Re: [Freeipa-devel] [PATCH] Enable filtering search results by member attributes.

2010-11-29 Thread Rob Crittenden

Pavel Zůna wrote:

The LDAPSearch base class now has the ability to generate additional
options for objects with member attributes. These options are
used to filter search results - search only for objects without
the specified members.

Any class that extends LDAPSearch can benefit from this functionality.
This patch enables it for the following objects:
group, netgroup, rolegroup, hostgroup, taskgroup

Example:
ipa group-find --no-users=admin

Only direct members are taken into account, but if we need indirect
members as well - it's not a problem.

Ticket #288

Pavel


This works as advertised but I wonder what would happen if a huge list 
of members was passed in to ignore. Is there a limit on the search 
filter size (remember that the member will be translated into a full dn 
so will quickly grow in size).


Should we impose a configurable limit on the # of members to be excluded?

Is there a max search filter size and should we check that we haven't 
exceeded that before doing a search?


rob

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
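Rob's question above is about the filter that member exclusion generates. The following is an added example, not FreeIPA's own code, showing how such a filter can be assembled with proper escaping and checked against a member-count and a byte-size limit before the search is issued; the base DN, the limit values and the function names are assumptions made for this example.

```python
# Added example, not FreeIPA's own code: build the search filter behind a
# "--no-users"-style option and enforce size limits before the search runs.
# The base DN, the limit values and all function names are assumptions.

MAX_EXCLUDED_MEMBERS = 100   # illustrative cap on members to exclude
MAX_FILTER_BYTES = 8192      # illustrative cap on the encoded filter size
USERS_BASE = "cn=users,cn=accounts,dc=example,dc=com"  # constructed base DN

# RFC 4515 section 3: characters that must be hex-escaped in filter values.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}
# RFC 4514 section 2.4: characters that need a backslash inside an RDN value.
_DN_SPECIAL = set('\\,+"<>;=')


def escape_filter_value(value):
    """Escape a string so it is matched literally inside an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(c, c) for c in value)


def escape_dn_value(value):
    """Escape an RDN attribute value before embedding it in a DN."""
    chars = ["\\" + c if c in _DN_SPECIAL else c for c in value]
    if chars and chars[0] in ("#", " "):   # leading '#' or space is special
        chars[0] = "\\" + chars[0]
    if len(chars) > 1 and chars[-1] == " ":  # so is a trailing space
        chars[-1] = "\\ "
    return "".join(chars)


def member_dn(uid):
    """The full DN a member name is translated into before filtering."""
    return "uid=%s,%s" % (escape_dn_value(uid), USERS_BASE)


def build_no_members_filter(base_filter, uids, max_members=MAX_EXCLUDED_MEMBERS,
                            max_bytes=MAX_FILTER_BYTES):
    """Return base_filter ANDed with 'no member is any of these uids'.

    Raises ValueError instead of sending an oversized filter to the server.
    """
    if not uids:
        return base_filter
    if len(uids) > max_members:
        raise ValueError("too many members to exclude: %d > %d"
                         % (len(uids), max_members))
    clauses = "".join("(member=%s)" % escape_filter_value(member_dn(u))
                      for u in uids)
    ldap_filter = "(&%s(!(|%s)))" % (base_filter, clauses)
    size = len(ldap_filter.encode("utf-8"))
    if size > max_bytes:
        raise ValueError("filter is %d bytes, limit is %d" % (size, max_bytes))
    return ldap_filter
```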

Re: [Freeipa-devel] Host groups and netgroups

2010-11-29 Thread JR Aquino
On 11/24/10 11:19 AM, "Dmitri Pal"  wrote:

>Hello,
>
>It is well known that with IPA we want to try to move people from the
>netgroups to host groups but many companies currently use netgroups as
>hostgroups.  To simplify migration I suggest that we by default always
>create a managed  "nisnetgroup" entry that would map 1-1 to the host
>group using managed entry plugin. The logic would work the following way:
>
>1) When the host group is created the netgroup also will be created with
>the same name and memberHost attribute pointing to the DN of the newly
>created host group
>2) The deletion of the host group will automatically remove managed
>netgroup
>3) The rename of the host group (if allowed) should cause the managed
>group to be renamed too.
>
>In the UI/CLI we will filter out managed netgroups in all cases related
>to identity part of the server (list of netgroups, users members of the
>netgroup, hosts members of netgroup, etc.). The netgroups will be
>available only in the special cases like SUDO plugin.
>
>The work will consist of:
>1) Defining the managed entry plugin config for this case
>2) Adding this configuration to the installation sequence
>3) Updating netgroup searches to filter out managed entries
>4) Allow all netgroups in SUDO plugin (I think this is already the case).
>
>If this proposal looks reasonable I will open a ticket.
>JR will you be able to provide a patch that does all of this since this
>is not exactly what we originally planned?

This proposal looks reasonable.

I will be working this week to explore handling this in either the
'Managed Entries' or 'Plugin' Route to see which is the most appropriate.




Re: [Freeipa-devel] [PATCH] 017 Init smods to prevent crash if encode_keys fails

2010-11-29 Thread Rob Crittenden

Jakub Hrozek wrote:


If encode_keys() failed, we would free the variable smods which is
uninitialized at the time.


Ok, seems simple enough. Ack, pushed to master.



btw I've seen encode_keys() fail on me during ber-encoding of the octet
part of the key..which is how I found this bug. I'm not able to
reproduce it ATM and I've been upgrading to 389-ds 1.2.7 just before
that, so maybe it was related to the upgrade..should I just file a bug
or check if I can reproduce it again?


Yes, if you can find a reproducer please file a bug.

rob



Re: [Freeipa-devel] [PATCH] Error message handling in HBAC module

2010-11-29 Thread Rob Crittenden

Pavel Zuna wrote:

On 11/29/2010 11:20 AM, Jan Zelený wrote:

This patch contains a part of my original 0008 patch. The rest of it
is solved
differently (see my patch 0010).




ACK.

Pavel


Pushed to master



[Freeipa-devel] [PATCH] 620 add ipaUniqueId to UPGs

2010-11-29 Thread Rob Crittenden
Add ipaUniqueId to user private groups. If we didn't then when the group 
is detached we need to add it and this makes the acis more problematic.


I had to move where we load the UPG ldif until after the restart so the 
schema is available.


rob
From c840ce52cead0979f18cb2bbcb748550557b1478 Mon Sep 17 00:00:00 2001
From: Rob Crittenden 
Date: Mon, 29 Nov 2010 17:09:35 -0500
Subject: [PATCH] Create user private groups with a uniqueid.

If we don't then we need to add it when a group is detached causing
aci issues.

I had to move where we create the UPG template until after the DS
restart so the schema is available.

ticket 542
---
 install/share/user_private_groups.ldif |4 +++-
 ipalib/plugins/group.py|2 +-
 ipaserver/install/dsinstance.py|2 +-
 3 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/install/share/user_private_groups.ldif b/install/share/user_private_groups.ldif
index 070d6e0..6a3f49d 100644
--- a/install/share/user_private_groups.ldif
+++ b/install/share/user_private_groups.ldif
@@ -3,7 +3,9 @@ changetype: add
 objectclass: mepTemplateEntry
 cn: UPG Template
 mepRDNAttr: cn
-mepStaticAttr: objectclass: posixGroup
+mepStaticAttr: objectclass: posixgroup
+mepStaticAttr: objectclass: ipaobject
+mepStaticAttr: ipaUniqueId: autogenerate
 mepMappedAttr: cn: $$uid
 mepMappedAttr: gidNumber: $$uidNumber
 mepMappedAttr: description: User private group for $$uid
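Review bot: the objectclass value also changes from posixGroup to posixgroup in this hunk, which the commit message does not mention; object class names are case-insensitive in LDAP so it is harmless, but a line in the message would keep it from looking accidental. It is also worth confirming that whatever generates ipaUniqueId values runs for entries created by the managed entries plugin, since otherwise the literal string from `mepStaticAttr: ipaUniqueId: autogenerate` would be stored in the new private group.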
diff --git a/ipalib/plugins/group.py b/ipalib/plugins/group.py
index a8c4af6..88e0e0d 100644
--- a/ipalib/plugins/group.py
+++ b/ipalib/plugins/group.py
@@ -272,7 +272,7 @@ class group_remove_member(LDAPRemoveMember):
 api.register(group_remove_member)
 
 
-class group_detach(LDAPRemoveMember):
+class group_detach(LDAPQuery):
 """
 Detach a managed group from a user
 """
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 1584762..ed60c6f 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -213,7 +213,6 @@ class DsInstance(service.Service):
 self.step("enabling memberof plugin", self.__add_memberof_module)
 self.step("enabling referential integrity plugin", self.__add_referint_module)
 self.step("enabling winsync plugin", self.__add_winsync_module)
-self.step("configuring user private groups", self.__user_private_groups)
 self.step("configuring replication version plugin", self.__config_version_module)
 self.step("enabling IPA enrollment plugin", self.__add_enrollment_module)
 self.step("enabling ldapi", self.__enable_ldapi)
@@ -224,6 +223,7 @@ class DsInstance(service.Service):
 self.step("configuring ssl for ds instance", self.__enable_ssl)
 self.step("configuring certmap.conf", self.__certmap_conf)
 self.step("restarting directory server", self.__restart_instance)
+self.step("configuring user private groups", self.__user_private_groups)
 self.step("adding default layout", self.__add_default_layout)
 self.step("adding delegation layout", self.__add_delegation_layout)
 self.step("configuring Posix uid/gid generation as first master",
-- 
1.7.2.1


Re: [Freeipa-devel] [PATCH] 0100-top-nav-index

2010-11-29 Thread Endi Sukma Dewata

On 11/29/2010 12:08 PM, Endi Sukma Dewata wrote:

On 11/25/2010 8:24 PM, Adam Young wrote:

Updated version that doesn't break SUDO or HBAC. The third level nesting
in the tabs set is only used for this kind of navigation now, but should
be used for Action panel shortly.


Conditional ACK... :)

There are some additional changes that need to be done to get SUDO
navigation working properly. Please take a look at the attached patch.
If this is OK we can commit both patches together.


ACKed on IRC. Pushed both patches to master.

--
Endi S. Dewata



Re: [Freeipa-devel] [PATCH] 0100-top-nav-index

2010-11-29 Thread Endi Sukma Dewata

On 11/25/2010 8:24 PM, Adam Young wrote:

Updated version that doesn't break SUDO or HBAC. The third level nesting
in the tabs set is only used for this kind of navigation now, but should
be used for Action panel shortly.


Conditional ACK... :)

There are some additional changes that need to be done to get SUDO 
navigation working properly. Please take a look at the attached patch. 
If this is OK we can commit both patches together.


--
Endi S. Dewata
From 45394c8afaace87d3e17eed723239f38b4d4a2f5 Mon Sep 17 00:00:00 2001
From: Endi S. Dewata 
Date: Mon, 29 Nov 2010 11:52:08 -0600
Subject: [PATCH] Fixed navigation problem with nested entities.

Replaced _entity with -entity in IPA.tab_state().
Replaced sudo-entity with sudorule-entity.
---
 install/static/navigation.js   |2 +-
 install/static/sudocmd.js  |4 ++--
 install/static/sudocmdgroup.js |4 ++--
 install/static/sudorule.js |4 ++--
 install/static/webui.js|2 +-
 5 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/install/static/navigation.js b/install/static/navigation.js
index 240ee959208247e73bd8707f78041d48734c2785..98c13a923677ec734f11550bc2c42b7027f830a3 100644
--- a/install/static/navigation.js
+++ b/install/static/navigation.js
@@ -138,7 +138,7 @@ function _nav_update_tabs(nls, container,depth)
 
 // TODO: do not hard-code
 if (entity_name == 'hbac' && nav_get_state('hbac-entity')) entity_name = nav_get_state('hbac-entity');
-if (entity_name == 'sudorule' && nav_get_state('sudo-entity')) entity_name = nav_get_state('sudo-entity');
+if (entity_name == 'sudorule' && nav_get_state('sudorule-entity')) entity_name = nav_get_state('sudorule-entity');
 
 var entity = IPA.get_entity(entity_name);
 entity.setup(container2);
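Review bot: the `// TODO: do not hard-code` above becomes easier to resolve with this rename: both special cases now follow the `entity_name + '-entity'` pattern, so the two `if` lines could be replaced by one generic `nav_get_state(entity_name + '-entity')` lookup, which would also cover future nested entities without touching this function.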
diff --git a/install/static/sudocmd.js b/install/static/sudocmd.js
index 4255a31e3b415811b32c0bb88b26029d1b7194b8..b4492c254cfddb5621fc3a5ff96737243a97ce4e 100755
--- a/install/static/sudocmd.js
+++ b/install/static/sudocmd.js
@@ -125,7 +125,7 @@ function ipa_sudocmd_search_facet(spec) {
 var li = $('li[title=sudorule]', action_panel);
 li.click(function() {
 var state = {};
-state['sudo-entity'] = 'sudorule';
+state['sudorule-entity'] = 'sudorule';
 nav_push_state(state);
 return false;
 });
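Review bot: the state key `'sudorule-entity'` is now a string literal repeated across sudocmd.js, sudocmdgroup.js and sudorule.js as well as navigation.js; a single shared constant, or a helper that derives the key from the entity name, would prevent the kind of mismatch this patch fixes from recurring the next time a key is renamed.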
@@ -133,7 +133,7 @@ function ipa_sudocmd_search_facet(spec) {
 li = $('li[title=sudocmdgroup]', action_panel);
 li.click(function() {
 var state = {};
-state['sudo-entity'] = 'sudocmdgroup';
+state['sudorule-entity'] = 'sudocmdgroup';
 nav_push_state(state);
 return false;
 });
diff --git a/install/static/sudocmdgroup.js b/install/static/sudocmdgroup.js
index 6fddafb155e144d1f1f167262832679189239ab5..2e53ce791816859f5aad0afddc2ba8b4baf0225b 100755
--- a/install/static/sudocmdgroup.js
+++ b/install/static/sudocmdgroup.js
@@ -140,7 +140,7 @@ function ipa_sudocmdgroup_search_facet(spec) {
 var li = $('li[title=sudorule]', action_panel);
 li.click(function() {
 var state = {};
-state['sudo-entity'] = 'sudorule';
+state['sudorule-entity'] = 'sudorule';
 nav_push_state(state);
 return false;
 });
@@ -148,7 +148,7 @@ function ipa_sudocmdgroup_search_facet(spec) {
 li = $('li[title=sudocmd]', action_panel);
 li.click(function() {
 var state = {};
-state['sudo-entity'] = 'sudocmd';
+state['sudorule-entity'] = 'sudocmd';
 nav_push_state(state);
 return false;
 });
diff --git a/install/static/sudorule.js b/install/static/sudorule.js
index f936ebcde8198575e48d06257d44f0ae23ace366..023cafde29a1f0c35c043642e798cf9f27363fd4 100755
--- a/install/static/sudorule.js
+++ b/install/static/sudorule.js
@@ -124,7 +124,7 @@ function ipa_sudorule_search_facet(spec) {
 var li = $('li[title=sudocmd]', action_panel);
 li.click(function() {
 var state = {};
-state['sudo-entity'] = 'sudocmd';
+state['sudorule-entity'] = 'sudocmd';
 nav_push_state(state);
 return false;
 });
@@ -132,7 +132,7 @@ function ipa_sudorule_search_facet(spec) {
 li = $('li[title=sudocmdgroup]', action_panel);
 li.click(function() {
 var state = {};
-state['sudo-entity'] = 'sudocmdgroup';
+state['sudorule-entity'] = 'sudocmdgroup';
 nav_push_state(state);
 return false;
 });
diff --git a/install/static/webui.js b/install/static/webui.js
index 093d32b22b4adc079054256e364f01aaeeccbbbd..0e3adb27d6d6418211738c77a44db4010b5b184e 100644
--- a/install/static/webui.js
+++ b/install/static/webui.js
@@ -83,7 +83,7 @@ IPA.tab_state = function(entity_name){
 if (nested_entities[nested_index].name ===
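Review bot: this hunk is cut off in the archive after its first context line, so the `_entity` to `-entity` change in IPA.tab_state() that the commit message describes cannot be checked here.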

Re: [Freeipa-devel] [PATCH] build tweaks

2010-11-29 Thread Rob Crittenden

Nalin Dahyabhai wrote:

The attached patch modifies autogen.sh so that it runs autoreconf with
the -f flag, too, so that a source rpm package built on an F14 system
will successfully build on a system which has older autotools versions.

It also tells automake to run in its 'foreign' mode and dispenses with
some workarounds for when we were running it in 'gnu' mode.

Nalin


Works for me. I built in F-12, shipped the srpm to F-14, built that, 
then sent the srpm from F-14 back to F-12 and rebuilt again and all is well.


Pushed to master.

rob



Re: [Freeipa-devel] [PATCH] 611 increase default username len

2010-11-29 Thread Rob Crittenden

David O'Brien wrote:

Rob Crittenden wrote:

Increase default username length to 32 and max for users and groups to
255.

rob



There doesn't appear to be a default max groupname length like there is
for usernames. Does that mean it defaults to 255?

/dob


It just isn't configurable like usernames are. The max is also 255.

rob



Re: [Freeipa-devel] [PATCH] Error message handling in HBAC module

2010-11-29 Thread Pavel Zuna

On 11/29/2010 11:20 AM, Jan Zelený wrote:

This patch contains a part of my original 0008 patch. The rest of it is solved
differently (see my patch 0010).




ACK.

Pavel
