<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<br>
<br>
<div class="moz-cite-prefix">On 08/20/2015 11:27 AM, Jan Cholasta
wrote:<br>
</div>
<blockquote cite="mid:55D59D9B.3060409@redhat.com" type="cite">On
19.8.2015 10:57, Jan Cholasta wrote:
<br>
<blockquote type="cite">On 19.8.2015 10:47, thierry bordaz wrote:
<br>
<blockquote type="cite">On 08/19/2015 10:34 AM, Jan Cholasta
wrote:
<br>
<blockquote type="cite">On 19.8.2015 09:39, thierry bordaz
wrote:
<br>
<blockquote type="cite">Hi,
<br>
<br>
It worked like a charm.
<br>
I had a problem committing it because of the VERSION stuff
that changed.
<br>
<br>
Except for that (changing VERSION), the fix looks good to me
<br>
<br>
thanks
<br>
thierry
<br>
On 08/18/2015 07:21 PM, Martin Basti wrote:
<br>
<blockquote type="cite">Thank you for the patch, I checked
it, I just changed the permission name
<br>
to have all first letters in uppercase like the others.
<br>
Updated merged patch attached.
<br>
<br>
On 08/18/2015 05:34 PM, thierry bordaz wrote:
<br>
<blockquote type="cite">On 08/18/2015 04:13 PM, thierry
bordaz wrote:
<br>
<blockquote type="cite">On 08/18/2015 04:04 PM, Martin
Basti wrote:
<br>
<blockquote type="cite">
<br>
<br>
On 08/18/2015 03:49 PM, thierry bordaz wrote:
<br>
<blockquote type="cite">On 08/18/2015 03:06 PM,
Martin Basti wrote:
<br>
<blockquote type="cite">
<br>
<br>
On 08/18/2015 11:32 AM, thierry bordaz wrote:
<br>
<blockquote type="cite">On 08/18/2015 10:02
AM, Martin Basti wrote:
<br>
<blockquote type="cite">
<br>
<br>
On 08/18/2015 09:59 AM, thierry bordaz
wrote:
<br>
<blockquote type="cite">On 08/18/2015
09:55 AM, Martin Basti wrote:
<br>
<blockquote type="cite">
<br>
<br>
On 08/18/2015 09:50 AM, thierry bordaz
wrote:
<br>
<blockquote type="cite">On 08/17/2015
08:33 PM, Martin Basti wrote:
<br>
<blockquote type="cite">Hello,
<br>
<br>
the 'user-stage' command replaces
'stageuser-add
<br>
--from-delete' command.
<br>
<a class="moz-txt-link-freetext" href="https://fedorahosted.org/freeipa/ticket/5041">https://fedorahosted.org/freeipa/ticket/5041</a>
<br>
<br>
Thierry, can you check if I don't
break everything? It works
<br>
for me, but one never knows.
<br>
<br>
Honza can you please check the
framework side? I use
<br>
self.api.Object.stageuser.add.* in
user command, I'm not
<br>
sure if this is right way, but it
works.
<br>
<br>
Patch attached. I created it in
hurry, I'm expecting
<br>
NACK :D
<br>
<br>
<br>
Just a question at the end: should I
implement a way Active
<br>
user -> stageuser? IMHO it
would be implemented internally
<br>
by calling 'user-del --preserve'
inside 'user-stage'.
<br>
<br>
<br>
<br>
</blockquote>
Hi Martin,
<br>
<br>
There is a small failure with
VERSION (edewata pushed his
<br>
patch first ;-) )
<br>
<br>
git apply -v
<br>
/tmp/freeipa-mbasti-0297-Add-user-stage-command.patch
<br>
Checking patch API.txt...
<br>
Checking patch VERSION...
<br>
error: while searching for:
<br>
# #
<br>
########################################################
<br>
IPA_API_VERSION_MAJOR=2
<br>
IPA_API_VERSION_MINOR=148
<br>
# Last change: ftweedal - add
--out option to user-show
<br>
<br>
error: patch failed: VERSION:90
<br>
error: VERSION: patch does not
apply
<br>
Checking patch
ipalib/plugins/stageuser.py...
<br>
Checking patch
ipalib/plugins/user.py...
<br>
<br>
<br>
</blockquote>
There are many pending patches that may
change the VERSION number,
<br>
I will change it to the right one before
pushing.
<br>
<br>
Does the code look good to you?
<br>
</blockquote>
Hi Martin,
<br>
<br>
Just a question, there is no additional
permission. Did you
<br>
test being 'admin' ?
<br>
<br>
thanks
<br>
thierry
<br>
</blockquote>
No I didn't.
<br>
<br>
I preserved all permissions, the original
permissions should
<br>
work.
<br>
<br>
Martin
<br>
</blockquote>
Hi Martin,
<br>
<br>
Running a test script, I have an issue with
<br>
<br>
ipa stageuser-add --first=t --last=b tb1
<br>
ipa: ERROR: an internal error has
occurred
<br>
<br>
<br>
[Tue Aug 18 11:16:56.440658 2015]
[wsgi:error] [pid 10486]
<br>
ipa: INFO: [jsonserver_kerb]
<br>
<a class="moz-txt-link-abbreviated" href="mailto:stageadm@ABC.IDM.LAB.ENG.BRQ.REDHAT.COM">stageadm@ABC.IDM.LAB.ENG.BRQ.REDHAT.COM</a>:
<br>
stageuser_add(u'tb1', givenname=u't',
sn=u'b', cn=u't b',
<br>
displayname=u't b', initials=u'tb',
gecos=u't b',
<br>
krbprincipalname=u'<a class="moz-txt-link-abbreviated" href="mailto:tb1@ABC.IDM.LAB.ENG.BRQ.REDHAT.COM">tb1@ABC.IDM.LAB.ENG.BRQ.REDHAT.COM</a>',
<br>
random=False, all=False, raw=False,
version=u'2.149',
<br>
no_members=False): AttributeError
<br>
[Tue Aug 18 11:21:25.198021 2015]
[wsgi:error] [pid 10485]
<br>
ipa: ERROR: non-public: AttributeError:
'DN' object has no
<br>
attribute 'setdefault'
<br>
[Tue Aug 18 11:21:25.198053 2015]
[wsgi:error] [pid 10485]
<br>
Traceback (most recent call last):
<br>
[Tue Aug 18 11:21:25.198058 2015]
[wsgi:error] [pid 10485]
<br>
File
<br>
"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py",
<br>
line 347, in wsgi_execute
<br>
[Tue Aug 18 11:21:25.198062 2015]
[wsgi:error] [pid
<br>
10485] result =
self.Command[name](*args, **options)
<br>
[Tue Aug 18 11:21:25.198066 2015]
[wsgi:error] [pid 10485]
<br>
File
"/usr/lib/python2.7/site-packages/ipalib/frontend.py",
<br>
line 443, in __call__
<br>
[Tue Aug 18 11:21:25.198070 2015]
[wsgi:error] [pid
<br>
10485] ret = self.run(*args,
**options)
<br>
[Tue Aug 18 11:21:25.198081 2015]
[wsgi:error] [pid 10485]
<br>
File
"/usr/lib/python2.7/site-packages/ipalib/frontend.py",
<br>
line 760, in run
<br>
[Tue Aug 18 11:21:25.198133 2015]
[wsgi:error] [pid
<br>
10485] return self.execute(*args,
**options)
<br>
[Tue Aug 18 11:21:25.198139 2015]
[wsgi:error] [pid 10485]
<br>
File
<br>
"/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py",
<br>
line 1227, in execute
<br>
[Tue Aug 18 11:21:25.198144 2015]
[wsgi:error] [pid
<br>
10485] *keys, **options)
<br>
[Tue Aug 18 11:21:25.198147 2015]
[wsgi:error] [pid 10485]
<br>
File
<br>
"/usr/lib/python2.7/site-packages/ipalib/plugins/stageuser.py",
<br>
line 373, in pre_callback
<br>
[Tue Aug 18 11:21:25.198151 2015]
[wsgi:error] [pid
<br>
10485] attrs_list, *keys, **options)
<br>
[Tue Aug 18 11:21:25.198155 2015]
[wsgi:error] [pid 10485]
<br>
File
<br>
"/usr/lib/python2.7/site-packages/ipalib/plugins/stageuser.py",
<br>
line 277, in
set_default_values_pre_callback
<br>
[Tue Aug 18 11:21:25.198159 2015]
[wsgi:error] [pid 10485]
<br>
entry_attrs.setdefault('description',
[])
<br>
[Tue Aug 18 11:21:25.198163 2015]
[wsgi:error] [pid 10485]
<br>
AttributeError: 'DN' object has no
attribute 'setdefault'
<br>
[Tue Aug 18 11:21:25.199276 2015]
[wsgi:error] [pid 10485]
<br>
ipa: INFO: [jsonserver_session]
<br>
<a class="moz-txt-link-abbreviated" href="mailto:stageadm@ABC.IDM.LAB.ENG.BRQ.REDHAT.COM">stageadm@ABC.IDM.LAB.ENG.BRQ.REDHAT.COM</a>:
<br>
stageuser_add(u'tb1', givenname=u't',
sn=u'b', cn=u't b',
<br>
displayname=u't b', initials=u'tb',
gecos=u't b',
<br>
krbprincipalname=u'<a class="moz-txt-link-abbreviated" href="mailto:tb1@ABC.IDM.LAB.ENG.BRQ.REDHAT.COM">tb1@ABC.IDM.LAB.ENG.BRQ.REDHAT.COM</a>',
<br>
random=False, all=False, raw=False,
version=u'2.149',
<br>
no_members=False): AttributeError
<br>
<br>
<br>
The new set_default_values_pre_callback cannot
use the
<br>
setdefault function. It is not clear why.
entry_attrs is one of the
<br>
pre_callback parameters.
<br>
Should set_default_values_pre_callback be a
subfunction of
<br>
pre_callback?
<br>
<br>
<br>
thanks
<br>
thierry
<br>
</blockquote>
<br>
Thank you,
<br>
<br>
updated patch attached.
<br>
</blockquote>
<br>
So far, tests are ok.
<br>
Just one comment, the 'user-stage' command
description is wrong,
<br>
as it moves an active user into the staged area
<br>
<br>
user-stage Move
deleted user into
<br>
staged area
<br>
</blockquote>
No, it's not doing that.
<br>
<br>
user-stage is a replacement for stageuser-add
--from-delete, it
<br>
doesn't work for active users.
<br>
The support to move an active user to the staged area is
an RFE, I have not
<br>
implemented it yet, and I don't know if this will
fit the IPA 4.2
<br>
timeframe
<br>
</blockquote>
Ok. thanks.
<br>
Sure, user-stage (active->stage) will not fit into the
IPA 4.2 timeframe.
<br>
<br>
Running the tests as admin, there is no problem.
<br>
I have a permission issue when running as 'Stage
administrator'.
<br>
The 'delete' entry being moved to the 'stage' container,
we need a
<br>
special permission for it.
<br>
</blockquote>
<br>
Hello,
<br>
<br>
I tested this new permission to grant 'Stage user
administrator' the right to
<br>
do a 'user-stage'.
<br>
Is it ok to add it to your patch?
<br>
<br>
thanks
<br>
thierry
<br>
<blockquote type="cite">
<br>
[root@vm-141 ~]# ipa user-del ttest1 --preserve
<br>
---------------------
<br>
Deleted user "ttest1"
<br>
---------------------
<br>
<br>
[root@vm-141 ~]# ipa user-stage ttest1
<br>
ipa: ERROR: Insufficient access: Insufficient
'moddn' privilege to
<br>
move an entry to 'cn=staged
<br>
users,cn=accounts,cn=provisioning,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com'.
<br>
<br>
<br>
<br>
[root@vm-141 ~]# klist
<br>
Ticket cache:
KEYRING:persistent:0:krb_ccache_hw3P667
<br>
Default principal:
<a class="moz-txt-link-abbreviated" href="mailto:stageadm@ABC.IDM.LAB.ENG.BRQ.REDHAT.COM">stageadm@ABC.IDM.LAB.ENG.BRQ.REDHAT.COM</a>
<br>
<br>
Valid starting Expires Service
principal
<br>
08/18/2015 15:45:43 08/19/2015 15:45:42
<br>
<a class="moz-txt-link-abbreviated" href="mailto:ldap/vm-141.abc.idm.lab.eng.brq.redhat.com@ABC.IDM.LAB.ENG.BRQ.REDHAT.COM">ldap/vm-141.abc.idm.lab.eng.brq.redhat.com@ABC.IDM.LAB.ENG.BRQ.REDHAT.COM</a>
<br>
<br>
<br>
08/18/2015 15:45:42 08/19/2015 15:45:42
<br>
<a class="moz-txt-link-abbreviated" href="mailto:krbtgt/ABC.IDM.LAB.ENG.BRQ.REDHAT.COM@ABC.IDM.LAB.ENG.BRQ.REDHAT.COM">krbtgt/ABC.IDM.LAB.ENG.BRQ.REDHAT.COM@ABC.IDM.LAB.ENG.BRQ.REDHAT.COM</a>
<br>
<br>
[root@vm-141 ~]# kinit admin
<br>
Password for <a class="moz-txt-link-abbreviated" href="mailto:admin@ABC.IDM.LAB.ENG.BRQ.REDHAT.COM">admin@ABC.IDM.LAB.ENG.BRQ.REDHAT.COM</a>:
<br>
[root@vm-141 ~]# ipa user-stage ttest1
<br>
----------------------------
<br>
Staged user account "ttest1"
<br>
----------------------------
<br>
[root@vm-141 ~]# ipa stageuser-find ttest1
<br>
--------------
<br>
1 user matched
<br>
--------------
<br>
User login: ttest1
<br>
First name: t
<br>
Last name: test1
<br>
Home directory: /home/ttest1
<br>
Login shell: /bin/sh
<br>
Email address:
<a class="moz-txt-link-abbreviated" href="mailto:ttest1@abc.idm.lab.eng.brq.redhat.com">ttest1@abc.idm.lab.eng.brq.redhat.com</a>
<br>
UID: 1814000011
<br>
GID: 1814000011
<br>
Password: False
<br>
Kerberos keys available: False
<br>
----------------------------
<br>
Number of entries returned 1
<br>
----------------------------
<br>
<br>
<br>
</blockquote>
<br>
</blockquote>
<br>
</blockquote>
<br>
</blockquote>
<br>
NACK.
<br>
<br>
1) Use ADD+DEL instead of MODRDN as we agreed before:
<br>
<a class="moz-txt-link-rfc2396E" href="https://www.redhat.com/archives/freeipa-devel/2015-August/msg00148.html"><https://www.redhat.com/archives/freeipa-devel/2015-August/msg00148.html></a>.
<br>
<br>
<br>
</blockquote>
<br>
Hi,
<br>
<br>
I have a slight preference for doing MODRDN rather than ADD+DEL, but I
think it is
<br>
for a corner case.
<br>
Before preserving a user, the user was active and could be
updated. If
<br>
the user gets updated on a replica (e.g. change its
phone number) but for
<br>
some reason the update is not immediately replicated, then a
later
<br>
'user-del --preserve' + 'user-stage' will stage the user
without the
<br>
updated phone number.
<br>
<br>
In addition, doing 2 ops rather than one costs more and is not
atomic
<br>
(more complex to handle failure).
<br>
</blockquote>
<br>
The same problem exists for stageuser_activate, and unless you
want to
<br>
change it to use MODRDN as well, user_stage must use ADD+DEL.
<br>
<br>
This was already discussed quite thoroughly and we reached the
decision
<br>
to use ADD+DEL, because it is consistent with the rest of the
user code.
<br>
I don't see a point in discussing this further and rehashing
what was
<br>
already said.
<br>
<br>
<blockquote type="cite">
<br>
thanks
<br>
thierry
<br>
<blockquote type="cite">
<br>
2) You can't use the entry preparation code from
stageuser-add in
<br>
user-stage - it is supposed to normalize user input, not
already
<br>
normalized data from LDAP, and could lead to subtle and hard
to track
<br>
errors.
<br>
<br>
Honza
<br>
<br>
</blockquote>
<br>
</blockquote>
<br>
</blockquote>
<br>
I have updated Martin's patch with fixes for the above. See
attachment.
<br>
<br>
<br>
<br>
</blockquote>
LGTM,<br>
<br>
what do you think thierry?<br>
<br>
<br>
<br>
</body>
</html>