From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 01 Nov 2013 09:39:38 +0100
Subject: [Freeipa-devel] [PATCHES] 122-123 Remove generation and handling of LM hashes
In-Reply-To: <20131030214451.GA2783@localhost.localdomain>
References: <20131030113441.GO2783@localhost.localdomain> <20131030122833.GJ25335@redhat.com> <527105B7.50900@redhat.com> <20131030214451.GA2783@localhost.localdomain>
Message-ID: <527368CA.4000102@redhat.com>

On 10/30/2013 10:44 PM, Sumit Bose wrote:
> On Wed, Oct 30, 2013 at 02:12:23PM +0100, Martin Kosek wrote:
>> On 10/30/2013 01:28 PM, Alexander Bokovoy wrote:
>>> On Wed, 30 Oct 2013, Sumit Bose wrote:
>>>
>>>> Hi,
>>>>
>>>> those two patches try to fix
>>>> https://fedorahosted.org/freeipa/ticket/3795 (Remove LANMAN hash
>>>> support). The first patch removes the option to enable the support while
>>>> the second removes all the related C-code.
>>> ACK on these patches but see below.
>>
>> I have a few comments on the patches:
>>
>> 1) In util/ipa_pwd_ntlm.c, we can now also remove parity_table.
>>
>> 2) In util/ipa_pwd_ntlm.c, in encode_ntlm_keys, upperPasswd is no longer needed
>> (i.e. the UTF upper-casing calls in caller functions are not needed either). I
>> am thinking we could simplify the function just to:
>>
>> int encode_nt_key(char *newPasswd,
>>                   uint8_t *ntHash)
>>
>> i.e. it seems to me that ntlm_keys structure may not be needed now, since we
>> removed one item of two in it. keys->lm is not used anywhere anyway.
>
> I removed/changed the code as you suggested. New version attached.
>
>>
>>>> Although the ticket is scheduled for the 3.3.x bugfix release I'm not
>>>> sure if it is a good idea to remove the support in a minor release.
>>>> Since the LM hashes are not enabled by default I would expect that in
>>>> setups where it is enabled the hashes are needed one way or the other.
>>>> Those setups should get time to adopt.
>>> We should add removal of the 'allowlmhash' from the IPA config with
>>> upgrade plugin.
>>
>> Not sure this is the best way. With Sumit's patches, generation of the LM hash
>> is not stopped despite the configuration. So if someone still needs an old IPA
>> server where these hashes are used, they are still generated and used there.
>>
>> If you remove allowlmhash from the config, once you install a patched IPA
>> replica, the value would get replicated and the old IPA server would not generate
>> the hashes.
>
> We discussed this and came to the conclusion that we might want to add a
> script which removes existing LM hashes and config entries from the
> directory tree. This way the admin can decide based on his environment
> when is the best time to remove them.
>
> bye,
> Sumit

ACK, pushed your 2 patches to master, ipa-3-3.

I also pushed a small patch removing the config string allowing LM hashes (attached) which was ACK-ed via IRC by Alexander.

Note that I also filed https://fedorahosted.org/freeipa/ticket/4009 to let us prepare a script removing existing LM hashes for all users.

Martin

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-438-remove-deprecated-allowlmhash-config.patch
Type: text/x-patch
Size: 1011 bytes
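Why upperPasswd can go together with the LM code, as an added example that is not FreeIPA's code: the NT hash is MD4 over the UTF-16LE encoding of the password exactly as typed, with no upper-casing step, so two passwords differing only in case produce different hashes; the upper-casing existed only for the LM hash. `encode_nt_key` here mirrors the signature Martin proposes and is an assumption about naming; MD4 is written out in pure Python because hashlib's md4 is missing from many current OpenSSL builds.

```python
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x, n):
    """Rotate a 32-bit word left by n bits."""
    x &= MASK32
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(message):
    """MD4 as specified in RFC 1320, in pure Python (hashlib's 'md4' is
    often unavailable on current OpenSSL builds, so it is not relied on)."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z

    # Padding: 0x80, zeros up to 56 mod 64, then the bit length as a
    # little-endian 64-bit integer.
    bit_len = len(message) * 8
    message += b"\x80"
    message += b"\x00" * ((56 - len(message) % 64) % 64)
    message += struct.pack("<Q", bit_len)

    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    # (boolean function, additive constant, shift amounts, word order) per round
    rounds = (
        (f, 0x00000000, (3, 7, 11, 19), tuple(range(16))),
        (g, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(message), 64):
        words = struct.unpack("<16I", message[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for func, const, shifts, order in rounds:
            for i, k in enumerate(order):
                a = _rotl(a + func(b, c, d) + words[k] + const, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate registers: next step targets the old d
        a0, b0, c0, d0 = ((a0 + a) & MASK32, (b0 + b) & MASK32,
                          (c0 + c) & MASK32, (d0 + d) & MASK32)
    return struct.pack("<4I", a0, b0, c0, d0)


def encode_nt_key(new_passwd):
    """NT hash of a password: MD4 over its UTF-16LE encoding, case preserved.
    Named after the C signature proposed in the thread; this is an illustration,
    not the IPA implementation."""
    return md4(new_passwd.encode("utf-16le"))


if __name__ == "__main__":
    # Same password in two cases gives two distinct NT hashes, so no
    # upper-casing step belongs in the NT path (LM was the only consumer).
    for pw in ("password", "PASSWORD"):
        print(pw, encode_nt_key(pw).hex())
```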
From: tbabej at redhat.com (Tomas Babej)
Date: Fri, 01 Nov 2013 12:19:19 +0100
Subject: [Freeipa-devel] [PATCH 0128] ipatests: Add integration tests for legacy clients
Message-ID: <52738E37.2020905@redhat.com>

Hi,

This implements the test cases for legacy clients using SSSD, nss-ldap and nss-pam-ldapd.

Part of: https://fedorahosted.org/freeipa/ticket/3833

--
Tomas Babej
Associate Software Engineer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-tbabej-0128-ipatests-Add-integration-tests-for-legacy-clients.patch
Type: text/x-patch
Size: 10413 bytes

From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Fri, 1 Nov 2013 13:35:46 +0200
Subject: [Freeipa-devel] [PATCH 0128] ipatests: Add integration tests for legacy clients
In-Reply-To: <52738E37.2020905@redhat.com>
References: <52738E37.2020905@redhat.com>
Message-ID: <20131101113545.GV25335@redhat.com>

On Fri, 01 Nov 2013, Tomas Babej wrote:
>Hi,
>
>This implements the test cases for legacy clients using SSSD,
>nss-ldap and nss-pam-ldapd.
>
>Part of: https://fedorahosted.org/freeipa/ticket/3833
>
>--
>Tomas Babej
>Associate Software Engineer | Red Hat | Identity Management
>RHCE | Brno Site | IRC: tbabej | freeipa.org
>
>
>From c68d67d6502c576d23e50838be54c0fe7c343c95 Mon Sep 17 00:00:00 2001
>From: Tomas Babej
>Date: Wed, 30 Oct 2013 16:52:25 +0100
>Subject: [PATCH] ipatests: Add integration tests for legacy clients
>
>Part of: https://fedorahosted.org/freeipa/ticket/3833
>---
> ipatests/test_integration/test_legacy_clients.py | 271 +++++++++++++++++++++++
> 1 file changed, 271 insertions(+)
> create mode 100644 ipatests/test_integration/test_legacy_clients.py
> >diff --git a/ipatests/test_integration/test_legacy_clients.py b/ipatests/test_integration/test_legacy_clients.py >new file mode 100644 >index 0000000000000000000000000000000000000000..d0b1fd20a4ef21811e418e88bb7d45194fd230d1 >--- /dev/null >+++ b/ipatests/test_integration/test_legacy_clients.py 
>@@ -0,0 +1,271 @@ >+# Authors: >+# Tomas Babej >+# >+# Copyright (C) 2013 Red Hat >+# see file 'COPYING' for use and warranty information >+# >+# This program is free software; you can redistribute it and/or modify >+# it under the terms of the GNU General Public License as published by >+# the Free Software Foundation, either version 3 of the License, or >+# (at your option) any later version. >+# >+# This program is distributed in the hope that it will be useful, >+# but WITHOUT ANY WARRANTY; without even the implied warranty of >+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the >+# GNU General Public License for more details. >+# >+# You should have received a copy of the GNU General Public License >+# along with this program. If not, see . >+ >+import re >+ >+import nose >+ >+from ipatests.test_integration import tasks >+ >+# the 'as' part is a workaround around Nose agressive execution of Test classes >+from ipatests.test_integration import test_trust as trust_tests Can you explain what does this 'agressive execution' mean? >+class BaseTestLegacyClient(trust_tests.TestEnforcedPosixADTrust): >+ """ >+ Tests legacy client support. 
>+ """ >+ >+ advice_id = None >+ legacy_client_role = None >+ backup_files = ['/etc/sysconfig/authconfig', >+ '/etc/pam.d', >+ '/etc/openldap/cacerts', >+ '/etc/openldap/ldap.conf', >+ '/etc/nsswitch.conf', >+ '/etc/sssd/sssd.conf'] >+ >+ @classmethod >+ def setup_class(cls): >+ super(BaseTestLegacyClient, cls).setup_class() >+ cls.ad = cls.ad_domains[0].ads[0] >+ >+ cls.legacy_client = cls.host_by_role(cls.legacy_client_role) >+ cls.prepare_host(cls.legacy_client) >+ tasks.apply_common_fixes(cls.legacy_client) >+ >+ for f in cls.backup_files: >+ tasks.backup_file(cls.legacy_client, f) >+ >+ def test_remove_trust_with_posix_attributes(self): >+ pass >+ >+ def test_apply_advice(self): >+ # Obtain the advice from the server >+ tasks.kinit_admin(self.master) >+ result = self.master.run_command(['ipa-advise', self.advice_id]) >+ advice = result.stdout_text >+ >+ # Apply the advice on the legacy client >+ self.legacy_client.put_file_contents('/root/advice.sh', advice) >+ result = self.legacy_client.run_command(['bash', '-x', '-e', >+ '/root/advice.sh']) >+ >+ assert result.returncode == 0 >+ >+ # Restart SSHD to load new PAM configuration >+ self.legacy_client.run_command(['/sbin/service', 'sshd', 'restart'])

At least for openssh you don't need to restart sshd when changing PAM
configuration. Due to privilege separation all authentication always
happens in a new process and PAM stack initialized there.

--
/ Alexander Bokovoy
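Review bot: in the hunk's BaseTestLegacyClient, test_remove_trust_with_posix_attributes is overridden with a bare pass, which silently turns the inherited trust test into an always-passing no-op for every legacy-client class derived from it; a one-line comment stating why the inherited test is disabled here (or an explicit skip with a reason) would keep that intent visible to the next reader. Two smaller points in test_apply_advice: `assert result.returncode == 0` is redundant, since run_command already raises on a non-zero exit unless it is called with raiseonerr=False; and the import comment should read "aggressive" rather than "agressive", or better, the wording Alexander proposes ("Import test_trust under different name to avoid Nose executing base class instead of the specific tests"), which also explains the alias.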
From: akrivoka at redhat.com (Ana Krivokapic)
Date: Fri, 01 Nov 2013 12:59:47 +0100
Subject: [Freeipa-devel] Reminder: Patchwork
In-Reply-To: <1383243842.8612.144.camel@willson.li.ssimo.org>
References: <527298CA.3080305@redhat.com> <1383243842.8612.144.camel@willson.li.ssimo.org>
Message-ID: <527397B3.8080100@redhat.com>

On 10/31/2013 07:24 PM, Simo Sorce wrote:
> On Thu, 2013-10-31 at 18:52 +0100, Ana Krivokapic wrote:
>> Hello IPA developers,
>>
>> I would like to remind everyone about our Patchwork instance[1]. This tool helps
>> us to better coordinate work and be more efficient, so let's try to remember to
>> use it consistently. It takes only a few seconds of extra work per patch
>> submission/review, which could potentially save us much more time. It is
>> especially useful to mark the patch as 'Under Review' when you start reviewing
>> it, so that others are aware of it and they don't start reviewing the same
>> patch. That way, we can avoid the situation of two people accidentally doing the
>> review of the same patch at the same time.
>>
>> I have just cleaned up the Patchwork instance as best as I could so it should
>> now hopefully reflect the real situation on the state of patches.
>>
>> We also have some instructions on how to use it on our wiki[2].
>>
>> Thanks!
>>
>> [1] https://patchwork.acksyn.org/project/FreeIPA/list/
>> [2] http://www.freeipa.org/page/Contribute/Code#Tracking_patches_.28Experimental.29
> Ana,
> thanks for going through it, I try to keep it up to date but have had
> little time recently.
>
> Incidentally the machine ran out of memory and the database crashed :-(
> I added more memory and restarted the instance, please let me know if
> everything is ok, it looks good to me.
>
> Simo.
>

Everything seems ok, I'll report back if I find any problems.

--
Regards,

Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.
From: pviktori at redhat.com (Petr Viktorin)
Date: Fri, 01 Nov 2013 13:29:03 +0100
Subject: [Freeipa-devel] [PATCHES] 106-113 Access raw LDAP values directly from LDAPEntry
In-Reply-To: <526FD17E.7020607@redhat.com>
References: <512E26E1.5010302@redhat.com> <52419527.70200@redhat.com> <524426F5.6010006@redhat.com> <525544A3.6080807@redhat.com> <52565B09.2090909@redhat.com> <525BB27C.1000507@redhat.com> <525EBB0D.9040003@redhat.com> <526FAB52.5080300@redhat.com> <526FD17E.7020607@redhat.com>
Message-ID: <52739E8F.9070209@redhat.com>

On 10/29/2013 04:17 PM, Petr Viktorin wrote:
[...]
> 106 - 121: ACK
>

I've either rushed review, or introduced a conflict with my ACI refactors. It turns out patch 112 broke a permission plugin test:

======================================================================
FAIL: test_permission[22]: permission_find: Search for permissions by attr with a limit of 1 (truncated)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/nose/case.py", line 197, in runTest
    self.test(*self.arg)
  File "/home/pviktori/freeipa/ipatests/test_xmlrpc/xmlrpc_test.py", line 283, in <lambda>
    func = lambda: self.check(nice, **test)
  File "/home/pviktori/freeipa/ipatests/test_xmlrpc/xmlrpc_test.py", line 301, in check
    self.check_output(nice, cmd, args, options, expected, extra_check)
  File "/home/pviktori/freeipa/ipatests/test_xmlrpc/xmlrpc_test.py", line 341, in check_output
    assert_deepequal(expected, got, nice)
  File "/home/pviktori/freeipa/ipatests/util.py", line 344, in assert_deepequal
    assert_deepequal(e_sub, g_sub, doc, stack + (key,))
  File "/home/pviktori/freeipa/ipatests/util.py", line 332, in assert_deepequal
    assert_deepequal(e_sub, g_sub, doc, stack + (i,))
  File "/home/pviktori/freeipa/ipatests/util.py", line 338, in assert_deepequal
    doc, sorted(missing), sorted(extra), expected, got, stack
AssertionError: assert_deepequal: dict keys mismatch.
  test_permission[22]: permission_find: Search for permissions by attr with a limit of 1 (truncated)
  missing keys = ['memberindirect_role']
  extra keys = []
  expected = {'dn': ipapython.dn.DN('cn=Modify HBAC rule,cn=permissions,cn=pbac,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com'), 'cn': [u'Modify HBAC rule'], 'member_privilege': [u'HBAC Administrator'], 'subtree': u'ldap:///ipauniqueid=*,cn=hbac,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com', 'attrs': [u'servicecategory', u'sourcehostcategory', u'cn', u'description', u'ipaenabledflag', u'accesstime', u'usercategory', u'hostcategory', u'accessruletype', u'sourcehost'], 'memberindirect_role': [u'IT Security Specialist'], 'permissions': [u'write']}
  got = {'dn': u'cn=Modify SELinux User Maps,cn=permissions,cn=pbac,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com', 'cn': (u'Modify SELinux User Maps',), 'member_privilege': (u'SELinux User Map Administrators',), 'subtree': u'ldap:///ipauniqueid=*,cn=usermap,cn=selinux,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com', 'attrs': (u'cn', u'memberuser', u'memberhost', u'seealso', u'ipaselinuxuser', u'ipaenabledflag'), 'permissions': (u'write',)}
  path = ('result', 0)

----------------------------------------------------------------------
Ran 64 tests in 19.128s

FAILED (failures=1)
======================================================================
FAILED under '/usr/bin/python2.7'

Can you reproduce this? I can look into it when I have time.

--
Petr³
From: tbabej at redhat.com (Tomas Babej)
Date: Fri, 01 Nov 2013 13:47:33 +0100
Subject: [Freeipa-devel] [PATCH 0128] ipatests: Add integration tests for legacy clients
In-Reply-To: <20131101113545.GV25335@redhat.com>
References: <52738E37.2020905@redhat.com> <20131101113545.GV25335@redhat.com>
Message-ID: <5273A2E5.40906@redhat.com>

On 11/01/2013 12:35 PM, Alexander Bokovoy wrote:
> On Fri, 01 Nov 2013, Tomas Babej wrote:
>
>> Hi,
>>
>> This implements the test cases for legacy clients using SSSD,
>> nss-ldap and nss-pam-ldapd.
>>
>> Part of: https://fedorahosted.org/freeipa/ticket/3833
>>
>> --
>> Tomas Babej
>> Associate Software Engineer | Red Hat | Identity Management
>> RHCE | Brno Site | IRC: tbabej | freeipa.org
>>
>>
>
>> From c68d67d6502c576d23e50838be54c0fe7c343c95 Mon Sep 17 00:00:00 2001
>> From: Tomas Babej
>> Date: Wed, 30 Oct 2013 16:52:25 +0100
>> Subject: [PATCH] ipatests: Add integration tests for legacy clients
>>
>> Part of: https://fedorahosted.org/freeipa/ticket/3833
>> ---
>> ipatests/test_integration/test_legacy_clients.py | 271
>> +++++++++++++++++++++++
>> 1 file changed, 271 insertions(+)
>> create mode 100644 ipatests/test_integration/test_legacy_clients.py
>>
>> diff --git a/ipatests/test_integration/test_legacy_clients.py
>> b/ipatests/test_integration/test_legacy_clients.py
>> new file mode 100644
>> index
>> 0000000000000000000000000000000000000000..d0b1fd20a4ef21811e418e88bb7d45194fd230d1
>> --- /dev/null
>> +++ b/ipatests/test_integration/test_legacy_clients.py
>> @@ -0,0 +1,271 @@ >> +# Authors: >> +# Tomas Babej >> +# >> +# Copyright (C) 2013 Red Hat >> +# see file 'COPYING' for use and warranty information >> +# >> +# This program is free software; you can redistribute it and/or modify >> +# it under the terms of the GNU General Public License as published by >> +# the Free Software Foundation, either version 3 of the License, or >> +# (at your option) any later version. >> +# >> +# This program is distributed in the hope that it will be useful, >> +# but WITHOUT ANY WARRANTY; without even the implied warranty of >> +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the >> +# GNU General Public License for more details. >> +# >> +# You should have received a copy of the GNU General Public License >> +# along with this program. If not, see . >> + >> +import re >> + >> +import nose >> + >> +from ipatests.test_integration import tasks >> + >> +# the 'as' part is a workaround around Nose agressive execution of >> Test classes >> +from ipatests.test_integration import test_trust as trust_tests > > Can you explain what does this 'agressive execution' mean? > > This was done to make Nose not execute the imported test class (since it starts with Test prefix). It was necessary to import whole module under a different name. >> +class BaseTestLegacyClient(trust_tests.TestEnforcedPosixADTrust): >> + """ >> + Tests legacy client support. 
>> + """ >> + >> + advice_id = None >> + legacy_client_role = None >> + backup_files = ['/etc/sysconfig/authconfig', >> + '/etc/pam.d', >> + '/etc/openldap/cacerts', >> + '/etc/openldap/ldap.conf', >> + '/etc/nsswitch.conf', >> + '/etc/sssd/sssd.conf'] >> + >> + @classmethod >> + def setup_class(cls): >> + super(BaseTestLegacyClient, cls).setup_class() >> + cls.ad = cls.ad_domains[0].ads[0] >> + >> + cls.legacy_client = cls.host_by_role(cls.legacy_client_role) >> + cls.prepare_host(cls.legacy_client) >> + tasks.apply_common_fixes(cls.legacy_client) >> + >> + for f in cls.backup_files: >> + tasks.backup_file(cls.legacy_client, f) >> + >> + def test_remove_trust_with_posix_attributes(self): >> + pass >> + >> + def test_apply_advice(self): >> + # Obtain the advice from the server >> + tasks.kinit_admin(self.master) >> + result = self.master.run_command(['ipa-advise', >> self.advice_id]) >> + advice = result.stdout_text >> + >> + # Apply the advice on the legacy client >> + self.legacy_client.put_file_contents('/root/advice.sh', advice) >> + result = self.legacy_client.run_command(['bash', '-x', '-e', >> + '/root/advice.sh']) >> + >> + assert result.returncode == 0 >> + >> + # Restart SSHD to load new PAM configuration >> + self.legacy_client.run_command(['/sbin/service', 'sshd', >> 'restart'])
> At least for openssh you don't need to restart sshd when changing PAM
> configuration. Due to privilege separation all authentication always
> happens in a new process and PAM stack initialized there.
>

Even so, this shouldn't hurt. Since we're working with legacy clients / different platforms / old package versions, I'd rather make as few assumptions as possible.

--
Tomas Babej
Associate Software Engineer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org
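The collection problem Tomas describes, as an added example that is not ipatests code: a name-based collector in the style of nose's default testMatch pattern treats every module-level class whose name matches as a test class, so `from test_trust import TestEnforcedPosixADTrust` would bind the base class into the legacy client module and run its tests a second time from there, while `import test_trust as trust_tests` binds only a module object. The modules below are constructed in-memory stand-ins for test_trust and test_legacy_clients, and the pattern is nose's documented default, quoted here as an assumption about the nose version in use.

```python
import re
import types

# nose's default testMatch pattern. The literal '\b' inside the character
# class is a long-standing quirk of nose's own pattern and is kept verbatim.
TEST_MATCH = re.compile(r"(?:^|[\b_\./-])[Tt]est")


def collect_test_classes(module):
    """Name-based collection in the style of nose: every class bound at
    module level whose name matches TEST_MATCH is treated as a test class."""
    return sorted(
        name
        for name, obj in vars(module).items()
        if isinstance(obj, type) and TEST_MATCH.search(name)
    )


def _make_module(name, **bindings):
    """Constructed in-memory module standing in for a test file on disk."""
    module = types.ModuleType(name)
    module.__dict__.update(bindings)
    return module


# Stand-in for the base class in ipatests.test_integration.test_trust.
class TestEnforcedPosixADTrust(object):
    def test_remove_trust_with_posix_attributes(self):
        pass


test_trust = _make_module("test_trust",
                          TestEnforcedPosixADTrust=TestEnforcedPosixADTrust)


# Stand-in for the class in the patch: inherits the trust fixtures but does
# not match the pattern itself, because 'Test' is not at a word start here.
class BaseTestLegacyClient(TestEnforcedPosixADTrust):
    def test_remove_trust_with_posix_attributes(self):
        pass


def legacy_module_direct_import():
    """'from test_trust import TestEnforcedPosixADTrust' binds the Test* name
    in the importing module, so the collector finds the base class there too."""
    return _make_module(
        "test_legacy_clients",
        TestEnforcedPosixADTrust=test_trust.TestEnforcedPosixADTrust,
        BaseTestLegacyClient=BaseTestLegacyClient,
    )


def legacy_module_aliased_import():
    """'import test_trust as trust_tests' binds only a module object, which the
    collector ignores; the base class is still reachable as trust_tests.X."""
    return _make_module(
        "test_legacy_clients",
        trust_tests=test_trust,
        BaseTestLegacyClient=BaseTestLegacyClient,
    )


if __name__ == "__main__":
    print("direct import collects:", collect_test_classes(legacy_module_direct_import()))
    print("aliased import collects:", collect_test_classes(legacy_module_aliased_import()))
```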
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Fri, 1 Nov 2013 15:28:25 +0200 Subject: [Freeipa-devel] [PATCH 0128] ipatests: Add integration tests for legacy clients In-Reply-To: <5273A2E5.40906@redhat.com> References: <52738E37.2020905@redhat.com> <20131101113545.GV25335@redhat.com> <5273A2E5.40906@redhat.com> Message-ID: <20131101132825.GW25335@redhat.com> On Fri, 01 Nov 2013, Tomas Babej wrote: >>>+# the 'as' part is a workaround around Nose agressive execution >>>of Test classes >>>+from ipatests.test_integration import test_trust as trust_tests >> >>Can you explain what does this 'agressive execution' mean? >> >> > >This was done to make Nose not execute the imported test class (since >it starts with Test prefix). >It was necessary to import whole module under a different name. Ok, that's what I thought. Maybe it is better to write "Import test_trust under different name to avoid Nose executing base class instead of the specific tests"? >>>+ def test_apply_advice(self): >>>+ # Obtain the advice from the server >>>+ tasks.kinit_admin(self.master) >>>+ result = self.master.run_command(['ipa-advise', >>>self.advice_id]) >>>+ advice = result.stdout_text >>>+ >>>+ # Apply the advice on the legacy client >>>+ self.legacy_client.put_file_contents('/root/advice.sh', advice) >>>+ result = self.legacy_client.run_command(['bash', '-x', '-e', >>>+ '/root/advice.sh']) >>>+ >>>+ assert result.returncode == 0 >>>+ >>>+ # Restart SSHD to load new PAM configuration >>>+ self.legacy_client.run_command(['/sbin/service', 'sshd', >>>'restart']) >>At least for openssh you don't need to restart sshd when changing PAM >>configuration. Due to privilege separation all authentication always >>happens in a new process and PAM stack initialized there. >> > >Even so, this shouldn't hurt. Since we're working with legacy clients >/ different platforms / old package versions, >I'd rather make as few assumptions as possible. Ok. 
--
/ Alexander Bokovoy

From: pspacek at redhat.com (Petr Spacek)
Date: Fri, 01 Nov 2013 14:32:45 +0100
Subject: [Freeipa-devel] [PATCH 0202-0203] Improve performance of initial LDAP synchronization; Detect end of initial LDAP synchronization phase
Message-ID: <5273AD7D.5020402@redhat.com>

Hello,

Improve performance of initial LDAP synchronization.

Changes are not journaled and SOA serial is not incremented during initial LDAP synchronization. This eliminates unnecessary synchronous writes to journal and also unnecessary SOA serial writes to LDAP.

See commit messages and comments in syncrepl.c for all the gory details.

--
Petr^2 Spacek

-------------- next part --------------
A non-text attachment was scrubbed...
Name: bind-dyndb-ldap-pspacek-0202-Detect-end-of-initial-LDAP-synchronization-phase.patch
Type: text/x-patch
Size: 20266 bytes

-------------- next part --------------
A non-text attachment was scrubbed...
Name: bind-dyndb-ldap-pspacek-0203-Improve-performance-of-initial-LDAP-synchronization.patch
Type: text/x-patch
Size: 5920 bytes
From: tbabej at redhat.com (Tomas Babej)
Date: Fri, 01 Nov 2013 15:18:17 +0100
Subject: [Freeipa-devel] [PATCH 0125] ipatests: Add which package to legacy client advice
In-Reply-To: <52723ABB.9010603@redhat.com>
References: <52712338.2030509@redhat.com> <52723ABB.9010603@redhat.com>
Message-ID: <5273B829.1070907@redhat.com>

On 10/31/2013 12:10 PM, Ana Krivokapic wrote:
> On 10/30/2013 04:18 PM, Tomas Babej wrote:
>> Hi,
>>
>> Adds which package to the requirements, since older distros do not
>> have it by default.
>>
>> Part of: https://fedorahosted.org/freeipa/ticket/3833
>>
>> _______________________________________________
>> Freeipa-devel mailing list
>> Freeipa-devel at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>
> You can use the bash built-in command `command`, instead of `which`,
> to find out if a program exists:
>
> command -v cacertdir_rehash
>
> In other words, just replace `which` with `command -v`; there's no
> need to install any additional packages.
> --
> Regards,
>
> Ana Krivokapic
> Associate Software Engineer
> FreeIPA team
> Red Hat Inc.
>

Thanks!

Updated patch attached.

--
Tomas Babej
Associate Software Engineer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-tbabej-0125-2-ipatests-Add-which-package-to-legacy-client-advice-r.patch
Type: text/x-patch
Size: 1546 bytes
From: tbabej at redhat.com (Tomas Babej)
Date: Fri, 01 Nov 2013 15:20:59 +0100
Subject: [Freeipa-devel] [PATCH 0128] ipatests: Add integration tests for legacy clients
In-Reply-To: <52738E37.2020905@redhat.com>
References: <52738E37.2020905@redhat.com>
Message-ID: <5273B8CB.9050806@redhat.com>

On 11/01/2013 12:19 PM, Tomas Babej wrote:
> Hi,
>
> This implements the test cases for legacy clients using SSSD, nss-ldap
> and nss-pam-ldapd.
>
> Part of: https://fedorahosted.org/freeipa/ticket/3833
>

Attaching a new version of the patch and a fix for the AD integration test.

--
Tomas Babej
Associate Software Engineer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-tbabej-0128-2-ipatests-Add-integration-tests-for-legacy-clients.patch
Type: text/x-patch
Size: 10473 bytes

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-tbabej-0129-ipatests-test_trust-use-domain-name-instead-of-realm.patch
Type: text/x-patch
Size: 1929 bytes
From: akrivoka at redhat.com (Ana Krivokapic)
Date: Fri, 01 Nov 2013 15:27:29 +0100
Subject: [Freeipa-devel] [PATCH 0125] ipatests: Add which package to legacy client advice
In-Reply-To: <5273B829.1070907@redhat.com>
References: <52712338.2030509@redhat.com> <52723ABB.9010603@redhat.com> <5273B829.1070907@redhat.com>
Message-ID: <5273BA51.8030208@redhat.com>

On 11/01/2013 03:18 PM, Tomas Babej wrote:
> On 10/31/2013 12:10 PM, Ana Krivokapic wrote:
>> On 10/30/2013 04:18 PM, Tomas Babej wrote:
>>> Hi,
>>>
>>> Adds which package to the requirements, since older distros do not have it
>>> by default.
>>>
>>> Part of: https://fedorahosted.org/freeipa/ticket/3833
>>>
>>
>> You can use the bash built-in command `command`, instead of `which`, to find
>> out if a program exists:
>>
>> command -v cacertdir_rehash
>>
>> In other words, just replace `which` with `command -v`; there's no need to
>> install any additional packages.
>> --
>> Regards,
>>
>> Ana Krivokapic
>> Associate Software Engineer
>> FreeIPA team
>> Red Hat Inc.
>>
>
> Thanks!
>
> Updated patch attached.
>
> --
> Tomas Babej
> Associate Software Engineer | Red Hat | Identity Management
> RHCE | Brno Site | IRC: tbabej | freeipa.org

Looks good! Please just amend the commit message to reflect the new content of the patch.

--
Regards,

Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.
From: pviktori at redhat.com (Petr Viktorin)
Date: Fri, 01 Nov 2013 15:26:12 +0100
Subject: [Freeipa-devel] [PATCHES] 0258-0265 Add schema updater based on IPA schema files
In-Reply-To: <523340D5.4090505@redhat.com>
References: <51FA7645.6090702@redhat.com> <523340D5.4090505@redhat.com>
Message-ID: <5273BA04.9040703@redhat.com>

On 09/13/2013 06:44 PM, Petr Viktorin wrote:
> On 08/01/2013 04:52 PM, Petr Viktorin wrote:
>> Hello,
>> With these patches, schema updates will be based on the ldif files we
>> use for installation.
>>
>> https://fedorahosted.org/freeipa/ticket/3454
>>
>> This is a RFE, here is the design doc:
>> http://www.freeipa.org/page/V3/Improved_schema_updater
>>
>
> I found and filed a bug in python-ldap[0]: it sometimes ignores parts of
> schema LDIFs when parsing them.
> Patch 0275 works around the bug. Please apply on top of 0258-0265 (they
> still apply cleanly).
>
>
> [0] https://bugzilla.redhat.com/show_bug.cgi?id=1007820
>

The recent ipaldap patches resulted in a small conflict. Attaching rebased patches.

--
Petr³

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0258.2-ldapupdate-Factor-out-connection-code.patch
Type: text/x-patch
Size: 4845 bytes

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0259.2-dsinstance-Move-the-list-of-schema-filenames-to-a-co.patch
Type: text/x-patch
Size: 2098 bytes

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0260.2-Add-schema-updater-based-on-IPA-schema-files.patch
Type: text/x-patch
Size: 13114 bytes

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0261.2-Update-the-man-page-for-ipa-ldap-updater.patch
Type: text/x-patch
Size: 2118 bytes

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0262.2-Remove-schema-modifications-from-update-files.patch
Type: text/x-patch
Size: 57061 bytes

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0263.2-Remove-schema-special-casing-from-the-LDAP-updater.patch
Type: text/x-patch
Size: 10209 bytes

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0264.2-Make-schema-files-conform-to-new-updater.patch
Type: text/x-patch
Size: 27262 bytes

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0265.2-Add-formerly-update-only-schema.patch
Type: text/x-patch
Size: 10413 bytes

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0275.2-Unify-capitalization-of-attribute-names-in-schema-fi.patch
Type: text/x-patch
Size: 11040 bytes
From: tbabej at redhat.com (Tomas Babej)
Date: Fri, 01 Nov 2013 15:30:56 +0100
Subject: [Freeipa-devel] [PATCH 0125] ipatests: Add which package to legacy client advice
In-Reply-To: <5273BA51.8030208@redhat.com>
References: <52712338.2030509@redhat.com> <52723ABB.9010603@redhat.com> <5273B829.1070907@redhat.com> <5273BA51.8030208@redhat.com>
Message-ID: <5273BB20.3090706@redhat.com>

On 11/01/2013 03:27 PM, Ana Krivokapic wrote:
> On 11/01/2013 03:18 PM, Tomas Babej wrote:
>> On 10/31/2013 12:10 PM, Ana Krivokapic wrote:
>>> On 10/30/2013 04:18 PM, Tomas Babej wrote:
>>>> Hi,
>>>>
>>>> Adds which package to the requirements, since older distros do not
>>>> have it by default.
>>>>
>>>> Part of: https://fedorahosted.org/freeipa/ticket/3833
>>>>
>>>
>>> You can use the bash built-in command `command`, instead of `which`,
>>> to find out if a program exists:
>>>
>>> command -v cacertdir_rehash
>>>
>>> In other words, just replace `which` with `command -v`; there's no
>>> need to install any additional packages.
>>> --
>>> Regards,
>>>
>>> Ana Krivokapic
>>> Associate Software Engineer
>>> FreeIPA team
>>> Red Hat Inc.
>>>
>>
>> Thanks!
>>
>> Updated patch attached.
>>
>> --
>> Tomas Babej
>> Associate Software Engineer | Red Hat | Identity Management
>> RHCE | Brno Site | IRC: tbabej | freeipa.org
>
> Looks good! Please just amend the commit message to reflect the new
> content of the patch.
>
> --
> Regards,
>
> Ana Krivokapic
> Associate Software Engineer
> FreeIPA team
> Red Hat Inc.

Good catch. Fixed.

--
Tomas Babej
Associate Software Engineer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-tbabej-0125-3-ipatests-Use-command-v-instead-of-which-in-legacy-cl.patch
Type: text/x-patch
Size: 1547 bytes
From: akrivoka at redhat.com (Ana Krivokapic)
Date: Fri, 01 Nov 2013 15:34:24 +0100
Subject: [Freeipa-devel] [PATCH 0125] ipatests: Add which package to legacy client advice
In-Reply-To: <5273BB20.3090706@redhat.com>
References: <52712338.2030509@redhat.com> <52723ABB.9010603@redhat.com> <5273B829.1070907@redhat.com> <5273BA51.8030208@redhat.com> <5273BB20.3090706@redhat.com>
Message-ID: <5273BBF0.4040001@redhat.com>

On 11/01/2013 03:30 PM, Tomas Babej wrote:
> On 11/01/2013 03:27 PM, Ana Krivokapic wrote:
>> On 11/01/2013 03:18 PM, Tomas Babej wrote:
>>> On 10/31/2013 12:10 PM, Ana Krivokapic wrote:
>>>> On 10/30/2013 04:18 PM, Tomas Babej wrote:
>>>>> Hi,
>>>>>
>>>>> Adds which package to the requirements, since older distros do not have it
>>>>> by default.
>>>>>
>>>>> Part of: https://fedorahosted.org/freeipa/ticket/3833
>>>>
>>>> You can use the bash built-in command `command`, instead of `which`, to
>>>> find out if a program exists:
>>>>
>>>> command -v cacertdir_rehash
>>>>
>>>> In other words, just replace `which` with `command -v`; there's no need to
>>>> install any additional packages.
>>>> --
>>>> Regards,
>>>>
>>>> Ana Krivokapic
>>>> Associate Software Engineer
>>>> FreeIPA team
>>>> Red Hat Inc.
>>>
>>> Thanks!
>>>
>>> Updated patch attached.
>>>
>>> --
>>> Tomas Babej
>>> Associate Software Engineer | Red Hat | Identity Management
>>> RHCE | Brno Site | IRC: tbabej | freeipa.org
>>
>> Looks good! Please just amend the commit message to reflect the new content
>> of the patch.
>>
>> --
>> Regards,
>>
>> Ana Krivokapic
>> Associate Software Engineer
>> FreeIPA team
>> Red Hat Inc.
>
> Good catch. Fixed.
>
> --
> Tomas Babej
> Associate Software Engineer | Red Hat | Identity Management
> RHCE | Brno Site | IRC: tbabej | freeipa.org

ACK

--
Regards,

Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.

From pviktori at redhat.com Fri Nov 1 14:39:14 2013
From: pviktori at redhat.com (Petr Viktorin)
Date: Fri, 01 Nov 2013 15:39:14 +0100
Subject: [Freeipa-devel] [PATCH 0128] ipatests: Add integration tests for legacy clients
In-Reply-To: <5273B8CB.9050806@redhat.com>
References: <52738E37.2020905@redhat.com> <5273B8CB.9050806@redhat.com>
Message-ID: <5273BD12.7070901@redhat.com>

On 11/01/2013 03:20 PM, Tomas Babej wrote:
> On 11/01/2013 12:19 PM, Tomas Babej wrote:
>> Hi,
>>
>> This implements the test cases for legacy clients using SSSD, nss-ldap
>> and nss-pam-ldapd.
>>
>> Part of: https://fedorahosted.org/freeipa/ticket/3833

A nitpick:
assert result.returncode == 0

run_command will do this for you (unless you give raiseonerr=False)

--
Petr³

From pviktori at redhat.com Fri Nov 1 14:41:16 2013
From: pviktori at redhat.com (Petr Viktorin)
Date: Fri, 01 Nov 2013 15:41:16 +0100
Subject: [Freeipa-devel] [PATCH 0125] ipatests: Add which package to legacy client advice
In-Reply-To: <5273BBF0.4040001@redhat.com>
References: <52712338.2030509@redhat.com> <52723ABB.9010603@redhat.com> <5273B829.1070907@redhat.com> <5273BA51.8030208@redhat.com> <5273BB20.3090706@redhat.com> <5273BBF0.4040001@redhat.com>
Message-ID: <5273BD8C.3070209@redhat.com>

On 11/01/2013 03:34 PM, Ana Krivokapic wrote:
> On 11/01/2013 03:30 PM, Tomas Babej wrote:
>> On 11/01/2013 03:27 PM, Ana Krivokapic wrote:
>>> On 11/01/2013 03:18 PM, Tomas Babej wrote:
>>>> On 10/31/2013 12:10 PM, Ana Krivokapic wrote:
>>>>> On 10/30/2013 04:18 PM, Tomas Babej wrote:
>>>>>> Hi,
>>>>>>
>>>>>> Adds which package to the requirements, since older distros do not
>>>>>> have it by default.
>>>>>>
>>>>>> Part of: https://fedorahosted.org/freeipa/ticket/3833
>>>>>
>>>>> You can use the bash built-in command `command`, instead of
>>>>> `which`, to find out if a program exists:
>>>>>
>>>>> command -v cacertdir_rehash
>>>>>
>>>>> In other words, just replace `which` with `command -v`; there's no
>>>>> need to install any additional packages.
>>>>> --
>>>>> Regards,
>>>>>
>>>>> Ana Krivokapic
>>>>> Associate Software Engineer
>>>>> FreeIPA team
>>>>> Red Hat Inc.
>>>>
>>>> Thanks!
>>>>
>>>> Updated patch attached.
>>>>
>>>> --
>>>> Tomas Babej
>>>> Associate Software Engineer | Red Hat | Identity Management
>>>> RHCE | Brno Site | IRC: tbabej | freeipa.org
>>>
>>> Looks good! Please just amend the commit message to reflect the new
>>> content of the patch.
>>>
>>> --
>>> Regards,
>>>
>>> Ana Krivokapic
>>> Associate Software Engineer
>>> FreeIPA team
>>> Red Hat Inc.
>>
>> Good catch. Fixed.
>>
>> --
>> Tomas Babej
>> Associate Software Engineer | Red Hat | Identity Management
>> RHCE | Brno Site | IRC: tbabej | freeipa.org
>
> ACK

Pushed to:
master: 00c0878b90f0fbbe33f90cad145fefffdaaaa4aa
ipa-3-3: 33ea1496572aa2f8545b853cc2b3bb4e3d5cc967

--
Petr³

From tbabej at redhat.com Fri Nov 1 14:42:56 2013
From: tbabej at redhat.com (Tomas Babej)
Date: Fri, 01 Nov 2013 15:42:56 +0100
Subject: [Freeipa-devel] [PATCH 0128] ipatests: Add integration tests for legacy clients
In-Reply-To: <5273BD12.7070901@redhat.com>
References: <52738E37.2020905@redhat.com> <5273B8CB.9050806@redhat.com> <5273BD12.7070901@redhat.com>
Message-ID: <5273BDF0.107@redhat.com>

On 11/01/2013 03:39 PM, Petr Viktorin wrote:
> On 11/01/2013 03:20 PM, Tomas Babej wrote:
>> On 11/01/2013 12:19 PM, Tomas Babej wrote:
>>> Hi,
>>>
>>> This implements the test cases for legacy clients using SSSD, nss-ldap
>>> and nss-pam-ldapd.
>>>
>>> Part of: https://fedorahosted.org/freeipa/ticket/3833
>
> A nitpick:
> assert result.returncode == 0
>
> run_command will do this for you (unless you give raiseonerr=False)

Right. Updated patch attached.

--
Tomas Babej
Associate Software Engineer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-tbabej-0128-3-ipatests-Add-integration-tests-for-legacy-clients.patch
Type: text/x-patch
Size: 10116 bytes
Desc: not available

From tbabej at redhat.com Fri Nov 1 15:02:43 2013
From: tbabej at redhat.com (Tomas Babej)
Date: Fri, 01 Nov 2013 16:02:43 +0100
Subject: [Freeipa-devel] [PATCH 0128] ipatests: Add integration tests for legacy clients
In-Reply-To: <5273BDF0.107@redhat.com>
References: <52738E37.2020905@redhat.com> <5273B8CB.9050806@redhat.com> <5273BD12.7070901@redhat.com> <5273BDF0.107@redhat.com>
Message-ID: <5273C293.40001@redhat.com>

On 11/01/2013 03:42 PM, Tomas Babej wrote:
> On 11/01/2013 03:39 PM, Petr Viktorin wrote:
>> On 11/01/2013 03:20 PM, Tomas Babej wrote:
>>> On 11/01/2013 12:19 PM, Tomas Babej wrote:
>>>> Hi,
>>>>
>>>> This implements the test cases for legacy clients using SSSD, nss-ldap
>>>> and nss-pam-ldapd.
>>>>
>>>> Part of: https://fedorahosted.org/freeipa/ticket/3833
>>
>> A nitpick:
>> assert result.returncode == 0
>>
>> run_command will do this for you (unless you give raiseonerr=False)
>
> Right. Updated patch attached.

Updating comments in patches 128 and 129 upon Alexander's request.

--
Tomas Babej
Associate Software Engineer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-tbabej-0129-2-ipatests-test_trust-use-domain-name-instead-of-realm.patch
Type: text/x-patch
Size: 2166 bytes
Desc: not available
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-tbabej-0128-4-ipatests-Add-integration-tests-for-legacy-clients.patch
Type: text/x-patch
Size: 10153 bytes
Desc: not available

From abokovoy at redhat.com Fri Nov 1 15:14:16 2013
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Fri, 1 Nov 2013 17:14:16 +0200
Subject: [Freeipa-devel] [PATCH 0128] ipatests: Add integration tests for legacy clients
In-Reply-To: <5273C293.40001@redhat.com>
References: <52738E37.2020905@redhat.com> <5273B8CB.9050806@redhat.com> <5273BD12.7070901@redhat.com> <5273BDF0.107@redhat.com> <5273C293.40001@redhat.com>
Message-ID: <20131101151416.GX25335@redhat.com>

On Fri, 01 Nov 2013, Tomas Babej wrote:
> On 11/01/2013 03:42 PM, Tomas Babej wrote:
>> On 11/01/2013 03:39 PM, Petr Viktorin wrote:
>>> On 11/01/2013 03:20 PM, Tomas Babej wrote:
>>>> On 11/01/2013 12:19 PM, Tomas Babej wrote:
>>>>> Hi,
>>>>>
>>>>> This implements the test cases for legacy clients using SSSD, nss-ldap
>>>>> and nss-pam-ldapd.
>>>>>
>>>>> Part of: https://fedorahosted.org/freeipa/ticket/3833
>>>
>>> A nitpick:
>>> assert result.returncode == 0
>>>
>>> run_command will do this for you (unless you give raiseonerr=False)
>>
>> Right. Updated patch attached.
>
> Updating comments in patches 128 and 129 upon Alexander's request.

ACK.

--
/ Alexander Bokovoy

From mkosek at redhat.com Fri Nov 1 15:30:02 2013
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 01 Nov 2013 16:30:02 +0100
Subject: [Freeipa-devel] [PATCH 0128] ipatests: Add integration tests for legacy clients
In-Reply-To: <20131101151416.GX25335@redhat.com>
References: <52738E37.2020905@redhat.com> <5273B8CB.9050806@redhat.com> <5273BD12.7070901@redhat.com> <5273BDF0.107@redhat.com> <5273C293.40001@redhat.com> <20131101151416.GX25335@redhat.com>
Message-ID: <5273C8FA.5070202@redhat.com>

On 11/01/2013 04:14 PM, Alexander Bokovoy wrote:
> On Fri, 01 Nov 2013, Tomas Babej wrote:
>
>> On 11/01/2013 03:42 PM, Tomas Babej wrote:
>>> On 11/01/2013 03:39 PM, Petr Viktorin wrote:
>>>> On 11/01/2013 03:20 PM, Tomas Babej wrote:
>>>>> On 11/01/2013 12:19 PM, Tomas Babej wrote:
>>>>>> Hi,
>>>>>>
>>>>>> This implements the test cases for legacy clients using SSSD, nss-ldap
>>>>>> and nss-pam-ldapd.
>>>>>>
>>>>>> Part of: https://fedorahosted.org/freeipa/ticket/3833
>>>>
>>>> A nitpick:
>>>> assert result.returncode == 0
>>>>
>>>> run_command will do this for you (unless you give raiseonerr=False)
>>>
>>> Right. Updated patch attached.
>>
>> Updating comments in patches 128 and 129 upon Alexander's request.
> ACK.

Pushed 128 and 129 to master, ipa-3-3.

Martin

From mkosek at redhat.com Fri Nov 1 19:16:19 2013
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 01 Nov 2013 20:16:19 +0100
Subject: [Freeipa-devel] Announcing FreeIPA 3.3.3
Message-ID: <5273FE03.30007@redhat.com>

The FreeIPA team is proud to announce FreeIPA v3.3.3!

It can be downloaded from http://www.freeipa.org/page/Downloads. Fedora 19 and
Fedora 20 builds are already on their way to the updates-testing repo.

== Highlights in 3.3.3 ==

=== Enhancements ===
* New ipa-advise plugins for configuring legacy clients via nss-pam-ldapd
* New ipa-advise plugins for configuring legacy clients via nss_ldap
* FreeIPA server can now co-exist with mod_ssl serving other non-443 ports

=== Bug fixes ===
* ipa-replica-install no longer crashes when being installed with CA support
* winsync reinitialization no longer prints an error
* Samba configuration added by ipa-adtrust-install is now properly removed
* Administrative password changes (e.g. by Directory Manager) now respect the
  maximum password life defined in the password policy
* nsds5ReplicaStripAttrs is now properly set on replication agreements,
  avoiding potential replication issues
* ... and numerous other small fixes

=== Test improvements ===
* New integration test for external CA installation
* New integration tests for the AD Trust legacy clients feature
* Numerous small fixes in the test framework and beaker integration

=== Deprecated functionality ===
* DNS can no longer be configured with the --no-serial-autoincrement option.
  Serial autoincrement is a requirement for several main DNS features,
  including zone transfers and future DNSSEC support
* LanMan hash is no longer supported or generated. The LanMan hash has several
  security weaknesses allowing an attacker to crack it in a reasonable time.
  As such, the LanMan hash was already not allowed in a default configuration
  and had to be explicitly enabled.

== Upgrading ==

An IPA server can be upgraded simply by installing updated rpms. The server
does not need to be shut down in advance.

=== Upgrading old FreeIPA servers with CA ===

Upgrades of FreeIPA servers with a CA installed prior to 3.1 require a manual
migration procedure.

Please note that if you are doing the upgrade in a special environment
(e.g. FedUp) which does not allow running the LDAP server during the upgrade
process, the upgrade scripts need to be run manually after the first boot:

# ipa-upgradeconfig
# ipa-ldap-updater --upgrade

Also note that the performance improvements require an extended set of indexes
to be configured. An RPM update for an IPA server with an excessive number of
users may require several minutes to finish.

If you have multiple servers you may upgrade them one at a time. It is expected
that all servers will be upgraded in a relatively short period (days or weeks,
not months). They should be able to co-exist peacefully, but new features will
not be available on old servers, and enrolling a new client against an old
server will result in the SSH keys not being uploaded.

Downgrading a server once upgraded is not supported.

Upgrading from 2.2.0 and later versions is supported. Upgrading from previous
versions is not supported and has not been tested.

An enrolled client does not need the new packages installed unless you want to
re-enroll it. SSH keys for already installed clients are not uploaded; you will
have to re-enroll the client or manually upload the keys.

== Feedback ==

Please provide comments, bugs and other feedback via the freeipa-users mailing
list (http://www.redhat.com/mailman/listinfo/freeipa-users) or the #freeipa
channel on Freenode.

== Detailed Changelog since 3.3.2 ==

=== Ana Krivokapic (4): ===
* Add ipa-advise plugins for nss-pam-ldapd legacy clients
* Do not roll back failed client installation on server
* Make sure nsds5ReplicaStripAttrs is set on agreements
* Add test for external CA installation

=== Jakub Hrozek (1): ===
* trusts: combine filters with AND to make sure only the intended domain matches

=== Jan Cholasta (1): ===
* Track DS certificate with certmonger on replicas.

=== Martin Kosek (14): ===
* Do not allow '%' in DM password
* Remove --no-serial-autoincrement
* PKI installation on replica failing due to missing proxy conf
* Use consistent realm name in cainstance and dsinstance
* Winsync re-initialize should not run memberOf fixup task
* Installer should always wait until CA starts up
* Administrative password change does not respect password policy
* Do not add kadmin/changepw ACIs on new installs
* Make set_directive and get_directive more strict
* Remove mod_ssl conflict
* Add nsswitch.conf to FILES section of ipa-client-install man page
* Remove ipa-pwd-extop and ipa-enrollment duplicate error strings
* Remove deprecated AllowLMhash config
* Become IPA 3.3.3

=== Petr Viktorin (6): ===
* test_caless.TestCertInstall: Fix 'test_no_ds_password' test case
* Use new CLI options in certinstall tests
* test_simple_replication: Fix waiting for replication
* freeipa.spec: Fix changelog dates
* Tests: mkdir_recursive: Don't fail when top-level directory doesn't exist
* beakerlib plugin: Don't try to submit logs if they are missing

=== Petr Vobornik (1): ===
* Fix password expiration notification

=== Sumit Bose (3): ===
* Use the right attribute with ipapwd_entry_checks for MagicRegen
* Remove AllowLMhash from the allowed IPA config strings
* Remove generation and handling of LM hashes

=== Tomas Babej (23): ===
* trusts: Do not create ranges for subdomains in case of POSIX trust
* ipa-upgradeconfig: Remove backed up smb.conf
* ipa-adtrust-install: Add warning that we will break existing samba configuration
* adtrustinstance: Properly handle uninstall of AD trust instance
* adtrustinstance: Move attribute definitions from setup to init method
* ipatests: Extend the order plugin to properly handle inheritance
* Get the created range type in case of re-establishing trust
* ipatests: Add Active Directory support to configuration
* ipatests: Extend domain object with 'ad' role support and WinHosts
* ipatests: Extend IntegrationTest with multiple AD domain support
* ipatests: Create util module for ipatests
* ipatests: Add WinHost class
* ipatests: Add AD-integration related tasks
* ipatests: Add AD integration test case
* trusts: Fix typo in error message for realm-domain mismatch
* advice: Add legacy client configuration script using nss-ldap
* ipatests: Extend clear_sssd_cache to support non-systemd platforms
* ipatests: Restore SELinux context after restoring files from backup
* ipatests: Do not use /usr/bin hardcoded paths
* ipatests: Add support for extra roles referenced by a keyword
* ipatests: Use command -v instead of which in legacy client advice
* ipatests: Add integration tests for legacy clients
* ipatests: test_trust: use domain name instead of realm for user lookups

From alee at redhat.com Sun Nov 3 18:53:10 2013
From: alee at redhat.com (Ade Lee)
Date: Sun, 03 Nov 2013 13:53:10 -0500
Subject: [Freeipa-devel] Announcing the release of Dogtag 10.0.6
Message-ID: <1383504790.7216.52.camel@aleeredhat.laptop>

The Dogtag team is proud to announce the sixth errata build for Dogtag 10.0.

Builds are available for Fedora 18 and Fedora 19 in the updates-testing
repositories. Please try them out and provide karma to move them to the F18
and F19 stable repositories. Karma can be provided at
https://admin.fedoraproject.org/updates for each package.

== Build Versions ==

pki-core-10.0.6-1
pki-ra-10.0.6-1
pki-tps-10.0.6-1
dogtag-pki-10.0.6-1
dogtag-pki-theme-10.0.6-1
pki-console-10.0.6-1

== Highlights since Dogtag 10.0.5 ==

* Some commands in the pki CLI have been renamed for better consistency. The
  old commands will continue to work, but they have now been deprecated, and
  will be displayed accordingly in the usage and man pages. The commands that
  have been renamed are (old command -> new command):
  * client-find-cert -> client-cert-find
  * client-import-cert -> client-cert-import
  * client-remove-cert -> client-cert-del
  * group-add-member -> group-member-add
  * group-find-member -> group-member-find
  * group-show-member -> group-member-show
  * group-remove-member -> group-member-remove
  * user-add-cert -> user-cert-add
  * user-find-cert -> user-cert-find
  * user-show-cert -> user-cert-show
  * user-remove-cert -> user-cert-del
  * user-add-membership -> user-membership-add
  * user-find-membership -> user-membership-find
  * user-show-membership -> user-membership-show
  * user-remove-membership -> user-membership-del
* The upgrade scripts have been modified to back up the files used to track
  the upgrade process. For instance-specific upgrade scripts, this is CS.cfg.
* A missing jar link to apache-commons-io prevented IPA replica installs from
  completing successfully on RHEL 7. The required link has been added.
  (BZ 1024679)
* Due to a bug in the configuration code, when installing a non-cloned CA, the
  certificate for the admin user configured during the install was signed with
  SHA1 by default. With the fix, the admin cert is signed with SHA256 by
  default. It is possible to override this setting by changing values in the
  caAdminCert.cfg profile prior to configuration. (BZ 1024445)
* ipa-cert-remove-hold used to return a server error. The error handling code
  for this servlet has been modified to return the correct error message.
  (BZ 999722)
* java-abrt crashes were being generated during IPA server installs due to
  exceptions being thrown during tomcat shutdown. This was due to the shutdown
  code being called multiple times internally. This code has been fixed.
  (BZ 1018268)

== Detailed Changes since Dogtag 10.0.5 ==

alee (3):
#743 fix tmpfiles.d references in spec files to reference /run/lock instead of /var/lock
#776 IPA CA replica installation crashes on pkispawn (bz 1024679)
#781 Admin cert signed with SHA1, should be SHA256 (bz 1024445)

edewata (5):
#779 Renaming Dogtag 10.0 pki commands
#763 Backup tracker files during upgrade
#775 Fix errors during tomcat shutdown (BZ 1018628)
#739 ipa-cert-remove-hold returns server error (BZ 999722)
#780 Unable to get user principal in servlet

From pviktori at redhat.com Mon Nov 4 11:00:06 2013
From: pviktori at redhat.com (Petr Viktorin)
Date: Mon, 04 Nov 2013 12:00:06 +0100
Subject: [Freeipa-devel] [PATCH] 0315 Fix debug output in integration test
Message-ID: <52777E36.7010500@redhat.com>

Recent ipaldap refactoring broke the simple_replication test; here is a fix.

Pushed as a one-liner to master: 1f6880c59059496f5002111cd0b5f16cc51961db

--
Petr³

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0315-Fix-debug-output-in-integration-test.patch
Type: text/x-patch
Size: 976 bytes
Desc: not available

From pviktori at redhat.com Mon Nov 4 13:49:23 2013
From: pviktori at redhat.com (Petr Viktorin)
Date: Mon, 04 Nov 2013 14:49:23 +0100
Subject: [Freeipa-devel] [RFE] Anonymous and All permissions
Message-ID: <5277A5E3.8050901@redhat.com>

Hello,

During discussions about fine-grained read ACIs [0], it became clear that we
need to grant permissions to "all authenticated" and "all, even anonymous" users.

Here is a design document for the feature:
http://www.freeipa.org/page/V3/Anonymous_and_All_permissions

[0] http://www.redhat.com/archives/freeipa-devel/2013-October/msg00050.html

--
Petr³

From abokovoy at redhat.com Mon Nov 4 15:24:09 2013
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Mon, 4 Nov 2013 17:24:09 +0200
Subject: [Freeipa-devel] [PATCH] 0126 Guard ipa-server-install from missing trusts support
Message-ID: <20131104152409.GB25335@redhat.com>

Hi!

Attached patch is needed to cover the case when freeipa-server-trust-ad
package is not installed since FreeIPA 3.3.3 does now import
adtrustinstance to handle ipa-server-install --uninstall.

We need to issue a package update to all releases where FreeIPA 3.3.3
packages are available.

--
/ Alexander Bokovoy

-------------- next part --------------
>From 52b021a16cbafc17eb48092bae81976242c53422 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy
Date: Mon, 4 Nov 2013 17:15:23 +0200
Subject: [PATCH] Guard import of adtrustinstance for case without trusts

https://fedorahosted.org/freeipa/ticket/4011
---
 install/tools/ipa-server-install | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index b3dcf6d..458ebba 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -40,7 +40,12 @@ import pwd import textwrap from optparse import OptionGroup, OptionValueError -from ipaserver.install import adtrustinstance +try: + from ipaserver.install import adtrustinstance + _server_trust_ad_installed = True +except ImportError: + _server_trust_ad_installed = False + from ipaserver.install import dsinstance from ipaserver.install import krbinstance from ipaserver.install import bindinstance @@ -493,7 +498,8 @@ def uninstall(): httpinstance.HTTPInstance(fstore).uninstall() krbinstance.KrbInstance(fstore).uninstall() dsinstance.DsInstance(fstore=fstore).uninstall() - adtrustinstance.ADTRUSTInstance(fstore).uninstall() + if _server_trust_ad_installed: + adtrustinstance.ADTRUSTInstance(fstore).uninstall() memcacheinstance.MemcacheInstance().uninstall() otpdinstance.OtpdInstance().uninstall() ipaservices.restore_network_configuration(fstore, sstore) -- 1.8.3.1 From mkosek at redhat.com Mon Nov 4 15:33:55 2013 From: mkosek at redhat.com (Martin Kosek) Date: Mon, 04 Nov 2013 16:33:55 +0100 Subject: [Freeipa-devel] [RFE] Anonymous and All permissions In-Reply-To: <5277A5E3.8050901@redhat.com> References: <5277A5E3.8050901@redhat.com> Message-ID: <5277BE63.1000707@redhat.com> On 11/04/2013 02:49 PM, Petr Viktorin wrote: > Hello, > > During discussions about fine-grained read ACIs [0], it became clear that we > need to grant permissions to "all authenticated" and "all, even anonymous" users. > > Here is a design document for the feature: > http://www.freeipa.org/page/V3/Anonymous_and_All_permissions > > > [0] http://www.redhat.com/archives/freeipa-devel/2013-October/msg00050.html > Looks good to me. Pretty much reflects what were talking about in person. Kudos for also writing the Test Cases. I am just thinking we may also want to do some "functional" tests and e.g. add an anonymous permission to read some hidden attribute and then to try to read it with anonymous LDAP search. Martin From mkosek at redhat.com Mon Nov 4 15:44:42 2013 
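Review bot: in the @@ -40,7 +40,12 @@ hunk, the bare `except ImportError:` catches more than the case the commit message describes. It also fires when `ipaserver.install.adtrustinstance` is present but one of its own imports fails; in that case `_server_trust_ad_installed` is silently set to False and the trust instance is later skipped on uninstall, so a broken trust installation becomes indistinguishable from an absent freeipa-server-trust-ad package. Consider checking the ImportError's message for the adtrustinstance module name and re-raising otherwise, or at least logging which branch was taken.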
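Review bot: in the @@ -493,7 +498,8 @@ hunk, `adtrustinstance.ADTRUSTInstance(fstore).uninstall()` is skipped without any message when `_server_trust_ad_installed` is false. If a trust was configured earlier and the freeipa-server-trust-ad package was removed afterwards, its configuration stays behind with nothing in the uninstall output to say so; an `else:` branch that logs a warning naming the skipped step would make this visible. The 3.3.3 announcement earlier in this archive lists leftover Samba configuration on uninstall as a bug that was just fixed, so this path deserves a visible message.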
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 04 Nov 2013 16:44:42 +0100
Subject: [Freeipa-devel] [PATCH] 0126 Guard ipa-server-install from missing trusts support
In-Reply-To: <20131104152409.GB25335@redhat.com>
References: <20131104152409.GB25335@redhat.com>
Message-ID: <5277C0EA.9040200@redhat.com>

On 11/04/2013 04:24 PM, Alexander Bokovoy wrote:
> Hi!
>
> Attached patch is needed to cover the case when freeipa-server-trust-ad
> package is not installed since FreeIPA 3.3.3 does now import
> adtrustinstance to handle ipa-server-install --uninstall.
>
> We need to issue a package update to all releases where FreeIPA 3.3.3
> packages are available.

ACK. Pushed to master, ipa-3-3.

I will fire new Fedora 19 and Fedora 20 builds with this patch included.

Martin

From pviktori at redhat.com Mon Nov 4 15:48:08 2013
From: pviktori at redhat.com (Petr Viktorin)
Date: Mon, 04 Nov 2013 16:48:08 +0100
Subject: [Freeipa-devel] [PATCHES] 0289-0302 Managed Read permissions
In-Reply-To: <526532AD.6050909@redhat.com>
References: <524A8E59.8010605@redhat.com> <524BDBBA.6060506@redhat.com> <1135777364.287904.1380712053236.JavaMail.root@redhat.com> <524C02C8.9030300@redhat.com> <524D49FB.1040801@redhat.com> <52614590.8020105@redhat.com> <526532AD.6050909@redhat.com>
Message-ID: <5277C1B8.6010600@redhat.com>

On 10/21/2013 03:57 PM, Martin Kosek wrote:
> On 10/18/2013 04:28 PM, Petr Viktorin wrote:
[...]
>>
>> Alright, I'm crafting an updated design page with the above in mind. Here are
>> the main differences.
>>
>> New permissions won't (necessarily) be in $SUFFIX, so old IPA servers will not
>> be able to modify them.
>> Extra attribute types needed in addition to ipaPerm*Attributes would be:
>> - ipaPermBindType (anonymous/any authenticated user/normal permission)
>> - ipaPermDN (container DN where the ACI is stored)
>>
>> And objectclasses to group them:
>>
>> 'ipaPermissionV2' SUP ipaPermission AUXILIARY MUST ( ipaPermBindType $ ipaPermDN )
>> 'ipaManagedPermission' SUP ipaPermissionV2 AUXILIARY MAY ( ipaPermDefaultAttrs
>> $ ipaPermAllowedAttrs $ ipaPermExcludedAttrs )
>>
>> As for 'ipaPermissionV2', all non-SYSTEM permissions should be updated to it.
>> Maybe a better name is needed.
>>
>> Another idea I had is to store all variable parts of the ACI in the permission
>> entry. This would mean we'd not need to parse ACIs to read, search, or update
>> them, which should make these operations faster and the code could be simplified.
>> Doing this would require these new attribute types:
>> - ipaPermRight (add, update, read, delete, etc.)
>> - ipaPermObjectType
>> - ipaPermMemberof
>> - ipaPermFilter
>> - ipaPermSubtree
>> - ipaPermTargetgroup
>>
>> Would that make sense?

The more I think about this, the more I want to go this way after all.

> It partially makes sense - it would speed up permission-find commands. However,
> it would also duplicate information and set it in 2 places. Which smells like
> a bucket of potential bugs to me.

True. However, this has to be weighed against the status quo.
The current code is complicated. Converting ACIs to dicts and back, calling IPA
commands from within IPA commands, incorrect error handling, entry_attrs vs.
options in callbacks -- all these details come together to make the code very
hard to change, or even verify it works as it should. I fear that a bucket of
real bugs is already hiding in the code, and that incremental changes are bound
to create more.

> What if somebody changes ipaPermObjectType, but ACI update fails or is
> interrupted for some reason? It would create inconsistency between permission
> entry and the ACI itself. Which should prevail?

Obviously the DS would only take the ACI into consideration.
Conceptually the permission would prevail, the ACI would be rewritten the next
time the permission is updated.
This is an error state, comparable to e.g. an UPG not being created for a user,
or the memberOf plugin failing to update membership info.
(In an ideal world the ACI updates would be done in a DS plugin that can
leverage transactions.)

The existing implementation has this problem with renames - if a permission is
renamed but the ACI is for some reason not updated, an old ACI will stay behind,
and it will be pretty hard to find.
(We should have an audit tool that checks out-of-sync ACIs -- it would be
helpful even if the status quo stays.)

> Unless permission-find performance is not a problem (yet?), I would not add
> these new attributes and only add ipaPermDN as this information is required.

Performance is only part of the problem. Code simplicity is another -- simple
code usually has fewer bugs, and is easier to work on/review, etc.

> I am thinking if we need to add a special objectClass for this new attribute,
> it could be added as MAY to ipaPermission, along with ipaPermDefaultAttrs,
> ipaPermAllowedAttrs, ipaPermExcludedAttrs. When the DN is not there, it would
> simply default to SUFFIX DN.

Sounds right. I'll think about the schema more in the context of designing a
backwards compatibility story.

--
Petr³

From mkosek at redhat.com Mon Nov 4 15:55:48 2013
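As an added example for this thread (not FreeIPA code), a sketch of the audit tool mentioned above: it renders the ACI a permission entry should produce from the proposed ipaPerm* attributes, compares it with what is stored under the entry's ipaPermDN container (defaulting to the suffix, as suggested), and reports permissions whose ACI is missing, differs, or was left behind by a rename. The attribute-to-ACI mapping, the ipaPermAttributes name, the suffix and all entries are assumptions constructed for the example.

```python
import re

SUFFIX = "dc=example,dc=test"                 # constructed suffix
PERM_CONTAINER = "cn=permissions,cn=pbac," + SUFFIX

# Assumed mapping of ipaPermBindType to 389 DS bind rules ("permission" uses groupdn below).
BIND_RULES = {
    "anonymous": 'userdn = "ldap:///anyone"',
    "all": 'userdn = "ldap:///all"',
}
ACL_NAME_RE = re.compile(r'acl\s+"permission:([^"]+)"')


def normalize(aci):
    """Collapse whitespace so cosmetic differences do not count as drift."""
    return re.sub(r"\s+", " ", aci.strip())


def acl_name(aci):
    """Permission name recorded in the ACI's acl clause, or None."""
    match = ACL_NAME_RE.search(aci)
    return match.group(1) if match else None


def render_aci(perm):
    """ACI text a permission entry is expected to produce (assumed mapping;
    ipaPermAttributes, the effective attribute list, is an assumed name)."""
    clauses = []
    if perm.get("ipaPermAttributes"):
        clauses.append('(targetattr = "%s")'
                       % " || ".join(sorted(perm["ipaPermAttributes"])))
    if perm.get("ipaPermSubtree"):
        clauses.append('(target = "ldap:///%s")' % perm["ipaPermSubtree"])
    if perm.get("ipaPermFilter"):
        clauses.append('(targetfilter = "%s")' % perm["ipaPermFilter"])
    bind = BIND_RULES.get(perm.get("ipaPermBindType", "permission"))
    if bind is None:
        bind = 'groupdn = "ldap:///cn=%s,%s"' % (perm["cn"], PERM_CONTAINER)
    clauses.append('(version 3.0;acl "permission:%s";allow (%s) %s;)'
                   % (perm["cn"], ",".join(sorted(perm["ipaPermRight"])), bind))
    return "".join(clauses)


def audit(perms, stored):
    """Compare permission entries with the ACIs actually stored in the DS.

    stored is {container DN: [aci values]}.  Returns {name: "ok" | "missing"
    | "differs" | "orphan"}; "orphan" is an ACI whose permission no longer
    exists, e.g. one left behind by a rename."""
    known = set(p["cn"] for p in perms)
    findings = {}
    for perm in perms:
        # ipaPermDN names the container; without it, default to the suffix.
        container = perm.get("ipaPermDN", SUFFIX)
        expected = normalize(render_aci(perm))
        candidates = [normalize(a) for a in stored.get(container, ())
                      if acl_name(a) == perm["cn"]]
        if not candidates:
            findings[perm["cn"]] = "missing"
        elif expected in candidates:
            findings[perm["cn"]] = "ok"
        else:
            findings[perm["cn"]] = "differs"
    for acis in stored.values():
        for aci in acis:
            name = acl_name(aci)
            if name is not None and name not in known:
                findings[name] = "orphan"
    return findings


# Constructed sample: three permission entries after a partial update.
SAMPLE_PERMS = [
    {"cn": "Read User Names", "ipaPermBindType": "all",
     "ipaPermRight": ["read", "search", "compare"],
     "ipaPermAttributes": ["uid", "cn"],
     "ipaPermSubtree": "cn=users,cn=accounts," + SUFFIX},
    {"cn": "Anonymous Read Host Names", "ipaPermBindType": "anonymous",
     "ipaPermRight": ["read", "search", "compare"],
     "ipaPermAttributes": ["fqdn"],
     "ipaPermDN": "cn=computers,cn=accounts," + SUFFIX,
     "ipaPermSubtree": "cn=computers,cn=accounts," + SUFFIX},
    {"cn": "Modify Group Membership", "ipaPermBindType": "permission",
     "ipaPermRight": ["write"], "ipaPermAttributes": ["member"],
     "ipaPermSubtree": "cn=groups,cn=accounts," + SUFFIX},
]

# Constructed sample of what the DS holds: the second permission was renamed
# from "Read Host Names" without its ACI following, and the third had its
# right changed from read to write while the ACI rewrite failed.
SAMPLE_STORED = {
    SUFFIX: [render_aci(SAMPLE_PERMS[0]),
             render_aci(dict(SAMPLE_PERMS[2], ipaPermRight=["read"]))],
    "cn=computers,cn=accounts," + SUFFIX: [
        render_aci(dict(SAMPLE_PERMS[1], cn="Read Host Names"))],
}

if __name__ == "__main__":
    for name, status in sorted(audit(SAMPLE_PERMS, SAMPLE_STORED).items()):
        print("%-28s %s" % (name, status))
```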
From: mkosek at redhat.com (Martin Kosek) Date: Mon, 04 Nov 2013 16:55:48 +0100 Subject: [Freeipa-devel] [PATCHES] 0289-0302 Managed Read permissions In-Reply-To: <5277C1B8.6010600@redhat.com> References: <524A8E59.8010605@redhat.com> <524BDBBA.6060506@redhat.com> <1135777364.287904.1380712053236.JavaMail.root@redhat.com> <524C02C8.9030300@redhat.com> <524D49FB.1040801@redhat.com> <52614590.8020105@redhat.com> <526532AD.6050909@redhat.com> <5277C1B8.6010600@redhat.com> Message-ID: <5277C384.4020607@redhat.com> On 11/04/2013 04:48 PM, Petr Viktorin wrote: > On 10/21/2013 03:57 PM, Martin Kosek wrote: >> On 10/18/2013 04:28 PM, Petr Viktorin wrote: > [...] >>> >>> Alright, I'm crafting an updated design page with the above in mind. Here are >>> the main differences. >>> >>> >>> New permissions won't (necessarily) be in $SUFFIX, so old IPA servers will not >>> be able to modify them. >>> Extra attribute types needed in addition to ipaPerm*Attributes would be: >>> - ipaPermBindType (anonymous/any authenticated user/normal permission) >>> - ipaPermDN (container DN where the ACI is stored) >>> >>> And objectclasses to group them: >>> >>> 'ipaPermissionV2' SUP ipaPermission AUXILIARY MUST ( ipaPermBindType $ >>> ipaPermDN ) >>> 'ipaManagedPermission' SUP ipaPermissionV2 AUXILIARY MAY ( ipaPermDefaultAttrs >>> $ ipaPermAllowedAttrs $ ipaPermExcludedAttrs ) >>> >>> As for 'ipaPermissionV2', all non-SYSTEM permissions should be updated to it. >>> Maybe a better name is needed. >>> >>> >>> Another idea I had is to store all variable parts of the ACI in the permission >>> entry. This would mean we'd not need to parse ACIs to read, search, or update >>> them, which should make these operations faster and the code could be >>> simplified. >>> Doing this would require these new attribute types: >>> - ipaPermRight (add, update, read, delete, etc.) 
>>> - ipaPermObjectType >>> - ipaPermMemberof >>> - ipaPermFilter >>> - ipaPermSubtree >>> - ipaPermTargetgroup >>> >>> Would that make sense? > > The more I think about this, the more I want to go this way after all. > >> It partially makes sense - it would speed up permission-find commands. However, >> it would also duplicate information and sets it in 2 places. Which smells like >> a bucket of potential bugs to me. > > True. However, this has to be weighed against the status quo. > The current code is complicated. Converting ACIs to dicts and back, calling IPA > commands from within IPA commands, incorrect error handling, entry_attrs vs. > options in callbacks -- all these details come together to make the code very > hard to change, or even verify it works as it should. I fear that a bucket of > real bugs is already hiding in the code, and that incremental changes are bound > to create more. > >> What if somebody changes ipaPermObjectType, but ACI update fails or is >> interrupted for some reason? It would create inconsistency between permission >> entry and the ACI itself. Which should prevail? > > Obviously the DS would only take the ACI into consideration. > Conceptually the permission would prevail, the ACI would be rewritten the next > time the permission is updated. > This is an error state, comparable to e.g. an UPG not being created for a user, > or the memberOf plugin failing to update membership info. > (In an ideal world the ACI updates would be done in a DS plugin that can > leverage transactions.) > > The existing implementation has this problem with renames - if a permission is > renamed by the ACI is for some reason not updated, an old ACI will stay behind, > and it will be pretty hard to find. > (We should have an audit tool that checks out-of-sync ACIs -- it would be > helpful even if the status quo stays.) 
>
>> Unless permission-find performance is not a problem (yet?), I would not add
>> these new attributes and only add ipaPermDN as this information is required.
>
> Performance is only part of the problem. Code simplicity is another -- simple
> code usually has less bugs, and is easier to work on/review, etc.

Makes sense to me, please continue investigating this way then. The audit tool may indeed be very useful, if an admin wants to check that ACIs did not get out of sync.

Martin

From pviktori at redhat.com Mon Nov 4 16:07:39 2013
From: pviktori at redhat.com (Petr Viktorin)
Date: Mon, 04 Nov 2013 17:07:39 +0100
Subject: [Freeipa-devel] [RFE] Anonymous and All permissions
In-Reply-To: <5277BE63.1000707@redhat.com>
References: <5277A5E3.8050901@redhat.com> <5277BE63.1000707@redhat.com>
Message-ID: <5277C64B.1080204@redhat.com>

On 11/04/2013 04:33 PM, Martin Kosek wrote:
> On 11/04/2013 02:49 PM, Petr Viktorin wrote:
>> Hello,
>>
>> During discussions about fine-grained read ACIs [0], it became clear that we
>> need to grant permissions to "all authenticated" and "all, even anonymous" users.
>>
>> Here is a design document for the feature:
>> http://www.freeipa.org/page/V3/Anonymous_and_All_permissions
>>
>>
>> [0] http://www.redhat.com/archives/freeipa-devel/2013-October/msg00050.html
>>
>
> Looks good to me. Pretty much reflects what we were talking about in person.
>
> Kudos for also writing the Test Cases. I am just thinking we may also want to
> do some "functional" tests and e.g. add an anonymous permission to read some
> hidden attribute and then to try to read it with anonymous LDAP search.

I'll have some functional tests in the upcoming read permissions design.

--
Petr³

From mbasti at redhat.com Tue Nov 5 09:34:34 2013
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 05 Nov 2013 10:34:34 +0100
Subject: [Freeipa-devel] [PATCHES] 0019-0020 Broken Firefox configuration files in freeipa-client package
Message-ID: <1383644074.2457.3.camel@unused-4-145.brq.redhat.com>

ipa-client-install now allows configuring Firefox using the --configure-firefox option and optionally the --firefox-dir=INSTALL_DIR option.
Old configuration files were removed.

Patches attached.

Ticket: https://fedorahosted.org/freeipa/ticket/3821

--
Martin^2 Basti

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0019-ipa-client-install-Added-options-to-configure-firefo.patch
Type: text/x-patch
Size: 11784 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0020-Removed-old-firefox-configuration-scripts.patch
Type: text/x-patch
Size: 10719 bytes
Desc: not available
URL:

From thozza at redhat.com Tue Nov 5 11:29:44 2013
From: thozza at redhat.com (Tomas Hozza)
Date: Tue, 5 Nov 2013 06:29:44 -0500 (EST)
Subject: [Freeipa-devel] [PATCH 0202-0203] Improve performance of initial LDAP synchronization
	Detect end of initial LDAP synchronization phase
In-Reply-To: <5273AD7D.5020402@redhat.com>
References: <5273AD7D.5020402@redhat.com>
Message-ID: <1939839260.12480070.1383650984710.JavaMail.root@redhat.com>

----- Original Message -----
> Hello,
>
> Improve performance of initial LDAP synchronization.
>
> Changes are not journaled and SOA serial is not incremented during initial
> LDAP synchronization.
>
> This eliminates unnecessary synchronous writes to journal and also
> unnecessary SOA serial writes to LDAP.
>
> See commit messages and comments in syncrepl.c for all the gory details.

ACK. Patches look good. AXFR and IXFR work as expected. Also BIND starts up much faster with these patches.

Good job... :)

Regards,
Tomas

From pviktori at redhat.com Tue Nov 5 12:57:16 2013
From: pviktori at redhat.com (Petr Viktorin) Date: Tue, 05 Nov 2013 13:57:16 +0100 Subject: [Freeipa-devel] [PATCHES] 106-113 Access raw LDAP values directly from LDAPEntry In-Reply-To: <526FD17E.7020607@redhat.com> References: <512E26E1.5010302@redhat.com> <52419527.70200@redhat.com> <524426F5.6010006@redhat.com> <525544A3.6080807@redhat.com> <52565B09.2090909@redhat.com> <525BB27C.1000507@redhat.com> <525EBB0D.9040003@redhat.com> <526FAB52.5080300@redhat.com> <526FD17E.7020607@redhat.com> Message-ID: <5278EB2C.3080502@redhat.com> On 10/29/2013 04:17 PM, Petr Viktorin wrote: > On 10/29/2013 01:34 PM, Jan Cholasta wrote: >> On 16.10.2013 18:13, Petr Viktorin wrote: >>> On 10/14/2013 10:59 AM, Jan Cholasta wrote: >>>> On 10.10.2013 09:45, Jan Cholasta wrote: >>>>> On 9.10.2013 13:57, Petr Viktorin wrote: > [...] >>>>>> 109. Decode and encode attribute values in LDAPEntry on demand. >>>>>> >>>>>> The syncing looks rather over-engineered to me. >>>>>> Did you consider a custom MutableSequence for the values? >>>>>> I think it would be much cleaner in the end than merging two sets of >>>>>> changes together. >>>>> >>>>> I'm not entirely happy about it either, but it works. I did consider a >>>>> custom sequence type, but I didn't feel like it was the right time to >>>>> this kind of change in this patchset. >>>>> >>>>> Unlike the (DN, dict) -> LDAPEntry >>>>> transition, this change won't be backward compatible and there is a >>>>> lot >>>>> of isinstance(value, list) and entry[attr] = list() kind of things in >>>>> the framework code. >>> >>> That's what I was afraid of. >>> >>> We could live with `isinstance(value, list)`; hopefully we could get rid >>> of `type(value) == list` that is the real problem. >>> With `entry[attr] = list()` we could convert automatically. >>> >>> But OK, let's settle for a worse solution in the meantime. >>> >>> >>> To be frank I don't particularly like the LDAPEntryView. 
>>> While the dict-like interface is great, there isn't a case for storing a
>>> Raw view long-term, i.e. you'd always want to do something like
>>>     values = entry.raw[x]
>>>     ...
>>>     entry.raw[x] = new_values
>>> rather than
>>>     raw = entry.raw
>>>     values = raw[x]
>>>     ...
>>>     raw[x] = new_values
>>> The latter is confusing because LDAPEntryView and RawLDAPEntryView are
>>> two classes that have exactly the same interface, but do something
>>> different. In a duck-typed world that's a recipe for disaster.
>>> I think it would be better if the view implemented just the dict
>>> protocol, and not `conn`, `dn`, `nice`, `raw`, etc.
>>> The code would also be much simpler without the elaborate view class
>>> hierarchy.
>>>
>>> If you don't agree then at least don't make `raw` available on raw views
>>> and `nice` on nice views; the programmer *always* needs to know which
>>> version they're working with so these aren't necessary.
>>
>> I agree. Most of the attributes are leftovers from a previous
>> implementation, which didn't work very well. I should have removed them
>> a long time ago. Thanks for pointing this out!
>>
>> Updated the views to provide only the dict interface, removed "nice" and
>> "multi_value" properties and also removed "single_value" from the raw
>> view.
>
> Looks much better now. Hopefully _sync_attr can disappear one day.
>
>>>>>> I think it would also help (in the future?) to make the value lists
>>>>>> more
>>>>>> set-like, since the order doesn't matter.
>>>>>
>>>>> +1
>>>>>
>>>>> Honza
>>>>>
>>>>
>>>> Updated patches attached.
>>>>
>>>
>>> 110.
>>> It can't hurt to have this in for now.
>>>
>>> 111 - 121 look great!
>
> 106 - 121: ACK
>
>>> 169.
>>> For reasons I said before I'd prefer if single_value stayed a simple
>>> function.
>>
>> IMO a view better matches its semantics, plus I changed the code, so I
>> would like to keep it a view, if you don't mind.
>
> OK, ACK to that one as well, but I'd rather wait a few weeks (until 3.3
> churn dies out) before pushing it, since it could complicate backporting
> patches.
>

Pushed 169 to master: df5f4ee81d1aff1122dd92ab1b56eb335294c3a7

--
Petr³

From pviktori at redhat.com Tue Nov 5 13:00:54 2013
From: pviktori at redhat.com (Petr Viktorin)
Date: Tue, 05 Nov 2013 14:00:54 +0100
Subject: [Freeipa-devel] Summary of ipaldap changes in master
Message-ID: <5278EC06.4070402@redhat.com>

Hello,
In master (IPA 3.4), an ipaldap entry's `single_value` is now a dict-like object, rather than a function:

    entry = ldap.get_entry(dn)
    print 'Hello, %s!' % entry.single_value['cn']
    entry.single_value['wasGreeted'] = True

Additionally, there is now a `raw` dict-like view that bypasses IPA's type conversions. This should be useful if you are working with unknown schema (e.g. AD).

    entry.raw['someBooleanValue'] = ['TRUE']

Happy hacking!

--
Petr³

From pviktori at redhat.com Tue Nov 5 13:02:44 2013
From: pviktori at redhat.com (Petr Viktorin)
Date: Tue, 05 Nov 2013 14:02:44 +0100
Subject: [Freeipa-devel] [PATCH] 0316 Remove unused utf8_encode_value functions
Message-ID: <5278EC74.9010407@redhat.com>

Honza's recent LDAP refactoring left some unused helper functions around. This patch removes them.

--
Petr³

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0316-Remove-unused-utf8_encode_value-functions.patch
Type: text/x-patch
Size: 1145 bytes
Desc: not available
URL:

From mbasti at redhat.com Tue Nov 5 16:13:23 2013
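The ipaldap summary above describes the interface by example only. The following is an added toy model of that interface (written for this page, not FreeIPA's ipaldap code): a dict-like entry whose `single_value` view returns exactly one converted value and refuses multi-valued attributes, and whose `raw` view exposes the stored bytes with no type conversion, which is what you want when the schema is unknown. The `SCHEMA` table, the `Entry`/`RawView`/`SingleValueView` names and the sample entry are constructed for the example; real ipaldap takes its conversions from the server schema, and the page's Python 2 snippets use text where this Python 3 version uses bytes for raw values.

```python
from collections.abc import MutableMapping

# Constructed schema: lower-cased attribute name -> Python type used by the
# converting view. Real ipaldap takes this from the server schema; anything
# not listed is passed through as text.
SCHEMA = {'wasgreeted': bool, 'uidnumber': int}


def _to_raw(value):
    """Encode one converted value back to LDAP wire form (bytes)."""
    if isinstance(value, bool):  # test bool before int: bool is an int subclass
        return b'TRUE' if value else b'FALSE'
    if isinstance(value, int):
        return str(value).encode('utf-8')
    if isinstance(value, str):
        return value.encode('utf-8')
    return bytes(value)


def _from_raw(attr, raw):
    """Decode one wire value per SCHEMA; unknown attributes stay text."""
    kind = SCHEMA.get(attr.lower())
    text = raw.decode('utf-8')
    if kind is bool:
        return text.upper() == 'TRUE'
    if kind is int:
        return int(text)
    return text


class _View(MutableMapping):
    """Shared plumbing: every view iterates over the same attribute set."""
    def __init__(self, backing):
        self._backing = backing
    def __iter__(self):
        return iter(self._backing)
    def __len__(self):
        return len(self._backing)
    def __delitem__(self, attr):
        del self._backing[attr.lower()]


class RawView(_View):
    """entry.raw: the stored byte values, no type conversion at all."""
    def __getitem__(self, attr):
        return self._backing[attr.lower()]
    def __setitem__(self, attr, values):
        self._backing[attr.lower()] = [bytes(v) for v in values]


class SingleValueView(_View):
    """entry.single_value: exactly one converted value per attribute; reading
    a multi-valued attribute is an error, not a silent first-value pick."""
    def __getitem__(self, attr):
        values = self._backing[attr]
        if len(values) != 1:
            raise ValueError('%s has %d values, expected one' % (attr, len(values)))
        return values[0]
    def __setitem__(self, attr, value):
        self._backing[attr] = [value]


class Entry(MutableMapping):
    """Dict-like entry: entry[attr] is a list of converted values; the .raw and
    .single_value views share the same underlying storage."""
    def __init__(self, dn, raw_attrs=None):
        self.dn = dn
        self._raw = {k.lower(): [bytes(v) for v in vals]
                     for k, vals in (raw_attrs or {}).items()}
        self.raw = RawView(self._raw)
        self.single_value = SingleValueView(self)
    def __getitem__(self, attr):
        return [_from_raw(attr, v) for v in self._raw[attr.lower()]]
    def __setitem__(self, attr, values):
        self._raw[attr.lower()] = [_to_raw(v) for v in values]
    def __delitem__(self, attr):
        del self._raw[attr.lower()]
    def __iter__(self):
        return iter(self._raw)
    def __len__(self):
        return len(self._raw)


def demo():
    """Replay the statements from the summary on a constructed entry."""
    entry = Entry('uid=alice,cn=users,dc=example,dc=test',
                  {'cn': [b'Alice'], 'uidNumber': [b'1001'],
                   'mail': [b'alice@example.test', b'a@example.test']})
    greeting = 'Hello, %s!' % entry.single_value['cn']
    entry.single_value['wasGreeted'] = True      # stored as b'TRUE'
    entry.raw['someBooleanValue'] = [b'TRUE']    # unknown schema, left alone
    return greeting, entry.raw['wasGreeted'], entry['uidNumber'], entry['someBooleanValue']
```

Reading `entry.single_value['mail']` on the sample entry raises `ValueError`, which is the point of the view: code that assumes an attribute is single-valued finds out at once instead of silently acting on whichever value the server returned first.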
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 05 Nov 2013 17:13:23 +0100
Subject: [Freeipa-devel] Internationalized domain names in freeIPA
Message-ID: <1383668003.8056.8.camel@unused-4-145.brq.redhat.com>

Hi list,

I'm working on ticket: https://fedorahosted.org/freeipa/ticket/3169
UTF-8 DNS names will be converted to punycode ASCII string and stored

But there is a question, how to show DNS names to user (in UI or dnsrecord-show/find):
* show them in punycode
* convert them to UTF-8 and show
* both ways
* add options to show them in UTF-8

I'll be thankful for your opinion.

--
Martin^2 Basti

From jdennis at redhat.com Tue Nov 5 16:53:38 2013
From: jdennis at redhat.com (John Dennis)
Date: Tue, 05 Nov 2013 11:53:38 -0500
Subject: [Freeipa-devel] Internationalized domain names in freeIPA
In-Reply-To: <1383668003.8056.8.camel@unused-4-145.brq.redhat.com>
References: <1383668003.8056.8.camel@unused-4-145.brq.redhat.com>
Message-ID: <52792292.4030505@redhat.com>

On 11/05/2013 11:13 AM, Martin Basti wrote:
> Hi list,
>
> I'm working on ticket: https://fedorahosted.org/freeipa/ticket/3169
> UTF-8 DNS names will be converted to punycode ASCII string and stored
>
> But there is a question, how to show DNS names to user (in UI or
> dnsrecord-show/find):
> * show them in punycode
> * convert them to UTF-8 and show
> * both ways
> * add options to show them in UTF-8
>
> I'll be thankful for your opinion.
>

We have a rule that all strings use UCS and that UCS be interchanged by encoding UCS text in UTF-8. Therefore it seems to me the only time punycode should ever exist is when it's necessary to encode/decode punycode for dns operations. Since punycode is a standard Python codec this should be trivial, you just need to determine where you do the encode/decode (perhaps also validating user input can be successfully encoded).

--
John

From pviktori at redhat.com Tue Nov 5 17:04:13 2013
From: pviktori at redhat.com (Petr Viktorin) Date: Tue, 05 Nov 2013 18:04:13 +0100 Subject: [Freeipa-devel] Internationalized domain names in freeIPA In-Reply-To: <52792292.4030505@redhat.com> References: <1383668003.8056.8.camel@unused-4-145.brq.redhat.com> <52792292.4030505@redhat.com> Message-ID: <5279250D.9060006@redhat.com> On 11/05/2013 05:53 PM, John Dennis wrote: > On 11/05/2013 11:13 AM, Martin Basti wrote: >> Hi list, >> >> I'm working on ticket: https://fedorahosted.org/freeipa/ticket/3169 >> UTF-8 DNS names will be converted to punycode ASCII string and stored >> >> But there is a question, how to show DNS names to user (in UI or >> dnsrecord-show/find): >> * show them in punycode >> * convert them to UTF-8 and show >> * both ways >> * add options to show them in UTF-8 >> >> I'll be thankful for your opinion. >> > > We have a rule that all strings use UCS and that UCS be interchanged by > encoding UCS text in UTF-8. Therefore it seems to me the only time > punycode should ever exist is when it's necessary to encode/decode > punycode for dns operations. Since punycode is a standard Python codec > this should be trivial, you just need to determine where you do the > encode/decode (perhaps also validating user input can be successfully > encoded). In LDAP the values need to be in punycode, so bind-dyndb-ldap can process them. IMO all layers above that -- API, CLI, WebUI -- should use Unicode, except with the `--raw` flag. -- Petr? From jdennis at redhat.com Tue Nov 5 17:08:33 2013 
From: jdennis at redhat.com (John Dennis) Date: Tue, 05 Nov 2013 12:08:33 -0500 Subject: [Freeipa-devel] Internationalized domain names in freeIPA In-Reply-To: <5279250D.9060006@redhat.com> References: <1383668003.8056.8.camel@unused-4-145.brq.redhat.com> <52792292.4030505@redhat.com> <5279250D.9060006@redhat.com> Message-ID: <52792611.2010001@redhat.com> On 11/05/2013 12:04 PM, Petr Viktorin wrote: > On 11/05/2013 05:53 PM, John Dennis wrote: >> On 11/05/2013 11:13 AM, Martin Basti wrote: >>> Hi list, >>> >>> I'm working on ticket: https://fedorahosted.org/freeipa/ticket/3169 >>> UTF-8 DNS names will be converted to punycode ASCII string and stored >>> >>> But there is a question, how to show DNS names to user (in UI or >>> dnsrecord-show/find): >>> * show them in punycode >>> * convert them to UTF-8 and show >>> * both ways >>> * add options to show them in UTF-8 >>> >>> I'll be thankful for your opinion. >>> >> >> We have a rule that all strings use UCS and that UCS be interchanged by >> encoding UCS text in UTF-8. Therefore it seems to me the only time >> punycode should ever exist is when it's necessary to encode/decode >> punycode for dns operations. Since punycode is a standard Python codec >> this should be trivial, you just need to determine where you do the >> encode/decode (perhaps also validating user input can be successfully >> encoded). > > In LDAP the values need to be in punycode, so bind-dyndb-ldap can > process them. This suggests the LDAP type conversion is the right location for encode/decode. > > IMO all layers above that -- API, CLI, WebUI -- should use Unicode, > except with the `--raw` flag. > -- John From akrivoka at redhat.com Tue Nov 5 17:44:01 2013 
From: akrivoka at redhat.com (Ana Krivokapic) Date: Tue, 05 Nov 2013 18:44:01 +0100 Subject: [Freeipa-devel] [PATCH] 0082 Use EXTERNAL auth mechanism in ldapmodify Message-ID: <52792E61.2070209@redhat.com> Hello, This patch addresses ticket https://fedorahosted.org/freeipa/ticket/3895. -- Regards, Ana Krivokapic Associate Software Engineer FreeIPA team Red Hat Inc. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-akrivoka-0082-Use-EXTERNAL-auth-mechanism-in-ldapmodify.patch Type: text/x-patch Size: 2607 bytes Desc: not available URL: From mkosek at redhat.com Tue Nov 5 18:22:16 2013 From: mkosek at redhat.com (Martin Kosek) Date: Tue, 05 Nov 2013 19:22:16 +0100 Subject: [Freeipa-devel] [PATCH] 439 Allow kernel keyring CCACHE when supported Message-ID: <52793758.9020407@redhat.com> Server and client installer should allow kernel keyring ccache when supported. https://fedorahosted.org/freeipa/ticket/4013 -- Martin Kosek Supervisor, Software Engineering - Identity Management Team Red Hat Inc. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mkosek-439-allow-kernel-keyring-ccache-when-supported.patch Type: text/x-patch Size: 4611 bytes Desc: not available URL: From mkosek at redhat.com Wed Nov 6 09:19:32 2013 
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 06 Nov 2013 10:19:32 +0100
Subject: [Freeipa-devel] [PATCH] 440 Server does not detect different server and IPA domain
Message-ID: <527A09A4.50306@redhat.com>

Server installer does not properly recognize a situation when server fqdn is not in a subdomain of the IPA domain, but shares the same suffix. For example, if server FQDN is ipa-idm.example.com and domain is idm.example.com, server's FQDN is not in the main domain, but installer does not recognize that. Proper Kerberos realm-domain mapping is not created in this case and server does not work (httpd reports gssapi errors).

https://fedorahosted.org/freeipa/ticket/4012

--
Martin Kosek
Supervisor, Software Engineering - Identity Management Team
Red Hat Inc.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-440-server-does-not-detect-different-server-and-ipa-doma.patch
Type: text/x-patch
Size: 2507 bytes
Desc: not available
URL:

From pviktori at redhat.com Wed Nov 6 12:28:14 2013
From: pviktori at redhat.com (Petr Viktorin)
Date: Wed, 06 Nov 2013 13:28:14 +0100
Subject: [Freeipa-devel] [PATCH] 0317 Improve LDAPEntry.__repr__ for freshly created entries
Message-ID: <527A35DE.1080405@redhat.com>

Hello Honza,
This is a simple enough patch, but I'd like you to check if it's consistent with your vision of the framework.

--
Petr³

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0317-Improve-LDAPEntry.__repr__-for-freshly-created-entri.patch
Type: text/x-patch
Size: 1012 bytes
Desc: not available
URL:

From akrivoka at redhat.com Wed Nov 6 12:34:52 2013
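The bug class behind patch 440 above, shown as an added example (this is not the patch's code, which is not on this page): a plain string-suffix test accepts ipa-idm.example.com as part of idm.example.com, while a test that respects label boundaries does not. The function names and the wording of the returned message are constructed for illustration; the host and domain names are the ones from the mail.

```python
def naive_suffix_check(fqdn, domain):
    """The faulty test described above: a plain string-suffix comparison.
    It accepts 'ipa-idm.example.com' for domain 'idm.example.com' because
    the domain string happens to be a suffix of the host string."""
    return fqdn.lower().rstrip('.').endswith(domain.lower().rstrip('.'))


def fqdn_in_domain(fqdn, domain):
    """True only if fqdn equals the domain or lies below it on a label
    boundary: fqdn == domain, or fqdn ends with '.' + domain.
    Trailing dots and letter case are irrelevant in DNS and are ignored."""
    f = fqdn.lower().rstrip('.')
    d = domain.lower().rstrip('.')
    return f == d or f.endswith('.' + d)


def check_server_domain(fqdn, domain):
    """Installer-style check (constructed wording, not the installer's own):
    return None when the server name is inside the IPA domain, otherwise a
    message saying why the Kerberos realm-domain mapping would not cover it."""
    if not fqdn_in_domain(fqdn, domain):
        return ('server FQDN %s is not within IPA domain %s; the Kerberos '
                'realm-domain mapping for %s would not cover this host'
                % (fqdn, domain, domain))
    return None
```

The same label-boundary rule applies anywhere a host is matched against a domain (certificate name checks, realm mapping, cookie scopes); an `endswith` on the bare string is the recurring mistake.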
From: akrivoka at redhat.com (Ana Krivokapic) Date: Wed, 06 Nov 2013 13:34:52 +0100 Subject: [Freeipa-devel] [PATCH] 0083 Remove internaldb pasword from password.conf Message-ID: <527A376C.40006@redhat.com> Hello, This patch addresses ticket https://fedorahosted.org/freeipa/ticket/4005. -- Regards, Ana Krivokapic Associate Software Engineer FreeIPA team Red Hat Inc. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-akrivoka-0083-Remove-internaldb-pasword-from-password.conf.patch Type: text/x-patch Size: 1227 bytes Desc: not available URL: From mkosek at redhat.com Wed Nov 6 12:37:42 2013 From: mkosek at redhat.com (Martin Kosek) Date: Wed, 06 Nov 2013 13:37:42 +0100 Subject: [Freeipa-devel] [PATCH] 0125 Trusts documentation update In-Reply-To: <20131017104544.GF25335@redhat.com> References: <20131016153132.GB25335@redhat.com> <20131017103151.GA3517@localhost.localdomain> <20131017104544.GF25335@redhat.com> Message-ID: <527A3816.301@redhat.com> On 10/17/2013 12:45 PM, Alexander Bokovoy wrote: > On Thu, 17 Oct 2013, Sumit Bose wrote: > >> On Wed, Oct 16, 2013 at 06:31:32PM +0300, Alexander Bokovoy wrote: >>> Hi! >>> >>> Attached is first update to AD trusts documentation for FreeIPA user >>> guide. I've fixed number of outdated statements and added some more >>> material. >>> >>> More patches will follow to cover functionality up to FreeIPA 3.3.2. >> >> The new content looks good, I only found a few minor issues, see below. > Thanks! > > I've fixed mentioned issues. New patch is attached. This patch got left behind. ACK, pushed to master. Martin From akrivoka at redhat.com Wed Nov 6 12:41:16 2013 
From: akrivoka at redhat.com (Ana Krivokapic)
Date: Wed, 06 Nov 2013 13:41:16 +0100
Subject: [Freeipa-devel] [PATCH] 0083 Remove internaldb pasword from password.conf
In-Reply-To: <527A376C.40006@redhat.com>
References: <527A376C.40006@redhat.com>
Message-ID: <527A38EC.4090603@redhat.com>

On 11/06/2013 01:34 PM, Ana Krivokapic wrote:
> Hello,
>
> This patch addresses ticket https://fedorahosted.org/freeipa/ticket/4005.
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

And now, with correct spelling in the commit message...

--
Regards,
Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-akrivoka-0083-Remove-internaldb-pasword-from-password.conf.patch
Type: text/x-patch
Size: 1229 bytes
Desc: not available
URL:

From akrivoka at redhat.com Wed Nov 6 13:20:46 2013
From: akrivoka at redhat.com (Ana Krivokapic)
Date: Wed, 06 Nov 2013 14:20:46 +0100
Subject: [Freeipa-devel] [PATCH] 0316 Remove unused utf8_encode_value functions
In-Reply-To: <5278EC74.9010407@redhat.com>
References: <5278EC74.9010407@redhat.com>
Message-ID: <527A422E.7070007@redhat.com>

On 11/05/2013 02:02 PM, Petr Viktorin wrote:
> Honza's recent LDAP refactoring left some unused helper functions around. This
> patch removes them.

ACK

--
Regards,
Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.

From mbasti at redhat.com Thu Nov 7 08:41:17 2013
From: mbasti at redhat.com (Martin Basti) Date: Thu, 07 Nov 2013 09:41:17 +0100 Subject: [Freeipa-devel] Internationalized domain names in freeIPA In-Reply-To: <5279250D.9060006@redhat.com> References: <1383668003.8056.8.camel@unused-4-145.brq.redhat.com> <52792292.4030505@redhat.com> <5279250D.9060006@redhat.com> Message-ID: <1383813677.16060.1.camel@unused-4-145.brq.redhat.com> On Tue, 2013-11-05 at 18:04 +0100, Petr Viktorin wrote: > On 11/05/2013 05:53 PM, John Dennis wrote: > > On 11/05/2013 11:13 AM, Martin Basti wrote: > >> Hi list, > >> > >> I'm working on ticket: https://fedorahosted.org/freeipa/ticket/3169 > >> UTF-8 DNS names will be converted to punycode ASCII string and stored > >> > >> But there is a question, how to show DNS names to user (in UI or > >> dnsrecord-show/find): > >> * show them in punycode > >> * convert them to UTF-8 and show > >> * both ways > >> * add options to show them in UTF-8 > >> > >> I'll be thankful for your opinion. > >> > > > > We have a rule that all strings use UCS and that UCS be interchanged by > > encoding UCS text in UTF-8. Therefore it seems to me the only time > > punycode should ever exist is when it's necessary to encode/decode > > punycode for dns operations. Since punycode is a standard Python codec > > this should be trivial, you just need to determine where you do the > > encode/decode (perhaps also validating user input can be successfully > > encoded). > > In LDAP the values need to be in punycode, so bind-dyndb-ldap can > process them. > > IMO all layers above that -- API, CLI, WebUI -- should use Unicode, > except with the `--raw` flag. > Thanks for your opinions. I will do that as Petr wrote. -- Martin^2 Basti From pviktori at redhat.com Thu Nov 7 11:45:11 2013 
From: pviktori at redhat.com (Petr Viktorin)
Date: Thu, 07 Nov 2013 12:45:11 +0100
Subject: [Freeipa-devel] [RFE] Permissions V2
Message-ID: <527B7D47.8030806@redhat.com>

Hello,
I'm splitting up ACI work into several designs to make it more manageable.

This one is about
- Moving ACIs out of $SUFFIX
- Storing all ACI data in the permission entry
- Permission flag system for ensuring backwards compatibility

Summary of the backcompat story:
- Attributes, rights, etc. of new permissions may not be modified or read on old servers (not possible since the ACIs aren't in $SUFFIX)
- Old permissions convert to new ones when they're modified on a new server
- Any server can assign (or remove) both old and new permissions to privileges

There is a bit of shuffling in API/CLI option names, since the API option name needs to match the LDAP attributeTypes.

The WIP design document is here: http://www.freeipa.org/page/V3/Permissions_V2

--
Petr³

From pviktori at redhat.com Thu Nov 7 12:59:40 2013
From: pviktori at redhat.com (Petr Viktorin)
Date: Thu, 07 Nov 2013 13:59:40 +0100
Subject: [Freeipa-devel] Internationalized domain names in freeIPA
In-Reply-To: <52792611.2010001@redhat.com>
References: <1383668003.8056.8.camel@unused-4-145.brq.redhat.com> <52792292.4030505@redhat.com> <5279250D.9060006@redhat.com> <52792611.2010001@redhat.com>
Message-ID: <527B8EBC.3060101@redhat.com>

On 11/05/2013 06:08 PM, John Dennis wrote:
> On 11/05/2013 12:04 PM, Petr Viktorin wrote:
>> On 11/05/2013 05:53 PM, John Dennis wrote:
>>> On 11/05/2013 11:13 AM, Martin Basti wrote:
>>>> Hi list,
>>>>
>>>> I'm working on ticket: https://fedorahosted.org/freeipa/ticket/3169
>>>> UTF-8 DNS names will be converted to punycode ASCII string and stored
>>>>
>>>> But there is a question, how to show DNS names to user (in UI or
>>>> dnsrecord-show/find):
>>>> * show them in punycode
>>>> * convert them to UTF-8 and show
>>>> * both ways
>>>> * add options to show them in UTF-8
>>>>
>>>> I'll be thankful for your opinion.
>>>>
>>>
>>> We have a rule that all strings use UCS and that UCS be interchanged by
>>> encoding UCS text in UTF-8. Therefore it seems to me the only time
>>> punycode should ever exist is when it's necessary to encode/decode
>>> punycode for dns operations. Since punycode is a standard Python codec
>>> this should be trivial, you just need to determine where you do the
>>> encode/decode (perhaps also validating user input can be successfully
>>> encoded).
>>
>> In LDAP the values need to be in punycode, so bind-dyndb-ldap can
>> process them.
>
> This suggests the LDAP type conversion is the right location for
> encode/decode.
>
>> IMO all layers above that -- API, CLI, WebUI -- should use Unicode,
>> except with the `--raw` flag.

The reason for this is that UTF-8 isn't as canonical a representation of Punycode as, say, a DN object for DNs or a bool for boolean values. Admins might reasonably want to see the raw value.
Also, these values end up in DNs; I fear converting them at the LDAP wrapper level could open a can of worms. Do we have resources to give this the testing it needs?

I think converting them in the DNS plugin is the way to go.

--
Petr³

From mkosek at redhat.com Thu Nov 7 13:14:13 2013
From: mkosek at redhat.com (Martin Kosek) Date: Thu, 07 Nov 2013 14:14:13 +0100 Subject: [Freeipa-devel] Internationalized domain names in freeIPA In-Reply-To: <527B8EBC.3060101@redhat.com> References: <1383668003.8056.8.camel@unused-4-145.brq.redhat.com> <52792292.4030505@redhat.com> <5279250D.9060006@redhat.com> <52792611.2010001@redhat.com> <527B8EBC.3060101@redhat.com> Message-ID: <527B9225.5040309@redhat.com> On 11/07/2013 01:59 PM, Petr Viktorin wrote: > On 11/05/2013 06:08 PM, John Dennis wrote: >> On 11/05/2013 12:04 PM, Petr Viktorin wrote: >>> On 11/05/2013 05:53 PM, John Dennis wrote: >>>> On 11/05/2013 11:13 AM, Martin Basti wrote: >>>>> Hi list, >>>>> >>>>> I'm working on ticket: https://fedorahosted.org/freeipa/ticket/3169 >>>>> UTF-8 DNS names will be converted to punycode ASCII string and stored >>>>> >>>>> But there is a question, how to show DNS names to user (in UI or >>>>> dnsrecord-show/find): >>>>> * show them in punycode >>>>> * convert them to UTF-8 and show >>>>> * both ways >>>>> * add options to show them in UTF-8 >>>>> >>>>> I'll be thankful for your opinion. >>>>> >>>> >>>> We have a rule that all strings use UCS and that UCS be interchanged by >>>> encoding UCS text in UTF-8. Therefore it seems to me the only time >>>> punycode should ever exist is when it's necessary to encode/decode >>>> punycode for dns operations. Since punycode is a standard Python codec >>>> this should be trivial, you just need to determine where you do the >>>> encode/decode (perhaps also validating user input can be successfully >>>> encoded). >>> >>> In LDAP the values need to be in punycode, so bind-dyndb-ldap can >>> process them. >> >> This suggests the LDAP type conversion is the right location for >> encode/decode. >> >>> IMO all layers above that -- API, CLI, WebUI -- should use Unicode, >>> except with the `--raw` flag. 
>
> The reason for this is that UTF-8 isn't as canonical a representation of
> Punycode as, say, a DN object for DNs or a bool for boolean values. Admins
> might reasonably want to see the raw value.
>
> Also, these values end up in DNs; I fear converting them at the LDAP wrapper
> level could open a can of worms. Do we have resources to give this the testing
> it needs?
>
> I think converting them in the DNS plugin is the way to go.
>

Just to clarify the terms here: DNS plugin === dns.py plugin in FreeIPA, not bind-dyndb-ldap.

Martin

From akrivoka at redhat.com Thu Nov 7 13:34:30 2013
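The layering the IDN thread above settles on (punycode in LDAP for bind-dyndb-ldap, Unicode everywhere above it, the stored form only under `--raw`, and user input validated as encodable before it is stored) as an added Python 3 example. This is written for this page and is not FreeIPA's dns.py code; it uses the standard `punycode` codec John mentions, together with the `xn--` ACE prefix, and deliberately leaves out IDNA nameprep/normalisation, so it illustrates the conversion point rather than replacing an IDNA library. The function names and the domain names in the comments and tests are constructed.

```python
ACE_PREFIX = 'xn--'
MAX_LABEL = 63  # the DNS label limit applies to the encoded (stored) form


def to_ace(name):
    """Unicode DNS name -> ASCII-compatible form for LDAP, label by label.
    This is the validation step the thread suggests: a name that cannot be
    stored in DNS raises ValueError instead of being written to LDAP."""
    trailing_dot = name.endswith('.')
    labels = []
    for label in name.rstrip('.').split('.'):
        if not label:
            raise ValueError('empty label in %r' % name)
        try:
            label.encode('ascii')
            ace = label                        # already ASCII, store as-is
        except UnicodeEncodeError:
            # Case is not significant in DNS; fold before encoding so the same
            # name always yields the same stored value.
            ace = ACE_PREFIX + label.lower().encode('punycode').decode('ascii')
        if len(ace) > MAX_LABEL:
            raise ValueError('label %r exceeds %d octets after encoding'
                             % (ace, MAX_LABEL))
        labels.append(ace)
    return '.'.join(labels) + ('.' if trailing_dot else '')


def to_unicode(name):
    """ACE name as stored in LDAP -> Unicode for the API/CLI/UI layer.
    A malformed xn-- label is shown as stored rather than dropped, so a bad
    value in the directory stays visible to the admin."""
    trailing_dot = name.endswith('.')
    labels = []
    for label in name.rstrip('.').split('.'):
        if label.lower().startswith(ACE_PREFIX):
            try:
                label = label[len(ACE_PREFIX):].encode('ascii').decode('punycode')
            except (UnicodeError, ValueError):
                pass
        labels.append(label)
    return '.'.join(labels) + ('.' if trailing_dot else '')


def for_display(stored, raw=False):
    """What dnsrecord-show would print: Unicode by default, the stored
    punycode form when the --raw flag is given."""
    return stored if raw else to_unicode(stored)
```

Keeping both directions in one place, at the plugin boundary Petr argues for, means the LDAP wrapper never sees Unicode DNS names and the UI never sees punycode unless asked for it.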
From: akrivoka at redhat.com (Ana Krivokapic)
Date: Thu, 07 Nov 2013 14:34:30 +0100
Subject: [Freeipa-devel] [PATCHES] 0258-0265 Add schema updater based on IPA schema files
In-Reply-To: <5273BA04.9040703@redhat.com>
References: <51FA7645.6090702@redhat.com> <523340D5.4090505@redhat.com> <5273BA04.9040703@redhat.com>
Message-ID: <527B96E6.9060702@redhat.com>

On 11/01/2013 03:26 PM, Petr Viktorin wrote:
> On 09/13/2013 06:44 PM, Petr Viktorin wrote:
>> On 08/01/2013 04:52 PM, Petr Viktorin wrote:
>>> Hello,
>>> With these patches, schema updates will be based on the ldif files we
>>> use for installation.
>>>
>>> https://fedorahosted.org/freeipa/ticket/3454
>>>
>>> This is a RFE, here is the design doc:
>>> http://www.freeipa.org/page/V3/Improved_schema_updater
>>>
>>
>> I found and filed a bug in python-ldap[0]: it sometimes ignores parts of
>> schema LDIFs when parsing them.
>> Patch 0275 works around the bug. Please apply on top of 0258-0265 (they
>> still apply cleanly).
>>
>>
>> [0] https://bugzilla.redhat.com/show_bug.cgi?id=1007820
>>
>
> The recent ipaldap patches resulted in a small conflict. Attaching rebased
> patches.

I have tested the patches and overall they seem to work fine. Some questions/comments are below.

Patch 258:
You catch `ldap.LOCAL_ERROR` in the `connect()` function, which is called from `__init__()`, so no need to catch it again in `__init__()`.

Patch 259: ACK

Patch 260:
> # Usually the modlist order does not matter.
> # However, for schema updates, we want 'attributetypes' before
> # 'objectclasses'.
> # A simple sort will ensure this.
> modlist.sort()

Since `modlist` is a list of tuples, it is sorted by the first elements in the tuples, then by the second elements, etc.
Which means the resulting list will be sorted by the modification type first (`MOD_ADD`, `MOD_DELETE`, etc), and by `attributetypes`/`objectclasses` second. Was this the desired effect? Patch 261: Man page updates look good, but several options in the man page have 3 dashes in the long form instead of 2. I have attached a mini-patch that fixes this along with a couple of typos in the man page. Feel free to squash it to your patch 261. Patch 262: Whitespace warnings. In `60-trusts.update` there are still some `replace:attributeTypes:` lines. Can those be removed safely? Patch 263: + if not force_replace: + modlist.append((ldap.MOD_DELETE, key, removes)) + elif new_values == []: # delete an empty value + modlist.append((ldap.MOD_DELETE, key, removes)) can be combined into one: + if not force_replace or not new_values: + modlist.append((ldap.MOD_DELETE, key, removes)) Patch 264: ACK Patch 265: ACK Patch 275: ACK -- Regards, Ana Krivokapic Associate Software Engineer FreeIPA team Red Hat Inc. -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-ipa-ldap-updater-man-page-fixes.patch Type: text/x-patch Size: 2938 bytes Desc: not available URL: From akrivoka at redhat.com Thu Nov 7 16:25:50 2013 From: akrivoka at redhat.com (Ana Krivokapic) Date: Thu, 07 Nov 2013 17:25:50 +0100 Subject: [Freeipa-devel] [PATCH] 0084 Make sure state of services is preserved after client uninstall Message-ID: <527BBF0E.6070902@redhat.com> Hello, This patch addresses ticket https://fedorahosted.org/freeipa/ticket/3790. -- Regards, Ana Krivokapic Associate Software Engineer FreeIPA team Red Hat Inc. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-akrivoka-0084-Make-sure-state-of-services-is-preserved-after-clien.patch Type: text/x-patch Size: 4828 bytes Desc: not available URL: From npmccallum at redhat.com Thu Nov 7 18:48:10 2013 
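Review bot: in the Patch 263 fragment, the proposed single condition `if not force_replace or not new_values:` is only equivalent to the original `elif new_values == []:` branch when new_values is always a list: `not new_values` is also true for None, an empty tuple or an empty string, so a None coming from a caller would now emit a MOD_DELETE that the original code did not. Worth confirming that new_values is always a list at that point, or keeping the `== []` comparison in the combined line.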
From: npmccallum at redhat.com (Nathaniel McCallum) Date: Thu, 07 Nov 2013 13:48:10 -0500 Subject: [Freeipa-devel] [PATCH 0015] Add support for managing user auth types In-Reply-To: <5252C3A4.3070408@redhat.com> References: <1378353865.19352.9.camel@localhost> <522DCE8B.9040009@redhat.com> <1379533870.1629.5.camel@localhost> <52403FC4.6070807@redhat.com> <1380142275.2046.2.camel@localhost> <5252C3A4.3070408@redhat.com> Message-ID: <1383850090.21178.2.camel@localhost.localdomain> On Mon, 2013-10-07 at 16:22 +0200, Petr Viktorin wrote: > Sorry for the delay. > > > On 09/25/2013 10:51 PM, Nathaniel McCallum wrote: > > On Mon, 2013-09-23 at 15:19 +0200, Petr Viktorin wrote: > >> Great, we're getting close! > >> > [...] > >> There's another test failure when trying to rename a manager user. I > >> didn't investigate in detail why that happens. > > > > Does the failure happen without the patch? > > No. It seems the added objectclasses attribute conflicts with renaming a > user who's a manager. > > > Is this just a standard make check? > > It's the standard make test; specifically: > ./make-test ipatests/test_xmlrpc/test_user_plugin.py > It should pass on a newly installed server, with `make` being run in > advance. Make sure to have ~/.ipa/default.conf set up. Fixed. Nathaniel -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-npmccallum-0015-5-Add-support-for-managing-user-auth-types.patch Type: text/x-patch Size: 11334 bytes Desc: not available URL: From pviktori at redhat.com Fri Nov 8 09:13:49 2013 
From: pviktori at redhat.com (Petr Viktorin) Date: Fri, 08 Nov 2013 10:13:49 +0100 Subject: [Freeipa-devel] Internationalized domain names in freeIPA In-Reply-To: <527B9225.5040309@redhat.com> References: <1383668003.8056.8.camel@unused-4-145.brq.redhat.com> <52792292.4030505@redhat.com> <5279250D.9060006@redhat.com> <52792611.2010001@redhat.com> <527B8EBC.3060101@redhat.com> <527B9225.5040309@redhat.com> Message-ID: <527CAB4D.60509@redhat.com> On 11/07/2013 02:14 PM, Martin Kosek wrote: > On 11/07/2013 01:59 PM, Petr Viktorin wrote: >> On 11/05/2013 06:08 PM, John Dennis wrote: >>> On 11/05/2013 12:04 PM, Petr Viktorin wrote: >>>> On 11/05/2013 05:53 PM, John Dennis wrote: >>>>> On 11/05/2013 11:13 AM, Martin Basti wrote: >>>>>> Hi list, >>>>>> >>>>>> I'm working on ticket: https://fedorahosted.org/freeipa/ticket/3169 >>>>>> UTF-8 DNS names will be converted to punycode ASCII string and stored >>>>>> >>>>>> But there is a question, how to show DNS names to user (in UI or >>>>>> dnsrecord-show/find): >>>>>> * show them in punycode >>>>>> * convert them to UTF-8 and show >>>>>> * both ways >>>>>> * add options to show them in UTF-8 >>>>>> >>>>>> I'll be thankful for your opinion. >>>>>> >>>>> >>>>> We have a rule that all strings use UCS and that UCS be interchanged by >>>>> encoding UCS text in UTF-8. Therefore it seems to me the only time >>>>> punycode should ever exist is when it's necessary to encode/decode >>>>> punycode for dns operations. Since punycode is a standard Python codec >>>>> this should be trivial, you just need to determine where you do the >>>>> encode/decode (perhaps also validating user input can be successfully >>>>> encoded). >>>> >>>> In LDAP the values need to be in punycode, so bind-dyndb-ldap can >>>> process them. >>> >>> This suggests the LDAP type conversion is the right location for >>> encode/decode. >>> >>>> IMO all layers above that -- API, CLI, WebUI -- should use Unicode, >>>> except with the `--raw` flag. 
>> >> The reason for this is that UTF-8 isn't as canonical a representation of >> Punycode as, say, a DN object for DNs or a bool for boolean values. Admins >> might reasonably want to see the raw value. >> >> Also, these values end up in DNs; I fear converting them at the LDAP wrapper >> level could open a can of worms. Do we have resources to give this the testing >> it needs? >> >> I think converting them in the DNS plugin is the way to go. >> > > Just to clarify the terms here: DNS plugin === dns.py plugin in FreeIPA, not > bind-dyndb-ldap. dns.py; sorry for the confusion. -- Petr³ From mkosek at redhat.com Fri Nov 8 09:18:55 2013 
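The encode/decode split the thread settles on (Unicode everywhere above LDAP, punycode in LDAP, the stored value untouched with `--raw`) in runnable form. This is an added example written for this page, not FreeIPA's dns.py; the function names and the sample names are mine, and only the standard-library `idna` codec is used.

```python
# Added example (not FreeIPA code): Unicode <-> punycode conversion for DNS names
# with Python's standard 'idna' codec. Function names and sample names are this
# example's own.


def to_wire(name):
    """Unicode DNS name -> ASCII form to store in LDAP and hand to DNS.

    The 'idna' codec runs nameprep on every non-ASCII label (case folding,
    normalisation) and emits it as xn--<punycode>; pure-ASCII labels pass
    through unchanged. It raises UnicodeError for labels that are empty, longer
    than 63 octets or contain prohibited characters, which is exactly what
    input validation wants to hear about.
    """
    return name.encode("idna").decode("ascii")


def to_display(stored, raw=False):
    """ASCII name read from LDAP -> what API/CLI/UI should show.

    raw=True returns the stored value untouched (the --raw behaviour discussed
    above); otherwise every xn-- label is decoded back to Unicode.
    """
    if raw:
        return stored
    return stored.encode("ascii").decode("idna")


def validate_dns_name(name):
    """True if 'name' can be stored safely: it encodes, and the stored form is
    stable under decode/encode. Note the codec does not enforce STD3 (LDH)
    label syntax, so a caller that needs hostname rules must add that check.
    """
    if not name:
        return False
    try:
        wire = to_wire(name)
        return to_wire(to_display(wire)) == wire
    except UnicodeError:
        return False


if __name__ == "__main__":
    for n in ("bücher.example", "例え.テスト", "ipa.example.com"):
        print(n, "->", to_wire(n), "->", to_display(to_wire(n)))
```

Because the codec validates as it encodes, calling `to_wire()` on user input at the plugin boundary gives the "can this be encoded" check suggested above for free; anything that raises is rejected before it reaches LDAP.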
From: mkosek at redhat.com (Martin Kosek) Date: Fri, 08 Nov 2013 10:18:55 +0100 Subject: [Freeipa-devel] [PATCH][DOC] 432 Add direct bug reporting links to Feedback section In-Reply-To: <525FB629.1090403@redhat.com> References: <525E9547.3030905@redhat.com> <525EF029.9090802@redhat.com> <1381971967.31620.1.camel@willson.li.ssimo.org> <525F74DA.1020804@redhat.com> <525FB629.1090403@redhat.com> Message-ID: <527CAC7F.5070608@redhat.com> On 10/17/2013 12:04 PM, Martin Kosek wrote: > On 10/17/2013 07:25 AM, Petr Spacek wrote: >> On 17.10.2013 03:06, Simo Sorce wrote: >>> On Wed, 2013-10-16 at 21:59 +0200, Petr Spacek wrote: >>>> On 16.10.2013 15:31, Martin Kosek wrote: >>>>> This change should enable faster and easier filing of new bugs. Patch >>>>> also simplifies the section for both redhat and fedora variants. >>>>> >>>>> https://fedorahosted.org/freeipa/ticket/3754 >>>> >>>> Hmm, is there a way to add the "Report a bug" link to each page footer (in >>>> HTML output)? I think that people should see this option all the time. >>>> >>>> >>>> This reminds me of another thing: >>>> Could we add TICKET_CREATE privilege to anonymous 'subject' in the Trac? This >>>> should allow anyone to create a ticket even without registration/logging in, >>>> which lowers the barrier. >>> >>> Bad idea, you'll soon be submerged by the worst looking spam, seriously, >>> don't do it. >>> >>> Besides you wouldn't be able to notify the reporter that you need more >>> info and so on, it's not worth having fire-and-forget reports. >> >> There is an input box for reporter's e-mail... > > Yeah, I wonder who would fill it. I would personally leave it as is, when > someone really does not want to register to Fedora, he can send a mail to > freeipa-users (and thus also give us a way to ask back). > > Martin I hope that this question was resolved. As for "Report a bug" link on each page footer, I am not sure if Publican can do that and I am also not sure if it would not be disturbing. 
I would rather like to let us review the requested change and provided patch. IMO the provided Trac/Bugzilla links make the bug filing easier, which was the point of the ticket - please review. Let us review the change and continue with other doc improvements, there are a lot of those on our plate in this area. Martin From pviktori at redhat.com Fri Nov 8 11:50:01 2013 
From: pviktori at redhat.com (Petr Viktorin) Date: Fri, 08 Nov 2013 12:50:01 +0100 Subject: [Freeipa-devel] [PATCH 0015] Add support for managing user auth types In-Reply-To: <1383850090.21178.2.camel@localhost.localdomain> References: <1378353865.19352.9.camel@localhost> <522DCE8B.9040009@redhat.com> <1379533870.1629.5.camel@localhost> <52403FC4.6070807@redhat.com> <1380142275.2046.2.camel@localhost> <5252C3A4.3070408@redhat.com> <1383850090.21178.2.camel@localhost.localdomain> Message-ID: <527CCFE9.1020102@redhat.com> On 11/07/2013 07:48 PM, Nathaniel McCallum wrote: > On Mon, 2013-10-07 at 16:22 +0200, Petr Viktorin wrote: >> Sorry for the delay. >> >> >> On 09/25/2013 10:51 PM, Nathaniel McCallum wrote: >>> On Mon, 2013-09-23 at 15:19 +0200, Petr Viktorin wrote: >>>> Great, we're getting close! >>>> >> [...] >>>> There's another test failure when trying to rename a manager user. I >>>> didn't investigate in detail why that happens. >>> >>> Does the failure happen without the patch? >> >> No. It seems the added objectclasses attribute conflicts with renaming a >> user who's a manager. >> >>> Is this just a standard make check? >> >> It's the standard make test; specifically: >> ./make-test ipatests/test_xmlrpc/test_user_plugin.py >> It should pass on a newly installed server, with `make` being run in >> advance. Make sure to have ~/.ipa/default.conf set up. > > Fixed. > > Nathaniel > Thanks! ACK, pushed to master: 3f85f09a83f1cd25078c7c11a68d457bb198d66f I've also pushed my tests from earlier in the thread: 6c7a59a906ca46d1fbdf38739ac8b33f3136de9e -- Petr³ From pviktori at redhat.com Fri Nov 8 11:52:21 2013 
From: pviktori at redhat.com (Petr Viktorin) Date: Fri, 08 Nov 2013 12:52:21 +0100 Subject: [Freeipa-devel] [PATCH] 0316 Remove unused utf8_encode_value functions In-Reply-To: <527A422E.7070007@redhat.com> References: <5278EC74.9010407@redhat.com> <527A422E.7070007@redhat.com> Message-ID: <527CD075.7040406@redhat.com> On 11/06/2013 02:20 PM, Ana Krivokapic wrote: > On 11/05/2013 02:02 PM, Petr Viktorin wrote: >> Honza's recent LDAP refactoring left some unused helper functions >> around. This patch removes them. >> >> >> >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel > > ACK Thanks! Pushed to master: 196379d126f4c86cb0979d3bae16919858bd7c19 -- Petr³ From pviktori at redhat.com Fri Nov 8 12:26:24 2013 
From: pviktori at redhat.com (Petr Viktorin) Date: Fri, 08 Nov 2013 13:26:24 +0100 Subject: [Freeipa-devel] [PATCH 0016] Add RADIUS proxy support to ipalib CLI In-Reply-To: <1380142563.2046.3.camel@localhost> References: <1378353973.19352.11.camel@localhost> <1379018880.2210.1.camel@localhost> <1379695123.1629.10.camel@localhost> <1380142563.2046.3.camel@localhost> Message-ID: <527CD870.9080102@redhat.com> On 09/25/2013 10:56 PM, Nathaniel McCallum wrote: > On Fri, 2013-09-20 at 12:38 -0400, Nathaniel McCallum wrote: >> On Thu, 2013-09-12 at 16:48 -0400, Nathaniel McCallum wrote: >>> On Thu, 2013-09-05 at 00:06 -0400, Nathaniel McCallum wrote: >>>> patch attached >>> >>> Update for ./makeapi attached. >> >> Version 3. This should fix all the current review issues, including the >> use of the referential integrity plugin. I had to make one schema change >> in order to make the referential integrity modification work. Note also >> that the command name prefix is changed from radius to radiusproxy. > > Version 4. This patch fixes my failure to increment the minor version > number in the VERSION file. > > Nathaniel We've since decided that we'll carry LDAP "content" updates only in update files, so you can leave indices.ldif & referint-conf.ldif unchanged. Schema, on the other hand, will still be in ldif files (and soon *only* in ldif files). The patch needs a rebase. -- Petr³ From pviktori at redhat.com Fri Nov 8 14:14:28 2013 
From: pviktori at redhat.com (Petr Viktorin) Date: Fri, 08 Nov 2013 15:14:28 +0100 Subject: [Freeipa-devel] [PATCHES] 198-202 Refactor indirect membership processing In-Reply-To: <52725F17.2020800@redhat.com> References: <52725F17.2020800@redhat.com> Message-ID: <527CF1C4.8070805@redhat.com> On 10/31/2013 02:45 PM, Jan Cholasta wrote: > Hi, > > the attached patches fix . > > Tested with 25000 users. > > Honza Patch 198: Also update ipaldap's find_entries docstring, it no longer uses IPA defaults. While you're touching this part of code, I had some other improvements in mind -- you can consider them: In find_entries, attrs_list = [a.lower() for a in attrs_list] to make sure 'memberindirect' is case insensitive In get_memberof, construct `indirect` as a set, for O(1) remove(). Changing MEMBERS_ALL et.al. from numbers to descriptive strings, for easier debugging. Patch 199: Looks great Patch 200: objtype, res_list, red_id, res_ctrls = result Minor typo ----------^ This construction won't work as you'd expect in Python 2: try: (possibly raise interesting exception) (*) except: try: (possibly raise exception to ignore) (**) except: pass raise # (***) The problem is that the exception in (**) overwrites the "current active exception" caught in (*). In (***) the exception from cleanup will be raised. The solution is to store the wanted exception info, including the traceback: exc_type, exc_value, exc_traceback = sys.exc_info() and then re-raise explicitly: raise exc_type, exc_value, exc_traceback Also, please log the ignored exception from cancelling the paged search. -- Petr³ From pvoborni at redhat.com Fri Nov 8 15:28:45 2013 
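The re-raise pitfall from the Patch 200 comment, worked through on a stand-in for a paged search. This is an added example for this page, not code from the patches: `FakePagedSearch`, the exception classes and the function names are constructed. Python 3 restores the exception being handled once an inner handler finishes, so the bare `raise` only misbehaves on Python 2; capturing `sys.exc_info()` before the cleanup works the same on both and is what lets the ignored cancel error be logged, as the review asks.

```python
# Added example: keep the original exception when cleanup (cancelling a paged
# LDAP search) raises as well. FakePagedSearch and all names here are this
# example's own; real code would call the LDAP connection's cancel instead.
import logging
import sys

log = logging.getLogger(__name__)


class SearchFailed(Exception):
    """Constructed: the 'interesting' error raised while reading pages."""


class CancelFailed(Exception):
    """Constructed: the error raised when cancelling the paged search."""


class FakePagedSearch:
    """Stand-in for a paged search: returns pages one by one, fails on a chosen
    page index, and optionally fails again when cancelled."""

    def __init__(self, pages, fail_on_page=None, cancel_fails=False):
        self.pages = list(pages)
        self.fail_on_page = fail_on_page
        self.cancel_fails = cancel_fails
        self.cancelled = False
        self._next = 0

    def next_page(self):
        if self._next == self.fail_on_page:
            raise SearchFailed("server dropped the connection on page %d" % self._next)
        if self._next >= len(self.pages):
            return None
        page = self.pages[self._next]
        self._next += 1
        return page

    def cancel(self):
        self.cancelled = True
        if self.cancel_fails:
            raise CancelFailed("cannot cancel: connection already gone")


def collect_all_pages(search, warn=log.warning):
    """Read every page; on failure cancel the search, log a failed cancel, and
    re-raise the *search* error rather than the cancel error."""
    results = []
    try:
        while True:
            page = search.next_page()
            if page is None:
                return results
            results.extend(page)
    except Exception:
        # Capture the interesting exception before running any cleanup that
        # might raise on its own (Python 2 would otherwise lose it).
        exc_type, exc_value, exc_tb = sys.exc_info()
        try:
            search.cancel()
        except Exception as cancel_error:
            warn("ignoring error while cancelling paged search: %r" % (cancel_error,))
        # Python 2 spelling of the same re-raise: raise exc_type, exc_value, exc_tb
        raise exc_value.with_traceback(exc_tb)


def run_and_report(search):
    """Convenience wrapper: (results or None, raised exception name or None,
    list of warnings emitted)."""
    warnings = []
    try:
        return collect_all_pages(search, warn=warnings.append), None, warnings
    except Exception as err:
        return None, type(err).__name__, warnings
```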
From: pvoborni at redhat.com (Petr Vobornik) Date: Fri, 08 Nov 2013 16:28:45 +0100 Subject: [Freeipa-devel] [PATCHES] 0019-0020 Broken Firefox configuration files in freeipa-client package In-Reply-To: <1383644074.2457.3.camel@unused-4-145.brq.redhat.com> References: <1383644074.2457.3.camel@unused-4-145.brq.redhat.com> Message-ID: <527D032D.6020807@redhat.com> On 11/05/2013 10:34 AM, Martin Basti wrote: > ipa-client-install now allows configuring Firefox using the > --configure-firefox option and optionally with the --firefox-dir=INSTALL_DIR > option. > > Old configuration files were removed. > > Patches attached. > > Ticket: https://fedorahosted.org/freeipa/ticket/3821 > Thanks for the patch. 1) Remove "pref("network.negotiate-auth.delegation-uris", ".$DOMAIN");" from the FIREFOX_CONFIG_TEMPLATE. Delegation is not a thing you want to have enabled unless there is no other way (Web UI doesn't need it since version 2.2 or 2.3). Otherwise it works fine on F19. -- Petr Vobornik From pviktori at redhat.com Fri Nov 8 16:56:57 2013 
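A small audit for the point made above, as an added example for this page and not part of ipa-client-install: parse a Firefox prefs file and flag `network.negotiate-auth.delegation-uris` whenever it is set, because that pref makes the browser forward a copy of the user's Kerberos credentials to every site matching it. The prefs text is constructed in the style of the template under discussion, with `example.test` standing in for `$DOMAIN`; the function names are mine.

```python
# Added example: lint a Firefox prefs/autoconfig file for Kerberos negotiate
# settings. Parser and checks are this page's example, not FreeIPA code;
# SAMPLE_PREFS is a constructed file in the style of the discussed template.
import re

# pref("name", value);  also matches user_pref(...) and lockPref(...)
PREF_RE = re.compile(r'^\s*(?:user_|lock)?[pP]ref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\);')

SAMPLE_PREFS = """
// constructed sample: what a generated prefs file for the IPA domain might hold
pref("network.negotiate-auth.trusted-uris", ".example.test");
pref("network.negotiate-auth.delegation-uris", ".example.test");
pref("network.negotiate-auth.allow-proxies", true);
"""


def parse_prefs(text):
    """Return {pref name: value} with strings unquoted and booleans/ints typed."""
    prefs = {}
    for line in text.splitlines():
        match = PREF_RE.match(line)
        if not match:
            continue
        name, raw = match.groups()
        if raw.startswith('"') and raw.endswith('"'):
            value = raw[1:-1]
        elif raw in ("true", "false"):
            value = raw == "true"
        else:
            try:
                value = int(raw)
            except ValueError:
                value = raw
        prefs[name] = value
    return prefs


def audit_negotiate_prefs(prefs):
    """List human-readable findings about the negotiate-auth settings."""
    findings = []
    delegation = prefs.get("network.negotiate-auth.delegation-uris", "")
    if delegation:
        findings.append(
            "delegation-uris is set to %r: the browser will forward the user's "
            "Kerberos credentials to every host matching it; drop the pref unless "
            "a backend really needs delegated credentials" % (delegation,))
    if not prefs.get("network.negotiate-auth.trusted-uris", ""):
        findings.append("trusted-uris is empty: SPNEGO will never be attempted")
    return findings


def strip_delegation(text):
    """The corrected template: same file without the delegation-uris line."""
    return "\n".join(line for line in text.splitlines()
                     if "network.negotiate-auth.delegation-uris" not in line)
```

Running `audit_negotiate_prefs(parse_prefs(SAMPLE_PREFS))` reports the delegation line; the same audit over `strip_delegation(SAMPLE_PREFS)` is clean while SPNEGO to `.example.test` still works.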
From: pviktori at redhat.com (Petr Viktorin) Date: Fri, 08 Nov 2013 17:56:57 +0100 Subject: [Freeipa-devel] [PATCHES] 198-202 Refactor indirect membership processing In-Reply-To: <527CF1C4.8070805@redhat.com> References: <52725F17.2020800@redhat.com> <527CF1C4.8070805@redhat.com> Message-ID: <527D17D9.5070805@redhat.com> I hit Send by mistake; continuing review: On 11/08/2013 03:14 PM, Petr Viktorin wrote: > On 10/31/2013 02:45 PM, Jan Cholasta wrote: >> Hi, >> >> the attached patches fix . >> >> Tested with 25000 users. >> >> Honza > > Patch 198: > > Also update ipaldap's find_entries docstring, it no longer uses IPA > defaults. > > > While you're touching this part of code, I had some other improvements > in mind -- you can consider them: > > In find_entries, > attrs_list = [a.lower() for a in attrs_list] > to make sure 'memberindirect' is case insensitive > In get_memberof, construct `indirect` as a set, for O(1) remove(). ^ ignore that, it's nuked in 201 \o/ > Changing MEMBERS_ALL et.al. from numbers to descriptive strings, for > easier debugging. ^ these can be removed entirely in 201 > > Patch 199: Looks great > > > Patch 200: > > objtype, res_list, red_id, res_ctrls = result > Minor typo ----------^ > > > This construction won't work as you'd expect in Python 2: > > try: > (possibly raise interesting exception) (*) > except: > try: > (possibly raise exception to ignore) (**) > except: > pass > raise # (***) > > The problem is that the exception in (**) overwrites the "current active > exception" raised in (*). In (***) the exception from the cleanup will be > re-raised. > The solution is to store the wanted exception info, including the > traceback: > exc_type, exc_value, exc_traceback = sys.exc_info() > and then re-raise explicitly: > raise exc_type, exc_value, exc_traceback > > Also, please log the ignored exception from cancelling the paged search. > > Patch 201: Great patch! 
A nitpick, I'd rename _process_member{,of} to _process_member{,of}indirect Patch 202: Looks good While we're on the subject: Each Plugin has an "api" attribute. It would be nice if we started preferring `self.api` instead of the global singleton wherever possible, even though they're currently always the same. -- Petr³ From akrivoka at redhat.com Fri Nov 8 17:07:53 2013 From: akrivoka at redhat.com (Ana Krivokapic) Date: Fri, 08 Nov 2013 18:07:53 +0100 Subject: [Freeipa-devel] [PATCH] 440 Server does not detect different server and IPA domain In-Reply-To: <527A09A4.50306@redhat.com> References: <527A09A4.50306@redhat.com> Message-ID: <527D1A69.6000308@redhat.com> On 11/06/2013 10:19 AM, Martin Kosek wrote: > Server installer does not properly recognize a situation when server > fqdn is not in a subdomain of the IPA domain, but shares the same > suffix. > > For example, if server FQDN is ipa-idm.example.com and domain > is idm.example.com, server's FQDN is not in the main domain, but > installer does not recognize that. Proper Kerberos realm-domain > mapping is not created in this case and server does not work > (httpd reports gssapi errors). > > https://fedorahosted.org/freeipa/ticket/4012 > > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK -- Regards, Ana Krivokapic Associate Software Engineer FreeIPA team Red Hat Inc. -------------- next part -------------- An HTML attachment was scrubbed... URL: From mkosek at redhat.com Mon Nov 11 08:28:25 2013 
From: mkosek at redhat.com (Martin Kosek) Date: Mon, 11 Nov 2013 09:28:25 +0100 Subject: [Freeipa-devel] [PATCH] 440 Server does not detect different server and IPA domain In-Reply-To: <527D1A69.6000308@redhat.com> References: <527A09A4.50306@redhat.com> <527D1A69.6000308@redhat.com> Message-ID: <52809529.8050309@redhat.com> On 11/08/2013 06:07 PM, Ana Krivokapic wrote: > On 11/06/2013 10:19 AM, Martin Kosek wrote: >> Server installer does not properly recognize a situation when server >> fqdn is not in a subdomain of the IPA domain, but shares the same >> suffix. >> >> For example, if server FQDN is ipa-idm.example.com and domain >> is idm.example.com, server's FQDN is not in the main domain, but >> installer does not recognize that. Proper Kerberos realm-domain >> mapping is not created in this case and server does not work >> (httpd reports gssapi errors). >> >> https://fedorahosted.org/freeipa/ticket/4012 >> >> >> >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel > > ACK > Thanks. Pushed to master, ipa-3-3. Martin From pviktori at redhat.com Mon Nov 11 11:32:34 2013 
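The bug class behind patch 440 is a plain suffix match used where a domain-membership test was meant; `ipa-idm.example.com` ends with `idm.example.com` without being inside it, the same slip that shows up in cookie-domain and certificate-name checks. The following is an added example written for this page, not the installer's code: the naive and the anchored check side by side, plus one reasonable way to derive krb5 `[domain_realm]` entries from the result (the mapping shape is this example's assumption, not necessarily what ipa-server-install writes). Host and domain names are constructed.

```python
# Added example (not FreeIPA installer code): is a server FQDN really inside the
# IPA domain, and which krb5 [domain_realm] keys follow from that.


def _norm(name):
    """Canonical form for comparison: trimmed, no trailing dot, lower case."""
    return name.strip().rstrip(".").lower()


def host_in_domain_naive(fqdn, domain):
    """The bug pattern: a bare suffix test. 'ipa-idm.example.com' ends with
    'idm.example.com' although it is not in that domain."""
    return _norm(fqdn).endswith(_norm(domain))


def host_in_domain(fqdn, domain):
    """True only if fqdn is the domain itself or sits below it on a label
    boundary, i.e. the suffix match is anchored at a dot."""
    f, d = _norm(fqdn), _norm(domain)
    return f == d or f.endswith("." + d)


def domain_realm_entries(fqdn, ipa_domain, realm):
    """krb5.conf [domain_realm] keys that should map to REALM.

    The IPA domain and everything below it always map. When the server lives
    outside that domain, map the server's own FQDN as well, and only that:
    mapping its parent domain would claim every host under it for this realm
    (example's choice, labelled as such in the lead-in).
    """
    d = _norm(ipa_domain)
    entries = {"." + d: realm, d: realm}
    if not host_in_domain(fqdn, ipa_domain):
        entries[_norm(fqdn)] = realm
    return entries


if __name__ == "__main__":
    for host in ("ipa.idm.example.com", "ipa-idm.example.com"):
        print(host, "naive:", host_in_domain_naive(host, "idm.example.com"),
              "anchored:", host_in_domain(host, "idm.example.com"))
        print("  ", domain_realm_entries(host, "idm.example.com", "IDM.EXAMPLE.COM"))
```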
From: pviktori at redhat.com (Petr Viktorin) Date: Mon, 11 Nov 2013 12:32:34 +0100 Subject: [Freeipa-devel] [PATCHES] 0258-0265 Add schema updater based on IPA schema files In-Reply-To: <527B96E6.9060702@redhat.com> References: <51FA7645.6090702@redhat.com> <523340D5.4090505@redhat.com> <5273BA04.9040703@redhat.com> <527B96E6.9060702@redhat.com> Message-ID: <5280C052.5000806@redhat.com> On 11/07/2013 02:34 PM, Ana Krivokapic wrote: > On 11/01/2013 03:26 PM, Petr Viktorin wrote: >> On 09/13/2013 06:44 PM, Petr Viktorin wrote: >>> On 08/01/2013 04:52 PM, Petr Viktorin wrote: >>>> Hello, >>>> With these patches, schema updates will be based on the ldif files we >>>> use for installation. >>>> >>>> https://fedorahosted.org/freeipa/ticket/3454 >>>> >>>> This is a RFE, here is the design doc: >>>> http://www.freeipa.org/page/V3/Improved_schema_updater >>>> >>> >>> I found and filed a bug in python-ldap[0]: it sometimes ignores parts of >>> schema LDIFs when parsing them. >>> Patch 0275 works around the bug. Please apply on top of 0258-0265 (they >>> still apply cleanly). >>> >>> >>> [0] https://bugzilla.redhat.com/show_bug.cgi?id=1007820 >>> >> >> The recent ipaldap patches resulted in a small conflict. Attaching >> rebased patches. > > I have tested the patches and overall they seem to work fine. Some > questions/comments are below. > > > Patch 258: > You catch `ldap.LOCAL_ERROR` in the `connect()` function, which is > called from `__init__()`, so no need to catch it again in `__init__()`. I've added a comment instead of the try/catch > Patch 259: > ACK > > Patch 260: > > > # Usually the modlist order does not matter. > > # However, for schema updates, we want 'attributetypes' before > > # 'objectclasses'. > > # A simple sort will ensure this. > > modlist.sort() > > Since `modlist` is a list of tuples, it is sorted by the first elements > in the tuples, then by the second elements, etc. 
Which means the > resulting list will be sorted by the modification type first (`MOD_ADD`, > `MOD_DELETE`, etc), and by `attributetypes`/`objectclasses` second. Was > this the desired effect? I've added a sort key; it should be safer now. > Patch 261: > Man page updates look good, but several options in the man page have 3 > dashes in the long form instead of 2. I have attached a mini-patch that > fixes this along with a couple of typos in the man page. Feel free to > squash it to your patch 261. Nice catch! Squashed. > Patch 262: > Whitespace warnings. I didn't see any with my settings; could you be more specific? > In `60-trusts.update` there are still some `replace:attributeTypes:` > lines. Can those be removed safely? Yes! I've checked they match the ldif, and removed them. > Patch 263: > > + if not force_replace: > + modlist.append((ldap.MOD_DELETE, key, removes)) > + elif new_values == []: # delete an empty value > + modlist.append((ldap.MOD_DELETE, key, removes)) > > can be combined into one: > > + if not force_replace or not new_values: > + modlist.append((ldap.MOD_DELETE, key, removes)) Done > Patch 264: > ACK > > Patch 265: > ACK > > Patch 275: > ACK Thanks for the review! Updated patches attached. -- Petr³ -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pviktori-0258.3-ldapupdate-Factor-out-connection-code.patch Type: text/x-patch Size: 4880 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pviktori-0259.3-dsinstance-Move-the-list-of-schema-filenames-to-a-co.patch Type: text/x-patch Size: 2098 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pviktori-0260.3-Add-schema-updater-based-on-IPA-schema-files.patch Type: text/x-patch Size: 13148 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-pviktori-0261.3-Update-the-man-page-for-ipa-ldap-updater.patch Type: text/x-patch Size: 3638 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pviktori-0262.3-Remove-schema-modifications-from-update-files.patch Type: text/x-patch Size: 60196 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pviktori-0263.3-Remove-schema-special-casing-from-the-LDAP-updater.patch Type: text/x-patch Size: 10094 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pviktori-0264.3-Make-schema-files-conform-to-new-updater.patch Type: text/x-patch Size: 27262 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pviktori-0265.3-Add-formerly-update-only-schema.patch Type: text/x-patch Size: 10413 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pviktori-0275.3-Unify-capitalization-of-attribute-names-in-schema-fi.patch Type: text/x-patch Size: 11040 bytes Desc: not available URL: From pspacek at redhat.com Mon Nov 11 11:53:36 2013 From: pspacek at redhat.com (Petr Spacek) Date: Mon, 11 Nov 2013 12:53:36 +0100 Subject: [Freeipa-devel] [PATCH 0204] Remove obsolete zr_get_rbt() function from zone register Message-ID: <5280C540.8030604@redhat.com> Hello, Remove obsolete zr_get_rbt() function from zone register. -- Petr^2 Spacek -------------- next part -------------- A non-text attachment was scrubbed... Name: bind-dyndb-ldap-pspacek-0204-Remove-obsolete-zr_get_rbt-function-from-zone-regist.patch Type: text/x-patch Size: 1347 bytes Desc: not available URL: From pspacek at redhat.com Mon Nov 11 12:03:32 2013 
From: pspacek at redhat.com (Petr Spacek) Date: Mon, 11 Nov 2013 13:03:32 +0100 Subject: [Freeipa-devel] [PATCH 0205] Fix race condition during write to internal RBTDB Message-ID: <5280C794.3060503@redhat.com> Hello, Fix race condition during write to internal RBTDB. RBTDB implementation allows to open only one RBTDB instance for writing at the same time. This patch adds mutex to newversion() implementation in ldap_driver.c. See comments around ldapdb_t, newversion() and closeversion(). -- Petr^2 Spacek -------------- next part -------------- A non-text attachment was scrubbed... Name: bind-dyndb-ldap-pspacek-0205-Fix-race-condition-during-write-to-internal-RBTDB.patch Type: text/x-patch Size: 7956 bytes Desc: not available URL: From akrivoka at redhat.com Mon Nov 11 13:53:27 2013 
From: akrivoka at redhat.com (Ana Krivokapic) Date: Mon, 11 Nov 2013 14:53:27 +0100 Subject: [Freeipa-devel] [PATCHES] 0258-0265 Add schema updater based on IPA schema files In-Reply-To: <5280C052.5000806@redhat.com> References: <51FA7645.6090702@redhat.com> <523340D5.4090505@redhat.com> <5273BA04.9040703@redhat.com> <527B96E6.9060702@redhat.com> <5280C052.5000806@redhat.com> Message-ID: <5280E157.6050406@redhat.com> On 11/11/2013 12:32 PM, Petr Viktorin wrote: > On 11/07/2013 02:34 PM, Ana Krivokapic wrote: >> On 11/01/2013 03:26 PM, Petr Viktorin wrote: >>> On 09/13/2013 06:44 PM, Petr Viktorin wrote: >>>> On 08/01/2013 04:52 PM, Petr Viktorin wrote: >>>>> Hello, >>>>> With these patches, schema updates will be based on the ldif files we >>>>> use for installation. >>>>> >>>>> https://fedorahosted.org/freeipa/ticket/3454 >>>>> >>>>> This is a RFE, here is the design doc: >>>>> http://www.freeipa.org/page/V3/Improved_schema_updater >>>>> >>>> >>>> I found and filed a bug in python-ldap[0]: it sometimes ignores parts of >>>> schema LDIFs when parsing them. >>>> Patch 0275 works around the bug. Please apply on top of 0258-0265 (they >>>> still apply cleanly). >>>> >>>> >>>> [0] https://bugzilla.redhat.com/show_bug.cgi?id=1007820 >>>> >>> >>> The recent ipaldap patches resulted in a small conflict. Attaching >>> rebased patches. > >> >> I have tested the patches and overall they seem to work fine. Some >> questions/comments are below. >> >> >> Patch 258: >> You catch `ldap.LOCAL_ERROR` in the `connect()` function, which is >> called from `__init__()`, so no need to catch it again in `__init__()`. > > I've added a comment instead of the try/catch > >> Patch 259: >> ACK >> >> Patch 260: >> >> > # Usually the modlist order does not matter. >> > # However, for schema updates, we want 'attributetypes' before >> > # 'objectclasses'. >> > # A simple sort will ensure this. 
>> > modlist.sort() >> >> Since `modlist` is a list of tuples, it is sorted by the first elements >> in the tuples, then by the second elements, etc. Which means the >> resulting list will be sorted by the modification type first (`MOD_ADD`, >> `MOD_DELETE`, etc), and by `attributetypes`/`objectclasses` second. Was >> this the desired effect? > > I've added a sort key; it should be safer now. Hmm, the key you added still retains the default sorting behavior - it will sort by the first elements of the tuples first. Since we need sorting by the second elements, I think the key here should be: key=lambda m: m[1].lower() > >> Patch 261: >> Man page updates look good, but several options in the man page have 3 >> dashes in the long form instead of 2. I have attached a mini-patch that >> fixes this along with a couple of typos in the man page. Feel free to >> squash it to your patch 261. > > Nice catch! Squashed. > >> Patch 262: >> Whitespace warnings. > > I didn't see any with my settings; could you be more specific? $ git am ~/freeipa-pviktori-0262.3-Remove-schema-modifications-from-update-files.patch Applying: Remove schema modifications from update files /home/ana/freeipa/.git/rebase-apply/patch:497: new blank line at EOF. + /home/ana/freeipa/.git/rebase-apply/patch:693: new blank line at EOF. + warning: 2 lines add whitespace errors. > >> In `60-trusts.update` there are still some `replace:attributeTypes:` >> lines. Can those be removed safely? > > Yes! I've checked they match the ldif, and removed them. > >> Patch 263: >> >> + if not force_replace: >> + modlist.append((ldap.MOD_DELETE, key, removes)) >> + elif new_values == []: # delete an empty value >> + modlist.append((ldap.MOD_DELETE, key, removes)) >> >> can be combined into one: >> >> + if not force_replace or not new_values: >> + modlist.append((ldap.MOD_DELETE, key, removes)) > > Done > >> Patch 264: >> ACK >> >> Patch 265: >> ACK >> >> Patch 275: >> ACK > > Thanks for the review! 
> Updated patches attached. > > -- Regards, Ana Krivokapic Associate Software Engineer FreeIPA team Red Hat Inc. From rcritten at redhat.com Mon Nov 11 14:56:31 2013 
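The ordering point settled in the exchange above, as an added and runnable illustration that is not code from the patches: Python's default tuple ordering sorts a modlist by modification type first, a key on the bare attribute name is case-sensitive, and only the case-folded name key puts every attributeTypes change ahead of every objectClasses change. The `MOD_*` constants mirror python-ldap's numeric values so the block runs without the module; the schema definitions are constructed placeholders.

```python
# Added example, not code from the patches: why a default tuple sort does not
# give "attributeTypes before objectClasses", and what a name-based key does.
# MOD_* values mirror python-ldap's constants; the schema strings are made up.
MOD_ADD, MOD_DELETE, MOD_REPLACE = 0, 1, 2  # same numeric values as ldap.MOD_*

SAMPLE_MODLIST = [
    (MOD_DELETE, "objectClasses",
     [b"( 1.3.6.1.4.1.99999.2.1 NAME 'exampleOldClass' SUP top AUXILIARY MAY exampleAttr )"]),
    (MOD_ADD, "Objectclasses",  # mixed case on purpose: schema files are not consistent
     [b"( 1.3.6.1.4.1.99999.2.2 NAME 'exampleNewClass' SUP top AUXILIARY MAY exampleAttr )"]),
    (MOD_ADD, "attributeTypes",
     [b"( 1.3.6.1.4.1.99999.1.1 NAME 'exampleAttr' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )"]),
    (MOD_DELETE, "attributeTypes",
     [b"( 1.3.6.1.4.1.99999.1.2 NAME 'exampleOldAttr' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )"]),
]


def sort_default(modlist):
    """modlist.sort() as in the first version: tuples compare element-wise, so
    the order is mod type first, then attribute name (case-sensitive)."""
    return sorted(modlist)


def sort_by_attribute_case_sensitive(modlist):
    """Key on the attribute name only; 'Objectclasses' still sorts before
    'attributeTypes' because upper-case letters compare lower."""
    return sorted(modlist, key=lambda m: m[1])


def sort_by_attribute(modlist):
    """The key from the review: attribute name, case-folded. sorted() is stable,
    so mods to the same attribute keep their original relative order."""
    return sorted(modlist, key=lambda m: m[1].lower())


def attribute_types_first(modlist):
    """True if no objectClasses modification precedes an attributeTypes one."""
    seen_objectclasses = False
    for _mod, attr, _values in modlist:
        name = attr.lower()
        if name == "objectclasses":
            seen_objectclasses = True
        elif name == "attributetypes" and seen_objectclasses:
            return False
    return True


if __name__ == "__main__":
    for fn in (sort_default, sort_by_attribute_case_sensitive, sort_by_attribute):
        ordered = fn(SAMPLE_MODLIST)
        print(fn.__name__, attribute_types_first(ordered),
              [(m[0], m[1]) for m in ordered])
```

Note that the key only fixes the add case; a schema update that also deletes object classes referencing attributes it deletes would need the reverse order for the deletions, which is outside what the patch's comment promises.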
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 11 Nov 2013 09:56:31 -0500 Subject: [Freeipa-devel] [RFE] Permissions V2 In-Reply-To: <527B7D47.8030806@redhat.com> References: <527B7D47.8030806@redhat.com> Message-ID: <5280F01F.7020907@redhat.com> Petr Viktorin wrote: > Hello, > I'm splitting up ACI work into several designs to make it more manageable. > > This one is about > - Moving ACIs out of $SUFFIX > - Storing all ACI data in the permission entry > - Permission flag system for ensuring backwards compatibility > > Summary of the backcompat story: > - Attributes, rights, etc. of new permissions may not be modified or > read on old servers (not possible since the ACIs aren't in $SUFFIX) > - Old permissions convert to new ones when they're modified on a new server > - Any server can assign (or remove) both old and new permissions to > privileges > > There is a bit of shuffling in API/CLI option names, since the API > option name needs to match the LDAP attributeTypes. > > The WIP design document is here: > http://www.freeipa.org/page/V3/Permissions_V2 > Data in the permission entry I think the schema needs to be described better. I'm assuming that ipaPermTarget is the equivalent of current targetgroup option? And targetfilter is the equivalent of current filter option? If you are placing the ACI into the container based on type, then you probably don't need the filter within the ACI (it is implicit). In general I think some examples would be helpful. Modifying and Upgrading Permissions Under what conditions would there be an old or a new permission and no associated ACI? Option/Attribute mapping Performing a search on the filter is a good idea but realize that it has its limits. It is possible to create a legal filter that makes no (or little) sense. If type is only going to specify the location of the ACI then perhaps it shouldn't be in the mutually exclusive list. rob From akrivoka at redhat.com Mon Nov 11 15:18:14 2013 
From: akrivoka at redhat.com (Ana Krivokapic) Date: Mon, 11 Nov 2013 16:18:14 +0100 Subject: [Freeipa-devel] [PATCHES] 0258-0265 Add schema updater based on IPA schema files In-Reply-To: <5280E157.6050406@redhat.com> References: <51FA7645.6090702@redhat.com> <523340D5.4090505@redhat.com> <5273BA04.9040703@redhat.com> <527B96E6.9060702@redhat.com> <5280C052.5000806@redhat.com> <5280E157.6050406@redhat.com> Message-ID: <5280F536.2090900@redhat.com> On 11/11/2013 02:53 PM, Ana Krivokapic wrote: > On 11/11/2013 12:32 PM, Petr Viktorin wrote: >> On 11/07/2013 02:34 PM, Ana Krivokapic wrote: >>> On 11/01/2013 03:26 PM, Petr Viktorin wrote: >>>> On 09/13/2013 06:44 PM, Petr Viktorin wrote: >>>>> On 08/01/2013 04:52 PM, Petr Viktorin wrote: >>>>>> Hello, >>>>>> With these patches, schema updates will be based on the ldif files we >>>>>> use for installation. >>>>>> >>>>>> https://fedorahosted.org/freeipa/ticket/3454 >>>>>> >>>>>> This is a RFE, here is the design doc: >>>>>> http://www.freeipa.org/page/V3/Improved_schema_updater >>>>>> >>>>> I found and filed a bug in python-ldap[0]: it sometimes ignores parts of >>>>> schema LDIFs when parsing them. >>>>> Patch 0275 works around the bug. Please apply on top of 0258-0265 (they >>>>> still apply cleanly). >>>>> >>>>> >>>>> [0] https://bugzilla.redhat.com/show_bug.cgi?id=1007820 >>>>> >>>> The recent ipaldap patches resulted in a small conflict. Attaching >>>> rebased patches. >>> I have tested the patches and overall they seem to work fine. Some >>> questions/comments are below. >>> >>> >>> Patch 258: >>> You catch `ldap.LOCAL_ERROR` in the `connect()` function, which is >>> called from `__init__()`, so no need to catch it again in `__init__()`. >> I've added a comment instead of the try/catch >> >>> Patch 259: >>> ACK >>> >>> Patch 260: >>> >>> > # Usually the modlist order does not matter. >>> > # However, for schema updates, we want 'attributetypes' before >>> > # 'objectclasses'. >>> > # A simple sort will ensure this. 
>>> > modlist.sort() >>> >>> Since `modlist` is a list of tuples, it is sorted by the first elements >>> in the tuples, then by the second elements, etc. Which means the >>> resulting list will be sorted by the modification type first (`MOD_ADD`, >>> `MOD_DELETE`, etc), and by `attributetypes`/`objectclasses` second. Was >>> this the desired effect? >> I've added a sort key; it should be safer now. > Hmm, the key you added still retains the default sorting behavior - it will sort > by the first elements of the tuples first. Since we need sorting by the second > elements, I think the key here should be: key=lambda m: m[1].lower() > >>> Patch 261: >>> Man page updates look good, but several options in the man page have 3 >>> dashes in the long form instead of 2. I have attached a mini-patch that >>> fixes this along with a couple of typos in the man page. Feel free to >>> squash it to your patch 261. >> Nice catch! Squashed. >> >>> Patch 262: >>> Whitespace warnings. >> I didn't see any with my settings; could you be more specific? > $ git am > ~/freeipa-pviktori-0262.3-Remove-schema-modifications-from-update-files.patch > Applying: Remove schema modifications from update files > /home/ana/freeipa/.git/rebase-apply/patch:497: new blank line at EOF. > + > /home/ana/freeipa/.git/rebase-apply/patch:693: new blank line at EOF. > + > warning: 2 lines add whitespace errors. > > >>> In `60-trusts.update` there are still some `replace:attributeTypes:` >>> lines. Can those be removed safely? >> Yes! I've checked they match the ldif, and removed them. 
>> >>> Patch 263: >>> >>> + if not force_replace: >>> + modlist.append((ldap.MOD_DELETE, key, removes)) >>> + elif new_values == []: # delete an empty value >>> + modlist.append((ldap.MOD_DELETE, key, removes)) >>> >>> can be combined into one: >>> >>> + if not force_replace or not new_values: >>> + modlist.append((ldap.MOD_DELETE, key, removes)) >> Done >> >>> Patch 264: >>> ACK >>> >>> Patch 265: >>> ACK >>> >>> Patch 275: >>> ACK >> Thanks for the review! >> Updated patches attached. >> >> > I'm also seeing some errors when testing the patches. During ipa-server-install, restarting of DS is failing: [22/38]: restarting directory server ipa : CRITICAL Failed to restart the directory server (Command '/bin/systemctl restart dirsrv at IDM-LAB-ENG-BRQ-REDHAT-COM.service' returned non-zero exit status 1). See the installation log for details. The dirsrv log indicates that one of the ldif files is not syntactically valid: [11/Nov/2013:16:10:21 +0100] dse_read_one_file - The entry cn=schema in file /etc/dirsrv/slapd-IDM-LAB-ENG-BRQ-REDHAT-COM/schema/60basev3.ldif (lineno: 1) is invalid, error code 21 (Invalid syntax) - object class (2.16.840.1.113730.3.8.12.7 NAME 'ipaKrb5DelegationACL' SUP groupOfPrincipals STRUCTURAL MAY ( ipaAllowToImpersonate $ ipaAllowedTarget ) EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'IPA v3' ): Failed to parse objectclass, error(2) at ( distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'IPA v3' )) [11/Nov/2013:16:10:21 +0100] dse - Please edit the file to correct the reported problems and then restart the server. Are you seeing this in your setup? -- Regards, Ana Krivokapic Associate Software Engineer FreeIPA team Red Hat Inc. From tjaalton at ubuntu.com Mon Nov 11 15:25:08 2013 
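An added example, not code from the patches under review, for the two points in Ana's review above: the modlist sort key (attributeTypes before objectClasses regardless of MOD_ADD/MOD_DELETE), and a pre-check for objectClass definitions that carry attributeType-only keywords, which is what dirsrv rejected in 60basev3.ldif. The python-ldap constants are hard-coded, the schema definitions with 9.9.9.x OIDs are constructed placeholders, and only the ipaKrb5DelegationACL line is copied from the dirsrv log.

```python
"""Added example (not code from the patches under review): the modlist
ordering Ana describes, plus a check for objectClass definitions carrying
attributeType-only keywords, which is what dirsrv rejected in 60basev3.ldif."""
import re

# python-ldap's values, hard-coded so the example runs without python-ldap.
MOD_ADD, MOD_DELETE, MOD_REPLACE = 0, 1, 2

# Constructed definitions with placeholder OIDs (9.9.9.x); not real IPA schema.
OLD_ATTR = (b"( 9.9.9.1 NAME 'exampleAttr' "
            b"SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'example' )")
NEW_ATTR = (b"( 9.9.9.1 NAME 'exampleAttr' EQUALITY caseIgnoreMatch "
            b"SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'example' )")
NEW_OC = (b"( 9.9.9.2 NAME 'exampleClass' AUXILIARY "
          b"MAY ( exampleAttr ) X-ORIGIN 'example' )")

# A changed attributeType (delete old value, add new) plus a new objectClass
# that references it, in the order an updater would generate them.
CONSTRUCTED_MODLIST = [
    (MOD_DELETE, "attributeTypes", [OLD_ATTR]),
    (MOD_ADD, "attributeTypes", [NEW_ATTR]),
    (MOD_ADD, "objectClasses", [NEW_OC]),
]


def op_order(modlist):
    """The (op, attribute) sequence of a modlist, for comparing orderings."""
    return [(op, attr) for op, attr, _values in modlist]


def sort_schema_modlist(modlist):
    """Order a cn=schema modlist so attributeTypes changes precede objectClasses.

    A plain modlist.sort() compares tuples element by element: every MOD_ADD
    (0) lands before every MOD_DELETE (1), the attribute name only breaks
    ties, and equal (op, attr) pairs fall through to comparing the value lists.
    Keying on the lower-cased attribute name puts all attributeTypes changes
    first (the class may reference the new attribute) and, since sorted() is
    stable, keeps the delete-before-add order within one attribute.
    """
    return sorted(modlist, key=lambda m: m[1].lower())


# Keywords that only belong in attributeType definitions (RFC 4512, 4.1.2).
# 389-ds rejects an objectClass definition that carries them with the
# "Failed to parse objectclass" error quoted above.
ATTRIBUTE_TYPE_ONLY_KEYWORDS = frozenset((
    "EQUALITY", "ORDERING", "SUBSTR", "SYNTAX", "SINGLE-VALUE",
    "COLLECTIVE", "NO-USER-MODIFICATION", "USAGE",
))


def objectclass_foreign_keywords(definition):
    """Return the attributeType-only keywords found in an objectClass definition.

    An empty list means there is no keyword DS would reject on this ground;
    a cheap pre-check before the updater pushes an ldif to cn=schema.
    """
    if isinstance(definition, bytes):
        definition = definition.decode("utf-8")
    # Blank out quoted strings (NAME, DESC, X-ORIGIN values) so their text
    # cannot be mistaken for a keyword, then look at the bare tokens.
    unquoted = re.sub(r"'[^']*'", "''", definition)
    tokens = unquoted.replace("(", " ").replace(")", " ").split()
    return [tok for tok in tokens if tok in ATTRIBUTE_TYPE_ONLY_KEYWORDS]


# The definition dirsrv rejected, copied from the log above.
REJECTED_OC = (
    "( 2.16.840.1.113730.3.8.12.7 NAME 'ipaKrb5DelegationACL' "
    "SUP groupOfPrincipals STRUCTURAL MAY ( ipaAllowToImpersonate $ "
    "ipaAllowedTarget ) EQUALITY distinguishedNameMatch "
    "SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'IPA v3' )"
)

if __name__ == "__main__":
    print("default sort:", op_order(sorted(CONSTRUCTED_MODLIST)))
    print("keyed sort:  ", op_order(sort_schema_modlist(CONSTRUCTED_MODLIST)))
    print("foreign keywords:", objectclass_foreign_keywords(REJECTED_OC))
```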
From: tjaalton at ubuntu.com (Timo Aaltonen) Date: Mon, 11 Nov 2013 17:25:08 +0200 Subject: [Freeipa-devel] Building FreeIPA on Debian Unstable In-Reply-To: <5272AD52.5030507@redhat.com> References: <5272AD52.5030507@redhat.com> Message-ID: <5280F6D4.3050106@ubuntu.com> On 31.10.2013 21:19, Adam Young wrote: > I'm about to take off for a week, and want to make sure that I don't > lose the momentum I've put in so far. I spent a good portion of > yesterday and today trying to get a Debian build going, and I think that > this is worth sharing with the larger team. Since FreeIPA has been RPM > focused thus far, I suspect that there is a need to prime-the-pump on > Debian development. Thanks! The debian packaging of 2.2.x managed to compile the server bits too, but I hadn't tested any newer versions, just built the client for those.. so it bitrotted over time. > 1. Installed Debian testing in a VM via an ISO. I've had this VM for a > while, so really just had to clone it and boot it. > 2. Set the repos to be the sid (unstable) repos instead of Jessie > (testing) by editing the file /etc/apt/sources.list and replacing > jessie with sid > 3. created a file /etc/apt/apt.conf with just the following line: > APT::Default-Release "unstable"; > 4. apt-get dist-upgrade > 5. Reboot. > 6. Logged in and cloned the debian repo: > git clone git://anonscm.debian.org/git/pkg-freeipa/freeipa.git > > Technically, that is a lie...I had another FreeIPA repo already cloned, > so instead I edited the .git/config file to add support for the above > repo, and then did a fetch and checkout of the debian-unstable branch. > > > OK...now I am in trial and error state. I've tried doing two different > tasks, both related, but I am not sure how. 
> > > I used this as a guide > http://www.debian.org/doc/manuals/maint-guide/build.en.html > > > To build the package I ran: > > dpkg-buildpackage You can limit building just the binaries by giving it the '-b' argument, then it won't complain about the missing tarball either. Also, 'debuild' is a wrapper for dpkg-buildpackage which is what I'm using.. and then there's git-buildpackage but I've still not 'migrated' to that, but it does have some features to overcome the usual errors when working with a git repo (not having a clean tree, uncommitted changes etc). Just running debuild/dpkg-buildpackage is enough for quick'n'dirty testing though. > Which told me about all of the missing packages. I had to modify the > control file as some of the packages are no longer supporting the same > files. One change I made, which is suspect, is shown here: > > diff --git a/debian/control b/debian/control > index 66aedb4..e69cf6c 100644 > --- a/debian/control > +++ b/debian/control 
> @@ -33,9 +33,7 @@ Build-Depends: quilt, debhelper (>= 9), dh-autoreconf, > python-support, > # server > 389-ds-base-dev (>= 1.1.3), > - libndr-dev, > - libndr-standard-dev, > - libsamba-util-dev, > + samba-dev, > libsvrcore-dev, > libtevent-dev, > uuid-dev, I've updated the git repo with various changes, including the above. Too bad the machine hosting the repos will be down for maintenance for some days since it had some disk issues corrupting the RAID.. I'll probably push it to github or sth so we can work on stuff until alioth.d.o is fixed. > Eventually this failed because I need a tarball to build a package. In > FreeIPA, this is done via > > make tarballs > > but that failed early on. Rob's suggestion was to run > > make version-update tarballs > > which seemed to fix the issue somewhat. You can also use 'uscan --download-current' to fetch the tarball. > The dpkg-buildpackage seems to be applying patches in place in the git > repo. I suspect that I should be running it with different command line > switches telling it where to put the interim files etc. > > I was able to fake out the process above by doing > > cd .. > tar -zcf freeipa_3.2.1.orig.tar.gz freeipa > > and re-running dpkg-buildpackage. That was how I identified that the > krad.h files were not in libkrb-dev. I commented them out with the > below patch: I've pushed an updated krb5 package to the freeipa team PPA (for 'trusty') that should work just fine on sid too: https://launchpad.net/~freeipa/+archive/ppa OK, I lied, the upload got rejected for some reason but I'll sort it out.. Also, something I had completely forgotten since two years ago.. xmlrpc-c in Debian is obsolete (1.16.xx), and the package is pretty much abandoned by the maintainer (who also went AWOL since) so I updated it to 1.33.06 and pushed to the PPA. Hopefully it'll get sponsored to sid soon.. > And...that was pretty much as far as I got. 
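Review bot: the `+ samba-dev,` line that replaces `libndr-dev`, `libndr-standard-dev` and `libsamba-util-dev` carries no version constraint, while the neighbouring server dependency in the same hunk does (`389-ds-base-dev (>= 1.1.3),`); since the only thing this hunk records is that the three old packages are no longer available, please add the samba version that was actually verified to ship the ndr and util headers, as `samba-dev (>= <verified-version>),`, so a build on a box with an older samba-dev fails at dependency resolution with a clear message rather than later in the compile. The commit message should also say which samba version was tested, because the quoted hunk does not.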
with the updated repo + updates from the ppa the build succeeds but tests fail, and those are harder for me to parse. Full build log at http://pastebin.com/G40VMENn > Once we get a working process we can clean up the documentation. > > Looks like we need 1.12 of Kerberos to get Radius support, worth pinging > the Debian krb supporters to see if they have a package in the works. I filed a bug about it, we'll see how it goes. Maybe 1.12 is ready soon enough. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=729291 Also, since I submitted the patches for client support I did work on them to fix the issues I found, but never sent any status update to the previous thread. IIRC there is one issue left with how to handle updating pam configs, or maybe just leave it up to the package to deal instead of ipa-client-install.. (since enabling them by default on package install isn't a huge deal) -- t From pviktori at redhat.com Mon Nov 11 15:48:41 2013 
From: pviktori at redhat.com (Petr Viktorin) Date: Mon, 11 Nov 2013 16:48:41 +0100 Subject: [Freeipa-devel] [RFE] Permissions V2 In-Reply-To: <5280F01F.7020907@redhat.com> References: <527B7D47.8030806@redhat.com> <5280F01F.7020907@redhat.com> Message-ID: <5280FC59.9050003@redhat.com> On 11/11/2013 03:56 PM, Rob Crittenden wrote: > Petr Viktorin wrote: >> Hello, >> I'm splitting up ACI work into several designs to make it more >> manageable. >> >> This one is about >> - Moving ACIs out of $SUFFIX >> - Storing all ACI data in the permission entry >> - Permission flag system for ensuring backwards compatibility >> >> Summary of the backcompat story: >> - Attributes, rights, etc. of new permissions may not be modified or >> read on old servers (not possible since the ACIs aren't in $SUFFIX) >> - Old permissions convert to new ones when they're modified on a new >> server >> - Any server can assign (or remove) both old and new permissions to >> privileges >> >> There is a bit of shuffling in API/CLI option names, since the API >> option name needs to match the LDAP attributeTypes. >> >> The WIP design document is here: >> http://www.freeipa.org/page/V3/Permissions_V2 >> > > Data in the permission entry > > I think the schema needs to be described better. I'm assuming that > ipaPermTarget is the equivalent of current targetgroup option? And > targetfilter is the equivalent of current filter option? ipaPermTarget is the raw ACI target, i.e. the DN. targetgroup is just the name. If the targetgroup option is specified, it effectively just finds the group and sets the ipaPermTarget option to its DN. And if ipaPermTarget contains a group DN, targetgroup will be populated with the cn on output (in addition to ipaPermTarget with the full DN). The next update will have examples. > If you are placing the ACI into the container based on type, then you > probably don't need the filter within the ACI (it is implicit). Sorry; that should have been target, not filter. 
The target is a bit more explicit; it has e.g. "uid=*" in addition to the user container DN, so I'd like to keep both. > In general I think some examples would be helpful. I'll add some. > Modifying and Upgrading Permissions > > Under what conditions would there be an old or a new permission and no > associated ACI? If a command failed unexpectedly, and also failed to clean up. For example if the DS shuts down at the right time in the middle of a permission-mod. > Option/Attribute mapping > > Performing a search on the filter is a good idea but realize that it has > its limits. It is possible to create a legal filter that makes no (or > little) sense. Of course. This is just a syntax check. > If type is only going to specify the location of the ACI then perhaps it > shouldn't be in the mutually exclusive list. Yes. Martin just pointed out ticket 2355_ (Allow filter and subtree to be added in same permission) to me today. I'll redo the mutual exclusivity so more things are possible together. _2355: https://fedorahosted.org/freeipa/ticket/2355 -- Petr³ From rcritten at redhat.com Mon Nov 11 20:08:19 2013 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 11 Nov 2013 15:08:19 -0500 Subject: [Freeipa-devel] Recovering from expired CA subsystem certificates in IPA 2.x Message-ID: <52813933.9070301@redhat.com> There have been a number of questions about expiring CA subsystem certificates for users running 2.x and unable to upgrade to 3.x where this is handled automatically, so I wrote http://www.freeipa.org/page/IPA_2x_Certificate_Renewal Now you'll see why we automated it. It can cause premature baldness, so beware. I ran through it twice, once to write it and once to verify that it actually did what I said and it WORKSFORME. YMMV. rob From npmccallum at redhat.com Mon Nov 11 23:17:55 2013 
From: npmccallum at redhat.com (Nathaniel McCallum) Date: Mon, 11 Nov 2013 18:17:55 -0500 Subject: [Freeipa-devel] [PATCH 0016] Add RADIUS proxy support to ipalib CLI In-Reply-To: <527CD870.9080102@redhat.com> References: <1378353973.19352.11.camel@localhost> <1379018880.2210.1.camel@localhost> <1379695123.1629.10.camel@localhost> <1380142563.2046.3.camel@localhost> <527CD870.9080102@redhat.com> Message-ID: <1384211875.5798.18.camel@localhost.localdomain> On Fri, 2013-11-08 at 13:26 +0100, Petr Viktorin wrote: > On 09/25/2013 10:56 PM, Nathaniel McCallum wrote: > > On Fri, 2013-09-20 at 12:38 -0400, Nathaniel McCallum wrote: > >> On Thu, 2013-09-12 at 16:48 -0400, Nathaniel McCallum wrote: > >>> On Thu, 2013-09-05 at 00:06 -0400, Nathaniel McCallum wrote: > >>>> patch attached > >>> > >>> Update for ./makeapi attached. > >> > >> Version 3. This should fix all the current review issues, including the > >> use of the referential integrity plugin. I had to make one schema change > >> in order to make the referential integrity modification work. Note also > >> that the command name prefix is changed from radius to radiusproxy. > > > > Version 4. This patch fixes my failure to increment the minor version > > number in the VERSION file. > > > > Nathaniel > > We've since decided that we'll carry LDAP "content" updates only in > update files, so you can leave indices.ldif & referint-conf.ldif unchanged. > Schema, on the other hand, will still be in ldif files (and soon *only* > in ldif files). Fixed. > The patch needs a rebase. Fixed. Also fixed: two other bugs I found when testing the above fixes. Tests pass. Nathaniel -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-npmccallum-0016-5-Add-RADIUS-proxy-support-to-ipalib-CLI.patch Type: text/x-patch Size: 32018 bytes Desc: not available URL: From abokovoy at redhat.com Tue Nov 12 09:41:49 2013 
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Tue, 12 Nov 2013 11:41:49 +0200 Subject: [Freeipa-devel] [PATCH] 0127 Map NT_STATUS_INVALID_PARAMETER to a most likely error cause Message-ID: <20131112094149.GI21264@redhat.com> Hi, I stumbled upon another case of clock skew breaking trust-add code and in this case we actually get a separate error code -- NT_STATUS_INVALID_PARAMETER that, along with a specific case we get it in, allows to deduce that there is a possible clock skew without parsing debug output from Samba client libraries. I made this small patch that suggests there is indeed clock skew between IPA and an AD DC. -- / Alexander Bokovoy -------------- next part -------------- >From b491bd33b4776343af6a1cd18510f1e84b54c0ee Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Tue, 12 Nov 2013 11:36:22 +0200 Subject: [PATCH 2/2] Map NT_STATUS_INVALID_PARAMETER to most likely error cause: clock skew When we get NT_STATUS_INVALID_PARAMETER in response to establish DCE RPC pipe with Kerberos, the most likely reason is clock skew. Suggest that it is so in the error message. --- ipaserver/dcerpc.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py index 86bb428..55acfa8 100644 --- a/ipaserver/dcerpc.py +++ b/ipaserver/dcerpc.py @@ -82,6 +82,9 @@ dcerpc_error_codes = { -1073741614: access_denied_error, -1073741603: errors.ValidationError(name=_('AD domain controller'), error=_('unsupported functional level')), + -1073741811: # NT_STATUS_INVALID_PARAMETER + error.RemoteRetrieveError( + reason=_('AD domain controller complains about communication sequence. It may mean unsynchronized time on both sides, for example')), } dcerpc_error_messages = { -- 1.8.3.1 From akrivoka at redhat.com Tue Nov 12 12:27:53 2013 
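Review bot: the new entry in `dcerpc_error_codes` reads `error.RemoteRetrieveError(`, but the entry two lines above uses `errors.ValidationError(...)`, so the module name is wrong and the dictionary literal will raise NameError as soon as ipaserver/dcerpc.py is imported, which breaks every trust operation, not just this error path; change it to `errors.RemoteRetrieveError(`. Two smaller points: the commit message does not cite the ticket, and since the cover letter says the clock-skew inference only holds for the specific call in which NT_STATUS_INVALID_PARAMETER is seen while this table maps the status unconditionally, keep the message wording explicitly tentative (it is, with "may mean"), and consider trimming the trailing ", for example".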
From: akrivoka at redhat.com (Ana Krivokapic) Date: Tue, 12 Nov 2013 13:27:53 +0100 Subject: [Freeipa-devel] [PATCHES] 0080-0081 Add userClass attributes for users and hosts In-Reply-To: <680482948.14270903.1383166612061.JavaMail.root@redhat.com> References: <526F84AA.3090004@redhat.com> <526F9F17.6090702@redhat.com> <1383051873.2826.13.camel@willson.li.ssimo.org> <52714977.8010101@redhat.com> <1383156680.8612.22.camel@willson.li.ssimo.org> <680482948.14270903.1383166612061.JavaMail.root@redhat.com> Message-ID: <52821EC9.4050001@redhat.com> On 10/30/2013 09:56 PM, Martin Kosek wrote: > ----- Original Message ----- 
>> From: "Simo Sorce" >> To: "Ana Krivokapic" >> Cc: "Martin Kosek" , "freeipa-devel" >> Sent: Wednesday, October 30, 2013 7:11:20 PM >> Subject: Re: [Freeipa-devel] [PATCHES] 0080-0081 Add userClass attributes for users and hosts >> >> On Wed, 2013-10-30 at 19:01 +0100, Ana Krivokapic wrote: >>> On 10/29/2013 02:04 PM, Simo Sorce wrote: >>>> On Tue, 2013-10-29 at 12:42 +0100, Martin Kosek wrote: >>>>> On 10/29/2013 10:49 AM, Ana Krivokapic wrote: >>>>>> Hello, >>>>>> >>>>>> Patch 0080 adds userClass attribute for users to IPA CLI. >>>>>> Patch 0081 adds userClass attribute for users and hosts to the web UI. >>>>>> >>>>>> Design page: >>>>>> http://www.freeipa.org/page/V3/Integration_with_a_provisioning_systems >>>>>> >>>>>> Tickets: >>>>>> https://fedorahosted.org/freeipa/ticket/3588 >>>>>> https://fedorahosted.org/freeipa/ticket/3590 >>>>> NACK to just extending posixAccount objectclass. This is a standard >>>>> objectclass >>>>> defined by RFC 2307 and we cannot just simply extend and overwrite it as >>>>> we wish. >>>> Uhh indeed this is a big No-no. >>>> >>>>> We will need to come up with some custom objectclass, like ipaUser. This >>>>> is the >>>>> reason why I wrote to ticket "A second goal of this ticket is to review >>>>> current >>>>> objectClass hierarchy of users and do changes if needed." so that we can >>>>> pick >>>>> the best option where to place it. >>>> userClass is used in ipaHost, so I guess it could be instead add to an >>>> ipa objectclass. ipaObject might be used perhaps, otherwise we'll need a >>>> new ipaUser objectlass. >>>> >>>> Simo. >>>> >>> If there are no objections to using the ipaObject objectclass, the attached >>> patches implement this approach. >> After some thinking ipaObject is more generic than just users, not sure >> that attaching userClass there is appropriate. I think we really need >> ipaUser at this point. > +1. I also do not think that ipaObject is the right OC to place the attribute, it is just too general. 
> > Let's go with the ipaUser objectClass, looking something like that: > > ( NAME 'ipaUser' AUXILIARY MUST ( uid ) MAY ( userClass ) X-ORIGIN 'IPA v3' ) > > We will need to add the OC when needed, we cannot just add it to default list. Ideally, we could also implement > https://fedorahosted.org/freeipa/ticket/3922 > in scope of this effort as this need to add additional OCs is piling up. > > Martin This implementation introduces a new objectclass 'ipaUser'. -- Regards, Ana Krivokapic Associate Software Engineer FreeIPA team Red Hat Inc. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-akrivoka-0080-03-Add-userClass-attribute-for-users.patch Type: text/x-patch Size: 13437 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-akrivoka-0081-02-WebUI-Add-userClass-attribute-to-user-and-host-pages.patch Type: text/x-patch Size: 2223 bytes Desc: not available URL: From mbasti at redhat.com Tue Nov 12 12:48:29 2013 
From: mbasti at redhat.com (Martin Basti) Date: Tue, 12 Nov 2013 13:48:29 +0100 Subject: [Freeipa-devel] [PATCHES] 0019-0020 Broken Firefox configuration files in freeipa-client package In-Reply-To: <527D032D.6020807@redhat.com> References: <1383644074.2457.3.camel@unused-4-145.brq.redhat.com> <527D032D.6020807@redhat.com> Message-ID: <1384260509.2256.1.camel@unused-4-145.brq.redhat.com> On Fri, 2013-11-08 at 16:28 +0100, Petr Vobornik wrote: > On 11/05/2013 10:34 AM, Martin Basti wrote: > > ipa-client-install now allows configuring Firefox using the > > --configure-firefox option and optionally with the --firefox-dir=INSTALL_DIR > > option. > > > > Old configuration files were removed. > > > > Patches attached. > > > > Ticket: https://fedorahosted.org/freeipa/ticket/3821 > > > > Thanks for the patch. > > 1) Remove "pref("network.negotiate-auth.delegation-uris", ".$DOMAIN");" > from the FIREFOX_CONFIG_TEMPLATE. Delegation is not a thing you want to > have enabled unless there is no other way (Web UI doesn't need it since > version 2.2 or 2.3). > > Otherwise it works fine on F19. > Removed line. Fixed patch attached. Thanks for the review. -- Martin^2 Basti -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0019.2-ipa-client-install-Added-options-to-configure-firefo.patch Type: text/x-patch Size: 11723 bytes Desc: not available URL: From mbasti at redhat.com Tue Nov 12 13:12:53 2013 
From: mbasti at redhat.com (Martin Basti) Date: Tue, 12 Nov 2013 14:12:53 +0100 Subject: [Freeipa-devel] [PATCH] 0021 Documentation error in FreeIPA guide "Setting up a Kerberized NFS Server" Message-ID: <1384261973.2256.3.camel@unused-4-145.brq.redhat.com> One liner, missing example added. https://fedorahosted.org/freeipa/ticket/3997 -- Martin^2 Basti -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0021-Added-missing-example-in-setting-up-kerberized-NFS-s.patch Type: text/x-patch Size: 1212 bytes Desc: not available URL: From akrivoka at redhat.com Tue Nov 12 13:56:06 2013 From: akrivoka at redhat.com (Ana Krivokapic) Date: Tue, 12 Nov 2013 14:56:06 +0100 Subject: [Freeipa-devel] [PATCH] 0085 Fix regression which prevents creating a winsync agreement Message-ID: <52823376.8050004@redhat.com> Hello, This patch should fix the regression introduced by the original fix for ticket https://fedorahosted.org/freeipa/ticket/3989. -- Regards, Ana Krivokapic Associate Software Engineer FreeIPA team Red Hat Inc. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-akrivoka-0085-Fix-regression-which-prevents-creating-a-winsync-agr.patch Type: text/x-patch Size: 1116 bytes Desc: not available URL: From abokovoy at redhat.com Tue Nov 12 14:03:53 2013 
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Tue, 12 Nov 2013 16:03:53 +0200 Subject: [Freeipa-devel] [PATCH] 0127 Map NT_STATUS_INVALID_PARAMETER to a most likely error cause In-Reply-To: <20131112094149.GI21264@redhat.com> References: <20131112094149.GI21264@redhat.com> Message-ID: <20131112140353.GK21264@redhat.com> On Tue, 12 Nov 2013, Alexander Bokovoy wrote: > Hi, > > I stumbled upon another case of clock skew breaking trust-add code and > in this case we actually get a separate error code -- > NT_STATUS_INVALID_PARAMETER that, along with a specific case we get it > in, allows to deduce that there is a possible clock skew without parsing > debug output from Samba client libraries. > > I made this small patch that suggests there is indeed clock skew between > IPA and an AD DC. Ticket #4024. https://fedorahosted.org/freeipa/ticket/4024 -- / Alexander Bokovoy From abokovoy at redhat.com Tue Nov 12 14:52:42 2013 
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Tue, 12 Nov 2013 16:52:42 +0200 Subject: [Freeipa-devel] Internationalized domain names in freeIPA In-Reply-To: <1383813677.16060.1.camel@unused-4-145.brq.redhat.com> References: <1383668003.8056.8.camel@unused-4-145.brq.redhat.com> <52792292.4030505@redhat.com> <5279250D.9060006@redhat.com> <1383813677.16060.1.camel@unused-4-145.brq.redhat.com> Message-ID: <20131112145242.GL21264@redhat.com> On Thu, 07 Nov 2013, Martin Basti wrote: >On Tue, 2013-11-05 at 18:04 +0100, Petr Viktorin wrote: >> On 11/05/2013 05:53 PM, John Dennis wrote: >> > On 11/05/2013 11:13 AM, Martin Basti wrote: >> >> Hi list, >> >> >> >> I'm working on ticket: https://fedorahosted.org/freeipa/ticket/3169 >> >> UTF-8 DNS names will be converted to punycode ASCII string and stored >> >> >> >> But there is a question, how to show DNS names to user (in UI or >> >> dnsrecord-show/find): >> >> * show them in punycode >> >> * convert them to UTF-8 and show >> >> * both ways >> >> * add options to show them in UTF-8 >> >> >> >> I'll be thankful for your opinion. >> >> >> > >> > We have a rule that all strings use UCS and that UCS be interchanged by >> > encoding UCS text in UTF-8. Therefore it seems to me the only time >> > punycode should ever exist is when it's necessary to encode/decode >> > punycode for dns operations. Since punycode is a standard Python codec >> > this should be trivial, you just need to determine where you do the >> > encode/decode (perhaps also validating user input can be successfully >> > encoded). >> >> In LDAP the values need to be in punycode, so bind-dyndb-ldap can >> process them. >> >> IMO all layers above that -- API, CLI, WebUI -- should use Unicode, >> except with the `--raw` flag. >> > >Thanks for your opinions. >I will do that as Petr wrote. After discussing ticket #4020 (ipasam changes for iDNS), please make sure realmdomains are always written *without* punycode. 
realmdomains are just an attribute with UTF8, it is not used by named so it will not affect DNS driver. However, keeping realmdomains values in UTF8 will help us by not requiring any modification to ipasam module. >-- >Martin^2 Basti > >_______________________________________________ >Freeipa-devel mailing list >Freeipa-devel at redhat.com >https://www.redhat.com/mailman/listinfo/freeipa-devel -- / Alexander Bokovoy From pspacek at redhat.com Tue Nov 12 15:08:20 2013 
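An added example, not FreeIPA's implementation, of the approach agreed in this thread: punycode only at the LDAP/bind-dyndb-ldap boundary, Unicode in the API, CLI and Web UI unless --raw is given, and realmdomains kept as plain UTF-8. It uses Python's built-in idna codec; the function names and the lower-casing policy are assumptions.

```python
"""Added example (not FreeIPA's implementation): IDN handling as agreed in the
thread: punycode only where LDAP/bind-dyndb-ldap needs it, Unicode elsewhere."""
import unicodedata


def dns_name_to_ldap(name):
    """Convert user input to the ASCII (punycode) form stored in LDAP for DNS.

    Python's built-in 'idna' codec runs nameprep on non-ASCII labels and adds
    the 'xn--' prefix; it raises UnicodeError for empty labels and labels over
    63 octets, which is what we want for input validation.  ASCII labels pass
    through the codec untouched, so case-fold here (an assumption of this
    example): DNS names are case-insensitive and one canonical stored form
    keeps LDAP lookups consistent.
    """
    return name.lower().encode("idna").decode("ascii")


def dns_name_for_display(stored, raw=False):
    """Return the stored (punycode) name as Unicode for API/CLI/WebUI output.

    With raw=True (the --raw flag) the stored value is returned unchanged.
    """
    if raw:
        return stored
    return stored.encode("ascii").decode("idna")


def validate_dns_name(name):
    """Return None if the name can be stored, otherwise the codec's error text."""
    try:
        dns_name_to_ldap(name)
    except UnicodeError as exc:
        return str(exc)
    return None


def realmdomain_value(name):
    """realmdomains stay UTF-8 (never punycode), as requested above: only
    normalise (NFC) and case-fold, so ipasam keeps reading plain UTF-8."""
    return unicodedata.normalize("NFC", name).lower()


if __name__ == "__main__":
    # Constructed inputs: an IDN with a trailing dot, a plain name, a bad name.
    for user_input in ("Bücher.Example.", "ipa.example.com", "a..b"):
        problem = validate_dns_name(user_input)
        if problem:
            print(f"{user_input!r}: rejected ({problem})")
            continue
        stored = dns_name_to_ldap(user_input)
        print(f"{user_input!r} -> LDAP {stored!r} -> shown as "
              f"{dns_name_for_display(stored)!r} (--raw: {stored!r})")
```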
From: pspacek at redhat.com (Petr Spacek) Date: Tue, 12 Nov 2013 16:08:20 +0100 Subject: [Freeipa-devel] [PATCH 0206] Publish zones only after all LDAP events have been processed Message-ID: <52824464.2070503@redhat.com> Hello, Publish zones only after all LDAP events have been processed. Zones are not exposed in _default DNS view until all events generated before LDAP intermediate message have been processed. This prevents BIND from returning NXDOMAIN for some names from a zone but NOERROR answers for other names in the same zone. It would be pretty confusing and not easy to debug. I use 100 zones each with 100 records for testing + I'm artificially slowing the link down to get more time for testing. Dig for any record from any zone in LDAP should return NXDOMAIN until all records and zones are loaded. My magic recipe is attached. iptables rules mark the traffic which should be slowed down (all the traffic except SSH and the communication with IP gateway) and tc.sh script configures traffic controls in Linux kernel to slow it down. -- Petr^2 Spacek -------------- next part -------------- A non-text attachment was scrubbed... Name: bind-dyndb-ldap-pspacek-0206-Publish-zones-only-after-all-LDAP-events-have-been-p.patch Type: text/x-patch Size: 5975 bytes Desc: not available URL: -------------- next part --------------
# Generated by iptables-save v1.4.19.1 on Mon Nov 11 16:42:54 2013
*mangle
:PREROUTING ACCEPT [27244:1530324]
:INPUT ACCEPT [26518:1452710]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [9916:468159437]
:POSTROUTING ACCEPT [6945:412550827]
# do not limit SSH
-A POSTROUTING -p tcp -m tcp --sport 22 -j ACCEPT
# do not limit gateway, DNS etc.
-A POSTROUTING -s 10.0.0.0/30 -j ACCEPT
-A POSTROUTING -d 10.0.0.0/30 -j ACCEPT
-A POSTROUTING -j MARK --set-xmark 0xb/0xffffffff
COMMIT
# Completed on Mon Nov 11 16:42:54 2013
# Generated by iptables-save v1.4.19.1 on Mon Nov 11 16:42:54 2013
*filter
:INPUT ACCEPT [27172:1503998]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [10331:468208656]
COMMIT
# Completed on Mon Nov 11 16:42:54 2013
-------------- next part -------------- A non-text attachment was scrubbed... Name: tc.sh Type: application/x-shellscript Size: 844 bytes Desc: not available URL: From pspacek at redhat.com Tue Nov 12 15:13:15 2013 
From: pspacek at redhat.com (Petr Spacek) Date: Tue, 12 Nov 2013 16:13:15 +0100 Subject: [Freeipa-devel] [PATCH 0202-0203] Improve performance of initial LDAP synchronization / Detect end of initial LDAP synchronization phase In-Reply-To: <1939839260.12480070.1383650984710.JavaMail.root@redhat.com> References: <5273AD7D.5020402@redhat.com> <1939839260.12480070.1383650984710.JavaMail.root@redhat.com> Message-ID: <5282458B.4000808@redhat.com> On 5.11.2013 12:29, Tomas Hozza wrote: > ----- Original Message ----- >> Hello, >> >> Improve performance of initial LDAP synchronization. >> >> Changes are not journaled and SOA serial is not incremented during initial >> LDAP synchronization. >> >> This eliminates unnecessary synchronous writes to journal and also >> unnecessary SOA serial writes to LDAP. >> >> See commit messages and comments in syncrepl.c for all the gory details. > > > ACK. > > Patches look good. AXFR and IXFR work as expected. Also BIND starts up much > faster with these patches. Good job... :) > > Regards, > > Tomas Hmm, further testing revealed that patch 203 changed the behavior a little bit: Zones were loaded from LDAP correctly, but the SOA serial wasn't changed at all. As a result, zone transfers return inconsistent results if the data in LDAP are changed when BIND was not running. Patch 203-v2 imitates the old behavior from bind-dyndb-ldap 3.x: Zone serial is bumped *once* for each zone, so any change in LDAP will be transferred correctly (with new serial). -- Petr^2 Spacek -------------- next part -------------- A non-text attachment was scrubbed... Name: bind-dyndb-ldap-pspacek-0203-2-Improve-performance-of-initial-LDAP-synchronization.patch Type: text/x-patch Size: 6789 bytes Desc: not available URL: From akrivoka at redhat.com Tue Nov 12 15:53:03 2013 
From: akrivoka at redhat.com (Ana Krivokapic)
Date: Tue, 12 Nov 2013 16:53:03 +0100
Subject: [Freeipa-devel] [PATCH] 0127 Map NT_STATUS_INVALID_PARAMETER to a most likely error cause
In-Reply-To: <20131112094149.GI21264@redhat.com>
References: <20131112094149.GI21264@redhat.com>
Message-ID: <52824EDF.8030600@redhat.com>

On 11/12/2013 10:41 AM, Alexander Bokovoy wrote:
> + -1073741811: # NT_STATUS_INVALID_PARAMETER
> + error.RemoteRetrieveError(
  ^^^^^ should be "errors"
> + reason=_('AD domain controller complains about communication sequence. It may mean unsynchronized time on both sides, for example')),

With this change, the patch works fine.

-- 
Regards,

Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.

From abokovoy at redhat.com Tue Nov 12 15:55:37 2013
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 12 Nov 2013 17:55:37 +0200
Subject: [Freeipa-devel] [PATCH] 0127 Map NT_STATUS_INVALID_PARAMETER to a most likely error cause
In-Reply-To: <52824EDF.8030600@redhat.com>
References: <20131112094149.GI21264@redhat.com> <52824EDF.8030600@redhat.com>
Message-ID: <20131112155537.GM21264@redhat.com>

On Tue, 12 Nov 2013, Ana Krivokapic wrote:
>On 11/12/2013 10:41 AM, Alexander Bokovoy wrote:
>> + -1073741811: # NT_STATUS_INVALID_PARAMETER
>> + error.RemoteRetrieveError(
> ^^^^^ should be "errors"
>> + reason=_('AD domain controller complains about communication sequence. It may mean unsynchronized time on both sides, for example')),
>
>With this change, the patch works fine.
What can you break in three lines? :)

Thanks!

Fixed and added the ticket number to commit message.
-- 
/ Alexander Bokovoy
-------------- next part --------------
From 9a245088ec6551cbbe348ba4155b0d5729c3665a Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy Date: Tue, 12 Nov 2013 11:36:22 +0200 Subject: [PATCH 2/2] Map NT_STATUS_INVALID_PARAMETER to most likely error cause: clock skew When we get NT_STATUS_INVALID_PARAMETER in response to establish DCE RPC pipe with Kerberos, the most likely reason is clock skew. Suggest that it is so in the error message. https://fedorahosted.org/freeipa/ticket/4024 --- ipaserver/dcerpc.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py index 86bb428..0dde347 100644 --- a/ipaserver/dcerpc.py +++ b/ipaserver/dcerpc.py @@ -82,6 +82,9 @@ dcerpc_error_codes = { -1073741614: access_denied_error, -1073741603: errors.ValidationError(name=_('AD domain controller'), error=_('unsupported functional level')), + -1073741811: # NT_STATUS_INVALID_PARAMETER + errors.RemoteRetrieveError( + reason=_('AD domain controller complains about communication sequence. It may mean unsynchronized time on both sides, for example')), } dcerpc_error_messages = { -- 1.8.3.1 From npmccallum at redhat.com Tue Nov 12 15:59:23 2013 From: npmccallum at redhat.com (Nathaniel McCallum) Date: Tue, 12 Nov 2013 10:59:23 -0500 Subject: [Freeipa-devel] [PATCH 0025] Add support to ipa-kdb for keyless principals Message-ID: <1384271963.1822.4.camel@localhost.localdomain> https://fedorahosted.org/freeipa/ticket/3779 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-npmccallum-0025-Add-support-to-ipa-kdb-for-keyless-principals.patch Type: text/x-patch Size: 1964 bytes Desc: not available URL: From akrivoka at redhat.com Tue Nov 12 16:05:51 2013 
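Review bot: the reason string in the new -1073741811 entry (the three added lines after the -1073741603 entry) hides the one keyword an administrator will actually search for, and "complains about communication sequence" does not tell them what to do. Suggest naming the status and the action, keeping the hedge the commit message itself uses ("most likely"), e.g. reason=_('AD domain controller returned NT_STATUS_INVALID_PARAMETER while establishing the DCE RPC pipe; this usually indicates clock skew between the IPA server and the domain controller, so check that time is synchronized on both sides'). The key itself is right: 0xC000000D read as a signed 32-bit integer is -1073741811, the same form the neighbouring keys use.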
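The patch keys its error table on -1073741811, which is the 32-bit NTSTATUS 0xC000000D (NT_STATUS_INVALID_PARAMETER) handed back by the Python bindings as a signed C int. The following is an added example, not code from FreeIPA or Samba: it normalises a status between the signed and unsigned forms, splits it into the MS-ERREF fields (severity, customer bit, facility, code) so a reviewer can check a magic constant like the one above, and attaches a hint the way the patch does. The KNOWN_STATUS hint strings are constructed for this example; the three status names and values are the documented ones.

```python
"""Decode NTSTATUS values as seen through a Python DCE RPC client.

Added example, not FreeIPA or Samba code. Samba's bindings return the 32-bit
NTSTATUS 0xC000000D as the C int -1073741811, so an error table keyed on the
status must use that signed form; this module converts between the two and
splits the value into its MS-ERREF fields. The hint texts are constructed.
"""

SEVERITY = {0: "SUCCESS", 1: "INFORMATIONAL", 2: "WARNING", 3: "ERROR"}

# Known status codes, keyed by unsigned value -> (name, constructed hint)
KNOWN_STATUS = {
    0xC000000D: ("NT_STATUS_INVALID_PARAMETER",
                 "often clock skew between the IPA server and the AD DC; check time sync"),
    0xC0000022: ("NT_STATUS_ACCESS_DENIED",
                 "credentials or trust account rejected by the DC"),
    0xC000005E: ("NT_STATUS_NO_LOGON_SERVERS",
                 "no domain controller reachable for the domain"),
}


def to_unsigned32(value):
    """Accept a signed or unsigned 32-bit value, return its unsigned form."""
    if not -(1 << 31) <= value < (1 << 32):
        raise ValueError(f"not a 32-bit NTSTATUS: {value!r}")
    return value & 0xFFFFFFFF


def to_signed32(value):
    """Return the form a C 'int' (and hence the Python bindings) yields."""
    u = to_unsigned32(value)
    return u - (1 << 32) if u & 0x80000000 else u


def decode_ntstatus(value):
    """Split an NTSTATUS into Sev(2) C(1) N(1) Facility(12) Code(16) fields."""
    u = to_unsigned32(value)
    name, hint = KNOWN_STATUS.get(u, (None, None))
    return {
        "hex": f"0x{u:08X}",
        "signed": to_signed32(u),
        "severity": SEVERITY[u >> 30],
        "customer": bool((u >> 29) & 1),
        "facility": (u >> 16) & 0xFFF,
        "code": u & 0xFFFF,
        "name": name,
        "hint": hint,
    }


def explain(value):
    """One-line message in the style of the patch: status name plus likely cause."""
    d = decode_ntstatus(value)
    label = d["name"] or f"unknown NTSTATUS {d['hex']}"
    text = f"{label} (severity {d['severity']}, facility {d['facility']}, code {d['code']})"
    return f"{text}: {d['hint']}" if d["hint"] else text


if __name__ == "__main__":
    # Same status written as the bindings return it and as Windows documents it.
    for status in (-1073741811, 0xC000000D, -1073741790, 0):
        print(explain(status))
```

Keying the table on the unsigned value and converting at lookup time would make such entries self-explanatory, but the table in dcerpc.py is keyed on what the bindings return, so the conversion here runs the other way.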
From: akrivoka at redhat.com (Ana Krivokapic)
Date: Tue, 12 Nov 2013 17:05:51 +0100
Subject: [Freeipa-devel] [PATCH] 0127 Map NT_STATUS_INVALID_PARAMETER to a most likely error cause
In-Reply-To: <20131112155537.GM21264@redhat.com>
References: <20131112094149.GI21264@redhat.com> <52824EDF.8030600@redhat.com> <20131112155537.GM21264@redhat.com>
Message-ID: <528251DF.80203@redhat.com>

On 11/12/2013 04:55 PM, Alexander Bokovoy wrote:
> On Tue, 12 Nov 2013, Ana Krivokapic wrote:
>> On 11/12/2013 10:41 AM, Alexander Bokovoy wrote:
>>> + -1073741811: # NT_STATUS_INVALID_PARAMETER
>>> + error.RemoteRetrieveError(
>> ^^^^^ should be "errors"
>>> + reason=_('AD domain controller complains about communication
>>> sequence. It may mean unsynchronized time on both sides, for example')),
>>
>> With this change, the patch works fine.
> What can you break in three lines? :)
>
> Thanks!
>
> Fixed and added the ticket number to commit message.
>

Thanks, ACK

-- 
Regards,

Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.

From npmccallum at redhat.com Tue Nov 12 20:00:06 2013
From: npmccallum at redhat.com (Nathaniel McCallum)
Date: Tue, 12 Nov 2013 15:00:06 -0500
Subject: [Freeipa-devel] [PATCH] 0085 Fix regression which prevents creating a winsync agreement
In-Reply-To: <52823376.8050004@redhat.com>
References: <52823376.8050004@redhat.com>
Message-ID: <1384286406.1822.6.camel@localhost.localdomain>

On Tue, 2013-11-12 at 14:56 +0100, Ana Krivokapic wrote:
> Hello,
>
> This patch should fix the regression introduced by the original fix for ticket
> https://fedorahosted.org/freeipa/ticket/3989.

ACK

From npmccallum at redhat.com Tue Nov 12 20:01:25 2013
From: npmccallum at redhat.com (Nathaniel McCallum)
Date: Tue, 12 Nov 2013 15:01:25 -0500
Subject: [Freeipa-devel] [PATCH] 0021 Documentation error in FreeIPA guide "Setting up a Kerberized NFS Server"
In-Reply-To: <1384261973.2256.3.camel@unused-4-145.brq.redhat.com>
References: <1384261973.2256.3.camel@unused-4-145.brq.redhat.com>
Message-ID: <1384286485.1822.7.camel@localhost.localdomain>

On Tue, 2013-11-12 at 14:12 +0100, Martin Basti wrote:
> One liner, missing example added.
>
> https://fedorahosted.org/freeipa/ticket/3997

ACK

From mkosek at redhat.com Wed Nov 13 11:22:35 2013
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 13 Nov 2013 12:22:35 +0100
Subject: [Freeipa-devel] [PATCH] 0085 Fix regression which prevents creating a winsync agreement
In-Reply-To: <1384286406.1822.6.camel@localhost.localdomain>
References: <52823376.8050004@redhat.com> <1384286406.1822.6.camel@localhost.localdomain>
Message-ID: <528360FB.3090704@redhat.com>

On 11/12/2013 09:00 PM, Nathaniel McCallum wrote:
> On Tue, 2013-11-12 at 14:56 +0100, Ana Krivokapic wrote:
>> Hello,
>>
>> This patch should fix the regression introduced by the original fix for ticket
>> https://fedorahosted.org/freeipa/ticket/3989.
>
> ACK
>

Pushed to master, ipa-3-3.

Martin

From mkosek at redhat.com Wed Nov 13 11:25:37 2013
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 13 Nov 2013 12:25:37 +0100
Subject: [Freeipa-devel] [PATCH] 0021 Documentation error in FreeIPA guide "Setting up a Kerberized NFS Server"
In-Reply-To: <1384286485.1822.7.camel@localhost.localdomain>
References: <1384261973.2256.3.camel@unused-4-145.brq.redhat.com> <1384286485.1822.7.camel@localhost.localdomain>
Message-ID: <528361B1.9050505@redhat.com>

On 11/12/2013 09:01 PM, Nathaniel McCallum wrote:
> On Tue, 2013-11-12 at 14:12 +0100, Martin Basti wrote:
>> One liner, missing example added.
>>
>> https://fedorahosted.org/freeipa/ticket/3997
>
> ACK
>

Pushed to master.

Martin

From mkosek at redhat.com Wed Nov 13 11:29:05 2013
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 13 Nov 2013 12:29:05 +0100
Subject: [Freeipa-devel] [PATCH] 0127 Map NT_STATUS_INVALID_PARAMETER to a most likely error cause
In-Reply-To: <528251DF.80203@redhat.com>
References: <20131112094149.GI21264@redhat.com> <52824EDF.8030600@redhat.com> <20131112155537.GM21264@redhat.com> <528251DF.80203@redhat.com>
Message-ID: <52836281.5010201@redhat.com>

On 11/12/2013 05:05 PM, Ana Krivokapic wrote:
> On 11/12/2013 04:55 PM, Alexander Bokovoy wrote:
>> On Tue, 12 Nov 2013, Ana Krivokapic wrote:
>>> On 11/12/2013 10:41 AM, Alexander Bokovoy wrote:
>>>> + -1073741811: # NT_STATUS_INVALID_PARAMETER
>>>> + error.RemoteRetrieveError(
>>> ^^^^^ should be "errors"
>>>> + reason=_('AD domain controller complains about communication
>>>> sequence. It may mean unsynchronized time on both sides, for example')),
>>>
>>> With this change, the patch works fine.
>> What can you break in three lines? :)
>>
>> Thanks!
>>
>> Fixed and added the ticket number to commit message.
>>
>
> Thanks, ACK
>

Pushed to master, ipa-3-3.

Martin

From akrivoka at redhat.com Wed Nov 13 12:33:47 2013
From: akrivoka at redhat.com (Ana Krivokapic)
Date: Wed, 13 Nov 2013 13:33:47 +0100
Subject: [Freeipa-devel] [PATCHES] 0080-0081 Add userClass attributes for users and hosts
In-Reply-To: <52821EC9.4050001@redhat.com>
References: <526F84AA.3090004@redhat.com> <526F9F17.6090702@redhat.com> <1383051873.2826.13.camel@willson.li.ssimo.org> <52714977.8010101@redhat.com> <1383156680.8612.22.camel@willson.li.ssimo.org> <680482948.14270903.1383166612061.JavaMail.root@redhat.com> <52821EC9.4050001@redhat.com>
Message-ID: <528371AB.1020604@redhat.com>

On 11/12/2013 01:27 PM, Ana Krivokapic wrote:
> On 10/30/2013 09:56 PM, Martin Kosek wrote:
>> ----- Original Message -----
>>> From: "Simo Sorce"
>>> To: "Ana Krivokapic"
>>> Cc: "Martin Kosek", "freeipa-devel"
>>> Sent: Wednesday, October 30, 2013 7:11:20 PM
>>> Subject: Re: [Freeipa-devel] [PATCHES] 0080-0081 Add userClass attributes for users and hosts
>>>
>>> On Wed, 2013-10-30 at 19:01 +0100, Ana Krivokapic wrote:
>>>> On 10/29/2013 02:04 PM, Simo Sorce wrote:
>>>>> On Tue, 2013-10-29 at 12:42 +0100, Martin Kosek wrote:
>>>>>> On 10/29/2013 10:49 AM, Ana Krivokapic wrote:
>>>>>>> Hello,
>>>>>>>
>>>>>>> Patch 0080 adds userClass attribute for users to IPA CLI.
>>>>>>> Patch 0081 adds userClass attribute for users and hosts to the web UI.
>>>>>>>
>>>>>>> Design page:
>>>>>>> http://www.freeipa.org/page/V3/Integration_with_a_provisioning_systems
>>>>>>>
>>>>>>> Tickets:
>>>>>>> https://fedorahosted.org/freeipa/ticket/3588
>>>>>>> https://fedorahosted.org/freeipa/ticket/3590
>>>>>> NACK to just extending posixAccount objectclass. This is a standard objectclass
>>>>>> defined by RFC 2307 and we cannot just simply extend and overwrite it as we wish.
>>>>> Uhh indeed this is a big No-no.
>>>>>
>>>>>> We will need to come up with some custom objectclass, like ipaUser. This is the
>>>>>> reason why I wrote to ticket "A second goal of this ticket is to review current
>>>>>> objectClass hierarchy of users and do changes if needed." so that we can pick
>>>>>> the best option where to place it.
>>>>> userClass is used in ipaHost, so I guess it could instead be added to an
>>>>> ipa objectclass. ipaObject might be used perhaps, otherwise we'll need a
>>>>> new ipaUser objectclass.
>>>>>
>>>>> Simo.
>>>>>
>>>> If there are no objections to using the ipaObject objectclass, the attached
>>>> patches implement this approach.
>>> After some thinking ipaObject is more generic than just users, not sure
>>> that attaching userClass there is appropriate. I think we really need
>>> ipaUser at this point.
>> +1.
>> I also do not think that ipaObject is the right OC to place the attribute, it is just too general.
>>
>> Let's go with the ipaUser objectClass, looking something like that:
>>
>> ( NAME 'ipaUser' AUXILIARY MUST ( uid ) MAY ( userClass ) X-ORIGIN 'IPA v3' )
>>
>> We will need to add the OC when needed, we cannot just add it to default list. Ideally, we could also implement
>> https://fedorahosted.org/freeipa/ticket/3922
>> in scope of this effort as this need to add additional OCs is piling up.
>>
>> Martin
> This implementation introduces a new objectclass 'ipaUser'.
>

The web UI patch needed an update as well, as we need to allow writing the userClass attribute even when the ipaUser objectclass is not (yet) set on the user object. Thanks Petr for pointing it out.

Attaching both patches again (the CLI patch has not changed since the last iteration).

-- 
Regards,

Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-akrivoka-0081-03-WebUI-Add-userClass-attribute-to-user-and-host-pages.patch
Type: text/x-patch
Size: 2344 bytes
Desc: not available
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-akrivoka-0080-03-Add-userClass-attribute-for-users.patch
Type: text/x-patch
Size: 13437 bytes
Desc: not available

From tbabej at redhat.com Wed Nov 13 13:56:23 2013
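The thread settles on a new auxiliary objectClass, ipaUser, that is added to a user entry only when needed, and the web UI had to be taught to write userClass before the objectClass is present. The following is an added example, not FreeIPA code: it parses RFC 4512 objectClass descriptions (the ipaUser definition is the one quoted in the thread; posixAccount, person and top are taken from RFC 2307 and RFC 4519; the ipaObject line is a constructed stand-in), decides whether writing an attribute to an entry needs an extra auxiliary class whose MUST attributes the entry can actually satisfy, and emits the LDIF that ldapmodify would take. The sample entries and DN are constructed.

```python
"""Pick the auxiliary objectClass an LDAP entry needs before an attribute can
be written, and emit the ldapmodify LDIF. Added example, not FreeIPA code."""
import re

# RFC 4512 objectClass descriptions. ipaUser is the definition proposed in the
# thread; top/person/posixAccount follow RFC 4519/2307; ipaObject is a
# constructed stand-in for this example.
SCHEMA_DEFINITIONS = [
    "( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )",
    "( 2.5.6.6 NAME 'person' STRUCTURAL MUST ( sn $ cn ) MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) )",
    "( 1.3.6.1.1.1.2.0 NAME 'posixAccount' AUXILIARY MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory ) MAY ( userPassword $ loginShell $ gecos $ description ) )",
    "( NAME 'ipaUser' AUXILIARY MUST ( uid ) MAY ( userClass ) X-ORIGIN 'IPA v3' )",
    "( NAME 'ipaObject' AUXILIARY MUST ( ipaUniqueID ) )",  # constructed stand-in
]

# The tokens we need; OID, DESC, X-ORIGIN and the rest are skipped.
_OC_TOKEN = re.compile(
    r"NAME\s+'(?P<name>[^']+)'"
    r"|\b(?P<kind>ABSTRACT|STRUCTURAL|AUXILIARY)\b"
    r"|\b(?P<key>MUST|MAY)\s+(?:\(\s*(?P<list>[^)]*?)\s*\)|(?P<single>[\w-]+))"
)


def parse_objectclass(definition):
    """Return {'name', 'kind', 'must', 'may'}; attribute names are lowercased
    because LDAP attribute types are case-insensitive."""
    oc = {"name": None, "kind": "STRUCTURAL", "must": set(), "may": set()}
    for m in _OC_TOKEN.finditer(definition):
        if m.group("name"):
            oc["name"] = m.group("name")
        elif m.group("kind"):
            oc["kind"] = m.group("kind")
        else:
            raw = m.group("list") if m.group("list") is not None else m.group("single")
            oc[m.group("key").lower()] = {a.strip().lower() for a in raw.split("$") if a.strip()}
    if not oc["name"]:
        raise ValueError(f"no NAME in objectClass definition: {definition}")
    return oc


SCHEMA = {oc["name"].lower(): oc for oc in map(parse_objectclass, SCHEMA_DEFINITIONS)}


def allowed_attributes(object_classes, schema=SCHEMA):
    """Union of MUST and MAY over the objectClasses an entry carries."""
    allowed = set()
    for name in object_classes:
        oc = schema[name.lower()]  # KeyError for a class the schema does not know
        allowed |= oc["must"] | oc["may"]
    return allowed


def objectclass_for_attribute(entry, attribute, schema=SCHEMA):
    """Auxiliary objectClass to add before `attribute` may be written, None if
    the entry already allows it. Raises LookupError when no auxiliary class
    supplies the attribute without demanding MUST attributes the entry lacks."""
    attribute = attribute.lower()
    if attribute in allowed_attributes(entry.get("objectClass", []), schema):
        return None
    # attributes the entry will carry once this write has gone through
    present = {k.lower() for k in entry if k.lower() != "objectclass"} | {attribute}
    candidates = sorted(
        oc["name"] for oc in schema.values()
        if oc["kind"] == "AUXILIARY"
        and attribute in oc["must"] | oc["may"]
        and oc["must"] <= present  # adding the class must not violate schema
    )
    if not candidates:
        raise LookupError(f"no usable auxiliary objectClass supplies {attribute}")
    return candidates[0]


def modify_ldif(dn, entry, attribute, value, schema=SCHEMA):
    """LDIF change record for ldapmodify; the objectClass is added only when needed."""
    needed = objectclass_for_attribute(entry, attribute, schema)
    lines = [f"dn: {dn}", "changetype: modify"]
    if needed:
        lines += ["add: objectClass", f"objectClass: {needed}", "-"]
    lines += [f"replace: {attribute}", f"{attribute}: {value}", "-"]
    return "\n".join(lines) + "\n"


# constructed sample entries
USER = {
    "objectClass": ["top", "person", "posixAccount"],
    "uid": ["alice"], "cn": ["Alice Example"], "sn": ["Example"],
    "uidNumber": ["10001"], "gidNumber": ["10001"], "homeDirectory": ["/home/alice"],
}
HOST = {"objectClass": ["top"], "fqdn": ["host1.example.test"]}

if __name__ == "__main__":
    print(modify_ldif("uid=alice,cn=users,cn=accounts,dc=example,dc=test",
                      USER, "userClass", "employee"))
```

Note the MUST check: a host entry without uid cannot receive ipaUser, which is why userClass on hosts lives in ipaHost rather than being borrowed from the user class.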
From: tbabej at redhat.com (Tomas Babej)
Date: Wed, 13 Nov 2013 14:56:23 +0100
Subject: [Freeipa-devel] [PATCH 0130] platform: Add Fedora 19 platform file
Message-ID: <52838507.8040801@redhat.com>

Hi,

Part of: https://fedorahosted.org/freeipa/ticket/3504

-- 
Tomas Babej
Associate Software Engineer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-tbabej-0130-platform-Add-Fedora-19-platform-file.patch
Type: text/x-patch
Size: 6175 bytes
Desc: not available

From tbabej at redhat.com Wed Nov 13 13:57:53 2013
From: tbabej at redhat.com (Tomas Babej)
Date: Wed, 13 Nov 2013 14:57:53 +0100
Subject: [Freeipa-devel] [PATCH 111] ipa-client-install: Publish CA certificate to systemwide store
In-Reply-To: <52453E4B.1000303@redhat.com>
References: <52416363.8050800@redhat.com> <524168C1.1050602@redhat.com> <524177C2.8030802@redhat.com> <20130924161443.GC23991@redhat.com> <52441266.1020804@redhat.com> <524413A2.2070601@redhat.com> <524448B5.405@redhat.com> <52453E4B.1000303@redhat.com>
Message-ID: <52838561.7090701@redhat.com>

On 09/27/2013 10:14 AM, Martin Kosek wrote:
> On 09/26/2013 04:46 PM, Jan Cholasta wrote:
>> On 26.9.2013 12:59, Tomas Babej wrote:
>>> On 09/26/2013 12:54 PM, Jan Cholasta wrote:
>>>> On 24.9.2013 18:14, Nalin Dahyabhai wrote:
>>>>> On Tue, Sep 24, 2013 at 01:30:10PM +0200, Jan Cholasta wrote:
>>>>>> We discussed this with Tomáš off-line and it turns out that
>>>>>> ipa-client-install fails if the CA cert is not added to
>>>>>> /etc/pki/nssdb.
>>>>>>
>>>>>> However, according to p11-kit docs it should work: . I
>>>>>> wonder what needs to be done to make it work in IPA...
>>>>>
>>>>> On my system, there's no symlink to libnssckbi.so (or the right location
>>>>> in the link farm under /etc/alternatives) in /etc/pki/nssdb, so that
>>>>> database isn't going to automatically pull in the list of trusted CAs
>>>>> that p11-kit maintains.
>>>>>
>>>>> Whether the database under /etc/pki/nssdb should automatically include
>>>>> the usual set of trust anchors is probably a different conversation.
>>>>
>>>> Thanks for the info.
>>>>
>>>> Tomáš, the patch is fine then. I have one more nitpick though: why did
>>>> you change "the default NSS database" to "the NSS database"? The
>>>> database in /etc/pki/nssdb *is* the default NSS database, so please
>>>> change it back. Also I think "systemwide CA trust database" is better
>>>> than "systemwide CA store".
>>>>
>>>> Honza
>>>>
>>> I fixed the descriptions. Updated patch attached.
>>>
>>> Tomas
>>>
>>
>> Thanks.
>>
>> There's one more thing: we should probably check if /usr/bin/update-ca-trust
>> exists before using it, for the sake of cross-distro compatibility.
>>
>
> Right. I am also thinking if this functionality should not be somehow
> integrated into the platform files so that it can be overridden in
> platforms that do not have the systemwide storage.
>
> Martin

Updated patch attached, requires my patch 130.

-- 
Tomas Babej
Associate Software Engineer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-tbabej-0111-3-ipa-client-install-Publish-CA-certificate-to-systemw.patch
Type: text/x-patch
Size: 7564 bytes
Desc: not available

From mkosek at redhat.com Wed Nov 13 14:08:20 2013
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 13 Nov 2013 15:08:20 +0100
Subject: [Freeipa-devel] [PATCHES] 0068-0070 Automember rebuild membership
In-Reply-To: <526F9C64.5000301@redhat.com>
References: <523AFC1E.4080005@redhat.com> <52407D33.6000009@redhat.com> <52458177.30301@redhat.com> <52458455.6040403@redhat.com> <52493029.7060501@redhat.com> <525D68BF.9050901@redhat.com> <526F9C64.5000301@redhat.com>
Message-ID: <528387D4.3030803@redhat.com>

On 10/29/2013 12:30 PM, Ana Krivokapic wrote:
> On 10/15/2013 06:09 PM, Ana Krivokapic wrote:
>> On 09/30/2013 10:02 AM, Petr Viktorin wrote:
>>> On 09/27/2013 03:12 PM, Martin Kosek wrote:
>>>> On 09/27/2013 03:00 PM, Jan Cholasta wrote:
>>>>> On 23.9.2013 19:41, Ana Krivokapic wrote:
>>>>>> On 09/19/2013 03:29 PM, Ana Krivokapic wrote:
>>>> ...
>>>>> Patch 69:
>>>>>
>>>>> I think the changes in the update file should be also done in the right LDIF
>>>>> files in install/share, though I don't know what is the recent consensus on this.
>>>>>
>>>>>
>>>>> Honza
>>>>>
>>>> Last time I checked, we used to do the change both in LDIF and update
>>>> file. Just to avoid the LDIF becoming obsolete.
>>>>
>>>> Martin
>>> Rob recently said his preference is to move everything from LDIF to updates,
>>> and out of the LDIF files:
>>> http://www.redhat.com/archives/freeipa-devel/2013-September/msg00106.html
>>>
>>> I would agree, having two places with the same information is redundant and
>>> error-prone.
>>>
>> Thanks Honza for the review.
>>
>> I incorporated your suggestions in this updated patchset. I attached all the
>> patches for more convenient reviewing, but only patches 68 and 70 have changed.
>>
>> I haven't done any changes in the LDIF files since the consensus seems to be not
>> to do that.
>
> Patch 70 needed a rebase, attaching the whole patchset again.
This works pretty fine, I have a few comments though:

1) 0068: the task should be run only for the users/hosts base DN - this is where we confine our automember and I think an admin may be surprised that the rebuild call does not respect it.

2) 0068: I am missing some examples for automember-rebuild in the help. At least for running rebuild for all users/hosts and for running it for a specified user/host.

3) 0068: I think that the labels/doc for the new command/options should be improved. It is not obvious that automember-rebuild can run for all users/hosts, at least from the following doc:

# ipa help automember
...
  automember-rebuild  Rebuild auto membership for specified entries.
...

Maybe we should remove the "for specified entries" part? As for the options, we now have this:

# ipa help automember-rebuild
Usage: ipa [global-options] automember-rebuild [options]

Rebuild auto membership for specified entries.
Options:
  -h, --help            show this help message and exit
  --type=['group', 'hostgroup']
                        Grouping to which the rule applies    <-- completely stray
  --users=STR           Users for which the rebuild task will be run
  --hosts=STR           Hosts for which the rebuild task will be run

We should probably also not mention specified entries here. As for option help, maybe the following would better show that it can be run for all entries?

  --type=['group', 'hostgroup']
                        Rebuild membership for all members of a grouping
  --users=STR           Rebuild membership for specified users
  --hosts=STR           Rebuild membership for specified hosts

This makes me think we may want to forbid entering both --type and --users/--hosts - i.e. either rebuild all or just selected ones - to make the selection even more clear. But I am open to discussion on this one.

4) 0069: Add Automember Export Updates Task is currently redundant. I think we should either have permissions for all 3 possible tasks or for just the one we use.
5) 0069: permissions should be of SYSTEM type as the ACI is out of SUFFIX, so that the user does not try to modify them (will be able to in future versions). Adding Petr3 to CC for a heads up on this one.

Martin

From tbabej at redhat.com Wed Nov 13 14:56:23 2013
From: tbabej at redhat.com (Tomas Babej)
Date: Wed, 13 Nov 2013 15:56:23 +0100
Subject: [Freeipa-devel] [PATCH 0113] ipa-client: Set NIS domain name in the installer
In-Reply-To: <524433AF.7050403@redhat.com>
References: <5243F02D.9020005@redhat.com> <52440A58.6000506@redhat.com> <52442878.9030702@redhat.com> <52442AD3.8020408@redhat.com> <52442C4F.8060707@redhat.com> <52442F88.40906@redhat.com> <524433AF.7050403@redhat.com>
Message-ID: <52839317.7010400@redhat.com>

On 09/26/2013 03:16 PM, Petr Viktorin wrote:
> On 09/26/2013 02:58 PM, Martin Kosek wrote:
>> On 09/26/2013 02:45 PM, Jan Cholasta wrote:
>>> On 26.9.2013 14:38, Martin Kosek wrote:
>>>> On 09/26/2013 02:28 PM, Tomas Babej wrote:
>>>>> On 09/26/2013 12:20 PM, Jan Cholasta wrote:
>> ...
>>>>> I just found --no-nisdomain more descriptive and explicit. If there is a
>>>>> consensus, I can remove it.
>>>>>
>>>>
>>>> I am not aware of any precedent that would warrant --nisdomain="".
>
> We sort of have precedent in `ipa` in multivalued options, leaving
> those empty deletes the values.
>
>>> I have seen concerns about the number of ipa-client-install options
>>> in the past (not by me).
>>
>> IMHO, we are currently OK on this front. Having options categorized in
>> sections, as we already do, helps.
>>
>>>> IMO --no-nisdomain is more consistent with rest of the options.
>>>
>>> I don't see any other --