<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    Thank you for the patch, I checked it, I just changed the permission
    name to have all first letters in uppercase like the others.<br>
    Updated merged patch attached.<br>
    <br>
    <div class="moz-cite-prefix">On 08/18/2015 05:34 PM, thierry bordaz
      wrote:<br>
    </div>
    <blockquote cite="mid:55D35097.6010902@redhat.com" type="cite">
      <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
      <div class="moz-cite-prefix">On 08/18/2015 04:13 PM, thierry
        bordaz wrote:<br>
      </div>
      <blockquote cite="mid:55D33D81.301@redhat.com" type="cite">
        <meta content="text/html; charset=utf-8"
          http-equiv="Content-Type">
        <div class="moz-cite-prefix">On 08/18/2015 04:04 PM, Martin
          Basti wrote:<br>
        </div>
        <blockquote cite="mid:55D33B6D.7050701@redhat.com" type="cite">
          <meta content="text/html; charset=utf-8"
            http-equiv="Content-Type">
          <br>
          <br>
          <div class="moz-cite-prefix">On 08/18/2015 03:49 PM, thierry
            bordaz wrote:<br>
          </div>
          <blockquote cite="mid:55D33804.6000201@redhat.com" type="cite">
            <meta content="text/html; charset=utf-8"
              http-equiv="Content-Type">
            <div class="moz-cite-prefix">On 08/18/2015 03:06 PM, Martin
              Basti wrote:<br>
            </div>
            <blockquote cite="mid:55D32DD3.3050501@redhat.com"
              type="cite">
              <meta content="text/html; charset=utf-8"
                http-equiv="Content-Type">
              <br>
              <br>
              <div class="moz-cite-prefix">On 08/18/2015 11:32 AM,
                thierry bordaz wrote:<br>
              </div>
              <blockquote cite="mid:55D2FBAC.2030801@redhat.com"
                type="cite">
                <meta content="text/html; charset=utf-8"
                  http-equiv="Content-Type">
                <div class="moz-cite-prefix">On 08/18/2015 10:02 AM,
                  Martin Basti wrote:<br>
                </div>
                <blockquote cite="mid:55D2E68F.7080601@redhat.com"
                  type="cite">
                  <meta content="text/html; charset=utf-8"
                    http-equiv="Content-Type">
                  <br>
                  <br>
                  <div class="moz-cite-prefix">On 08/18/2015 09:59 AM,
                    thierry bordaz wrote:<br>
                  </div>
                  <blockquote cite="mid:55D2E5C9.7030703@redhat.com"
                    type="cite">
                    <meta content="text/html; charset=utf-8"
                      http-equiv="Content-Type">
                    <div class="moz-cite-prefix">On 08/18/2015 09:55 AM,
                      Martin Basti wrote:<br>
                    </div>
                    <blockquote cite="mid:55D2E4E0.6010005@redhat.com"
                      type="cite">
                      <meta content="text/html; charset=utf-8"
                        http-equiv="Content-Type">
                      <br>
                      <br>
                      <div class="moz-cite-prefix">On 08/18/2015 09:50
                        AM, thierry bordaz wrote:<br>
                      </div>
                      <blockquote cite="mid:55D2E3C1.2030404@redhat.com"
                        type="cite">
                        <meta content="text/html; charset=utf-8"
                          http-equiv="Content-Type">
                        <div class="moz-cite-prefix">On 08/17/2015 08:33
                          PM, Martin Basti wrote:<br>
                        </div>
                        <blockquote
                          cite="mid:55D2290F.3030509@redhat.com"
                          type="cite">Hello, <br>
                          <br>
                          the 'user-stage' command replaces
                          'stageuser-add --from-delete' command. <br>
                          <a moz-do-not-send="true"
                            class="moz-txt-link-freetext"
                            href="https://fedorahosted.org/freeipa/ticket/5041">https://fedorahosted.org/freeipa/ticket/5041</a>
                          <br>
                          <br>
                          Thierry, can you check if I don't break
                          everything? It works for me, but one never
                          knows. <br>
                          <br>
                          Honza, can you please check the framework side?
                          I use self.api.Object.stageuser.add.* in user
                          command, I'm not sure if this is the right way,
                          but it works. <br>
                          <br>
                          Patch attached. I created it in a hurry, I'm
                          expecting NACK :D <br>
                          <br>
                          <br>
                          Just a question at the end: should I implement
                          a way Active user -> stageuser? IMHO it would
                          be implemented internally by calling 'user-del
                          --preserve' inside 'user-stage'. <br>
                          <br>
                          <br>
                          <br>
                        </blockquote>
                        <font face="Times New Roman, Times, serif">Hi
                          Martin,<br>
                          <br>
                          There is a small failure with VERSION (edewata
                          pushed his patch first ;-) )<br>
                          <br>
                        </font>
                        <blockquote><tt>git apply -v
                            /tmp/freeipa-mbasti-0297-Add-user-stage-command.patch</tt><br>
                          <tt>Checking patch API.txt...</tt><br>
                          <tt>Checking patch VERSION...</tt><br>
                          <tt>error: while searching for:</tt><br>
                          <tt>#                                                      #</tt><br>
                          <tt>########################################################</tt><br>
                          <tt>IPA_API_VERSION_MAJOR=2</tt><br>
                          <tt>IPA_API_VERSION_MINOR=148</tt><br>
                          <tt># Last change: ftweedal - add --out option
                            to user-show</tt><br>
                          <br>
                          <tt>error: patch failed: VERSION:90</tt><br>
                          <tt>error: VERSION: patch does not apply</tt><br>
                          <tt>Checking patch
                            ipalib/plugins/stageuser.py...</tt><br>
                          <tt>Checking patch ipalib/plugins/user.py...</tt><br>
                        </blockquote>
                        <font face="Times New Roman, Times, serif"><br>
                        </font> </blockquote>
                      There are many pending patches that may change
                      the VERSION number, I will change it to the right one
                      before push.<br>
                      <br>
                      Does the code look good to you?<br>
                    </blockquote>
                    <font face="Times New Roman, Times, serif">Hi
                      Martin,<br>
                      <br>
                      Just a question, there is no additional
                      permission. Did you test being 'admin' ?<br>
                      <br>
                      thanks<br>
                      thierry<br>
                    </font> </blockquote>
                  No, I didn't.<br>
                  <br>
                  I preserved all permissions, the original permissions
                  should work.<br>
                  <br>
                  Martin<br>
                </blockquote>
                <font face="Times New Roman, Times, serif">Hi Martin,<br>
                  <br>
                  Running a test script, I have an issue with<br>
                  <br>
                </font>
                <blockquote><tt>ipa stageuser-add --first=t --last=b tb1</tt><br>
                  <tt>ipa: ERROR: an internal error has occurred</tt><br>
                  <br>
                  <br>
                  <tt>[Tue Aug 18 11:16:56.440658 2015] [wsgi:error]
                    [pid 10486] ipa: INFO: [jsonserver_kerb] <a
                      moz-do-not-send="true"
                      class="moz-txt-link-abbreviated"
                      href="mailto:stageadm@ABC.IDM.LAB.ENG.BRQ.REDHAT.COM">stageadm@ABC.IDM.LAB.ENG.BRQ.REDHAT.COM</a>:
                    stageuser_add(u'tb1', givenname=u't', sn=u'b',
                    cn=u't b', displayname=u't b', initials=u'tb',
                    gecos=u't b', krbprincipalname=u'<a
                      moz-do-not-send="true"
                      class="moz-txt-link-abbreviated"
                      href="mailto:tb1@ABC.IDM.LAB.ENG.BRQ.REDHAT.COM">tb1@ABC.IDM.LAB.ENG.BRQ.REDHAT.COM</a>',
                    random=False, all=False, raw=False,
                    version=u'2.149', no_members=False): AttributeError</tt><br>
                  <tt>[Tue Aug 18 11:21:25.198021 2015] [wsgi:error]
                    [pid 10485] ipa: ERROR: non-public: AttributeError:
                    'DN' object has no attribute 'setdefault'</tt><br>
                  <tt>[Tue Aug 18 11:21:25.198053 2015] [wsgi:error]
                    [pid 10485] Traceback (most recent call last):</tt><br>
                  <tt>[Tue Aug 18 11:21:25.198058 2015] [wsgi:error]
                    [pid 10485]   File
                    "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py",
                    line 347, in wsgi_execute</tt><br>
                  <tt>[Tue Aug 18 11:21:25.198062 2015] [wsgi:error]
                    [pid 10485]     result = self.Command[name](*args,
                    **options)</tt><br>
                  <tt>[Tue Aug 18 11:21:25.198066 2015] [wsgi:error]
                    [pid 10485]   File
                    "/usr/lib/python2.7/site-packages/ipalib/frontend.py",
                    line 443, in __call__</tt><br>
                  <tt>[Tue Aug 18 11:21:25.198070 2015] [wsgi:error]
                    [pid 10485]     ret = self.run(*args, **options)</tt><br>
                  <tt>[Tue Aug 18 11:21:25.198081 2015] [wsgi:error]
                    [pid 10485]   File
                    "/usr/lib/python2.7/site-packages/ipalib/frontend.py",
                    line 760, in run</tt><br>
                  <tt>[Tue Aug 18 11:21:25.198133 2015] [wsgi:error]
                    [pid 10485]     return self.execute(*args,
                    **options)</tt><br>
                  <tt>[Tue Aug 18 11:21:25.198139 2015] [wsgi:error]
                    [pid 10485]   File
                    "/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py",
                    line 1227, in execute</tt><br>
                  <tt>[Tue Aug 18 11:21:25.198144 2015] [wsgi:error]
                    [pid 10485]     *keys, **options)</tt><br>
                  <tt>[Tue Aug 18 11:21:25.198147 2015] [wsgi:error]
                    [pid 10485]   File
                    "/usr/lib/python2.7/site-packages/ipalib/plugins/stageuser.py",
                    line 373, in pre_callback</tt><br>
                  <tt>[Tue Aug 18 11:21:25.198151 2015] [wsgi:error]
                    [pid 10485]     attrs_list, *keys, **options)</tt><br>
                  <tt>[Tue Aug 18 11:21:25.198155 2015] [wsgi:error]
                    [pid 10485]   File
                    "/usr/lib/python2.7/site-packages/ipalib/plugins/stageuser.py",
                    line 277, in set_default_values_pre_callback</tt><br>
                  <tt>[Tue Aug 18 11:21:25.198159 2015] [wsgi:error]
                    [pid 10485]    
                    entry_attrs.setdefault('description', [])</tt><br>
                  <tt>[Tue Aug 18 11:21:25.198163 2015] [wsgi:error]
                    [pid 10485] AttributeError: 'DN' object has no
                    attribute 'setdefault'</tt><br>
                  <tt>[Tue Aug 18 11:21:25.199276 2015] [wsgi:error]
                    [pid 10485] ipa: INFO: [jsonserver_session] <a
                      moz-do-not-send="true"
                      class="moz-txt-link-abbreviated"
                      href="mailto:stageadm@ABC.IDM.LAB.ENG.BRQ.REDHAT.COM">stageadm@ABC.IDM.LAB.ENG.BRQ.REDHAT.COM</a>:
                    stageuser_add(u'tb1', givenname=u't', sn=u'b',
                    cn=u't b', displayname=u't b', initials=u'tb',
                    gecos=u't b', krbprincipalname=u'<a
                      moz-do-not-send="true"
                      class="moz-txt-link-abbreviated"
                      href="mailto:tb1@ABC.IDM.LAB.ENG.BRQ.REDHAT.COM">tb1@ABC.IDM.LAB.ENG.BRQ.REDHAT.COM</a>',
                    random=False, all=False, raw=False,
                    version=u'2.149', no_members=False): AttributeError</tt><br>
                </blockquote>
                <font face="Times New Roman, Times, serif"><br>
                  The new set_default_values_pre_callback cannot use
                  the set_default function. It is not clear why.
                  entry_attrs is one of the pre_callback parameters.<br>
                  Should </font><font face="Times New Roman, Times,
                  serif">set_default_values_pre_callback be a
                  subfunction of pre_callback ?<br>
                  <br>
                  <br>
                  thanks<br>
                  thierry<br>
                </font> </blockquote>
              <br>
              Thank you,<br>
              <br>
              updated patch attached.<br>
            </blockquote>
            <br>
            <font face="Times New Roman, Times, serif">So far, tests are
              ok.<br>
              Just one comment, the 'user-stage' command description is
              wrong, as it moves an active user into the staged area<br>
              <br>
            </font><tt>user-stage                             Move
              deleted user into staged area</tt><font face="Times New
              Roman, Times, serif"><br>
            </font> </blockquote>
          No, it's not doing that.<br>
          <br>
          user-stage is a replacement for stageuser-add --from-delete, it
          doesn't work for active users.<br>
          The support to move an active user to the staged area is an RFE, I did
          not implement it yet, and I don't know if this will fit the IPA
          4.2 timeframe<br>
        </blockquote>
        <font face="Times New Roman, Times, serif">Ok. thanks. <br>
          Sure user-stage (active->stage) will not fit into IPA 4.2
          timeframe.<br>
          <br>
          Running the tests being admin, there is no problem.<br>
          I have a permission issue when running as 'Stage
          administrator'. The 'delete' entry being moved to the 'stage'
          container, we need a special permission for it.<br>
        </font></blockquote>
      <br>
      <font face="Times New Roman, Times, serif">Hello, <br>
        <br>
        I tested this new permission to  grant 'Stage user
        administrator' to do a 'user-stage'.<br>
        Is it ok to add it to your patch ?<br>
        <br>
        thanks<br>
        thierry<br>
      </font>
      <blockquote cite="mid:55D33D81.301@redhat.com" type="cite"><font
          face="Times New Roman, Times, serif"> <br>
        </font><tt>[root@vm-141 ~]# ipa user-del ttest1 --preserve</tt><tt><br>
        </tt><tt>---------------------</tt><tt><br>
        </tt><tt>Deleted user "ttest1"</tt><tt><br>
        </tt><tt>---------------------</tt><tt><br>
        </tt><tt><br>
        </tt><tt>[root@vm-141 ~]# ipa user-stage ttest1</tt><tt><br>
        </tt><tt>ipa: ERROR: Insufficient access: Insufficient 'moddn'
          privilege to move an entry to 'cn=staged
users,cn=accounts,cn=provisioning,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com'.</tt><tt><br>
          <br>
        </tt><tt>[root@vm-141 ~]# klist</tt><tt><br>
        </tt><tt>Ticket cache: KEYRING:persistent:0:krb_ccache_hw3P667</tt><tt><br>
        </tt><tt>Default principal: <a moz-do-not-send="true"
            class="moz-txt-link-abbreviated"
            href="mailto:stageadm@ABC.IDM.LAB.ENG.BRQ.REDHAT.COM">stageadm@ABC.IDM.LAB.ENG.BRQ.REDHAT.COM</a></tt><tt><br>
        </tt><tt><br>
        </tt><tt>Valid starting       Expires              Service
          principal</tt><tt><br>
        </tt><tt>08/18/2015 15:45:43  08/19/2015 15:45:42  <a
            moz-do-not-send="true" class="moz-txt-link-abbreviated"
href="mailto:ldap/vm-141.abc.idm.lab.eng.brq.redhat.com@ABC.IDM.LAB.ENG.BRQ.REDHAT.COM">ldap/vm-141.abc.idm.lab.eng.brq.redhat.com@ABC.IDM.LAB.ENG.BRQ.REDHAT.COM</a></tt><tt><br>
        </tt><tt>08/18/2015 15:45:42  08/19/2015 15:45:42  <a
            moz-do-not-send="true" class="moz-txt-link-abbreviated"
href="mailto:krbtgt/ABC.IDM.LAB.ENG.BRQ.REDHAT.COM@ABC.IDM.LAB.ENG.BRQ.REDHAT.COM">krbtgt/ABC.IDM.LAB.ENG.BRQ.REDHAT.COM@ABC.IDM.LAB.ENG.BRQ.REDHAT.COM</a></tt><tt><br>
        </tt><tt><br>
        </tt><tt>[root@vm-141 ~]# kinit admin</tt><tt><br>
        </tt><tt>Password for <a moz-do-not-send="true"
            class="moz-txt-link-abbreviated"
            href="mailto:admin@ABC.IDM.LAB.ENG.BRQ.REDHAT.COM">admin@ABC.IDM.LAB.ENG.BRQ.REDHAT.COM</a>:
        </tt><tt><br>
        </tt><tt>[root@vm-141 ~]# ipa user-stage ttest1</tt><tt><br>
        </tt><tt>----------------------------</tt><tt><br>
        </tt><tt>Staged user account "ttest1"</tt><tt><br>
        </tt><tt>----------------------------</tt><tt><br>
        </tt><tt>[root@vm-141 ~]# ipa stageuser-find ttest1</tt><tt><br>
        </tt><tt>--------------</tt><tt><br>
        </tt><tt>1 user matched</tt><tt><br>
        </tt><tt>--------------</tt><tt><br>
        </tt><tt>  User login: ttest1</tt><tt><br>
        </tt><tt>  First name: t</tt><tt><br>
        </tt><tt>  Last name: test1</tt><tt><br>
        </tt><tt>  Home directory: /home/ttest1</tt><tt><br>
        </tt><tt>  Login shell: /bin/sh</tt><tt><br>
        </tt><tt>  Email address: <a moz-do-not-send="true"
            class="moz-txt-link-abbreviated"
            href="mailto:ttest1@abc.idm.lab.eng.brq.redhat.com">ttest1@abc.idm.lab.eng.brq.redhat.com</a></tt><tt><br>
        </tt><tt>  UID: 1814000011</tt><tt><br>
        </tt><tt>  GID: 1814000011</tt><tt><br>
        </tt><tt>  Password: False</tt><tt><br>
        </tt><tt>  Kerberos keys available: False</tt><tt><br>
        </tt><tt>----------------------------</tt><tt><br>
        </tt><tt>Number of entries returned 1</tt><tt><br>
        </tt><tt>----------------------------</tt><font face="Times New
          Roman, Times, serif"><br>
          <br>
          <br>
        </font> </blockquote>
      <br>
    </blockquote>
    <br>
  </body>
</html>