[Freeipa-devel] [PATCH] 457 fall back to DM password in ipa-replica-manage
ipa-replica-manage can use the current kerberos credentials for some commands now. To make it a bit nicer to use, fall back to prompting for the DM password if there are no credentials. I've found it handy to have this in development.

I also fix up the errors when deleting a replica too (my test case for the fallback). The error message was a bit mis-formatted.

rob

Attachment: freeipa-457-replica.patch (application/mbox)

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 456 replica creation
If a host is already enrolled (either as a client or a former replica) then ipa-replica-install will fail spectacularly with an error about a missing keytab. This is because some entries already exist and it totally confuses things.

We need to start this host from scratch, so catch this condition and give the admin some hints on how to fix it.

rob

Attachment: freeipa-456-replica.patch (application/mbox)
[Freeipa-devel] [PATCH] 455 upgrade over ldapi
For v2 upgrades we want the LDAP server to be quiet, so we will shut it down, disable its TCP listeners and bring it back up to update over ldapi. This also enables autobind so we can bind as root and perform operations as Directory Manager and not require a password.

To use this mode run ipa-ldap-updater --upgrade.

rob

Attachment: freeipa-455-upgrade.patch (application/mbox)
Re: [Freeipa-devel] [PATCH] 454 add su-l hbac service
On 05/27/2010 10:59 AM, Rob Crittenden wrote:
> Add another default hbac service, su-l.
>
> rob

Ack

--
Stephen Gallagher
RHCE 804006346421761

Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/
Re: [Freeipa-devel] [PATCH] 453 fix gpg2 usage
Stephen Gallagher wrote:
> On 05/26/2010 03:24 PM, Rob Crittenden wrote:
>> Replica preparation and installation is not working in F-13 because of gpg2. It now requires the --batch argument when using the --passphrase* options.
>>
>> This patch is for ipa-1.2.2 but the same principle applies to master as well.
>>
>> Note that this fixes some whitespace issues as well.
>>
>> rob
>
> Ack.

pushed to ipa-1-2 and master
[Freeipa-devel] [PATCH] 454 add su-l hbac service
Add another default hbac service, su-l.

rob

Attachment: freeipa-454-hbac.patch (application/mbox)
Re: [Freeipa-devel] [PATCH] 452 add missing hbac update file
Pavel Zuna wrote:
> On 05/26/2010 03:50 PM, Rob Crittenden wrote:
>> I moved these contents into an update so that each entry could get its own UUID. The templater for ldif files is a little less robust and can only assign a single UUID per file. If this is ever an issue we can address it then, but it isn't a problem for now.
>>
>> This is needed for patch 450 to work properly.
>>
>> rob
>
> ack.
>
> Pavel

pushed to master
Re: [Freeipa-devel] [PATCH] 450 fixes for HBAC services
Sumit Bose wrote:
> On Wed, May 26, 2010 at 09:51:21AM -0400, Rob Crittenden wrote:
>> Sumit Bose wrote:
>>> On Fri, May 21, 2010 at 04:30:12PM -0400, Rob Crittenden wrote:
>>>> Add the ipaUniqueID object to HBAC services and make sure that they get the memberOf attribute if they are members of service groups.
>>>>
>>>> rob
>>>
>>> I think 30-hbacsvc.update is missing.
>>>
>>> bye,
>>> Sumit
>>
>> I'd have sworn I added that file...
>>
>> Anyway, I made a new patch, 452, to add this file in.
>
> ok, with this patch everything works as expected. Thanks.

Great, pushed to master
Re: [Freeipa-devel] [PATCH] 449 renumber IPA schema OIDs
Dmitri Pal wrote:
> Rob Crittenden wrote:
>> Dmitri Pal wrote:
>>> Rob Crittenden wrote:
>>>> Use correct OID base for ipaVolumeKey (it's an objectClass, not an attribute). Re-number to use contiguous values. There were some pretty big gaps.
>>>>
>>>> rob
>>>
>>> Nack
>>>
>>> Here are a couple of suggestions:
>>>
>>> * Let us not add schema that we do not use and do not need. The policy schema, though well designed, has not been implemented. There is a risk that it would require some changes if ever implemented. I suggest we keep it in the tree but not include it in the install.
>>>
>>> * The volume key management schema is not used either. I would suggest we extract it and save it in a file aside but do not add it into the main schema. As things stand this schema will not be used.
>>>
>>> * For v2 we should use only 3,4,5,6. 1 and are reserved for v1
>>>
>>> So the things would look like in the attached files. I have not had a chance to make sure they load but I hope I did not miss anything.
>>
>> I made a few slight modifications but this is basically the set of files you provided. Updated patch attached.
>>
>> rob
>
> Visual ack.

Ok, pushed to master.

rob
Re: [Freeipa-devel] [PATCH] 448 fix default hbac rule, add default services
Pavel Zuna wrote:
> On 05/20/2010 07:54 PM, Rob Crittenden wrote:
>> Add the 'all' serviceCategory to the default allow_all HBAC rule and add some standard services: ftp, login, sshd, su, sudo.
>>
>> rob
>
> ack.
>
> Pavel

pushed to master. I'm going to submit a separate patch for su-l as requested by Steve.

rob
Re: [Freeipa-devel] [PATCH] 447 load dogtag selinux rules in spec
Pavel Zuna wrote:
> On 05/20/2010 05:56 PM, Rob Crittenden wrote:
>> Move the dogtag SELinux rules loading into the spec file.
>>
>> I couldn't put the dogtag rules into the spec file until we required dogtag as a component. If it wasn't pre-loaded then the rules loading would fail because types would be missing.
>>
>> rob
>
> This doesn't apply after your 446 patch, because it includes it. So either drop 446 or remove the CAInstance part from 447 and apply both.
>
> Pavel

I'm not sure how I managed that one but I removed the duplicate section from 447.

pushed to master
Re: [Freeipa-devel] [PATCH] 446 fix clone from a clone
Pavel Zuna wrote:
> On 05/19/2010 07:28 PM, Rob Crittenden wrote:
>> Include -clone_uri argument to pkisilent setting the clone URI. This makes creating a clone from a clone work as expected.
>>
>> Note that this depends on some fixes in the pki-ca, pki-common and pki-silent packages. I tested this against pre-release versions.
>>
>> This means you can do something like this:
>>
>> Install IPA on server A
>> Prepare a replica file on server A for server B
>> Install the IPA replica on server B
>> Prepare a replica file for server C on server B
>> Install the IPA replica on server C
>>
>> The replication topology looks like: A <-> B <-> C
>>
>> This isn't really recommended but it at least frees us from having a single point of failure regarding the CA. The CAs are now independent, though they replicate over a different channel than IPA user data.
>>
>> rob
>
> ack.
>
> Pavel

pushed to master
Re: [Freeipa-devel] [PATCH] 450 fixes for HBAC services
On 05/21/2010 10:30 PM, Rob Crittenden wrote:
> Add the ipaUniqueID object to HBAC services and make sure that they get the memberOf attribute if they are members of service groups.
>
> rob

ack.

Pavel
Re: [Freeipa-devel] [PATCH] 452 add missing hbac update file
On 05/26/2010 03:50 PM, Rob Crittenden wrote:
> I moved these contents into an update so that each entry could get its own UUID. The templater for ldif files is a little less robust and can only assign a single UUID per file. If this is ever an issue we can address it then, but it isn't a problem for now.
>
> This is needed for patch 450 to work properly.
>
> rob

ack.

Pavel
Re: [Freeipa-devel] [PATCH] 451 fix i18n test
On 05/21/2010 11:35 PM, Rob Crittenden wrote:
> Fix this test to work from source tree root
>
> It would work if you ran the test from its location in tests/test_ipalib but this isn't the most common method. If you want to run it individually you can do:
>
> $ ./make-test tests/test_ipalib/test_text.py
>
> rob

Maybe I'm doing something wrong, but I'm still getting this one error:

==
ERROR: Test gettext translation
--
Traceback (most recent call last):
  File "/usr/lib/python2.6/site-packages/nose/case.py", line 183, in runTest
    self.test(*self.arg)
  File "/root/freeipa/tests/test_ipalib/test_text.py", line 89, in test_gettext
    msgid = get_msgid(test_file)
  File "/root/freeipa/tests/test_ipalib/test_text.py", line 43, in get_msgid
    f = open(po_file)
IOError: [Errno 2] No such file or directory: 'install/po/test.po'

Pavel
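The traceback above is the classic cwd-dependent lookup: 'install/po/test.po' only resolves when the process is started from the tree root. The following is an added illustration (not FreeIPA's test_text.py) of locating the .po file relative to the test module itself, so the test passes no matter where ./make-test or nose is launched from; the tree layout and the po_path/get_msgid helpers are constructed for this example.

```python
import os
import shutil
import tempfile

# Assumed layout (constructed for this example, not FreeIPA's own code):
# <tree root>/install/po/<name>.po, with the test module two directories
# below the tree root, mirroring tests/test_ipalib/test_text.py.

def po_path(name, module_file):
    """Locate install/po/<name> relative to the test module, not the cwd."""
    here = os.path.dirname(os.path.abspath(module_file))
    root = os.path.abspath(os.path.join(here, os.pardir, os.pardir))
    return os.path.join(root, "install", "po", name)

def get_msgid(po_file):
    """Return the first non-empty msgid from a .po file (minimal parser)."""
    with open(po_file) as f:
        for line in f:
            line = line.strip()
            if line.startswith("msgid ") and line != 'msgid ""':
                return line[len("msgid "):].strip('"')
    return None

def demo():
    """Build a constructed source tree and read the .po file from an unrelated cwd.

    Returns (cwd_relative_found, module_relative_msgid).
    """
    tree = tempfile.mkdtemp(prefix="ipa-tree-")
    elsewhere = tempfile.mkdtemp(prefix="ipa-cwd-")
    po_dir = os.path.join(tree, "install", "po")
    test_dir = os.path.join(tree, "tests", "test_ipalib")
    os.makedirs(po_dir)
    os.makedirs(test_dir)
    with open(os.path.join(po_dir, "test.po"), "w") as f:
        f.write('msgid ""\nmsgstr ""\n\nmsgid "Hello"\nmsgstr "Ahoj"\n')
    fake_module = os.path.join(test_dir, "test_text.py")
    old_cwd = os.getcwd()
    os.chdir(elsewhere)  # simulate running the test from outside the tree
    try:
        cwd_relative_found = os.path.exists("install/po/test.po")  # the failing lookup
        msgid = get_msgid(po_path("test.po", fake_module))         # the cwd-independent one
    finally:
        os.chdir(old_cwd)
        shutil.rmtree(tree)
        shutil.rmtree(elsewhere)
    return cwd_relative_found, msgid

if __name__ == "__main__":
    print(demo())  # (False, 'Hello')
```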
Re: [Freeipa-devel] [PATCH] 448 fix default hbac rule, add default services
On 05/20/2010 07:54 PM, Rob Crittenden wrote:
> Add the 'all' serviceCategory to the default allow_all HBAC rule and add some standard services: ftp, login, sshd, su, sudo.
>
> rob

ack.

Pavel
Re: [Freeipa-devel] [PATCH] 447 load dogtag selinux rules in spec
On 05/20/2010 05:56 PM, Rob Crittenden wrote:
> Move the dogtag SELinux rules loading into the spec file.
>
> I couldn't put the dogtag rules into the spec file until we required dogtag as a component. If it wasn't pre-loaded then the rules loading would fail because types would be missing.
>
> rob

This doesn't apply after your 446 patch, because it includes it. So either drop 446 or remove the CAInstance part from 447 and apply both.

Pavel
Re: [Freeipa-devel] [PATCH] 446 fix clone from a clone
On 05/19/2010 07:28 PM, Rob Crittenden wrote:
> Include -clone_uri argument to pkisilent setting the clone URI. This makes creating a clone from a clone work as expected.
>
> Note that this depends on some fixes in the pki-ca, pki-common and pki-silent packages. I tested this against pre-release versions.
>
> This means you can do something like this:
>
> Install IPA on server A
> Prepare a replica file on server A for server B
> Install the IPA replica on server B
> Prepare a replica file for server C on server B
> Install the IPA replica on server C
>
> The replication topology looks like: A <-> B <-> C
>
> This isn't really recommended but it at least frees us from having a single point of failure regarding the CA. The CAs are now independent, though they replicate over a different channel than IPA user data.
>
> rob

ack.

Pavel
Re: [Freeipa-devel] [PATCH] 450 fixes for HBAC services
On Wed, May 26, 2010 at 09:51:21AM -0400, Rob Crittenden wrote:
> Sumit Bose wrote:
> > On Fri, May 21, 2010 at 04:30:12PM -0400, Rob Crittenden wrote:
> >> Add the ipaUniqueID object to HBAC services and make sure that they
> >> get the memberOf attribute if they are members of service groups.
> >>
> >> rob
> >
> > I think 30-hbacsvc.update is missing.
> >
> > bye,
> > Sumit
>
> I'd have sworn I added that file...
>
> Anyway, I made a new patch, 452, to add this file in.
>

ok, with this patch everything works as expected. Thanks.

bye,
Sumit

> thanks
>
> rob