On 08/10/2012 11:45 PM, Rob Crittenden wrote:
> Robert Crittenden wrote:
>> This looks good, I just want to amend the commit with the tickets that this
>> addresses before pushing.
>>
>> It seems that this covers 1670-1674. Is 1392 included as well?
>>
>> rob
>>
>> ----- Original Message -----
>> From: "John Dennis" <[email protected]>
>> To: "freeipa-devel" <[email protected]>
>> Sent: Friday, August 10, 2012 1:11:23 PM
>> Subject: [Freeipa-devel] [PATCH 76] Use DN objects instead of strings
>>
>> Due to the size and disruptive nature of this patch it was reviewed and
>> tested outside the normal patch review process, see the thread "DN patch
>> and documentation" as well as other threads on this list. This patch is
>> the cumulative result of that review process.
>>
>> John
>>
> 
> Posting this since I haven't pushed the patch yet. I found this installing
> with --selfsign:
> 
> diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
> index 1bbee35..eebaa48 100644
> --- a/ipaserver/install/certs.py
> +++ b/ipaserver/install/certs.py
> @@ -1048,7 +1048,7 @@ class CertDB(object):
>          # Prepare a simple cert request
>          req_dict = dict(PASSWORD=self.gen_password(),
>                          SUBJBASE=self.subject_base,
> -                        CERTNAME=DN('CN', nickname))
> +                        CERTNAME=DN(('CN', nickname)))
>          req_template = ipautil.SHARE_DIR + reqcfg + ".template"
>          conf = ipautil.template_file(req_template, req_dict)
>          fd = open(reqcfg, "w+")
> 
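Review bot: CERTNAME in req_dict is now a DN object rather than a string, and ipautil.template_file() has to turn it into text when it fills the request template. Please confirm the rendered subject is the plain string form the template expects, or pass str(DN(('CN', nickname))) explicitly. Since the two-string form DN('CN', nickname) only showed up during a --selfsign install, a search for other DN('...', value) calls that were meant to be single-RDN tuples would be a cheap follow-up.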


Good job John, I think we are very close to push. I am attaching 2 patches to fix
the last major issues I found. One for "ipa-replica-manage list" which crashed
when winsync agreements were on and also a few blocking issues in the migration
plugin. Both patches are tested and issues resolved.

winsync replica agreements setup will need one more patch. But this issue did
not originate in DN - I will send a separate patch based on top of your work.

Martin
From c588f2b7579542ac6247bf82400109b69a8d81b6 Mon Sep 17 00:00:00 2001
From: Martin Kosek <[email protected]>
Date: Mon, 13 Aug 2012 10:20:01 +0200
Subject: [PATCH 1/2] Fix DN usage in ipa-replica-manage list

ipa-replica-manage list crashes when winsync replica was configured.
---
 install/tools/ipa-replica-manage | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage
index d4b551fab1e1b4c3219af501e2914c855e2e0bd9..b2e819d1e48d0cf56c5fbd2641ecf039a3b54dfc 100755
--- a/install/tools/ipa-replica-manage
+++ b/install/tools/ipa-replica-manage
@@ -146,9 +146,7 @@ def list_replicas(realm, host, replica, dirman_passwd, verbose):
         pass
     else:
         for ent in entries:
-            peers[ent.getValue('cn')] = ent.ipaconfigstring.split(':')
-
-
+            peers[ent.getValue('cn')] = ent.getValue('ipaConfigString').split(':')
 
     if not replica:
         for k, p in peers.iteritems():
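Review bot: in the new peers[...] line, .split(':') is called directly on the result of ent.getValue('ipaConfigString'), so an entry in this loop without that attribute would still fail here if getValue() returns None for a missing attribute. Consider guarding the value before splitting, and state in the commit message why the attribute-style access ent.ipaconfigstring failed for winsync replicas so the next reader does not reintroduce it.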
-- 
1.7.11.2

From 1129c3492c074ff7e526c246badb510476960edd Mon Sep 17 00:00:00 2001
From: Martin Kosek <[email protected]>
Date: Mon, 13 Aug 2012 13:43:27 +0200
Subject: [PATCH 2/2] Fix DN usage in migration plugin

migration failed when baseDN was being read from remote rootDSE.
python-ldap also does not like [] being passed as an attribute to
new LDAP entry.
---
 ipalib/plugins/migration.py | 13 ++++++-------
 ipaserver/plugins/ldap2.py  |  7 ++++---
 2 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/ipalib/plugins/migration.py b/ipalib/plugins/migration.py
index 6002f0b6d9510b64eb0d591861e3457942f2aa49..157ab4447e08ccf441df11f3528a16bc896fe449 100644
--- a/ipalib/plugins/migration.py
+++ b/ipalib/plugins/migration.py
@@ -580,11 +580,9 @@ can use their Kerberos accounts.''')
 
     def _get_search_bases(self, options, ds_base_dn, migrate_order):
         search_bases = dict()
-        ds_base_dn = DN(ds_base_dn)
         for ldap_obj_name in migrate_order:
             container = options.get('%scontainer' % to_cli(ldap_obj_name))
             if container:
-                container = DN(container)
                 # Don't append base dn if user already appended it in the container dn
                 if container.endswith(ds_base_dn):
                     search_base = container
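Review bot: with both DN() coercions removed, container.endswith(ds_base_dn) depends on the caller supplying DN objects for ds_base_dn and for every '%scontainer' option, and nothing in _get_search_bases checks that. An assert isinstance(container, DN) next to the existing comment, in the style of the asserts used further down in this file, or a short docstring stating the expected types would make the contract explicit.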
@@ -592,7 +590,7 @@ can use their Kerberos accounts.''')
                     search_base = DN(container, ds_base_dn)
             else:
                 search_base = ds_base_dn
-            search_bases[ldap_obj_name] = str(search_base)
+            search_bases[ldap_obj_name] = search_base
         return search_bases
 
     def migrate(self, ldap, config, ds_ldap, ds_base_dn, options):
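Review bot: search_bases[ldap_obj_name] now holds a DN instead of a str, which changes the return type of _get_search_bases for every consumer, and the method has no docstring recording that. Please document the returned mapping as object name to DN and check that the code which passes these values on to searches accepts DN objects.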
@@ -749,7 +747,8 @@ can use their Kerberos accounts.''')
         config = ldap.get_ipa_config()[1]
 
         ds_base_dn = options.get('basedn')
-        assert isinstance(ds_base_dn, DN)
+        if ds_base_dn is not None:
+            assert isinstance(ds_base_dn, DN)
 
         # check if migration mode is enabled
         if config.get('ipamigrationenabled', ('FALSE', ))[0] == 'FALSE':
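Review bot: the two-line guard around the assert can be a single statement, assert ds_base_dn is None or isinstance(ds_base_dn, DN), which keeps the check directly under the options.get('basedn') line it belongs to. Note that assert is removed under python -O, so this documents the expected type rather than validating the option.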
@@ -773,15 +772,15 @@ can use their Kerberos accounts.''')
         if not ds_base_dn:
             # retrieve base DN from remote LDAP server
             (entries, truncated) = ds_ldap.find_entries(
-                '', ['namingcontexts', 'defaultnamingcontext'], '',
+                '', ['namingcontexts', 'defaultnamingcontext'], DN(''),
                 _ldap.SCOPE_BASE, size_limit=-1, time_limit=0,
             )
             if 'defaultnamingcontext' in entries[0][1]:
-                ds_base_dn = entries[0][1]['defaultnamingcontext'][0]
+                ds_base_dn = DN(entries[0][1]['defaultnamingcontext'][0])
                 assert isinstance(ds_base_dn, DN)
             else:
                 try:
-                    ds_base_dn = entries[0][1]['namingcontexts'][0]
+                    ds_base_dn = DN(entries[0][1]['namingcontexts'][0])
                     assert isinstance(ds_base_dn, DN)
                 except (IndexError, KeyError), e:
                     raise StandardError(str(e))
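Review bot: the strings wrapped in DN(...) here come from the remote server's rootDSE, yet only IndexError and KeyError are caught in the namingcontexts branch and nothing is caught in the defaultnamingcontext branch, so a malformed naming context would surface as whatever DN() raises on bad input. Consider turning that case into a clear migration error, and note that entries[0] is also indexed outside the try block. The two assert isinstance(ds_base_dn, DN) lines directly after the DN(...) calls can no longer fail and could be dropped.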
diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py
index 988ec0c9a438c179dc75d0abf5453159dc04c330..a0b91fd5d7214b181cb660c1788d9cbd6062c097 100644
--- a/ipaserver/plugins/ldap2.py
+++ b/ipaserver/plugins/ldap2.py
@@ -898,10 +898,11 @@ class ldap2(CrudBackend):
 
         if normalize:
             dn = self.normalize_dn(dn)
-        # remove all None values, python-ldap hates'em
+        # remove all None or [] values, python-ldap hates'em
         entry_attrs = dict(
-            # FIXME, shouldn't None values be an error?
-            (k, v) for (k, v) in entry_attrs.iteritems() if v is not None
+            # FIXME, shouldn't these values be an error?
+            (k, v) for (k, v) in entry_attrs.iteritems()
+            if v is not None and v != []
         )
         try:
             self.conn.add_s(dn, list(entry_attrs.iteritems()))
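Review bot: the new condition v != [] drops empty lists but lets other empty sequences such as () through to self.conn.add_s(), and the FIXME still leaves open whether these values should be an error. If callers can pass tuples, test for an empty list or tuple rather than comparing to [], and consider logging the dropped attribute names so a silently skipped attribute is visible.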
-- 
1.7.11.2
