[Freeipa-devel] Re: [PATCHES] Migration wrap-up.

2009-12-02 Thread Pavel Zůna

Pavel Zůna wrote:

Okay, I think my migration patches are ready for submission.

What's new?

- No more forced password change after migration, unless the password 
doesn't meet IPA password policy. Expiration time sets correctly (hooray!).
- Migration mode (adding entries with pre-hashed passwords) can now be 
turned ON/OFF using the ipaMigrationEnabled attribute in ipaConfig entry.
- New fancy password migration page using HTML form based 
authentication. (CSS and looks in general will probably have to change 
to visually go with the rest of the webUI.)

- Better error/log messages and some general code clean up.

I didn't change the migration plugin to use IPA commands. Believe me, I 
tried. There's just too much overhead and additional work:


- We need to sanitize data from DS before we feed it to the IPA commands 
and it's not just converting them to unicode.
- There are attributes our commands do not accept as parameters and 
setattr/addattr doesn't really help that much there. It's going to be 
even worse when custom schemas kick in. Our commands also make some 
assumptions about attributes - like givenName/sn being required etc. 
It's just too hard to do it properly in a generic way.

- Using IPA commands generates at least 4 times more LDAP requests.
- The code is also longer.

The migration plugin might still need some work and I'm thinking of ways 
to make it better, more readable and maintainable, but if the other 
patches pass and there are no big problems with it, I say we should push 
it, so that QE can do some testing.


I'm currently writing a wiki page with a step-by-step migration guide, but 
I left it open at the office and I'm sick at home at the moment, so I'm 
going to resume when back. I will also set up a testing environment on 
the blades for DS to IPA migration.


Pavel

Oops, I forgot to change the spec file. Patch attached.

Pavel


0001-Add-password-migration-page-files-to-the-spec-file.patch
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] Make ldap2.convert_attr_synonyms more robust against schema lookup fails.

2009-12-02 Thread Martin Nagy
On Fri, 2009-11-20 at 09:32 -0500, Rob Crittenden wrote:
> Pavel Zuna wrote:
> > Rob Crittenden wrote:
> >> Pavel Zuna wrote:
> >>> Rob Crittenden wrote:
>  Pavel Zuna wrote:
> > Rob Crittenden wrote:
> >> The user plugin is crapping out on line 317 of ldap2.py because 
> >> attr is coming back None. The attribute it is looking for is member.
> >>
> >> I think the fix involves setting member_attributes = ['member'] to 
> >> the user plugin.
> >>
> >> I wonder if we need to make the ldap2 plugin a bit more robust too 
> >> so it  can handle it better if the schema lookup returns None.
> >>
> >> rob
> > This should fix the issue.
> >
> 
>  Yes, this will fix it (I did a similar fix to work around it) but 
>  what does it mean if there is no attribute found? Is that possible?
> 
>  Should we catch it and return a more specific error message instead?
> 
>  rob
> >>>
> >>> If it doesn't find the attribute, PROBABLY nothing will happen...
> >>>
> >>> Fortunately, we don't have to worry about it anymore. I played with 
> >>> python-ldap a bit today and it seems to have the 
> >>> convert_attr_synonyms functionality built-in. :)
> >>>
> >>> Here's a replacement patch.
> >>>
> >>> Pavel
> >>
> >> nack. I don't see where python-ldap is replacing it. We weren't seeing 
> >> it done before were we?
> > That's because we were doing it wrong.
> > 
> > We were requesting all attributes ('*') + ACIs ('aci'). After this patch 
> > we explicitly request all attributes in the new entry (i.e. all 
> > attributes that are going to be updated) and python-ldap will always 
> > return them named as they were requested. In other words: If we request 
> > localityName as l, python-ldap will return it as l, if we request it as 
> > localityName, python-ldap will return it as localityName.
> > 
> >> Also, we need to request the 'aci' attribute for the aci plugin to work.
> > And we do so, because after this patch, we're requesting all attributes 
> > explicitly.
> >
> 
> Well, no, you're requesting all attributes in the current entry. The 
> code looked like this once before and caused the aci plugin to break. I 
> guess some other change fixed that, things are working as expected.
> 
> ack
> 
> rob

Pushed to master.
Martin



Re: [Freeipa-devel] [PATCH] Ask the user before overwriting /etc/named.conf

2009-12-02 Thread Martin Nagy
On Tue, 2009-12-01 at 15:31 -0500, Rob Crittenden wrote:
> Martin Nagy wrote:
> > On Tue, 2009-12-01 at 10:15 -0500, Rob Crittenden wrote:
> >> Martin Nagy wrote:
> >>> Martin
> >>>
> >> ack.
> >>
> >> As an aside, it might be nice if the actual package name(s) were used to 
> >> make it easier for the user to know exactly what they are missing for 
> >> BIND and the BIND LDAP plug-in.
> > 
> > Yeah, I guess you're right. New patch attached.
> > 
> > Martin
> > 
> 
> Cool, lots better! ack
> 
> rob

Pushed to master.
Martin



Re: [Freeipa-devel] [PATCH] Add idnsUpdatePolicy into the dns plug-in

2009-12-02 Thread Martin Nagy
On Tue, 2009-12-01 at 15:30 -0500, Rob Crittenden wrote:
> Martin Nagy wrote:
> > On Tue, 2009-12-01 at 10:17 -0500, Rob Crittenden wrote:
> >> Martin Nagy wrote:
> >>> Martin
> >>>
> >> Should there be a validator on idnsUpdatePolicy to ensure that each 
> >> policy is terminated by a ;? If one wants to have multiple policies is 
> >> it set with idnspolicy="policy1;policy2;policy3;"?
> >>
> >> Should the formatting be included in the doc message, or an example of 
> >> usage be added?
> > 
> > That might not be that easy to do, we would probably need to do more
> > than that, e.g. make sure bind can accept the policy string. For now,
> > I'm only adding the idnsupdatepolicy into the dns plugin so that I can
> > use it to create zones with it during installation (patch will follow
> > soon). Might I add the other bits later after I'm done with this?
> > 
> > Martin
> > 
> 
> Sure, that makes sense. ack.
> 
> rob

Pushed to master.
Martin



Re: [Freeipa-devel] [PATCH] Remove unnecessary "error: " prefixes

2009-12-02 Thread Martin Nagy
On Tue, 2009-12-01 at 10:12 -0500, Rob Crittenden wrote:
> Martin Nagy wrote:
> > Martin
> 
> ack

Pushed to master.
Martin



[Freeipa-devel] Re: [PATCHES] Migration wrap-up.

2009-12-02 Thread Pavel Zůna

Pavel Zůna wrote:

Oops, I forgot to change the spec file. Patch attached.

Pavel

There was a missing * to handle .pyc/.pyo files. Updated patch attached.

Pavel


0001-Add-password-migration-page-files-to-the-spec-file.patch

[Freeipa-devel] Problem with ipa installation: certutil

2009-12-02 Thread Martin Nagy
Hi,
I'm trying to install ipa and am getting a python traceback (attached).
It seems that running certutil didn't succeed so I added a debugging
print before its execution and tried to run it manually. This is what I
get:

# /usr/bin/certutil -d /etc/httpd/alias -S -n 'CA certificate' -s
'cn=IPA Test Certificate Authority' -x -t 'CT,,C' -1 -2 -5 -m 1056 -v
120 -z /etc/httpd/alias/noise.txt -f /etc/httpd/alias/pwdfile.txt
certutil -o: unable to open "tempcertreq" for writing (-5950, 2)
Exit 255

(The "Exit 255" is from my shell saying that certutil exited returning
255). I did a git grep tempcertreq in freeipa git tree but didn't find
anything, so I'm assuming we weren't creating it or anything. Does
anyone know what might be causing this error?

Martin
ipa: DEBUG: [Errno 32] Broken pipe
  File "/usr/sbin/ipa-server-install", line 791, in <module>
sys.exit(main())

  File "/usr/sbin/ipa-server-install", line 673, in main
ds.create_instance(ds_user, realm_name, host_name, domain_name, 
dm_password, self_signed_ca=not options.ca, uidstart=options.uidstart, 
gidstart=options.gidstart)

  File "/usr/lib/python2.6/site-packages/ipaserver/install/dsinstance.py", line 
193, in create_instance
self.start_creation("Configuring directory server:")

  File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line 
171, in start_creation
method()

  File "/usr/lib/python2.6/site-packages/ipaserver/install/dsinstance.py", line 
342, in __enable_ssl
cadb.create_self_signed()

  File "/usr/lib/python2.6/site-packages/ipaserver/install/certs.py", line 826, 
in create_self_signed
self.create_ca_cert()

  File "/usr/lib/python2.6/site-packages/ipaserver/install/certs.py", line 357, 
in create_ca_cert
p.stdin.write("0\n1\n5\n9\ny\n")

Re: [Freeipa-devel] [PATCH] 322 set minimum level of python-pyasn1

2009-12-02 Thread Rob Crittenden

Jason Gerard DeRose wrote:

On Tue, 2009-12-01 at 14:04 -0500, Rob Crittenden wrote:
Update the spec to set minimum version of python-pyasn1 to 0.0.9a so we 
can have the ASN.1 Any type needed by the PKCS#10 parser.


rob


nack.  This introduces a bug in the spec:

error: line 89: Unknown tag: pequires: libcap




Uh, yeah, it's a new directive when doing a python requires, hence 
pequires instead of Requires. That's my story and I'm sticking with it.


New patch attached.

rob


freeipa-322.2-pyasn1.patch

Re: [Freeipa-devel] Problem with ipa installation: certutil

2009-12-02 Thread Rob Crittenden

Martin Nagy wrote:

Hi,
I'm trying to install ipa and am getting a python traceback (attached).
It seems that running certutil didn't succeed so I added a debugging
print before its execution and tried to run it manually. This is what I
get:

# /usr/bin/certutil -d /etc/httpd/alias -S -n 'CA certificate' -s
'cn=IPA Test Certificate Authority' -x -t 'CT,,C' -1 -2 -5 -m 1056 -v
120 -z /etc/httpd/alias/noise.txt -f /etc/httpd/alias/pwdfile.txt
certutil -o: unable to open "tempcertreq" for writing (-5950, 2)
Exit 255

(The "Exit 255" is from my shell saying that certutil exited returning
255). I did a git grep tempcertreq in freeipa git tree but didn't find
anything, so I'm assuming we weren't creating it or anything. Does
anyone know what might be causing this error?

Martin


This message comes directly from certutil itself. It tries to open the 
file "tempcertreq" in the cwd.


Odd since you are installing this as root, right? Perhaps you are in a 
directory that no longer exists?


I seem to recall running into this in v1 as well and thought we did a 
chdir(). Maybe we do that in some places and not others.


rob

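The failure Rob describes (certutil writing its "tempcertreq" scratch file into a working directory that is missing or unwritable, even though every path on the command line is absolute) can be checked for before the tool is run. The following is an added example, not code from the thread or from FreeIPA; it reuses the certutil argv Martin quoted and the extension answers from the traceback, reproduces the deleted-cwd case in a scratch directory, and runs certutil with an explicit cwd so the scratch file has a known home.

```python
import os
import subprocess
import tempfile

# Path from the quoted command; certutil -S writes "tempcertreq" into the
# process's current directory, not into the -d database directory.
CERTUTIL = "/usr/bin/certutil"


def cwd_problem():
    """Describe why the working directory is unusable, or return None."""
    try:
        cwd = os.getcwd()
    except OSError as exc:  # directory was removed underneath the process
        return "working directory no longer exists (%s)" % exc
    if not os.access(cwd, os.W_OK):
        return "working directory %s is not writable" % cwd
    return None


def certutil_argv(dbdir, nickname, subject, noise, pwdfile,
                  serial=1056, months=120):
    """Build the self-signed CA request from the thread as an argv list
    (no shell), keeping the option order of the quoted command."""
    return [CERTUTIL, "-d", dbdir, "-S", "-n", nickname, "-s", subject,
            "-x", "-t", "CT,,C", "-1", "-2", "-5",
            "-m", str(serial), "-v", str(months),
            "-z", noise, "-f", pwdfile]


def run_certutil(argv, workdir, answers=b"0\n1\n5\n9\ny\n"):
    """Run certutil with an explicit working directory so its scratch file
    lands in workdir instead of wherever the installer was started from.
    The default answers are the extension prompts fed in the traceback.
    Returns (exit status, stderr text)."""
    if workdir is None:
        problem = cwd_problem()
        if problem:
            raise RuntimeError("refusing to run certutil: " + problem)
    proc = subprocess.run(argv, cwd=workdir, input=answers,
                          stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    return proc.returncode, proc.stderr.decode(errors="replace")


def demo_deleted_cwd():
    """Constructed reproduction of the failure mode: chdir into a scratch
    directory, delete it, and report what the check says. Restores cwd."""
    saved = os.getcwd()
    scratch = tempfile.mkdtemp()
    os.chdir(scratch)
    os.rmdir(scratch)
    try:
        return cwd_problem()
    finally:
        os.chdir(saved)


if __name__ == "__main__":
    print("check in a deleted cwd:", demo_deleted_cwd())
    print(" ".join(certutil_argv("/etc/httpd/alias", "CA certificate",
                                 "cn=IPA Test Certificate Authority",
                                 "/etc/httpd/alias/noise.txt",
                                 "/etc/httpd/alias/pwdfile.txt")))
```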


Re: [Freeipa-devel] [PATCH] 325 test for cert plugin

2009-12-02 Thread John Dennis

On 12/01/2009 11:19 PM, Rob Crittenden wrote:

An extremely basic test for the cert plugin. Only tests the cert-request
command but it's a start.


I think the test should also check for the correct return type. For 
instance shouldn't


assert res['subject'] == 'CN=ipatestcert.greyoak.com'

be followed (or preceded) by

assert type(res['subject']) is unicode

Also, is this going to deprecate checks/check_ra.py?

--
John Dennis 

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



Re: [Freeipa-devel] [PATCH] 325 test for cert plugin

2009-12-02 Thread Rob Crittenden

John Dennis wrote:

On 12/01/2009 11:19 PM, Rob Crittenden wrote:

An extremely basic test for the cert plugin. Only tests the cert-request
command but it's a start.


I think the test should also check for the correct return type. For 
instance shouldn't


assert res['subject'] == 'CN=ipatestcert.greyoak.com'

be followed (or preceded) by

assert type(res['subject']) is unicode

Also, is this going to deprecate checks/check_ra.py?



Ah, excellent point. What it probably really should do is call 
xmlrpc_test.assert_attr_equal() which should do the unicode enforcement. 
If we need additional types we can add an expected type argument, 
defaulting to unicode.


I'm reluctant to tackle this just yet with Jason's big patch looming. It 
contains a bunch of changes to the test infrastructure to handle the new 
return values. Perhaps I'll shelve this patch for a few days until we 
can get his patch committed, then rebase this and add in the type 
enforcement and resubmit.


rob



[Freeipa-devel] multiple plugin loads?

2009-12-02 Thread John Dennis
I haven't had a chance to look at the source code for an explanation yet 
but I'm wondering if what I see in the debug logs is correct. I see


loading all plugin modules in xxx/ipalib/plugins ...

and

loading all plugin modules in xxx/ipaserver/plugins ...

3 or 4 times when the server initializes (not always the identical 
list). Some plugins do get loaded multiple times. Is that expected?


--
John Dennis 

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



Re: [Freeipa-devel] multiple plugin loads?

2009-12-02 Thread Rob Crittenden

John Dennis wrote:
I haven't had a chance to look at the source code for an explanation yet 
but I'm wondering if what I see in the debug logs is correct. I see


loading all plugin modules in xxx/ipalib/plugins ...

and

loading all plugin modules in xxx/ipaserver/plugins ...

3 or 4 times when the server initializes (not always the identical 
list). Some plugins do get loaded multiple times. Is that expected?




If you're seeing it in the Apache logs this is expected. It loads for 
each Apache process loading the server.


rob



Re: [Freeipa-devel] [PATCH] 322 set minimum level of python-pyasn1

2009-12-02 Thread Jason Gerard DeRose
On Wed, 2009-12-02 at 09:12 -0500, Rob Crittenden wrote:
> Jason Gerard DeRose wrote:
> > On Tue, 2009-12-01 at 14:04 -0500, Rob Crittenden wrote:
> >> Update the spec to set minimum version of python-pyasn1 to 0.0.9a so we 
> >> can have the ASN.1 Any type needed by the PKCS#10 parser.
> >>
> >> rob
> > 
> > nack.  This introduces a bug in the spec:
> > 
> > error: line 89: Unknown tag: pequires: libcap
> > 
> > 
> 
> Uh, yeah, it's a new directive when doing a python requires, hence 
> pequires instead of Requires. That's my story and I'm sticking with it.
> 
> New patch attached.
> 
> rob

ack.  pushed to master.



[Freeipa-devel] [PATCH] 326 bump IPA install version

2009-12-02 Thread Rob Crittenden
We store a rough version of IPA at install time in the base object, bump 
this up to V2.0


rob


freeipa-326-version.patch

[Freeipa-devel] service record conundrum

2009-12-02 Thread Rob Crittenden

Here is sort of a tricky problem, need some advice (LONG).

When we bootstrap an IPA server we create a number of principals for the 
server itself. We create a host/, HTTP/ and ldap/ principal using 
kadmin.local. By using kadmin.local this entry is put into 
cn=kerberos,dc=example,dc=com.


This has the nice side effect of making these records not appear as 
service entries so they are unmodifiable by anyone, meaning an admin 
will have a really hard time hosing their server.


The downside is that these records do not appear as service entries, so 
if you search for services on the IPA server you'll get nothing.


Even worse it means you can't request certificates for these services, 
because they don't exist. Not that one really should since we also 
generate certificates for these at bootstrap, but we don't store them 
anywhere because there isn't any place to put them. This also means that 
we can't track expiration of these.


To make things even more fun we have the DS uniqueness plugin configured 
so there can be no duplication in principal names. Since this is in the 
RDN of service records we can't even create a bit of a bogus entry to 
still protect the principals and yet be able to store certificates.


Remember too that these records are created during installation, 
effectively bootstrapping the real services (httpd, dirsrv), so we have 
limited options for how to generate them to begin with.


One idea I had is to continue to use kadmin.local to create the 
principals and then move them out of cn=kerberos into cn=services, 
adding whatever additional data we need. This way we would maintain the 
principalkeys. Then we'd need to insert the certificates we generate.


Unfortunately 389-DS doesn't seem to support newsuperior so I guess we'd 
have to move it ourselves via delete and re-add.


So I'm basically stuck right now.

rob



[Freeipa-devel] [PATCH] jderose 028 Lossless datetime round-trip

2009-12-02 Thread Jason Gerard DeRose
As per John's request, this patch allows lossless round-tripping of
Python datetime.datetime objects.

Unfortunately, the xmlrpclib dumps() and loads() functions use funny
wrapper objects like xmlrpclib.DateTime rather than directly serializing
to/from standard Python types like datetime.datetime.  This makes
lossless round-tripping pretty cumbersome to implement.

Doing a loads(foo, use_datetime=True) would work, but the `use_datetime`
kwarg is only available in Python2.5 and newer, so I instead extended my
xml_wrap() and xml_unwrap() functions.


From 92ce9fa408f4b2e05cb61e3e40498b56cb709960 Mon Sep 17 00:00:00 2001
From: Jason Gerard DeRose 
Date: Wed, 2 Dec 2009 21:41:24 -0700
Subject: [PATCH] Allow lossless round-trip of datetime objects over XML-RPC

---
 ipalib/rpc.py |9 +++--
 tests/test_ipalib/test_rpc.py |   28 +---
 2 files changed, 32 insertions(+), 5 deletions(-)

diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index 62f1d77..61af52d 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -35,7 +35,10 @@ import threading
 import socket
 import os
 import errno
-from xmlrpclib import Binary, Fault, dumps, loads, ServerProxy, Transport, ProtocolError
+from datetime import datetime
+from xmlrpclib import dumps, loads
+from xmlrpclib import Binary, Fault, DateTime, ProtocolError
+from xmlrpclib import ServerProxy, Transport
 import kerberos
 from ipalib.backend import Connectible
 from ipalib.errors import public_errors, PublicError, UnknownError, NetworkError
@@ -89,7 +92,7 @@ def xml_wrap(value):
 )
 if type(value) is str:
 return Binary(value)
-assert type(value) in (unicode, int, float, bool, NoneType)
+assert type(value) in (unicode, int, float, bool, datetime, NoneType)
 return value
 
 
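Review bot: adding `datetime` to the assert in xml_wrap() lets a bare datetime.datetime flow through to dumps() and leaves the encoding to xmlrpclib's Marshaller, while xml_unwrap() below converts the wire type back explicitly. For symmetry and an explicit contract, consider `if isinstance(value, datetime): return DateTime(value)` ahead of the assert; the test in this same patch (`assert_equal(dnl_utc, DateTime(dt_utc))`) already documents DateTime as the expected on-the-wire form.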
@@ -122,6 +125,8 @@ def xml_unwrap(value, encoding='UTF-8'):
 if isinstance(value, Binary):
 assert type(value.data) is str
 return value.data
+if isinstance(value, DateTime):
+return datetime(*value.timetuple()[0:6])
 assert type(value) in (unicode, int, float, bool, NoneType)
 return value
 
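Review bot: `datetime(*value.timetuple()[0:6])` discards tzinfo and anything finer than seconds. That matches what XML-RPC's dateTime.iso8601 value carries, but a one-line comment on the new branch should say so, so nobody expects a microsecond or timezone-aware datetime to survive the round trip; it also makes clear that the unchanged assert on the following line (still listing only the pre-existing types) is intentional, since the DateTime branch returns first.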
diff --git a/tests/test_ipalib/test_rpc.py b/tests/test_ipalib/test_rpc.py
index d5dd38c..ea0620f 100644
--- a/tests/test_ipalib/test_rpc.py
+++ b/tests/test_ipalib/test_rpc.py
@@ -22,7 +22,8 @@ Test the `ipalib.rpc` module.
 """
 
 import threading
-from xmlrpclib import Binary, Fault, dumps, loads, ServerProxy
+from xmlrpclib import Binary, DateTime, Fault, dumps, loads, ServerProxy
+from datetime import datetime
 from tests.util import raises, assert_equal, PluginTester, DummyClass
 from tests.data import binary_bytes, utf8_bytes, unicode_str
 from ipalib.frontend import Command
@@ -53,6 +54,9 @@ def test_round_trip():
 This tests the two functions together with ``xmlrpclib.dumps()`` and
 ``xmlrpclib.loads()`` in a full wrap/dumps/loads/unwrap round trip.
 """
+dt_utc = datetime.utcfromtimestamp(1234567890)
+dt_loc = datetime.fromtimestamp(1234567890)
+
 # We first test that our assumptions about xmlrpclib module in the Python
 # standard library are correct:
 assert_equal(dump_n_load(utf8_bytes), unicode_str)
@@ -65,6 +69,13 @@ def test_round_trip():
 assert_equal(dump_n_load(u''), '')
 assert dump_n_load(None) is None
 
+dnl_utc = dump_n_load(dt_utc)
+assert_equal(dnl_utc, DateTime(dt_utc))
+assert isinstance(dnl_utc, DateTime)
+dnl_loc = dump_n_load(dt_loc)
+assert_equal(dnl_loc, DateTime(1234567890))
+assert isinstance(dnl_loc, DateTime)
+
 # Now we test our wrap and unwrap methods in combination with dumps, loads:
 # All str should come back str (because they get wrapped in
 # xmlrpclib.Binary().  All unicode should come back unicode because str
@@ -78,8 +89,19 @@ def test_round_trip():
 assert_equal(round_trip(''), '')
 assert_equal(round_trip(u''), u'')
 assert round_trip(None) is None
-compound = [utf8_bytes, None, binary_bytes, (None, unicode_str),
-dict(utf8=utf8_bytes, chars=unicode_str, data=binary_bytes)
+
+assert_equal(round_trip(dt_utc), dt_utc)
+assert isinstance(dt_utc, datetime)
+assert_equal(round_trip(dt_loc), dt_loc)
+assert isinstance(dt_loc, datetime)
+
+compound = [utf8_bytes, None, binary_bytes, (None, unicode_str), dt_loc,
+dict(
+utf8=utf8_bytes,
+chars=unicode_str,
+data=binary_bytes,
+datetime=dt_utc,
+),
 ]
 assert round_trip(compound) == tuple(compound)
 
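Review bot: `assert isinstance(dt_utc, datetime)` and `assert isinstance(dt_loc, datetime)` check the inputs, which are datetimes by construction, so they can never fail; the property this patch adds is that round_trip() hands back a datetime rather than a DateTime, and that is what needs asserting. Suggest `rt = round_trip(dt_utc)`, `assert_equal(rt, dt_utc)`, `assert type(rt) is datetime` (and the same for dt_loc); the type check matters because a DateTime may compare equal to a datetime holding the same value, so assert_equal alone would not catch a missing conversion.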
-- 
1.6.3.3
