[Freeipa-devel] [PATCH] 422 reorder some things in client installer
Reorder some things in the client installer:
- Fetch the CA cert before running certmonger
- Delete entries from the keytab before removing /etc/krb5.conf
- Add and remove the IPA CA to /etc/pki/nssdb

rob

freeipa-422-install.patch

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] Use escapes in DNs instead of quoting.
Pavel Zůna wrote:
> On 4/16/2010 5:09 PM, Rob Crittenden wrote:
>> Pavel Zuna wrote:
>>> This patch effectively removes all LDAPv2 style quoted DNs and makes sure we don't use them anymore. KDC doesn't seem to have any problems with LDAPv3 style DNs, but I kept the option to disable DN normalization for now.
>>>
>>> I also had to add a new dollar variable for LDIF files: $ESCAPED_SUFFIX. We need it to create entries that contain the DN of another entry in their own, like the account activated/inactivated CoS entries.
>>>
>>> What I tested:
>>> - playing around with password policies and CoS entries using both pwpolicy and pwpolicy2
>>> - changing user passwords to see if the policies apply
>>> - re-installing IPA to see if the activated/inactivated CoS entries were OK
>>> - user-lock/user-unlock
>>>
>>> The patch depends on the pwpolicy2 plugin. Well, it doesn't depend on it, but won't apply without. I didn't realize before committing and couldn't get it back by re-basing, so...
>>>
>>> Pavel
>>
>> This fails to apply because the pwpolicy2 plugin hasn't been committed yet. You had suggested that this patch shouldn't be applied yet. Should I remove the pwpolicy2 part of this patch and push, rebase it, or what?
>>
>> rob
>
> I rebased the patch - attached. It no longer depends on pwpolicy2. I'm going to release an updated pwpolicy2 patch with quoting gone along with this one.
>
> Pavel

I made a couple of changes to the patch:
- added ESCAPED_SUFFIX to the dsinstance sub_dict so installations work
- added back some extra lines to pwpolicy_del() that actually deleted the entries

rob

0001-Use-escapes-in-DNs-instead-of-quoting.patch
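The difference the patch above is about, as an added example that is not part of the thread and not FreeIPA code: an RDN value that is itself a DN (the way a CoS template entry is named after the container it applies to) written with LDAPv2 quoting versus RFC 4514 backslash escaping, plus a splitter that shows why the quoted form cannot be parsed by escape-aware code. The helper names, the sample DNs and the LDIF fragment are constructed for this example; the `$SUFFIX` / `$ESCAPED_SUFFIX` template variables mirror the ones discussed in the thread.

```python
"""LDAPv2 quoting versus LDAPv3 (RFC 4514) escaping of DN values.

Added example; helper names, sample DNs and the LDIF fragment are
assumptions made for illustration, not FreeIPA code.
"""
from string import Template, hexdigits

# Characters RFC 4514 requires to be escaped anywhere inside a value.
RFC4514_SPECIALS = set('"+,;<>\\')
# '=' need not be escaped by RFC 4514, but escaping it is permitted and keeps
# a DN-inside-a-DN readable, so this helper escapes it as well.
ALSO_ESCAPE = set('=')


def escape_dn_value(value):
    """Escape one RDN value the LDAPv3 way (RFC 4514 section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in RFC4514_SPECIALS or ch in ALSO_ESCAPE:
            out.append('\\' + ch)
        elif ch == '\0':
            out.append('\\00')
        elif ch == ' ' and i in (0, last):
            out.append('\\ ')      # leading/trailing space must be escaped
        elif ch == '#' and i == 0:
            out.append('\\#')      # a leading '#' would otherwise mean "hex string"
        else:
            out.append(ch)
    return ''.join(out)


def quote_dn_value_v2(value):
    """The legacy LDAPv2 (RFC 1779) form the patch removes: wrap the value in quotes."""
    return '"%s"' % value.replace('"', '\\"')


def unescape_dn_value(value):
    """Reverse escape_dn_value, including \\XX hex pairs."""
    out, i = [], 0
    while i < len(value):
        if value[i] == '\\' and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and all(c in hexdigits for c in pair):
                out.append(chr(int(pair, 16)))
                i += 3
            else:
                out.append(value[i + 1])
                i += 2
        else:
            out.append(value[i])
            i += 1
    return ''.join(out)


def split_rdns(dn):
    """Split a DN on unescaped commas (single-valued RDNs only)."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == '\\' and i + 1 < len(dn):
            cur.append(dn[i:i + 2])   # keep the escape pair together
            i += 2
        elif dn[i] == ',':
            rdns.append(''.join(cur))
            cur = []
            i += 1
        else:
            cur.append(dn[i])
            i += 1
    rdns.append(''.join(cur))
    return rdns


def parse_rdn(rdn):
    """Return (attribute type, decoded value) for one RDN string."""
    attr, raw = rdn.split('=', 1)
    return attr, unescape_dn_value(raw)


def build_nested_dn(inner_dn, container_dn, attr='cn'):
    """Name an entry after another entry's DN, e.g. a CoS template whose cn
    is the DN of the container it applies to."""
    return '%s=%s,%s' % (attr, escape_dn_value(inner_dn), container_dn)


# Constructed LDIF fragment in the style of an installer template.
COS_TEMPLATE_LDIF = (
    "dn: cn=cn\\=accounts\\,$ESCAPED_SUFFIX,cn=policies,$SUFFIX\n"
    "objectClass: top\n"
    "objectClass: ldapsubentry\n"
    "objectClass: costemplate\n"
)


def render_ldif(template, suffix):
    """Substitute both the plain and the escaped suffix, as a sub_dict would."""
    return Template(template).substitute(
        SUFFIX=suffix, ESCAPED_SUFFIX=escape_dn_value(suffix))
```

The quoted form is ambiguous to any consumer that splits on commas and understands only backslashes, which is what the `split_rdns` check below demonstrates; the escaped form round-trips through `split_rdns` and `parse_rdn` back to the inner DN.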
Re: [Freeipa-devel] [PATCH] Enable LDAPObject subclasses to disable DN normalization in their methods.
Pavel Zůna wrote:
> Rob Crittenden wrote:
>> Pavel Zuna wrote:
>>> New attribute in LDAPObject: normalize_dn
>>>
>>> Defaults to True. If False, LDAP* methods won't normalize DNs before passing them to python-ldap.
>>>
>>> Pavel
>>
>> This also makes entries returned by LDAPSearch a list instead of a tuple. What is the purpose of that?
>
> It enables *-find plugins to easily add/remove entries in post_callback.
>
>> rob
>
> Pavel

Ok, ack, pushed to master
[Freeipa-devel] [PATCH] Add new pwpolicy plugin based on baseldap classes
Don't mind the numbering. This is a completely independent patch.

It adds a new pwpolicy plugin based on baseldap.py classes. It has the same functionality as the current pwpolicy plugin, but a cleaner and more consistent interface, fine-grained search capabilities, etc.

This is actually an updated version of a patch I released some time ago, but it never got fully reviewed.

Pavel

0002-Add-new-pwpolicy-plugin-based-on-baseldap-classes.patch
Re: [Freeipa-devel] [PATCH] Use escapes in DNs instead of quoting.
On 4/16/2010 5:09 PM, Rob Crittenden wrote:
> Pavel Zuna wrote:
>> This patch effectively removes all LDAPv2 style quoted DNs and makes sure we don't use them anymore. KDC doesn't seem to have any problems with LDAPv3 style DNs, but I kept the option to disable DN normalization for now.
>>
>> I also had to add a new dollar variable for LDIF files: $ESCAPED_SUFFIX. We need it to create entries that contain the DN of another entry in their own, like the account activated/inactivated CoS entries.
>>
>> What I tested:
>> - playing around with password policies and CoS entries using both pwpolicy and pwpolicy2
>> - changing user passwords to see if the policies apply
>> - re-installing IPA to see if the activated/inactivated CoS entries were OK
>> - user-lock/user-unlock
>>
>> The patch depends on the pwpolicy2 plugin. Well, it doesn't depend on it, but won't apply without. I didn't realize before committing and couldn't get it back by re-basing, so...
>>
>> Pavel
>
> This fails to apply because the pwpolicy2 plugin hasn't been committed yet. You had suggested that this patch shouldn't be applied yet. Should I remove the pwpolicy2 part of this patch and push, rebase it, or what?
>
> rob

I rebased the patch - attached. It no longer depends on pwpolicy2. I'm going to release an updated pwpolicy2 patch with quoting gone along with this one.

Pavel

0001-Use-escapes-in-DNs-instead-of-quoting.patch
Re: [Freeipa-devel] [PATCH] Add interface for baseldap plugins to register additional callbacks.
Pavel Zůna wrote:
> Rob Crittenden wrote:
>> Pavel Zůna wrote:
>>> This is somewhat of a tech-preview patch. It works, but the whole concept might need some more work/thinking done.
>>>
>>> It adds another way to extend plugins without resorting to the versioning system. Until now, every baseldap command had two callbacks. The pre-callback called before data was passed to python-ldap and the post-callback called after. This patch introduces class methods that enable the registration of new pre/post callbacks. It supports top level functions as well, so you don't have to touch the original class at all.
>>>
>>> It works like this:
>>>
>>>     from ipalib.plugins.user import user_show
>>>
>>>     def test_callback(inst, ldap, dn, attrs_list, *keys, **options):
>>>         inst.log.info('hello callback world!')
>>>         attrs_list[:] = ['uid']  # only retrieve the user name (modify the list in place so the caller sees it)
>>>         return dn
>>>
>>>     user_show.register_pre_callback(test_callback)
>>>
>>> The original callbacks defined in the class are always called first.
>>>
>>> Pavel
>>
>> I think I'd like another registration argument, sort of a hint on where you'd like this plugin registered: first or last (defaulting to last). We wouldn't necessarily guarantee where the plugin would get registered but we could easily handle prepending or appending the new registration.
>
> The argument is already there, but as you said, it doesn't guarantee a specific order. The "in-class" callback is added when the plugin instance is created and is inserted at the beginning of the list. More callbacks could be theoretically added later before this one, but that probably won't happen.
>
>> Not sure how complicated we want this to be but we could also add a dependency system, so that if some other callback is registered, then this one comes first (or registration fails), etc.
>
> A priority system might be better and easier to implement in this case.
>
> I'm also thinking of making the callback signature common for all commands (even though they have different "needs") and adding a context variable callbacks could use to pass data to each other.
>
>> rob
>
> By the way, the approach with class methods and class attributes I'm using is 100% compatible with the versioning system I proposed before. You can do this for example:
>
>     class user_show(...):
>         VERSION = (1, 0)
>         ...
>
>     user_show.register_pre_callback(some_callback)
>     user_show.register_pre_callback(some_other_callback)
>
>     class user_show(user_show):
>         VERSION = (1, 1)
>         ...
>
> And the new user_show class will have all the callbacks for the previous version. Isn't that cool? Man, I love python. It's the hacker's holy grail. :D
>
> Pavel

ack, pushed to master
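The registration mechanism discussed above, as an added example that is not part of the thread and not FreeIPA's baseldap code: a minimal command class with per-class pre/post callback registries, the `first` placement hint, an in-class callback that always runs before registered ones, and a `VERSION = (1, 1)` redefinition that inherits the callbacks of the previous version. The class and method names (`LDAPCommand`, `register_pre_callback`, `execute`, `FakeLDAP`) and the sample directory entry are assumptions constructed for this example.

```python
"""Extra pre/post callbacks registered on a command class via class methods.

Added example; class/method names and the sample entry are assumptions that
mirror the interface described in the thread, not FreeIPA code.
"""


class LDAPCommand:
    """Minimal command: one in-class pre/post callback plus per-class registries."""
    VERSION = (1, 0)
    _pre_callbacks = ()
    _post_callbacks = ()

    @classmethod
    def _own_list(cls, name):
        # A class gets its own list the first time it registers something and
        # starts from a copy of what it inherited. Until then attribute lookup
        # simply finds the parent's registrations, which is why a later
        # `class user_show(user_show)` keeps every callback of the old version.
        if name not in cls.__dict__:
            setattr(cls, name, list(getattr(cls, name)))
        return getattr(cls, name)

    @classmethod
    def register_pre_callback(cls, callback, first=False):
        """Add a pre-callback; `first` is the placement hint from the thread."""
        lst = cls._own_list('_pre_callbacks')
        lst.insert(0, callback) if first else lst.append(callback)

    @classmethod
    def register_post_callback(cls, callback, first=False):
        lst = cls._own_list('_post_callbacks')
        lst.insert(0, callback) if first else lst.append(callback)

    # In-class callbacks; subclasses override them. Same signature as the
    # registered top-level functions so they can be chained uniformly.
    def pre_callback(self, ldap, dn, attrs_list, *keys, **options):
        return dn

    def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
        return dn

    def execute(self, ldap, dn, attrs_list, *keys, **options):
        attrs_list = list(attrs_list)
        # The in-class callback always runs first, then the registered ones in order.
        for cb in [type(self).pre_callback] + list(self._pre_callbacks):
            dn = cb(self, ldap, dn, attrs_list, *keys, **options)
        entry_attrs = ldap.get_entry(dn, attrs_list)
        for cb in [type(self).post_callback] + list(self._post_callbacks):
            dn = cb(self, ldap, dn, entry_attrs, *keys, **options)
        return entry_attrs


# Constructed sample directory standing in for python-ldap.
FAKE_DIRECTORY = {
    'uid=alice,cn=users,cn=accounts,dc=example,dc=com': {
        'uid': ['alice'],
        'cn': ['Alice Example'],
        'mail': ['alice@example.com'],
        'userPassword': ['{SSHA}constructed-not-a-real-hash'],
    },
}


class FakeLDAP:
    def get_entry(self, dn, attrs_list):
        entry = FAKE_DIRECTORY[dn]
        return {k: list(v) for k, v in entry.items() if k in attrs_list}


class user_show(LDAPCommand):
    VERSION = (1, 0)

    def pre_callback(self, ldap, dn, attrs_list, *keys, **options):
        # The command's own rule: never hand password hashes back to a caller.
        if 'userPassword' in attrs_list:
            attrs_list.remove('userPassword')
        return dn


def only_uid(inst, ldap, dn, attrs_list, *keys, **options):
    # Top-level callback from another plugin. Mutate the list in place;
    # rebinding the name (attrs_list = ['uid']) would not reach the caller.
    attrs_list[:] = ['uid']
    return dn


def stamp_version(inst, ldap, dn, entry_attrs, *keys, **options):
    entry_attrs['served_by_version'] = ['%d.%d' % inst.VERSION]
    return dn


user_show.register_pre_callback(only_uid)
user_show.register_post_callback(stamp_version)


class user_show(user_show):  # noqa: F811  deliberate redefinition, as in the thread
    """Version 1.1 inherits every callback registered on 1.0."""
    VERSION = (1, 1)


def run_demo():
    return user_show().execute(
        FakeLDAP(),
        'uid=alice,cn=users,cn=accounts,dc=example,dc=com',
        ['uid', 'cn', 'mail', 'userPassword'],
    )
```

Registering on the 1.1 class copies the inherited list before modifying it, so callbacks added to the new version never leak back into the old one; `run_demo()` returns `{'uid': ['alice'], 'served_by_version': ['1.1']}` because the in-class callback strips `userPassword`, `only_uid` then narrows the request to `uid`, and the post-callback stamps the version that served it.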
Re: [Freeipa-devel] [PATCH] Fix output of env plugin. It displayed more than it should.
Pavel Zůna wrote:
> Some outputs were missing the 'no_display' flag.
>
> Pavel

ack, pushed to master
Re: [Freeipa-devel] [PATCH] 410 enable anonymous VLV
John Dennis wrote:
> On 03/19/2010 04:56 PM, Rob Crittenden wrote:
>> Rob Crittenden wrote:
>>> Rob Crittenden wrote:
>>>> Modify the VLV aci to allow anonymous searches. This will allow Solaris clients to function properly.
>>>>
>>>> A similar patch will need to be committed to the freeipa-1.2 branch.
>>>>
>>>> rob
>>>
>>> I'm going to withdraw this patch and do it another way. We don't need to enable this by default, only when the compat plugin is enabled.
>>>
>>> rob
>>
>> Revised patch attached. I don't see a need to enable this in all cases, just when the compat plugin is enabled.
>
> Looks harmless, ACK

pushed to master
Re: [Freeipa-devel] [PATCH] 409 configure CRL URI
John Dennis wrote:
> On 03/17/2010 03:03 PM, Rob Crittenden wrote:
>> Configure the CRL URI in dogtag. Also print out a restart message after applying the custom subject. It takes a while to restart dogtag and this lets the user know things are moving forward.
>
> ACK

pushed to master
Re: [Freeipa-devel] [PATCH 10/10] Add gettext translation test using test language.
John Dennis wrote:
> On 03/12/2010 03:24 PM, Stephen Gallagher wrote:
>> On 03/12/2010 01:09 PM, John Dennis wrote:
>>
>> Just a minor nitpick, but it's more traditional to use the notation
>>
>>     $(MAKE) -C install/po test_lang
>>
>> rather than explicitly changing into that directory first. If I remember correctly, make will log it to the screen explicitly this way.
>
> O.K. good suggestion. Whoever applies the patch can make this edit under the 1 line rule, or I'll tweak it later.

pushed to master
Re: [Freeipa-devel] [PATCH] strip .po file suffix in translation statistics
John Dennis wrote:
> The goal is to get the statistics to line up in columns and not exceed an 80 character line which might cause wrapping. Removing the .po suffix from the translation name gives us 3 extra characters. Formatting problems were observed when bn_IN.po was added.
>
> Instead of:
>
>     ipa.pot has 133 messages
>     bn_IN.po: 14/133 10.5% 106 po untranslated, 13 missing, 119 untranslated
>     id.po: 107/133 80.5% 13 po untranslated, 13 missing, 26 untranslated
>     kn.po: 4/133 3.0% 116 po untranslated, 13 missing, 129 untranslated
>     pl.po: 120/133 90.2% 0 po untranslated, 13 missing, 13 untranslated
>
>     [jden...@jdennis po]$ make msg-stats
>
> the statistics now read:
>
>     ipa.pot has 133 messages
>     bn_IN: 14/133 10.5% 106 po untranslated, 13 missing, 119 untranslated
>     id: 107/133 80.5% 13 po untranslated, 13 missing, 26 untranslated
>     kn: 4/133 3.0% 116 po untranslated, 13 missing, 129 untranslated
>     pl: 120/133 90.2% 0 po untranslated, 13 missing, 13 untranslated

I don't see any specific ACK or push messages for this patch but the changes are applied in any case. Just closing the loop.

rob
Re: [Freeipa-devel] Use ldap2 instead of legacy LDAP code from v1 in installer scripts.
On 4/15/2010 8:18 PM, Rob Crittenden wrote:
> Pavel Zůna wrote:
>> On 4/14/2010 4:35 PM, Rob Crittenden wrote:
>>> Pavel Zuna wrote:
>>>> On 03/30/2010 10:27 PM, Rob Crittenden wrote:
>>>>> Pavel Zuna wrote:
>>>>>> On 03/23/2010 09:40 PM, Rob Crittenden wrote:
>>>>>>> Pavel Zuna wrote:
>>>>>>>> This is the first in a series of patches that replace all the legacy code from v1 related to LDAP. I did some limited testing of the installer after this patch and nothing seems to break, but I didn't do replicas etc...
>>>>>>>>
>>>>>>>> Pavel
>>>>>>>
>>>>>>> nack. This breaks at least ipa-replica-manage, ipa-replica-prepare, ipa-server-certinstall and ipa-replica-install.
>>>>>>>
>>>>>>> rob
>>>>>>
>>>>>> Fixed patch attached.
>>>>>>
>>>>>> Pavel
>>>>>
>>>>> I'm not sure if you attached the wrong patch or not (it's dated 3/24) but things are still not working:
>>>>>
>>>>>     # ipa-replica-install replica-info-tiger.example.com.gpg
>>>>>     Directory Manager (existing master) password:
>>>>>     creation of replica failed: 'Env' object has no attribute 'basedn'
>>>>>     Your system may be partly configured.
>>>>>     Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>>>>
>>>>> rob
>>>>
>>>> Sorry for a late reply. Here's a patch that should finally work. I did a lot more testing and setting up a replica went smoothly every time.
>>>>
>>>> Pavel
>>>
>>> Lots better. I was able to create and manage replicas but ipa-dns-install isn't working:
>>>
>>>     # ipa-dns-install
>>>     The log file for this installation can be found in /var/log/ipaserver-install.log
>>>     ==
>>>     This program will setup DNS for the FreeIPA Server.
>>>
>>>     This includes:
>>>       * Configure DNS (bind)
>>>
>>>     To accept the default shown in brackets, press the Enter key.
>>>
>>>     Existing BIND configuration detected, overwrite? [no]: y
>>>     Do you wish to configure DNS forwarders? [no]:
>>>     No DNS forwarders configured
>>>     Directory Manager password:
>>>
>>>     Unexpected error - see ipaserver-install.log for details:
>>>     'API' object has no attribute 'env_host'
>>
>> Ouch, sorry about that. New patch attached.
>>
>> Pavel
>
> Still not working:
>
>     root : CRITICAL Could not modify principal's krbprincipalname=DNS/lion.greyoak@greyoak.com,cn=services,cn=accounts,dc=greyoak,dc=com entry
>     Unexpected error - see ipaserver-install.log for details:
>     The backtrace is:
>       File "/usr/sbin/ipa-dns-install", line 172, in <module>
>         sys.exit(main())
>       File "/usr/sbin/ipa-dns-install", line 158, in main
>         bind.create_instance()
>       File "/usr/lib/python2.6/site-packages/ipaserver/install/bindinstance.py", line 195, in create_instance
>         self.start_creation("Configuring named:")
>       File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line 237, in start_creation
>         method()
>       File "/usr/lib/python2.6/site-packages/ipaserver/install/bindinstance.py", line 293, in __setup_principal
>         raise e
>     ('expected a string in the list', u'k')
>
> rob

This is fixed in the ipa-dns-install patch I posted yesterday. I thought this wasn't caused by the changes made by the "Use ldap2..." patch. The problem here is that we call python-ldap with a unicode string. The string is generated from api.env constants that have become unicode a month or two ago.

Anyway, I can always move the fix to this problem from the ipa-dns-install patch into this one. However I need to talk to Martin about the bindinstance.py file - I'll make sure to resolve this by the end of today.

Pavel