[Freeipa-devel] [PATCH] 104 Fixed parameter for user city.
Previously the user's city parameter is defined to use the 'locality' attribute. This was a problem because the attribute would be returned as 'l' by the directory server causing a mismatch. Now the parameter has been changed to use the 'l' attribute.

https://fedorahosted.org/freeipa/ticket/985

--
Endi S. Dewata

From c2075a750c8655532aec448b7c47318def92636f Mon Sep 17 00:00:00 2001
From: Endi S. Dewata
Date: Fri, 18 Feb 2011 00:12:04 -0600
Subject: [PATCH] Fixed parameter for user city.

Previously the user's city parameter is defined to use the 'locality' attribute. This was a problem because the attribute would be returned as 'l' by the directory server causing a mismatch. Now the parameter has been changed to use the 'l' attribute.
---
API.txt | 12 ++--
ipalib/plugins/user.py|4 ++--
tests/test_xmlrpc/test_user_plugin.py |4 ++--
3 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/API.txt b/API.txt index 2dbc50bdf6c37a472202dc480265eafdf692c145..9fd8ae4a05149e9dfd94b4db0ee6f8d7cbb52af8 100644 --- a/API.txt +++ b/API.txt 
@@ -2542,8 +2542,8 @@ option: Password('userpassword', attribute=True, cli_name='password', exclude='w option: Int('uidnumber', attribute=True, autofill=True, cli_name='uid', default=999, label=Gettext('UID', domain='ipa', localedir=None), minvalue=1, multivalue=False, required=False) option: Int('gidnumber', attribute=True, cli_name='gidnumber', default_from=DefaultFrom(, 'uid'), label=Gettext('GID', domain='ipa', localedir=None), multivalue=False, required=False) option: Str('street', attribute=True, cli_name='street', label=Gettext('Street address', domain='ipa', localedir=None), multivalue=False, required=False) -option: Str('locality', attribute=True, cli_name='city', label=Gettext('City', domain='ipa', localedir=None), multivalue=False, required=False) -option: Str('st', attribute=True, cli_name='state', label=Gettext('State', domain='ipa', localedir=None), multivalue=False, required=False) +option: Str('l', attribute=True, cli_name='city', label=Gettext('City', domain='ipa', localedir=None), multivalue=False, required=False) +option: Str('st', attribute=True, cli_name='state', label=Gettext('State/Province', domain='ipa', localedir=None), multivalue=False, required=False) option: Int('postalcode', attribute=True, cli_name='postalcode', label=Gettext('ZIP', domain='ipa', localedir=None), multivalue=False, required=False) option: Str('telephonenumber', attribute=True, cli_name='phone', label=Gettext('Telephone Number', domain='ipa', localedir=None), multivalue=True, required=False) option: Str('mobile', attribute=True, cli_name='mobile', label=Gettext('Mobile Telephone Number', domain='ipa', localedir=None), multivalue=True, required=False) 
@@ -2598,8 +2598,8 @@ option: Password('userpassword', attribute=True, autofill=False, cli_name='passw option: Int('uidnumber', attribute=True, autofill=False, cli_name='uid', default=999, label=Gettext('UID', domain='ipa', localedir=None), minvalue=1, multivalue=False, query=True, required=False) option: Int('gidnumber', attribute=True, autofill=False, cli_name='gidnumber', default_from=DefaultFrom(, 'uid'), label=Gettext('GID', domain='ipa', localedir=None), multivalue=False, query=True, required=False) option: Str('street', attribute=True, autofill=False, cli_name='street', label=Gettext('Street address', domain='ipa', localedir=None), multivalue=False, query=True, required=False) -option: Str('locality', attribute=True, autofill=False, cli_name='city', label=Gettext('City', domain='ipa', localedir=None), multivalue=False, query=True, required=False) -option: Str('st', attribute=True, autofill=False, cli_name='state', label=Gettext('State', domain='ipa', localedir=None), multivalue=False, query=True, required=False) +option: Str('l', attribute=True, autofill=False, cli_name='city', label=Gettext('City', domain='ipa', localedir=None), multivalue=False, query=True, required=False) +option: Str('st', attribute=True, autofill=False, cli_name='state', label=Gettext('State/Province', domain='ipa', localedir=None), multivalue=False, query=True, required=False) option: Int('postalcode', attribute=True, autofill=False, cli_name='postalcode', label=Gettext('ZIP', domain='ipa', localedir=None), multivalue=False, query=True, required=False) option: Str('telephonenumber', attribute=True, autofill=False, cli_name='phone', label=Gettext('Telephone Number', domain='ipa', localedir=None), multivalue=True, query=True, required=False) option: Str('mobile', attribute=True, autofill=False, cli_name='mobile', label=Gettext('Mobile Telephone Number', domain='ipa', localedir=None), multivalue=True, query=True, required=False) 
@@ -2641,8 +2641,8 @@ option: Password('userpassword', attribute=True, autofill=False, cli_name='passw option: Int('uidnumber', attribute=True, autofill=False, cli_name='uid', default=999, label=Gettext('UID', domain='ipa', localedir=None), minvalue=1
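Review bot: The second changed line in each API.txt hunk relabels 'st' from 'State' to 'State/Province', which the commit message does not mention; it only describes the city parameter. Either name the label change in the message or move it to its own patch. The rename from 'locality' to 'l' also changes the option name that API callers pass (only cli_name='city' stays the same), so the message should say whether existing callers that send 'locality' are expected to switch to 'l'.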
[Freeipa-devel] [PATCH] 105 Updated json_metadata and i18n_messages.
The json_metadata() has been updated to return ipa.Objects and ipa.Methods. The i18n_messages() has been updated to include other messages that are not available from the metadata.

https://fedorahosted.org/freeipa/ticket/899

--
Endi S. Dewata

From 95713cc08453380ed686f265eeb0836b76388a87 Mon Sep 17 00:00:00 2001
From: Endi S. Dewata
Date: Fri, 18 Feb 2011 00:02:51 -0600
Subject: [PATCH] Updated json_metadata and i18n_messages.

The json_metadata() has been updated to return ipa.Objects and ipa.Methods. The i18n_messages() has been updated to include other messages that are not available from the metadata.
---
API.txt| 10 +-
ipalib/plugins/baseldap.py | 10 ++
ipalib/plugins/hbacrule.py |4 +
ipalib/plugins/host.py |1 +
ipalib/plugins/internal.py | 298 ---
ipalib/plugins/service.py |1 +
6 files changed, 299 insertions(+), 25 deletions(-)

diff --git a/API.txt b/API.txt index 6e532da8805c9bff0bc1d95dbd683f073b06fccf..cb0eb514fac6aa1551d17a6df7efa1db726c91c9 100644 --- a/API.txt +++ b/API.txt 
@@ -1280,7 +1280,7 @@ option: Str('nsosversion', attribute=True, cli_name='os', label=Gettext('Operati option: Str('userpassword', attribute=True, cli_name='password', label=Gettext('User password', domain='ipa', localedir=None), multivalue=False, required=False) option: Flag('random', attribute=True, autofill=True, cli_name='random', default=False, flags=['no_search'], label=FixMe('random'), multivalue=False, required=False) option: Bytes('usercertificate', validate_certificate, attribute=True, cli_name='certificate', label=Gettext('Certificate', domain='ipa', localedir=None), multivalue=False, required=False) -option: Flag('force', autofill=True, default=False,lag('force', autofill=True, default=False, doc=Gettext('force host name even if not in DNS', domain='ipa', localedir=None)) +option: Flag('force', autofill=True, default=False, label=Gettext('Force', domain='ipa', localedir=None)) option: Flag('no_reverse', autofill=True, default=False,lag('no_reverse', autofill=True, default=False, doc=Gettext('skip reverse DNS detection', domain='ipa', localedir=None)) option: Str('ip_address?', validate_ipaddr,tr('ip_address?', validate_ipaddr, doc=Gettext('Add the host to DNS with this IP address', domain='ipa', localedir=None)) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui', flags=['no_output']) 
@@ -1472,9 +1472,11 @@ command: i18n_messages args: 0,0,1 output: Output('messages', , Gettext('Dict of I18N messages', domain='ipa', localedir=None)) command: json_metadata -args: 1,0,1 +args: 2,0,2 arg: Str('objname?',tr('objname?', doc=Gettext('Name of object to export', domain='ipa', localedir=None)) -output: Output('metadata', , Gettext('Dict of JSON encoded IPA Objects', domain='ipa', localedir=None)) +arg: Str('methodname?',tr('methodname?', doc=Gettext('Name of method to export', domain='ipa', localedir=None)) +output: Output('objects', , Gettext('Dict of JSON encoded IPA Objects', domain='ipa', localedir=None)) +output: Output('methods', , Gettext('Dict of JSON encoded IPA Methods', domain='ipa', localedir=None)) command: krbtpolicy_mod args: 1,8,3 arg: Str('uid', attribute=True, cli_name='user', label=Gettext('User name', domain='ipa', localedir=None), multivalue=False, primary_key=True, query=True, required=False) @@ -2082,7 +2084,7 @@ command: service_add args: 1,5,3 arg: Str('krbprincipalname', validate_principal, attribute=True, cli_name='principal', label=Gettext('Principal', domain='ipa', localedir=None), multivalue=False, normalizer=, primary_key=True, required=True) option: Bytes('usercertificate', validate_certificate, attribute=True, cli_name='certificate', flags=['no_search'], label=Gettext('Certificate', domain='ipa', localedir=None), multivalue=False, required=False) -option: Flag('force', autofill=True, default=False,lag('force', autofill=True, default=False, doc=Gettext('force principal name even if not in DNS', domain='ipa', localedir=None)) +option: Flag('force', autofill=True, default=False, label=Gettext('Force', domain='ipa', localedir=None)) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui', flags=['no_output']) option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui', flags=['no_output']) option: Str('version?', exclude='webui', flags=['no_option', 'no_output']) 
diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py index 2d25219daa2e4a464d650705665aaa6ff33f1a16..2e284274b219180c3c2e35504f58d23b5a816593 100644 --- a/ipalib/plugins/baseldap.py +++ b/ipalib/plugins/baseldap.py @@ -620,6 +620,16 @@ class LDAPCreate(CallbackInterface, crud.Create): def exc_callback(self, keys, options, exc, call_func, *call_args, **call_kwargs): raise exc +# list of attributes we want exported to JSON +json_friendly_attributes = ( +'takes_options', +) + +def __json__(self
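Review bot: In the json_metadata hunk of API.txt the 'metadata' output is replaced by 'objects' and 'methods' instead of being kept next to them, so any caller that still reads the 'metadata' output stops working; the commit message should say that the output was renamed, or the old key should stay for a transition period. In the two 'force' flag changes, the doc text ('force host name even if not in DNS', 'force principal name even if not in DNS') is dropped in favour of a bare label 'Force'; keeping doc= alongside the new label would preserve the explanation of what is being forced.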
Re: [Freeipa-devel] Localization patches.
On 2011-02-17 22:52, Rob Crittenden wrote:
Pavel Zůna wrote:
On 2011-02-17 05:09, Rob Crittenden wrote:
Pavel Zůna wrote:

My efforts in fixing localization all around the framework and preparing it for localizing docstrings have resulted in a lot of patches. Because I understand they have become a bit hard to track, I decided to post them all together in this thread to make review easier.

After this is committed, there will be one more patch that switches xgettext for pygettext. Then hopefully, we'll be pretty much set when it comes to i18n.

Pavel

Patch 81 isn't applying for me.

Help is not working for me either, this is due to patch 80.

$ ipa help user
ipa: ERROR: NameError: global name '_' is not defined
Traceback (most recent call last):
  File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 1087, in run
    api.finalize()
  File "/home/rcrit/redhat/freeipa-version/ipalib/plugable.py", line 619, in finalize
    plugin_iter(base, (magic[k] for k in magic))
  File "/home/rcrit/redhat/freeipa-version/ipalib/base.py", line 397, in __init__
    sorted(members, key=lambda m: getattr(m, name_attr))
  File "/home/rcrit/redhat/freeipa-version/ipalib/plugable.py", line 608, in plugin_iter
    plugins[klass] = PluginInstance(klass)
  File "/home/rcrit/redhat/freeipa-version/ipalib/plugable.py", line 585, in __init__
    self.instance = klass()
  File "/home/rcrit/redhat/freeipa-version/ipalib/plugable.py", line 184, in __init__
    self.doc = _(inspect.getdoc(cls))
NameError: global name '_' is not defined
ipa: ERROR: an internal error has occurred

Patches 69, 71 and 73 are still working fine.

What is switching from xgettext to pygettext going to do?

This was answered by John Dennis: xgettext doesn't parse python docstrings.

rob

Rebased version of 81 attached. It should also fix the traceback you're getting.

Pavel

Something is still not working.

I'm having a hard time reproducing how I got this but with LANG=es_US.UTF-8 for a while I was getting this with every ipa user-* request:

ipa: ERROR: UnicodeEncodeError: 'ascii' codec can't encode character u'\xf1' in position 20: ordinal not in range(128)
Traceback (most recent call last):
  File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 1090, in run
    sys.exit(api.Backend.cli.run(argv))
  File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 917, in run
    rv = cmd.output_for_cli(self.api.Backend.textui, result, *args, **options)
  File "/home/rcrit/redhat/freeipa-version/ipalib/frontend.py", line 953, in output_for_cli
    textui.print_entries(result, order, labels, flags, print_all)
  File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 346, in print_entries
    self.print_entry(entry, order, labels, flags, print_all, format, indent)
  File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 378, in print_entry
    label, value, format, indent, one_value_per_line
  File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 309, in print_attribute
    self.print_indented(format % (attr, text[0]), indent)
  File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 232, in print_indented
    print (CLI_TAB * indent + text)
UnicodeEncodeError: 'ascii' codec can't encode character u'\xf1' in position 20: ordinal not in range(128)
ipa: ERROR: ha ocurrido un error interno

I think it is blowing up on this user:

User login: jose
First name: Jose
Last name: contraseñas
Home directory: /home/jose
Login shell: /bin/sh
Account disabled: TRUE
Member of groups: ipausers

Then all of a sudden things started working fine, so I'm not sure what's going on.

Is this traceback meaningful to you?

rob

This looks like a bug in the textui backend. You get this error when you do something like this:

>>> a = u'\xf1'
>>> a.decode('utf-8')
Traceback (most recent call last):
  File "", line 1, in
  File "/usr/lib/python2.6/encodings/utf_8.py", line 16, in decode
    return codecs.utf_8_decode(input, errors, True)
UnicodeEncodeError: 'ascii' codec can't encode character u'\xf1' in position 0: ordinal not in range(128)

It means we're not handling encoding/decoding from/to the CLI right somewhere. The character \xf1 corresponds to the small N with tilde in Jose's last name.

I'm going to look into it, but I don't think it's related to the localization patches.

Pavel

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
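The failure mode discussed in this message, reproduced as an added example (not code from the thread or from FreeIPA): an indented text UI writes a non-ASCII value to a terminal stream whose encoding is ASCII. It is written for Python 3, whereas the thread concerns Python 2.6; the helper names, the in-memory terminal and the sample entry are constructed for illustration.

```python
import io

# Constructed sample entry, modelled on the user shown in the thread.
ENTRY = [("User login", "jose"), ("Last name", "contrase\u00f1as")]


def render(entry, indent=1, tab="  "):
    """Format label/value pairs as indented 'label: value' lines."""
    return [tab * indent + "%s: %s" % (label, value) for label, value in entry]


def write_lines(lines, encoding, errors="strict"):
    """Write lines to an in-memory 'terminal' that only accepts `encoding`.

    Returns the bytes that reached the terminal. With errors="strict" a
    character outside the encoding raises UnicodeEncodeError, which is the
    kind of crash reported in the thread.
    """
    raw = io.BytesIO()
    term = io.TextIOWrapper(raw, encoding=encoding, errors=errors, newline="\n")
    for line in lines:
        term.write(line + "\n")
    term.flush()
    return raw.getvalue()


def first_unencodable(lines, encoding):
    """Locate the first character the terminal encoding cannot represent.

    Returns (line_index, column, character), or None if everything fits.
    Useful for turning an opaque traceback into "which entry, which field".
    """
    for index, line in enumerate(lines):
        try:
            line.encode(encoding)
        except UnicodeEncodeError as exc:
            return index, exc.start, line[exc.start]
    return None


def safe_write(lines, encoding):
    """Degrade instead of crashing: unencodable characters become escapes."""
    return write_lines(lines, encoding, errors="backslashreplace")


if __name__ == "__main__":
    rendered = render(ENTRY)
    print(first_unencodable(rendered, "ascii"))
    print(safe_write(rendered, "ascii"))
    print(write_lines(rendered, "utf-8"))
```

The strict ASCII case fails on the second line only, which matches the observation that a single user entry triggered the error while other output worked.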
Re: [Freeipa-devel] [PATCH] 732 don't ignore nss_shutdown errors
On 02/18/2011 05:19 AM, Rob Crittenden wrote:
> Right before rc1 I discovered a problem in ipa-replica-prepare. It was
> crashing when trying to generate the SSL certificates. The first time it
> failed on nss_shutdown() claiming that NSS wasn't initialized. The
> second time because some object was still in use.
>
> I tracked this down to a change that enables replication. This happens
> using an SSL connection to the server. I'm thinking this is some
> interaction with the openldap NSS connection.
>
> The fix is to use an ldapi connection instead.
>
> ticket 965
>
> rob
>

Ack
[Freeipa-devel] [PATCH] 061 Validate NAPTR records
I'm not sure about checking the flags - this might be a little too much validation.

https://fedorahosted.org/freeipa/ticket/840

From a0fa22d28602d09c9cb8358a9ef7876e3029b171 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek
Date: Fri, 18 Feb 2011 11:00:36 +0100
Subject: [PATCH] Validate NAPTR records

https://fedorahosted.org/freeipa/ticket/840
---
API.txt |8
ipalib/plugins/dns.py | 26 ++
2 files changed, 30 insertions(+), 4 deletions(-)

diff --git a/API.txt b/API.txt index 1f956ec..91b33c1 100644 --- a/API.txt +++ b/API.txt 
@@ -515,7 +515,7 @@ option: List('keyrecord?', attribute=True, cli_name='key_rec',ist('keyrecord?', option: List('kxrecord?', attribute=True, cli_name='kx_rec',ist('kxrecord?', attribute=True, cli_name='kx_rec', doc='comma-separated list of KX records', label='KX record', multivalue=True) option: List('locrecord?', attribute=True, cli_name='loc_rec',ist('locrecord?', attribute=True, cli_name='loc_rec', doc='comma-separated list of LOC records', label='LOC record', multivalue=True) option: List('mxrecord?', _validate_mx, attribute=True, cli_name='mx_rec',ist('mxrecord?', _validate_mx, attribute=True, cli_name='mx_rec', doc='comma-separated list of MX records', label='MX record', multivalue=True) -option: List('naptrrecord?', attribute=True, cli_name='naptr_rec',ist('naptrrecord?', attribute=True, cli_name='naptr_rec', doc='comma-separated list of NAPTR records', label='NAPTR record', multivalue=True) +option: List('naptrrecord?', _validate_naptr, attribute=True, cli_name='naptr_rec',ist('naptrrecord?', _validate_naptr, attribute=True, cli_name='naptr_rec', doc='comma-separated list of NAPTR records', label='NAPTR record', multivalue=True) option: List('nsrecord?', attribute=True, cli_name='ns_rec',ist('nsrecord?', attribute=True, cli_name='ns_rec', doc='comma-separated list of NS records', label='NS record', multivalue=True) option: List('nsecrecord?', attribute=True, cli_name='nsec_rec',ist('nsecrecord?', attribute=True, cli_name='nsec_rec', doc='comma-separated list of NSEC records', label='NSEC record', multivalue=True) option: List('nsec3record?', attribute=True, cli_name='nsec3_rec',ist('nsec3record?', attribute=True, cli_name='nsec3_rec', doc='comma-separated list of NSEC3 records', label='NSEC3 record', multivalue=True) 
@@ -559,7 +559,7 @@ option: List('keyrecord?', attribute=True, cli_name='key_rec',ist('keyrecord?', option: List('kxrecord?', attribute=True, cli_name='kx_rec',ist('kxrecord?', attribute=True, cli_name='kx_rec', doc='comma-separated list of KX records', label='KX record', multivalue=True) option: List('locrecord?', attribute=True, cli_name='loc_rec',ist('locrecord?', attribute=True, cli_name='loc_rec', doc='comma-separated list of LOC records', label='LOC record', multivalue=True) option: List('mxrecord?', _validate_mx, attribute=True, cli_name='mx_rec',ist('mxrecord?', _validate_mx, attribute=True, cli_name='mx_rec', doc='comma-separated list of MX records', label='MX record', multivalue=True) -option: List('naptrrecord?', attribute=True, cli_name='naptr_rec',ist('naptrrecord?', attribute=True, cli_name='naptr_rec', doc='comma-separated list of NAPTR records', label='NAPTR record', multivalue=True) +option: List('naptrrecord?', _validate_naptr, attribute=True, cli_name='naptr_rec',ist('naptrrecord?', _validate_naptr, attribute=True, cli_name='naptr_rec', doc='comma-separated list of NAPTR records', label='NAPTR record', multivalue=True) option: List('nsrecord?', attribute=True, cli_name='ns_rec',ist('nsrecord?', attribute=True, cli_name='ns_rec', doc='comma-separated list of NS records', label='NS record', multivalue=True) option: List('nsecrecord?', attribute=True, cli_name='nsec_rec',ist('nsecrecord?', attribute=True, cli_name='nsec_rec', doc='comma-separated list of NSEC records', label='NSEC record', multivalue=True) option: List('nsec3record?', attribute=True, cli_name='nsec3_rec',ist('nsec3record?', attribute=True, cli_name='nsec3_rec', doc='comma-separated list of NSEC3 records', label='NSEC3 record', multivalue=True) 
@@ -604,7 +604,7 @@ option: List('keyrecord?', attribute=True, cli_name='key_rec',ist('keyrecord?', option: List('kxrecord?', attribute=True, cli_name='kx_rec',ist('kxrecord?', attribute=True, cli_name='kx_rec', doc='comma-separated list of KX records', label='KX record', multivalue=True) option: List('locrecord?', attribute=True, cli_name='loc_rec',ist('locrecord?', attribute=True, cli_name='loc_rec', doc='comma-separated list of LOC records', label='LOC record', multivalue=True) option: List('mxrecord?', _validate_mx, attribute=True, cli_name='mx_rec',ist('mxrecord?', _va
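Review bot: The diffstat touches only API.txt and ipalib/plugins/dns.py, so _validate_naptr, which these hunks wire into 'naptrrecord?', arrives without a test. Please add cases for a well-formed NAPTR record and for each rejection path, including the flags check the cover note is unsure about, so the strictness can be judged from concrete accepted and rejected inputs.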
[Freeipa-devel] [PATCH] 062 Set SRV discovery for clients only if it succeeded during installation
This is a minor optimization that didn't occur to me yesterday when I was reviewing Rob's patch - sorry.

The patch only adds _srv_ as the first entry if service discovery succeeded during ipa-client-install. This gets rid of the DNS timeout for cases where Bind is not included.

From f2eb0ec3cf4c2bcc698454bba97ed4501deb12b6 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek
Date: Fri, 18 Feb 2011 10:24:40 +0100
Subject: [PATCH] Set SRV discovery for clients only if it succeeded during installation

---
ipa-client/ipa-install/ipa-client-install |6 +++---
1 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index 4b9bd29..f1e3184 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -477,7 +477,7 @@ def configure_certmonger(fstore, subject_base, cli_realm, options): except: print "certmonger request for host certificate failed" -def configure_sssd_conf(fstore, cli_domain, cli_server, options): +def configure_sssd_conf(fstore, cli_domain, cli_server, dnsok, options): fstore.backup_file("/etc/sssd/sssd.conf") sssdconfig = SSSDConfig.SSSDConfig() sssdconfig.new_config() @@ -485,7 +485,7 @@ def configure_sssd_conf(fstore, cli_domain, cli_server, options): domain = sssdconfig.new_domain(cli_domain) domain.add_provider('ipa', 'id') -domain.set_option('ipa_server', '_srv_, %s' % cli_server) +domain.set_option('ipa_server', dnsok and '_srv_, %s' % cli_server or cli_server) domain.set_option('ipa_domain', cli_domain) # Might need this if /bin/hostname doesn't return a FQDN 
@@ -817,7 +817,7 @@ def main(): print "Created /etc/ipa/default.conf" if options.sssd: -if configure_sssd_conf(fstore, cli_domain, cli_server, options): +if configure_sssd_conf(fstore, cli_domain, cli_server, dnsok, options): return 1 print "Configured /etc/sssd/sssd.conf" else: -- 1.7.4
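Review bot: In the -485 hunk, "dnsok and '_srv_, %s' % cli_server or cli_server" leans on the and/or idiom, which gives the intended result only because the formatted string is never empty; building the value with a plain if/else before calling set_option() would be clearer and would not depend on that. The -817 hunk passes dnsok from main(), but none of the visible hunks shows where it is assigned, so please confirm it is set on every path that reaches this call.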
Re: [Freeipa-devel] Scripting the SUDO setup for a client
On Fri, 18 Feb 2011 05:06:34 + JR Aquino wrote:

> On Feb 17, 2011, at 8:38 PM, "Adam Young" wrote:
>
> > I tried to follow the steps to setup Sudo on a client here:
> > https://fedoraproject.org/wiki/QA:Testcase_freeipav2_sudo
> >
> > Of course, since my server wasn't example.com, I had to modify the
> > LDAP filters. I got something wrong.
> >
> > What would I use to script this in keeping with the ipa server
> > technologies we use? I need to modify a bunch of config files.
> > This seems like a task for something like augeas, and I know we use
> > some library to do it.
>
> I believe authconfig is used to populate ldap.conf and maybe even
> nsswitch.conf.
>
> Be aware though that Sudo needs to have an unprivileged binddn User
> and password configured in the ldap.conf file... That's the piece
> that I've been thinking most about. I'm not sure what to do except
> prompt the user during the install script.

This is necessary only when you prevent anonymous binds, right?

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-devel] Scripting the SUDO setup for a client
On Feb 18, 2011, at 5:01 AM, "Simo Sorce" wrote:

> On Fri, 18 Feb 2011 05:06:34 +
> JR Aquino wrote:
>
>> On Feb 17, 2011, at 8:38 PM, "Adam Young" wrote:
>>
>>> I tried to follow the steps to setup Sudo on a client here:
>>> https://fedoraproject.org/wiki/QA:Testcase_freeipav2_sudo
>>>
>>> Of course, since my server wasn't example.com, I had to modify the
>>> LDAP filters. I got something wrong.
>>>
>>> What would I use to script this in keeping with the ipa server
>>> technologies we use? I need to modify a bunch of config files.
>>> This seems like a task for something like augeas, and I know we use
>>> some library to do it.
>>
>> I believe authconfig is used to populate ldap.conf and maybe even
>> nsswitch.conf.
>>
>> Be aware though that Sudo needs to have an unprivileged binddn User
>> and password configured in the ldap.conf file... That's the piece
>> that I've been thinking most about. I'm not sure what to do except
>> prompt the user during the install script.
>
> This is necessary only when you prevent anonymous binds, right?
>
> Simo.

I'm afraid not, Simo.
As you recall, both /etc/sudoers and the 2 Sudo containers in FreeIPA are protected. There is a deliberate default aci which prevents anonymous users from enumerating everyone's Sudo information.

This means it is necessary for Sudo to initiate some form of authenticated bind.

And as we discovered, the SUDO SASL implementation is suboptimal in that it seems to want a cronjob to sit around kinit'ing the /etc/krb5.keytab in order to use its ccache.
[Freeipa-devel] [PATCH] 063 Better doc for idnssoaminimum, minimum parameter values
The doc= value was misleading. The "minimum" value in SOA record defines how long should NXDOMAIN responses be cached. As per RFC 2308, the maximum allowed value should be 3 hours.

Also, many parameters allowed negative values which really don't make sense there (and RFC 1035 disallows them).

From ef3ee6ac3da9c95c57287b687a29bf7ea61f5613 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek
Date: Fri, 18 Feb 2011 13:53:27 +0100
Subject: [PATCH] Better doc for idnssoaminimum

---
API.txt | 30 +++---
ipalib/plugins/dns.py |8 +++-
2 files changed, 22 insertions(+), 16 deletions(-)

diff --git a/API.txt b/API.txt index 91b33c1..77b3f7c 100644 --- a/API.txt +++ b/API.txt 
@@ -697,11 +697,11 @@ args: 1,18,3 arg: Str('idnsname', attribute=True, cli_name='name', label=Gettext('Zone name', domain='ipa', localedir=None), multivalue=False, normalizer=, primary_key=True, required=True) option: Str('idnssoamname', attribute=True, cli_name='name_server', label=Gettext('Authoritative name server', domain='ipa', localedir=None), multivalue=False, required=True) option: Str('idnssoarname', attribute=True, cli_name='admin_email', default_from=DefaultFrom(, 'idnsname'), label=Gettext('Administrator e-mail address', domain='ipa', localedir=None), multivalue=False, normalizer=_rname_normalizer, required=True) -option: Int('idnssoaserial', attribute=True, autofill=True, cli_name='serial', create_default=_create_zone_serial, label=Gettext('SOA serial', domain='ipa', localedir=None), multivalue=False, required=False) -option: Int('idnssoarefresh', attribute=True, autofill=True, cli_name='refresh', default=3600, label=Gettext('SOA refresh', domain='ipa', localedir=None), multivalue=False, required=False) -option: Int('idnssoaretry', attribute=True, autofill=True, cli_name='retry', default=900, label=Gettext('SOA retry', domain='ipa', localedir=None), multivalue=False, required=False) -option: Int('idnssoaexpire', attribute=True, autofill=True, cli_name='expire', default=1209600, label=Gettext('SOA expire', domain='ipa', localedir=None), multivalue=False, required=False) -option: Int('idnssoaminimum', attribute=True, autofill=True, cli_name='minimum', default=3600, label=Gettext('SOA minimum', domain='ipa', localedir=None), multivalue=False, required=False) +option: Int('idnssoaserial', attribute=True, autofill=True, cli_name='serial', create_default=_create_zone_serial, label=Gettext('SOA serial', domain='ipa', localedir=None), minvalue=1, multivalue=False, required=False) +option: Int('idnssoarefresh', attribute=True, autofill=True, cli_name='refresh', default=3600, label=Gettext('SOA refresh', domain='ipa', localedir=None), minvalue=0, 
multivalue=False, required=False) +option: Int('idnssoaretry', attribute=True, autofill=True, cli_name='retry', default=900, label=Gettext('SOA retry', domain='ipa', localedir=None), minvalue=0, multivalue=False, required=False) +option: Int('idnssoaexpire', attribute=True, autofill=True, cli_name='expire', default=1209600, label=Gettext('SOA expire', domain='ipa', localedir=None), minvalue=0, multivalue=False, required=False) +option: Int('idnssoaminimum', attribute=True, autofill=True, cli_name='minimum', default=3600, label=Gettext('SOA minimum', domain='ipa', localedir=None), maxvalue=10800, minvalue=0, multivalue=False, required=False) option: Int('dnsttl', attribute=True, cli_name='ttl', label=Gettext('SOA time to live', domain='ipa', localedir=None), multivalue=False, required=False) option: StrEnum('dnsclass', attribute=True, cli_name='class', label=Gettext('SOA class', domain='ipa', localedir=None), multivalue=False, required=False, values=(u'IN', u'CS', u'CH', u'HS')) option: Str('idnsupdatepolicy', attribute=True, cli_name='update_policy', label=Gettext('BIND update policy', domain='ipa', localedir=None), multivalue=False, required=False) @@ -741,11 +741,11 @@ arg: Str('criteria?') option: Str('idnsname', attribute=True, autofill=False, cli_name='name', label=Gettext('Zone name', domain='ipa', localedir=None), multivalue=False, normalizer=, primary_key=True, query=True, required=False) option: Str('idnssoamname', attribute=True, autofill=False, cli_name='name_server', label=Gettext('Authoritative name server', domain='ipa', localedir=None), multivalue=False, query=True, required=False) option: Str('idnssoarname', attribute=True, autofill=False, cli_name='admin_email', default_from=DefaultFrom(, 'idnsname'), label=Gettext('Administrator e-mail address', domain='ipa', localedir=None), multivalue=False, normalizer=_rname_normalizer, query=True, required=False) -option: Int('idnssoaserial', attribute=True, autofill=False, cli_name='serial
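Review bot: The unchanged 'dnsttl' ('SOA time to live') line in the first hunk still has no minvalue, although the cover note says negative values make no sense for these parameters; add minvalue=0 there as well or explain why the TTL is exempt. The Subject also mentions only better doc for idnssoaminimum, while the hunks add minvalue to serial, refresh, retry and expire and maxvalue=10800 to minimum; the commit message should state the new limits so that a rejected value can be traced back to this change.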
Re: [Freeipa-devel] Scripting the SUDO setup for a client
On Fri, 18 Feb 2011 13:18:36 + JR Aquino wrote:

> I'm afraid not, Simo.
> As you recall, both /etc/sudoers and the 2 Sudo containers in FreeIPA
> are protected. There is a deliberate default aci which prevents
> anonymous users from enumerating everyone's Sudo information.
>
> This means it is necessary for Sudo to initiate some form of
> authenticated bind.
>
> And as we discovered, the SUDO SASL implementation is suboptimal in
> that it seems to want a cronjob to sit around kinit'ing
> the /etc/krb5.keytab in order to use its ccache.

Ouch, I forgot about the ACIs ... I guess we should document how to remove them as an alternative too?

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-devel] Scripting the SUDO setup for a client
On 2/18/11 5:49 AM, "Simo Sorce" wrote:

>On Fri, 18 Feb 2011 13:18:36 +
>JR Aquino wrote:
>
>> I'm afraid not, Simo.
>> As you recall, both /etc/sudoers and the 2 Sudo containers in FreeIPA
>> are protected. There is a deliberate default aci which prevents
>> anonymous users from enumerating everyone's Sudo information.
>>
>> This means it is necessary for Sudo to initiate some form of
>> authenticated bind.
>>
>> And as we discovered, the SUDO SASL implementation is suboptimal in
>> that it seems to want a cronjob to sit around kinit'ing
>> the /etc/krb5.keytab in order to use its ccache.
>
>Ouch, I forgot about the ACIs ... I guess we should document how to
>remove them as an alternative too?
>
>Simo.

There is indeed a ticket to create a 2.1 feature for opening the ACI. Documentation for opening the default ACI will be written in red for those who wish to ignore best security practices...

By default the ACIs were decided to prohibit anonymous access. On a standalone system /etc/sudoers is set to root:root with 440. Sudo information is critically sensitive security information that should be treated at a similar level to passwords in terms of protections.

A binduser is instead suggested as a means to accommodate sudo, and it is written into the beginnings of the documentation.
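The permission argument made in this message, turned into a check that a client-side setup script could run; this is an added example, not code from the thread or from FreeIPA. The root:root 0440 ceiling for sudoers is the one stated above; the 0600 ceiling for a file carrying a `bindpw` line (the sudo LDAP bind password key), the 0644 ceiling otherwise, the case-insensitive key match and all function names are assumptions of the example.

```python
import os
import stat

# Permission ceilings. 0440 for sudoers is taken from the thread; the other
# two are assumed local policy for this example.
SUDOERS_CEILING = 0o440
BIND_SECRET_CEILING = 0o600
PLAIN_CONFIG_CEILING = 0o644


def holds_bind_password(text):
    """True if ldap.conf-style text sets a 'bindpw' value.

    Blank lines and '#' comments are ignored; the key is matched
    case-insensitively and must be followed by a value.
    """
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        parts = stripped.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "bindpw":
            return True
    return False


def audit(path, ceiling, uid=0, gid=0):
    """Return a list of findings for `path`; an empty list means it passes.

    ceiling  -- the most permissive mode the file may have (e.g. 0o440)
    uid, gid -- expected owner and group, root:root by default
    """
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if (st.st_uid, st.st_gid) != (uid, gid):
        findings.append("owner is %d:%d, expected %d:%d"
                        % (st.st_uid, st.st_gid, uid, gid))
    if mode & ~ceiling:
        findings.append("mode %04o grants more than %04o" % (mode, ceiling))
    return findings


def audit_sudo_client(sudoers_path, ldap_conf_path, uid=0, gid=0):
    """Audit the local sudoers file and the LDAP client config.

    The LDAP config is held to the stricter ceiling only when it actually
    contains a bind password, since that is what turns it into a secret.
    """
    with open(ldap_conf_path, encoding="utf-8", errors="replace") as handle:
        has_secret = holds_bind_password(handle.read())
    ldap_ceiling = BIND_SECRET_CEILING if has_secret else PLAIN_CONFIG_CEILING
    return {
        sudoers_path: audit(sudoers_path, SUDOERS_CEILING, uid, gid),
        ldap_conf_path: audit(ldap_conf_path, ldap_ceiling, uid, gid),
    }


if __name__ == "__main__":
    # Paths are the conventional ones; adjust for the system being checked.
    for name, problems in audit_sudo_client("/etc/sudoers", "/etc/ldap.conf").items():
        print(name, "OK" if not problems else "; ".join(problems))
```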
Re: [Freeipa-devel] [PATCH] 031 Remove WebUI identifiers from global namespace
On 02/18/2011 04:10 AM, Martin Kosek wrote:
On Thu, 2011-02-17 at 12:29 -0500, Adam Young wrote:

Looks good. Only problem is on braces. We have a code standard that is like this

IPA.something = function () {

not

IPA.something = function () {

This is due to Javascript being ambiguous in certain circumstances about where it puts an implicit end of statement.
https://fedorahosted.org/freeipa/wiki/Javascript_Coding_Standards

Yes. The same convention is for C/Python code. All those functions violating a code standard were already in UI, I just moved them to sub-namespace in the preceding patch. Nevertheless, I went through all function definitions and I believe I fixed all occurrences of this issue.

For name shortening, sudo.sudorule_ should be sudo.rule_

Obviously :-)

On the patch I sent you as an example, I broke the "View Cert" button. I didn't test that here. Did you make sure that still works?

Yes, this was already fixed. It was also related to the JSLint warnings in your patch that you mentioned earlier. But just to be sure I double-checked this and it's OK.

Patch attached. JSLint, test suite OK.

Martin

ACK. Pushed to master
Re: [Freeipa-devel] [PATCH] Added expand/collapse all.
On 02/11/2011 03:32 PM, Adam Young wrote:
On 02/10/2011 10:57 PM, Endi Sukma Dewata wrote:

Hi Kyle,

I added the expand/collapse all link into the details page. See the following demo:
http://edewata.fedorapeople.org/freeipa/install/ui/index.html#navigation=0&identity=0&user-facet=details&user-pkey=kfrog

Please let me know if this is sufficient for this ticket:
https://fedorahosted.org/freeipa/ticket/737

Thanks!

ACK on the implementation. But the link certainly can't stay there, so hold until UXD looks at it.

You can view the implementation here:
http://admiyo.fedorapeople.org/ipa/ui/#navigation=0&identity=0&user-facet=details&user-pkey=kfrog

ACK. Pushed to master
Re: [Freeipa-devel] [PATCH] Fixed in ipa-server-install help and man page
David O'Brien wrote:
Jan Zelený wrote:
Rob Crittenden wrote:
Jan Zelený wrote:

https://fedorahosted.org/freeipa/ticket/831

Jan

I think I'd like David's take on this, but my initial reaction is I'd prefer the word maximum to maximal.

rob

The second patch is in attachment. Based on David's recommendation you can pick and push the right one.

Jan

Yes, pick "maximum"

maximum it is, pushed to master
Re: [Freeipa-devel] [PATCH] 728 default roles
On 02/17/2011 04:35 AM, Rob Crittenden wrote:
> Add default roles and permissions for HBAC, SUDO and pw policy
>
> Created some default roles as examples. In doing so I realized that we
> were completely missing default rules for HBAC, SUDO and password policy
> so I added those as well.
>
> I ran into a problem when the updater has a default record and an add at
> the same time, it should handle it better now.
>
> ticket 585
>
> rob
>

I'm not sure about the HBAC rules ACIs. They are specified as: 'target = "ldap:///cn=*,cn=hbac,$SUFFIX";' while HBAC rules' DN is: 'ipauniqueid=*,cn=hbac,$SUFFIX'. But HBAC rules do have a cn: attribute, so maybe the ACIs would work?

The patch also needs rebasing on top of recent changes to install/updates/Makefile.am

Other than that, looks OK to me.

btw when I was reviewing this patch, I noticed we add a "DNS Administrators" privilege in dns.ldif. Would it make sense to add DNS administration to "Security Architect" (replication management) and "IT Specialist" (hosts management)?
Re: [Freeipa-devel] [PATCH] 105 Updated json_metadata and i18n_messages.
On 02/18/2011 03:13 AM, Endi Sukma Dewata wrote:

The json_metadata() has been updated to return ipa.Objects and ipa.Methods. The i18n_messages() has been updated to include other messages that are not available from the metadata.

https://fedorahosted.org/freeipa/ticket/899

ACK. Pushed to master
Re: [Freeipa-devel] [PATCH] 104 Fixed parameter for user city.
On 02/18/2011 03:11 AM, Endi Sukma Dewata wrote:

Previously the user's city parameter is defined to use the 'locality' attribute. This was a problem because the attribute would be returned as 'l' by the directory server causing a mismatch. Now the parameter has been changed to use the 'l' attribute.

https://fedorahosted.org/freeipa/ticket/985

ACK. Pushed to master
Re: [Freeipa-devel] [PATCH] 106 I18n update.
On 02/18/2011 03:14 AM, Endi Sukma Dewata wrote:

Hard-coded messages throughout the code have been replaced by i18n messages obtained from json_metadata and i18n_messages.

https://fedorahosted.org/freeipa/ticket/899

Needs rebase, due to mkosek's big patch.
Re: [Freeipa-devel] [PATCH] 732 don't ignore nss_shutdown errors
Jakub Hrozek wrote:
On 02/18/2011 05:19 AM, Rob Crittenden wrote:

Right before rc1 I discovered a problem in ipa-replica-prepare. It was crashing when trying to generate the SSL certificates. The first time it failed on nss_shutdown() claiming that NSS wasn't initialized. The second time because some object was still in use.

I tracked this down to a change that enables replication. This happens using an SSL connection to the server. I'm thinking this is some interaction with the openldap NSS connection. The fix is to use an ldapi connection instead.

ticket 965

rob

Ack

pushed to master
Re: [Freeipa-devel] [PATCH] Reset target DN when generated UUID is used as RDN
Nathan Kinder wrote:

Works for me, I thought I acked this last night. I guess not so ACK.

pushed to master.

rob
Re: [Freeipa-devel] [PATCH] 107 Updated test data files.
On 02/18/2011 03:15 AM, Endi Sukma Dewata wrote:

https://fedorahosted.org/freeipa/ticket/899

If applied without 106 it breaks the unit tests, so hold on this until 106 is rebased
Re: [Freeipa-devel] [PATCH] 728 default roles
Jakub Hrozek wrote:
On 02/17/2011 04:35 AM, Rob Crittenden wrote:

Add default roles and permissions for HBAC, SUDO and pw policy

Created some default roles as examples. In doing so I realized that we were completely missing default rules for HBAC, SUDO and password policy so I added those as well.

I ran into a problem when the updater has a default record and an add at the same time, it should handle it better now.

ticket 585

rob

I'm not sure about the HBAC rules ACIs. They are specified as: 'target = "ldap:///cn=*,cn=hbac,$SUFFIX";' while HBAC rules' DN is: 'ipauniqueid=*,cn=hbac,$SUFFIX'. But HBAC rules do have a cn: attribute, so maybe the ACIs would work?

No, you're right, this is wrong. I'll fix it up and resubmit.

The patch also needs rebasing on top of recent changes to install/updates/Makefile.am

Other than that, looks OK to me.

btw when I was reviewing this patch, I noticed we add a "DNS Administrators" privilege in dns.ldif. Would it make sense to add DNS administration to "Security Architect" (replication management) and "IT Specialist" (hosts management)?

The DNS stuff is added only if DNS is enabled on the server so I can't add them by default.

rob
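The mismatch raised and confirmed in the message above, modelled as an added example (not FreeIPA or 389 Directory Server code): a target clause selects entries by their DN, so `cn=*,cn=hbac,$SUFFIX` cannot select an entry named by `ipauniqueid`, even though that entry carries a `cn` attribute. The wildcard matcher is a simplified assumption of the server's behaviour, and the suffix, UUID, rule name and helper names are constructed for illustration.

```python
import re

SUFFIX = "dc=example,dc=com"  # constructed value standing in for $SUFFIX

# The two target clauses quoted in the thread.
TARGET_AS_SUBMITTED = 'target = "ldap:///cn=*,cn=hbac,$SUFFIX";'
TARGET_BY_RDN = 'target = "ldap:///ipauniqueid=*,cn=hbac,$SUFFIX";'

# Constructed sample entry: an HBAC rule is named by ipauniqueid and also has a cn.
HBAC_RULE = {
    "dn": "ipaUniqueID=6f1c2a3e-0000-4000-8000-00000000abcd,cn=hbac," + SUFFIX,
    "cn": ["allow_admins"],
}


def normalise_dn(dn):
    """Lower-case a DN and strip whitespace around each RDN and its '='."""
    rdns = []
    for rdn in re.split(r"(?<!\\),", dn):  # split on commas that are not escaped
        attr, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError("malformed RDN %r in %r" % (rdn, dn))
        rdns.append(attr.strip().lower() + "=" + value.strip().lower())
    return ",".join(rdns)


def parse_target(clause, suffix=SUFFIX):
    """Return the normalised DN pattern from a 'target = "ldap:///..."' clause."""
    match = re.search(r'\btarget\s*=\s*"ldap:///([^"]*)"', clause)
    if match is None:
        raise ValueError("no ldap:/// target in %r" % clause)
    return normalise_dn(match.group(1).replace("$SUFFIX", suffix))


def target_selects(clause, entry_dn, suffix=SUFFIX):
    """True if the clause's DN pattern covers entry_dn.

    Assumed model: without a wildcard the target covers the named entry and
    its subtree; with '*' the pattern must match the whole normalised DN.
    Attributes stored in the entry (such as cn) play no part in the decision.
    """
    pattern = parse_target(clause, suffix)
    entry = normalise_dn(entry_dn)
    if "*" not in pattern:
        return entry == pattern or entry.endswith("," + pattern)
    regex = ".*".join(re.escape(piece) for piece in pattern.split("*"))
    return re.fullmatch(regex, entry) is not None


def dead_targets(clauses, entries, suffix=SUFFIX):
    """Return the clauses that select none of the sample entries."""
    return [
        clause
        for clause in clauses
        if not any(target_selects(clause, e["dn"], suffix) for e in entries)
    ]


if __name__ == "__main__":
    for clause in (TARGET_AS_SUBMITTED, TARGET_BY_RDN):
        hit = target_selects(clause, HBAC_RULE["dn"])
        print("%-55s selects rule: %s" % (clause, hit))
    print("targets matching no entry:",
          dead_targets([TARGET_AS_SUBMITTED, TARGET_BY_RDN], [HBAC_RULE]))
```

Running `dead_targets` over the ACIs in an update file against a dump of real entry DNs is a quick review check: a permission whose target selects nothing grants nothing, and the role built on it fails without any error at install time.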
Re: [Freeipa-devel] [PATCH 22/22] Update Polish & Ukrainian translations
John Dennis wrote:

pushed to master
Re: [Freeipa-devel] [PATCH] 059 Use unicode parameters in the host plugin
Jakub Hrozek wrote:
On Thu, Feb 17, 2011 at 11:30:03AM +0100, Jan Zelený wrote:

Better, thanks. I'd also like to change the code which is using this function, so the conversion doesn't take place twice.

I think it's safe. The documentation on unicode() says:
---
More precisely, if object is a Unicode string or subclass it will return that Unicode string without any additional decoding applied.

pushed to master
Re: [Freeipa-devel] [PATCH] 19 Cleanup for netgroup search
Jan Zeleny wrote:
JR Aquino wrote:
On 2/17/11 3:23 AM, "Jan Zelený" wrote:
JR Aquino wrote:

This patch fixes the netgroup plugin's behavior of adding duplicate entries when the managed entry plugin creates a netgroup with a mepManagedEntry

This problem is documented in ticket: https://fedorahosted.org/freeipa/ticket/963

As noted by Endi for issue #3 in the History:
"3. Just out of curiosity, I tried adding a netgroup with the same name as the hostgroup. I expected it to conflict with the managed netgroup, but it actually worked. Searching the directory will return 2 netgroups with the same name:"

Historically the netgroup plugin had inappropriately defined: rdn_attribute = 'ipauniqueid'

This caused the ability of duplication with the creation of native netgroups using the ipaUniqueId as the DN and as the Managed Entry netgroups utilizing the cn as the DN.

Patch includes adjustments for the netgroup plugin and corresponding test_netgroup_plugin

Please verify that the items requested in #963 are now complete and please confirm that the corresponding tests all pass.

One test fails:

FAIL: test_netgroup[30]: netgroup_remove_member: Remove netgroup u'netgroup2' from netgroup u'netgroup1'

Command ipa host-show still shows:
Member of netgroups: testhostgroup

Also a little bit of nitpicking, I think the changed code in chunk 2 would better look something like this:

    search_kw = {}
    search_kw['objectclass'] = ['mepManagedEntry']
    if not options['private']:
        local_filter = ldap.make_filter(search_kw, rules=ldap.MATCH_NONE)
    else:
        local_filter = ldap.make_filter(search_kw, rules=ldap.MATCH_ALL)
    filter = ldap.combine_filters((local_filter, filter), rules=ldap.MATCH_ALL)

--
Jan

It was determined that the ipauniqueid is required for the DN on these objects. It's an ipaAssociation which uses it as the rdn, if we change the problems cascade

This patch has now changed to reflect the optimization in the netgroup search instead.

It provides a cleaner method of performing a netgroup search for native netgroups and allows for the --private search to only display the mepManagedEntry netgroups, rather than ALL netgroups. Previously --private would return ALL netgroups.

This means there is no need to modify test_netgroup_plugin.

Please verify that the optimization / bugfix passes the standard test_netgroup_plugin.

Ack

Jan

pushed to master
Re: [Freeipa-devel] [PATCH] 44 Fixes in ipa-join man page
David O'Brien wrote:
Jan Zelený wrote:
"David O'Brien" wrote:
Jan Zelený wrote:

https://fedorahosted.org/freeipa/ticket/784
https://fedorahosted.org/freeipa/ticket/786
https://fedorahosted.org/freeipa/ticket/787

Jan

nack

A few typos and style issues:

- _("File were to store the keytab information"), _("Keytab File Name") },
+ _("File were to store the keytab information"), _("filename") },

s/were/where
I would actually reword it: "Specifies where to store keytab information."

s/kerberos/Kerberos/g (unless lowercase is required for some reason.)

+The hostname of IPA server (FQDN).
"The hostname of the IPA server (FQDN)."

Join IPA domain and retrieve a keytab with kerberos credentials.
"Join an IPA domain and retrieve a keytab using Kerberos credentials."

Ok, here is the second version of the patch. David, not all changes you proposed are in the patch, I believe they are out of its scope. If we go this way, I think a review should be done for all man pages, so we don't fix just a couple of mistakes in this page and leave the same mistakes in other man pages.

Jan

Yes, this topic of "global fixes" has come up elsewhere, and resources are unavailable for a review of all man pages.

ack

pushed to master
Re: [Freeipa-devel] [PATCH] 055 Set ldap_netgroup_search_base for in ipa-client-install
Jan Zeleny wrote:
Jakub Hrozek wrote:

https://fedorahosted.org/freeipa/ticket/932

ack

Jan

The sssd project has added this for us so we no longer need to do this.

rob
[Freeipa-devel] [PATCH] 733 add exit code info to ipa man page
Add exit code info to the ipa command man page.

The tool I use, manedit, also escaped all dashes. Seems benign so I left it.

ticket 803

rob

freeipa-rcrit-733-man.patch
Description: application/mbox
Re: [Freeipa-devel] [PATCH] 733 add exit code info to ipa man page
On Fri, Feb 18, 2011 at 11:11:25AM -0500, Rob Crittenden wrote:
> Add exit code info to the ipa command man page.
>
> The tool I use, manedit, also escaped all dashes. Seems benign so I left it.

Yep, renders OK.

>
> ticket 803
>
> rob

Ack
Re: [Freeipa-devel] [PATCH] 730 managed netgroups immutable
On 2/17/11 2:20 PM, "Rob Crittenden" wrote:
>JR Aquino wrote:
>> On 2/17/11 11:02 AM, "Rob Crittenden" wrote:
>>
>>> Make managed netgroups (those created as a result of creating a
>>> hostgroup) should be immutable. This aci will deny writes to a managed
>>> netgroup.
>>>
>>> ticket 962
>>>
>>> rob
>>
>> nack
>> Rebase?
>> Patch does not apply cleanly.
>>
>> # git apply freeipa-rcrit-730-netgroup.patch
>> freeipa-rcrit-730-netgroup.patch:18: new blank line at EOF.
>> +
>> error: patch failed: install/updates/Makefile.am:5
>> error: install/updates/Makefile.am: patch does not apply
>>
>
>Updated patch attached.
>
>Rob

ACK

# ipa hostgroup-add testing1
Description: test
--
Added hostgroup "testing1"
--
Host-group: testing1
Description: test
[root@auth2 freeipa]# ipa netgroup-find
---
0 netgroups matched
---
Number of entries returned 0
[root@auth2 freeipa]# ipa netgroup-find --private
--
1 netgroup matched
--
Netgroup name: testing1
Description: ipaNetgroup testing1
NIS domain name: example.com
Member Hostgroup: testing1
Number of entries returned 1
[root@auth2 freeipa]# ipa netgroup-add testing1
Description: test
ipa: ERROR: Constraint violation: Another entry with the same attribute value already exists (attribute: "cn")
[root@auth2 freeipa]#
Re: [Freeipa-devel] [PATCH] 733 add exit code info to ipa man page
Jakub Hrozek wrote:
On Fri, Feb 18, 2011 at 11:11:25AM -0500, Rob Crittenden wrote:

Add exit code info to the ipa command man page.

The tool I use, manedit, also escaped all dashes. Seems benign so I left it.

Yep, renders OK.

ticket 803

rob

Ack

pushed to master
Re: [Freeipa-devel] [PATCH] 062 Set SRV discovery for clients only if it succeeded during installation
Jakub Hrozek wrote:

This is a minor optimization that didn't occur to me yesterday when I was reviewing Rob's patch - sorry.

The patch only adds _srv_ as the first entry if service discovery succeeded during ipa-client-install. This gets rid of the DNS timeout for cases where Bind is not included.

This seems like a good idea but I'm not seeing an extended delay right after sssd is restarted.

The advantage of leaving this in there is if they end up adding SRV records later they will be automatically picked up.

So not a nack, this is more of a policy question.

rob
Re: [Freeipa-devel] [PATCH] 730 managed netgroups immutable
JR Aquino wrote:
On 2/17/11 2:20 PM, "Rob Crittenden" wrote:
JR Aquino wrote:
On 2/17/11 11:02 AM, "Rob Crittenden" wrote:

Make managed netgroups (those created as a result of creating a hostgroup) should be immutable. This aci will deny writes to a managed netgroup.

ticket 962

rob

nack
Rebase?
Patch does not apply cleanly.

# git apply freeipa-rcrit-730-netgroup.patch
freeipa-rcrit-730-netgroup.patch:18: new blank line at EOF.
+
error: patch failed: install/updates/Makefile.am:5
error: install/updates/Makefile.am: patch does not apply

Updated patch attached.

Rob

ACK

# ipa hostgroup-add testing1
Description: test
--
Added hostgroup "testing1"
--
Host-group: testing1
Description: test
[root@auth2 freeipa]# ipa netgroup-find
---
0 netgroups matched
---
Number of entries returned 0
[root@auth2 freeipa]# ipa netgroup-find --private
--
1 netgroup matched
--
Netgroup name: testing1
Description: ipaNetgroup testing1
NIS domain name: example.com
Member Hostgroup: testing1
Number of entries returned 1
[root@auth2 freeipa]# ipa netgroup-add testing1
Description: test
ipa: ERROR: Constraint violation: Another entry with the same attribute value already exists (attribute: "cn")
[root@auth2 freeipa]#

pushed to master
Re: [Freeipa-devel] [PATCH] 063 Better doc for idnssoaminimum, minimum parameter values
Jakub Hrozek wrote:

The doc= value was misleading. The "minimum" value in SOA record defines how long should NXDOMAIN responses be cached. As per RFC 2308, the maximum allowed value should be 3 hours.

Also, many parameters allowed negative values which really don't make sense there (and RFC 1035 disallows them).

ack, pushed to master
Re: [Freeipa-devel] [PATCH] 062 Set SRV discovery for clients only if it succeeded during installation
On Fri, 18 Feb 2011 15:27:59 -0500 Rob Crittenden wrote:
> Jakub Hrozek wrote:
> > This is a minor optimization that didn't occur to me yesterday when
> > I was reviewing Rob's patch - sorry.
> >
> > The patch only adds _srv_ as the first entry if service discovery
> > succeeded during ipa-client-install. This gets rid of the DNS
> > timeout for cases where Bind is not included.
>
> This seems like a good idea but I'm not seeing an extended delay
> right after sssd is restarted.
>
> The advantage of leaving this in there is if they end up adding SRV
> records later they will be automatically picked up.
>
> So not a nack, this is more of a policy question.

I would not add this patch for this reason.
I don't think it will add any substantial delay to SSSD as searching for SRV when they do not exist will get back an immediate response.

I think the main issue we may face here is when someone installs an sssd client and there is also an AD domain around and SRV records point to it.

Perhaps we should provide a manual flag to disable using dns records ...

Simo.

--
Simo Sorce * Red Hat, Inc * New York
[Freeipa-devel] [PATCH] 0086 add loginShell to winsynced users
Fixes #266 I haven't been able to test this as the Windows machine we have available decided to not behave today. I may try again next week assuming I have time. Simo. -- Simo Sorce * Red Hat, Inc * New York >From c8044a8ba346c0b0e5858e327a8b6e949bea6dd1 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Fri, 18 Feb 2011 10:54:31 -0500 Subject: [PATCH] Set the loginShell attribute on winsynced entries if configured Fixes: https://fedorahosted.org/freeipa/ticket/266 --- .../ipa-winsync/ipa-winsync-conf.ldif |1 + .../ipa-winsync/ipa-winsync-config.c | 53 .../ipa-slapi-plugins/ipa-winsync/ipa-winsync.c|6 ++ .../ipa-slapi-plugins/ipa-winsync/ipa-winsync.h|7 ++- 4 files changed, 66 insertions(+), 1 deletions(-) diff --git a/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync-conf.ldif b/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync-conf.ldif index 5b5c56acb311569ab76b37da8c9094d6cedf6fa8..e1e397f9054c6bef2ee295c314195a5249a6560e 100644 --- a/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync-conf.ldif +++ b/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync-conf.ldif @@ -19,6 +19,7 @@ ipaWinSyncNewEntryFilter: (cn=ipaConfig) ipaWinSyncNewUserOCAttr: ipauserobjectclasses ipaWinSyncUserFlatten: true ipaWinsyncHomeDirAttr: ipaHomesRootDir +ipaWinsyncLoginShellAttr: ipaDefaultLoginShell ipaWinSyncDefaultGroupAttr: ipaDefaultPrimaryGroup ipaWinSyncDefaultGroupFilter: (gidNumber=*)(objectclass=posixGroup)(objectclass=groupOfNames) ipaWinSyncAcctDisable: both diff --git a/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync-config.c b/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync-config.c index a61cabb142a5e90f404fc563720bbdfa3f17ccfc..b089d3d1486e7d5420b204a8de3eb2118cf05af9 100644 --- a/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync-config.c +++ b/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync-config.c 
@@ -238,6 +238,15 @@ ipa_winsync_validate_config (Slapi_PBlock *pb, Slapi_Entry* entryBefore, Slapi_E goto done2; } +/* get login_shell_attr */ +if (slapi_entry_attr_find(e, IPA_WINSYNC_LOGIN_SHELL_ATTR, + &testattr) || +(NULL == testattr)) { +PR_snprintf(returntext, SLAPI_DSE_RETURNTEXT_SIZE, +"Warning: no value given for %s", +IPA_WINSYNC_LOGIN_SHELL_ATTR); +} + /* get default_group_attr */ if (slapi_entry_attr_find(e, IPA_WINSYNC_DEFAULTGROUP_ATTR, &testattr) || @@ -372,6 +381,7 @@ ipa_winsync_apply_config (Slapi_PBlock *pb, Slapi_Entry* entryBefore, char *new_entry_filter = NULL; char *new_user_oc_attr = NULL; /* don't care about groups for now */ char *homedir_prefix_attr = NULL; +char *login_shell_attr = NULL; char *default_group_attr = NULL; char *default_group_filter = NULL; char *acct_disable = NULL; @@ -436,6 +446,15 @@ ipa_winsync_apply_config (Slapi_PBlock *pb, Slapi_Entry* entryBefore, goto done3; } +/* get login_shell_attr */ +login_shell_attr = slapi_entry_attr_get_charptr(e, +IPA_WINSYNC_LOGIN_SHELL_ATTR); +if (!login_shell_attr) { +PR_snprintf(returntext, SLAPI_DSE_RETURNTEXT_SIZE, +"Warning: no value given for %s", +IPA_WINSYNC_LOGIN_SHELL_ATTR); +} + /* get default_group_attr */ if (!(default_group_attr = slapi_entry_attr_get_charptr( e, IPA_WINSYNC_DEFAULTGROUP_ATTR))) { @@ -567,6 +586,11 @@ ipa_winsync_apply_config (Slapi_PBlock *pb, Slapi_Entry* entryBefore, slapi_ch_free_string(&theConfig.homedir_prefix_attr); theConfig.homedir_prefix_attr = homedir_prefix_attr; homedir_prefix_attr = NULL; +if (login_shell_attr) { +slapi_ch_free_string(&theConfig.login_shell_attr); +theConfig.login_shell_attr = login_shell_attr; +login_shell_attr = NULL; +} slapi_ch_free_string(&theConfig.default_group_attr); theConfig.default_group_attr = default_group_attr; default_group_attr = NULL; 
@@ -594,6 +618,7 @@ done3: slapi_ch_free_string(&new_entry_filter); slapi_ch_free_string(&new_user_oc_attr); slapi_ch_free_string(&homedir_prefix_attr); +slapi_ch_free_string(&login_shell_attr); slapi_ch_free_string(&default_group_attr); slapi_ch_free_string(&default_group_filter); slapi_ch_array_free(attrsvals); @@ -636,6 +661,7 @@ ipa_winsync_config_destroy_domain( iwdc->domain_e = NULL; slapi_ch_free_string(&iwdc->realm_name); slapi_ch_free_string(&iwdc->homedir_prefix); +slapi_ch_free_string(&iwdc->login_shell); slapi_ch_free_string(&iwdc->inactivated_group_dn); slapi_ch_free_string(&iwdc->activated_group_dn); slapi_ch_free((void **)&iwdc); @@ -752,6 +778,7 @@ ipa_winsync_config_refresh_domain( char *new_entry_filter = NULL; char *new_user_oc_attr = NULL; /* don't
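Review bot: In ipa_winsync_validate_config (hunk at -238) the new IPA_WINSYNC_LOGIN_SHELL_ATTR check writes "Warning: no value given for %s" into returntext but, unlike the check just above it that ends in goto done2, it neither jumps nor sets a result. The text is then either overwritten by the next failing check or left in returntext when validation succeeds. If the attribute is optional, log the warning (for example with slapi_log_error) and leave returntext untouched; if it is required, fail the same way the neighbouring checks do. The same pattern is repeated in ipa_winsync_apply_config (hunk at -436).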
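Review bot: In the -567 hunk of ipa_winsync_apply_config, theConfig.login_shell_attr is replaced only inside if (login_shell_attr) { ... }, while homedir_prefix_attr and default_group_attr on either side are always freed and reassigned. When an administrator removes ipaWinsyncLoginShellAttr from the config entry, the previously configured attribute name stays in theConfig and keeps being applied to synced users until the server restarts. Dropping the condition, so the old string is freed and the field becomes NULL, would make the running config follow the entry, provided the code that reads theConfig.login_shell_attr tolerates NULL, which is not visible in these hunks.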
Re: [Freeipa-devel] [PATCH] 0086 add loginShell to winsynced users
On 02/18/2011 03:10 PM, Simo Sorce wrote:

Fixes #266

I haven't been able to test this as the Windows machine we have available decided to not behave today. I may try again next week assuming I have time.

ack

Simo.
[Freeipa-devel] [PATCH] 108 Applied plugin framework on user and group.
This patch demonstrates how to use the plugin framework with the existing entities. The plugin framework provides a name space for the classes, functions and variables specific for the plugin. Any code executed inside the init() method will be 'safe' because at that point the metadata and i18n messages have been loaded. -- Endi S. Dewata From 4a57d06d2caf658ba9dc7ec38b11acfaf0dc0a4c Mon Sep 17 00:00:00 2001 From: Endi S. Dewata Date: Fri, 18 Feb 2011 17:25:05 -0600 Subject: [PATCH] Applied plugin framework on user and group. This patch demonstrates how to use the plugin framework with the existing entities. The plugin framework provides a name space for the classes, functions and variables specific for the plugin. Any code executed inside the init() method will be 'safe' because at that point the metadata and i18n messages have been loaded. --- install/ui/entity.js |2 ++ install/ui/group.js | 19 +++ install/ui/ipa.js|5 ++--- install/ui/user.js | 22 -- 4 files changed, 27 insertions(+), 21 deletions(-) diff --git a/install/ui/entity.js b/install/ui/entity.js index 01ad47eb71c63228b10e6387ccb7bbd4050bc1ad..44bb836f71b57e03dc22a0b3bc6dc765e216baae 100644 --- a/install/ui/entity.js +++ b/install/ui/entity.js @@ -238,6 +238,8 @@ IPA.entity = function (spec) { that.entity_init = that.init; +IPA.add_entity(that); + return that; }; diff --git a/install/ui/group.js b/install/ui/group.js index d2e35e258461361dd6d4dbda3e832ceab1ffd990..1ea9e794173b43796dcaa00bfc5b3a595687269b 100644 --- a/install/ui/group.js +++ b/install/ui/group.js @@ -24,9 +24,13 @@ /* REQUIRES: ipa.js, details.js, search.js, add.js, entity.js */ -IPA.entity_factories.group = function () { +IPA.group = IPA.plugin({ +name: 'group' +}); -return IPA.entity({ +IPA.group.init = function() { + +IPA.entity({ 'name': 'group' }). facet( 
@@ -58,7 +62,7 @@ IPA.entity_factories.group = function () { input({name: 'description'}). input({name: 'gidnumber' }))). facet( -IPA.group_member_user_facet({ +IPA.group.member_user_facet({ 'name': 'member_user' })). facet( @@ -76,11 +80,11 @@ IPA.entity_factories.group = function () { name: 'memberof_role', associator: IPA.serial_associator })). -standard_associations(); +standard_associations(). +init(); }; - -IPA.group_member_user_facet = function (spec) { +IPA.group.member_user_facet = function(spec) { spec = spec || {}; @@ -136,5 +140,4 @@ IPA.group_member_user_facet = function (spec) { }; return that; - -}; \ No newline at end of file +}; diff --git a/install/ui/ipa.js b/install/ui/ipa.js index fbebb228364b22785e60ae595ae16435354e71a3..51f427a813ca9dbffac0712c434e18725a1c2351 100644 --- a/install/ui/ipa.js +++ b/install/ui/ipa.js @@ -124,10 +124,10 @@ var IPA = ( function () { return that.entities_by_name[name]; }; -function add_entity(entity) { +that.add_entity = function(entity) { that.entities.push(entity); that.entities_by_name[entity.name] = entity; -} +}; that.start_entities = function(){ var factory; @@ -135,7 +135,6 @@ var IPA = ( function () { for (name in that.entity_factories){ factory = that.entity_factories[name]; var entity = factory(); -add_entity(entity); entity.init(); } }; diff --git a/install/ui/user.js b/install/ui/user.js index 66a1b8d15650b11062289bc06f773e2066446fda..81534320994788400550e10503f32428c286657d 100644 --- a/install/ui/user.js +++ b/install/ui/user.js @@ -23,9 +23,13 @@ /* REQUIRES: ipa.js, details.js, search.js, add.js, entity.js */ -IPA.entity_factories.user = function() { +IPA.user = IPA.plugin({ +name: 'user' +}); -return IPA.entity({ +IPA.user.init = function() { + +IPA.entity({ name: 'user' }). facet( 
@@ -55,9 +59,9 @@ IPA.entity_factories.user = function() { input({name:'initials'})). section( IPA.stanza({name: 'account', label: IPA.messages.objects.user.account}). -custom_input(IPA.user_status_widget({name:'nsaccountlock'})). +custom_input(IPA.user.status_widget({name:'nsaccountlock'})). input({name:'uid'}). -custom_input(IPA.user_password_widget({name:'userpassword'})). +custom_input(IPA.user.password_widget({name:'userpassword'})). input({name:'uidnumber'}). input({name:'gidnumber'}). input({name:'loginshell'}). @@ -97,13 +101,11 @@ IPA.entity_factories.user = function() { name: 'memberof_role', associato
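Review bot: The IPA.add_entity(that) call added at the end of IPA.entity (entity.js hunk) makes global registration a side effect of construction, and that.add_entity in the ipa.js hunk pushes onto that.entities and overwrites that.entities_by_name[entity.name] with no duplicate check. A second IPA.entity({name: 'user'}) call, from a unit test or from init() running twice, leaves two objects in that.entities while the by-name lookup silently points at the newer one. Consider having add_entity replace or reject an entry whose name is already registered.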
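Review bot: IPA.group.init and IPA.user.init (group.js and user.js hunks) drop the return value that IPA.entity_factories.group and IPA.entity_factories.user used to provide, and both names disappear from IPA.entity_factories, so the loop in start_entities() no longer reaches them. None of the visible hunks shows what calls a plugin's init(), or when it runs relative to start_entities(). The commit message says init() is 'safe' because metadata and i18n messages are loaded by then; it should name the caller that guarantees this, and any code or test that still calls the old factories needs updating in the same patch.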
[Freeipa-devel] [PATCH] 109 Applied plugin framework on aci.
-- Endi S. Dewata From 945f937059587c2fe00a4874e6752baa3412c9f4 Mon Sep 17 00:00:00 2001 From: Endi S. Dewata Date: Fri, 18 Feb 2011 18:15:21 -0600 Subject: [PATCH] Applied plugin framework on aci. --- install/ui/aci.js| 87 +++-- install/ui/test/aci_tests.js |6 +- 2 files changed, 52 insertions(+), 41 deletions(-) diff --git a/install/ui/aci.js b/install/ui/aci.js index ea220f9af28fd908d218fb4c2583095fbb0e4ca8..9db572d4ff4a219822bda0fbfd7b3718d672bc90 100644 --- a/install/ui/aci.js +++ b/install/ui/aci.js @@ -24,7 +24,19 @@ /* REQUIRES: ipa.js, details.js, search.js, add.js, entity.js */ -IPA.attributes_widget = function(spec) { +IPA.aci = IPA.plugin({ +name: 'aci' +}); + +IPA.aci.init = function() { +IPA.aci.role(); +IPA.aci.privilege(); +IPA.aci.permission(); +IPA.aci.selfservice(); +IPA.aci.delegation(); +}; + +IPA.aci.attributes_widget = function(spec) { spec = spec || {}; @@ -174,7 +186,7 @@ IPA.attributes_widget = function(spec) { return that; }; -IPA.rights_widget = function(spec) { +IPA.aci.rights_widget = function(spec) { var that = IPA.checkboxes_widget(spec); @@ -190,8 +202,7 @@ IPA.rights_widget = function(spec) { return that; }; - -IPA.rights_section = function() { +IPA.aci.rights_section = function() { var spec = { name: 'rights', @@ -200,7 +211,7 @@ IPA.rights_section = function() { var that = IPA.details_section(spec); -that.add_field(IPA.rights_widget({ +that.add_field(IPA.aci.rights_widget({ name: 'permissions', join: true })); @@ -208,8 +219,7 @@ IPA.rights_section = function() { return that; }; - -IPA.target_section = function(spec) { +IPA.aci.target_section = function(spec) { spec = spec || {}; 
@@ -225,7 +235,7 @@ IPA.target_section = function(spec) { that.group_select = IPA.entity_select_widget( {name: 'targetgroup', entity:'group', undo: that.undo}); that.type_select = IPA.select_widget({name: 'type', undo: that.undo}); -that.attribute_table = IPA.attributes_widget({ +that.attribute_table = IPA.aci.attributes_widget({ name: 'attrs', undo: that.undo}); that.add_field(that.filter_text); @@ -507,7 +517,7 @@ IPA.target_section = function(spec) { return that; }; -IPA.permission_details_facet = function(spec) { +IPA.aci.permission_details_facet = function(spec) { spec = spec || {}; @@ -541,9 +551,9 @@ IPA.permission_details_facet = function(spec) { return that; }; -IPA.entity_factories.permission = function() { +IPA.aci.permission = function() { -return IPA.entity({ +IPA.entity({ 'name': 'permission' }). facet( @@ -556,33 +566,34 @@ IPA.entity_factories.permission = function() { width: '700px' }). field(IPA.text_widget({name: 'cn', undo: false})). -field(IPA.rights_widget({ +field(IPA.aci.rights_widget({ name: 'permissions', join: true, undo: false})). -section(IPA.target_section({ +section(IPA.aci.target_section({ name: 'target', label: IPA.messages.objects.permission.target, undo: false }. facet( -IPA.permission_details_facet({ name: 'details' }). +IPA.aci.permission_details_facet({ name: 'details' }). section( IPA.stanza({ name:'identity', label: IPA.messages.objects.permission.identity }). input({name: 'cn', read_only: true})). -section(IPA.rights_section()). -section(IPA.target_section({ +section(IPA.aci.rights_section()). +section(IPA.aci.target_section({ name: 'target', label: IPA.messages.objects.permission.target }))). -standard_associations(); +standard_associations(). +init(); }; +IPA.aci.privilege = function() { -IPA.entity_factories.privilege = function() { -var that = IPA.entity({ +IPA.entity({ 'name': 'privilege' }). facet( 
@@ -620,14 +631,13 @@ IPA.entity_factories.privilege = function() { remove_method: 'remove_permission' })). -standard_associations(); - -return that; +standard_associations(). +init(); }; +IPA.aci.role = function() { -IPA.entity_factories.role = function() { -return IPA.entity({ +IPA.entity({ 'name': 'role' }). facet( @@ -658,12 +668,13 @@ IPA.entity_factories.role = function() {
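Review bot: IPA.aci.permission, IPA.aci.privilege and IPA.aci.role drop the return value that the IPA.entity_factories.* versions had (the leading "return" is removed, and privilege loses "var that" and "return that"), so each function now builds the entity, chains init() and discards the result. If the entity registers itself as a side effect of IPA.entity() or init(), state that in a comment above IPA.aci.init, because it is not evident from these lines; otherwise any caller that still treats these functions as factories receives undefined. IPA.aci.init also fixes the call order as role, privilege, permission, selfservice, delegation, so if that order matters it should be documented there too.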
Re: [Freeipa-devel] [PATCH] 108 Applied plugin framework on user and group.
On 02/18/2011 06:48 PM, Endi Sukma Dewata wrote:
> This patch demonstrates how to use the plugin framework with the existing entities. The plugin framework provides a name space for the classes, functions and variables specific for the plugin. Any code executed inside the init() method will be 'safe' because at that point the metadata and i18n messages have been loaded.
> ___
> Freeipa-devel mailing list
> Freeipa-devel@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

NACK. The approach is close, but not the design we should go with for the long term. This is a decent proof of concept, but should not be implemented as is.
[Freeipa-devel] ipa-client-sudo
Here's a rough hack. It follows the steps in the test script. I tested it out and it works.

#!/bin/sh
# Read the IPA settings ("key = value" lines) from the client configuration.
BASEDN=$(awk '/basedn/ {print $3}' < /etc/ipa/default.conf)
IPASERVER=$(awk '/server/ {print $3}' < /etc/ipa/default.conf)
DOMAIN=$(awk '/domain/ {print $3}' < /etc/ipa/default.conf)
CONFDIR=$(mktemp -d)
BACKUPDIR=/tmp/etcbackup

# Stage working copies of the files that will be modified.
mkdir -p "$CONFDIR/etc/sssd"
mkdir -p "$CONFDIR/etc/rc.d/"
cp /etc/sssd/sssd.conf "$CONFDIR/etc/sssd"
cp /etc/nsswitch.conf "$CONFDIR/etc"
cp /etc/rc.d/rc.local "$CONFDIR/etc/rc.d/rc.local"

# Keep a backup of the originals.
mkdir -p "$BACKUPDIR/etc/sssd"
mkdir -p "$BACKUPDIR/etc/rc.d/"
cp /etc/sssd/sssd.conf "$BACKUPDIR/etc/sssd"
cp /etc/nsswitch.conf "$BACKUPDIR/etc"
cp /etc/rc.d/rc.local "$BACKUPDIR/etc/rc.d/rc.local"

BINDUID=$1
BINDPASS=$2

usage(){
    echo " usage $0 uid password"
}

if [ -z "$BINDUID" ] || [ -z "$BINDPASS" ]
then
    usage
    exit 1
fi

# this will go into /etc/nsswitch.conf
echo "sudoers: ldap" >> "$CONFDIR/etc/nsswitch.conf"

# this will go into sssd.conf
awk -v basedn="$BASEDN" '{print $0 } /^ipa_server/ { print "ldap_netgroup_search_base = cn=ng,cn=compat,"basedn }' < "$CONFDIR/etc/sssd/sssd.conf" > "$CONFDIR/etc/sssd/sssd.conf.new"
mv "$CONFDIR/etc/sssd/sssd.conf.new" "$CONFDIR/etc/sssd/sssd.conf"

# this will go in /etc/nss_ldap.conf
# (the bind password is written to that file in cleartext)
cat > "$CONFDIR/etc/nss_ldap.conf" << END_TEXT
sudoers_base ou=SUDOers,$BASEDN
binddn uid=$BINDUID,cn=users,cn=accounts,$BASEDN
bindpw $BINDPASS
ssl start_tls
tls_cacertfile /etc/ipa/ca.crt
tls_checkpeer yes
bind_timelimit 5
timelimit 15
uri ldap://$IPASERVER
END_TEXT

# ldap.conf is a link to nss_ldap.conf; cp below copies its contents.
ln -s "$CONFDIR/etc/nss_ldap.conf" "$CONFDIR/etc/ldap.conf"

echo nisdomainname "$DOMAIN" >> "$CONFDIR/etc/rc.d/rc.local"

# Install the staged files and remove the staging directory.
cp "$CONFDIR/etc/sssd/sssd.conf" /etc/sssd
cp "$CONFDIR/etc/nsswitch.conf" /etc
cp "$CONFDIR/etc/rc.d/rc.local" /etc/rc.d/rc.local
cp "$CONFDIR/etc/nss_ldap.conf" /etc
cp "$CONFDIR/etc/ldap.conf" /etc
rm -rf "$CONFDIR"

echo execute these commands:
echo nisdomainname "$DOMAIN"
echo service sssd restart
Re: [Freeipa-devel] [PATCH] 106 I18n update.
On 02/18/2011 05:12 PM, Endi Sukma Dewata wrote:
> On 2/18/2011 1:08 PM, Endi Sukma Dewata wrote:
> Hard-coded messages throughout the code have been replaced by i18n messages obtained from json_metadata and i18n_messages. https://fedorahosted.org/freeipa/ticket/899
>
> Needs rebase, due to mkosek's big patch.
>
> Attached is an updated version. I had to change IPA.cert into an entity because it has to be initialized after IPA.init() finishes loading the metadata & messages. We might want to introduce a concept of plugin for Web UI (similar to plugin for ipalib). The first step is to rename IPA.entity_factories into IPA.plugins, but most of the work will be splitting the IPA.entity into plugin and real entity. Patch #107 can be used without rebase.
>
> Attached is a new version using the plugin framework. Please see certificate.js.

Every function is an Object. There is no reason to create an object, and then have an init method on it.
Re: [Freeipa-devel] [PATCH] 106 I18n update.
On 2/18/2011 10:35 PM, Adam Young wrote:
> Hard-coded messages throughout the code have been replaced by i18n messages obtained from json_metadata and i18n_messages. https://fedorahosted.org/freeipa/ticket/899
>
> Needs rebase, due to mkosek's big patch.
>
> Attached is an updated version. I had to change IPA.cert into an entity because it has to be initialized after IPA.init() finishes loading the metadata & messages. We might want to introduce a concept of plugin for Web UI (similar to plugin for ipalib). The first step is to rename IPA.entity_factories into IPA.plugins, but most of the work will be splitting the IPA.entity into plugin and real entity. Patch #107 can be used without rebase.
>
> Attached is a new version using the plugin framework. Please see certificate.js.
>
> Every function is an Object. There is no reason to create an object, and then have an init method on it.

I haven't got a chance to provide a long explanation for this, but please try to apply all patches that I've submitted (until 109) and see the user.js, group.js and certificate.js. I think they are clearly structured and easy to understand.

Try to think of "plugins" as "modules", and "init()" as "start()" or "main()", or some other terms. Once all entity files are converted to use this framework, it may be possible to remove init() from entity/facet/widget. The init() is not an unnecessary duplication of the constructor, but it's a callback to indicate that the messages are loaded.

-- Endi S. Dewata
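The distinction drawn in the reply above, init() as a callback fired once the messages are loaded rather than a second constructor, shown as an added example. It is not FreeIPA code: App, App.plugin, App.start and fetchMessages are hypothetical stand-ins, and the message data is constructed.

```javascript
// Hypothetical miniature of the pattern under discussion (not FreeIPA code).
const App = { messages: null, plugins: [] };

// A plugin is a namespace plus an init() callback that defaults to a no-op.
App.plugin = function (spec) {
    const that = { name: spec.name, init: function () {} };
    App.plugins.push(that);
    return that;
};

// Constructed stand-in for the asynchronous call that returns i18n messages.
function fetchMessages() {
    return new Promise(function (resolve) {
        setTimeout(function () {
            resolve({ user: { account: 'Account Settings' } });
        }, 0);
    });
}

// Load the messages first, then run each plugin's init() in registration order.
App.start = async function () {
    App.messages = await fetchMessages();
    App.plugins.forEach(function (p) { p.init(); });
};

// Script load time: the messages do not exist yet, so a label read here is lost.
App.user = App.plugin({ name: 'user' });
const eagerLabel = App.messages ? App.messages.user.account : undefined;

// Deferred: the same lookup inside init() runs only after the load completes.
App.user.init = function () {
    App.user.label = App.messages.user.account;
};

// Returns both results so the difference can be compared.
async function demo() {
    await App.start();
    return { eager: eagerLabel, deferred: App.user.label };
}
```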