<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 08/20/2015 05:21 PM, Martin Basti
wrote:<br>
</div>
<blockquote cite="mid:55D5F086.7090202@redhat.com" type="cite">
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
<br>
<br>
<div class="moz-cite-prefix">On 08/20/2015 11:27 AM, Jan Cholasta
wrote:<br>
</div>
<blockquote cite="mid:55D59D9B.3060409@redhat.com" type="cite">On
19.8.2015 10:57, Jan Cholasta wrote: <br>
<blockquote type="cite">On 19.8.2015 10:47, thierry bordaz
wrote: <br>
<blockquote type="cite">On 08/19/2015 10:34 AM, Jan Cholasta
wrote: <br>
<blockquote type="cite">On 19.8.2015 09:39, thierry bordaz
wrote: <br>
<blockquote type="cite">Hi, <br>
<br>
It worked like a charm. <br>
I had a problem committing it because of the VERSION stuff that changed. <br>
<br>
Except that (changing VERSION), the fix looks good to me
<br>
<br>
thanks <br>
thierry <br>
On 08/18/2015 07:21 PM, Martin Basti wrote: <br>
<blockquote type="cite">Thank you for the patch. I checked it; I just changed the permission name <br>
to have all first letters in uppercase like the others. <br>
Updated merged patch attached. <br>
<br>
On 08/18/2015 05:34 PM, thierry bordaz wrote: <br>
<blockquote type="cite">On 08/18/2015 04:13 PM,
thierry bordaz wrote: <br>
<blockquote type="cite">On 08/18/2015 04:04 PM,
Martin Basti wrote: <br>
<blockquote type="cite"> <br>
<br>
On 08/18/2015 03:49 PM, thierry bordaz wrote: <br>
<blockquote type="cite">On 08/18/2015 03:06 PM,
Martin Basti wrote: <br>
<blockquote type="cite"> <br>
<br>
On 08/18/2015 11:32 AM, thierry bordaz
wrote: <br>
<blockquote type="cite">On 08/18/2015 10:02
AM, Martin Basti wrote: <br>
<blockquote type="cite"> <br>
<br>
On 08/18/2015 09:59 AM, thierry bordaz
wrote: <br>
<blockquote type="cite">On 08/18/2015
09:55 AM, Martin Basti wrote: <br>
<blockquote type="cite"> <br>
<br>
On 08/18/2015 09:50 AM, thierry
bordaz wrote: <br>
<blockquote type="cite">On
08/17/2015 08:33 PM, Martin Basti
wrote: <br>
<blockquote type="cite">Hello, <br>
<br>
the 'user-stage' command replaces the 'stageuser-add --from-delete' command. <br>
<a moz-do-not-send="true"
class="moz-txt-link-freetext"
href="https://fedorahosted.org/freeipa/ticket/5041">https://fedorahosted.org/freeipa/ticket/5041</a>
<br>
<br>
Thierry, can you check that I don't break everything? It works <br>
for me, but one never knows. <br>
<br>
Honza, can you please check the framework side? I use <br>
self.api.Object.stageuser.add.* in the user command; I'm not <br>
sure if this is the right way, but it works. <br>
<br>
Patch attached. I created it in a hurry, I'm expecting <br>
a NACK :D <br>
<br>
<br>
Just a question at the end: should I implement a way for Active <br>
user -> stageuser? IMHO it would be implemented internally <br>
by calling 'user-del --preserve' inside 'user-stage'. <br>
<br>
<br>
<br>
</blockquote>
Hi Martin, <br>
<br>
There is a small failure with VERSION (edewata pushed his patch first ;-) ) <br>
<br>
git apply -v /tmp/freeipa-mbasti-0297-Add-user-stage-command.patch <br>
Checking patch API.txt... <br>
Checking patch VERSION... <br>
error: while searching for: <br>
# # <br>
######################################################## <br>
IPA_API_VERSION_MAJOR=2 <br>
IPA_API_VERSION_MINOR=148 <br>
# Last change: ftweedal - add --out option to user-show <br>
<br>
error: patch failed: VERSION:90 <br>
error: VERSION: patch does not apply <br>
Checking patch ipalib/plugins/stageuser.py... <br>
Checking patch ipalib/plugins/user.py... <br>
<br>
<br>
</blockquote>
There are many pending patches that may change the VERSION number; <br>
I will change it to the right one before push. <br>
<br>
Does the code look good to you? <br>
</blockquote>
Hi Martin, <br>
<br>
Just a question: there is no additional permission. Did you <br>
test being 'admin'? <br>
<br>
thanks <br>
thierry <br>
</blockquote>
No, I didn't. <br>
<br>
I preserve all permissions, the original permissions should <br>
work. <br>
<br>
Martin <br>
</blockquote>
Hi Martin, <br>
<br>
Running a test script, I have an issue with <br>
<br>
ipa stageuser-add --first=t --last=b tb1 <br>
ipa: ERROR: an internal error has occurred <br>
<br>
<br>
[Tue Aug 18 11:16:56.440658 2015] [wsgi:error] [pid 10486] ipa: INFO: [jsonserver_kerb] <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:stageadm@ABC.IDM.LAB.ENG.BRQ.REDHAT.COM">stageadm@ABC.IDM.LAB.ENG.BRQ.REDHAT.COM</a>: stageuser_add(u'tb1', givenname=u't', sn=u'b', cn=u't b', displayname=u't b', initials=u'tb', gecos=u't b', krbprincipalname=u'<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:tb1@ABC.IDM.LAB.ENG.BRQ.REDHAT.COM">tb1@ABC.IDM.LAB.ENG.BRQ.REDHAT.COM</a>', random=False, all=False, raw=False, version=u'2.149', no_members=False): AttributeError <br>
[Tue Aug 18 11:21:25.198021 2015] [wsgi:error] [pid 10485] ipa: ERROR: non-public: AttributeError: 'DN' object has no attribute 'setdefault' <br>
[Tue Aug 18 11:21:25.198053 2015] [wsgi:error] [pid 10485] Traceback (most recent call last): <br>
[Tue Aug 18 11:21:25.198058 2015] [wsgi:error] [pid 10485] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 347, in wsgi_execute <br>
[Tue Aug 18 11:21:25.198062 2015] [wsgi:error] [pid 10485] result = self.Command[name](*args, **options) <br>
[Tue Aug 18 11:21:25.198066 2015] [wsgi:error] [pid 10485] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 443, in __call__ <br>
[Tue Aug 18 11:21:25.198070 2015] [wsgi:error] [pid 10485] ret = self.run(*args, **options) <br>
[Tue Aug 18 11:21:25.198081 2015] [wsgi:error] [pid 10485] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 760, in run <br>
[Tue Aug 18 11:21:25.198133 2015] [wsgi:error] [pid 10485] return self.execute(*args, **options) <br>
[Tue Aug 18 11:21:25.198139 2015] [wsgi:error] [pid 10485] File "/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py", line 1227, in execute <br>
[Tue Aug 18 11:21:25.198144 2015] [wsgi:error] [pid 10485] *keys, **options) <br>
[Tue Aug 18 11:21:25.198147 2015] [wsgi:error] [pid 10485] File "/usr/lib/python2.7/site-packages/ipalib/plugins/stageuser.py", line 373, in pre_callback <br>
[Tue Aug 18 11:21:25.198151 2015] [wsgi:error] [pid 10485] attrs_list, *keys, **options) <br>
[Tue Aug 18 11:21:25.198155 2015] [wsgi:error] [pid 10485] File "/usr/lib/python2.7/site-packages/ipalib/plugins/stageuser.py", line 277, in set_default_values_pre_callback <br>
[Tue Aug 18 11:21:25.198159 2015] [wsgi:error] [pid 10485] entry_attrs.setdefault('description', []) <br>
[Tue Aug 18 11:21:25.198163 2015] [wsgi:error] [pid 10485] AttributeError: 'DN' object has no attribute 'setdefault' <br>
[Tue Aug 18 11:21:25.199276 2015] [wsgi:error] [pid 10485] ipa: INFO: [jsonserver_session] <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:stageadm@ABC.IDM.LAB.ENG.BRQ.REDHAT.COM">stageadm@ABC.IDM.LAB.ENG.BRQ.REDHAT.COM</a>: stageuser_add(u'tb1', givenname=u't', sn=u'b', cn=u't b', displayname=u't b', initials=u'tb', gecos=u't b', krbprincipalname=u'<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:tb1@ABC.IDM.LAB.ENG.BRQ.REDHAT.COM">tb1@ABC.IDM.LAB.ENG.BRQ.REDHAT.COM</a>', random=False, all=False, raw=False, version=u'2.149', no_members=False): AttributeError <br>
<br>
<br>
The new set_default_values_pre_callback cannot use the <br>
set_default function. It is not clear why; entry_attrs is one of <br>
the pre_callback parameters. <br>
Should set_default_values_pre_callback be a subfunction of <br>
pre_callback? <br>
<br>
<br>
thanks <br>
thierry <br>
</blockquote>
<br>
Thank you, <br>
<br>
updated patch attached. <br>
</blockquote>
<br>
So far, tests are ok. <br>
Just one comment, the 'user-stage' command description is wrong, <br>
as it moves an active user into the staged area <br>
<br>
user-stage Move deleted user into staged area <br>
</blockquote>
No, it's not doing that. <br>
<br>
user-stage is a replacement for stageuser-add --from-delete; it <br>
doesn't work for active users. <br>
The support to move an active user to the staged area is an RFE; I did not <br>
implement it yet, and I don't know if this will fit the IPA 4.2 <br>
timeframe. <br>
</blockquote>
Ok, thanks. <br>
Sure, user-stage (active->stage) will not fit into the IPA 4.2 timeframe. <br>
<br>
Running the tests as admin, there is no problem. <br>
I have a permission issue when running as 'Stage administrator'. <br>
The 'delete' entry being moved to the 'stage' container, we need a <br>
special permission for it. <br>
</blockquote>
<br>
Hello, <br>
<br>
I tested this new permission to grant 'Stage user administrator' the right to <br>
do a 'user-stage'. <br>
Is it ok to add it to your patch? <br>
<br>
thanks <br>
thierry <br>
<blockquote type="cite"> <br>
[root@vm-141 ~]# ipa user-del ttest1 --preserve <br>
--------------------- <br>
Deleted user "ttest1" <br>
--------------------- <br>
<br>
[root@vm-141 ~]# ipa user-stage ttest1 <br>
ipa: ERROR: Insufficient access: Insufficient 'moddn' privilege to move an entry to 'cn=staged users,cn=accounts,cn=provisioning,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com'. <br>
<br>
<br>
<br>
[root@vm-141 ~]# klist <br>
Ticket cache: KEYRING:persistent:0:krb_ccache_hw3P667 <br>
Default principal: <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:stageadm@ABC.IDM.LAB.ENG.BRQ.REDHAT.COM">stageadm@ABC.IDM.LAB.ENG.BRQ.REDHAT.COM</a> <br>
<br>
Valid starting &nbsp;&nbsp;&nbsp;&nbsp; Expires &nbsp;&nbsp;&nbsp;&nbsp; Service principal <br>
08/18/2015 15:45:43 &nbsp; 08/19/2015 15:45:42 &nbsp; <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:ldap/vm-141.abc.idm.lab.eng.brq.redhat.com@ABC.IDM.LAB.ENG.BRQ.REDHAT.COM">ldap/vm-141.abc.idm.lab.eng.brq.redhat.com@ABC.IDM.LAB.ENG.BRQ.REDHAT.COM</a> <br>
08/18/2015 15:45:42 &nbsp; 08/19/2015 15:45:42 &nbsp; <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:krbtgt/ABC.IDM.LAB.ENG.BRQ.REDHAT.COM@ABC.IDM.LAB.ENG.BRQ.REDHAT.COM">krbtgt/ABC.IDM.LAB.ENG.BRQ.REDHAT.COM@ABC.IDM.LAB.ENG.BRQ.REDHAT.COM</a> <br>
<br>
<br>
[root@vm-141 ~]# kinit admin <br>
Password for <a moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:admin@ABC.IDM.LAB.ENG.BRQ.REDHAT.COM">admin@ABC.IDM.LAB.ENG.BRQ.REDHAT.COM</a>:
<br>
[root@vm-141 ~]# ipa user-stage ttest1 <br>
---------------------------- <br>
Staged user account "ttest1" <br>
---------------------------- <br>
[root@vm-141 ~]# ipa stageuser-find ttest1 <br>
-------------- <br>
1 user matched <br>
-------------- <br>
User login: ttest1 <br>
First name: t <br>
Last name: test1 <br>
Home directory: /home/ttest1 <br>
Login shell: /bin/sh <br>
Email address: <a moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:ttest1@abc.idm.lab.eng.brq.redhat.com">ttest1@abc.idm.lab.eng.brq.redhat.com</a>
<br>
UID: 1814000011 <br>
GID: 1814000011 <br>
Password: False <br>
Kerberos keys available: False <br>
---------------------------- <br>
Number of entries returned 1 <br>
---------------------------- <br>
<br>
<br>
</blockquote>
<br>
</blockquote>
<br>
</blockquote>
<br>
</blockquote>
<br>
NACK. <br>
<br>
1) Use ADD+DEL instead of MODRDN as we agreed before: <br>
<a moz-do-not-send="true" class="moz-txt-link-rfc2396E"
href="https://www.redhat.com/archives/freeipa-devel/2015-August/msg00148.html"><https://www.redhat.com/archives/freeipa-devel/2015-August/msg00148.html></a>.
<br>
<br>
<br>
</blockquote>
<br>
Hi, <br>
<br>
I have a slight preference for doing MODRDN rather than ADD+DEL, but I <br>
think it is for a corner case. <br>
Before preserving a user, the user was active and could be <br>
updated. If the user gets updated on a replica (e.g. changing its <br>
phone number) but for some reason the update is not immediately <br>
replicated, then a later 'user-del --preserve' + 'user-stage' will <br>
stage the user without the updated phone number. <br>
<br>
In addition, doing 2 ops rather than one costs more and is not atomic <br>
(more complex to handle failure). <br>
</blockquote>
<br>
The same problem exists for stageuser_activate, and unless you
want to <br>
change it to use MODRDN as well, user_stage must use ADD+DEL.
<br>
<br>
This was already discussed quite thoroughly and we reached the
decision <br>
to use ADD+DEL, because it is consistent with the rest of the
user code. <br>
I don't see a point in discussing this further and rehashing
what was <br>
already said. <br>
<br>
<blockquote type="cite"> <br>
thanks <br>
thierry <br>
<blockquote type="cite"> <br>
2) You can't use the entry preparation code from stageuser-add in <br>
user-stage - it is supposed to normalize user input, not already <br>
normalized data from LDAP, and could lead to subtle and hard-to-track <br>
errors. <br>
<br>
Honza <br>
<br>
</blockquote>
<br>
</blockquote>
<br>
</blockquote>
<br>
I have updated Martin's patch with fixes for the above. See
attachment. <br>
<br>
<br>
<br>
</blockquote>
LGTM,<br>
<br>
what do you think, thierry?<br>
<br>
<br>
<br>
</blockquote>
<font face="Times New Roman, Times, serif"><br>
I have to go outside for 45 min; I will test it when I am
back. Sorry for the delay.<br>
</font>
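<br>
The thread's two design points about moving a preserved user into the staged container (MODRDN needs a 'moddn' privilege on the target container, whereas ADD+DEL is two operations that are not atomic and so need failure handling) are modelled in the Python example below. This is an added illustration, not FreeIPA code and not a patch from anyone in this thread. FakeLDAP is a constructed in-memory directory whose method names follow python-ldap's add_s/delete_s/rename_s; its privilege tuples, failure injection, the sample entry under dc=example,dc=test and the STAGE_ADMIN privilege set are assumptions made for the demonstration and do not describe FreeIPA's real ACIs.<br>

```python
"""Added example: MODRDN versus ADD+DEL for moving an LDAP entry between
containers, with a toy privilege check and a compensating rollback.
Not FreeIPA code; FakeLDAP and its ACL model are constructed stand-ins."""

import copy


class InsufficientAccess(Exception):
    """Raised when the bound identity lacks the privilege for an operation."""


class OperationFailed(Exception):
    """Raised for an injected or ordinary operation failure."""


def parent_dn(dn):
    # Assumes no escaped commas in RDN values (true for the constructed sample).
    return dn.split(",", 1)[1]


class FakeLDAP:
    """In-memory directory. privileges is a set of (operation, container_dn)
    tuples the bound identity holds; fail_delete_dn injects a DEL failure."""

    def __init__(self, entries, privileges, fail_delete_dn=None):
        self.entries = copy.deepcopy(entries)      # dn -> attribute dict
        self.privileges = set(privileges)
        self.fail_delete_dn = fail_delete_dn

    def _check(self, op, container):
        if (op, container) not in self.privileges:
            raise InsufficientAccess(
                "Insufficient '%s' privilege to move an entry to '%s'" % (op, container))

    def get_entry(self, dn):
        # Stands in for a base-scope search of the entry.
        return copy.deepcopy(self.entries[dn])

    def add_s(self, dn, attrs):
        self._check("add", parent_dn(dn))
        if dn in self.entries:
            raise OperationFailed("entry already exists: " + dn)
        self.entries[dn] = copy.deepcopy(attrs)

    def delete_s(self, dn):
        self._check("delete", parent_dn(dn))
        if dn == self.fail_delete_dn:
            raise OperationFailed("simulated DEL failure for " + dn)
        del self.entries[dn]

    def rename_s(self, dn, newrdn, newsuperior):
        # A single server-side operation; the toy ACL requires 'moddn' on the target.
        self._check("moddn", newsuperior)
        self.entries[newrdn + "," + newsuperior] = self.entries.pop(dn)


def move_modrdn(conn, dn, target_container):
    """One MODRDN: atomic on the server, but needs the 'moddn' privilege."""
    rdn = dn.split(",", 1)[0]
    conn.rename_s(dn, rdn, target_container)
    return rdn + "," + target_container


def move_add_del(conn, dn, target_container):
    """ADD in the target container, then DEL the original. Not atomic: if the
    DEL fails after the ADD succeeded, the copy is removed again so the user
    never exists in two containers at once, and the failure is re-raised."""
    rdn = dn.split(",", 1)[0]
    new_dn = rdn + "," + target_container
    conn.add_s(new_dn, conn.get_entry(dn))
    try:
        conn.delete_s(dn)
    except OperationFailed:
        conn.delete_s(new_dn)   # compensating action for the completed ADD
        raise
    return new_dn


# Constructed sample directory and privilege set (assumptions, not FreeIPA's ACIs).
BASE = "dc=example,dc=test"
DELETED = "cn=deleted users,cn=accounts,cn=provisioning," + BASE
STAGED = "cn=staged users,cn=accounts,cn=provisioning," + BASE
PRESERVED_DN = "uid=ttest1," + DELETED
SAMPLE = {PRESERVED_DN: {"uid": ["ttest1"], "sn": ["test1"], "givenName": ["t"]}}
# A hypothetical staging role that may add/delete in the containers but has no moddn.
STAGE_ADMIN = {("add", STAGED), ("delete", STAGED), ("delete", DELETED)}


def demo_modrdn_needs_moddn():
    """Returns the access error MODRDN produces for the staging role."""
    conn = FakeLDAP(SAMPLE, STAGE_ADMIN)
    try:
        move_modrdn(conn, PRESERVED_DN, STAGED)
    except InsufficientAccess as exc:
        return str(exc)
    return None


def demo_add_del_success():
    """Returns the DNs present after a successful ADD+DEL move."""
    conn = FakeLDAP(SAMPLE, STAGE_ADMIN)
    move_add_del(conn, PRESERVED_DN, STAGED)
    return sorted(conn.entries)


def demo_add_del_rollback():
    """Returns the DNs present after the DEL step fails and the ADD is rolled back."""
    conn = FakeLDAP(SAMPLE, STAGE_ADMIN, fail_delete_dn=PRESERVED_DN)
    try:
        move_add_del(conn, PRESERVED_DN, STAGED)
    except OperationFailed:
        pass
    return sorted(conn.entries)


if __name__ == "__main__":
    print(demo_modrdn_needs_moddn())
    print(demo_add_del_success())
    print(demo_add_del_rollback())
```

Run stand-alone, the three demo functions show the staging role being refused by MODRDN, the same role succeeding with ADD+DEL, and the entry staying only in the deleted container when the second step fails. The rollback branch is the extra failure handling the thread refers to; against a real directory it would also have to cope with the rollback DEL itself failing, which a single MODRDN never has to consider.<br>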
</body>
</html>