<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 12.05.2016 11:01, Martin Basti
wrote:<br>
</div>
<blockquote
cite="mid:a4f0ca8c-4099-9356-aa2b-6417e5897d8b@redhat.com"
type="cite">
<br>
<br>
On 11.05.2016 09:41, Martin Basti wrote:
<br>
<blockquote type="cite">
<br>
<br>
On 10.05.2016 18:56, Petr Spacek wrote:
<br>
<blockquote type="cite">On 10.5.2016 15:38, Petr Spacek wrote:
<br>
<blockquote type="cite">On 10.5.2016 15:26, Martin Basti
wrote:
<br>
<blockquote type="cite">
<br>
On 10.05.2016 15:23, Petr Spacek wrote:
<br>
<blockquote type="cite">On 10.5.2016 14:44, Martin Basti
wrote:
<br>
<blockquote type="cite">On 10.05.2016 14:33, Petr Spacek
wrote:
<br>
<blockquote type="cite">On 6.5.2016 10:20, Martin
Basti wrote:
<br>
<blockquote type="cite"><a class="moz-txt-link-freetext" href="https://fedorahosted.org/freeipa/ticket/2008">https://fedorahosted.org/freeipa/ticket/2008</a>
<br>
<br>
Patches attached.
<br>
<br>
<br>
freeipa-mbasti-0473-DNS-Locations-Always-create-DNS-related-privileges.patch
<br>
<br>
<br>
From 9a936740da7cdacec150acc92a45041a98ce7cb3
Mon Sep 17 00:00:00 2001
<br>
From: Martin Basti <a class="moz-txt-link-rfc2396E" href="mailto:mbasti@redhat.com"><mbasti@redhat.com></a>
<br>
Date: Wed, 4 May 2016 17:33:52 +0200
<br>
Subject: [PATCH 1/4] DNS Locations: Always create
DNS related privileges
<br>
<br>
DNS privileges are important for handling DNS
locations which can be
<br>
created without DNS servers in IPA topology. We
will also need these
<br>
privileges present for the future feature 'External
DNS support'
<br>
</blockquote>
Seems reasonable, ACK.
<br>
<br>
<br>
<blockquote type="cite">freeipa-mbasti-0474-DNS-Locations-add-new-attributes-and-objectclasses.patch
<br>
<br>
<br>
From a7766da5fd1a72884308d4206c9cde262f5c8d35
Mon Sep 17 00:00:00 2001
<br>
From: Martin Basti <a class="moz-txt-link-rfc2396E" href="mailto:mbasti@redhat.com"><mbasti@redhat.com></a>
<br>
Date: Thu, 5 May 2016 11:12:00 +0200
<br>
Subject: [PATCH 2/4] DNS Locations: add new
attributes and objectclasses
<br>
<br>
<a class="moz-txt-link-freetext" href="http://www.freeipa.org/page/V4/DNS_Location_Mechanism">http://www.freeipa.org/page/V4/DNS_Location_Mechanism</a>
<br>
<br>
<a class="moz-txt-link-freetext" href="https://fedorahosted.org/freeipa/ticket/2008">https://fedorahosted.org/freeipa/ticket/2008</a>
<br>
---
<br>
install/share/60ipadns.ldif | 4 ++++
<br>
1 file changed, 4 insertions(+)
<br>
<br>
diff --git a/install/share/60ipadns.ldif
b/install/share/60ipadns.ldif
<br>
index
<br>
e0ed0ab869cea0478d9640bb509c6267abed1a01..31c2f71f8566d04a05709f1359b20e6fa51921ce
<br>
<br>
100644
<br>
--- a/install/share/60ipadns.ldif
<br>
+++ b/install/share/60ipadns.ldif
<br>
@@ -70,9 +70,13 @@ attributeTypes: (
2.16.840.1.113730.3.8.5.25 NAME
<br>
'idnsSecKeyRevoke' DESC 'DNSKE
<br>
attributeTypes: ( 2.16.840.1.113730.3.8.5.26
NAME 'idnsSecKeySep' DESC
<br>
'DNSKEY SEP flag (equivalent to bit 15): RFC 4035'
EQUALITY booleanMatch
<br>
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE
X-ORIGIN 'IPA v4.1' )
<br>
attributeTypes: ( 2.16.840.1.113730.3.8.5.27
NAME 'idnsSecAlgorithm' DESC
<br>
'DNSKEY algorithm: string used as mnemonic'
EQUALITY caseIgnoreIA5Match
<br>
SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX
1.3.6.1.4.1.1466.115.121.1.26
<br>
SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
<br>
attributeTypes: ( 2.16.840.1.113730.3.8.5.28
NAME 'idnsSecKeyRef' DESC
<br>
'PKCS#11 URI of the key' EQUALITY caseExactMatch
SINGLE-VALUE SYNTAX
<br>
1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.1'
)
<br>
+attributeTypes: ( 2.16.840.1.113730.3.8.5.32 NAME
'ipaLocation' DESC
<br>
'Reference to IPA location' EQUALITY
distinguishedNameMatch SYNTAX
<br>
1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE
X-ORIGIN 'IPA v4.4' )
<br>
+attributeTypes: ( 2.16.840.1.113730.3.8.5.33 NAME
'ipaLocationWeight' DESC
<br>
'Weight for the server in IPA location' EQUALITY
integerMatch SYNTAX
<br>
1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE
X-ORIGIN 'IPA v4.4' )
<br>
objectClasses: ( 2.16.840.1.113730.3.8.6.0
NAME 'idnsRecord' DESC 'dns
<br>
Record, usually a host' SUP top STRUCTURAL MUST
idnsName MAY ( cn $
<br>
idnsAllowDynUpdate $ dNSTTL $ dNSClass $ aRecord $
aAAARecord $ a6Record $
<br>
nSRecord $ cNAMERecord $ pTRRecord $ sRVRecord $
tXTRecord $ mXRecord $
<br>
mDRecord $ hInfoRecord $ mInfoRecord $ aFSDBRecord
$ SigRecord $ KeyRecord
<br>
$ LocRecord $ nXTRecord $ nAPTRRecord $ kXRecord $
certRecord $ dNameRecord
<br>
$ dSRecord $ sSHFPRecord $ rRSIGRecord $
nSECRecord $ DLVRecord $
<br>
TLSARecord $ UnknownRecord $ RPRecord $ APLRecord
$ IPSECKEYRecord $
<br>
DHCIDRecord $ HIPRecord $ SPFRecord ) )
<br>
objectClasses: ( 2.16.840.1.113730.3.8.6.1
NAME 'idnsZone' DESC 'Zone
<br>
class' SUP idnsRecord STRUCTURAL MUST (
idnsZoneActive $ idnsSOAmName $
<br>
idnsSOArName $ idnsSOAserial $ idnsSOArefresh $
idnsSOAretry $
<br>
idnsSOAexpire $ idnsSOAminimum ) MAY (
idnsUpdatePolicy $ idnsAllowQuery $
<br>
idnsAllowTransfer $ idnsAllowSyncPTR $
idnsForwardPolicy $ idnsForwarders $
<br>
idnsSecInlineSigning $ nSEC3PARAMRecord ) )
<br>
objectClasses: ( 2.16.840.1.113730.3.8.6.2
NAME 'idnsConfigObject' DESC
<br>
'DNS global config options' STRUCTURAL MAY (
idnsForwardPolicy $
<br>
idnsForwarders $ idnsAllowSyncPTR $
idnsZoneRefresh $
<br>
idnsPersistentSearch ) )
<br>
objectClasses: ( 2.16.840.1.113730.3.8.12.18
NAME 'ipaDNSZone' SUP top
<br>
AUXILIARY MUST idnsName MAY managedBy X-ORIGIN
'IPA v3' )
<br>
objectClasses: ( 2.16.840.1.113730.3.8.6.3
NAME 'idnsForwardZone' DESC
<br>
'Forward Zone class' SUP top STRUCTURAL MUST (
idnsName $ idnsZoneActive )
<br>
MAY ( idnsForwarders $ idnsForwardPolicy ) )
<br>
objectClasses: ( 2.16.840.1.113730.3.8.6.4
NAME 'idnsSecKey' DESC 'DNSSEC
<br>
key metadata' STRUCTURAL MUST ( idnsSecKeyRef $
idnsSecKeyCreated $
<br>
idnsSecAlgorithm ) MAY ( idnsSecKeyPublish $
idnsSecKeyActivate $
<br>
idnsSecKeyInactive $ idnsSecKeyDelete $
idnsSecKeyZone $ idnsSecKeyRevoke $
<br>
idnsSecKeySep $ cn ) X-ORIGIN 'IPA v4.1' )
<br>
+objectClasses: ( 2.16.840.1.113730.3.8.6.7 NAME
'ipaLocationObject' DESC
<br>
'Object for storing IPA server location' AUXILIARY
MUST ( idnsName ) MAY (
<br>
description ) X-ORIGIN 'IPA v4.4' )
<br>
</blockquote>
Why is it AUXILIARY? AFAIK it should be STRUCTURAL
because there will not be
<br>
any other object class on the location object (at
least not in the
<br>
beginning).
<br>
<br>
<blockquote type="cite">+objectClasses: (
2.16.840.1.113730.3.8.6.8 NAME 'ipaLocationMember'
DESC
<br>
'Member object of IPA location' AUXILIARY MAY (
ipaLocation $
<br>
ipaLocationWeight ) X-ORIGIN 'IPA v4.4' )
<br>
</blockquote>
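Review bot: ipaLocation is DN-syntax (1.3.6.1.4.1.1466.115.121.1.12) and this patch touches only 60ipadns.ldif, so nothing keeps the references consistent: deleting a location entry would leave dangling ipaLocation values on every ipaLocationMember entry that pointed at it. Consider registering the attribute with the referential-integrity plugin, or have location-del refuse to remove a location that is still referenced. Also, integerMatch on ipaLocationWeight cannot constrain the range, so the framework parameter for the weight will have to validate it (at minimum non-negative) when the member side is added.
<br>
<br>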
Conditional ACK if you fix ipaLocationObject.
<br>
<br>
<br>
<blockquote type="cite">freeipa-mbasti-0475-DNS-Locations-Add-location-commands.patch
<br>
<br>
<br>
From 407b935ecd6df0ed98c6df6d45a575229ef3cd09
Mon Sep 17 00:00:00 2001
<br>
From: Martin Basti <a class="moz-txt-link-rfc2396E" href="mailto:mbasti@redhat.com"><mbasti@redhat.com></a>
<br>
Date: Thu, 5 May 2016 11:13:07 +0200
<br>
Subject: [PATCH 3/4] DNS Locations: Add location-*
commands
<br>
<br>
Added location-{add,mod,del,find,show} commands.
Commands are just
<br>
prototypes and do not provide any information
about servers (will be
<br>
done later)
<br>
<br>
<a class="moz-txt-link-freetext" href="http://www.freeipa.org/page/V4/DNS_Location_Mechanism">http://www.freeipa.org/page/V4/DNS_Location_Mechanism</a>
<br>
<br>
<a class="moz-txt-link-freetext" href="https://fedorahosted.org/freeipa/ticket/2008">https://fedorahosted.org/freeipa/ticket/2008</a>
<br>
---
<br>
ACI.txt | 8 ++
<br>
API.txt | 59
++++++++++++++
<br>
VERSION | 4 +-
<br>
install/share/bootstrap-template.ldif | 6 ++
<br>
install/updates/37-locations.update | 4 +
<br>
install/updates/Makefile.am | 1 +
<br>
ipalib/constants.py | 1 +
<br>
ipalib/plugins/location.py | 142
<br>
+++++++++++++++++++++++++++++++++-
<br>
8 files changed, 222 insertions(+), 3
deletions(-)
<br>
</blockquote>
[...]
<br>
<br>
<blockquote type="cite">diff --git a/VERSION
b/VERSION
<br>
index
<br>
aedebd185821d42fa48608f4c5fdf9ff510ace3f..7e3def151e9986454509a580515b9d34dc220a60
<br>
<br>
100644
<br>
--- a/VERSION
<br>
+++ b/VERSION
<br>
@@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000
<br>
# #
<br>
########################################################
<br>
IPA_API_VERSION_MAJOR=2
<br>
-IPA_API_VERSION_MINOR=165
<br>
-# Last change: mbasti - limit
ipamaxusernamelength value to 255
<br>
+IPA_API_VERSION_MINOR=166
<br>
+# Last change: mbasti - location-* commands
<br>
</blockquote>
Needs rebase.
<br>
<br>
<br>
<blockquote type="cite">diff --git
a/install/share/bootstrap-template.ldif
<br>
b/install/share/bootstrap-template.ldif
<br>
index
<br>
628a8e2e0f5483b9f6f565b0c7d11eb000a5912d..83be4399508a905f8eae7e2f59140a6b4051b661
<br>
<br>
100644
<br>
--- a/install/share/bootstrap-template.ldif
<br>
+++ b/install/share/bootstrap-template.ldif
<br>
@@ -119,6 +119,12 @@ objectClass: nsContainer
<br>
objectClass: top
<br>
cn: etc
<br>
+dn: cn=locations,cn=etc,$SUFFIX
<br>
+changetype: add
<br>
+objectClass: nsContainer
<br>
+objectClass: top
<br>
+cn: locations
<br>
+
<br>
dn: cn=sysaccounts,cn=etc,$SUFFIX
<br>
changetype: add
<br>
objectClass: nsContainer
<br>
diff --git a/install/updates/37-locations.update
<br>
b/install/updates/37-locations.update
<br>
index
<br>
e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..cf47e6d6296af830a76aad2c9b9f5a6ea5d9f3a1
<br>
<br>
100644
<br>
--- a/install/updates/37-locations.update
<br>
+++ b/install/updates/37-locations.update
<br>
@@ -0,0 +1,4 @@
<br>
+dn: cn=locations,cn=etc,$SUFFIX
<br>
+default: objectClass: nsContainer
<br>
+default: objectClass: top
<br>
+default: cn: locations
<br>
</blockquote>
Ok.
<br>
<br>
[...]
<br>
<br>
<blockquote type="cite">diff --git
a/ipalib/plugins/location.py
b/ipalib/plugins/location.py
<br>
index
<br>
8090bb1637c4d826b9a746a82b98ece903e321cc..d52d2baeb8bfb2fddeac40b281268622d47c6aeb
<br>
<br>
100644
<br>
--- a/ipalib/plugins/location.py
<br>
+++ b/ipalib/plugins/location.py
<br>
</blockquote>
[...]
<br>
<blockquote type="cite">+__doc__ = _("""
<br>
+IPA locations
<br>
+""") + _("""
<br>
+Manipulate with DNS locations
<br>
</blockquote>
IMHO "with" should be omited. [...]
<br>
<br>
<br>
<blockquote type="cite">+@register()
<br>
+class location(LDAPObject):
<br>
+ """
<br>
+ IPA locations
<br>
+ """
<br>
</blockquote>
[...]
<br>
<br>
<blockquote type="cite">+
permission_filter_objectclasses =
['ipaLocationObject']
<br>
+ managed_permissions = {
<br>
+ 'System: Read IPA Locations': {
<br>
+ 'ipapermright': {'read', 'search',
'compare'},
<br>
+ 'ipapermdefaultattr': {
<br>
+ 'objectclass', 'idnsname',
'description',
<br>
+ },
<br>
+ 'default_privileges': {'DNS
Administrators'},
<br>
+ },
<br>
+ 'System: Add IPA Locations': {
<br>
+ 'ipapermright': {'add'},
<br>
+ 'default_privileges': {'DNS
Administrators'},
<br>
+ },
<br>
+ 'System: Remove IPA Locations': {
<br>
+ 'ipapermright': {'delete'},
<br>
+ 'default_privileges': {'DNS
Administrators'},
<br>
+ },
<br>
+ 'System: Modify IPA Locations': {
<br>
+ 'ipapermright': {'write'},
<br>
+ 'ipapermdefaultattr': {
<br>
+ 'description',
<br>
+ },
<br>
+ 'default_privileges': {'DNS
Administrators'},
<br>
+ },
<br>
+ }
<br>
</blockquote>
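Review bot: the four managed permissions cover only the location entries themselves; the ipaLocation and ipaLocationWeight attributes that patch 2 adds to member entries through ipaLocationMember get no ACI here, so a DNS Administrator can create and describe a location but cannot assign a server to it. The commit message says the server side comes later, so this is acceptable for a prototype, but the gap should be stated there so the follow-up does not forget the write permission on the member objectclass.
<br>
<br>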
Sounds reasonable. ACI does not allow renaming a
location, but IMHO this is
<br>
okay.
<br>
The fewer renames we support, the better.
<br>
<br>
<br>
<blockquote type="cite">+
<br>
+ takes_params = (
<br>
+ DNSNameParam(
<br>
+ 'idnsname',
<br>
+ cli_name='name',
<br>
+ primary_key=True,
<br>
+ label=_('Location name'),
<br>
+ doc=_('IPA location name'),
<br>
+ # dns name must be relative, we will
put it into middle of
<br>
+ # location domain name for location
records
<br>
+ only_relative=True,
<br>
+ ),
<br>
</blockquote>
Okay. We need to make sure that relative names with
multiple labels work -
<br>
but
<br>
this should automagically work as long as we are
handling DNS names using
<br>
proper data types (not as strings).
<br>
<br>
<br>
<blockquote type="cite">+ Str(
<br>
+ 'description?',
<br>
+ label=_('Description'),
<br>
+ doc=_('IPA Location description'),
<br>
+ ),
<br>
</blockquote>
After discussion with Honza we will keep description
as single-value in the
<br>
IPA framework and ignore that the description attribute
is multi-value in LDAP.
<br>
This is done for consistency with mistakes from the
past.
<br>
<br>
[...]
<br>
<br>
<blockquote type="cite">+@register()
<br>
+class location_mod(LDAPUpdate):
<br>
+ __doc__ = _('Modify information about an IPA
location .')
<br>
</blockquote>
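Review bot: stray space before the period in 'Modify information about an IPA location .'; this __doc__ string is what `ipa location-mod --help` prints as the command summary, so drop the space whichever wording is settled on.
<br>
<br>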
This should say 'Modify description' because nothing
else can be modified.
<br>
More specific text would hopefully stop some people
from looking for rename
<br>
options.
<br>
</blockquote>
I disagree, this is a general description of the
modify command; see
<br>
privilege-add, it is the same as I made. I can see that in
future we will
<br>
forget to update the description of a command if we add
something new there.
<br>
</blockquote>
This is really an invalid argument.
<br>
<br>
"We must not touch XYZ because its documentation might
become obsolete in
<br>
future if we forget to update it!" :-)
<br>
<br>
</blockquote>
How about inconsistency with the description of older
commands? I don't think that a
<br>
command description should describe attributes that are
allowed to change.
<br>
Allowed attributes are shown in --help output.
<br>
</blockquote>
I do not agree, but push whatever variant you like; it has cost
too much already.
<br>
</blockquote>
NACK anyway. ipa-dns-install screams if you install a server
without DNS and
<br>
run ipa-dns-install later on:
<br>
<br>
The log contains this:
<br>
<br>
add objectClass:
<br>
top
<br>
groupofnames
<br>
nestedgroup
<br>
add cn:
<br>
DNS Administrators
<br>
add description:
<br>
DNS Administrators
<br>
adding new entry "cn=DNS
<br>
Administrators,cn=privileges,cn=pbac,dc=dom-033,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com"
<br>
<br>
<br>
2016-05-10T16:53:05Z DEBUG stderr=ldap_initialize(
<br>
ldapi://%2Fvar%2Frun%2Fslapd-DOM-033-ABC-IDM-LAB-ENG-BRQ-REDHAT-COM.socket/??base
<br>
)
<br>
SASL/EXTERNAL authentication started
<br>
SASL username:
gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
<br>
SASL SSF: 0
<br>
ldap_add: Already exists (68)
<br>
<br>
2016-05-10T16:53:05Z CRITICAL Failed to load dns.ldif: Command
<br>
'/usr/bin/ldapmodify -v -f /tmp/tmpMvWMaT -H
<br>
ldapi://%2fvar%2frun%2fslapd-DOM-033-ABC-IDM-LAB-ENG-BRQ-REDHAT-COM.socket
-Y
<br>
EXTERNAL' returned non-zero exit status 68
<br>
<br>
</blockquote>
Well, I cannot reproduce it; this should be resolved by patch 473.
<br>
<br>
</blockquote>
<br>
Updated patches attached
<br>
<br>
I found that IDNA did not work with the previous version, fixed + IDNA
tests added.
<br>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
</blockquote>
Fixed here, I sent the wrong patches before<br>
<br>
<br>
</body>
</html>