[Freeipa-devel] [PATCH] Add contributors file

2010-02-23 Thread John Dennis
Add contributors file. This gets installed alongside the LICENSE and 
README files in the doc dir for each rpm package.

--
John Dennis 

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
From 7e14f978f41f9d575511af469bdb5b7ca3509681 Mon Sep 17 00:00:00 2001
From: John Dennis 
Date: Tue, 23 Feb 2010 17:12:06 -0500
Subject: [PATCH] Add contributors file
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit

---
 Contributors.txt |   65 ++
 ipa.spec.in      |   12 +-
 2 files changed, 71 insertions(+), 6 deletions(-)
 create mode 100644 Contributors.txt

diff --git a/Contributors.txt b/Contributors.txt
new file mode 100644
index 000..1d40c6d
--- /dev/null
+++ b/Contributors.txt
@@ -0,0 +1,65 @@
+# -*- coding: utf-8 -*-
+
+The following people have contributed to the FreeIPA project.
+(Listed in alphabetical order within category)
+
+Developers:
+	Rob Crittenden 
+	Frank Cusac
+	Nalin Dahyabhai 
+	Don Davis
+	John Dennis 
+	Jason DeRose
+	Gunther Deschner
+	Endi Dewata
+	Steven Gallagher
+	Jakub Hrozek
+	Nathan Kinder
+	Karl MacMillan
+	Jon McCann
+	Kevin McCarthy
+	Rich Megginson 
+	Jim Meyering
+	Martin Nagy
+	Pete Rowley
+	Andreas Schneider
+	Simo Sorce 
+	Andrew Wnuk
+	Pavel Zůna 
+
+Documentation:
+	David O'Brien
+ 
+Testing:
+	Jenny Galipeau
+	Michael Gregg
+	Suzanne Hillman
+	Chandrasekar Kannan
+	Gowrishankar Rayaiyan
+	Yi Zhang
+
+Translators:
+Héctor Daniel Cabrera
+Teguh DC
+Piotr Drąg
+Gundachandru
+Andrew Martynov
+Sankarshan Mukhopadhyay
+
+Wiki, Solution and Idea Contributors:
+  Viji V Nair
+  Ryan Thompson
+  David Zeuthen
+
+Graphic Design and User Interaction Design:
+	Máirín Duffy
+
+Managment:
+	Scott Haines
+	Bob Lord
+	Dmitri Pal 
+	Kevin Unthank
+	Karl Wirth
+
+
+
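Review bot: the last section header in the new file reads `Managment:` and should be `Management:`. Indentation also differs between sections: most names are tab-indented, the entries under `Translators:` have no indentation at all, and the entries under `Wiki, Solution and Idea Contributors:` use two spaces; pick one (tabs, to match the rest). The separator line after `David O'Brien` carries a trailing space and the file ends in three empty lines, both of which `git apply --whitespace=error` would reject, so trim them before pushing.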
diff --git a/ipa.spec.in b/ipa.spec.in
index 0607dd7..f053bab 100644
--- a/ipa.spec.in
+++ b/ipa.spec.in
@@ -368,7 +368,7 @@ fi
 
 %if ! %{ONLY_CLIENT}
 %files server
-%doc LICENSE README
+%doc LICENSE README Contributors.txt
 %defattr(-,root,root,-)
 %{_sbindir}/ipa-dns-install
 %{_sbindir}/ipa-server-install
@@ -435,7 +435,7 @@ fi
 %endif
 
 %files client
-%doc LICENSE README
+%doc LICENSE README Contributors.txt
 %{_sbindir}/ipa-client-install
 %{_sbindir}/ipa-getkeytab
 %{_sbindir}/ipa-rmkeytab
@@ -455,7 +455,7 @@ fi
 
 %if ! %{ONLY_CLIENT}
 %files admintools
-%doc LICENSE README
+%doc LICENSE README Contributors.txt
 %defattr(-,root,root,-)
 %{_bindir}/ipa
 %{_sbindir}/ipa-fix-CVE-2008-3274
@@ -466,7 +466,7 @@ fi
 %endif
 
 %files python -f %{gettext_domain}.lang
-%doc LICENSE README
+%doc LICENSE README Contributors.txt
 %defattr(-,root,root,-)
 %dir %{python_sitelib}/ipapython
 %{python_sitelib}/ipapython/*.py*
@@ -479,13 +479,13 @@ fi
 
 %if %{WITH_RADIUS}
 %files radius-server
-%doc LICENSE README
+%doc LICENSE README Contributors.txt
 %{_usr}/share/ipa/ipaserver/plugins/*
 %dir %{_usr}/share/ipa/plugins
 %{_usr}/share/ipa/plugins/radius.radiusd.conf.template
 
 %files radius-admintools
-%doc LICENSE README
+%doc LICENSE README Contributors.txt
 %{_sbindir}/ipa-addradiusclient
 %{_sbindir}/ipa-addradiusprofile
 %{_sbindir}/ipa-delradiusclient
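Review bot: in `%files radius-server` and `%files radius-admintools` the `%doc LICENSE README Contributors.txt` line is followed directly by file entries, with no `%defattr(-,root,root,-)`, whereas the server, admintools and python sections earlier in this patch all have one right after `%doc`. The same is visible in `%files client`. If the directive is not set elsewhere in those sections, the newly packaged Contributors.txt takes its owner and mode from the build tree. Not introduced by this patch, but since every one of these sections is being touched anyway, adding the missing `%defattr` lines here would make the six sections consistent.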
-- 
1.6.6

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] fix typo in install/updates/30-automount.update

2010-02-23 Thread Rob Crittenden

Nalin Dahyabhai wrote:

This'll keep cn=default,cn=automount,$SUFFIX from getting a second "cn"
value that it doesn't need.

Nalin


ack, pushed to master

Note, I slightly tweaked the patch description.

rob



Re: [Freeipa-devel] [PATCH] Complete netgroup attributes.

2010-02-23 Thread Rob Crittenden

Pavel Zůna wrote:
Add missing attributes to the netgroup plugin. The plugin will now 
correctly display membership information and allow searching for 
netgroups by UUID.


Pavel


ack, pushed to master


Re: [Freeipa-devel] [PATCH] Replace incorrect use of str.index with str.find in host plugin.

2010-02-23 Thread Rob Crittenden

Martin Nagy wrote:

On Tue, 2010-02-23 at 15:33 +0100, Pavel Zůna wrote:

index was used as if it was find in the validation function.

Pavel


Ack.
Martin


pushed to master


Re: [Freeipa-devel] [PATCH] Fix bug where parameter cloning didn't clone validating rules.

2010-02-23 Thread Rob Crittenden

Pavel Zůna wrote:

I thought we had validation fixed, but this little bit was still missing.

Pavel


ack, pushed to master


Re: [Freeipa-devel] [PATCH] Make the --all option work in Add/Remove Member commands.

2010-02-23 Thread Rob Crittenden

Pavel Zůna wrote:

Add/Remove Member commands didn't work with the --all option. They do now.

Pavel


Nack, it causes 5 tests to fail.

rob


Re: [Freeipa-devel] mod_wsgi troubles

2010-02-23 Thread Simo Sorce
On Tue, 23 Feb 2010 09:22:05 -0700
Jason Gerard DeRose  wrote:

> So I've been working on migrating freeIPA from mod_python to mod_wsgi.
> This isn't a big change as the IPA server is already all WSGI
> internally, but I've run into 2 unexpected problems.
> 
> 
> mod_wsgi daemon mode
> 
> 
> First, the easy problem.  The mod_wsgi documentation clearly states
> that the daemon mode is the preferred way to deploy.  See the
> "Defining Process Groups" section in:
> 
> http://code.google.com/p/modwsgi/wiki/ConfigurationGuidelines
> 
> In daemon mode, Apache starts mod_wsgi in a separate process and
> communicates with it via a Unix socket.  Unfortunately, Fedora12
> doesn't support daemon mode nicely out of the box and tries to create
> the socket in /etc/httpd/run, which of course makes selinux mad (as it
> should).  I believe Apache is being run with the Apache home set
> to /etc/httpd (which itself seems weird to me, not sure if this is a
> bug).
> 
> Anyway, we can fix this with the WSGISocketPrefix directive.  But this
> directive is server-scope (can't be virtual-host-scope), so we really
> need to fix this in the mod_wsgi package.  We just need to add this
> to /etc/httpd/conf.d/wsgi.conf:
> 
> WSGISocketPrefix /var/run/httpd/wsgi
> 
> This config file is owned by mod_wsgi, not IPA, so I don't think IPA
> should be writing stuff to this during its install.  Again, needs to
> be fixed in the mod_wsgi package.  I haven't tried this under
> Fedora11 yet, so I don't know if the same problem is present there.

Shouldn't you open a bug against mod_wsgi in fedora and have it fixed
there ?

> Simplify Kerberos protected URLs
> 
> 
> Currently in our URL space we have:
> 
> /ipa/xml    - Kerberos protected
> /ipa/json   - Kerberos protected
> /ipa/ui     - Kerberos protected
> /ipa/errors - Not protected
> /ipa/config - Not protected
> /ipa/crl    - Not protected
> 
> Under mod_python, we have separate handlers for the xml, json, and ui
> URLs.  My upcoming patch has a new WSGI middleware component that is a
> single entry point at /ipa.  I did this so that the LDAP auth and
> session stuff is handled in exactly the same way regardless of which
> app is the final target.
> 
> Anyway, right now we have to handle stuff in a pretty funky way
> (including under mod_python).  We turn on Kerb auth for /ipa, then
> turn it off for /ipa/errors and friends.  I would really like us to
> have two base URLs, something like this:
> 
> /ipa/*        - Kerberos protected
> /ipa-static/* - Not protected

When you say "kerberos protected" do you mean it uses mod_auth_kerb for
each access, or does it include also pages you can access only if you
previously authenticated but are just using a session to validate it ?

I would say

/ipa/auth/* - only authenticated access
/ipa/* - anything else

> Doesn't have to be called ipa-static, just throwing a name out there.
> We can work around this (as we already do), but there are 2 reasons I
> think we should do this:
> 
> 1. Security - our current approach is confusing and opens us up to
>    mistakes (our mistakes or a sysadmin's).
> 
> 2. Extensibility - in the V2 cycle we have added several new
>    things in /ipa/*, some Kerberos protected, some not.  I'm sure this
>    will happen again in the future, so we might as well clean this up
>    now.
> 
> What do people think?  I'm not sure I explained this well, but look in
> install/conf/ipa.conf and you'll see what I mean.

Your proposal looks sane. I think we already tried to do that once,
better discipline should be used, but also a better, clear naming will
help. Perhaps adding a README in the directory that serves /ipa/ that
explains what should go where, might help ?

Simo.


-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-devel] [PATCH] jderose 048 Translatable Param.label, Param.doc

2010-02-23 Thread John Dennis

On 02/19/2010 11:15 AM, Jason Gerard DeRose wrote:

This patch:

1. Changes Param.label, Param.doc so they can be either text.Gettext or
str instances.  This is transitional till we get any outstanding patches
merged in, then they will only allow text.Gettext instances.

2. Adds a docstring to the ipalib/parameters.py module explaining the
difference between cli_name, label, and doc.  It also has some style
guidelines for the label and doc.

3. Marks all Param.label and Param.doc for translation, does some
cleanup to hopefully make things a bit more consistent.

4. Various small changes needed to adjust to Param.label, Param.doc
being text.Gettext instances.


ACK

Sometime in the near future (it can be part of another patch) I'd like 
to see the doc for cli_name expanded upon to explain its only purpose 
is to provide a name for the command line argument (e.g. --foo) and how 
this is completely independent of the label used for prompts and 
displaying a value. Also the text.FixMe class needs some documentation 
on how we plan on using it to find untranslated strings.


--
John Dennis 



[Freeipa-devel] [PATCH] jderose 049 Consolidate to single WSGI entry point

2010-02-23 Thread Jason Gerard DeRose
This is part1 of the mod_wsgi transition.  It provides a new plugin:
api.Backend.session.  This is a WSGI middleware component that will
create the LDAP connection and then route the request to the appropriate
WSGI application (/xml or /json or /ui).

The end result is that we have a single entry point (/ipa) instead of 3,
and we also use the exact same code path to create and destroy the LDAP
connection (which is obviously good for security).

All this still is running under mod_python, but my next patch switches
things to mod_wsgi (still have a few issues on that front).
From 541616b0290d309a686bf66febb370ef0cade06a Mon Sep 17 00:00:00 2001
From: Jason Gerard DeRose 
Date: Tue, 23 Feb 2010 10:53:47 -0700
Subject: [PATCH] Consolidate to single WSGI entry point

---
 install/conf/ipa.conf                  |   81 +++--
 ipalib/constants.py                    |    2 +-
 ipaserver/__init__.py                  |    4 +
 ipaserver/plugins/xmlserver.py         |   10 +--
 ipaserver/rpcserver.py                 |  149 +---
 ipawebui/__init__.py                   |   11 +--
 lite-server.py                         |    6 +-
 tests/test_ipaserver/test_rpcserver.py |   96 -
 8 files changed, 276 insertions(+), 83 deletions(-)

diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
index b956293..f5987fb 100644
--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
@@ -11,14 +11,6 @@ PythonImport ipaserver main_interpreter
 # This is required so the auto-configuration works with Firefox 2+
 AddType application/java-archivejar
 
-# This is where we redirect on failed auth
-Alias /ipa/errors "/usr/share/ipa/html"
-
-# For the MIT Windows config files
-Alias /ipa/config "/usr/share/ipa/html"
-
-# For CRL publishing
-Alias /ipa/crl "/var/lib/pki-ca/publish"
 
 
 
@@ -32,34 +24,42 @@ Alias /ipa/crl "/var/lib/pki-ca/publish"
   KrbSaveCredentials on
   Require valid-user
   ErrorDocument 401 /ipa/errors/unauthorized.html
-
 
-
   SetHandler python-program
   PythonInterpreter main_interpreter
-  PythonHandler ipaserver::xmlrpc
+  PythonHandler ipaserver::handler
   PythonDebug Off
-  PythonOption SCRIPT_NAME /ipa/xml
+  PythonOption SCRIPT_NAME /ipa
   PythonAutoReload Off
-
 
-
-  SetHandler python-program
-  PythonInterpreter main_interpreter
-  PythonHandler ipaserver::jsonrpc
-  PythonDebug Off
-  PythonOption SCRIPT_NAME /ipa/json
-  PythonAutoReload Off
 
 
-
-  SetHandler python-program
-  PythonInterpreter main_interpreter
-  PythonHandler ipaserver::webui
-  PythonDebug Off
-  PythonOption SCRIPT_NAME /ipa/ui
-  PythonAutoReload Off
-
+#
+#  SetHandler python-program
+#  PythonInterpreter main_interpreter
+#  PythonHandler ipaserver::xmlrpc
+#  PythonDebug Off
+#  PythonOption SCRIPT_NAME /ipa/xml
+#  PythonAutoReload Off
+#
+
+#
+#  SetHandler python-program
+#  PythonInterpreter main_interpreter
+#  PythonHandler ipaserver::jsonrpc
+#  PythonDebug Off
+#  PythonOption SCRIPT_NAME /ipa/json
+#  PythonAutoReload Off
+#
+
+#
+#  SetHandler python-program
+#  PythonInterpreter main_interpreter
+#  PythonHandler ipaserver::webui
+#  PythonDebug Off
+#  PythonOption SCRIPT_NAME /ipa/ui
+#  PythonAutoReload Off
+#
 
 Alias /ipa-assets/ "/var/cache/ipa/assets/"
 
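Review bot: the three old handler blocks (`PythonHandler ipaserver::xmlrpc`, `ipaserver::jsonrpc` and `ipaserver::webui`) are added back as commented-out lines instead of being deleted. Git history already keeps them, and commented-out handler configuration sitting inside an authentication-sensitive file is easy to re-enable by accident, which would bring back entry points that bypass the new single `ipaserver::handler` path. Suggest deleting them outright. Separately, `ErrorDocument 401 /ipa/errors/unauthorized.html` still points under the protected base, so the 401 page only works as long as the carve-out for that path stays correct; a short comment next to it saying so would help the next person editing this file.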
@@ -72,14 +72,39 @@ Alias /ipa-assets/ "/var/cache/ipa/assets/"
 
 
 
+
+  SetHandler None
+
+
+
+  SetHandler None
+
+
+
+  SetHandler None
+
+
+
+# This is where we redirect on failed auth
+Alias /ipa/errors "/usr/share/ipa/html"
+
+# For the MIT Windows config files
+Alias /ipa/config "/usr/share/ipa/html"
+
 # Do no authentication on the directory that contains error messages
 
+  SetHandler None
   AllowOverride None
   Satisfy Any
   Allow from all
 
 
+
+# For CRL publishing
+Alias /ipa/crl "/var/lib/pki-ca/publish"
+
 
+  SetHandler None
   AllowOverride None
   Options Indexes FollowSymLinks
   Satisfy Any
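Review bot: every unauthenticated path under /ipa now needs two independent overrides to be right at once, the added `SetHandler None` and the existing `Satisfy Any` / `Allow from all`, and this hunk repeats `SetHandler None` in five separate blocks. A block that gets `Satisfy Any` without `SetHandler None` would hand an unauthenticated request to `ipaserver::handler`, so the handler should itself refuse requests that arrive without an authenticated user rather than rely on this file. Please also add a one-line comment above the three blocks that contain only `SetHandler None` saying why it is needed. While here: the CRL publishing block combines `Satisfy Any` with `Options Indexes FollowSymLinks`; if directory listing and symlink following are not required for CRL fetches, drop them from the unauthenticated block.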
diff --git a/ipalib/constants.py b/ipalib/constants.py
index 79ddbca..a942076 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -108,7 +108,7 @@ DEFAULT_CONFIG = (
 ('mount_ipa', '/ipa/'),
 ('mount_xmlserver', 'xml'),
 ('mount_jsonserver', 'json'),
-('mount_webui', 'ui/'),
+('mount_webui', 'ui'),
 ('mount_webui_assets', '/ipa-assets/'),
 
 # WebUI stuff:
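Review bot: `mount_webui` loses its trailing slash (`'ui/'` becomes `'ui'`) while `mount_ipa` and `mount_webui_assets` in the same tuple keep theirs, so after this change the block mixes path segments (`'xml'`, `'json'`, `'ui'`) with slash-terminated URL prefixes and nothing says which is which. Any code that builds URLs by concatenating `mount_ipa` and `mount_webui` will now produce `/ipa/ui` instead of `/ipa/ui/`. Suggest a comment on the two kinds of value and, if not already covered in the test changes, a test that both `/ipa/ui` and `/ipa/ui/` reach the web UI.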
diff --git a/ipaserver/__init__.py b/ipaserver/__init__.py
index 1b62255..874ac3e 100644
--- a/ipaserver/__init__.py
+++ b/ipaserver/__init__.py
@@ -222,3 +222,7 @@ def webui(req):
 mod_python handler for web-UI requests (place holder).
 """
 return adapter(req, ui)
+
+
+def handler(req):
+return adapter(req, api.Backend.session)
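Review bot: the new `handler(req)` has no docstring, while `webui` directly above it documents itself as a mod_python handler. Since this function becomes the only mod_python entry point named in ipa.conf, it deserves one that says so and that it hands the request to `api.Backend.session`. With ipa.conf no longer referencing `ipaserver::xmlrpc`, `ipaserver::jsonrpc` or `ipaserver::webui`, consider removing those functions in the same patch so the old entry points cannot be wired up again.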
diff --git a/ipaserver/plugins/xmlserver.py b/ipaserver/plugins/xmlserver.py
index cbbf148..290bef6 100644
--- a/ipaserver/plugins/xmlserver.py
+++ b/ipaserver/plugins/xmlserver.py
@@ -19,17 +19,13 @@
 # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 
 """
-XML-RPC client plugin.
+Loads WSGI server plugins.
 """
 
 from ip
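Review bot: the module docstring changes from `XML-RPC client plugin.` to `Loads WSGI server plugins.`, but the file is still `ipaserver/plugins/xmlserver.py`. If the module now loads all of the WSGI server plugins, rename it to match, or extend the docstring to list which plugins it registers so the file name is not misleading.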

Re: [Freeipa-devel] [DOC] about netgroups

2010-02-23 Thread Dmitri Pal
Dmitri Pal wrote:
> Pavel Zůna wrote:
>   
>> I was asked to complete the documentation of IPA commands on the
>> internal wiki. Unfortunatly, I currently don't have access to it and
>> have decided to put some of the information I've been gathering here
>> on freeipa-devel. It's not a secret after all and is easier to review
>> by other team members. I'm going to put this on the wiki as soon as I
>> can.
>>
>> 
>
> Try now...
>
>   
>> So, in the first (and possibly last) issue of CommandDocs(tm), we're
>> going to look at netgroups and commands related to them.
>>
>> What are netgroups?
>> ===================
>> Netgroups are a concept introduced in the directory service NIS. They
>> are supposed to contain users, hosts (machines) and other netgroups.
>> Here are a few examples of why such groups can be useful:
>>
>> http://directory.fedoraproject.org/wiki/Howto:Netgroups#What_are_NIS_netgroups_good_for.3F
>>
>>
>> Don't continue reading after the "What are NIS netgroups good for?"
>> part. Netgroup entries are different in IPA.
>> 
>
>
> Though they are different it is important to underline that there are
> two plugins in IPA that make the data in the new format available via
> NIS or old standard RFC2307/2307bis LDAP schema.  For details see the
> documentation and examples here: https://fedorahosted.org/slapi-nis/
> The entries stored using the new schema are converted into the standard
> NIS netgroup map and served via the NIS protocol by the first plugin
> described on the slapi-nis project page and the compatibility plugin can
> be used to create a virtual LDAP view that matches the standard 2307 or
> 2307bis schema  for netgroups using the IPA specific schema.
> I am not sure that we have it configured by default. This is something
> that Nalin would be able to clarify. Nalin?
> But anyways it is definitely possible to configure the compatibility
> plugin to automatically translate the IPA netgroups schema  into schema
> that standard nss_ldap client expects.
>  
>   

And Nalin confirmed that this is in the default configuration.



>> Some more info about netgroups (optional reading; I'll explain most of
>> the important stuff):
>> http://www.softpanorama.org/Net/Application_layer/NIS/nis_netgroups.shtml
>>
>> How do we store netgroups in the IPA backend (LDAP)?
>> ====================================================
>> NIS groups traditionally contain a so called netgroup triple of the
>> format:
>>
>> (machine, user, domain)
>>
>> machine - machine name, a host name
>> user - user name
>> domain - NIS domain of the machine and user
>>
>> Note that there is no necessary relationship between the machine and
>> the user. Only one of those fields is usually used at a time to avoid
>> confusion.
>>
>> In IPA, we don't use the triple anymore. It's ugly and unclear.
>> Instead we use the membership relationship between LDAP entries. You
>> simply add users, host and even their groups as members of a netgroup.
>> The domain field is constant for each netgroup and defaults to the
>> current IPA domain.
>>
>> Example of a netgroup displayed using the IPA CLI:
>>
>> # ipa netgroup-show net1
>>   Netgroup name: net1
>>   Description: test netgroup
>>   NIS domain name: pzuna
>>   Member User: admin
>>   Member Host: testbox.pzuna
>>
>> What commands are available in IPA for handling netgroups?
>> ==========================================================
>> The management plugin for netgroups in IPA conforms to the CRUD
>> command naming conventions used in all other plugins, that come with
>> the default IPA installation.
>>
>> Creating new netgroups
>> ----------------------
>>  ipa netgroup-add NAME [--desc=DESCRIPTION] [--nisdomain=NISDOMAIN]
>>
>> NAME is the name of the netgroup (can be anything, but must be unique)
>> DESCRIPTION is the netgroup description (required)
>> NISDOMAIN is the NIS domain name, defaults to the current IPA domain
>>
>> Deleting netgroups
>> ------------------
>>  ipa netgroup-del NAME
>>
>> Displaying netgroups
>> --------------------
>>  ipa netgroup-show NAME
>>
>> Modifying netgroups
>> -------------------
>>  ipa netgroup-mod NAME [--desc=DESCRIPTION] [--nisdomain=NISDOMAIN]
>>
>> Same as `ipa netgroup-add`, except modifying description is required
>> and NISDOMAIN doesn't default to anything.
>>
>> Searching for netgroups
>> -----------------------
>>  ipa netgroup-find [CRITERIA] [--name=NAME] [--desc=DESCRIPTION]
>>   [--nisdomain=NISDOMAIN] [--uuid=UUID]
>>
>> CRITERIA is an optional substring, that has to appear in either the
>> name, the description or the NIS domain of the groups you're looking for
>>
>> Other options are the same as `ipa netgroup-add`, except nothing is
>> required and doesn't default to anything. There's a new UUID option,
>> that allows searching netgroups by ipaUniqueID. If one of these
>> options is set, the command returns only exact matches of this option.
>>
>> Adding users and hosts to netgroups
>

[Freeipa-devel] [PATCH] Add more Spanish translations

2010-02-23 Thread John Dennis

Add more Spanish translations:

Current translation status:

ipa.pot has 133 messages. There are 6 po translation files.
bn_IN:    14/133  10.5%  106 po untranslated,   13 missing,  119 untranslated
es:      124/133  93.2%    9 po untranslated,    0 missing,    9 untranslated
id:      107/133  80.5%   13 po untranslated,   13 missing,   26 untranslated
kn:       20/133  15.0%  113 po untranslated,    0 missing,  113 untranslated
pl:      133/133 100.0%    0 po untranslated,    0 missing,    0 untranslated
ru:      120/133  90.2%    0 po untranslated,   13 missing,   13 untranslated


--
John Dennis 

From fb5165f3253a75ebae073d0bd09aa7d7e6400c0d Mon Sep 17 00:00:00 2001
From: John Dennis 
Date: Tue, 23 Feb 2010 11:11:27 -0500
Subject: [PATCH] Add more Spanish translations
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit

---
 install/po/es.po |  166 +++---
 1 files changed, 83 insertions(+), 83 deletions(-)

diff --git a/install/po/es.po b/install/po/es.po
index acbccf3..e5c5e97 100644
--- a/install/po/es.po
+++ b/install/po/es.po
@@ -216,155 +216,155 @@ msgstr[1] ""
 #: ../../ipalib/errors.py:674
 #, python-format
 msgid "overlapping arguments and options: %(names)r"
-msgstr ""
+msgstr "superponiendo argumentos y opciones: %(names)r"
 
 #: ../../ipalib/errors.py:690
 #, python-format
 msgid "%(name)r is required"
-msgstr ""
+msgstr "%(name)r es necesario"
 
 #: ../../ipalib/errors.py:706
 #: ../../ipalib/errors.py:722
 #, python-format
 msgid "invalid %(name)r: %(error)s"
-msgstr ""
+msgstr "%(name)r inválido: %(error)s"
 
 #: ../../ipalib/errors.py:738
 #, python-format
 msgid "api has no such namespace: %(name)r"
-msgstr ""
+msgstr "api no posee tal nombre de espacio: %(name)r"
 
 #: ../../ipalib/errors.py:747
 msgid "Passwords do not match"
-msgstr ""
+msgstr "Las contraseñas no coinciden"
 
 #: ../../ipalib/errors.py:755
 msgid "Command not implemented"
-msgstr ""
+msgstr "El comando no se ha implementado"
 
 #: ../../ipalib/errors.py:783
 #: ../../ipalib/errors.py:1023
 #, python-format
 msgid "%(reason)s"
-msgstr ""
+msgstr "%(reason)s"
 
 #: ../../ipalib/errors.py:799
 msgid "This entry already exists"
-msgstr ""
+msgstr "Esta entrada ya existe"
 
 #: ../../ipalib/errors.py:815
 msgid "You must enroll a host in order to create a host service"
-msgstr ""
+msgstr "Debe registrar un equipo para poder generar un servicio de equipo"
 
 #: ../../ipalib/errors.py:831
 #, python-format
 msgid "Service principal is not of the form: service/fully-qualified host name: %(reason)s"
-msgstr ""
+msgstr "El servicio principal no tiene la forma de servicio/nombre de equipo totalmente calificado: %(reason)s"
 
 #: ../../ipalib/errors.py:847
 msgid "The realm for the principal does not match the realm for this IPA server"
-msgstr ""
+msgstr "El reinado para el principal no coincide con el reinado para este servidor IPA"
 
 #: ../../ipalib/errors.py:863
 msgid "This command requires root access"
-msgstr ""
+msgstr "Este comando necesita acceso de usuario root"
 
 #: ../../ipalib/errors.py:879
 msgid "This is already a posix group"
-msgstr ""
+msgstr "Este ya es un grupo posix"
 
 #: ../../ipalib/errors.py:895
 #, python-format
 msgid "Principal is not of the form u...@realm: %(principal)r"
-msgstr ""
+msgstr "El principal no tiene la forma usua...@reinado: %(principal)r"
 
 #: ../../ipalib/errors.py:911
 msgid "This entry is already unlocked"
-msgstr ""
+msgstr "Esta entrada ya se encuentra desbloqueada"
 
 #: ../../ipalib/errors.py:927
 msgid "This entry is already locked"
-msgstr ""
+msgstr "Esta entrada ya se encuentra bloqueada"
 
 #: ../../ipalib/errors.py:943
 msgid "This entry has nsAccountLock set, it cannot be locked or unlocked"
-msgstr ""
+msgstr "Esta entrada posee definido nsAccountLock, no puede ser bloqueada ni desbloqueada"
 
 #: ../../ipalib/errors.py:959
 msgid "This entry is not a member of the group"
-msgstr ""
+msgstr "Esta entrada no es miembro del grupo"
 
 #: ../../ipalib/errors.py:975
 msgid "A group may not be a member of itself"
-msgstr ""
+msgstr "Un grupo no puede ser miembro de sí mismo"
 
 #: ../../ipalib/errors.py:991
 msgid "This entry is already a member of the group"
-msgstr ""
+msgstr "Esta entrada ya es miembro del grupo"
 
 #: ../../ipalib/errors.py:1007
 #, python-format
 msgid "Base64 decoding failed: %(reason)s"
-msgstr ""
+msgstr "Falló la decodificación base64: %(reason)s"
 
 #: ../../ipalib/errors.py:1039
 msgid "A group may not be added as a member of itself"
-msgstr ""
+msgstr "Un grupo no puede ser agregado como miembro de sí mismo"
 
 #: ../../ipalib/errors.py:1055
 msgid "The default users group cannot be removed"
-msgstr ""
+msgstr "El grupo de usuarios predeterminado no puede ser eliminado"
 
 #: ../../ipalib/errors.py:1078
 #, python-format
 msgid "no command nor help topic %(topic)r"
-msgstr ""
+msgstr "no existe un coma
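Review bot: the Kerberos terms in the added `msgstr` lines are translated word for word and change the meaning. `realm` is rendered as `reinado` (a monarch's reign) in both the "realm for the principal" string and the `u...@realm` string, and `Service principal` becomes `El servicio principal`, which reads as "the main service" rather than a principal belonging to a service. These are the messages an administrator sees when enrolment or principal validation fails, so they need to be unambiguous; suggest leaving `realm` and `principal` untranslated or agreeing on one term and using it in every string. Two smaller points: `namespace` is given as `nombre de espacio` where `espacio de nombres` is the usual order, and `overlapping arguments and options` is translated with the gerund `superponiendo` where an adjective ("superpuestos") matches the English.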

[Freeipa-devel] mod_wsgi troubles

2010-02-23 Thread Jason Gerard DeRose
So I've been working on migrating freeIPA from mod_python to mod_wsgi.
This isn't a big change as the IPA server is already all WSGI
internally, but I've run into 2 unexpected problems.


mod_wsgi daemon mode


First, the easy problem.  The mod_wsgi documentation clearly states that
the daemon mode is the preferred way to deploy.  See the "Defining
Process Groups" section in:

http://code.google.com/p/modwsgi/wiki/ConfigurationGuidelines

In daemon mode, Apache starts mod_wsgi in a separate process and
communicates with it via a Unix socket.  Unfortunately, Fedora12 doesn't
support daemon mode nicely out of the box and tries to create the socket
in /etc/httpd/run, which of course makes selinux mad (as it should).  I
believe Apache is being run with the Apache home set to /etc/httpd
(which itself seems weird to me, not sure if this is a bug).

Anyway, we can fix this with the WSGISocketPrefix directive.  But this
directive is server-scope (can't be virtual-host-scope), so we really
need to fix this in the mod_wsgi package.  We just need to add this
to /etc/httpd/conf.d/wsgi.conf:

WSGISocketPrefix /var/run/httpd/wsgi

This config file is owned by mod_wsgi, not IPA, so I don't think IPA
should be writing stuff to this during its install.  Again, needs to be
fixed in the mod_wsgi package.  I haven't tried this under Fedora11 yet,
so I don't know if the same problem is present there.


Simplify Kerberos protected URLs


Currently in our URL space we have:

/ipa/xml    - Kerberos protected
/ipa/json   - Kerberos protected
/ipa/ui     - Kerberos protected
/ipa/errors - Not protected
/ipa/config - Not protected
/ipa/crl    - Not protected

Under mod_python, we have separate handlers for the xml, json, and ui
URLs.  My upcoming patch has a new WSGI middleware component that is a
single entry point at /ipa.  I did this so that the LDAP auth and
session stuff is handled in exactly the same way regardless of which app
is the final target.

Anyway, right now we have to handle stuff in a pretty funky way
(including under mod_python).  We turn on Kerb auth for /ipa, then turn
it off for /ipa/errors and friends.  I would really like us to have two
base URLs, something like this:

/ipa/*        - Kerberos protected
/ipa-static/* - Not protected

Doesn't have to be called ipa-static, just throwing a name out there.
We can work around this (as we already do), but there are 2 reasons I think
we should do this:

1. Security - our current approach is confusing and opens us up to
   mistakes (our mistakes or a sysadmin's).

2. Extensibility - in the V2 cycle we have added several new things
   in /ipa/*, some Kerberos protected, some not.  I'm sure this will
   happen again in the future, so we might as well clean this up
   now.

What do people think?  I'm not sure I explained this well, but look in
install/conf/ipa.conf and you'll see what I mean.
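
The single entry point described in the "jderose 049" message and the two-base-URL split proposed in the message above, as an added example (not FreeIPA code and not from either post). `SessionRouter`, `FakeBackend`, `classify` and the sub-apps are hypothetical names, and `REMOTE_USER` is assumed to be set by the Apache authentication module in front of the application.

```python
# Added example, not FreeIPA code. SessionRouter, FakeBackend, classify and
# the sub-apps are hypothetical names; all request data is constructed.
import posixpath
from wsgiref.util import setup_testing_defaults, shift_path_info

PROTECTED_BASE = "/ipa"        # Kerberos-protected base URL
PUBLIC_BASE = "/ipa-static"    # placeholder name floated in the post


def classify(path):
    """Map a URL path to 'protected', 'public' or 'unmapped'."""
    # Normalise first so '..' segments cannot hop between the two bases.
    norm = posixpath.normpath("/" + path.lstrip("/"))
    for base, label in ((PUBLIC_BASE, "public"), (PROTECTED_BASE, "protected")):
        if norm == base or norm.startswith(base + "/"):
            return label
    return "unmapped"


class FakeBackend:
    """Stand-in for the LDAP backend; records connect/disconnect calls."""

    def __init__(self):
        self.events = []

    def connect(self, principal):
        self.events.append("connect:" + principal)

    def disconnect(self):
        self.events.append("disconnect")


def _plain(start_response, status):
    body = (status + "\n").encode("ascii")
    start_response(status, [("Content-Type", "text/plain"),
                            ("Content-Length", str(len(body)))])
    return [body]


class SessionRouter:
    """Single WSGI entry point mounted at PROTECTED_BASE."""

    def __init__(self, backend, apps):
        self.backend = backend
        self.apps = dict(apps)     # first path segment -> WSGI app

    def __call__(self, environ, start_response):
        # Fail closed: the front end must already have set REMOTE_USER.
        # There are no per-path exceptions inside the protected base.
        principal = environ.get("REMOTE_USER")
        if not principal:
            return _plain(start_response, "401 Unauthorized")
        # Moves the first PATH_INFO segment onto SCRIPT_NAME and returns it.
        app = self.apps.get(shift_path_info(environ))
        if app is None:
            return _plain(start_response, "404 Not Found")
        # One code path opens and closes the connection for every sub-app,
        # including when the sub-app raises.
        self.backend.connect(principal)
        try:
            result = app(environ, start_response)
            try:
                return list(result)
            finally:
                if hasattr(result, "close"):
                    result.close()
        finally:
            self.backend.disconnect()


def echo_app(environ, start_response):
    """Sub-app that reports where it was mounted."""
    body = (environ["SCRIPT_NAME"] + "|" + environ["PATH_INFO"]).encode()
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [body]


def broken_app(environ, start_response):
    raise RuntimeError("constructed failure inside a sub-app")


def request(router, path_info, user=None):
    """Run one constructed request; return (status, body)."""
    environ = {"SCRIPT_NAME": PROTECTED_BASE, "PATH_INFO": path_info}
    setup_testing_defaults(environ)
    if user:
        environ["REMOTE_USER"] = user
    seen = []
    body = router(environ, lambda status, headers: seen.append(status))
    return seen[0], b"".join(body)


if __name__ == "__main__":
    backend = FakeBackend()
    router = SessionRouter(backend, {"xml": echo_app, "json": echo_app,
                                     "ui": echo_app})
    print(request(router, "/json/user_show", "admin@EXAMPLE.TEST"))
    print(request(router, "/json/user_show"), backend.events)
    print(classify("/ipa-static/../ipa/json"))
```

With this layout a new path under the protected base is authenticated by default, and only content deliberately placed under the public base is served without credentials.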




Re: [Freeipa-devel] [DOC] about netgroups

2010-02-23 Thread Dmitri Pal
Pavel Zůna wrote:
> I was asked to complete the documentation of IPA commands on the
> internal wiki. Unfortunately, I currently don't have access to it and
> have decided to put some of the information I've been gathering here
> on freeipa-devel. It's not a secret after all and is easier to review
> by other team members. I'm going to put this on the wiki as soon as I
> can.
>

Try now...

> So, in the first (and possibly last) issue of CommandDocs(tm), we're
> going to look at netgroups and commands related to them.
>
> What are netgroups?
> ===================
> Netgroups are a concept introduced in the directory service NIS. They
> are supposed to contain users, hosts (machines) and other netgroups.
> Here are a few examples of why such groups can be useful:
>
> http://directory.fedoraproject.org/wiki/Howto:Netgroups#What_are_NIS_netgroups_good_for.3F
>
>
> Don't continue reading after the "What are NIS netgroups good for?"
> part. Netgroup entries are different in IPA.


Though they are different it is important to underline that there are
two plugins in IPA that make the data in the new format available via
NIS or old standard RFC2307/2307bis LDAP schema.  For details see the
documentation and examples here: https://fedorahosted.org/slapi-nis/
The entries stored using the new schema are converted into the standard
NIS netgroup map and served via the NIS protocol by the first plugin
described on the slapi-nis project page and the compatibility plugin can
be used to create a virtual LDAP view that matches the standard 2307 or
2307bis schema  for netgroups using the IPA specific schema.
I am not sure that we have it configured by default. This is something
that Nalin would be able to clarify. Nalin?
But anyways it is definitely possible to configure the compatibility
plugin to automatically translate the IPA netgroups schema  into schema
that standard nss_ldap client expects.
 
>
> Some more info about netgroups (optional reading; I'll explain most of
> the important stuff):
> http://www.softpanorama.org/Net/Application_layer/NIS/nis_netgroups.shtml
>
> How do we store netgroups in the IPA backend (LDAP)?
> ====================================================
> NIS groups traditionally contain a so called netgroup triple of the
> format:
>
> (machine, user, domain)
>
> machine - machine name, a host name
> user - user name
> domain - NIS domain of the machine and user
>
> Note that there is no necessary relationship between the machine and
> the user. Only one of those fields is usually used at a time to avoid
> confusion.
>
> In IPA, we don't use the triple anymore. It's ugly and unclear.
> Instead we use the membership relationship between LDAP entries. You
> simply add users, host and even their groups as members of a netgroup.
> The domain field is constant for each netgroup and defaults to the
> current IPA domain.
>
> Example of a netgroup displayed using the IPA CLI:
>
> # ipa netgroup-show net1
>   Netgroup name: net1
>   Description: test netgroup
>   NIS domain name: pzuna
>   Member User: admin
>   Member Host: testbox.pzuna
>
> What commands are available in IPA for handling netgroups?
> ==========================================================
> The management plugin for netgroups in IPA conforms to the CRUD
> command naming conventions used in all other plugins, that come with
> the default IPA installation.
>
> Creating new netgroups
> ----------------------
>  ipa netgroup-add NAME [--desc=DESCRIPTION] [--nisdomain=NISDOMAIN]
>
> NAME is the name of the netgroup (can be anything, but must be unique)
> DESCRIPTION is the netgroup description (required)
> NISDOMAIN is the NIS domain name, defaults to the current IPA domain
>
> Deleting netgroups
> ------------------
>  ipa netgroup-del NAME
>
> Displaying netgroups
> 
>  ipa netgroup-show NAME
>
> Modifying netgroups
> ---
>  ipa netgroup-mod NAME [--desc=DESCRIPTION] [--nisdomain=NISDOMAIN]
>
> Same as `ipa netgroup-add`, except modifying description is required
> and NISDOMAIN doesn't default to anything.
>
> Searching for netgroups
> ---
>  ipa netgroup-find [CRITERIA] [--name=NAME] [--desc=DESCRIPTION]
>   [--nisdomain=NISDOMAIN] [--uuid=UUID]
>
> CRITERIA is an optional substring, that has to appear in either the
> name, the description or the NIS domain of the groups you're looking for
>
> Other options are the same as `ipa netgroup-add`, except nothing is
> required and doesn't default to anything. There's a new UUID option,
> that allows searching netgroups by ipaUniqueID. If one of these
> options is set, the command returns only exact matches of this option.
>
> Adding users and hosts to netgroups
> ---
>  ipa netgroup-add-member NAME [--users=USERS] [--groups=GROUPS]
>   [--hosts=HOSTS] [--hostgroups=HOSTGROUPS]
>   [--netgroups=NETGROUPS]
>
> USERS,GROUPS,H

[Freeipa-devel] [Transifex] File submitted via email to FreeIPA | master

2010-02-23 Thread admin
Hello freeipa, this is Transifex at http://www.transifex.net.

The following attached files were submitted to FreeIPA | master by logan 
 

Please, visit Transifex at 
http://www.transifex.net/projects/p/freeipa/c/master/ in order to see the 
component page.

Thank you,
Transifex
# Fedora Spanish translation of freeipa.master.ipa.
# This file is distributed under the same license as the freeipa.master.ipa package.
#
# Héctor Daniel Cabrera , 2010.
#
msgid ""
msgstr ""
"Project-Id-Version: freeipa.master.ipa\n"
"Report-Msgid-Bugs-To: https://hosted.fedoraproject.org/projects/freeipa/newticket\n"
"POT-Creation-Date: 2010-02-15 14:55-0500\n"
"PO-Revision-Date: \n"
"Last-Translator: Héctor Daniel Cabrera \n"
"Language-Team: Fedora Spanish \n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
"X-Poedit-Language: Spanish\n"
"X-Poedit-Country: ARGENTINA\n"

#: ../../ipalib/parameters.py:224
msgid "incorrect type"
msgstr "tipo incorrecto"

#: ../../ipalib/parameters.py:227
msgid "Only one value is allowed"
msgstr "Sólo se permite un valor"

#: ../../ipalib/parameters.py:791
msgid "must be True or False"
msgstr "debe ser True o False"

#: ../../ipalib/parameters.py:892
msgid "must be an integer"
msgstr "debe ser un entero"

#: ../../ipalib/parameters.py:943
#, python-format
msgid "must be at least %(minvalue)d"
msgstr "debe ser como mínimo %(minvalue)d"

#: ../../ipalib/parameters.py:953
#, python-format
msgid "can be at most %(maxvalue)d"
msgstr "puede ser como máximo %(maxvalue)d"

#: ../../ipalib/parameters.py:963
msgid "must be a decimal number"
msgstr "debe ser un número decimal"

#: ../../ipalib/parameters.py:985
#, python-format
msgid "must be at least %(minvalue)f"
msgstr "debe ser como mínimo %(minvalue)f"

#: ../../ipalib/parameters.py:995
#, python-format
msgid "can be at most %(maxvalue)f"
msgstr "puede ser como máximo %(maxvalue)f"

#: ../../ipalib/parameters.py:1055
#, python-format
msgid "must match pattern \"%(pattern)s\""
msgstr "debe coincidir con el modelo \"%(pattern)s\""

#: ../../ipalib/parameters.py:1073
msgid "must be binary data"
msgstr "debe ser un dato binario"

#: ../../ipalib/parameters.py:1088
#, python-format
msgid "must be at least %(minlength)d bytes"
msgstr "debe ser como mínimo de %(minlength)d bytes"

#: ../../ipalib/parameters.py:1098
#, python-format
msgid "can be at most %(maxlength)d bytes"
msgstr "puede ser a lo sumo de %(maxlength)d bytes"

#: ../../ipalib/parameters.py:1108
#, python-format
msgid "must be exactly %(length)d bytes"
msgstr "debe ser exactamente de %(length)d bytes"

#: ../../ipalib/parameters.py:1126
msgid "must be Unicode text"
msgstr "debe ser texto Unicode"

#: ../../ipalib/parameters.py:1156
#, python-format
msgid "must be at least %(minlength)d characters"
msgstr "debe tener como mínimo %(minlength)d caracteres"

#: ../../ipalib/parameters.py:1166
#, python-format
msgid "can be at most %(maxlength)d characters"
msgstr "puede tener a lo sumo %(maxlength)d caracteres"

#: ../../ipalib/parameters.py:1176
#, python-format
msgid "must be exactly %(length)d characters"
msgstr "debe tener exactamente %(length)d caracteres"

#: ../../ipalib/parameters.py:1215
#, python-format
msgid "must be one of %(values)r"
msgstr "debe ser uno de %(values)r"

#: ../../ipalib/cli.py:505
#, python-format
msgid "Enter %(label)s again to verify: "
msgstr "Ingrese %(label)s nuevamente para su verificación: "

#: ../../ipalib/cli.py:509
msgid "Passwords do not match!"
msgstr "¡Las contraseñas no coinciden!"

#: ../../ipalib/cli.py:514
msgid "Cancelled."
msgstr "Cancelado."

#: ../../ipalib/frontend.py:377
msgid "Results are truncated, try a more specific search"
msgstr "Los resultados se encuentran truncados, intente realizar una búsqueda más específica"

#: ../../ipalib/errors.py:297
#, python-format
msgid "%(cver)s client incompatible with %(sver)s server at %(server)r"
msgstr "el cliente %(cver)s no es compatible con el servidor %(sver)s en %(server)r"

#: ../../ipalib/errors.py:315
#, python-format
msgid "unknown error %(code)d from %(server)s: %(error)s"
msgstr "error %(code)d desconocido de %(server)s: %(error)s"

#: ../../ipalib/errors.py:331
msgid "an internal error has occurred"
msgstr "ha ocurrido un error interno"

#: ../../ipalib/errors.py:353
#, python-format
msgid "an internal error has occurred on server at %(server)r"
msgstr "ha ocurrido un error interno en el servidor en %(server)r"

#: ../../ipalib/errors.py:369
#, python-format
msgid "unknown command %(name)r"
msgstr "comando desconocido %(name)r"

#: ../../ipalib/errors.py:386
#: ../../ipalib/errors.py:411
#, python-format
msgid "error on server %(server)r: %(error)s"
msgstr "error en el servidor %(server)r: %(error)s"

#: ../../ipalib/errors.py:402
#, python-format
msgid "cannot connect to %(uri)r: %(error)s"
msgstr "no es posible conectar con %(uri)r: %(error)s"

#: ../../ipalib/errors.py:420
#, python-format
msgid "Invalid JSON-RPC request: %(error)s"
msg

Re: [Freeipa-devel] [PATCH] Replace incorrect use of str.index with str.find in host plugin.

2010-02-23 Thread Martin Nagy
On Tue, 2010-02-23 at 15:33 +0100, Pavel Zůna wrote:
> index was used as if it was find in the validation function.
> 
> Pavel

Ack.
Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

[Freeipa-devel] [DOC] about netgroups

2010-02-23 Thread Pavel Zůna
I was asked to complete the documentation of IPA commands on the 
internal wiki. Unfortunately, I currently don't have access to it and 
have decided to put some of the information I've been gathering here on 
freeipa-devel. It's not a secret after all and is easier to review by 
other team members. I'm going to put this on the wiki as soon as I can.


So, in the first (and possibly last) issue of CommandDocs(tm), we're 
going to look at netgroups and commands related to them.


What are netgroups?
===
Netgroups are a concept introduced in the directory service NIS. They 
are supposed to contain users, hosts (machines) and other netgroups. 
Here are a few examples of why such groups can be useful:


http://directory.fedoraproject.org/wiki/Howto:Netgroups#What_are_NIS_netgroups_good_for.3F

Don't continue reading after the "What are NIS netgroups good for?" 
part. Netgroup entries are different in IPA.


Some more info about netgroups (optional reading; I'll explain most of 
the important stuff):

http://www.softpanorama.org/Net/Application_layer/NIS/nis_netgroups.shtml

How do we store netgroups in the IPA backend (LDAP)?

NIS groups traditionally contain a so-called netgroup triple of the format:

(machine, user, domain)

machine - machine name, a host name
user - user name
domain - NIS domain of the machine and user

Note that there is no necessary relationship between the machine and the 
user. Only one of those fields is usually used at a time to avoid 
confusion.


In IPA, we don't use the triple anymore. It's ugly and unclear. Instead 
we use the membership relationship between LDAP entries. You simply add 
users, hosts and even their groups as members of a netgroup. The domain 
field is constant for each netgroup and defaults to the current IPA domain.


Example of a netgroup displayed using the IPA CLI:

# ipa netgroup-show net1
  Netgroup name: net1
  Description: test netgroup
  NIS domain name: pzuna
  Member User: admin
  Member Host: testbox.pzuna

What commands are available in IPA for handling netgroups?
==
The management plugin for netgroups in IPA conforms to the CRUD command 
naming conventions used in all other plugins, that come with the default 
IPA installation.

Creating new netgroups
--
 ipa netgroup-add NAME [--desc=DESCRIPTION] [--nisdomain=NISDOMAIN]

NAME is the name of the netgroup (can be anything, but must be unique)
DESCRIPTION is the netgroup description (required)
NISDOMAIN is the NIS domain name, defaults to the current IPA domain

Deleting netgroups
--
 ipa netgroup-del NAME

Displaying netgroups

 ipa netgroup-show NAME

Modifying netgroups
---
 ipa netgroup-mod NAME [--desc=DESCRIPTION] [--nisdomain=NISDOMAIN]

Same as `ipa netgroup-add`, except modifying description is required and 
NISDOMAIN doesn't default to anything.


Searching for netgroups
---
 ipa netgroup-find [CRITERIA] [--name=NAME] [--desc=DESCRIPTION]
  [--nisdomain=NISDOMAIN] [--uuid=UUID]

CRITERIA is an optional substring, that has to appear in either the 
name, the description or the NIS domain of the groups you're looking for


Other options are the same as `ipa netgroup-add`, except nothing is 
required and doesn't default to anything. There's a new UUID option, 
that allows searching netgroups by ipaUniqueID. If one of these options 
is set, the command returns only exact matches of this option.


Adding users and hosts to netgroups
---
 ipa netgroup-add-member NAME [--users=USERS] [--groups=GROUPS]
  [--hosts=HOSTS] [--hostgroups=HOSTGROUPS]
  [--netgroups=NETGROUPS]

USERS,GROUPS,HOSTS,HOSTGROUPS,NETGROUPS are comma-separated lists of 
names of the appropriate objects.


Removing users and hosts from netgroups
---
 ipa netgroup-remove-member NAME [--users=USERS] [--groups=GROUPS]
 [--hosts=HOSTS]
 [--hostgroups=HOSTGROUPS]
 [--netgroups=NETGROUPS]

Same as `netgroup-add-member`.

Examples

# ipa netgroup-add net0 --desc="test netgroup"
  Netgroup name: net0
  Description: test netgroup
  NIS domain name: pzuna
  IPA unique ID: 9e6e089c-2089-11df-b677-5452004c033a

# ipa netgroup-mod net0 --desc="description change"
  Netgroup name: net0
  Description: description change
  NIS domain name: pzuna

# ipa netgroup-add-member net0 --users=admin --hosts=testbox.pzuna
  Netgroup name: net0
  Description: description change
  NIS domain name: pzuna
  Member User: admin
  Member Host: testbox.pzuna
-
Number of members added 2
-

# ipa netgroup-remove-member net0 --users=admin
  Netgroup name: net0
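
The difference between the membership model described in this post and the classic NIS triple, as an added example that is not part of the original message and is not FreeIPA or compatibility-plugin code. It assumes one possible flattening (one triple per member, with "-" in the unused field) and the innetgr(3) matching rules, where an empty field is a wildcard and "-" matches nothing; the sample directory and the function names are constructed for illustration.

```python
# Added illustration: not FreeIPA or compat-plugin code.
# Constructed sample data modelled on the `ipa netgroup-show` output above.
NETGROUPS = {
    "net0": {"nisdomain": "pzuna", "users": ["admin"],
             "hosts": ["testbox.pzuna"], "netgroups": ["net1"]},
    "net1": {"nisdomain": "pzuna", "users": ["alice"],
             "hosts": [], "netgroups": ["net0"]},  # deliberate cycle
}


def to_triples(name, directory, _seen=None):
    """Flatten a membership-style netgroup into (machine, user, domain) triples.

    Assumed mapping: one triple per member, with the unused field set to "-"
    (never matches) instead of "" (wildcard). Nested netgroups are expanded
    once each, so a membership cycle cannot recurse forever.
    """
    seen = set() if _seen is None else _seen
    if name in seen:
        return []
    seen.add(name)
    group = directory[name]
    domain = group["nisdomain"]
    triples = [(host, "-", domain) for host in group.get("hosts", [])]
    triples += [("-", user, domain) for user in group.get("users", [])]
    for child in group.get("netgroups", []):
        triples += to_triples(child, directory, seen)
    return triples


def render(triple):
    """Text form of a triple as written in a NIS netgroup map."""
    return "(%s,%s,%s)" % triple


def field_matches(field, wanted):
    # A query value of None means "do not check this field".
    # An empty triple field is a wildcard; "-" matches nothing.
    if wanted is None:
        return True
    return field == "" or (field != "-" and field == wanted)


def innetgr(triples, host=None, user=None, domain=None):
    """Return True if any triple matches every field that was asked about."""
    return any(field_matches(m, host) and field_matches(u, user)
               and field_matches(d, domain) for m, u, d in triples)
```

A query for host and user together fails against these triples because no single triple carries both, while a triple with an empty user field would match every user on that host.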

[Freeipa-devel] [PATCH] Make the --all option work in Add/Remove Member commands.

2010-02-23 Thread Pavel Zůna

Add/Remove Member commands didn't work with the --all option. They do now.

Pavel


0001-Make-the-all-option-work-in-Add-Remove-Member-comman.patch
Description: application/mbox

[Freeipa-devel] [PATCH] Complete netgroup attributes.

2010-02-23 Thread Pavel Zůna
Add missing attributes to the netgroup plugin. The plugin will now 
correctly display membership information and allow searching for 
netgroups by UUID.


Pavel


0003-Complete-netgroup-attributes.patch
Description: application/mbox

[Freeipa-devel] [PATCH] Replace incorrect use of str.index with str.find in host plugin.

2010-02-23 Thread Pavel Zůna

index was used as if it was find in the validation function.

Pavel


0002-Replace-incorrect-use-of-str.index-with-str.find-in-.patch
Description: application/mbox

[Freeipa-devel] [PATCH] Fix bug where parameter cloning didn't clone validating rules.

2010-02-23 Thread Pavel Zůna

I thought we had validation fixed, but this little bit was still missing.

Pavel


0001-Fix-bug-where-parameter-cloning-didn-t-clone-validat.patch
Description: application/mbox

Re: [Freeipa-devel] [PATCH] 387 fix test failures

2010-02-23 Thread Pavel Zůna

Rob Crittenden wrote:
This fixes the failures in the Env due to switching to unicode 
internally. Now that --all works this also adds the dn to the output in 
the XML-RPC tests.


rob


ack.

Pavel
