<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 08/22/2013 06:13 PM, Tomas Babej
wrote:<br>
</div>
<blockquote cite="mid:5216389F.1070907@redhat.com" type="cite">
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
<div class="moz-cite-prefix">On 08/20/2013 04:14 PM, Ana
Krivokapic wrote:<br>
</div>
<blockquote cite="mid:521379DD.5050607@redhat.com" type="cite">
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
<div class="moz-cite-prefix">On 08/09/2013 05:35 PM, Tomas Babej
wrote:<br>
</div>
<blockquote cite="mid:52050C3E.4020101@redhat.com" type="cite">
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
<div class="moz-cite-prefix">On 08/09/2013 04:03 PM, Ana
Krivokapic wrote:<br>
</div>
<blockquote cite="mid:5204F6CC.2090503@redhat.com" type="cite">
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
<div class="moz-cite-prefix">On 08/09/2013 09:39 AM, Tomas
Babej wrote:<br>
</div>
<blockquote cite="mid:52049C9F.6080706@redhat.com"
type="cite">
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
<div class="moz-cite-prefix">On 08/08/2013 04:09 PM, Ana
Krivokapic wrote:<br>
</div>
<blockquote cite="mid:5203A683.4040907@redhat.com"
type="cite">
<pre wrap="">Hello,
This patch should fix the failing unit tests.
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://fedorahosted.org/freeipa/ticket/3852">https://fedorahosted.org/freeipa/ticket/3852</a>
</pre>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Freeipa-devel mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:Freeipa-devel@redhat.com">Freeipa-devel@redhat.com</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-devel">https://www.redhat.com/mailman/listinfo/freeipa-devel</a></pre>
</blockquote>
<br>
There are two tests failing on my machine when running the
tests after ipa-adtrust-install with your patch applied:<br>
</blockquote>
<br>
You say there are two tests failing but I only see one
below. <br>
<br>
</blockquote>
<br>
That was just debris from trying to break your patch too much,
one of my comments rendered invalid in the end :)<br>
<br>
<blockquote cite="mid:5204F6CC.2090503@redhat.com" type="cite">
<blockquote cite="mid:52049C9F.6080706@redhat.com"
type="cite"> <br>
======================================================================<br>
FAIL: test_group[24]: group_find: Search for POSIX groups<br>
----------------------------------------------------------------------<br>
Traceback (most recent call last):<br>
[...]<br>
AssertionError: assert_deepequal: dict keys mismatch.<br>
test_group[24]: group_find: Search for POSIX groups<br>
missing keys = []<br>
extra keys = ['ipantsecurityidentifier']<br>
expected = {'dn':
ipapython.dn.DN('cn=editors,cn=groups,cn=accounts,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com'),
'cn': [u'editors'], 'objectclass': Fuzzy(None, None,
<function <lambda> at 0x3768c08>),
'gidnumber': [Fuzzy('^\\d+$', <type 'basestring'>,
None)], 'ipauniqueid':
[Fuzzy('^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$',
<type 'unicode'>, None)], 'description': [u'Limited
admins who can edit other users']}<br>
got = {'dn':
u'cn=editors,cn=groups,cn=accounts,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com',
'cn': (u'editors',), 'objectclass': (u'top',
u'groupofnames', u'posixgroup', u'ipausergroup',
u'ipaobject', u'nestedGroup', u'ipantgroupattrs'),
'ipantsecurityidentifier':
(u'S-1-5-21-1457515837-642396627-3509099663-1002',),
'gidnumber': (u'1804600002',), 'ipauniqueid':
(u'7c6e1672-0039-11e3-9567-001a4a2221fb',), 'description':
(u'Limited admins who can edit other users',)}<br>
path = ('result', 1)<br>
<br>
I think you need the wrap the dictionary discribing the
editor's group entry with the add_sid wrapper, and its
objectclasses using the add_oc wrapper.<br>
<br>
[tbabej@vm-139 freeipa]$ git diff<br>
diff --git a/ipatests/test_xmlrpc/test_group_plugin.py
b/ipatests/test_xmlrpc/test_group_plugin.py<br>
index d380fe5..14c70cd 100644<br>
--- a/ipatests/test_xmlrpc/test_group_plugin.py<br>
+++ b/ipatests/test_xmlrpc/test_group_plugin.py<br>
@@ -447,14 +447,15 @@ class test_group(Declarative):<br>
objectclasses.posixgroup,
u'ipantgroupattrs')),<br>
'ipauniqueid': [fuzzy_uuid],<br>
}),<br>
- {<br>
+ add_sid({<br>
'dn': get_group_dn('editors'),<br>
'gidnumber': [fuzzy_digits],<br>
'cn': [u'editors'],<br>
'description': [u'Limited admins
who can edit other users'],<br>
- 'objectclass':
fuzzy_set_ci(objectclasses.posixgroup),<br>
+ 'objectclass':
fuzzy_set_ci(add_oc(<br>
+ objectclasses.posixgroup,
u'ipantgroupattrs')),<br>
'ipauniqueid': [fuzzy_uuid],<br>
- },<br>
+ }),<br>
dict(<br>
dn=get_group_dn(group1),<br>
cn=[group1],<br>
<br>
<br>
These changes were sufficient for me to have the unit test
suite run without errors.<br>
<pre class="moz-signature" cols="72">--
Tomas Babej
Associate Software Engeneer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org</pre>
</blockquote>
<br>
I retested the patch and the tests are passing in my setup.
The editors group definitely does not have the
ipantsecurityidentifier attribute nor the ipantgroupattrs
objectclass:<br>
<br>
[akrivoka@vm-181 freeipa]$ ipa group-show editors --all<br>
dn:
cn=editors,cn=groups,cn=accounts,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com<br>
Group name: editors<br>
Description: Limited admins who can edit other users<br>
GID: 1977000002<br>
ipauniqueid: 91b3597e-00f3-11e3-92ae-001a4a22217b<br>
objectclass: top, groupofnames, posixgroup, ipausergroup,
ipaobject, nestedGroup<br>
<br>
What I noticed though, is that if I delete and re-create the
editors group (after ipa-adtrust-install has been run), it
then gets the above mentioned attribute and objectclass.
Maybe you did some similar manipulation in your setup,
resulting in the test failing?<br>
<br>
</blockquote>
I think it does depend on whether you have ran the ipa-sidgen
task when running the ipa-adtrust-install.<br>
<br>
Do you think we can cover both cases here?<br>
<br>
<blockquote cite="mid:5204F6CC.2090503@redhat.com" type="cite">
<br>
<pre class="moz-signature" cols="80">--
Regards,
Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.</pre>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Tomas Babej
Associate Software Engeneer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org</pre>
</blockquote>
<br>
Updated patch should detect the situation when ipa-sidgen task
was run, and add the required attribute/objectclass accordingly.<br>
<br>
<pre class="moz-signature" cols="80">--
Regards,
Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.</pre>
</blockquote>
<br>
+<br>
+<br>
+class sidgen_was_run(Command):<br>
+ NO_CLI = True<br>
+<br>
+ __doc__ = _('Determine whether ipa-adtrust-install has been
run with '<br>
+ 'sidgen task')<br>
+<br>
+ def execute(self, *keys, **options):<br>
+ ldap = self.api.Backend.ldap2<br>
+ editors_dn = DN(<br>
+ ('cn', 'editors'),<br>
+ ('cn', 'groups'),<br>
+ ('cn', 'accounts'),<br>
+ api.env.basedn<br>
+ )<br>
+<br>
+ try:<br>
+ editors_entry = ldap.get_entry(editors_dn)<br>
+ except errors.NotFound:<br>
+ return dict(result=False)<br>
+<br>
+ attr = editors_entry.get('ipaNTSecurityIdentifier')<br>
+ if not attr:<br>
+ return dict(result=False)<br>
+<br>
+ return dict(result=True)<br>
+<br>
+api.register(sidgen_was_run)<br>
<br>
The problem with this detection is that it uses the editors group,
which might not exist,<br>
and in such case, it might return improper result (false negative
for IPA server without<br>
editors group).<br>
<br>
It works well for our use case in the unit tests, since other unit
tests expect that this<br>
group exists as well. However, if we're adding a new command to
the API, I'd prefer<br>
something more reliable, so that it can be reused it the future.<br>
<br>
Unfortunately, I was unable to find any way how to detect this.
Running ipa-sidgen-task<br>
on the server leaves no permanent trace in the LDAP, and we setup
the task configuration<br>
in either case.<br>
<br>
So without setting a flag somewhere (which would be IMHO overkill
for this use case)<br>
I guess we're left with the approach implemented in the patch.<br>
<br>
I'm personally OK with that, but we should include docstrings that
point out that this<br>
command might provide false negatives in case the editors group
does not exist.<br>
<br>
If nobody has objections, with the documentation improved this
patch has an ACK<br>
from me.<br>
<pre class="moz-signature" cols="72">--
Tomas Babej
Associate Software Engeneer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org</pre>
</blockquote>
<br>
I added a docstring explaining that the command depends on the
presence of "editors" group. I also changed the behavior so the
command now raises an exception if the "editors" group does not
exist, instead of returning false negative.<br>
<br>
Also, please note that this command is hidden from the CLI (it can
only be called using the API).<br>
<br>
Updated patch is attached.<br>
<br>
<pre class="moz-signature" cols="80">--
Regards,
Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.</pre>
</body>
</html>