<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<br>
<br>
<div class="moz-cite-prefix">On 08/20/2015 07:17 PM, thierry bordaz
wrote:<br>
</div>
<blockquote cite="mid:55D60BBA.2050304@redhat.com" type="cite">
<div class="moz-cite-prefix">On 08/20/2015 05:21 PM, Martin Basti
wrote:<br>
</div>
<blockquote cite="mid:55D5F086.7090202@redhat.com" type="cite">
<br>
<br>
<div class="moz-cite-prefix">On 08/20/2015 11:27 AM, Jan
Cholasta wrote:<br>
</div>
<blockquote cite="mid:55D59D9B.3060409@redhat.com" type="cite">On
19.8.2015 10:57, Jan Cholasta wrote: <br>
<blockquote type="cite">On 19.8.2015 10:47, thierry bordaz
wrote: <br>
<blockquote type="cite">On 08/19/2015 10:34 AM, Jan Cholasta
wrote: <br>
<blockquote type="cite">On 19.8.2015 09:39, thierry bordaz
wrote: <br>
<blockquote type="cite">Hi, <br>
<br>
It worked like a charm. <br>
I had a problem committing it because of the VERSION
stuff that changed. <br>
<br>
Except for that (changing VERSION), the fix looks good to
me <br>
<br>
thanks <br>
thierry <br>
On 08/18/2015 07:21 PM, Martin Basti wrote: <br>
<blockquote type="cite">Thank you for the patch, I
checked it, I just changed the permission name <br>
to have all first letters in uppercase like the others. <br>
Updated merged patch attached. <br>
<br>
On 08/18/2015 05:34 PM, thierry bordaz wrote: <br>
<blockquote type="cite">On 08/18/2015 04:13 PM,
thierry bordaz wrote: <br>
<blockquote type="cite">On 08/18/2015 04:04 PM,
Martin Basti wrote: <br>
<blockquote type="cite"> <br>
<br>
On 08/18/2015 03:49 PM, thierry bordaz wrote:
<br>
<blockquote type="cite">On 08/18/2015 03:06
PM, Martin Basti wrote: <br>
<blockquote type="cite"> <br>
<br>
On 08/18/2015 11:32 AM, thierry bordaz
wrote: <br>
<blockquote type="cite">On 08/18/2015
10:02 AM, Martin Basti wrote: <br>
<blockquote type="cite"> <br>
<br>
On 08/18/2015 09:59 AM, thierry bordaz
wrote: <br>
<blockquote type="cite">On 08/18/2015
09:55 AM, Martin Basti wrote: <br>
<blockquote type="cite"> <br>
<br>
On 08/18/2015 09:50 AM, thierry
bordaz wrote: <br>
<blockquote type="cite">On
08/17/2015 08:33 PM, Martin
Basti wrote: <br>
<blockquote type="cite">Hello, <br>
<br>
the 'user-stage' command
replaces 'stageuser-add <br>
--from-delete' command. <br>
<a moz-do-not-send="true"
class="moz-txt-link-freetext"
href="https://fedorahosted.org/freeipa/ticket/5041">https://fedorahosted.org/freeipa/ticket/5041</a>
<br>
<br>
Thierry, can you check that I
didn't break everything? It
works <br>
for me, but one never
knows. <br>
<br>
Honza can you please check the
framework side? I use <br>
self.api.Object.stageuser.add.*
in user command, I'm not <br>
sure if this is right way, but
it works. <br>
<br>
Patch attached. I created it
in hurry, I'm expecting <br>
NACK :D <br>
<br>
<br>
Just question at the end:
should I implement way Active
<br>
user -> stageuser? IMHO it
would be implemented
internally <br>
by calling 'user-del
--preserve' inside
'user-stage'. <br>
<br>
<br>
<br>
</blockquote>
Hi Martin, <br>
<br>
There is a small failure with
VERSION (edewata pushed his <br>
patch first ;-) ) <br>
<br>
git apply -v <br>
/tmp/freeipa-mbasti-0297-Add-user-stage-command.patch
<br>
Checking patch API.txt... <br>
Checking patch VERSION... <br>
error: while searching for:
<br>
# # <br>
########################################################
<br>
IPA_API_VERSION_MAJOR=2 <br>
IPA_API_VERSION_MINOR=148 <br>
# Last change: ftweedal -
add --out option to user-show <br>
<br>
error: patch failed:
VERSION:90 <br>
error: VERSION: patch does
not apply <br>
Checking patch
ipalib/plugins/stageuser.py... <br>
Checking patch
ipalib/plugins/user.py... <br>
<br>
<br>
</blockquote>
There are many pending patches that
may change the VERSION number, <br>
I will change it to the right one
before pushing. <br>
<br>
Does the code look good to you? <br>
</blockquote>
Hi Martin, <br>
<br>
Just a question, there is no
additional permission. Did you <br>
test as 'admin'? <br>
<br>
thanks <br>
thierry <br>
</blockquote>
No, I didn't. <br>
<br>
I preserved all permissions, the
original permissions should <br>
work. <br>
<br>
Martin <br>
</blockquote>
Hi Martin, <br>
<br>
Running a test script, I have an issue
with <br>
<br>
ipa stageuser-add --first=t --last=b
tb1 <br>
ipa: ERROR: an internal error has
occurred <br>
<br>
<br>
[Tue Aug 18 11:16:56.440658 2015]
[wsgi:error] [pid 10486] <br>
ipa: INFO: [jsonserver_kerb] <br>
<a moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:stageadm@ABC.IDM.LAB.ENG.BRQ.REDHAT.COM">stageadm@ABC.IDM.LAB.ENG.BRQ.REDHAT.COM</a>:
<br>
stageuser_add(u'tb1',
givenname=u't', sn=u'b', cn=u't b', <br>
displayname=u't b', initials=u'tb',
gecos=u't b', <br>
krbprincipalname=u'<a
moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:tb1@ABC.IDM.LAB.ENG.BRQ.REDHAT.COM">tb1@ABC.IDM.LAB.ENG.BRQ.REDHAT.COM</a>',
<br>
random=False, all=False, raw=False,
version=u'2.149', <br>
no_members=False): AttributeError <br>
[Tue Aug 18 11:21:25.198021 2015]
[wsgi:error] [pid 10485] <br>
ipa: ERROR: non-public:
AttributeError: 'DN' object has no <br>
attribute 'setdefault' <br>
[Tue Aug 18 11:21:25.198053 2015]
[wsgi:error] [pid 10485] <br>
Traceback (most recent call last): <br>
[Tue Aug 18 11:21:25.198058 2015]
[wsgi:error] [pid 10485] <br>
File <br>
"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py",
<br>
line 347, in wsgi_execute <br>
[Tue Aug 18 11:21:25.198062 2015]
[wsgi:error] [pid <br>
10485] result =
self.Command[name](*args, **options) <br>
[Tue Aug 18 11:21:25.198066 2015]
[wsgi:error] [pid 10485] <br>
File
"/usr/lib/python2.7/site-packages/ipalib/frontend.py",
<br>
line 443, in __call__ <br>
[Tue Aug 18 11:21:25.198070 2015]
[wsgi:error] [pid <br>
10485] ret = self.run(*args,
**options) <br>
[Tue Aug 18 11:21:25.198081 2015]
[wsgi:error] [pid 10485] <br>
File
"/usr/lib/python2.7/site-packages/ipalib/frontend.py",
<br>
line 760, in run <br>
[Tue Aug 18 11:21:25.198133 2015]
[wsgi:error] [pid <br>
10485] return
self.execute(*args, **options) <br>
[Tue Aug 18 11:21:25.198139 2015]
[wsgi:error] [pid 10485] <br>
File <br>
"/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py",
<br>
line 1227, in execute <br>
[Tue Aug 18 11:21:25.198144 2015]
[wsgi:error] [pid <br>
10485] *keys, **options) <br>
[Tue Aug 18 11:21:25.198147 2015]
[wsgi:error] [pid 10485] <br>
File <br>
"/usr/lib/python2.7/site-packages/ipalib/plugins/stageuser.py",
<br>
line 373, in pre_callback <br>
[Tue Aug 18 11:21:25.198151 2015]
[wsgi:error] [pid <br>
10485] attrs_list, *keys,
**options) <br>
[Tue Aug 18 11:21:25.198155 2015]
[wsgi:error] [pid 10485] <br>
File <br>
"/usr/lib/python2.7/site-packages/ipalib/plugins/stageuser.py",
<br>
line 277, in
set_default_values_pre_callback <br>
[Tue Aug 18 11:21:25.198159 2015]
[wsgi:error] [pid 10485] <br>
entry_attrs.setdefault('description',
[]) <br>
[Tue Aug 18 11:21:25.198163 2015]
[wsgi:error] [pid 10485] <br>
AttributeError: 'DN' object has no
attribute 'setdefault' <br>
[Tue Aug 18 11:21:25.199276 2015]
[wsgi:error] [pid 10485] <br>
ipa: INFO: [jsonserver_session] <br>
<a moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:stageadm@ABC.IDM.LAB.ENG.BRQ.REDHAT.COM">stageadm@ABC.IDM.LAB.ENG.BRQ.REDHAT.COM</a>:
<br>
stageuser_add(u'tb1',
givenname=u't', sn=u'b', cn=u't b', <br>
displayname=u't b', initials=u'tb',
gecos=u't b', <br>
krbprincipalname=u'<a
moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:tb1@ABC.IDM.LAB.ENG.BRQ.REDHAT.COM">tb1@ABC.IDM.LAB.ENG.BRQ.REDHAT.COM</a>',
<br>
random=False, all=False, raw=False,
version=u'2.149', <br>
no_members=False): AttributeError <br>
<br>
<br>
The new set_default_values_pre_callback
cannot use the <br>
setdefault function. It is not clear
why. entry_attrs is one of <br>
the pre_callback parameters. <br>
Should set_default_values_pre_callback
be a subfunction of <br>
pre_callback? <br>
<br>
<br>
thanks <br>
thierry <br>
</blockquote>
<br>
Thank you, <br>
<br>
updated patch attached. <br>
</blockquote>
<br>
So far, tests are ok. <br>
Just one comment, the 'user-stage' command
description is wrong, <br>
as it moves an active user into the staged
area <br>
<br>
user-stage Move
deleted user into <br>
staged area <br>
</blockquote>
No, it's not doing that. <br>
<br>
user-stage is a replacement for stageuser-add
--from-delete, it <br>
doesn't work for active users. <br>
Support for moving an active user to the staged area
is an RFE, I did not <br>
implement it yet, and I don't know if this
will fit the IPA 4.2 <br>
timeframe <br>
</blockquote>
Ok. thanks. <br>
Sure, user-stage (active->stage) will not fit
into the IPA 4.2 timeframe. <br>
<br>
Running the tests as admin, there is no
problem. <br>
I have a permission issue when running as
'Stage administrator'. <br>
The 'delete' entry being moved to the 'stage'
container, we need a <br>
special permission for it. <br>
</blockquote>
<br>
Hello, <br>
<br>
I tested this new permission to grant 'Stage user
administrator' to <br>
do a 'user-stage'. <br>
Is it ok to add it to your patch? <br>
<br>
thanks <br>
thierry <br>
<blockquote type="cite"> <br>
[root@vm-141 ~]# ipa user-del ttest1 --preserve
<br>
--------------------- <br>
Deleted user "ttest1" <br>
--------------------- <br>
<br>
[root@vm-141 ~]# ipa user-stage ttest1 <br>
ipa: ERROR: Insufficient access: Insufficient
'moddn' privilege to <br>
move an entry to 'cn=staged <br>
users,cn=accounts,cn=provisioning,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com'.
<br>
<br>
<br>
<br>
[root@vm-141 ~]# klist <br>
Ticket cache:
KEYRING:persistent:0:krb_ccache_hw3P667 <br>
Default principal: <a moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:stageadm@ABC.IDM.LAB.ENG.BRQ.REDHAT.COM">stageadm@ABC.IDM.LAB.ENG.BRQ.REDHAT.COM</a>
<br>
<br>
Valid starting Expires
Service principal <br>
08/18/2015 15:45:43 08/19/2015 15:45:42 <br>
<a moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:ldap/vm-141.abc.idm.lab.eng.brq.redhat.com@ABC.IDM.LAB.ENG.BRQ.REDHAT.COM">ldap/vm-141.abc.idm.lab.eng.brq.redhat.com@ABC.IDM.LAB.ENG.BRQ.REDHAT.COM</a>
<br>
<br>
<br>
08/18/2015 15:45:42 08/19/2015 15:45:42 <br>
<a moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:krbtgt/ABC.IDM.LAB.ENG.BRQ.REDHAT.COM@ABC.IDM.LAB.ENG.BRQ.REDHAT.COM">krbtgt/ABC.IDM.LAB.ENG.BRQ.REDHAT.COM@ABC.IDM.LAB.ENG.BRQ.REDHAT.COM</a>
<br>
<br>
[root@vm-141 ~]# kinit admin <br>
Password for <a moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:admin@ABC.IDM.LAB.ENG.BRQ.REDHAT.COM">admin@ABC.IDM.LAB.ENG.BRQ.REDHAT.COM</a>:
<br>
[root@vm-141 ~]# ipa user-stage ttest1 <br>
---------------------------- <br>
Staged user account "ttest1" <br>
---------------------------- <br>
[root@vm-141 ~]# ipa stageuser-find ttest1 <br>
-------------- <br>
1 user matched <br>
-------------- <br>
User login: ttest1 <br>
First name: t <br>
Last name: test1 <br>
Home directory: /home/ttest1 <br>
Login shell: /bin/sh <br>
Email address: <a moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:ttest1@abc.idm.lab.eng.brq.redhat.com">ttest1@abc.idm.lab.eng.brq.redhat.com</a>
<br>
UID: 1814000011 <br>
GID: 1814000011 <br>
Password: False <br>
Kerberos keys available: False <br>
---------------------------- <br>
Number of entries returned 1 <br>
---------------------------- <br>
<br>
<br>
</blockquote>
<br>
</blockquote>
<br>
</blockquote>
<br>
</blockquote>
<br>
NACK. <br>
<br>
1) Use ADD+DEL instead of MODRDN as we agreed before: <br>
<a moz-do-not-send="true" class="moz-txt-link-rfc2396E"
href="https://www.redhat.com/archives/freeipa-devel/2015-August/msg00148.html"><https://www.redhat.com/archives/freeipa-devel/2015-August/msg00148.html></a>.
<br>
<br>
<br>
</blockquote>
<br>
Hi, <br>
<br>
I have a slight preference for doing MODRDN rather than ADD+DEL, but I
think it is <br>
for a corner case. <br>
Before preserving a user, the user was active and could be
updated. If <br>
the user gets updated on a replica (e.g. change its
phone number) but for <br>
some reason the update is not immediately replicated, then
a later <br>
'user-del --preserve' + 'user-stage' will stage the user
without the <br>
updated phone number. <br>
<br>
In addition, doing 2 ops rather than one costs more and is
not atomic <br>
(more complex to handle failure). <br>
</blockquote>
<br>
The same problem exists for stageuser_activate, and unless
you want to <br>
change it to use MODRDN as well, user_stage must use
ADD+DEL. <br>
<br>
This was already discussed quite thoroughly and we reached
the decision <br>
to use ADD+DEL, because it is consistent with the rest of
the user code. <br>
I don't see a point in discussing this further and rehashing
what was <br>
already said. <br>
<br>
<blockquote type="cite"> <br>
thanks <br>
thierry <br>
<blockquote type="cite"> <br>
2) You can't use the entry preparation code from
stageuser-add in <br>
user-stage - it is supposed to normalize user input, not
already <br>
normalized data from LDAP, and could lead to subtle and
hard to track <br>
errors. <br>
<br>
Honza <br>
<br>
</blockquote>
<br>
</blockquote>
<br>
</blockquote>
<br>
I have updated Martin's patch with fixes for the above. See
attachment. <br>
<br>
<br>
<br>
</blockquote>
LGTM,<br>
<br>
what do you think, thierry?<br>
<br>
<br>
<br>
</blockquote>
<font face="Times New Roman, Times, serif">Hi,<br>
<br>
It works like a charm and the fix looks great as well.<br>
<br>
ACK<br>
<br>
thanks<br>
thierry<br>
</font> </blockquote>
Thanks<br>
<br>
Pushed to:<br>
master: fb98e77104cee4fb23223a25128e75d88cfe5ba8<br>
ipa-4-2: 6b8623848e46dec074cd2894c9fbcd0eb47d3247<br>
</body>
</html>