Re: [Freeipa-devel] [PATCH] 397 raise exception on empty mod

2010-03-19 Thread Jason Gerard DeRose
On Fri, 2010-03-05 at 13:47 -0500, Rob Crittenden wrote:
> Raise an error if no modifications were performed in an update.
> 
> This will alert the user that nothing was done and is handy when used 
> with --attr=''. This can be used to delete a non-required attribute but 
> can be set to any valid attribute, present or not. We should alert the 
> user if they attempt to delete a non-existent value.
> 
> rob

Tiny conflict, but I'm not going to guess.  :)  Can you rebase this?

error: patch failed: ipalib/plugins/baseldap.py:272


___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
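The situation patch 397 addresses, as an added illustration that is not ipalib's own code: an update built from `--attr=''` asks for an attribute to be deleted, and if that attribute is absent the resulting LDAP modify list is empty, so the server reports success while nothing changed. Computing the modlist from the stored entry and raising when it comes out empty surfaces that case to the operator. `EmptyModlist`, `build_modlist` and `is_noop` are names chosen for this example, not necessarily those used in ipalib; the sample entry is constructed.

```python
"""Added example, not ipalib's own code, for the point of patch 397.

An update built from ``--attr=''`` asks for an attribute to be deleted. If
that attribute is not present, the resulting LDAP modify list is empty: the
server reports success and the operator believes something changed when
nothing did. Computing the modlist from the stored entry and raising when it
comes out empty surfaces that case. EmptyModlist and build_modlist are names
chosen here, not necessarily those in ipalib.
"""
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]
Modlist = List[Tuple[str, str, List[str]]]  # (operation, attribute, values)


class EmptyModlist(Exception):
    """The requested update would perform no modification at all."""


def build_modlist(stored: Entry, requested: Entry) -> Modlist:
    """Translate requested attribute values into LDAP modify operations.

    ``requested`` maps attribute -> values; an empty list means "delete the
    attribute", which is what ``--attr=''`` expresses on the command line.
    Attribute names compare case-insensitively, as they do in LDAP.
    """
    current = {name.lower(): list(values) for name, values in stored.items()}
    modlist: Modlist = []
    for attr, values in requested.items():
        key = attr.lower()
        if not values:
            # Deletion is only a real change if the attribute exists.
            if key in current:
                modlist.append(("delete", attr, []))
        elif key not in current:
            modlist.append(("add", attr, list(values)))
        elif sorted(current[key]) != sorted(values):
            modlist.append(("replace", attr, list(values)))
        # Same values as stored: nothing to send for this attribute.
    if not modlist:
        raise EmptyModlist("no modifications to be performed")
    return modlist


def is_noop(stored: Entry, requested: Entry) -> bool:
    """True when the update would change nothing (the case the patch reports)."""
    try:
        build_modlist(stored, requested)
    except EmptyModlist:
        return True
    return False


if __name__ == "__main__":
    # Constructed entry, not real directory data.
    entry = {"cn": ["alice"], "description": ["old text"]}
    print(build_modlist(entry, {"description": []}))       # real deletion
    print(is_noop(entry, {"title": []}))                   # deleting something absent
    print(is_noop(entry, {"description": ["old text"]}))   # re-setting the same value
```

Deleting an attribute that is not there and re-setting an attribute to its current value both end up as an empty modlist, so both are reported rather than silently accepted.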


Re: [Freeipa-devel] [PATCH] 403 correct installation CA output

2010-03-19 Thread Jason Gerard DeRose
On Wed, 2010-03-10 at 12:00 -0500, Rob Crittenden wrote:
> Better customize the message regarding the CA based on the install options.
> 
> There are now 3 cases:
> 
> - Install a dogtag CA and issue server certs using that
> - Install a selfsign CA and issue server certs using that
> - Install using either dogtag or selfsign and use the provided PKCS#12 
> files for the server certs. The installed CA will still be used by the 
> cert plugin to issue any server certs.
> 
> rob

ack.  pushed to master.




Re: [Freeipa-devel] [PATCH] 402 location of root CA

2010-03-19 Thread Jason Gerard DeRose
On Wed, 2010-03-10 at 11:59 -0500, Rob Crittenden wrote:
> Make CA PKCS#12 location arg for ipa-replica-prepare, default 
> /root/cacert.p12
> 
> pki-silent puts a copy of the root CA into /root/tmp-ca.p12. Rename this
> to /root/cacert.p12.
> 
> rob

ack.  pushed to master.



Re: [Freeipa-devel] [PATCH] 401 fix ipa-server-certinstall

2010-03-19 Thread Jason Gerard DeRose
On Wed, 2010-03-10 at 11:17 -0500, Rob Crittenden wrote:
> This command was broken because the api needed to be bootstrapped. I 
> also switched to a new function in certs that makes it easier to trust 
> all CAs found in a PKCS#12 file.
> 
> rob

ack.  pushed to master.



Re: [Freeipa-devel] [PATCH] 400 fix pwpolicy plugin

2010-03-19 Thread Jason Gerard DeRose
On Fri, 2010-03-05 at 16:15 -0500, Rob Crittenden wrote:
> This patch relies on patch #399
> 
> Fix a number of bugs in the pwpolicy plugin
> 
> This fixes:
> - Consistent usage of priority vs cospriority in options
> - Fixes bug introduced with recent patch where global policy couldn't be 
> updated
> - Doesn't allow cospriority to be removed for groups (#570536)
> - returns the priority with group policy so it can be displayed
> - Properly unicode encode group names for display
> 
> rob

ack.  pushed to master.



Re: [Freeipa-devel] [PATCH] 399 Include params in Method.output_params

2010-03-19 Thread Jason Gerard DeRose
On Tue, 2010-03-09 at 16:50 -0500, Rob Crittenden wrote:
> Pavel Zuna wrote:
> > Rob Crittenden wrote:
> >> Method overrides the Command get_output_params() method and only 
> >> returns the object params, not anything defined within the method 
> >> itself. Return
> >> those as well so they are displayed in output. Some care needs to be 
> >> taken to avoid returning duplicate values. In the case of duplicates 
> >> the value in obj.params wins.
> >>
> >> I tested this with the pwpolicy plugin which is a Method and defines 
> >> its own takes_options. I need this to display the priority to the user.
> >>
> >> rob
> >>
> > Applies with minor modifications due to recent gettext patches. 
> > Shouldn't there be a check for 'no_output' when going through 
> > self.obj.params?
> > 
> > Pavel
> 
> Yup, new patch attached, good catch.
> 
> rob

ack.  pushed to master.



Re: [Freeipa-devel] [PATCH] 397 raise exception on empty mod

2010-03-19 Thread Rob Crittenden

Jason Gerard DeRose wrote:
> On Fri, 2010-03-05 at 13:47 -0500, Rob Crittenden wrote:
>> Raise an error if no modifications were performed in an update.
>>
>> This will alert the user that nothing was done and is handy when used 
>> with --attr=''. This can be used to delete a non-required attribute but 
>> can be set to any valid attribute, present or not. We should alert the 
>> user if they attempt to delete a non-existent value.
>>
>> rob
> 
> Tiny conflict, but I'm not going to guess.  :)  Can you rebase this?
> 
> error: patch failed: ipalib/plugins/baseldap.py:272

Re-based patch attached.

rob


freeipa-397-2.patch

Re: [Freeipa-devel] [PATCH] 404 ensure priority is unique

2010-03-19 Thread Jason Gerard DeRose
On Fri, 2010-03-12 at 18:01 -0500, Rob Crittenden wrote:
> Ensure that the group policy priority is unique.
> 
> We use CoS to determine the order in which group policy is applied. The 
> behavior in CoS is undefined for multiple entries with the same
> cospriority.
> 
> This likely relies on some other outstanding pwpolicy patches.
> 
> rob

ack.  pushed to master.



Re: [Freeipa-devel] [PATCH] 405 Fix the client make target

2010-03-19 Thread Jason Gerard DeRose
On Mon, 2010-03-15 at 13:41 -0400, Rob Crittenden wrote:
> Fix the client make target. It was broken due to the addition of the 
> i18n code which lives inside the server code.
> 
> rob

ack.  pushed to master.



Re: [Freeipa-devel] [PATCH] 406 add option for pam_mkhomedirs to client installer

2010-03-19 Thread Jason Gerard DeRose
On Mon, 2010-03-15 at 13:42 -0400, Rob Crittenden wrote:
> Add a new option, --mkhomedirs, to the ipa-client-install script. We 
> pass this along to authconfig so that pam_mkhomedirs is configured.
> 
> rob

ack.  pushed to master.




Re: [Freeipa-devel] [PATCH] 407 make ipautil.run() logging more flexible

2010-03-19 Thread Jason Gerard DeRose
On Mon, 2010-03-15 at 17:08 -0400, Rob Crittenden wrote:
> Provide mechanism in ipautil.run() to not log all arguments.
> 
> This is primarily designed to not log passwords but it could have other
> uses.
> 
> rob

ack.  pushed to master.

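The idea behind patch 407, as an added example that is not ipautil's own code: a process runner normally logs the full command line, and when that line carries a password (for example to a certificate or database tool) the log becomes a credential store. The runner below takes a `nolog` sequence of secret values and masks them everywhere they could leak: the logged argv, the logged output, and the message of the exception raised on failure. The parameter name `nolog`, the mask string and the `pk12util` invocation in the test data are this example's choices, not necessarily ipautil's.

```python
"""Added example, not ipautil's own code, for the idea in patch 407.

A process runner normally logs the full command line; when that line carries
a password (for example to a certificate or database tool), the log becomes a
credential store. The runner below takes a ``nolog`` sequence of secret values
and masks them everywhere they could leak: the logged argv, the logged
output, and the message of the exception raised on failure. The parameter
name ``nolog`` and the mask string are this example's choices.
"""
import logging
import subprocess
from typing import Iterable, List, Sequence, Tuple

REDACTED = "XXXXXXXX"
log = logging.getLogger(__name__)


def redact_text(text: str, nolog: Iterable[str]) -> str:
    """Mask every occurrence of each secret in text.

    Empty secrets are skipped (replacing '' would corrupt the text); a very
    short secret may over-redact, which errs on the safe side.
    """
    for secret in nolog:
        if secret:
            text = text.replace(secret, REDACTED)
    return text


def redact_args(args: Sequence[str], nolog: Iterable[str]) -> List[str]:
    """argv safe for logging: masks stand-alone secrets ('-W', 's3cret') and
    embedded ones ('--password=s3cret') alike."""
    secrets = list(nolog)
    return [redact_text(arg, secrets) for arg in args]


class CommandFailed(Exception):
    """Non-zero exit; carries only the redacted command line."""

    def __init__(self, safe_args: List[str], returncode: int):
        super().__init__("%s returned %d" % (" ".join(safe_args), returncode))
        self.safe_args = safe_args
        self.returncode = returncode


def run(args: Sequence[str], nolog: Iterable[str] = (),
        raiseonerr: bool = True) -> Tuple[str, str, int]:
    """Run args (no shell), logging a redacted view of what was executed."""
    secrets = list(nolog)
    safe = redact_args(args, secrets)
    log.debug("args=%s", " ".join(safe))
    proc = subprocess.run(list(args), capture_output=True, text=True)
    # Tools often echo their argv on usage errors, so mask output too.
    log.debug("stdout=%s", redact_text(proc.stdout, secrets))
    log.debug("stderr=%s", redact_text(proc.stderr, secrets))
    if proc.returncode != 0 and raiseonerr:
        raise CommandFailed(safe, proc.returncode)
    return proc.stdout, proc.stderr, proc.returncode


if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG)
    # Constructed invocation: the real argv is executed, the log shows the mask.
    run(["echo", "--password=s3cret"], nolog=["s3cret"])
```

Passing the secret value rather than an argument position means an `--option=value` form is masked as reliably as a separate argument, and masking the captured output as well covers tools that print their command line back on a usage error.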


Re: [Freeipa-devel] [PATCH] 397 raise exception on empty mod

2010-03-19 Thread Jason Gerard DeRose
On Fri, 2010-03-19 at 09:48 -0400, Rob Crittenden wrote:
> Jason Gerard DeRose wrote:
> > On Fri, 2010-03-05 at 13:47 -0500, Rob Crittenden wrote:
> >> Raise an error if no modifications were performed in an update.
> >>
> >> This will alert the user that nothing was done and is handy when used 
> >> with --attr=''. This can be used to delete a non-required attribute but 
> >> can be set to any valid attribute, present or not. We should alert the 
> >> user if they attempt to delete a non-existent value.
> >>
> >> rob
> > 
> > Tiny conflict, but I'm not going to guess.  :)  Can you rebase this?
> > 
> > error: patch failed: ipalib/plugins/baseldap.py:272
> > 
> > 
> 
> Re-based patch attached.
> 
> rob

ack.  pushed to master.



Re: [Freeipa-devel] [PATCH] 404 ensure priority is unique

2010-03-19 Thread Pavel Zuna

Jason Gerard DeRose wrote:
> On Fri, 2010-03-12 at 18:01 -0500, Rob Crittenden wrote:
>> Ensure that the group policy priority is unique.
>>
>> We use CoS to determine the order in which group policy is applied. The 
>> behavior in CoS is undefined for multiple entries with the same
>> cospriority.
>>
>> This likely relies on some other outstanding pwpolicy patches.
>>
>> rob
> 
> ack.  pushed to master.

The patch works, but I find the way it checks for priority uniqueness highly 
ineffective. It pulls out all policies and then retrieves their CoS entries one 
by one to do the checking. Instead it should just make a search for a CoS entry 
with the given priority.


Pavel



[Freeipa-devel] [PATCH] Add new pwpolicy plugin based on baseldap classes.

2010-03-19 Thread Pavel Zuna
Last week, I spent a good amount of time investigating the way we 
build/normalize DNs. Most issues that came up recently originated in the 
password policy plugin as it needed specially crafted DNs for class of service 
(CoS) entries. As I was playing around with it, I decided to rewrite it, so that 
it blends with all the other "baseldap plugins" we have.

I didn't want to override Rob's original pwpolicy plugin right away, so I named 
it pwpolicy2, so that we can have both plugins available for now.

pwpolicy2 includes all functionality the original plugin had, including the 
latest changes like priority uniqueness etc. There is a small interface change - 
group names are entered as the first positional argument. If no group is 
specified, the plugin assumes the global password policy. It supports 
--all/--raw and has fine-grained searching capabilities (the original plugin was 
only able to return all policies). It also shows priority when displaying policies.

There are a lot of technical changes. It's a complete rewrite. Everything is 
based on baseldap classes, so the code should be a bit simpler and command 
behavior more consistent with other plugins. CoS objects are modeled separately 
and have their own CRUD commands. I flagged the CoS commands as INTERNAL (see my 
recent patch), so that users aren't able to access CoS entries directly, but 
pwpolicy2 can take advantage of our plugin infrastructure to manage them. I 
think this is a good example of how internal plugins are useful. It's also very 
handy for testing: you can just remove the INTERNAL flag and use `ipa 
cosentry-find --all --raw` to check if the entries were 
created/modified/whatever correctly.


Unit test included.

Pavel


0005-Add-new-pwpolicy-plugin-based-on-baseldap-classes.patch

Re: [Freeipa-devel] [PATCH] Add new pwpolicy plugin based on baseldap classes.

2010-03-19 Thread Pavel Zuna

Pavel Zuna wrote:
> Last week, I spent a good amount of time investigating the way we 
> build/normalize DNs. Most issues that came up recently originated in 
> the password policy plugin as it needed specially crafted DNs for class 
> of service (CoS) entries. As I was playing around with it, I decided to 
> rewrite it, so that it blends with all the other "baseldap plugins" we 
> have.
> 
> I didn't want to override Rob's original pwpolicy plugin right away, so 
> I named it pwpolicy2, so that we can have both plugins available for now.
> 
> pwpolicy2 includes all functionality the original plugin had, including 
> the latest changes like priority uniqueness etc. There is a small 
> interface change - group names are entered as the first positional 
> argument. If no group is specified, the plugin assumes the global 
> password policy. It supports --all/--raw and has fine-grained searching 
> capabilities (the original plugin was only able to return all policies). 
> It also shows priority when displaying policies.
> 
> There are a lot of technical changes. It's a complete rewrite. Everything 
> is based on baseldap classes, so the code should be a bit simpler and 
> command behavior more consistent with other plugins. CoS objects are 
> modeled separately and have their own CRUD commands. I flagged the CoS 
> commands as INTERNAL (see my recent patch), so that users aren't able to 
> access CoS entries directly, but pwpolicy2 can take advantage of our 
> plugin infrastructure to manage them. I think this is a good example of 
> how internal plugins are useful. It's also very handy for testing: you 
> can just remove the INTERNAL flag and use `ipa cosentry-find --all 
> --raw` to check if the entries were created/modified/whatever correctly.
> 
> Unit test included.
> 
> Pavel

This patch depends on:
[PATCH] Enable LDAPObject subclasses to disable DN normalization in their 
methods.
[PATCH] Don't escape DN characters between quotes in attribute values.

and this (it will work w/o it, but users will be able to access cosentry CRUD 
commands):
[PATCH] Add INTERNAL flag to frontend plugins. If set, the plugin won't show up 
in UI.


Pavel



Re: [Freeipa-devel] [PATCH] 404 ensure priority is unique

2010-03-19 Thread Rob Crittenden

Pavel Zuna wrote:
> Jason Gerard DeRose wrote:
>> On Fri, 2010-03-12 at 18:01 -0500, Rob Crittenden wrote:
>>> Ensure that the group policy priority is unique.
>>>
>>> We use CoS to determine the order in which group policy is applied. 
>>> The behavior in CoS is undefined for multiple entries with the same
>>> cospriority.
>>>
>>> This likely relies on some other outstanding pwpolicy patches.
>>>
>>> rob
>> 
>> ack.  pushed to master.
> 
> The patch works, but I find the way it checks for priority uniqueness 
> highly ineffective. It pulls out all policies and then retrieves their 
> CoS entries one by one to do the checking. Instead it should just make a 
> search for a CoS entry with the given priority.
> 
> Pavel


Well, we may need to store the group policy entries in a subtree then. 
All CoS policies are currently dumped into the same place making this 
impossible.


rob



Re: [Freeipa-devel] [PATCH] 410 enable anonymous VLV

2010-03-19 Thread Rob Crittenden

Rob Crittenden wrote:
> Modify the VLV aci to allow anonymous searches. This will allow Solaris 
> clients to function properly.
> 
> A similar patch will need to be committed to the freeipa-1.2 branch.
> 
> rob

I'm going to withdraw this patch and do it another way. We don't need to 
enable this by default, only when the compat plugin is enabled.


rob



Re: [Freeipa-devel] [PATCH] Add new pwpolicy plugin based on baseldap classes.

2010-03-19 Thread Rob Crittenden

Pavel Zuna wrote:
> Last week, I spent a good amount of time investigating the way we 
> build/normalize DNs. Most issues that came up recently originated in 
> the password policy plugin as it needed specially crafted DNs for class 
> of service (CoS) entries. As I was playing around with it, I decided to 
> rewrite it, so that it blends with all the other "baseldap plugins" we 
> have.
> 
> I didn't want to override Rob's original pwpolicy plugin right away, so 
> I named it pwpolicy2, so that we can have both plugins available for now.
> 
> pwpolicy2 includes all functionality the original plugin had, including 
> the latest changes like priority uniqueness etc. There is a small 
> interface change - group names are entered as the first positional 
> argument. If no group is specified, the plugin assumes the global 
> password policy. It supports --all/--raw and has fine-grained searching 
> capabilities (the original plugin was only able to return all policies). 
> It also shows priority when displaying policies.
> 
> There are a lot of technical changes. It's a complete rewrite. Everything 
> is based on baseldap classes, so the code should be a bit simpler and 
> command behavior more consistent with other plugins. CoS objects are 
> modeled separately and have their own CRUD commands. I flagged the CoS 
> commands as INTERNAL (see my recent patch), so that users aren't able to 
> access CoS entries directly, but pwpolicy2 can take advantage of our 
> plugin infrastructure to manage them. I think this is a good example of 
> how internal plugins are useful. It's also very handy for testing: you 
> can just remove the INTERNAL flag and use `ipa cosentry-find --all 
> --raw` to check if the entries were created/modified/whatever correctly.
> 
> Unit test included.
> 
> Pavel


nack.

There should be a comment expressing why the policy entry is named the 
way it is and why the DN can't be normalized.


cos entries other than password policy are stored in cn=cosTemplates so 
the uniqueness check will return false positives.


It is not legal for a group policy to not have a cospriority so there is 
no need to catch this condition in pwpolicy2_mod.


rob

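The uniqueness-check discussion in this thread, as one added example that is not FreeIPA's code and serves three of the messages above: Pavel's point that the cospriority check should be a single filtered search rather than fetching every policy and then each policy's CoS template; Rob's remark that group policy entries may need their own subtree; and Rob's nack item that other CoS templates also live in cn=cosTemplates, so an unqualified search there returns false positives. The code runs both the unqualified and the qualified check against a small constructed in-memory directory. The DN layout, the sample entries, and the use of `krbPwdPolicyReference` as the attribute that distinguishes password-policy templates are assumptions made for this example.

```python
"""Added example (not FreeIPA's code) for the priority-uniqueness discussion.

Pavel's point: checking that a group policy's cospriority is unique should be
one filtered LDAP search, not "fetch every policy, then fetch each one's CoS
template". Rob's caveat: other CoS templates live in cn=cosTemplates too, so
an unqualified search there returns false positives; either put the password
policy templates in their own subtree or qualify the filter. Both are shown
against a small constructed in-memory directory. The DN layout and the use of
krbPwdPolicyReference as the qualifying attribute are assumptions made here.
"""
from typing import Dict, List, Optional

Entry = Dict[str, List[str]]

# Constructed directory contents; not real FreeIPA data.
SUFFIX = "dc=example,dc=test"
COS_BASE = "cn=cosTemplates,cn=accounts," + SUFFIX
POLICY_BASE = "cn=EXAMPLE.TEST,cn=kerberos," + SUFFIX

DIRECTORY: Dict[str, Entry] = {
    "cn=admins," + COS_BASE: {
        "objectClass": ["top", "cosTemplate", "extensibleObject"],
        "cosPriority": ["1"],
        "krbPwdPolicyReference": ["cn=admins," + POLICY_BASE],
    },
    "cn=editors," + COS_BASE: {
        "objectClass": ["top", "cosTemplate", "extensibleObject"],
        "cosPriority": ["2"],
        "krbPwdPolicyReference": ["cn=editors," + POLICY_BASE],
    },
    # An unrelated CoS template sharing the container: same priority value,
    # but nothing to do with password policy. This is the false positive.
    "cn=unrelatedTemplate," + COS_BASE: {
        "objectClass": ["top", "cosTemplate", "extensibleObject"],
        "cosPriority": ["2"],
        "nsAccountLock": ["TRUE"],
    },
}


def in_subtree(dn: str, base: str) -> bool:
    """True if dn is base itself or lies beneath it (DNs compare case-insensitively)."""
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)


def matches(entry: Entry, wanted: Dict[str, Optional[str]]) -> bool:
    """Stand-in for server-side filter evaluation: an AND of equality
    assertions, where a None value means presence only (attr=*)."""
    lowered = {k.lower(): v for k, v in entry.items()}
    for attr, value in wanted.items():
        values = lowered.get(attr.lower())
        if not values:
            return False
        if value is not None and value.lower() not in (v.lower() for v in values):
            return False
    return True


def priority_filter(priority: int, qualified: bool = True) -> str:
    """The single LDAP filter that replaces the per-policy loop."""
    parts = ["(objectClass=cosTemplate)", "(cosPriority=%d)" % priority]
    if qualified:
        # Only templates that point at a password policy; drops unrelated
        # CoS templates that happen to share the container.
        parts.append("(krbPwdPolicyReference=*)")
    return "(&" + "".join(parts) + ")"


def find_conflicts(directory: Dict[str, Entry], base: str, priority: int,
                   qualified: bool = True, exclude_dn: Optional[str] = None) -> List[str]:
    """DNs of CoS templates under base with the given priority, in one pass
    over the directory (one server-side search in real life). exclude_dn lets
    a modify operation ignore the entry being modified."""
    wanted: Dict[str, Optional[str]] = {"objectClass": "cosTemplate",
                                        "cosPriority": str(priority)}
    if qualified:
        wanted["krbPwdPolicyReference"] = None
    return sorted(
        dn for dn, entry in directory.items()
        if in_subtree(dn, base) and matches(entry, wanted)
        and (exclude_dn is None or dn.lower() != exclude_dn.lower())
    )


def check_unique_priority(directory: Dict[str, Entry], base: str, priority: int,
                          exclude_dn: Optional[str] = None) -> None:
    """Raise ValueError if another password-policy template already has this
    priority; this is what a policy add/mod would call before writing."""
    conflicts = find_conflicts(directory, base, priority, True, exclude_dn)
    if conflicts:
        raise ValueError("priority %d already used by %s" % (priority, ", ".join(conflicts)))


if __name__ == "__main__":
    print(priority_filter(2))
    print("unqualified:", find_conflicts(DIRECTORY, COS_BASE, 2, qualified=False))
    print("qualified:  ", find_conflicts(DIRECTORY, COS_BASE, 2))
```

With the shared container, the unqualified search reports the unrelated template as a conflict for priority 2; qualifying the filter on the password-policy reference (or, equivalently, searching a dedicated subtree as Rob suggested) leaves only the genuine clash with the editors policy, and `exclude_dn` keeps a modify of that same entry from conflicting with itself.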


Re: [Freeipa-devel] [PATCH] 410 enable anonymous VLV

2010-03-19 Thread Rob Crittenden

Rob Crittenden wrote:
> Rob Crittenden wrote:
>> Modify the VLV aci to allow anonymous searches. This will allow 
>> Solaris clients to function properly.
>>
>> A similar patch will need to be committed to the freeipa-1.2 branch.
>>
>> rob
> 
> I'm going to withdraw this patch and do it another way. We don't need to 
> enable this by default, only when the compat plugin is enabled.
> 
> rob

Revised patch attached. I don't see a need to enable this in all cases, 
just when the compat plugin is enabled.


rob


freeipa-410-2-vlv.patch

Re: [Freeipa-devel] [PATCH] 386 replica management

2010-03-19 Thread Rob Crittenden

Rob Crittenden wrote:
> ipa-replica-manage used to require the DM password for every operation. 
> This adds a couple of ACIs so a privileged user can use the 'list' and 
> 'del' commands. Doing add is possible but tricky since we use the same 
> replication password for all replicas (currently the DM password). We'd 
> probably want to create a separate user for each replica if this were 
> the case and prompt for a password to use.
> 
> This also has a problem where it can't distinguish between "there are no 
> replication agreements" and "you aren't allowed to see them" because 
> queries to cn=config don't return an error if you are not authorized. 
> Pavel is in the process of switching to using ldap2 for all LDAP access 
> and this module already has Get Effective Rights support. Once the 
> switch is done we can improve the logic here.
> 
> rob

I got an ack from Rich Megginson from the 389-ds team who ok'd the aci 
work I did. He mentioned that we're using LDAPv2-style dn escaping and 
should switch this but I'm going to take that up as a separate task.


pushed to master.

David, this provides a new way to do an old thing.

rob
