[Freeipa-devel] [PATCH] 319 add -s option to ipa-join

2009-11-25 Thread Rob Crittenden
In ipa-client-install we do the ipa-join before creating any of the 
configuration files. I added a -s option to ipa-join to specify the IPA 
server since it won't be defined in /etc/ipa/default.conf yet.


I discovered to my chagrin that previous testing of this worked because 
/etc/ipa/default.conf isn't owned by our packages. I'll fix this in a 
future patch.


rob


freeipa-319-join.patch
Description: application/mbox
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 313 fix aci plugin host helper

2009-11-25 Thread Jason Gerard DeRose
On Thu, 2009-11-12 at 13:23 -0500, Rob Crittenden wrote:
> When creating an aci to cover host objects the wrong attribute is used 
> in the DN. It should be using fqdn, not cn.
> 
> rob

ack. pushed to master.



Re: [Freeipa-devel] [PATCH] 285 CRL publishing

2009-11-25 Thread Pavel Zůna

Rob Crittenden wrote:
> This enables CRL publishing by dogtag to a place where Apache can get 
> the files.
>
> I have to do a couple of tricks here because dogtag is an optional 
> component. This is why in the installer I first see if the dogtag 
> SELinux policy is installed and if not add it. Similarly the installer 
> will remove it upon uninstall.
>
> The policy itself just lets dogtag write to some Apache-labeled 
> directories. dogtag uses symlinks to mark the latest CRL hence the 
> permissions for links.
>
> rob


The patch looks fine, except that it doesn't apply on the current tree.

Pavel



Re: [Freeipa-devel] [PATCH] jderose 027 Extensible return values

2009-11-25 Thread Rob Crittenden

Jason Gerard DeRose wrote:

On Wed, 2009-11-25 at 12:05 -0500, Rob Crittenden wrote:

This is purely from reading the patch, I haven't applied and tested it yet.

ipalib/output.py:
+primary_key = Output('primary_key', unicode,
+'The primary key of the deleted entry'
+)
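
Review bot: The description on `primary_key` in ipalib/output.py reads 'The primary key of the deleted entry', but nothing in the name `primary_key` limits this Output to delete operations. If other commands return it too, word the string generically, for example 'The primary key of the entry', or give the delete case its own Output with the narrower text.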

This isn't only for deleted entries, right?


Ah, yeah, that should be made more generic.  This doc message is only
used by developers, though.


This import doesn't seem to be used:
from inspect import getdoc

What is dont_output_for_cli()? Is this an effort to make things work 
while we're in transition?


Yeah, I just renamed some methods so we can reference how they were
implemented.  Temporary.

You seem to have disabled the raw option in LDAPSearch, was that 
intentional?


Originally I got the impression we weren't going to keep both --raw and
--all, but this can be changed.

Is cli_name being dropped for label? I'm ok with that but should we 
remove it from all the plugins?


No, here is how they work:

`cli_name` is used for the optparse names and defaults to Param.name,
like:

  --first

`label` is a human readable, translatable string.  It's used in the
webUI, and to prompt show entries on cli, like:

  First name: John Doe

`doc` is human readable help passed to optparse.make_option(help=doc).
It defaults to the value of the label.  It's used like this:

  --uid=INTUID (use this option to set it manually)

In the above case the `label` is UID (not shown) but the `doc` is this
longer string.

The user plugins provide good examples of how I think these should be
used.

I'll submit a patch later documenting these different string uses.


rob




We'll also need to determine what we'll do about all the plugins. The 
cert plugin, for example, isn't ported to this new return value system 
and blows up in many places.


There are also some labels missing, such as for fqdn in the host plugin.

These are both quite easy to fix, I think we just need to coordinate 
things. Perhaps if Pavel and I split up the plugins and fix anything 
that needs fixing and commit all the patches at one time to avoid any 
period of breakage.


rob
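
The `cli_name` / `label` / `doc` split and the two defaults described in the quoted reply above, as an added example that is not part of the original thread and is not ipalib code. The `Param` class, `build_parser`, `run` and the sample parameters are hypothetical stand-ins.

```python
from optparse import OptionParser, make_option


class Param:
    """Hypothetical stand-in for a plugin parameter; not ipalib's class."""

    def __init__(self, name, label, cli_name=None, doc=None):
        self.name = name                  # internal attribute name
        self.label = label                # short human-readable string
        self.cli_name = cli_name or name  # option name, defaults to name
        self.doc = doc or label           # help text, defaults to label

    def option(self):
        # cli_name becomes the flag; doc is handed to optparse as help.
        return make_option('--' + self.cli_name, dest=self.name,
                           help=self.doc)


def build_parser(params):
    parser = OptionParser(prog='demo', usage='%prog [options]')
    for p in params:
        parser.add_option(p.option())
    return parser


def run(params, argv):
    """Parse argv and render the entry as 'label: value' lines."""
    opts, _ = build_parser(params).parse_args(argv)
    lines = []
    for p in params:
        value = getattr(opts, p.name)
        if value is not None:
            lines.append('%s: %s' % (p.label, value))
    return lines


# Constructed sample parameters (illustrative names and strings).
PARAMS = [
    Param('givenname', label='First name', cli_name='first'),
    Param('uidnumber', label='UID', cli_name='uid',
          doc='UID (use this option to set it manually)'),
    Param('title', label='Job title'),  # cli_name and doc both fall back
]

if __name__ == '__main__':
    print(build_parser(PARAMS).format_help())
    print('\n'.join(run(PARAMS, ['--first', 'John', '--uid', '1000'])))
```
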



Re: [Freeipa-devel] [PATCH] 285 CRL publishing

2009-11-25 Thread Jason Gerard DeRose
On Wed, 2009-11-25 at 15:09 -0500, Rob Crittenden wrote:
 Jason Gerard DeRose wrote:
  On Wed, 2009-11-25 at 13:45 -0500, Rob Crittenden wrote:
  Jason Gerard DeRose wrote:
  On Tue, 2009-11-17 at 15:06 -0500, Rob Crittenden wrote:
  This enables CRL publishing by dogtag to a place where Apache can get 
  the files.
 
  I have to do a couple of tricks here because dogtag is an optional 
  component. This is why in the installer I first see if the dogtag 
  SELinux policy is installed and if not add it. Similarly the installer 
  will remove it upon uninstall.
 
  The policy itself just lets dogtag write to some Apache-labeled 
  directories. dogtag uses symlinks to mark the latest CRL hence the 
  permissions for links.
 
  rob
  can't get this to apply:
 
  Applying: Add SELinux policy for CRL file publishing.
  error: patch failed: ipa.spec.in:379
  error: ipa.spec.in: patch does not apply
  error: patch failed: selinux/Makefile:1
  error: selinux/Makefile: patch does not apply
  Patch failed at 0001 Add SELinux policy for CRL file publishing.
  When you have resolved this problem run git am --resolved.
  If you would prefer to skip this patch, instead run git am --skip.
  To restore the original branch and stop patching run git am --abort.
 
 
  Rebased patch attached.
 
  
  nack.  This seems to be breaking the installer.  This was a clean build
  and install:
  
  Failed to populate the realm structure in kerberos Command
  '/usr/kerberos/sbin/kdb5_ldap_util -D
  uid=kdc,cn=sysaccounts,cn=etc,dc=example,dc=com -w  Xlt%3j8}VX create
  -s -P grbc/F+Sh` -r EXAMPLE.COM -subtrees dc=example,dc=com -sscope
  sub' returned non-zero exit status 1
[6/13]: adding default keytypes
  root: CRITICAL Failed to load default-keytypes.ldif: Command
  '/usr/bin/ldapmodify -h 127.0.0.1 -xv -D cn=Directory Manager
  -y /tmp/tmpdRo9BD -f /tmp/tmpdls3uk' returned non-zero exit status 32
  ipa: CRITICAL: Failed to load default-keytypes.ldif: Command
  '/usr/bin/ldapmodify -h 127.0.0.1 -xv -D cn=Directory Manager
  -y /tmp/tmpdRo9BD -f /tmp/tmpdls3uk' returned non-zero exit status 32
[7/13]: creating a keytab for the directory
  Unexpected error - see ipaserver-install.log for details:
   Command '/usr/kerberos/sbin/kadmin.local -q addprinc -randkey
  ldap/fedora11.example@example.com' returned non-zero exit status 1
  
  I attached the log.
  
  
 
 Very strange, I can't reproduce this. What release are you on? What 
 version of krb5-server do you have installed?
 
 rob

Hmm, I must have had something weird in my tree.  I just did two clean
build and installs without error.

ack.  pushed to master.
