[Freeipa-devel] [PATCH] 023 Clarify ipa-replica-install error message
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Just a cosmetic fix to the replica installation error message, there's no ticket for this. -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk0HR9EACgkQHsardTLnvCUYBgCeObN9/PWMNKGf8/TWXKglJd/i /awAn1Opj+qq5uk7yHnuNyT33nVo8eRi =MXfi -END PGP SIGNATURE- From 55795db0250b711a74ce300e55ecf26a08aa4f34 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek jhro...@redhat.com Date: Tue, 23 Nov 2010 13:22:56 +0100 Subject: [PATCH] Clarify ipa-replica-install error message --- install/tools/ipa-replica-install |4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install index c9df2dd..0c13ad0 100755 --- a/install/tools/ipa-replica-install +++ b/install/tools/ipa-replica-install @@ -366,10 +366,10 @@ def main(): tls_cacertfile=CACERT) try: entry = conn.find_entries(u'fqdn=%s' % host, ['dn', 'fqdn'], u'%s,%s' % (api.env.container_host, api.env.basedn)) -print The host %s already exists.\n % host +print The host %s already exists on the master server. Depending on your configuration, you may perform the following:\n % host print Remove the replication agreement, if any: print %% ipa-replica-manage del %s % host -print Remove the host continue: +print Remove the host entry: print %% ipa host-del %s % host sys.exit(3) except errors.NotFound: -- 1.7.3.2 freeipa-jhrozek-023-Clarify-ipa-replica-install-error-message.patch.sig Description: PGP signature ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
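Review bot: In the ipa-replica-install hunk, the new first message line packs two sentences and the trailing \n into one print statement that runs far past 80 columns; split it into two print statements, one for "already exists on the master server" and one for "Depending on your configuration, you may perform the following:", so it matches the short print lines that follow. Since sys.exit(3) comes right after the instructions, it would also help to say in the message that the installation was aborted and has to be re-run once the cleanup is done.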
[Freeipa-devel] [PATCH] 022 Check the number of fields when importing automount maps
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 https://fedorahosted.org/freeipa/ticket/359 Sending this separately from the other automount changes since those are more intrusive and may be under review for a while. -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk0HR8sACgkQHsardTLnvCUbOwCgzgiTsGH9dEcaUqwIxnyFqPPO 6WMAnjuetAFyQ00ynjsHw1gxd7llsM6U =5Feo -END PGP SIGNATURE- From d704cbb5ecadd3302375fa8ca2e7e0aa01962ca2 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek jhro...@redhat.com Date: Wed, 8 Dec 2010 13:58:16 -0500 Subject: [PATCH] Check the number of fields when importing automount maps https://fedorahosted.org/freeipa/ticket/359 --- ipalib/plugins/automount.py |3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) diff --git a/ipalib/plugins/automount.py b/ipalib/plugins/automount.py index 5689524..7cc7a14 100644 --- a/ipalib/plugins/automount.py +++ b/ipalib/plugins/automount.py @@ -351,6 +351,9 @@ class automountlocation_import(LDAPQuery): if len(m) == 0: continue am = m.split(None) +if len(am) 2: +continue + if am[1].startswith('/'): mapfile = am[1].replace('','') am[1] = os.path.basename(am[1]) -- 1.7.3.2 freeipa-jhrozek-022-Check-the-number-of-fields-when-importing-automount-.patch.sig Description: PGP signature ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
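Review bot: The added field-count check in automountlocation_import drops a short line with a bare continue, so a malformed entry in the imported master map is skipped without any message to the admin. Consider recording the skipped line and reporting it in the command result, or raising a validation error, because the import otherwise looks complete when it is not. A one-line comment noting that the following lines index am[1] would explain why two fields are required, and a test with a single-field line would pin the behaviour down.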
[Freeipa-devel] [PATCH] 021 Make the IPA installer IPv6 friendly
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 This is a first patch towards IPv6 support. Currently it only touches the installer only as other changes will be fully testable only when python-nss is IPv6 ready. Changes include: * parse records in dnsclient * also ask for records when verifying FQDN * do not use functions that are not IPv6 aware - notably socket.gethostbyname(). The complete list of functions was taken from http://www.akkadia.org/drepper/userapi-ipv6.html section Interface Checklist -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk0HR8IACgkQHsardTLnvCU/jQCePrBXG+2NTDmfq1y3BgQIaHMl eH8AnAivy5jA3YQP1JXznBg/IubD3lLG =m52C -END PGP SIGNATURE- From 66376ec364e5a5f5d42492d42412b4ea0893ea99 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek jhro...@redhat.com Date: Wed, 1 Dec 2010 17:22:56 +0100 Subject: [PATCH] Make the IPA installer IPv6 friendly Notable changes include: * parse records in dnsclient * also ask for records when verifying FQDN * do not use functions that are not IPv6 aware - notably socket.gethostbyname() The complete list of functions was taken from http://www.akkadia.org/drepper/userapi-ipv6.html section Interface Checklist --- install/tools/ipa-dns-install | 21 --- install/tools/ipa-replica-install | 14 +++-- install/tools/ipa-server-install | 27 + ipapython/dnsclient.py| 19 ++- ipaserver/install/installutils.py | 109 +++-- ipaserver/install/krbinstance.py |2 +- 6 files changed, 121 insertions(+), 71 deletions(-) diff --git a/install/tools/ipa-dns-install b/install/tools/ipa-dns-install index bf6679e..a91938f 100755 --- a/install/tools/ipa-dns-install +++ b/install/tools/ipa-dns-install 
@@ -62,16 +62,19 @@ def parse_options(): def resolve_host(host_name): ip = None try: -ip = socket.gethostbyname(host_name) - -if ip == 127.0.0.1 or ip == ::1: -print The hostname resolves to the localhost address (127.0.0.1/::1) -print Please change your /etc/hosts file so that the hostname -print resolves to the ip address of your network interface. -print -print Please fix your /etc/hosts file and restart the setup program -return None - +addrinfos = socket.getaddrinfo(host_name, None, + socket.AF_UNSPEC, socket.SOCK_DGRAM) +for ai in addrinfos: +ip = ai[4][0] +if ip == 127.0.0.1 or ip == ::1: +print The hostname resolves to the localhost address (127.0.0.1/::1) +print Please change your /etc/hosts file so that the hostname +print resolves to the ip address of your network interface. +print +print Please fix your /etc/hosts file and restart the setup program +return None + +ip = addrinfos[0][4][0] except: print Unable to lookup the IP address of the provided host return ip diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install index 0c13ad0..5ff50f1 100755 --- a/install/tools/ipa-replica-install +++ b/install/tools/ipa-replica-install @@ -126,12 +126,14 @@ def get_host_name(no_host_dns): return hostname def resolve_host(host_name): -ip = socket.gethostbyname(host_name) - -if ip == 127.0.0.1 or ip == ::1: -raise HostnameLocalhost - -return ip +addrinfos = socket.getaddrinfo(host_name, None, + socket.AF_UNSPEC, socket.SOCK_STREAM) +for ai in addrinfos: +ip = ai[4][0] +if ip == 127.0.0.1 or ip == ::1: +raise HostnameLocalhost + +return addrinfos[0][4][0] def set_owner(config, dir): pw = pwd.getpwnam(config.ds_user) diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index 0a1f1c5..7c1f3c2 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install 
@@ -279,19 +279,22 @@ def read_host_name(host_default,no_host_dns=False): return host_name def resolve_host(host_name): -ip = +ip = None try: -ip = socket.gethostbyname(host_name) - -if ip == 127.0.0.1 or ip == ::1: -print The hostname resolves to the localhost address (127.0.0.1/::1) -print Please change your /etc/hosts file so that the hostname -print resolves to the ip address of your network interface. -print The KDC service does not listen on localhost -print -print Please fix your /etc/hosts file and restart the setup program -return None +addrinfos = socket.getaddrinfo(host_name, None, + socket.AF_UNSPEC, socket.SOCK_DGRAM) +for ai in addrinfos: +ip =
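Review bot: In resolve_host in ipa-dns-install (and the same loop in the ipa-server-install hunk), the loopback test still compares each address against the two literals 127.0.0.1 and ::1, so any other address in 127.0.0.0/8 passes the check. Now that every getaddrinfo result is walked, testing the parsed address rather than string equality would be more robust. The unchanged bare except: in ipa-dns-install also hides the difference between a resolver failure and a bug in the new loop; catching the socket error classes only would be narrower.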
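Review bot: The resolve_host copies disagree on the socket type: the ipa-replica-install hunk passes socket.SOCK_STREAM while ipa-dns-install and ipa-server-install pass socket.SOCK_DGRAM. Only ai[4][0] is used, so pick one value and, given that the diffstat already touches ipaserver/install/installutils.py, consider one shared helper there instead of three near-identical bodies. The visible copies return addrinfos[0][4][0], so on a dual-stack host the caller gets whichever family the resolver sorts first; a comment saying that this is intended would help.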
Re: [Freeipa-devel] ACI permissions UI up for review
Dmitri Pal wrote:

In addition to the issues I explain above here is what I also noticed:

1) As we mentioned there is no Description in ACI. The description and name is the same field for ACI.

Description is in the Meta data, and gets returned with ipa permission_show, role_show, and privilege_show

May be but I was under impression that the name and description is really the same.

name is the name of the permission. description is the name/description part of the ACI.

2) There is a label it is the name of the task group the ACI is associated with - it is missing

It is not in the metadata.

Then it should be unless we can always name it the same way as name, but as far as I understand this is not the case right now. Rob?

I need more context. Also we need to be sure to use the current terms, there is no task group any more.

3) Rest of the screen does not make much sense at all but the attribute part seems fine.

4) I do not like some of the levels on the left in the menu. It is all mixed up.

5) The Privileges, Permissions and Role Groups are jumping and changing places depending on your selection - this is wrong. They should just expand.

They do just expand and contract, but we don't have any animation in there. The order stays the same, but the area under each one either shows or hides the controls.

No, the one you click bubbles to the top at least for me.

6) The hierarchy is broken for permissions

What hierarchy?

The LIST PERMISSIONS is now on the same level as Permissions - this is wrong.
Re: [Freeipa-devel] ACI permissions UI up for review
Dmitri Pal wrote:
Adam Young wrote:
On 12/13/2010 11:27 AM, Dmitri Pal wrote:

Sorry this whole part just does not make sense to me. What is the target group? Where it came from?

One ACI that uses this is 'add_user_to_default_group'. This is used in the permission 'useradmin'. The json response for permission-show looks like this:

    {
        "error": null,
        "id": 2,
        "result": {
            "result": {
                "attributelevelrights": {
                    "aci": "rscwo",
                    "businesscategory": "rscwo",
                    "cn": "rscwo",
                    "description": "rscwo",
                    "member": "rscwo",
                    "nsaccountlock": "rscwo",
                    "o": "rscwo",
                    "objectclass": "rscwo",
                    "ou": "rscwo",
                    "owner": "rscwo",
                    "seealso": "rscwo"
                },
                "attrs": [
                    "member"
                ],
                "cn": [
                    "add_user_to_default_group"
                ],
                "description": [
                    "Add user to default group"
                ],
                "dn": "cn=add_user_to_default_group,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
                "member_privilege": [
                    "useradmin"
                ],
                "objectclass": [
                    "top",
                    "groupofnames"
                ],
                "permissions": [
                    "write"
                ],
                "targetgroup": "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com"
            },
            "summary": null,
            "value": "add_user_to_default_group"
        }
    }

IMO this is a special case and should end up in the generic LDAP filter. Rob it seems this case is unclear and we need to sort it out.

A targetgroup lets you manage a specific group. In this case it grants permission to manage the membership of the ipausers group.

rob
Re: [Freeipa-devel] [PATCH] 649 metadata for delegation and selfservice
On 12/13/2010 11:15 PM, Rob Crittenden wrote:

This is metadata for the UI. Adam, I took a guess at the things you need, not everything is defined since these aren't using the baseldap class (doesn't really make sense to since there isn't an object backing them). Let me know if I missed something.

rob

ACK, pushed to master. I think this covers everything, but if not, I can add it in.

Thanks
[Freeipa-devel] Plans for bind-dyndb-ldap
FreeIPA v2 DNS integration relies on a BIND plugin to store the DNS data in LDAP, which was written by Martin Nagy. Martin, who left the FreeIPA development team some time ago was the only person with commit access to this repository, leaving it both unmaintained and uneditable.

We need to discuss how to proceed with this dependency on FreeIPA. Originally, Martin's plan was to campaign for this plugin's acceptance into the BIND upstream, and to terminate the separate bind-dyndb-ldap project. I think that this is a valuable long-term goal, but we need to discuss shorter-term needs.

As we work to finalize FreeIPA v2, it's very likely that we will discover one or more bugs in bind-dyndb-ldap. If this happens, we will have to provide patches and get them included in Fedora. However, Fedora has a strong policy against shipping patches that aren't upstream, and we have no way currently of pushing them upstream.

So I figure that we have the following options to consider:

1) Petition the Fedora Infrastructure team to turn over ownership of this upstream project. This is likely to meet with resistance without the input of the current owner (who is more or less unreachable at this point). The bind-dyndb-ldap project was initiated with FreeIPA as its primary patron, but I'm not certain this would be sufficient argument to the admins to annex the project.

2) Open dialog with the BIND upstream and push very hard to merge this code into their mainline, then involve ourselves with their process to push patches. This is probably our best long-term approach, but currently we have no control over when the ldap plugin would be merged, and how soon afterwards that it would be pushed into Fedora.

3) Fork bind-dyndb-ldap into a new project that we maintain and include in Fedora. This is the least controversial approach, as it will involve no difficult political maneuvering to include. However, it also requires an additional effort in setting up a new project and getting packages approved in Fedora.

--
Stephen Gallagher
RHCE 804006346421761
Re: [Freeipa-devel] Plans for bind-dyndb-ldap
On 12/14/2010 01:57 PM, Stephen Gallagher wrote:

1) Petition the Fedora Infrastructure team to turn over ownership of this upstream project. This is likely to meet with resistance without the input of the current owner (who is more or less unreachable at this point). The bind-dyndb-ldap project was initiated with FreeIPA as its primary patron, but I'm not certain this would be sufficient argument to the admins to annex the project.

Apparently, this was indeed sufficient to take over the project. I've been made the project sponsor, and I've granted Simo commit privilege as well. So we should be alright to make fixes as needed from now on.

--
Stephen Gallagher
RHCE 804006346421761
Re: [Freeipa-devel] [PATCH] Account activation adjustment
On 12/09/2010 05:02 PM, Endi Sukma Dewata wrote:
On 12/9/2010 3:17 PM, Endi Sukma Dewata wrote:

Please review the attached patch. This should fix this bug: https://fedorahosted.org/freeipa/ticket/462

The user details facet has been modified such that when the account is activated/deactivated the page will be reloaded. Some methods in the framework have been changed:

- The ipa_widget.clear() has been removed because it can be replaced by existing reset().
- The ipa_widget.set_values() has been renamed into update().

Forgot to include the latest changes. Attached is a new patch. Thanks!

ACK. Pushed to master