Re: [Freeipa-devel] [PATCH] 664 entitlement support

2011-01-05 Thread Dmitri Pal
Rob Crittenden wrote:
> Dmitri Pal wrote:
>> Rob Crittenden wrote:
>>> This patch adds a plugin and tools for managing entitlements for host
>>> machines.
>>>
>>> Testing is rather complex so I've attached a script to help set up the
>>> Candlepin server. You'll need to ping me out of band for the backend
>>> data. This configures the Candlepin server with an in-memory database
>>> so any time tomcat6 is restarted you'll need to reload the data.
>>>
>>> You have to run candlepin.setup as root. This will configure your
>>> Fedora tomcat6 instance.
>>>
>>> Once your candlepin server is setup and IPA is installed do something
>>> like:
>>>
>>> $ ipa entitle-register admin
>>> (password is admin)
>>>
>>> $ ipa entitle-consume 25
>>>
>>> $ ipa entitle-status
>>> (verify that it is 25)
>>>
>>> # ipa-compliance
>>> (should be 1 of 50)
>>>
>>> Our tools can consume only, not return entitlements.
>>>
>>> tickets 28, 79 and 278.
>>>
>>> rob
>> Does the patch include all items from ticket 79? Should we split the
>> ticket, especially third bullet and treat it separately? Is it
>> addressed, do we still plan to provide a query in the docs?
>> Once Nalin created something like this:
>>
>> Date comparisons in LDAP search filters compare using the ISO
>> representation of the time, given in MMDDHHMMSSZ form, which is more
>> or less what they look like on the wire.  For example, search for people
>> hired at Red Hat since Sunday:
>>
>>   ldapsearch -x -h ldap.corp.redhat.com -b dc=redhat,dc=com \
>>     "(rhathiredate>=20100411Z)" cn
>>
>> The KDC (in 1.8 and later) will update krbLastSuccessfulAuth,
>> krbLastFailedAuth, and krbLoginFailedCount when a client attempts to
>> authenticate, so I expect that the search filter would look something
>> like this:
>>
>>   
>> "(&(|(krbLastFailedAuth>=20100411Z)(krbLastSuccessfulAuth>=20100411Z))(krbPrincipalName=*))"
>>
>>
>> Keep in mind that we probably don't index either "krbLastFailedAuth" or
>> "krbLastSuccessfulAuth" for searching, so the search would probably take
>> a while to run.
>
> No, the patch does not have the "find old hosts" part in it.
>
> I was planning to only test for krbLastSuccessfulAuth. Since this is a
> keytab I seriously doubt it will ever have a failed auth. I was going
> to update the ticket with the query and provide it to David for
> documentation.
>

This is sufficient.

>> Does the patch include cron job to run license check and log into the
>> syslog the results if you are out of compliance?
>
> Yes.
>
>> Does it count the servers and the clients i.e all the entries that have
>> a host principal and a keytab?
>
> Yes.
>
>> I have seen a FIXME comment in one of the patches below. Is this
>> intended or omission?
>
> Unrelated to this feature and not show-stoppers, just recognizing some
> limitations.
>
> rob
>
Thanks!


> ___
> Freeipa-devel mailing list
> Freeipa-devel@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH] 664 entitlement support

2011-01-05 Thread Rob Crittenden

Dmitri Pal wrote:
> Rob Crittenden wrote:
>> This patch adds a plugin and tools for managing entitlements for host
>> machines.
>>
>> Testing is rather complex so I've attached a script to help set up the
>> Candlepin server. You'll need to ping me out of band for the backend
>> data. This configures the Candlepin server with an in-memory database
>> so any time tomcat6 is restarted you'll need to reload the data.
>>
>> You have to run candlepin.setup as root. This will configure your
>> Fedora tomcat6 instance.
>>
>> Once your candlepin server is setup and IPA is installed do something
>> like:
>>
>> $ ipa entitle-register admin
>> (password is admin)
>>
>> $ ipa entitle-consume 25
>>
>> $ ipa entitle-status
>> (verify that it is 25)
>>
>> # ipa-compliance
>> (should be 1 of 50)
>>
>> Our tools can consume only, not return entitlements.
>>
>> tickets 28, 79 and 278.
>>
>> rob
> Does the patch include all items from ticket 79? Should we split the
> ticket, especially third bullet and treat it separately? Is it
> addressed, do we still plan to provide a query in the docs?
> Once Nalin created something like this:
>
> Date comparisons in LDAP search filters compare using the ISO
> representation of the time, given in MMDDHHMMSSZ form, which is more
> or less what they look like on the wire.  For example, search for people
> hired at Red Hat since Sunday:
>
>    ldapsearch -x -h ldap.corp.redhat.com -b dc=redhat,dc=com \
>      "(rhathiredate>=20100411Z)" cn
>
> The KDC (in 1.8 and later) will update krbLastSuccessfulAuth,
> krbLastFailedAuth, and krbLoginFailedCount when a client attempts to
> authenticate, so I expect that the search filter would look something
> like this:
>
> "(&(|(krbLastFailedAuth>=20100411Z)(krbLastSuccessfulAuth>=20100411Z))(krbPrincipalName=*))"
>
> Keep in mind that we probably don't index either "krbLastFailedAuth" or
> "krbLastSuccessfulAuth" for searching, so the search would probably take
> a while to run.

No, the patch does not have the "find old hosts" part in it.

I was planning to only test for krbLastSuccessfulAuth. Since this is a
keytab I seriously doubt it will ever have a failed auth. I was going to
update the ticket with the query and provide it to David for documentation.

> Does the patch include cron job to run license check and log into the
> syslog the results if you are out of compliance?

Yes.

> Does it count the servers and the clients i.e all the entries that have
> a host principal and a keytab?

Yes.

> I have seen a FIXME comment in one of the patches below. Is this
> intended or omission?

Unrelated to this feature and not show-stoppers, just recognizing some
limitations.


rob
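
An added example (not code from this thread or from the IPA patch) of the "find old hosts" query discussed above, restricted to krbLastSuccessfulAuth as in the reply. It goes beyond the quoted filter by also building the complementary stale-host filter, and it assumes full 14-digit UTC GeneralizedTime values and host principals named host/...; the function names and sample entries are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Full GeneralizedTime form (YYYYMMDDHHMMSSZ, UTC). Because the width is
# fixed, plain string comparison orders the values chronologically.
GT_FORMAT = "%Y%m%d%H%M%SZ"
AUTH_ATTR = "krbLastSuccessfulAuth"        # attribute named in the thread
HOST_CLAUSE = "(krbPrincipalName=host/*)"  # assumption: host principals only


def generalized_time(moment):
    """Render a timezone-aware datetime as GeneralizedTime in UTC."""
    if moment.tzinfo is None:
        raise ValueError("naive datetime: the zone must be explicit")
    return moment.astimezone(timezone.utc).strftime(GT_FORMAT)


def active_filter(cutoff):
    """Hosts with a successful authentication at or after the cutoff."""
    return "(&%s(%s>=%s))" % (HOST_CLAUSE, AUTH_ATTR, generalized_time(cutoff))


def stale_filter(cutoff):
    """Hosts with no successful authentication at or after the cutoff.

    LDAP filters have no strict '<', so the '>=' test is negated instead.
    The explicit absence clause covers hosts that have never authenticated,
    which a bare 'attr<=cutoff' comparison would silently leave out.
    """
    ts = generalized_time(cutoff)
    return "(&%s(|(!(%s=*))(!(%s>=%s))))" % (HOST_CLAUSE, AUTH_ATTR, AUTH_ATTR, ts)


def classify(entries, cutoff):
    """Client-side mirror of the two filters, for checking the logic offline."""
    ts = generalized_time(cutoff)
    active, stale = [], []
    for entry in entries:
        principals = entry.get("krbPrincipalName", [])
        if not any(p.startswith("host/") for p in principals):
            continue  # not a host principal, so not counted
        last = entry.get(AUTH_ATTR)
        bucket = active if last is not None and last >= ts else stale
        bucket.append(entry["fqdn"])
    return active, stale


# Constructed sample entries (not real directory data).
SAMPLE_ENTRIES = [
    {"fqdn": "web1.example.com",
     "krbPrincipalName": ["host/web1.example.com@EXAMPLE.COM"],
     "krbLastSuccessfulAuth": "20100412083000Z"},
    {"fqdn": "db1.example.com",
     "krbPrincipalName": ["host/db1.example.com@EXAMPLE.COM"],
     "krbLastSuccessfulAuth": "20091201120000Z"},
    {"fqdn": "new1.example.com",   # enrolled, never authenticated
     "krbPrincipalName": ["host/new1.example.com@EXAMPLE.COM"]},
    {"uid": "alice",               # user principal, must be ignored
     "krbPrincipalName": ["alice@EXAMPLE.COM"],
     "krbLastSuccessfulAuth": "20100412090000Z"},
    {"fqdn": "edge1.example.com",  # exactly at the cutoff
     "krbPrincipalName": ["host/edge1.example.com@EXAMPLE.COM"],
     "krbLastSuccessfulAuth": "20100411000000Z"},
]

if __name__ == "__main__":
    cutoff = datetime(2010, 4, 11, tzinfo=timezone.utc)
    print(active_filter(cutoff))
    print(stale_filter(cutoff))
    print(classify(SAMPLE_ENTRIES, cutoff))
```

As noted in the thread, the attribute is probably not indexed, so either filter is best run from a scheduled job rather than interactively.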



Re: [Freeipa-devel] [PATCH] Use AJAX status text as default error message.

2011-01-05 Thread Adam Young

On 01/05/2011 02:50 PM, Adam Young wrote:
> On 01/05/2011 02:22 PM, Endi Sukma Dewata wrote:
>> Hi,
>>
>> The attached patch should fix the following bug:
>> https://fedorahosted.org/freeipa/ticket/669
>> It now shows the server's actual response: "Internal Server Error".
>>
>> Additional improvements can be done by validating the input on client
>> side and/or server side.
>
> ACK

Pushed to master

Re: [Freeipa-devel] [PATCH] Translate IA5Str parameters the editable text fields in the webUI.

2011-01-05 Thread Adam Young

On 01/01/2011 09:04 PM, Adam Young wrote:
> On 12/30/2010 11:27 AM, Pavel Zůna wrote:
>> On 2010-12-30 10:29, Pavel Zůna wrote:
>>> Fix #684
>>>
>>> Pavel
>>
>> Left some debugging output in the original patch. Fixed version
>> attached.
>>
>> Pavel
>
> ACK

pushed to master

[Freeipa-devel] [PATCH] 665 simple build instructions

2011-01-05 Thread Rob Crittenden
Here are some simple instructions to get a new IPA developer pointed in 
the right direction.


ticket 314

rob
From b086ad411ce236eead7e49d46a72b750e1d61811 Mon Sep 17 00:00:00 2001
From: Rob Crittenden 
Date: Wed, 5 Jan 2011 15:01:59 -0500
Subject: [PATCH] Simple instructions to start developing IPA.

ticket 314
---
 BUILD.txt |   75 +
 1 files changed, 75 insertions(+), 0 deletions(-)
 create mode 100644 BUILD.txt

diff --git a/BUILD.txt b/BUILD.txt
new file mode 100644
index 000..bce7d7c
--- /dev/null
+++ b/BUILD.txt
@@ -0,0 +1,75 @@
+Here is a quickie guide to get you started in IPA development.
+
+Dependencies
+
+
+The quickest way to get the dependencies needed for building is:
+
+# yum install rpm-build `grep "^BuildRequires" ipa.spec.in | awk '{ print $2 }' | grep -v "^/"` 
+
+This is currently (01/05/11):
+
+yum install 389-ds-base-devel mozldap-devel svrcore-devel nspr-devel \
+openssl-devel openldap-devel e2fsprogs-devel krb5-devel nss-devel \
+libcap-devel python-devel autoconf automake libtool popt-devel m4 \
+policycoreutils python-setuptools python-krbV xmlrpc-c-devel \
+libcurl-devel gettext authconfig libuuid-devel
+
+Building
+
+
+From the root of the source tree run:
+$ make rpms
+
+The resulting rpm packages are in dist/rpms:
+
+# rpm -Uvh dist/rpms/*
+# ipa-server-install
+
+It may be possible to do a simple make all install but this has not been
+well-tested. Additional work is done in pre/post install scripts in the ipa
+spec file.
+
+Developing plugins.
+-
+
+It is possible to do management plugin development within the source tree.
+
+To start with, you need a full IPA install on the current system. Build and
+install the rpms and then configure IPA using ipa-server-install.
+
+Get a TGT for the admin user with: kinit admin
+
+Next you'll need 2 sessions in the source tree. In the first session run
+python lite-server.py. In the second session you can run the ./ipa
+tool and it will make requests to the lite-server listening on 127.0.0.1:8080.
+
+This makes develping plugins much faster and you can also make use of the
+Python pdb debugger on the server side.
+
+You'll find you may need to refresh the underlying build if schema or other
+changes are required.
+
+Testing
+---
+
+We use python nosetests to test for regressions in the management framework
+and plugins. You'll need the python-nose package installed to run the tests.
+
+To run all of the tests you will need 2 sessions, one to run the lite-server
+and the other to execute the tests. You'll also need a TGT before starting
+the lite-server:
+
+% kinit admin
+% make test
+
+Some tests may be skipped. For example, all the XML-RPC tests will be skipped
+if you haven't started the lite-server. The DNS tests will be skipped if
+the underlying IPA installation doesn't configure DNS, etc.
+
+General Notes
+-
+IPA is not relocatable.
+
+When building rpms the version contains the GIT id in the version. To prevent
+this pass the argument IPA_VERSION_IS_GIT_SNAPSHOT=yes to make.
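Review bot: In General Notes at the end of BUILD.txt, "To prevent this pass the argument IPA_VERSION_IS_GIT_SNAPSHOT=yes to make" reads backwards: a variable with that name set to yes would be expected to put the GIT id into the version, not keep it out, so please confirm the intended value and reword the sentence. Two smaller points in the same file: "develping" in the plugin section should be "developing", and the Testing section says the lite-server has to be running in a second session while the command listing shows only "kinit admin" and "make test"; adding the "python lite-server.py" step there would make the listing complete.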
-- 
1.7.3.4


[Freeipa-devel] [PATCH] admiyo-0127-add-missing-files-in-rpm

2011-01-05 Thread Adam Young

Had to move some files around, and added to both Makefile.am and ipa.spec
From 7474a2cf3ffd0af259dc32d5b4652b054b585340 Mon Sep 17 00:00:00 2001
From: Adam Young 
Date: Wed, 5 Jan 2011 14:02:24 -0500
Subject: [PATCH] add missing files in rpm

Fonts, header images, and json.js
---
 install/static/{fonts => }/FreeWay-Bold.otf |  Bin 47524 -> 47524 bytes
 install/static/{fonts => }/FreeWay.otf  |  Bin 38948 -> 38948 bytes
 install/static/Makefile.am  |5 +
 install/static/ipa.css  |4 ++--
 ipa.spec.in |1 +
 5 files changed, 8 insertions(+), 2 deletions(-)
 rename install/static/{fonts => }/FreeWay-Bold.otf (100%)
 rename install/static/{fonts => }/FreeWay.otf (100%)

diff --git a/install/static/fonts/FreeWay-Bold.otf b/install/static/FreeWay-Bold.otf
similarity index 100%
rename from install/static/fonts/FreeWay-Bold.otf
rename to install/static/FreeWay-Bold.otf
diff --git a/install/static/fonts/FreeWay.otf b/install/static/FreeWay.otf
similarity index 100%
rename from install/static/fonts/FreeWay.otf
rename to install/static/FreeWay.otf
diff --git a/install/static/Makefile.am b/install/static/Makefile.am
index 40d3b521b28fc8c962fe108c0d1ba6fc02daa00a..5c88d7800aaf4e695b7283aea057d88a9e347e21 100644
--- a/install/static/Makefile.am
+++ b/install/static/Makefile.am
@@ -14,6 +14,7 @@ app_DATA =  \
 	ipa_logo_180x50.png		\
 	ipa.js\
 	ipa.css\
+	json2.js			\
 	jquery.js			\
 	jquery-ui.js			\
 	jquery.ba-bbq.js		\
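Review bot: The commit message lists "json.js", but the entry added to app_DATA here is json2.js; please make the message name the file that is actually packaged so the log matches the tree.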
@@ -47,6 +48,8 @@ app_DATA =  \
 	Mainnav-background.png		\
 	Mainnav-offtab.png  		\
 	Mainnav-ontab.png  		\
+	modal-background.png		\
+	panel-background.png		\
 	Subnav-background.png		\
 	Subnav-offbutton.png		\
 	Subnav-onbutton.png		\
@@ -65,6 +68,8 @@ app_DATA =  \
 	ui-icons_ededed_256x240.png \
 	ui-icons_ffcf29_256x240.png \
 	ui-icons_ff_256x240.png \
+	FreeWay.otf \
+	FreeWay-Bold.otf \
 	$(NULL)
 
 EXTRA_DIST =\
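Review bot: Listing FreeWay.otf and FreeWay-Bold.otf directly in app_DATA only works because the same patch renames them out of fonts/ into the static root and edits the url() paths in ipa.css to match; the commit message should say why the files were flattened rather than giving fonts/ its own install target, since the three changes now have to stay in step. The two new entries are also padded with spaces before the backslash where the json2.js and *-background.png additions use tabs.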
diff --git a/install/static/ipa.css b/install/static/ipa.css
index 42625ec7efe3c03c3b2d69d7cb2604389e315605..df138aa2f5ed1a38953e10bc83ebc3291c14a583 100644
--- a/install/static/ipa.css
+++ b/install/static/ipa.css
@@ -15,8 +15,8 @@ body{
 margin: 0;
 }
 
-...@font-face {font-family: "FreeWay"; src:url("fonts/FreeWay.otf");}
-...@font-face {font-family: "FreeWayBold"; src:url("fonts/FreeWay-Bold.otf");}
+...@font-face {font-family: "FreeWay"; src:url("FreeWay.otf");}
+...@font-face {font-family: "FreeWayBold"; src:url("FreeWay-Bold.otf");}
 
 .input_link {
 padding: .4em 1em .4em 2em;
diff --git a/ipa.spec.in b/ipa.spec.in
index 39817a699da18f424668ecee0b2b85d95c461e7b..b318712555c6c0c643cdf8ce5e2c86622ccbac09 100644
--- a/ipa.spec.in
+++ b/ipa.spec.in
@@ -400,6 +400,7 @@ fi
 %{_usr}/share/ipa/static/*.png
 %{_usr}/share/ipa/static/*.css
 %{_usr}/share/ipa/static/*.js
+%{_usr}/share/ipa/static/*.otf
 %dir %{_usr}/share/ipa/static/layouts
 %dir %{_usr}/share/ipa/static/layouts/default
 %{_usr}/share/ipa/static/layouts/default/*.html
-- 
1.7.3.4


Re: [Freeipa-devel] [PATCH] Use AJAX status text as default error message.

2011-01-05 Thread Adam Young

On 01/05/2011 02:22 PM, Endi Sukma Dewata wrote:
> Hi,
>
> The attached patch should fix the following bug:
> https://fedorahosted.org/freeipa/ticket/669
> It now shows the server's actual response: "Internal Server Error".
>
> Additional improvements can be done by validating the input on client
> side and/or server side.

ACK

[Freeipa-devel] [PATCH] Use AJAX status text as default error message.

2011-01-05 Thread Endi Sukma Dewata

Hi,

The attached patch should fix the following bug:
https://fedorahosted.org/freeipa/ticket/669
It now shows the server's actual response: "Internal Server Error".

Additional improvements can be done by validating the input on client 
side and/or server side.


--
Endi S. Dewata
From 604dc3952290b8fcba6da8b4307e798cdd37b155 Mon Sep 17 00:00:00 2001
From: Endi S. Dewata 
Date: Wed, 5 Jan 2011 21:20:31 +0700
Subject: [PATCH] Use AJAX status text as default error message.

The ipa_cmd() error handler has been updated to use AJAX status
text as the default error message.
---
 install/static/ipa.js |   26 +++---
 1 files changed, 15 insertions(+), 11 deletions(-)

diff --git a/install/static/ipa.js b/install/static/ipa.js
index ac8a0f2657ea613e5b6e67c2b14122f2961c7f78..b340d8350e6bf83940ac8ad7dfa128f795b0f5a0 100644
--- a/install/static/ipa.js
+++ b/install/static/ipa.js
@@ -314,21 +314,25 @@ function ipa_cmd(name, args, options, win_callback, fail_callback, objname, comm
 }
 
 function error_handler(xhr, text_status, error_thrown) {
-if (!error_thrown){
-error_thrown = {name:'unknown'}
+
+if (!error_thrown) {
+error_thrown = {
+name: xhr.responseText || 'Unknown Error',
+message: xhr.statusText || 'Unknown Error'
+}
 }
 
-if (xhr.status === 401){
-error_thrown.name  = 'Kerberos ticket no longer valid.';
+if (xhr.status === 401) {
+error_thrown.name = 'Kerberos ticket no longer valid.';
 if (IPA.messages && IPA.messages.ajax){
-error_thrown.message =  IPA.messages.ajax["401"];
-}else{
+error_thrown.message = IPA.messages.ajax["401"];
+} else {
 error_thrown.message =
-"Your kerberos ticket no longer valid."+
-"Please run kinit and then click 'retry'"+
-"If this is your first time running the IPA Web UI"+
-" "+
-"Follow these directions to configure your browser."
+"Your kerberos ticket no longer valid. "+
+"Please run kinit and then click 'retry'. "+
+"If this is your first time running the IPA Web UI "+
+""+
+"follow these directions to configure your browser."
 }
 }
 
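Review bot: In the new "if (!error_thrown)" block, name is taken from xhr.responseText, which for a failed request can be the entire response body (an HTML error page or a server traceback) rather than a short label, while the commit message says the status text becomes the default. I would use xhr.statusText (or a fixed label) for name and keep responseText out of the dialog unless it is truncated and escaped before display, since it is server output the UI does not control. The object literal assigned to error_thrown is also missing its terminating semicolon, and "Your kerberos ticket no longer valid." in the fallback message is missing "is".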
-- 
1.6.6.1


[Freeipa-devel] [PATCH] One liner to remove UID from krbtpolicy page

2011-01-05 Thread Adam Young

pushed under the one line rule.

commit 69de8b317adbf9836819e4a5f6e87018d4a6520d
Author: Adam Young 
Date:   Wed Jan 5 13:31:21 2011 -0500

remove UID field
we are only doing global policy on the krbtpolicy page

diff --git a/install/static/policy.js b/install/static/policy.js
index d8cfbec..038b630 100644
--- a/install/static/policy.js
+++ b/install/static/policy.js
@@ -589,7 +589,7 @@ IPA.add_entity(function (){

 ipa_entity_set_details_definition('krbtpolicy', [
 ipa_stanza({name:'identity', label:'Kerberos ticket policy'}).
-input({name:'uid'}).
+//input({name:'uid',label:' '}).
 input({name:'krbmaxrenewableage'}).
 input({name:'krbmaxticketlife'})
 ]);
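Review bot: The uid input is commented out rather than deleted, and the commented line is not the original (it gains label:' '), so it does not even preserve the old definition. Delete the line and let the history carry it; the rationale in the commit message ("we are only doing global policy on the krbtpolicy page") is enough for anyone who needs to bring the field back.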



Re: [Freeipa-devel] [PATCH 21/21] fixes CA install problem in trac ticket 682

2011-01-05 Thread Rob Crittenden

Simo Sorce wrote:
> ----- Original Message -----
>> Do not call status after pkisilent, it will return non-zero.
>> Instead restart server after pkisilent so configuration
>> changes take effect, then check the status.
>
> Ack.
>
> Simo.

Working for me with the newer dogtag packages in the ipa-devel repo.

Pushed to master

rob


Re: [Freeipa-devel] [PATCH] Fixed SUDO dialog boxes.

2011-01-05 Thread Adam Young

On 01/05/2011 12:53 PM, Adam Young wrote:
> On 01/05/2011 05:03 AM, Endi Sukma Dewata wrote:
>> Hi,
>>
>> This patch should fix the following bug:
>> https://fedorahosted.org/freeipa/ticket/656
>>
>> The dialog boxes for SUDO details page have been modified
>> to generate the HTML code by default.
>>
>> --
>> Endi S. Dewata
>
> ACK and pushed to master

ACK and pushed to master

Re: [Freeipa-devel] [PATCH] SUDO run-as adjustments.

2011-01-05 Thread Adam Young

On 01/05/2011 05:07 AM, Endi Sukma Dewata wrote:
> Added the missing attachment.
>
> --
> Endi S. Dewata
>
> ----- Original Message -----
>> Hi,
>>
>> This patch partially fixes this bug:
>> https://fedorahosted.org/freeipa/ticket/534
>>
>> The SUDO details page has been modified to match the attribute
>> names for run-as attributes.
>>
>> --
>> Endi S. Dewata

ACK and pushed to master

[Freeipa-devel] [PATCH] 0043 fix ipa-dns-install to not require DM password

2011-01-05 Thread Simo Sorce
This patch makes it possible to run ipa-dns-install and use the admin
kerberos credentials.

Fixes #686.

Simo.



Re: [Freeipa-devel] [PATCH] Fixed SUDO dialog boxes.

2011-01-05 Thread Adam Young

On 01/05/2011 05:03 AM, Endi Sukma Dewata wrote:
> Hi,
>
> This patch should fix the following bug:
> https://fedorahosted.org/freeipa/ticket/656
>
> The dialog boxes for SUDO details page have been modified
> to generate the HTML code by default.
>
> --
> Endi S. Dewata

ACK and pushed to master

Re: [Freeipa-devel] [PATCH] Support for external SUDO users and hosts.

2011-01-05 Thread Endi Sukma Dewata

On 1/5/2011 5:09 PM, Endi Sukma Dewata wrote:
> This patch partially fixes this bug:
> https://fedorahosted.org/freeipa/ticket/534
>
> The SUDO details page has been modified to support external users
> and hosts. In the backend, the internal and external users are kept
> in separate attributes, but in the UI they will be displayed as a
> single list. The same thing is done for hosts.


I updated the patch to match the correct spec:

The ipa_sudorule_association_adder_dialog() has been modified such
that it only displays the external field if there is an external
attribute for that field.

--
Endi S. Dewata
From cf5d93d2dfd6aced29d42b91651517d3582879ae Mon Sep 17 00:00:00 2001
From: Endi S. Dewata 
Date: Wed, 5 Jan 2011 11:13:08 +0700
Subject: [PATCH] Support for external SUDO users and hosts.

The SUDO details page has been modified to support external users
and hosts. In the backend, the internal and external users are kept
in separate attributes, but in the UI they will be displayed as a
single list. The same thing is done for hosts.

The ipa_sudorule_association_adder_dialog() has been modified such
that it only displays the external field if there is an external
attribute for that field.
---
 install/static/sudorule.js  |   70 +-
 install/static/test/data/sudorule_show.json |6 ++
 2 files changed, 52 insertions(+), 24 deletions(-)

diff --git a/install/static/sudorule.js b/install/static/sudorule.js
index 219671b206e9b5c80be33b3623585e2e982ff025..bc1ba95bfc7476b95fb329103010fe85a8e30206 100755
--- a/install/static/sudorule.js
+++ b/install/static/sudorule.js
@@ -137,7 +137,8 @@ function ipa_sudorule_details_facet(spec) {
 section.add_field(ipa_sudorule_association_table_widget({
 'id': that.entity_name+'-memberuser_user',
 'name': 'memberuser_user', 'label': 'Users', 'category': category,
-'other_entity': 'user', 'add_method': 'add_user', 'remove_method': 'remove_user'
+'other_entity': 'user', 'add_method': 'add_user', 'remove_method': 'remove_user',
+'external': 'externaluser'
 }));
 section.add_field(ipa_sudorule_association_table_widget({
 'id': that.entity_name+'-memberuser_group',
@@ -164,7 +165,8 @@ function ipa_sudorule_details_facet(spec) {
 section.add_field(ipa_sudorule_association_table_widget({
 'id': that.entity_name+'-memberhost_host',
 'name': 'memberhost_host', 'label': 'Host', 'category': category,
-'other_entity': 'host', 'add_method': 'add_host', 'remove_method': 'remove_host'
+'other_entity': 'host', 'add_method': 'add_host', 'remove_method': 'remove_host',
+'external': 'externalhost'
 }));
 section.add_field(ipa_sudorule_association_table_widget({
 'id': that.entity_name+'-memberhost_hostgroup',
@@ -745,6 +747,8 @@ function ipa_sudorule_association_table_widget(spec) {
 
 var that = ipa_rule_association_table_widget(spec);
 
+that.external = spec.external;
+
 that.create_add_dialog = function() {
 var pkey = $.bbq.getState(that.entity_name + '-pkey', true) || '';
 var label = IPA.metadata[that.other_entity].label;
@@ -760,10 +764,20 @@ function ipa_sudorule_association_table_widget(spec) {
 'entity_name': that.entity_name,
 'pkey': pkey,
 'other_entity': that.other_entity,
+'external': that.external,
 'template': template
 });
 };
 
+that.load = function(result) {
+that.values = result[that.name] || [];
+if (that.external) {
+var external_values = result[that.external] || [];
+$.merge(that.values, external_values);
+}
+that.reset();
+};
+
 return that;
 }
 
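Review bot: In the new that.load, that.values is assigned result[that.name] by reference and $.merge(that.values, external_values) then appends to that same array, so whenever the internal attribute is present the caller's result object is modified in place, and loading the same result twice would append the external values twice. Copy before merging, for example that.values = (result[that.name] || []).slice(). After the merge the widget also keeps no record of which values came from that.external, which matters if removal has to address the internal and external attributes separately.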
@@ -773,6 +787,8 @@ function ipa_sudorule_association_adder_dialog(spec) {
 
 var that = ipa_association_adder_dialog(spec);
 
+that.external = spec.external;
+
 that.init = function() {
 
 if (!that.columns.length) {
@@ -830,9 +846,11 @@ function ipa_sudorule_association_adder_dialog(spec) {
 'class': 'adder-dialog-results'
 }).appendTo(that.container);
 
+var class_name = that.external ? 'adder-dialog-internal' : 'adder-dialog-available';
+
 var available_panel = $('', {
 name: 'available',
-'class': 'adder-dialog-internal'
+'class': class_name
 }).appendTo(results_panel);
 
 $('', {
@@ -873,40 +891,44 @@ function ipa_sudorule_association_adder_dialog(spec) {
 
 that.selected_table.create(selected_panel);
 
-var external_panel = $('', {
-name: 'external',
-'class': 'adder-dialog-external'
-}).appendTo(results_panel);
+if (that.external) {
+var external_panel = $('', {
+name: 'external',
+'class': 'adder-dialog-external'
+}).ap

Re: [Freeipa-devel] [PATCH] Rename --ipaddr option of host-add command

2011-01-05 Thread Simo Sorce
On Wed, 2011-01-05 at 16:44 +0100, Jan Zelený wrote:
> The option is renamed to --ip-address to be consistent with
> ipa-replica-prepare.
> 
> https://fedorahosted.org/freeipa/ticket/655

ACK,
Simo.


Re: [Freeipa-devel] [PATCH] 664 entitlement support

2011-01-05 Thread Dmitri Pal
Rob Crittenden wrote:
> This patch adds a plugin and tools for managing entitlements for host
> machines.
>
> Testing is rather complex so I've attached a script to help set up the
> Candlepin server. You'll need to ping me out of band for the backend
> data. This configures the Candlepin server with an in-memory database
> so any time tomcat6 is restarted you'll need to reload the data.
>
> You have to run candlepin.setup as root. This will configure your
> Fedora tomcat6 instance.
>
> Once your candlepin server is setup and IPA is installed do something
> like:
>
> $ ipa entitle-register admin
> (password is admin)
>
> $ ipa entitle-consume 25
>
> $ ipa entitle-status
> (verify that it is 25)
>
> # ipa-compliance
> (should be 1 of 50)
>
> Our tools can consume only, not return entitlements.
>
> tickets 28, 79 and 278.
>
> rob
Does the patch include all items from ticket 79? Should we split the
ticket, especially third bullet and treat it separately? Is it
addressed, do we still plan to provide a query in the docs?
Once Nalin created something like this:

Date comparisons in LDAP search filters compare using the ISO
representation of the time, given in MMDDHHMMSSZ form, which is more
or less what they look like on the wire.  For example, search for people
hired at Red Hat since Sunday:

  ldapsearch -x -h ldap.corp.redhat.com -b dc=redhat,dc=com \
"(rhathiredate>=20100411Z)" cn

The KDC (in 1.8 and later) will update krbLastSuccessfulAuth,
krbLastFailedAuth, and krbLoginFailedCount when a client attempts to
authenticate, so I expect that the search filter would look something
like this:

  
"(&(|(krbLastFailedAuth>=20100411Z)(krbLastSuccessfulAuth>=20100411Z))(krbPrincipalName=*))"

Keep in mind that we probably don't index either "krbLastFailedAuth" or
"krbLastSuccessfulAuth" for searching, so the search would probably take
a while to run.


==
Does the patch include cron job to run license check and log into the
syslog the results if you are out of compliance?
Does it count the servers and the clients i.e all the entries that have
a host principal and a keytab?
I have seen a FIXME comment in one of the patches below. Is this
intended or omission?




-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.




[Freeipa-devel] [PATCH] one liner to re-add in user associations

2011-01-05 Thread Adam Young

commit 3390319f4c79564ab579bfbc1e341defb5299e50
Author: Adam Young 
Date:   Tue Jan 4 22:58:27 2011 -0500

user associations
user associations had been removed.  This adds them back in.

diff --git a/install/static/user.js b/install/static/user.js
index 1a2ab44..c0e6fae 100644
--- a/install/static/user.js
+++ b/install/static/user.js
@@ -69,7 +69,7 @@ function ipa_user(){
   entity.create_association_facets();
   but we are currently defining the associator using the global
   function after the registration of the entity */
-
+  that.create_association_facets();

 that.entity_init();
 };
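Review bot: The call is added directly beneath a block comment whose visible tail says entity.create_association_facets() is not used because the associator is currently defined through the global function after the entity is registered. With that.create_association_facets() now on the next line, that comment contradicts the code and should be updated or removed in the same commit, with a word on why the call is safe again at this point.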



Re: [Freeipa-devel] [PATCH] 033 Add new installer option for reverse zone creation

2011-01-05 Thread Dmitri Pal
Jan Zelený wrote:
> Jakub Hrozek  wrote:
>   
>> On 01/05/2011 01:09 PM, Jan Zelený wrote:
>> 
>>> Jakub Hrozek  wrote:
>>>   
>>>> ticket #678
>>>>
>>> Nack, the unattended option given to the create_reverse function is
>>> redundant, please remove it.
>>>
>>> Jan
>>>   
>> OK, new patch attached.
>> 
>
> ack
>
>   
Jenny had some questions about the default value. Please hold off
pushing before you reconcile with her.



> Jan


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.




[Freeipa-devel] [Fwd: [freeipa] #703: krbtpolicy needs list page]

2011-01-05 Thread Dmitri Pal
IMO it should just be a section on the user details page rather than a
separate screen.

-------- Original Message --------
Subject:  [freeipa] #703: krbtpolicy needs list page
Date:     Wed, 05 Jan 2011 14:56:42 -
From:     freeipa
Reply-To: nob...@fedoraproject.org
To:       undisclosed-recipients:;



#703: krbtpolicy needs list page
--------------------------------+--------------------------------
          Reporter:  admiyo     |         Owner:  admiyo
              Type:  defect     |        Status:  new
          Priority:  major      |     Milestone:  0.0 NEEDS_TRIAGE
         Component:  Web UI     |       Version:
          Keywords:             |         Tests:  0
      Testsupdated:  0          |   Affects_cli:  0
Candidate_to_defer:  0          |   Affects_doc:  0
          Estimate:             |
--------------------------------+--------------------------------
 Since there can be one krbtpolicy per user, supported by the CLI, the
 WebUI needs a way to list the alternatives.  If there is a policy for a
 user, there should be a link to it from the user details.


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.




[Freeipa-devel] [PATCH] 664 entitlement support

2011-01-05 Thread Rob Crittenden
This patch adds a plugin and tools for managing entitlements for host 
machines.


Testing is rather complex so I've attached a script to help set up the 
Candlepin server. You'll need to ping me out of band for the backend 
data. This configures the Candlepin server with an in-memory database so 
any time tomcat6 is restarted you'll need to reload the data.


You have to run candlepin.setup as root. This will configure your Fedora 
tomcat6 instance.


Once your candlepin server is setup and IPA is installed do something like:

$ ipa entitle-register admin
(password is admin)

$ ipa entitle-consume 25

$ ipa entitle-status
(verify that it is 25)

# ipa-compliance
(should be 1 of 50)

Our tools can consume only, not return entitlements.

tickets 28, 79 and 278.

rob
From 5edc404987a747fe6e6def79e5501fffac9350b2 Mon Sep 17 00:00:00 2001
From: Rob Crittenden 
Date: Mon, 20 Dec 2010 16:36:28 -0500
Subject: [PATCH] Add support for tracking and counting entitlements

Adds a plugin, entitle, to register to the entitlement server, consume
entitlements and to count and track them. It is also possible to
import an entitlement certificate (if for example the remote entitlement
server is unavailable).

This uses the candlepin server from https://fedorahosted.org/candlepin/wiki
for entitlements.

Add a cron job to validate the entitlement status and syslog the results.

tickets 28, 79, 278
---
 install/share/60basev2.ldif|2 +
 install/share/default-aci.ldif |2 +-
 install/share/delegation.ldif  |   65 +++-
 install/tools/Makefile.am  |1 +
 install/tools/ipa-compliance   |  192 ++
 install/tools/man/Makefile.am  |3 +-
 install/tools/man/ipa-compliance.1 |   45 +++
 ipa-compliance.cron|5 +
 ipa.spec.in|5 +
 ipalib/cli.py  |   14 +-
 ipalib/constants.py|1 +
 ipalib/errors.py   |   41 ++-
 ipalib/plugins/entitle.py  |  737 
 ipalib/plugins/service.py  |5 +
 ipaserver/plugins/ldap2.py |   14 +
 15 files changed, 1106 insertions(+), 26 deletions(-)
 create mode 100755 install/tools/ipa-compliance
 create mode 100644 install/tools/man/ipa-compliance.1
 create mode 100644 ipa-compliance.cron
 create mode 100644 ipalib/plugins/entitle.py

diff --git a/install/share/60basev2.ldif b/install/share/60basev2.ldif
index 7eb346b..4bc165e 100644
--- a/install/share/60basev2.ldif
+++ b/install/share/60basev2.ldif
@@ -11,8 +11,10 @@ attributeTypes: (2.16.840.1.113730.3.8.3.2 NAME 'ipaClientVersion' DESC 'Text st
 attributeTypes: (2.16.840.1.113730.3.8.3.3 NAME 'enrolledBy' DESC 'DN of administrator who performed manual enrollment of the host' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'IPA v2' )
 attributeTypes: (2.16.840.1.113730.3.8.3.4 NAME 'fqdn' DESC 'FQDN' EQUALITY caseIgnoreMatch ORDERING caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' )
 attributeTypes: (2.16.840.1.113730.3.8.3.18 NAME 'managedBy' DESC 'DNs of entries allowed to manage' SUP distinguishedName EQUALITY distinguishedNameMatch ORDERING distinguishedNameMatch SUBSTR distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'IPA v2')
+attributeTypes: (2.16.840.1.113730.3.8.3.24 NAME 'ipaEntitlementId' DESC 'Entitlement Unique identifier' EQUALITY caseIgnoreMatch ORDERING caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' )
 objectClasses: (2.16.840.1.113730.3.8.4.1 NAME 'ipaHost' AUXILIARY MUST ( fqdn ) MAY ( userPassword $ ipaClientVersion $ enrolledBy $ memberOf) X-ORIGIN 'IPA v2' )
 objectClasses: (2.16.840.1.113730.3.8.4.12 NAME 'ipaObject' DESC 'IPA objectclass' AUXILIARY MUST ( ipaUniqueId ) X-ORIGIN 'IPA v2' )
+objectClasses: (2.16.840.1.113730.3.8.4.14 NAME 'ipaEntitlement' DESC 'IPA Entitlement object' AUXILIARY MUST ( ipaEntitlementId ) MAY ( userPKCS12 $ userCertificate ) X-ORIGIN 'IPA v2' )
 objectClasses: (2.16.840.1.113730.3.8.4.2 NAME 'ipaService' DESC 'IPA service objectclass' AUXILIARY MAY ( memberOf $ managedBy ) X-ORIGIN 'IPA v2' )
 objectClasses: (2.16.840.1.113730.3.8.4.3 NAME 'nestedGroup' DESC 'Group that supports nesting' SUP groupOfNames STRUCTURAL MAY memberOf X-ORIGIN 'IPA v2' )
 objectClasses: (2.16.840.1.113730.3.8.4.4 NAME 'ipaUserGroup' DESC 'IPA user group object class' SUP nestedGroup STRUCTURAL X-ORIGIN 'IPA v2' )
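
Review bot: the new ipaEntitlement class lists userPKCS12 in MAY, so an entry of this class can carry a PKCS#12 bundle, which normally includes the private key. Please say in the commit message who is expected to read that attribute and make sure an ACI keeps it away from anonymous and ordinary-user reads; if the certificate alone is enough for counting entitlements, dropping userPKCS12 from the class avoids the question.
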
diff --git a/install/share/default-aci.ldif b/install/share/default-aci.ldif
index 159cb07..f33e8ba 100644
--- a/install/share/default-aci.ldif
+++ b/install/share/default-aci.ldif
@@ -3,7 +3,7 @@
 dn: $SUFFIX
 changetype: modify
 add: aci
-aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";;)
+aci: (targetattr != 
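
Review bot: the removed aci keeps userPassword, krbPrincipalKey, sambaLMPassword, sambaNTPassword, passwordHistory and krbMKey out of anonymous read, and the replacement line is cut off after `targetattr != ` in this copy, so the new exclusion list cannot be checked here. Because the same patch lets ipaEntitlement entries hold userPKCS12, the new list should name userPKCS12 as well; please confirm that against the full patch.
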

Re: [Freeipa-devel] [PATCH] admiyo-0121-posix-checked

2011-01-05 Thread Adam Young

On 01/05/2011 10:32 AM, Endi Sukma Dewata wrote:

On 12/24/2010 2:27 AM, Adam Young wrote:

fixes https://fedorahosted.org/freeipa/ticket/661


ACK.


pushed to master



Re: [Freeipa-devel] [PATCH] admiyo-0126-update-metadata

2011-01-05 Thread Adam Young

On 01/05/2011 10:22 AM, Endi Sukma Dewata wrote:

On 1/5/2011 10:52 AM, Adam Young wrote:

We've gotten behind on the meta data with many of the recent changes.
This makes the webui work via the file: protocol again.


The file pwpolicy_mod.json~ should be removed. Otherwise it's ACKed.


fixed and pushed to master



Re: [Freeipa-devel] [PATCH] admiyo-0121-posix-checked

2011-01-05 Thread Endi Sukma Dewata

On 12/24/2010 2:27 AM, Adam Young wrote:

fixes https://fedorahosted.org/freeipa/ticket/661


ACK.

--
Endi S. Dewata



Re: [Freeipa-devel] [PATCH] admiyo-0126-update-metadata

2011-01-05 Thread Endi Sukma Dewata

On 1/5/2011 10:52 AM, Adam Young wrote:

We've gotten behind on the meta data with many of the recent changes.
This makes the webui work via the file: protocol again.


The file pwpolicy_mod.json~ should be removed. Otherwise it's ACKed.

--
Endi S. Dewata



Re: [Freeipa-devel] [PATCH] admiyo-0124-fix-krbtpolicy-update

2011-01-05 Thread Endi Sukma Dewata

On 1/4/2011 1:15 AM, Adam Young wrote:




ACK with note that in the Kerberos Ticket Policy page there's a 'User 
name' label without a text field next to it.


--
Endi S. Dewata



Re: [Freeipa-devel] [PATCH] 033 Add new installer option for reverse zone creation

2011-01-05 Thread Jakub Hrozek

On 01/05/2011 01:09 PM, Jan Zelený wrote:
> Jakub Hrozek  wrote:
>> ticket #678
> 
> Nack, the unattended option given to the create_reverse function is 
> redundant, 
> please remove it.
> 
> Jan
> 

OK, new patch attached.
From 6c152e4e72949c95bcc9b674cceaa98de07675fb Mon Sep 17 00:00:00 2001
From: Jakub Hrozek 
Date: Tue, 4 Jan 2011 08:55:47 -0500
Subject: [PATCH] A new option to specify reverse zone creation for unattended installs

https://fedorahosted.org/freeipa/ticket/678
---
 install/tools/ipa-dns-install |8 +++-
 install/tools/ipa-replica-install |   11 ++-
 install/tools/ipa-server-install  |   10 +-
 ipaserver/install/bindinstance.py |4 +---
 4 files changed, 27 insertions(+), 6 deletions(-)

diff --git a/install/tools/ipa-dns-install b/install/tools/ipa-dns-install
index d4cd1eb..20a7354 100755
--- a/install/tools/ipa-dns-install
+++ b/install/tools/ipa-dns-install
@@ -40,6 +40,9 @@ def parse_options():
   help="Add a DNS forwarder")
 parser.add_option("--no-forwarders", dest="no_forwarders", action="store_true",
   default=False, help="Do not add any DNS forwarders, use root servers instead")
+parser.add_option("--create-reverse", dest="create_reverse",
+  action="store_true", default=False,
+  help="Create reverse DNS zone")
 parser.add_option("--zonemgr", dest="zonemgr", 
   help="DNS zone manager e-mail address. Defaults to root")
 parser.add_option("-U", "--unattended", dest="unattended", action="store_true",
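
Review bot: the help string for --create-reverse says only "Create reverse DNS zone"; it should say that under -U/--unattended this flag is what decides whether the zone is created, since that is the case the subject line is about. The diffstat lists the three installers and bindinstance.py but no man page, so the option is undocumented there too.
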
@@ -164,7 +167,10 @@ def main():
 
 # Create a BIND instance
 bind = bindinstance.BindInstance(fstore, dm_password)
-create_reverse = bindinstance.create_reverse(options.unattended)
+if options.unattended:
+create_reverse = options.create_reverse
+elif not options.create_reverse:
+create_reverse = bindinstance.create_reverse()
 bind.setup(api.env.host, ip_address, api.env.realm, api.env.domain, dns_forwarders, conf_ntp, create_reverse, zonemgr=options.zonemgr)
 api.Backend.ldap2.connect(bind_dn="cn=Directory Manager", bind_pw=dm_password)
 bind.create_instance()
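
Review bot: create_reverse is never assigned in main() when the install is interactive and --create-reverse was passed: the `if` needs options.unattended and the `elif` needs the flag to be unset, so that combination falls through and the bind.setup(...) call that follows uses an unbound name. Adding `else: create_reverse = True`, or writing the whole thing as `create_reverse = options.create_reverse or (not options.unattended and bindinstance.create_reverse())`, covers all four cases.
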
diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index 9dda13f..97223ea 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -66,6 +66,8 @@ def parse_options():
   help="Add a DNS forwarder")
 parser.add_option("--no-forwarders", dest="no_forwarders", action="store_true",
   default=False, help="Do not add any DNS forwarders, use root servers instead")
+parser.add_option("--create-reverse", dest="create_reverse", action="store_true",
+  default=False, help="Create reverse DNS zone")
 parser.add_option("--no-host-dns", dest="no_host_dns", action="store_true",
   default=False,
   help="Do not use DNS for hostname lookup during installation")
@@ -83,6 +85,8 @@ def parse_options():
 parser.error("You cannot specify a --forwarder option without the --setup-dns option")
 if options.no_forwarders:
 parser.error("You cannot specify a --no-forwarders option without the --setup-dns option")
+if options.create_reverse:
+parser.error("You cannot specify a --create-reverse option without the --setup-dns option")
 elif options.forwarders and options.no_forwarders:
 parser.error("You cannot specify a --forwarder option together with --no-forwarders")
 elif not options.forwarders and not options.no_forwarders:
@@ -247,7 +251,12 @@ def install_bind(config, options):
 ip_address = resolve_host(config.host_name)
 if not ip_address:
 sys.exit("Unable to resolve IP address for host name")
-create_reverse = bindinstance.create_reverse(options.unattended)
+
+if options.unattended:
+create_reverse = options.create_reverse
+elif not options.create_reverse:
+create_reverse = bindinstance.create_reverse()
+
 bind.setup(config.host_name, ip_address, config.realm_name,
config.domain_name, forwarders, options.conf_ntp, create_reverse)
 bind.create_instance()
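
Review bot: these four lines in install_bind() are a copy of the block added to main() in ipa-dns-install, including the path where neither branch assigns create_reverse (interactive run with --create-reverse given). Moving the decision into one helper in bindinstance that takes the options and returns a bool would fix that path once and keep the installers from drifting apart.
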
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 2bbf481..3ff82ec 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -99,6 +99,8 @@ def parse_options():
   help="Add a DNS forwarder")
 parser.add_option("--no-forwarders", dest="no_forwarders", action="store_true",
   default=F

Re: [Freeipa-devel] [PATCHES] [bind-dyndb-ldap] Two patches for minor Coverity issues

2011-01-05 Thread Stephen Gallagher

On 01/05/2011 05:00 AM, Adam Tkac wrote:
> On Tue, Jan 04, 2011 at 03:41:12PM -0500, Stephen Gallagher wrote:
> Patch 0001: Fix missing varargs cleanup
> 
> The CHECK() macro may cause execution to skip down to the cleanup
> tag. If this happens, it would mean that we never called va_end()
> on "backup".
> 
> This patch reorganizes the code slightly to ensure that va_end()
> is always called.
> 
> 
> Patch 0002: Fix potential out-of-bounds write
> 
> If there are exactly LD_MAX_SPLITS entries resulting from this
> split, the mandatory trailing NULL entry will be written to one
> entry past the end of the static array of LD_MAX_SPLITS size.
> 
>> Both patches look fine for me, ack. Please push them.
> 

Pushed to master.



-- 
Stephen Gallagher
RHCE 804006346421761

Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/
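
The off-by-one described for patch 0002 in the message above, as an added example that is not the bind-dyndb-ldap code and not the patch itself. LD_MAX_SPLITS is the only name taken from the thread; its value, the split_ctx layout, the guard slot and every function name are assumptions made for illustration. The guard slot stands in for the memory after the array so the stray NULL write can be observed without undefined behaviour.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define LD_MAX_SPLITS ((size_t)4)   /* constructed value; the thread gives only the name */

static char guard_marker;
#define GUARD (&guard_marker)

/* Hypothetical layout: slots[0 .. LD_MAX_SPLITS-1] play the role of the static
 * array; slots[LD_MAX_SPLITS] stands in for whatever follows it in memory. */
typedef struct {
    char  buf[64];                      /* private copy of the input, split in place */
    char *slots[LD_MAX_SPLITS + 1];
} split_ctx;

static void ctx_init(split_ctx *c, const char *input)
{
    size_t i;
    strncpy(c->buf, input, sizeof c->buf - 1);
    c->buf[sizeof c->buf - 1] = '\0';
    for (i = 0; i < LD_MAX_SPLITS; i++)
        c->slots[i] = NULL;
    c->slots[LD_MAX_SPLITS] = GUARD;
}

/* Off-by-one form: the loop admits LD_MAX_SPLITS entries, and the mandatory
 * trailing NULL is then stored at index n, which is LD_MAX_SPLITS when the
 * array is full. Returns the index that received the terminator. */
size_t split_unchecked(split_ctx *c, char delim)
{
    size_t n = 0;
    char *p = c->buf;
    while (p != NULL && n < LD_MAX_SPLITS) {
        c->slots[n++] = p;
        p = strchr(p, delim);
        if (p != NULL)
            *p++ = '\0';
    }
    c->slots[n] = NULL;                 /* lands on the guard when n == LD_MAX_SPLITS */
    return n;
}

/* Hardened form: one slot is reserved for the terminator, so at most
 * LD_MAX_SPLITS - 1 entries are accepted and longer input is rejected.
 * Returns the entry count, or -1 if the input does not fit (buf may already
 * be partly split in that case and must not be used). */
int split_checked(split_ctx *c, char delim)
{
    size_t n = 0;
    char *p = c->buf;
    while (p != NULL) {
        if (n >= LD_MAX_SPLITS - 1)
            return -1;                  /* no room for this entry plus the NULL */
        c->slots[n++] = p;
        p = strchr(p, delim);
        if (p != NULL)
            *p++ = '\0';
    }
    c->slots[n] = NULL;
    return (int)n;
}

/* 1 if the unchecked split overwrote the slot after the array, else 0. */
int unchecked_clobbers_guard(const char *input)
{
    split_ctx c;
    ctx_init(&c, input);
    split_unchecked(&c, '.');
    return c.slots[LD_MAX_SPLITS] != GUARD;
}

/* Entry count from the checked split, or -1 on rejection. */
int checked_result(const char *input)
{
    split_ctx c;
    ctx_init(&c, input);
    return split_checked(&c, '.');
}

/* 1 if the checked split overwrote the slot after the array, else 0. */
int checked_clobbers_guard(const char *input)
{
    split_ctx c;
    ctx_init(&c, input);
    split_checked(&c, '.');
    return c.slots[LD_MAX_SPLITS] != GUARD;
}

int main(void)
{
    /* Constructed inputs: three labels fit, four labels fill the array exactly. */
    const char *inputs[] = { "a.b.c", "a.b.c.d" };
    size_t i;
    for (i = 0; i < 2; i++)
        printf("%-8s unchecked clobbers guard: %d, checked returns: %d\n",
               inputs[i], unchecked_clobbers_guard(inputs[i]),
               checked_result(inputs[i]));
    return 0;
}
```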


Re: [Freeipa-devel] [PATCH] Modified ipa help behavior

2011-01-05 Thread Jakub Hrozek

On 01/05/2011 11:55 AM, Jan Zelený wrote:
> Jakub Hrozek  wrote:
>> Nack,
>>
>> the hbac->hbacrule rename is still not complete. There is still
>> "from ipalib.plugins.hbac import is_all" in ipalib/plugins/netgroup.py
>> and "api.register(hbac)" in ipalib/plugins/hbacrule.py and also "ret =
>> self.failsafe_add(api.Object.hbac," in
>> tests/test_xmlrpc/test_hbac_plugin.py
> 
> This is final version, all issues have been solved.
> 
> Jan
> 

Ack



[Freeipa-devel] [PATCH] 033 Add new installer option for reverse zone creation

2011-01-05 Thread Jakub Hrozek

ticket #678
From b9cfe78ea10b7404e0504770e087b882e842d8e0 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek 
Date: Tue, 4 Jan 2011 08:55:47 -0500
Subject: [PATCH] A new option to specify reverse zone creation for unattended installs

https://fedorahosted.org/freeipa/ticket/678
---
 install/tools/ipa-dns-install |8 +++-
 install/tools/ipa-replica-install |   11 ++-
 install/tools/ipa-server-install  |   10 +-
 3 files changed, 26 insertions(+), 3 deletions(-)

diff --git a/install/tools/ipa-dns-install b/install/tools/ipa-dns-install
index d4cd1eb..5ae6096 100755
--- a/install/tools/ipa-dns-install
+++ b/install/tools/ipa-dns-install
@@ -40,6 +40,9 @@ def parse_options():
   help="Add a DNS forwarder")
 parser.add_option("--no-forwarders", dest="no_forwarders", action="store_true",
   default=False, help="Do not add any DNS forwarders, use root servers instead")
+parser.add_option("--create-reverse", dest="create_reverse",
+  action="store_true", default=False,
+  help="Create reverse DNS zone")
 parser.add_option("--zonemgr", dest="zonemgr", 
   help="DNS zone manager e-mail address. Defaults to root")
 parser.add_option("-U", "--unattended", dest="unattended", action="store_true",
@@ -164,7 +167,10 @@ def main():
 
 # Create a BIND instance
 bind = bindinstance.BindInstance(fstore, dm_password)
-create_reverse = bindinstance.create_reverse(options.unattended)
+if options.unattended:
+create_reverse = options.create_reverse
+elif not options.create_reverse:
+create_reverse = bindinstance.create_reverse(options.unattended)
 bind.setup(api.env.host, ip_address, api.env.realm, api.env.domain, dns_forwarders, conf_ntp, create_reverse, zonemgr=options.zonemgr)
 api.Backend.ldap2.connect(bind_dn="cn=Directory Manager", bind_pw=dm_password)
 bind.create_instance()
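
Review bot: inside the `elif` in main() options.unattended is already known to be false, so `bindinstance.create_reverse(options.unattended)` always passes False and the argument does nothing; drop it from the call and from the function signature. The interactive run with --create-reverse given also reaches bind.setup(...) without create_reverse being set, so the chain needs a final `else`.
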
diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index 9dda13f..e487948 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -66,6 +66,8 @@ def parse_options():
   help="Add a DNS forwarder")
 parser.add_option("--no-forwarders", dest="no_forwarders", action="store_true",
   default=False, help="Do not add any DNS forwarders, use root servers instead")
+parser.add_option("--create-reverse", dest="create_reverse", action="store_true",
+  default=False, help="Create reverse DNS zone")
 parser.add_option("--no-host-dns", dest="no_host_dns", action="store_true",
   default=False,
   help="Do not use DNS for hostname lookup during installation")
@@ -83,6 +85,8 @@ def parse_options():
 parser.error("You cannot specify a --forwarder option without the --setup-dns option")
 if options.no_forwarders:
 parser.error("You cannot specify a --no-forwarders option without the --setup-dns option")
+if options.create_reverse:
+parser.error("You cannot specify a --create-reverse option without the --setup-dns option")
 elif options.forwarders and options.no_forwarders:
 parser.error("You cannot specify a --forwarder option together with --no-forwarders")
 elif not options.forwarders and not options.no_forwarders:
@@ -247,7 +251,12 @@ def install_bind(config, options):
 ip_address = resolve_host(config.host_name)
 if not ip_address:
 sys.exit("Unable to resolve IP address for host name")
-create_reverse = bindinstance.create_reverse(options.unattended)
+
+if options.unattended:
+create_reverse = options.create_reverse
+elif not options.create_reverse:
+create_reverse = bindinstance.create_reverse(options.unattended)
+
 bind.setup(config.host_name, ip_address, config.realm_name,
config.domain_name, forwarders, options.conf_ntp, create_reverse)
 bind.create_instance()
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index b73b63e..2fa0c97 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -99,6 +99,8 @@ def parse_options():
   help="Add a DNS forwarder")
 parser.add_option("--no-forwarders", dest="no_forwarders", action="store_true",
   default=False, help="Do not add any DNS forwarders, use root servers instead")
+parser.add_option("--create-reverse", dest="create_reverse", action="store_true",
+  default=False, help="Create reverse DNS zone

[Freeipa-devel] [PATCH] Retype (when cloning) Flag parameters to Bool for search commands.

2011-01-05 Thread Pavel Zuna
Flag parameters are always autofill by definition, causing unexpected search 
results. This patch retypes them to Bool for search commands, so that users have 
to/can enter the desired value manually.


A good example of the Flag parameters causing problems in search commands is 
`dnszone-find` (ticket #689).


Ticket #689
Ticket #701

Pavel
From 2206dd739dabf3e08555126b545a6cc62d6cd93c Mon Sep 17 00:00:00 2001
From: Pavel Zuna 
Date: Wed, 5 Jan 2011 10:07:23 -0500
Subject: [PATCH] Retype (when cloning) Flag parameters to Bool for search commands.

Flag parameters are always autofill by definition, causing unexpected
search results. This patch retypes them to Bool for search commands,
so that users have to/can enter the desired value manually.

Ticket #689
Ticket #701
---
 ipalib/crud.py   |   12 +---
 ipalib/parameters.py |8 +++-
 2 files changed, 16 insertions(+), 4 deletions(-)

diff --git a/ipalib/crud.py b/ipalib/crud.py
index 86e1756..6df3c73 100644
--- a/ipalib/crud.py
+++ b/ipalib/crud.py
@@ -210,9 +210,15 @@ class Search(Method):
 for option in self.obj.params_minus(self.args):
 if 'no_search' in option.flags:
 continue
-yield option.clone(
-attribute=True, query=True, required=False, autofill=False
-)
+if isinstance(option, parameters.Flag):
+yield option.clone_retype(
+option.name, parameters.Bool,
+attribute=True, query=True, required=False, autofill=False
+)
+else:
+yield option.clone(
+attribute=True, query=True, required=False, autofill=False
+)
 if not self.extra_options_first:
 for option in super(Search, self).get_options():
 yield option
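
Review bot: the two branches of the isinstance check in the Search option loop spell out the same four overrides (attribute, query, required, autofill), so a later change to one is easy to miss in the other. Build the keyword dict once and only choose between clone() and clone_retype() in the branch; a one-line comment saying that a Flag is always autofilled and therefore cannot stay a Flag in a search would also help the next reader.
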
diff --git a/ipalib/parameters.py b/ipalib/parameters.py
index 5c386c3..128c8a4 100644
--- a/ipalib/parameters.py
+++ b/ipalib/parameters.py
@@ -585,9 +585,15 @@ class Param(ReadOnly):
 """
 Return a new `Param` instance similar to this one, but named differently
 """
+return self.clone_retype(name, self.__class__, **overrides)
+
+def clone_retype(self, name, klass, **overrides):
+"""
+Return a new `Param` instance similar to this one, but of a different type
+"""
 kw = dict(self.__clonekw)
 kw.update(overrides)
-return self.__class__(name, *self.rules, **kw)
+return klass(name, *self.rules, **kw)
 
 def normalize(self, value):
 """
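
Review bot: clone_retype() hands self.rules and every stored keyword argument to klass unchanged, so it only works when klass accepts everything the original class was created with. The docstring should state that requirement, and a unit test for the Flag to Bool case used in crud.py would pin down what happens to the inherited default and autofill values.
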
-- 
1.7.1.1


[Freeipa-devel] [PATCH] Support for external SUDO users and hosts.

2011-01-05 Thread Endi Sukma Dewata
Hi,

This patch partially fixes this bug:
https://fedorahosted.org/freeipa/ticket/534

The SUDO details page has been modified to support external users
and hosts. In the backend, the internal and external users are kept
in separate attributes, but in the UI they will be displayed as a
single list. The same thing is done for hosts.

--
Endi S. Dewata

From 3874a0f8bd1977152f08cfaf53bc4ac18ca89453 Mon Sep 17 00:00:00 2001
From: Endi S. Dewata 
Date: Wed, 5 Jan 2011 11:13:08 +0700
Subject: [PATCH] Support for external SUDO users and hosts.

The SUDO details page has been modified to support external users
and hosts. In the backend, the internal and external users are kept
in separate attributes, but in the UI they will be displayed as a
single list. The same thing is done for hosts.
---
 install/static/sudorule.js  |   17 +++--
 install/static/test/data/sudorule_show.json |6 ++
 2 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/install/static/sudorule.js b/install/static/sudorule.js
index 219671b206e9b5c80be33b3623585e2e982ff025..4400ce7588ee1ab6b05dab2289507ddd5ce03b73 100755
--- a/install/static/sudorule.js
+++ b/install/static/sudorule.js
@@ -137,7 +137,8 @@ function ipa_sudorule_details_facet(spec) {
 section.add_field(ipa_sudorule_association_table_widget({
 'id': that.entity_name+'-memberuser_user',
 'name': 'memberuser_user', 'label': 'Users', 'category': category,
-'other_entity': 'user', 'add_method': 'add_user', 'remove_method': 'remove_user'
+'other_entity': 'user', 'add_method': 'add_user', 'remove_method': 'remove_user',
+'external_attribute': 'externaluser'
 }));
 section.add_field(ipa_sudorule_association_table_widget({
 'id': that.entity_name+'-memberuser_group',
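
Review bot: with 'external_attribute': 'externaluser' the Users table will show external names next to internal ones, but 'add_method' and 'remove_method' on the same widget still name only add_user and remove_user. Please confirm those commands accept a name that is not an IPA user, or state in the commit message that external entries are display-only in this patch.
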
@@ -164,7 +165,8 @@ function ipa_sudorule_details_facet(spec) {
 section.add_field(ipa_sudorule_association_table_widget({
 'id': that.entity_name+'-memberhost_host',
 'name': 'memberhost_host', 'label': 'Host', 'category': category,
-'other_entity': 'host', 'add_method': 'add_host', 'remove_method': 'remove_host'
+'other_entity': 'host', 'add_method': 'add_host', 'remove_method': 'remove_host',
+'external_attribute': 'externalhost'
 }));
 section.add_field(ipa_sudorule_association_table_widget({
 'id': that.entity_name+'-memberhost_hostgroup',
@@ -745,6 +747,8 @@ function ipa_sudorule_association_table_widget(spec) {
 
 var that = ipa_rule_association_table_widget(spec);
 
+that.external_attribute = spec.external_attribute;
+
 that.create_add_dialog = function() {
 var pkey = $.bbq.getState(that.entity_name + '-pkey', true) || '';
 var label = IPA.metadata[that.other_entity].label;
@@ -764,6 +768,15 @@ function ipa_sudorule_association_table_widget(spec) {
 });
 };
 
+that.load = function(result) {
+that.values = result[that.name] || [];
+if (that.external_attribute) {
+var external_values = result[that.external_attribute] || [];
+$.merge(that.values, external_values);
+}
+that.reset();
+};
+
 return that;
 }
 
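
Review bot: in that.load(), that.values is the same array object as result[that.name] whenever that key is present, and $.merge() appends to its first argument in place, so the external entries are written back into the result object as if they were internal members. Copy first, for example `that.values = $.merge([], result[that.name] || [])`, and consider recording which values came from that.external_attribute so the table can tell the two kinds apart.
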
diff --git a/install/static/test/data/sudorule_show.json b/install/static/test/data/sudorule_show.json
index 6f4b47526815ee114d9f7602cef2217c7605e406..5d8473259c15c0452f9fbeca1166dc1161dcbbad 100644
--- a/install/static/test/data/sudorule_show.json
+++ b/install/static/test/data/sudorule_show.json
@@ -32,6 +32,12 @@
 "test"
 ],
 "dn": "ipauniqueid=4fc57a02-f23311df-b268e50e-a3b3ef71,cn=sudorules,dc=dev,dc=example,dc=com",
+"externalhost": [
+"external.example.com"
+],
+"externaluser": [
+"external"
+],
 "ipasudorunas_user": [
 "admin"
 ],
-- 
1.6.6.1


Re: [Freeipa-devel] [PATCH] SUDO run-as adjustments.

2011-01-05 Thread Endi Sukma Dewata
Added the missing attachment.

--
Endi S. Dewata

- Original Message -
> Hi,
> 
> This patch partially fixes this bug:
> https://fedorahosted.org/freeipa/ticket/534
> 
> The SUDO details page has been modified to match the attribute
> names for run-as attributes.
> 
> --
> Endi S. Dewata
From da41ad583b8b2d9e8c9df7d4bfa825c63b12acaf Mon Sep 17 00:00:00 2001
From: Endi S. Dewata 
Date: Wed, 5 Jan 2011 10:26:36 +0700
Subject: [PATCH] SUDO run-as adjustments.

The SUDO details page has been modified to match the attribute
names for run-as attributes.
---
 install/static/sudorule.js  |   50 +-
 install/static/test/data/sudorule_show.json |6 +++
 2 files changed, 31 insertions(+), 25 deletions(-)

diff --git a/install/static/sudorule.js b/install/static/sudorule.js
index 3ee42c9be9d36425ea9f641c5d80bd20f277f051..219671b206e9b5c80be33b3623585e2e982ff025 100755
--- a/install/static/sudorule.js
+++ b/install/static/sudorule.js
@@ -233,10 +233,10 @@ function ipa_sudorule_details_facet(spec) {
 'cmdcategory': {
 'remove_values': false
 },
-'runasusercategory': {
+'ipasudorunasusercategory': {
 'remove_values': false
 },
-'runasgroupcategory': {
+'ipasudorunasgroupcategory': {
 'remove_values': false
 }
 };
@@ -278,20 +278,20 @@ function ipa_sudorule_details_facet(spec) {
 'options': {'all': true, 'rights': true}
 })
 },
-'runasuser': {
-'category': 'runasusercategory',
+'ipasudorunas': {
+'category': 'ipasudorunasusercategory',
 'has_values': false,
 'command': ipa_command({
-'method': that.entity_name+'_remove_runas_user',
+'method': that.entity_name+'_remove_runasuser',
 'args': [pkey],
 'options': {'all': true, 'rights': true}
 })
 },
-'runasgroup': {
-'category': 'runasgroupcategory',
+'ipasudorunasgroup': {
+'category': 'ipasudorunasgroupcategory',
 'has_values': false,
 'command': ipa_command({
-'method': that.entity_name+'_remove_runas_group',
+'method': that.entity_name+'_remove_runasgroup',
 'args': [pkey],
 'options': {'all': true, 'rights': true}
 })
@@ -639,22 +639,22 @@ function ipa_sudorule_details_runas_section(spec){
 
 that.init = function() {
 
-var category = that.create_radio({ name: 'runasusercategory', label: 'Run as User category' });
+var category = that.create_radio({ name: 'ipasudorunasusercategory', label: 'Run as User category' });
 that.add_field(ipa_sudorule_association_table_widget({
 'id': that.entity_name+'-runasruser_user',
-'name': 'runasuser_user', 'label': 'Users', 'category': category,
+'name': 'ipasudorunas_user', 'label': 'Users', 'category': category,
 'other_entity': 'user', 'add_method': 'add_runasuser', 'remove_method': 'remove_runasuser'
 }));
 that.add_field(ipa_sudorule_association_table_widget({
 'id': that.entity_name+'-runasuser_group',
-'name': 'runasuser_group', 'label': 'Groups', 'category': category,
+'name': 'ipasudorunas_group', 'label': 'Groups', 'category': category,
 'other_entity': 'group', 'add_method': 'add_runasuser', 'remove_method': 'remove_runasuser'
 }));
 
-category = that.create_radio({ name: 'runasgroupcategory', label: 'Run as Group category' });
+category = that.create_radio({ name: 'ipasudorunasgroupcategory', label: 'Run as Group category' });
 that.add_field(ipa_sudorule_association_table_widget({
 'id': that.entity_name+'-runasgroup_group',
-'name': 'runasgroup_group', 'label': 'Groups', 'category': category,
+'name': 'ipasudorunasgroup_group', 'label': 'Groups', 'category': category,
 'other_entity': 'group', 'add_method': 'add_runasgroup', 'remove_method': 'remove_runasgroup'
 }));
 
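
Review bot: the 'name' values in that.init() move to the ipasudorunas* attribute names, but the 'id' values on the same widgets stay on the old scheme, and the first one reads '-runasruser_user' with a stray 'r'. If anything looks these widgets up by id, rename the ids in this patch as well; if not, at least fix the typo while the neighbouring lines are being changed.
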
@@ -665,11 +665,11 @@ function ipa_sudorule_details_runas_section(spec){
 
 if (that.template) return;
 
-var span = $('', { 'name': 'runasusercategory' }).appendTo(container);
+var span = $('', { 'name': 'ipasudorunasusercategory' }).appendTo(container);
 
 $('', {
 'type': 'radio',
-'name': 'runasusercategory',
+'name': 'ipasudorunasusercategory',
 'value': 'all'
 }).appendTo(span);
 
@@ -677,7 +677,7 @@ function ipa_sudorule_details_runas_section(spec){
 
 $('', {
 'type': 'radio',
-'name': 'runasu

[Freeipa-devel] [PATCH] SUDO run-as adjustments.

2011-01-05 Thread Endi Sukma Dewata
Hi,

This patch partially fixes this bug:
https://fedorahosted.org/freeipa/ticket/534

The SUDO details page has been modified to match the attribute
names for run-as attributes.

--
Endi S. Dewata



[Freeipa-devel] [PATCH] Fixed SUDO dialog boxes.

2011-01-05 Thread Endi Sukma Dewata
Hi,

This patch should fix the following bug:
https://fedorahosted.org/freeipa/ticket/656

The dialog boxes for SUDO details page have been modified
to generate the HTML code by default.

--
Endi S. Dewata

From afed2df4634eb96be043d7a2b290d5d016f484d9 Mon Sep 17 00:00:00 2001
From: Endi Sukma Dewata 
Date: Tue, 4 Jan 2011 13:50:40 -0500
Subject: [PATCH] Fixed SUDO dialog boxes.

The dialog boxes for SUDO details page have been modified
to generate the HTML code by default.
---
 install/static/layouts/default/Makefile.am |5 +
 .../layouts/default/sudorule-user-dialog.html  |2 +-
 install/static/sudorule.js |   96 +++-
 3 files changed, 100 insertions(+), 3 deletions(-)

diff --git a/install/static/layouts/default/Makefile.am b/install/static/layouts/default/Makefile.am
index 904fad171fd6c5e1a460b505ba99aefb1cab6dac..ca57a653975b57b0bd57126ec04544cf6bec982c 100644
--- a/install/static/layouts/default/Makefile.am
+++ b/install/static/layouts/default/Makefile.am
@@ -13,6 +13,11 @@ app_DATA =  \
 	hbac-details-service.html	\
 	hbac-details-sourcehost.html	\
 	hbac-details-user.html		\
+	sudorule-details-general.html	\
+	sudorule-group-dialog.html	\
+	sudorule-host-dialog.html	\
+	sudorule-hostgroup-dialog.html	\
+	sudorule-user-dialog.html	\
 	$(NULL)
 
 EXTRA_DIST =\
diff --git a/install/static/layouts/default/sudorule-user-dialog.html b/install/static/layouts/default/sudorule-user-dialog.html
index c40b97594ea0192140a55685880355a36880c3cc..78687cead60d94c667d386162b8ac5b7dbc96654 100755
--- a/install/static/layouts/default/sudorule-user-dialog.html
+++ b/install/static/layouts/default/sudorule-user-dialog.html
@@ -1,7 +1,7 @@
 
 
 
-SAdder Dialog
+Adder Dialog
 
 
 
diff --git a/install/static/sudorule.js b/install/static/sudorule.js
index c314ccd0b047fdec59498434fe457cc85faa1aac..3ee42c9be9d36425ea9f641c5d80bd20f277f051 100755
--- a/install/static/sudorule.js
+++ b/install/static/sudorule.js
@@ -750,12 +750,17 @@ function ipa_sudorule_association_table_widget(spec) {
 var label = IPA.metadata[that.other_entity].label;
 var title = 'Add '+label+' to '+that.entity_name+' '+pkey;
 
+var template;
+if (IPA.layout) {
+template = 'sudorule-'+that.other_entity+'-dialog.html #contents';
+}
+
 return ipa_sudorule_association_adder_dialog({
 'title': title,
 'entity_name': that.entity_name,
 'pkey': pkey,
 'other_entity': that.other_entity,
-'template': 'sudorule-'+that.other_entity+'-dialog.html #contents'
+'template': template
 });
 };
 
@@ -775,7 +780,8 @@ function ipa_sudorule_association_adder_dialog(spec) {
 that.create_column({
 name: pkey_name,
 label: IPA.metadata[that.other_entity].label,
-primary_key: true
+primary_key: true,
+width: '200px'
 });
 }
 
@@ -798,6 +804,92 @@ function ipa_sudorule_association_adder_dialog(spec) {
 that.association_adder_dialog_init();
 };
 
+that.create = function() {
+
+// do not call that.dialog_create();
+
+var search_panel = $('', {
+'class': 'adder-dialog-filter'
+}).appendTo(that.container);
+
+$('', {
+type: 'text',
+name: 'filter',
+style: 'width: 244px'
+}).appendTo(search_panel);
+
+search_panel.append(' ');
+
+$('', {
+type: 'button',
+name: 'find',
+value: 'Find'
+}).appendTo(search_panel);
+
+var results_panel = $('', {
+'class': 'adder-dialog-results'
+}).appendTo(that.container);
+
+var available_panel = $('', {
+name: 'available',
+'class': 'adder-dialog-internal'
+}).appendTo(results_panel);
+
+$('', {
+html: 'Available',
+'class': 'ui-widget-header'
+}).appendTo(available_panel);
+
+that.available_table.create(available_panel);
+
+var buttons_panel = $('', {
+name: 'buttons',
+'class': 'adder-dialog-buttons'
+}).appendTo(results_panel);
+
+var p = $('').appendTo(buttons_panel);
+$('', {
+type: 'button',
+name: 'remove',
+value: '<<'
+}).appendTo(p);
+
+p = $('').appendTo(buttons_panel);
+$('', {
+type: 'button',
+name: 'add',
+value: '>>'
+}).appendTo(p);
+
+var selected_panel = $('', {
+name: 'selected',
+'class': 'adder-dialog-selected'
+}).appendTo(results_panel);
+
+$('', {
+html: 'Prospective',
+'class': 'ui-widget-header'
+}).appendTo(selected_panel);
+
+
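Review bot: the comment `// do not call that.dialog_create();` at the top of `that.create` says what is skipped but not why, and the function then rebuilds the whole dialog by hand (filter box, Find button, Available and Prospective panels, `<<` and `>>` buttons). Please put the reason for bypassing the base implementation in that comment, since any later change to the generic adder dialog will have to be mirrored here. The labels 'Find', 'Available' and 'Prospective' and the inline `style: 'width: 244px'` are also hard-coded, while the dialog title earlier in this file takes its text from `IPA.metadata`; the labels could come from a similar source.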

Re: [Freeipa-devel] [PATCHES] [bind-dyndb-ldap] Two patches for minor Coverity issues

2011-01-05 Thread Adam Tkac
On Tue, Jan 04, 2011 at 03:41:12PM -0500, Stephen Gallagher wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
> 
> Patch 0001: Fix missing varargs cleanup
> 
> The CHECK() macro may cause execution to skip down to the cleanup
> tag. If this happens, it would mean that we never called va_end()
> on "backup".
> 
> This patch reorganizes the code slightly to ensure that va_end()
> is always called.
> 
> 
> Patch 0002: Fix potential out-of-bounds write
> 
> If there are exactly LD_MAX_SPLITS entries resulting from this
> split, the mandatory trailing NULL entry will be written to one
> entry past the end of the static array of LD_MAX_SPLITS size.

Both patches look fine to me, ack. Please push them.

Regards, Adam

> - -- 
> Stephen Gallagher
> RHCE 804006346421761
> 
> Delivering value year after year.
> Red Hat ranks #1 in value among software vendors.
> http://www.redhat.com/promo/vendor/
> -BEGIN PGP SIGNATURE-
> Version: GnuPG v1.4.11 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
> 
> iEYEARECAAYFAk0jhegACgkQeiVVYja6o6PGlwCgnO1jSmW1VhO3kJh3C818655M
> DaEAoK5b0f4VLiRkkKgMaJnGrjRoHv9+
> =XJeu
> -END PGP SIGNATURE-

> From 4cc3a923c1e26ac4c286afd47df1d823920ef56b Mon Sep 17 00:00:00 2001
> From: Stephen Gallagher 
> Date: Tue, 4 Jan 2011 15:28:46 -0500
> Subject: [PATCH 1/2] Fix missing varargs cleanup
> 
> The CHECK() macro may cause execution to skip down to the cleanup
> tag. If this happens, it would mean that we never called va_end()
> on "backup".
> 
> This patch reorganizes the code slightly to ensure that va_end()
> is always called.
> ---
>  src/str.c |4 ++--
>  1 files changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/src/str.c b/src/str.c
> index 
> b975aac7ba8c1028a71ac499dfe39530aba4e61f..611ae2028ec06d2e8e9e270eb6a6e0eaa37adcae
>  100644
> --- a/src/str.c
> +++ b/src/str.c
> @@ -431,16 +431,16 @@ str_vsprintf(ld_string_t *dest, const char *format, 
> va_list ap)
>   CHECK(str_alloc(dest, len));
>   len = vsnprintf(dest->data, dest->allocated, format, backup);
>   }
> - va_end(backup);
>  
>   if (len < 0) {
>   result = ISC_R_FAILURE;
>   goto cleanup;
>   }
>  
> - return ISC_R_SUCCESS;
> + result = ISC_R_SUCCESS;
>  
>  cleanup:
> + va_end(backup);
>   return result;
>  }
>  
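Review bot: with `va_end(backup)` now under the `cleanup:` label, every path that jumps there must already have initialised `backup`. The hunk does not show the `va_copy()` call, so please confirm that no `CHECK()` or `goto cleanup` earlier in `str_vsprintf()` can run before it; calling `va_end()` on a `va_list` that was never started or copied is undefined behaviour. A short comment at the label stating that `backup` is always valid there would document the invariant.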
> -- 
> 1.7.3.4
> 

> From 93d709e47444ba38c314b4cece980a829c4f23b9 Mon Sep 17 00:00:00 2001
> From: Stephen Gallagher 
> Date: Tue, 4 Jan 2011 15:33:02 -0500
> Subject: [PATCH 2/2] Fix potential out-of-bounds write
> 
> If there are exactly LD_MAX_SPLITS entries resulting from this
> split, the mandatory trailing NULL entry will be written to one
> entry past the end of the static array of LD_MAX_SPLITS size.
> ---
>  src/str.c |2 +-
>  1 files changed, 1 insertions(+), 1 deletions(-)
> 
> diff --git a/src/str.c b/src/str.c
> index 
> 611ae2028ec06d2e8e9e270eb6a6e0eaa37adcae..56faa12dce3c7c7bde59d947b69907b9f63d315d
>  100644
> --- a/src/str.c
> +++ b/src/str.c
> @@ -570,7 +570,7 @@ str_split(const ld_string_t *src, const char delimiter, 
> ld_split_t *split)
>   current_pos = 0;
>   save = 1;
>   for (unsigned int i = 0;
> -  i < split->allocated && current_pos < LD_MAX_SPLITS;
> +  i < split->allocated && current_pos < LD_MAX_SPLITS - 1;
>i++) {
>   if (save && split->data[i] != '\0') {
>   split->splits[current_pos] = split->data + i;
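Review bot: the new bound `current_pos < LD_MAX_SPLITS - 1` depends on the last slot being reserved for the trailing NULL, but nothing at the loop says so; a comment on the condition would keep someone from "correcting" the `- 1` later. The loop also stops silently once the limit is reached, so input with more fields than fit is truncated without the caller knowing. Consider returning an error or logging in that case.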
> -- 
> 1.7.3.4
> 



> ___
> Freeipa-devel mailing list
> Freeipa-devel@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel


-- 
Adam Tkac, Red Hat, Inc.
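
The off-by-one described in patch 2/2 above, as an added example that is not code from bind-dyndb-ldap: `MAX_SPLITS`, `struct split` and `split_fields` are hypothetical stand-ins, and the array carries one spare slot so the pre-patch loop bound can be run without undefined behaviour. The function returns the index at which the trailing NULL lands.

```c
#include <stddef.h>
#include <string.h>

#define MAX_SPLITS 4            /* hypothetical stand-in for LD_MAX_SPLITS */

struct split {
    char data[64];                  /* copy of the input; delimiters become '\0' */
    char *splits[MAX_SPLITS + 1];   /* one spare slot, only so the pre-patch
                                       bound can be demonstrated safely */
};

/*
 * Split src on delim, storing at most `bound` field pointers, then write the
 * terminating NULL. Returns the index the NULL was written to, or -1 if the
 * input or the bound does not fit. An array of exactly MAX_SPLITS entries is
 * only safe when the returned index is <= MAX_SPLITS - 1.
 */
int split_fields(struct split *s, const char *src, char delim, size_t bound)
{
    size_t n = strlen(src);
    size_t pos = 0;
    int save = 1;

    if (n >= sizeof(s->data) || bound > MAX_SPLITS)
        return -1;
    memcpy(s->data, src, n + 1);
    for (size_t i = 0; i < n; i++)
        if (s->data[i] == delim)
            s->data[i] = '\0';

    for (size_t i = 0; i < n && pos < bound; i++) {
        if (save && s->data[i] != '\0') {
            s->splits[pos++] = s->data + i;   /* start of a new field */
            save = 0;
        } else if (s->data[i] == '\0') {
            save = 1;                         /* next non-NUL byte starts a field */
        }
    }
    s->splits[pos] = NULL;                    /* mandatory trailing NULL */
    return (int)pos;
}
```

With the bound `MAX_SPLITS` and an input of exactly `MAX_SPLITS` fields, the returned index equals `MAX_SPLITS`, which is one past the end of an array declared with `MAX_SPLITS` entries; with `MAX_SPLITS - 1` it stays inside.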



[Freeipa-devel] [PATCH] Make it impossible to add an object as a member of itself in webUI.

2011-01-05 Thread Pavel Zuna

Ticket #700

Pavel
From 793314369f6587fa1819a17bb0b196e09939c3f3 Mon Sep 17 00:00:00 2001
From: Pavel Zuna 
Date: Wed, 5 Jan 2011 09:31:02 -0500
Subject: [PATCH] Make it impossible to add an object as a member of itself in webUI.

Ticket #700
---
 install/static/associate.js |5 -
 1 files changed, 4 insertions(+), 1 deletions(-)

diff --git a/install/static/associate.js b/install/static/associate.js
index 6517cca..60e7c09 100644
--- a/install/static/associate.js
+++ b/install/static/associate.js
@@ -164,9 +164,12 @@ function ipa_association_adder_dialog(spec) {
 var results = data.result;
 that.clear_available_values();
 
+var pkey_attr = IPA.metadata[that.entity_name].primary_key;
+
 for (var i=0; i___
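Review bot: the diffstat lists only `install/static/associate.js`, so the self-membership check lives in the adder dialog alone. Filtering the entry out of the available list stops the web UI from offering it, but a request that does not go through this dialog is not covered by the patch; the commit message should say whether the server rejects an object being added as its own member, or reference the change that does. The lookup `IPA.metadata[that.entity_name].primary_key` also assumes metadata for the entity is present, which is worth a guard if that is not guaranteed at this point.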