<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 08/09/2013 05:35 PM, Tomas Babej
wrote:<br>
</div>
<blockquote cite="mid:52050C3E.4020101@redhat.com" type="cite">
<div class="moz-cite-prefix">On 08/09/2013 04:03 PM, Ana
Krivokapic wrote:<br>
</div>
<blockquote cite="mid:5204F6CC.2090503@redhat.com" type="cite">
<div class="moz-cite-prefix">On 08/09/2013 09:39 AM, Tomas Babej
wrote:<br>
</div>
<blockquote cite="mid:52049C9F.6080706@redhat.com" type="cite">
<div class="moz-cite-prefix">On 08/08/2013 04:09 PM, Ana
Krivokapic wrote:<br>
</div>
<blockquote cite="mid:5203A683.4040907@redhat.com" type="cite">
<pre wrap="">Hello,
This patch should fix the failing unit tests.
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://fedorahosted.org/freeipa/ticket/3852">https://fedorahosted.org/freeipa/ticket/3852</a>
</pre>
</blockquote>
<br>
There are two tests failing on my machine when running the
tests after ipa-adtrust-install with your patch applied:<br>
</blockquote>
<br>
You say there are two tests failing but I only see one below. <br>
<br>
</blockquote>
<br>
That was just debris from trying to break your patch too much, one
of my comments rendered invalid in the end :)<br>
<br>
<blockquote cite="mid:5204F6CC.2090503@redhat.com" type="cite">
<blockquote cite="mid:52049C9F.6080706@redhat.com" type="cite">
<br>
======================================================================<br>
FAIL: test_group[24]: group_find: Search for POSIX groups<br>
----------------------------------------------------------------------<br>
Traceback (most recent call last):<br>
[...]<br>
AssertionError: assert_deepequal: dict keys mismatch.<br>
test_group[24]: group_find: Search for POSIX groups<br>
missing keys = []<br>
extra keys = ['ipantsecurityidentifier']<br>
expected = {'dn':
ipapython.dn.DN('cn=editors,cn=groups,cn=accounts,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com'),
'cn': [u'editors'], 'objectclass': Fuzzy(None, None,
&lt;function &lt;lambda&gt; at 0x3768c08&gt;), 'gidnumber':
[Fuzzy('^\\d+$', &lt;type 'basestring'&gt;, None)],
'ipauniqueid':
[Fuzzy('^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$',
&lt;type 'unicode'&gt;, None)], 'description': [u'Limited
admins who can edit other users']}<br>
got = {'dn':
u'cn=editors,cn=groups,cn=accounts,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com',
'cn': (u'editors',), 'objectclass': (u'top', u'groupofnames',
u'posixgroup', u'ipausergroup', u'ipaobject', u'nestedGroup',
u'ipantgroupattrs'), 'ipantsecurityidentifier':
(u'S-1-5-21-1457515837-642396627-3509099663-1002',),
'gidnumber': (u'1804600002',), 'ipauniqueid':
(u'7c6e1672-0039-11e3-9567-001a4a2221fb',), 'description':
(u'Limited admins who can edit other users',)}<br>
path = ('result', 1)<br>
<br>
I think you need to wrap the dictionary describing the
editor's group entry with the add_sid wrapper, and its
objectclasses using the add_oc wrapper.<br>
<br>
[tbabej@vm-139 freeipa]$ git diff<br>
diff --git a/ipatests/test_xmlrpc/test_group_plugin.py
b/ipatests/test_xmlrpc/test_group_plugin.py<br>
index d380fe5..14c70cd 100644<br>
--- a/ipatests/test_xmlrpc/test_group_plugin.py<br>
+++ b/ipatests/test_xmlrpc/test_group_plugin.py<br>
@@ -447,14 +447,15 @@ class test_group(Declarative):<br>
objectclasses.posixgroup,
u'ipantgroupattrs')),<br>
'ipauniqueid': [fuzzy_uuid],<br>
}),<br>
- {<br>
+ add_sid({<br>
'dn': get_group_dn('editors'),<br>
'gidnumber': [fuzzy_digits],<br>
'cn': [u'editors'],<br>
'description': [u'Limited admins who
can edit other users'],<br>
- 'objectclass':
fuzzy_set_ci(objectclasses.posixgroup),<br>
+ 'objectclass': fuzzy_set_ci(add_oc(<br>
+ objectclasses.posixgroup,
u'ipantgroupattrs')),<br>
'ipauniqueid': [fuzzy_uuid],<br>
- },<br>
+ }),<br>
dict(<br>
dn=get_group_dn(group1),<br>
cn=[group1],<br>
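</blockquote>
</blockquote>
</blockquote>
Review bot: Missing check on the 'cn': [u'editors'] entry: add_sid({ and
add_oc(objectclasses.posixgroup, u'ipantgroupattrs') are applied as if this
group always carries a SID, and nothing in the hunk shows either helper
checking whether this particular entry was ever assigned one. Unlike the
group1 entry in the trailing context, editors is referenced by a fixed name,
which suggests an entry that exists before the test runs, so its attributes
depend on how the server was set up; on a server where it has no
ipantsecurityidentifier, the failure flips from 'extra keys' to 'missing
keys'. Derive the expectation for this entry from the server state (for
example, whether SID generation covered existing entries) and add a comment
beside the wrapper explaining why editors is handled differently.<br>
<br>
<blockquote cite="mid:52050C3E.4020101@redhat.com" type="cite">
<blockquote cite="mid:5204F6CC.2090503@redhat.com" type="cite">
<blockquote cite="mid:52049C9F.6080706@redhat.com" type="cite">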
<br>
<br>
These changes were sufficient for me to have the unit test
suite run without errors.<br>
<pre class="moz-signature" cols="72">--
Tomas Babej
Associate Software Engineer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org</pre>
</blockquote>
<br>
I retested the patch and the tests are passing in my setup. The
editors group definitely does not have the
ipantsecurityidentifier attribute nor the ipantgroupattrs
objectclass:<br>
<br>
[akrivoka@vm-181 freeipa]$ ipa group-show editors --all<br>
dn:
cn=editors,cn=groups,cn=accounts,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com<br>
Group name: editors<br>
Description: Limited admins who can edit other users<br>
GID: 1977000002<br>
ipauniqueid: 91b3597e-00f3-11e3-92ae-001a4a22217b<br>
objectclass: top, groupofnames, posixgroup, ipausergroup,
ipaobject, nestedGroup<br>
<br>
What I noticed though, is that if I delete and re-create the
editors group (after ipa-adtrust-install has been run), it then
gets the above mentioned attribute and objectclass. Maybe you
did some similar manipulation in your setup, resulting in the
test failing?<br>
<br>
</blockquote>
I think it does depend on whether you have run the ipa-sidgen task
when running the ipa-adtrust-install.<br>
<br>
Do you think we can cover both cases here?<br>
<br>
<blockquote cite="mid:5204F6CC.2090503@redhat.com" type="cite"> <br>
<pre class="moz-signature" cols="80">--
Regards,
Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.</pre>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Tomas Babej
Associate Software Engineer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org</pre>
</blockquote>
<br>
Updated patch should detect the situation when ipa-sidgen task was
run, and add the required attribute/objectclass accordingly.<br>
<br>
<pre class="moz-signature" cols="80">--
Regards,
Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.</pre>
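<br>
The state-dependent expectation discussed in this thread, as an added sketch
that is not part of the original messages or of the FreeIPA test suite.
add_sid and add_oc borrow their names from the quoted diff, but their bodies,
the ServerState class, the preexisting flag and the sample entries are
assumptions constructed for illustration:<br>
<pre>
```python
# Added illustration: helper names come from the quoted diff, bodies are assumed.
SID_ATTR = 'ipantsecurityidentifier'
SID_OC = 'ipantgroupattrs'
POSIX_GROUP_OCS = ['top', 'groupofnames', 'posixgroup', 'ipausergroup',
                   'ipaobject', 'nestedGroup']

class ServerState:
    """Hypothetical stand-in for facts a test run would query from the server."""
    def __init__(self, adtrust_enabled, sidgen_was_run):
        self.adtrust_enabled = adtrust_enabled
        self.sidgen_was_run = sidgen_was_run

def expects_sid(state, preexisting):
    # Behaviour reported in the thread: an entry created after
    # ipa-adtrust-install carries a SID, while an entry that already existed
    # carries one only if the ipa-sidgen task was run.
    if not state.adtrust_enabled:
        return False
    return state.sidgen_was_run or not preexisting

def add_sid(entry, state, preexisting=False):
    entry = dict(entry)
    if expects_sid(state, preexisting):
        entry[SID_ATTR] = 'FUZZY_SID'  # placeholder for a fuzzy SID matcher
    return entry

def add_oc(ocs, oc, state, preexisting=False):
    return ocs + [oc] if expects_sid(state, preexisting) else list(ocs)

def expected_editors(state):
    ocs = add_oc(POSIX_GROUP_OCS, SID_OC, state, preexisting=True)
    return add_sid({'cn': ['editors'], 'objectclass': ocs},
                   state, preexisting=True)

def key_mismatch(expected, got):
    """Return (missing, extra) keys, as the failing assertion reports them."""
    return sorted(set(expected) - set(got)), sorted(set(got) - set(expected))

# Constructed sample entries shaped like the 'got' values in the thread.
GOT_PLAIN = {'cn': ['editors'], 'objectclass': POSIX_GROUP_OCS}
GOT_WITH_SID = {'cn': ['editors'], 'objectclass': POSIX_GROUP_OCS + [SID_OC],
                SID_ATTR: 'S-1-5-21-1-2-3-1002'}  # constructed SID

if __name__ == '__main__':
    for state, got in [(ServerState(True, False), GOT_PLAIN),
                       (ServerState(True, True), GOT_WITH_SID)]:
        print(key_mismatch(expected_editors(state), got))
```
</pre>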
</body>
</html>