Re: [Freeipa-devel] [PATCH] 324 add errors.NotImplementedError
On Tue, 2009-12-01 at 17:23 -0500, Rob Crittenden wrote:
> This deprecates a similar patch from John last month. The server-side
> baseclass rabase defines a framework for CA plugins. When I added this
> code I set it up to return errors.NotImplementedError but didn't
> actually include that error class in the commit.
>
> I'm adding that in now, favoring it over the python built-in exception
> of the same name because it is more friendly to the client (they get a
> "command not implemented" instead of an InternalError).
>
> Ideally we should not register commands that aren't implemented, I'll
> tackle that soon but for now this will fill in the gap.
>
> This also wraps the call to cert_revoke() in the service plugin to not
> blow up if using the selfsign CA which doesn't implement revocation.
>
> rob

ack. pushed to master.

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 323 type argument for x509.load_certificate()
On Tue, 2009-12-01 at 17:20 -0500, Rob Crittenden wrote:
> Add a type argument (PEM or DER) for x509.load_certificate(). Certs are
> coming out of LDAP as binary so we need to be able to handle that too.
> Seems more sane to add an argument than to base64-encode it.
>
> rob

ack. pushed to master.
Re: [Freeipa-devel] [PATCH] 322 set minimum level of python-pyasn1
On Tue, 2009-12-01 at 14:04 -0500, Rob Crittenden wrote:
> Update the spec to set minimum version of python-pyasn1 to 0.0.9a so we
> can have the ASN.1 Any type needed by the PKCS#10 parser.
>
> rob

nack. This introduces a bug in the spec:

error: line 89: Unknown tag: pequires: libcap
[Freeipa-devel] [PATCH] 325 test for cert plugin
An extremely basic test for the cert plugin. Only tests the cert-request command but it's a start.

rob

freeipa-325-certtest.patch
Description: application/mbox
[Freeipa-devel] [PATCH] 324 add errors.NotImplementedError
This deprecates a similar patch from John last month. The server-side baseclass rabase defines a framework for CA plugins. When I added this code I set it up to return errors.NotImplementedError but didn't actually include that error class in the commit.

I'm adding that in now, favoring it over the python built-in exception of the same name because it is more friendly to the client (they get a "command not implemented" instead of an InternalError).

Ideally we should not register commands that aren't implemented, I'll tackle that soon but for now this will fill in the gap.

This also wraps the call to cert_revoke() in the service plugin to not blow up if using the selfsign CA which doesn't implement revocation.

rob

freeipa-324-errors.patch
Description: application/mbox
[Freeipa-devel] [PATCH] 323 type argument for x509.load_certificate()
Add a type argument (PEM or DER) for x509.load_certificate(). Certs are coming out of LDAP as binary so we need to be able to handle that too. Seems more sane to add an argument than to base64-encode it.

rob

freeipa-323-cert.patch
Description: application/mbox
Re: [Freeipa-devel] [PATCH] Ask the user before overwriting /etc/named.conf
Martin Nagy wrote:
> On Tue, 2009-12-01 at 10:15 -0500, Rob Crittenden wrote:
>> Martin Nagy wrote:
>>> Martin
>>
>> ack.
>>
>> As an aside, it might be nice if the actual package name(s) were used to
>> make it easier for the user to know exactly what they are missing for
>> BIND and the BIND LDAP plug-in.
>
> Yeah, I guess you're right. New patch attached.
>
> Martin

Cool, lots better! ack

rob
Re: [Freeipa-devel] [PATCH] Add idnsUpdatePolicy into the dns plug-in
Martin Nagy wrote:
> On Tue, 2009-12-01 at 10:17 -0500, Rob Crittenden wrote:
>> Martin Nagy wrote:
>>> Martin
>>
>> Should there be a validator on idnsUpdatePolicy to ensure that each
>> policy is terminated by a ;? If one wants to have multiple policies is
>> it set with idnspolicy="policy1;policy2;policy3;"?
>>
>> Should the formatting be included in the doc message, or an example of
>> usage be added?
>
> That might not be that easy to do, we would probably need to do more
> than that, e.g. make sure bind can accept the policy string. For now,
> I'm only adding the idnsupdatepolicy into the dns plugin so that I can
> use it to create zones with it during installation (patch will follow
> soon). Might I add the other bits later after I'm done with this?
>
> Martin

Sure, that makes sense. ack.

rob
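The termination check asked about in this thread, as an added example that is not part of the original posts or of FreeIPA's code. The function names, the rule-type set (taken here from BIND 9's update-policy grammar) and the sample values are assumptions; it checks format only and does not prove that BIND will accept the policy.

```python
"""Format check for an idnsUpdatePolicy value (added example, not FreeIPA code)."""

# Assumption: rule types from BIND 9's update-policy grammar; adjust this set
# to the BIND version actually deployed.
RULE_TYPES = frozenset([
    "name", "subdomain", "wildcard", "self", "selfsub", "selfwild",
    "krb5-self", "ms-self", "krb5-subdomain", "ms-subdomain",
    "tcp-self", "6to4-self", "zonesub", "external",
])
ACTIONS = ("grant", "deny")


def split_policies(value):
    """Split "p1; p2;" into ["p1", "p2"]; raise ValueError on a format error.

    Assumes a policy never contains a quoted string with ';' inside it.
    """
    if not value or not value.strip():
        raise ValueError("policy string is empty")
    # Assumption: the attribute holds a single line of text.
    if any(ch in value for ch in "\r\n\0"):
        raise ValueError("line breaks and NUL are not allowed")
    if not value.rstrip().endswith(";"):
        raise ValueError("each policy must be terminated by ';'")
    policies = []
    # The piece after the final ';' is empty, so it is dropped.
    for number, piece in enumerate(value.split(";")[:-1], 1):
        tokens = piece.split()
        if not tokens:
            raise ValueError("policy %d is empty" % number)
        if tokens[0] not in ACTIONS:
            raise ValueError("policy %d must start with grant or deny" % number)
        if len(tokens) < 3:
            raise ValueError("policy %d needs an identity and a rule type" % number)
        if tokens[2] not in RULE_TYPES:
            raise ValueError(
                "policy %d has unknown rule type %r" % (number, tokens[2]))
        policies.append(" ".join(tokens))
    return policies


def validate_update_policy(value):
    """Return None when the value is well formed, otherwise an error message."""
    try:
        split_policies(value)
    except ValueError as err:
        return str(err)
    return None


# Constructed sample values, not taken from the thread.
SAMPLES = [
    "grant EXAMPLE.COM krb5-self * A; grant EXAMPLE.COM krb5-self * AAAA;",
    "grant EXAMPLE.COM krb5-self * A",      # missing terminator
    "grant EXAMPLE.COM krb5-self * A;;",    # empty policy between terminators
    "policy1;policy2;policy3;",             # terminated, but not grant/deny
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print("%-70r -> %s" % (sample, validate_update_policy(sample) or "ok"))
```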
[Freeipa-devel] [PATCH] 322 set minimum level of python-pyasn1
Update the spec to set minimum version of python-pyasn1 to 0.0.9a so we can have the ASN.1 Any type needed by the PKCS#10 parser.

rob

freeipa-322-pyasn1.patch
Description: application/mbox
Re: [Freeipa-devel] [PATCH] 321 better LDAP error handling in client
On Mon, 2009-11-30 at 15:50 -0500, Rob Crittenden wrote:
> This improves the LDAP exception handling in the client. The existing
> code spit out a slew of deprecation errors because of the use of the
> message attribute.
>
> rob

ack. pushed to master.
Re: [Freeipa-devel] [PATCH] 320 remove /etc/ipa/ipa.conf
On Tue, 2009-12-01 at 10:36 -0500, Rob Crittenden wrote:
> Jason Gerard DeRose wrote:
> > On Wed, 2009-11-25 at 17:43 -0500, Rob Crittenden wrote:
> >> The configuration file /etc/ipa/ipa.conf was used by the v1 clients and
> >> servers to manually set realm, domain and server(s). This has been
> >> renamed to /etc/ipa/default.conf in v2.
> >>
> >> Some old utilities still referenced this old file and we still created
> >> it. This patch should completely remove it.
> >>
> >> rob
> >
> > This isn't applying to the current master:
> >
> > Applying: Replace /etc/ipa/ipa.conf with /etc/ipa/default.conf
> > error: patch failed: ipa.spec.in:473
> > error: ipa.spec.in: patch does not apply
> > Patch failed at 0001 Replace /etc/ipa/ipa.conf
> > with /etc/ipa/default.conf
> >
> >
>
> Boy that spec file trips me up every time. New patch attached.
>
> rob

ack. pushed to master.
Re: [Freeipa-devel] [PATCH] Ask the user before overwriting /etc/named.conf
On Tue, 2009-12-01 at 10:15 -0500, Rob Crittenden wrote: > Martin Nagy wrote: > > Martin > > > > ack. > > As an aside, it might be nice if the actual package name(s) were used to > make it easier for the user to know exactly what they are missing for > BIND and the BIND LDAP plug-in. Yeah, I guess you're right. New patch attached. Martin >From 258092b18fcba45631202833975e71817b647450 Mon Sep 17 00:00:00 2001 From: Martin Nagy Date: Fri, 13 Nov 2009 16:57:51 +0100 Subject: [PATCH] Ask the user before overwriting /etc/named.conf --- install/tools/ipa-replica-install |6 ++ install/tools/ipa-server-install |6 ++ ipaserver/install/bindinstance.py | 10 +- 3 files changed, 13 insertions(+), 9 deletions(-) diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install index e8fabd7..9827bef 100755 --- a/install/tools/ipa-replica-install +++ b/install/tools/ipa-replica-install @@ -251,10 +251,8 @@ def check_dirsrv(): sys.exit(1) def check_bind(): -if not bindinstance.check_inst(): -print "--setup-dns was specified but bind or the BIND LDAP plug-in" -print "is not installed on the system" -print "Please install bind and the LDAP plug-in and restart the setup program" +if not bindinstance.check_inst(unattended=True): +print "Aborting installation" sys.exit(1) def main(): diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index 748101d..34ddb0f 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install @@ -541,10 +541,8 @@ def main(): # check bind packages are installed if options.setup_dns: -if not bindinstance.check_inst(): -print "--setup-dns was specified but bind or the BIND LDAP plug-in" -print "is not installed on the system" -print "Please install bind and the LDAP plug-in and restart the setup program" +if not bindinstance.check_inst(options.unattended): +print "Aborting installation" return 1 if options.ca: 
diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py index 2a922a3..e2edcd3 100644 --- a/ipaserver/install/bindinstance.py +++ b/ipaserver/install/bindinstance.py @@ -30,17 +30,25 @@ from ipapython import sysrestore from ipapython import ipautil from ipalib import api, util -def check_inst(): +def check_inst(unattended): # So far this file is always present in both RHEL5 and Fedora if all the necessary # bind packages are installed (RHEL5 requires also the pkg: caching-nameserver) if not os.path.exists('/etc/named.rfc1912.zones'): +print "BIND was not found on this system" +print "Please install the bind package and start the installation again" return False # Also check for the LDAP BIND plug-in if not os.path.exists('/usr/lib/bind/ldap.so') and \ not os.path.exists('/usr/lib64/bind/ldap.so'): +print "The BIND LDAP plug-in was not found on this system" +print "Please install the bind-dyndb-ldap package and start the installation again" return False +if not unattended and os.path.exists('/etc/named.conf'): +msg = "Existing BIND configuration detected, overwrite?" +return ipautil.user_input(msg, False) + return True class BindInstance(service.Service): -- 1.6.2.5 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
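Review bot: In the ipa-replica-install hunk, check_bind() calls bindinstance.check_inst(unattended=True) unconditionally, so the new "Existing BIND configuration detected, overwrite?" prompt in bindinstance.py can never be reached from a replica install, and the install proceeds over an existing /etc/named.conf without asking. If the replica installer has its own unattended option, pass it through the way ipa-server-install passes options.unattended; if hard-coding True is intended, a comment saying why would help. Also, in unattended mode check_inst() returns True when /etc/named.conf exists and prints nothing; a one-line notice that the existing file will be overwritten would make that visible in the installer output.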
Re: [Freeipa-devel] [PATCH] Change object_class of group object.
Pavel Zůna wrote:
> Rob Crittenden wrote:
>> Pavel Zuna wrote:
>>> Some groups created by default don't have ipaUserGroup and won't show
>>> up in searches.
>>>
>>> Pavel
>>
>> nack, isn't the better approach to fix up the groups that are created by
>> default without the ipaUserGroup objectclass?
>
> It is. Fixed patch attached.
>
>> rob
>
> Pavel

ack, pushed to master.

NOTE: we should probably revisit the editors group to see if it is needed/wanted in the new UI.

rob
Re: [Freeipa-devel] [PATCH] Add {user, host, sourcehost}Category to HBAC and make accessTime multivalue.
Pavel Zůna wrote:
> Rob Crittenden wrote:
>> Pavel Zuna wrote:
>>> Rob Crittenden wrote:
>>>> Pavel Zuna wrote:
>>>>> Due to the format of accessTime (it has commas and spaces in it), we
>>>>> can't use the List parameter type. I made it so that accessTime values
>>>>> have to be entered one by one using new commands.
>>>>>
>>>>> We also agreed, that we're going to rename GeneralizedTime parameter to
>>>>> AccessTime to prevent confusion with RFC 4517 standard. I attached a
>>>>> separate patch for clarity.
>>>>>
>>>>> Pavel
>>>>
>>>> A couple of questions:
>>>>
>>>> - Would it make sense to leave time in as an option that takes a
>>>> singular value? If someone wants multiple times they can use the new
>>>> add interface, right?
>>>
>>> It would and I think it's a good idea, updated patch attached.
>>>
>>>> - What are these new enums for? If there is only one choice do you
>>>> really have a choice?
>>>
>>> Well for now, we only have the 'all' in categories, but the list is
>>> expected to grow. At first I didn't include categories in the plugin,
>>> because of this, but Sumit wanted it to be complete.
>>>
>>>> - We still need some tests for GeneralizedTime/AccessTime.
>>>
>>> Ok, added to my TODO list.
>>
>> The patch isn't applying for me:
>>
>> $ patch -p1 --dry-run < 0003-Fix-takes_options-in-automount-plugin.patch
>> patching file ipalib/plugins/hbac.py
>> patching file tests/test_xmlrpc/test_hbac_plugin.py
>> Hunk #1 FAILED at 52.
>> Hunk #2 FAILED at 84.
>> 2 out of 3 hunks FAILED -- saving rejects to file tests/test_xmlrpc/test_hbac_plugin.py.rej
>>
>> Since you have to mess with this anyway, can you:
>>
>> - add another test to also test adding the access time on the add. You
>> added back the capability but the tests are still removed AFAICT.
>> - add a FUTURE or FIXME comment indicating that the enumerators are
>> future-proofing things by making them a 1-option enumerator for now?
>>
>> rob
>
> Fixed patch attached.
>
> Pavel

ack x2, push master x2
Re: [Freeipa-devel] [PATCH] Add idnsUpdatePolicy into the dns plug-in
On Tue, 2009-12-01 at 10:17 -0500, Rob Crittenden wrote:
> Martin Nagy wrote:
> > Martin
> >
>
> Should there be a validator on idnsUpdatePolicy to ensure that each
> policy is terminated by a ;? If one wants to have multiple policies is
> it set with idnspolicy="policy1;policy2;policy3;"?
>
> Should the formatting be included in the doc message, or an example of
> usage be added?

That might not be that easy to do, we would probably need to do more than that, e.g. make sure bind can accept the policy string. For now, I'm only adding the idnsupdatepolicy into the dns plugin so that I can use it to create zones with it during installation (patch will follow soon). Might I add the other bits later after I'm done with this?

Martin
Re: [Freeipa-devel] [PATCH] 320 remove /etc/ipa/ipa.conf
Jason Gerard DeRose wrote:
> On Wed, 2009-11-25 at 17:43 -0500, Rob Crittenden wrote:
>> The configuration file /etc/ipa/ipa.conf was used by the v1 clients and
>> servers to manually set realm, domain and server(s). This has been
>> renamed to /etc/ipa/default.conf in v2.
>>
>> Some old utilities still referenced this old file and we still created
>> it. This patch should completely remove it.
>>
>> rob
>
> This isn't applying to the current master:
>
> Applying: Replace /etc/ipa/ipa.conf with /etc/ipa/default.conf
> error: patch failed: ipa.spec.in:473
> error: ipa.spec.in: patch does not apply
> Patch failed at 0001 Replace /etc/ipa/ipa.conf
> with /etc/ipa/default.conf

Boy that spec file trips me up every time. New patch attached.

rob

freeipa-320.2-conf.patch
Description: application/mbox
Re: [Freeipa-devel] [PATCH] Add idnsUpdatePolicy into the dns plug-in
Martin Nagy wrote:
> Martin

Should there be a validator on idnsUpdatePolicy to ensure that each policy is terminated by a ;? If one wants to have multiple policies is it set with idnspolicy="policy1;policy2;policy3;"?

Should the formatting be included in the doc message, or an example of usage be added?

rob
Re: [Freeipa-devel] [PATCH] Ask the user before overwriting /etc/named.conf
Martin Nagy wrote:
> Martin

ack.

As an aside, it might be nice if the actual package name(s) were used to make it easier for the user to know exactly what they are missing for BIND and the BIND LDAP plug-in.

rob
Re: [Freeipa-devel] [PATCH] Remove unnecessary "error: " prefixes
Martin Nagy wrote:
> Martin

ack
[Freeipa-devel] [PATCH] Add idnsUpdatePolicy into the dns plug-in
Martin >From 2831a904c8ab270e1f326ae300dc373361dcc8a4 Mon Sep 17 00:00:00 2001 From: Martin Nagy Date: Tue, 10 Nov 2009 13:12:21 +0100 Subject: [PATCH] Add idnsUpdatePolicy into the dns plug-in The idnsUpdatePolicy takes a list of BIND dynamic update policies, each of which must be terminated by ";". Also fix a minor error in the documentation string. --- ipalib/plugins/dns.py |6 +- 1 files changed, 5 insertions(+), 1 deletions(-) diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py index b956b7f..d04803a 100644 --- a/ipalib/plugins/dns.py +++ b/ipalib/plugins/dns.py @@ -25,7 +25,7 @@ the BIND LDAP plugin. EXAMPLES: Add new zone; - ipa dns-create example.com nameserver.example.com ad...@example.com + ipa dns-add example.com nameserver.example.com ad...@example.com Add second nameserver for example.com: ipa dns-add-rr example.com @ NS nameserver2.example.com @@ -160,6 +160,10 @@ class dns(Object): cli_name='allow_dynupdate', doc='allow dynamic update?', ), +Str('idnsupdatepolicy?', +cli_name='update_policy', +doc='BIND update policy', +), ) api.register(dns) -- 1.6.2.5 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
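Review bot: The second hunk in ipalib/plugins/dns.py adds Str('idnsupdatepolicy?', ...) with no validator, while the commit message says each policy "must be terminated by" a semicolon; as written any string is accepted and stored, and the doc text 'BIND update policy' gives the user no hint of the expected format. Since this attribute decides who may send dynamic updates to the zone, please at least state the format (and one example) in doc=, and consider a validator that rejects an unterminated policy so a malformed value is caught at the command rather than later by BIND.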
[Freeipa-devel] [PATCH] Ask the user before overwriting /etc/named.conf
Martin >From 2ecd67588206abadeb992360c3cd6f0c31938edc Mon Sep 17 00:00:00 2001 From: Martin Nagy Date: Fri, 13 Nov 2009 16:57:51 +0100 Subject: [PATCH] Ask the user before overwriting /etc/named.conf --- install/tools/ipa-replica-install |6 ++ install/tools/ipa-server-install |6 ++ ipaserver/install/bindinstance.py | 10 +- 3 files changed, 13 insertions(+), 9 deletions(-) diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install index e8fabd7..9827bef 100755 --- a/install/tools/ipa-replica-install +++ b/install/tools/ipa-replica-install @@ -251,10 +251,8 @@ def check_dirsrv(): sys.exit(1) def check_bind(): -if not bindinstance.check_inst(): -print "--setup-dns was specified but bind or the BIND LDAP plug-in" -print "is not installed on the system" -print "Please install bind and the LDAP plug-in and restart the setup program" +if not bindinstance.check_inst(unattended=True): +print "Aborting installation" sys.exit(1) def main(): diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index 748101d..34ddb0f 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install @@ -541,10 +541,8 @@ def main(): # check bind packages are installed if options.setup_dns: -if not bindinstance.check_inst(): -print "--setup-dns was specified but bind or the BIND LDAP plug-in" -print "is not installed on the system" -print "Please install bind and the LDAP plug-in and restart the setup program" +if not bindinstance.check_inst(options.unattended): +print "Aborting installation" return 1 if options.ca: diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py index 2a922a3..810ee12 100644 --- a/ipaserver/install/bindinstance.py +++ b/ipaserver/install/bindinstance.py 
@@ -30,17 +30,25 @@ from ipapython import sysrestore from ipapython import ipautil from ipalib import api, util -def check_inst(): +def check_inst(unattended): # So far this file is always present in both RHEL5 and Fedora if all the necessary # bind packages are installed (RHEL5 requires also the pkg: caching-nameserver) if not os.path.exists('/etc/named.rfc1912.zones'): +print "BIND was not found on this system" +print "Please install BIND and start the installation again" return False # Also check for the LDAP BIND plug-in if not os.path.exists('/usr/lib/bind/ldap.so') and \ not os.path.exists('/usr/lib64/bind/ldap.so'): +print "The BIND LDAP plug-in was not found on this system" +print "Please install BIND LDAP plug-in and start the installation again" return False +if not unattended and os.path.exists('/etc/named.conf'): +msg = "Existing BIND configuration detected, overwrite?" +return ipautil.user_input(msg, False) + return True class BindInstance(service.Service): -- 1.6.2.5 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
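Review bot: check_inst(unattended) in bindinstance.py now does two jobs, checking that the packages are present and asking whether to overwrite /etc/named.conf, and its False return no longer tells the caller which of the two happened; both callers print "Aborting installation" either way. A docstring describing the unattended parameter and what the return value means, or a separate function for the overwrite prompt, would make the contract clear. The new messages "Please install BIND" and "Please install BIND LDAP plug-in" also do not name the package the user has to install.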
[Freeipa-devel] [PATCH] Remove unnecessary "error: " prefixes
Martin >From 96c64ff2a1051c1e8bdcad9e8aef9488f0e26e87 Mon Sep 17 00:00:00 2001 From: Martin Nagy Date: Mon, 23 Nov 2009 08:42:30 +0100 Subject: [PATCH] Remove unnecessary "error: " prefixes The parser.error() method prepends the "error: " prefix itself. Adding it to the error string is not necessary and doesn't look good. --- install/tools/ipa-replica-prepare |2 +- install/tools/ipa-server-install | 10 +- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/install/tools/ipa-replica-prepare b/install/tools/ipa-replica-prepare index 3dc0ccc..bc86a41 100755 --- a/install/tools/ipa-replica-prepare +++ b/install/tools/ipa-replica-prepare @@ -59,7 +59,7 @@ def parse_options(): pkcs12 = [options.dirsrv_pkcs12, options.http_pkcs12, options.dirsrv_pin, options.http_pin] cnt = pkcs12.count(None) if cnt > 0 and cnt < 4: -parser.error("error: All PKCS#12 options are required if any are used.") +parser.error("All PKCS#12 options are required if any are used.") if len(args) != 1: parser.error("must provide the fully-qualified name of the replica") diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index be525f7..9b5946a 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install 
@@ -131,11 +131,11 @@ def parse_options(): if (options.ds_user or options.realm_name or options.dm_password or options.admin_password or options.master_password): -parser.error("error: In uninstall mode, -u, r, -p and -P options are not allowed") +parser.error("In uninstall mode, -u, r, -p and -P options are not allowed") elif options.unattended: if (not options.ds_user or not options.realm_name or not options.dm_password or not options.admin_password): -parser.error("error: In unattended mode you need to provide at least -u, -r, -p and -a options") +parser.error("In unattended mode you need to provide at least -u, -r, -p and -a options") if options.setup_dns: if not options.forwarders and not options.no_forwarders: parser.error("You must specify at least one --forwarder option or --no-forwarders option") @@ -146,14 +146,14 @@ def parse_options(): pkcs12 = [options.dirsrv_pkcs12, options.http_pkcs12, options.dirsrv_pin, options.http_pin] cnt = pkcs12.count(None) if cnt > 0 and cnt < 4: -parser.error("error: All PKCS#12 options are required if any are used.") +parser.error("All PKCS#12 options are required if any are used.") if (options.external_cert_file or options.external_ca_file) and not options.ca: -parser.error("error: --ca required to use the external CA options.") +parser.error("--ca required to use the external CA options.") if ((options.external_cert_file and not options.external_ca_file) or (not options.external_cert_file and options.external_ca_file)): -parser.error("error: if either external option is used, both are required.") +parser.error("if either external option is used, both are required.") if options.external_ca and not options.ca: # Go ahead and be nice and fix things up -- 1.6.2.5 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
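Review bot: In the @@ -131 hunk of ipa-server-install, the rewritten uninstall-mode message still reads "-u, r, -p and -P options are not allowed"; the "r" is missing its dash and should be "-r", as in the unattended-mode message two lines below. Since these strings are being touched anyway, the capitalization could be made consistent too: "--ca required to use the external CA options." and "if either external option is used, both are required." start differently from the other messages in the same function.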
Re: [Freeipa-devel] [PATCH] jderose 027 Extensible return values
Rob Crittenden wrote:
> Jason Gerard DeRose wrote:
>> On Wed, 2009-11-25 at 12:05 -0500, Rob Crittenden wrote:
>>> This is purely from reading the patch, I haven't applied and tested it
>>> yet.
>>>
>>> ipalib/output.py:
>>>
>>> +primary_key = Output('primary_key', unicode, +'The primary key of the deleted entry' +)
>>>
>>> This isn't only for deleted entries, right?
>>
>> Ah, yeah, that should be made more generic. This doc message is only
>> used by developers, though.
>>
>>> This import doesn't seem to be used: from inspect import getdoc
>>>
>>> What is dont_output_for_cli()? Is this an effort to make things work
>>> while we're in transition?
>>
>> Yeah, I just renamed some methods so we can reference how they were
>> implemented. Temporary.
>>
>>> You seem to have disabled the raw option in LDAPSearch, was that
>>> intentional?
>>
>> Originally I got the impression we weren't going to keep both --raw and
>> --all, but this can be changed.
>>
>>> Is cli_name being dropped for label? I'm ok with that but should we
>>> remove it from all the plugins?
>>
>> No, here is how they work:
>>
>> `cli_name` is used for the optparse names and defaults to Param.name,
>> like:
>>
>> --first
>>
>> `label` is a human readable, translatable string. It's used in the
>> webUI, and to prompt show entries on cli, like:
>>
>> First name: John Doe
>>
>> `doc` is human readable help passed to optparse.make_option(help=doc).
>> It defaults to the value of the label. It's used like this:
>>
>> --uid=INTUID (use this option to set it manually)
>>
>> In the above case the `label` is "UID" (not shown) but the `doc` is this
>> longer string.
>>
>> The user plugins provide good examples of how I think these should be
>> used. I'll submit a patch later documenting these different string uses.
>>
>>> rob
>
> We'll also need to determine what we'll do about all the plugins. The
> cert plugin, for example, isn't ported to this new return value system
> and blows up in many places. There are also some labels missing, such as
> for fqdn in the host plugin.
>
> These are both quite easy to fix, I think we just need to coordinate
> things.
>
> Perhaps if Pavel and I split up the plugins and fix anything that needs
> fixing and commit all the patches at one time to avoid any period of
> breakage.
>
> rob

Just did a fast forward through the big patch. It looks mostly OK, but as Rob said - it breaks a few things. I don't mind fixing all the plugins - it shouldn't be too hard, because at this point most of them are just extensions of baseldap.py classes. I'm going to apply the patch on my tree and see what I can do in the second half of this week.

One thing I noticed:

+return dict( +result=entry_attrs, +primary_key=keys[0], +)

This will work on most plugins, but you should use keys[-1], because keys might contain parent object keys as well. The last key is always the primary key of the object in question.

Pavel
Re: [Freeipa-devel] [PATCH] Change object_class of group object.
Rob Crittenden wrote:
> Pavel Zuna wrote:
>> Some groups created by default don't have ipaUserGroup and won't show
>> up in searches.
>>
>> Pavel
>
> nack, isn't the better approach to fix up the groups that are created by
> default without the ipaUserGroup objectclass?

It is. Fixed patch attached.

> rob

Pavel

0014-Add-ipaUserGroup-objectClass-to-default-groups-where.patch
Description: application/mbox
Re: [Freeipa-devel] [PATCH] Add {user, host, sourcehost}Category to HBAC and make accessTime multivalue.
Rob Crittenden wrote:
> Pavel Zuna wrote:
>> Rob Crittenden wrote:
>>> Pavel Zuna wrote:
>>>> Due to the format of accessTime (it has commas and spaces in it), we
>>>> can't use the List parameter type. I made it so that accessTime values
>>>> have to be entered one by one using new commands.
>>>>
>>>> We also agreed, that we're going to rename GeneralizedTime parameter to
>>>> AccessTime to prevent confusion with RFC 4517 standard. I attached a
>>>> separate patch for clarity.
>>>>
>>>> Pavel
>>>
>>> A couple of questions:
>>>
>>> - Would it make sense to leave time in as an option that takes a
>>> singular value? If someone wants multiple times they can use the new
>>> add interface, right?
>>
>> It would and I think it's a good idea, updated patch attached.
>>
>>> - What are these new enums for? If there is only one choice do you
>>> really have a choice?
>>
>> Well for now, we only have the 'all' in categories, but the list is
>> expected to grow. At first I didn't include categories in the plugin,
>> because of this, but Sumit wanted it to be complete.
>>
>>> - We still need some tests for GeneralizedTime/AccessTime.
>>
>> Ok, added to my TODO list.
>
> The patch isn't applying for me:
>
> $ patch -p1 --dry-run < 0003-Fix-takes_options-in-automount-plugin.patch
> patching file ipalib/plugins/hbac.py
> patching file tests/test_xmlrpc/test_hbac_plugin.py
> Hunk #1 FAILED at 52.
> Hunk #2 FAILED at 84.
> 2 out of 3 hunks FAILED -- saving rejects to file tests/test_xmlrpc/test_hbac_plugin.py.rej
>
> Since you have to mess with this anyway, can you:
>
> - add another test to also test adding the access time on the add. You
> added back the capability but the tests are still removed AFAICT.
> - add a FUTURE or FIXME comment indicating that the enumerators are
> future-proofing things by making them a 1-option enumerator for now?
>
> rob

Fixed patch attached.

Pavel

0001-Add-user-host-sourcehost-Category-to-HBAC-and-make.patch
Description: application/mbox

0002-Rename-GeneralizedTime-to-AccessTime.patch
Description: application/mbox