attribute)
> > > +                for obj_attr in self.api.Object[obj].default_attributes:
> > Shouldn't this be checked_attrs?
> > 
> 
> Correct. The previous version worked because .append modified the
> original list. Fixed.
Hm..
+                checked_attrs = self.api.Object[obj].default_attributes
doesn't change anything -- you still get a reference to 
default_attributes and through 
  checked_attrs += ....
you'd modify the original one. Wouldn't the following be more correct:
+                checked_attrs = copy(self.api.Object[obj].default_attributes)
?
-- 
/ Alexander Bokovoy



From mkosek at redhat.com  Tue Oct 11 10:55:24 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 11 Oct 2011 12:55:24 +0200
Subject: [Freeipa-devel] [PATCH] 142 Improve default user/group object
 class validation
In-Reply-To: <20111011101646.GF24510@redhat.com>
References: <1318321776.10939.0.camel@dhcp-25-52.brq.redhat.com>
	<20111011090121.GD24510@redhat.com>
	<1318326432.10939.7.camel@dhcp-25-52.brq.redhat.com>
	<20111011101646.GF24510@redhat.com>
Message-ID: <1318330527.10939.11.camel@dhcp-25-52.brq.redhat.com>

On Tue, 2011-10-11 at 13:16 +0300, Alexander Bokovoy wrote:
> On Tue, 11 Oct 2011, Martin Kosek wrote:
> > On Tue, 2011-10-11 at 12:01 +0300, Alexander Bokovoy wrote:
> > > On Tue, 11 Oct 2011, Martin Kosek wrote:
> > > > @@ -212,6 +216,24 @@ class config_mod(LDAPUpdate):
> > > >                          raise errors.ValidationError(
> > > >                              name=k, error='attribute "%s" not allowed' % a
> > > >                          )
> > > Could you please also (in a separate patch) fix the above and others 
> > > by adding translations? Other exception messages in 
> > > plugins/config.py are designed to be used for user interactions but 
> > > this one is not localized.
> > 
> > Patch based on 142 for config plugin i18n fix attached. I created a
> ACK.
> 
> > ticket to fix all of these issues in 3.0 branch:
> > 
> > https://fedorahosted.org/freeipa/ticket/1953
> Thanks!
> 
>  
> > > 
> > > > +
> > > > +        for (attr, obj) in (('ipauserobjectclasses', 'user'),
> > > > +                            ('ipagroupobjectclasses', 'group')):
> > > > +            if attr in entry_attrs:
> > > > +                objectclasses = entry_attrs[attr] + self.api.Object[obj].possible_objectclasses
> > > would it make sense to do sort(set(objectclasses)) to get unique list 
> > > before using it further? Just a thought. get_allowed_attributes() will 
> > > go to LDAP's schema to consult about the attributes and it seems to me 
> > > we'd better not to do this multiple times for the same.
> > 
> > I added a list(set()) to remove duplicates, I don't think it is
> > necessary to sort it.
> Yes, this is fine.
> 
> > > > +                new_allowed_attrs = ldap.get_allowed_attributes(objectclasses,
> > > > +                                        raise_on_unknown=True)
> > > > +                checked_attrs = self.api.Object[obj].default_attributes
> > > > +                if self.api.Object[obj].uuid_attribute:
> > > > +                    checked_attrs.append(self.api.Object[obj].uuid_attribute)
> > > > +                for obj_attr in self.api.Object[obj].default_attributes:
> > > Shouldn't this be checked_attrs?
> > > 
> > 
> > Correct. The previous version worked because .append modified the
> > original list. Fixed.
> Hm..
> +                checked_attrs = self.api.Object[obj].default_attributes
> doesn't change anything -- you still get a reference to 
> default_attributes and through 
>   checked_attrs += ....
> you'd modify the original one. Wouldn't the following be more correct:
> +                checked_attrs = copy(self.api.Object[obj].default_attributes)
> ?

This was done on purpose. When you combine 2 lists in Python using +
operator, a new list is created without modifying the old one. Check the
following example:

>>> a = [1,2,3]
>>> b = [4]
>>> c = a+b
>>> print c
[1, 2, 3, 4]
>>> print a
[1, 2, 3]
>>> print b
[4]
>>> c.append(5)
>>> print c
[1, 2, 3, 4, 5]
>>> print a
[1, 2, 3]
>>> print b
[4]

Martin



From abokovoy at redhat.com  Tue Oct 11 10:57:55 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 11 Oct 2011 13:57:55 +0300
Subject: [Freeipa-devel] [PATCH] 142 Improve default user/group object
 class validation
In-Reply-To: <1318330527.10939.11.camel@dhcp-25-52.brq.redhat.com>
References: <1318321776.10939.0.camel@dhcp-25-52.brq.redhat.com>
	<20111011090121.GD24510@redhat.com>
	<1318326432.10939.7.camel@dhcp-25-52.brq.redhat.com>
	<20111011101646.GF24510@redhat.com>
	<1318330527.10939.11.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <20111011105755.GG24510@redhat.com>

On Tue, 11 Oct 2011, Martin Kosek wrote:
> This was done on purpose. When you combine 2 lists in Python using +
> operator, a new list is created without modifying the old one. Check the
> following example:
> 
> >>> a = [1,2,3]
> >>> b = [4]
> >>> c = a+b
> >>> print c
> [1, 2, 3, 4]
> >>> print a
> [1, 2, 3]
> >>> print b
> [4]
> >>> c.append(5)
> >>> print c
> [1, 2, 3, 4, 5]
> >>> print a
> [1, 2, 3]
> >>> print b
> [4]
Sorry, but this is not our case:
>>> a = [1,2,3]
>>> b = a
>>> b += [4]
>>> print a
[1, 2, 3, 4]
>>> print b
[1, 2, 3, 4]

-- 
/ Alexander Bokovoy



From mkosek at redhat.com  Tue Oct 11 11:21:29 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 11 Oct 2011 13:21:29 +0200
Subject: [Freeipa-devel] [PATCH] 142 Improve default user/group object
 class validation
In-Reply-To: <20111011105755.GG24510@redhat.com>
References: <1318321776.10939.0.camel@dhcp-25-52.brq.redhat.com>
	<20111011090121.GD24510@redhat.com>
	<1318326432.10939.7.camel@dhcp-25-52.brq.redhat.com>
	<20111011101646.GF24510@redhat.com>
	<1318330527.10939.11.camel@dhcp-25-52.brq.redhat.com>
	<20111011105755.GG24510@redhat.com>
Message-ID: <1318332091.3614.2.camel@dhcp-30-109.brq.redhat.com>

On Tue, 2011-10-11 at 13:57 +0300, Alexander Bokovoy wrote:
> On Tue, 11 Oct 2011, Martin Kosek wrote:
> > This was done on purpose. When you combine 2 lists in Python using +
> > operator, a new list is created without modifying the old one. Check the
> > following example:
> > 
> > >>> a = [1,2,3]
> > >>> b = [4]
> > >>> c = a+b
> > >>> print c
> > [1, 2, 3, 4]
> > >>> print a
> > [1, 2, 3]
> > >>> print b
> > [4]
> > >>> c.append(5)
> > >>> print c
> > [1, 2, 3, 4, 5]
> > >>> print a
> > [1, 2, 3]
> > >>> print b
> > [4]
> Sorry, but this is not our case:
> >>> a = [1,2,3]
> >>> b = a
> >>> b += [4]
> >>> print a
> [1, 2, 3, 4]
> >>> print b
> [1, 2, 3, 4]
> 

You are right. This is an important Python lesson for me. c=c+a is NOT
equal to c+=a as it is in C. Behold:
>>> a=[1,2,3]
>>> b=a
>>> b = b + [4]
>>> a
[1, 2, 3]
>>> b
[1, 2, 3, 4]
>>> 
>>> 
>>> a=[1,2,3]
>>> b=a
>>> b+= [4]
>>> a
[1, 2, 3, 4]
>>> b
[1, 2, 3, 4]

Updated patch attached.

Martin


-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-142-3-improve-default-user-group-object-class-validation.patch
Type: text/x-patch
Size: 3818 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111011/befce003/attachment.bin>

From abokovoy at redhat.com  Tue Oct 11 11:56:53 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 11 Oct 2011 14:56:53 +0300
Subject: [Freeipa-devel] [PATCH] 142 Improve default user/group object
 class validation
In-Reply-To: <1318332091.3614.2.camel@dhcp-30-109.brq.redhat.com>
References: <1318321776.10939.0.camel@dhcp-25-52.brq.redhat.com>
	<20111011090121.GD24510@redhat.com>
	<1318326432.10939.7.camel@dhcp-25-52.brq.redhat.com>
	<20111011101646.GF24510@redhat.com>
	<1318330527.10939.11.camel@dhcp-25-52.brq.redhat.com>
	<20111011105755.GG24510@redhat.com>
	<1318332091.3614.2.camel@dhcp-30-109.brq.redhat.com>
Message-ID: <20111011115652.GI24510@redhat.com>

On Tue, 11 Oct 2011, Martin Kosek wrote:
> When user/group default object class is being modified via
> ipa config-mod, no validation check is run. Check at least
> the following:
> 
> - all object classes are known to LDAP
> - all default user/group attributes are allowed under the new
>   set of default object classes
> 
> https://fedorahosted.org/freeipa/ticket/1893
ACK.

-- 
/ Alexander Bokovoy



From pvoborni at redhat.com  Tue Oct 11 12:10:37 2011
From: pvoborni at redhat.com (Petr Vobornik)
Date: Tue, 11 Oct 2011 14:10:37 +0200
Subject: [Freeipa-devel] [PATCH] 025 Fixed: Duplicate CSS definitions
Message-ID: <4E94323D.6060109@redhat.com>

https://fedorahosted.org/freeipa/ticket/1565

(3.0 Core Effort Iteration 01 September Y11 Release)

-- 
Petr Vobornik
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0025-Fixed-Duplicate-CSS-definitions.patch
Type: text/x-patch
Size: 49361 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111011/a430dc7e/attachment.bin>

From mkosek at redhat.com  Tue Oct 11 12:45:01 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 11 Oct 2011 14:45:01 +0200
Subject: [Freeipa-devel] [PATCH] 143 Fix dnszone-add name_from_ip server
 validation
In-Reply-To: <1318323821.10939.3.camel@dhcp-25-52.brq.redhat.com>
References: <1318323821.10939.3.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <1318337103.3614.6.camel@dhcp-30-109.brq.redhat.com>

On Tue, 2011-10-11 at 11:03 +0200, Martin Kosek wrote:
> Based mainly on Rob's fix proposed in Trac.
> ---
> Ticket 1627 contained a (temporary hack-ish) fix for dnszone-add
> name_from_ip validation which works fine for CLI. However, when
> the command is not proceeded via CLI and sent directly to the
> RPC server, the server throws Internal Server Error.
> 
> Make sure that the server returns a reasonable error.
> 
> https://fedorahosted.org/freeipa/ticket/1941
> 

We miss a test for name_from_ip parameter. I added 2 unit cases that
verify this option works + reports a ValidationError when the IP address
is wrong.

Martin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-143-2-fix-dnszone-add-name_from_ip-server-validation.patch
Type: text/x-patch
Size: 4454 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111011/287dbde5/attachment.bin>

From mkosek at redhat.com  Tue Oct 11 13:00:21 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 11 Oct 2011 15:00:21 +0200
Subject: [Freeipa-devel] [PATCH] 142 Improve default user/group object
 class validation
In-Reply-To: <20111011115652.GI24510@redhat.com>
References: <1318321776.10939.0.camel@dhcp-25-52.brq.redhat.com>
	<20111011090121.GD24510@redhat.com>
	<1318326432.10939.7.camel@dhcp-25-52.brq.redhat.com>
	<20111011101646.GF24510@redhat.com>
	<1318330527.10939.11.camel@dhcp-25-52.brq.redhat.com>
	<20111011105755.GG24510@redhat.com>
	<1318332091.3614.2.camel@dhcp-30-109.brq.redhat.com>
	<20111011115652.GI24510@redhat.com>
Message-ID: <1318338023.3614.7.camel@dhcp-30-109.brq.redhat.com>

On Tue, 2011-10-11 at 14:56 +0300, Alexander Bokovoy wrote:
> On Tue, 11 Oct 2011, Martin Kosek wrote:
> > When user/group default object class is being modified via
> > ipa config-mod, no validation check is run. Check at least
> > the following:
> > 
> > - all object classes are known to LDAP
> > - all default user/group attributes are allowed under the new
> >   set of default object classes
> > 
> > https://fedorahosted.org/freeipa/ticket/1893
> ACK.
> 

Both patches (config plugin validation + config plugin i18n fix) pushed
to master, ipa-2-1.

Martin



From rcritten at redhat.com  Tue Oct 11 13:10:23 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 11 Oct 2011 09:10:23 -0400
Subject: [Freeipa-devel] [PATCH] 143 Fix dnszone-add name_from_ip server
 validation
In-Reply-To: <1318337103.3614.6.camel@dhcp-30-109.brq.redhat.com>
References: <1318323821.10939.3.camel@dhcp-25-52.brq.redhat.com>
	<1318337103.3614.6.camel@dhcp-30-109.brq.redhat.com>
Message-ID: <4E94403F.1040700@redhat.com>

Martin Kosek wrote:
> On Tue, 2011-10-11 at 11:03 +0200, Martin Kosek wrote:
>> Based mainly on Rob's fix proposed in Trac.
>> ---
>> Ticket 1627 contained a (temporary hack-ish) fix for dnszone-add
>> name_from_ip validation which works fine for CLI. However, when
>> the command is not proceeded via CLI and sent directly to the
>> RPC server, the server throws Internal Server Error.
>>
>> Make sure that the server returns a reasonable error.
>>
>> https://fedorahosted.org/freeipa/ticket/1941
>>
>
> We miss a test for name_from_ip parameter. I added 2 unit cases that
> verify this option works + reports a ValidationError when the IP address
> is wrong.
>
> Martin

ack



From jcholast at redhat.com  Tue Oct 11 13:11:19 2011
From: jcholast at redhat.com (Jan Cholasta)
Date: Tue, 11 Oct 2011 15:11:19 +0200
Subject: [Freeipa-devel] [PATCH] 52 Disallow deletion of global password
	policy
Message-ID: <4E944077.5010906@redhat.com>

Don't allow "ipa pwpolicy-del global_policy".

https://fedorahosted.org/freeipa/ticket/1936

Questions:

Is it possible to disallow deletion of specific objects on LDAP level 
instead?

The default HBAC rule, allow_all, can also be deleted - should it be 
disallowed too?

Honza

-- 
Jan Cholasta
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-52-pwpolicy-del-global.patch
Type: text/x-patch
Size: 1036 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111011/d9baaec7/attachment.bin>

From mkosek at redhat.com  Tue Oct 11 13:17:24 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 11 Oct 2011 15:17:24 +0200
Subject: [Freeipa-devel] [PATCH] 143 Fix dnszone-add name_from_ip server
 validation
In-Reply-To: <4E94403F.1040700@redhat.com>
References: <1318323821.10939.3.camel@dhcp-25-52.brq.redhat.com>
	<1318337103.3614.6.camel@dhcp-30-109.brq.redhat.com>
	<4E94403F.1040700@redhat.com>
Message-ID: <1318339046.2496.0.camel@balmora.brq.redhat.com>

On Tue, 2011-10-11 at 09:10 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > On Tue, 2011-10-11 at 11:03 +0200, Martin Kosek wrote:
> >> Based mainly on Rob's fix proposed in Trac.
> >> ---
> >> Ticket 1627 contained a (temporary hack-ish) fix for dnszone-add
> >> name_from_ip validation which works fine for CLI. However, when
> >> the command is not proceeded via CLI and sent directly to the
> >> RPC server, the server throws Internal Server Error.
> >>
> >> Make sure that the server returns a reasonable error.
> >>
> >> https://fedorahosted.org/freeipa/ticket/1941
> >>
> >
> > We miss a test for name_from_ip parameter. I added 2 unit cases that
> > verify this option works + reports a ValidationError when the IP address
> > is wrong.
> >
> > Martin
> 
> ack
> 

Pushed to master, ipa-2-1.

Martin



From rcritten at redhat.com  Tue Oct 11 13:19:56 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 11 Oct 2011 09:19:56 -0400
Subject: [Freeipa-devel] [PATCH] 52 Disallow deletion of global password
 policy
In-Reply-To: <4E944077.5010906@redhat.com>
References: <4E944077.5010906@redhat.com>
Message-ID: <4E94427C.8030602@redhat.com>

Jan Cholasta wrote:
> Don't allow "ipa pwpolicy-del global_policy".
>
> https://fedorahosted.org/freeipa/ticket/1936

Can you add a unit test case for this? Then ack.

>
> Questions:
>
> Is it possible to disallow deletion of specific objects on LDAP level
> instead?

Well, that would be ideal in some cases. We'd need to write a plugin to 
intercept changes and have it compare it to a list of "no deletes". You 
can file an RFE if you want, this might be handy to have.

>
> The default HBAC rule, allow_all, can also be deleted - should it be
> disallowed too?

This is one we want to be removable. Before we had this the default HBAC 
stance was "nobody can log in" and it was jarring to most folks.

It is possible to install without this rule using the option --no_hbac_allow

rob



From rcritten at redhat.com  Tue Oct 11 13:46:17 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 11 Oct 2011 09:46:17 -0400
Subject: [Freeipa-devel] [PATCH] 0024 Force use of kerberos realm to be
 a string in config.py
In-Reply-To: <20111011091313.GE24510@redhat.com>
References: <20111011091313.GE24510@redhat.com>
Message-ID: <4E9448A9.4000408@redhat.com>

Alexander Bokovoy wrote:
> Hi,
>
> there seems to be something new with python-2.7.2 on Fedora 16 and
> 'make lint' complains about
>    dom_name = config.default_realm.lower()
> as config.default_realm is of type _Chainmap during static analysis.
>
> We get config.default_realm out of krbV.default_context().default_realm.
>
> The code change works fine with Fedora 15 as well (tested).

ACK, pushed to master and ipa-2-1.

rob



From rcritten at redhat.com  Tue Oct 11 14:18:20 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 11 Oct 2011 10:18:20 -0400
Subject: [Freeipa-devel] [PATCH] 0023  Improve hbactest
In-Reply-To: <20111011083343.GC24510@redhat.com>
References: <20111011083343.GC24510@redhat.com>
Message-ID: <4E94502C.2090909@redhat.com>

Alexander Bokovoy wrote:
> Hi,
>
> two improvements for hbactest command:
> 1. Include indirect membership for users and hosts
> 2. Append FreeIPA default domain to hosts in hbactest request if they
>     are not fully qualified ones.
>
> Fixes
> https://fedorahosted.org/freeipa/ticket/1862
> https://fedorahosted.org/freeipa/ticket/1949
>
> Two patches in the same commit because they affect the same code and
> otherwise would have created dependency between the patches anyway.

ack, pushed to master and ipa-2-1

rob



From mkosek at redhat.com  Tue Oct 11 15:07:48 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 11 Oct 2011 17:07:48 +0200
Subject: [Freeipa-devel] [PATCH] 888 always verify hostname
In-Reply-To: <4E8EFC09.9030301@redhat.com>
References: <4E8E6AF4.8060302@redhat.com>
	<1317979530.8399.26.camel@dhcp-25-52.brq.redhat.com>
	<4E8EF766.2070706@redhat.com>
	<1317992800.8399.43.camel@dhcp-25-52.brq.redhat.com>
	<4E8EFC09.9030301@redhat.com>
Message-ID: <1318345671.2965.1.camel@balmora.brq.redhat.com>

On Fri, 2011-10-07 at 09:18 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> >>
> >> Yes but the entry is added /etc/hosts at the very END of installation,
> >> apparently too late for some things. We can alternately add this prior
> >> to configuring anything else.
> >
> > But we add the entry to /etc/hosts right in the beginning. After the
> > line marked with<<<<<<  is printed. I double-checked it right now.
> 
> Ok, this is totally freaky then. See ticket 
> https://fedorahosted.org/freeipa/ticket/1931
> >

I think it is worth mentioning there that the /etc/hosts entry is added
in the beginning only if the hostname is not resolvable and IP address
is passed by the user, i.e. only when the following line printed:

# ipa-server-install --setup-dns (or --no-host-dns)
...
Please provide the IP address to be used for this host name: 10.16.78.50
Adding [10.16.78.50 ipa.example.com] to your /etc/hosts file
...

I saw that 1931 should be solved by a new custom hostname parameter
passed to bind-dyndb-ldap plugin.


I did some additional testing of my proposed patch 140 and it behaved
fine. It is able to catch misconfigured /etc/hosts in both following ways:

1) invalid hostname for given IP address

1.2.3.4  foo

or short name first:

1.2.3.4 foo foo.example.com


To sum this up - I think the patch is ready for review.

Martin




From rcritten at redhat.com  Tue Oct 11 16:00:25 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 11 Oct 2011 12:00:25 -0400
Subject: [Freeipa-devel] [PATCH] 024 Added missing fields to password
 policy page
In-Reply-To: <4E93FEBA.5000000@redhat.com>
References: <4E93FEBA.5000000@redhat.com>
Message-ID: <4E946819.8090101@redhat.com>

Petr Vobornik wrote:
> https://fedorahosted.org/freeipa/ticket/1944
>
> (2.1.3 Release)
>
> No editable fields exist for "maxfail", "failinterval" "lockouttime" and
> "priority" in password policy page.

Ack. Pushed to master and ipa-2-1.



From yzhang at redhat.com  Tue Oct 11 16:41:34 2011
From: yzhang at redhat.com (yi zhang)
Date: Tue, 11 Oct 2011 09:41:34 -0700
Subject: [Freeipa-devel] [PATCH] 024 Added missing fields to password
 policy page
In-Reply-To: <4E93FEBA.5000000@redhat.com>
References: <4E93FEBA.5000000@redhat.com>
Message-ID: <4E9471BE.7060004@redhat.com>

On 10/11/2011 01:30 AM, Petr Vobornik wrote:
> https://fedorahosted.org/freeipa/ticket/1944
>
> (2.1.3 Release)
>
> No editable fields exist for "maxfail", "failinterval" "lockouttime" 
> and "priority" in password policy page.
Thanks!
Yi
>
>
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel


-- 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| Yi Zhang                          |
| QA @ Mountain View, Calinfornia   |
| Cell: 408-509-6375                |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111011/2f581836/attachment.htm>

From jcholast at redhat.com  Tue Oct 11 16:51:24 2011
From: jcholast at redhat.com (Jan Cholasta)
Date: Tue, 11 Oct 2011 18:51:24 +0200
Subject: [Freeipa-devel] [PATCH] 53 Don't leak passwords through
 kdb5_ldap_util command line arguments
Message-ID: <4E94740C.7060104@redhat.com>

https://fedorahosted.org/freeipa/ticket/1948

Honza

-- 
Jan Cholasta
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-53-krbinstance-password-leak.patch
Type: text/x-patch
Size: 1798 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111011/37a2dda8/attachment.bin>

From jdennis at redhat.com  Tue Oct 11 21:05:01 2011
From: jdennis at redhat.com (John Dennis)
Date: Tue, 11 Oct 2011 17:05:01 -0400
Subject: [Freeipa-devel] [PATCH 50/50] Ticket 1718 - Fix Spanish po
	translation file
Message-ID: <201110112105.p9BL519M026264@int-mx02.intmail.prod.int.phx2.redhat.com>

There were quite errors in es.po, it was difficult or impossible to
track down where they came from, Transifex does not have good revision
history.

I fixed about 20% of the msgstr's in the file that had obvious
problems which could be spotted by a non-Spanish speaking person.

Spurious backslashes and backslash-newlines had been introduced. I
tracked this particular problem down to a bug in polib. polib is a
Python library which can read/write po/mo files. In Fedora it's
packaged as python-polib. polib is used by the Transifex instance to
read/write po files. We don't currently use polib in IPA (that will
change soon though) but I wrote utilities using polib to help fix the
bad po file and analyze what had gone wrong. I discovered that if one
simply uses polib to read a po file into memory and they write that po
file back out from memory you don't end up with the same contents if
there are backslashed escapes in the file. I tracked this down to the
escape() and unescape() functions in polib. This caused me to look to
see if upstream polib had been fixed. It had. Therefore I think the
spurious backslashes were introduced when Transifex was using an older
broken version of polib. I filed this Fedora bug
https://bugzilla.redhat.com/show_bug.cgi?id=744419 to get the fixes
into python-polib. I manually corrected all the backslash errors.

I compared all 1329 translations from a known good version of es.po
with the current version and generated a new es.po by taking the
translation (e.g. msgstr) from the two po files which was obviously
correct. In those instances where neither msgstr was obviosuly correct
the deleted the translation entirely.

I also wrote utilities to validate any "substitution" variables
appearing in the text. I discovered a number of instances where the
substitution variable had been malformed by the translator such that
it was syntactically invalid. This is how we originally discovered
problems with the translation, it was throwing Python exceptions. I
fixed all those errors.

I also found approximately 80 translations where the leading
whitespace had been altered by the translator. Those also were fixed.

I cannot verify that the remaining translations are a correct Spanish
translation of the original text (in fact a number of them I looked at
seemed dubious to me, for example it omitted recongnizable
keywords). But I do believe that the obvious errors are fixed and we
shouldn't be throwing any more Python exceptions because of malformed
substitution variables.

--
John Dennis <jdennis at redhat.com>

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0050-Ticket-1718-Fix-Spanish-po-translation-file.patch
Type: text/x-patch
Size: 71921 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111011/ff4f88bf/attachment.bin>

From rcritten at redhat.com  Tue Oct 11 21:40:03 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 11 Oct 2011 17:40:03 -0400
Subject: [Freeipa-devel] [PATCH] 890 OTP client enrollment with anonymous
	disabled
Message-ID: <4E94B7B3.7060507@redhat.com>

Fix OTP client enrollment when anonymous searches are disabled in 389-ds.

This is fixed mostly by passing in the basedn to ipa-join so we don't 
have to hunt for it. I did modify that routine so it will look through 
all naming contexts to find the IPA one but this will fail if anonymous 
searches are not allowed.

I fixed a couple of minor memory leaks too (valgrind still reports 
several but they are out of our control).

This should be tested both with a OTP host and using an authorized user.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-890-client.patch
Type: text/x-patch
Size: 15395 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111011/196e39a9/attachment.bin>

From rcritten at redhat.com  Tue Oct 11 22:06:22 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 11 Oct 2011 18:06:22 -0400
Subject: [Freeipa-devel] [PATCH 50/50] Ticket 1718 - Fix Spanish po
 translation file
In-Reply-To: <201110112105.p9BL519M026264@int-mx02.intmail.prod.int.phx2.redhat.com>
References: <201110112105.p9BL519M026264@int-mx02.intmail.prod.int.phx2.redhat.com>
Message-ID: <4E94BDDE.60005@redhat.com>

John Dennis wrote:
> There were quite errors in es.po, it was difficult or impossible to
> track down where they came from, Transifex does not have good revision
> history.
>
> I fixed about 20% of the msgstr's in the file that had obvious
> problems which could be spotted by a non-Spanish speaking person.
>

I think this should be left as it was:

  #: ipalib/plugins/config.py:76
  msgid "searchtimelimit must be -1 or > 1."
-msgstr "searchtimelimit debe ser -1 o&gt; 1."
+msgstr ""

There are some cases where leading white space is remove and a bunch 
where it is added. Are these ok?

@@ -3184,7 +3117,7 @@ msgid ""
  "    "
  msgstr ""
  "\n"
-"B?squeda de cuentas de derechod."
+"    B?squeda de cuentas de derechod."

Otherwise looks lots better

rob



From jcholast at redhat.com  Wed Oct 12 07:28:27 2011
From: jcholast at redhat.com (Jan Cholasta)
Date: Wed, 12 Oct 2011 09:28:27 +0200
Subject: [Freeipa-devel] [PATCH] 52 Disallow deletion of global password
 policy
In-Reply-To: <4E94427C.8030602@redhat.com>
References: <4E944077.5010906@redhat.com> <4E94427C.8030602@redhat.com>
Message-ID: <4E95419B.70306@redhat.com>

Dne 11.10.2011 15:19, Rob Crittenden napsal(a):
> Jan Cholasta wrote:
>> Don't allow "ipa pwpolicy-del global_policy".
>>
>> https://fedorahosted.org/freeipa/ticket/1936
>
> Can you add a unit test case for this? Then ack.
>
>>
>> Questions:
>>
>> Is it possible to disallow deletion of specific objects on LDAP level
>> instead?
>
> Well, that would be ideal in some cases. We'd need to write a plugin to
> intercept changes and have it compare it to a list of "no deletes". You
> can file an RFE if you want, this might be handy to have.
>
>>
>> The default HBAC rule, allow_all, can also be deleted - should it be
>> disallowed too?
>
> This is one we want to be removable. Before we had this the default HBAC
> stance was "nobody can log in" and it was jarring to most folks.
>
> It is possible to install without this rule using the option
> --no_hbac_allow
>
> rob

Unit test added.

Honza

-- 
Jan Cholasta
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-52.1-pwpolicy-del-global.patch
Type: text/x-patch
Size: 2304 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111012/9a476d6e/attachment.bin>

From mkosek at redhat.com  Wed Oct 12 07:59:23 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 12 Oct 2011 09:59:23 +0200
Subject: [Freeipa-devel] [PATCH] 145 Optimize member/memberof searches in
	LDAP
Message-ID: <1318406366.14093.13.camel@balmora.brq.redhat.com>

How to test:

1) Add some nested membership relationships:
$ ipa group-add --desc=foo group1
$ ipa group-add --desc=foo group2
$ ipa user-add --first=Foo --last=Bar foobar

$ ipa role-add-member helpdesk --groups=group2
$ ipa group-add-member group2 --groups=group1
$ ipa group-add-member group1 --users=foobar

2) Start receiving all SCOPE_SUBTREE (scope=2) searches in LDAP:
# tail -f /var/log/dirsrv/slapd-IDM-LAB-BOS-REDHAT-COM/access | grep SRCH | grep "scope=2" | grep -v krbprincipalaux

3) Do some -show commands to see the unnecessary SCOPE_SUBTREE (scope=2)
searches we do to get memberships:

$ ipa role-show helpdesk --all --raw
$ ipa user-show foobar --all --raw
etc.

Martin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-145-optimize-member-memberof-searches-in-ldap.patch
Type: text/x-patch
Size: 2391 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111012/86630e46/attachment.bin>

From jcholast at redhat.com  Wed Oct 12 08:11:19 2011
From: jcholast at redhat.com (Jan Cholasta)
Date: Wed, 12 Oct 2011 10:11:19 +0200
Subject: [Freeipa-devel] [PATCH] 26 Remove redundant configuration
 values from krb5.conf
In-Reply-To: <4E0A375E.4020906@redhat.com>
References: <4E09CFC0.4040804@redhat.com> <4E0A375E.4020906@redhat.com>
Message-ID: <4E954BA7.1090205@redhat.com>

Dne 28.6.2011 22:19, Rob Crittenden napsal(a):
> Jan Cholasta wrote:
>> https://fedorahosted.org/freeipa/ticket/1358
>>
>> Honza
>
> ack, pushed to master and ipa-2-0

Don't configure [appdefaults], as per Nalin's suggestion 
(https://fedorahosted.org/freeipa/ticket/1358#comment:5)

Honza

-- 
Jan Cholasta
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-26a-krb5-conf-redundant.patch
Type: text/x-patch
Size: 1674 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111012/8910d123/attachment.bin>

From mkosek at redhat.com  Wed Oct 12 08:16:00 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 12 Oct 2011 10:16:00 +0200
Subject: [Freeipa-devel] [PATCH] 52 Disallow deletion of global password
 policy
In-Reply-To: <4E95419B.70306@redhat.com>
References: <4E944077.5010906@redhat.com> <4E94427C.8030602@redhat.com>
	<4E95419B.70306@redhat.com>
Message-ID: <1318407363.14093.14.camel@balmora.brq.redhat.com>

On Wed, 2011-10-12 at 09:28 +0200, Jan Cholasta wrote:
> Dne 11.10.2011 15:19, Rob Crittenden napsal(a):
> > Jan Cholasta wrote:
> >> Don't allow "ipa pwpolicy-del global_policy".
> >>
> >> https://fedorahosted.org/freeipa/ticket/1936
> >
> > Can you add a unit test case for this? Then ack.
> >
> >>
> >> Questions:
> >>
> >> Is it possible to disallow deletion of specific objects on LDAP level
> >> instead?
> >
> > Well, that would be ideal in some cases. We'd need to write a plugin to
> > intercept changes and have it compare it to a list of "no deletes". You
> > can file an RFE if you want, this might be handy to have.
> >
> >>
> >> The default HBAC rule, allow_all, can also be deleted - should it be
> >> disallowed too?
> >
> > This is one we want to be removable. Before we had this the default HBAC
> > stance was "nobody can log in" and it was jarring to most folks.
> >
> > It is possible to install without this rule using the option
> > --no_hbac_allow
> >
> > rob
> 
> Unit test added.
> 
> Honza

Second ACK and pushed to master, ipa-2-1.

Martin



From mkosek at redhat.com  Wed Oct 12 09:01:57 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 12 Oct 2011 11:01:57 +0200
Subject: [Freeipa-devel] [PATCH] 146 ipa-client-install hangs if the
	discovered server is
Message-ID: <1318410120.14093.17.camel@balmora.brq.redhat.com>

For starters I added a 15 second timeout and 2 tries. These numbers are
arbitrary, I am open to suggestions.

Martin

---
Add a timeout to the wget call to cover a case when autodiscovered
server does not response to our attempt to download ca.crt. Let
user specify a different IPA server in that case.

https://fedorahosted.org/freeipa/ticket/1960

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-146-ipa-client-install-hangs.patch
Type: text/x-patch
Size: 2786 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111012/9c96752b/attachment.bin>

From abokovoy at redhat.com  Wed Oct 12 11:33:33 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 12 Oct 2011 14:33:33 +0300
Subject: [Freeipa-devel] [PATCH] 0025/0026 ipa-client-install --hostname not
 setting HOSTNAME if it is missing from the configuration file
Message-ID: <20111012113332.GA15646@redhat.com>

Hi,

attached is a small refactoring that is pursuing two goals:
 - fix https://fedorahosted.org/freeipa/ticket/1871 
  and
 - prepare grounds for systemd integration

As ticket 1871 is about cases when HOSTNAME is missing from 
/etc/sysconfig/network, this patch adds support to append 
HOSTNAME=<hostname> when it is missing. However, it does a bit more -- 
it introduces generic replacement/appending tool for key=value style 
configuration files.

For all key=value pairs in replacevars, existing value of key will get 
replaced by a new one.

For all key=value pairs in appendvars, existing value of key will me 
amended to also include new value.

The latter is the case of configuring krb5kdc.

Also, all keys totally missing from the config will be added. Values 
from replacevars and appendvars are merged before doing it so there is 
only single key=value pair afterwards. Obviously, it is the caller 
responsibility to not allow replacevars/appendvars have conflicting 
values.

Patch 0025 introduces the common code and transforms 
ipapython.services.backup_and_replace_hostname()

Patch 0026 uses this new code to change 
ipaserver/install/krb5instance.py to use new code.
-- 
/ Alexander Bokovoy
-------------- next part --------------
>From db1a37bbb58ddd1a99c5498940f2988477392a06 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy at redhat.com>
Date: Wed, 12 Oct 2011 14:15:01 +0300
Subject: [PATCH 1/2] Refactor backup_and_replace_hostname() into a flexible
 config modification tool

backup_and_replace_hostname() was doing three things:
1. Given config file in 'key=value' style, replace value for a specified key (HOSTNAME)
2. Backup original file and install a replacement
3. Restore original security context after editing

We have several more places where parts of the functionality are needed,
thus making two tools in ipapython.ipautil:

    1. config_replace_variables(filepath, replacevars=dict(), appendvars=dict())
       Replaces or appends values to specified keys, adding new key=value pairs if key was absent

    2. backup_config_and_replace_variables(fstore, filepath, replacevars=dict(), appendvars=dict())
       Backups config file and calls config_replace_variables()

A caller must handle security context after using these two tools.

In addition, as before, there is ipapython.services.backup_and_replace_hostname() that uses
these common tools and restores security context after editing.

The code will be used extensively for systemd integration for Fedora 16.

Fixes:
    https://fedorahosted.org/freeipa/ticket/1871
---
 ipapython/ipautil.py         |   90 ++++++++++++++++++++++++++++++++++++++++++
 ipapython/platform/redhat.py |   51 +++--------------------
 2 files changed, 97 insertions(+), 44 deletions(-)

diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index 6e037926ce678557d9273be6ff1e9a6c65d0f80e..49fc64cea7c48d7aaf7e44de3c26d395fddbaa28 100644
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -1185,3 +1185,93 @@ def get_ipa_basedn(conn):
 
     return None
 
+def config_replace_variables(filepath, replacevars=dict(), appendvars=dict()):
+    """
+    Take a key=value based configuration file, and write new version 
+    with certain values replaced or appended 
+
+    All (key,value) pairs from replacevars and appendvars that were not found 
+    in the configuration file, will be added there.
+
+    It is responsibility of a caller to ensure that replacevars and
+    appendvars do not overlap.
+
+    It is responsibility of a caller to back up file.
+
+    returns dictionary of affected keys and their previous values
+
+    One have to run restore_context(filepath) afterwards or
+    security context of the file will not be correct after modification
+    """
+    pattern = re.compile('''
+(^
+                        \s*
+        (?P<option>     [^\#;]+?)
+                        (\s*=\s*)
+        (?P<value>      .+?)?
+                        (\s*((\#|;).*)?)?
+$)''', re.VERBOSE)
+    orig_stat = os.stat(filepath)
+    old_values = dict()
+    temp_filename = None
+    with tempfile.NamedTemporaryFile(delete=False) as new_config:
+        temp_filename = new_config.name
+        with open(filepath, 'r') as f:
+            for line in f:
+                new_line = line
+                m = pattern.match(line)
+                if m:
+                    option, value = m.group('option', 'value')
+                    if option is not None:
+                        if replacevars and option in replacevars:
+                            # replace value completely
+                            new_line = u"%s=%s\n" % (option, replacevars[option])
+                            old_values[option] = value
+                        if appendvars and option in appendvars:
+                            # append new value unless it is already existing in the original one
+                            if value.find(appendvars[option]) == -1:
+                                new_line = u"%s=%s %s\n" % (option, value, appendvars[option])
+                            old_values[option] = value
+                new_config.write(new_line)
+        # Now add all options from replacevars and appendvars that were not found in the file
+        new_vars = replacevars.copy()
+        new_vars.update(appendvars)
+        newvars_view = new_vars.viewkeys() - old_values.viewkeys()
+        append_view = (appendvars.viewkeys() - replacevars.viewkeys()) - old_values.viewkeys()
+        for item in newvars_view:
+            new_config.write("%s=%s\n" % (item,new_vars[item]))
+        for item in append_view:
+            new_config.write("%s=%s\n" % (item,appendvars[item]))
+        new_config.flush()
+        # Make sure the resulting file is readable by others before installing it
+        os.fchmod(new_config.fileno(), orig_stat.st_mode)
+        os.fchown(new_config.fileno(), orig_stat.st_uid, orig_stat.st_gid)
+
+    # At this point new_config is closed but not removed due to 'delete=False' above
+    # Now, install the temporary file as configuration and ensure old version is available as .orig
+    # While .orig file is not used during uninstall, it is left there for administrator.
+    install_file(temp_filename, filepath)
+
+    return old_values
+
+def backup_config_and_replace_variables(fstore, filepath, replacevars=dict(), appendvars=dict()):
+    """
+    Take a key=value based configuration file, back up it, and
+    write new version with certain values replaced or appended 
+
+    All (key,value) pairs from replacevars and appendvars that
+    were not found in the configuration file, will be added there.
+
+    It is responsibility of a caller to ensure that replacevars and
+    appendvars do not overlap.
+
+    returns dictionary of affected keys and their previous values
+
+    One have to run restore_context(filepath) afterwards or
+    security context of the file will not be correct after modification
+    """
+    # Backup original filepath
+    fstore.backup_file(filepath)
+    old_values = config_replace_variables(filepath, replacevars, appendvars)
+
+    return old_values
diff --git a/ipapython/platform/redhat.py b/ipapython/platform/redhat.py
index 6bf8bf348a4c30c79ad29d8b2b30a088bd28372d..ef4a9c45016ba7761dff04a9181ddda736396beb 100644
--- a/ipapython/platform/redhat.py
+++ b/ipapython/platform/redhat.py
@@ -133,48 +133,11 @@ def restore_context(filepath):
     ipautil.run(["/sbin/restorecon", filepath], raiseonerr=False)
 
 def backup_and_replace_hostname(fstore, statestore, hostname):
-    network_filename = "/etc/sysconfig/network"
-    # Backup original /etc/sysconfig/network
-    fstore.backup_file(network_filename)
-    hostname_pattern = re.compile('''
-(^
-                        \s*
-        (?P<option>     [^\#;]+?)
-                        (\s*=\s*)
-        (?P<value>      .+?)?
-                        (\s*((\#|;).*)?)?
-$)''', re.VERBOSE)
-    temp_filename = None
-    with tempfile.NamedTemporaryFile(delete=False) as new_config:
-        temp_filename = new_config.name
-        with open(network_filename, 'r') as f:
-            for line in f:
-                new_line = line
-                m = hostname_pattern.match(line)
-                if m:
-                    option, value = m.group('option', 'value')
-                    if option is not None and option == 'HOSTNAME':
-                        if value is not None and hostname != value:
-                            new_line = u"HOSTNAME=%s\n" % (hostname)
-                            statestore.backup_state('network', 'hostname', value)
-                new_config.write(new_line)
-        new_config.flush()
-        # Make sure the resulting file is readable by others before installing it
-        os.fchmod(new_config.fileno(), stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP | stat.S_IROTH)
-        os.fchown(new_config.fileno(), 0, 0)
-
-    # At this point new_config is closed but not removed due to 'delete=False' above
-    # Now, install the temporary file as configuration and ensure old version is available as .orig
-    # While .orig file is not used during uninstall, it is left there for administrator.
-    ipautil.install_file(temp_filename, network_filename)
-    try:
-        ipautil.run(['/bin/hostname', hostname])
-    except ipautil.CalledProcessError, e:
-        print >>sys.stderr, "Failed to set this machine hostname to %s (%s)." % (hostname, str(e))
-
-    # For SE Linux environments it is important to reset SE labels to the expected ones
-    try:
-        restore_context(network_filename)
-    except ipautil.CalledProcessError, e:
-        print >>sys.stderr, "Failed to set permissions for %s (%s)." % (network_filename, str(e))
+    replacevars = {'HOSTNAME':hostname}
+    old_values = ipautil.backup_config_and_replace_variables(fstore,
+                                                          "/etc/sysconfig/network", 
+                                                          replacevars=replacevars)
+    restore_context("/etc/sysconfig/network")
+    if old_values['HOSTNAME']:
+        statestore.backup_state('network', 'hostname', old_values['HOSTNAME'])
 
-- 
1.7.6.4

-------------- next part --------------
>From b3eafe089c96ee80affaf3a49c15e0f72104990b Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy at redhat.com>
Date: Wed, 12 Oct 2011 14:18:21 +0300
Subject: [PATCH 2/2] Write KRB5REALM to /etc/sysconfig/krb5kdc and make use
 of common backup_config_and_replace_variables() tool

systemd service unit for krb5kdc in Fedora 16 uses KRB5REALM variable of /etc/sysconfig/krb5kdc
to start krb5kdc for the default realm. Thus, we need to make sure it is always existing and
pointing to our realm.

Partial fix for:
   https://fedorahosted.org/freeipa/ticket/1192
---
 ipaserver/install/krbinstance.py |   30 +++++++++---------------------
 1 files changed, 9 insertions(+), 21 deletions(-)

diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index 513dc5523589341cbcebbe1a80694e7eae6c4308..ad89e87d67c2f581836bd8dbbef530492325e394 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -352,28 +352,16 @@ class KrbInstance(service.Service):
             min = version.LooseVersion(MIN_KRB5KDC_WITH_WORKERS)
             if ver >= min:
                 workers = True
+        # Write down config file
+        # We write realm and also number of workers (for multi-CPU systems)
+        replacevars = {'KRB5REALM':self.realm}
+        appendvars = {}
         if workers and cpus > 1:
-            #read in memory, find KRB5KDC_ARGS, check/change it, then overwrite file
-            self.fstore.backup_file("/etc/sysconfig/krb5kdc")
-
-            need_w = True
-            fd = open("/etc/sysconfig/krb5kdc", "r")
-            lines = fd.readlines()
-            fd.close()
-            for line in lines:
-                sline = line.strip()
-                if not sline.startswith('KRB5KDC_ARGS'):
-                    continue
-                sline = sline.replace('"', '')
-                if sline.find("-w") != -1:
-                    need_w = False
-
-            if need_w:
-                fd = open("/etc/sysconfig/krb5kdc", "w")
-                for line in lines:
-                    fd.write(line)
-                fd.write('KRB5KDC_ARGS="${KRB5KDC_ARGS} -w %s"\n' % str(cpus))
-                fd.close()
+            appendvars = {'KRB5KDC_ARGS': "-w %s" % str(cpus)}
+        ipautil.backup_config_and_replace_variables(self.fstore, "/etc/sysconfig/krb5kdc",
+                                                    replacevars=replacevars,
+                                                    appendvars=appendvars)
+        ipaservices.restore_context("/etc/sysconfig/krb5kdc")
 
     def __write_stash_from_ds(self):
         try:
-- 
1.7.6.4


From rcritten at redhat.com  Wed Oct 12 12:52:29 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 12 Oct 2011 08:52:29 -0400
Subject: [Freeipa-devel] [PATCH] 146 ipa-client-install hangs if the
 discovered server is
In-Reply-To: <1318410120.14093.17.camel@balmora.brq.redhat.com>
References: <1318410120.14093.17.camel@balmora.brq.redhat.com>
Message-ID: <4E958D8D.2050206@redhat.com>

Martin Kosek wrote:
> For starters I added a 15 second timeout and 2 tries. These numbers are
> arbitrary, I am open to suggestions.
>
> Martin
>
> ---
> Add a timeout to the wget call to cover a case when autodiscovered
> server does not response to our attempt to download ca.crt. Let
> user specify a different IPA server in that case.
>
> https://fedorahosted.org/freeipa/ticket/1960

There is a wget call in ipa-client-install as well, should a timeout be 
added there?

rob



From jcholast at redhat.com  Wed Oct 12 12:57:26 2011
From: jcholast at redhat.com (Jan Cholasta)
Date: Wed, 12 Oct 2011 14:57:26 +0200
Subject: [Freeipa-devel] [PATCH] 889 fix selfsign upgrades
In-Reply-To: <4E92FF61.4030704@redhat.com>
References: <4E92FF61.4030704@redhat.com>
Message-ID: <4E958EB6.8060007@redhat.com>

Dne 10.10.2011 16:21, Rob Crittenden napsal(a):
> Upgrading an installation that was installed with selfsign CA will fail
> in ipa-upgradeconfig because it doesn't handle the case where dogtag
> isn't installed.
>
> rob
>

ACK.

Honza

-- 
Jan Cholasta



From mkosek at redhat.com  Wed Oct 12 13:03:44 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 12 Oct 2011 15:03:44 +0200
Subject: [Freeipa-devel] [PATCH] 146 ipa-client-install hangs if the
 discovered server is
In-Reply-To: <4E958D8D.2050206@redhat.com>
References: <1318410120.14093.17.camel@balmora.brq.redhat.com>
	<4E958D8D.2050206@redhat.com>
Message-ID: <1318424626.14093.24.camel@balmora.brq.redhat.com>

On Wed, 2011-10-12 at 08:52 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > For starters I added a 15 second timeout and 2 tries. These numbers are
> > arbitrary, I am open to suggestions.
> >
> > Martin
> >
> > ---
> > Add a timeout to the wget call to cover a case when autodiscovered
> > server does not response to our attempt to download ca.crt. Let
> > user specify a different IPA server in that case.
> >
> > https://fedorahosted.org/freeipa/ticket/1960
> 
> There is a wget call in ipa-client-install as well, should a timeout be 
> added there?
> 
> rob
> 

This wget is for the very same ca.crt that was already (successfully)
retrieved when the server was being checked by ipadiscovery. Thus I
don't think it is necessary.

Martin



From mkosek at redhat.com  Wed Oct 12 13:08:37 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 12 Oct 2011 15:08:37 +0200
Subject: [Freeipa-devel] [PATCH] 147 Hostname used by IPA must be a system
	hostname
Message-ID: <1318424919.14093.27.camel@balmora.brq.redhat.com>

This patch depends on my patch 140 (attached just to be sure).

Do I understand it correctly that new proposed bind-dyndb-ldap option
ldap_hostname won't be needed?

Martin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-147-hostname-used-by-ipa-must-be-a-system-hostname.patch
Type: text/x-patch
Size: 5649 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111012/9b3ea182/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-140-check-hostname-resolution-sanity.patch
Type: text/x-patch
Size: 4660 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111012/9b3ea182/attachment-0001.bin>

From simo at redhat.com  Wed Oct 12 13:31:34 2011
From: simo at redhat.com (Simo Sorce)
Date: Wed, 12 Oct 2011 09:31:34 -0400
Subject: [Freeipa-devel] [PATCH] 146 ipa-client-install hangs if the
 discovered server is
In-Reply-To: <1318424626.14093.24.camel@balmora.brq.redhat.com>
References: <1318410120.14093.17.camel@balmora.brq.redhat.com>
	<4E958D8D.2050206@redhat.com>
	<1318424626.14093.24.camel@balmora.brq.redhat.com>
Message-ID: <1318426294.31149.79.camel@willson.li.ssimo.org>

On Wed, 2011-10-12 at 15:03 +0200, Martin Kosek wrote:
> On Wed, 2011-10-12 at 08:52 -0400, Rob Crittenden wrote:
> > Martin Kosek wrote:
> > > For starters I added a 15 second timeout and 2 tries. These numbers are
> > > arbitrary, I am open to suggestions.
> > >
> > > Martin
> > >
> > > ---
> > > Add a timeout to the wget call to cover a case when autodiscovered
> > > server does not response to our attempt to download ca.crt. Let
> > > user specify a different IPA server in that case.
> > >
> > > https://fedorahosted.org/freeipa/ticket/1960
> > 
> > There is a wget call in ipa-client-install as well, should a timeout be 
> > added there?
> > 
> > rob
> > 
> 
> This wget is for the very same ca.crt that was already (successfully)
> retrieved when the server was being checked by ipadiscovery. Thus I
> don't think it is necessary.

Shouldn't it be eliminated then ?
OR do we really need to dload the cert twice? Or did I misunderstand
your reply ?

Simo.
-- 
Simo Sorce * Red Hat, Inc * New York



From rcritten at redhat.com  Wed Oct 12 13:32:00 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 12 Oct 2011 09:32:00 -0400
Subject: [Freeipa-devel] [PATCH] 0025/0026 ipa-client-install --hostname
 not setting HOSTNAME if it is missing from the configuration file
In-Reply-To: <20111012113332.GA15646@redhat.com>
References: <20111012113332.GA15646@redhat.com>
Message-ID: <4E9596D0.6050402@redhat.com>

Alexander Bokovoy wrote:
> Hi,
>
> attached is a small refactoring that is pursuing two goals:
>   - fix https://fedorahosted.org/freeipa/ticket/1871
>    and
>   - prepare grounds for systemd integration
>
> As ticket 1871 is about cases when HOSTNAME is missing from
> /etc/sysconfig/network, this patch adds support to append
> HOSTNAME=<hostname>  when it is missing. However, it does a bit more --
> it introduces generic replacement/appending tool for key=value style
> configuration files.
>
> For all key=value pairs in replacevars, existing value of key will get
> replaced by a new one.
>
> For all key=value pairs in appendvars, existing value of key will me
> amended to also include new value.
>
> The latter is the case of configuring krb5kdc.
>
> Also, all keys totally missing from the config will be added. Values
> from replacevars and appendvars are merged before doing it so there is
> only single key=value pair afterwards. Obviously, it is the caller
> responsibility to not allow replacevars/appendvars have conflicting
> values.
>
> Patch 0025 introduces the common code and transforms
> ipapython.services.backup_and_replace_hostname()
>
> Patch 0026 uses this new code to change
> ipaserver/install/krb5instance.py to use new code.

Why should the caller be responsible for calling restore_context()?

I think:

if old_values['HOSTNAME']: ...

should be

if 'HOSTNAME' in old_values: ...

rob



From abokovoy at redhat.com  Wed Oct 12 13:51:55 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 12 Oct 2011 16:51:55 +0300
Subject: [Freeipa-devel] [PATCH] 0025/0026 ipa-client-install --hostname
 not setting HOSTNAME if it is missing from the configuration file
In-Reply-To: <4E9596D0.6050402@redhat.com>
References: <20111012113332.GA15646@redhat.com> <4E9596D0.6050402@redhat.com>
Message-ID: <20111012135154.GB15646@redhat.com>

On Wed, 12 Oct 2011, Rob Crittenden wrote:
> >Also, all keys totally missing from the config will be added. Values
> >from replacevars and appendvars are merged before doing it so there is
> >only single key=value pair afterwards. Obviously, it is the caller
> >responsibility to not allow replacevars/appendvars have conflicting
> >values.
> >
> >Patch 0025 introduces the common code and transforms
> >ipapython.services.backup_and_replace_hostname()
> >
> >Patch 0026 uses this new code to change
> >ipaserver/install/krb5instance.py to use new code.
> 
> Why should the caller be responsible for calling restore_context()?
Because ipapython.ipautil cannot depend on ipapython.services as 
underlying platform-specific code uses ipapython.ipautil -- we 
discussed this with Simo few weeks ago when the first version of this 
patch was done for systemd support.

We have very few places where this is needed and wrapper functions 
(like hostname handler) should take care of the context restoration 
as they will also handle state store as well (in addition to file 
store).

> I think:
> 
> if old_values['HOSTNAME']: ...
> 
> should be
> 
> if 'HOSTNAME' in old_values: ...
Updated patch attached.

-- 
/ Alexander Bokovoy
-------------- next part --------------
>From 6c01a86f232d10176372a9fbf7c8a4d40f8e928a Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy at redhat.com>
Date: Wed, 12 Oct 2011 16:42:09 +0300
Subject: [PATCH] Refactor backup_and_replace_hostname() into a flexible
 config modification tool

backup_and_replace_hostname() was doing three things:
    1. Given config file in 'key=value' style, replace value for a specified key (HOSTNAME)
    2. Backup original file and install a replacement
    3. Restore original security context after editing

We have several more places where parts of the functionality are needed,
thus making two tools in ipapython.ipautil:

    1. config_replace_variables(filepath, replacevars=dict(), appendvars=dict())
       Replaces or appends values to specified keys, adding new key=value pairs if key was absent

    2. backup_config_and_replace_variables(fstore, filepath, replacevars=dict(), appendvars=dict())
       Backups config file and calls config_replace_variables()

A caller must handle security context after using these two tools.

In addition, as before, there is ipapython.services.backup_and_replace_hostname() that uses
these common tools and restores security context after editing.

The code will be used extensively for systemd integration for Fedora 16.

Fixes:
    https://fedorahosted.org/freeipa/ticket/1871
---
 ipapython/ipautil.py         |   90 ++++++++++++++++++++++++++++++++++++++++++
 ipapython/platform/redhat.py |   47 +++------------------
 2 files changed, 97 insertions(+), 40 deletions(-)

diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index 6e037926ce678557d9273be6ff1e9a6c65d0f80e..49fc64cea7c48d7aaf7e44de3c26d395fddbaa28 100644
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -1185,3 +1185,93 @@ def get_ipa_basedn(conn):
 
     return None
 
+def config_replace_variables(filepath, replacevars=dict(), appendvars=dict()):
+    """
+    Take a key=value based configuration file, and write new version 
+    with certain values replaced or appended 
+
+    All (key,value) pairs from replacevars and appendvars that were not found 
+    in the configuration file, will be added there.
+
+    It is responsibility of a caller to ensure that replacevars and
+    appendvars do not overlap.
+
+    It is responsibility of a caller to back up file.
+
+    returns dictionary of affected keys and their previous values
+
+    One have to run restore_context(filepath) afterwards or
+    security context of the file will not be correct after modification
+    """
+    pattern = re.compile('''
+(^
+                        \s*
+        (?P<option>     [^\#;]+?)
+                        (\s*=\s*)
+        (?P<value>      .+?)?
+                        (\s*((\#|;).*)?)?
+$)''', re.VERBOSE)
+    orig_stat = os.stat(filepath)
+    old_values = dict()
+    temp_filename = None
+    with tempfile.NamedTemporaryFile(delete=False) as new_config:
+        temp_filename = new_config.name
+        with open(filepath, 'r') as f:
+            for line in f:
+                new_line = line
+                m = pattern.match(line)
+                if m:
+                    option, value = m.group('option', 'value')
+                    if option is not None:
+                        if replacevars and option in replacevars:
+                            # replace value completely
+                            new_line = u"%s=%s\n" % (option, replacevars[option])
+                            old_values[option] = value
+                        if appendvars and option in appendvars:
+                            # append new value unless it is already existing in the original one
+                            if value.find(appendvars[option]) == -1:
+                                new_line = u"%s=%s %s\n" % (option, value, appendvars[option])
+                            old_values[option] = value
+                new_config.write(new_line)
+        # Now add all options from replacevars and appendvars that were not found in the file
+        new_vars = replacevars.copy()
+        new_vars.update(appendvars)
+        newvars_view = new_vars.viewkeys() - old_values.viewkeys()
+        append_view = (appendvars.viewkeys() - replacevars.viewkeys()) - old_values.viewkeys()
+        for item in newvars_view:
+            new_config.write("%s=%s\n" % (item,new_vars[item]))
+        for item in append_view:
+            new_config.write("%s=%s\n" % (item,appendvars[item]))
+        new_config.flush()
+        # Make sure the resulting file is readable by others before installing it
+        os.fchmod(new_config.fileno(), orig_stat.st_mode)
+        os.fchown(new_config.fileno(), orig_stat.st_uid, orig_stat.st_gid)
+
+    # At this point new_config is closed but not removed due to 'delete=False' above
+    # Now, install the temporary file as configuration and ensure old version is available as .orig
+    # While .orig file is not used during uninstall, it is left there for administrator.
+    install_file(temp_filename, filepath)
+
+    return old_values
+
+def backup_config_and_replace_variables(fstore, filepath, replacevars=dict(), appendvars=dict()):
+    """
+    Take a key=value based configuration file, back up it, and
+    write new version with certain values replaced or appended 
+
+    All (key,value) pairs from replacevars and appendvars that
+    were not found in the configuration file, will be added there.
+
+    It is responsibility of a caller to ensure that replacevars and
+    appendvars do not overlap.
+
+    returns dictionary of affected keys and their previous values
+
+    One have to run restore_context(filepath) afterwards or
+    security context of the file will not be correct after modification
+    """
+    # Backup original filepath
+    fstore.backup_file(filepath)
+    old_values = config_replace_variables(filepath, replacevars, appendvars)
+
+    return old_values
diff --git a/ipapython/platform/redhat.py b/ipapython/platform/redhat.py
index 6bf8bf348a4c30c79ad29d8b2b30a088bd28372d..0c2ba63628fc512b7e7d00326f7698d9d156bedb 100644
--- a/ipapython/platform/redhat.py
+++ b/ipapython/platform/redhat.py
@@ -133,48 +133,15 @@ def restore_context(filepath):
     ipautil.run(["/sbin/restorecon", filepath], raiseonerr=False)
 
 def backup_and_replace_hostname(fstore, statestore, hostname):
-    network_filename = "/etc/sysconfig/network"
-    # Backup original /etc/sysconfig/network
-    fstore.backup_file(network_filename)
-    hostname_pattern = re.compile('''
-(^
-                        \s*
-        (?P<option>     [^\#;]+?)
-                        (\s*=\s*)
-        (?P<value>      .+?)?
-                        (\s*((\#|;).*)?)?
-$)''', re.VERBOSE)
-    temp_filename = None
-    with tempfile.NamedTemporaryFile(delete=False) as new_config:
-        temp_filename = new_config.name
-        with open(network_filename, 'r') as f:
-            for line in f:
-                new_line = line
-                m = hostname_pattern.match(line)
-                if m:
-                    option, value = m.group('option', 'value')
-                    if option is not None and option == 'HOSTNAME':
-                        if value is not None and hostname != value:
-                            new_line = u"HOSTNAME=%s\n" % (hostname)
-                            statestore.backup_state('network', 'hostname', value)
-                new_config.write(new_line)
-        new_config.flush()
-        # Make sure the resulting file is readable by others before installing it
-        os.fchmod(new_config.fileno(), stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP | stat.S_IROTH)
-        os.fchown(new_config.fileno(), 0, 0)
-
-    # At this point new_config is closed but not removed due to 'delete=False' above
-    # Now, install the temporary file as configuration and ensure old version is available as .orig
-    # While .orig file is not used during uninstall, it is left there for administrator.
-    ipautil.install_file(temp_filename, network_filename)
     try:
         ipautil.run(['/bin/hostname', hostname])
     except ipautil.CalledProcessError, e:
         print >>sys.stderr, "Failed to set this machine hostname to %s (%s)." % (hostname, str(e))
-
-    # For SE Linux environments it is important to reset SE labels to the expected ones
-    try:
-        restore_context(network_filename)
-    except ipautil.CalledProcessError, e:
-        print >>sys.stderr, "Failed to set permissions for %s (%s)." % (network_filename, str(e))
+    replacevars = {'HOSTNAME':hostname}
+    old_values = ipautil.backup_config_and_replace_variables(fstore,
+                                                          "/etc/sysconfig/network", 
+                                                          replacevars=replacevars)
+    restore_context("/etc/sysconfig/network")
+    if 'HOSTNAME' in old_values:
+        statestore.backup_state('network', 'hostname', old_values['HOSTNAME'])
 
-- 
1.7.6.4


From a1176360 at adelaide.edu.au  Wed Oct 12 13:49:34 2011
From: a1176360 at adelaide.edu.au (William Brown)
Date: Thu, 13 Oct 2011 00:19:34 +1030
Subject: [Freeipa-devel] ipa-client-install sudoers + automount
Message-ID: <4E959AEE.2050701@adelaide.edu.au>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Is there a reason that ipa-client-install does not configure nsswitch
for ldap sudoers and automount by default? I would see such a
modification as a feature for this, rather than a negative.

Alternately, this could be added as a module to ipa command to
"autoconfigure" these for a joined host.

In order to implement this one would need write into ipa-client-install:

* Add ldap to sudoers and automount in nsswitch
* Generate configuration for Automount in a way similar to
https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/configuring-automount.html
** Automount could setup the location at this point.
* Generate configuration for nss_ldap.conf for sudoers according to
https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/example-configuring-sudo.html
** This could use the static sudo password method as listed, and would
involve adding these lines to the nss_ldap configuration in
ipa-client-install. Some kind of RPC call could be made to retrieve
the sudo password using the admin ticket.

ssl start_tls
tls_cacertfile /etc/ipa/ca.crt
tls_checkpeer yes

binddn uid=sudo,cn=sysaccounts,cn=etc,dc=x
bindpw testpassword

** Alternately, nss_ldap can use kerberos caches for SASL binds.

sudoers_base ou=SUDOers,dc=x
use_sasl on
krb5_ccname FILE:/etc/.ldapsearch

The later requires the kerberos cache to be primed and added to cron
with something like:

kinit -k host/client3.ipa.x -c /etc/.ldapsearch

* nss_ldap configuration would be part of the default install,
regardless of SSSD presence (ldap would not be listed in nsswitch for
users or groups however)

Nslcd does not support the sudoers option as far as my research tells
me. It would also mean that nss_ldap becomes a dependency, rather than
optional. Nslcd also supports sasl for ldap.

Of the sudo bindpw or krb5_cc method in nss_ldap which is preferred?

- -- 
Sincerely,

William Brown

Research and Teaching
Information and Technology Services
The University of Adelaide

CRICOS Provider Number 00123M
- -----------------------------------------------------------
IMPORTANT: This message may contain confidential or legally privileged
information. If you think it was sent to you by mistake, please delete
all copies and advise the sender. For the purposes of the SPAM Act
2003, this email is authorised by The University of Adelaide.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJOlZroAAoJEKcRRTun3Hg9GEQQAIpjeWpmR19G9MoikRZiTA+F
RTX7WVA4/AwO7OCQG/elQb8/2TnJb3r0UnuJfMJhgHX6Gac+4CMYdCSoRsbpK19I
VOZGqAuZMAAca+7Gc80CehxbcZ5dGQWtkfLDzWlRQDj8tRitGhSNUZfkwUZgvUFf
XtDEARrpYwNGixsF41zNr4sjR+L7T+ir0Ugm0B3cQS6zCgCpdbflPejEpvUTxPWq
T5vb3BeRVqgAmQ/fltoVIDmaZ+pORFlOTyEYU/kb2HybBpAwLvM/QPykCZpAOx7a
OeGko94lbm3J7FuajPvtWkC4/kNMx0lMrAKOgdoP/qOhjfc3kVD7TtNgsme7+7jU
oJaTkyQJe2qcFQYcvIXrVHw4fmeWRzmNnZ1JUoKMizditQzyCe7Qvi++FqFJsgSn
pa1z9TBaEum1B9CaVuXb7CQvj5jW3Xtr8Sc0sP/gsJDdgxS1D9jEZGvDRO8gEth2
pEMjb+rC1D36Q2gOnbtvMmPVJnQb9BXJLS7ZsYP7niIK0FEFOaxubQDesm3Edzmz
a8ng1mjHU5/a45F4OyjtTYCXaMT1sO0PafC34cypA/arAWlY1c0WXasonhifZznw
iZvtkAAQTo5tY+ce9hidnkxhMyCjXVvGXH5iPkrtqIxU1OMBqeyvMag+IMrMnmfm
qDjCNAIvdbP0lCLnnGpa
=vWZj
-----END PGP SIGNATURE-----



From mkosek at redhat.com  Wed Oct 12 14:03:41 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 12 Oct 2011 16:03:41 +0200
Subject: [Freeipa-devel] [PATCH] 146 ipa-client-install hangs if the
 discovered server is
In-Reply-To: <1318426294.31149.79.camel@willson.li.ssimo.org>
References: <1318410120.14093.17.camel@balmora.brq.redhat.com>
	<4E958D8D.2050206@redhat.com>
	<1318424626.14093.24.camel@balmora.brq.redhat.com>
	<1318426294.31149.79.camel@willson.li.ssimo.org>
Message-ID: <1318428224.14093.36.camel@balmora.brq.redhat.com>

On Wed, 2011-10-12 at 09:31 -0400, Simo Sorce wrote:
> On Wed, 2011-10-12 at 15:03 +0200, Martin Kosek wrote:
> > On Wed, 2011-10-12 at 08:52 -0400, Rob Crittenden wrote:
> > > Martin Kosek wrote:
> > > > For starters I added a 15 second timeout and 2 tries. These numbers are
> > > > arbitrary, I am open to suggestions.
> > > >
> > > > Martin
> > > >
> > > > ---
> > > > Add a timeout to the wget call to cover a case when autodiscovered
> > > > server does not response to our attempt to download ca.crt. Let
> > > > user specify a different IPA server in that case.
> > > >
> > > > https://fedorahosted.org/freeipa/ticket/1960
> > > 
> > > There is a wget call in ipa-client-install as well, should a timeout be 
> > > added there?
> > > 
> > > rob
> > > 
> > 
> > This wget is for the very same ca.crt that was already (successfully)
> > retrieved when the server was being checked by ipadiscovery. Thus I
> > don't think it is necessary.
> 
> Shouldn't it be eliminated then ?
> OR do we really need to dload the cert twice? Or did I misunderstand
> your reply ?
> 
> Simo.

You understood correctly. We always try to download ca.crt during
ipacheckldap() call. We clean up all temporary files downloaded during
server verification in the end.

When the user finally confirms and we start the actual client
installation, then we download ca.crt to /etc/ipa/. I think that the
current procedure is OK compared to additional code we would have to add
to pass the ca.crt from ipacheckldap() and cover all possible cases.
Please, open an enhancement ticket if you think otherwise.

Martin



From rcritten at redhat.com  Wed Oct 12 14:12:29 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 12 Oct 2011 10:12:29 -0400
Subject: [Freeipa-devel] ipa-client-install sudoers + automount
In-Reply-To: <4E959AEE.2050701@adelaide.edu.au>
References: <4E959AEE.2050701@adelaide.edu.au>
Message-ID: <4E95A04D.8090302@redhat.com>

William Brown wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Is there a reason that ipa-client-install does not configure nsswitch
> for ldap sudoers and automount by default? I would see such a
> modification as a feature for this, rather than a negative.
>
> Alternately, this could be added as a module to ipa command to
> "autoconfigure" these for a joined host.
>
> In order to implement this one would need write into ipa-client-install:
>
> * Add ldap to sudoers and automount in nsswitch
> * Generate configuration for Automount in a way similar to
> https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/configuring-automount.html
> ** Automount could setup the location at this point.
> * Generate configuration for nss_ldap.conf for sudoers according to
> https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/example-configuring-sudo.html
> ** This could use the static sudo password method as listed, and would
> involve adding these lines to the nss_ldap configuration in
> ipa-client-install. Some kind of RPC call could be made to retrieve
> the sudo password using the admin ticket.
>
> ssl start_tls
> tls_cacertfile /etc/ipa/ca.crt
> tls_checkpeer yes
>
> binddn uid=sudo,cn=sysaccounts,cn=etc,dc=x
> bindpw testpassword
>
> ** Alternately, nss_ldap can use kerberos caches for SASL binds.
>
> sudoers_base ou=SUDOers,dc=x
> use_sasl on
> krb5_ccname FILE:/etc/.ldapsearch
>
> The later requires the kerberos cache to be primed and added to cron
> with something like:
>
> kinit -k host/client3.ipa.x -c /etc/.ldapsearch
>
> * nss_ldap configuration would be part of the default install,
> regardless of SSSD presence (ldap would not be listed in nsswitch for
> users or groups however)
>
> Nslcd does not support the sudoers option as far as my research tells
> me. It would also mean that nss_ldap becomes a dependency, rather than
> optional. Nslcd also supports sasl for ldap.

These are both on our roadmap, we just haven't gotten to them yet:

https://fedorahosted.org/freeipa/ticket/1233
http://freeipa.org/page/SUDO_integration_plans

> Of the sudo bindpw or krb5_cc method in nss_ldap which is preferred?

We currently provide a shared account for use with sudo as a temporary 
measure. sssd support is our preferred solution.

rob



From rcritten at redhat.com  Wed Oct 12 14:17:02 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 12 Oct 2011 10:17:02 -0400
Subject: [Freeipa-devel] [PATCH] 889 fix selfsign upgrades
In-Reply-To: <4E958EB6.8060007@redhat.com>
References: <4E92FF61.4030704@redhat.com> <4E958EB6.8060007@redhat.com>
Message-ID: <4E95A15E.5080301@redhat.com>

Jan Cholasta wrote:
> Dne 10.10.2011 16:21, Rob Crittenden napsal(a):
>> Upgrading an installation that was installed with selfsign CA will fail
>> in ipa-upgradeconfig because it doesn't handle the case where dogtag
>> isn't installed.
>>
>> rob
>>
>
> ACK.
>
> Honza
>

pushed to master and ipa-2-1



From william.e.brown at adelaide.edu.au  Wed Oct 12 14:29:56 2011
From: william.e.brown at adelaide.edu.au (William Brown)
Date: Thu, 13 Oct 2011 00:59:56 +1030
Subject: [Freeipa-devel] ipa-client-install sudoers + automount
In-Reply-To: <4E95A04D.8090302@redhat.com>
References: <4E959AEE.2050701@adelaide.edu.au> <4E95A04D.8090302@redhat.com>
Message-ID: <4E95A464.2010309@adelaide.edu.au>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


> 
> These are both on our roadmap, we just haven't gotten to them yet:
> 
> https://fedorahosted.org/freeipa/ticket/1233 
> http://freeipa.org/page/SUDO_integration_plans

Okay, I did not find these two pages while searching. It appears to be
what I have just discussed however.

> 
>> Of the sudo bindpw or krb5_cc method in nss_ldap which is
>> preferred?
> 
> We currently provide a shared account for use with sudo as a
> temporary measure. sssd support is our preferred solution.

Okay. In terms of the SSSD sudo / automount provider, the biggest
issue I see is that to read the ou=SUDOers branch of the LDAP tree,
you must be bound (Or for automount if anon bind is disabled). For
that you need either

A) A shared account for sudo reading
B) A way to extract the systems host krb5 ticket inside of SSSD to
make that query

It would be reasonable for SSSD to be able to extract the keytab to a
localcache, and just to re-new / re-extract it if it expires when a
query is performed.

However, I see the benefit as being that you can cache those queries -
especially sudo's. Automount may not benefit from this however, since
in a situation where you are away from the IPA server, you are likely
away from NFS also.

An aside point - during the client auto-configuration, it would be
good to have automount "work out" the location of the client. This
could be used in
"SEARCH_BASE="cn=location,cn=automount,dc=example,dc=com"" for example.

Has any work started on the SSSD sudo provider?

- -- 
Sincerely,

William Brown

Research and Teaching
Information and Technology Services
The University of Adelaide

CRICOS Provider Number 00123M
- -----------------------------------------------------------
IMPORTANT: This message may contain confidential or legally privileged
information. If you think it was sent to you by mistake, please delete
all copies and advise the sender. For the purposes of the SPAM Act
2003, this email is authorised by The University of Adelaide.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJOlaRiAAoJEKcRRTun3Hg9PHYP/jqeOIpGRH0o/0QOie8yPz6C
EI3/acWgvu751KuEy0T1nNI6DuADUtrUFgFTZrHP0cOQX2/028sCc+gibOTcTvYg
8h4ARUhaNFcfTH0QdTuxMxSWpxuYSuR8hzx9/AAqTy5e6TDXE38mcLRWVxoRFiY3
c7PeQk9DfP45Gb2R9ymqB+YlFU4KE2DT5lrABtujg2h1he6XA/b+5btJLYVTRoRC
bE2nJZLbV7F2c9qq/5wi3xjXtRQiYSGtyRT1tjy+wGUCUznAh1eigDH+bu7N/5LZ
XsPJSmwVHAUgidZNNxHkl1bWqy6Ksvuk3++VJK2uE4LHMvwsUU70JxGY/j/tF7un
GN4Ntq7+mbpy0HmJp+tNNfNFonS7fpuF+lKk/9RwbTej9h9pCesIqnZrX5dZkre+
0NTkAzYjL+F3zYIsN8J8Ew8qIMn/VYBgS56CeFagrFDToENvRmbRnjUijGQRxQfr
112ZSjd2D99z+MuJuO4MTYtwQ2Kkl7a67Ngyo2CX4AnGdYNlThTfEX9afbep97yr
zJmVIGc3hbgEF/XbzyNelLeQJGi4CB9wnexnd0u5zYCpzmhMrJ0G8aJMaZ8Gjllk
17yxCehv0XTMK2aFiqfjdUqJTWngZl7MxusH1bVTcjry5HP0zPHI0HmBZV9Y7+uk
w94Bm8NfKlA7D5bKjShs
=RmkX
-----END PGP SIGNATURE-----



From mkosek at redhat.com  Wed Oct 12 15:09:42 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 12 Oct 2011 17:09:42 +0200
Subject: [Freeipa-devel] [PATCH] 890 OTP client enrollment with
 anonymous disabled
In-Reply-To: <4E94B7B3.7060507@redhat.com>
References: <4E94B7B3.7060507@redhat.com>
Message-ID: <1318432185.14093.41.camel@balmora.brq.redhat.com>

On Tue, 2011-10-11 at 17:40 -0400, Rob Crittenden wrote:
> Fix OTP client enrollment when anonymous searches are disabled in 389-ds.
> 
> This is fixed mostly by passing in the basedn to ipa-join so we don't 
> have to hunt for it. I did modify that routine so it will look through 
> all naming contexts to find the IPA one but this will fail if anonymous 
> searches are not allowed.
> 
> I fixed a couple of minor memory leaks too (valgrind still reports 
> several but they are out of our control).
> 
> This should be tested both with a OTP host and using an authorized user.
> 
> rob

Hmm, works fine. Good job there. I tested all four cases -
password/kerberos join on LDAP server with anonymous binds
allowed/disallowed. ipa-join was always successful.

ACK. Please, just fix one whitespace error before pushing:

$ git apply ~/freeipa-rcrit-890-client.patch
/home/mkosek/freeipa-rcrit-890-client.patch:87: trailing whitespace.
        
Martin



From rcritten at redhat.com  Wed Oct 12 15:35:30 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 12 Oct 2011 11:35:30 -0400
Subject: [Freeipa-devel] [PATCH] 890 OTP client enrollment with
 anonymous disabled
In-Reply-To: <1318432185.14093.41.camel@balmora.brq.redhat.com>
References: <4E94B7B3.7060507@redhat.com>
	<1318432185.14093.41.camel@balmora.brq.redhat.com>
Message-ID: <4E95B3C2.1040106@redhat.com>

Martin Kosek wrote:
> On Tue, 2011-10-11 at 17:40 -0400, Rob Crittenden wrote:
>> Fix OTP client enrollment when anonymous searches are disabled in 389-ds.
>>
>> This is fixed mostly by passing in the basedn to ipa-join so we don't
>> have to hunt for it. I did modify that routine so it will look through
>> all naming contexts to find the IPA one but this will fail if anonymous
>> searches are not allowed.
>>
>> I fixed a couple of minor memory leaks too (valgrind still reports
>> several but they are out of our control).
>>
>> This should be tested both with a OTP host and using an authorized user.
>>
>> rob
>
> Hmm, works fine. Good job there. I tested all four cases -
> password/kerberos join on LDAP server with anonymous binds
> allowed/disallowed. ipa-join was always successful.
>
> ACK. Please, just fix one whitespace error before pushing:
>
> $ git apply ~/freeipa-rcrit-890-client.patch
> /home/mkosek/freeipa-rcrit-890-client.patch:87: trailing whitespace.
>
> Martin
>

Fixed and pushed to master and ipa-2-1

rob



From rcritten at redhat.com  Wed Oct 12 15:36:35 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 12 Oct 2011 11:36:35 -0400
Subject: [Freeipa-devel] [PATCH] 0025/0026 ipa-client-install --hostname
 not setting HOSTNAME if it is missing from the configuration file
In-Reply-To: <20111012135154.GB15646@redhat.com>
References: <20111012113332.GA15646@redhat.com> <4E9596D0.6050402@redhat.com>
	<20111012135154.GB15646@redhat.com>
Message-ID: <4E95B403.4050107@redhat.com>

Alexander Bokovoy wrote:
> On Wed, 12 Oct 2011, Rob Crittenden wrote:
>>> Also, all keys totally missing from the config will be added. Values
>> >from replacevars and appendvars are merged before doing it so there is
>>> only single key=value pair afterwards. Obviously, it is the caller
>>> responsibility to not allow replacevars/appendvars have conflicting
>>> values.
>>>
>>> Patch 0025 introduces the common code and transforms
>>> ipapython.services.backup_and_replace_hostname()
>>>
>>> Patch 0026 uses this new code to change
>>> ipaserver/install/krb5instance.py to use new code.
>>
>> Why should the caller be responsible for calling restore_context()?
> Because ipapython.ipautil cannot depend on ipapython.services as
> underlying platform-specific code uses ipapython.ipautil -- we
> discussed this with Simo few weeks ago when the first version of this
> patch was done for systemd support.
>
> We have very few places where this is needed and wrapper functions
> (like hostname handler) should take care of the context restoration
> as they will also handle state store as well (in addition to file
> store).
>
>> I think:
>>
>> if old_values['HOSTNAME']: ...
>>
>> should be
>>
>> if 'HOSTNAME' in old_values: ...
> Updated patch attached.
>

Tests out ok for me, ACK.

Pushed to master and ipa-2-1



From rcritten at redhat.com  Wed Oct 12 15:42:47 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 12 Oct 2011 11:42:47 -0400
Subject: [Freeipa-devel] ipa-client-install sudoers + automount
In-Reply-To: <4E95A464.2010309@adelaide.edu.au>
References: <4E959AEE.2050701@adelaide.edu.au> <4E95A04D.8090302@redhat.com>
	<4E95A464.2010309@adelaide.edu.au>
Message-ID: <4E95B577.9000201@redhat.com>

William Brown wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
>>
>> These are both on our roadmap, we just haven't gotten to them yet:
>>
>> https://fedorahosted.org/freeipa/ticket/1233
>> http://freeipa.org/page/SUDO_integration_plans
>
> Okay, I did not find these two pages while searching. It appears to be
> what I have just discussed however.
>
>>
>>> Of the sudo bindpw or krb5_cc method in nss_ldap which is
>>> preferred?
>>
>> We currently provide a shared account for use with sudo as a
>> temporary measure. sssd support is our preferred solution.
>
> Okay. In terms of the SSSD sudo / automount provider, the biggest
> issue I see is that to read the ou=SUDOers branch of the LDAP tree,
> you must be bound (Or for automount if anon bind is disabled). For
> that you need either
>
> A) A shared account for sudo reading
> B) A way to extract the systems host krb5 ticket inside of SSSD to
> make that query
>
> It would be reasonable for SSSD to be able to extract the keytab to a
> localcache, and just to re-new / re-extract it if it expires when a
> query is performed.

This is how SSSD works now. It uses the host keytab to authenticate to 
the IPA LDAP server.

> However, I see the benefit as being that you can cache those queries -
> especially sudo's. Automount may not benefit from this however, since
> in a situation where you are away from the IPA server, you are likely
> away from NFS also.
>
> An aside point - during the client auto-configuration, it would be
> good to have automount "work out" the location of the client. This
> could be used in
> "SEARCH_BASE="cn=location,cn=automount,dc=example,dc=com"" for example.

Yeah, working this out is non-trivial though. I think the initial cut of 
automount support is going to be optional and the location will be 
prompted for. location is just a string so can be used for all sorts of 
purposes other than regional support (e.g. a developers automount, tech 
support automount, helpdesk automount, etc).

> Has any work started on the SSSD sudo provider?

Yes, I believe it has. I don't know the full state of it, maybe one of 
the sssd dev lurkers will chime in :-)

regards

rob



From jdennis at redhat.com  Wed Oct 12 15:49:38 2011
From: jdennis at redhat.com (John Dennis)
Date: Wed, 12 Oct 2011 11:49:38 -0400
Subject: [Freeipa-devel] [PATCH 50/50] Ticket 1718 - Fix Spanish po
 translation file
In-Reply-To: <4E94BDDE.60005@redhat.com>
References: <201110112105.p9BL519M026264@int-mx02.intmail.prod.int.phx2.redhat.com>
	<4E94BDDE.60005@redhat.com>
Message-ID: <4E95B712.40201@redhat.com>

On 10/11/2011 06:06 PM, Rob Crittenden wrote:
> John Dennis wrote:
>> There were quite errors in es.po, it was difficult or impossible to
>> track down where they came from, Transifex does not have good revision
>> history.
>>
>> I fixed about 20% of the msgstr's in the file that had obvious
>> problems which could be spotted by a non-Spanish speaking person.
>>
>
> I think this should be left as it was:
>
>    #: ipalib/plugins/config.py:76
>    msgid "searchtimelimit must be -1 or>  1."
> -msgstr "searchtimelimit debe ser -1 o&gt; 1."
> +msgstr ""

Why? This isn't where things are formatted for HTML. This string might 
be output on the command line. None of the other translations (nor the 
default English) does HTML escapes in the translation. The HTML escaping 
should occur after fetching the translation if and only if it's being 
inserted into HTML.

>
> There are some cases where leading white space is remove and a bunch
> where it is added. Are these ok?
>
> @@ -3184,7 +3117,7 @@ msgid ""
>    "    "
>    msgstr ""
>    "\n"
> -"B?squeda de cuentas de derechod."
> +"    B?squeda de cuentas de derechod."

The translator modified the leading whitespace. I ran a script which 
forced the leading whitespace in the original string (msgid) to be the 
same in the translation (msgstr). Thus it set the leading whitespace 
back to what it should have been. In many instances it's a non-issue 
because we strip leading and trailing whitespace prior to display.
>
> Otherwise looks lots better
>
> rob


-- 
John Dennis <jdennis at redhat.com>

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



From rcritten at redhat.com  Wed Oct 12 15:57:31 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 12 Oct 2011 11:57:31 -0400
Subject: [Freeipa-devel] [PATCH 50/50] Ticket 1718 - Fix Spanish po
 translation file
In-Reply-To: <4E95B712.40201@redhat.com>
References: <201110112105.p9BL519M026264@int-mx02.intmail.prod.int.phx2.redhat.com>
	<4E94BDDE.60005@redhat.com> <4E95B712.40201@redhat.com>
Message-ID: <4E95B8EB.9050008@redhat.com>

John Dennis wrote:
> On 10/11/2011 06:06 PM, Rob Crittenden wrote:
>> John Dennis wrote:
>>> There were quite errors in es.po, it was difficult or impossible to
>>> track down where they came from, Transifex does not have good revision
>>> history.
>>>
>>> I fixed about 20% of the msgstr's in the file that had obvious
>>> problems which could be spotted by a non-Spanish speaking person.
>>>
>>
>> I think this should be left as it was:
>>
>> #: ipalib/plugins/config.py:76
>> msgid "searchtimelimit must be -1 or> 1."
>> -msgstr "searchtimelimit debe ser -1 o&gt; 1."
>> +msgstr ""
>
> Why? This isn't where things are formatted for HTML. This string might
> be output on the command line. None of the other translations (nor the
> default English) does HTML escapes in the translation. The HTML escaping
> should occur after fetching the translation if and only if it's being
> inserted into HTML.

Ok, but we don't have to drop the whole thing, just replace &gt; with >?

>>
>> There are some cases where leading white space is remove and a bunch
>> where it is added. Are these ok?
>>
>> @@ -3184,7 +3117,7 @@ msgid ""
>> " "
>> msgstr ""
>> "\n"
>> -"B?squeda de cuentas de derechod."
>> +" B?squeda de cuentas de derechod."
>
> The translator modified the leading whitespace. I ran a script which
> forced the leading whitespace in the original string (msgid) to be the
> same in the translation (msgstr). Thus it set the leading whitespace
> back to what it should have been. In many instances it's a non-issue
> because we strip leading and trailing whitespace prior to display.
>

Ok.

rob



From jdennis at redhat.com  Wed Oct 12 16:11:35 2011
From: jdennis at redhat.com (John Dennis)
Date: Wed, 12 Oct 2011 12:11:35 -0400
Subject: [Freeipa-devel] [PATCH 50/50] Ticket 1718 - Fix Spanish po
 translation file
In-Reply-To: <4E95B8EB.9050008@redhat.com>
References: <201110112105.p9BL519M026264@int-mx02.intmail.prod.int.phx2.redhat.com>
	<4E94BDDE.60005@redhat.com> <4E95B712.40201@redhat.com>
	<4E95B8EB.9050008@redhat.com>
Message-ID: <4E95BC37.9020802@redhat.com>

On 10/12/2011 11:57 AM, Rob Crittenden wrote:
>>> #: ipalib/plugins/config.py:76
>>> msgid "searchtimelimit must be -1 or>  1."
>>> -msgstr "searchtimelimit debe ser -1 o&gt; 1."
>>> +msgstr ""
>>
>> Why? This isn't where things are formatted for HTML. This string might
>> be output on the command line. None of the other translations (nor the
>> default English) does HTML escapes in the translation. The HTML escaping
>> should occur after fetching the translation if and only if it's being
>> inserted into HTML.
>
> Ok, but we don't have to drop the whole thing, just replace&gt; with>?

I thought what I had done was replace the &gt; with > but I obviously 
didn't read the diff as closely as you did, good catch Rob , let me go 
back and check to make sure I didn't another similar mistake. Also I 
forgot to update the metadata in the header of the po.

-- 
John Dennis <jdennis at redhat.com>

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



From abokovoy at redhat.com  Wed Oct 12 16:24:08 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 12 Oct 2011 19:24:08 +0300
Subject: [Freeipa-devel] [PATCH] 0012 Modify existing SSSD configuration
 instead of dropping it
In-Reply-To: <1315921891.2367.54.camel@sgallagh520.bos.redhat.com>
References: <20110907131514.GA5491@redhat.com>
	<1315405169.15945.3.camel@sgallagh520.bos.redhat.com>
	<20110908112649.GA17001@redhat.com>
	<20110913121143.GA27633@redhat.com>
	<1315919309.15570.24.camel@dhcp-25-52.brq.redhat.com>
	<20110913132241.GB27633@redhat.com>
	<1315920400.2367.43.camel@sgallagh520.bos.redhat.com>
	<20110913133352.GC27633@redhat.com>
	<1315921891.2367.54.camel@sgallagh520.bos.redhat.com>
Message-ID: <20111012162407.GC15646@redhat.com>

On Tue, 13 Sep 2011, Stephen Gallagher wrote:

> On Tue, 2011-09-13 at 16:33 +0300, Alexander Bokovoy wrote:
> > On Tue, 13 Sep 2011, Stephen Gallagher wrote:
> > > > >   File "/usr/lib/python2.7/site-packages/SSSDConfig.py", line 1207, in import_config
> > > > >     fd = open(configfile, 'r')
> > > > > IOError: [Errno 2] No such file or directory: '/etc/sssd/sssd.conf'
> > > > Right, we need to fallback to new sssd.conf in case of any exception, 
> > > > not only for ParsingError.
> > > Actually, that's not necessarily true. Do we want to fall back on
> > > permission error, for instance? This could result in clobbering an
> > > existing file (if for example the existing sssd.conf's SELinux context
> > > is wrong, preventing reading, but when we create a new one and save it
> > > in place later we have the right context and it replaces the old one).
> > Let's define what we want to see here.
> > 
> > 1. There is no sssd.conf -> create new one (unlikely for existing SSSD 
> > installation -- if we went to this path, we already found SSSD 
> > installed)
> 
> Actually, this is fairly likely in future releases. There's so much
> noise in the example configuration that I've decided that we're going to
> install it as %doc instead of %config. So a raw installation of the SSSD
> package will have no sssd.conf in place. We obviously need to consider
> this.
> 
> > 2. There is sssd.conf -> modify existing one
> >    2.1. Can't open for write -> report error
> 
> Agreed.
> 
> >    2.2. Can't open and read due to parsing error -> create new one
> > ...
> 
> There are two issues here. Failure to open for reading and ParseError on
> read. That said, I think they should be handled the same way (see
> below).
> 
> 
> Unfortunately, we have additional issues here... The SSSDConfig API is
> more strict with options than the SSSD itself is. Specifically, the SSSD
> will ignore unknown options entirely, but the SSSDConfig will through a
> ParseError on unknown options.
> 
> The long-term goal is for SSSD to be more strict about this, but we
> don't currently have a way to do this.
> 
> So as I see it, we have three choices for dealing with ParseError:
> 
> 1) Back up the existing sssd.conf and replace it with a completely new
> one for FreeIPA. Pros: sssd.conf is guaranteed to parse cleanly. FreeIPA
> client install completes successfully. Cons: existing configuration
> (which may have worked) is not preserved.
> 
> 2) Be restrictive on ParseError and throw an error telling them to fix
> their config file. Pros: we don't break an existing setup. Cons: FreeIPA
> installation has been broken.
> 
> 3) Default to one of the above but provide a command-line flag to behave
> the other way. This is probably our best bet. I'd suggest defaulting to
> replacing the config file on ParseError (with a loud message at the END
> of ipa-client-install pointing to the backed-up file).
Attached patch tries to implement these ideas. It is untested as I 
wanted to get feedback on the approach first.


-- 
/ Alexander Bokovoy
-------------- next part --------------
>From 459e77ebd6a6e0d6f1371d93fb1a16dad84ff1bf Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy at redhat.com>
Date: Wed, 12 Oct 2011 19:14:55 +0300
Subject: [PATCH] Refactor authconfig use in ipa-client-install

When certain features are being configured via authconfig, we need to remember
what was configured and what was the state before it so that during uninstall
we restore proper state of the services.

Mostly it affects sssd configuration with multiple domains but also pre-existing
LDAP and krb5 configurations.

This should fix following tickets:
https://fedorahosted.org/freeipa/ticket/1750
https://fedorahosted.org/freeipa/ticket/1769
---
 ipa-client/ipa-install/ipa-client-install |  104 +++++++++++++++++++++++------
 ipapython/sysrestore.py                   |   13 ++++
 2 files changed, 97 insertions(+), 20 deletions(-)

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 969dc9b0faa5e131f1e9199325bdf2350157ab8a..1bc2d719c84c44a629041d0ec9609ab8c13b9cdd 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -108,6 +108,9 @@ def parse_options():
     sssd_group.add_option("-S", "--no-sssd", dest="sssd",
                       action="store_false", default=True,
                       help="Do not configure the client to use SSSD for authentication")
+    sssd_group.add_option("--preserve-sssd", dest="preserve_sssd",
+                      action="store_true", default=False,
+                      help="Preserve old SSSD configuration if possible")
     parser.add_option_group(sssd_group)
 
     uninstall_group = OptionGroup(parser, "uninstall options")
@@ -177,22 +180,33 @@ def uninstall(options, env, quiet=False):
         print "Refer to ipa-server-install for uninstallation."
         return CLIENT_NOT_CONFIGURED
 
-    sssdconfig = SSSDConfig.SSSDConfig()
-    sssdconfig.import_config()
-    domains = sssdconfig.list_active_domains()
-
     hostname = None
-    for name in domains:
-        domain = sssdconfig.get_domain(name)
-        try:
-            provider = domain.get_option('id_provider')
-        except SSSDConfig.NoOptionError:
-            continue
-        if provider == "ipa":
+    was_sssd_configured = False
+    try:
+        sssdconfig = SSSDConfig.SSSDConfig()
+        sssdconfig.import_config()
+        domains = sssdconfig.list_active_domains()
+        if len(domains) > 1:
+            # There was more than IPA domain configured
+            was_sssd_configured = True
+        for name in domains:
+            domain = sssdconfig.get_domain(name)
             try:
-                hostname = domain.get_option('ipa_hostname')
+                provider = domain.get_option('id_provider')
             except SSSDConfig.NoOptionError:
                 continue
+            if provider == "ipa":
+                try:
+                    hostname = domain.get_option('ipa_hostname')
+                except SSSDConfig.NoOptionError:
+                    continue
+    except Exception, e:
+        # We were unable to read existing SSSD config. This might mean few things:
+        # - sssd wasn't installed
+        # - sssd was removed after install and before uninstall
+        # - there are no active domains
+        # in both cases we cannot continue with SSSD
+        pass
 
     if hostname is None:
         hostname = socket.getfqdn()
@@ -266,14 +280,31 @@ def uninstall(options, env, quiet=False):
             logging.debug("Failed to remove Kerberos service principals: %s" % str(e))
 
     emit_quiet(quiet, "Disabling client Kerberos and LDAP configurations")
+    was_sssd_installed = False
+    if fstore.has_files():
+        was_sssd_installed = fstore.has_file("/etc/sssd/sssd.conf")
     try:
         auth_config = ipaservices.authconfig()
-        auth_config.disable("ldap").\
-                    disable("krb5").\
-                    disable("sssd").\
-                    disable("sssdauth").\
-                    disable("mkhomedir").\
-                    add_option("update")
+        if statestore.has_state('authconfig'):
+            # disable only those configurations that we enabled during install
+            for conf in ('ldap', 'krb5', 'sssd', 'sssdauth', 'mkhomedir'):
+                cnf = statestore.restore_state('authconfig', conf)
+                if cnf:
+                    auth_config.disable(conf)
+        else:
+            # There was no authconfig status store
+            # It means the code was upgraded after original install
+            # Fall back to old logic
+            auth_config.disable("ldap").\
+                        disable("krb5")
+            if not(was_sssd_installed and was_sssd_configured):
+                # assume there was sssd.conf before install and there were more than one domain in it
+                # In such case restoring sssd.conf will require us to keep SSSD running
+                auth_config.disable("sssd").\
+                            disable("sssdauth")
+            auth_config.disable("mkhomedir")
+
+        auth_config.add_option("update")
         auth_config.execute()
     except Exception, e:
         emit_quiet(quiet, "Failed to remove krb5/LDAP configuration. " +str(e))
@@ -345,6 +376,13 @@ def uninstall(options, env, quiet=False):
            if restored:
                ipaservices.knownservices.ntpd.restart()
 
+    if was_sssd_installed and was_sssd_configured:
+        # SSSD was installed before our installation, config now is restored, restart it
+        emit_quiet(quiet, "The original configuration of SSSD included other domains than IPA-based one.")
+        emit_quiet(quiet, "Original configuration file is restored, restarting SSSD service.")
+        sssd = ipaservices.service('sssd')
+        sssd.restart()
+
     if not options.unattended:
         emit_quiet(quiet, "The original nsswitch.conf configuration has been restored.")
         emit_quiet(quiet, "You may need to restart services or reboot the machine.")
@@ -618,8 +656,29 @@ def configure_certmonger(fstore, subject_base, cli_realm, hostname, options):
             print "%s request for host certificate failed" % (cmonger.service_name)
 
 def configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server, options):
-    sssdconfig = SSSDConfig.SSSDConfig()
-    sssdconfig.new_config()
+    try:
+        sssdconfig = SSSDConfig.SSSDConfig()
+        sssdconfig.import_config()
+    except Exception, e:
+        if os.path.exists("/etc/sssd/sssd.conf") and options.preserve_sssd:
+            # SSSD config is in place but we are unable to read it
+            # In addition, we are instructed to preserve it
+            # This all means we can't use it and have to bail out
+            print "SSSD config exists but cannot be parsed: %s" % (str(e))
+            print "Correct errors in /etc/sssd/sssd.conf and re-run installation"
+            logging.error("Failed to parse SSSD configuration and was instructed to preserve existing SSSD config: %s" % (str(e)))
+            return 1
+
+        # SSSD configuration does not exist or we are not asked to preserve it, create new one
+        # We do make new SSSDConfig instance because IPAChangeConf-derived classes have no
+        # means to reset their state and ParseError exception could come due to parsing
+        # error from older version which cannot be upgraded anymore, leaving sssdconfig
+        # instance practically unusable
+        # Note that we already backed up sssd.conf before going into this routine
+        print "New SSSD config will be generated. The old one is backed up and can be restored during uninstall"
+        logging.error("Failed to parse SSSD configuration and will generate new one")
+        sssdconfig = SSSDConfig.SSSDConfig()
+        sssdconfig.new_config()
 
     domain = sssdconfig.new_domain(cli_domain)
     domain.add_provider('ipa', 'id')
@@ -1085,16 +1144,20 @@ def install(options, env, fstore, statestore):
     # Modify nsswitch/pam stack
     auth_config = ipaservices.authconfig()
     if options.sssd:
+        statestore.backup_state('authconfig', 'sssd', True)
+        statestore.backup_state('authconfig', 'sssdauth', True)
         auth_config.enable("sssd").\
                     enable("sssdauth")
         message = "SSSD enabled"
         conf = 'SSSD'
     else:
+        statestore.backup_state('authconfig', 'ldap', True)
         auth_config.enable("ldap").\
                     enable("forcelegacy")
         message = "LDAP enabled"
 
     if options.mkhomedir:
+        statestore.backup_state('authconfig', 'mkhomedir', True)
         auth_config.enable("mkhomedir")
 
     auth_config.add_option("update")
@@ -1104,6 +1167,7 @@ def install(options, env, fstore, statestore):
     if not options.sssd:
         #Modify pam to add pam_krb5 only when sssd is not in use
         auth_config.reset()
+        statestore.backup_state('authconfig', 'krb5', True)
         auth_config.enable("krb5").\
                     add_option("update").\
                     add_option("nostart")
diff --git a/ipapython/sysrestore.py b/ipapython/sysrestore.py
index 9b0e39fcb6b2b5035f1bd5012ac598309c83e9ae..e22b4d4fa617141c3546290d7f049f5037651ce1 100644
--- a/ipapython/sysrestore.py
+++ b/ipapython/sysrestore.py
@@ -130,6 +130,19 @@ class FileStore:
         self.files[filename] = string.join([str(stat.st_mode),str(stat.st_uid),str(stat.st_gid),path], ',')
         self.save()
 
+    def has_file(self, path):
+        """Checks whether file at @path was added to the file store
+
+        Returns #True if the file exists in the file store, #False otherwise
+        """
+        result = False
+        for (key, value) in self.files.items():
+            (mode,uid,gid,filepath) = string.split(value, ',', 3)
+            if (filepath == path):
+                result = True
+                break
+        return result
+
     def restore_file(self, path):
         """Restore the copy of a file at @path to its original
         location and delete the copy.
-- 
1.7.6.4


From simo at redhat.com  Wed Oct 12 16:25:58 2011
From: simo at redhat.com (Simo Sorce)
Date: Wed, 12 Oct 2011 12:25:58 -0400
Subject: [Freeipa-devel] ipa-client-install sudoers + automount
In-Reply-To: <4E95B577.9000201@redhat.com>
References: <4E959AEE.2050701@adelaide.edu.au> <4E95A04D.8090302@redhat.com>
	<4E95A464.2010309@adelaide.edu.au>  <4E95B577.9000201@redhat.com>
Message-ID: <1318436758.31149.82.camel@willson.li.ssimo.org>

On Wed, 2011-10-12 at 11:42 -0400, Rob Crittenden wrote:
> > Has any work started on the SSSD sudo provider?
> 
> Yes, I believe it has. I don't know the full state of it, maybe one
> of 
> the sssd dev lurkers will chime in :-)

In progress,
see sssd-devel@ or join #sssd on Freenode and ask there :)

Simo.
> 
-- 
Simo Sorce * Red Hat, Inc * New York



From jhrozek at redhat.com  Wed Oct 12 16:31:44 2011
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Wed, 12 Oct 2011 18:31:44 +0200
Subject: [Freeipa-devel] ipa-client-install sudoers + automount
In-Reply-To: <1318436758.31149.82.camel@willson.li.ssimo.org>
References: <4E959AEE.2050701@adelaide.edu.au> <4E95A04D.8090302@redhat.com>
	<4E95A464.2010309@adelaide.edu.au> <4E95B577.9000201@redhat.com>
	<1318436758.31149.82.camel@willson.li.ssimo.org>
Message-ID: <20111012163144.GD27083@zeppelin.brq.redhat.com>

On Wed, Oct 12, 2011 at 12:25:58PM -0400, Simo Sorce wrote:
> On Wed, 2011-10-12 at 11:42 -0400, Rob Crittenden wrote:
> > > Has any work started on the SSSD sudo provider?
> > 
> > Yes, I believe it has. I don't know the full state of it, maybe one
> > of 
> > the sssd dev lurkers will chime in :-)

The work is in progress and some preliminary patches have landed on
sssd-devel list earlier this week.

We would like to include this feature in 1.7.0 upstream release.

CC yourself to https://fedorahosted.org/sssd/ticket/623 to be notified
of updates.

HTH,
    Jakub



From rcritten at redhat.com  Wed Oct 12 18:08:51 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 12 Oct 2011 14:08:51 -0400
Subject: [Freeipa-devel] [PATCH] bind-dyndb-ldap: Add new ldap_hostname
 option (ticket #1931)
In-Reply-To: <4E940BEC.9030909@redhat.com>
References: <4E940BEC.9030909@redhat.com>
Message-ID: <4E95D7B3.7000208@redhat.com>

Adam Tkac wrote:
> Hello all,
>
> please see attached patch for bind-dyndb-ldap, it should solve (at least
> from bind-dyndb-ldap side) ticket #1931. It adds new "ldap_hostname"
> option and ipa-server-install utility should set this option when
> /bin/hostname is different from --hostname parameter.
>
> Comments are welcomed.
>
> Regards, Adam

ACK, this looks fine to me.

rob



From rcritten at redhat.com  Wed Oct 12 18:36:42 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 12 Oct 2011 14:36:42 -0400
Subject: [Freeipa-devel] [PATCH] 53 Don't leak passwords through
 kdb5_ldap_util command line arguments
In-Reply-To: <4E94740C.7060104@redhat.com>
References: <4E94740C.7060104@redhat.com>
Message-ID: <4E95DE3A.9050703@redhat.com>

Jan Cholasta wrote:
> https://fedorahosted.org/freeipa/ticket/1948
>
> Honza
>

Very nice, ACK,

Rebased patch pushed to master, pushed to ipa-2-1

rob



From rcritten at redhat.com  Wed Oct 12 19:17:43 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 12 Oct 2011 15:17:43 -0400
Subject: [Freeipa-devel] [PATCH] 26 Remove redundant configuration
 values from krb5.conf
In-Reply-To: <4E954BA7.1090205@redhat.com>
References: <4E09CFC0.4040804@redhat.com> <4E0A375E.4020906@redhat.com>
	<4E954BA7.1090205@redhat.com>
Message-ID: <4E95E7D7.9030104@redhat.com>

Jan Cholasta wrote:
> Dne 28.6.2011 22:19, Rob Crittenden napsal(a):
>> Jan Cholasta wrote:
>>> https://fedorahosted.org/freeipa/ticket/1358
>>>
>>> Honza
>>
>> ack, pushed to master and ipa-2-0
>
> Don't configure [appdefaults], as per Nalin's suggestion
> (https://fedorahosted.org/freeipa/ticket/1358#comment:5)
>
> Honza
>

ack, pushed to master and ipa-2-1



From rcritten at redhat.com  Wed Oct 12 19:33:30 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 12 Oct 2011 15:33:30 -0400
Subject: [Freeipa-devel] [PATCH] 0012 Modify existing SSSD configuration
 instead of dropping it
In-Reply-To: <20111012162407.GC15646@redhat.com>
References: <20110907131514.GA5491@redhat.com>
	<1315405169.15945.3.camel@sgallagh520.bos.redhat.com>
	<20110908112649.GA17001@redhat.com>
	<20110913121143.GA27633@redhat.com>
	<1315919309.15570.24.camel@dhcp-25-52.brq.redhat.com>
	<20110913132241.GB27633@redhat.com>
	<1315920400.2367.43.camel@sgallagh520.bos.redhat.com>
	<20110913133352.GC27633@redhat.com>
	<1315921891.2367.54.camel@sgallagh520.bos.redhat.com>
	<20111012162407.GC15646@redhat.com>
Message-ID: <4E95EB8A.9060901@redhat.com>

Alexander Bokovoy wrote:
> On Tue, 13 Sep 2011, Stephen Gallagher wrote:
>
>> On Tue, 2011-09-13 at 16:33 +0300, Alexander Bokovoy wrote:
>>> On Tue, 13 Sep 2011, Stephen Gallagher wrote:
>>>>>>    File "/usr/lib/python2.7/site-packages/SSSDConfig.py", line 1207, in import_config
>>>>>>      fd = open(configfile, 'r')
>>>>>> IOError: [Errno 2] No such file or directory: '/etc/sssd/sssd.conf'
>>>>> Right, we need to fallback to new sssd.conf in case of any exception,
>>>>> not only for ParsingError.
>>>> Actually, that's not necessarily true. Do we want to fall back on
>>>> permission error, for instance? This could result in clobbering an
>>>> existing file (if for example the existing sssd.conf's SELinux context
>>>> is wrong, preventing reading, but when we create a new one and save it
>>>> in place later we have the right context and it replaces the old one).
>>> Let's define what we want to see here.
>>>
>>> 1. There is no sssd.conf ->  create new one (unlikely for existing SSSD
>>> installation -- if we went to this path, we already found SSSD
>>> installed)
>>
>> Actually, this is fairly likely in future releases. There's so much
>> noise in the example configuration that I've decided that we're going to
>> install it as %doc instead of %config. So a raw installation of the SSSD
>> package will have no sssd.conf in place. We obviously need to consider
>> this.
>>
>>> 2. There is sssd.conf ->  modify existing one
>>>     2.1. Can't open for write ->  report error
>>
>> Agreed.
>>
>>>     2.2. Can't open and read due to parsing error ->  create new one
>>> ...
>>
>> There are two issues here. Failure to open for reading and ParseError on
>> read. That said, I think they should be handled the same way (see
>> below).
>>
>>
>> Unfortunately, we have additional issues here... The SSSDConfig API is
>> more strict with options than the SSSD itself is. Specifically, the SSSD
>> will ignore unknown options entirely, but the SSSDConfig will through a
>> ParseError on unknown options.
>>
>> The long-term goal is for SSSD to be more strict about this, but we
>> don't currently have a way to do this.
>>
>> So as I see it, we have three choices for dealing with ParseError:
>>
>> 1) Back up the existing sssd.conf and replace it with a completely new
>> one for FreeIPA. Pros: sssd.conf is guaranteed to parse cleanly. FreeIPA
>> client install completes successfully. Cons: existing configuration
>> (which may have worked) is not preserved.
>>
>> 2) Be restrictive on ParseError and throw an error telling them to fix
>> their config file. Pros: we don't break an existing setup. Cons: FreeIPA
>> installation has been broken.
>>
>> 3) Default to one of the above but provide a command-line flag to behave
>> the other way. This is probably our best bet. I'd suggest defaulting to
>> replacing the config file on ParseError (with a loud message at the END
>> of ipa-client-install pointing to the backed-up file).
> Attached patch tries to implement these ideas. It is untested as I
> wanted to get feedback on the approach first.
>

Well, in the "generate new file" option I think the output is a bit 
misleading.

+        print "New SSSD config will be generated. The old one is backed 
up and can be restored during uninstall"

There could have been no existing sssd.conf, right?

+        logging.error("Failed to parse SSSD configuration and will 
generate new one")

This could imply that an error occurred when in fact there just was no 
sssd.conf to import.

Otherwise the approach looks good.

rob



From jdennis at redhat.com  Wed Oct 12 19:44:22 2011
From: jdennis at redhat.com (John Dennis)
Date: Wed, 12 Oct 2011 15:44:22 -0400
Subject: [Freeipa-devel] [PATCH 50/50] Ticket 1718 - Fix Spanish po
 translation file
In-Reply-To: <4E95BC37.9020802@redhat.com>
References: <201110112105.p9BL519M026264@int-mx02.intmail.prod.int.phx2.redhat.com>
	<4E94BDDE.60005@redhat.com> <4E95B712.40201@redhat.com>
	<4E95B8EB.9050008@redhat.com> <4E95BC37.9020802@redhat.com>
Message-ID: <4E95EE16.4030303@redhat.com>

On 10/12/2011 12:11 PM, John Dennis wrote:
> I thought what I had done was replace the&gt; with>  but I obviously
> didn't read the diff as closely as you did, good catch Rob , let me go
> back and check to make sure I didn't another similar mistake. Also I
> forgot to update the metadata in the header of the po.

Attached is a revised patch with the mistake you found fixed. While 
reviewing the patch I discovered one of my tools had truncated long 
messages while it was fixing whitespace, I fixed that too. I also 
updated the metadata to show the po file had been edited by me. There 
are a few other minor formatting fixes thrown in for good measure :-)

Use this patch instead.

John


-- 
John Dennis <jdennis at redhat.com>

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0050-Ticket-1718-Fix-Spanish-po-translation-file.patch
Type: text/x-patch
Size: 74191 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111012/353632da/attachment.bin>

From abokovoy at redhat.com  Wed Oct 12 19:47:25 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 12 Oct 2011 22:47:25 +0300
Subject: [Freeipa-devel] [PATCH] 0012 Modify existing SSSD configuration
 instead of dropping it
In-Reply-To: <4E95EB8A.9060901@redhat.com>
References: <1315405169.15945.3.camel@sgallagh520.bos.redhat.com>
	<20110908112649.GA17001@redhat.com>
	<20110913121143.GA27633@redhat.com>
	<1315919309.15570.24.camel@dhcp-25-52.brq.redhat.com>
	<20110913132241.GB27633@redhat.com>
	<1315920400.2367.43.camel@sgallagh520.bos.redhat.com>
	<20110913133352.GC27633@redhat.com>
	<1315921891.2367.54.camel@sgallagh520.bos.redhat.com>
	<20111012162407.GC15646@redhat.com> <4E95EB8A.9060901@redhat.com>
Message-ID: <20111012194724.GD15646@redhat.com>

On Wed, 12 Oct 2011, Rob Crittenden wrote:
> >>2) Be restrictive on ParseError and throw an error telling them to fix
> >>their config file. Pros: we don't break an existing setup. Cons: FreeIPA
> >>installation has been broken.
> >>
> >>3) Default to one of the above but provide a command-line flag to behave
> >>the other way. This is probably our best bet. I'd suggest defaulting to
> >>replacing the config file on ParseError (with a loud message at the END
> >>of ipa-client-install pointing to the backed-up file).
> >Attached patch tries to implement these ideas. It is untested as I
> >wanted to get feedback on the approach first.
> >
> 
> Well, in the "generate new file" option I think the output is a bit
> misleading.
> 
> +        print "New SSSD config will be generated. The old one is
> backed up and can be restored during uninstall"
> 
> There could have been no existing sssd.conf, right?
> 
> +        logging.error("Failed to parse SSSD configuration and will
> generate new one")
> 
> This could imply that an error occurred when in fact there just was
> no sssd.conf to import.
> 
> Otherwise the approach looks good.
Thanks, will do more testing tomorrow and make better phrases as well. 
I can differentiate "file does not exist" and error parsing.
-- 
/ Alexander Bokovoy



From rcritten at redhat.com  Wed Oct 12 19:57:11 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 12 Oct 2011 15:57:11 -0400
Subject: [Freeipa-devel] [PATCH 50/50] Ticket 1718 - Fix Spanish po
 translation file
In-Reply-To: <4E95EE16.4030303@redhat.com>
References: <201110112105.p9BL519M026264@int-mx02.intmail.prod.int.phx2.redhat.com>
	<4E94BDDE.60005@redhat.com> <4E95B712.40201@redhat.com>
	<4E95B8EB.9050008@redhat.com> <4E95BC37.9020802@redhat.com>
	<4E95EE16.4030303@redhat.com>
Message-ID: <4E95F117.70702@redhat.com>

John Dennis wrote:
> On 10/12/2011 12:11 PM, John Dennis wrote:
>> I thought what I had done was replace the&gt; with> but I obviously
>> didn't read the diff as closely as you did, good catch Rob , let me go
>> back and check to make sure I didn't another similar mistake. Also I
>> forgot to update the metadata in the header of the po.
>
> Attached is a revised patch with the mistake you found fixed. While
> reviewing the patch I discovered one of my tools had truncated long
> messages while it was fixing whitespace, I fixed that too. I also
> updated the metadata to show the po file had been edited by me. There
> are a few other minor formatting fixes thrown in for good measure :-)
>
> Use this patch instead.
>
> John
>
>

ACK, pushed to master and ipa-2-1

Very strangely I had to drop the first changeset in the patch. It was a 
change that apparently wasn't actually changing anything and making git 
very unhappy.

Anyway, nice work. I'm sure it wasn't a lot of fun.

rob



From rcritten at redhat.com  Wed Oct 12 20:33:11 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 12 Oct 2011 16:33:11 -0400
Subject: [Freeipa-devel] [PATCH] 134 Improve handling of GIDs when
 migrating groups
In-Reply-To: <1317969555.8399.2.camel@dhcp-25-52.brq.redhat.com>
References: <1317650658.5905.45.camel@dhcp-25-52.brq.redhat.com>
	<4E8C9792.9090100@redhat.com>
	<1317888916.16404.16.camel@dhcp-25-52.brq.redhat.com>
	<4E8E568F.9070603@redhat.com>
	<1317969555.8399.2.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4E95F987.8090602@redhat.com>

Martin Kosek wrote:
> On Thu, 2011-10-06 at 21:31 -0400, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> On Wed, 2011-10-05 at 13:44 -0400, Rob Crittenden wrote:
>>>> Martin Kosek wrote:
>>>>> Since IPA v2 server already contain predefined groups that may collide
>>>>> with groups in migrated (IPA v1) server (for example admins, ipausers),
>>>>> users having colliding group as their primary group may happen to belong
>>>>> to an unknown group on new IPA v2 server.
>>>>>
>>>>> Implement --group-overwrite-gid option to overwrite GID of already
>>>>> existing groups to prevent this issue.
>>>>>
>>>>> https://fedorahosted.org/freeipa/ticket/1866
>>>>
>>>> For argument's sake, what is the user going to see the first time they
>>>> run this? I assume they won't think about these duplicate groups and
>>>> just do the migration. This means that the result may be some users
>>>> pointing to non-existent GIDs.
>>>
>>> At first I was thinking about making the GID the default behavior and
>>> just add flag "--dont-overwrite-gid. But I was afraid this could do some
>>> damage and change GIDs where it is not required. However, I made some
>>> improvements in this area, please see below.
>>>
>>>>
>>>> If they re-run the migration with this option will it then fix
>>>> everything up?
>>>
>>> Yep.
>>>
>>>>
>>>> I'm wondering if we need a --test argument so people can run the
>>>> migration w/o writing entries to look for problems like this.
>>>>
>>>> rob
>>>
>>> If we want to do this, we would have to add a lot of LDAP query checks
>>> since mostly try doing the LDAP write and write failures in case of an
>>> exception.
>>>
>>> However, I updated the patch so that user is notified about existence of
>>> --group-overwrite-gid option better. If a migration of a group with a
>>> GID number fails because of DuplicateError, a notice about GID is
>>> displayed. This should make him check this situation and either use
>>> group-mod --gidnumber=... or re-run the migration with
>>> --group-overwrite-gid.
>>>
>>> I also updated the Password option not to ask user for LDAP password
>>> twice, because it makes me really mad :-)
>>>
>>> Martin
>>
>> # ipa migrate-ds ldap://panther.greyoak.com
>> --user-container=cn=users,cn=accounts
>> --group-container=cn=groups,cn=accounts
>> --user-ignore-objectclass=radiusprofile
>> Password:
>> ipa: ERROR: an internal error has occurred
>>
>> [Thu Oct 06 21:28:49 2011] [error] ipa: ERROR: non-public: TypeError:
>> _post_migrate_user() got an unexpected keyword argument 'options'
>> [Thu Oct 06 21:28:49 2011] [error] Traceback (most recent call last):
>> [Thu Oct 06 21:28:49 2011] [error]   File
>> "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 223, in
>> wsgi_execute
>> [Thu Oct 06 21:28:49 2011] [error]     result =
>> self.Command[name](*args, **options)
>> [Thu Oct 06 21:28:49 2011] [error]   File
>> "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 432, in __call__
>> [Thu Oct 06 21:28:49 2011] [error]     ret = self.run(*args, **options)
>> [Thu Oct 06 21:28:49 2011] [error]   File
>> "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 738, in run
>> [Thu Oct 06 21:28:49 2011] [error]     return self.execute(*args, **options)
>> [Thu Oct 06 21:28:49 2011] [error]   File
>> "/usr/lib/python2.7/site-packages/ipalib/plugins/migration.py", line
>> 633, in execute
>> [Thu Oct 06 21:28:49 2011] [error]     ldap, config, ds_ldap,
>> ds_base_dn, options
>> [Thu Oct 06 21:28:49 2011] [error]   File
>> "/usr/lib/python2.7/site-packages/ipalib/plugins/migration.py", line
>> 602, in migrate
>> [Thu Oct 06 21:28:49 2011] [error]     options = options,
>> [Thu Oct 06 21:28:49 2011] [error] TypeError: _post_migrate_user() got
>> an unexpected keyword argument 'options'
>>
>> rob
>
> Ouch. This one must have come from some previous tries. And since the
> users were already migrated in my testing, it was left undiscovered. I
> wonder why pylint was quiet.
>
> Sending a fixed version, it should work fine now.
>
> Martin

ack, pushed to master and ipa-2-1



From rcritten at redhat.com  Wed Oct 12 21:59:24 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 12 Oct 2011 17:59:24 -0400
Subject: [Freeipa-devel] [PATCH] 146 ipa-client-install hangs if the
 discovered server is
In-Reply-To: <1318428224.14093.36.camel@balmora.brq.redhat.com>
References: <1318410120.14093.17.camel@balmora.brq.redhat.com>
	<4E958D8D.2050206@redhat.com>
	<1318424626.14093.24.camel@balmora.brq.redhat.com>
	<1318426294.31149.79.camel@willson.li.ssimo.org>
	<1318428224.14093.36.camel@balmora.brq.redhat.com>
Message-ID: <4E960DBC.5080208@redhat.com>

Martin Kosek wrote:
> On Wed, 2011-10-12 at 09:31 -0400, Simo Sorce wrote:
>> On Wed, 2011-10-12 at 15:03 +0200, Martin Kosek wrote:
>>> On Wed, 2011-10-12 at 08:52 -0400, Rob Crittenden wrote:
>>>> Martin Kosek wrote:
>>>>> For starters I added a 15 second timeout and 2 tries. These numbers are
>>>>> arbitrary, I am open to suggestions.
>>>>>
>>>>> Martin
>>>>>
>>>>> ---
>>>>> Add a timeout to the wget call to cover a case when autodiscovered
>>>>> server does not response to our attempt to download ca.crt. Let
>>>>> user specify a different IPA server in that case.
>>>>>
>>>>> https://fedorahosted.org/freeipa/ticket/1960
>>>>
>>>> There is a wget call in ipa-client-install as well, should a timeout be
>>>> added there?
>>>>
>>>> rob
>>>>
>>>
>>> This wget is for the very same ca.crt that was already (successfully)
>>> retrieved when the server was being checked by ipadiscovery. Thus I
>>> don't think it is necessary.
>>
>> Shouldn't it be eliminated then ?
>> OR do we really need to dload the cert twice? Or did I misunderstand
>> your reply ?
>>
>> Simo.
>
> You understood correctly. We always try to download ca.crt during
> ipacheckldap() call. We clean up all temporary files downloaded during
> server verification in the end.
>
> When the user finally confirms and we start the actual client
> installation, then we download ca.crt to /etc/ipa/. I think that the
> current procedure is OK compared to additional code we would have to add
> to pass the ca.crt from ipacheckldap() and cover all possible cases.
> Please, open an enhancement ticket if you think otherwise.
>
> Martin
>

ACK, works fine.

pushed to master and ipa-2-1



From rcritten at redhat.com  Thu Oct 13 03:38:43 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 12 Oct 2011 23:38:43 -0400
Subject: [Freeipa-devel] [PATCH] 147 Hostname used by IPA must be a
 system hostname
In-Reply-To: <1318424919.14093.27.camel@balmora.brq.redhat.com>
References: <1318424919.14093.27.camel@balmora.brq.redhat.com>
Message-ID: <4E965D43.1000407@redhat.com>

Martin Kosek wrote:
> This patch depends on my patch 140 (attached just to be sure).
>
> Do I understand it correctly that new proposed bind-dyndb-ldap option
> ldap_hostname won't be needed?
>
> Martin

I think it would be a good idea to add it when it becomes available in 
bind-dyndb-ldap.

NACK on the patch though.

Two problems so far:

1. If an installation error occurs after the hostname has been changed 
it isn't reverted and the uninstaller needs to be run. This should 
rollback like the client.

2. It isn't actually working:

# ipa-server-install -a password -p password --setup-dns --hostname 
foo.testrelm

[ snip ]

Server host name [foo.testrelm]:

Warning: skipping DNS resolution of host foo.testrelm

Warning: hostname foo.testrelm does not match system hostname 
doberman.greyoak.com.
System hostname will be updated during the installation process
to prevent service failures.

The domain name has been calculated based on the host name.

Please confirm the domain name [testrelm]:

Unable to resolve IP address for host name
Please provide the IP address to be used for this host name: 192.168.186.9
Adding [192.168.186.9 foo.testrelm] to your /etc/hosts file
The host name foo.testrelm does not match the reverse lookup 
doberman.greyoak.com for 192.168.186.9
Please check your DNS or /etc/hosts file and restart the installation.

[root at doberman freeipa]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 
localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 
localhost6.localdomain6
192.168.186.9   doberman.greyoak.com doberman
192.168.186.9   foo.testrelm foo

/etc/hosts contained the doberman entry previously.

rob



From rcritten at redhat.com  Thu Oct 13 03:48:28 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 12 Oct 2011 23:48:28 -0400
Subject: [Freeipa-devel] [PATCH] 145 Optimize member/memberof searches
 in LDAP
In-Reply-To: <1318406366.14093.13.camel@balmora.brq.redhat.com>
References: <1318406366.14093.13.camel@balmora.brq.redhat.com>
Message-ID: <4E965F8C.7020004@redhat.com>

Martin Kosek wrote:
> How to test:
>
> 1) Add some nested membership relationships:
> $ ipa group-add --desc=foo group1
> $ ipa group-add --desc=foo group2
> $ ipa user-add --first=Foo --last=Bar foobar
>
> $ ipa role-add-member helpdesk --groups=group2
> $ ipa group-add-member group2 --groups=group1
> $ ipa group-add-member group1 --users=foobar
>
> 2) Start receiving all SCOPE_SUBTREE (scope=2) searches in LDAP:
> # tail -f /var/log/dirsrv/slapd-IDM-LAB-BOS-REDHAT-COM/access | grep SRCH | grep "scope=2" | grep -v krbprincipalaux
>
> 3) Do some -show commands to see the unnecessary SCOPE_SUBTREE (scope=2)
> searches we do to get memberships:
>
> $ ipa role-show helpdesk --all --raw
> $ ipa user-show foobar --all --raw
> etc.
>
> Martin

ACK, pushed to master and ipa-2-1

rob



From rcritten at redhat.com  Thu Oct 13 03:54:23 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 12 Oct 2011 23:54:23 -0400
Subject: [Freeipa-devel] [PATCH] 891 drop has_upg() check
Message-ID: <4E9660EF.6070205@redhat.com>

The has_upg() check was created during a transition period for 389-ds. 
It is no longer needed and is actually breaking things. The location of 
UPG template moved so it thinks the feature is not available. This is 
making the primary user's group ipausers instead of the UPG.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-891-upg.patch
Type: text/x-patch
Size: 2327 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111012/b5747476/attachment.bin>

From jcholast at redhat.com  Thu Oct 13 07:32:14 2011
From: jcholast at redhat.com (Jan Cholasta)
Date: Thu, 13 Oct 2011 09:32:14 +0200
Subject: [Freeipa-devel] [PATCH] 891 drop has_upg() check
In-Reply-To: <4E9660EF.6070205@redhat.com>
References: <4E9660EF.6070205@redhat.com>
Message-ID: <4E9693FE.50804@redhat.com>

Dne 13.10.2011 05:54, Rob Crittenden napsal(a):
> The has_upg() check was created during a transition period for 389-ds.
> It is no longer needed and is actually breaking things. The location of
> UPG template moved so it thinks the feature is not available. This is
> making the primary user's group ipausers instead of the UPG.
>
> rob
>

ACK.

Honza

-- 
Jan Cholasta



From mkosek at redhat.com  Thu Oct 13 08:16:22 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 13 Oct 2011 10:16:22 +0200
Subject: [Freeipa-devel] [PATCH] 891 drop has_upg() check
In-Reply-To: <4E9660EF.6070205@redhat.com>
References: <4E9660EF.6070205@redhat.com>
Message-ID: <1318493784.1246.19.camel@balmora.brq.redhat.com>

On Wed, 2011-10-12 at 23:54 -0400, Rob Crittenden wrote:
> The has_upg() check was created during a transition period for 389-ds. 
> It is no longer needed and is actually breaking things. The location of 
> UPG template moved so it thinks the feature is not available. This is 
> making the primary user's group ipausers instead of the UPG.
> 
> rob

Shouldn't we remove has_managed_entries() and its use too? After all, we
claim that this patch fixes #1242 which asks for has_managed_entries()
removal.

Martin



From jcholast at redhat.com  Thu Oct 13 09:55:55 2011
From: jcholast at redhat.com (Jan Cholasta)
Date: Thu, 13 Oct 2011 11:55:55 +0200
Subject: [Freeipa-devel] [PATCH] 54 Fix attempted write to attribute of
	read-only object
Message-ID: <4E96B5AB.4030800@redhat.com>

Also fixes a few issues in the unit tests. All of them now run successfully.

https://fedorahosted.org/freeipa/ticket/1959

Honza

-- 
Jan Cholasta
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-54-fix-read-only-write.patch
Type: text/x-patch
Size: 4336 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111013/c6f19afe/attachment.bin>

From mkosek at redhat.com  Thu Oct 13 10:56:09 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 13 Oct 2011 12:56:09 +0200
Subject: [Freeipa-devel] [PATCH] 140 + 148 + 147 Hostname fixes
In-Reply-To: <4E965D43.1000407@redhat.com>
References: <1318424919.14093.27.camel@balmora.brq.redhat.com>
	<4E965D43.1000407@redhat.com>
Message-ID: <1318503372.1246.34.camel@balmora.brq.redhat.com>

On Wed, 2011-10-12 at 23:38 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > This patch depends on my patch 140 (attached just to be sure).
> >
> > Do I understand it correctly that new proposed bind-dyndb-ldap option
> > ldap_hostname won't be needed?
> >
> > Martin
> 
> I think it would be a good idea to add it when it becomes available in 
> bind-dyndb-ldap.

I will create a tracking ticket if the current 2.1.3 ticket gets closed.

> 
> NACK on the patch though.
> 
> Two problems so far:
> 
> 1. If an installation error occurs after the hostname has been changed 
> it isn't reverted and the uninstaller needs to be run. This should 
> rollback like the client.

I think this is quite different. Client runs a whole uninstall()
procedure when the installation crashes. I see we have following options
here:
1) Run uninstall() when server installation crashes (not my favorite,
this would make the investigation of what went difficult)
2) Restore just hostname and /etc/sysconfig/network file when
installation crashes and leave other for --uninstall (thus create a bit
inconsistent state)
3) Leave it as is

> 
> 2. It isn't actually working:
> 
> # ipa-server-install -a password -p password --setup-dns --hostname 
> foo.testrelm
> 
> [ snip ]
> 
> Server host name [foo.testrelm]:
> 
> Warning: skipping DNS resolution of host foo.testrelm
> 
> Warning: hostname foo.testrelm does not match system hostname 
> doberman.greyoak.com.
> System hostname will be updated during the installation process
> to prevent service failures.
> 
> The domain name has been calculated based on the host name.
> 
> Please confirm the domain name [testrelm]:
> 
> Unable to resolve IP address for host name
> Please provide the IP address to be used for this host name: 192.168.186.9
> Adding [192.168.186.9 foo.testrelm] to your /etc/hosts file
> The host name foo.testrelm does not match the reverse lookup 
> doberman.greyoak.com for 192.168.186.9
> Please check your DNS or /etc/hosts file and restart the installation.
> 
> [root at doberman freeipa]# cat /etc/hosts
> 127.0.0.1   localhost localhost.localdomain localhost4 
> localhost4.localdomain4
> ::1         localhost localhost.localdomain localhost6 
> localhost6.localdomain6
> 192.168.186.9   doberman.greyoak.com doberman
> 192.168.186.9   foo.testrelm foo
> 
> /etc/hosts contained the doberman entry previously.
> 
> rob

I think you did not have my patch 140 applied, otherwise the
installation should crash. This bug was there all the time I think.

To fix that, I created a patch
freeipa-mkosek-148-check-etc-hosts-file-in-ipa-server-install.patch
improving /etc/hosts.

Please, check all three attached rebased patches. They should fix both
tickets 1923 and 1931.

Martin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-140-2-check-hostname-resolution-sanity.patch
Type: text/x-patch
Size: 3390 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111013/9a1efa76/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-148-check-etc-hosts-file-in-ipa-server-install.patch
Type: text/x-patch
Size: 4960 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111013/9a1efa76/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-147-2-hostname-used-by-ipa-must-be-a-system-hostname.patch
Type: text/x-patch
Size: 5649 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111013/9a1efa76/attachment-0002.bin>

From abokovoy at redhat.com  Thu Oct 13 11:09:45 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Thu, 13 Oct 2011 14:09:45 +0300
Subject: [Freeipa-devel] [PATCH] 140 + 148 + 147 Hostname fixes
In-Reply-To: <1318503372.1246.34.camel@balmora.brq.redhat.com>
References: <1318424919.14093.27.camel@balmora.brq.redhat.com>
	<4E965D43.1000407@redhat.com>
	<1318503372.1246.34.camel@balmora.brq.redhat.com>
Message-ID: <20111013110944.GA2840@redhat.com>

On Thu, 13 Oct 2011, Martin Kosek wrote:
> > 1. If an installation error occurs after the hostname has been changed 
> > it isn't reverted and the uninstaller needs to be run. This should 
> > rollback like the client.
> 
> I think this is quite different. Client runs a whole uninstall()
> procedure when the installation crashes. I see we have following options
> here:
> 1) Run uninstall() when server installation crashes (not my favorite,
> this would make the investigation of what went difficult)
Agree.

> 2) Restore just hostname and /etc/sysconfig/network file when
> installation crashes and leave other for --uninstall (thus create a bit
> inconsistent state)
For this one, there is now FileStore.has_file(path) method that allows 
to check whether file store has back up for a file pointed by an 
absolute path. This will allow you to proper detect that we actually 
changed hostname/archived /etc/sysconfig/network already -- either in 
server or client installation context.

Unlike all other methods, this one gives you nondestructive peeking of 
the file store state.
-- 
/ Alexander Bokovoy



From william.e.brown at adelaide.edu.au  Thu Oct 13 11:52:27 2011
From: william.e.brown at adelaide.edu.au (William Brown)
Date: Thu, 13 Oct 2011 22:22:27 +1030
Subject: [Freeipa-devel] XML-RPC
Message-ID: <4E96D0FB.8010209@adelaide.edu.au>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

I'm having some difficulty initiating an XML-RPC from an external
python client with freeipa.

What is the correct way to interact with the XML-RPC from python,
especially in an application that is outside of the freeipa codebase?
Should I be including ipalib/rpc.py and calling it somehow?

- -- 
Sincerely,

William Brown

Research and Teaching
Information and Technology Services
The University of Adelaide

CRICOS Provider Number 00123M
- -----------------------------------------------------------
IMPORTANT: This message may contain confidential or legally privileged
information. If you think it was sent to you by mistake, please delete
all copies and advise the sender. For the purposes of the SPAM Act
2003, this email is authorised by The University of Adelaide.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJOltD6AAoJEKcRRTun3Hg9flcQAJGiNzybcF99kpEmp9n8Jdkv
W0xqeuHq5f+x9vPz8r/pa0nbu0m/Dj41X8O/uinfh9JcFSsk1gjXXJ0KcjseKPu6
dShnCHc/TEqJwvGUkfOPFqQ6sMBfKp6AfkgSh9h7gZyL9NbEYzsBVr6k9T46Crxm
iCVnBNjRkNf/Vjk+jTJ6tmvg5ZNOeesyjpf2D5HJvk7J4EaaoL66mh6BmRCzZZYm
h8bMl4kRdTjnewuEcqEOHX1MLJOep4Wqq6bfREsrB0e3FzH1moxb9cM1gfhT7cSb
9quzGzi18htcQbjvuPrLS4euW7+Y5kmkHrpeeakTPSC2GWy66jkgQUTcQzpHIpI7
rruGKymcvhcppgUB/TTQUqGQg/TYygm/uP5VLAaDeiEFmM4RBxC8xftwhOfNkisA
3/h/1nziNK31Av3bgIGrBCq9f+mE/o79WIrEdYAUNo28wJFRfCbbcU68FR44ld5G
tvrt4w6GiK+rNM2KnIlI98SQ1U4TL+vyXuHn3M1tuFtjtn+mfxWBnHC+hp58LwwO
iuEJc/3hap8L/b+8F2szXmVzRBpJ/OlMkJeioxinYqDMaRAv3A1y0755zbEq6gz+
Qs9gx00uAr66vvZM+Jh0TLMMC+jpKoVMXfcn4lKx67HHlNNFRZ+CI7w8pf33dFl8
xtRNyWnTCqiXxBgPKAMz
=fvva
-----END PGP SIGNATURE-----



From abokovoy at redhat.com  Thu Oct 13 12:38:12 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Thu, 13 Oct 2011 15:38:12 +0300
Subject: [Freeipa-devel] [PATCH] 0012 Modify existing SSSD configuration
 instead of dropping it
In-Reply-To: <4E95EB8A.9060901@redhat.com>
References: <1315405169.15945.3.camel@sgallagh520.bos.redhat.com>
	<20110908112649.GA17001@redhat.com>
	<20110913121143.GA27633@redhat.com>
	<1315919309.15570.24.camel@dhcp-25-52.brq.redhat.com>
	<20110913132241.GB27633@redhat.com>
	<1315920400.2367.43.camel@sgallagh520.bos.redhat.com>
	<20110913133352.GC27633@redhat.com>
	<1315921891.2367.54.camel@sgallagh520.bos.redhat.com>
	<20111012162407.GC15646@redhat.com> <4E95EB8A.9060901@redhat.com>
Message-ID: <20111013123808.GB2840@redhat.com>

On Wed, 12 Oct 2011, Rob Crittenden wrote:
> Well, in the "generate new file" option I think the output is a bit
> misleading.
> 
> +        print "New SSSD config will be generated. The old one is
> backed up and can be restored during uninstall"
> 
> There could have been no existing sssd.conf, right?
> 
> +        logging.error("Failed to parse SSSD configuration and will
> generate new one")
> 
> This could imply that an error occurred when in fact there just was
> no sssd.conf to import.
> 
> Otherwise the approach looks good.
New version is attached. Works fine for me -- both in case 
uninstall-after-upgrade (means no installation code was run and 
nothing in state/file store) and normal install/uninstall. I also 
tried installing/uninstalling with missing sssd.conf and all went 
well:

1. Missing sssd.conf
---------------------
Enrolled in IPA realm IPA.LOCAL
Created /etc/ipa/default.conf
New SSSD config will be created.
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm IPA.LOCAL
SSSD enabled
NTP enabled
Client configuration complete.
---------------------

2. Invalid sssd.conf
---------------------
Enrolled in IPA realm IPA.LOCAL
Created /etc/ipa/default.conf
Unable to parse existing SSSD config. As option --preserve-sssd was not specified, new config will override the old one.
The old /etc/sssd/sssd.conf is backed up and will be restored during uninstall.
root        : ERROR    Unable to parse existing SSSD config and --preserve-sssd was not specified: 
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm IPA.LOCAL
SSSD enabled
NTP enabled
Client configuration complete.
---------------------

3. Existing proper sssd.conf
---------------------
Enrolled in IPA realm IPA.LOCAL
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm IPA.LOCAL
SSSD enabled
NTP enabled
Client configuration complete.
---------------------

The only visible difference is change of comment symbol from ';' to 
'#' for the existing correct sssd.conf, but that's how SSSDConfig 
works.
-- 
/ Alexander Bokovoy
-------------- next part --------------
>From 51b6ac3c8f65f5686b87243dbeb9c33e3ac6ee58 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy at redhat.com>
Date: Wed, 12 Oct 2011 19:14:55 +0300
Subject: [PATCH] Refactor authconfig use in ipa-client-install

When certain features are being configured via authconfig, we need to remember
what was configured and what was the state before it so that during uninstall
we restore proper state of the services.

Mostly it affects sssd configuration with multiple domains but also pre-existing
LDAP and krb5 configurations.

This should fix following tickets:
https://fedorahosted.org/freeipa/ticket/1750
https://fedorahosted.org/freeipa/ticket/1769
---
 ipa-client/ipa-install/ipa-client-install |  110 +++++++++++++++++++++++-----
 ipapython/sysrestore.py                   |   13 ++++
 2 files changed, 103 insertions(+), 20 deletions(-)

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index e1487fae05097af7f62a38f8fa635d863dc8b008..2080e78587468a04ff7da0345b7c5e441f154713 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -108,6 +108,9 @@ def parse_options():
     sssd_group.add_option("-S", "--no-sssd", dest="sssd",
                       action="store_false", default=True,
                       help="Do not configure the client to use SSSD for authentication")
+    sssd_group.add_option("--preserve-sssd", dest="preserve_sssd",
+                      action="store_true", default=False,
+                      help="Preserve old SSSD configuration if possible")
     parser.add_option_group(sssd_group)
 
     uninstall_group = OptionGroup(parser, "uninstall options")
@@ -177,22 +180,33 @@ def uninstall(options, env, quiet=False):
         print "Refer to ipa-server-install for uninstallation."
         return CLIENT_NOT_CONFIGURED
 
-    sssdconfig = SSSDConfig.SSSDConfig()
-    sssdconfig.import_config()
-    domains = sssdconfig.list_active_domains()
-
     hostname = None
-    for name in domains:
-        domain = sssdconfig.get_domain(name)
-        try:
-            provider = domain.get_option('id_provider')
-        except SSSDConfig.NoOptionError:
-            continue
-        if provider == "ipa":
+    was_sssd_configured = False
+    try:
+        sssdconfig = SSSDConfig.SSSDConfig()
+        sssdconfig.import_config()
+        domains = sssdconfig.list_active_domains()
+        if len(domains) > 1:
+            # There was more than IPA domain configured
+            was_sssd_configured = True
+        for name in domains:
+            domain = sssdconfig.get_domain(name)
             try:
-                hostname = domain.get_option('ipa_hostname')
+                provider = domain.get_option('id_provider')
             except SSSDConfig.NoOptionError:
                 continue
+            if provider == "ipa":
+                try:
+                    hostname = domain.get_option('ipa_hostname')
+                except SSSDConfig.NoOptionError:
+                    continue
+    except Exception, e:
+        # We were unable to read existing SSSD config. This might mean few things:
+        # - sssd wasn't installed
+        # - sssd was removed after install and before uninstall
+        # - there are no active domains
+        # in both cases we cannot continue with SSSD
+        pass
 
     if hostname is None:
         hostname = socket.getfqdn()
@@ -266,14 +280,31 @@ def uninstall(options, env, quiet=False):
             logging.debug("Failed to remove Kerberos service principals: %s" % str(e))
 
     emit_quiet(quiet, "Disabling client Kerberos and LDAP configurations")
+    was_sssd_installed = False
+    if fstore.has_files():
+        was_sssd_installed = fstore.has_file("/etc/sssd/sssd.conf")
     try:
         auth_config = ipaservices.authconfig()
-        auth_config.disable("ldap").\
-                    disable("krb5").\
-                    disable("sssd").\
-                    disable("sssdauth").\
-                    disable("mkhomedir").\
-                    add_option("update")
+        if statestore.has_state('authconfig'):
+            # disable only those configurations that we enabled during install
+            for conf in ('ldap', 'krb5', 'sssd', 'sssdauth', 'mkhomedir'):
+                cnf = statestore.restore_state('authconfig', conf)
+                if cnf:
+                    auth_config.disable(conf)
+        else:
+            # There was no authconfig status store
+            # It means the code was upgraded after original install
+            # Fall back to old logic
+            auth_config.disable("ldap").\
+                        disable("krb5")
+            if not(was_sssd_installed and was_sssd_configured):
+                # assume there was sssd.conf before install and there were more than one domain in it
+                # In such case restoring sssd.conf will require us to keep SSSD running
+                auth_config.disable("sssd").\
+                            disable("sssdauth")
+            auth_config.disable("mkhomedir")
+
+        auth_config.add_option("update")
         auth_config.execute()
     except Exception, e:
         emit_quiet(quiet, "Failed to remove krb5/LDAP configuration. " +str(e))
@@ -345,6 +376,13 @@ def uninstall(options, env, quiet=False):
            if restored:
                ipaservices.knownservices.ntpd.restart()
 
+    if was_sssd_installed and was_sssd_configured:
+        # SSSD was installed before our installation, config now is restored, restart it
+        emit_quiet(quiet, "The original configuration of SSSD included other domains than IPA-based one.")
+        emit_quiet(quiet, "Original configuration file is restored, restarting SSSD service.")
+        sssd = ipaservices.service('sssd')
+        sssd.restart()
+
     if not options.unattended:
         emit_quiet(quiet, "The original nsswitch.conf configuration has been restored.")
         emit_quiet(quiet, "You may need to restart services or reboot the machine.")
@@ -612,8 +650,35 @@ def configure_certmonger(fstore, subject_base, cli_realm, hostname, options):
             print "%s request for host certificate failed" % (cmonger.service_name)
 
 def configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server, options):
-    sssdconfig = SSSDConfig.SSSDConfig()
-    sssdconfig.new_config()
+    try:
+        sssdconfig = SSSDConfig.SSSDConfig()
+        sssdconfig.import_config()
+    except Exception, e:
+        if os.path.exists("/etc/sssd/sssd.conf") and options.preserve_sssd:
+            # SSSD config is in place but we are unable to read it
+            # In addition, we are instructed to preserve it
+            # This all means we can't use it and have to bail out
+            print "SSSD config exists but cannot be parsed: %s" % (str(e))
+            print "Correct errors in /etc/sssd/sssd.conf and re-run installation"
+            logging.error("Failed to parse SSSD configuration and was instructed to preserve existing SSSD config: %s" % (str(e)))
+            return 1
+
+        # SSSD configuration does not exist or we are not asked to preserve it, create new one
+        # We do make new SSSDConfig instance because IPAChangeConf-derived classes have no
+        # means to reset their state and ParseError exception could come due to parsing
+        # error from older version which cannot be upgraded anymore, leaving sssdconfig
+        # instance practically unusable
+        # Note that we already backed up sssd.conf before going into this routine
+        if type(e) is IOError:
+            print "New SSSD config will be created."
+        else:
+            # It was not IOError so it must have been parsing error
+            print "Unable to parse existing SSSD config. As option --preserve-sssd was not specified, new config will override the old one."
+            print "The old /etc/sssd/sssd.conf is backed up and will be restored during uninstall."
+            logging.error("Unable to parse existing SSSD config and --preserve-sssd was not specified: %s" % (str(e)))
+        logging.info("New SSSD config will be created")
+        sssdconfig = SSSDConfig.SSSDConfig()
+        sssdconfig.new_config()
 
     domain = sssdconfig.new_domain(cli_domain)
     domain.add_provider('ipa', 'id')
@@ -1081,16 +1146,20 @@ def install(options, env, fstore, statestore):
     # Modify nsswitch/pam stack
     auth_config = ipaservices.authconfig()
     if options.sssd:
+        statestore.backup_state('authconfig', 'sssd', True)
+        statestore.backup_state('authconfig', 'sssdauth', True)
         auth_config.enable("sssd").\
                     enable("sssdauth")
         message = "SSSD enabled"
         conf = 'SSSD'
     else:
+        statestore.backup_state('authconfig', 'ldap', True)
         auth_config.enable("ldap").\
                     enable("forcelegacy")
         message = "LDAP enabled"
 
     if options.mkhomedir:
+        statestore.backup_state('authconfig', 'mkhomedir', True)
         auth_config.enable("mkhomedir")
 
     auth_config.add_option("update")
@@ -1100,6 +1169,7 @@ def install(options, env, fstore, statestore):
     if not options.sssd:
         #Modify pam to add pam_krb5 only when sssd is not in use
         auth_config.reset()
+        statestore.backup_state('authconfig', 'krb5', True)
         auth_config.enable("krb5").\
                     add_option("update").\
                     add_option("nostart")
diff --git a/ipapython/sysrestore.py b/ipapython/sysrestore.py
index 9b0e39fcb6b2b5035f1bd5012ac598309c83e9ae..e22b4d4fa617141c3546290d7f049f5037651ce1 100644
--- a/ipapython/sysrestore.py
+++ b/ipapython/sysrestore.py
@@ -130,6 +130,19 @@ class FileStore:
         self.files[filename] = string.join([str(stat.st_mode),str(stat.st_uid),str(stat.st_gid),path], ',')
         self.save()
 
+    def has_file(self, path):
+        """Checks whether file at @path was added to the file store
+
+        Returns #True if the file exists in the file store, #False otherwise
+        """
+        result = False
+        for (key, value) in self.files.items():
+            (mode,uid,gid,filepath) = string.split(value, ',', 3)
+            if (filepath == path):
+                result = True
+                break
+        return result
+
     def restore_file(self, path):
         """Restore the copy of a file at @path to its original
         location and delete the copy.
-- 
1.7.6.4


From mkosek at redhat.com  Thu Oct 13 12:40:43 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 13 Oct 2011 14:40:43 +0200
Subject: [Freeipa-devel] [PATCH] 149 Make IPv4 address parsing more strict
Message-ID: <1318509645.1246.35.camel@balmora.brq.redhat.com>

Let netaddr.IPAddress() use inet_pton() rather than inet_aton() for
IP address parsing. We will use the same function in IPv4/IPv6
conversions + be stricter and don't allow IP addresses such as
'1.1.1' at the same time.

https://fedorahosted.org/freeipa/ticket/1965

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-149-make-ipv4-address-parsing-more-strict.patch
Type: text/x-patch
Size: 2347 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111013/f73dd20e/attachment.bin>

From abokovoy at redhat.com  Thu Oct 13 12:48:45 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Thu, 13 Oct 2011 15:48:45 +0300
Subject: [Freeipa-devel] [PATCH] 149 Make IPv4 address parsing more
	strict
In-Reply-To: <1318509645.1246.35.camel@balmora.brq.redhat.com>
References: <1318509645.1246.35.camel@balmora.brq.redhat.com>
Message-ID: <20111013124844.GC2840@redhat.com>

On Thu, 13 Oct 2011, Martin Kosek wrote:
> Let netaddr.IPAddress() use inet_pton() rather than inet_aton() for
> IP address parsing. We will use the same function in IPv4/IPv6
> conversions + be stricter and don't allow IP addresses such as
> '1.1.1' at the same time.
> 
> https://fedorahosted.org/freeipa/ticket/1965
ACK, good change.

-- 
/ Alexander Bokovoy



From mkosek at redhat.com  Thu Oct 13 13:05:43 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 13 Oct 2011 15:05:43 +0200
Subject: [Freeipa-devel] [PATCH] 149 Make IPv4 address parsing more
 strict
In-Reply-To: <20111013124844.GC2840@redhat.com>
References: <1318509645.1246.35.camel@balmora.brq.redhat.com>
	<20111013124844.GC2840@redhat.com>
Message-ID: <1318511151.1246.36.camel@balmora.brq.redhat.com>

On Thu, 2011-10-13 at 15:48 +0300, Alexander Bokovoy wrote:
> On Thu, 13 Oct 2011, Martin Kosek wrote:
> > Let netaddr.IPAddress() use inet_pton() rather than inet_aton() for
> > IP address parsing. We will use the same function in IPv4/IPv6
> > conversions + be stricter and don't allow IP addresses such as
> > '1.1.1' at the same time.
> > 
> > https://fedorahosted.org/freeipa/ticket/1965
> ACK, good change.
> 

Thanks. Pushed to master, ipa-2-1.

Martin



From rcritten at redhat.com  Thu Oct 13 15:01:29 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 13 Oct 2011 11:01:29 -0400
Subject: [Freeipa-devel] [PATCH] 891 drop has_upg() check
In-Reply-To: <1318493784.1246.19.camel@balmora.brq.redhat.com>
References: <4E9660EF.6070205@redhat.com>
	<1318493784.1246.19.camel@balmora.brq.redhat.com>
Message-ID: <4E96FD49.7070909@redhat.com>

Martin Kosek wrote:
> On Wed, 2011-10-12 at 23:54 -0400, Rob Crittenden wrote:
>> The has_upg() check was created during a transition period for 389-ds.
>> It is no longer needed and is actually breaking things. The location of
>> UPG template moved so it thinks the feature is not available. This is
>> making the primary user's group ipausers instead of the UPG.
>>
>> rob
>
> Shouldn't we remove has_managed_entries() and its use too? After all, we
> claim that this patch fixes #1242 which asks for has_managed_entries()
> removal.
>
> Martin
>

Updated patch attached. It removes has_managed_entries().

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-891-2-upg.patch
Type: text/x-patch
Size: 5172 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111013/ca482d73/attachment.bin>

From rcritten at redhat.com  Thu Oct 13 15:36:05 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 13 Oct 2011 11:36:05 -0400
Subject: [Freeipa-devel] [PATCH] 54 Fix attempted write to attribute of
 read-only object
In-Reply-To: <4E96B5AB.4030800@redhat.com>
References: <4E96B5AB.4030800@redhat.com>
Message-ID: <4E970565.6040009@redhat.com>

Jan Cholasta wrote:
> Also fixes a few issues in the unit tests. All of them now run
> successfully.
>
> https://fedorahosted.org/freeipa/ticket/1959
>
> Honza

I think it would be better to use:

object.__setattr__(self, 'ca_host', self._select_ca())

This will cache the value of a known CA host.

rob



From mkosek at redhat.com  Thu Oct 13 16:05:26 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 13 Oct 2011 18:05:26 +0200
Subject: [Freeipa-devel] [PATCH] 891 drop has_upg() check
In-Reply-To: <4E96FD49.7070909@redhat.com>
References: <4E9660EF.6070205@redhat.com>
	<1318493784.1246.19.camel@balmora.brq.redhat.com>
	<4E96FD49.7070909@redhat.com>
Message-ID: <1318521928.30594.7.camel@balmora.brq.redhat.com>

On Thu, 2011-10-13 at 11:01 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > On Wed, 2011-10-12 at 23:54 -0400, Rob Crittenden wrote:
> >> The has_upg() check was created during a transition period for 389-ds.
> >> It is no longer needed and is actually breaking things. The location of
> >> UPG template moved so it thinks the feature is not available. This is
> >> making the primary user's group ipausers instead of the UPG.
> >>
> >> rob
> >
> > Shouldn't we remove has_managed_entries() and its use too? After all, we
> > claim that this patch fixes #1242 which asks for has_managed_entries()
> > removal.
> >
> > Martin
> >
> 
> Updated patch attached. It removes has_managed_entries().
> 
> rob

Looks good - there is just some leftover in the bottom of commit
message, probably from patch squashing.

However, I was thinking about has_upg() removal. Shouldn't we check if
the UPG plugin is enabled (the same way we do in ipa-managed-entries)?
Otherwise if the plugin is disabled and we would run user-add command
without --noprivate option, we would set nonexistent GID for the user as
the UPG wouldn't be created.

Martin



From ayoung at redhat.com  Thu Oct 13 16:53:02 2011
From: ayoung at redhat.com (Adam Young)
Date: Thu, 13 Oct 2011 12:53:02 -0400
Subject: [Freeipa-devel] Requirements for User Certificates  in IPA
Message-ID: <4E97176E.1050000@redhat.com>

Each IPA user will have the ability to request a cryptographic 
certificate. The primary usage for user certificates is for 
authentication in cases where Kerberos is not an option: Across 
firewalls and cases where cross domain trust has not been established.


There are a range of options for implementing user certificates. The 
variables are the number of certificates per user, the work-flow for 
approving certificates, and tracking the approval agent for a 
certificate signing.


The simplest use case is a user can have only a single certificate, and 
it gets approved automatically. This is the way host certificates 
currently work. The justification for automated approval is that the 
user has already authenticated themselves via Kerberos in order to 
request the ticket in the first place.


There is an argument for allow a user to have multiple certificates. The 
user might have multiple devices, such as both a laptop and a cellphone, 
that should be independently authenticated. Allowing multiple 
certificates means that the user is not responsible for transporting 
private keys between the two devices, and thus they are less likely to 
accidentally expose it. It also means that revoking a certificate for a 
lost cell phone will not cut off all remote access for a user.


Some organizations might decide that a certificate needs to require a 
higher guarantee of the users identity than just the Kerberos ticket. If 
certificate signing is not automated, then IPA is going to need both a 
queue to track certificate requests and a mechanism to notify the 
approval authority upon request submission. In order for a user to 
approve a CSR request, that user would need an appropriate ACI. This 
would be managed by IPA Roles. Approval of a certificate should then be 
an audited process, which could be done by customizing the User 
certificate profile to record the approving user.


Heavy use of user certificates would provide a much larger load on the 
OCSP service proxied through the IPA server. This load would need to be 
taken into account during deployment planning.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111013/4fab166f/attachment.htm>

From rcritten at redhat.com  Thu Oct 13 17:10:12 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 13 Oct 2011 13:10:12 -0400
Subject: [Freeipa-devel] [PATCH] 891 drop has_upg() check
In-Reply-To: <1318521928.30594.7.camel@balmora.brq.redhat.com>
References: <4E9660EF.6070205@redhat.com>
	<1318493784.1246.19.camel@balmora.brq.redhat.com>
	<4E96FD49.7070909@redhat.com>
	<1318521928.30594.7.camel@balmora.brq.redhat.com>
Message-ID: <4E971B74.2000305@redhat.com>

Martin Kosek wrote:
> On Thu, 2011-10-13 at 11:01 -0400, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> On Wed, 2011-10-12 at 23:54 -0400, Rob Crittenden wrote:
>>>> The has_upg() check was created during a transition period for 389-ds.
>>>> It is no longer needed and is actually breaking things. The location of
>>>> UPG template moved so it thinks the feature is not available. This is
>>>> making the primary user's group ipausers instead of the UPG.
>>>>
>>>> rob
>>>
>>> Shouldn't we remove has_managed_entries() and its use too? After all, we
>>> claim that this patch fixes #1242 which asks for has_managed_entries()
>>> removal.
>>>
>>> Martin
>>>
>>
>> Updated patch attached. It removes has_managed_entries().
>>
>> rob
>
> Looks good - there is just some leftover in the bottom of commit
> message, probably from patch squashing.
>
> However, I was thinking about has_upg() removal. Shouldn't we check if
> the UPG plugin is enabled (the same way we do in ipa-managed-entries)?
> Otherwise if the plugin is disabled and we would run user-add command
> without --noprivate option, we would set nonexistent GID for the user as
> the UPG wouldn't be created.
>
> Martin
>

Ok, good point.

I decided to just fix has_upg() for now.

I'm caching the value so we don't have to do an extra search every 
single time we add a user. I don't think this is the kind of thing that 
is going to be turned on/off a lot (e.g. you'll turn it off and be done 
with it).

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-891-3-upg.patch
Type: text/x-patch
Size: 1995 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111013/9316c0ce/attachment.bin>

From rcritten at redhat.com  Thu Oct 13 17:11:03 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 13 Oct 2011 13:11:03 -0400
Subject: [Freeipa-devel] [PATCH] 0012 Modify existing SSSD configuration
 instead of dropping it
In-Reply-To: <20111013123808.GB2840@redhat.com>
References: <1315405169.15945.3.camel@sgallagh520.bos.redhat.com>
	<20110908112649.GA17001@redhat.com>
	<20110913121143.GA27633@redhat.com>
	<1315919309.15570.24.camel@dhcp-25-52.brq.redhat.com>
	<20110913132241.GB27633@redhat.com>
	<1315920400.2367.43.camel@sgallagh520.bos.redhat.com>
	<20110913133352.GC27633@redhat.com>
	<1315921891.2367.54.camel@sgallagh520.bos.redhat.com>
	<20111012162407.GC15646@redhat.com> <4E95EB8A.9060901@redhat.com>
	<20111013123808.GB2840@redhat.com>
Message-ID: <4E971BA7.3080705@redhat.com>

Alexander Bokovoy wrote:
> On Wed, 12 Oct 2011, Rob Crittenden wrote:
>> Well, in the "generate new file" option I think the output is a bit
>> misleading.
>>
>> +        print "New SSSD config will be generated. The old one is
>> backed up and can be restored during uninstall"
>>
>> There could have been no existing sssd.conf, right?
>>
>> +        logging.error("Failed to parse SSSD configuration and will
>> generate new one")
>>
>> This could imply that an error occurred when in fact there just was
>> no sssd.conf to import.
>>
>> Otherwise the approach looks good.
> New version is attached. Works fine for me -- both in case
> uninstall-after-upgrade (means no installation code was run and
> nothing in state/file store) and normal install/uninstall. I also
> tried installing/uninstalling with missing sssd.conf and all went
> well:
>
> 1. Missing sssd.conf
> ---------------------
> Enrolled in IPA realm IPA.LOCAL
> Created /etc/ipa/default.conf
> New SSSD config will be created.
> Configured /etc/sssd/sssd.conf
> Configured /etc/krb5.conf for IPA realm IPA.LOCAL
> SSSD enabled
> NTP enabled
> Client configuration complete.
> ---------------------
>
> 2. Invalid sssd.conf
> ---------------------
> Enrolled in IPA realm IPA.LOCAL
> Created /etc/ipa/default.conf
> Unable to parse existing SSSD config. As option --preserve-sssd was not specified, new config will override the old one.
> The old /etc/sssd/sssd.conf is backed up and will be restored during uninstall.
> root        : ERROR    Unable to parse existing SSSD config and --preserve-sssd was not specified:
> Configured /etc/sssd/sssd.conf
> Configured /etc/krb5.conf for IPA realm IPA.LOCAL
> SSSD enabled
> NTP enabled
> Client configuration complete.
> ---------------------
>
> 3. Existing proper sssd.conf
> ---------------------
> Enrolled in IPA realm IPA.LOCAL
> Created /etc/ipa/default.conf
> Configured /etc/sssd/sssd.conf
> Configured /etc/krb5.conf for IPA realm IPA.LOCAL
> SSSD enabled
> NTP enabled
> Client configuration complete.
> ---------------------
>
> The only visible difference is change of comment symbol from ';' to
> '#' for the existing correct sssd.conf, but that's how SSSDConfig
> works.

ack, pushed to master and ipa-2-1

rob



From ayoung at redhat.com  Thu Oct 13 18:51:29 2011
From: ayoung at redhat.com (Adam Young)
Date: Thu, 13 Oct 2011 14:51:29 -0400
Subject: [Freeipa-devel] [PATCH] 0290-rolegroup-to-role
Message-ID: <4E973331.3050106@redhat.com>


-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0290-rolegroup-to-role.patch
Type: text/x-patch
Size: 1317 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111013/9f33357c/attachment.bin>

From rcritten at redhat.com  Thu Oct 13 19:09:56 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 13 Oct 2011 15:09:56 -0400
Subject: [Freeipa-devel] [PATCH] 891 drop has_upg() check
In-Reply-To: <4E971B74.2000305@redhat.com>
References: <4E9660EF.6070205@redhat.com>
	<1318493784.1246.19.camel@balmora.brq.redhat.com>
	<4E96FD49.7070909@redhat.com>
	<1318521928.30594.7.camel@balmora.brq.redhat.com>
	<4E971B74.2000305@redhat.com>
Message-ID: <4E973784.3010604@redhat.com>

Rob Crittenden wrote:
> Martin Kosek wrote:
>> On Thu, 2011-10-13 at 11:01 -0400, Rob Crittenden wrote:
>>> Martin Kosek wrote:
>>>> On Wed, 2011-10-12 at 23:54 -0400, Rob Crittenden wrote:
>>>>> The has_upg() check was created during a transition period for 389-ds.
>>>>> It is no longer needed and is actually breaking things. The
>>>>> location of
>>>>> UPG template moved so it thinks the feature is not available. This is
>>>>> making the primary user's group ipausers instead of the UPG.
>>>>>
>>>>> rob
>>>>
>>>> Shouldn't we remove has_managed_entries() and its use too? After
>>>> all, we
>>>> claim that this patch fixes #1242 which asks for has_managed_entries()
>>>> removal.
>>>>
>>>> Martin
>>>>
>>>
>>> Updated patch attached. It removes has_managed_entries().
>>>
>>> rob
>>
>> Looks good - there is just some leftover in the bottom of commit
>> message, probably from patch squashing.
>>
>> However, I was thinking about has_upg() removal. Shouldn't we check if
>> the UPG plugin is enabled (the same way we do in ipa-managed-entries)?
>> Otherwise if the plugin is disabled and we would run user-add command
>> without --noprivate option, we would set nonexistent GID for the user as
>> the UPG wouldn't be created.
>>
>> Martin
>>
>
> Ok, good point.
>
> I decided to just fix has_upg() for now.
>
> I'm caching the value so we don't have to do an extra search every
> single time we add a user. I don't think this is the kind of thing that
> is going to be turned on/off a lot (e.g. you'll turn it off and be done
> with it).
>
> rob

Updated patch to remove caching. Since the config is now replicated if 
an admin disables it they would quickly have to restart all Apache 
servers on all replicas which is bad.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-891-4-upg.patch
Type: text/x-patch
Size: 2411 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111013/77ce6f11/attachment.bin>

From mkosek at redhat.com  Thu Oct 13 19:17:50 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 13 Oct 2011 21:17:50 +0200
Subject: [Freeipa-devel] [PATCH] 891 drop has_upg() check
In-Reply-To: <4E973784.3010604@redhat.com>
References: <4E9660EF.6070205@redhat.com>
	<1318493784.1246.19.camel@balmora.brq.redhat.com>
	<4E96FD49.7070909@redhat.com>
	<1318521928.30594.7.camel@balmora.brq.redhat.com>
	<4E971B74.2000305@redhat.com> <4E973784.3010604@redhat.com>
Message-ID: <1318533472.2049.1.camel@priserak>

On Thu, 2011-10-13 at 15:09 -0400, Rob Crittenden wrote:
> Rob Crittenden wrote:
> > Martin Kosek wrote:
> >> On Thu, 2011-10-13 at 11:01 -0400, Rob Crittenden wrote:
> >>> Martin Kosek wrote:
> >>>> On Wed, 2011-10-12 at 23:54 -0400, Rob Crittenden wrote:
> >>>>> The has_upg() check was created during a transition period for 389-ds.
> >>>>> It is no longer needed and is actually breaking things. The
> >>>>> location of
> >>>>> UPG template moved so it thinks the feature is not available. This is
> >>>>> making the primary user's group ipausers instead of the UPG.
> >>>>>
> >>>>> rob
> >>>>
> >>>> Shouldn't we remove has_managed_entries() and its use too? After
> >>>> all, we
> >>>> claim that this patch fixes #1242 which asks for has_managed_entries()
> >>>> removal.
> >>>>
> >>>> Martin
> >>>>
> >>>
> >>> Updated patch attached. It removes has_managed_entries().
> >>>
> >>> rob
> >>
> >> Looks good - there is just some leftover in the bottom of commit
> >> message, probably from patch squashing.
> >>
> >> However, I was thinking about has_upg() removal. Shouldn't we check if
> >> the UPG plugin is enabled (the same way we do in ipa-managed-entries)?
> >> Otherwise if the plugin is disabled and we would run user-add command
> >> without --noprivate option, we would set nonexistent GID for the user as
> >> the UPG wouldn't be created.
> >>
> >> Martin
> >>
> >
> > Ok, good point.
> >
> > I decided to just fix has_upg() for now.
> >
> > I'm caching the value so we don't have to do an extra search every
> > single time we add a user. I don't think this is the kind of thing that
> > is going to be turned on/off a lot (e.g. you'll turn it off and be done
> > with it).
> >
> > rob
> 
> Updated patch to remove caching. Since the config is now replicated if 
> an admin disables it they would quickly have to restart all Apache 
> servers on all replicas which is bad.
> 
> rob
> 

ipaserver/plugins/ldap2.py:723: [E0001] invalid syntax

return = False? Really? :-)

Martin



From rcritten at redhat.com  Thu Oct 13 19:28:43 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 13 Oct 2011 15:28:43 -0400
Subject: [Freeipa-devel] [PATCH] 891 drop has_upg() check
In-Reply-To: <1318533472.2049.1.camel@priserak>
References: <4E9660EF.6070205@redhat.com>
	<1318493784.1246.19.camel@balmora.brq.redhat.com>
	<4E96FD49.7070909@redhat.com>
	<1318521928.30594.7.camel@balmora.brq.redhat.com>
	<4E971B74.2000305@redhat.com> <4E973784.3010604@redhat.com>
	<1318533472.2049.1.camel@priserak>
Message-ID: <4E973BEB.20005@redhat.com>

Martin Kosek wrote:
> On Thu, 2011-10-13 at 15:09 -0400, Rob Crittenden wrote:
>> Rob Crittenden wrote:
>>> Martin Kosek wrote:
>>>> On Thu, 2011-10-13 at 11:01 -0400, Rob Crittenden wrote:
>>>>> Martin Kosek wrote:
>>>>>> On Wed, 2011-10-12 at 23:54 -0400, Rob Crittenden wrote:
>>>>>>> The has_upg() check was created during a transition period for 389-ds.
>>>>>>> It is no longer needed and is actually breaking things. The
>>>>>>> location of
>>>>>>> UPG template moved so it thinks the feature is not available. This is
>>>>>>> making the primary user's group ipausers instead of the UPG.
>>>>>>>
>>>>>>> rob
>>>>>>
>>>>>> Shouldn't we remove has_managed_entries() and its use too? After
>>>>>> all, we
>>>>>> claim that this patch fixes #1242 which asks for has_managed_entries()
>>>>>> removal.
>>>>>>
>>>>>> Martin
>>>>>>
>>>>>
>>>>> Updated patch attached. It removes has_managed_entries().
>>>>>
>>>>> rob
>>>>
>>>> Looks good - there is just some leftover in the bottom of commit
>>>> message, probably from patch squashing.
>>>>
>>>> However, I was thinking about has_upg() removal. Shouldn't we check if
>>>> the UPG plugin is enabled (the same way we do in ipa-managed-entries)?
>>>> Otherwise if the plugin is disabled and we would run user-add command
>>>> without --noprivate option, we would set nonexistent GID for the user as
>>>> the UPG wouldn't be created.
>>>>
>>>> Martin
>>>>
>>>
>>> Ok, good point.
>>>
>>> I decided to just fix has_upg() for now.
>>>
>>> I'm caching the value so we don't have to do an extra search every
>>> single time we add a user. I don't think this is the kind of thing that
>>> is going to be turned on/off a lot (e.g. you'll turn it off and be done
>>> with it).
>>>
>>> rob
>>
>> Updated patch to remove caching. Since the config is now replicated if
>> an admin disables it they would quickly have to restart all Apache
>> servers on all replicas which is bad.
>>
>> rob
>>
>
> ipaserver/plugins/ldap2.py:723: [E0001] invalid syntax
>
> return = False? Really? :-)
>
> Martin
>

I'm feeling very philosophical right now. To return or not return...

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-891-5-upg.patch
Type: text/x-patch
Size: 2407 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111013/3d78d8c5/attachment.bin>

From mkosek at redhat.com  Thu Oct 13 19:41:03 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 13 Oct 2011 21:41:03 +0200
Subject: [Freeipa-devel] [PATCH] 891 drop has_upg() check
In-Reply-To: <4E973BEB.20005@redhat.com>
References: <4E9660EF.6070205@redhat.com>
	<1318493784.1246.19.camel@balmora.brq.redhat.com>
	<4E96FD49.7070909@redhat.com>
	<1318521928.30594.7.camel@balmora.brq.redhat.com>
	<4E971B74.2000305@redhat.com> <4E973784.3010604@redhat.com>
	<1318533472.2049.1.camel@priserak> <4E973BEB.20005@redhat.com>
Message-ID: <1318534864.2049.2.camel@priserak>

On Thu, 2011-10-13 at 15:28 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > On Thu, 2011-10-13 at 15:09 -0400, Rob Crittenden wrote:
> >> Rob Crittenden wrote:
> >>> Martin Kosek wrote:
> >>>> On Thu, 2011-10-13 at 11:01 -0400, Rob Crittenden wrote:
> >>>>> Martin Kosek wrote:
> >>>>>> On Wed, 2011-10-12 at 23:54 -0400, Rob Crittenden wrote:
> >>>>>>> The has_upg() check was created during a transition period for 389-ds.
> >>>>>>> It is no longer needed and is actually breaking things. The
> >>>>>>> location of
> >>>>>>> UPG template moved so it thinks the feature is not available. This is
> >>>>>>> making the primary user's group ipausers instead of the UPG.
> >>>>>>>
> >>>>>>> rob
> >>>>>>
> >>>>>> Shouldn't we remove has_managed_entries() and its use too? After
> >>>>>> all, we
> >>>>>> claim that this patch fixes #1242 which asks for has_managed_entries()
> >>>>>> removal.
> >>>>>>
> >>>>>> Martin
> >>>>>>
> >>>>>
> >>>>> Updated patch attached. It removes has_managed_entries().
> >>>>>
> >>>>> rob
> >>>>
> >>>> Looks good - there is just some leftover in the bottom of commit
> >>>> message, probably from patch squashing.
> >>>>
> >>>> However, I was thinking about has_upg() removal. Shouldn't we check if
> >>>> the UPG plugin is enabled (the same way we do in ipa-managed-entries)?
> >>>> Otherwise if the plugin is disabled and we would run user-add command
> >>>> without --noprivate option, we would set nonexistent GID for the user as
> >>>> the UPG wouldn't be created.
> >>>>
> >>>> Martin
> >>>>
> >>>
> >>> Ok, good point.
> >>>
> >>> I decided to just fix has_upg() for now.
> >>>
> >>> I'm caching the value so we don't have to do an extra search every
> >>> single time we add a user. I don't think this is the kind of thing that
> >>> is going to be turned on/off a lot (e.g. you'll turn it off and be done
> >>> with it).
> >>>
> >>> rob
> >>
> >> Updated patch to remove caching. Since the config is now replicated if
> >> an admin disables it they would quickly have to restart all Apache
> >> servers on all replicas which is bad.
> >>
> >> rob
> >>
> >
> > ipaserver/plugins/ldap2.py:723: [E0001] invalid syntax
> >
> > return = False? Really? :-)
> >
> > Martin
> >
> 
> I'm feeling very philosophical right now. To return or not return...
> 
> rob

Return. Always.

ACK and pushed to master, ipa-2-1.

Martin



From rcritten at redhat.com  Thu Oct 13 20:30:01 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 13 Oct 2011 16:30:01 -0400
Subject: [Freeipa-devel] [PATCH] 0290-rolegroup-to-role
In-Reply-To: <4E973331.3050106@redhat.com>
References: <4E973331.3050106@redhat.com>
Message-ID: <4E974A49.6000602@redhat.com>

Ack, pushed to master and ipa-2-1

I modified the changelog a little bit before pushing.



From rcritten at redhat.com  Thu Oct 13 22:01:43 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 13 Oct 2011 18:01:43 -0400
Subject: [Freeipa-devel] [PATCH] 893 always save value of hostname
Message-ID: <4E975FC7.5060304@redhat.com>

In backup_and_replace_hostname() the value of hostname wasn't being 
saved if it wasn't in /etc/sysconfig/network. This should save it in 
every case.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-893-hostname.patch
Type: text/x-patch
Size: 1384 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111013/701fc437/attachment.bin>

From abokovoy at redhat.com  Thu Oct 13 22:07:29 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Fri, 14 Oct 2011 01:07:29 +0300
Subject: [Freeipa-devel] [PATCH] 893 always save value of hostname
In-Reply-To: <4E975FC7.5060304@redhat.com>
References: <4E975FC7.5060304@redhat.com>
Message-ID: <20111013220729.GB1472@redhat.com>

On Thu, 13 Oct 2011, Rob Crittenden wrote:
> In backup_and_replace_hostname() the value of hostname wasn't being
> saved if it wasn't in /etc/sysconfig/network. This should save it in
> every case.
ACK
(yes, I need to go to bed)
-- 
/ Alexander Bokovoy



From rcritten at redhat.com  Thu Oct 13 22:08:51 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 13 Oct 2011 18:08:51 -0400
Subject: [Freeipa-devel] [PATCH] 140 + 148 + 147 Hostname fixes
In-Reply-To: <20111013110944.GA2840@redhat.com>
References: <1318424919.14093.27.camel@balmora.brq.redhat.com>
	<4E965D43.1000407@redhat.com>
	<1318503372.1246.34.camel@balmora.brq.redhat.com>
	<20111013110944.GA2840@redhat.com>
Message-ID: <4E976173.8050808@redhat.com>

Alexander Bokovoy wrote:
> On Thu, 13 Oct 2011, Martin Kosek wrote:
>>> 1. If an installation error occurs after the hostname has been changed
>>> it isn't reverted and the uninstaller needs to be run. This should
>>> rollback like the client.
>>
>> I think this is quite different. Client runs a whole uninstall()
>> procedure when the installation crashes. I see we have following options
>> here:
>> 1) Run uninstall() when server installation crashes (not my favorite,
>> this would make the investigation of what went difficult)
> Agree.
>
>> 2) Restore just hostname and /etc/sysconfig/network file when
>> installation crashes and leave other for --uninstall (thus create a bit
>> inconsistent state)
> For this one, there is now FileStore.has_file(path) method that allows
> to check whether file store has back up for a file pointed by an
> absolute path. This will allow you to proper detect that we actually
> changed hostname/archived /etc/sysconfig/network already -- either in
> server or client installation context.
>
> Unlike all other methods, this one gives you nondestructive peeking of
> the file store state.

ACK x 3, working fine.

I discovered one minor bug unrelated to these. If /etc/sysconfig/network 
doesn't have HOSTNAME set then the system hostname isn't restored when 
the server is uninstalled. My patch 893 will address that separately.

pushed to master and ipa-2-1

rob



From rcritten at redhat.com  Thu Oct 13 22:10:50 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 13 Oct 2011 18:10:50 -0400
Subject: [Freeipa-devel] [PATCH] 893 always save value of hostname
In-Reply-To: <20111013220729.GB1472@redhat.com>
References: <4E975FC7.5060304@redhat.com> <20111013220729.GB1472@redhat.com>
Message-ID: <4E9761EA.2090905@redhat.com>

Alexander Bokovoy wrote:
> On Thu, 13 Oct 2011, Rob Crittenden wrote:
>> In backup_and_replace_hostname() the value of hostname wasn't being
>> saved if it wasn't in /etc/sysconfig/network. This should save it in
>> every case.
> ACK
> (yes, I need to go to bed)

Why bother, it's almost time to get up, right? ;-)

pushed to master and ipa-2-1



From rcritten at redhat.com  Thu Oct 13 22:36:08 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 13 Oct 2011 18:36:08 -0400
Subject: [Freeipa-devel] [PATCH] 894 add winsync info to ipa-replica-manage
	man page
Message-ID: <4E9767D8.4080804@redhat.com>

Added more detailed information on creating a winsync replica to the 
ipa-replica-manage man page.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-894-winsync.patch
Type: text/x-patch
Size: 3426 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111013/5c4e3823/attachment.bin>

From abokovoy at redhat.com  Fri Oct 14 03:43:43 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Fri, 14 Oct 2011 06:43:43 +0300
Subject: [Freeipa-devel] [PATCH] 894 add winsync info to
 ipa-replica-manage man page
In-Reply-To: <4E9767D8.4080804@redhat.com>
References: <4E9767D8.4080804@redhat.com>
Message-ID: <20111014034342.GA4552@redhat.com>

On Thu, 13 Oct 2011, Rob Crittenden wrote:
> Added more detailed information on creating a winsync replica to the
> ipa-replica-manage man page.

> +Creating a Windows AD Synchronization agreement is similar to creating an IPA replication agreement, there are just a couple of extra steps:
> +.TP
> +1. Transfer the base64\-encoded Windows AD CA Certficate to your IPA Server
> +.TP
> +2. Remove any existing kerberos credentials
> +  # kdestroy
> +.TP
> +3) Add the winsync replication agreement
> + # ipa\-replica\-manage connect \-\-winsync 
> \-\-passsync=<bindpwd_for_syncuser_that will_be_used_for_agreement> 
> \-\-cacert=/path/to/adscacert/WIN\-CA.cer \-\-binddn 
> "cn=administrator,cn=users,dc=ipa,dc=qe" \-\-bindpw 
> <ads_administrator_password> \-v <adserver.fqdn>
Could you please make DN similar to what is below? There will be 
confusion:

> +.TP
> +You will be prompted to supply the Directory Manager's password.
> +.TP
> +Create a winsync replication agreement:
> +
> + # ipa\-replica\-manage connect \-\-winsync \-\-passsync=MySecret
> +\-\-cacert=/root/WIN\-CA.cer \-\-binddn "cn=administrator,cn=users,dc=ad,dc=example,dc=com"
> +\-\-bindpw MySecret \-v windows.ad.example.com
> +
> +.TP
> +Remove a winsync replication agreement:
> + # ipa\-replica\-manage disconnect windows.ad.example.com
>  .SH "EXIT STATUS"
>  0 if the command was successful


-- 
/ Alexander Bokovoy



From rcritten at redhat.com  Fri Oct 14 04:40:59 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 14 Oct 2011 00:40:59 -0400
Subject: [Freeipa-devel] [PATCH] 894 add winsync info to
 ipa-replica-manage man page
In-Reply-To: <20111014034342.GA4552@redhat.com>
References: <4E9767D8.4080804@redhat.com> <20111014034342.GA4552@redhat.com>
Message-ID: <4E97BD5B.8080802@redhat.com>

Alexander Bokovoy wrote:
> On Thu, 13 Oct 2011, Rob Crittenden wrote:
>> Added more detailed information on creating a winsync replica to the
>> ipa-replica-manage man page.
>
>> +Creating a Windows AD Synchronization agreement is similar to creating an IPA replication agreement, there are just a couple of extra steps:
>> +.TP
>> +1. Transfer the base64\-encoded Windows AD CA Certficate to your IPA Server
>> +.TP
>> +2. Remove any existing kerberos credentials
>> +  # kdestroy
>> +.TP
>> +3) Add the winsync replication agreement
>> + # ipa\-replica\-manage connect \-\-winsync
>> \-\-passsync=<bindpwd_for_syncuser_that will_be_used_for_agreement>
>> \-\-cacert=/path/to/adscacert/WIN\-CA.cer \-\-binddn
>> "cn=administrator,cn=users,dc=ipa,dc=qe" \-\-bindpw
>> <ads_administrator_password>  \-v<adserver.fqdn>
> Could you please make DN similar to what is below? There will be
> confusion:

Done. I also added a bit about the PassSync user and the AD bind dn.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-894-2-winsync.patch
Type: text/x-patch
Size: 3865 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111014/86016c3d/attachment.bin>

From abokovoy at redhat.com  Fri Oct 14 05:04:19 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Fri, 14 Oct 2011 08:04:19 +0300
Subject: [Freeipa-devel] [PATCH] 894 add winsync info to
 ipa-replica-manage man page
In-Reply-To: <4E97BD5B.8080802@redhat.com>
References: <4E9767D8.4080804@redhat.com> <20111014034342.GA4552@redhat.com>
	<4E97BD5B.8080802@redhat.com>
Message-ID: <20111014050418.GB4552@redhat.com>

On Fri, 14 Oct 2011, Rob Crittenden wrote:
> Alexander Bokovoy wrote:
> >On Thu, 13 Oct 2011, Rob Crittenden wrote:
> >>Added more detailed information on creating a winsync replica to the
> >>ipa-replica-manage man page.
> >
> >>+Creating a Windows AD Synchronization agreement is similar to creating an IPA replication agreement, there are just a couple of extra steps:
> >>+.TP
> >>+1. Transfer the base64\-encoded Windows AD CA Certficate to your IPA Server
> >>+.TP
> >>+2. Remove any existing kerberos credentials
> >>+  # kdestroy
> >>+.TP
> >>+3) Add the winsync replication agreement
> >>+ # ipa\-replica\-manage connect \-\-winsync
> >>\-\-passsync=<bindpwd_for_syncuser_that will_be_used_for_agreement>
> >>\-\-cacert=/path/to/adscacert/WIN\-CA.cer \-\-binddn
> >>"cn=administrator,cn=users,dc=ipa,dc=qe" \-\-bindpw
> >><ads_administrator_password>  \-v<adserver.fqdn>
> >Could you please make DN similar to what is below? There will be
> >confusion:
> 
> Done. I also added a bit about the PassSync user and the AD bind dn.
ACK

-- 
/ Alexander Bokovoy



From mkosek at redhat.com  Fri Oct 14 07:07:40 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 14 Oct 2011 09:07:40 +0200
Subject: [Freeipa-devel] [PATCH] 894 add winsync info to
 ipa-replica-manage man page
In-Reply-To: <20111014050418.GB4552@redhat.com>
References: <4E9767D8.4080804@redhat.com> <20111014034342.GA4552@redhat.com>
	<4E97BD5B.8080802@redhat.com> <20111014050418.GB4552@redhat.com>
Message-ID: <1318576063.9468.0.camel@balmora.brq.redhat.com>

On Fri, 2011-10-14 at 08:04 +0300, Alexander Bokovoy wrote:
> On Fri, 14 Oct 2011, Rob Crittenden wrote:
> > Alexander Bokovoy wrote:
> > >On Thu, 13 Oct 2011, Rob Crittenden wrote:
> > >>Added more detailed information on creating a winsync replica to the
> > >>ipa-replica-manage man page.
> > >
> > >>+Creating a Windows AD Synchronization agreement is similar to creating an IPA replication agreement, there are just a couple of extra steps:
> > >>+.TP
> > >>+1. Transfer the base64\-encoded Windows AD CA Certficate to your IPA Server
> > >>+.TP
> > >>+2. Remove any existing kerberos credentials
> > >>+  # kdestroy
> > >>+.TP
> > >>+3) Add the winsync replication agreement
> > >>+ # ipa\-replica\-manage connect \-\-winsync
> > >>\-\-passsync=<bindpwd_for_syncuser_that will_be_used_for_agreement>
> > >>\-\-cacert=/path/to/adscacert/WIN\-CA.cer \-\-binddn
> > >>"cn=administrator,cn=users,dc=ipa,dc=qe" \-\-bindpw
> > >><ads_administrator_password>  \-v<adserver.fqdn>
> > >Could you please make DN similar to what is below? There will be
> > >confusion:
> > 
> > Done. I also added a bit about the PassSync user and the AD bind dn.
> ACK
> 

Pushed to master, ipa-2-1.

Martin



From abokovoy at redhat.com  Fri Oct 14 07:33:12 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Fri, 14 Oct 2011 10:33:12 +0300
Subject: [Freeipa-devel] [PATCH] 0027 Document --preserve-sssd option of
	ipa-client-install
Message-ID: <20111014073311.GA8783@redhat.com>

Hi,

document new option --preserve-sssd introduced when fixing ticket 
1750.

-- 
/ Alexander Bokovoy
-------------- next part --------------
>From bb98c30ddf8efad1a563529f1776ab1c8f097683 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy at redhat.com>
Date: Fri, 14 Oct 2011 10:27:59 +0300
Subject: [PATCH] Document --preserve-sssd option of ipa-client-install

Add documentation about --preserve-sssd, an ipa-client-install's option to
honor previously available SSSD configuration in case it is not possible to
merge it cleanly with the new one. In this case ipa-client-install will fail
and ask user to fix SSSD config before continuing.

Additional fix for
https://fedorahosted.org/freeipa/ticket/1750
https://fedorahosted.org/freeipa/ticket/1769
---
 ipa-client/man/ipa-client-install.1 |    9 +++++++++
 1 files changed, 9 insertions(+), 0 deletions(-)

diff --git a/ipa-client/man/ipa-client-install.1 b/ipa-client/man/ipa-client-install.1
index 0bfbe5451c9016276eff25f3b1a4fe02e1efd593..fa2950f262ce13c287bca97bf4d7363bd7683d78 100644
--- a/ipa-client/man/ipa-client-install.1
+++ b/ipa-client/man/ipa-client-install.1
@@ -85,6 +85,15 @@ Configure SSSD not to store user password when the server is offline.
 .TP
 \fB\-S\fR, \fB\-\-no\-sssd\fR
 Do not configure the client to use SSSD for authentication, use nss_ldap instead.
+.TP
+\fB\-\-preserve\-sssd\fR
+Disabled by default. When enabled, preserves old SSSD configuration if it is
+not possible to merge it with a new one. Effectively, if the merge is not
+possible due to SSSDConfig reader encountering unsupported options,
+\fBipa\-client\-install\fR will not run further and ask to fix SSSD config
+first. When this option is not specified, \fBipa\-client\-install\fR will back
+up SSSD config and create new one. The back up version will be restored during
+uninstall. 
 
 .SS "UNINSTALL OPTIONS"
 .TP
-- 
1.7.6.4


From jcholast at redhat.com  Fri Oct 14 08:01:31 2011
From: jcholast at redhat.com (Jan Cholasta)
Date: Fri, 14 Oct 2011 10:01:31 +0200
Subject: [Freeipa-devel] [PATCH] 54 Fix attempted write to attribute of
 read-only object
In-Reply-To: <4E970565.6040009@redhat.com>
References: <4E96B5AB.4030800@redhat.com> <4E970565.6040009@redhat.com>
Message-ID: <4E97EC5B.90309@redhat.com>

Dne 13.10.2011 17:36, Rob Crittenden napsal(a):
> Jan Cholasta wrote:
>> Also fixes a few issues in the unit tests. All of them now run
>> successfully.
>>
>> https://fedorahosted.org/freeipa/ticket/1959
>>
>> Honza
>
> I think it would be better to use:
>
> object.__setattr__(self, 'ca_host', self._select_ca())
>
> This will cache the value of a known CA host.
>
> rob

That's ugly!

Here you are anyway.

Honza

-- 
Jan Cholasta
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-54.1-fix-read-only-write.patch
Type: text/x-patch
Size: 3908 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111014/9fd2c9f6/attachment.bin>

From abokovoy at redhat.com  Fri Oct 14 08:19:00 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Fri, 14 Oct 2011 11:19:00 +0300
Subject: [Freeipa-devel] [PATCH] 54 Fix attempted write to attribute of
 read-only object
In-Reply-To: <4E97EC5B.90309@redhat.com>
References: <4E96B5AB.4030800@redhat.com> <4E970565.6040009@redhat.com>
	<4E97EC5B.90309@redhat.com>
Message-ID: <20111014081859.GB8783@redhat.com>

On Fri, 14 Oct 2011, Jan Cholasta wrote:
>          Perform an HTTP request.
>          """
> -        if self.ca_host == None:
> -            self.ca_host = self._select_ca()
> +        if self.ca_host is None:
> +            object.__setattr__(self, 'ca_host', self._select_ca())
>          return dogtag.http_request(self.ca_host, port, url, **kw)
I don't like this approach as well. A better way would be to have a 
class CaCache that is mutable and allow changing its properties. Then 
you would create an instance of CaCache in ca.__init__() and ask for 
its properties later.

You can move those _select_ca(), _select_any_master(), 
_host_has_service() to CaCache as they seem to not depend on anything 
in class ca but rather use global api.env.

This way you will get is a fairly simple CaCache class reusable both 
in ca and ra classes.
-- 
/ Alexander Bokovoy



From mkosek at redhat.com  Fri Oct 14 08:33:29 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 14 Oct 2011 10:33:29 +0200
Subject: [Freeipa-devel] [PATCH] 0027 Document --preserve-sssd option of
 ipa-client-install
In-Reply-To: <20111014073311.GA8783@redhat.com>
References: <20111014073311.GA8783@redhat.com>
Message-ID: <1318581211.9468.3.camel@balmora.brq.redhat.com>

On Fri, 2011-10-14 at 10:33 +0300, Alexander Bokovoy wrote:
> Hi,
> 
> document new option --preserve-sssd introduced when fixing ticket 
> 1750.
> 

ACK. Pushed to master, ipa-2-1.

Martin



From mkosek at redhat.com  Fri Oct 14 08:36:45 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 14 Oct 2011 10:36:45 +0200
Subject: [Freeipa-devel] [PATCH] 150 Fix ipa-client-install -U option
	alignment
Message-ID: <1318581407.9468.6.camel@balmora.brq.redhat.com>

Found when reviewing Alexander's man page patch 27.

Pushed to master, ipa-2-1 under the one-liner rule.

Martin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-150-fix-ipa-client-install-u-option-alignment.patch
Type: text/x-patch
Size: 830 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111014/de103fce/attachment.bin>

From mkosek at redhat.com  Fri Oct 14 09:50:53 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 14 Oct 2011 11:50:53 +0200
Subject: [Freeipa-devel] [PATCH] 151 Add --zonemgr validator
Message-ID: <1318585856.9468.7.camel@balmora.brq.redhat.com>

Do at least a basic validation of DNS zone manager mail address.

Do not require '@' to be in the mail address as it is not used
in common DNS zone configuration (in bind for example) and people
may be used to configure it that way. '@' is always removed by the
installer before the DNS zone is created.

https://fedorahosted.org/freeipa/ticket/1966

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-151-add-zonemgr-validator.patch
Type: text/x-patch
Size: 3632 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111014/b1140d24/attachment.bin>

From sbose at redhat.com  Fri Oct 14 10:15:57 2011
From: sbose at redhat.com (Sumit Bose)
Date: Fri, 14 Oct 2011 12:15:57 +0200
Subject: [Freeipa-devel] [PATCH] 8 Add DNS service records for Windows
Message-ID: <20111014101557.GC4622@localhost.localdomain>

Hi,

this patch adds DNS service records for for Windows systems during the
setup of trust support.

Fixes https://fedorahosted.org/freeipa/ticket/1939.

bye,
Sumit
-------------- next part --------------
>From 098f835edf3baedf2e69392909c9e725fde378f0 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose at redhat.com>
Date: Thu, 13 Oct 2011 12:01:57 +0200
Subject: [PATCH] Add DNS service records for Windows

https://fedorahosted.org/freeipa/ticket/1939
---
 ipaserver/install/adtrustinstance.py |   25 +++++++++++++++++++++++++
 1 files changed, 25 insertions(+), 0 deletions(-)

diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
index d1dc759c611f03215b461b8fe7ebc32d15dc857a..7899d9deca97f9b0311585ef22b1fb5944501bf8 100644
--- a/ipaserver/install/adtrustinstance.py
+++ b/ipaserver/install/adtrustinstance.py
@@ -27,6 +27,7 @@ import tempfile
 import installutils
 from ipaserver import ipaldap
 from ipaserver.install.dsinstance import realm_to_serverid
+from ipaserver.install.bindinstance import get_rr, add_rr, del_rr
 from ipalib import errors
 from ipapython import sysrestore
 from ipapython import ipautil
@@ -246,6 +247,29 @@ class ADTRUSTInstance(service.Service):
         except ipautil.CalledProcessError, e:
             logging.critical("Failed to add key for %s" % cifs_principal)
 
+    def __add_dns_service_records(self):
+        zone = self.domain_name
+        ipa_srv_rec = ("_ldap._tcp", "_kerberos._tcp", "_kerberos._udp")
+        win_srv_suffix = (".Default-First-Site-Name._sites.dc._msdcs",
+                          ".dc._msdcs")
+
+        for srv in ipa_srv_rec:
+            ipa_rdata = get_rr(zone, srv, "SRV")
+            if not ipa_rdata:
+                print "Canot find %s service record in locally, please add " \
+                      "%s.Default-First-Site-Name._sites.dc._msdcs and " \
+                      "%s.dc._msdcs for the %s DNS zone to your DNS server" % \
+                      (srv, srv, srv, zone)
+            else:
+                for suff in win_srv_suffix:
+                    win_srv = srv+suff
+                    win_rdata = get_rr(zone, win_srv, "SRV")
+                    if win_rdata:
+                        for rec in win_rdata:
+                            del_rr(zone, win_srv, "SRV", rec)
+                    for rec in ipa_rdata:
+                        add_rr(zone, win_srv, "SRV", rec)
+
     def __start(self):
         try:
             self.start()
@@ -312,6 +336,7 @@ class ADTRUSTInstance(service.Service):
         self.step("Adding cifs Kerberos principal", self.__setup_principal)
         self.step("Adding admin(group) SIDs", self.__add_admin_sids)
         self.step("configuring smbd to start on boot", self.__enable)
+        self.step("adding special DNS service records", self.__add_dns_service_records)
         self.step("starting smbd", self.__start)
 
         self.start_creation("Configuring smbd:")
-- 
1.7.6


From rcritten at redhat.com  Fri Oct 14 12:38:40 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 14 Oct 2011 08:38:40 -0400
Subject: [Freeipa-devel] [PATCH] update min nvr of 389-ds-base
Message-ID: <4E982D50.5040804@redhat.com>

Pushed this under the 1-liner rule. This is needed so we change the 
search limits.

rob

 From 21a30679c278e13f79e974af27fd370a2c2b8ecf Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten at redhat.com>
Date: Fri, 14 Oct 2011 08:36:38 -0400
Subject: [PATCH] Set min nvr of 389-ds-base to 1.2.10-0.4.a4 for limits 
fixes
  (740942, 742324)

---
  freeipa.spec.in |    8 +++++---
  1 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index ed88e44..c5a5e74 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -85,7 +85,7 @@ Requires: %{name}-python = %{version}-%{release}
  Requires: %{name}-client = %{version}-%{release}
  Requires: %{name}-admintools = %{version}-%{release}
  Requires: %{name}-server-selinux = %{version}-%{release}
-Requires(pre): 389-ds-base >= 1.2.9.7-1
+Requires(pre): 389-ds-base >= 1.2.10-0.4.a4
  Requires: openldap-clients
  Requires: nss
  Requires: nss-tools
@@ -551,9 +551,11 @@ fi
  %ghost %attr(0644,root,apache) %config(noreplace) 
%{_sysconfdir}/ipa/default.conf

  %changelog
-* Fri Oct 7 2011 Adam Young <ayoung at redhat.com> - 2.1.1-2
-- Add explicit dependency on pki-setup.
+* Fri Oct 14 2011 Rob Crittenden <rcritten at redhat.com> - 2.1.1-3
+- Set min nvr of 389-ds-base to 1.2.10-0.4.a4 for limits fixes (740942, 
742324)

+* Fri Oct  7 2011 Adam Young <ayoung at redhat.com> - 2.1.1-2
+- Add explicit dependency on pki-setup.

  * Mon Sep 12 2011 Alexander Bokovoy <abokovoy at redhat.com> - 2.1.1-1
  - Make sure platform adaptation is packaged in -python sub-package
-- 
1.7.6



From jdennis at redhat.com  Fri Oct 14 13:28:45 2011
From: jdennis at redhat.com (John Dennis)
Date: Fri, 14 Oct 2011 09:28:45 -0400
Subject: [Freeipa-devel] Handling certificates in JSON/XML-RPC (was: ticket
	1201 status)
In-Reply-To: <4E97BF4B.7020200@redhat.com>
References: <4E976E04.6030501@redhat.com> <4E97BF4B.7020200@redhat.com>
Message-ID: <4E98390D.90109@redhat.com>

[ I had a private email exchange with Rob concerning ticket 1201, we've 
had a long standing issue with how certificates are exchanged because in 
LDAP they are binary values. I told Rob I had a proof of concept working 
and Rob sent me a code snippet illustrating an earlier attempt he had 
made to fix the problem that didn't pan out. I wrote this reply as a 
response to Rob to explain my approach but it occurred to me this is a 
design issue which should be in open discussion thus this reply is to 
the devel list so others can review it and be in the loop. Apologies if 
you missed some earlier context. ]

-----------------------------------------------------------------

Thanks for the code snippet. I think the problem you might have run into 
is that you were doing the conversion at the point xmlrpc parameters are 
marshaled, that doesn't cover the json case (or other locations).

The way I'm planning on tackling this is to do the pem conversion at the 
moment it's read from LDAP. We already have a mechanism for that and you 
helped point me towards it when you mentioned wehandle some attributes 
specially based on it's LDAP syntax.

We "decorate" the  find_entries() method in ldap2 with the 
@decode_retval() decorator. What this does is examine the values 
returned from the LDAP query and converts them to our preferred types. I 
stumbled upon this while doing the DN work, I didn't know it existed, 
it's not all that visible when reading the code this conversion is 
occurring. It calls into something called an Encoder object (in 
encoder.py) which is a parameterized mechanism setup in ldap2. In 
summary what it does is use a table ( _SYNTAX_MAPPING) to lookup the 
attributes syntax and as long as it's not in the table it gets promoted 
to unicode, otherwise it's left as a str.

With a few tweaks this mechanism could be a bit more flexible. Rather 
than just using the existence of the attribute in the table as the 
decision on whether to call a conversion routine on it (e.g. encoding to 
unicode) the value in the table could be a function pointer to a 
conversion routine. Thus the logic would become "if the attribute is in 
the table, call the converter on the value, otherwise fallback to the 
default conversion (which happens to be UTF-8 <-> unicode".

In short what will happen is the whenever a 'usercertificate' is 
returned from LDAP (DER format) it will be converted to PEM format as a 
unicode object (i.e. indicating it's text data) in the result.

I believe this is fine because most of the places we use certificates 
internally already pass PEM formatted versions and call into 
x509.normalize_certificate() which checks for PEM vs. DER encoding.

This then completes another aspect of the "always use PEM formatting" 
for certs code cleanup.

The only thing left to do is modify the javascript code to stop looking 
for usercerticate attributes as base64.

The command line tools which save a cert to a file perform a binary to 
PEM conversion at the point they write the file. At first blush you 
might think that logic should be removed since now certs will be 
returned in PEM format, hence no conversion is necessary. But I think 
I'm going to leave that logic in place, here's why: The code calls into 
x509.normalize_certificate() thus it can accept the cert either as 
binary or PEM. The command line might be connected to a server without 
the new modification, thus if we leave it as it currently is the command 
line will work with either an old or new server response. The javascipt 
code in the web UI is tied to the server so those changes will occur in 
lockstep.



-- 
John Dennis <jdennis at redhat.com>

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



From rcritten at redhat.com  Fri Oct 14 13:37:36 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 14 Oct 2011 09:37:36 -0400
Subject: [Freeipa-devel] [PATCH] 895 fix config_replace_variables()
Message-ID: <4E983B20.2060000@redhat.com>

Handle an empty value in a name/value pair in config_replace_variables()

This would blow up if you tried to append a value to an entry that 
looked like:

NAME=

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-895-config.patch
Type: text/x-patch
Size: 1346 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111014/22648d2d/attachment.bin>

From abokovoy at redhat.com  Fri Oct 14 13:40:34 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Fri, 14 Oct 2011 16:40:34 +0300
Subject: [Freeipa-devel] [PATCH] 895 fix config_replace_variables()
In-Reply-To: <4E983B20.2060000@redhat.com>
References: <4E983B20.2060000@redhat.com>
Message-ID: <20111014134034.GE8783@redhat.com>

On Fri, 14 Oct 2011, Rob Crittenden wrote:
> Handle an empty value in a name/value pair in config_replace_variables()
> 
> This would blow up if you tried to append a value to an entry that
> looked like:
> 
> NAME=
Yes. ACK.

-- 
/ Alexander Bokovoy



From abokovoy at redhat.com  Fri Oct 14 14:42:49 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Fri, 14 Oct 2011 17:42:49 +0300
Subject: [Freeipa-devel] [PATCH] 0028 replace dictview by set for better
	portability
Message-ID: <20111014144248.GF8783@redhat.com>

Hi,

dictview is a new class in Python 2.7. We need to support older Python 
versions and thus, use set instead.

-- 
/ Alexander Bokovoy
-------------- next part --------------
>From 169210f725d753d0707c0ee05c659747193fd6e5 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy at redhat.com>
Date: Fri, 14 Oct 2011 17:40:26 +0300
Subject: [PATCH] Use set class instead of dictview class as set is wider
 supported

---
 ipapython/ipautil.py |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index 75e8e6fdf32c4c1ca74fd7990c1070f7bdfed219..718f209b32649df23177dcab7d5105d01c0cd7bc 100644
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -1244,8 +1244,8 @@ $)''', re.VERBOSE)
         # Now add all options from replacevars and appendvars that were not found in the file
         new_vars = replacevars.copy()
         new_vars.update(appendvars)
-        newvars_view = new_vars.viewkeys() - old_values.viewkeys()
-        append_view = (appendvars.viewkeys() - replacevars.viewkeys()) - old_values.viewkeys()
+        newvars_view = set(new_vars.keys()) - set(old_values.keys())
+        append_view = (set(appendvars.keys()) - set(replacevars.keys())) - set(old_values.keys())
         for item in newvars_view:
             new_config.write("%s=%s\n" % (item,new_vars[item]))
         for item in append_view:
-- 
1.7.6.4


From sbose at redhat.com  Fri Oct 14 15:12:02 2011
From: sbose at redhat.com (Sumit Bose)
Date: Fri, 14 Oct 2011 17:12:02 +0200
Subject: [Freeipa-devel] [PATCH] 8 Add DNS service records for Windows
In-Reply-To: <20111014101557.GC4622@localhost.localdomain>
References: <20111014101557.GC4622@localhost.localdomain>
Message-ID: <20111014151202.GD4622@localhost.localdomain>

On Fri, Oct 14, 2011 at 12:15:57PM +0200, Sumit Bose wrote:
> Hi,
> 
> this patch adds DNS service records for for Windows systems during the
> setup of trust support.
> 
> Fixes https://fedorahosted.org/freeipa/ticket/1939.
> 
> bye,
> Sumit

Alexander made some comments on irc which I tried to integrate into this
new version of the patch.

bye,
Sumit
-------------- next part --------------
>From 71a4c7940d3726225e5e2c4c1fb88609707b6f18 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose at redhat.com>
Date: Thu, 13 Oct 2011 12:01:57 +0200
Subject: [PATCH] Add DNS service records for Windows

https://fedorahosted.org/freeipa/ticket/1939
---
 install/tools/ipa-adtrust-install       |    5 ++-
 install/tools/man/ipa-adtrust-install.1 |    3 ++
 ipaserver/install/adtrustinstance.py    |   59 +++++++++++++++++++++++++++++-
 3 files changed, 64 insertions(+), 3 deletions(-)

diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install
index cc99b5551ede7787ce296bae594553da74da0ffa..4230094742e5c390dd7f8b671500ca75639611b8 100755
--- a/install/tools/ipa-adtrust-install
+++ b/install/tools/ipa-adtrust-install
@@ -44,6 +44,9 @@ def parse_options():
                       type="ip", ip_local=True, help="Master Server IP Address")
     parser.add_option("--netbios-name", dest="netbios_name",
                       help="NetBIOS name of the IPA domain")
+    parser.add_option("--no-msdcs", dest="no_msdcs", action="store_true",
+                      default=False, help="Do not create DNS service records " \
+                                          "for Windows in managed DNS server")
     parser.add_option("-U", "--unattended", dest="unattended", action="store_true",
                       default=False, help="unattended installation never prompts the user")
 
@@ -196,7 +199,7 @@ def main():
         api.Backend.ldap2.connect(ccache)
 
     smb.setup(api.env.host, ip_address, api.env.realm, api.env.domain,
-              netbios_name)
+              netbios_name, options.no_msdcs)
     smb.create_instance()
 
     print "=============================================================================="
diff --git a/install/tools/man/ipa-adtrust-install.1 b/install/tools/man/ipa-adtrust-install.1
index a3981adf48d14cc0e540c646fff099490203f862..b61da19088b40d6a9e53784f9a061913ecda4321 100644
--- a/install/tools/man/ipa-adtrust-install.1
+++ b/install/tools/man/ipa-adtrust-install.1
@@ -39,6 +39,9 @@ The IP address of the IPA server. If not provided then this is determined based
 \fB\-\-netbios\-name\fR=\fINETBIOS_NAME\fR
 The NetBIOS name for the IPA domain. If not provided then this is determined based on the leading component of the DNS domain name.
 .TP
+\fB\-\-no\-msdcs\fR
+Do not create DNS service records for Windows in managed DNS server
+.TP
 \fB\-U\fR, \fB\-\-unattended\fR
 An unattended installation that will never prompt for user input
 .SH "EXIT STATUS"
diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
index d1dc759c611f03215b461b8fe7ebc32d15dc857a..0723e31fff67451aefd62fb1b756b19ba0a422f9 100644
--- a/ipaserver/install/adtrustinstance.py
+++ b/ipaserver/install/adtrustinstance.py
@@ -27,7 +27,9 @@ import tempfile
 import installutils
 from ipaserver import ipaldap
 from ipaserver.install.dsinstance import realm_to_serverid
-from ipalib import errors
+from ipaserver.install.bindinstance import get_rr, add_rr, del_rr, \
+                                           dns_zone_exists
+from ipalib import errors, api
 from ipapython import sysrestore
 from ipapython import ipautil
 
@@ -246,6 +248,56 @@ class ADTRUSTInstance(service.Service):
         except ipautil.CalledProcessError, e:
             logging.critical("Failed to add key for %s" % cifs_principal)
 
+    def __add_dns_service_records(self):
+        """
+        Add DNS service records for Windows if DNS is enabled and the DNS zone
+        is managed. If there are already service records for LDAP and Kerberos
+        their values are used. Otherwise default values are used.
+        """
+
+        zone = self.domain_name
+        host = self.fqdn.split(".")[0]
+
+        ipa_srv_rec = (
+            ("_ldap._tcp", ["0 100 389 %s" % host]),
+            ("_kerberos._tcp", ["0 100 88 %s" % host]),
+            ("_kerberos._udp", ["0 100 88 %s" % host])
+        )
+        win_srv_suffix = (".Default-First-Site-Name._sites.dc._msdcs",
+                          ".dc._msdcs")
+
+        err_msg = None
+        ret = api.Command.dns_is_enabled()
+        if not ret['result']:
+            err_msg = "DNS is not enabled in this IPA server."
+        else:
+            if not dns_zone_exists(zone):
+                err_msg = "The DNS zone %s is not managed on this IPA server" % \
+                          zone
+
+        if err_msg:
+            print err_msg
+            print "Add the following service records to your DNS server " \
+                  "for DNS zone %s: " % zone
+            for (srv, rdata) in ipa_srv_rec:
+                for suff in win_srv_suffix:
+                    print " - %s%s"  % (srv, suff)
+            return
+
+        for (srv, rdata) in ipa_srv_rec:
+            ipa_rdata = get_rr(zone, srv, "SRV")
+            if not ipa_rdata:
+                ipa_rdata = rdata
+
+            for suff in win_srv_suffix:
+                win_srv = srv+suff
+                win_rdata = get_rr(zone, win_srv, "SRV")
+                if win_rdata:
+                    for rec in win_rdata:
+                        del_rr(zone, win_srv, "SRV", rec)
+                for rec in ipa_rdata:
+                    add_rr(zone, win_srv, "SRV", rec)
+
     def __start(self):
         try:
             self.start()
@@ -278,12 +330,13 @@ class ADTRUSTInstance(service.Service):
                              LDAPI_SOCKET = self.ldapi_socket)
 
     def setup(self, fqdn, ip_address, realm_name, domain_name, netbios_name,
-              smbd_user="samba"):
+              no_msdcs, smbd_user="samba"):
         self.fqdn =fqdn
         self.ip_address = ip_address
         self.realm_name = realm_name
         self.domain_name = domain_name
         self.netbios_name = netbios_name
+        self.no_msdcs = no_msdcs
         self.smbd_user = smbd_user
         self.suffix = ipautil.realm_to_suffix(self.realm_name)
         self.ldapi_socket = "%%2fvar%%2frun%%2fslapd-%s.socket" % realm_to_serverid(self.realm_name)
@@ -312,6 +365,8 @@ class ADTRUSTInstance(service.Service):
         self.step("Adding cifs Kerberos principal", self.__setup_principal)
         self.step("Adding admin(group) SIDs", self.__add_admin_sids)
         self.step("configuring smbd to start on boot", self.__enable)
+        if not self.no_msdcs:
+            self.step("adding special DNS service records", self.__add_dns_service_records)
         self.step("starting smbd", self.__start)
 
         self.start_creation("Configuring smbd:")
-- 
1.7.6


From rcritten at redhat.com  Fri Oct 14 15:32:39 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 14 Oct 2011 11:32:39 -0400
Subject: [Freeipa-devel] [PATCH] 896 update all ldap files on client
Message-ID: <4E985617.7070707@redhat.com>

A client may configure ldap in any number of different places. If the 
file exists we should update it.

You can test this by not installing nslcd on F-15 and install nss_ldap 
instead. The resulting client install will not work.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-896-client.patch
Type: text/x-patch
Size: 2175 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111014/88de0052/attachment.bin>

From rcritten at redhat.com  Fri Oct 14 15:35:03 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 14 Oct 2011 11:35:03 -0400
Subject: [Freeipa-devel] [PATCH] 0028 replace dictview by set for better
 portability
In-Reply-To: <20111014144248.GF8783@redhat.com>
References: <20111014144248.GF8783@redhat.com>
Message-ID: <4E9856A7.2080805@redhat.com>

Alexander Bokovoy wrote:
> Hi,
>
> dictview is a new class in Python 2.7. We need to support older Python
> versions and thus, use set instead.

ACK, pushed to master and ipa-2-1



From simo at redhat.com  Fri Oct 14 15:38:35 2011
From: simo at redhat.com (Simo Sorce)
Date: Fri, 14 Oct 2011 11:38:35 -0400
Subject: [Freeipa-devel] [PATCH] 896 update all ldap files on client
In-Reply-To: <4E985617.7070707@redhat.com>
References: <4E985617.7070707@redhat.com>
Message-ID: <1318606715.31149.141.camel@willson.li.ssimo.org>

On Fri, 2011-10-14 at 11:32 -0400, Rob Crittenden wrote:
> A client may configure ldap in any number of different places. If the 
> file exists we should update it.
> 
> You can test this by not installing nslcd on F-15 and install nss_ldap 
> instead. The resulting client install will not work.

ACK.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



From abokovoy at redhat.com  Fri Oct 14 17:21:51 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Fri, 14 Oct 2011 20:21:51 +0300
Subject: [Freeipa-devel] [PATCH] 8 Add DNS service records for Windows
In-Reply-To: <20111014151202.GD4622@localhost.localdomain>
References: <20111014101557.GC4622@localhost.localdomain>
	<20111014151202.GD4622@localhost.localdomain>
Message-ID: <20111014172150.GA17515@redhat.com>

On Fri, 14 Oct 2011, Sumit Bose wrote:
> On Fri, Oct 14, 2011 at 12:15:57PM +0200, Sumit Bose wrote:
> > Hi,
> > 
> > this patch adds DNS service records for for Windows systems during the
> > setup of trust support.
> > 
> > Fixes https://fedorahosted.org/freeipa/ticket/1939.
> > 
> > bye,
> > Sumit
> 
> Alexander made some comments on irc which I tried to integrate into this
> new version of the patch.
Looks good now. I haven't tested it in real life and there are very 
few minor comments bellow.

> +        err_msg = None
> +        ret = api.Command.dns_is_enabled()
> +        if not ret['result']:
> +            err_msg = "DNS is not enabled in this IPA server."
Maybe "DNS management was not enabled at install time."?

> +        else:
> +            if not dns_zone_exists(zone):
> +                err_msg = "The DNS zone %s is not managed on this IPA server" % \
> +                          zone
Same here -- "DNS zone %s cannot be managed as it is not defined in IPA"?

>      def setup(self, fqdn, ip_address, realm_name, domain_name, netbios_name,
> -              smbd_user="samba"):
> +              no_msdcs, smbd_user="samba"):
Maybe we could make no_msdcs defaulting to False here? I.e. 
+                no_msdcs=False, smbd_user="samba"):

It would make more clear what is the default and that it is really 
optional setting -- I'm thinking from the perspective of maintenance 
of the code in future.

-- 
/ Alexander Bokovoy



From rcritten at redhat.com  Fri Oct 14 17:54:12 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 14 Oct 2011 13:54:12 -0400
Subject: [Freeipa-devel] [PATCH] 896 update all ldap files on client
In-Reply-To: <1318606715.31149.141.camel@willson.li.ssimo.org>
References: <4E985617.7070707@redhat.com>
	<1318606715.31149.141.camel@willson.li.ssimo.org>
Message-ID: <4E987744.4040906@redhat.com>

Simo Sorce wrote:
> On Fri, 2011-10-14 at 11:32 -0400, Rob Crittenden wrote:
>> A client may configure ldap in any number of different places. If the
>> file exists we should update it.
>>
>> You can test this by not installing nslcd on F-15 and install nss_ldap
>> instead. The resulting client install will not work.
>
> ACK.
>
> Simo.
>

pushed to master and ipa-2-1



From simo at redhat.com  Fri Oct 14 17:56:06 2011
From: simo at redhat.com (Simo Sorce)
Date: Fri, 14 Oct 2011 13:56:06 -0400
Subject: [Freeipa-devel] [PATCH, 2.1] 0021 Fedora 16 and systemd support
In-Reply-To: <20111010140721.GC3661@redhat.com>
References: <20111010134235.GB3661@redhat.com>
	<20111010140721.GC3661@redhat.com>
Message-ID: <1318614966.31149.149.camel@willson.li.ssimo.org>

On Mon, 2011-10-10 at 17:07 +0300, Alexander Bokovoy wrote:
> On Mon, 10 Oct 2011, Alexander Bokovoy wrote:
> > rebased, updated package dependencies, and verified against 
> > Fedora 16+updates-testing.
> > 
> > This patch is for ipa-2-1 branch. I need to do few cosmetic changes in 
> > freeipa.spec.in to accomodate it to 3.0 (master branch) as ipa_kpasswd 
> > is gone there.
> Forgot to add that altogether this patch fixes:
> 
> https://fedorahosted.org/freeipa/ticket/1192 -- support systemd
> https://fedorahosted.org/freeipa/ticket/1651 -- update F16 dependencies
> https://fedorahosted.org/freeipa/ticket/1871 -- not setting HOSTNAME if it was missing from the configuration file
> 
> The latter one is integrated within the systemd patch because the same 
> function is re-used for editing systemd service files and 
> /etc/sysconfig/krb5kdc and it simply makes little sense to separate 
> them as without editing systemd services for dirsrv, one cannot start 
> dirsrv with number of file descriptors required by IPA defaults, and 
> krb5kdc configuration should be written properly before krb5kdc is 
> started as its systemd service unit uses parameters from the 
> configuration file.

Attached a rebased patch with the modifications needed to apply it on
master.

Everything seem to work on master but I haven't tested ipa-2-1 so this
is a partial ACK of the original patch as well.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Add-support-for-systemd-environments-and-use-it-to-s.patch
Type: text/x-patch
Size: 32003 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111014/d64f398c/attachment.bin>

From rcritten at redhat.com  Fri Oct 14 17:56:46 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 14 Oct 2011 13:56:46 -0400
Subject: [Freeipa-devel] [PATCH] 895 fix config_replace_variables()
In-Reply-To: <20111014134034.GE8783@redhat.com>
References: <4E983B20.2060000@redhat.com> <20111014134034.GE8783@redhat.com>
Message-ID: <4E9877DE.70704@redhat.com>

Alexander Bokovoy wrote:
> On Fri, 14 Oct 2011, Rob Crittenden wrote:
>> Handle an empty value in a name/value pair in config_replace_variables()
>>
>> This would blow up if you tried to append a value to an entry that
>> looked like:
>>
>> NAME=
> Yes. ACK.
>

pushed to master and ipa-2-1



From rcritten at redhat.com  Fri Oct 14 18:08:21 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 14 Oct 2011 14:08:21 -0400
Subject: [Freeipa-devel] [PATCH] 897 detect if SSSD already has domain
	configured
Message-ID: <4E987A95.6050704@redhat.com>

If the existing sssd.conf already has the domain configured we throw the 
config away and start over.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-897-client.patch
Type: text/x-patch
Size: 1531 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111014/e3cfa032/attachment.bin>

From rcritten at redhat.com  Fri Oct 14 18:11:30 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 14 Oct 2011 14:11:30 -0400
Subject: [Freeipa-devel] [PATCH] 151 Add --zonemgr validator
In-Reply-To: <1318585856.9468.7.camel@balmora.brq.redhat.com>
References: <1318585856.9468.7.camel@balmora.brq.redhat.com>
Message-ID: <4E987B52.4060700@redhat.com>

Martin Kosek wrote:
> Do at least a basic validation of DNS zone manager mail address.
>
> Do not require '@' to be in the mail address as it is not used
> in common DNS zone configuration (in bind for example) and people
> may be used to configure it that way. '@' is always removed by the
> installer before the DNS zone is created.
>
> https://fedorahosted.org/freeipa/ticket/1966

There is already a zonemgr_callback defined for this option, can the 
verify_zonemgr call be either integrated or called from that?

rob



From rcritten at redhat.com  Fri Oct 14 18:34:22 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 14 Oct 2011 14:34:22 -0400
Subject: [Freeipa-devel] [PATCH] 897 detect if SSSD already has domain
 configured
In-Reply-To: <20111014181950.GA18731@redhat.com>
References: <4E987A95.6050704@redhat.com> <20111014181950.GA18731@redhat.com>
Message-ID: <4E9880AE.1000606@redhat.com>

Alexander Bokovoy wrote:
> On Fri, 14 Oct 2011, Rob Crittenden wrote:
>> If the existing sssd.conf already has the domain configured we throw
>> the config away and start over.
> ACK.

pushed to master and ipa-2-1



From ayoung at redhat.com  Fri Oct 14 19:12:44 2011
From: ayoung at redhat.com (Adam Young)
Date: Fri, 14 Oct 2011 15:12:44 -0400
Subject: [Freeipa-devel] Handling certificates in JSON/XML-RPC
In-Reply-To: <4E98390D.90109@redhat.com>
References: <4E976E04.6030501@redhat.com> <4E97BF4B.7020200@redhat.com>
	<4E98390D.90109@redhat.com>
Message-ID: <4E9889AC.7060300@redhat.com>

On 10/14/2011 09:28 AM, John Dennis wrote:
> [ I had a private email exchange with Rob concerning ticket 1201, 
> we've had a long standing issue with how certificates are exchanged 
> because in LDAP they are binary values. I told Rob I had a proof of 
> concept working and Rob sent me a code snippet illustrating an earlier 
> attempt he had made to fix the problem that didn't pan out. I wrote 
> this reply as a response to Rob to explain my approach but it occurred 
> to me this is a design issue which should be in open discussion thus 
> this reply is to the devel list so others can review it and be in the 
> loop. Apologies if you missed some earlier context. ]
>
> -----------------------------------------------------------------
>
> Thanks for the code snippet. I think the problem you might have run 
> into is that you were doing the conversion at the point xmlrpc 
> parameters are marshaled, that doesn't cover the json case (or other 
> locations).
>
> The way I'm planning on tackling this is to do the pem conversion at 
> the moment it's read from LDAP. We already have a mechanism for that 
> and you helped point me towards it when you mentioned wehandle some 
> attributes specially based on it's LDAP syntax.
>
> We "decorate" the  find_entries() method in ldap2 with the 
> @decode_retval() decorator. What this does is examine the values 
> returned from the LDAP query and converts them to our preferred types. 
> I stumbled upon this while doing the DN work, I didn't know it 
> existed, it's not all that visible when reading the code this 
> conversion is occurring. It calls into something called an Encoder 
> object (in encoder.py) which is a parameterized mechanism setup in 
> ldap2. In summary what it does is use a table ( _SYNTAX_MAPPING) to 
> lookup the attributes syntax and as long as it's not in the table it 
> gets promoted to unicode, otherwise it's left as a str.
>
> With a few tweaks this mechanism could be a bit more flexible. Rather 
> than just using the existence of the attribute in the table as the 
> decision on whether to call a conversion routine on it (e.g. encoding 
> to unicode) the value in the table could be a function pointer to a 
> conversion routine. Thus the logic would become "if the attribute is 
> in the table, call the converter on the value, otherwise fallback to 
> the default conversion (which happens to be UTF-8 <-> unicode".
>
> In short what will happen is the whenever a 'usercertificate' is 
> returned from LDAP (DER format) it will be converted to PEM format as 
> a unicode object (i.e. indicating it's text data) in the result.
>
> I believe this is fine because most of the places we use certificates 
> internally already pass PEM formatted versions and call into 
> x509.normalize_certificate() which checks for PEM vs. DER encoding.
>
> This then completes another aspect of the "always use PEM formatting" 
> for certs code cleanup.
>
> The only thing left to do is modify the javascript code to stop 
> looking for usercerticate attributes as base64.
>
> The command line tools which save a cert to a file perform a binary to 
> PEM conversion at the point they write the file. At first blush you 
> might think that logic should be removed since now certs will be 
> returned in PEM format, hence no conversion is necessary. But I think 
> I'm going to leave that logic in place, here's why: The code calls 
> into x509.normalize_certificate() thus it can accept the cert either 
> as binary or PEM. The command line might be connected to a server 
> without the new modification, thus if we leave it as it currently is 
> the command line will work with either an old or new server response. 
> The javascipt code in the web UI is tied to the server so those 
> changes will occur in lockstep.
>

I wonder if we need to keep the Binary format for some use cases.  I 
know that there are cases where the PKI code needs to expose 
certificates to the browser as straight binary.  But that would not go 
through the XML or JSON RPCs.  Keep in mind how to do the conversion if 
it becomes necessary and we can talk then.



From sbose at redhat.com  Fri Oct 14 19:16:48 2011
From: sbose at redhat.com (Sumit Bose)
Date: Fri, 14 Oct 2011 21:16:48 +0200
Subject: [Freeipa-devel] [PATCH] 8 Add DNS service records for Windows
In-Reply-To: <20111014172150.GA17515@redhat.com>
References: <20111014101557.GC4622@localhost.localdomain>
	<20111014151202.GD4622@localhost.localdomain>
	<20111014172150.GA17515@redhat.com>
Message-ID: <20111014191648.GE4622@localhost.localdomain>

On Fri, Oct 14, 2011 at 08:21:51PM +0300, Alexander Bokovoy wrote:
> On Fri, 14 Oct 2011, Sumit Bose wrote:
> > On Fri, Oct 14, 2011 at 12:15:57PM +0200, Sumit Bose wrote:
> > > Hi,
> > > 
> > > this patch adds DNS service records for for Windows systems during the
> > > setup of trust support.
> > > 
> > > Fixes https://fedorahosted.org/freeipa/ticket/1939.
> > > 
> > > bye,
> > > Sumit
> > 
> > Alexander made some comments on irc which I tried to integrate into this
> > new version of the patch.
> Looks good now. I haven't tested it in real life and there are very 
> few minor comments bellow.
> 
> > +        err_msg = None
> > +        ret = api.Command.dns_is_enabled()
> > +        if not ret['result']:
> > +            err_msg = "DNS is not enabled in this IPA server."
> Maybe "DNS management was not enabled at install time."?
> 
> > +        else:
> > +            if not dns_zone_exists(zone):
> > +                err_msg = "The DNS zone %s is not managed on this IPA server" % \
> > +                          zone
> Same here -- "DNS zone %s cannot be managed as it is not defined in IPA"?
> 
> >      def setup(self, fqdn, ip_address, realm_name, domain_name, netbios_name,
> > -              smbd_user="samba"):
> > +              no_msdcs, smbd_user="samba"):
> Maybe we could make no_msdcs defaulting to False here? I.e. 
> +                no_msdcs=False, smbd_user="samba"):
> 
> It would make more clear what is the default and that it is really 
> optional setting -- I'm thinking from the perspective of maintenance 
> of the code in future.

Thank you for your comments, new version attached.

bye,
Sumit

> 
> -- 
> / Alexander Bokovoy
-------------- next part --------------
>From c189f360c15aa24d1e896218856e63cfdfadaa40 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose at redhat.com>
Date: Thu, 13 Oct 2011 12:01:57 +0200
Subject: [PATCH] Add DNS service records for Windows

https://fedorahosted.org/freeipa/ticket/1939
---
 install/tools/ipa-adtrust-install       |    5 ++-
 install/tools/man/ipa-adtrust-install.1 |    3 ++
 ipaserver/install/adtrustinstance.py    |   59 +++++++++++++++++++++++++++++-
 3 files changed, 64 insertions(+), 3 deletions(-)

diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install
index cc99b5551ede7787ce296bae594553da74da0ffa..4230094742e5c390dd7f8b671500ca75639611b8 100755
--- a/install/tools/ipa-adtrust-install
+++ b/install/tools/ipa-adtrust-install
@@ -44,6 +44,9 @@ def parse_options():
                       type="ip", ip_local=True, help="Master Server IP Address")
     parser.add_option("--netbios-name", dest="netbios_name",
                       help="NetBIOS name of the IPA domain")
+    parser.add_option("--no-msdcs", dest="no_msdcs", action="store_true",
+                      default=False, help="Do not create DNS service records " \
+                                          "for Windows in managed DNS server")
     parser.add_option("-U", "--unattended", dest="unattended", action="store_true",
                       default=False, help="unattended installation never prompts the user")
 
@@ -196,7 +199,7 @@ def main():
         api.Backend.ldap2.connect(ccache)
 
     smb.setup(api.env.host, ip_address, api.env.realm, api.env.domain,
-              netbios_name)
+              netbios_name, options.no_msdcs)
     smb.create_instance()
 
     print "=============================================================================="
diff --git a/install/tools/man/ipa-adtrust-install.1 b/install/tools/man/ipa-adtrust-install.1
index a3981adf48d14cc0e540c646fff099490203f862..b61da19088b40d6a9e53784f9a061913ecda4321 100644
--- a/install/tools/man/ipa-adtrust-install.1
+++ b/install/tools/man/ipa-adtrust-install.1
@@ -39,6 +39,9 @@ The IP address of the IPA server. If not provided then this is determined based
 \fB\-\-netbios\-name\fR=\fINETBIOS_NAME\fR
 The NetBIOS name for the IPA domain. If not provided then this is determined based on the leading component of the DNS domain name.
 .TP
+\fB\-\-no\-msdcs\fR
+Do not create DNS service records for Windows in managed DNS server
+.TP
 \fB\-U\fR, \fB\-\-unattended\fR
 An unattended installation that will never prompt for user input
 .SH "EXIT STATUS"
diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
index d1dc759c611f03215b461b8fe7ebc32d15dc857a..17140a372f3c61d4b14503b5f28ff6c87d88b8dc 100644
--- a/ipaserver/install/adtrustinstance.py
+++ b/ipaserver/install/adtrustinstance.py
@@ -27,7 +27,9 @@ import tempfile
 import installutils
 from ipaserver import ipaldap
 from ipaserver.install.dsinstance import realm_to_serverid
-from ipalib import errors
+from ipaserver.install.bindinstance import get_rr, add_rr, del_rr, \
+                                           dns_zone_exists
+from ipalib import errors, api
 from ipapython import sysrestore
 from ipapython import ipautil
 
@@ -246,6 +248,56 @@ class ADTRUSTInstance(service.Service):
         except ipautil.CalledProcessError, e:
             logging.critical("Failed to add key for %s" % cifs_principal)
 
+    def __add_dns_service_records(self):
+        """
+        Add DNS service records for Windows if DNS is enabled and the DNS zone
+        is managed. If there are already service records for LDAP and Kerberos
+        their values are used. Otherwise default values are used.
+        """
+
+        zone = self.domain_name
+        host = self.fqdn.split(".")[0]
+
+        ipa_srv_rec = (
+            ("_ldap._tcp", ["0 100 389 %s" % host]),
+            ("_kerberos._tcp", ["0 100 88 %s" % host]),
+            ("_kerberos._udp", ["0 100 88 %s" % host])
+        )
+        win_srv_suffix = (".Default-First-Site-Name._sites.dc._msdcs",
+                          ".dc._msdcs")
+
+        err_msg = None
+        ret = api.Command.dns_is_enabled()
+        if not ret['result']:
+            err_msg = "DNS management was not enabled at install time."
+        else:
+            if not dns_zone_exists(zone):
+                err_msg = "DNS zone %s cannot be managed " \
+                          "as it is not defined in IPA" % zone
+
+        if err_msg:
+            print err_msg
+            print "Add the following service records to your DNS server " \
+                  "for DNS zone %s: " % zone
+            for (srv, rdata) in ipa_srv_rec:
+                for suff in win_srv_suffix:
+                    print " - %s%s"  % (srv, suff)
+            return
+
+        for (srv, rdata) in ipa_srv_rec:
+            ipa_rdata = get_rr(zone, srv, "SRV")
+            if not ipa_rdata:
+                ipa_rdata = rdata
+
+            for suff in win_srv_suffix:
+                win_srv = srv+suff
+                win_rdata = get_rr(zone, win_srv, "SRV")
+                if win_rdata:
+                    for rec in win_rdata:
+                        del_rr(zone, win_srv, "SRV", rec)
+                for rec in ipa_rdata:
+                    add_rr(zone, win_srv, "SRV", rec)
+
     def __start(self):
         try:
             self.start()
@@ -278,12 +330,13 @@ class ADTRUSTInstance(service.Service):
                              LDAPI_SOCKET = self.ldapi_socket)
 
     def setup(self, fqdn, ip_address, realm_name, domain_name, netbios_name,
-              smbd_user="samba"):
+              no_msdcs=False, smbd_user="samba"):
         self.fqdn =fqdn
         self.ip_address = ip_address
         self.realm_name = realm_name
         self.domain_name = domain_name
         self.netbios_name = netbios_name
+        self.no_msdcs = no_msdcs
         self.smbd_user = smbd_user
         self.suffix = ipautil.realm_to_suffix(self.realm_name)
         self.ldapi_socket = "%%2fvar%%2frun%%2fslapd-%s.socket" % realm_to_serverid(self.realm_name)
@@ -312,6 +365,8 @@ class ADTRUSTInstance(service.Service):
         self.step("Adding cifs Kerberos principal", self.__setup_principal)
         self.step("Adding admin(group) SIDs", self.__add_admin_sids)
         self.step("configuring smbd to start on boot", self.__enable)
+        if not self.no_msdcs:
+            self.step("adding special DNS service records", self.__add_dns_service_records)
         self.step("starting smbd", self.__start)
 
         self.start_creation("Configuring smbd:")
-- 
1.7.6


From abokovoy at redhat.com  Fri Oct 14 19:27:00 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Fri, 14 Oct 2011 22:27:00 +0300
Subject: [Freeipa-devel] [PATCH] 8 Add DNS service records for Windows
In-Reply-To: <20111014191648.GE4622@localhost.localdomain>
References: <20111014101557.GC4622@localhost.localdomain>
	<20111014151202.GD4622@localhost.localdomain>
	<20111014172150.GA17515@redhat.com>
	<20111014191648.GE4622@localhost.localdomain>
Message-ID: <20111014192659.GB18731@redhat.com>

On Fri, 14 Oct 2011, Sumit Bose wrote:
> Thank you for your comments, new version attached.
ACK from code reading. I'll try to test it once 2.1.3 is 
released, if you don't mind.
-- 
/ Alexander Bokovoy



From rcritten at redhat.com  Fri Oct 14 19:36:40 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 14 Oct 2011 15:36:40 -0400
Subject: [Freeipa-devel] [PATCH] 898 check for duplicate hostgroups
Message-ID: <4E988F48.7030009@redhat.com>

When adding a hostgroup check for current existence of hostgroup and 
netgroup

The netgroup gets added automatically so we need to check in advance for 
it. But we also need to look for the hostgroup otherwise the error 
message is confusing (netgroup already exists).

Also convert to using existing already_exists handler.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-898-hostgroup.patch
Type: text/x-patch
Size: 1592 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111014/38a04eaa/attachment.bin>

From rcritten at redhat.com  Fri Oct 14 20:03:59 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 14 Oct 2011 16:03:59 -0400
Subject: [Freeipa-devel] [PATCH] fix typo in error message
Message-ID: <4E9895AF.4080200@redhat.com>

Pushed under the 1-character rule

 From b607c5cc5ab34c007640011f299f358f190f6652 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten at redhat.com>
Date: Thu, 13 Oct 2011 22:52:57 -0400
Subject: [PATCH] Fix typo in invalid PTR record error message

https://fedorahosted.org/freeipa/ticket/1982
---
  ipalib/plugins/dns.py |    2 +-
  1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py
index 0964208..f6bbb3c 100644
--- a/ipalib/plugins/dns.py
+++ b/ipalib/plugins/dns.py
@@ -648,7 +648,7 @@ class dnsrecord(LDAPObject):
          for ptr in options['ptrrecord']:
              if not ptr.endswith('.'):
                  raise errors.ValidationError(name='ptr-rec',
-                        error=unicode(_('PTR record \'%s\' is not fully 
qualified (check traling \'.\')') % ptr))
+                        error=unicode(_('PTR record \'%s\' is not fully 
qualified (check trailing \'.\')') % ptr))

          return dn

-- 
1.6.2.5



From simo at redhat.com  Fri Oct 14 20:14:01 2011
From: simo at redhat.com (Simo Sorce)
Date: Fri, 14 Oct 2011 16:14:01 -0400
Subject: [Freeipa-devel] [PATCH, 2.1] 0021 Fedora 16 and systemd support
In-Reply-To: <1318614966.31149.149.camel@willson.li.ssimo.org>
References: <20111010134235.GB3661@redhat.com>
	<20111010140721.GC3661@redhat.com>
	<1318614966.31149.149.camel@willson.li.ssimo.org>
Message-ID: <1318623241.31149.156.camel@willson.li.ssimo.org>

On Fri, 2011-10-14 at 13:56 -0400, Simo Sorce wrote:
> On Mon, 2011-10-10 at 17:07 +0300, Alexander Bokovoy wrote:
> > On Mon, 10 Oct 2011, Alexander Bokovoy wrote:
> > > rebased, updated package dependencies, and verified against 
> > > Fedora 16+updates-testing.
> > > 
> > > This patch is for ipa-2-1 branch. I need to do few cosmetic changes in 
> > > freeipa.spec.in to accomodate it to 3.0 (master branch) as ipa_kpasswd 
> > > is gone there.
> > Forgot to add that altogether this patch fixes:
> > 
> > https://fedorahosted.org/freeipa/ticket/1192 -- support systemd
> > https://fedorahosted.org/freeipa/ticket/1651 -- update F16 dependencies
> > https://fedorahosted.org/freeipa/ticket/1871 -- not setting HOSTNAME if it was missing from the configuration file
> > 
> > The latter one is integrated within the systemd patch because the same 
> > function is re-used for editing systemd service files and 
> > /etc/sysconfig/krb5kdc and it simply makes little sense to separate 
> > them as without editing systemd services for dirsrv, one cannot start 
> > dirsrv with number of file descriptors required by IPA defaults, and 
> > krb5kdc configuration should be written properly before krb5kdc is 
> > started as its systemd service unit uses parameters from the 
> > configuration file.
> 
> Attached a rebased patch with the modifications needed to apply it on
> master.
> 
> Everything seem to work on master but I haven't tested ipa-2-1 so this
> is a partial ACK of the original patch as well.

A bit of bad news, I restarted the machine and I am having issue
properly restarting services.
This patch is still better than nothing as otherwise nothing works at
all on f16, but we need to work out why starting services is unreliable.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



From jdennis at redhat.com  Fri Oct 14 20:19:15 2011
From: jdennis at redhat.com (John Dennis)
Date: Fri, 14 Oct 2011 16:19:15 -0400
Subject: [Freeipa-devel] Handling certificates in JSON/XML-RPC
In-Reply-To: <4E9889AC.7060300@redhat.com>
References: <4E976E04.6030501@redhat.com> <4E97BF4B.7020200@redhat.com>
	<4E98390D.90109@redhat.com> <4E9889AC.7060300@redhat.com>
Message-ID: <4E989943.30208@redhat.com>

On 10/14/2011 03:12 PM, Adam Young wrote:
> I wonder if we need to keep the Binary format for some use cases.  I
> know that there are cases where the PKI code needs to expose
> certificates to the browser as straight binary.  But that would not go
> through the XML or JSON RPCs.  Keep in mind how to do the conversion if
> it becomes necessary and we can talk then.

FWIW PEM is the officially sanctioned mechanism to exchange certs and 
csr's via text protocols that's why we're using it in this context.

The ability to convert text PEM data to binary DER is trivial and is 
widely available.

We got ourselves in trouble in the past by passing unadorned base64 data 
for certs. Because we use base64 data for all binary data IPA it became 
very difficult when looking at a blob of data to know what it was and 
what format it was in (especially since we weren't consistent).

Protocols that pass certs in binary DER form have markers (tags) in the 
protocol which identify the binary data that follows as a DER encoded 
cert, thus the binary exchange of certs do not suffer from the content 
ambiguity we experienced with text protocols (or rather more 
specifically the way we had engineered our use of text protocols).

If we restrict our usage to only PEM or DER it becomes trivial to 
identify the format. And by using PEM exclusively in text protocols we 
have a vastly more robust, portable and industry standard exchange 
mechanism.

Also I suspect "exposing binary DER certs to the browser" is something 
more likely to occur at a different protocol level (e.g. the SSL/TLS 
handshake). The exchange of certs and private keys between people are 
almost always done via PEM and PKCS12 respectively, both of which are 
text based and backed by standards.

-- 
John Dennis <jdennis at redhat.com>

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



From JR.Aquino at citrix.com  Fri Oct 14 20:18:46 2011
From: JR.Aquino at citrix.com (JR Aquino)
Date: Fri, 14 Oct 2011 20:18:46 +0000
Subject: [Freeipa-devel] [PATCH] #1794 - Speed up replica setup
In-Reply-To: <1318011288.31149.10.camel@willson.li.ssimo.org>
References: <1317673256.17819.13.camel@willson.li.ssimo.org>
	<1317680239.17819.19.camel@willson.li.ssimo.org>
	<1318011288.31149.10.camel@willson.li.ssimo.org>
Message-ID: <ACD76320-8333-4E9C-8A8C-F8935876A262@citrixonline.com>

On Oct 7, 2011, at 11:14 AM, Simo Sorce wrote:

> On Mon, 2011-10-03 at 18:17 -0400, Simo Sorce wrote:
>> On Mon, 2011-10-03 at 16:20 -0400, Simo Sorce wrote:
>>> Newer 389ds servers have a new option to have a different set of
>>> filtered attributes from normal replication.
>>> 
>>> This has been added in order to allow DS to replicate memberof
>>> attributes only during a total update so that we do not need to run a
>>> fixup memberof task on a replica at install time.
>>> This task is quite inefficient for big database and can take a long
>>> time. By replicating memberof while the DB is locked we are guaranteed
>>> the memberof list is consistent so we do not need a fixup.
>>> 
>>> This patch allows to enable this feature dynamically. If the server does
>>> not yet support the new option it falls back to the previous behavior.
>>> 
>>> Fixes: https://fedorahosted.org/freeipa/ticket/1794
>>> 
>>> I am sending the patch but it has been jointly developed at various
>>> stages by Nathan, JR, and me.
>>> 
>>> Simo.
>> 
>> After some thinking I found out that we cannot commit this patch until
>> the memberof plugin is converted to use the new transaction interfaces
>> for plugins, as otherwise it is possible to run into race conditions
>> where the member/memberof relations are not settled if a new replica is
>> installed while member attributes are being changed.
>> 
>> Granted the race is quite small and unlikely but real.
>> So please test and ack it, but we need to defer pushing to stable
>> branches until ds copes.
>> I think it is ok to push to master for testing, DS should have the
>> necessary support by the time we make another stable release from master
>> and in our test environments I am sure we will never hit the race.
> 
> After some more testing I found a small bug that can cause issues in
> some conditions, new patch attached.
> 
> Simo.

ACK with 389-ds-base-1.2.10-0.4.a4



From simo at redhat.com  Fri Oct 14 21:05:47 2011
From: simo at redhat.com (Simo Sorce)
Date: Fri, 14 Oct 2011 17:05:47 -0400
Subject: [Freeipa-devel] [PATCH, 2.1] 0021 Fedora 16 and systemd support
In-Reply-To: <1318623241.31149.156.camel@willson.li.ssimo.org>
References: <20111010134235.GB3661@redhat.com>
	<20111010140721.GC3661@redhat.com>
	<1318614966.31149.149.camel@willson.li.ssimo.org>
	<1318623241.31149.156.camel@willson.li.ssimo.org>
Message-ID: <1318626347.31149.159.camel@willson.li.ssimo.org>

On Fri, 2011-10-14 at 16:14 -0400, Simo Sorce wrote:
> On Fri, 2011-10-14 at 13:56 -0400, Simo Sorce wrote:
> > On Mon, 2011-10-10 at 17:07 +0300, Alexander Bokovoy wrote:
> > > On Mon, 10 Oct 2011, Alexander Bokovoy wrote:
> > > > rebased, updated package dependencies, and verified against 
> > > > Fedora 16+updates-testing.
> > > > 
> > > > This patch is for ipa-2-1 branch. I need to do few cosmetic changes in 
> > > > freeipa.spec.in to accomodate it to 3.0 (master branch) as ipa_kpasswd 
> > > > is gone there.
> > > Forgot to add that altogether this patch fixes:
> > > 
> > > https://fedorahosted.org/freeipa/ticket/1192 -- support systemd
> > > https://fedorahosted.org/freeipa/ticket/1651 -- update F16 dependencies
> > > https://fedorahosted.org/freeipa/ticket/1871 -- not setting HOSTNAME if it was missing from the configuration file
> > > 
> > > The latter one is integrated within the systemd patch because the same 
> > > function is re-used for editing systemd service files and 
> > > /etc/sysconfig/krb5kdc and it simply makes little sense to separate 
> > > them as without editing systemd services for dirsrv, one cannot start 
> > > dirsrv with number of file descriptors required by IPA defaults, and 
> > > krb5kdc configuration should be written properly before krb5kdc is 
> > > started as its systemd service unit uses parameters from the 
> > > configuration file.
> > 
> > Attached a rebased patch with the modifications needed to apply it on
> > master.
> > 
> > Everything seem to work on master but I haven't tested ipa-2-1 so this
> > is a partial ACK of the original patch as well.
> 
> A bit of bad news, I restarted the machine and I am having issue
> properly restarting services.
> This patch is still better than nothing as otherwise nothing works at
> all on f16, but we need to work out why starting services is unreliable.

Ok found the issue and it is a bug in the conversion to systemd.
I opened ticket #1990 for this.

Attached find a rebased patch that fixes enough of the bug to let the
server work (they keytab part), but it doesn't address the ulimit part.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-2-Add-support-for-systemd-environments-and-use-it-to-s.patch
Type: text/x-patch
Size: 32827 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111014/ec9dd5c1/attachment.bin>

From jdennis at redhat.com  Sat Oct 15 03:23:27 2011
From: jdennis at redhat.com (John Dennis)
Date: Fri, 14 Oct 2011 23:23:27 -0400
Subject: [Freeipa-devel] change to interface used to provide certificates
Message-ID: <4E98FCAF.20904@redhat.com>

I've been fixing a bug in the web UI when we retrieve a certificate. The 
data that's displayed cannot be copied and used with any other 
certificate (i.e. x509) software, openssl and NSS being prime examples. 
The crux of the problem is it's not in a standard format. There are 2 
standard formats for certificates, DER if it's binary and PEM if it text.

What the web UI was outputting was bare base64 encoding of DER data 
(closely related to PEM, but not PEM). We've used bare base64 data in a 
number of places and have gradually fixed a number of them over time. 
The use of bare base64 all goes back to the dawn of IPA and how 
certificate data is stored in LDAP (binary DER) and how binary data 
passes through our RPC mechanism. The early limitations of handling 
certificate data got "institutionalized" in IPA and we got used to using 
the non-standard bare base64 form, not because it's correct but because 
of deficiencies in other parts of the code which are now fixed.

The fact is nobody else uses this format, it's completely non-standard. 
As part of the bug fix I'm working on (certificate output in PEM format 
rather than bare base64) I would also like to clean up the parts of the 
code in both the web UI and the command line which accept certificate 
data as bare base64 and change them so they only accept PEM. In fact as 
it stands now if you paste PEM into the web UI things will fail. The 
command line interface writes PEM data and accepts either PEM or bare 
base64. Currently the web UI outputs bare base64 and accepts bare 
base64. After my bug fix the web UI will output PEM but would still 
require bare base64 as input (if I don't fix that as well). These weird 
inconsistencies aren't good IMHO.

I'd like us to adopt the convention that we only ever input and output 
certificates (and CSR's) in either PEM or DER formats (and PKCS12 in 
specific cases). This matches what both openssl and NSS does and just 
about every other piece of software I'm familiar with. In practical 
terms for the near term it would mean we just support PEM, if we want to 
add DER support later we can, it won't be hard, but we need to stop 
accepting bare base64 data and insist on standard PEM.

This would be a change to the interface. More importantly it's a change 
somewhat late in the game just prior to a major release. But the 
consistency and adherence to standards warrant the change, not to 
mention we probably don't want version 2 of IPA to go out the door this 
way. It would train people with bad habits, frustrate them, and we would 
regret having to support it down the road.

Importing and exporting certs via the web UI and command line are not 
common operations. The only significant impact changing to requiring PEM 
input would be on our automated tests which would have to make sure they 
supplied PEM format.

Comments? Questions?

If I don't hear a major outcry I'm going to proceed with making the 
import and export of certs be PEM only for 100% consistency across the 
board (it would be weird if you couldn't paste the cert data into the 
web UI which you copied from the web UI).

-- 
John Dennis <jdennis at redhat.com>

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



From abokovoy at redhat.com  Sun Oct 16 21:28:15 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Mon, 17 Oct 2011 00:28:15 +0300
Subject: [Freeipa-devel] [PATCH] 0029 hbactest fails while you have svcgroup
	in hbacrule
Message-ID: <20111016212815.GA9413@redhat.com>

Hi,

attached patch should fix ticket 1988. This is currently last known 
bug in hbactest and should be safe to add to 2.1.3 (even though it is 
targetting 2.1.4 milestone).

Tested using rules similar to the ones in the ticket description and 
also with --service=<service group> (where service group is the group 
specified in the rule), as well as negative cases.

https://fedorahosted.org/freeipa/ticket/1988

-- 
/ Alexander Bokovoy
-------------- next part --------------
>From f3e1b4f3259e841e2bd54f649231b36e257a2559 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy at redhat.com>
Date: Mon, 17 Oct 2011 00:23:26 +0300
Subject: [PATCH] hbactest fails while you have svcgroup in hbacrule

https://fedorahosted.org/freeipa/ticket/1988
---
 ipalib/plugins/hbactest.py |    5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/ipalib/plugins/hbactest.py b/ipalib/plugins/hbactest.py
index 9b33dafa4424c2919732dd9e5161806b31fc5568..6bbdada4ea5a6f9c50cb1bb93909a39deee8acd6 100644
--- a/ipalib/plugins/hbactest.py
+++ b/ipalib/plugins/hbactest.py
@@ -283,8 +283,9 @@ class hbactest(Command):
         if options['service'] != u'all':
             try:
                 request.service.name = options['service']
-                request.service.groups = \
-                    self.api.Command.hbacsvcgroup_show(request.service.name)['result']['member_hbacsvc']
+                service_result = self.api.Command.hbacsvc_show(request.service.name)['result']
+                if 'memberof_hbacsvcgroup' in service_result:
+                    request.service.groups = service_result['memberof_hbacsvcgroup']
             except:
                 pass
 
-- 
1.7.6.4


From ayoung at redhat.com  Mon Oct 17 01:14:46 2011
From: ayoung at redhat.com (Adam Young)
Date: Sun, 16 Oct 2011 21:14:46 -0400
Subject: [Freeipa-devel] change to interface used to provide certificates
In-Reply-To: <4E98FCAF.20904@redhat.com>
References: <4E98FCAF.20904@redhat.com>
Message-ID: <4E9B8186.1060704@redhat.com>

On 10/14/2011 11:23 PM, John Dennis wrote:
> I've been fixing a bug in the web UI when we retrieve a certificate. 
> The data that's displayed cannot be copied and used with any other 
> certificate (i.e. x509) software, openssl and NSS being prime 
> examples. The crux of the problem is it's not in a standard format. 
> There are 2 standard formats for certificates, DER if it's binary and 
> PEM if it text.
>
> What the web UI was outputting was bare base64 encoding of DER data 
> (closely related to PEM, but not PEM). We've used bare base64 data in 
> a number of places and have gradually fixed a number of them over 
> time. The use of bare base64 all goes back to the dawn of IPA and how 
> certificate data is stored in LDAP (binary DER) and how binary data 
> passes through our RPC mechanism. The early limitations of handling 
> certificate data got "institutionalized" in IPA and we got used to 
> using the non-standard bare base64 form, not because it's correct but 
> because of deficiencies in other parts of the code which are now fixed.
>
> The fact is nobody else uses this format, it's completely 
> non-standard. As part of the bug fix I'm working on (certificate 
> output in PEM format rather than bare base64) I would also like to 
> clean up the parts of the code in both the web UI and the command line 
> which accept certificate data as bare base64 and change them so they 
> only accept PEM. In fact as it stands now if you paste PEM into the 
> web UI things will fail. The command line interface writes PEM data 
> and accepts either PEM or bare base64. Currently the web UI outputs 
> bare base64 and accepts bare base64. After my bug fix the web UI will 
> output PEM but would still require bare base64 as input (if I don't 
> fix that as well). These weird inconsistencies aren't good IMHO.
>
> I'd like us to adopt the convention that we only ever input and output 
> certificates (and CSR's) in either PEM or DER formats (and PKCS12 in 
> specific cases). This matches what both openssl and NSS does and just 
> about every other piece of software I'm familiar with. In practical 
> terms for the near term it would mean we just support PEM, if we want 
> to add DER support later we can, it won't be hard, but we need to stop 
> accepting bare base64 data and insist on standard PEM.
>
> This would be a change to the interface. More importantly it's a 
> change somewhat late in the game just prior to a major release. But 
> the consistency and adherence to standards warrant the change, not to 
> mention we probably don't want version 2 of IPA to go out the door 
> this way. It would train people with bad habits, frustrate them, and 
> we would regret having to support it down the road.
>
> Importing and exporting certs via the web UI and command line are not 
> common operations. The only significant impact changing to requiring 
> PEM input would be on our automated tests which would have to make 
> sure they supplied PEM format.
>
> Comments? Questions?
>
> If I don't hear a major outcry I'm going to proceed with making the 
> import and export of certs be PEM only for 100% consistency across the 
> board (it would be weird if you couldn't paste the cert data into the 
> web UI which you copied from the web UI).
>
I'm in support of it, buit not for this release: target 3.0.  We should 
do this as an additional interface on top of what we have now.  We can 
tag the original as deprecated.

The web UI can convert the format on the way out or on the way in: from 
PEM to bare base64 or DER.  We can do this without breaking the existing 
API.  I think that changing this in the web UI can be done without 
breaking anything but the QA tests.



From mkosek at redhat.com  Mon Oct 17 07:09:32 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 17 Oct 2011 09:09:32 +0200
Subject: [Freeipa-devel] [PATCH] 151 Add --zonemgr validator
In-Reply-To: <4E987B52.4060700@redhat.com>
References: <1318585856.9468.7.camel@balmora.brq.redhat.com>
	<4E987B52.4060700@redhat.com>
Message-ID: <1318835375.26757.2.camel@balmora.brq.redhat.com>

On Fri, 2011-10-14 at 14:11 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > Do at least a basic validation of DNS zone manager mail address.
> >
> > Do not require '@' to be in the mail address as it is not used
> > in common DNS zone configuration (in bind for example) and people
> > may be used to configure it that way. '@' is always removed by the
> > installer before the DNS zone is created.
> >
> > https://fedorahosted.org/freeipa/ticket/1966
> 
> There is already a zonemgr_callback defined for this option, can the 
> verify_zonemgr call be either integrated or called from that?
> 
> rob
> 

Right. Please, try this one. I also added a parser error when more than
one '@' is in the checked value.

Martin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-151-2-add-zonemgr-validator.patch
Type: text/x-patch
Size: 5688 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111017/a25bf1f9/attachment.bin>

From atkac at redhat.com  Mon Oct 17 11:04:46 2011
From: atkac at redhat.com (Adam Tkac)
Date: Mon, 17 Oct 2011 13:04:46 +0200
Subject: [Freeipa-devel] [PATCH] bind-dyndb-ldap: Add new ldap_hostname
 option (ticket #1931)
In-Reply-To: <4E95D7B3.7000208@redhat.com>
References: <4E940BEC.9030909@redhat.com> <4E95D7B3.7000208@redhat.com>
Message-ID: <4E9C0BCE.1050106@redhat.com>

On 10/12/2011 08:08 PM, Rob Crittenden wrote:
> Adam Tkac wrote:
>> Hello all,
>>
>> please see attached patch for bind-dyndb-ldap, it should solve (at least
>> from bind-dyndb-ldap side) ticket #1931. It adds new "ldap_hostname"
>> option and ipa-server-install utility should set this option when
>> /bin/hostname is different from --hostname parameter.
>>
>> Comments are welcomed.
>>
>> Regards, Adam
>
> ACK, this looks fine to me.
>
> rob
>
Thanks for the review, pushed to bind-dyndb-ldap master.

Regards, Adam



From abokovoy at redhat.com  Mon Oct 17 11:21:59 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Mon, 17 Oct 2011 14:21:59 +0300
Subject: [Freeipa-devel] [PATCH, 2.1] 0021 Fedora 16 and systemd support
In-Reply-To: <1318626347.31149.159.camel@willson.li.ssimo.org>
References: <20111010134235.GB3661@redhat.com>
	<20111010140721.GC3661@redhat.com>
	<1318614966.31149.149.camel@willson.li.ssimo.org>
	<1318623241.31149.156.camel@willson.li.ssimo.org>
	<1318626347.31149.159.camel@willson.li.ssimo.org>
Message-ID: <20111017112049.GB9413@redhat.com>

On Fri, 14 Oct 2011, Simo Sorce wrote:
> > > Attached a rebased patch with the modifications needed to apply it on
> > > master.
> > > 
> > > Everything seem to work on master but I haven't tested ipa-2-1 so this
> > > is a partial ACK of the original patch as well.
> > 
> > A bit of bad news, I restarted the machine and I am having issue
> > properly restarting services.
> > This patch is still better than nothing as otherwise nothing works at
> > all on f16, but we need to work out why starting services is unreliable.
> 
> Ok found the issue and it is a bug in the conversion to systemd.
> I opened ticket #1990 for this.
> 
> Attached find a rebased patch that fixes enough of the bug to let the
> server work (they keytab part), but it doesn't address the ulimit part.
KRB5_KTNAME was missing but LimitNOFile is available -- it is now 
modified in dirsrv at .service file directly. The code in 
ipapython/platform/fedora16.py goes to a great length to enable that 
by copying file to /etc/systemd/system, modifying the config, and 
relinking all dirsrv instances to it. That's how systemd is organized.

Now, I think I found actual issue preventing proper restarts. 
wait_for_socket() only considered 'connection refused' as valid error 
when unable to connect and waiting up until timeout is gone. 
Unfortunately, directory services start a bit slower than we had hoped 
and by the time we attempt to connect to local AF_UNIX socket, there 
is no actual socket on file system yet so we get:

Oct 17 06:48:36 vm-114 ipactl[954]: Failed to read data from Directory 
Service: Unknown error when retrieving list of services from LDAP: 
[Errno 2] No such file or directory
Oct 17 06:48:36 vm-114 ipactl[954]: Shutting down
Oct 17 06:48:36 vm-114 ipactl[954]: Starting Directory Service

After applying attached patch I now have fully working FreeIPA 2.1 git 
on Fedora 16.

-- 
/ Alexander Bokovoy
-------------- next part --------------
>From cb5583ad8023d87fdbf863cd65032d0f11108bc0 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy at redhat.com>
Date: Mon, 17 Oct 2011 14:17:07 +0300
Subject: [PATCH 4/4] Spin for connection success also when socket is not
 (yet) available

We were spinning for socket connection if attempt to connect returned errno 111
(connection refused). However, it is not enough for local AF_UNIX sockets as
heavy applications might not be able to start yet and therefore the whole path
might be missing. So spin for errno 2 (no such file or directory) as well.

Partial fix for
  https://fedorahosted.org/freeipa/ticket/1990
---
 ipaserver/install/installutils.py |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
index 5cfc8f0376e25d9eb25206d54ac5bbea47aca9b2..0a36c354e1d2f901bfdef51c151d035ba8ee64ca 100644
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -507,7 +507,7 @@ def wait_for_open_socket(socket_name, timeout=0):
             s.close()
             break;
         except socket.error, e:
-            if e.errno == 111:  # 111: Connection refused
+            if e.errno in (2,111):  # 111: Connection refused, 2: File not found
                 if timeout and time.time() > op_timeout: # timeout exceeded
                     raise e
                 time.sleep(1)
-- 
1.7.6.4


From pvoborni at redhat.com  Mon Oct 17 11:26:44 2011
From: pvoborni at redhat.com (Petr Vobornik)
Date: Mon, 17 Oct 2011 13:26:44 +0200
Subject: [Freeipa-devel] [PATCH] 026 Fixed: Unable to add external user for
 RunAs User for Sudo
Message-ID: <4E9C10F4.6050109@redhat.com>

https://fedorahosted.org/freeipa/ticket/1987
-- 
Petr Vobornik
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0026-Fixed-Unable-to-add-external-user-for-RunAs-User-for.patch
Type: text/x-patch
Size: 1487 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111017/4cc96606/attachment.bin>

From abokovoy at redhat.com  Mon Oct 17 12:12:26 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Mon, 17 Oct 2011 15:12:26 +0300
Subject: [Freeipa-devel] [PATCH] 026 Fixed: Unable to add external user
 for RunAs User for Sudo
In-Reply-To: <4E9C10F4.6050109@redhat.com>
References: <4E9C10F4.6050109@redhat.com>
Message-ID: <20111017121226.GC9413@redhat.com>

On Mon, 17 Oct 2011, Petr Vobornik wrote:
> https://fedorahosted.org/freeipa/ticket/1987
> -- 
> Petr Vobornik

> From 931b27dbb54ace65e2213ffed718ee04ace5fc07 Mon Sep 17 00:00:00 2001
> From: Petr Vobornik <pvoborni at redhat.com>
> Date: Mon, 17 Oct 2011 11:48:03 +0200
> Subject: [PATCH] Fixed: Unable to add external user for RunAs User for Sudo
>  rules
> 
> https://fedorahosted.org/freeipa/ticket/1987
> 
> There is no way to add root or any external user as a RunAs User for a Sudo
> Rule.
ACK.

-- 
/ Alexander Bokovoy



From mkosek at redhat.com  Mon Oct 17 12:20:38 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 17 Oct 2011 14:20:38 +0200
Subject: [Freeipa-devel] [PATCH] 152 Enable automember for upgraded servers
Message-ID: <1318854040.26757.8.camel@balmora.brq.redhat.com>

automember functionality is depends on predefined data is in LDAP.
Since we add it for fresh installs only, automember cannot be used
for upgraded servers. Make sure that automember LDAP data is added
during upgrade too.

https://fedorahosted.org/freeipa/ticket/1992

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-152-enable-automember-for-upgraded-servers.patch
Type: text/x-patch
Size: 2256 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111017/524d463c/attachment.bin>

From mkosek at redhat.com  Mon Oct 17 12:43:04 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 17 Oct 2011 14:43:04 +0200
Subject: [Freeipa-devel] [PATCH] 153 Improve hostgroup/netgroup collision
	checks
Message-ID: <1318855386.26757.9.camel@balmora.brq.redhat.com>

When the NGP plugin is enabled, a managed netgroup is created for
every hostgroup. We already check that netgroup with the same
name does not exist and provide a meaningful error message.
However, this error message was also printed when a duplicate
hostgroup existed.

This patch checks for duplicate hostgroup existence first and
netgroup on the second place. It also makes sure that when NGP
plugin is (temporarily) disabled, a colliding netgroup cannot
be created.

https://fedorahosted.org/freeipa/ticket/1914

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-153-improve-hostgroup-netgroup-collision-checks.patch
Type: text/x-patch
Size: 3502 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111017/55d96e5f/attachment.bin>

From rcritten at redhat.com  Mon Oct 17 13:35:56 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 17 Oct 2011 09:35:56 -0400
Subject: [Freeipa-devel] change to interface used to provide certificates
In-Reply-To: <4E98FCAF.20904@redhat.com>
References: <4E98FCAF.20904@redhat.com>
Message-ID: <4E9C2F3C.3000909@redhat.com>

John Dennis wrote:
> I've been fixing a bug in the web UI when we retrieve a certificate. The
> data that's displayed cannot be copied and used with any other
> certificate (i.e. x509) software, openssl and NSS being prime examples.
> The crux of the problem is it's not in a standard format. There are 2
> standard formats for certificates, DER if it's binary and PEM if it text.
>
> What the web UI was outputting was bare base64 encoding of DER data
> (closely related to PEM, but not PEM). We've used bare base64 data in a
> number of places and have gradually fixed a number of them over time.
> The use of bare base64 all goes back to the dawn of IPA and how
> certificate data is stored in LDAP (binary DER) and how binary data
> passes through our RPC mechanism. The early limitations of handling
> certificate data got "institutionalized" in IPA and we got used to using
> the non-standard bare base64 form, not because it's correct but because
> of deficiencies in other parts of the code which are now fixed.
>
> The fact is nobody else uses this format, it's completely non-standard.
> As part of the bug fix I'm working on (certificate output in PEM format
> rather than bare base64) I would also like to clean up the parts of the
> code in both the web UI and the command line which accept certificate
> data as bare base64 and change them so they only accept PEM. In fact as
> it stands now if you paste PEM into the web UI things will fail. The
> command line interface writes PEM data and accepts either PEM or bare
> base64. Currently the web UI outputs bare base64 and accepts bare
> base64. After my bug fix the web UI will output PEM but would still
> require bare base64 as input (if I don't fix that as well). These weird
> inconsistencies aren't good IMHO.

ldapsearch returns raw certificate data as well and this is what the IPA 
tools were modeled on, so this is not unprecedented.

PEM is just base64 with line limits, carriage returns and a 
header/footer. Try passing that in as dashed argument and you'll see why 
we allow it to be passed in as a single base64 blob (and even that is 
rather awful).

>
> I'd like us to adopt the convention that we only ever input and output
> certificates (and CSR's) in either PEM or DER formats (and PKCS12 in
> specific cases). This matches what both openssl and NSS does and just
> about every other piece of software I'm familiar with. In practical
> terms for the near term it would mean we just support PEM, if we want to
> add DER support later we can, it won't be hard, but we need to stop
> accepting bare base64 data and insist on standard PEM.

Considering that you can't pass binary data via XML-RPC you'd have to 
base64 encode it anyway...

>
> This would be a change to the interface. More importantly it's a change
> somewhat late in the game just prior to a major release. But the
> consistency and adherence to standards warrant the change, not to
> mention we probably don't want version 2 of IPA to go out the door this
> way. It would train people with bad habits, frustrate them, and we would
> regret having to support it down the road.

Changing the meaning of arguments is not allowed at this point. Input of 
certificates is not something a typical user will do, they will manage 
certificates via the cert API. We just as a policy try not to hide 
functionality so updating certificates is exposed like everything else is.

>
> Importing and exporting certs via the web UI and command line are not
> common operations. The only significant impact changing to requiring PEM
> input would be on our automated tests which would have to make sure they
> supplied PEM format.
>
> Comments? Questions?
>
> If I don't hear a major outcry I'm going to proceed with making the
> import and export of certs be PEM only for 100% consistency across the
> board (it would be weird if you couldn't paste the cert data into the
> web UI which you copied from the web UI).
>

I'm fine with display of it as PEM and accepting it as PEM but I think 
disallowing an input form that has been there for so long is bad.

rob



From rcritten at redhat.com  Mon Oct 17 14:22:56 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 17 Oct 2011 10:22:56 -0400
Subject: [Freeipa-devel] [PATCH] 153 Improve hostgroup/netgroup
 collision checks
In-Reply-To: <1318855386.26757.9.camel@balmora.brq.redhat.com>
References: <1318855386.26757.9.camel@balmora.brq.redhat.com>
Message-ID: <4E9C3A40.7060405@redhat.com>

Martin Kosek wrote:
> When the NGP plugin is enabled, a managed netgroup is created for
> every hostgroup. We already check that netgroup with the same
> name does not exist and provide a meaningful error message.
> However, this error message was also printed when a duplicate
> hostgroup existed.
>
> This patch checks for duplicate hostgroup existence first and
> netgroup on the second place. It also makes sure that when NGP
> plugin is (temporarily) disabled, a colliding netgroup cannot
> be created.
>
> https://fedorahosted.org/freeipa/ticket/1914

NACK, you should use self.obj.handle_duplicate_entry and/or 
self.obj.already_exists_msg for reporting errors. See my patch 898 for 
an example of this.

rob



From mkosek at redhat.com  Mon Oct 17 14:50:53 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 17 Oct 2011 16:50:53 +0200
Subject: [Freeipa-devel] [PATCH] 153 Improve hostgroup/netgroup
 collision checks
In-Reply-To: <4E9C3A40.7060405@redhat.com>
References: <1318855386.26757.9.camel@balmora.brq.redhat.com>
	<4E9C3A40.7060405@redhat.com>
Message-ID: <1318863055.8151.18.camel@balmora.brq.redhat.com>

On Mon, 2011-10-17 at 10:22 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > When the NGP plugin is enabled, a managed netgroup is created for
> > every hostgroup. We already check that netgroup with the same
> > name does not exist and provide a meaningful error message.
> > However, this error message was also printed when a duplicate
> > hostgroup existed.
> >
> > This patch checks for duplicate hostgroup existence first and
> > netgroup on the second place. It also makes sure that when NGP
> > plugin is (temporarily) disabled, a colliding netgroup cannot
> > be created.
> >
> > https://fedorahosted.org/freeipa/ticket/1914
> 
> NACK, you should use self.obj.handle_duplicate_entry and/or 
> self.obj.already_exists_msg for reporting errors. See my patch 898 for 
> an example of this.
> 
> rob

I was thinking about this too. My motivation was to add a bit of
information why we reported a colliding hostgroup/netgroup, that they
share a common namespace.

I was afraid that the error "netgroup ... already exists" when user
tries to add a colliding hostgroup may rise questions.

If we go your way, we may want to add a second check I included in my
patch - test that when adding a new netgroup, a hostgroup of the same
name does not exist. This would prevent name space collisions if user
decides to enable NGP plugin again.

Additionally, the DuplicateEntry exception you are rising in your patch
may be simplified:

self.api.Object['netgroup'].handle_duplicate_entry(keys[-1])

Martin



From rcritten at redhat.com  Mon Oct 17 14:56:57 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 17 Oct 2011 10:56:57 -0400
Subject: [Freeipa-devel] [PATCH] 153 Improve hostgroup/netgroup
 collision checks
In-Reply-To: <1318863055.8151.18.camel@balmora.brq.redhat.com>
References: <1318855386.26757.9.camel@balmora.brq.redhat.com>
	<4E9C3A40.7060405@redhat.com>
	<1318863055.8151.18.camel@balmora.brq.redhat.com>
Message-ID: <4E9C4239.4070803@redhat.com>

Martin Kosek wrote:
> On Mon, 2011-10-17 at 10:22 -0400, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> When the NGP plugin is enabled, a managed netgroup is created for
>>> every hostgroup. We already check that netgroup with the same
>>> name does not exist and provide a meaningful error message.
>>> However, this error message was also printed when a duplicate
>>> hostgroup existed.
>>>
>>> This patch checks for duplicate hostgroup existence first and
>>> netgroup on the second place. It also makes sure that when NGP
>>> plugin is (temporarily) disabled, a colliding netgroup cannot
>>> be created.
>>>
>>> https://fedorahosted.org/freeipa/ticket/1914
>>
>> NACK, you should use self.obj.handle_duplicate_entry and/or
>> self.obj.already_exists_msg for reporting errors. See my patch 898 for
>> an example of this.
>>
>> rob
>
> I was thinking about this too. My motivation was to add a bit of
> information why we reported a colliding hostgroup/netgroup, that they
> share a common namespace.
>
> I was afraid that the error "netgroup ... already exists" when user
> tries to add a colliding hostgroup may rise questions.
>
> If we go your way, we may want to add a second check I included in my
> patch - test that when adding a new netgroup, a hostgroup of the same
> name does not exist. This would prevent name space collisions if user
> decides to enable NGP plugin again.
>
> Additionally, the DuplicateEntry exception you are rising in your patch
> may be simplified:
>
> self.api.Object['netgroup'].handle_duplicate_entry(keys[-1])
>
> Martin
>

Ok, I see where you were going now. ACK to your patch as-is. Go ahead 
and push to ipa-2-1 and master.

rob



From mkosek at redhat.com  Mon Oct 17 15:33:12 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 17 Oct 2011 17:33:12 +0200
Subject: [Freeipa-devel] [PATCH] 153 Improve hostgroup/netgroup
 collision checks
In-Reply-To: <4E9C4239.4070803@redhat.com>
References: <1318855386.26757.9.camel@balmora.brq.redhat.com>
	<4E9C3A40.7060405@redhat.com>
	<1318863055.8151.18.camel@balmora.brq.redhat.com>
	<4E9C4239.4070803@redhat.com>
Message-ID: <1318865595.10288.0.camel@balmora.brq.redhat.com>

On Mon, 2011-10-17 at 10:56 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > On Mon, 2011-10-17 at 10:22 -0400, Rob Crittenden wrote:
> >> Martin Kosek wrote:
> >>> When the NGP plugin is enabled, a managed netgroup is created for
> >>> every hostgroup. We already check that netgroup with the same
> >>> name does not exist and provide a meaningful error message.
> >>> However, this error message was also printed when a duplicate
> >>> hostgroup existed.
> >>>
> >>> This patch checks for duplicate hostgroup existence first and
> >>> netgroup on the second place. It also makes sure that when NGP
> >>> plugin is (temporarily) disabled, a colliding netgroup cannot
> >>> be created.
> >>>
> >>> https://fedorahosted.org/freeipa/ticket/1914
> >>
> >> NACK, you should use self.obj.handle_duplicate_entry and/or
> >> self.obj.already_exists_msg for reporting errors. See my patch 898 for
> >> an example of this.
> >>
> >> rob
> >
> > I was thinking about this too. My motivation was to add a bit of
> > information why we reported a colliding hostgroup/netgroup, that they
> > share a common namespace.
> >
> > I was afraid that the error "netgroup ... already exists" when user
> > tries to add a colliding hostgroup may rise questions.
> >
> > If we go your way, we may want to add a second check I included in my
> > patch - test that when adding a new netgroup, a hostgroup of the same
> > name does not exist. This would prevent name space collisions if user
> > decides to enable NGP plugin again.
> >
> > Additionally, the DuplicateEntry exception you are rising in your patch
> > may be simplified:
> >
> > self.api.Object['netgroup'].handle_duplicate_entry(keys[-1])
> >
> > Martin
> >
> 
> Ok, I see where you were going now. ACK to your patch as-is. Go ahead 
> and push to ipa-2-1 and master.
> 
> rob

Ok, thanks. Pushed to master, ipa-2-1.

Martin



From simo at redhat.com  Mon Oct 17 15:45:06 2011
From: simo at redhat.com (Simo Sorce)
Date: Mon, 17 Oct 2011 11:45:06 -0400
Subject: [Freeipa-devel] [PATCH, 2.1] 0021 Fedora 16 and systemd support
In-Reply-To: <20111017112049.GB9413@redhat.com>
References: <20111010134235.GB3661@redhat.com>
	<20111010140721.GC3661@redhat.com>
	<1318614966.31149.149.camel@willson.li.ssimo.org>
	<1318623241.31149.156.camel@willson.li.ssimo.org>
	<1318626347.31149.159.camel@willson.li.ssimo.org>
	<20111017112049.GB9413@redhat.com>
Message-ID: <1318866306.31149.176.camel@willson.li.ssimo.org>

On Mon, 2011-10-17 at 14:21 +0300, Alexander Bokovoy wrote:
> On Fri, 14 Oct 2011, Simo Sorce wrote:
> > > > Attached a rebased patch with the modifications needed to apply it on
> > > > master.
> > > > 
> > > > Everything seem to work on master but I haven't tested ipa-2-1 so this
> > > > is a partial ACK of the original patch as well.
> > > 
> > > A bit of bad news, I restarted the machine and I am having issue
> > > properly restarting services.
> > > This patch is still better than nothing as otherwise nothing works at
> > > all on f16, but we need to work out why starting services is unreliable.
> > 
> > Ok found the issue and it is a bug in the conversion to systemd.
> > I opened ticket #1990 for this.
> > 
> > Attached find a rebased patch that fixes enough of the bug to let the
> > server work (they keytab part), but it doesn't address the ulimit part.
> KRB5_KTNAME was missing but LimitNOFile is available -- it is now 
> modified in dirsrv at .service file directly. The code in 
> ipapython/platform/fedora16.py goes to a great length to enable that 
> by copying file to /etc/systemd/system, modifying the config, and 
> relinking all dirsrv instances to it. That's how systemd is organized.
> 
> Now, I think I found actual issue preventing proper restarts. 
> wait_for_socket() only considered 'connection refused' as valid error 
> when unable to connect and waiting up until timeout is gone. 
> Unfortunately, directory services start a bit slower than we had hoped 
> and by the time we attempt to connect to local AF_UNIX socket, there 
> is no actual socket on file system yet so we get:
> 
> Oct 17 06:48:36 vm-114 ipactl[954]: Failed to read data from Directory 
> Service: Unknown error when retrieving list of services from LDAP: 
> [Errno 2] No such file or directory
> Oct 17 06:48:36 vm-114 ipactl[954]: Shutting down
> Oct 17 06:48:36 vm-114 ipactl[954]: Starting Directory Service
> 
> After applying attached patch I now have fully working FreeIPA 2.1 git 
> on Fedora 16.

ACk,
fixes my startup issue as well.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



From edewata at redhat.com  Mon Oct 17 16:04:45 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 17 Oct 2011 14:04:45 -0200
Subject: [Freeipa-devel] [PATCH] 026 Fixed: Unable to add external user
 for RunAs User for Sudo
In-Reply-To: <20111017121226.GC9413@redhat.com>
References: <4E9C10F4.6050109@redhat.com> <20111017121226.GC9413@redhat.com>
Message-ID: <4E9C521D.5020107@redhat.com>

On 10/17/2011 10:12 AM, Alexander Bokovoy wrote:
> On Mon, 17 Oct 2011, Petr Vobornik wrote:
>> https://fedorahosted.org/freeipa/ticket/1987
>> --
>> Petr Vobornik
>
>>  From 931b27dbb54ace65e2213ffed718ee04ace5fc07 Mon Sep 17 00:00:00 2001
>> From: Petr Vobornik<pvoborni at redhat.com>
>> Date: Mon, 17 Oct 2011 11:48:03 +0200
>> Subject: [PATCH] Fixed: Unable to add external user for RunAs User for Sudo
>>   rules
>>
>> https://fedorahosted.org/freeipa/ticket/1987
>>
>> There is no way to add root or any external user as a RunAs User for a Sudo
>> Rule.
> ACK.

Pushed to master and ipa-2-1.

-- 
Endi S. Dewata



From nalin at redhat.com  Mon Oct 17 19:06:49 2011
From: nalin at redhat.com (Nalin Dahyabhai)
Date: Mon, 17 Oct 2011 15:06:49 -0400
Subject: [Freeipa-devel] change to interface used to provide certificates
In-Reply-To: <4E98FCAF.20904@redhat.com>
References: <4E98FCAF.20904@redhat.com>
Message-ID: <20111017190649.GC17367@redhat.com>

On Fri, Oct 14, 2011 at 11:23:27PM -0400, John Dennis wrote:
> Importing and exporting certs via the web UI and command line are
> not common operations. The only significant impact changing to
> requiring PEM input would be on our automated tests which would have
> to make sure they supplied PEM format.
> 
> Comments? Questions?

If we're talking about the "cert_request" RPC, then this impacts
certmonger, so I need to know (and would prefer to know sooner rather
than later) if it needs to change its expectations.

Cheers,

Nalin



From simo at redhat.com  Mon Oct 17 19:16:03 2011
From: simo at redhat.com (Simo Sorce)
Date: Mon, 17 Oct 2011 15:16:03 -0400
Subject: [Freeipa-devel] change to interface used to provide certificates
In-Reply-To: <4E9C2F3C.3000909@redhat.com>
References: <4E98FCAF.20904@redhat.com>  <4E9C2F3C.3000909@redhat.com>
Message-ID: <1318878963.31149.190.camel@willson.li.ssimo.org>

On Mon, 2011-10-17 at 09:35 -0400, Rob Crittenden wrote:
> John Dennis wrote:
> > I've been fixing a bug in the web UI when we retrieve a certificate. The
> > data that's displayed cannot be copied and used with any other
> > certificate (i.e. x509) software, openssl and NSS being prime examples.
> > The crux of the problem is it's not in a standard format. There are 2
> > standard formats for certificates, DER if it's binary and PEM if it text.
> >
> > What the web UI was outputting was bare base64 encoding of DER data
> > (closely related to PEM, but not PEM). We've used bare base64 data in a
> > number of places and have gradually fixed a number of them over time.
> > The use of bare base64 all goes back to the dawn of IPA and how
> > certificate data is stored in LDAP (binary DER) and how binary data
> > passes through our RPC mechanism. The early limitations of handling
> > certificate data got "institutionalized" in IPA and we got used to using
> > the non-standard bare base64 form, not because it's correct but because
> > of deficiencies in other parts of the code which are now fixed.
> >
> > The fact is nobody else uses this format, it's completely non-standard.
> > As part of the bug fix I'm working on (certificate output in PEM format
> > rather than bare base64) I would also like to clean up the parts of the
> > code in both the web UI and the command line which accept certificate
> > data as bare base64 and change them so they only accept PEM. In fact as
> > it stands now if you paste PEM into the web UI things will fail. The
> > command line interface writes PEM data and accepts either PEM or bare
> > base64. Currently the web UI outputs bare base64 and accepts bare
> > base64. After my bug fix the web UI will output PEM but would still
> > require bare base64 as input (if I don't fix that as well). These weird
> > inconsistencies aren't good IMHO.
> 
> ldapsearch returns raw certificate data as well and this is what the IPA 
> tools were modeled on, so this is not unprecedented.
> 
> PEM is just base64 with line limits, carriage returns and a 
> header/footer. Try passing that in as dashed argument and you'll see why 
> we allow it to be passed in as a single base64 blob (and even that is 
> rather awful).
> 
> >
> > I'd like us to adopt the convention that we only ever input and output
> > certificates (and CSR's) in either PEM or DER formats (and PKCS12 in
> > specific cases). This matches what both openssl and NSS does and just
> > about every other piece of software I'm familiar with. In practical
> > terms for the near term it would mean we just support PEM, if we want to
> > add DER support later we can, it won't be hard, but we need to stop
> > accepting bare base64 data and insist on standard PEM.
> 
> Considering that you can't pass binary data via XML-RPC you'd have to 
> base64 encode it anyway...
> 
> >
> > This would be a change to the interface. More importantly it's a change
> > somewhat late in the game just prior to a major release. But the
> > consistency and adherence to standards warrant the change, not to
> > mention we probably don't want version 2 of IPA to go out the door this
> > way. It would train people with bad habits, frustrate them, and we would
> > regret having to support it down the road.
> 
> Changing the meaning of arguments is not allowed at this point. Input of 
> certificates is not something a typical user will do, they will manage 
> certificates via the cert API. We just as a policy try not to hide 
> functionality so updating certificates is exposed like everything else is.
> 
> >
> > Importing and exporting certs via the web UI and command line are not
> > common operations. The only significant impact changing to requiring PEM
> > input would be on our automated tests which would have to make sure they
> > supplied PEM format.
> >
> > Comments? Questions?
> >
> > If I don't hear a major outcry I'm going to proceed with making the
> > import and export of certs be PEM only for 100% consistency across the
> > board (it would be weird if you couldn't paste the cert data into the
> > web UI which you copied from the web UI).
> >
> 
> I'm fine with display of it as PEM and accepting it as PEM but I think 
> disallowing an input form that has been there for so long is bad.

We can't disable it in 2.x

We can discuss if it makes sense to do so in 3.0, but I doubt the
'benefits' will supersede the problems introduced by doing so.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



From edewata at redhat.com  Mon Oct 17 20:39:41 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 17 Oct 2011 18:39:41 -0200
Subject: [Freeipa-devel] [PATCH] 023 Circular entity dependency
In-Reply-To: <4E92E17B.7040701@redhat.com>
References: <4E92E17B.7040701@redhat.com>
Message-ID: <4E9C928D.90209@redhat.com>

On 10/10/2011 10:13 AM, Petr Vobornik wrote:
> https://fedorahosted.org/freeipa/ticket/1531
>
> (3.0 Core Effort Iteration 01 September Y11 Release)
>
> Implemented solution:
> * all entities are created on application start
> * dependant objects (facets and dialogs) are created at once on their
> first use in entity.
>
> Note(patch naming): patch 022 was second part of 021, but the file name
> was wrong(021-1)

Some comments/issues:

1. One of the goals of this bug is to remove the temporary workaround in 
IPA.search_facet.create_content(). We should now be able to call the 
initialize_table_columns() during facet initialization.

2. Using lazy-loading to create entities, facets, and dialogs makes 
object creations a little bit unpredictable. This is probably fine for 
now, but if there's a problem the other option is to create all objects 
during application initialization. We can use a loop to create all 
entities first, then use another loop to create all dependent objects in 
each entity.

3. Another goal is to replace entity names used in spec (see 
other_entity & nested_entity spec properties) with the actual entity 
objects. In this case it might be better to use the loops described in 
#2. This can be done separately.

4. In the original code, when creating a facet for indirect association 
it will try to find the corresponding direct facet and use it instead of 
creating a new one. In the new code, the indirect facet will always be 
created, but since there is no indirect facet group the facet will never 
appear. It would be better if we can avoid unnecessary creation of 
indirect facets.

5. In entity.js:201, the use of entity.title for the breadcrumb tooltip 
might not be appropriate because usually the title is plural whereas the 
breadcrumb points to a single object. It would be better to use the 
entity.metadata.label_singular.

6. Invoking a method by concatenating the method name dynamically such 
as prepare_<facet type>_spec will work, but it's more error prone and 
will clutter up the namespace. It would be better to store the methods 
in a map like this:

   that.map.put('search', function(spec) {
     ...
   });

and use it like this:

   var method = that.map.get('search');
   method(spec);

This can be done separately.

7. The code in entity.js:474,998,1000 should have a deeper indentation 
because it's a continuation of the previous line.

8. The facet_specs and dialog_specs lists can be replaced with 
ordered_map. It already has a method to find an element by its name. 
This can be done separately.

-- 
Endi S. Dewata



From mkosek at redhat.com  Tue Oct 18 10:56:16 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 18 Oct 2011 12:56:16 +0200
Subject: [Freeipa-devel] [PATCH, 2.1] 0021 Fedora 16 and systemd support
In-Reply-To: <20111017112049.GB9413@redhat.com>
References: <20111010134235.GB3661@redhat.com>
	<20111010140721.GC3661@redhat.com>
	<1318614966.31149.149.camel@willson.li.ssimo.org>
	<1318623241.31149.156.camel@willson.li.ssimo.org>
	<1318626347.31149.159.camel@willson.li.ssimo.org>
	<20111017112049.GB9413@redhat.com>
Message-ID: <1318935379.19922.24.camel@balmora.brq.redhat.com>

On Mon, 2011-10-17 at 14:21 +0300, Alexander Bokovoy wrote:
> On Fri, 14 Oct 2011, Simo Sorce wrote:
> > > > Attached a rebased patch with the modifications needed to apply it on
> > > > master.
> > > > 
> > > > Everything seem to work on master but I haven't tested ipa-2-1 so this
> > > > is a partial ACK of the original patch as well.
> > > 
> > > A bit of bad news, I restarted the machine and I am having issue
> > > properly restarting services.
> > > This patch is still better than nothing as otherwise nothing works at
> > > all on f16, but we need to work out why starting services is unreliable.
> > 
> > Ok found the issue and it is a bug in the conversion to systemd.
> > I opened ticket #1990 for this.
> > 
> > Attached find a rebased patch that fixes enough of the bug to let the
> > server work (they keytab part), but it doesn't address the ulimit part.
> KRB5_KTNAME was missing but LimitNOFile is available -- it is now 
> modified in dirsrv at .service file directly. The code in 
> ipapython/platform/fedora16.py goes to a great length to enable that 
> by copying file to /etc/systemd/system, modifying the config, and 
> relinking all dirsrv instances to it. That's how systemd is organized.
> 
> Now, I think I found actual issue preventing proper restarts. 
> wait_for_socket() only considered 'connection refused' as valid error 
> when unable to connect and waiting up until timeout is gone. 
> Unfortunately, directory services start a bit slower than we had hoped 
> and by the time we attempt to connect to local AF_UNIX socket, there 
> is no actual socket on file system yet so we get:
> 
> Oct 17 06:48:36 vm-114 ipactl[954]: Failed to read data from Directory 
> Service: Unknown error when retrieving list of services from LDAP: 
> [Errno 2] No such file or directory
> Oct 17 06:48:36 vm-114 ipactl[954]: Shutting down
> Oct 17 06:48:36 vm-114 ipactl[954]: Starting Directory Service
> 
> After applying attached patch I now have fully working FreeIPA 2.1 git 
> on Fedora 16.
> 

Hi Alexander,

I tested our most recent master with simo's rebased patch and your patch
0004-Spin-for-connection-success-also-when-socket-is-not-.patch. It
looks very good, I hit just few issues:

1) ipa service reports inactive (dead) status even though LDAP server is
running:

systemctl status ipa.service
ipa.service - Identity, Policy, Audit
	  Loaded: loaded (/lib/systemd/system/ipa.service; enabled)
	  Active: inactive (dead) since Mon, 17 Oct 2011 10:21:30 -0400; 15s ago
	 Process: 25194 ExecStop=/usr/sbin/ipactl stop (code=exited, status=0/SUCCESS)
	 Process: 25173 ExecStart=/usr/sbin/ipactl start (code=exited, status=0/SUCCESS)
	  CGroup: name=systemd:/system/ipa.service

Maybe we should return "active" status when dirsrv is running?

2) I wasn't able to build IPA on F-15 after the patches were applied:
$ make rpms
...
+ install -m755
init/SystemV/ipa.init /home/mkosek/freeipa/rpmbuild/BUILDROOT/freeipa-2.99.0GITb607c5c-0.fc15.x86_64/etc/rc.d/init.d/ipa
install: cannot stat `init/SystemV/ipa.init': No such file or directory
error: Bad exit status from /var/tmp/rpm-tmp.nwbRUX (%install)

ipa.init was removed from the git, but it was never moved to
init/SystemV/.

Martin



From abokovoy at redhat.com  Tue Oct 18 11:27:39 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 18 Oct 2011 14:27:39 +0300
Subject: [Freeipa-devel] [PATCH, 2.1] 0021 Fedora 16 and systemd support
In-Reply-To: <1318935379.19922.24.camel@balmora.brq.redhat.com>
References: <20111010134235.GB3661@redhat.com>
	<20111010140721.GC3661@redhat.com>
	<1318614966.31149.149.camel@willson.li.ssimo.org>
	<1318623241.31149.156.camel@willson.li.ssimo.org>
	<1318626347.31149.159.camel@willson.li.ssimo.org>
	<20111017112049.GB9413@redhat.com>
	<1318935379.19922.24.camel@balmora.brq.redhat.com>
Message-ID: <20111018112738.GA2258@redhat.com>

On Tue, 18 Oct 2011, Martin Kosek wrote:
> I tested our most recent master with simo's rebased patch and your patch
> 0004-Spin-for-connection-success-also-when-socket-is-not-.patch. It
> looks very good, I hit just few issues:
> 
> 1) ipa service reports inactive (dead) status even though LDAP server is
> running:
> 
> systemctl status ipa.service
> ipa.service - Identity, Policy, Audit
> 	  Loaded: loaded (/lib/systemd/system/ipa.service; enabled)
> 	  Active: inactive (dead) since Mon, 17 Oct 2011 10:21:30 -0400; 15s ago
> 	 Process: 25194 ExecStop=/usr/sbin/ipactl stop (code=exited, status=0/SUCCESS)
> 	 Process: 25173 ExecStart=/usr/sbin/ipactl start (code=exited, status=0/SUCCESS)
> 	  CGroup: name=systemd:/system/ipa.service
> 
> Maybe we should return "active" status when dirsrv is running?
We can't. This is systemd's status which we can't influence. And you 
have stopped the service so it is properly showing it as 'inactive'.

I still need to investigate such cases as in correct situation it should be:
ipa.service - Identity, Policy, Audit
	  Loaded: loaded (/lib/systemd/system/ipa.service; enabled)
	  Active: active (exited) since Mon, 17 Oct 2011 07:03:17 -0400; 24h ago
	 Process: 956 ExecStart=/usr/sbin/ipactl start (code=exited, status=0/SUCCESS)
	  CGroup: name=systemd:/system/ipa.service

Note that you have ExecStop for process 25194 (which is newer than 
25173) -- which means you have stopped ipa.service yourself.

It should have stopped dirsrv.target, though. Here is how it looks if 
I issue 'systemctl stop ipa.service':
ipa.service - Identity, Policy, Audit
	  Loaded: loaded (/lib/systemd/system/ipa.service; enabled)
	  Active: inactive (dead) since Tue, 18 Oct 2011 07:24:30 -0400; 1s ago
	 Process: 11004 ExecStop=/usr/sbin/ipactl stop (code=exited, status=0/SUCCESS)
	 Process: 956 ExecStart=/usr/sbin/ipactl start (code=exited, status=0/SUCCESS)
	  CGroup: name=systemd:/system/ipa.service

And for dirsrv.target after that:
# systemctl status dirsrv.target
dirsrv.target - 389 Directory Server
	  Loaded: loaded (/lib/systemd/system/dirsrv.target; disabled)
	  Active: inactive (dead)


> 2) I wasn't able to build IPA on F-15 after the patches were applied:
> $ make rpms
> ...
> + install -m755
> init/SystemV/ipa.init /home/mkosek/freeipa/rpmbuild/BUILDROOT/freeipa-2.99.0GITb607c5c-0.fc15.x86_64/etc/rc.d/init.d/ipa
> install: cannot stat `init/SystemV/ipa.init': No such file or directory
> error: Bad exit status from /var/tmp/rpm-tmp.nwbRUX (%install)
> 
> ipa.init was removed from the git, but it was never moved to
> init/SystemV/.
It should have been moved (rm+new file). I'll check what's happening 
there, maybe Simo's patch omitted that one?

http://koji.fedoraproject.org/koji/taskinfo?taskID=3437275 is current 
scratch build of 2.1 for F-16. It is 2.1.2+diff up to current ipa-2-1 
git tree + systemd patch.
-- 
/ Alexander Bokovoy



From abokovoy at redhat.com  Tue Oct 18 12:48:10 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 18 Oct 2011 15:48:10 +0300
Subject: [Freeipa-devel] [PATCH, 2.1] 0021 Fedora 16 and systemd support
In-Reply-To: <20111018112738.GA2258@redhat.com>
References: <20111010134235.GB3661@redhat.com>
	<20111010140721.GC3661@redhat.com>
	<1318614966.31149.149.camel@willson.li.ssimo.org>
	<1318623241.31149.156.camel@willson.li.ssimo.org>
	<1318626347.31149.159.camel@willson.li.ssimo.org>
	<20111017112049.GB9413@redhat.com>
	<1318935379.19922.24.camel@balmora.brq.redhat.com>
	<20111018112738.GA2258@redhat.com>
Message-ID: <20111018124809.GB2258@redhat.com>

On Tue, 18 Oct 2011, Alexander Bokovoy wrote:
> > ipa.init was removed from the git, but it was never moved to
> > init/SystemV/.
> It should have been moved (rm+new file). I'll check what's happening 
> there, maybe Simo's patch omitted that one?
> 
> http://koji.fedoraproject.org/koji/taskinfo?taskID=3437275 is current 
> scratch build of 2.1 for F-16. It is 2.1.2+diff up to current ipa-2-1 
> git tree + systemd patch.
I did another rebase and current version of systemd support for 
ipa-2-1 is in systemd-ipa-2-1 branch of my tree:
http://fedorapeople.org/gitweb?p=abbra/public_git/freeipa.git;a=shortlog;h=refs/heads/systemd-ipa-2-1

-- 
/ Alexander Bokovoy



From pvoborni at redhat.com  Tue Oct 18 12:52:54 2011
From: pvoborni at redhat.com (Petr Vobornik)
Date: Tue, 18 Oct 2011 14:52:54 +0200
Subject: [Freeipa-devel] [PATCH] 023 Circular entity dependency
In-Reply-To: <4E9C928D.90209@redhat.com>
References: <4E92E17B.7040701@redhat.com> <4E9C928D.90209@redhat.com>
Message-ID: <4E9D76A6.5070301@redhat.com>

Comments in text. Also attached git diff for convenience.

On 10/17/2011 10:39 PM, Endi Sukma Dewata wrote:
 > On 10/10/2011 10:13 AM, Petr Vobornik wrote:
 >> https://fedorahosted.org/freeipa/ticket/1531
 >>
 >> (3.0 Core Effort Iteration 01 September Y11 Release)
 >>
 >> Implemented solution:
 >> * all entities are created on application start
 >> * dependant objects (facets and dialogs) are created at once on their
 >> first use in entity.
 >>
 >> Note(patch naming): patch 022 was second part of 021, but the file name
 >> was wrong(021-1)
 >
 > Some comments/issues:
 >
 > 1. One of the goals of this bug is to remove the temporary workaround in
 > IPA.search_facet.create_content(). We should now be able to call the
 > initialize_table_columns() during facet initialization.

Fixed

 > 2. Using lazy-loading to create entities, facets, and dialogs makes
 > object creations a little bit unpredictable. This is probably fine for
 > now, but if there's a problem the other option is to create all objects
 > during application initialization. We can use a loop to create all
 > entities first, then use another loop to create all dependent objects in
 > each entity.

I don't think it's necessary  but if it becomes a problem, we can use 
the initialization loop.

 > 3. Another goal is to replace entity names used in spec (see
 > other_entity & nested_entity spec properties) with the actual entity
 > objects. In this case it might be better to use the loops described in
 > #2. This can be done separately.

Wouldn't it lead to the circular dependancy problem again? I think using 
entity names and calling IPA.get_entity at the time when it is needed is 
fine. But we should make some naming conversions of function params or 
object properties to distinguish when we are working with just name or 
entity itself.

 > 4. In the original code, when creating a facet for indirect association
 > it will try to find the corresponding direct facet and use it instead of
 > creating a new one. In the new code, the indirect facet will always be
 > created, but since there is no indirect facet group the facet will never
 > appear. It would be better if we can avoid unnecessary creation of
 > indirect facets.

Fixed

 > 5. In entity.js:201, the use of entity.title for the breadcrumb tooltip
 > might not be appropriate because usually the title is plural whereas the
 > breadcrumb points to a single object. It would be better to use the
 > entity.metadata.label_singular.

Fixed

 > 6. Invoking a method by concatenating the method name dynamically such
 > as prepare_<facet type>_spec will work, but it's more error prone and
 > will clutter up the namespace. It would be better to store the methods
 > in a map like this:
 >
 > that.map.put('search', function(spec) {
 > ...
 > });
 >
 > and use it like this:
 >
 > var method = that.map.get('search');
 > method(spec);
 >
 > This can be done separately.
Reworked. Used object as a map, ordered map isn't necessary.

 >
 > 7. The code in entity.js:474,998,1000 should have a deeper indentation
 > because it's a continuation of the previous line.

Fixed

 > 8. The facet_specs and dialog_specs lists can be replaced with
 > ordered_map. It already has a method to find an element by its name.
 > This can be done separately.
 >
My intention was to be able specify entity facets and dialogs simply by 
specifying their spec in entity spec (without calling builder function), 
this is possible now. I didn't want to add initialization logic for 
facet_specs (to fill the ordered_map) to entity in order to keep it as 
simple as possible. It would be nice though. Maybe we could make an 
utility object with methods for some simple initialization logic which 
is used on many places - like checking if boolean is set or some more 
complicated like initialization of ordered_map (needs key selector fn as 
parameter).

-- 
Petr Vobornik
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0023-1-Circular-entity-dependency.patch
Type: text/x-patch
Size: 21198 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111018/4d45b42a/attachment.bin>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: diff
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111018/4d45b42a/attachment.ksh>

From simo at redhat.com  Tue Oct 18 12:54:34 2011
From: simo at redhat.com (Simo Sorce)
Date: Tue, 18 Oct 2011 08:54:34 -0400
Subject: [Freeipa-devel] [PATCH, 2.1] 0021 Fedora 16 and systemd support
In-Reply-To: <20111018112738.GA2258@redhat.com>
References: <20111010134235.GB3661@redhat.com>
	<20111010140721.GC3661@redhat.com>
	<1318614966.31149.149.camel@willson.li.ssimo.org>
	<1318623241.31149.156.camel@willson.li.ssimo.org>
	<1318626347.31149.159.camel@willson.li.ssimo.org>
	<20111017112049.GB9413@redhat.com>
	<1318935379.19922.24.camel@balmora.brq.redhat.com>
	<20111018112738.GA2258@redhat.com>
Message-ID: <1318942475.31149.214.camel@willson.li.ssimo.org>

On Tue, 2011-10-18 at 14:27 +0300, Alexander Bokovoy wrote:
> On Tue, 18 Oct 2011, Martin Kosek wrote:

> > ipa.init was removed from the git, but it was never moved to
> > init/SystemV/.
> It should have been moved (rm+new file). I'll check what's happening 
> there, maybe Simo's patch omitted that one?

Can certainly be my mistake during the rebase. Patches didn't apply
cleanly so I had to add all new files manually again to the patch. Maybe
I missed ipa.init as it was moved ...

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



From mkosek at redhat.com  Tue Oct 18 13:29:47 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 18 Oct 2011 15:29:47 +0200
Subject: [Freeipa-devel] [PATCH, 2.1] 0021 Fedora 16 and systemd support
In-Reply-To: <20111018124809.GB2258@redhat.com>
References: <20111010134235.GB3661@redhat.com>
	<20111010140721.GC3661@redhat.com>
	<1318614966.31149.149.camel@willson.li.ssimo.org>
	<1318623241.31149.156.camel@willson.li.ssimo.org>
	<1318626347.31149.159.camel@willson.li.ssimo.org>
	<20111017112049.GB9413@redhat.com>
	<1318935379.19922.24.camel@balmora.brq.redhat.com>
	<20111018112738.GA2258@redhat.com> <20111018124809.GB2258@redhat.com>
Message-ID: <1318944589.19922.39.camel@balmora.brq.redhat.com>

On Tue, 2011-10-18 at 15:48 +0300, Alexander Bokovoy wrote:
> On Tue, 18 Oct 2011, Alexander Bokovoy wrote:
> > > ipa.init was removed from the git, but it was never moved to
> > > init/SystemV/.
> > It should have been moved (rm+new file). I'll check what's happening 
> > there, maybe Simo's patch omitted that one?
> > 
> > http://koji.fedoraproject.org/koji/taskinfo?taskID=3437275 is current 
> > scratch build of 2.1 for F-16. It is 2.1.2+diff up to current ipa-2-1 
> > git tree + systemd patch.
> I did another rebase and current version of systemd support for 
> ipa-2-1 is in systemd-ipa-2-1 branch of my tree:
> http://fedorapeople.org/gitweb?p=abbra/public_git/freeipa.git;a=shortlog;h=refs/heads/systemd-ipa-2-1
> 

Yep, ipa.init is now correctly moved and I was able to compile ipa on
both F-15 and F-16. I still have few question/issues:

1) When ipa is not configured, it is ok that ipa.service status returns
error. However, I still got ipa.service status error after the ipa was
configured:

# systemctl status ipa.service
ipa.service - Identity, Policy, Audit
	  Loaded: loaded (/lib/systemd/system/ipa.service; disabled)
	  Active: failed since Tue, 18 Oct 2011 09:04:41 -0400; 1min 50s ago
	Main PID: 18499 (code=exited, status=6)
	  CGroup: name=systemd:/system/ipa.service
# /usr/sbin/ipactl status
IPA is not configured (see man pages of ipa-server-install for help)

# ipa-server-install
...
Applying LDAP updates
Restarting IPA to initialize updates before performing deletes:
  [1/2]: stopping directory server
  [2/2]: starting directory server
done configuring dirsrv.
Restarting the directory server
Restarting the KDC
Restarting the web server
Sample zone file for bind has been created in /tmp/sample.zone.teFbNR.db
==============================================================================
Setup complete

Next steps:
	1. You must make sure these network ports are open:
		TCP Ports:
		  * 80, 443: HTTP/HTTPS
		  * 389, 636: LDAP/LDAPS
		  * 88, 464: kerberos
		UDP Ports:
		  * 88, 464: kerberos
		  * 123: ntp

	2. You can now obtain a kerberos ticket using the command: 'kinit admin'
	   This ticket will allow you to use the IPA tools (e.g., ipa user-add)
	   and the web user interface.

Be sure to back up the CA certificate stored in /root/cacert.p12
This file is required to create replicas. The password for this
file is the Directory Manager password

# systemctl status ipa.service
ipa.service - Identity, Policy, Audit
	  Loaded: loaded (/lib/systemd/system/ipa.service; enabled)
	  Active: failed since Tue, 18 Oct 2011 09:04:41 -0400; 6min ago
	Main PID: 18499 (code=exited, status=6)
	  CGroup: name=systemd:/system/ipa.service



2) ipactl shows stopped dirsrv and CA service even though they should be
up (cert-show command worked):

# ipactl status
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: STOPPED
HTTP Service: RUNNING
CA Service: STOPPED

When I restarted the ipa service, everything was OK including the status
I mentioned in my previous mail:

# systemctl restart ipa.service
# ipactl status
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
HTTP Service: RUNNING
CA Service: RUNNING

# systemctl status ipa.service
ipa.service - Identity, Policy, Audit
	  Loaded: loaded (/lib/systemd/system/ipa.service; enabled)
	  Active: active (exited) since Tue, 18 Oct 2011 09:18:32 -0400; 2min 41s ago
	 Process: 20069 ExecStart=/usr/sbin/ipactl start (code=exited, status=0/SUCCESS)
	  CGroup: name=systemd:/system/ipa.service


Martin



From abokovoy at redhat.com  Tue Oct 18 13:42:07 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 18 Oct 2011 16:42:07 +0300
Subject: [Freeipa-devel] [PATCH, 2.1] 0021 Fedora 16 and systemd support
In-Reply-To: <1318944589.19922.39.camel@balmora.brq.redhat.com>
References: <20111010134235.GB3661@redhat.com>
	<20111010140721.GC3661@redhat.com>
	<1318614966.31149.149.camel@willson.li.ssimo.org>
	<1318623241.31149.156.camel@willson.li.ssimo.org>
	<1318626347.31149.159.camel@willson.li.ssimo.org>
	<20111017112049.GB9413@redhat.com>
	<1318935379.19922.24.camel@balmora.brq.redhat.com>
	<20111018112738.GA2258@redhat.com>
	<20111018124809.GB2258@redhat.com>
	<1318944589.19922.39.camel@balmora.brq.redhat.com>
Message-ID: <20111018134207.GD2258@redhat.com>

On Tue, 18 Oct 2011, Martin Kosek wrote:
> 1) When ipa is not configured, it is ok that ipa.service status returns
> error. However, I still got ipa.service status error after the ipa was
> configured:
> 
> # systemctl status ipa.service
> ipa.service - Identity, Policy, Audit
> 	  Loaded: loaded (/lib/systemd/system/ipa.service; disabled)
> 	  Active: failed since Tue, 18 Oct 2011 09:04:41 -0400; 1min 50s ago
> 	Main PID: 18499 (code=exited, status=6)
> 	  CGroup: name=systemd:/system/ipa.service
> # /usr/sbin/ipactl status
> IPA is not configured (see man pages of ipa-server-install for help)
> 
> # ipa-server-install
> ...
> Applying LDAP updates
> Restarting IPA to initialize updates before performing deletes:
>   [1/2]: stopping directory server
>   [2/2]: starting directory server
> done configuring dirsrv.
> Restarting the directory server
> Restarting the KDC
> Restarting the web server
> Sample zone file for bind has been created in /tmp/sample.zone.teFbNR.db
> ==============================================================================
> Setup complete
> 
> Next steps:
> 	1. You must make sure these network ports are open:
> 		TCP Ports:
> 		  * 80, 443: HTTP/HTTPS
> 		  * 389, 636: LDAP/LDAPS
> 		  * 88, 464: kerberos
> 		UDP Ports:
> 		  * 88, 464: kerberos
> 		  * 123: ntp
> 
> 	2. You can now obtain a kerberos ticket using the command: 'kinit admin'
> 	   This ticket will allow you to use the IPA tools (e.g., ipa user-add)
> 	   and the web user interface.
> 
> Be sure to back up the CA certificate stored in /root/cacert.p12
> This file is required to create replicas. The password for this
> file is the Directory Manager password
> 
> # systemctl status ipa.service
> ipa.service - Identity, Policy, Audit
> 	  Loaded: loaded (/lib/systemd/system/ipa.service; enabled)
> 	  Active: failed since Tue, 18 Oct 2011 09:04:41 -0400; 6min ago
> 	Main PID: 18499 (code=exited, status=6)
> 	  CGroup: name=systemd:/system/ipa.service
We were discussing with Simo yesterday that perhaps we need to do 
restart of ipa.service (on systemd platform only) explicitly after 
ipa-server-install.

Right now the last action we do is ipa.enable(), i.e. just enable 
ipa.service. As all services were started before during 
ipa-server-install, we deemed not needed to do any restart in System V 
case.

systemd, however, detects status based on its own tracking of events 
and there is no way to report status of the service other than 
systemd's internal state.

So we might do implicit restart of ipa.service at the end of install. 
That would be another 5-10 seconds delay depending on the hardware.

> 2) ipactl shows stopped dirsrv and CA service even though they should be
> up (cert-show command worked):
This might be related as well -- I've seen multiple times when 
ipa_kpasswd didn't start after ipa-server-install but works after 
restart.
-- 
/ Alexander Bokovoy



From rcritten at redhat.com  Tue Oct 18 16:13:19 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 18 Oct 2011 12:13:19 -0400
Subject: [Freeipa-devel] [PATCH] Fix help system
Message-ID: <4E9DA59F.9040607@redhat.com>

Forgive me for not having this in git format. This patch fixes a couple 
of problems in the help system:

1. If all commands in an object are disabled the object is still visible 
as a topic, see ipa help aci as an example

2. ipa help will show you that show-mappings help is broken

3. You shouldn't be able to get help on disabled cli.

diff --git a/ipalib/cli.py b/ipalib/cli.py
index 06e7b1c..7fe8087 100644
--- a/ipalib/cli.py
+++ b/ipalib/cli.py
@@ -748,6 +748,8 @@ class help(frontend.Local):
              self.print_commands(name)
          elif name in self.Command:
              cmd = self.Command[name]
+            if cmd.NO_CLI:
+                raise HelpError(topic=name)
              print unicode(_('Purpose: %s')) % unicode(_(cmd.doc)).strip()
              self.Backend.cli.build_parser(cmd).print_help()
          elif mod_name in sys.modules:
@@ -805,6 +807,9 @@ class help(frontend.Local):
              m = '%s.%s' % (self._PLUGIN_BASE_MODULE, topic)
              doc = (unicode(_(sys.modules[m].__doc__)) or '').strip()

+            if topic not in self.Command and len(commands) == 0:
+                raise HelpError(topic=topic)
+
              print doc
              if len(commands) > 1:
                  print ''
@@ -814,6 +819,9 @@ class help(frontend.Local):
              print "\n"

  class show_mappings(frontend.Command):
+    """
+    Show mapping of LDAP attributes to command-line option.
+    """
      takes_args = (
          Str('command_name',
              label=_('Command name'),



From mkosek at redhat.com  Tue Oct 18 16:36:50 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 18 Oct 2011 18:36:50 +0200
Subject: [Freeipa-devel] [PATCH] Fix help system
In-Reply-To: <4E9DA59F.9040607@redhat.com>
References: <4E9DA59F.9040607@redhat.com>
Message-ID: <1318955812.31147.3.camel@balmora.brq.redhat.com>

On Tue, 2011-10-18 at 12:13 -0400, Rob Crittenden wrote:
> Forgive me for not having this in git format. This patch fixes a couple 
> of problems in the help system:
> 
> 1. If all commands in an object are disabled the object is still visible 
> as a topic, see ipa help aci as an example
> 
> 2. ipa help will show you that show-mappings help is broken
> 
> 3. You shouldn't be able to get help on disabled cli.
> 
> diff --git a/ipalib/cli.py b/ipalib/cli.py
> index 06e7b1c..7fe8087 100644
> --- a/ipalib/cli.py
> +++ b/ipalib/cli.py
> @@ -748,6 +748,8 @@ class help(frontend.Local):
>               self.print_commands(name)
>           elif name in self.Command:
>               cmd = self.Command[name]
> +            if cmd.NO_CLI:
> +                raise HelpError(topic=name)
>               print unicode(_('Purpose: %s')) % unicode(_(cmd.doc)).strip()
>               self.Backend.cli.build_parser(cmd).print_help()
>           elif mod_name in sys.modules:
> @@ -805,6 +807,9 @@ class help(frontend.Local):
>               m = '%s.%s' % (self._PLUGIN_BASE_MODULE, topic)
>               doc = (unicode(_(sys.modules[m].__doc__)) or '').strip()
> 
> +            if topic not in self.Command and len(commands) == 0:
> +                raise HelpError(topic=topic)
> +
>               print doc
>               if len(commands) > 1:
>                   print ''
> @@ -814,6 +819,9 @@ class help(frontend.Local):
>               print "\n"
> 
>   class show_mappings(frontend.Command):
> +    """
> +    Show mapping of LDAP attributes to command-line option.
> +    """
>       takes_args = (
>           Str('command_name',
>               label=_('Command name'),
> 

ACK. Works fine.

Please, just format it properly and add a commit message with ticket ID
https://fedorahosted.org/freeipa/ticket/1998 before pushing :-)

Martin



From edewata at redhat.com  Tue Oct 18 18:25:04 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 18 Oct 2011 16:25:04 -0200
Subject: [Freeipa-devel] [PATCH] 023 Circular entity dependency
In-Reply-To: <4E9D76A6.5070301@redhat.com>
References: <4E92E17B.7040701@redhat.com> <4E9C928D.90209@redhat.com>
	<4E9D76A6.5070301@redhat.com>
Message-ID: <4E9DC480.6030408@redhat.com>

On 10/18/2011 10:52 AM, Petr Vobornik wrote:
>  > 3. Another goal is to replace entity names used in spec (see
>  > other_entity & nested_entity spec properties) with the actual entity
>  > objects. In this case it might be better to use the loops described in
>  > #2. This can be done separately.
>
> Wouldn't it lead to the circular dependancy problem again? I think using
> entity names and calling IPA.get_entity at the time when it is needed is
> fine. But we should make some naming conversions of function params or
> object properties to distinguish when we are working with just name or
> entity itself.

It shouldn't. The circular dependency happens when we create an entity 
that has a facet that depends on another entity, and that entity also 
has a facet that depends on the first entity, but the first entity is 
still being created. If we create all entities first separately, by the 
time we create the facets all entities are already created.

Agreed on the parameter naming.

>  > 5. In entity.js:201, the use of entity.title for the breadcrumb tooltip
>  > might not be appropriate because usually the title is plural whereas the
>  > breadcrumb points to a single object. It would be better to use the
>  > entity.metadata.label_singular.
>
> Fixed

The first and last elements in the breadcrumb actually don't have the 
tooltip set so it will show a default tooltip which might not be 
correct. This is an existing issue so we can fix this separately.

>  > 8. The facet_specs and dialog_specs lists can be replaced with
>  > ordered_map. It already has a method to find an element by its name.
>  > This can be done separately.
>
> My intention was to be able specify entity facets and dialogs simply by
> specifying their spec in entity spec (without calling builder function),
> this is possible now. I didn't want to add initialization logic for
> facet_specs (to fill the ordered_map) to entity in order to keep it as
> simple as possible. It would be nice though. Maybe we could make an
> utility object with methods for some simple initialization logic which
> is used on many places - like checking if boolean is set or some more
> complicated like initialization of ordered_map (needs key selector fn as
> parameter).

I didn't mean to replace the spec with a class. I was referring to using 
the ordered_map to replace the plain array (i.e. facet_specs and 
dialog_specs) that contains the specs because the ordered_map already 
has a method to lookup the elements by their name. So instead of:

   entity.facet_specs.push(spec);
   var facet = get_spec_by_name(entity.facet_specs, association_name);

it will be

   entity.facet_specs.put(spec.name, spec);
   var facet = entity.facet_specs.get(association_name);

This is not crucial, we can always improve it later.

ACK and pushed to master.

-- 
Endi S. Dewata



From ayoung at redhat.com  Tue Oct 18 21:55:33 2011
From: ayoung at redhat.com (Adam Young)
Date: Tue, 18 Oct 2011 17:55:33 -0400
Subject: [Freeipa-devel] [PATCH] 023 Circular entity dependency
In-Reply-To: <4E9DC480.6030408@redhat.com>
References: <4E92E17B.7040701@redhat.com> <4E9C928D.90209@redhat.com>
	<4E9D76A6.5070301@redhat.com> <4E9DC480.6030408@redhat.com>
Message-ID: <4E9DF5D5.4020308@redhat.com>

On 10/18/2011 02:25 PM, Endi Sukma Dewata wrote:
> On 10/18/2011 10:52 AM, Petr Vobornik wrote:
>> > 3. Another goal is to replace entity names used in spec (see
>> > other_entity & nested_entity spec properties) with the actual entity
>> > objects. In this case it might be better to use the loops described in
>> > #2. This can be done separately.
>>
>> Wouldn't it lead to the circular dependancy problem again? I think using
>> entity names and calling IPA.get_entity at the time when it is needed is
>> fine. But we should make some naming conversions of function params or
>> object properties to distinguish when we are working with just name or
>> entity itself.
>
> It shouldn't. The circular dependency happens when we create an entity 
> that has a facet that depends on another entity, and that entity also 
> has a facet that depends on the first entity, but the first entity is 
> still being created. If we create all entities first separately, by 
> the time we create the facets all entities are already created.
>
> Agreed on the parameter naming.
>
>> > 5. In entity.js:201, the use of entity.title for the breadcrumb 
>> tooltip
>> > might not be appropriate because usually the title is plural 
>> whereas the
>> > breadcrumb points to a single object. It would be better to use the
>> > entity.metadata.label_singular.
>>
>> Fixed
>
> The first and last elements in the breadcrumb actually don't have the 
> tooltip set so it will show a default tooltip which might not be 
> correct. This is an existing issue so we can fix this separately.
>
>> > 8. The facet_specs and dialog_specs lists can be replaced with
>> > ordered_map. It already has a method to find an element by its name.
>> > This can be done separately.
>>
>> My intention was to be able specify entity facets and dialogs simply by
>> specifying their spec in entity spec (without calling builder function),
>> this is possible now. I didn't want to add initialization logic for
>> facet_specs (to fill the ordered_map) to entity in order to keep it as
>> simple as possible. It would be nice though. Maybe we could make an
>> utility object with methods for some simple initialization logic which
>> is used on many places - like checking if boolean is set or some more
>> complicated like initialization of ordered_map (needs key selector fn as
>> parameter).
>
> I didn't mean to replace the spec with a class. I was referring to 
> using the ordered_map to replace the plain array (i.e. facet_specs and 
> dialog_specs) that contains the specs because the ordered_map already 
> has a method to lookup the elements by their name. So instead of:
>
>   entity.facet_specs.push(spec);
>   var facet = get_spec_by_name(entity.facet_specs, association_name);
>
> it will be
>
>   entity.facet_specs.put(spec.name, spec);
>   var facet = entity.facet_specs.get(association_name);
>
> This is not crucial, we can always improve it later.
>
> ACK and pushed to master.
>
Nice work.  I am not 100% satisfied with the solution, but that is due 
to limitations in the Javascript language.  I think this is the best we 
can get with the tools we have today.

A more perfect solution would allow us to use a lazy load proxy, and to 
hide from an end component that the object is a proxy.  the getters code 
we had a while back sort of gave us that, but as we found, browser specific.

Ideally, when we set a Facet on an entity, that would be a lazy load 
proxy, as would be the case where we explicitly link one entity up with 
another.






From mkosek at redhat.com  Wed Oct 19 12:15:11 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 19 Oct 2011 14:15:11 +0200
Subject: [Freeipa-devel] [PATCH] 120 Improve DNS record data validation
In-Reply-To: <1315401507.12548.14.camel@dhcp-25-52.brq.redhat.com>
References: <1315400728.12548.12.camel@dhcp-25-52.brq.redhat.com>
	<1315401507.12548.14.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <1319026515.9647.13.camel@balmora.brq.redhat.com>

On Wed, 2011-09-07 at 15:18 +0200, Martin Kosek wrote:
> On Wed, 2011-09-07 at 15:05 +0200, Martin Kosek wrote:
> > This is 3.0 Core Effort Backlog patch.
> > 
> > The changes to API may look scary, but it should be OK, I just added
> > validators and normalizers. I found a lot of RR types unsupported by
> > bind-dyndb-ldap. I implemented a validator telling this information to
> > the user. I think the message is more user-friendly than the previous
> > LDAP schema error.
> > 
> > Enjoy the RFCs! :-)
> > 
> > Martin
> > 
> > ---
> > Implement missing validators for DNS RR types so that we can capture
> > at least basic user errors. Additionally, a normalizer creating
> > a fully-qualified domain name has been implemented for several RRs
> > to prevent this common user error.
> > 
> > https://fedorahosted.org/freeipa/ticket/1106
> > 
> 
> I noticed a typo in format description for LOC record validation. A
> fixed patch attached.
> 
> Martin

Rebased for current master.

This patch is still waiting for review. As I would like to base my next
DNS work (structured DNS commands) on this patch I would like to have it
reviewed soon.

Thanks,
Martin

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-120-3-improve-dns-record-data-validation.patch
Type: text/x-patch
Size: 64870 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111019/812172c6/attachment.bin>

From edewata at redhat.com  Wed Oct 19 12:48:15 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 19 Oct 2011 10:48:15 -0200
Subject: [Freeipa-devel] [PATCH] 025 Fixed: Duplicate CSS definitions
In-Reply-To: <4E94323D.6060109@redhat.com>
References: <4E94323D.6060109@redhat.com>
Message-ID: <4E9EC70F.6020701@redhat.com>

On 10/11/2011 10:10 AM, Petr Vobornik wrote:
> https://fedorahosted.org/freeipa/ticket/1565
>
> (3.0 Core Effort Iteration 01 September Y11 Release)

ACK and pushed to master.

-- 
Endi S. Dewata



From ayoung at redhat.com  Wed Oct 19 13:57:33 2011
From: ayoung at redhat.com (Adam Young)
Date: Wed, 19 Oct 2011 09:57:33 -0400
Subject: [Freeipa-devel] Nesting widgets
In-Reply-To: <4E83BE0F.2020502@redhat.com>
References: <4E83BE0F.2020502@redhat.com>
Message-ID: <4E9ED74D.2020902@redhat.com>

Reposting to bring this discussion back to life.  We started having it 
on IRC.

On 09/28/2011 08:38 PM, Adam Young wrote:
> So I decided to try to get an IP Address widget working.  See the 
> attached patch.  It was fairly trivial.
>
> However, this widget is not really all that useful by itself.  It 
> would need to work as a part of a multivalued_text widget in order to 
> replace the widget used on the dnsrecord page.  And looking at the 
> multivalued text widget, I think you will agree that is going to be 
> tricky.
>
> The problem is that we don't really have the API set up for nesting.  
> This has burnt us on the Sections  as well as making more complex 
> widgets.  Usually, instead of reusing the widgets we have, it is 
> easier to go straight to the HTML.
>
> I think the crux comes from the 1-1  mapping between widgets and 
> fields of the request/result JSON.  For widget it is:  load(record)  
> and the load command knows how to find the value it needs inside the 
> record.  For save, on the other hand, it just returns the values it 
> needs.
>
>
> In order to make the widget scheme more nestable,    the section 
> section.load and save  can do more work,  such as scoping down the  
> piece of the request record to just that portion required by the 
> widget.  Bascially, it can do what widget.load does, just externally
>
>
>         var value = record[that.name];
>         if (value instanceof Array) {
>             widget.values = value;
>         } else {
>             widget.values = value ? [value] : [];
>         }
>
>         widget.writable = true;
>
>         if (widget.param_info) { Re:
>             if (widget.param_info.primary_key) {
>                 widget.writable = false;
>             }
>
>             if (widget.param_info.flags && 'no_update' in 
> that.param_info.flags) {
>                 widget.writable = false;
>             }
>         }
> Re:
>         if (widget.record.attributelevelrights) {
>             var rights = that.record.attributelevelrights[that.name];
>             if (!rights || rights.indexOf('w') < 0) {
>                 widget.writable = false;
>             }
>         }
>
>
> This seems to break encapsulation, but I think it might be the right 
> level of abstraction.  We can make this code reusable by other 
> sections by calling it something like section.widget_load.
>
> load then becomes nothing more than a call to reset for most widgets.  
> But, for the widgets that need nesting, or that need additional 
> rendering logic (like select) we still have a place for them to over 
> ride it.  I think it is telling that most of the overridden load 
> functions still cal the parent function first.  I thik that is an 
> indicator that what we have can be refactored.
>
>
> Looking through  widget.js,  I'd say that most of the widgets can be 
> safely redone this way.  Text_area.load looks suspect, it should 
> probbly be using the load functionality from the base class.  
> table_widget will need some thought, but I think it will work is the 
> value is set as an array, and then  the code   is called.
>
>       if (that.values) {
>             for (var i=0; i<that.values.length; i++) {
>                 var record = that.get_record(result, i);
>                 that.add_record(record);
>             }
>         }
>         that.unselect_all();
>
>
> I think that the save functions be OK as is.  the multivalue save 
> should be able to work with the result of calling sae from each 
> individual text area.
>
>
>
> So where would this help us. DNS records is probably the big one.  
> With users, we might have to store multiple keys or certificates.  We 
> don't currently validate email addresses, and we could there.  It 
> would probably simplify the code for ACIs, but there really is no 
> reason to put effort in to reworking that for its own sake.
>
>
>
> The other possibility is that we could redo the multivalue widget as a 
> section.  I know we've done that else where.  On the user page, the  
> Email addresses and phone numbers would then each go into their own 
> section....or we leave the multivlue widget there, but apply this 
> approach else where.  For DNS records, this means that each record 
> type would basically become its own section.  I don't favor this 
> approach, but I could buy the argument that redoing the widget API is 
> too much work.
>
>
>
>
>



From rcritten at redhat.com  Wed Oct 19 14:55:08 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 19 Oct 2011 10:55:08 -0400
Subject: [Freeipa-devel] Announcing FreeIPA 2.1.3
Message-ID: <4E9EE4CC.6020809@redhat.com>

The FreeIPA team is proud to announce version 2.1.3.

It can be downloaded from http://www.freeipa.org/Downloads

== What happened to 2.1.2!? ==

Right after tagging 2.1.2 we found an upgrade issue that would have 
affected any users using the selfsign CA (installed with --selfsign). We 
decided to hold back the release, fix a few more bugs, and just push out 
2.1.3 instead about a week later. So here we are.

== Highlights in 2.1.3 ==

* Enforce that system hostname matches hostname of IPA server.
* Require that /etc/hosts is sane even when configuring DNS.
* Increase default server-side LDAP search limits.
* Client enrollment improvements including longer wait for sssd to 
start, recovery if discovered IPA server is not responsive and when 
anonymous bind is disabled in 389-ds.

== Highlights in 2.1.2 ==

* Upgrade older dogtag installs to use new PKI proxy configuration
* hbactest improvements
* Added platform-independent code to make ipa-client-install more portable
* Make client uninstaller more robust, should restore state more completely.
* UI usability improvements
* Tool for Enabling/Disabling Managed Entry Plugins
* Managed Entries configuration is now replicated
* IPv6 client enrollment improvements
* Man page improvements
* Performance improvements when calculating indirect membership
* Improved handling of disabled anonymous binds in 389-ds
* user is now prompted to enter current password when changing to a new
password
* ipa server now support multiple namingContexts. ipa-client-install and
password migration were fixed

== Upgrading ==

=== Server ===

To upgrade a 2.0.0, 2.0.1 or 2.1.0 server do the following:
  # yum update freeipa-server --enablerepo=updates-testing

This will pull in updated freeIPA, 389-ds, dogtag, libcurl and xmlrpc-c 
packages (and perhaps some others). A script will be executed in the rpm 
postinstall phase to update the IPA LDAP server with any required changes.

There is a bug reported against 389-ds, 
https://bugzilla.redhat.com/show_bug.cgi?id=730387, related to 
read-write locks. The NSPR RW lock implementation does not safely allow 
re-entrant use of reader
locks. This is a timing issue so it is difficult to predict. During 
testing one user experienced this and the upgrade hung. To break the 
hang kill the ns-slapd process for your realm, wait for the yum 
transaction to complete, then restart 389-ds and manually run the update 
process:

  # service dirsrv start
  # ipa-ldap-updater --update

=== Client ===

The ipa-client-install tool in the ipa-client package is just a 
configuration tool. There should be no need to re-run this on every 
client already enrolled.

== Detailed Changelog for 2.1.3 ==

Adam Young (1):
  * Fix dynamic display of UI tabs based on rights

Alexander Bokovoy (8):
  * Increase number of 'getent passwd attempts' to 10
  * Force kerberos realm to be a string
  * Include indirect membership and canonicalize hosts during HBAC rules 
testi
ng
  * Refactor backup_and_replace_hostname() into a flexible config 
modification tool
  * Write KRB5REALM to /etc/sysconfig/krb5kdc and make use of common 
backup_config_and_replace_variables() tool
  * Refactor authconfig use in ipa-client-install
  * Document --preserve-sssd option of ipa-client-install
  * Use set class instead of dictview class as set is wider supported

Jan Cholasta (3):
  * Disallow deletion of global password policy.
  * Don't leak passwords through kdb5_ldap_util command line arguments.
  * Remove more redundant configuration values from krb5.conf.

John Dennis (1):
  * Fix Spanish po translation file

Martin Kosek (12):
  * Improve default user/group object class validation
  * Fix i18n in config plugin
  * Fix dnszone-add name_from_ip server validation
  * Improve handling of GIDs when migrating groups
  * ipa-client-install hangs if the discovered server is unresponsive
  * Optimize member/memberof searches in LDAP
  * Make IPv4 address parsing more strict
  * Check hostname resolution sanity
  * Hostname used by IPA must be a system hostname
  * Check /etc/hosts file in ipa-server-install
  * Fix ipa-client-install -U option alignment
  * Improve hostgroup/netgroup collision checks

Petr Vobornik (2):
  * Added missing fields to password policy page
  * Fixed: Unable to add external user for RunAs User for Sudo rules

Rob Crittenden (12):
  * Fix DNS permissions and membership in privileges
  * Fix upgrades of selfsign server
  * Make ipa-join work against an LDAP server that disallows anon binds
  * Fix has_upg() to work with relocated managed entries configuration.
  * Work around limits not being updatable in 389-ds.
  * Save the value of hostname even if it doesn't appear in 
/etc/sysconfig/network
  * Add explicit instructions to ipa-replica-manage for winsync replication
  * Set min nvr of 389-ds-base to 1.2.10-0.4.a4 for limits fixes 
(740942, 742324)
  * Handle an empty value in a name/value pair in config_replace_variables()
  * Update all LDAP configuration files that we can.
  * If our domain is already configured in sssd.conf start with a new 
config.
  * Fix typo in invalid PTR record error message

Simo Sorce (1):
  * updates: Change default limits on ldap searches

== Detailed Changelog for 2.1.2 ==

Adam Young (4):
  * split metadata call
  * Make mod_nss renegotiation configuration a public function
  * Execute pki proxy setup when server is upgraded if needed
  * Force the upgrade of pki-setup when upgrading the RPMS

Alexander Bokovoy (13):
  * Incorrect name in examples of ipa help hbactest
  * Unroll groups when testing HBAC rules
  * Introduce platform-specific adaptation for services used by FreeIPA.
  * Convert server install code to platform-independent access to system 
services
  * Convert client-side tools to platform-independent access to system 
services
  * Convert installation tools to platform-independent access to system 
services
  * Cleanup whitespace
  * When external host is specified in HBAC rule, allow its use in 
simulation
  * Unroll StrEnum values when displaying help
  * Configure pam_krb5 on the client only if sssd is not configured
  * Setup and restore ntp configuration on the client side properly
  * Fix 'referenced before assignment' warning
  * Before kinit, try to sync time with the NTP servers of the domain we 
are joining

Endi S. Dewata (24):
  * Fixed unit test for entity select widget.
  * Fixed layout problem in permission adder dialog.
  * Fixed sudo rule association dialogs.
  * Fixed missing optional field.
  * Fixed labels for run-as users and groups.
  * Fixed problem opening host adder dialog.
  * Removed entitlement menu.
  * Fixed posix group checkbox.
  * Fixed columns in HBAC/sudo rules list pages.
  * Fixed missing cancel button in unprovisioning dialog.
  * Fixed problem enabling/disabling DNS zone.
  * Fixed problem enrolling member with the same name.
  * Modified dialog to use sections.
  * Removed undo flags from dialog field specs.
  * Fixed problem on combobox with search limit.
  * Fixed problem displaying special characters.
  * Fixed add/delete arrows position.
  * Fixed duplicate entries in enrollment dialog.
  * Updated color scheme.
  * Fixed tab and dialog widths.
  * Disable enroll button if nothing selected.
  * Fixed missing default shell field.
  * I18n clean-up.
  * Disable sudo options Delete button if nothing selected.

JR Aquino (1):
  * Create Tool for Enabling/Disabling Managed Entry Plugins

Jakub Hrozek (1):
  * Silence a compilation warning in ipa_kpasswd

Jan Cholasta (6):
  * Check that install hostname matches the server hostname.
  * Fix client install on IPv6 machines.
  * Fix ipa-replica-prepare always warning the user about not using the 
system hostname.
  * Validate name_from_ip parameter of dnszone.
  * Add a function for formatting network locations of the form 
host:port for use in URLs.
  * Work around pkisilent bugs.

Jr Aquino (1):
  * Move Managed Entries into their own container in the replicated space.

Marko Myllynen (1):
  * Don't remove /tmp when removing temp cert dir

Martin Kosek (21):
  * Improve man pages structure
  * Improve ipa-join man page
  * Fix permissions in installers
  * Fix configure.jar permissions
  * Set bind and bind-dyndb-ldap min nvr
  * Fix pylint false positive in hbactest module
  * ipactl does not stop dirsrv
  * dirsrv is not stopped correctly in the fallback
  * Remove checks for ds-replication plugin
  * Fix /usr/bin/ipa dupled server list
  * Revert "Always require SSL in the Kerberos authorization block."
  * Fix error messages in hbacrule
  * Fix LDAPCreate search failure
  * Fix HBAC tests hostnames
  * ipa-client assumes a single namingcontext
  * migrate process cannot handle multivalued pkey attribute
  * Be more clear about selfsign option
  * Install tools crash when password prompt is interrupted
  * Improve ipa-replica-prepare DNS check
  * Prevent collisions of hostgroup and netgroup
  * Make sure ipa-client-install returns correct error code

Nalin Dahyabhai (2):
  * list users from nested groups, too
  * Update man pages to note that PKCS#12 files also contain private 
keys, and that the "pkinit" options refer to the KDC's credentials

Petr Vobornik (10):
  * Fixed: JavaScript type error in entitlement page
  * Fixed inconsistency in enabling delete buttons
  * Code cleanup: widget creation
  * Fixed: Column header for attributes table should be full width
  * Fixed: Enrolment dialog offers to add entity to reflexive association.
  * Fixed: Some widgets do not have space for validation error message
  * Disables gid field if not posix group in group adder dialog
  * Fixed links to images in config and migration pages
  * Split Web UI initialization to several smaller calls #2
  * Split Web UI initialization to several smaller calls

Rob Crittenden (20):
  * Don't allow a OTP to be set on an enrolled host
  * Remove normalizer that made role, privilege and permission names 
lower-case
  * Improved handling for ipa-pki-proxy.conf
  * The precendence on the modrdn plugin was set in the wrong location.
  * Update ipa-ldap-updater man page saying it is not an end-user utility
  * Skip the cert validator if the csr we are passed in is a valid filename
  * Change the Requires for the server and server-selinux for proper order
  * Suppress managed netgroups as indirect members of hosts.
  * The return value of restorecon is not reliable, ignore it.
  * Normalize uid in user principal to lower-case and do validation
  * Shut down duplicated file handle when HTTP response code is not 200.
  * Don't log one-time password in logs when configuring client.
  * Always require SSL in the Kerberos authorization block.
  * Include failed service and service groups in hbac rule management
  * Add regular expression pattern to host names.
  * Detect CA installation type in ipa-replica-prepare and ipa-ca-install.
  * Require current password when using passwd to change your own password.
  * Migration: don't assume there is only one naming context, add logging.
  * When calculating indirect membership don't test nesting on users and 
hosts.

Simo Sorce (4):
  * ipa-pwd-extop: Fix segfault in password change.
  * ipa-pwd-extop: Enforce old password checks
  * ipa-client-install: Fix joining when LDAP access is restricted
  * replica-prepare: anonymous binds may be disallowed

Sumit Bose (2):
  * Call standard_logging_setup() before any logging is done
  * ipa-pwd-extop: allow password change on all connections with SSF>1

Yuri Chornoivan (1):
  * Fix typos



From mkosek at redhat.com  Wed Oct 19 15:33:45 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 19 Oct 2011 17:33:45 +0200
Subject: [Freeipa-devel] LDAP conflicts resolution API
Message-ID: <1319038426.9647.67.camel@balmora.brq.redhat.com>

Hello all,

I am now investigating how to deal with LDAP conflicts resolution
between replicas. Conflicting LDAP objects may be created if 2 LDAP
objects (users, hosts, etc) with the same DN are created on disconnected
replicas. When the replicas synchronize again, 389-ds renames one of the
objects to something like this:

nsuniqueid=0a950601-435311e0-86a2f5bd-3cd26022+uid=utest,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com

for users OR

fqdn=rhel61-client3.testrelm+nsuniqueid=807bb87f-652211e0-9e848fb2-f0f04a39,cn=computers,cn=accounts,dc=testrelm

for hosts.

Records like this then cannot be handled via IPA commands and can cause
a wide range of problems. There are already 2 tickets filed:

https://fedorahosted.org/freeipa/ticket/1025
https://fedorahosted.org/freeipa/ticket/1174

Since we cannot avoid creating these objects, we can at least help
mitigate the consequences and help user remove the conflicts using our
CLI (or WebUI in the future).

I would like to propose a simple plugin to manage these conflicts:

1) ipa confict-find
This command would find all conflicting LDAP objects using filter
nsds5ReplConflict=*. Since this plugin would work with all LDAP objects
we support, the most straightforward implementation would be to display
raw LDAP data.

I am still thinking if we could make the output prettier by finding what
LDAP object is in conflict (user, host, sudorule) and display the
objects in standard way as we do in ipa user-show, ipa host-show or ipa
sudorule-show. I guess we could identify the conflicting object type by
comparing its parent DN to all known LDAP objects container_dn.

Raw LDAP data output would look like this:

$ ipa conflic-find
-----------------
3 conflicts found
-----------------
dn: nsuniqueid=02631581-fa5f11e0-bb339359-34a214df+uid=utest2,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
mepManagedEntry: cn=utest2,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
displayName: User Test
cn: User Test
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: mepOriginEntry
loginShell: /bin/sh
sn: Test
gecos: User Test
homeDirectory: /home/utest2
krbPwdPolicyReference: cn=global_policy,cn=IDM.LAB.BOS.REDHAT.COM,cn=kerberos,
 dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
krbPrincipalName: utest2 at IDM.LAB.BOS.REDHAT.COM
givenName: User
uid: utest2
initials: UT
uidNumber: 1451000003
gidNumber: 1451000003
ipaUniqueID: 0636d5b6-fa5f-11e0-b85b-00163e6f5efc


dn: nsuniqueid=02631582-fa5f11e0-bb339359-34a214df+cn=utest2,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
description: User private group for utest2
gidNumber: 1451000003
objectClass: posixgroup
objectClass: ipaobject
objectClass: mepManagedEntry
objectClass: top
cn: utest2
mepManagedBy: uid=utest2,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
ipaUniqueID: 0639ee7c-fa5f-11e0-b85b-00163e6f5efc


dn: nsuniqueid=af8a5d81-fa6011e0-bb339359-34a214df+fqdn=foo.example.com,cn=computers,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
cn: foo.example.com
objectClass: ipaobject
objectClass: nshost
objectClass: ipahost
objectClass: pkiuser
objectClass: ipaservice
objectClass: krbprincipalaux
objectClass: krbprincipal
objectClass: top
fqdn: foo.example.com
managedBy: fqdn=foo.example.com,cn=computers,cn=accounts,dc=idm,dc=lab,dc=bos,
 dc=redhat,dc=com
krbPrincipalName: host/foo.example.com at IDM.LAB.BOS.REDHAT.COM
serverHostName: foo
ipaUniqueID: d069dff8-fa60-11e0-874e-00163e6f5efc



User could then copy&paste DNs to manipulate the objects further:

2) ipa conflict-show DN

This command would show chosen conflicting object closer + the original object it conflicts with:

$ ipa conflict-show 'nsuniqueid=02631582-fa5f11e0-bb339359-34a214df+cn=utest2,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com'
dn: fqdn=foo.example.com,cn=computers,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
cn: foo.example.com
objectClass: ipaobject
objectClass: nshost
objectClass: ipahost
objectClass: pkiuser
objectClass: ipaservice
objectClass: krbprincipalaux
objectClass: krbprincipal
objectClass: top
fqdn: foo.example.com
managedBy: fqdn=foo.example.com,cn=computers,cn=accounts,dc=idm,dc=lab,dc=bos,
 dc=redhat,dc=com
krbPrincipalName: host/foo.example.com at IDM.LAB.BOS.REDHAT.COM
serverHostName: foo
ipaUniqueID: 94b378e8-fa60-11e0-867b-00163e2d6a08

dn: nsuniqueid=af8a5d81-fa6011e0-bb339359-34a214df+fqdn=foo.example.com,cn=computers,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
cn: foo.example.com
objectClass: ipaobject
objectClass: nshost
objectClass: ipahost
objectClass: pkiuser
objectClass: ipaservice
objectClass: krbprincipalaux
objectClass: krbprincipal
objectClass: top
fqdn: foo.example.com
managedBy: fqdn=foo.example.com,cn=computers,cn=accounts,dc=idm,dc=lab,dc=bos,
 dc=redhat,dc=com
krbPrincipalName: host/foo.example.com at IDM.LAB.BOS.REDHAT.COM
serverHostName: foo
ipaUniqueID: d069dff8-fa60-11e0-874e-00163e6f5efc


3) When user decides what to do with the conflicting object, he would use the following commands:

ipa conflict-rename DN NEW_RDN

This command would change the conflicting LDAP objects RDN to foo2.example.com:
$ ipa conflict-rename 'nsuniqueid=af8a5d81-fa6011e0-bb339359-34a214df+fqdn=foo.example.com,cn=computers,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com' foo2.example.com

OR

ipa conflict-del DN

This command would delete conflicting LDAP objects altogether:
ipa conflict-del 'nsuniqueid=af8a5d81-fa6011e0-bb339359-34a214df+fqdn=foo.example.com,cn=computers,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com'


Thoughts, comments?

Thank you,
Martin



From simo at redhat.com  Wed Oct 19 15:46:51 2011
From: simo at redhat.com (Simo Sorce)
Date: Wed, 19 Oct 2011 11:46:51 -0400
Subject: [Freeipa-devel] LDAP conflicts resolution API
In-Reply-To: <1319038426.9647.67.camel@balmora.brq.redhat.com>
References: <1319038426.9647.67.camel@balmora.brq.redhat.com>
Message-ID: <1319039211.25154.1.camel@willson.li.ssimo.org>

On Wed, 2011-10-19 at 17:33 +0200, Martin Kosek wrote:
> Hello all,
> 
> I am now investigating how to deal with LDAP conflicts resolution
> between replicas. Conflicting LDAP objects may be created if 2 LDAP
> objects (users, hosts, etc) with the same DN are created on disconnected
> replicas. When the replicas synchronize again, 389-ds renames one of the
> objects to something like this:
> 
> nsuniqueid=0a950601-435311e0-86a2f5bd-3cd26022+uid=utest,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
> 
> for users OR
> 
> fqdn=rhel61-client3.testrelm+nsuniqueid=807bb87f-652211e0-9e848fb2-f0f04a39,cn=computers,cn=accounts,dc=testrelm
> 
> for hosts.
> 
> Records like this then cannot be handled via IPA commands and can cause
> a wide range of problems. There are already 2 tickets filed:
> 
> https://fedorahosted.org/freeipa/ticket/1025
> https://fedorahosted.org/freeipa/ticket/1174
> 
> Since we cannot avoid creating these objects, we can at least help
> mitigate the consequences and help user remove the conflicts using our
> CLI (or WebUI in the future).
> 
> I would like to propose a simple plugin to manage these conflicts:
> 
> 1) ipa confict-find
> This command would find all conflicting LDAP objects using filter
> nsds5ReplConflict=*. Since this plugin would work with all LDAP objects
> we support, the most straightforward implementation would be to display
> raw LDAP data.
> 
> I am still thinking if we could make the output prettier by finding what
> LDAP object is in conflict (user, host, sudorule) and display the
> objects in standard way as we do in ipa user-show, ipa host-show or ipa
> sudorule-show. I guess we could identify the conflicting object type by
> comparing its parent DN to all known LDAP objects container_dn.
> 
> Raw LDAP data output would look like this:
> 
> $ ipa conflic-find
> -----------------
> 3 conflicts found
> -----------------
> dn: nsuniqueid=02631581-fa5f11e0-bb339359-34a214df+uid=utest2,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
> memberOf: cn=ipausers,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
> mepManagedEntry: cn=utest2,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
> displayName: User Test
> cn: User Test
> objectClass: top
> objectClass: person
> objectClass: organizationalperson
> objectClass: inetorgperson
> objectClass: inetuser
> objectClass: posixaccount
> objectClass: krbprincipalaux
> objectClass: krbticketpolicyaux
> objectClass: ipaobject
> objectClass: mepOriginEntry
> loginShell: /bin/sh
> sn: Test
> gecos: User Test
> homeDirectory: /home/utest2
> krbPwdPolicyReference: cn=global_policy,cn=IDM.LAB.BOS.REDHAT.COM,cn=kerberos,
>  dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
> krbPrincipalName: utest2 at IDM.LAB.BOS.REDHAT.COM
> givenName: User
> uid: utest2
> initials: UT
> uidNumber: 1451000003
> gidNumber: 1451000003
> ipaUniqueID: 0636d5b6-fa5f-11e0-b85b-00163e6f5efc
> 
> 
> dn: nsuniqueid=02631582-fa5f11e0-bb339359-34a214df+cn=utest2,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
> description: User private group for utest2
> gidNumber: 1451000003
> objectClass: posixgroup
> objectClass: ipaobject
> objectClass: mepManagedEntry
> objectClass: top
> cn: utest2
> mepManagedBy: uid=utest2,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
> ipaUniqueID: 0639ee7c-fa5f-11e0-b85b-00163e6f5efc
> 
> 
> dn: nsuniqueid=af8a5d81-fa6011e0-bb339359-34a214df+fqdn=foo.example.com,cn=computers,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
> cn: foo.example.com
> objectClass: ipaobject
> objectClass: nshost
> objectClass: ipahost
> objectClass: pkiuser
> objectClass: ipaservice
> objectClass: krbprincipalaux
> objectClass: krbprincipal
> objectClass: top
> fqdn: foo.example.com
> managedBy: fqdn=foo.example.com,cn=computers,cn=accounts,dc=idm,dc=lab,dc=bos,
>  dc=redhat,dc=com
> krbPrincipalName: host/foo.example.com at IDM.LAB.BOS.REDHAT.COM
> serverHostName: foo
> ipaUniqueID: d069dff8-fa60-11e0-874e-00163e6f5efc
> 
> 
> 
> User could then copy&paste DNs to manipulate the objects further:
> 
> 2) ipa conflict-show DN
> 
> This command would show chosen conflicting object closer + the original object it conflicts with:
> 
> $ ipa conflict-show 'nsuniqueid=02631582-fa5f11e0-bb339359-34a214df+cn=utest2,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com'
> dn: fqdn=foo.example.com,cn=computers,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
> cn: foo.example.com
> objectClass: ipaobject
> objectClass: nshost
> objectClass: ipahost
> objectClass: pkiuser
> objectClass: ipaservice
> objectClass: krbprincipalaux
> objectClass: krbprincipal
> objectClass: top
> fqdn: foo.example.com
> managedBy: fqdn=foo.example.com,cn=computers,cn=accounts,dc=idm,dc=lab,dc=bos,
>  dc=redhat,dc=com
> krbPrincipalName: host/foo.example.com at IDM.LAB.BOS.REDHAT.COM
> serverHostName: foo
> ipaUniqueID: 94b378e8-fa60-11e0-867b-00163e2d6a08
> 
> dn: nsuniqueid=af8a5d81-fa6011e0-bb339359-34a214df+fqdn=foo.example.com,cn=computers,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
> cn: foo.example.com
> objectClass: ipaobject
> objectClass: nshost
> objectClass: ipahost
> objectClass: pkiuser
> objectClass: ipaservice
> objectClass: krbprincipalaux
> objectClass: krbprincipal
> objectClass: top
> fqdn: foo.example.com
> managedBy: fqdn=foo.example.com,cn=computers,cn=accounts,dc=idm,dc=lab,dc=bos,
>  dc=redhat,dc=com
> krbPrincipalName: host/foo.example.com at IDM.LAB.BOS.REDHAT.COM
> serverHostName: foo
> ipaUniqueID: d069dff8-fa60-11e0-874e-00163e6f5efc
> 
> 
> 3) When user decides what to do with the conflicting object, he would use the following commands:
> 
> ipa conflict-rename DN NEW_RDN
> 
> This command would change the conflicting LDAP objects RDN to foo2.example.com:
> $ ipa conflict-rename 'nsuniqueid=af8a5d81-fa6011e0-bb339359-34a214df+fqdn=foo.example.com,cn=computers,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com' foo2.example.com
> 
> OR
> 
> ipa conflict-del DN
> 
> This command would delete conflicting LDAP objects altogether:
> ipa conflict-del 'nsuniqueid=af8a5d81-fa6011e0-bb339359-34a214df+fqdn=foo.example.com,cn=computers,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com'
> 
> 
> Thoughts, comments?

Sounds good to me.
But I wonder if we can tell DS to create/move these conflicting objects
into a cn=conflicts subtree by means of configuration ?

It would certainly cause some entries to "disappear", but it would also
prevent some of the issues with have those entries.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



From rmeggins at redhat.com  Wed Oct 19 15:51:42 2011
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 19 Oct 2011 09:51:42 -0600
Subject: [Freeipa-devel] LDAP conflicts resolution API
In-Reply-To: <1319039211.25154.1.camel@willson.li.ssimo.org>
References: <1319038426.9647.67.camel@balmora.brq.redhat.com>
	<1319039211.25154.1.camel@willson.li.ssimo.org>
Message-ID: <4E9EF20E.8090603@redhat.com>

On 10/19/2011 09:46 AM, Simo Sorce wrote:
> On Wed, 2011-10-19 at 17:33 +0200, Martin Kosek wrote:
>> Hello all,
>>
>> I am now investigating how to deal with LDAP conflicts resolution
>> between replicas. Conflicting LDAP objects may be created if 2 LDAP
>> objects (users, hosts, etc) with the same DN are created on disconnected
>> replicas. When the replicas synchronize again, 389-ds renames one of the
>> objects to something like this:
>>
>> nsuniqueid=0a950601-435311e0-86a2f5bd-3cd26022+uid=utest,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
>>
>> for users OR
>>
>> fqdn=rhel61-client3.testrelm+nsuniqueid=807bb87f-652211e0-9e848fb2-f0f04a39,cn=computers,cn=accounts,dc=testrelm
>>
>> for hosts.
>>
>> Records like this then cannot be handled via IPA commands and can cause
>> a wide range of problems. There are already 2 tickets filed:
>>
>> https://fedorahosted.org/freeipa/ticket/1025
>> https://fedorahosted.org/freeipa/ticket/1174
>>
>> Since we cannot avoid creating these objects, we can at least help
>> mitigate the consequences and help user remove the conflicts using our
>> CLI (or WebUI in the future).
>>
>> I would like to propose a simple plugin to manage these conflicts:
>>
>> 1) ipa confict-find
>> This command would find all conflicting LDAP objects using filter
>> nsds5ReplConflict=*. Since this plugin would work with all LDAP objects
>> we support, the most straightforward implementation would be to display
>> raw LDAP data.
>>
>> I am still thinking if we could make the output prettier by finding what
>> LDAP object is in conflict (user, host, sudorule) and display the
>> objects in standard way as we do in ipa user-show, ipa host-show or ipa
>> sudorule-show. I guess we could identify the conflicting object type by
>> comparing its parent DN to all known LDAP objects container_dn.
>>
>> Raw LDAP data output would look like this:
>>
>> $ ipa conflic-find
>> -----------------
>> 3 conflicts found
>> -----------------
>> dn: nsuniqueid=02631581-fa5f11e0-bb339359-34a214df+uid=utest2,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
>> memberOf: cn=ipausers,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
>> mepManagedEntry: cn=utest2,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
>> displayName: User Test
>> cn: User Test
>> objectClass: top
>> objectClass: person
>> objectClass: organizationalperson
>> objectClass: inetorgperson
>> objectClass: inetuser
>> objectClass: posixaccount
>> objectClass: krbprincipalaux
>> objectClass: krbticketpolicyaux
>> objectClass: ipaobject
>> objectClass: mepOriginEntry
>> loginShell: /bin/sh
>> sn: Test
>> gecos: User Test
>> homeDirectory: /home/utest2
>> krbPwdPolicyReference: cn=global_policy,cn=IDM.LAB.BOS.REDHAT.COM,cn=kerberos,
>>   dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
>> krbPrincipalName: utest2 at IDM.LAB.BOS.REDHAT.COM
>> givenName: User
>> uid: utest2
>> initials: UT
>> uidNumber: 1451000003
>> gidNumber: 1451000003
>> ipaUniqueID: 0636d5b6-fa5f-11e0-b85b-00163e6f5efc
>>
>>
>> dn: nsuniqueid=02631582-fa5f11e0-bb339359-34a214df+cn=utest2,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
>> description: User private group for utest2
>> gidNumber: 1451000003
>> objectClass: posixgroup
>> objectClass: ipaobject
>> objectClass: mepManagedEntry
>> objectClass: top
>> cn: utest2
>> mepManagedBy: uid=utest2,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
>> ipaUniqueID: 0639ee7c-fa5f-11e0-b85b-00163e6f5efc
>>
>>
>> dn: nsuniqueid=af8a5d81-fa6011e0-bb339359-34a214df+fqdn=foo.example.com,cn=computers,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
>> cn: foo.example.com
>> objectClass: ipaobject
>> objectClass: nshost
>> objectClass: ipahost
>> objectClass: pkiuser
>> objectClass: ipaservice
>> objectClass: krbprincipalaux
>> objectClass: krbprincipal
>> objectClass: top
>> fqdn: foo.example.com
>> managedBy: fqdn=foo.example.com,cn=computers,cn=accounts,dc=idm,dc=lab,dc=bos,
>>   dc=redhat,dc=com
>> krbPrincipalName: host/foo.example.com at IDM.LAB.BOS.REDHAT.COM
>> serverHostName: foo
>> ipaUniqueID: d069dff8-fa60-11e0-874e-00163e6f5efc
>>
>>
>>
>> User could then copy&paste DNs to manipulate the objects further:
>>
>> 2) ipa conflict-show DN
>>
>> This command would show chosen conflicting object closer + the original object it conflicts with:
>>
>> $ ipa conflict-show 'nsuniqueid=02631582-fa5f11e0-bb339359-34a214df+cn=utest2,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com'
>> dn: fqdn=foo.example.com,cn=computers,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
>> cn: foo.example.com
>> objectClass: ipaobject
>> objectClass: nshost
>> objectClass: ipahost
>> objectClass: pkiuser
>> objectClass: ipaservice
>> objectClass: krbprincipalaux
>> objectClass: krbprincipal
>> objectClass: top
>> fqdn: foo.example.com
>> managedBy: fqdn=foo.example.com,cn=computers,cn=accounts,dc=idm,dc=lab,dc=bos,
>>   dc=redhat,dc=com
>> krbPrincipalName: host/foo.example.com at IDM.LAB.BOS.REDHAT.COM
>> serverHostName: foo
>> ipaUniqueID: 94b378e8-fa60-11e0-867b-00163e2d6a08
>>
>> dn: nsuniqueid=af8a5d81-fa6011e0-bb339359-34a214df+fqdn=foo.example.com,cn=computers,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
>> cn: foo.example.com
>> objectClass: ipaobject
>> objectClass: nshost
>> objectClass: ipahost
>> objectClass: pkiuser
>> objectClass: ipaservice
>> objectClass: krbprincipalaux
>> objectClass: krbprincipal
>> objectClass: top
>> fqdn: foo.example.com
>> managedBy: fqdn=foo.example.com,cn=computers,cn=accounts,dc=idm,dc=lab,dc=bos,
>>   dc=redhat,dc=com
>> krbPrincipalName: host/foo.example.com at IDM.LAB.BOS.REDHAT.COM
>> serverHostName: foo
>> ipaUniqueID: d069dff8-fa60-11e0-874e-00163e6f5efc
>>
>>
>> 3) When user decides what to do with the conflicting object, he would use the following commands:
>>
>> ipa conflict-rename DN NEW_RDN
>>
>> This command would change the conflicting LDAP objects RDN to foo2.example.com:
>> $ ipa conflict-rename 'nsuniqueid=af8a5d81-fa6011e0-bb339359-34a214df+fqdn=foo.example.com,cn=computers,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com' foo2.example.com
>>
>> OR
>>
>> ipa conflict-del DN
>>
>> This command would delete conflicting LDAP objects altogether:
>> ipa conflict-del 'nsuniqueid=af8a5d81-fa6011e0-bb339359-34a214df+fqdn=foo.example.com,cn=computers,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com'
>>
>>
>> Thoughts, comments?
> Sounds good to me.
> But I wonder if we can tell DS to create/move these conflicting objects
> into a cn=conflicts subtree by means of configuration ?
Not automatically, no.
> It would certainly cause some entries to "disappear", but it would also
> prevent some of the issues with have those entries.
>
> Simo.
>



From ayoung at redhat.com  Wed Oct 19 19:38:42 2011
From: ayoung at redhat.com (Adam Young)
Date: Wed, 19 Oct 2011 15:38:42 -0400
Subject: [Freeipa-devel] [PATCH] 120 Improve DNS record data validation
In-Reply-To: <1319026515.9647.13.camel@balmora.brq.redhat.com>
References: <1315400728.12548.12.camel@dhcp-25-52.brq.redhat.com>
	<1315401507.12548.14.camel@dhcp-25-52.brq.redhat.com>
	<1319026515.9647.13.camel@balmora.brq.redhat.com>
Message-ID: <4E9F2742.3020109@redhat.com>

On 10/19/2011 08:15 AM, Martin Kosek wrote:
> On Wed, 2011-09-07 at 15:18 +0200, Martin Kosek wrote:
>> On Wed, 2011-09-07 at 15:05 +0200, Martin Kosek wrote:
>>> This is 3.0 Core Effort Backlog patch.
>>>
>>> The changes to API may look scary, but it should be OK, I just added
>>> validators and normalizers. I found a lot of RR types unsupported by
>>> bind-dyndb-ldap. I implemented a validator telling this information to
>>> the user. I think the message is more user-friendly than the previous
>>> LDAP schema error.
>>>
>>> Enjoy the RFCs! :-)
>>>
>>> Martin
>>>
>>> ---
>>> Implement missing validators for DNS RR types so that we can capture
>>> at least basic user errors. Additionally, a normalizer creating
>>> a fully-qualified domain name has been implemented for several RRs
>>> to prevent this common user error.
>>>
>>> https://fedorahosted.org/freeipa/ticket/1106
>>>
>> I noticed a typo in format description for LOC record validation. A
>> fixed patch attached.
>>
>> Martin
> Rebased for current master.
>
> This patch is still waiting for review. As I would like to base my next
> DNS work (structured DNS commands) on this patch I would like to have it
> reviewed soon.
>
> Thanks,
> Martin
>
>
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel


I've just given it a visual review, but it looks right.  Probably should 
have some unit tests to go with it for some of the more commonly used types.




-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111019/8b2bc382/attachment.htm>

From mkosek at redhat.com  Thu Oct 20 06:22:44 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 20 Oct 2011 08:22:44 +0200
Subject: [Freeipa-devel] LDAP conflicts resolution API
In-Reply-To: <4E9EF20E.8090603@redhat.com>
References: <1319038426.9647.67.camel@balmora.brq.redhat.com>
	<1319039211.25154.1.camel@willson.li.ssimo.org>
	<4E9EF20E.8090603@redhat.com>
Message-ID: <1319091766.28616.3.camel@balmora.brq.redhat.com>

On Wed, 2011-10-19 at 09:51 -0600, Rich Megginson wrote:
> On 10/19/2011 09:46 AM, Simo Sorce wrote:
> > On Wed, 2011-10-19 at 17:33 +0200, Martin Kosek wrote:
> >> Hello all,
> >>
> >> I am now investigating how to deal with LDAP conflicts resolution
> >> between replicas. Conflicting LDAP objects may be created if 2 LDAP
> >> objects (users, hosts, etc) with the same DN are created on disconnected
> >> replicas. When the replicas synchronize again, 389-ds renames one of the
> >> objects to something like this:
> >>
> >> nsuniqueid=0a950601-435311e0-86a2f5bd-3cd26022+uid=utest,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
> >>
> >> for users OR
> >>
> >> fqdn=rhel61-client3.testrelm+nsuniqueid=807bb87f-652211e0-9e848fb2-f0f04a39,cn=computers,cn=accounts,dc=testrelm
> >>
> >> for hosts.
> >>
> >> Records like this then cannot be handled via IPA commands and can cause
> >> a wide range of problems. There are already 2 tickets filed:
> >>
> >> https://fedorahosted.org/freeipa/ticket/1025
> >> https://fedorahosted.org/freeipa/ticket/1174
> >>
> >> Since we cannot avoid creating these objects, we can at least help
> >> mitigate the consequences and help user remove the conflicts using our
> >> CLI (or WebUI in the future).
> >>
> >> I would like to propose a simple plugin to manage these conflicts:
> >>
> >> 1) ipa confict-find
> >> This command would find all conflicting LDAP objects using filter
> >> nsds5ReplConflict=*. Since this plugin would work with all LDAP objects
> >> we support, the most straightforward implementation would be to display
> >> raw LDAP data.
> >>
> >> I am still thinking if we could make the output prettier by finding what
> >> LDAP object is in conflict (user, host, sudorule) and display the
> >> objects in standard way as we do in ipa user-show, ipa host-show or ipa
> >> sudorule-show. I guess we could identify the conflicting object type by
> >> comparing its parent DN to all known LDAP objects container_dn.
> >>
> >> Raw LDAP data output would look like this:
> >>
> >> $ ipa conflic-find
> >> -----------------
> >> 3 conflicts found
> >> -----------------
> >> dn: nsuniqueid=02631581-fa5f11e0-bb339359-34a214df+uid=utest2,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
> >> memberOf: cn=ipausers,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
> >> mepManagedEntry: cn=utest2,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
> >> displayName: User Test
> >> cn: User Test
> >> objectClass: top
> >> objectClass: person
> >> objectClass: organizationalperson
> >> objectClass: inetorgperson
> >> objectClass: inetuser
> >> objectClass: posixaccount
> >> objectClass: krbprincipalaux
> >> objectClass: krbticketpolicyaux
> >> objectClass: ipaobject
> >> objectClass: mepOriginEntry
> >> loginShell: /bin/sh
> >> sn: Test
> >> gecos: User Test
> >> homeDirectory: /home/utest2
> >> krbPwdPolicyReference: cn=global_policy,cn=IDM.LAB.BOS.REDHAT.COM,cn=kerberos,
> >>   dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
> >> krbPrincipalName: utest2 at IDM.LAB.BOS.REDHAT.COM
> >> givenName: User
> >> uid: utest2
> >> initials: UT
> >> uidNumber: 1451000003
> >> gidNumber: 1451000003
> >> ipaUniqueID: 0636d5b6-fa5f-11e0-b85b-00163e6f5efc
> >>
> >>
> >> dn: nsuniqueid=02631582-fa5f11e0-bb339359-34a214df+cn=utest2,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
> >> description: User private group for utest2
> >> gidNumber: 1451000003
> >> objectClass: posixgroup
> >> objectClass: ipaobject
> >> objectClass: mepManagedEntry
> >> objectClass: top
> >> cn: utest2
> >> mepManagedBy: uid=utest2,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
> >> ipaUniqueID: 0639ee7c-fa5f-11e0-b85b-00163e6f5efc
> >>
> >>
> >> dn: nsuniqueid=af8a5d81-fa6011e0-bb339359-34a214df+fqdn=foo.example.com,cn=computers,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
> >> cn: foo.example.com
> >> objectClass: ipaobject
> >> objectClass: nshost
> >> objectClass: ipahost
> >> objectClass: pkiuser
> >> objectClass: ipaservice
> >> objectClass: krbprincipalaux
> >> objectClass: krbprincipal
> >> objectClass: top
> >> fqdn: foo.example.com
> >> managedBy: fqdn=foo.example.com,cn=computers,cn=accounts,dc=idm,dc=lab,dc=bos,
> >>   dc=redhat,dc=com
> >> krbPrincipalName: host/foo.example.com at IDM.LAB.BOS.REDHAT.COM
> >> serverHostName: foo
> >> ipaUniqueID: d069dff8-fa60-11e0-874e-00163e6f5efc
> >>
> >>
> >>
> >> User could then copy&paste DNs to manipulate the objects further:
> >>
> >> 2) ipa conflict-show DN
> >>
> >> This command would show chosen conflicting object closer + the original object it conflicts with:
> >>
> >> $ ipa conflict-show 'nsuniqueid=02631582-fa5f11e0-bb339359-34a214df+cn=utest2,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com'
> >> dn: fqdn=foo.example.com,cn=computers,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
> >> cn: foo.example.com
> >> objectClass: ipaobject
> >> objectClass: nshost
> >> objectClass: ipahost
> >> objectClass: pkiuser
> >> objectClass: ipaservice
> >> objectClass: krbprincipalaux
> >> objectClass: krbprincipal
> >> objectClass: top
> >> fqdn: foo.example.com
> >> managedBy: fqdn=foo.example.com,cn=computers,cn=accounts,dc=idm,dc=lab,dc=bos,
> >>   dc=redhat,dc=com
> >> krbPrincipalName: host/foo.example.com at IDM.LAB.BOS.REDHAT.COM
> >> serverHostName: foo
> >> ipaUniqueID: 94b378e8-fa60-11e0-867b-00163e2d6a08
> >>
> >> dn: nsuniqueid=af8a5d81-fa6011e0-bb339359-34a214df+fqdn=foo.example.com,cn=computers,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
> >> cn: foo.example.com
> >> objectClass: ipaobject
> >> objectClass: nshost
> >> objectClass: ipahost
> >> objectClass: pkiuser
> >> objectClass: ipaservice
> >> objectClass: krbprincipalaux
> >> objectClass: krbprincipal
> >> objectClass: top
> >> fqdn: foo.example.com
> >> managedBy: fqdn=foo.example.com,cn=computers,cn=accounts,dc=idm,dc=lab,dc=bos,
> >>   dc=redhat,dc=com
> >> krbPrincipalName: host/foo.example.com at IDM.LAB.BOS.REDHAT.COM
> >> serverHostName: foo
> >> ipaUniqueID: d069dff8-fa60-11e0-874e-00163e6f5efc
> >>
> >>
> >> 3) When user decides what to do with the conflicting object, he would use the following commands:
> >>
> >> ipa conflict-rename DN NEW_RDN
> >>
> >> This command would change the conflicting LDAP objects RDN to foo2.example.com:
> >> $ ipa conflict-rename 'nsuniqueid=af8a5d81-fa6011e0-bb339359-34a214df+fqdn=foo.example.com,cn=computers,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com' foo2.example.com
> >>
> >> OR
> >>
> >> ipa conflict-del DN
> >>
> >> This command would delete conflicting LDAP objects altogether:
> >> ipa conflict-del 'nsuniqueid=af8a5d81-fa6011e0-bb339359-34a214df+fqdn=foo.example.com,cn=computers,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com'
> >>
> >>
> >> Thoughts, comments?
> > Sounds good to me.
> > But I wonder if we can tell DS to create/move these conflicting objects
> > into a cn=conflicts subtree by means of configuration ?
> Not automatically, no.

So maybe a new DS plugin should do the trick? We would just have to
store original DN to some attribute if we want to enable user to just
rename the conflicting object to its original location.

Martin

> > It would certainly cause some entries to "disappear", but it would also
> > prevent some of the issues with have those entries.
> >
> > Simo.
> >
> 




From lars at radicore.se  Thu Oct 20 08:26:47 2011
From: lars at radicore.se (=?ISO-8859-1?Q?Lars_Sj=F6str=F6m?=)
Date: Thu, 20 Oct 2011 10:26:47 +0200
Subject: [Freeipa-devel] [PATCH] Add kerberos mapping for clients outside
	the IPA domain
Message-ID: <CABRVYG6WsZu6EeOcW4m5jJLjgR2cL+M16ptWEPiXT36p_ooyFw@mail.gmail.com>

Hello,

Proposed patch for bug https://fedorahosted.org/freeipa/ticket/2006

Best regards,
Lars
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Add-kerberos-mapping-for-clients-outside-the-IPA-dom.patch
Type: text/x-patch
Size: 2853 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111020/ec4dc8ec/attachment.bin>

From jcholast at redhat.com  Thu Oct 20 11:20:35 2011
From: jcholast at redhat.com (Jan Cholasta)
Date: Thu, 20 Oct 2011 13:20:35 +0200
Subject: [Freeipa-devel] [PATCH] 55 Parse comma-separated lists of values in
 all parameter types
Message-ID: <4EA00403.9060703@redhat.com>

Parse comma-separated lists of values in all parameter types. This can 
enabled for a specific parameter by setting the "csvlist" option to True.

Remove List parameter type and replace all occurences with Str with 
csvlist enabled.

https://fedorahosted.org/freeipa/ticket/2007

This change will be useful for 
https://fedorahosted.org/freeipa/ticket/1487 and 
https://fedorahosted.org/freeipa/ticket/1847

Unit tests show no regressions.

Honza

-- 
Jan Cholasta
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-55-comma-separated-list.patch
Type: text/x-patch
Size: 175837 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111020/7e44cb0b/attachment.bin>

From jdennis at redhat.com  Thu Oct 20 11:58:03 2011
From: jdennis at redhat.com (John Dennis)
Date: Thu, 20 Oct 2011 07:58:03 -0400
Subject: [Freeipa-devel] [PATCH 51/51] Ticket 1201 - Unable to Download
 Certificate with Browser
Message-ID: <201110201158.p9KBw34n008437@int-mx02.intmail.prod.int.phx2.redhat.com>

Certificates are passed through the IPA XML-RPC and JSON as binary
data in DER X509 format. Queries peformed against the LDAP server
also return binary DER X509 format. In all cases the binary DER
data is base-64 encoded.

PEM is standard text format for certificates. It also uses base64 to
encode the binary DER data, but had specific formatting
requirements. The base64 data must be wrapped inside PEM delimiters
and the base64 data must be line wrapped at 64 characters.

Most external software which accepts certificates as input will only
accept DER or PEM format (e.g. openssl & NSS). Although base64 is
closely related to PEM it is not PEM unless the PEM delimters are
present and the base64 data is line wrapped at 64 characters.

We already convert binary DER certificates which have been passed as
base64 in other parts of the IPA code. However this conversion has not
been available in the web UI. When the web UI presented certificates
it did so by filling a dialog box with a single line of base64 data. A
user could not copy this data and use it as input to openssl or NSS
for example.

We resolve this problem by introducing new javascript functions in
certificate.js. IPA.cert.pem_cert_format(text) will examine the text
input and if it's already in PEM format just return it unmodified,
otherwise it will line wrap the base64 data and add the PEM
delimiters. Thus it is safe to call on either a previously formated
PEM cert or a binary DER cert encoded as base64. This applies to
pem_csr_format() as well for CSR's.

Because pem_cert_format() is safe to call on either format the web UI
will see the use of the flag add_pem_delimiters was eliminated except
in the one case where the IPA.cert.download_dialog() was being abused
to display PKCS12 binary data (pkcs12 is neither a cert nor a cert
request). Because of the abuse of the cert.download_dialog() for
pkcs12 it was necessary to retain the flag which in effect said "do
not treat the data as PEM".

Modify the CSR (Certificate Signing Request) dialog box to accept a
PEM formatted CSR. Remove the artifical PEM delimiters above and below
the dialog box which were used to suggest the input needed to be sans
the delimiters. The dialog box continues to accept bare base64 thus
allowing either text format.

Also note this solves the display of certificate data in the UI
without touching anything existing code in the server or command line,
thus it's isolated.

--
John Dennis <jdennis at redhat.com>

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0051-Ticket-1201-Unable-to-Download-Certificate-with-Brow.patch
Type: text/x-patch
Size: 10051 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111020/009a3e9e/attachment.bin>

From pvoborni at redhat.com  Thu Oct 20 13:09:51 2011
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 20 Oct 2011 15:09:51 +0200
Subject: [Freeipa-devel] Nesting widgets
In-Reply-To: <4E9ED74D.2020902@redhat.com>
References: <4E83BE0F.2020502@redhat.com> <4E9ED74D.2020902@redhat.com>
Message-ID: <4EA01D9F.60705@redhat.com>

Replying for the third mail of original thread (its content is on the 
end of this mail)) as it brought some thoughts.

I like the idea of composite pattern.

As I'm working on #1515 (Sudo, HBAC refactoring) I used this concept 
because sudo rule details facet uses a lot of code repetition to 
implement minor changes.

Attaching a WIP patch for with these changes:

Transforming details_section to composite_widget. The term section 
remained and sections are considered as top level widgets which serves 
for for conceptual separation in details facet(headers, folding...)

I introduced there a concept of update_info. It's an object containing 
changes in widgets. At the moment update_info consists of changes in 
fields - array of field_info  (corresponds to save(record) method) and 
array of commands. Changes in fields are used for classic entity-mod 
operation. The commands can be used for specific operations like 
enabling rules, deleting members etc. In order to use it I have created 
a new implementation of details_facet (needs to be named). The old one 
remains to be backward compatible.
  During update method call parents widget are responsible for obtaining 
and returning changes of their children or they can modify it and return 
some specific commands. New details facet execute it in a single or 
batch command (depending on the presence of fields, commands or both).

In the patch is an example how it can benefit - refactored Sudo Rules 
details facet.

There is also a slight modification of save(record) method which allows 
to fill record even from composite widgets.

Original thread:
On 10/04/2011 03:34 PM, Adam Young wrote:
 > Great input Petr, thanks for the thoughtful comments. Comments inline
 >
 >
 > On 10/04/2011 07:56 AM, Petr Vobornik wrote:
 >> On 09/29/2011 02:38 AM, Adam Young wrote:
 >>> So I decided to try to get an IP Address widget working. See the
 >>> attached patch. It was fairly trivial.
 >>>
 >>> However, this widget is not really all that useful by itself. It would
 >>> need to work as a part of a multivalued_text widget in order to replace
 >>> the widget used on the dnsrecord page. And looking at the multivalued
 >>> text widget, I think you will agree that is going to be tricky.
 >>
 >> I think we can create an extend point for validation logic (EG
 >> validator object in field's spec) instead of inheriting the widget.
 >
 > Interesting concept. Yes, this would work too, and solve the issue for
 > IP addresses validation. But there are places where we may want to
 > validate only a single IP address, and we may end up with code
 > duplication, although more likely they will both just call the same
 > utility function.
 >
 >>
 >>>
 >>> The problem is that we don't really have the API set up for nesting.
 >>> This has burnt us on the Sections as well as making more complex
 >>> widgets. Usually, instead of reusing the widgets we have, it is easier
 >>> to go straight to the HTML.
 >>>
 >>> I think the crux comes from the 1-1 mapping between widgets and fields
 >>> of the request/result JSON. For widget it is: load(record) and the load
 >>> command knows how to find the value it needs inside the record. For
 >>> save, on the other hand, it just returns the values it needs.
 >>>
 >>>
 >>> In order to make the widget scheme more nestable, the section
 >>> section.load and save can do more work, such as scoping down the piece
 >>> of the request record to just that portion required by the widget.
 >>> Bascially, it can do what widget.load does, just externally
 >>
 >> I don't think this would help. This would limit the widget. Currently
 >> most widget works with the record.[widget name]. But we can override
 >> load and save method to break the 1:1 mapping between widget and
 >> record. Widget can consist of several widgets and supply them custom
 >> record object (it can assume that the simple widget would fetch the
 >> value of its name. The name is defined by the master widget (no
 >> problem here).)
 >>
 >> The concept you mentioned could be beneficial if we abandon flat
 >> records and introduce structured ones. But I think there is no will
 >> for it. Event then I don't know if sections should be responsible for
 >> this. It's not their purpose.
 >
 > Records are already structured, just that by the time we get to the
 > individual fields, they tend to be flat. But the record is JSON and is a
 > tree structure.
 >
 > But I like what you are saying. I agree that the interface for Widget
 > and Section should be the same. Right now Section is:
 > that.save = function(record) {};
 > that.load = function(record) {);
 >
 > and load is
 > that.load = function(record) {};
 > that.save = function() {};
 >
 >
 > It is this last function that needs to be changed, but it will have far
 > reaching effects. We use save to extract the value or values from the
 > field for many uses. I think we can do this: For all widgets, rename
 > save() to get_value(); and then add a save(record) method that calls
 > get_value(); Then widget and record have the same interface, which is a
 > big first step.
 >
 >
 >>
 >> Another (maybe bigger) problem is layout. For multivalued textbox with
 >> IP address widget one of the problems can be the placement (or even
 >> behaviour) of 'undo' and 'error-link'. Possible solution could be:
 >> specifying container for these parts by its container - the containing
 >> widget could control where they would be rendered. Another one can be
 >> API notification of the state change (no visual by the widget itself)
 >> and handling it by the parent widget.
 >>
 >> For more layout demanding widgets section layout can be limiting (like
 >> in host adder dialog which force to implement custom section instead
 >> of widget). Which in my opinion is bad, but we don't have any other
 >> solution for this yet. I think there is a ticket for it.
 >
 > Perhaps for more complex widgets, we can extract the layout into its own
 > object, and pass it to the constructore. We'll provide one by default,
 > but allow overloading.
 >
 >
 >>
 >>>
 >>>
 >>> var value = record[that.name];
 >>> if (value instanceof Array) {
 >>> widget.values = value;
 >>> } else {
 >>> widget.values = value ? [value] : [];
 >>> }
 >>>
 >>> widget.writable = true;
 >>>
 >>> if (widget.param_info) {
 >>> if (widget.param_info.primary_key) {
 >>> widget.writable = false;
 >>> }
 >>>
 >>> if (widget.param_info.flags && 'no_update' in that.param_info.flags) {
 >>> widget.writable = false;
 >>> }
 >>> }
 >>>
 >>> if (widget.record.attributelevelrights) {
 >>> var rights = that.record.attributelevelrights[that.name];
 >>> if (!rights || rights.indexOf('w') < 0) {
 >>> widget.writable = false;
 >>> }
 >>> }
 >>>
 >>>
 >>> This seems to break encapsulation, but I think it might be the right
 >>> level of abstraction. We can make this code reusable by other sections
 >>> by calling it something like section.widget_load.
 >>>
 >>> load then becomes nothing more than a call to reset for most widgets.
 >>> But, for the widgets that need nesting, or that need additional
 >>> rendering logic (like select) we still have a place for them to over
 >>> ride it. I think it is telling that most of the overridden load
 >>> functions still cal the parent function first. I thik that is an
 >>> indicator that what we have can be refactored.
 >>
 >>>
 >>>
 >>> Looking through widget.js, I'd say that most of the widgets can be
 >>> safely redone this way. Text_area.load looks suspect, it should probbly
 >>> be using the load functionality from the base class. table_widget will
 >>> need some thought, but I think it will work is the value is set as an
 >>> array, and then the code is called.
 >>>
 >>> if (that.values) {
 >>> for (var i=0; i<that.values.length; i++) {
 >>> var record = that.get_record(result, i);
 >>> that.add_record(record);
 >>> }
 >>> }
 >>> that.unselect_all();
 >>>
 >>>
 >>> I think that the save functions be OK as is. the multivalue save should
 >>> be able to work with the result of calling sae from each individual 
text
 >>> area.
 >> Agree
 >>>
 >>>
 >>> So where would this help us. DNS records is probably the big one. With
 >>> users, we might have to store multiple keys or certificates. We don't
 >>> currently validate email addresses, and we could there. It would
 >>> probably simplify the code for ACIs, but there really is no reason to
 >>> put effort in to reworking that for its own sake.
 >>>
 >>>
 >>>
 >>> The other possibility is that we could redo the multivalue widget as a
 >>> section. I know we've done that else where. On the user page, the Email
 >>> addresses and phone numbers would then each go into their own
 >>> section....or we leave the multivlue widget there, but apply this
 >>> approach else where. For DNS records, this means that each record type
 >>> would basically become its own section. I don't favor this 
approach, but
 >>> I could buy the argument that redoing the widget API is too much work.
 >>
 >> What is the purpose of sections? It seems to me, that the main idea
 >> was to separate fields by their meaning with appropriate header. Not
 >> to define custom layouts for individual fields.
 >>
 >>
 > What you are seeing is the evolution of the concept. Section was
 > originally the grouping mechanism we used for the User page to allow us
 > to collapse and expand a group of fields together. We hijacked the
 > concept in the ACI Permissions pages when we needed a way to group the
 > set of fields based on the permission type. The major difference in
 > abstractions is that Widget is a single field out of the record, and a
 > section is agroup of fields. That split is, I think what is holding us
 > back. I thin we can make Section a widget, and create a scheme for
 > nesting widgets to get to an implementation of the composite pattern,
 > and have a much more usable abstraction.

-- 
Petr Vobornik
-------------- next part --------------
A non-text attachment was scrubbed...
Name: wip-freeipa-pvoborni-0002-WIP-Code-cleanup-of-HBAC-Sudo-rules.patch
Type: text/x-patch
Size: 63072 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111020/d372db0c/attachment.bin>

From nkinder at redhat.com  Thu Oct 20 14:18:21 2011
From: nkinder at redhat.com (Nathan Kinder)
Date: Thu, 20 Oct 2011 07:18:21 -0700
Subject: [Freeipa-devel] LDAP conflicts resolution API
In-Reply-To: <1319091766.28616.3.camel@balmora.brq.redhat.com>
References: <1319038426.9647.67.camel@balmora.brq.redhat.com>	
	<1319039211.25154.1.camel@willson.li.ssimo.org>	
	<4E9EF20E.8090603@redhat.com>
	<1319091766.28616.3.camel@balmora.brq.redhat.com>
Message-ID: <4EA02DAD.5000500@redhat.com>

On 10/19/2011 11:22 PM, Martin Kosek wrote:
> On Wed, 2011-10-19 at 09:51 -0600, Rich Megginson wrote:
>> On 10/19/2011 09:46 AM, Simo Sorce wrote:
>>> On Wed, 2011-10-19 at 17:33 +0200, Martin Kosek wrote:
>>>> Hello all,
>>>>
>>>> I am now investigating how to deal with LDAP conflicts resolution
>>>> between replicas. Conflicting LDAP objects may be created if 2 LDAP
>>>> objects (users, hosts, etc) with the same DN are created on disconnected
>>>> replicas. When the replicas synchronize again, 389-ds renames one of the
>>>> objects to something like this:
>>>>
>>>> nsuniqueid=0a950601-435311e0-86a2f5bd-3cd26022+uid=utest,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
>>>>
>>>> for users OR
>>>>
>>>> fqdn=rhel61-client3.testrelm+nsuniqueid=807bb87f-652211e0-9e848fb2-f0f04a39,cn=computers,cn=accounts,dc=testrelm
>>>>
>>>> for hosts.
>>>>
>>>> Records like this then cannot be handled via IPA commands and can cause
>>>> a wide range of problems. There are already 2 tickets filed:
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/1025
>>>> https://fedorahosted.org/freeipa/ticket/1174
>>>>
>>>> Since we cannot avoid creating these objects, we can at least help
>>>> mitigate the consequences and help user remove the conflicts using our
>>>> CLI (or WebUI in the future).
>>>>
>>>> I would like to propose a simple plugin to manage these conflicts:
>>>>
>>>> 1) ipa confict-find
>>>> This command would find all conflicting LDAP objects using filter
>>>> nsds5ReplConflict=*. Since this plugin would work with all LDAP objects
>>>> we support, the most straightforward implementation would be to display
>>>> raw LDAP data.
>>>>
>>>> I am still thinking if we could make the output prettier by finding what
>>>> LDAP object is in conflict (user, host, sudorule) and display the
>>>> objects in standard way as we do in ipa user-show, ipa host-show or ipa
>>>> sudorule-show. I guess we could identify the conflicting object type by
>>>> comparing its parent DN to all known LDAP objects container_dn.
>>>>
>>>> Raw LDAP data output would look like this:
>>>>
>>>> $ ipa conflic-find
>>>> -----------------
>>>> 3 conflicts found
>>>> -----------------
>>>> dn: nsuniqueid=02631581-fa5f11e0-bb339359-34a214df+uid=utest2,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
>>>> memberOf: cn=ipausers,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
>>>> mepManagedEntry: cn=utest2,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
>>>> displayName: User Test
>>>> cn: User Test
>>>> objectClass: top
>>>> objectClass: person
>>>> objectClass: organizationalperson
>>>> objectClass: inetorgperson
>>>> objectClass: inetuser
>>>> objectClass: posixaccount
>>>> objectClass: krbprincipalaux
>>>> objectClass: krbticketpolicyaux
>>>> objectClass: ipaobject
>>>> objectClass: mepOriginEntry
>>>> loginShell: /bin/sh
>>>> sn: Test
>>>> gecos: User Test
>>>> homeDirectory: /home/utest2
>>>> krbPwdPolicyReference: cn=global_policy,cn=IDM.LAB.BOS.REDHAT.COM,cn=kerberos,
>>>>    dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
>>>> krbPrincipalName: utest2 at IDM.LAB.BOS.REDHAT.COM
>>>> givenName: User
>>>> uid: utest2
>>>> initials: UT
>>>> uidNumber: 1451000003
>>>> gidNumber: 1451000003
>>>> ipaUniqueID: 0636d5b6-fa5f-11e0-b85b-00163e6f5efc
>>>>
>>>>
>>>> dn: nsuniqueid=02631582-fa5f11e0-bb339359-34a214df+cn=utest2,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
>>>> description: User private group for utest2
>>>> gidNumber: 1451000003
>>>> objectClass: posixgroup
>>>> objectClass: ipaobject
>>>> objectClass: mepManagedEntry
>>>> objectClass: top
>>>> cn: utest2
>>>> mepManagedBy: uid=utest2,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
>>>> ipaUniqueID: 0639ee7c-fa5f-11e0-b85b-00163e6f5efc
>>>>
>>>>
>>>> dn: nsuniqueid=af8a5d81-fa6011e0-bb339359-34a214df+fqdn=foo.example.com,cn=computers,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
>>>> cn: foo.example.com
>>>> objectClass: ipaobject
>>>> objectClass: nshost
>>>> objectClass: ipahost
>>>> objectClass: pkiuser
>>>> objectClass: ipaservice
>>>> objectClass: krbprincipalaux
>>>> objectClass: krbprincipal
>>>> objectClass: top
>>>> fqdn: foo.example.com
>>>> managedBy: fqdn=foo.example.com,cn=computers,cn=accounts,dc=idm,dc=lab,dc=bos,
>>>>    dc=redhat,dc=com
>>>> krbPrincipalName: host/foo.example.com at IDM.LAB.BOS.REDHAT.COM
>>>> serverHostName: foo
>>>> ipaUniqueID: d069dff8-fa60-11e0-874e-00163e6f5efc
>>>>
>>>>
>>>>
>>>> User could then copy&paste DNs to manipulate the objects further:
>>>>
>>>> 2) ipa conflict-show DN
>>>>
>>>> This command would show chosen conflicting object closer + the original object it conflicts with:
>>>>
>>>> $ ipa conflict-show 'nsuniqueid=02631582-fa5f11e0-bb339359-34a214df+cn=utest2,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com'
>>>> dn: fqdn=foo.example.com,cn=computers,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
>>>> cn: foo.example.com
>>>> objectClass: ipaobject
>>>> objectClass: nshost
>>>> objectClass: ipahost
>>>> objectClass: pkiuser
>>>> objectClass: ipaservice
>>>> objectClass: krbprincipalaux
>>>> objectClass: krbprincipal
>>>> objectClass: top
>>>> fqdn: foo.example.com
>>>> managedBy: fqdn=foo.example.com,cn=computers,cn=accounts,dc=idm,dc=lab,dc=bos,
>>>>    dc=redhat,dc=com
>>>> krbPrincipalName: host/foo.example.com at IDM.LAB.BOS.REDHAT.COM
>>>> serverHostName: foo
>>>> ipaUniqueID: 94b378e8-fa60-11e0-867b-00163e2d6a08
>>>>
>>>> dn: nsuniqueid=af8a5d81-fa6011e0-bb339359-34a214df+fqdn=foo.example.com,cn=computers,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
>>>> cn: foo.example.com
>>>> objectClass: ipaobject
>>>> objectClass: nshost
>>>> objectClass: ipahost
>>>> objectClass: pkiuser
>>>> objectClass: ipaservice
>>>> objectClass: krbprincipalaux
>>>> objectClass: krbprincipal
>>>> objectClass: top
>>>> fqdn: foo.example.com
>>>> managedBy: fqdn=foo.example.com,cn=computers,cn=accounts,dc=idm,dc=lab,dc=bos,
>>>>    dc=redhat,dc=com
>>>> krbPrincipalName: host/foo.example.com at IDM.LAB.BOS.REDHAT.COM
>>>> serverHostName: foo
>>>> ipaUniqueID: d069dff8-fa60-11e0-874e-00163e6f5efc
>>>>
>>>>
>>>> 3) When user decides what to do with the conflicting object, he would use the following commands:
>>>>
>>>> ipa conflict-rename DN NEW_RDN
>>>>
>>>> This command would change the conflicting LDAP objects RDN to foo2.example.com:
>>>> $ ipa conflict-rename 'nsuniqueid=af8a5d81-fa6011e0-bb339359-34a214df+fqdn=foo.example.com,cn=computers,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com' foo2.example.com
>>>>
>>>> OR
>>>>
>>>> ipa conflict-del DN
>>>>
>>>> This command would delete conflicting LDAP objects altogether:
>>>> ipa conflict-del 'nsuniqueid=af8a5d81-fa6011e0-bb339359-34a214df+fqdn=foo.example.com,cn=computers,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com'
>>>>
>>>>
>>>> Thoughts, comments?
>>> Sounds good to me.
>>> But I wonder if we can tell DS to create/move these conflicting objects
>>> into a cn=conflicts subtree by means of configuration ?
>> Not automatically, no.
> So maybe a new DS plugin should do the trick? We would just have to
> store original DN to some attribute if we want to enable user to just
> rename the conflicting object to its original location.
No, I think an RFE to change the existing replication plug-in to allow 
an alternate conflict area would be best.  Simo and I had discussed this 
possibility a long time back.  We would allow one to configure a suffix 
to put conflicts in to prevent them from being in the tree that clients use.
> Martin
>
>>> It would certainly cause some entries to "disappear", but it would also
>>> prevent some of the issues with have those entries.
>>>
>>> Simo.
>>>
>



From edewata at redhat.com  Thu Oct 20 14:20:18 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 20 Oct 2011 12:20:18 -0200
Subject: [Freeipa-devel] [PATCH] Fixed dependency problem in UI test.
Message-ID: <4EA02E22.1080709@redhat.com>

Pushed to master under one-liner/trivial rule.

-- 
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0294-Fixed-dependency-problem-in-UI-test.patch
Type: text/x-patch
Size: 1058 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111020/816caefd/attachment.bin>

From mkosek at redhat.com  Thu Oct 20 14:57:48 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 20 Oct 2011 16:57:48 +0200
Subject: [Freeipa-devel] LDAP conflicts resolution API
In-Reply-To: <4EA02DAD.5000500@redhat.com>
References: <1319038426.9647.67.camel@balmora.brq.redhat.com>
	<1319039211.25154.1.camel@willson.li.ssimo.org>
	<4E9EF20E.8090603@redhat.com>
	<1319091766.28616.3.camel@balmora.brq.redhat.com>
	<4EA02DAD.5000500@redhat.com>
Message-ID: <1319122673.5310.15.camel@balmora.brq.redhat.com>

On Thu, 2011-10-20 at 07:18 -0700, Nathan Kinder wrote:
> On 10/19/2011 11:22 PM, Martin Kosek wrote:
> > On Wed, 2011-10-19 at 09:51 -0600, Rich Megginson wrote:
> >> On 10/19/2011 09:46 AM, Simo Sorce wrote:
> >>> On Wed, 2011-10-19 at 17:33 +0200, Martin Kosek wrote:
...
> >>>>
> >>>> 3) When user decides what to do with the conflicting object, he would use the following commands:
> >>>>
> >>>> ipa conflict-rename DN NEW_RDN
> >>>>
> >>>> This command would change the conflicting LDAP objects RDN to foo2.example.com:
> >>>> $ ipa conflict-rename 'nsuniqueid=af8a5d81-fa6011e0-bb339359-34a214df+fqdn=foo.example.com,cn=computers,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com' foo2.example.com
> >>>>
> >>>> OR
> >>>>
> >>>> ipa conflict-del DN
> >>>>
> >>>> This command would delete conflicting LDAP objects altogether:
> >>>> ipa conflict-del 'nsuniqueid=af8a5d81-fa6011e0-bb339359-34a214df+fqdn=foo.example.com,cn=computers,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com'
> >>>>
> >>>>
> >>>> Thoughts, comments?
> >>> Sounds good to me.
> >>> But I wonder if we can tell DS to create/move these conflicting objects
> >>> into a cn=conflicts subtree by means of configuration ?
> >> Not automatically, no.
> > So maybe a new DS plugin should do the trick? We would just have to
> > store original DN to some attribute if we want to enable user to just
> > rename the conflicting object to its original location.
> No, I think an RFE to change the existing replication plug-in to allow 
> an alternate conflict area would be best.  Simo and I had discussed this 
> possibility a long time back.  We would allow one to configure a suffix 
> to put conflicts in to prevent them from being in the tree that clients use.

I already implemented the conflict-find, conflict-show and
conflict-rename commands. But I really like your idea. Conflicts can
cause quite unpredictable effects for the user. Not every user can be
experienced enough to guess the replication conflicts cause that issues
and use the new conflict-* commands to fix it.

If all conflicts are stored to a special suffix, the end user experience
will be much better. I can adapt new commands so that user can manage
the conflicts when he get to it without side effects other ipa commands.

Nathan, do you think you will be able to implement this change for RHEL
6.3.0? I can create a RFE bugzilla.

Thanks,
Martin

> > Martin
> >
> >>> It would certainly cause some entries to "disappear", but it would also
> >>> prevent some of the issues with have those entries.
> >>>
> >>> Simo.
> >>>
> >
> 




From pvoborni at redhat.com  Thu Oct 20 15:03:20 2011
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 20 Oct 2011 17:03:20 +0200
Subject: [Freeipa-devel] [PATCH] 023 Circular entity dependency
In-Reply-To: <4E9DC480.6030408@redhat.com>
References: <4E92E17B.7040701@redhat.com> <4E9C928D.90209@redhat.com>
	<4E9D76A6.5070301@redhat.com> <4E9DC480.6030408@redhat.com>
Message-ID: <4EA03838.1000908@redhat.com>

Fix for regression in unit test, introduced by previous patch.

-- 
Petr Vobornik
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0027-Fixing-infinite-loop-in-UI-navigation-unit-test.patch
Type: text/x-patch
Size: 1366 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111020/c8b1e6a2/attachment.bin>

From edewata at redhat.com  Thu Oct 20 15:19:20 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 20 Oct 2011 13:19:20 -0200
Subject: [Freeipa-devel] [PATCH] 023 Circular entity dependency
In-Reply-To: <4EA03838.1000908@redhat.com>
References: <4E92E17B.7040701@redhat.com> <4E9C928D.90209@redhat.com>
	<4E9D76A6.5070301@redhat.com> <4E9DC480.6030408@redhat.com>
	<4EA03838.1000908@redhat.com>
Message-ID: <4EA03BF8.3030506@redhat.com>

On 10/20/2011 1:03 PM, Petr Vobornik wrote:
> Fix for regression in unit test, introduced by previous patch.

ACK and pushed to master.

-- 
Endi S. Dewata



From nkinder at redhat.com  Thu Oct 20 15:34:41 2011
From: nkinder at redhat.com (Nathan Kinder)
Date: Thu, 20 Oct 2011 08:34:41 -0700
Subject: [Freeipa-devel] LDAP conflicts resolution API
In-Reply-To: <1319122673.5310.15.camel@balmora.brq.redhat.com>
References: <1319038426.9647.67.camel@balmora.brq.redhat.com>		
	<1319039211.25154.1.camel@willson.li.ssimo.org>		
	<4E9EF20E.8090603@redhat.com>	
	<1319091766.28616.3.camel@balmora.brq.redhat.com>	
	<4EA02DAD.5000500@redhat.com>
	<1319122673.5310.15.camel@balmora.brq.redhat.com>
Message-ID: <4EA03F91.1010903@redhat.com>

On 10/20/2011 07:57 AM, Martin Kosek wrote:
> On Thu, 2011-10-20 at 07:18 -0700, Nathan Kinder wrote:
>> On 10/19/2011 11:22 PM, Martin Kosek wrote:
>>> On Wed, 2011-10-19 at 09:51 -0600, Rich Megginson wrote:
>>>> On 10/19/2011 09:46 AM, Simo Sorce wrote:
>>>>> On Wed, 2011-10-19 at 17:33 +0200, Martin Kosek wrote:
> ...
>>>>>> 3) When user decides what to do with the conflicting object, he would use the following commands:
>>>>>>
>>>>>> ipa conflict-rename DN NEW_RDN
>>>>>>
>>>>>> This command would change the conflicting LDAP objects RDN to foo2.example.com:
>>>>>> $ ipa conflict-rename 'nsuniqueid=af8a5d81-fa6011e0-bb339359-34a214df+fqdn=foo.example.com,cn=computers,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com' foo2.example.com
>>>>>>
>>>>>> OR
>>>>>>
>>>>>> ipa conflict-del DN
>>>>>>
>>>>>> This command would delete conflicting LDAP objects altogether:
>>>>>> ipa conflict-del 'nsuniqueid=af8a5d81-fa6011e0-bb339359-34a214df+fqdn=foo.example.com,cn=computers,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com'
>>>>>>
>>>>>>
>>>>>> Thoughts, comments?
>>>>> Sounds good to me.
>>>>> But I wonder if we can tell DS to create/move these conflicting objects
>>>>> into a cn=conflicts subtree by means of configuration ?
>>>> Not automatically, no.
>>> So maybe a new DS plugin should do the trick? We would just have to
>>> store original DN to some attribute if we want to enable user to just
>>> rename the conflicting object to its original location.
>> No, I think an RFE to change the existing replication plug-in to allow
>> an alternate conflict area would be best.  Simo and I had discussed this
>> possibility a long time back.  We would allow one to configure a suffix
>> to put conflicts in to prevent them from being in the tree that clients use.
> I already implemented the conflict-find, conflict-show and
> conflict-rename commands. But I really like your idea. Conflicts can
> cause quite unpredictable effects for the user. Not every user can be
> experienced enough to guess the replication conflicts cause that issues
> and use the new conflict-* commands to fix it.
>
> If all conflicts are stored to a special suffix, the end user experience
> will be much better. I can adapt new commands so that user can manage
> the conflicts when he get to it without side effects other ipa commands.
>
> Nathan, do you think you will be able to implement this change for RHEL
> 6.3.0? I can create a RFE bugzilla.
Go ahead and create the RFE bug against 389.  We will discuss it in our 
weekly DS bug triage on Monday to determine the timeline.
> Thanks,
> Martin
>
>>> Martin
>>>
>>>>> It would certainly cause some entries to "disappear", but it would also
>>>>> prevent some of the issues with have those entries.
>>>>>
>>>>> Simo.
>>>>>
>



From simo at redhat.com  Thu Oct 20 17:24:32 2011
From: simo at redhat.com (Simo Sorce)
Date: Thu, 20 Oct 2011 13:24:32 -0400
Subject: [Freeipa-devel] LDAP conflicts resolution API
In-Reply-To: <4EA02DAD.5000500@redhat.com>
References: <1319038426.9647.67.camel@balmora.brq.redhat.com>
	<1319039211.25154.1.camel@willson.li.ssimo.org>
	<4E9EF20E.8090603@redhat.com>
	<1319091766.28616.3.camel@balmora.brq.redhat.com>
	<4EA02DAD.5000500@redhat.com>
Message-ID: <1319131472.25154.134.camel@willson.li.ssimo.org>

On Thu, 2011-10-20 at 07:18 -0700, Nathan Kinder wrote:
> >>> But I wonder if we can tell DS to create/move these conflicting
> objects
> >>> into a cn=conflicts subtree by means of configuration ?
> >> Not automatically, no.
> > So maybe a new DS plugin should do the trick? We would just have to
> > store original DN to some attribute if we want to enable user to
> just
> > rename the conflicting object to its original location.
> No, I think an RFE to change the existing replication plug-in to
> allow 
> an alternate conflict area would be best.  Simo and I had discussed
> this 
> possibility a long time back.  We would allow one to configure a
> suffix 
> to put conflicts in to prevent them from being in the tree that
> clients use. 

Yep, Martin please open a 389ds RFE.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



From edewata at redhat.com  Thu Oct 20 19:35:37 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 20 Oct 2011 17:35:37 -0200
Subject: [Freeipa-devel] [PATCH] 295 Fixed inconsistent required/optional
	attributes.
Message-ID: <4EA07809.2000709@redhat.com>

The dialogs and details pages have been modified to use the * symbol
to mark required fields. The automount map and the DNS zone dialogs
have been modified to update the required fields according to the
input type.

Ticket #1696

-- 
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0295-Fixed-inconsistent-required-optional-attributes.patch
Type: text/x-patch
Size: 36426 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111020/6d1c99e7/attachment.bin>

From mkosek at redhat.com  Thu Oct 20 20:09:44 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 20 Oct 2011 22:09:44 +0200
Subject: [Freeipa-devel] LDAP conflicts resolution API
In-Reply-To: <4EA03F91.1010903@redhat.com>
References: <1319038426.9647.67.camel@balmora.brq.redhat.com>
	<1319039211.25154.1.camel@willson.li.ssimo.org>
	<4E9EF20E.8090603@redhat.com>
	<1319091766.28616.3.camel@balmora.brq.redhat.com>
	<4EA02DAD.5000500@redhat.com>
	<1319122673.5310.15.camel@balmora.brq.redhat.com>
	<4EA03F91.1010903@redhat.com>
Message-ID: <1319141387.2291.0.camel@priserak>

On Thu, 2011-10-20 at 08:34 -0700, Nathan Kinder wrote:
> On 10/20/2011 07:57 AM, Martin Kosek wrote:
> > On Thu, 2011-10-20 at 07:18 -0700, Nathan Kinder wrote:
> >> On 10/19/2011 11:22 PM, Martin Kosek wrote:
> >>> On Wed, 2011-10-19 at 09:51 -0600, Rich Megginson wrote:
> >>>> On 10/19/2011 09:46 AM, Simo Sorce wrote:
> >>>>> On Wed, 2011-10-19 at 17:33 +0200, Martin Kosek wrote:
> > ...
> >>>>>> 3) When user decides what to do with the conflicting object, he would use the following commands:
> >>>>>>
> >>>>>> ipa conflict-rename DN NEW_RDN
> >>>>>>
> >>>>>> This command would change the conflicting LDAP objects RDN to foo2.example.com:
> >>>>>> $ ipa conflict-rename 'nsuniqueid=af8a5d81-fa6011e0-bb339359-34a214df+fqdn=foo.example.com,cn=computers,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com' foo2.example.com
> >>>>>>
> >>>>>> OR
> >>>>>>
> >>>>>> ipa conflict-del DN
> >>>>>>
> >>>>>> This command would delete conflicting LDAP objects altogether:
> >>>>>> ipa conflict-del 'nsuniqueid=af8a5d81-fa6011e0-bb339359-34a214df+fqdn=foo.example.com,cn=computers,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com'
> >>>>>>
> >>>>>>
> >>>>>> Thoughts, comments?
> >>>>> Sounds good to me.
> >>>>> But I wonder if we can tell DS to create/move these conflicting objects
> >>>>> into a cn=conflicts subtree by means of configuration ?
> >>>> Not automatically, no.
> >>> So maybe a new DS plugin should do the trick? We would just have to
> >>> store original DN to some attribute if we want to enable user to just
> >>> rename the conflicting object to its original location.
> >> No, I think an RFE to change the existing replication plug-in to allow
> >> an alternate conflict area would be best.  Simo and I had discussed this
> >> possibility a long time back.  We would allow one to configure a suffix
> >> to put conflicts in to prevent them from being in the tree that clients use.
> > I already implemented the conflict-find, conflict-show and
> > conflict-rename commands. But I really like your idea. Conflicts can
> > cause quite unpredictable effects for the user. Not every user can be
> > experienced enough to guess the replication conflicts cause that issues
> > and use the new conflict-* commands to fix it.
> >
> > If all conflicts are stored to a special suffix, the end user experience
> > will be much better. I can adapt new commands so that user can manage
> > the conflicts when he get to it without side effects other ipa commands.
> >
> > Nathan, do you think you will be able to implement this change for RHEL
> > 6.3.0? I can create a RFE bugzilla.
> Go ahead and create the RFE bug against 389.  We will discuss it in our 
> weekly DS bug triage on Monday to determine the timeline.

https://bugzilla.redhat.com/show_bug.cgi?id=747701

Thanks,
Martin

> > Thanks,
> > Martin
> >
> >>> Martin
> >>>
> >>>>> It would certainly cause some entries to "disappear", but it would also
> >>>>> prevent some of the issues with have those entries.
> >>>>>
> >>>>> Simo.
> >>>>>
> >
> 




From mkosek at redhat.com  Fri Oct 21 09:32:54 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 21 Oct 2011 11:32:54 +0200
Subject: [Freeipa-devel] [PATCH] Add kerberos mapping for clients
 outside the IPA domain
In-Reply-To: <CABRVYG6WsZu6EeOcW4m5jJLjgR2cL+M16ptWEPiXT36p_ooyFw@mail.gmail.com>
References: <CABRVYG6WsZu6EeOcW4m5jJLjgR2cL+M16ptWEPiXT36p_ooyFw@mail.gmail.com>
Message-ID: <1319189576.20112.4.camel@balmora.brq.redhat.com>

On Thu, 2011-10-20 at 10:26 +0200, Lars Sj?str?m wrote:
> Hello,
> 
> Proposed patch for bug https://fedorahosted.org/freeipa/ticket/2006
> 
> Best regards,
> Lars

Hello Lars,

thank you for your investigation of the problem and the patch!

I had to refactor the patch a little, your patch updated just the
temporary krb5.conf, not the one put permanently to /etc/krb5.conf.

I also moved DNS update before the certmonger is being configured.
Otherwise certmonger may fail because the client does not have proper
DNS record.

Patch attached.

Martin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-154-fix-client-krb5-domain-mapping-and-dns.patch
Type: text/x-patch
Size: 4167 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111021/03158c4b/attachment.bin>

From abokovoy at redhat.com  Fri Oct 21 10:11:11 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Fri, 21 Oct 2011 13:11:11 +0300
Subject: [Freeipa-devel] [PATCH] Add kerberos mapping for clients
 outside the IPA domain
In-Reply-To: <1319189576.20112.4.camel@balmora.brq.redhat.com>
References: <CABRVYG6WsZu6EeOcW4m5jJLjgR2cL+M16ptWEPiXT36p_ooyFw@mail.gmail.com>
	<1319189576.20112.4.camel@balmora.brq.redhat.com>
Message-ID: <20111021101110.GA16631@redhat.com>

On Fri, 21 Oct 2011, Martin Kosek wrote:
> On Thu, 2011-10-20 at 10:26 +0200, Lars Sj?str?m wrote:
> > Proposed patch for bug https://fedorahosted.org/freeipa/ticket/2006
> thank you for your investigation of the problem and the patch!
> 
> I had to refactor the patch a little, your patch updated just the
> temporary krb5.conf, not the one put permanently to /etc/krb5.conf.
> 
> I also moved DNS update before the certmonger is being configured.
> Otherwise certmonger may fail because the client does not have proper
> DNS record.
> 
> Patch attached.
ACK. It took me a while but hostname is ensured to be FQDN by the 
point we do that dangerous hostname[where is the dot+1:] operation. :)

-- 
/ Alexander Bokovoy



From pvoborni at redhat.com  Fri Oct 21 11:40:21 2011
From: pvoborni at redhat.com (Petr Vobornik)
Date: Fri, 21 Oct 2011 13:40:21 +0200
Subject: [Freeipa-devel] [PATCH] 295 Fixed inconsistent
 required/optional attributes.
In-Reply-To: <4EA07809.2000709@redhat.com>
References: <4EA07809.2000709@redhat.com>
Message-ID: <4EA15A25.70003@redhat.com>

On 10/20/2011 09:35 PM, Endi Sukma Dewata wrote:
> The dialogs and details pages have been modified to use the * symbol
> to mark required fields. The automount map and the DNS zone dialogs
> have been modified to update the required fields according to the
> input type.
>
> Ticket #1696
>

1) Wouldn't be better if the asterisk has different color than the 
label? Visually I don't like it that much and I think it can be 
overlook. Attaching a proposition. I used green IPAish color because red 
usually means error.

Code from browser how it was done:

<td class="section-cell-label" title="First name"><label 
name="givenname" class="field-label">First name:</label><span 
class="required" style="
     float:  right;
     font-weight: bold;
     color: #319016;
     font-size: 20px;
" title="required">*</span></td>

(style should be moved to css file)


<div style="line-height: 25px;"><span class="required" style="
     font-weight: bold;
     color: #319016;
     font-size: 20px;
     vertical-align: middle;
">*</span> required</div>

It may vary on the section type.

2) When rendering label, we should also obtain field input's id (if 
possible) for 'for' attribute of <label>. This can be done separately.

3) Should we create some common pure html widgets with certain 
semantics? IE asterisk shouldn't be directly concatenated with label 
text. It is used on more than one place which may cause maintenance issues.

IPA.form(or some other name).required_indicator = function() {
	return '*'	
};

in this case this seems unnecessary. But if the required indicator was 
like in 1) it will be useful.


Summary:
All 3 points are nice to have. If you think is not necessary then ACK.

This patch is also fixing https://fedorahosted.org/freeipa/ticket/1973 .

-- 
Petr Vobornik
-------------- next part --------------
A non-text attachment was scrubbed...
Name: required-field.png
Type: image/png
Size: 8210 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111021/1be6d1f7/attachment.png>

From lars at radicore.se  Fri Oct 21 11:57:47 2011
From: lars at radicore.se (=?ISO-8859-1?Q?Lars_Sj=F6str=F6m?=)
Date: Fri, 21 Oct 2011 13:57:47 +0200
Subject: [Freeipa-devel] [PATCH] Add kerberos mapping for clients
 outside the IPA domain
In-Reply-To: <20111021101110.GA16631@redhat.com>
References: <CABRVYG6WsZu6EeOcW4m5jJLjgR2cL+M16ptWEPiXT36p_ooyFw@mail.gmail.com>
	<1319189576.20112.4.camel@balmora.brq.redhat.com>
	<20111021101110.GA16631@redhat.com>
Message-ID: <CABRVYG5V5nYswrcWpcXW-mtc-rA-7QUy0x55w7inD1xhOwbrdw@mail.gmail.com>

Excellent! Thanks guys! Still a chance that this can be backported
into rhel6.2 release?

Best regards,
Lars

2011/10/21 Alexander Bokovoy <abokovoy at redhat.com>:
> On Fri, 21 Oct 2011, Martin Kosek wrote:
>> On Thu, 2011-10-20 at 10:26 +0200, Lars Sj?str?m wrote:
>> > Proposed patch for bug https://fedorahosted.org/freeipa/ticket/2006
>> thank you for your investigation of the problem and the patch!
>>
>> I had to refactor the patch a little, your patch updated just the
>> temporary krb5.conf, not the one put permanently to /etc/krb5.conf.
>>
>> I also moved DNS update before the certmonger is being configured.
>> Otherwise certmonger may fail because the client does not have proper
>> DNS record.
>>
>> Patch attached.
> ACK. It took me a while but hostname is ensured to be FQDN by the
> point we do that dangerous hostname[where is the dot+1:] operation. :)
>
> --
> / Alexander Bokovoy
>



-- 
Lars Sj?str?m
Senior Consultant / Owner
Radicore AB
Mobile:?+46 (0)703 021502
Email:?lars at radicore.se
Web:?http://www.radicore.se



From mkosek at redhat.com  Fri Oct 21 12:58:48 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 21 Oct 2011 14:58:48 +0200
Subject: [Freeipa-devel] [PATCH] Add kerberos mapping for clients
 outside the IPA domain
In-Reply-To: <CABRVYG5V5nYswrcWpcXW-mtc-rA-7QUy0x55w7inD1xhOwbrdw@mail.gmail.com>
References: <CABRVYG6WsZu6EeOcW4m5jJLjgR2cL+M16ptWEPiXT36p_ooyFw@mail.gmail.com>
	<1319189576.20112.4.camel@balmora.brq.redhat.com>
	<20111021101110.GA16631@redhat.com>
	<CABRVYG5V5nYswrcWpcXW-mtc-rA-7QUy0x55w7inD1xhOwbrdw@mail.gmail.com>
Message-ID: <1319201930.20112.10.camel@balmora.brq.redhat.com>

Hello Lars,

that's the plan.

I pushed the patch to master, ipa-2-1 and set up flags for the BZ so
that we can get it to Snapshot 4.

Martin

On Fri, 2011-10-21 at 13:57 +0200, Lars Sj?str?m wrote:
> Excellent! Thanks guys! Still a chance that this can be backported
> into rhel6.2 release?
> 
> Best regards,
> Lars
> 
> 2011/10/21 Alexander Bokovoy <abokovoy at redhat.com>:
> > On Fri, 21 Oct 2011, Martin Kosek wrote:
> >> On Thu, 2011-10-20 at 10:26 +0200, Lars Sj?str?m wrote:
> >> > Proposed patch for bug https://fedorahosted.org/freeipa/ticket/2006
> >> thank you for your investigation of the problem and the patch!
> >>
> >> I had to refactor the patch a little, your patch updated just the
> >> temporary krb5.conf, not the one put permanently to /etc/krb5.conf.
> >>
> >> I also moved DNS update before the certmonger is being configured.
> >> Otherwise certmonger may fail because the client does not have proper
> >> DNS record.
> >>
> >> Patch attached.
> > ACK. It took me a while but hostname is ensured to be FQDN by the
> > point we do that dangerous hostname[where is the dot+1:] operation. :)
> >
> > --
> > / Alexander Bokovoy
> >
> 
> 
> 




From rcritten at redhat.com  Fri Oct 21 14:32:17 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 21 Oct 2011 10:32:17 -0400
Subject: [Freeipa-devel] [PATCH] 0029 hbactest fails while you have
 svcgroup in hbacrule
In-Reply-To: <20111016212815.GA9413@redhat.com>
References: <20111016212815.GA9413@redhat.com>
Message-ID: <4EA18271.2090301@redhat.com>

Alexander Bokovoy wrote:
> Hi,
>
> attached patch should fix ticket 1988. This is currently last known
> bug in hbactest and should be safe to add to 2.1.3 (even though it is
> targetting 2.1.4 milestone).
>
> Tested using rules similar to the ones in the ticket description and
> also with --service=<service group>  (where service group is the group
> specified in the rule), as well as negative cases.
>
> https://fedorahosted.org/freeipa/ticket/1988

ack, pushed to ipa-2-1 and master

rob



From rcritten at redhat.com  Fri Oct 21 15:31:29 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 21 Oct 2011 11:31:29 -0400
Subject: [Freeipa-devel] [PATCH] 151 Add --zonemgr validator
In-Reply-To: <1318835375.26757.2.camel@balmora.brq.redhat.com>
References: <1318585856.9468.7.camel@balmora.brq.redhat.com>
	<4E987B52.4060700@redhat.com>
	<1318835375.26757.2.camel@balmora.brq.redhat.com>
Message-ID: <4EA19051.6070206@redhat.com>

Martin Kosek wrote:
> On Fri, 2011-10-14 at 14:11 -0400, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> Do at least a basic validation of DNS zone manager mail address.
>>>
>>> Do not require '@' to be in the mail address as it is not used
>>> in common DNS zone configuration (in bind for example) and people
>>> may be used to configure it that way. '@' is always removed by the
>>> installer before the DNS zone is created.
>>>
>>> https://fedorahosted.org/freeipa/ticket/1966
>>
>> There is already a zonemgr_callback defined for this option, can the
>> verify_zonemgr call be either integrated or called from that?
>>
>> rob
>>
>
> Right. Please, try this one. I also added a parser error when more than
> one '@' is in the checked value.
>
> Martin

A couple of things:

In the block where you are counting @ why not add an :

else:
     raise ValueError('address is not fully qualified')

rather than looking for '.' in the result? I think it will be clearer 
that way. I wonder if the error should contain an example as well, are 
people going to know what a fully-qualified means?

The regex is very strict for e-mail addresses, perhaps too much so. It 
doesn't allow upper-case characters, periods or _, both of which are 
allowed in login names. A common e-mail format is first.last at domain.

rob



From edewata at redhat.com  Fri Oct 21 15:32:14 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 21 Oct 2011 13:32:14 -0200
Subject: [Freeipa-devel] [PATCH 51/51] Ticket 1201 - Unable to Download
 Certificate with Browser
In-Reply-To: <201110201158.p9KBw34n008437@int-mx02.intmail.prod.int.phx2.redhat.com>
References: <201110201158.p9KBw34n008437@int-mx02.intmail.prod.int.phx2.redhat.com>
Message-ID: <4EA1907E.4060901@redhat.com>

On 10/20/2011 9:58 AM, John Dennis wrote:
>

ACK, fixed jslint warnings, pushed to master and ipa-2-1.

-- 
Endi S. Dewata



From rcritten at redhat.com  Fri Oct 21 15:35:14 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 21 Oct 2011 11:35:14 -0400
Subject: [Freeipa-devel] [PATCH] Fix help system
In-Reply-To: <1318955812.31147.3.camel@balmora.brq.redhat.com>
References: <4E9DA59F.9040607@redhat.com>
	<1318955812.31147.3.camel@balmora.brq.redhat.com>
Message-ID: <4EA19132.5040506@redhat.com>

Martin Kosek wrote:
> On Tue, 2011-10-18 at 12:13 -0400, Rob Crittenden wrote:
>> Forgive me for not having this in git format. This patch fixes a couple
>> of problems in the help system:
>>
>> 1. If all commands in an object are disabled the object is still visible
>> as a topic, see ipa help aci as an example
>>
>> 2. ipa help will show you that show-mappings help is broken
>>
>> 3. You shouldn't be able to get help on disabled cli.
>>
>> diff --git a/ipalib/cli.py b/ipalib/cli.py
>> index 06e7b1c..7fe8087 100644
>> --- a/ipalib/cli.py
>> +++ b/ipalib/cli.py
>> @@ -748,6 +748,8 @@ class help(frontend.Local):
>>                self.print_commands(name)
>>            elif name in self.Command:
>>                cmd = self.Command[name]
>> +            if cmd.NO_CLI:
>> +                raise HelpError(topic=name)
>>                print unicode(_('Purpose: %s')) % unicode(_(cmd.doc)).strip()
>>                self.Backend.cli.build_parser(cmd).print_help()
>>            elif mod_name in sys.modules:
>> @@ -805,6 +807,9 @@ class help(frontend.Local):
>>                m = '%s.%s' % (self._PLUGIN_BASE_MODULE, topic)
>>                doc = (unicode(_(sys.modules[m].__doc__)) or '').strip()
>>
>> +            if topic not in self.Command and len(commands) == 0:
>> +                raise HelpError(topic=topic)
>> +
>>                print doc
>>                if len(commands)>  1:
>>                    print ''
>> @@ -814,6 +819,9 @@ class help(frontend.Local):
>>                print "\n"
>>
>>    class show_mappings(frontend.Command):
>> +    """
>> +    Show mapping of LDAP attributes to command-line option.
>> +    """
>>        takes_args = (
>>            Str('command_name',
>>                label=_('Command name'),
>>
>
> ACK. Works fine.
>
> Please, just format it properly and add a commit message with ticket ID
> https://fedorahosted.org/freeipa/ticket/1998 before pushing :-)
>
> Martin
>

Done, pushed to master and ipa-2-1



From rcritten at redhat.com  Fri Oct 21 19:28:43 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 21 Oct 2011 15:28:43 -0400
Subject: [Freeipa-devel] [PATCH] 899 more context with attribute in error
	message
Message-ID: <4EA1C7EB.8010003@redhat.com>

Depending on the context and how you are using input (-- options or 
set/addattr) you might get a different attribute name in the error 
message. This patch tries to clear that up a bit.

See the ticket for some test cases.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-899-error.patch
Type: text/x-patch
Size: 2356 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111021/083c34ea/attachment.bin>

From rcritten at redhat.com  Fri Oct 21 19:29:03 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 21 Oct 2011 15:29:03 -0400
Subject: [Freeipa-devel] [PATCH] 880 don't check for existing 389-ds
	instances
In-Reply-To: <4E7A369B.1030704@redhat.com>
References: <4E7A369B.1030704@redhat.com>
Message-ID: <4EA1C7FF.5010300@redhat.com>

Rob Crittenden wrote:
> We don't need to prohibit existing 389-ds instances when installing IPA,
> just that the ports we need are available. Remove this check.
>
> For master only.
>
> rob

Re-based patch against master.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-880-2-dsinstance.patch
Type: text/x-patch
Size: 5127 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111021/5c95a457/attachment.bin>

From ayoung at redhat.com  Fri Oct 21 20:12:43 2011
From: ayoung at redhat.com (Adam Young)
Date: Fri, 21 Oct 2011 16:12:43 -0400
Subject: [Freeipa-devel] [PATHC] 0291-show-enrollment-time-for-host.patch
Message-ID: <4EA1D23B.3060002@redhat.com>


-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0291-show-enrollment-time-for-host.patch
Type: text/x-patch
Size: 745 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111021/8334a591/attachment.bin>

From ayoung at redhat.com  Fri Oct 21 20:36:46 2011
From: ayoung at redhat.com (Adam Young)
Date: Fri, 21 Oct 2011 16:36:46 -0400
Subject: [Freeipa-devel] [PATHC] 0291-show-enrollment-time-for-host.patch
In-Reply-To: <4EA1D23B.3060002@redhat.com>
References: <4EA1D23B.3060002@redhat.com>
Message-ID: <4EA1D7DE.80306@redhat.com>

On 10/21/2011 04:12 PM, Adam Young wrote:
>
>
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
This is the better approach.  If ACKing, please specify  290 or 291
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111021/77e85754/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0292-remove-enrolled-column.patch
Type: text/x-patch
Size: 1069 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111021/77e85754/attachment.bin>

From mkosek at redhat.com  Mon Oct 24 08:11:20 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 24 Oct 2011 10:11:20 +0200
Subject: [Freeipa-devel] [PATCH] 151 Add --zonemgr validator
In-Reply-To: <4EA19051.6070206@redhat.com>
References: <1318585856.9468.7.camel@balmora.brq.redhat.com>
	<4E987B52.4060700@redhat.com>
	<1318835375.26757.2.camel@balmora.brq.redhat.com>
	<4EA19051.6070206@redhat.com>
Message-ID: <1319443884.32666.3.camel@balmora.brq.redhat.com>

On Fri, 2011-10-21 at 11:31 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > On Fri, 2011-10-14 at 14:11 -0400, Rob Crittenden wrote:
> >> Martin Kosek wrote:
> >>> Do at least a basic validation of DNS zone manager mail address.
> >>>
> >>> Do not require '@' to be in the mail address as it is not used
> >>> in common DNS zone configuration (in bind for example) and people
> >>> may be used to configure it that way. '@' is always removed by the
> >>> installer before the DNS zone is created.
> >>>
> >>> https://fedorahosted.org/freeipa/ticket/1966
> >>
> >> There is already a zonemgr_callback defined for this option, can the
> >> verify_zonemgr call be either integrated or called from that?
> >>
> >> rob
> >>
> >
> > Right. Please, try this one. I also added a parser error when more than
> > one '@' is in the checked value.
> >
> > Martin
> 
> A couple of things:
> 
> In the block where you are counting @ why not add an :
> 
> else:
>      raise ValueError('address is not fully qualified')
> 
> rather than looking for '.' in the result? I think it will be clearer 
> that way. I wonder if the error should contain an example as well, are 
> people going to know what a fully-qualified means?
> 
> The regex is very strict for e-mail addresses, perhaps too much so. It 
> doesn't allow upper-case characters, periods or _, both of which are 
> allowed in login names. A common e-mail format is first.last at domain.
> 
> rob

I reorganized the validator a little and let people enter _ in the
domain name. I also added a small explanation of what we mean by
fully-qualified.

Since we have the zonemgr validator available, why not use it for the
DNS plugin too? I enhanced the plugin to use this validator too. Please,
see attached patch.

Martin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-151-3-add-zonemgr-validator.patch
Type: text/x-patch
Size: 7321 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111024/269fee40/attachment.bin>

From pvoborni at redhat.com  Mon Oct 24 08:29:51 2011
From: pvoborni at redhat.com (Petr Vobornik)
Date: Mon, 24 Oct 2011 10:29:51 +0200
Subject: [Freeipa-devel] [PATCH] 028 Code cleanup of HBAC, Sudo rules
Message-ID: <4EA521FF.7020405@redhat.com>

https://fedorahosted.org/freeipa/ticket/1515

Changes:
  * Added functionality for widget composition. This allows to gather 
update information from nested widgets and gradually combine it to the 
facet level.
  * Details' facet update method was split to several parts to allow 
finer overriding in subclasses.
  * Sudo rule and HBAC rule details facet was reworked to use new 
functionality.

Changes in composite_widget (formal details_facet):
  * added get_update_info method (for all widgets)
  * modified save method
  * added links to parent widget and facet

Note: cleanup of sudo options section may be part of 
https://fedorahosted.org/freeipa/ticket/1690
-- 
Petr Vobornik
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0028-Code-cleanup-of-HBAC-Sudo-rules.patch
Type: text/x-patch
Size: 84277 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111024/075ce5a4/attachment.bin>

From rcritten at redhat.com  Mon Oct 24 13:02:57 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 24 Oct 2011 09:02:57 -0400
Subject: [Freeipa-devel] [PATCH] 151 Add --zonemgr validator
In-Reply-To: <1319443884.32666.3.camel@balmora.brq.redhat.com>
References: <1318585856.9468.7.camel@balmora.brq.redhat.com>
	<4E987B52.4060700@redhat.com>
	<1318835375.26757.2.camel@balmora.brq.redhat.com>
	<4EA19051.6070206@redhat.com>
	<1319443884.32666.3.camel@balmora.brq.redhat.com>
Message-ID: <4EA56201.3040102@redhat.com>

Martin Kosek wrote:
> On Fri, 2011-10-21 at 11:31 -0400, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> On Fri, 2011-10-14 at 14:11 -0400, Rob Crittenden wrote:
>>>> Martin Kosek wrote:
>>>>> Do at least a basic validation of DNS zone manager mail address.
>>>>>
>>>>> Do not require '@' to be in the mail address as it is not used
>>>>> in common DNS zone configuration (in bind for example) and people
>>>>> may be used to configure it that way. '@' is always removed by the
>>>>> installer before the DNS zone is created.
>>>>>
>>>>> https://fedorahosted.org/freeipa/ticket/1966
>>>>
>>>> There is already a zonemgr_callback defined for this option, can the
>>>> verify_zonemgr call be either integrated or called from that?
>>>>
>>>> rob
>>>>
>>>
>>> Right. Please, try this one. I also added a parser error when more than
>>> one '@' is in the checked value.
>>>
>>> Martin
>>
>> A couple of things:
>>
>> In the block where you are counting @ why not add an :
>>
>> else:
>>       raise ValueError('address is not fully qualified')
>>
>> rather than looking for '.' in the result? I think it will be clearer
>> that way. I wonder if the error should contain an example as well, are
>> people going to know what a fully-qualified means?
>>
>> The regex is very strict for e-mail addresses, perhaps too much so. It
>> doesn't allow upper-case characters, periods or _, both of which are
>> allowed in login names. A common e-mail format is first.last at domain.
>>
>> rob
>
> I reorganized the validator a little and let people enter _ in the
> domain name. I also added a small explanation of what we mean by
> fully-qualified.
>
> Since we have the zonemgr validator available, why not use it for the
> DNS plugin too? I enhanced the plugin to use this validator too. Please,
> see attached patch.
>
> Martin

NACK, a client might not have the server sub-package installed so the 
import of bindinstance will fail.

I think that moving the validator into dns.py as a central location 
should work though.

Otherwise looks good.

rob



From mkosek at redhat.com  Mon Oct 24 13:19:55 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 24 Oct 2011 15:19:55 +0200
Subject: [Freeipa-devel] [PATCH, 2.1] 0021 Fedora 16 and systemd support
In-Reply-To: <1318944589.19922.39.camel@balmora.brq.redhat.com>
References: <20111010134235.GB3661@redhat.com>
	<20111010140721.GC3661@redhat.com>
	<1318614966.31149.149.camel@willson.li.ssimo.org>
	<1318623241.31149.156.camel@willson.li.ssimo.org>
	<1318626347.31149.159.camel@willson.li.ssimo.org>
	<20111017112049.GB9413@redhat.com>
	<1318935379.19922.24.camel@balmora.brq.redhat.com>
	<20111018112738.GA2258@redhat.com> <20111018124809.GB2258@redhat.com>
	<1318944589.19922.39.camel@balmora.brq.redhat.com>
Message-ID: <1319462398.32666.9.camel@balmora.brq.redhat.com>

On Tue, 2011-10-18 at 15:29 +0200, Martin Kosek wrote:
> On Tue, 2011-10-18 at 15:48 +0300, Alexander Bokovoy wrote:
> > On Tue, 18 Oct 2011, Alexander Bokovoy wrote:
> > > > ipa.init was removed from the git, but it was never moved to
> > > > init/SystemV/.
> > > It should have been moved (rm+new file). I'll check what's happening 
> > > there, maybe Simo's patch omitted that one?
> > > 
> > > http://koji.fedoraproject.org/koji/taskinfo?taskID=3437275 is current 
> > > scratch build of 2.1 for F-16. It is 2.1.2+diff up to current ipa-2-1 
> > > git tree + systemd patch.
> > I did another rebase and current version of systemd support for 
> > ipa-2-1 is in systemd-ipa-2-1 branch of my tree:
> > http://fedorapeople.org/gitweb?p=abbra/public_git/freeipa.git;a=shortlog;h=refs/heads/systemd-ipa-2-1
> > 
> 
> Yep, ipa.init is now correctly moved and I was able to compile ipa on
> both F-15 and F-16. I still have few question/issues:
> 
> 1) When ipa is not configured, it is ok that ipa.service status returns
> error. However, I still got ipa.service status error after the ipa was
> configured:
> 
> # systemctl status ipa.service
> ipa.service - Identity, Policy, Audit
> 	  Loaded: loaded (/lib/systemd/system/ipa.service; disabled)
> 	  Active: failed since Tue, 18 Oct 2011 09:04:41 -0400; 1min 50s ago
> 	Main PID: 18499 (code=exited, status=6)
> 	  CGroup: name=systemd:/system/ipa.service
> # /usr/sbin/ipactl status
> IPA is not configured (see man pages of ipa-server-install for help)
> 
> # ipa-server-install
> ...
> Applying LDAP updates
> Restarting IPA to initialize updates before performing deletes:
>   [1/2]: stopping directory server
>   [2/2]: starting directory server
> done configuring dirsrv.
> Restarting the directory server
> Restarting the KDC
> Restarting the web server
> Sample zone file for bind has been created in /tmp/sample.zone.teFbNR.db
> ==============================================================================
> Setup complete
> 
> Next steps:
> 	1. You must make sure these network ports are open:
> 		TCP Ports:
> 		  * 80, 443: HTTP/HTTPS
> 		  * 389, 636: LDAP/LDAPS
> 		  * 88, 464: kerberos
> 		UDP Ports:
> 		  * 88, 464: kerberos
> 		  * 123: ntp
> 
> 	2. You can now obtain a kerberos ticket using the command: 'kinit admin'
> 	   This ticket will allow you to use the IPA tools (e.g., ipa user-add)
> 	   and the web user interface.
> 
> Be sure to back up the CA certificate stored in /root/cacert.p12
> This file is required to create replicas. The password for this
> file is the Directory Manager password
> 
> # systemctl status ipa.service
> ipa.service - Identity, Policy, Audit
> 	  Loaded: loaded (/lib/systemd/system/ipa.service; enabled)
> 	  Active: failed since Tue, 18 Oct 2011 09:04:41 -0400; 6min ago
> 	Main PID: 18499 (code=exited, status=6)
> 	  CGroup: name=systemd:/system/ipa.service
> 
> 
> 
> 2) ipactl shows stopped dirsrv and CA service even though they should be
> up (cert-show command worked):
> 
> # ipactl status
> Directory Service: RUNNING
> KDC Service: RUNNING
> KPASSWD Service: STOPPED
> HTTP Service: RUNNING
> CA Service: STOPPED
> 
> When I restarted the ipa service, everything was OK including the status
> I mentioned in my previous mail:
> 
> # systemctl restart ipa.service
> # ipactl status
> Directory Service: RUNNING
> KDC Service: RUNNING
> KPASSWD Service: RUNNING
> HTTP Service: RUNNING
> CA Service: RUNNING
> 
> # systemctl status ipa.service
> ipa.service - Identity, Policy, Audit
> 	  Loaded: loaded (/lib/systemd/system/ipa.service; enabled)
> 	  Active: active (exited) since Tue, 18 Oct 2011 09:18:32 -0400; 2min 41s ago
> 	 Process: 20069 ExecStart=/usr/sbin/ipactl start (code=exited, status=0/SUCCESS)
> 	  CGroup: name=systemd:/system/ipa.service
> 
> 
> Martin
> 

Ok, final ACK :-) On Friday and today I did a final set of sanity tests
for both branches on F-15 and F-16. Minor issues found during the review
were fixed by Alexander and integrated to the patches.

There is just one pending issue I found - name server cannot talk to
dirsrv on F-16 due to changes in SElinux policy. It is being be tracked
here:

https://bugzilla.redhat.com/show_bug.cgi?id=748366

SELinux guys accepted the issue and it is being worked on.

Pushed to master, ipa-2-1. Good job!

Martin



From edewata at redhat.com  Mon Oct 24 14:51:11 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 24 Oct 2011 09:51:11 -0500
Subject: [Freeipa-devel] [PATHC] 0291-show-enrollment-time-for-host.patch
In-Reply-To: <4EA1D7DE.80306@redhat.com>
References: <4EA1D23B.3060002@redhat.com> <4EA1D7DE.80306@redhat.com>
Message-ID: <4EA57B5F.8080609@redhat.com>

On 10/21/2011 3:36 PM, Adam Young wrote:
>

Based on IRC discussion the column for krblastpwdchange will be removed 
for now, so:

NACK 291, ACK 292, and pushed to master.

The column for has_keytab will be added in a separate patch.

-- 
Endi S. Dewata



From mkosek at redhat.com  Mon Oct 24 15:08:06 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 24 Oct 2011 17:08:06 +0200
Subject: [Freeipa-devel] [PATCH] 151 Add --zonemgr validator
In-Reply-To: <4EA56201.3040102@redhat.com>
References: <1318585856.9468.7.camel@balmora.brq.redhat.com>
	<4E987B52.4060700@redhat.com>
	<1318835375.26757.2.camel@balmora.brq.redhat.com>
	<4EA19051.6070206@redhat.com>
	<1319443884.32666.3.camel@balmora.brq.redhat.com>
	<4EA56201.3040102@redhat.com>
Message-ID: <1319468888.32666.18.camel@balmora.brq.redhat.com>

On Mon, 2011-10-24 at 09:02 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > On Fri, 2011-10-21 at 11:31 -0400, Rob Crittenden wrote:
> >> Martin Kosek wrote:
> >>> On Fri, 2011-10-14 at 14:11 -0400, Rob Crittenden wrote:
> >>>> Martin Kosek wrote:
> >>>>> Do at least a basic validation of DNS zone manager mail address.
> >>>>>
> >>>>> Do not require '@' to be in the mail address as it is not used
> >>>>> in common DNS zone configuration (in bind for example) and people
> >>>>> may be used to configure it that way. '@' is always removed by the
> >>>>> installer before the DNS zone is created.
> >>>>>
> >>>>> https://fedorahosted.org/freeipa/ticket/1966
> >>>>
> >>>> There is already a zonemgr_callback defined for this option, can the
> >>>> verify_zonemgr call be either integrated or called from that?
> >>>>
> >>>> rob
> >>>>
> >>>
> >>> Right. Please, try this one. I also added a parser error when more than
> >>> one '@' is in the checked value.
> >>>
> >>> Martin
> >>
> >> A couple of things:
> >>
> >> In the block where you are counting @ why not add an :
> >>
> >> else:
> >>       raise ValueError('address is not fully qualified')
> >>
> >> rather than looking for '.' in the result? I think it will be clearer
> >> that way. I wonder if the error should contain an example as well, are
> >> people going to know what a fully-qualified means?
> >>
> >> The regex is very strict for e-mail addresses, perhaps too much so. It
> >> doesn't allow upper-case characters, periods or _, both of which are
> >> allowed in login names. A common e-mail format is first.last at domain.
> >>
> >> rob
> >
> > I reorganized the validator a little and let people enter _ in the
> > domain name. I also added a small explanation of what we mean by
> > fully-qualified.
> >
> > Since we have the zonemgr validator available, why not use it for the
> > DNS plugin too? I enhanced the plugin to use this validator too. Please,
> > see attached patch.
> >
> > Martin
> 
> NACK, a client might not have the server sub-package installed so the 
> import of bindinstance will fail.
> 
> I think that moving the validator into dns.py as a central location 
> should work though.
> 
> Otherwise looks good.
> 
> rob

Thanks. I didn't realize that user can have freeipa-admintools without
freeipa-server installed.

I placed the validator to ipalib/util.py as we cannot place it to the
dns plugin directly as all our plugins assume that we have initialized
api.

Updated patch attached.

Martin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-151-4-add-zonemgr-validator.patch
Type: text/x-patch
Size: 7669 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111024/d5d6c510/attachment.bin>

From jcholast at redhat.com  Mon Oct 24 15:26:35 2011
From: jcholast at redhat.com (Jan Cholasta)
Date: Mon, 24 Oct 2011 17:26:35 +0200
Subject: [Freeipa-devel] [PATCH] 55 Parse comma-separated lists of
 values in all parameter types
In-Reply-To: <4EA00403.9060703@redhat.com>
References: <4EA00403.9060703@redhat.com>
Message-ID: <4EA583AB.6030906@redhat.com>

Dne 20.10.2011 13:20, Jan Cholasta napsal(a):
> Parse comma-separated lists of values in all parameter types. This can
> enabled for a specific parameter by setting the "csvlist" option to True.
>
> Remove List parameter type and replace all occurences with Str with
> csvlist enabled.
>
> https://fedorahosted.org/freeipa/ticket/2007
>
> This change will be useful for
> https://fedorahosted.org/freeipa/ticket/1487 and
> https://fedorahosted.org/freeipa/ticket/1847
>
> Unit tests show no regressions.
>
> Honza
>

Self-NACK - I have noticed that the batch command no longer works.

Updated patch attached.

Honza

-- 
Jan Cholasta
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-55.1-comma-separated-list.patch
Type: text/x-patch
Size: 175702 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111024/f576b81c/attachment.bin>

From rcritten at redhat.com  Mon Oct 24 15:42:51 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 24 Oct 2011 11:42:51 -0400
Subject: [Freeipa-devel] [PATCH] 55 Parse comma-separated lists of
 values in all parameter types
In-Reply-To: <4EA583AB.6030906@redhat.com>
References: <4EA00403.9060703@redhat.com> <4EA583AB.6030906@redhat.com>
Message-ID: <4EA5877B.2020606@redhat.com>

Jan Cholasta wrote:
> Dne 20.10.2011 13:20, Jan Cholasta napsal(a):
>> Parse comma-separated lists of values in all parameter types. This can
>> enabled for a specific parameter by setting the "csvlist" option to True.
>>
>> Remove List parameter type and replace all occurences with Str with
>> csvlist enabled.
>>
>> https://fedorahosted.org/freeipa/ticket/2007
>>
>> This change will be useful for
>> https://fedorahosted.org/freeipa/ticket/1487 and
>> https://fedorahosted.org/freeipa/ticket/1847
>>
>> Unit tests show no regressions.
>>
>> Honza
>>
>
> Self-NACK - I have noticed that the batch command no longer works.
>
> Updated patch attached.
>
> Honza

What is the benefit of this over the List parameter type?

rob



From edewata at redhat.com  Mon Oct 24 16:29:04 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 24 Oct 2011 11:29:04 -0500
Subject: [Freeipa-devel] [PATCH] 028 Code cleanup of HBAC, Sudo rules
In-Reply-To: <4EA521FF.7020405@redhat.com>
References: <4EA521FF.7020405@redhat.com>
Message-ID: <4EA59250.8040506@redhat.com>

On 10/24/2011 3:29 AM, Petr Vobornik wrote:
> https://fedorahosted.org/freeipa/ticket/1515
>
> Changes:
> * Added functionality for widget composition. This allows to gather
> update information from nested widgets and gradually combine it to the
> facet level.
> * Details' facet update method was split to several parts to allow finer
> overriding in subclasses.
> * Sudo rule and HBAC rule details facet was reworked to use new
> functionality.
>
> Changes in composite_widget (formal details_facet):
> * added get_update_info method (for all widgets)
> * modified save method
> * added links to parent widget and facet
>
> Note: cleanup of sudo options section may be part of
> https://fedorahosted.org/freeipa/ticket/1690

Some issues:

1. The IPA.hbacrule_details_facet uses IPA.sudo.enable_widget(). This 
makes HBAC unnecessarily dependent on sudo. The enable_widget should be 
moved to widget.js or rule.js which is shared between HBAC and sudo.

2. The set_facet() is added to widget. I don't think we want to make 
widget dependent on facet. The facet so far is only used by 
IPA.sudo.enable_widget. In IPA.sudo.options_section the facet object is 
passed as a parameter in spec.

3. When updating sudo rule, in the original code the rule is 
enabled/disabled after all the modifications are done. In the new code 
it's reversed. I'm not sure the importance of the execution order for 
this particular situation, but suppose it is, is there a way to maintain 
the original order?

4. The IPA.header_widget is not really a widget, it's actually part of 
layout. In the current implementation a widget always corresponds to an 
attribute, so it will be loaded, saved, etc. Since there is no attribute 
name matching the header name currently this is not a problem, but it 
can pollute the namespace.

5. In details facet update(), instead of storing the callbacks in 
update_custom_on_win and update_custom_on_fail and requiring the 
subclasses to call them, it might be better to call them from the 
update() itself:

         var command = IPA.command({
             ...
             on_success: function(data, text_status, xhr) {
                 that.on_update_success(data, text_status, xhr)
                 if (on_win) on_win.call(this, data, text_status, xhr);
             },
             on_error: function(xhr, text_status, error_thrown) {
                 that.on_update_error(xhr, text_status, error_thrown);
                 if (on_fail) on_fail.call(
                     this, xhr, text_status, error_thrown);
             }
         });

6. Can IPA.batch_details_facet be combined into IPA.details_facet? I 
think the base details facet should support both regular mod and batch.

7. In sudo details page, the "As Whom" category is missing the "RunAs 
User category" radio buttons.

8. The IPA.sudo.rule_details_runas_widget uses composite widget instead 
of section. They are right now functionally identical, but I suppose the 
composite widget is an abstract class and the section will later contain 
code specific to section.

9. It's probably better to define the proper update_info and field_info 
classes rather than constructing them on the fly.

10. There are some whitespace warnings during git am.

11. The following code doesn't seem to be used:
      * param_info in details.js:469
      * update_command_name in details.js:597

-- 
Endi S. Dewata



From mkosek at redhat.com  Mon Oct 24 16:39:40 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 24 Oct 2011 18:39:40 +0200
Subject: [Freeipa-devel] [PATCH] 151 Add --zonemgr validator
In-Reply-To: <1319468888.32666.18.camel@balmora.brq.redhat.com>
References: <1318585856.9468.7.camel@balmora.brq.redhat.com>
	<4E987B52.4060700@redhat.com>
	<1318835375.26757.2.camel@balmora.brq.redhat.com>
	<4EA19051.6070206@redhat.com>
	<1319443884.32666.3.camel@balmora.brq.redhat.com>
	<4EA56201.3040102@redhat.com>
	<1319468888.32666.18.camel@balmora.brq.redhat.com>
Message-ID: <1319474382.1960.1.camel@priserak>

On Mon, 2011-10-24 at 17:08 +0200, Martin Kosek wrote:
> On Mon, 2011-10-24 at 09:02 -0400, Rob Crittenden wrote:
> > Martin Kosek wrote:
> > > On Fri, 2011-10-21 at 11:31 -0400, Rob Crittenden wrote:
> > >> Martin Kosek wrote:
> > >>> On Fri, 2011-10-14 at 14:11 -0400, Rob Crittenden wrote:
> > >>>> Martin Kosek wrote:
> > >>>>> Do at least a basic validation of DNS zone manager mail address.
> > >>>>>
> > >>>>> Do not require '@' to be in the mail address as it is not used
> > >>>>> in common DNS zone configuration (in bind for example) and people
> > >>>>> may be used to configure it that way. '@' is always removed by the
> > >>>>> installer before the DNS zone is created.
> > >>>>>
> > >>>>> https://fedorahosted.org/freeipa/ticket/1966
> > >>>>
> > >>>> There is already a zonemgr_callback defined for this option, can the
> > >>>> verify_zonemgr call be either integrated or called from that?
> > >>>>
> > >>>> rob
> > >>>>
> > >>>
> > >>> Right. Please, try this one. I also added a parser error when more than
> > >>> one '@' is in the checked value.
> > >>>
> > >>> Martin
> > >>
> > >> A couple of things:
> > >>
> > >> In the block where you are counting @ why not add an :
> > >>
> > >> else:
> > >>       raise ValueError('address is not fully qualified')
> > >>
> > >> rather than looking for '.' in the result? I think it will be clearer
> > >> that way. I wonder if the error should contain an example as well, are
> > >> people going to know what a fully-qualified means?
> > >>
> > >> The regex is very strict for e-mail addresses, perhaps too much so. It
> > >> doesn't allow upper-case characters, periods or _, both of which are
> > >> allowed in login names. A common e-mail format is first.last at domain.
> > >>
> > >> rob
> > >
> > > I reorganized the validator a little and let people enter _ in the
> > > domain name. I also added a small explanation of what we mean by
> > > fully-qualified.
> > >
> > > Since we have the zonemgr validator available, why not use it for the
> > > DNS plugin too? I enhanced the plugin to use this validator too. Please,
> > > see attached patch.
> > >
> > > Martin
> > 
> > NACK, a client might not have the server sub-package installed so the 
> > import of bindinstance will fail.
> > 
> > I think that moving the validator into dns.py as a central location 
> > should work though.
> > 
> > Otherwise looks good.
> > 
> > rob
> 
> Thanks. I didn't realize that user can have freeipa-admintools without
> freeipa-server installed.
> 
> I placed the validator to ipalib/util.py as we cannot place it to the
> dns plugin directly as all our plugins assume that we have initialized
> api.
> 
> Updated patch attached.
> 
> Martin

And now also with API.txt change. This patch must be cursed or
something.

No need to bump API version, just the validator has been added.

Martin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-151-5-add-zonemgr-validator.patch
Type: text/x-patch
Size: 13536 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111024/fddda8a2/attachment.bin>

From jcholast at redhat.com  Mon Oct 24 16:45:20 2011
From: jcholast at redhat.com (Jan Cholasta)
Date: Mon, 24 Oct 2011 18:45:20 +0200
Subject: [Freeipa-devel] [PATCH] 55 Parse comma-separated lists of
 values in all parameter types
In-Reply-To: <4EA5877B.2020606@redhat.com>
References: <4EA00403.9060703@redhat.com> <4EA583AB.6030906@redhat.com>
	<4EA5877B.2020606@redhat.com>
Message-ID: <4EA59620.30506@redhat.com>

Dne 24.10.2011 17:42, Rob Crittenden napsal(a):
> Jan Cholasta wrote:
>> Dne 20.10.2011 13:20, Jan Cholasta napsal(a):
>>> Parse comma-separated lists of values in all parameter types. This can
>>> enabled for a specific parameter by setting the "csvlist" option to
>>> True.
>>>
>>> Remove List parameter type and replace all occurences with Str with
>>> csvlist enabled.
>>>
>>> https://fedorahosted.org/freeipa/ticket/2007
>>>
>>> This change will be useful for
>>> https://fedorahosted.org/freeipa/ticket/1487 and
>>> https://fedorahosted.org/freeipa/ticket/1847
>>>
>>> Unit tests show no regressions.
>>>
>>> Honza
>>>
>>
>> Self-NACK - I have noticed that the batch command no longer works.
>>
>> Updated patch attached.
>>
>> Honza
>
> What is the benefit of this over the List parameter type?
>
> rob

Mainly because the List parameter type is just a hack. This is the right 
thing to do if we want to use comma-separated lists of parameters of any 
type, with all the validation and other parameter type-specific features.

For example, I've added a new parameter type for IP addresses in my 
patch 46 
(http://www.redhat.com/archives/freeipa-devel/2011-September/msg00187.html) 
and use it for A and AAAA DNS records. Without this patch, we can either 
use List for the record parameters and lose validation in dnsrecord-find 
(because it is based on crud.Search, which strips all the custom 
validation rules - like _validate_ipaddr - from the command parameters, 
which is one of the causes of #1627) or use IPAddress for the record 
parameters and lose the ability to specify them as comma-separated list 
of values. With this patch, we can have both comma-separated lists and 
validation at the same time.

Besides, the patch is not as big as it looks like, all the interesting 
stuff is in ipalib/parameters.py, everything else is just 
search-and-replace. Also I need it to fix #1487 and #1847 without doing 
ugly hacks.

Honza

-- 
Jan Cholasta



From edewata at redhat.com  Mon Oct 24 20:43:46 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 24 Oct 2011 15:43:46 -0500
Subject: [Freeipa-devel] [PATCH] 295 Fixed inconsistent
 required/optional attributes.
In-Reply-To: <4EA15A25.70003@redhat.com>
References: <4EA07809.2000709@redhat.com> <4EA15A25.70003@redhat.com>
Message-ID: <4EA5CE02.505@redhat.com>

On 10/21/2011 6:40 AM, Petr Vobornik wrote:
> 1) Wouldn't be better if the asterisk has different color than the
> label? Visually I don't like it that much and I think it can be
> overlook. Attaching a proposition. I used green IPAish color because red
> usually means error.
>
> Code from browser how it was done:
>
> <td class="section-cell-label" title="First name"><label
> name="givenname" class="field-label">First name:</label><span
> class="required" style="
> float: right;
> font-weight: bold;
> color: #319016;
> font-size: 20px;
> " title="required">*</span></td>
>
> (style should be moved to css file)
>
>
> <div style="line-height: 25px;"><span class="required" style="
> font-weight: bold;
> color: #319016;
> font-size: 20px;
> vertical-align: middle;
> ">*</span> required</div>
>
> It may vary on the section type.

Fixed. I couldn't use the exact style above because it looks a bit weird 
in the details page since the labels are right aligned. I use red for 
now because it can also mean 'important', but we can adjust this again 
later.

> 2) When rendering label, we should also obtain field input's id (if
> possible) for 'for' attribute of <label>. This can be done separately.

I'd rather avoid using ID in a dynamic app like this. Adding ID into the 
fields is possible, but we'd have to do it very carefully to avoid 
conflicts.

> 3) Should we create some common pure html widgets with certain
> semantics?

We can, but as discussed elsewhere, we have to fix the current 
assumption first: each widget correspond to an attribute, it currently 
has properties and methods (e.g. metadata, load(), save()) that are only 
valid on attributes.

> IE asterisk shouldn't be directly concatenated with label
> text. It is used on more than one place which may cause maintenance issues.
>
> IPA.form(or some other name).required_indicator = function() {
> return '*'
> };
>
> in this case this seems unnecessary. But if the required indicator was
> like in 1) it will be useful.

Fixed.

> Summary:
> All 3 points are nice to have. If you think is not necessary then ACK.
>
> This patch is also fixing https://fedorahosted.org/freeipa/ticket/1973 .

Noted in the new patch.

-- 
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0295-2-Fixed-inconsistent-required-optional-attributes.patch
Type: text/x-patch
Size: 34817 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111024/31b71f58/attachment.bin>

From edewata at redhat.com  Tue Oct 25 00:01:08 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 24 Oct 2011 19:01:08 -0500
Subject: [Freeipa-devel] [PATCH] 296 Removed HBAC deny rule warning.
Message-ID: <4EA5FC44.2090509@redhat.com>

The HBAC deny rule is no longer supported so it's no longer necessary
to show the warning.

Ticket #1444

-- 
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0296-Removed-HBAC-deny-rule-warning.patch
Type: text/x-patch
Size: 12831 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111024/cf3d30da/attachment.bin>

From adam at younglogic.com  Tue Oct 25 00:43:44 2011
From: adam at younglogic.com (Adam Young)
Date: Mon, 24 Oct 2011 20:43:44 -0400
Subject: [Freeipa-devel] Keytab for talking to PKI CA from IPA
Message-ID: <4EA60640.80108@younglogic.com>

When setting up replication, it should not be necessary to cache any 
passwords, anywhere, until the replication agreemsnts are set up, and 
then, all caching should be using known secure mechanisms.

The two main repositories we care about are the Directory Server 
instances managed by IPA and the Certificate Authority.  Currently, 
these are not in the same Dir Srv isntance (although they could be) due 
to the fact that we expect to replicate them seperately.  Specifically, 
we expect to have more IPA instances than CA instances, and we will not 
have a CA instance without a co-located IPA instance.

During normal operations, the IPA instance should not need to talk to 
the directory server instance of the CA.  All communication between IPA 
and the CA should happen via the HTTPS secured via Certificates issued 
by the CA.

Once the replication process starts, the file generated by ipa-prepare 
replicate should not need an passwords.  Instead,  when the replicated 
server is installed, the user performing the install should get a ticket 
as an administrative user.  All authentication for the replication 
should be based on that ticket.

The very first step is to install an new Directory server for IPA.  For 
this, the replication process can generate a single use password and use 
it as the Directory server password for the local instance.  Next, the 
ticket for the adminiustrative user should be used to download a keytab 
for the Directory Server to use when communicating back to the original 
IPA directory server.With these keytab in place, the replicated IPA DS 
should be able to talk to the original IPA DS and establish the 
replication agreement.  At this point, the single use password should be 
disabled.

Once the IPA Directory server has been replicated, we can either use the 
original keytab or download a second keytab to establish a replication 
agreement between the replicated CA directory server and the original CA 
directory server.  The process would look the same as setting up the 
keytab for the IPA directory server.

Why don't we do this now?





From ayoung at redhat.com  Tue Oct 25 00:45:32 2011
From: ayoung at redhat.com (Adam Young)
Date: Mon, 24 Oct 2011 20:45:32 -0400
Subject: [Freeipa-devel] Keytab for talking to PKI CA from IPA
Message-ID: <4EA606AC.6040302@redhat.com>


When setting up replication, it should not be necessary to cache any 
passwords, anywhere, until the replication agreemsnts are set up, and 
then, all caching should be using known secure mechanisms.

The two main repositories we care about are the Directory Server 
instances managed by IPA and the Certificate Authority.  Currently, 
these are not in the same Dir Srv isntance (although they could be) due 
to the fact that we expect to replicate them seperately.  Specifically, 
we expect to have more IPA instances than CA instances, and we will not 
have a CA instance without a co-located IPA instance.

During normal operations, the IPA instance should not need to talk to 
the directory server instance of the CA.  All communication between IPA 
and the CA should happen via the HTTPS secured via Certificates issued 
by the CA.

Once the replication process starts, the file generated by ipa-prepare 
replicate should not need an passwords.  Instead,  when the replicated 
server is installed, the user performing the install should get a ticket 
as an administrative user.  All authentication for the replication 
should be based on that ticket.

The very first step is to install an new Directory server for IPA.  For 
this, the replication process can generate a single use password and use 
it as the Directory server password for the local instance.  Next, the 
ticket for the adminiustrative user should be used to download a keytab 
for the Directory Server to use when communicating back to the original 
IPA directory server.With these keytab in place, the replicated IPA DS 
should be able to talk to the original IPA DS and establish the 
replication agreement.  At this point, the single use password should be 
disabled.

Once the IPA Directory server has been replicated, we can either use the 
original keytab or download a second keytab to establish a replication 
agreement between the replicated CA directory server and the original CA 
directory server.  The process would look the same as setting up the 
keytab for the IPA directory server.

Why don't we do this now?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111024/4b42bb31/attachment.htm>

From mkosek at redhat.com  Tue Oct 25 09:00:16 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 25 Oct 2011 11:00:16 +0200
Subject: [Freeipa-devel] [PATCH] 120 Improve DNS record data validation
In-Reply-To: <4E9F2742.3020109@redhat.com>
References: <1315400728.12548.12.camel@dhcp-25-52.brq.redhat.com>
	<1315401507.12548.14.camel@dhcp-25-52.brq.redhat.com>
	<1319026515.9647.13.camel@balmora.brq.redhat.com>
	<4E9F2742.3020109@redhat.com>
Message-ID: <1319533225.14006.13.camel@balmora.brq.redhat.com>

On Wed, 2011-10-19 at 15:38 -0400, Adam Young wrote:
> On 10/19/2011 08:15 AM, Martin Kosek wrote: 
> > On Wed, 2011-09-07 at 15:18 +0200, Martin Kosek wrote:
> > > On Wed, 2011-09-07 at 15:05 +0200, Martin Kosek wrote:
> > > > This is 3.0 Core Effort Backlog patch.
> > > > 
> > > > The changes to API may look scary, but it should be OK, I just added
> > > > validators and normalizers. I found a lot of RR types unsupported by
> > > > bind-dyndb-ldap. I implemented a validator telling this information to
> > > > the user. I think the message is more user-friendly than the previous
> > > > LDAP schema error.
> > > > 
> > > > Enjoy the RFCs! :-)
> > > > 
> > > > Martin
> > > > 
> > > > ---
> > > > Implement missing validators for DNS RR types so that we can capture
> > > > at least basic user errors. Additionally, a normalizer creating
> > > > a fully-qualified domain name has been implemented for several RRs
> > > > to prevent this common user error.
> > > > 
> > > > https://fedorahosted.org/freeipa/ticket/1106
> > > > 
> > > I noticed a typo in format description for LOC record validation. A
> > > fixed patch attached.
> > > 
> > > Martin
> > Rebased for current master.
> > 
> > This patch is still waiting for review. As I would like to base my next
> > DNS work (structured DNS commands) on this patch I would like to have it
> > reviewed soon.
> > 
> > Thanks,
> > Martin
> > 
> > 
> > 
> > _______________________________________________
> > Freeipa-devel mailing list
> > Freeipa-devel at redhat.com
> > https://www.redhat.com/mailman/listinfo/freeipa-devel
> 
> 
> I've just given it a visual review, but it looks right.  Probably
> should have some unit tests to go with it for some of the more
> commonly used types.

Good idea. A, AAAA, NS records are already being checked, I added tests
for MX and SRV records too.

I also refactored DNS tests a little, there were many repeatedly using
hard-coded values (like default zone manager) which would be hard to fix
of anything changes.

Martin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-120-4-improve-dns-record-data-validation.patch
Type: text/x-patch
Size: 85554 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111025/0561a7d8/attachment.bin>

From edewata at redhat.com  Tue Oct 25 12:29:43 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 25 Oct 2011 07:29:43 -0500
Subject: [Freeipa-devel] [PATCH] 297 Fixed "enroll" labels.
Message-ID: <4EA6ABB7.70805@redhat.com>

Labels using the word "enroll" (except for host enrollment) have
been modified to use more relevant words.

The IPA.add_dialog has been renamed into IPA.entity_adder_dialog
for clarity.

Ticket #1642

-- 
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0297-Fixed-enroll-labels.patch
Type: text/x-patch
Size: 9808 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111025/76bb7fff/attachment.bin>

From pvoborni at redhat.com  Tue Oct 25 12:49:05 2011
From: pvoborni at redhat.com (Petr Vobornik)
Date: Tue, 25 Oct 2011 14:49:05 +0200
Subject: [Freeipa-devel] [PATCH] 028 Code cleanup of HBAC, Sudo rules
In-Reply-To: <4EA59250.8040506@redhat.com>
References: <4EA521FF.7020405@redhat.com> <4EA59250.8040506@redhat.com>
Message-ID: <4EA6B041.5090204@redhat.com>

Comments in text. New patch not supplied yet - some topics may require 
further discussion. Most of the comments should be part of the 'Nesting 
widgets' thread.

On 10/24/2011 06:29 PM, Endi Sukma Dewata wrote:
> On 10/24/2011 3:29 AM, Petr Vobornik wrote:
>> https://fedorahosted.org/freeipa/ticket/1515
>
> Some issues:
>
> 1. The IPA.hbacrule_details_facet uses IPA.sudo.enable_widget(). This
> makes HBAC unnecessarily dependent on sudo. The enable_widget should be
> moved to widget.js or rule.js which is shared between HBAC and sudo.

  * enable_widget moved to widget.js
  * rule_association_table_widget and rule_association_adder_dialog 
moved to rule.js

> 2. The set_facet() is added to widget. I don't think we want to make
> widget dependent on facet. The facet so far is only used by
> IPA.sudo.enable_widget. In IPA.sudo.options_section the facet object is
> passed as a parameter in spec.
Are you saying that dependency on facet in ALL widgets is bad and only 
in a few is good, or in any is bad?

I think it doesn't matter if all is dependant when one is dependant.

Anyway currently all association table widgets are dependant 
(association.js:386).

Btw similar topic could be: "How to get current entity's pkey?'. 
Dependancy on facet.get_primary_key() or 
IPA.nav.get_state(that.entity.name+'-pkey') seems wrong too.

>
> 3. When updating sudo rule, in the original code the rule is
> enabled/disabled after all the modifications are done. In the new code
> it's reversed. I'm not sure the importance of the execution order for
> this particular situation, but suppose it is, is there a way to maintain
> the original order?

I was thinking about a command or widget priority. The 'mod' command 
would have some default priority or it would get it from facet. The 
commands would be sorted by priority before adding them to batch. This 
way we can set exact order in facet update.

The order which is implemented now is reflecting the order in HBAC 
details facet - there were errors when 'mod' was executed before 
clearing associations.

> 4. The IPA.header_widget is not really a widget, it's actually part of
> layout. In the current implementation a widget always corresponds to an
> attribute, so it will be loaded, saved, etc. Since there is no attribute
> name matching the header name currently this is not a problem, but it
> can pollute the namespace.

This is part of widget nesting topic. In this manner composite_widget 
isn't a proper widget too (it can correspond to several or none attribute).

Purely html rendering widgets can be separated from attribute widgets, 
but it would be nice to have them because they can provide easier form 
composing. Without them it would be required to override the create 
method (in facet or composite_widget/section) which is sometimes better 
but often it creates only code duplication with little added logic.

>
> 5. In details facet update(), instead of storing the callbacks in
> update_custom_on_win and update_custom_on_fail and requiring the
> subclasses to call them, it might be better to call them from the
> update() itself:
>
> var command = IPA.command({
> ...
> on_success: function(data, text_status, xhr) {
> that.on_update_success(data, text_status, xhr)
> if (on_win) on_win.call(this, data, text_status, xhr);
> },
> on_error: function(xhr, text_status, error_thrown) {
> that.on_update_error(xhr, text_status, error_thrown);
> if (on_fail) on_fail.call(
> this, xhr, text_status, error_thrown);
> }
> });

There are two types of success/error handlers:
1) the default ones in details facet
2) the ones supplied to update(win, fail) method.

In my implementation I have separated 1) from update method so if 
default behaviour isn't suitable these methods can be overridden without 
overriding whole update method. Overriding isn't required. This is IMHO 
good (less code duplication).


>
> 6. Can IPA.batch_details_facet be combined into IPA.details_facet? I
> think the base details facet should support both regular mod and batch.

The only point where they overlap is the update method. It's possible to 
add a logic to switch between command creations - maybe based on 
attribute (could be defined in spec). But should we do that? Isn't this 
the reason for inheriting the class?

>
> 7. In sudo details page, the "As Whom" category is missing the "RunAs
> User category" radio buttons.

Fixed

> 8. The IPA.sudo.rule_details_runas_widget uses composite widget instead
> of section. They are right now functionally identical, but I suppose the
> composite widget is an abstract class and the section will later contain
> code specific to section.

Part of widget nesting topic. This was briefly discussed with Adam (in 
that topic). The important question is what is a section? I understand 
section as top level container (in facet) which contains widgets (even 
composites) and semantically separates parts of the facet (with headers 
and section folding...). From this point of view, composite_widget isn't 
an abstract class, but it isn't used used anywhere else though.

Note: the use of composite_widget in rule_details_runas_widget was 
change to rule_details_section (should be renamed to widget) to fix 7.

> 9. It's probably better to define the proper update_info and field_info
> classes rather than constructing them on the fly.

Will do.

> 10. There are some whitespace warnings during git am.
>
> 11. The following code doesn't seem to be used:
> * param_info in details.js:469
> * update_command_name in details.js:597

Removed 469, used 597 (as configurable 'mod' command - for future 
framework use).

-- 
Petr Vobornik



From rcritten at redhat.com  Tue Oct 25 13:10:01 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 25 Oct 2011 09:10:01 -0400
Subject: [Freeipa-devel] Keytab for talking to PKI CA from IPA
In-Reply-To: <4EA60640.80108@younglogic.com>
References: <4EA60640.80108@younglogic.com>
Message-ID: <4EA6B529.3060108@redhat.com>

Adam Young wrote:
> When setting up replication, it should not be necessary to cache any
> passwords, anywhere, until the replication agreemsnts are set up, and
> then, all caching should be using known secure mechanisms.
>
> The two main repositories we care about are the Directory Server
> instances managed by IPA and the Certificate Authority. Currently, these
> are not in the same Dir Srv isntance (although they could be) due to the
> fact that we expect to replicate them seperately. Specifically, we
> expect to have more IPA instances than CA instances, and we will not
> have a CA instance without a co-located IPA instance.

Not really. I created two instances to provide logical separation and 
prevent us from having to deal with multiple naming contexts. There was 
some serious investigation over the summer to see if we could 
consolidate into a single instance. It was determined to be too much too 
late in the cycle.

> During normal operations, the IPA instance should not need to talk to
> the directory server instance of the CA. All communication between IPA
> and the CA should happen via the HTTPS secured via Certificates issued
> by the CA.

Right, this has never been in question AFAIK.

> Once the replication process starts, the file generated by ipa-prepare
> replicate should not need an passwords. Instead, when the replicated
> server is installed, the user performing the install should get a ticket
> as an administrative user. All authentication for the replication should
> be based on that ticket.
>
> The very first step is to install an new Directory server for IPA. For
> this, the replication process can generate a single use password and use
> it as the Directory server password for the local instance. Next, the
> ticket for the adminiustrative user should be used to download a keytab
> for the Directory Server to use when communicating back to the original
> IPA directory server.With these keytab in place, the replicated IPA DS
> should be able to talk to the original IPA DS and establish the
> replication agreement. At this point, the single use password should be
> disabled.

I think you mean the first step is to create a 389-ds instance for the 
CA, right?

Why not simply pre-create the keytab and ship it in the prepared file?

There is no need to disable the random DM password. Once the 
installation is complete it will be unknown so effectively disabled.

> Once the IPA Directory server has been replicated, we can either use the
> original keytab or download a second keytab to establish a replication
> agreement between the replicated CA directory server and the original CA
> directory server. The process would look the same as setting up the
> keytab for the IPA directory server.
>
> Why don't we do this now?

Because of permission issues writing the relevant entries to cn=config.

rob



From ohamada at redhat.com  Tue Oct 25 13:29:15 2011
From: ohamada at redhat.com (Ondrej Hamada)
Date: Tue, 25 Oct 2011 15:29:15 +0200
Subject: [Freeipa-devel] [PATCH] 1 Do lazy initializiation ipalib
Message-ID: <4EA6B9AB.60801@redhat.com>

https://fedorahosted.org/freeipa/ticket/1336

Lazy initialization of ipalib plugins is used under all contexts, not 
only when context = cli. Every loaded plugin is pre-finalized - a flag 
is set, which means, that the plugin needs to be finalized. Then every 
call of plugin's __gettattr__ checks the flag and finalizes the plugin 
if necessary. The code was implemented by jcholast. Time reduction of 
commands execution is quite markable:

patch [s] |   normal [s]    |   command
-----------------------------------------------------------------------
1.468      |       2.287       |   ipa user-add jsmith --firt=john 
--last=smith
1.658      |       2.235       |   ipa user-del jsmith
1.624      |       2.204       |   ipa dnsrecord-find example.com

-- 
Regards,

Ondrej Hamada
FreeIPA team
jabber: ohama at jabbim.cz
IRC: ohamada

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-ohamada-1-do-lazy-initialization-ipalib.patch
Type: text/x-patch
Size: 1569 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111025/d7b4c45a/attachment.bin>

From mkosek at redhat.com  Tue Oct 25 14:01:07 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 25 Oct 2011 16:01:07 +0200
Subject: [Freeipa-devel] [PATCH] 1 Do lazy initializiation ipalib
In-Reply-To: <4EA6B9AB.60801@redhat.com>
References: <4EA6B9AB.60801@redhat.com>
Message-ID: <1319551270.14006.20.camel@balmora.brq.redhat.com>

On Tue, 2011-10-25 at 15:29 +0200, Ondrej Hamada wrote:
> https://fedorahosted.org/freeipa/ticket/1336
> 
> Lazy initialization of ipalib plugins is used under all contexts, not 
> only when context = cli. Every loaded plugin is pre-finalized - a flag 
> is set, which means, that the plugin needs to be finalized. Then every 
> call of plugin's __gettattr__ checks the flag and finalizes the plugin 
> if necessary. The code was implemented by jcholast. Time reduction of 
> commands execution is quite markable:
> 
> patch [s] |   normal [s]    |   command
> -----------------------------------------------------------------------
> 1.468      |       2.287       |   ipa user-add jsmith --firt=john 
> --last=smith
> 1.658      |       2.235       |   ipa user-del jsmith
> 1.624      |       2.204       |   ipa dnsrecord-find example.com
> 

Thanks for submitting the patch. Ondra, just please provide the patch in
proper format (exported via command `git format-patch -M -C --patience
--full-index -1' which I sent you earlier).

Martin




From mkosek at redhat.com  Tue Oct 25 14:11:25 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 25 Oct 2011 16:11:25 +0200
Subject: [Freeipa-devel] [PATCH] 155 Fix ipa-managed-entries bind procedure
Message-ID: <1319551888.14006.21.camel@balmora.brq.redhat.com>

Make sure that when Directory Manager password is entered,
we directly do a simple bind instead of trying binding via GSSAPI.
Also capture ldap.INVALID_CREDENTIALS exception and provide nice
error message than crash.

https://fedorahosted.org/freeipa/ticket/1927

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-155-fix-ipa-managed-entries-bind-procedure.patch
Type: text/x-patch
Size: 2064 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111025/137b7165/attachment.bin>

From pvoborni at redhat.com  Tue Oct 25 14:20:35 2011
From: pvoborni at redhat.com (Petr Vobornik)
Date: Tue, 25 Oct 2011 16:20:35 +0200
Subject: [Freeipa-devel] [PATCH] 295 Fixed inconsistent
 required/optional attributes.
In-Reply-To: <4EA5CE02.505@redhat.com>
References: <4EA07809.2000709@redhat.com> <4EA15A25.70003@redhat.com>
	<4EA5CE02.505@redhat.com>
Message-ID: <4EA6C5B3.1060005@redhat.com>

On 10/24/2011 10:43 PM, Endi Sukma Dewata wrote:
> On 10/21/2011 6:40 AM, Petr Vobornik wrote:
>> 1) Wouldn't be better if the asterisk has different color than the
>> label? Visually I don't like it that much and I think it can be
>> overlook. Attaching a proposition. I used green IPAish color because red
>> usually means error.
>>
>> Code from browser how it was done:
>>
>> <td class="section-cell-label" title="First name"><label
>> name="givenname" class="field-label">First name:</label><span
>> class="required" style="
>> float: right;
>> font-weight: bold;
>> color: #319016;
>> font-size: 20px;
>> " title="required">*</span></td>
>>
>> (style should be moved to css file)
>>
>>
>> <div style="line-height: 25px;"><span class="required" style="
>> font-weight: bold;
>> color: #319016;
>> font-size: 20px;
>> vertical-align: middle;
>> ">*</span> required</div>
>>
>> It may vary on the section type.
>
> Fixed. I couldn't use the exact style above because it looks a bit weird
> in the details page since the labels are right aligned. I use red for
> now because it can also mean 'important', but we can adjust this again
> later.
>
>> 2) When rendering label, we should also obtain field input's id (if
>> possible) for 'for' attribute of <label>. This can be done separately.
>
> I'd rather avoid using ID in a dynamic app like this. Adding ID into the
> fields is possible, but we'd have to do it very carefully to avoid
> conflicts.
>
>> 3) Should we create some common pure html widgets with certain
>> semantics?
>
> We can, but as discussed elsewhere, we have to fix the current
> assumption first: each widget correspond to an attribute, it currently
> has properties and methods (e.g. metadata, load(), save()) that are only
> valid on attributes.
>
>> IE asterisk shouldn't be directly concatenated with label
>> text. It is used on more than one place which may cause maintenance
>> issues.
>>
>> IPA.form(or some other name).required_indicator = function() {
>> return '*'
>> };
>>
>> in this case this seems unnecessary. But if the required indicator was
>> like in 1) it will be useful.
>
> Fixed.
>
>> Summary:
>> All 3 points are nice to have. If you think is not necessary then ACK.
>>
>> This patch is also fixing https://fedorahosted.org/freeipa/ticket/1973 .
>
> Noted in the new patch.
>

ACK

Also proposing minor visual enhancement (see attached patch).

-- 
Petr Vobornik

-------------- next part --------------
A non-text attachment was scrubbed...
Name: wip-freeipa-pvoborni-0005-Minor-visual-enhancement-of-required-indicator.patch
Type: text/x-patch
Size: 1624 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111025/fe14ad9a/attachment.bin>

From ohamada at redhat.com  Tue Oct 25 14:30:00 2011
From: ohamada at redhat.com (Ondrej Hamada)
Date: Tue, 25 Oct 2011 16:30:00 +0200
Subject: [Freeipa-devel] [PATCH] 1 Do lazy initializiation ipalib
In-Reply-To: <1319551270.14006.20.camel@balmora.brq.redhat.com>
References: <4EA6B9AB.60801@redhat.com>
	<1319551270.14006.20.camel@balmora.brq.redhat.com>
Message-ID: <4EA6C7E8.1000301@redhat.com>

On 10/25/2011 04:01 PM, Martin Kosek wrote:
> On Tue, 2011-10-25 at 15:29 +0200, Ondrej Hamada wrote:
>> https://fedorahosted.org/freeipa/ticket/1336
>>
>> Lazy initialization of ipalib plugins is used under all contexts, not
>> only when context = cli. Every loaded plugin is pre-finalized - a flag
>> is set, which means, that the plugin needs to be finalized. Then every
>> call of plugin's __gettattr__ checks the flag and finalizes the plugin
>> if necessary. The code was implemented by jcholast. Time reduction of
>> commands execution is quite markable:
>>
>> patch [s] |   normal [s]    |   command
>> -----------------------------------------------------------------------
>> 1.468      |       2.287       |   ipa user-add jsmith --firt=john
>> --last=smith
>> 1.658      |       2.235       |   ipa user-del jsmith
>> 1.624      |       2.204       |   ipa dnsrecord-find example.com
>>
> Thanks for submitting the patch. Ondra, just please provide the patch in
> proper format (exported via command `git format-patch -M -C --patience
> --full-index -1' which I sent you earlier).
>
> Martin
>
>
Sorry, correct version attached

-- 
Regards,

Ondrej Hamada
FreeIPA team
jabber: ohama at jabbim.cz
IRC: ohamada

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-ohamada-1-do-lazy-initialization-ipalib.patch
Type: text/x-patch
Size: 1944 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111025/52a651c7/attachment.bin>

From edewata at redhat.com  Tue Oct 25 15:16:05 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 25 Oct 2011 10:16:05 -0500
Subject: [Freeipa-devel] [PATCH] 295 Fixed inconsistent
 required/optional attributes.
In-Reply-To: <4EA6C5B3.1060005@redhat.com>
References: <4EA07809.2000709@redhat.com> <4EA15A25.70003@redhat.com>
	<4EA5CE02.505@redhat.com> <4EA6C5B3.1060005@redhat.com>
Message-ID: <4EA6D2B5.8030207@redhat.com>

On 10/25/2011 9:20 AM, Petr Vobornik wrote:
> ACK

Pushed to master.

> Also proposing minor visual enhancement (see attached patch).

ACK and pushed to master.

-- 
Endi S. Dewata



From pvoborni at redhat.com  Tue Oct 25 15:40:04 2011
From: pvoborni at redhat.com (Petr Vobornik)
Date: Tue, 25 Oct 2011 17:40:04 +0200
Subject: [Freeipa-devel] [PATCH] 296 Removed HBAC deny rule warning.
In-Reply-To: <4EA5FC44.2090509@redhat.com>
References: <4EA5FC44.2090509@redhat.com>
Message-ID: <4EA6D854.8000706@redhat.com>

On 10/25/2011 02:01 AM, Endi Sukma Dewata wrote:
> The HBAC deny rule is no longer supported so it's no longer necessary
> to show the warning.
>
> Ticket #1444
>

Just a minor things:

1) Some references remained in testing data: hbacrule_find.json, 
hbacrule_show.json. Anyway these don't do any harm.

2) Remaining string in internal.py: hbacrule.deny (couldn't find any usage).

Maybe these don't even need to be fixed. (-> ACK on your judgement)

-- 
Petr Vobornik



From abokovoy at redhat.com  Tue Oct 25 15:44:21 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 25 Oct 2011 18:44:21 +0300
Subject: [Freeipa-devel] [PATCH] 0030 Quote worker option
Message-ID: <20111025154420.GC9038@redhat.com>

https://fedorahosted.org/freeipa/ticket/2023

-- 
/ Alexander Bokovoy
-------------- next part --------------
>From 29eb102e9319eff837d71e4da6ad45796f3e7868 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy at redhat.com>
Date: Tue, 25 Oct 2011 18:41:32 +0300
Subject: [PATCH] Quote multiple workers option

https://fedorahosted.org/freeipa/ticket/2023
---
 ipaserver/install/krbinstance.py |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index b4f0a5446be0dfb1621e256b65ac34906df7351e..ce70c231dfb7e7b6b59c0496721cced0d09f1604 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -365,7 +365,7 @@ class KrbInstance(service.Service):
         replacevars = {'KRB5REALM':self.realm}
         appendvars = {}
         if workers and cpus > 1:
-            appendvars = {'KRB5KDC_ARGS': "-w %s" % str(cpus)}
+            appendvars = {'KRB5KDC_ARGS': "'-w %s'" % str(cpus)}
         ipautil.backup_config_and_replace_variables(self.fstore, "/etc/sysconfig/krb5kdc",
                                                     replacevars=replacevars,
                                                     appendvars=appendvars)
-- 
1.7.7


From mkosek at redhat.com  Tue Oct 25 16:15:14 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 25 Oct 2011 18:15:14 +0200
Subject: [Freeipa-devel] [PATCH] 0030 Quote worker option
In-Reply-To: <20111025154420.GC9038@redhat.com>
References: <20111025154420.GC9038@redhat.com>
Message-ID: <1319559318.12717.8.camel@balmora.brq.redhat.com>

On Tue, 2011-10-25 at 18:44 +0300, Alexander Bokovoy wrote:
> https://fedorahosted.org/freeipa/ticket/2023
> 

ACK. Pushed to master, ipa-2-1.

Martin



From edewata at redhat.com  Tue Oct 25 17:57:01 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 25 Oct 2011 12:57:01 -0500
Subject: [Freeipa-devel] [PATCH] 028 Code cleanup of HBAC, Sudo rules
In-Reply-To: <4EA6B041.5090204@redhat.com>
References: <4EA521FF.7020405@redhat.com> <4EA59250.8040506@redhat.com>
	<4EA6B041.5090204@redhat.com>
Message-ID: <4EA6F86D.4070706@redhat.com>

On 10/25/2011 7:49 AM, Petr Vobornik wrote:
>> 2. The set_facet() is added to widget. I don't think we want to make
>> widget dependent on facet. The facet so far is only used by
>> IPA.sudo.enable_widget. In IPA.sudo.options_section the facet object is
>> passed as a parameter in spec.

> Are you saying that dependency on facet in ALL widgets is bad and only
> in a few is good, or in any is bad?

In general less dependency is better. More dependency will limit its 
usage. This is inline with the goal to make purely HTML widget.

But if a widget is meant to be used only with a facet then it's 
certainly ok to make it depends on facet. However, the rest should not 
become unnecessarily dependent on facet too.

> I think it doesn't matter if all is dependant when one is dependant.
>
> Anyway currently all association table widgets are dependant
> (association.js:386).

Let's use this as an example. The association table explicitly checks if 
the facet is dirty and asks the user whether to update/reset/cancel. 
Suppose we want to use this inside a dialog, it will still check whether 
the current facet is dirty instead of the dialog itself, which may not 
be what we want.

> Btw similar topic could be: "How to get current entity's pkey?'.
> Dependancy on facet.get_primary_key() or
> IPA.nav.get_state(that.entity.name+'-pkey') seems wrong too.

Yes. Ideally we should have a path (REST-style URL) instead of the 
current parameter-based URL. We should get the pkey from that path.

>> 3. When updating sudo rule, in the original code the rule is
>> enabled/disabled after all the modifications are done. In the new code
>> it's reversed. I'm not sure the importance of the execution order for
>> this particular situation, but suppose it is, is there a way to maintain
>> the original order?
>
> I was thinking about a command or widget priority. The 'mod' command
> would have some default priority or it would get it from facet. The
> commands would be sorted by priority before adding them to batch. This
> way we can set exact order in facet update.

It's possible, but managing priority could be problematic if they are 
spread out, because we have to know all existing priorities before we 
can add a new one. The original code uses an ordered list of commands.

> The order which is implemented now is reflecting the order in HBAC
> details facet - there were errors when 'mod' was executed before
> clearing associations.

Right, so for certain things the order is important.

>> 4. The IPA.header_widget is not really a widget, it's actually part of
>> layout. In the current implementation a widget always corresponds to an
>> attribute, so it will be loaded, saved, etc. Since there is no attribute
>> name matching the header name currently this is not a problem, but it
>> can pollute the namespace.
>
> This is part of widget nesting topic. In this manner composite_widget
> isn't a proper widget too (it can correspond to several or none attribute).
>
> Purely html rendering widgets can be separated from attribute widgets,
> but it would be nice to have them because they can provide easier form
> composing. Without them it would be required to override the create
> method (in facet or composite_widget/section) which is sometimes better
> but often it creates only code duplication with little added logic.

One other solution is to split widgets into non-visual fields and purely 
HTML components. Then in the facet we use separate lists for the fields 
and HTML components. The fields will have a reference to the 
corresponding HTML components. There can be more HTML components than 
fields. But this will require a significant restructuring.

>> 5. In details facet update(), instead of storing the callbacks in
>> update_custom_on_win and update_custom_on_fail and requiring the
>> subclasses to call them, it might be better to call them from the
>> update() itself:
>>
>> var command = IPA.command({
>> ...
>> on_success: function(data, text_status, xhr) {
>> that.on_update_success(data, text_status, xhr)
>> if (on_win) on_win.call(this, data, text_status, xhr);
>> },
>> on_error: function(xhr, text_status, error_thrown) {
>> that.on_update_error(xhr, text_status, error_thrown);
>> if (on_fail) on_fail.call(
>> this, xhr, text_status, error_thrown);
>> }
>> });
>
> There are two types of success/error handlers:
> 1) the default ones in details facet
> 2) the ones supplied to update(win, fail) method.
>
> In my implementation I have separated 1) from update method so if
> default behaviour isn't suitable these methods can be overridden without
> overriding whole update method. Overriding isn't required. This is IMHO
> good (less code duplication).

There is still code duplication, the subclass that overrides the 
on_update_success/error (#1) will still have to call 
update_custom_on_win/error (#2) manually. In the changes that I proposed 
you don't have to do that because #2 are called inside update().

>> 6. Can IPA.batch_details_facet be combined into IPA.details_facet? I
>> think the base details facet should support both regular mod and batch.
>
> The only point where they overlap is the update method. It's possible to
> add a logic to switch between command creations - maybe based on
> attribute (could be defined in spec). But should we do that? Isn't this
> the reason for inheriting the class?

Here's a scenario: suppose there's a subclass of IPA.details_facet that 
are so useful that it's used in many places. Then suppose we want to 
create a subclass of it but we want to do batch operation too, we'd have 
to copy the code from IPA.batch_details_facet.

I think the decision to use mod or batch should be separate from details 
facet. I'm thinking to create a separate class IPA.client which we can 
add commands into it and execute them either individually or as a batch.

-- 
Endi S. Dewata



From rcritten at redhat.com  Tue Oct 25 19:57:25 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 25 Oct 2011 15:57:25 -0400
Subject: [Freeipa-devel] [PATCH] 151 Add --zonemgr validator
In-Reply-To: <1319474382.1960.1.camel@priserak>
References: <1318585856.9468.7.camel@balmora.brq.redhat.com>
	<4E987B52.4060700@redhat.com>
	<1318835375.26757.2.camel@balmora.brq.redhat.com>
	<4EA19051.6070206@redhat.com>
	<1319443884.32666.3.camel@balmora.brq.redhat.com>
	<4EA56201.3040102@redhat.com>
	<1319468888.32666.18.camel@balmora.brq.redhat.com>
	<1319474382.1960.1.camel@priserak>
Message-ID: <4EA714A5.9050100@redhat.com>

Martin Kosek wrote:
> On Mon, 2011-10-24 at 17:08 +0200, Martin Kosek wrote:
>> On Mon, 2011-10-24 at 09:02 -0400, Rob Crittenden wrote:
>>> Martin Kosek wrote:
>>>> On Fri, 2011-10-21 at 11:31 -0400, Rob Crittenden wrote:
>>>>> Martin Kosek wrote:
>>>>>> On Fri, 2011-10-14 at 14:11 -0400, Rob Crittenden wrote:
>>>>>>> Martin Kosek wrote:
>>>>>>>> Do at least a basic validation of DNS zone manager mail address.
>>>>>>>>
>>>>>>>> Do not require '@' to be in the mail address as it is not used
>>>>>>>> in common DNS zone configuration (in bind for example) and people
>>>>>>>> may be used to configure it that way. '@' is always removed by the
>>>>>>>> installer before the DNS zone is created.
>>>>>>>>
>>>>>>>> https://fedorahosted.org/freeipa/ticket/1966
>>>>>>>
>>>>>>> There is already a zonemgr_callback defined for this option, can the
>>>>>>> verify_zonemgr call be either integrated or called from that?
>>>>>>>
>>>>>>> rob
>>>>>>>
>>>>>>
>>>>>> Right. Please, try this one. I also added a parser error when more than
>>>>>> one '@' is in the checked value.
>>>>>>
>>>>>> Martin
>>>>>
>>>>> A couple of things:
>>>>>
>>>>> In the block where you are counting @ why not add an :
>>>>>
>>>>> else:
>>>>>        raise ValueError('address is not fully qualified')
>>>>>
>>>>> rather than looking for '.' in the result? I think it will be clearer
>>>>> that way. I wonder if the error should contain an example as well, are
>>>>> people going to know what a fully-qualified means?
>>>>>
>>>>> The regex is very strict for e-mail addresses, perhaps too much so. It
>>>>> doesn't allow upper-case characters, periods or _, both of which are
>>>>> allowed in login names. A common e-mail format is first.last at domain.
>>>>>
>>>>> rob
>>>>
>>>> I reorganized the validator a little and let people enter _ in the
>>>> domain name. I also added a small explanation of what we mean by
>>>> fully-qualified.
>>>>
>>>> Since we have the zonemgr validator available, why not use it for the
>>>> DNS plugin too? I enhanced the plugin to use this validator too. Please,
>>>> see attached patch.
>>>>
>>>> Martin
>>>
>>> NACK, a client might not have the server sub-package installed so the
>>> import of bindinstance will fail.
>>>
>>> I think that moving the validator into dns.py as a central location
>>> should work though.
>>>
>>> Otherwise looks good.
>>>
>>> rob
>>
>> Thanks. I didn't realize that user can have freeipa-admintools without
>> freeipa-server installed.
>>
>> I placed the validator to ipalib/util.py as we cannot place it to the
>> dns plugin directly as all our plugins assume that we have initialized
>> api.
>>
>> Updated patch attached.
>>
>> Martin
>
> And now also with API.txt change. This patch must be cursed or
> something.
>
> No need to bump API version, just the validator has been added.
>
> Martin

ACK



From rcritten at redhat.com  Tue Oct 25 19:58:23 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 25 Oct 2011 15:58:23 -0400
Subject: [Freeipa-devel] [PATCH] 136 Fix ipa-managed-entries password
 option long form
In-Reply-To: <1317718466.27486.16.camel@dhcp-25-52.brq.redhat.com>
References: <1317718466.27486.16.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4EA714DF.20603@redhat.com>

Martin Kosek wrote:
> https://fedorahosted.org/freeipa/ticket/1913

ACK



From edewata at redhat.com  Tue Oct 25 20:10:41 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 25 Oct 2011 15:10:41 -0500
Subject: [Freeipa-devel] [PATCH] 296 Removed HBAC deny rule warning.
In-Reply-To: <4EA6D854.8000706@redhat.com>
References: <4EA5FC44.2090509@redhat.com> <4EA6D854.8000706@redhat.com>
Message-ID: <4EA717C1.1070705@redhat.com>

On 10/25/2011 10:40 AM, Petr Vobornik wrote:
> 1) Some references remained in testing data: hbacrule_find.json,
> hbacrule_show.json. Anyway these don't do any harm.

Fixed.

> 2) Remaining string in internal.py: hbacrule.deny (couldn't find any
> usage).

The hbacrule.allow isn't used either. Fixed ipa_init.json too.

-- 
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0296-2-Removed-HBAC-deny-rule-warning.patch
Type: text/x-patch
Size: 16743 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111025/5f790596/attachment.bin>

From edewata at redhat.com  Tue Oct 25 20:12:43 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 25 Oct 2011 15:12:43 -0500
Subject: [Freeipa-devel] [PATCH] 298 Fixed host Enrolled column.
Message-ID: <4EA7183B.5030801@redhat.com>

The Enrolled column in the host search page has been added back
to show the host enrollment status based on has_keytab attribute.

Ticket #2020

-- 
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0298-Fixed-host-Enrolled-column.patch
Type: text/x-patch
Size: 5418 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111025/f0d05783/attachment.bin>

From rcritten at redhat.com  Tue Oct 25 20:30:41 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 25 Oct 2011 16:30:41 -0400
Subject: [Freeipa-devel] [PATCH] 1 Do lazy initializiation ipalib
In-Reply-To: <4EA6C7E8.1000301@redhat.com>
References: <4EA6B9AB.60801@redhat.com>
	<1319551270.14006.20.camel@balmora.brq.redhat.com>
	<4EA6C7E8.1000301@redhat.com>
Message-ID: <4EA71C71.6070500@redhat.com>

Ondrej Hamada wrote:
> On 10/25/2011 04:01 PM, Martin Kosek wrote:
>> On Tue, 2011-10-25 at 15:29 +0200, Ondrej Hamada wrote:
>>> https://fedorahosted.org/freeipa/ticket/1336
>>>
>>> Lazy initialization of ipalib plugins is used under all contexts, not
>>> only when context = cli. Every loaded plugin is pre-finalized - a flag
>>> is set, which means, that the plugin needs to be finalized. Then every
>>> call of plugin's __gettattr__ checks the flag and finalizes the plugin
>>> if necessary. The code was implemented by jcholast. Time reduction of
>>> commands execution is quite markable:
>>>
>>> patch [s] | normal [s] | command
>>> -----------------------------------------------------------------------
>>> 1.468 | 2.287 | ipa user-add jsmith --firt=john
>>> --last=smith
>>> 1.658 | 2.235 | ipa user-del jsmith
>>> 1.624 | 2.204 | ipa dnsrecord-find example.com
>>>
>> Thanks for submitting the patch. Ondra, just please provide the patch in
>> proper format (exported via command `git format-patch -M -C --patience
>> --full-index -1' which I sent you earlier).
>>
>> Martin
>>
>>
> Sorry, correct version attached

Wow, this is very impressive, great job Ondra and Honza!

Martin, ACK from me but I'd like a second opinion. The patch is very 
straightforward and clean, just want to make sure we're not missing a 
corner case.

I ran the self-tests and didn't see any problem there.

Before pushing please add the ticket # to the commit.

rob



From jdennis at redhat.com  Tue Oct 25 21:24:46 2011
From: jdennis at redhat.com (John Dennis)
Date: Tue, 25 Oct 2011 17:24:46 -0400
Subject: [Freeipa-devel] ipalib vs. ipapython?
Message-ID: <4EA7291E.70105@redhat.com>

Usually when I look at a source code directory layout it's fairly 
obvious what belongs in each directory. I'll be honest, I've never quite 
understood the role of ipapython vs. ipalib. From time to time I have to 
do some code refactoring, especially in the context of introducing 
common code meant to be shared across a variety of places in the code base.

So what is the role of ipalib vs. ipapython? What are their intended 
purposes? What guidelines should be followed when determining where 
shared code is located?

John

-- 
John Dennis <jdennis at redhat.com>

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



From mkosek at redhat.com  Wed Oct 26 06:50:22 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 26 Oct 2011 08:50:22 +0200
Subject: [Freeipa-devel] ipalib vs. ipapython?
In-Reply-To: <4EA7291E.70105@redhat.com>
References: <4EA7291E.70105@redhat.com>
Message-ID: <1319611824.27433.13.camel@balmora.brq.redhat.com>

On Tue, 2011-10-25 at 17:24 -0400, John Dennis wrote:
> Usually when I look at a source code directory layout it's fairly 
> obvious what belongs in each directory. I'll be honest, I've never quite 
> understood the role of ipapython vs. ipalib. From time to time I have to 
> do some code refactoring, especially in the context of introducing 
> common code meant to be shared across a variety of places in the code base.
> 
> So what is the role of ipalib vs. ipapython? What are their intended 
> purposes? What guidelines should be followed when determining where 
> shared code is located?
> 
> John
> 

AFAIU, these modules differs as where and how they can be used:
- ipalib: only stuff used in our server framework for LDAP operations
should be here. Its for both freeipa-server and freeipa-client packages
- ipaserver: installation + server related stuff, mainly command line
tools. Only with freeipa-server
- ipapython: both installation related stuff and general functions and
classes used in entire project. A place to store code that can be used
both in ipa-client-install and server. Its a required package for both
freeipa-server and freeipa-client

Maybe Rob can extend.

Martin



From mkosek at redhat.com  Wed Oct 26 06:54:09 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 26 Oct 2011 08:54:09 +0200
Subject: [Freeipa-devel] [PATCH] 151 Add --zonemgr validator
In-Reply-To: <4EA714A5.9050100@redhat.com>
References: <1318585856.9468.7.camel@balmora.brq.redhat.com>
	<4E987B52.4060700@redhat.com>
	<1318835375.26757.2.camel@balmora.brq.redhat.com>
	<4EA19051.6070206@redhat.com>
	<1319443884.32666.3.camel@balmora.brq.redhat.com>
	<4EA56201.3040102@redhat.com>
	<1319468888.32666.18.camel@balmora.brq.redhat.com>
	<1319474382.1960.1.camel@priserak> <4EA714A5.9050100@redhat.com>
Message-ID: <1319612051.27433.14.camel@balmora.brq.redhat.com>

On Tue, 2011-10-25 at 15:57 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > On Mon, 2011-10-24 at 17:08 +0200, Martin Kosek wrote:
> >> On Mon, 2011-10-24 at 09:02 -0400, Rob Crittenden wrote:
> >>> Martin Kosek wrote:
> >>>> On Fri, 2011-10-21 at 11:31 -0400, Rob Crittenden wrote:
> >>>>> Martin Kosek wrote:
> >>>>>> On Fri, 2011-10-14 at 14:11 -0400, Rob Crittenden wrote:
> >>>>>>> Martin Kosek wrote:
> >>>>>>>> Do at least a basic validation of DNS zone manager mail address.
> >>>>>>>>
> >>>>>>>> Do not require '@' to be in the mail address as it is not used
> >>>>>>>> in common DNS zone configuration (in bind for example) and people
> >>>>>>>> may be used to configure it that way. '@' is always removed by the
> >>>>>>>> installer before the DNS zone is created.
> >>>>>>>>
> >>>>>>>> https://fedorahosted.org/freeipa/ticket/1966
> >>>>>>>
> >>>>>>> There is already a zonemgr_callback defined for this option, can the
> >>>>>>> verify_zonemgr call be either integrated or called from that?
> >>>>>>>
> >>>>>>> rob
> >>>>>>>
> >>>>>>
> >>>>>> Right. Please, try this one. I also added a parser error when more than
> >>>>>> one '@' is in the checked value.
> >>>>>>
> >>>>>> Martin
> >>>>>
> >>>>> A couple of things:
> >>>>>
> >>>>> In the block where you are counting @ why not add an :
> >>>>>
> >>>>> else:
> >>>>>        raise ValueError('address is not fully qualified')
> >>>>>
> >>>>> rather than looking for '.' in the result? I think it will be clearer
> >>>>> that way. I wonder if the error should contain an example as well, are
> >>>>> people going to know what a fully-qualified means?
> >>>>>
> >>>>> The regex is very strict for e-mail addresses, perhaps too much so. It
> >>>>> doesn't allow upper-case characters, periods or _, both of which are
> >>>>> allowed in login names. A common e-mail format is first.last at domain.
> >>>>>
> >>>>> rob
> >>>>
> >>>> I reorganized the validator a little and let people enter _ in the
> >>>> domain name. I also added a small explanation of what we mean by
> >>>> fully-qualified.
> >>>>
> >>>> Since we have the zonemgr validator available, why not use it for the
> >>>> DNS plugin too? I enhanced the plugin to use this validator too. Please,
> >>>> see attached patch.
> >>>>
> >>>> Martin
> >>>
> >>> NACK, a client might not have the server sub-package installed so the
> >>> import of bindinstance will fail.
> >>>
> >>> I think that moving the validator into dns.py as a central location
> >>> should work though.
> >>>
> >>> Otherwise looks good.
> >>>
> >>> rob
> >>
> >> Thanks. I didn't realize that user can have freeipa-admintools without
> >> freeipa-server installed.
> >>
> >> I placed the validator to ipalib/util.py as we cannot place it to the
> >> dns plugin directly as all our plugins assume that we have initialized
> >> api.
> >>
> >> Updated patch attached.
> >>
> >> Martin
> >
> > And now also with API.txt change. This patch must be cursed or
> > something.
> >
> > No need to bump API version, just the validator has been added.
> >
> > Martin
> 
> ACK

Pushed to master.

Martin



From mkosek at redhat.com  Wed Oct 26 06:57:02 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 26 Oct 2011 08:57:02 +0200
Subject: [Freeipa-devel] [PATCH] 136 Fix ipa-managed-entries password
 option long form
In-Reply-To: <4EA714DF.20603@redhat.com>
References: <1317718466.27486.16.camel@dhcp-25-52.brq.redhat.com>
	<4EA714DF.20603@redhat.com>
Message-ID: <1319612224.27433.15.camel@balmora.brq.redhat.com>

On Tue, 2011-10-25 at 15:58 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > https://fedorahosted.org/freeipa/ticket/1913
> 
> ACK
> 

Pushed to master, ipa-2-1.

Martin



From pvoborni at redhat.com  Wed Oct 26 07:29:55 2011
From: pvoborni at redhat.com (Petr Vobornik)
Date: Wed, 26 Oct 2011 09:29:55 +0200
Subject: [Freeipa-devel] [PATCH] 296 Removed HBAC deny rule warning.
In-Reply-To: <4EA717C1.1070705@redhat.com>
References: <4EA5FC44.2090509@redhat.com> <4EA6D854.8000706@redhat.com>
	<4EA717C1.1070705@redhat.com>
Message-ID: <4EA7B6F3.8080807@redhat.com>

On 10/25/2011 10:10 PM, Endi Sukma Dewata wrote:
> On 10/25/2011 10:40 AM, Petr Vobornik wrote:
>> 1) Some references remained in testing data: hbacrule_find.json,
>> hbacrule_show.json. Anyway these don't do any harm.
>
> Fixed.
>
>> 2) Remaining string in internal.py: hbacrule.deny (couldn't find any
>> usage).
>
> The hbacrule.allow isn't used either. Fixed ipa_init.json too.
>
ACK

-- 
Petr Vobornik



From pvoborni at redhat.com  Wed Oct 26 07:49:45 2011
From: pvoborni at redhat.com (Petr Vobornik)
Date: Wed, 26 Oct 2011 09:49:45 +0200
Subject: [Freeipa-devel] [PATCH] 298 Fixed host Enrolled column.
In-Reply-To: <4EA7183B.5030801@redhat.com>
References: <4EA7183B.5030801@redhat.com>
Message-ID: <4EA7BB99.8000309@redhat.com>

On 10/25/2011 10:12 PM, Endi Sukma Dewata wrote:
> The Enrolled column in the host search page has been added back
> to show the host enrollment status based on has_keytab attribute.
>
> Ticket #2020
>

UI directly shows the value (true/false) of has_keytab in the column. 
This is wrong when using different language. It should be translated. We 
can fix it separately, it is also present in SUDO rules search facet.

-- 
Petr Vobornik



From mkosek at redhat.com  Wed Oct 26 09:29:06 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 26 Oct 2011 11:29:06 +0200
Subject: [Freeipa-devel] [PATCH] 156 Create pkey-only option for find
	commands
Message-ID: <1319621348.27433.19.camel@balmora.brq.redhat.com>

WebUI guys, please check if this behavior meet your expectations.

Thanks,
Martin

----
New option --pkey-only is available for all LDAPSearch based classes
with primary key visible in the output. This option makes LDAPSearch
commands search for primary attribute only.

This may be useful when manipulating large data sets. User can at
first retrieve all primary keys in a relatively small data package
and then run further commands with retrieved primary keys.

https://fedorahosted.org/freeipa/ticket/1262

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-156-create-pkey-only-option-for-find-commands.patch
Type: text/x-patch
Size: 42400 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111026/36f74965/attachment.bin>

From jcholast at redhat.com  Wed Oct 26 09:39:26 2011
From: jcholast at redhat.com (Jan Cholasta)
Date: Wed, 26 Oct 2011 11:39:26 +0200
Subject: [Freeipa-devel] [PATCH] 1 Do lazy initializiation ipalib
In-Reply-To: <4EA71C71.6070500@redhat.com>
References: <4EA6B9AB.60801@redhat.com>
	<1319551270.14006.20.camel@balmora.brq.redhat.com>
	<4EA6C7E8.1000301@redhat.com> <4EA71C71.6070500@redhat.com>
Message-ID: <4EA7D54E.3010300@redhat.com>

Dne 25.10.2011 22:30, Rob Crittenden napsal(a):
> Ondrej Hamada wrote:
>> On 10/25/2011 04:01 PM, Martin Kosek wrote:
>>> On Tue, 2011-10-25 at 15:29 +0200, Ondrej Hamada wrote:
>>>> https://fedorahosted.org/freeipa/ticket/1336
>>>>
>>>> Lazy initialization of ipalib plugins is used under all contexts, not
>>>> only when context = cli. Every loaded plugin is pre-finalized - a flag
>>>> is set, which means, that the plugin needs to be finalized. Then every
>>>> call of plugin's __gettattr__ checks the flag and finalizes the plugin
>>>> if necessary. The code was implemented by jcholast. Time reduction of
>>>> commands execution is quite markable:
>>>>
>>>> patch [s] | normal [s] | command
>>>> -----------------------------------------------------------------------
>>>> 1.468 | 2.287 | ipa user-add jsmith --firt=john
>>>> --last=smith
>>>> 1.658 | 2.235 | ipa user-del jsmith
>>>> 1.624 | 2.204 | ipa dnsrecord-find example.com
>>>>
>>> Thanks for submitting the patch. Ondra, just please provide the patch in
>>> proper format (exported via command `git format-patch -M -C --patience
>>> --full-index -1' which I sent you earlier).
>>>
>>> Martin
>>>
>>>
>> Sorry, correct version attached
>
> Wow, this is very impressive, great job Ondra and Honza!
>
> Martin, ACK from me but I'd like a second opinion. The patch is very
> straightforward and clean, just want to make sure we're not missing a
> corner case.
>
> I ran the self-tests and didn't see any problem there.
>
> Before pushing please add the ticket # to the commit.
>
> rob
>

I've just remembered that special methods aren't looked up through 
__getattribute__ (see the note at 
http://docs.python.org/reference/datamodel.html#more-attribute-access-for-new-style-classes). 
That might possibly cause problems in Command and subclasses, because it 
uses __call__.

Honza

-- 
Jan Cholasta



From pvoborni at redhat.com  Wed Oct 26 12:09:51 2011
From: pvoborni at redhat.com (Petr Vobornik)
Date: Wed, 26 Oct 2011 14:09:51 +0200
Subject: [Freeipa-devel] [PATCH] 297 Fixed "enroll" labels.
In-Reply-To: <4EA6ABB7.70805@redhat.com>
References: <4EA6ABB7.70805@redhat.com>
Message-ID: <4EA7F88F.2090508@redhat.com>

On 10/25/2011 02:29 PM, Endi Sukma Dewata wrote:
> Labels using the word "enroll" (except for host enrollment) have
> been modified to use more relevant words.
>
> The IPA.add_dialog has been renamed into IPA.entity_adder_dialog
> for clarity.
>
> Ticket #1642
>

1) add_dialog was renamed to entity_adder_dialog but its method 
add_dialog_create wasn't renamed

-- 
Petr Vobornik



From edewata at redhat.com  Wed Oct 26 12:59:31 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 26 Oct 2011 07:59:31 -0500
Subject: [Freeipa-devel] [PATCH] 296 Removed HBAC deny rule warning.
In-Reply-To: <4EA7B6F3.8080807@redhat.com>
References: <4EA5FC44.2090509@redhat.com> <4EA6D854.8000706@redhat.com>
	<4EA717C1.1070705@redhat.com> <4EA7B6F3.8080807@redhat.com>
Message-ID: <4EA80433.7070603@redhat.com>

On 10/26/2011 2:29 AM, Petr Vobornik wrote:
> ACK

Pushed to master.

-- 
Endi S. Dewata



From edewata at redhat.com  Wed Oct 26 13:02:37 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 26 Oct 2011 08:02:37 -0500
Subject: [Freeipa-devel] [PATCH] 298 Fixed host Enrolled column.
In-Reply-To: <4EA7BB99.8000309@redhat.com>
References: <4EA7183B.5030801@redhat.com> <4EA7BB99.8000309@redhat.com>
Message-ID: <4EA804ED.2070405@redhat.com>

On 10/26/2011 2:49 AM, Petr Vobornik wrote:
> UI directly shows the value (true/false) of has_keytab in the column.
> This is wrong when using different language. It should be translated. We
> can fix it separately, it is also present in SUDO rules search facet.

Yes, also boolean values should be capitalized. I'll file separate bugs 
for these issues.

Pushed to master.

-- 
Endi S. Dewata



From mkosek at redhat.com  Wed Oct 26 13:41:10 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 26 Oct 2011 15:41:10 +0200
Subject: [Freeipa-devel] [PATCH] 1 Do lazy initializiation ipalib
In-Reply-To: <4EA7D54E.3010300@redhat.com>
References: <4EA6B9AB.60801@redhat.com>
	<1319551270.14006.20.camel@balmora.brq.redhat.com>
	<4EA6C7E8.1000301@redhat.com> <4EA71C71.6070500@redhat.com>
	<4EA7D54E.3010300@redhat.com>
Message-ID: <1319636472.27433.57.camel@balmora.brq.redhat.com>

On Wed, 2011-10-26 at 11:39 +0200, Jan Cholasta wrote:
> Dne 25.10.2011 22:30, Rob Crittenden napsal(a):
> > Ondrej Hamada wrote:
> >> On 10/25/2011 04:01 PM, Martin Kosek wrote:
> >>> On Tue, 2011-10-25 at 15:29 +0200, Ondrej Hamada wrote:
> >>>> https://fedorahosted.org/freeipa/ticket/1336
> >>>>
> >>>> Lazy initialization of ipalib plugins is used under all contexts, not
> >>>> only when context = cli. Every loaded plugin is pre-finalized - a flag
> >>>> is set, which means, that the plugin needs to be finalized. Then every
> >>>> call of plugin's __gettattr__ checks the flag and finalizes the plugin
> >>>> if necessary. The code was implemented by jcholast. Time reduction of
> >>>> commands execution is quite markable:
> >>>>
> >>>> patch [s] | normal [s] | command
> >>>> -----------------------------------------------------------------------
> >>>> 1.468 | 2.287 | ipa user-add jsmith --firt=john
> >>>> --last=smith
> >>>> 1.658 | 2.235 | ipa user-del jsmith
> >>>> 1.624 | 2.204 | ipa dnsrecord-find example.com
> >>>>
> >>> Thanks for submitting the patch. Ondra, just please provide the patch in
> >>> proper format (exported via command `git format-patch -M -C --patience
> >>> --full-index -1' which I sent you earlier).
> >>>
> >>> Martin
> >>>
> >>>
> >> Sorry, correct version attached
> >
> > Wow, this is very impressive, great job Ondra and Honza!
> >
> > Martin, ACK from me but I'd like a second opinion. The patch is very
> > straightforward and clean, just want to make sure we're not missing a
> > corner case.
> >
> > I ran the self-tests and didn't see any problem there.
> >
> > Before pushing please add the ticket # to the commit.
> >
> > rob
> >
> 
> I've just remembered that special methods aren't looked up through 
> __getattribute__ (see the note at 
> http://docs.python.org/reference/datamodel.html#more-attribute-access-for-new-style-classes). 
> That might possibly cause problems in Command and subclasses, because it 
> uses __call__.
> 
> Honza
> 

This should be investigated. All our unit tests are OK though.

I am also thinking if we shouldn't do this optimization on CLI side only
as the original ticket suggests. As server side loads and finalizes all
plugins just once at httpd start, performance should be OK. Plus, we
would know right after the start that we are ready and there is no
problem with finalizing any component.

Martin



From jcholast at redhat.com  Wed Oct 26 13:52:48 2011
From: jcholast at redhat.com (Jan Cholasta)
Date: Wed, 26 Oct 2011 15:52:48 +0200
Subject: [Freeipa-devel] [PATCH] 1 Do lazy initializiation ipalib
In-Reply-To: <1319636472.27433.57.camel@balmora.brq.redhat.com>
References: <4EA6B9AB.60801@redhat.com>
	<1319551270.14006.20.camel@balmora.brq.redhat.com>
	<4EA6C7E8.1000301@redhat.com> <4EA71C71.6070500@redhat.com>
	<4EA7D54E.3010300@redhat.com>
	<1319636472.27433.57.camel@balmora.brq.redhat.com>
Message-ID: <4EA810B0.5020307@redhat.com>

Dne 26.10.2011 15:41, Martin Kosek napsal(a):
> On Wed, 2011-10-26 at 11:39 +0200, Jan Cholasta wrote:
>> Dne 25.10.2011 22:30, Rob Crittenden napsal(a):
>>> Ondrej Hamada wrote:
>>>> On 10/25/2011 04:01 PM, Martin Kosek wrote:
>>>>> On Tue, 2011-10-25 at 15:29 +0200, Ondrej Hamada wrote:
>>>>>> https://fedorahosted.org/freeipa/ticket/1336
>>>>>>
>>>>>> Lazy initialization of ipalib plugins is used under all contexts, not
>>>>>> only when context = cli. Every loaded plugin is pre-finalized - a flag
>>>>>> is set, which means, that the plugin needs to be finalized. Then every
>>>>>> call of plugin's __gettattr__ checks the flag and finalizes the plugin
>>>>>> if necessary. The code was implemented by jcholast. Time reduction of
>>>>>> commands execution is quite markable:
>>>>>>
>>>>>> patch [s] | normal [s] | command
>>>>>> -----------------------------------------------------------------------
>>>>>> 1.468 | 2.287 | ipa user-add jsmith --firt=john
>>>>>> --last=smith
>>>>>> 1.658 | 2.235 | ipa user-del jsmith
>>>>>> 1.624 | 2.204 | ipa dnsrecord-find example.com
>>>>>>
>>>>> Thanks for submitting the patch. Ondra, just please provide the patch in
>>>>> proper format (exported via command `git format-patch -M -C --patience
>>>>> --full-index -1' which I sent you earlier).
>>>>>
>>>>> Martin
>>>>>
>>>>>
>>>> Sorry, correct version attached
>>>
>>> Wow, this is very impressive, great job Ondra and Honza!
>>>
>>> Martin, ACK from me but I'd like a second opinion. The patch is very
>>> straightforward and clean, just want to make sure we're not missing a
>>> corner case.
>>>
>>> I ran the self-tests and didn't see any problem there.
>>>
>>> Before pushing please add the ticket # to the commit.
>>>
>>> rob
>>>
>>
>> I've just remembered that special methods aren't looked up through
>> __getattribute__ (see the note at
>> http://docs.python.org/reference/datamodel.html#more-attribute-access-for-new-style-classes).
>> That might possibly cause problems in Command and subclasses, because it
>> uses __call__.
>>
>> Honza
>>
>
> This should be investigated. All our unit tests are OK though.
>
> I am also thinking if we shouldn't do this optimization on CLI side only
> as the original ticket suggests. As server side loads and finalizes all
> plugins just once at httpd start, performance should be OK. Plus, we
> would know right after the start that we are ready and there is no
> problem with finalizing any component.
>
> Martin
>

As we discussed earlier - are you sure it works that way? I did a few 
Django-based applications before and I'm pretty sure all mod_wsgi does 
is caching the bytecode, which is run from the beginning for each 
request, like what CLI does.

If it does work the way you described, the worst thing that could happen 
is that the plugins would be finalized the first time they are used and 
then stay initialized until the server terminates.

Honza

-- 
Jan Cholasta



From mkosek at redhat.com  Wed Oct 26 14:39:20 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 26 Oct 2011 16:39:20 +0200
Subject: [Freeipa-devel] [PATCH] 1 Do lazy initializiation ipalib
In-Reply-To: <4EA810B0.5020307@redhat.com>
References: <4EA6B9AB.60801@redhat.com>
	<1319551270.14006.20.camel@balmora.brq.redhat.com>
	<4EA6C7E8.1000301@redhat.com> <4EA71C71.6070500@redhat.com>
	<4EA7D54E.3010300@redhat.com>
	<1319636472.27433.57.camel@balmora.brq.redhat.com>
	<4EA810B0.5020307@redhat.com>
Message-ID: <1319639963.5652.3.camel@balmora.brq.redhat.com>

On Wed, 2011-10-26 at 15:52 +0200, Jan Cholasta wrote:
> Dne 26.10.2011 15:41, Martin Kosek napsal(a):
> > On Wed, 2011-10-26 at 11:39 +0200, Jan Cholasta wrote:
> >> Dne 25.10.2011 22:30, Rob Crittenden napsal(a):
> >>> Ondrej Hamada wrote:
> >>>> On 10/25/2011 04:01 PM, Martin Kosek wrote:
> >>>>> On Tue, 2011-10-25 at 15:29 +0200, Ondrej Hamada wrote:
> >>>>>> https://fedorahosted.org/freeipa/ticket/1336
> >>>>>>
> >>>>>> Lazy initialization of ipalib plugins is used under all contexts, not
> >>>>>> only when context = cli. Every loaded plugin is pre-finalized - a flag
> >>>>>> is set, which means, that the plugin needs to be finalized. Then every
> >>>>>> call of plugin's __gettattr__ checks the flag and finalizes the plugin
> >>>>>> if necessary. The code was implemented by jcholast. Time reduction of
> >>>>>> commands execution is quite markable:
> >>>>>>
> >>>>>> patch [s] | normal [s] | command
> >>>>>> -----------------------------------------------------------------------
> >>>>>> 1.468 | 2.287 | ipa user-add jsmith --firt=john
> >>>>>> --last=smith
> >>>>>> 1.658 | 2.235 | ipa user-del jsmith
> >>>>>> 1.624 | 2.204 | ipa dnsrecord-find example.com
> >>>>>>
> >>>>> Thanks for submitting the patch. Ondra, just please provide the patch in
> >>>>> proper format (exported via command `git format-patch -M -C --patience
> >>>>> --full-index -1' which I sent you earlier).
> >>>>>
> >>>>> Martin
> >>>>>
> >>>>>
> >>>> Sorry, correct version attached
> >>>
> >>> Wow, this is very impressive, great job Ondra and Honza!
> >>>
> >>> Martin, ACK from me but I'd like a second opinion. The patch is very
> >>> straightforward and clean, just want to make sure we're not missing a
> >>> corner case.
> >>>
> >>> I ran the self-tests and didn't see any problem there.
> >>>
> >>> Before pushing please add the ticket # to the commit.
> >>>
> >>> rob
> >>>
> >>
> >> I've just remembered that special methods aren't looked up through
> >> __getattribute__ (see the note at
> >> http://docs.python.org/reference/datamodel.html#more-attribute-access-for-new-style-classes).
> >> That might possibly cause problems in Command and subclasses, because it
> >> uses __call__.
> >>
> >> Honza
> >>
> >
> > This should be investigated. All our unit tests are OK though.
> >
> > I am also thinking if we shouldn't do this optimization on CLI side only
> > as the original ticket suggests. As server side loads and finalizes all
> > plugins just once at httpd start, performance should be OK. Plus, we
> > would know right after the start that we are ready and there is no
> > problem with finalizing any component.
> >
> > Martin
> >
> 
> As we discussed earlier - are you sure it works that way?

Yes.

>  I did a few 
> Django-based applications before and I'm pretty sure all mod_wsgi does 
> is caching the bytecode, which is run from the beginning for each 
> request, like what CLI does.

I did few Django application myself too. Its all about how mod_wsgi is
configured. You may want to learn more about WSGIDaemonProcess and
WSGIImportScript directives.

In IPA, we have API already prepared and finalized for every incoming
request.

> 
> If it does work the way you described, the worst thing that could happen 
> is that the plugins would be finalized the first time they are used and 
> then stay initialized until the server terminates.
> 
> Honza
> 

I know, I was just being conservative. As this optimization has no
effect on server performance I considered it a little bit safer to load
everything at start and be sure we are OK. But its not that hard
requirement.

Martin



From jcholast at redhat.com  Wed Oct 26 14:50:17 2011
From: jcholast at redhat.com (Jan Cholasta)
Date: Wed, 26 Oct 2011 16:50:17 +0200
Subject: [Freeipa-devel] [PATCH] 1 Do lazy initializiation ipalib
In-Reply-To: <1319639963.5652.3.camel@balmora.brq.redhat.com>
References: <4EA6B9AB.60801@redhat.com>
	<1319551270.14006.20.camel@balmora.brq.redhat.com>
	<4EA6C7E8.1000301@redhat.com> <4EA71C71.6070500@redhat.com>
	<4EA7D54E.3010300@redhat.com>
	<1319636472.27433.57.camel@balmora.brq.redhat.com>
	<4EA810B0.5020307@redhat.com>
	<1319639963.5652.3.camel@balmora.brq.redhat.com>
Message-ID: <4EA81E29.4030007@redhat.com>

Dne 26.10.2011 16:39, Martin Kosek napsal(a):
> On Wed, 2011-10-26 at 15:52 +0200, Jan Cholasta wrote:
>> Dne 26.10.2011 15:41, Martin Kosek napsal(a):
>>> On Wed, 2011-10-26 at 11:39 +0200, Jan Cholasta wrote:
>>>> Dne 25.10.2011 22:30, Rob Crittenden napsal(a):
>>>>> Ondrej Hamada wrote:
>>>>>> On 10/25/2011 04:01 PM, Martin Kosek wrote:
>>>>>>> On Tue, 2011-10-25 at 15:29 +0200, Ondrej Hamada wrote:
>>>>>>>> https://fedorahosted.org/freeipa/ticket/1336
>>>>>>>>
>>>>>>>> Lazy initialization of ipalib plugins is used under all contexts, not
>>>>>>>> only when context = cli. Every loaded plugin is pre-finalized - a flag
>>>>>>>> is set, which means, that the plugin needs to be finalized. Then every
>>>>>>>> call of plugin's __gettattr__ checks the flag and finalizes the plugin
>>>>>>>> if necessary. The code was implemented by jcholast. Time reduction of
>>>>>>>> commands execution is quite markable:
>>>>>>>>
>>>>>>>> patch [s] | normal [s] | command
>>>>>>>> -----------------------------------------------------------------------
>>>>>>>> 1.468 | 2.287 | ipa user-add jsmith --firt=john
>>>>>>>> --last=smith
>>>>>>>> 1.658 | 2.235 | ipa user-del jsmith
>>>>>>>> 1.624 | 2.204 | ipa dnsrecord-find example.com
>>>>>>>>
>>>>>>> Thanks for submitting the patch. Ondra, just please provide the patch in
>>>>>>> proper format (exported via command `git format-patch -M -C --patience
>>>>>>> --full-index -1' which I sent you earlier).
>>>>>>>
>>>>>>> Martin
>>>>>>>
>>>>>>>
>>>>>> Sorry, correct version attached
>>>>>
>>>>> Wow, this is very impressive, great job Ondra and Honza!
>>>>>
>>>>> Martin, ACK from me but I'd like a second opinion. The patch is very
>>>>> straightforward and clean, just want to make sure we're not missing a
>>>>> corner case.
>>>>>
>>>>> I ran the self-tests and didn't see any problem there.
>>>>>
>>>>> Before pushing please add the ticket # to the commit.
>>>>>
>>>>> rob
>>>>>
>>>>
>>>> I've just remembered that special methods aren't looked up through
>>>> __getattribute__ (see the note at
>>>> http://docs.python.org/reference/datamodel.html#more-attribute-access-for-new-style-classes).
>>>> That might possibly cause problems in Command and subclasses, because it
>>>> uses __call__.
>>>>
>>>> Honza
>>>>
>>>
>>> This should be investigated. All our unit tests are OK though.
>>>
>>> I am also thinking if we shouldn't do this optimization on CLI side only
>>> as the original ticket suggests. As server side loads and finalizes all
>>> plugins just once at httpd start, performance should be OK. Plus, we
>>> would know right after the start that we are ready and there is no
>>> problem with finalizing any component.
>>>
>>> Martin
>>>
>>
>> As we discussed earlier - are you sure it works that way?
>
> Yes.
>
>>   I did a few
>> Django-based applications before and I'm pretty sure all mod_wsgi does
>> is caching the bytecode, which is run from the beginning for each
>> request, like what CLI does.
>
> I did few Django application myself too. Its all about how mod_wsgi is
> configured. You may want to learn more about WSGIDaemonProcess and
> WSGIImportScript directives.
>
> In IPA, we have API already prepared and finalized for every incoming
> request.
>
>>
>> If it does work the way you described, the worst thing that could happen
>> is that the plugins would be finalized the first time they are used and
>> then stay initialized until the server terminates.
>>
>> Honza
>>
>
> I know, I was just being conservative. As this optimization has no
> effect on server performance I considered it a little bit safer to load
> everything at start and be sure we are OK. But its not that hard
> requirement.
>
> Martin
>

OK, thanks, just wanted to be sure.

Honza

-- 
Jan Cholasta



From edewata at redhat.com  Wed Oct 26 16:12:59 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 26 Oct 2011 11:12:59 -0500
Subject: [Freeipa-devel] [PATCH] 156 Create pkey-only option for find
	commands
In-Reply-To: <1319621348.27433.19.camel@balmora.brq.redhat.com>
References: <1319621348.27433.19.camel@balmora.brq.redhat.com>
Message-ID: <4EA8318B.1080103@redhat.com>

On 10/26/2011 4:29 AM, Martin Kosek wrote:
> New option --pkey-only is available for all LDAPSearch based classes
> with primary key visible in the output. This option makes LDAPSearch
> commands search for primary attribute only.
>
> This may be useful when manipulating large data sets. User can at
> first retrieve all primary keys in a relatively small data package
> and then run further commands with retrieved primary keys.
>
> https://fedorahosted.org/freeipa/ticket/1262

The new option looks good, but it's still bound by the search size limit 
so it's not returning the complete set of primary keys. The UI needs to 
get the complete set in order to compute the pagination.

To get the complete set the server probably needs to search the LDAP 
backend using simple paged results control. There's also a deferred 
ticket #81, but that's seems to be for supporting paged results in IPA's 
API.

-- 
Endi S. Dewata



From edewata at redhat.com  Wed Oct 26 17:44:45 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 26 Oct 2011 12:44:45 -0500
Subject: [Freeipa-devel] [PATCH] 297 Fixed "enroll" labels.
In-Reply-To: <4EA7F88F.2090508@redhat.com>
References: <4EA6ABB7.70805@redhat.com> <4EA7F88F.2090508@redhat.com>
Message-ID: <4EA8470D.2060009@redhat.com>

On 10/26/2011 7:09 AM, Petr Vobornik wrote:
> 1) add_dialog was renamed to entity_adder_dialog but its method
> add_dialog_create wasn't renamed

Fixed.

-- 
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0297-2-Fixed-enroll-labels.patch
Type: text/x-patch
Size: 10435 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111026/a2a2ae24/attachment.bin>

From rcritten at redhat.com  Wed Oct 26 17:47:41 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 26 Oct 2011 13:47:41 -0400
Subject: [Freeipa-devel] [PATCH] 156 Create pkey-only option for find
 commands
In-Reply-To: <4EA8318B.1080103@redhat.com>
References: <1319621348.27433.19.camel@balmora.brq.redhat.com>
	<4EA8318B.1080103@redhat.com>
Message-ID: <4EA847BD.6000401@redhat.com>

Endi Sukma Dewata wrote:
> On 10/26/2011 4:29 AM, Martin Kosek wrote:
>> New option --pkey-only is available for all LDAPSearch based classes
>> with primary key visible in the output. This option makes LDAPSearch
>> commands search for primary attribute only.
>>
>> This may be useful when manipulating large data sets. User can at
>> first retrieve all primary keys in a relatively small data package
>> and then run further commands with retrieved primary keys.
>>
>> https://fedorahosted.org/freeipa/ticket/1262
>
> The new option looks good, but it's still bound by the search size limit
> so it's not returning the complete set of primary keys. The UI needs to
> get the complete set in order to compute the pagination.
>
> To get the complete set the server probably needs to search the LDAP
> backend using simple paged results control. There's also a deferred
> ticket #81, but that's seems to be for supporting paged results in IPA's
> API.
>

For huge installations there is no way we can do unbound queries. There 
will always be some limit on the number of entries returned, searched, etc.

rob



From edewata at redhat.com  Wed Oct 26 17:52:10 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 26 Oct 2011 12:52:10 -0500
Subject: [Freeipa-devel] [PATCH] 156 Create pkey-only option for find
 commands
In-Reply-To: <4EA847BD.6000401@redhat.com>
References: <1319621348.27433.19.camel@balmora.brq.redhat.com>
	<4EA8318B.1080103@redhat.com> <4EA847BD.6000401@redhat.com>
Message-ID: <4EA848CA.60202@redhat.com>

On 10/26/2011 12:47 PM, Rob Crittenden wrote:
>> The new option looks good, but it's still bound by the search size limit
>> so it's not returning the complete set of primary keys. The UI needs to
>> get the complete set in order to compute the pagination.
>>
>> To get the complete set the server probably needs to search the LDAP
>> backend using simple paged results control. There's also a deferred
>> ticket #81, but that's seems to be for supporting paged results in IPA's
>> API.

> For huge installations there is no way we can do unbound queries. There
> will always be some limit on the number of entries returned, searched, etc.

Yes, but the search limit using paged results needs to be reasonably 
bigger than the standard 100 entries, enough to be used in most deployments.

-- 
Endi S. Dewata



From edewata at redhat.com  Wed Oct 26 17:59:16 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 26 Oct 2011 12:59:16 -0500
Subject: [Freeipa-devel] [PATCH] 299 Merged widget's metadata and param_info.
Message-ID: <4EA84A74.1030000@redhat.com>

The metadata and param_info attributes in widget have been merged
because they are redundant.

Ticket #1436

-- 
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0299-Merged-widget-s-metadata-and-param_info.patch
Type: text/x-patch
Size: 30574 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111026/f4dbc5ee/attachment.bin>

From edewata at redhat.com  Wed Oct 26 18:09:54 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 26 Oct 2011 13:09:54 -0500
Subject: [Freeipa-devel] [PATCH] 300 Refactored validation code.
Message-ID: <4EA84CF2.7050005@redhat.com>

The validation code in details facet, dialog, and sections have
been modified to work more consistently.

This is required by patch #301.

-- 
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0300-Refactored-validation-code.patch
Type: text/x-patch
Size: 7166 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111026/60db3493/attachment.bin>

From edewata at redhat.com  Wed Oct 26 18:11:27 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 26 Oct 2011 13:11:27 -0500
Subject: [Freeipa-devel] [PATCH] 301 Added password field in user adder
	dialog.
Message-ID: <4EA84D4F.6030901@redhat.com>

The user adder dialog has been modified to provide optional fields
to specify password during user creation.

Ticket #1646

-- 
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0301-Added-password-field-in-user-adder-dialog.patch
Type: text/x-patch
Size: 3154 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111026/5621580c/attachment.bin>

From mkosek at redhat.com  Wed Oct 26 18:21:36 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 26 Oct 2011 20:21:36 +0200
Subject: [Freeipa-devel] [PATCH] 156 Create pkey-only option for find
 commands
In-Reply-To: <4EA848CA.60202@redhat.com>
References: <1319621348.27433.19.camel@balmora.brq.redhat.com>
	<4EA8318B.1080103@redhat.com> <4EA847BD.6000401@redhat.com>
	<4EA848CA.60202@redhat.com>
Message-ID: <1319653298.2173.3.camel@priserak>

On Wed, 2011-10-26 at 12:52 -0500, Endi Sukma Dewata wrote:
> On 10/26/2011 12:47 PM, Rob Crittenden wrote:
> >> The new option looks good, but it's still bound by the search size limit
> >> so it's not returning the complete set of primary keys. The UI needs to
> >> get the complete set in order to compute the pagination.
> >>
> >> To get the complete set the server probably needs to search the LDAP
> >> backend using simple paged results control. There's also a deferred
> >> ticket #81, but that's seems to be for supporting paged results in IPA's
> >> API.
> 
> > For huge installations there is no way we can do unbound queries. There
> > will always be some limit on the number of entries returned, searched, etc.
> 
> Yes, but the search limit using paged results needs to be reasonably 
> bigger than the standard 100 entries, enough to be used in most deployments.
> 

Btw. this is just our arbitrary limit. The default value is 100, but it
can be modified via ipa config-mod --searchrecordslimit=INT. You can
also use --sizelimit and --timelimit parameters for most of *-find
commands to control the limits.

I tried:
ipa user-find --pkey-only --sizelimit=0

and it returned all 300 records in 5.4 seconds.

Martin



From edewata at redhat.com  Wed Oct 26 18:32:21 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 26 Oct 2011 13:32:21 -0500
Subject: [Freeipa-devel] [PATCH] 156 Create pkey-only option for find
 commands
In-Reply-To: <1319653298.2173.3.camel@priserak>
References: <1319621348.27433.19.camel@balmora.brq.redhat.com>
	<4EA8318B.1080103@redhat.com> <4EA847BD.6000401@redhat.com>
	<4EA848CA.60202@redhat.com> <1319653298.2173.3.camel@priserak>
Message-ID: <4EA85235.1040403@redhat.com>

On 10/26/2011 1:21 PM, Martin Kosek wrote:
>>> For huge installations there is no way we can do unbound queries. There
>>> will always be some limit on the number of entries returned, searched, etc.
>>
>> Yes, but the search limit using paged results needs to be reasonably
>> bigger than the standard 100 entries, enough to be used in most deployments.
>
> Btw. this is just our arbitrary limit. The default value is 100, but it
> can be modified via ipa config-mod --searchrecordslimit=INT. You can
> also use --sizelimit and --timelimit parameters for most of *-find
> commands to control the limits.
>
> I tried:
> ipa user-find --pkey-only --sizelimit=0
>
> and it returned all 300 records in 5.4 seconds.

I think we probably need 2 different size limits: one for regular 
queries (set on LDAP server) and the other for pulling primary keys 
(maintained by IPA server).

Suppose we have a system with 5000 users, we need to be able to pull all 
5000 primary keys. But for regular queries we probably still want to 
keep a smaller limit.

-- 
Endi S. Dewata



From mkosek at redhat.com  Wed Oct 26 18:43:46 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 26 Oct 2011 20:43:46 +0200
Subject: [Freeipa-devel] [PATCH] 156 Create pkey-only option for find
 commands
In-Reply-To: <4EA85235.1040403@redhat.com>
References: <1319621348.27433.19.camel@balmora.brq.redhat.com>
	<4EA8318B.1080103@redhat.com> <4EA847BD.6000401@redhat.com>
	<4EA848CA.60202@redhat.com> <1319653298.2173.3.camel@priserak>
	<4EA85235.1040403@redhat.com>
Message-ID: <1319654628.2173.9.camel@priserak>

On Wed, 2011-10-26 at 13:32 -0500, Endi Sukma Dewata wrote:
> On 10/26/2011 1:21 PM, Martin Kosek wrote:
> >>> For huge installations there is no way we can do unbound queries. There
> >>> will always be some limit on the number of entries returned, searched, etc.
> >>
> >> Yes, but the search limit using paged results needs to be reasonably
> >> bigger than the standard 100 entries, enough to be used in most deployments.
> >
> > Btw. this is just our arbitrary limit. The default value is 100, but it
> > can be modified via ipa config-mod --searchrecordslimit=INT. You can
> > also use --sizelimit and --timelimit parameters for most of *-find
> > commands to control the limits.
> >
> > I tried:
> > ipa user-find --pkey-only --sizelimit=0
> >
> > and it returned all 300 records in 5.4 seconds.
> 
> I think we probably need 2 different size limits: one for regular 
> queries (set on LDAP server) and the other for pulling primary keys 
> (maintained by IPA server).
> 
> Suppose we have a system with 5000 users, we need to be able to pull all 
> 5000 primary keys. But for regular queries we probably still want to 
> keep a smaller limit.
> 

This is true, but I am not sure how can we help on server side with
this. Limits are something that CLI user or Web UI should control via
--sizelimit and --timelimit parameters and the config-mod setting I
referred to. Can you use --pkey-only, --sizelimit and --timelimit
parameters to manage large data sets in WebUI or would you need another
tweak?

What we can do is to make sure that all our *-find commands have
--sizelimit and --timelimit parameters. I see that for example
delegation-find does not have one.

Martin



From edewata at redhat.com  Wed Oct 26 19:07:37 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 26 Oct 2011 14:07:37 -0500
Subject: [Freeipa-devel] [PATCH] 156 Create pkey-only option for find
 commands
In-Reply-To: <1319654628.2173.9.camel@priserak>
References: <1319621348.27433.19.camel@balmora.brq.redhat.com>
	<4EA8318B.1080103@redhat.com> <4EA847BD.6000401@redhat.com>
	<4EA848CA.60202@redhat.com> <1319653298.2173.3.camel@priserak>
	<4EA85235.1040403@redhat.com> <1319654628.2173.9.camel@priserak>
Message-ID: <4EA85A79.5070909@redhat.com>

On 10/26/2011 1:43 PM, Martin Kosek wrote:
>> I think we probably need 2 different size limits: one for regular
>> queries (set on LDAP server) and the other for pulling primary keys
>> (maintained by IPA server).
>>
>> Suppose we have a system with 5000 users, we need to be able to pull all
>> 5000 primary keys. But for regular queries we probably still want to
>> keep a smaller limit.
>
> This is true, but I am not sure how can we help on server side with
> this. Limits are something that CLI user or Web UI should control via
> --sizelimit and --timelimit parameters and the config-mod setting I
> referred to. Can you use --pkey-only, --sizelimit and --timelimit
> parameters to manage large data sets in WebUI or would you need another
> tweak?

The UI can add a --sizelimit param with a bigger limit, but if the limit 
is stored in the UI it will be static. The UI can provide an interface 
to change it but it's only temporary and specific to one browser.

> What we can do is to make sure that all our *-find commands have
> --sizelimit and --timelimit parameters. I see that for example
> delegation-find does not have one.

I think it's better to store this limit on the server. When the server 
receives a *-find command with --pkey-only it will add this size limit 
by default.

-- 
Endi S. Dewata



From rcritten at redhat.com  Wed Oct 26 22:06:07 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 26 Oct 2011 18:06:07 -0400
Subject: [Freeipa-devel] [PATCH] 900 fix users in nis netgroup
Message-ID: <4EA8844F.4040300@redhat.com>

Users weren't appearing in ypcat output in the netgroup map due to a 
syntax error. This patch should fix new and existing installations.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-900-nis.patch
Type: text/x-patch
Size: 5156 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111026/be5394c9/attachment.bin>

From edewata at redhat.com  Wed Oct 26 22:31:12 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 26 Oct 2011 17:31:12 -0500
Subject: [Freeipa-devel] [PATCH] 302 Fixed inconsistent image names.
Message-ID: <4EA88A30.8040203@redhat.com>

The images have been renamed to be more consistent and moved into
the "images" directory to mimic the original jQuery UI structure.

Ticket #1613

-- 
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0302-Fixed-inconsistent-image-names.patch
Type: text/x-patch
Size: 48559 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111026/0dd8e438/attachment.bin>

From edewata at redhat.com  Wed Oct 26 23:39:38 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 26 Oct 2011 18:39:38 -0500
Subject: [Freeipa-devel] [PATCH] 303 Fixed inconsistent details facet
	validation.
Message-ID: <4EA89A3A.9060502@redhat.com>

The details facet validation has been moved out of update() such
that all subclasses perform consistent validation.

Ticket #1455

-- 
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0303-Fixed-inconsistent-details-facet-validation.patch
Type: text/x-patch
Size: 5086 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111026/eee16f1a/attachment.bin>

From edewata at redhat.com  Wed Oct 26 23:57:03 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 26 Oct 2011 18:57:03 -0500
Subject: [Freeipa-devel] [PATCH] 304 Fixed problem clearing validation error
	on checkboxes.
Message-ID: <4EA89E4F.1060808@redhat.com>

The IPA.checkboxes_widget has been modified such that it performs
validation when the checkboxes are clicked. This will also clear any
validation errors.

Pushed under one-liner/trivial rule.

-- 
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0304-Fixed-problem-clearing-validation-error-on-checkboxe.patch
Type: text/x-patch
Size: 989 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111026/9c2ed0b9/attachment.bin>

From pvoborni at redhat.com  Thu Oct 27 07:07:56 2011
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 27 Oct 2011 09:07:56 +0200
Subject: [Freeipa-devel] [PATCH] 297 Fixed "enroll" labels.
In-Reply-To: <4EA8470D.2060009@redhat.com>
References: <4EA6ABB7.70805@redhat.com> <4EA7F88F.2090508@redhat.com>
	<4EA8470D.2060009@redhat.com>
Message-ID: <4EA9034C.5080706@redhat.com>

On 10/26/2011 07:44 PM, Endi Sukma Dewata wrote:
> On 10/26/2011 7:09 AM, Petr Vobornik wrote:
>> 1) add_dialog was renamed to entity_adder_dialog but its method
>> add_dialog_create wasn't renamed
>
> Fixed.
>
ACK

-- 
Petr Vobornik



From pvoborni at redhat.com  Thu Oct 27 07:22:54 2011
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 27 Oct 2011 09:22:54 +0200
Subject: [Freeipa-devel] [PATCH] 299 Merged widget's metadata and
	param_info.
In-Reply-To: <4EA84A74.1030000@redhat.com>
References: <4EA84A74.1030000@redhat.com>
Message-ID: <4EA906CE.2050506@redhat.com>

On 10/26/2011 07:59 PM, Endi Sukma Dewata wrote:
> The metadata and param_info attributes in widget have been merged
> because they are redundant.
>
> Ticket #1436

ACK


-- 
Petr Vobornik



From pvoborni at redhat.com  Thu Oct 27 07:42:22 2011
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 27 Oct 2011 09:42:22 +0200
Subject: [Freeipa-devel] [PATCH] 300 Refactored validation code.
In-Reply-To: <4EA84CF2.7050005@redhat.com>
References: <4EA84CF2.7050005@redhat.com>
Message-ID: <4EA90B5E.9050903@redhat.com>

On 10/26/2011 08:09 PM, Endi Sukma Dewata wrote:
> The validation code in details facet, dialog, and sections have
> been modified to work more consistently.
>
> This is required by patch #301.
>

ACK

-- 
Petr Vobornik



From pvoborni at redhat.com  Thu Oct 27 07:58:07 2011
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 27 Oct 2011 09:58:07 +0200
Subject: [Freeipa-devel] [PATCH] 301 Added password field in user adder
 dialog.
In-Reply-To: <4EA84D4F.6030901@redhat.com>
References: <4EA84D4F.6030901@redhat.com>
Message-ID: <4EA90F0F.2000508@redhat.com>

On 10/26/2011 08:11 PM, Endi Sukma Dewata wrote:
> The user adder dialog has been modified to provide optional fields
> to specify password during user creation.
>
> Ticket #1646
>

1)  message in: 'field2.show_error('Passwords do not match');' should 
use translated string.

-- 
Petr Vobornik



From mkosek at redhat.com  Thu Oct 27 07:58:43 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 27 Oct 2011 09:58:43 +0200
Subject: [Freeipa-devel] [PATCH] 900 fix users in nis netgroup
In-Reply-To: <4EA8844F.4040300@redhat.com>
References: <4EA8844F.4040300@redhat.com>
Message-ID: <1319702325.26374.0.camel@balmora.brq.redhat.com>

On Wed, 2011-10-26 at 18:06 -0400, Rob Crittenden wrote:
> Users weren't appearing in ypcat output in the netgroup map due to a 
> syntax error. This patch should fix new and existing installations.
> 
> rob

ACK. Works great for both update and new installations.

Pushed to master, ipa-2-1.

Martin



From pvoborni at redhat.com  Thu Oct 27 08:36:14 2011
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 27 Oct 2011 10:36:14 +0200
Subject: [Freeipa-devel] [PATCH] 302 Fixed inconsistent image names.
In-Reply-To: <4EA88A30.8040203@redhat.com>
References: <4EA88A30.8040203@redhat.com>
Message-ID: <4EA917FE.7090303@redhat.com>

On 10/27/2011 12:31 AM, Endi Sukma Dewata wrote:
> The images have been renamed to be more consistent and moved into
> the "images" directory to mimic the original jQuery UI structure.
>
> Ticket #1613

ACK

-- 
Petr Vobornik



From mkosek at redhat.com  Thu Oct 27 08:39:31 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 27 Oct 2011 10:39:31 +0200
Subject: [Freeipa-devel] [PATCH] 156 Create pkey-only option for find
 commands
In-Reply-To: <4EA85A79.5070909@redhat.com>
References: <1319621348.27433.19.camel@balmora.brq.redhat.com>
	<4EA8318B.1080103@redhat.com> <4EA847BD.6000401@redhat.com>
	<4EA848CA.60202@redhat.com> <1319653298.2173.3.camel@priserak>
	<4EA85235.1040403@redhat.com> <1319654628.2173.9.camel@priserak>
	<4EA85A79.5070909@redhat.com>
Message-ID: <1319704774.26374.12.camel@balmora.brq.redhat.com>

On Wed, 2011-10-26 at 14:07 -0500, Endi Sukma Dewata wrote:
> On 10/26/2011 1:43 PM, Martin Kosek wrote:
> >> I think we probably need 2 different size limits: one for regular
> >> queries (set on LDAP server) and the other for pulling primary keys
> >> (maintained by IPA server).
> >>
> >> Suppose we have a system with 5000 users, we need to be able to pull all
> >> 5000 primary keys. But for regular queries we probably still want to
> >> keep a smaller limit.
> >
> > This is true, but I am not sure how can we help on server side with
> > this. Limits are something that CLI user or Web UI should control via
> > --sizelimit and --timelimit parameters and the config-mod setting I
> > referred to. Can you use --pkey-only, --sizelimit and --timelimit
> > parameters to manage large data sets in WebUI or would you need another
> > tweak?
> 
> The UI can add a --sizelimit param with a bigger limit, but if the limit 
> is stored in the UI it will be static. The UI can provide an interface 
> to change it but it's only temporary and specific to one browser.
> 
> > What we can do is to make sure that all our *-find commands have
> > --sizelimit and --timelimit parameters. I see that for example
> > delegation-find does not have one.
> 
> I think it's better to store this limit on the server. When the server 
> receives a *-find command with --pkey-only it will add this size limit 
> by default.
> 

IIUC your idea is to have 2 new config-mod options like this:

# ipa config-show --all
...
  Search time limit: 2
  Search size limit: 100
  Search time limit with pkey-only: 10
  Search size limit with pkey-only: 5000

Hm, I am still not sold for this behavior. I don't think that user would
expect that when he asks for smaller data package via --pkey-only we
would silently undercover change --sizelimit and --timelimit parameters
to different value than he is used to.

I would you a second opinion on this. Rob?

Martin



From pvoborni at redhat.com  Thu Oct 27 09:29:29 2011
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 27 Oct 2011 11:29:29 +0200
Subject: [Freeipa-devel] [PATCH] 303 Fixed inconsistent details facet
 validation.
In-Reply-To: <4EA89A3A.9060502@redhat.com>
References: <4EA89A3A.9060502@redhat.com>
Message-ID: <4EA92479.30608@redhat.com>

On 10/27/2011 01:39 AM, Endi Sukma Dewata wrote:
> The details facet validation has been moved out of update() such
> that all subclasses perform consistent validation.
>
> Ticket #1455
>

ACK with a small doubt.

I'm not sure if moving the validation call to update button's click 
handler is the right move. I think, this way the handler is doing more 
things than it should do. However I'm fond of changing the update method 
to be more override friendly.

-- 
Petr Vobornik



From pvoborni at redhat.com  Thu Oct 27 09:57:11 2011
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 27 Oct 2011 11:57:11 +0200
Subject: [Freeipa-devel] [PATCH] 029 Page is cleared before it is visible
Message-ID: <4EA92AF7.8080609@redhat.com>

https://fedorahosted.org/freeipa/ticket/1459

Changes:
  * added clear method to widgets, section, search, details, association 
facets
  * clear method in facet is called only if key/filter was changed
-- 
Petr Vobornik
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0029-Page-is-cleared-before-it-is-visible.patch
Type: text/x-patch
Size: 9770 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111027/abb784c9/attachment.bin>

From mkosek at redhat.com  Thu Oct 27 11:22:36 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 27 Oct 2011 13:22:36 +0200
Subject: [Freeipa-devel] [PATCH] 157 Add --delattr option to complement
	--setattr/--addattr
Message-ID: <1319714558.26374.13.camel@balmora.brq.redhat.com>

Add a --delattr option to round out multi-valued attribute manipulation.
The new option is be available for all LDAPUpdate based commands.

--delattr is evaluated last, it can remove any value present either
in --addattr/--setattr options or stored in LDAP.

https://fedorahosted.org/freeipa/ticket/1929

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-157-add-delattr-option-to-complement-setattr-addattr.patch
Type: text/x-patch
Size: 78944 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111027/e5774111/attachment.bin>

From jcholast at redhat.com  Thu Oct 27 12:08:43 2011
From: jcholast at redhat.com (Jan Cholasta)
Date: Thu, 27 Oct 2011 14:08:43 +0200
Subject: [Freeipa-devel] [PATCH] 56 Add new Param method for marshalling
 values from complex data types
Message-ID: <4EA949CB.40804@redhat.com>

Add new Param method for marshalling values from complex data types to 
primitive data types suitable for transmission over RPC.

This change makes it possible to use complex data types (like 
python-netaddr IPAddress) in parameters.

https://fedorahosted.org/freeipa/ticket/2033

This will help implementing IP address parameter types properly in 
https://fedorahosted.org/freeipa/ticket/1487 .

-- 
Jan Cholasta
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-56-param-marshal.patch
Type: text/x-patch
Size: 6895 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111027/7ef83734/attachment.bin>

From mkosek at redhat.com  Thu Oct 27 12:56:41 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 27 Oct 2011 14:56:41 +0200
Subject: [Freeipa-devel] [PATCH] 880 don't check for existing 389-ds
 instances
In-Reply-To: <4EA1C7FF.5010300@redhat.com>
References: <4E7A369B.1030704@redhat.com> <4EA1C7FF.5010300@redhat.com>
Message-ID: <1319720203.26374.17.camel@balmora.brq.redhat.com>

On Fri, 2011-10-21 at 15:29 -0400, Rob Crittenden wrote:
> Rob Crittenden wrote:
> > We don't need to prohibit existing 389-ds instances when installing IPA,
> > just that the ports we need are available. Remove this check.
> >
> > For master only.
> >
> > rob
> 
> Re-based patch against master.
> 
> rob

Works ok, I was able to install IPA server next to other dirsrv sitting
on another port. The installation could get to trouble if another DS
would sit on a standard port but would be stopped at the moment, i.e.
ports 389 and 636 would be free. But I think this is a risk we can take.

My only concern is with uninstallation - we shutdown all dirsrv
instances during the process. Thus, in the end the custom dirsrv
instance remains stopped.

Martin



From ayoung at redhat.com  Thu Oct 27 13:03:02 2011
From: ayoung at redhat.com (Adam Young)
Date: Thu, 27 Oct 2011 09:03:02 -0400
Subject: [Freeipa-devel] ipalib vs. ipapython?
In-Reply-To: <4EA7291E.70105@redhat.com>
References: <4EA7291E.70105@redhat.com>
Message-ID: <4EA95686.6070500@redhat.com>

On 10/25/2011 05:24 PM, John Dennis wrote:
> Usually when I look at a source code directory layout it's fairly 
> obvious what belongs in each directory. I'll be honest, I've never 
> quite understood the role of ipapython vs. ipalib. From time to time I 
> have to do some code refactoring, especially in the context of 
> introducing common code meant to be shared across a variety of places 
> in the code base.
>
> So what is the role of ipalib vs. ipapython? What are their intended 
> purposes? What guidelines should be followed when determining where 
> shared code is located?
>
> John
>


Agreed.  I've had this confusion myself.  I would expect as an outsider 
that ipalib would be an ELF,  and that ipapython would be the bindings 
to it.  I know the project well enough to understand why that is not the 
case.


We have 3 distinct deployment scenarios:

server with admin
client without admin
client with admin.

[ayoung at ayoung freeipa]$ rpm -q --whatrequires freeipa-python
freeipa-client-2.1.1-1.fc15.x86_64
freeipa-admintools-2.1.1-1.fc15.x86_64
freeipa-server-2.1.1-1.fc15.x86_64

client and admintool both depend on freeipa-python
server requires pretty much everything

so it seems we should really only have 4 packages:  server,  client, 
admintools, and python.  I think what Martin was saying is that we 
distinguish between the pieces for install and ldap manipulation from 
the pieces used for ongoing operations,  but that seems like an 
artificial distinction.








From rcritten at redhat.com  Thu Oct 27 13:19:50 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 27 Oct 2011 09:19:50 -0400
Subject: [Freeipa-devel] ipalib vs. ipapython?
In-Reply-To: <4EA95686.6070500@redhat.com>
References: <4EA7291E.70105@redhat.com> <4EA95686.6070500@redhat.com>
Message-ID: <4EA95A76.4000208@redhat.com>

Adam Young wrote:
> On 10/25/2011 05:24 PM, John Dennis wrote:
>> Usually when I look at a source code directory layout it's fairly
>> obvious what belongs in each directory. I'll be honest, I've never
>> quite understood the role of ipapython vs. ipalib. From time to time I
>> have to do some code refactoring, especially in the context of
>> introducing common code meant to be shared across a variety of places
>> in the code base.
>>
>> So what is the role of ipalib vs. ipapython? What are their intended
>> purposes? What guidelines should be followed when determining where
>> shared code is located?
>>
>> John
>>
>
>
> Agreed. I've had this confusion myself. I would expect as an outsider
> that ipalib would be an ELF, and that ipapython would be the bindings to
> it. I know the project well enough to understand why that is not the case.
>
>
> We have 3 distinct deployment scenarios:
>
> server with admin
> client without admin
> client with admin.
>
> [ayoung at ayoung freeipa]$ rpm -q --whatrequires freeipa-python
> freeipa-client-2.1.1-1.fc15.x86_64
> freeipa-admintools-2.1.1-1.fc15.x86_64
> freeipa-server-2.1.1-1.fc15.x86_64
>
> client and admintool both depend on freeipa-python
> server requires pretty much everything
>
> so it seems we should really only have 4 packages: server, client,
> admintools, and python. I think what Martin was saying is that we
> distinguish between the pieces for install and ldap manipulation from
> the pieces used for ongoing operations, but that seems like an
> artificial distinction.

The breakdown is more framework vs non-framework. There are a lot of 
routines in ipapython independent of the framework: the config 
backup/restore handling, nss routines, dogtag routines, running 
command-line programs, etc.

There is still an outside goal of being able to make the framework 
usable in other projects.

rob



From pvoborni at redhat.com  Thu Oct 27 13:39:22 2011
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 27 Oct 2011 15:39:22 +0200
Subject: [Freeipa-devel] [PATCH] 028 Code cleanup of HBAC, Sudo rules
In-Reply-To: <4EA6F86D.4070706@redhat.com>
References: <4EA521FF.7020405@redhat.com> <4EA59250.8040506@redhat.com>
	<4EA6B041.5090204@redhat.com> <4EA6F86D.4070706@redhat.com>
Message-ID: <4EA95F0A.5060903@redhat.com>

I'll rebase this patch on recent patches (which will be soon pushed).

This effort is doing too many things, I'll split the patch into several.


On 10/25/2011 07:57 PM, Endi Sukma Dewata wrote:
> On 10/25/2011 7:49 AM, Petr Vobornik wrote:
>>> 2. The set_facet() is added to widget. I don't think we want to make
>>> widget dependent on facet. The facet so far is only used by
>>> IPA.sudo.enable_widget. In IPA.sudo.options_section the facet object is
>>> passed as a parameter in spec.
>
>> Are you saying that dependency on facet in ALL widgets is bad and only
>> in a few is good, or in any is bad?
>
> In general less dependency is better. More dependency will limit its
> usage. This is inline with the goal to make purely HTML widget.
>
> But if a widget is meant to be used only with a facet then it's
> certainly ok to make it depends on facet. However, the rest should not
> become unnecessarily dependent on facet too.
>> I think it doesn't matter if all is dependant when one is dependant.
>>
>> Anyway currently all association table widgets are dependant
>> (association.js:386).
>
> Let's use this as an example. The association table explicitly checks if
> the facet is dirty and asks the user whether to update/reset/cancel.
> Suppose we want to use this inside a dialog, it will still check whether
> the current facet is dirty instead of the dialog itself, which may not
> be what we want.

Removed. Using instead: that.entity.get_facet() and 
that.entity.get_primary_key().

But still I think it would be better to be able to get container 
(facet/dialog) for a widget. As you wrote, that.entity.get_facet() may 
not always be what we want.

>
>> Btw similar topic could be: "How to get current entity's pkey?'.
>> Dependancy on facet.get_primary_key() or
>> IPA.nav.get_state(that.entity.name+'-pkey') seems wrong too.
>
> Yes. Ideally we should have a path (REST-style URL) instead of the
> current parameter-based URL. We should get the pkey from that path.

 From dependency point of view, widgets would be still dependant on the 
implementation of navigation (IMHO bad).

But it seems that using entity.get_primary key partially solves the problem.

Maybe it would be better if navigation would inject pkey to entity. 
Entity wouldn't be that much dependant on navigation implementation.

>>> 3. When updating sudo rule, in the original code the rule is
>>> enabled/disabled after all the modifications are done. In the new code
>>> it's reversed. I'm not sure the importance of the execution order for
>>> this particular situation, but suppose it is, is there a way to maintain
>>> the original order?
>>
>> I was thinking about a command or widget priority. The 'mod' command
>> would have some default priority or it would get it from facet. The
>> commands would be sorted by priority before adding them to batch. This
>> way we can set exact order in facet update.
>
> It's possible, but managing priority could be problematic if they are
> spread out, because we have to know all existing priorities before we
> can add a new one.

The priority could be part of update info. As there is a field_info we 
can create a command_info: { command, priority }.
 > The original code uses an ordered list of commands.
Before adding commands to batch_command, array of command_info objects 
would joined with 'mod' command with default priority and then sorted by 
priority.

If the priority was set on each widget, priority management will be on 
facet level, which may be fine. There can be some corner case like 
dynamic change of priority.

>> The order which is implemented now is reflecting the order in HBAC
>> details facet - there were errors when 'mod' was executed before
>> clearing associations.
>
> Right, so for certain things the order is important.
>
>>> 4. The IPA.header_widget is not really a widget, it's actually part of
>>> layout. In the current implementation a widget always corresponds to an
>>> attribute, so it will be loaded, saved, etc. Since there is no attribute
>>> name matching the header name currently this is not a problem, but it
>>> can pollute the namespace.
>>
>> This is part of widget nesting topic. In this manner composite_widget
>> isn't a proper widget too (it can correspond to several or none
>> attribute).
>>
>> Purely html rendering widgets can be separated from attribute widgets,
>> but it would be nice to have them because they can provide easier form
>> composing. Without them it would be required to override the create
>> method (in facet or composite_widget/section) which is sometimes better
>> but often it creates only code duplication with little added logic.
>
> One other solution is to split widgets into non-visual fields and purely
> HTML components. Then in the facet we use separate lists for the fields
> and HTML components. The fields will have a reference to the
> corresponding HTML components. There can be more HTML components than
> fields. But this will require a significant restructuring.

Maybe we can use hybrid solution: html widgets would be simple object 
with some properties and create() method. They should not be called 
widgets. They would not be part of sections fields. Rendering would be 
done in widgets/sections create() method (as it is now).
Pros:
  - reusable layouts, headers...
  - not polluting field names
Cons:
  - not so declarative - need to override update method, create custom 
section/widget factories - same as now

Question:
  - what with widget nesting? rule_details_section is in fact a 
composite widget. I would like to keep the concept, because it offers 
better code reuse.

These questions should be considered when designing UI extending.

>>> 5. In details facet update(), instead of storing the callbacks in
>>> update_custom_on_win and update_custom_on_fail and requiring the
>>> subclasses to call them, it might be better to call them from the
>>> update() itself:
>>>
>>> var command = IPA.command({
>>> ...
>>> on_success: function(data, text_status, xhr) {
>>> that.on_update_success(data, text_status, xhr)
>>> if (on_win) on_win.call(this, data, text_status, xhr);
>>> },
>>> on_error: function(xhr, text_status, error_thrown) {
>>> that.on_update_error(xhr, text_status, error_thrown);
>>> if (on_fail) on_fail.call(
>>> this, xhr, text_status, error_thrown);
>>> }
>>> });
>>
>> There are two types of success/error handlers:
>> 1) the default ones in details facet
>> 2) the ones supplied to update(win, fail) method.
>>
>> In my implementation I have separated 1) from update method so if
>> default behaviour isn't suitable these methods can be overridden without
>> overriding whole update method. Overriding isn't required. This is IMHO
>> good (less code duplication).
>
> There is still code duplication, the subclass that overrides the
> on_update_success/error (#1) will still have to call
> update_custom_on_win/error (#2) manually. In the changes that I proposed
> you don't have to do that because #2 are called inside update().
>
Changed to proposed solution.

>>> 6. Can IPA.batch_details_facet be combined into IPA.details_facet? I
>>> think the base details facet should support both regular mod and batch.
>>
>> The only point where they overlap is the update method. It's possible to
>> add a logic to switch between command creations - maybe based on
>> attribute (could be defined in spec). But should we do that? Isn't this
>> the reason for inheriting the class?
>
> Here's a scenario: suppose there's a subclass of IPA.details_facet that
> are so useful that it's used in many places. Then suppose we want to
> create a subclass of it but we want to do batch operation too, we'd have
> to copy the code from IPA.batch_details_facet.
Will merge.

> I think the decision to use mod or batch should be separate from details
> facet. I'm thinking to create a separate class IPA.client which we can
> add commands into it and execute them either individually or as a batch.

What would be the IPA.client's responsibilities? It'll be only a 
container for commands with different executing strategies?

-- 
Petr Vobornik



From edewata at redhat.com  Thu Oct 27 14:00:39 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 27 Oct 2011 09:00:39 -0500
Subject: [Freeipa-devel] [PATCH] 297 Fixed "enroll" labels.
In-Reply-To: <4EA9034C.5080706@redhat.com>
References: <4EA6ABB7.70805@redhat.com> <4EA7F88F.2090508@redhat.com>
	<4EA8470D.2060009@redhat.com> <4EA9034C.5080706@redhat.com>
Message-ID: <4EA96407.4080509@redhat.com>

On 10/27/2011 2:07 AM, Petr Vobornik wrote:
> ACK

Pushed to master.

-- 
Endi S. Dewata



From edewata at redhat.com  Thu Oct 27 14:01:56 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 27 Oct 2011 09:01:56 -0500
Subject: [Freeipa-devel] [PATCH] 299 Merged widget's metadata and
	param_info.
In-Reply-To: <4EA906CE.2050506@redhat.com>
References: <4EA84A74.1030000@redhat.com> <4EA906CE.2050506@redhat.com>
Message-ID: <4EA96454.7030901@redhat.com>

On 10/27/2011 2:22 AM, Petr Vobornik wrote:
> ACK

Pushed to master.

-- 
Endi S. Dewata



From edewata at redhat.com  Thu Oct 27 14:09:30 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 27 Oct 2011 09:09:30 -0500
Subject: [Freeipa-devel] [PATCH] 302 Fixed inconsistent image names.
In-Reply-To: <4EA917FE.7090303@redhat.com>
References: <4EA88A30.8040203@redhat.com> <4EA917FE.7090303@redhat.com>
Message-ID: <4EA9661A.6090906@redhat.com>

On 10/27/2011 3:36 AM, Petr Vobornik wrote:
> ACK

Pushed to master.

-- 
Endi S. Dewata



From edewata at redhat.com  Thu Oct 27 14:21:12 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 27 Oct 2011 09:21:12 -0500
Subject: [Freeipa-devel] [PATCH] 156 Create pkey-only option for find
 commands
In-Reply-To: <1319704774.26374.12.camel@balmora.brq.redhat.com>
References: <1319621348.27433.19.camel@balmora.brq.redhat.com>
	<4EA8318B.1080103@redhat.com> <4EA847BD.6000401@redhat.com>
	<4EA848CA.60202@redhat.com> <1319653298.2173.3.camel@priserak>
	<4EA85235.1040403@redhat.com> <1319654628.2173.9.camel@priserak>
	<4EA85A79.5070909@redhat.com>
	<1319704774.26374.12.camel@balmora.brq.redhat.com>
Message-ID: <4EA968D8.4010108@redhat.com>

On 10/27/2011 3:39 AM, Martin Kosek wrote:
> IIUC your idea is to have 2 new config-mod options like this:
>
> # ipa config-show --all
> ...
>    Search time limit: 2
>    Search size limit: 100
>    Search time limit with pkey-only: 10
>    Search size limit with pkey-only: 5000
>
> Hm, I am still not sold for this behavior. I don't think that user would
> expect that when he asks for smaller data package via --pkey-only we
> would silently undercover change --sizelimit and --timelimit parameters
> to different value than he is used to.
>
> I would you a second opinion on this. Rob?

As discussed in the meeting, for the pkey-only we can rely on the 
default limits imposed by the LDAP server which should be big enough. 
The UI will add sizelimit=0 as part of ticket #981. The IPA server 
doesn't need additional changes.

ACK and pushed to master.

-- 
Endi S. Dewata



From edewata at redhat.com  Thu Oct 27 14:59:46 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 27 Oct 2011 09:59:46 -0500
Subject: [Freeipa-devel] [PATCH] 301 Added password field in user adder
 dialog.
In-Reply-To: <4EA90F0F.2000508@redhat.com>
References: <4EA84D4F.6030901@redhat.com> <4EA90F0F.2000508@redhat.com>
Message-ID: <4EA971E2.3070106@redhat.com>

On 10/27/2011 2:58 AM, Petr Vobornik wrote:
> 1) message in: 'field2.show_error('Passwords do not match');' should use
> translated string.

Fixed. I'm considering to move the password fields into a reusable 
section, but that will be a separate issue.

-- 
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0301-2-Added-password-field-in-user-adder-dialog.patch
Type: text/x-patch
Size: 3171 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111027/c22b06ee/attachment.bin>

From pvoborni at redhat.com  Thu Oct 27 15:04:40 2011
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 27 Oct 2011 17:04:40 +0200
Subject: [Freeipa-devel] [PATCH] 301 Added password field in user adder
 dialog.
In-Reply-To: <4EA971E2.3070106@redhat.com>
References: <4EA84D4F.6030901@redhat.com> <4EA90F0F.2000508@redhat.com>
	<4EA971E2.3070106@redhat.com>
Message-ID: <4EA97308.30602@redhat.com>

On 10/27/2011 04:59 PM, Endi Sukma Dewata wrote:
> On 10/27/2011 2:58 AM, Petr Vobornik wrote:
>> 1) message in: 'field2.show_error('Passwords do not match');' should use
>> translated string.
>
> Fixed. I'm considering to move the password fields into a reusable
> section, but that will be a separate issue.
>
ACK

-- 
Petr Vobornik



From edewata at redhat.com  Thu Oct 27 15:21:14 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 27 Oct 2011 10:21:14 -0500
Subject: [Freeipa-devel] [PATCH] 303 Fixed inconsistent details facet
 validation.
In-Reply-To: <4EA92479.30608@redhat.com>
References: <4EA89A3A.9060502@redhat.com> <4EA92479.30608@redhat.com>
Message-ID: <4EA976EA.507@redhat.com>

On 10/27/2011 4:29 AM, Petr Vobornik wrote:
> ACK with a small doubt.
>
> I'm not sure if moving the validation call to update button's click
> handler is the right move. I think, this way the handler is doing more
> things than it should do. However I'm fond of changing the update method
> to be more override friendly.

I pushed this to master for now, but I agree with your concern. Suppose 
there are other buttons that need to do similar operation (like in 
entity adder dialog) they will need to repeat the same code. We probably 
can refactor it into a new function that calls validate() and update().

I also think we can move save() outside of update() too, and probably 
use the result for validation and update instead of calling it multiple 
times. This will require some more thinking, so let's do it separately.

-- 
Endi S. Dewata



From edewata at redhat.com  Thu Oct 27 15:24:26 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 27 Oct 2011 10:24:26 -0500
Subject: [Freeipa-devel] [PATCH] 301 Added password field in user adder
 dialog.
In-Reply-To: <4EA97308.30602@redhat.com>
References: <4EA84D4F.6030901@redhat.com> <4EA90F0F.2000508@redhat.com>
	<4EA971E2.3070106@redhat.com> <4EA97308.30602@redhat.com>
Message-ID: <4EA977AA.3090406@redhat.com>

On 10/27/2011 10:04 AM, Petr Vobornik wrote:
> ACK

Pushed to master.

-- 
Endi S. Dewata



From ayoung at redhat.com  Thu Oct 27 15:59:18 2011
From: ayoung at redhat.com (Adam Young)
Date: Thu, 27 Oct 2011 11:59:18 -0400
Subject: [Freeipa-devel] Extending the IPA-API
Message-ID: <4EA97FD6.6000807@redhat.com>

We had a pretty good discussion about the apporach we are looking at to 
allow end sites to extend their IPA  implementations without getting in 
the way of upgrades etc.  Here are some of the things I took away from 
that meeting.

We want to maintain the namespace as it is.  A site might decide it 
wants to deploy customer-user.py and have an entity named 
customer-user,  but the  group plugin will still talk to the user.py 
plugin internally.  However,  if all interaction is done via the 
function calls, customer-user.py can replace user.py as the code that 
handles, for example, user_add.

However, Rob Has ann approach that will allow an end site to extend an 
existing plugin.  His proof-of-concept was:

from ipalib.plugins.user import user, user_add
from ipapython import ipautil
from ipalib import api, errors
from ipalib import Str
from ipalib import _

class extend_user(user):
     user.takes_params = user.takes_params + (
         Str('foo',
             cli_name='foo',
             label=_('Foo'),
         ),
     )




Which would add the attribute foo to the existing user object.  This 
will show up in the next metadata call, so the web UI can use it as well.

We discussed in depth whether this mechanism should succeed or fail if 
the newly added name already exists in the Plugin.  One option is to 
succeed, but log the error.  This means that if a user adds afield that 
we late go bck and retrofit,  the IPA site will work, but custom code 
made by the end user will be ignored.  The alternative is for IPA server 
to fail to start,  but allow all of the other components (KDC, LDAP) to 
run.  Then a user will just lose the ability to administer their site 
until they address the conflict,  but key services will still be available.



The web UI can implement a similar mechanism.  We do not want end sites 
modifying the .js files shipped with the IPA server RPM,  other wise, 
they could inject columns and fields there, but they would be 
susceptible to breaking during upgrade.  Instead, we will provide an 
extension mechanism similar to the Library back end:

The Apache server will provide access to the file 
/etc/ipa/html/extensions.json. By default, this file will contain the 
simplest valid JSON possible:
  {}

This file will be fetched via AJAX and evaluated during the 
initialization of Entities.  THe format of the file will indicate what 
fields will be hidden in the UI, and what fields to add. As much as 
possible, the format will match the Java script  that is used to 
poulated the entities.

Something along the lines of:

{entity:user,
     search:{add:['foo'],
                   hide:['manager']},
     details:{add:[  {identity: ['foo','bar']}],
                   hide:['manager']},
}


This would add one field to the search results, and two fields to the 
details page, inside the identity section.

For the first pass, all added fields would be added as text fields.

On the second pass,  the JSON  listed above can be extended to allow 
custom widgets in the field declarations.

On the third pass, we add in a second file:  
/etc/ipa/html/custom_widgets.js.  By default it will be blank.

This file will be added to the index.html  of the webUI, and evaluated 
after all of the other widgets, but before the entities.  This will 
allow the end sites to not only add in their own widgets, but to 
possibly change the definition of some of the baseline widgets as well.
















From jdennis at redhat.com  Thu Oct 27 21:41:29 2011
From: jdennis at redhat.com (John Dennis)
Date: Thu, 27 Oct 2011 17:41:29 -0400
Subject: [Freeipa-devel] minimum python?
Message-ID: <4EA9D009.8070702@redhat.com>

So I looked in our freeipa spec file and I didn't see a minimum Python 
version specified. Do we have a minimum version of Python we require to 
run? Do we just make the assumption it's 2.6 since that's what's in RHEL?

I also assume that means any Python feature added in 2.7 cannot be used, 
correct?

-- 
John Dennis <jdennis at redhat.com>

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



From edewata at redhat.com  Thu Oct 27 21:51:56 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 27 Oct 2011 16:51:56 -0500
Subject: [Freeipa-devel] [PATCH] 028 Code cleanup of HBAC, Sudo rules
In-Reply-To: <4EA95F0A.5060903@redhat.com>
References: <4EA521FF.7020405@redhat.com> <4EA59250.8040506@redhat.com>
	<4EA6B041.5090204@redhat.com> <4EA6F86D.4070706@redhat.com>
	<4EA95F0A.5060903@redhat.com>
Message-ID: <4EA9D27C.8060207@redhat.com>

On 10/27/2011 8:39 AM, Petr Vobornik wrote:
> But still I think it would be better to be able to get container
> (facet/dialog) for a widget. As you wrote, that.entity.get_facet() may
> not always be what we want.

One possibility is to convert the facet & dialog into subclasses of an 
abstract container class. The container needs to provide functions such 
as refresh() so the widget doesn't need to know whether it's a facet or 
dialog.

>>> Btw similar topic could be: "How to get current entity's pkey?'.
>>> Dependancy on facet.get_primary_key() or
>>> IPA.nav.get_state(that.entity.name+'-pkey') seems wrong too.
>>
>> Yes. Ideally we should have a path (REST-style URL) instead of the
>> current parameter-based URL. We should get the pkey from that path.
>
>  From dependency point of view, widgets would be still dependant on the
> implementation of navigation (IMHO bad).
>
> But it seems that using entity.get_primary key partially solves the
> problem.

It could be argued that since this is a web app everything will have a 
path, but for now getting primary key from entity is fine since 
everything also has an associated entity.

> Maybe it would be better if navigation would inject pkey to entity.
> Entity wouldn't be that much dependant on navigation implementation.

We might need to distinguish 2 different usages of 'entity'. The first 
one represents a collection of entries:

   var users = IPA.get_entity('user');
   users.add([ 'test' ], { givenName: 'Test', ... });
   var result = users.find('t*');

The second one represents individual entry:

   var user = result.result[0];
   user.update({ sn: 'User' });

The entity collection should be 'stateless', it will be used in search 
pages. The individual entity will be 'stateful', it contains the pkey 
and the values of its attributes, and it will be used in the details page.

The entity.get_primary_key() is an interface to get the primary keys for 
a particular entity from the current path. So when you open a URL for an 
entry's details facet, it will execute the following command:

   var pkeys = entity.get_primary_key();
   var object = entity.get(pkeys);

Then the facet will use the object to populate the page.

> The priority could be part of update info. As there is a field_info we
> can create a command_info: { command, priority }.

> Before adding commands to batch_command, array of command_info objects
> would joined with 'mod' command with default priority and then sorted by
> priority.
>
> If the priority was set on each widget, priority management will be on
> facet level, which may be fine. There can be some corner case like
> dynamic change of priority.

I'd have to see how it's implemented.

>> One other solution is to split widgets into non-visual fields and purely
>> HTML components. Then in the facet we use separate lists for the fields
>> and HTML components. The fields will have a reference to the
>> corresponding HTML components. There can be more HTML components than
>> fields. But this will require a significant restructuring.
>
> Maybe we can use hybrid solution: html widgets would be simple object
> with some properties and create() method. They should not be called
> widgets. They would not be part of sections fields. Rendering would be
> done in widgets/sections create() method (as it is now).

I'm not very clear, we could be talking about the same thing. The 
(non-HTML) fields could be defined like this:

   fields: [
       {
           name: 'cn',
           widget: 'identity.cn'
       },
       {
           name: 'email',
           widget: 'identity.email'
       },
       {
           factory: IPA.password_field,
           name: 'userpassword',
           widgets: [ 'account.password1', 'account.password2' ]
       }
   ]

The specs above will be used to create IPA.field objects (not widget) to 
assist loading/saving attributes. Then we could also define the HTML 
components (let's call it widget) separately:

   widgets: [
       {
           factory: IPA.table_section,
           name: 'identity',
           label: 'Identity'
           widgets: [
               {
                   factory: IPA.text_widget,
                   name: 'cn'
               },
               {
                   factory: IPA.multivalued_widget,
                   name: 'email',
                   widget: IPA.text_widget
               }
           ]
       }
   ]

The specs above will be used to create IPA.widget objects to generate 
the HTML content. If there is no widget specs specified, we could 
generate it automatically from the field specs.

> Pros:
> - reusable layouts, headers...
> - not polluting field names
> Cons:
> - not so declarative - need to override update method, create custom
> section/widget factories - same as now

The above example should be quite declarative.

> Question:
> - what with widget nesting? rule_details_section is in fact a composite
> widget. I would like to keep the concept, because it offers better code
> reuse.

As shown above, widget (not field) nesting is possible.

A section is a composite widget with a specific layout: it has a header, 
it's collapsible, and it has nested widgets.

A table section is a section that uses 2 columns to display the nested 
widgets: one for the field label and the other for the widget itself.

A multivalued widget is a composite widget with one type of nested 
widgets and it has an Add and Undo All links.

The rule_details_section is a section with radio buttons (for the 
category) and some tables.

>> I think the decision to use mod or batch should be separate from details
>> facet. I'm thinking to create a separate class IPA.client which we can
>> add commands into it and execute them either individually or as a batch.
>
> What would be the IPA.client's responsibilities? It'll be only a
> container for commands with different executing strategies?

The IPA.client will represent a connection to the IPA server. In a 
browser IPA.client can only connect to the server it's loaded from:

   var client = IPA.client();

but in a JS engine like Rhino the IPA.client can connect to any IPA server:

    var client = IPA.client('ipa.example.com');

The IPA.client can be used to execute commands:

    var command = IPA.command(...);
    client.execute(command);

or start a batch:

    client.start_batch();
    client.execute(command1);
    client.execute(command2);
    client.end_batch();

or get the entities:

    var users = client.get_entity('user');

-- 
Endi S. Dewata



From rcritten at redhat.com  Thu Oct 27 22:08:13 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 27 Oct 2011 18:08:13 -0400
Subject: [Freeipa-devel] minimum python?
In-Reply-To: <4EA9D009.8070702@redhat.com>
References: <4EA9D009.8070702@redhat.com>
Message-ID: <4EA9D64D.9010903@redhat.com>

John Dennis wrote:
> So I looked in our freeipa spec file and I didn't see a minimum Python
> version specified. Do we have a minimum version of Python we require to
> run? Do we just make the assumption it's 2.6 since that's what's in RHEL?
>
> I also assume that means any Python feature added in 2.7 cannot be used,
> correct?
>

Correct. For the client we need to support 2.4 so keep that in mind too, 
but we can (and do) work around that on a per-client basis if we have to.

rob



From abokovoy at redhat.com  Thu Oct 27 22:36:13 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Fri, 28 Oct 2011 01:36:13 +0300
Subject: [Freeipa-devel] minimum python?
In-Reply-To: <4EA9D009.8070702@redhat.com>
References: <4EA9D009.8070702@redhat.com>
Message-ID: <20111027223612.GB28472@redhat.com>

On Thu, 27 Oct 2011, John Dennis wrote:
> So I looked in our freeipa spec file and I didn't see a minimum
> Python version specified. Do we have a minimum version of Python we
> require to run? Do we just make the assumption it's 2.6 since that's
> what's in RHEL?
Yes. I'm not sure we tried hard to keep 2.4 working but 2.6 is 
definitely supported.

> I also assume that means any Python feature added in 2.7 cannot be
> used, correct?
Yes. I had to rewrite code recently from views to sets due to the fact 
that dictionary views were added after 2.6...
-- 
/ Alexander Bokovoy



From ayoung at redhat.com  Thu Oct 27 23:39:07 2011
From: ayoung at redhat.com (Adam Young)
Date: Thu, 27 Oct 2011 19:39:07 -0400
Subject: [Freeipa-devel] [PATCH] 028 Code cleanup of HBAC, Sudo rules
In-Reply-To: <4EA9D27C.8060207@redhat.com>
References: <4EA521FF.7020405@redhat.com> <4EA59250.8040506@redhat.com>
	<4EA6B041.5090204@redhat.com> <4EA6F86D.4070706@redhat.com>
	<4EA95F0A.5060903@redhat.com> <4EA9D27C.8060207@redhat.com>
Message-ID: <4EA9EB9B.6050909@redhat.com>

On 10/27/2011 05:51 PM, Endi Sukma Dewata wrote:
> On 10/27/2011 8:39 AM, Petr Vobornik wrote:
>> But still I think it would be better to be able to get container
>> (facet/dialog) for a widget. As you wrote, that.entity.get_facet() may
>> not always be what we want.
>
> One possibility is to convert the facet & dialog into subclasses of an 
> abstract container class. The container needs to provide functions 
> such as refresh() so the widget doesn't need to know whether it's a 
> facet or dialog.
>
>>>> Btw similar topic could be: "How to get current entity's pkey?'.
>>>> Dependancy on facet.get_primary_key() or
>>>> IPA.nav.get_state(that.entity.name+'-pkey') seems wrong too.
>>>
>>> Yes. Ideally we should have a path (REST-style URL) instead of the
>>> current parameter-based URL. We should get the pkey from that path.
>>
>>  From dependency point of view, widgets would be still dependant on the
>> implementation of navigation (IMHO bad).
>>
>> But it seems that using entity.get_primary key partially solves the
>> problem.
>


> It could be argued that since this is a web app everything will have a 
> path, but for now getting primary key from entity is fine since 
> everything also has an associated entity.
>
>> Maybe it would be better if navigation would inject pkey to entity.
>> Entity wouldn't be that much dependant on navigation implementation.
>
> We might need to distinguish 2 different usages of 'entity'. The first 
> one represents a collection of entries:

Call that an instance.  Entity is the  term that is the analogue of  Class

So we want to distinguish getting the primary key field for the entity, 
as opposed to the primary key of the instance.

>
>   var users = IPA.get_entity('user');
>   users.add([ 'test' ], { givenName: 'Test', ... });
>   var result = users.find('t*');
>
> The second one represents individual entry:
>
>   var user = result.result[0];
>   user.update({ sn: 'User' });
>
> The entity collection should be 'stateless', it will be used in search 
> pages. The individual entity will be 'stateful', it contains the pkey 
> and the values of its attributes, and it will be used in the details 
> page.
>
> The entity.get_primary_key() is an interface to get the primary keys 
> for a particular entity from the current path. So when you open a URL 
> for an entry's details facet, it will execute the following command:
>
>   var pkeys = entity.get_primary_key();
>   var object = entity.get(pkeys);
>
> Then the facet will use the object to populate the page.
>
>> The priority could be part of update info. As there is a field_info we
>> can create a command_info: { command, priority }.

I'm a little unclear on the usage of priority.
>
>> Before adding commands to batch_command, array of command_info objects
>> would joined with 'mod' command with default priority and then sorted by
>> priority.
>>
>> If the priority was set on each widget, priority management will be on
>> facet level, which may be fine. There can be some corner case like
>> dynamic change of priority.
>
> I'd have to see how it's implemented.
>
>>> One other solution is to split widgets into non-visual fields and 
>>> purely
>>> HTML components. Then in the facet we use separate lists for the fields
>>> and HTML components. The fields will have a reference to the
>>> corresponding HTML components. There can be more HTML components than
>>> fields. But this will require a significant restructuring.
>>
>> Maybe we can use hybrid solution: html widgets would be simple object
>> with some properties and create() method. They should not be called
>> widgets. They would not be part of sections fields. Rendering would be
>> done in widgets/sections create() method (as it is now).

I think this is  not quite right.  Widget is just a generic term for an 
element of the UI object model.  It is intentionally generic.  A Widget 
can be just about anything.  Some bind down to the individual fields, or 
in somcses, even smaller, but widget could easily be the base class for 
Facets, sections and the widget we have now.

>
> I'm not very clear, we could be talking about the same thing. The 
> (non-HTML) fields could be defined like this:
>
>   fields: [
>       {
>           name: 'cn',
>           widget: 'identity.cn'
>       },
>       {
>           name: 'email',
>           widget: 'identity.email'
>       },
>       {
>           factory: IPA.password_field,
>           name: 'userpassword',
>           widgets: [ 'account.password1', 'account.password2' ]
>       }
>   ]
>
> The specs above will be used to create IPA.field objects (not widget) 
> to assist loading/saving attributes. Then we could also define the 
> HTML components (let's call it widget) separately:
>
>   widgets: [
>       {
>           factory: IPA.table_section,
>           name: 'identity',
>           label: 'Identity'
>           widgets: [
>               {
>                   factory: IPA.text_widget,
>                   name: 'cn'
>               },
>               {
>                   factory: IPA.multivalued_widget,
>                   name: 'email',
>                   widget: IPA.text_widget
>               }
>           ]
>       }
>   ]
>
> The specs above will be used to create IPA.widget objects to generate 
> the HTML content. If there is no widget specs specified, we could 
> generate it automatically from the field specs.
>
>> Pros:
>> - reusable layouts, headers...
>> - not polluting field names
>> Cons:
>> - not so declarative - need to override update method, create custom
>> section/widget factories - same as now
>
> The above example should be quite declarative.
>
>> Question:
>> - what with widget nesting? rule_details_section is in fact a composite
>> widget. I would like to keep the concept, because it offers better code
>> reuse.
>
> As shown above, widget (not field) nesting is possible.
>
> A section is a composite widget with a specific layout: it has a 
> header, it's collapsible, and it has nested widgets.
>
> A table section is a section that uses 2 columns to display the nested 
> widgets: one for the field label and the other for the widget itself.
>
> A multivalued widget is a composite widget with one type of nested 
> widgets and it has an Add and Undo All links.
>
> The rule_details_section is a section with radio buttons (for the 
> category) and some tables.
>
>>> I think the decision to use mod or batch should be separate from 
>>> details
>>> facet. I'm thinking to create a separate class IPA.client which we can
>>> add commands into it and execute them either individually or as a 
>>> batch.
>>
>> What would be the IPA.client's responsibilities? It'll be only a
>> container for commands with different executing strategies?
>
> The IPA.client will represent a connection to the IPA server. In a 
> browser IPA.client can only connect to the server it's loaded from:

>
>   var client = IPA.client();
>
> but in a JS engine like Rhino the IPA.client can connect to any IPA 
> server:
>
>    var client = IPA.client('ipa.example.com');

This will work now, but you will not be able to see the results of the 
command.  Integrations like this are how  the Like buttons from Facebook 
work.  Cross site posting is tricky, but permitted, and might be useful 
in some cases.  Possibly we should call it connection.
>
> The IPA.client can be used to execute commands:
>
>    var command = IPA.command(...);
>    client.execute(command);
>
> or start a batch:
>
>    client.start_batch();
>    client.execute(command1);
>    client.execute(command2);
>    client.end_batch();
>
> or get the entities:
>
>    var users = client.get_entity('user');
>



From edewata at redhat.com  Fri Oct 28 00:40:51 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 27 Oct 2011 19:40:51 -0500
Subject: [Freeipa-devel] Extending the IPA-API
In-Reply-To: <4EA97FD6.6000807@redhat.com>
References: <4EA97FD6.6000807@redhat.com>
Message-ID: <4EA9FA13.3060500@redhat.com>

On 10/27/2011 10:59 AM, Adam Young wrote:
> The web UI can implement a similar mechanism. We do not want end sites
> modifying the .js files shipped with the IPA server RPM, other wise,
> they could inject columns and fields there, but they would be
> susceptible to breaking during upgrade. Instead, we will provide an
> extension mechanism similar to the Library back end:
>
> The Apache server will provide access to the file
> /etc/ipa/html/extensions.json. By default, this file will contain the
> simplest valid JSON possible:
> {}
>
> This file will be fetched via AJAX and evaluated during the
> initialization of Entities. THe format of the file will indicate what
> fields will be hidden in the UI, and what fields to add. As much as
> possible, the format will match the Java script that is used to poulated
> the entities.
>
> Something along the lines of:
>
> {entity:user,
> search:{add:['foo'],
> hide:['manager']},
> details:{add:[ {identity: ['foo','bar']}],
> hide:['manager']},
> }

I'd rather not use a descriptive language to perform object modification 
because it's very limited. For example, the 'add' operation doesn't say 
where the 'foo' should be added, whether it should be at the beginning 
or the end, or before/after certain fields, etc. We could continue 
expanding the language to support more complex logic, but why not just 
use JS directly.

> This would add one field to the search results, and two fields to the
> details page, inside the identity section.
>
> For the first pass, all added fields would be added as text fields.
>
> On the second pass, the JSON listed above can be extended to allow
> custom widgets in the field declarations.
>
> On the third pass, we add in a second file:
> /etc/ipa/html/custom_widgets.js. By default it will be blank.

I'd say we go directly with custom JS file and provide a good extensible 
JS API. It will require the least effort from us.

Somewhere in the code we can define the default entities:

   IPA.register('user', IPA.user.User);
   IPA.register('group', IPA.group.Group);

Then in the custom JS file we can override the default entity:

   IPA.register('user', com.example.user.User);

The custom entity can be defined as follows:

   com.example.user.User = function(spec) {

       // extend the default entity
       var that = IPA.user.User(spec);

       var init = function() {

           // replace the original search facet
           that.add_facet(com.example.user.SearchFacet({
               name: 'search'
           });
       };

       init();

       return that;
   };

   com.example.user.SearchFacet = function(spec) {

       // extend the default search facet
       var that = IPA.user.SearchFacet(spec);

       var init = function() {

           // find phone's position
           var i = that.get_field_index('phone');

           // add fax after phone
           that.add_field(i+1, 'fax');
       };

       init();

       return that;
   };

Then later we can design a descriptive language that will cover most 
common use cases.

> This file will be added to the index.html of the webUI, and evaluated
> after all of the other widgets, but before the entities. This will allow
> the end sites to not only add in their own widgets, but to possibly
> change the definition of some of the baseline widgets as well.

-- 
Endi S. Dewata



From edewata at redhat.com  Fri Oct 28 00:55:37 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 27 Oct 2011 19:55:37 -0500
Subject: [Freeipa-devel] [PATCH] 028 Code cleanup of HBAC, Sudo rules
In-Reply-To: <4EA9EB9B.6050909@redhat.com>
References: <4EA521FF.7020405@redhat.com> <4EA59250.8040506@redhat.com>
	<4EA6B041.5090204@redhat.com> <4EA6F86D.4070706@redhat.com>
	<4EA95F0A.5060903@redhat.com> <4EA9D27C.8060207@redhat.com>
	<4EA9EB9B.6050909@redhat.com>
Message-ID: <4EA9FD89.2080206@redhat.com>

On 10/27/2011 6:39 PM, Adam Young wrote:
>> We might need to distinguish 2 different usages of 'entity'. The first
>> one represents a collection of entries:
>
> Call that an instance. Entity is the term that is the analogue of Class

Not sure I understand correctly. You mean entity is a class which is a 
collection, similar to a table in database? And instance is an object or 
individual entry or row in a table?

> So we want to distinguish getting the primary key field for the entity,
> as opposed to the primary key of the instance.

 From the URL we want to get the primary key for a particular 
instance/object to show in the detail page.

>> The IPA.client will represent a connection to the IPA server. In a
>> browser IPA.client can only connect to the server it's loaded from:
>>
>> var client = IPA.client();
>>
>> but in a JS engine like Rhino the IPA.client can connect to any IPA
>> server:
>>
>> var client = IPA.client('ipa.example.com');
>
> This will work now, but you will not be able to see the results of the
> command. Integrations like this are how the Like buttons from Facebook
> work. Cross site posting is tricky, but permitted, and might be useful
> in some cases. Possibly we should call it connection.

The second code is not supposed to be used inside a browser. This is 
suppose you're writing a JS script running in Rhino, you need to specify 
the IPA server you're connecting to. I haven't tried this, but I suppose 
in Rhino we will be able to set the Referer to match the server name.

I'd rather call it IPA.client because it will do other things too, not 
just connection.

-- 
Endi S. Dewata



From ayoung at redhat.com  Sat Oct 29 01:45:37 2011
From: ayoung at redhat.com (Adam Young)
Date: Fri, 28 Oct 2011 21:45:37 -0400
Subject: [Freeipa-devel] [PATCH] 028 Code cleanup of HBAC, Sudo rules
In-Reply-To: <4EA9FD89.2080206@redhat.com>
References: <4EA521FF.7020405@redhat.com> <4EA59250.8040506@redhat.com>
	<4EA6B041.5090204@redhat.com> <4EA6F86D.4070706@redhat.com>
	<4EA95F0A.5060903@redhat.com> <4EA9D27C.8060207@redhat.com>
	<4EA9EB9B.6050909@redhat.com> <4EA9FD89.2080206@redhat.com>
Message-ID: <4EAB5AC1.6030005@redhat.com>

On 10/27/2011 08:55 PM, Endi Sukma Dewata wrote:
> On 10/27/2011 6:39 PM, Adam Young wrote:
>>> We might need to distinguish 2 different usages of 'entity'. The first
>>> one represents a collection of entries:
>>
>> Call that an instance. Entity is the term that is the analogue of Class
>
> Not sure I understand correctly. You mean entity is a class which is a 
> collection, similar to a table in database? And instance is an object 
> or individual entry or row in a table?
Yes, that is a pretty good analogy.
>> So we want to distinguish getting the primary key field for the entity,
>> as opposed to the primary key of the instance.
>
> From the URL we want to get the primary key for a particular 
> instance/object to show in the detail page.
Yes.  In a RESTful  scheme it would be /IPA/entities/users/ayoung  to 
get my user object
>
>>> The IPA.client will represent a connection to the IPA server. In a
>>> browser IPA.client can only connect to the server it's loaded from:
>>>
>>> var client = IPA.client();
>>>
>>> but in a JS engine like Rhino the IPA.client can connect to any IPA
>>> server:
>>>
>>> var client = IPA.client('ipa.example.com');
>>
>> This will work now, but you will not be able to see the results of the
>> command. Integrations like this are how the Like buttons from Facebook
>> work. Cross site posting is tricky, but permitted, and might be useful
>> in some cases. Possibly we should call it connection.
>
> The second code is not supposed to be used inside a browser. This is 
> suppose you're writing a JS script running in Rhino, you need to 
> specify the IPA server you're connecting to. I haven't tried this, but 
> I suppose in Rhino we will be able to set the Referer to match the 
> server name.
>
> I'd rather call it IPA.client because it will do other things too, not 
> just connection.
>



From simo at redhat.com  Sun Oct 30 13:42:41 2011
From: simo at redhat.com (Simo Sorce)
Date: Sun, 30 Oct 2011 09:42:41 -0400
Subject: [Freeipa-devel] [PATCH] 300 Refactored validation code.
In-Reply-To: <4EA90B5E.9050903@redhat.com>
References: <4EA84CF2.7050005@redhat.com>  <4EA90B5E.9050903@redhat.com>
Message-ID: <1319982161.7734.0.camel@willson.li.ssimo.org>

On Thu, 2011-10-27 at 09:42 +0200, Petr Vobornik wrote:
> On 10/26/2011 08:09 PM, Endi Sukma Dewata wrote:
> > The validation code in details facet, dialog, and sections have
> > been modified to work more consistently.
> >
> > This is required by patch #301.
> >
> 
> ACK

Given 301 was pushed I assume this was pushed as well.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



From simo at redhat.com  Sun Oct 30 16:08:16 2011
From: simo at redhat.com (Simo Sorce)
Date: Sun, 30 Oct 2011 12:08:16 -0400
Subject: [Freeipa-devel] Expired certs and certmonger in FreeIPA
Message-ID: <1319990896.7734.79.camel@willson.li.ssimo.org>

So my personal home installation is now more than 6 months old.
How do I know that ? I know because originally we had a 6 months
expiration period in SSL cert profiles and that was the exp. period of
all my certs.

So coming home I got a new laptop for my wife and I wanted to put it in
the FreeIPA domain. I kinit as admin on the server and try to run an ipa
commend, and I get back an error that certs are expired :-(

So, knowing certmonger should run I try to check that certmonger is a
live, it isn't and messagebus isn't either. (This is an F15 issue so
only relevant for the following behavior).

Ok I start messagebus and certmonger and then issue a getcert list ..
and it says the certs will expire in 2013 ... uhmm strange I think.

Ok issue the ipa command again, and no luck, it still complains that
certs are expired.

So as a last attempt, before trying to manually issue new certs I just
issue a service httpd restart ... and now the ipa command works again.

So appaerently this means apache is not able to find out it has new
certs available, even after the certs it is currently using are expired.

The question is: should we try to fix apache to be able to reread the
cert store ? Or should we add to certmonger the ability to restart
services when it renews certs ? Or when the previous ones finally
expire ?

I'd say the former but it might be a lot more difficult than the second.

Thoughts ?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



From edewata at redhat.com  Sun Oct 30 16:36:13 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Sun, 30 Oct 2011 11:36:13 -0500
Subject: [Freeipa-devel] [PATCH] 300 Refactored validation code.
In-Reply-To: <1319982161.7734.0.camel@willson.li.ssimo.org>
References: <4EA84CF2.7050005@redhat.com> <4EA90B5E.9050903@redhat.com>
	<1319982161.7734.0.camel@willson.li.ssimo.org>
Message-ID: <4EAD7CFD.8060803@redhat.com>

On 10/30/2011 8:42 AM, Simo Sorce wrote:
>> ACK
>
> Given 301 was pushed I assume this was pushed as well.

Ah, yes... sorry I forgot to send the push email.

-- 
Endi S. Dewata



From dpal at redhat.com  Mon Oct 31 01:22:12 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Sun, 30 Oct 2011 21:22:12 -0400
Subject: [Freeipa-devel] Expired certs and certmonger in FreeIPA
In-Reply-To: <1319990896.7734.79.camel@willson.li.ssimo.org>
References: <1319990896.7734.79.camel@willson.li.ssimo.org>
Message-ID: <4EADF844.1080402@redhat.com>

On 10/30/2011 12:08 PM, Simo Sorce wrote:
> So my personal home installation is now more than 6 months old.
> How do I know that ? I know because originally we had a 6 months
> expiration period in SSL cert profiles and that was the exp. period of
> all my certs.
>
> So coming home I got a new laptop for my wife and I wanted to put it in
> the FreeIPA domain. I kinit as admin on the server and try to run an ipa
> commend, and I get back an error that certs are expired :-(
>
> So, knowing certmonger should run I try to check that certmonger is a
> live, it isn't and messagebus isn't either. (This is an F15 issue so
> only relevant for the following behavior).
>
> Ok I start messagebus and certmonger and then issue a getcert list ..
> and it says the certs will expire in 2013 ... uhmm strange I think.
>
> Ok issue the ipa command again, and no luck, it still complains that
> certs are expired.
>
> So as a last attempt, before trying to manually issue new certs I just
> issue a service httpd restart ... and now the ipa command works again.
>
> So appaerently this means apache is not able to find out it has new
> certs available, even after the certs it is currently using are expired.
>
> The question is: should we try to fix apache to be able to reread the
> cert store ? Or should we add to certmonger the ability to restart
> services when it renews certs ? Or when the previous ones finally
> expire ?
>
> I'd say the former but it might be a lot more difficult than the second.
>
> Thoughts ?
>
> Simo.
>
Please open two bugs. I think we should implement workaround and let
apache address it at its own pace.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/





From jcholast at redhat.com  Mon Oct 31 11:18:46 2011
From: jcholast at redhat.com (Jan Cholasta)
Date: Mon, 31 Oct 2011 12:18:46 +0100
Subject: [Freeipa-devel] [PATCH] 1 Do lazy initializiation ipalib
In-Reply-To: <4EA81E29.4030007@redhat.com>
References: <4EA6B9AB.60801@redhat.com>
	<1319551270.14006.20.camel@balmora.brq.redhat.com>
	<4EA6C7E8.1000301@redhat.com> <4EA71C71.6070500@redhat.com>
	<4EA7D54E.3010300@redhat.com>
	<1319636472.27433.57.camel@balmora.brq.redhat.com>
	<4EA810B0.5020307@redhat.com>
	<1319639963.5652.3.camel@balmora.brq.redhat.com>
	<4EA81E29.4030007@redhat.com>
Message-ID: <4EAE8416.4060401@redhat.com>

Dne 26.10.2011 16:50, Jan Cholasta napsal(a):
> Dne 26.10.2011 16:39, Martin Kosek napsal(a):
>> On Wed, 2011-10-26 at 15:52 +0200, Jan Cholasta wrote:
>>> Dne 26.10.2011 15:41, Martin Kosek napsal(a):
>>>> On Wed, 2011-10-26 at 11:39 +0200, Jan Cholasta wrote:
>>>>> Dne 25.10.2011 22:30, Rob Crittenden napsal(a):
>>>>>> Ondrej Hamada wrote:
>>>>>>> On 10/25/2011 04:01 PM, Martin Kosek wrote:
>>>>>>>> On Tue, 2011-10-25 at 15:29 +0200, Ondrej Hamada wrote:
>>>>>>>>> https://fedorahosted.org/freeipa/ticket/1336
>>>>>>>>>
>>>>>>>>> Lazy initialization of ipalib plugins is used under all
>>>>>>>>> contexts, not
>>>>>>>>> only when context = cli. Every loaded plugin is pre-finalized -
>>>>>>>>> a flag
>>>>>>>>> is set, which means, that the plugin needs to be finalized.
>>>>>>>>> Then every
>>>>>>>>> call of plugin's __gettattr__ checks the flag and finalizes the
>>>>>>>>> plugin
>>>>>>>>> if necessary. The code was implemented by jcholast. Time
>>>>>>>>> reduction of
>>>>>>>>> commands execution is quite markable:
>>>>>>>>>
>>>>>>>>> patch [s] | normal [s] | command
>>>>>>>>> -----------------------------------------------------------------------
>>>>>>>>>
>>>>>>>>> 1.468 | 2.287 | ipa user-add jsmith --firt=john
>>>>>>>>> --last=smith
>>>>>>>>> 1.658 | 2.235 | ipa user-del jsmith
>>>>>>>>> 1.624 | 2.204 | ipa dnsrecord-find example.com
>>>>>>>>>
>>>>>>>> Thanks for submitting the patch. Ondra, just please provide the
>>>>>>>> patch in
>>>>>>>> proper format (exported via command `git format-patch -M -C
>>>>>>>> --patience
>>>>>>>> --full-index -1' which I sent you earlier).
>>>>>>>>
>>>>>>>> Martin
>>>>>>>>
>>>>>>>>
>>>>>>> Sorry, correct version attached
>>>>>>
>>>>>> Wow, this is very impressive, great job Ondra and Honza!
>>>>>>
>>>>>> Martin, ACK from me but I'd like a second opinion. The patch is very
>>>>>> straightforward and clean, just want to make sure we're not missing a
>>>>>> corner case.
>>>>>>
>>>>>> I ran the self-tests and didn't see any problem there.
>>>>>>
>>>>>> Before pushing please add the ticket # to the commit.
>>>>>>
>>>>>> rob
>>>>>>
>>>>>
>>>>> I've just remembered that special methods aren't looked up through
>>>>> __getattribute__ (see the note at
>>>>> http://docs.python.org/reference/datamodel.html#more-attribute-access-for-new-style-classes).
>>>>>
>>>>> That might possibly cause problems in Command and subclasses,
>>>>> because it
>>>>> uses __call__.
>>>>>
>>>>> Honza
>>>>>
>>>>
>>>> This should be investigated. All our unit tests are OK though.
>>>>
>>>> I am also thinking if we shouldn't do this optimization on CLI side
>>>> only
>>>> as the original ticket suggests. As server side loads and finalizes all
>>>> plugins just once at httpd start, performance should be OK. Plus, we
>>>> would know right after the start that we are ready and there is no
>>>> problem with finalizing any component.
>>>>
>>>> Martin
>>>>
>>>
>>> As we discussed earlier - are you sure it works that way?
>>
>> Yes.
>>
>>> I did a few
>>> Django-based applications before and I'm pretty sure all mod_wsgi does
>>> is caching the bytecode, which is run from the beginning for each
>>> request, like what CLI does.
>>
>> I did few Django application myself too. Its all about how mod_wsgi is
>> configured. You may want to learn more about WSGIDaemonProcess and
>> WSGIImportScript directives.
>>
>> In IPA, we have API already prepared and finalized for every incoming
>> request.
>>
>>>
>>> If it does work the way you described, the worst thing that could happen
>>> is that the plugins would be finalized the first time they are used and
>>> then stay initialized until the server terminates.
>>>
>>> Honza
>>>
>>
>> I know, I was just being conservative. As this optimization has no
>> effect on server performance I considered it a little bit safer to load
>> everything at start and be sure we are OK. But its not that hard
>> requirement.
>>
>> Martin
>>
>
> OK, thanks, just wanted to be sure.
>
> Honza
>

Added finalization for __call__ and the check for CLI. Patch attached.

Honza

-- 
Jan Cholasta
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-57-lazy-finalize.patch
Type: text/x-patch
Size: 2674 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111031/2db3cbcb/attachment.bin>

From abokovoy at redhat.com  Mon Oct 31 12:19:05 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Mon, 31 Oct 2011 14:19:05 +0200
Subject: [Freeipa-devel] [PATCH] 1 Do lazy initializiation ipalib
In-Reply-To: <4EAE8416.4060401@redhat.com>
References: <4EA6B9AB.60801@redhat.com>
	<1319551270.14006.20.camel@balmora.brq.redhat.com>
	<4EA6C7E8.1000301@redhat.com> <4EA71C71.6070500@redhat.com>
	<4EA7D54E.3010300@redhat.com>
	<1319636472.27433.57.camel@balmora.brq.redhat.com>
	<4EA810B0.5020307@redhat.com>
	<1319639963.5652.3.camel@balmora.brq.redhat.com>
	<4EA81E29.4030007@redhat.com> <4EAE8416.4060401@redhat.com>
Message-ID: <20111031121904.GA9412@redhat.com>

On Mon, 31 Oct 2011, Jan Cholasta wrote:
> Added finalization for __call__ and the check for CLI. Patch attached.
ACK from my side but see below.

> +    def __getattribute__(self, name):
> +        if not name.startswith('_Plugin__') and not name.startswith('_ReadOnly__') and name != 'finalize_late':
> +            self.finalize_late()
> +        return object.__getattribute__(self, name)
Could you get faster than three string comparisons? As 
__getattribute__ is fairly often called it would make sense to keep 
these operations to absolute minimum.

-- 
/ Alexander Bokovoy



From simo at redhat.com  Mon Oct 31 13:03:33 2011
From: simo at redhat.com (Simo Sorce)
Date: Mon, 31 Oct 2011 09:03:33 -0400
Subject: [Freeipa-devel] [PATCH] 1 Do lazy initializiation ipalib
In-Reply-To: <20111031121904.GA9412@redhat.com>
References: <4EA6B9AB.60801@redhat.com>
	<1319551270.14006.20.camel@balmora.brq.redhat.com>
	<4EA6C7E8.1000301@redhat.com> <4EA71C71.6070500@redhat.com>
	<4EA7D54E.3010300@redhat.com>
	<1319636472.27433.57.camel@balmora.brq.redhat.com>
	<4EA810B0.5020307@redhat.com>
	<1319639963.5652.3.camel@balmora.brq.redhat.com>
	<4EA81E29.4030007@redhat.com> <4EAE8416.4060401@redhat.com>
	<20111031121904.GA9412@redhat.com>
Message-ID: <1320066213.7734.186.camel@willson.li.ssimo.org>

On Mon, 2011-10-31 at 14:19 +0200, Alexander Bokovoy wrote:
> On Mon, 31 Oct 2011, Jan Cholasta wrote:
> > Added finalization for __call__ and the check for CLI. Patch attached.
> ACK from my side but see below.
> 
> > +    def __getattribute__(self, name):
> > +        if not name.startswith('_Plugin__') and not name.startswith('_ReadOnly__') and name != 'finalize_late':
> > +            self.finalize_late()
> > +        return object.__getattribute__(self, name)
> Could you get faster than three string comparisons? As 
> __getattribute__ is fairly often called it would make sense to keep 
> these operations to absolute minimum.

How common it is for name to match the above expressions ?
If they always match then yes, we have an issue with the full strings
being compared fully each time. If they seldom match and the name
normally differ from the very first characters then these string
comparisons would be really quick and not too worrying.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



From abokovoy at redhat.com  Mon Oct 31 13:22:40 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Mon, 31 Oct 2011 15:22:40 +0200
Subject: [Freeipa-devel] [PATCH] 1 Do lazy initializiation ipalib
In-Reply-To: <1320066213.7734.186.camel@willson.li.ssimo.org>
References: <4EA6C7E8.1000301@redhat.com> <4EA71C71.6070500@redhat.com>
	<4EA7D54E.3010300@redhat.com>
	<1319636472.27433.57.camel@balmora.brq.redhat.com>
	<4EA810B0.5020307@redhat.com>
	<1319639963.5652.3.camel@balmora.brq.redhat.com>
	<4EA81E29.4030007@redhat.com> <4EAE8416.4060401@redhat.com>
	<20111031121904.GA9412@redhat.com>
	<1320066213.7734.186.camel@willson.li.ssimo.org>
Message-ID: <20111031132240.GB9412@redhat.com>

On Mon, 31 Oct 2011, Simo Sorce wrote:
> On Mon, 2011-10-31 at 14:19 +0200, Alexander Bokovoy wrote:
> > On Mon, 31 Oct 2011, Jan Cholasta wrote:
> > > Added finalization for __call__ and the check for CLI. Patch attached.
> > ACK from my side but see below.
> > 
> > > +    def __getattribute__(self, name):
> > > +        if not name.startswith('_Plugin__') and not name.startswith('_ReadOnly__') and name != 'finalize_late':
> > > +            self.finalize_late()
> > > +        return object.__getattribute__(self, name)
> > Could you get faster than three string comparisons? As 
> > __getattribute__ is fairly often called it would make sense to keep 
> > these operations to absolute minimum.
> 
> How common it is for name to match the above expressions ?
> If they always match then yes, we have an issue with the full strings
> being compared fully each time. If they seldom match and the name
> normally differ from the very first characters then these string
> comparisons would be really quick and not too worrying.
This is Plugin class, i.e. every instance of Command and Object.

Look at 'not name.startswith() and' clause -- it forces for each non 
_Plugin__/_ReadOnly__ prefixed attribute (i.e. all attributes added to 
HasParam, Command, Object, and their derivatives) to go through three 
comparisons before getting to the actual attribute fetching -- it means on every 
access to Object.foo, for example.

-- 
/ Alexander Bokovoy



From ayoung at redhat.com  Mon Oct 31 14:19:02 2011
From: ayoung at redhat.com (Adam Young)
Date: Mon, 31 Oct 2011 10:19:02 -0400
Subject: [Freeipa-devel] Extending the IPA-API
In-Reply-To: <4EA9FA13.3060500@redhat.com>
References: <4EA97FD6.6000807@redhat.com> <4EA9FA13.3060500@redhat.com>
Message-ID: <4EAEAE56.9090208@redhat.com>

On 10/27/2011 08:40 PM, Endi Sukma Dewata wrote:
> On 10/27/2011 10:59 AM, Adam Young wrote:
>> The web UI can implement a similar mechanism. We do not want end sites
>> modifying the .js files shipped with the IPA server RPM, other wise,
>> they could inject columns and fields there, but they would be
>> susceptible to breaking during upgrade. Instead, we will provide an
>> extension mechanism similar to the Library back end:
>>
>> The Apache server will provide access to the file
>> /etc/ipa/html/extensions.json. By default, this file will contain the
>> simplest valid JSON possible:
>> {}
>>
>> This file will be fetched via AJAX and evaluated during the
>> initialization of Entities. THe format of the file will indicate what
>> fields will be hidden in the UI, and what fields to add. As much as
>> possible, the format will match the Java script that is used to poulated
>> the entities.
>>
>> Something along the lines of:
>>
>> {entity:user,
>> search:{add:['foo'],
>> hide:['manager']},
>> details:{add:[ {identity: ['foo','bar']}],
>> hide:['manager']},
>> }
>
> I'd rather not use a descriptive language to perform object 
> modification because it's very limited. For example, the 'add' 
> operation doesn't say where the 'foo' should be added, whether it 
> should be at the beginning or the end, or before/after certain fields, 
> etc. We could continue expanding the language to support more complex 
> logic, but why not just use JS directly.

I think you are right.  I'd like to focus on a form that looks as 
declarative as possible,  as it is likely going to be performed by 
system administrators, and done in the context of editing a 
configuration file.


>
>> This would add one field to the search results, and two fields to the
>> details page, inside the identity section.
>>
>> For the first pass, all added fields would be added as text fields.
>>
>> On the second pass, the JSON listed above can be extended to allow
>> custom widgets in the field declarations.
>>
>> On the third pass, we add in a second file:
>> /etc/ipa/html/custom_widgets.js. By default it will be blank.
>
> I'd say we go directly with custom JS file and provide a good 
> extensible JS API. It will require the least effort from us.
>
> Somewhere in the code we can define the default entities:
>
>   IPA.register('user', IPA.user.User);
>   IPA.register('group', IPA.group.Group);
>
> Then in the custom JS file we can override the default entity:
>
>   IPA.register('user', com.example.user.User);
>
> The custom entity can be defined as follows:
>
>   com.example.user.User = function(spec) {
>
>       // extend the default entity
>       var that = IPA.user.User(spec);
>
>       var init = function() {
>
>           // replace the original search facet
>           that.add_facet(com.example.user.SearchFacet({
>               name: 'search'
>           });
>       };
>
>       init();
>
>       return that;
>   };
>
>   com.example.user.SearchFacet = function(spec) {
>
>       // extend the default search facet
>       var that = IPA.user.SearchFacet(spec);
>
>       var init = function() {
>
>           // find phone's position
>           var i = that.get_field_index('phone');
>
>           // add fax after phone
>           that.add_field(i+1, 'fax');
>       };
>
>       init();
>
>       return that;
>   };


>
> Then later we can design a descriptive language that will cover most 
> common use cases.

Sounds like a plan.  Just try to keep the descriptive approach in the 
forefront of your mind so that we don't have to implement twice.

>
>> This file will be added to the index.html of the webUI, and evaluated
>> after all of the other widgets, but before the entities. This will allow
>> the end sites to not only add in their own widgets, but to possibly
>> change the definition of some of the baseline widgets as well.
>



From jcholast at redhat.com  Mon Oct 31 15:03:04 2011
From: jcholast at redhat.com (Jan Cholasta)
Date: Mon, 31 Oct 2011 16:03:04 +0100
Subject: [Freeipa-devel] [PATCH] 1 Do lazy initializiation ipalib
In-Reply-To: <20111031121904.GA9412@redhat.com>
References: <4EA6B9AB.60801@redhat.com>
	<1319551270.14006.20.camel@balmora.brq.redhat.com>
	<4EA6C7E8.1000301@redhat.com> <4EA71C71.6070500@redhat.com>
	<4EA7D54E.3010300@redhat.com>
	<1319636472.27433.57.camel@balmora.brq.redhat.com>
	<4EA810B0.5020307@redhat.com>
	<1319639963.5652.3.camel@balmora.brq.redhat.com>
	<4EA81E29.4030007@redhat.com> <4EAE8416.4060401@redhat.com>
	<20111031121904.GA9412@redhat.com>
Message-ID: <4EAEB8A8.7010805@redhat.com>

Dne 31.10.2011 13:19, Alexander Bokovoy napsal(a):
> On Mon, 31 Oct 2011, Jan Cholasta wrote:
>> Added finalization for __call__ and the check for CLI. Patch attached.
> ACK from my side but see below.
>
>> +    def __getattribute__(self, name):
>> +        if not name.startswith('_Plugin__') and not name.startswith('_ReadOnly__') and name != 'finalize_late':
>> +            self.finalize_late()
>> +        return object.__getattribute__(self, name)
> Could you get faster than three string comparisons? As
> __getattribute__ is fairly often called it would make sense to keep
> these operations to absolute minimum.
>

Is there any noticable slowdown?

Honza

-- 
Jan Cholasta



From edewata at redhat.com  Mon Oct 31 22:38:29 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 31 Oct 2011 17:38:29 -0500
Subject: [Freeipa-devel] [PATCH] 029 Page is cleared before it is visible
In-Reply-To: <4EA92AF7.8080609@redhat.com>
References: <4EA92AF7.8080609@redhat.com>
Message-ID: <4EAF2365.8000005@redhat.com>

On 10/27/2011 4:57 AM, Petr Vobornik wrote:
> https://fedorahosted.org/freeipa/ticket/1459
>
> Changes:
> * added clear method to widgets, section, search, details, association
> facets
> * clear method in facet is called only if key/filter was changed

Some issues:

1. The new clear() method is called during refresh(), so the facet with 
the old data is still shown for a brief moment before it's cleared.

Take a look at the following code in IPA.entity.display():

     // same entity, same facet, and doesn't need updating => return
     if (that == prev_entity
         && that.facet == prev_facet
         && !that.facet.needs_update()) {
         return;
     }

     ...

     that.facet.show();
     that.facet.header.select_tab();
     that.facet.refresh();

The clear() should be called before show(). However, if the pkey/filter 
is unchanged (check using needs_update()) we just need to show() the 
facet, no need to clear() and refresh() again. The above logic needs to 
be fixed.

The we will need to override the needs_update() for search and 
association facets because the default one always returns true.

2. The following code in association.js and search.js will call clear() 
if there's no old pkey/filter, is this intentional? No old pkey/filter 
means the page is just loaded, so it probably doesn't need clearing.

if (!old_pkey || old_pkey[0] !== pkey[0]) {
     that.clear();
}

if (!old_filter || old_filter[0] !== filter[0]) {
     that.clear();
}

-- 
Endi S. Dewata