Re: [Freeipa-devel] [PATCH] 632 add migration cmd docs
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 12/07/2010 05:50 PM, Rob Crittenden wrote: Add some documentation to the migrate-ds command. rob Ack -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAkz/by8ACgkQHsardTLnvCV1XQCgw2UlwVDpJ6KYwJHGkVg3MDbJ qbUAoOE4rXu6jBxUCc7wzXvyPEFcs4AN =3+EP -END PGP SIGNATURE- ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0026 Split replica installation in dsinstance
On Wed, 8 Dec 2010 08:25:25 +0100 Jan Zelený jzel...@redhat.com wrote: Simo Sorce sso...@redhat.com wrote: This patch allows patch 0025 to work properly for replica installation so it is a prereq for it now. It split installation so that certain steps can be done after the tree has been replicated without having them wiped out, like the creation of the replica master entry under cn=masters,cn=ipa,cn=etc It also introduce a dependency on the replica file having the ca.crt in it. And installs it by default under /etc/ipa/ca.crt (the httpinstance later on also stores it also under /usr/share/ipa/html/ca.crt) This patch also makes sure the memberof fixup task is run *after* initial replication, just to make sure. Technically the memberof plugin is already activated so memberof entries should be properly created while replication goes through. But better be thorough. replication is now started within dsinstance.py and not after ds is setup as one of the dsinstance creation steps. Initial testing gave no issues to me. Simo. Can you please attach the patch? ;-) Oh, I thought you'd just trust me :-D Attached. Simo. -- Simo Sorce * Red Hat, Inc * New York From 738f0a315eccdb8788f56768ff312bfb1aa08a7f Mon Sep 17 00:00:00 2001 From: Simo Sorce sso...@redhat.com Date: Tue, 7 Dec 2010 18:23:05 -0500 Subject: [PATCH] Split dsinstance configuration This is so that master and replica creation can perform different operations as they need slightly diffeent settings to be applied. --- install/tools/ipa-replica-install | 59 --- ipaserver/install/dsinstance.py | 110 +++-- ipaserver/install/replication.py |3 +- 3 files changed, 106 insertions(+), 66 deletions(-) diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install index 65107f027fddcf888a51d7270cc48ce7bcdd8a10..46153565f11239ec487e59dc712bdc54eca23763 100755 --- a/install/tools/ipa-replica-install +++ b/install/tools/ipa-replica-install 
@@ -26,14 +26,14 @@ from ConfigParser import SafeConfigParser from ipapython import ipautil -from ipaserver.install import dsinstance, replication, installutils, krbinstance, service +from ipaserver.install import dsinstance, installutils, krbinstance, service from ipaserver.install import bindinstance, httpinstance, ntpinstance, certs from ipaserver.plugins.ldap2 import ldap2 from ipapython import version from ipalib import api, errors, util from ipapython.config import IPAOptionParser -CACERT=/usr/share/ipa/html/ca.crt +CACERT=/etc/ipa/ca.crt class HostnameLocalhost(Exception): pass @@ -163,7 +163,7 @@ def install_ca(config): return ca -def install_ds(config): +def install_replica_ds(config): dsinstance.check_existing_installation() dsinstance.check_ports() @@ -176,13 +176,10 @@ def install_ds(config): config.dir + /dirsrv_pin.txt) ds = dsinstance.DsInstance() -# idstart and idmax are configured so that the range is seen as depleted -# by the DNA plugin and the replica will go and get a new range from the -# master. -# This way all servers use the initially defined range by default. -ds.create_instance(config.ds_user, config.realm_name, config.host_name, - config.domain_name, config.dirman_password, - pkcs12_info, idstart=1101, idmax=1100) +ds.create_replica(config.ds_user, config.realm_name, + config.master_host_name, config.host_name, + config.domain_name, config.dirman_password, + pkcs12_info) return ds 
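Review bot: The @@ -176 hunk deletes the only explanation of the idstart=1101/idmax=1100 trick (a deliberately depleted DNA range so the replica asks the master for a fresh one) together with the values themselves, and the new `ds.create_replica(...)` call gives no hint of how the range is handled now. If create_replica in dsinstance.py (in the diffstat but not in view) takes those values over, the comment should move there with them; if it dropped them, the replica's DNA behaviour has changed silently and deserves a sentence in the commit message. The rename to install_replica_ds in the @@ -163 hunk presumably has its call site in main() updated in a part of the patch not shown here. install_replica_ds's body continues past the hunk.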
@@ -203,13 +200,16 @@ def install_krb(config, setup_pkinit=False): setup_pkinit, pkcs12_info) def install_ca_cert(config): -if ipautil.file_exists(config.dir + /ca.crt): -try: -shutil.copy(config.dir + /ca.crt, CACERT) -os.chmod(CACERT, 0444) -except Exception, e: -print error copying files: + str(e) -sys.exit(1) +cafile = config.dir + /ca.crt +if not ipautil.file_exists(cafile): +raise RuntimeError(Ca cert file is not available) + +try: +shutil.copy(cafile, CACERT) +os.chmod(CACERT, 0444) +except Exception, e: +print error copying files: + str(e) +sys.exit(1) def install_http(config): # if we have a pkcs12 file, create the cert db from @@ -354,13 +354,16 @@ def main(): if options.setup_pkinit: check_pkinit() +# Install CA cert so that we can do SSL connections with ldap +install_ca_cert(config) + # Try out the password -ldapuri = 'ldap://%s' % config.master_host_name +ldapuri = 'ldaps://%s' % config.master_host_name try: conn = ldap2(shared_instance=False, ldap_uri=ldapuri, base_dn='') -conn.connect( -bind_dn='cn=directory manager',
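Review bot: install_ca_cert in the @@ -203 hunk now has two failure styles: a missing cafile raises RuntimeError while a failed copy still prints and calls sys.exit(1), so the operator sees either a traceback or a one-line message depending on which step fails. The @@ -354 hunk calls it from main() before the first `ldaps://` connection (that hunk's end is outside SOURCE), so unless main() catches RuntimeError a replica file lacking ca.crt presumably ends in a raw traceback; either name the path, `raise RuntimeError("CA cert file %s is not available" % cafile)`, and handle it in main(), or use the same print/sys.exit path as the copy failure. Installing the certificate before the ldaps:// check is the right order, since that file is presumably what lets ldap2 verify the master, and it is the reason the two hunks must stay coupled.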
Re: [Freeipa-devel] [PATCH] 633 add selfservice aci plugin
On 12/07/2010 10:54 PM, Rob Crittenden wrote: Adam Young wrote: On 12/07/2010 04:33 PM, Rob Crittenden wrote: Add plugin for manage self-service ACIs This is just a thin wrapper around the aci plugin, controlling what types of ACIs can be added. Right now only ACIs in the basedn can be managed with this plugin. I've got an e-mail into the UI folks to see if we can enhance this and ask the type of object we're creating a selfservice entry for. This way we can put the aci into the proper container. Otherwise I'm going to need to follow up to this and move a couple of self-service ACI's that are now in containers into the basedn. ticket 531 rob ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel Probably related to the failure above, after that, doin ipa permission-find gave an error with the following in the log: Sun Dec 05 20:09:51 2010] [error] ipa: ERROR: non-public: TypeError: tuple indices must be integers, not str [Sun Dec 05 20:09:51 2010] [error] Traceback (most recent call last): [Sun Dec 05 20:09:51 2010] [error] File /usr/lib/python2.6/site-packages/ipaserver/rpcserver.py, line 211, in wsgi_execute [Sun Dec 05 20:09:51 2010] [error] result = self.Command[name](*args, **options) [Sun Dec 05 20:09:51 2010] [error] File /usr/lib/python2.6/site-packages/ipalib/frontend.py, line 417, in __call__ [Sun Dec 05 20:09:51 2010] [error] ret = self.run(*args, **options) [Sun Dec 05 20:09:51 2010] [error] File /usr/lib/python2.6/site-packages/ipalib/frontend.py, line 690, in run [Sun Dec 05 20:09:51 2010] [error] return self.execute(*args, **options) [Sun Dec 05 20:09:51 2010] [error] File /usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py, line 1228, in execute [Sun Dec 05 20:09:51 2010] [error] more = callback(ldap, entries, truncated, *args, **options) [Sun Dec 05 20:09:51 2010] [error] File /usr/lib/python2.6/site-packages/ipalib/plugins/permission.py, line 313, in post_callback [Sun Dec 05 20:09:51 
2010] [error] if aci['permission'] == entry['cn']: [Sun Dec 05 20:09:51 2010] [error] TypeError: tuple indices must be integers, not str This would be a separate problem, can you file a ticket on it? rob Well, it happened after I applied the patch, so I think it is probably due to the selfservice patch. Is it really a new issue, or is it a regression that shouldn't have been introduced? ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 3] Adding CLI Enable/Disable Operations for SudoRules
This patch address's the CLI Operations needed to toggle enable / disable on the SudoRules. I will need to work with Nalin to adjust the Compat Plugin so that 'disabled' rules are ignored for Compat translation. On 12/8/10 7:39 AM, Endi Sukma Dewata edew...@redhat.com wrote: On 12/7/2010 6:25 PM, JR Aquino wrote: This patch Addresses items: 1. The UI needs a rule status with values active inactive. The CLI doesn't have this attribute. HBAC has ipaenabledflag attribute which can be managed using hbac-enable/disable operations. 2. The UI needs a user category for the Who section. The CLI doesn't have this attribute. HBAC has usercategory attribute which can be managed using hbac-add/mod operations. 3. The UI needs a host category for the Access this host section. The CLI doesn't have this attribute. HBAC has hostcategory attribute which can be managed using hbac-add/mod operations. Hi JR, thanks for the patch. I have tested it, items #2 and #3 work. However, for item #1 it's still missing the sudorule-enable/disable operations which are needed to set the ipaenabledflag. This patch itself is fine, so I pushed it to master. You could submit the enable/disable operations in a separate patch. Thanks! -- Endi S. Dewata freeipa-jraquino-0003-Enable-Disable-SudoRule.patch Description: freeipa-jraquino-0003-Enable-Disable-SudoRule.patch ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 3] Adding CLI Enable/Disable Operations for SudoRules
On 12/8/2010 10:03 AM, JR Aquino wrote: This patch address's the CLI Operations needed to toggle enable / disable on the SudoRules. Thanks for such a quick response! ACK and pushed to master. -- Endi S. Dewata ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 633 add selfservice aci plugin
On 12/08/2010 12:48 PM, Adam Young wrote: On 12/08/2010 11:02 AM, Rob Crittenden wrote: Adam Young wrote: On 12/07/2010 10:54 PM, Rob Crittenden wrote: Adam Young wrote: On 12/07/2010 04:33 PM, Rob Crittenden wrote: Add plugin for manage self-service ACIs This is just a thin wrapper around the aci plugin, controlling what types of ACIs can be added. Right now only ACIs in the basedn can be managed with this plugin. I've got an e-mail into the UI folks to see if we can enhance this and ask the type of object we're creating a selfservice entry for. This way we can put the aci into the proper container. Otherwise I'm going to need to follow up to this and move a couple of self-service ACI's that are now in containers into the basedn. ticket 531 rob ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel Probably related to the failure above, after that, doin ipa permission-find gave an error with the following in the log: Sun Dec 05 20:09:51 2010] [error] ipa: ERROR: non-public: TypeError: tuple indices must be integers, not str [Sun Dec 05 20:09:51 2010] [error] Traceback (most recent call last): [Sun Dec 05 20:09:51 2010] [error] File /usr/lib/python2.6/site-packages/ipaserver/rpcserver.py, line 211, in wsgi_execute [Sun Dec 05 20:09:51 2010] [error] result = self.Command[name](*args, **options) [Sun Dec 05 20:09:51 2010] [error] File /usr/lib/python2.6/site-packages/ipalib/frontend.py, line 417, in __call__ [Sun Dec 05 20:09:51 2010] [error] ret = self.run(*args, **options) [Sun Dec 05 20:09:51 2010] [error] File /usr/lib/python2.6/site-packages/ipalib/frontend.py, line 690, in run [Sun Dec 05 20:09:51 2010] [error] return self.execute(*args, **options) [Sun Dec 05 20:09:51 2010] [error] File /usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py, line 1228, in execute [Sun Dec 05 20:09:51 2010] [error] more = callback(ldap, entries, truncated, *args, **options) [Sun Dec 05 20:09:51 2010] [error] File 
/usr/lib/python2.6/site-packages/ipalib/plugins/permission.py, line 313, in post_callback [Sun Dec 05 20:09:51 2010] [error] if aci['permission'] == entry['cn']: [Sun Dec 05 20:09:51 2010] [error] TypeError: tuple indices must be integers, not str This would be a separate problem, can you file a ticket on it? rob Well, it happened after I applied the patch, so I think it is probably due to the selfservice patch. Is it really a new issue, or is it a regression that shouldn't have been introduced? Ok, not sure how my patch affected this but here is an updated patch with it fixed. rob So far so good, but it still has the issue with the perms being displayed Base64. Note that this is only on what is shown back the the user after they execute the command and are prompted for the permissions ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 636 Properly handle multi-valued attributes when using setattr/addattr
The problem was that the normalizer was returning each value as a tuple which we were then appending to a list, so it looked like [(u'value1',), (u'value2',),...]. If there was a single value we could end up adding a tuple to a list which would fail. Additionally python-ldap doesn't like lists of lists so it was failing later in the process as well. I've added some simple tests for setattr and addattr. ticket 565 rob From 7fcd53c685f981f7fd1343f1145476dd0dca1050 Mon Sep 17 00:00:00 2001 From: Rob Crittenden rcrit...@redhat.com Date: Wed, 8 Dec 2010 13:26:27 -0500 Subject: [PATCH] Properly handle multi-valued attributes when using setattr/addattr. The problem was that the normalizer was returning each value as a tuple which we were then appending to a list, so it looked like [(u'value1',), (u'value2',),...]. If there was a single value we could end up adding a tuple to a list which would fail. Additionally python-ldap doesn't like lists of lists so it was failing later in the process as well. I've added some simple tests for setattr and addattr. ticket 565 --- ipalib/frontend.py | 10 ++- ipalib/plugins/baseldap.py |2 +- tests/test_xmlrpc/objectclasses.py |1 - tests/test_xmlrpc/test_attr.py | 178 4 files changed, 187 insertions(+), 4 deletions(-) create mode 100644 tests/test_xmlrpc/test_attr.py diff --git a/ipalib/frontend.py b/ipalib/frontend.py index ac1f67e..6be50ba 100644 --- a/ipalib/frontend.py +++ b/ipalib/frontend.py @@ -538,9 +538,15 @@ class Command(HasParam): if attr in self.params: value = self.params[attr](value) if append and attr in newdict: -newdict[attr].append(value) +if type(value) in (tuple,): +newdict[attr] += list(value) +else: +newdict[attr].append(value) else: -newdict[attr] = [value] +if type(value) in (tuple,): +newdict[attr] = list(value) +else: +newdict[attr] = [value] return newdict def __attributes_2_entry(self, kw): diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py index 99d3d4f..7413e19 100644 
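Review bot: The two new branches in the @@ -538 hunk repeat the same tuple test and spell it `type(value) in (tuple,)`, which `isinstance(value, tuple)` expresses directly and which also accepts tuple subclasses. Normalising value into a list once and then either extending or assigning removes the duplication; the rewrite is below. If a normalizer can also hand back a list (the commit message only mentions tuples), the check should accept `(list, tuple)`, otherwise a list value is still appended as a nested element. The enclosing method starts before the hunk.
```python
            if attr in self.params:
                value = self.params[attr](value)
            # Normalizers may return a tuple of values; flatten it so the
            # entry holds a flat list rather than a list containing a tuple.
            values = list(value) if isinstance(value, tuple) else [value]
            if append and attr in newdict:
                newdict[attr].extend(values)
            else:
                newdict[attr] = values
```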
--- a/ipalib/plugins/baseldap.py +++ b/ipalib/plugins/baseldap.py @@ -745,7 +745,7 @@ class LDAPUpdate(LDAPQuery, crud.Update): for a in old_entry: if not isinstance(entry_attrs[a], (list, tuple)): entry_attrs[a] = [entry_attrs[a]] -entry_attrs[a] += old_entry[a] +entry_attrs[a] = list(entry_attrs[a]) + old_entry[a] if options.get('all', False): attrs_list = ['*'] + self.obj.default_attributes diff --git a/tests/test_xmlrpc/objectclasses.py b/tests/test_xmlrpc/objectclasses.py index 54c8c28..5f230b4 100644 --- a/tests/test_xmlrpc/objectclasses.py +++ b/tests/test_xmlrpc/objectclasses.py @@ -30,7 +30,6 @@ user = [ u'posixaccount', u'krbprincipalaux', u'krbticketpolicyaux', -u'radiusprofile', u'ipaobject', ] diff --git a/tests/test_xmlrpc/test_attr.py b/tests/test_xmlrpc/test_attr.py new file mode 100644 index 000..523065f --- /dev/null +++ b/tests/test_xmlrpc/test_attr.py 
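Review bot: `entry_attrs[a] = list(entry_attrs[a]) + old_entry[a]` in the @@ -745 hunk only normalises the left operand: the old in-place `+=` accepted any iterable on the right, whereas `list + tuple` raises TypeError, so a tuple-valued old_entry[a] now fails where it previously worked. Wrapping both sides, `entry_attrs[a] = list(entry_attrs[a]) + list(old_entry[a])`, makes the merge independent of whatever value types python-ldap and the normalizers return. The enclosing `for a in old_entry:` loop and LDAPUpdate.execute start before the hunk.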
@@ -0,0 +1,178 @@ +# Authors: +# Rob Crittenden rcrit...@redhat.com +# +# Copyright (C) 2010 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation; version 2 only +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + + +Test --setattr and --addattr + + +from ipalib import api, errors +from tests.test_xmlrpc import objectclasses +from xmlrpc_test import Declarative, fuzzy_digits, fuzzy_uuid + + +user_memberof = (u'cn=ipausers,cn=groups,cn=accounts,%s' % api.env.basedn,) +user1=u'tuser1' + + +class test_attr(Declarative): + +cleanup_commands = [ +('user_del', [user1], {}), +] + +tests = [ + +dict( +desc='Create %r' % user1, +command=( +'user_add', [user1], dict(givenname=u'Test', sn=u'User1') +), +expected=dict( +value=user1, +summary=u'Added user tuser1', +result=dict( +gecos=[user1], +givenname=[u'Test'], +
Re: [Freeipa-devel] [PATCH] 633 add selfservice aci plugin
On 12/08/2010 01:34 PM, Rob Crittenden wrote: Adam Young wrote: On 12/08/2010 12:48 PM, Adam Young wrote: On 12/08/2010 11:02 AM, Rob Crittenden wrote: Adam Young wrote: On 12/07/2010 10:54 PM, Rob Crittenden wrote: Adam Young wrote: On 12/07/2010 04:33 PM, Rob Crittenden wrote: Add plugin for manage self-service ACIs This is just a thin wrapper around the aci plugin, controlling what types of ACIs can be added. Right now only ACIs in the basedn can be managed with this plugin. I've got an e-mail into the UI folks to see if we can enhance this and ask the type of object we're creating a selfservice entry for. This way we can put the aci into the proper container. Otherwise I'm going to need to follow up to this and move a couple of self-service ACI's that are now in containers into the basedn. ticket 531 rob ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel Probably related to the failure above, after that, doin ipa permission-find gave an error with the following in the log: Sun Dec 05 20:09:51 2010] [error] ipa: ERROR: non-public: TypeError: tuple indices must be integers, not str [Sun Dec 05 20:09:51 2010] [error] Traceback (most recent call last): [Sun Dec 05 20:09:51 2010] [error] File /usr/lib/python2.6/site-packages/ipaserver/rpcserver.py, line 211, in wsgi_execute [Sun Dec 05 20:09:51 2010] [error] result = self.Command[name](*args, **options) [Sun Dec 05 20:09:51 2010] [error] File /usr/lib/python2.6/site-packages/ipalib/frontend.py, line 417, in __call__ [Sun Dec 05 20:09:51 2010] [error] ret = self.run(*args, **options) [Sun Dec 05 20:09:51 2010] [error] File /usr/lib/python2.6/site-packages/ipalib/frontend.py, line 690, in run [Sun Dec 05 20:09:51 2010] [error] return self.execute(*args, **options) [Sun Dec 05 20:09:51 2010] [error] File /usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py, line 1228, in execute [Sun Dec 05 20:09:51 2010] [error] more = callback(ldap, entries, truncated, 
*args, **options) [Sun Dec 05 20:09:51 2010] [error] File /usr/lib/python2.6/site-packages/ipalib/plugins/permission.py, line 313, in post_callback [Sun Dec 05 20:09:51 2010] [error] if aci['permission'] == entry['cn']: [Sun Dec 05 20:09:51 2010] [error] TypeError: tuple indices must be integers, not str This would be a separate problem, can you file a ticket on it? rob Well, it happened after I applied the patch, so I think it is probably due to the selfservice patch. Is it really a new issue, or is it a regression that shouldn't have been introduced? Ok, not sure how my patch affected this but here is an updated patch with it fixed. rob So far so good, but it still has the issue with the perms being displayed Base64. Note that this is only on what is shown back the the user after they execute the command and are prompted for the permissions Updated patch attached ACK. Pushed to master rob ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 637 group to group delegation
Round out our trio of access control plugins. This adds group to group delegation where you can grant group A the ability to write a set of attributes of group B (v1-style delegation). rob From e374d8886280d515088c63cc4e0d707e97f0bf42 Mon Sep 17 00:00:00 2001 From: Rob Crittenden rcrit...@redhat.com Date: Wed, 8 Dec 2010 16:50:02 -0500 Subject: [PATCH] Add group to group delegation plugin. This is a thin wrapper around the ACI plugin that manages granting group A the ability to write a set of attributes of group B. ticket 532 --- ipalib/plugins/aci.py | 41 +- ipalib/plugins/delegation.py| 204 +++ tests/test_xmlrpc/test_delegation_plugin.py | 192 + 3 files changed, 434 insertions(+), 3 deletions(-) create mode 100644 ipalib/plugins/delegation.py create mode 100644 tests/test_xmlrpc/test_delegation_plugin.py diff --git a/ipalib/plugins/aci.py b/ipalib/plugins/aci.py index d5f7d99..740be8f 100644 --- a/ipalib/plugins/aci.py +++ b/ipalib/plugins/aci.py @@ -124,6 +124,8 @@ from ipalib import Flag, Int, List, Str, StrEnum from ipalib.aci import ACI from ipalib import output from ipalib import _, ngettext +if api.env.in_server and api.env.context in ['lite', 'server']: +from ldap import explode_dn import logging _type_map = { @@ -272,7 +274,9 @@ def _aci_to_kw(ldap, a, test=False): # See if the target is a group. If so we set the # targetgroup attr, otherwise we consider it a subtree if api.env.container_group in target: -kw['targetgroup'] = unicode(target) +targetdn = unicode(target.replace('ldap:///','')) +(dn, entry_attrs) = ldap.get_entry(targetdn, ['cn']) +kw['targetgroup'] = entry_attrs['cn'][0] else: kw['subtree'] = unicode(target) @@ -655,8 +659,8 @@ class aci_find(crud.Search): # uncomment next line if you add more search criteria # acis = list(results) -for a in acis: -if 'type' in kw: +if 'type' in kw: +for a in acis: if 'target' in a.target: target = a.target['target']['expression'] else: 
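Review bot: The new `ldap.get_entry(targetdn, ['cn'])` lookup in _aci_to_kw (@@ -272 hunk) turns a dangling ACI target — a group deleted after the ACI was written — into a failure of every command that converts that ACI, so one stale entry would presumably make aci-find and aci-show unusable until the ACI is repaired by hand. Falling back to the raw DN when the lookup fails keeps the listing working and makes the stale target visible; see below (ipalib.errors.NotFound is the usual class for this, assuming `errors` is imported in this module, which the hunk does not show). The @@ -124 hunk imports explode_dn only when api.env.context is 'lite' or 'server', while the @@ -681 hunk on the next line calls it unconditionally inside aci_find; that is safe only if aci_find never runs in another context, which a comment on the import should say. _aci_to_kw and aci_find.execute both start before their hunks.
```python
            if api.env.container_group in target:
                targetdn = unicode(target.replace('ldap:///',''))
                try:
                    (dn, entry_attrs) = ldap.get_entry(targetdn, ['cn'])
                    kw['targetgroup'] = entry_attrs['cn'][0]
                except errors.NotFound:
                    # The target group no longer exists; report the DN so the
                    # stale ACI stays visible instead of breaking the listing.
                    kw['targetgroup'] = targetdn
            else:
                kw['subtree'] = unicode(target)
```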
@@ -681,6 +685,37 @@ class aci_find(crud.Search): except ValueError: pass +if 'group' in kw: +for a in acis: +groupdn = a.bindrule['expression'] +groupdn = groupdn.replace('ldap:///','') +cn = None +if groupdn.startswith('cn='): +cn = explode_dn(groupdn)[0] +cn = cn.replace('cn=','') +if cn is None or cn != kw['group']: +try: +results.remove(a) +except ValueError: +pass + +if 'targetgroup' in kw: +for a in acis: +found = False +if 'target' in a.target: +target = a.target['target']['expression'] +if api.env.container_group in target: +targetdn = unicode(target.replace('ldap:///','')) +cn = explode_dn(targetdn)[0] +cn = cn.replace('cn=','') +if cn == kw['targetgroup']: +found = True +if not found: +try: +results.remove(a) +except ValueError: +pass + # TODO: searching by: filter, subtree acis = [] diff --git a/ipalib/plugins/delegation.py b/ipalib/plugins/delegation.py new file mode 100644 index 000..c71c83c --- /dev/null +++ b/ipalib/plugins/delegation.py 
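Review bot: The two new filter loops in the @@ -681 hunk call `results.remove(a)` while iterating `acis`, and the preceding hunk (@@ -655) carries the context `# uncomment next line if you add more search criteria` above the commented `# acis = list(results)`; this commit adds two criteria but leaves that line commented, so if acis still aliases results each removal skips the following element and a non-matching ACI can survive the filter. Uncommenting `acis = list(results)` (or collecting the kept ACIs with a comprehension) fixes all three loops at once. Separately, `cn.replace('cn=','')` strips the prefix anywhere in the value rather than only at the front — `cn = explode_dn(groupdn)[0].split('=', 1)[1]` is the operation intended — and the `==` comparisons against kw['group'] and kw['targetgroup'] are case-sensitive where the directory's cn matching presumably is not. aci_find.execute starts before the hunk.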
@@ -0,0 +1,204 @@ +# Authors: +# Rob Crittenden rcrit...@redhat.com +# +# Copyright (C) 2010 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation; version 2 only +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + +Group to Group Delegation + +A permission enables fine-grained delegation of permissions. Access Control +Rules, or instructions (ACIs), grant permission to permissions to perform +given tasks such as adding a user, modifying a group, etc. +
Re: [Freeipa-devel] [PATCH] sudo and netgroup schema compat updates
I just had a chance to revisit this. It appears that the host piece still doesn't work quite right. This time, I am missing the sudoHost translation entirely. dn: ipaUniqueID=e52c8e06-0315-11e0-b2dd-8a3d259cb0b9,cn=sudorules,dc=example,dc =com objectClass: ipaassociation objectClass: ipasudorule ipaEnabledFlag: TRUE cn: devel ipaUniqueID: e52c8e06-0315-11e0-b2dd-8a3d259cb0b9 memberAllowCmd: cn=readonly,cn=sudocmdgroups,cn=accounts,dc=example,dc=com memberHost: cn=prod,cn=hostgroups,cn=accounts,dc=example,dc=com memberUser: cn=ops,cn=groups,cn=accounts,dc=example,dc=com dn: cn=devel,cn=sudoers,dc=example,dc=com objectClass: sudoRole sudoUser: %ops sudoCommand: /usr/bin/less cn: devel On 11/30/10 3:38 PM, Nalin Dahyabhai na...@redhat.com wrote: This is what I've got now; I think it's correct. - fix quoting in the netgroup compat configuration entry - don't bother looking for members of netgroups by looking for entries which list memberOf: $netgroup -- the netgroup should list them as member or memberUser or memberHost values - use newer slapi-nis functionality to produce cn=sudoers - drop the real cn=sudoers container to make room for the compat container Feel free to adjust the schema-compat-container-group for the cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config entry -- the location of the compat sudo entries is of no concern to me. Cheers, Nalin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 634 fix automount tests
Jakub Hrozek wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 12/07/2010 11:19 PM, Rob Crittenden wrote: While testing Jakub's patch I discovered that the automount tests were pretty badly broken (not related to his changes). This should fix things. rob All tests pass now. Ack pushed to master ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH 4] dbe instead of lde (ipa-compat-manage/ipa-nis-manage)
The error handling refers to `lde`, which is a typo: when the exception occurs due to a database error, it is captured as `dbe`. This is a one-line bug fix for the compat and nis tools. freeipa-jaquino-0004-dbe-instead-of-lde.patch Description: freeipa-jaquino-0004-dbe-instead-of-lde.patch ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] sudo and netgroup schema compat updates
This is what I see when I manually add the ipaSudoRule entry to my test server: dn: cn=devel,cn=sudoers,dc=example,dc=com objectClass: sudoRole sudoUser: %ops sudoHost: auth4.ops.expertcity.com sudoCommand: /usr/bin/less cn: devel That's assuming the group and host entries you're using are still the same as the sample ones from a while back, of course. In the currently proposed configuration, the expansion of memberHost attribute values depends on functionality that's new in slapi-nis 0.20 and later. Which version are you using? Nalin After a refresh: I can confirm that I also have the same info as you. I guess the piece that is still missing then is: Instead of: sudoHost: hostname.com It should be: sudoHost: +production - which is the group assigned to the ipasudorule. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] sudo and netgroup schema compat updates
On Wed, Dec 08, 2010 at 11:12:34PM +, JR Aquino wrote: I guess the piece that is still missing then is: Instead of: sudoHost: hostname.com It should be: sudoHost: +production - which is the group assigned to the ipasudorule. The memberHost cn=prod,cn=hostgroups,cn=accounts,dc=example,dc=com in the rule is a hostgroup but not a netgroup, so I think it's doing the right thing by resolving the group down to its members' names. Nalin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH/0028] Make selfsign CA creation an independent step
When we are creating a selfsign file based CA, do it at the same time we would do the dogtag CA creation instead of doing it within the dsinstance. Also move around or changes some other related minor details to clean-up a bit the code. Automatically publishes the CA cert to /etc/ipa/ca.crt, this fixes #544 as now the code gets the cert from there and the cert is put there at CA creation time before any instance has been invoked. Simo. -- Simo Sorce * Red Hat, Inc * New York From f9e2aa80f4a259895bd3349b90650550201c1139 Mon Sep 17 00:00:00 2001 From: Simo Sorce sso...@redhat.com Date: Wed, 8 Dec 2010 16:35:12 -0500 Subject: [PATCH 2/2] Move Selfsigned CA creation out of dsinstance This allows us to have the CA ready to serve out certs for any operation even before the dsinstance is created. The CA is independent of the dsinstance anyway. Also fixes: https://fedorahosted.org/freeipa/ticket/544 --- install/tools/ipa-replica-install|2 +- install/tools/ipa-replica-prepare| 13 ++- install/tools/ipa-server-certinstall |2 +- install/tools/ipa-server-install | 13 +-- ipaserver/install/cainstance.py | 10 +++--- ipaserver/install/certs.py | 10 +- ipaserver/install/dsinstance.py |9 ++--- ipaserver/install/httpinstance.py| 56 -- ipaserver/install/krbinstance.py |9 ++ 9 files changed, 62 insertions(+), 62 deletions(-) diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install index 46153565f11239ec487e59dc712bdc54eca23763..91f91e6cc764273feaba1848f299de1d7c0bc69b 100755 --- a/install/tools/ipa-replica-install +++ b/install/tools/ipa-replica-install 
@@ -158,7 +158,7 @@ def install_ca(config): cs = cainstance.CADSInstance() cs.create_instance(config.ds_user, config.realm_name, config.host_name, config.domain_name, config.dirman_password) -ca = cainstance.CAInstance(config.realm_name) +ca = cainstance.CAInstance(config.realm_name, certs.NSS_DIR) ca.configure_instance(pkiuser, config.host_name, config.dirman_password, config.dirman_password, pkcs12_info=(cafile,), master_host=config.master_host_name, subject_base=config.subject_base) return ca diff --git a/install/tools/ipa-replica-prepare b/install/tools/ipa-replica-prepare index d70741f1a1208ca6a2a1a6cad4d09ae4962b8040..b9e3425ea5636f3e3be9855dd7653d624665d4ea 100755 --- a/install/tools/ipa-replica-prepare +++ b/install/tools/ipa-replica-prepare @@ -27,7 +27,7 @@ import krbV from optparse import OptionParser from ipapython import ipautil -from ipaserver.install import bindinstance, dsinstance, installutils, certs, httpinstance +from ipaserver.install import bindinstance, dsinstance, installutils, certs from ipaserver.install.bindinstance import add_zone, add_reverze_zone, add_rr, add_ptr_rr from ipaserver.plugins.ldap2 import ldap2 from ipapython import version @@ -123,14 +123,9 @@ def export_certdb(realm_name, ds_dir, dir, passwd_fname, fname, hostname, subjec try: self_signed = certs.ipa_self_signed() -db = certs.CertDB(dir, realm_name, subject_base=subject_base) +db = certs.CertDB(realm_name, nssdir=dir, subject_base=subject_base) db.create_passwd_file() -#if self_signed: -#ca_db = certs.CertDB(dsinstance.config_dirname(dsinstance.realm_to_serverid(realm_name))) -#db.create_from_cacert(ca_db.cacert_fname) -#else: -#ca_db = certs.CertDB(httpinstance.NSS_DIR, host_name=api.env.host) -ca_db = certs.CertDB(httpinstance.NSS_DIR, realm_name, host_name=api.env.host, subject_base=subject_base) +ca_db = certs.CertDB(realm_name, host_name=api.env.host, subject_base=subject_base) if is_kdc: ca_db.create_kdc_cert(KDC-Cert, hostname, dir) else: 
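Review bot: In the @@ -123 hunk of ipa-replica-prepare, `self_signed = certs.ipa_self_signed()` is kept while the commented-out block that was its only visible consumer is deleted, so unless self_signed is read further down export_certdb it is now a dead call; either drop the line or use it. The CertDB constructor change (realm first, `nssdir=` keyword) is applied consistently in the hunks shown here and in ipa-server-certinstall on the next line, but certs.py is in the diffstat without its hunk in view, so the default NSS directory used when the keyword is omitted cannot be checked from this page. export_certdb and install_ca both start before their hunks.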
@@ -177,7 +172,7 @@ def export_ra_pkcs12(dir, dm_password): try: try: -db = certs.CertDB(httpinstance.NSS_DIR, api.env.realm, host_name=api.env.host) +db = certs.CertDB(api.env.realm, host_name=api.env.host) if db.has_nickname(ipaCert): pkcs12_fname = %s/ra.p12 % dir diff --git a/install/tools/ipa-server-certinstall b/install/tools/ipa-server-certinstall index 4b460535dbce22eb907c9ff195a7c5b1272dec1d..5c6b25bc7272768af03288a8cc4404fedf8c64e4 100755 --- a/install/tools/ipa-server-certinstall +++ b/install/tools/ipa-server-certinstall @@ -89,7 +89,7 @@ def choose_server_cert(server_certs): return server_certs[num - 1] def import_cert(dirname, pkcs12_fname, pkcs12_passwd, db_password): -cdb = certs.CertDB(dirname, api.env.realm) +cdb = certs.CertDB(api.env.realm, nssdir=dirname) cdb.create_passwd_file(db_password) cdb.create_certdbs() [pw_fd, pw_name] = tempfile.mkstemp() diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index