[Freeipa-devel] [PATCH] Disable renaming to empty string
So far it was possible to rename any object using LDAPUpdate to a name with empty primary key. Since this can cause nasty problems, this patch disables empty string in --rename argument. https://fedorahosted.org/freeipa/ticket/827 Jan From 5d2eb85af1df7c20049e7fdc05e6a529a2b2839b Mon Sep 17 00:00:00 2001 From: Jan Zeleny jzel...@redhat.com Date: Mon, 24 Jan 2011 03:24:05 -0500 Subject: [PATCH] Disable renaming to empty string So far it was possible to rename any object using LDAPUpdate to a name with empty primary key. Since this can cause nasty problems, this patch disables empty string in --rename argument. https://fedorahosted.org/freeipa/ticket/827 --- ipalib/plugins/baseldap.py |2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py index e7ccb7724ff39a115c8931c7829d4352c3e0c691..1ef1af56947c5d0f90088b9ba2be98b8acb0278c 100644 --- a/ipalib/plugins/baseldap.py +++ b/ipalib/plugins/baseldap.py @@ -799,6 +799,8 @@ class LDAPUpdate(LDAPQuery, crud.Update): rdnupdate = False try: if self.obj.rdnattr and 'rename' in options: +if not options['rename']: +raise errors.ValidationError(name='rename', error=u'can\'t be empty') entry_attrs[self.obj.rdnattr] = options['rename'] if self.obj.rdnattr and self.obj.rdnattr in entry_attrs: -- 1.7.3.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
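Review bot: The new guard in LDAPUpdate, if not options['rename']:, is a plain truthiness test, so unless the value is normalized earlier a whitespace-only --rename argument still reaches entry_attrs[self.obj.rdnattr] = options['rename']; consider testing the stripped value instead. As a style point, u"can't be empty" avoids the escaped quote.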
Re: [Freeipa-devel] [PATCH] Disable renaming to empty string
On Mon, 24 Jan 2011 09:38:45 +0100 Jan Zelený jzel...@redhat.com wrote:
> So far it was possible to rename any object using LDAPUpdate to a name with empty primary key. Since this can cause nasty problems, this patch disables empty string in --rename argument.
>
> https://fedorahosted.org/freeipa/ticket/827

ack

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-devel] [PATCH] 039 Delete the whole DNS record with no parameters
On 01/22/2011 02:28 AM, Adam Young wrote:
> Does any of this imply that we should change the WebUI handling of Zone or Record deletes?

Sorry, I don't know enough about the WebUI to give an authoritative answer. I'll try to summarize the changes I did, if it doesn't answer your question, please catch me on IRC :-)

The only change to the API is a new option del_all that specifies that the caller wants to delete the whole DNS record. Calling dnsrecord-add and dnsrecord-del with no options is now disallowed. See my reply to Rob's email for more details.

The return value of dnsrecord-del changed for the case the whole record is deleted - now it returns the same value other -del commands do, which in the Python CLI world is a dictionary that contains entries we failed to delete.

Jakub
Re: [Freeipa-devel] [PATCH] Make ipa permission-add ask for optional attributes
Jan Zelený wrote:
> Rob Crittenden rcrit...@redhat.com wrote:
>> Jan Zeleny wrote:
>>> Either one of type, filter, subtree, targetgroup, attrs or memberof is required.
>>>
>>> https://fedorahosted.org/freeipa/ticket/819
>>>
>>> Jan
>>
>> Do you think the prompt should be annotated somehow to indicate that the optional attributes are optional? I've been wondering about this since I added alwaysask for managing permissions, it isn't very clear that you don't have to enter something.
>>
>> I'm not sure how we would do it, a *, or some other indicator?
>>
>> rob
>
> That's definitely a good idea, but if we will use *, I think it should be present for required arguments, otherwise it might be confusing - on the web * usually marks required fields. From this point of view square brackets are used to indicate something is optional, so about something like [Subtree]:?
>
> Jan

Yes, that sounds perfect. I filed ticket https://fedorahosted.org/freeipa/ticket/832

rob
Re: [Freeipa-devel] [PATCH] 039 Delete the whole DNS record with no parameters
On 01/24/2011 09:51 AM, Jakub Hrozek wrote:
> Sorry, I don't know enough about the WebUI to give an authoritative answer. I'll try to summarize the changes I did, if it doesn't answer your question, please catch me on IRC :-)
>
> The only change to the API is a new option del_all that specifies that the caller wants to delete the whole DNS record. Calling dnsrecord-add and dnsrecord-del with no options is now disallowed. See my reply to Rob's email for more details.
>
> The return value of dnsrecord-del changed for the case the whole record is deleted - now it returns the same value other -del commands do, which in the Python CLI world is a dictionary that contains entries we failed to delete.

I think that this won't change anything UI based. If you want to delete all of the records for a given Zone, you would just select all of them in the UI, so it would be an exhaustive list. To select them all, we have UI control that toggles all of the checkmarks.
[Freeipa-devel] OpenSSL CA complains that CSR from --external-ca missing mandatory Country field.
I'm not sure if this is a user error or a bug. I didn't see a way to tell OpenSSL to not require that Country be in the CSR.

Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
organizationName :PRINTABLE:'MYREALM.COM'
commonName:PRINTABLE:'Certificate Authority'
The mandatory countryName field was missing

I didn't see anything in Trac regarding this.
Re: [Freeipa-devel] OpenSSL CA complains that CSR from --external-ca missing mandatory Country field.
Jeff B wrote:
> I'm not sure if this is a user error or a bug. I didn't see a way to tell OpenSSL to not require that Country be in the CSR.
>
> Check that the request matches the signature
> Signature ok
> The Subject's Distinguished Name is as follows
> organizationName :PRINTABLE:'MYREALM.COM'
> commonName:PRINTABLE:'Certificate Authority'
> The mandatory countryName field was missing
>
> I didn't see anything in Trac regarding this.

I don't know a ton about OpenSSL but I think it is because the default configuration file, /etc/pki/tls/openssl.cnf, requires country. You should be able to provide your own config file to the openssl commands.

rob
Re: [Freeipa-devel] OpenSSL CA complains that CSR from --external-ca missing mandatory Country field.
On Mon, Jan 24, 2011 at 10:38 AM, Jeff B jeffb.l...@gmail.com wrote:
> You are right. I changed:
>
> [ policy_match ]
> countryName = match
> stateOrProvinceName = match
> organizationName = match
> organizationalUnitName = optional
> commonName = supplied
> emailAddress = optional
>
> to
>
> [ policy_match ]
> countryName = optional
> stateOrProvinceName = optional
> organizationName = supplied
> organizationalUnitName = optional
> commonName = supplied
> emailAddress = optional
>
> Aside from the Country and State missing, it also complained that the organizationName didn't match the org name of my CA so I had to change the 3rd line from match to supplied.
>
> On Mon, Jan 24, 2011 at 10:26 AM, Rob Crittenden rcrit...@redhat.com wrote:
>> Jeff B wrote:
>>> I'm not sure if this is a user error or a bug. I didn't see a way to tell OpenSSL to not require that Country be in the CSR.
>>>
>>> Check that the request matches the signature
>>> Signature ok
>>> The Subject's Distinguished Name is as follows
>>> organizationName :PRINTABLE:'MYREALM.COM'
>>> commonName :PRINTABLE:'Certificate Authority'
>>> The mandatory countryName field was missing
>>>
>>> I didn't see anything in Trac regarding this.
>>
>> I don't know a ton about OpenSSL but I think it is because the default configuration file, /etc/pki/tls/openssl.cnf, requires country. You should be able to provide your own config file to the openssl commands.
>>
>> rob
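The effect of the policy change in the message above, as an added example that is not part of the original thread: a small Python model of how an openssl ca policy section treats a request subject (match, supplied, optional), run on the two [ policy_match ] versions quoted there. The CA subject is a constructed placeholder and the function names are hypothetical; unlike OpenSSL, which stops at the first failed field, the model reports every failed field.

```python
# Rules ordered from loosest to strictest, used to compare two policies.
RULES = ("optional", "supplied", "match")

# The two versions of [ policy_match ] quoted in the message above.
ORIGINAL_POLICY = """
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
"""

RELAXED_POLICY = """
[ policy_match ]
countryName = optional
stateOrProvinceName = optional
organizationName = supplied
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
"""

# Subject of the CSR as printed in the first message of the thread.
CSR_SUBJECT = {"organizationName": "MYREALM.COM",
               "commonName": "Certificate Authority"}

# Constructed CA subject (placeholder values, not taken from the thread).
CA_SUBJECT = {"countryName": "US",
              "stateOrProvinceName": "Example State",
              "organizationName": "Example Signing CA",
              "commonName": "Example Root"}


def parse_policy(text):
    """Parse 'field = rule' lines of a policy section into an ordered list."""
    policy = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("["):
            continue
        name, sep, rule = (part.strip() for part in line.partition("="))
        if sep != "=" or rule not in RULES:
            raise ValueError("unrecognized policy line: %r" % raw)
        policy.append((name, rule))
    return policy


def evaluate(policy, ca_subject, csr_subject):
    """Return (violations, issued_subject) for a request under a policy.

    match    - field must be present and equal to the CA certificate's value
    supplied - field must be present, any value
    optional - field may be present or absent
    Fields the policy does not name are left out of the issued subject,
    which follows the order of the policy section.
    """
    violations, issued = [], []
    for name, rule in policy:
        value = csr_subject.get(name)
        if value is None:
            if rule != "optional":
                violations.append((name, "missing"))
            continue
        if rule == "match" and value != ca_subject.get(name):
            violations.append((name, "mismatch"))
            continue
        issued.append((name, value))
    return violations, (issued if not violations else None)


def loosened(old, new):
    """List (field, old_rule, new_rule) where the new policy checks less."""
    new_rules = dict(new)
    changes = []
    for name, old_rule in old:
        # A field missing from the new policy is not checked at all.
        new_rule = new_rules.get(name, "optional")
        if RULES.index(new_rule) < RULES.index(old_rule):
            changes.append((name, old_rule, new_rule))
    return changes


if __name__ == "__main__":
    before = parse_policy(ORIGINAL_POLICY)
    after = parse_policy(RELAXED_POLICY)
    print("original policy:", evaluate(before, CA_SUBJECT, CSR_SUBJECT))
    print("relaxed policy: ", evaluate(after, CA_SUBJECT, CSR_SUBJECT))
    print("loosened fields:", loosened(before, after))
```

The relaxed rules apply to every request signed with this section, so keeping them in a separate config file, as suggested earlier in the thread, leaves the CA's default policy unchanged.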
[Freeipa-devel] [PATCH] fix doctest
I pushed this under the 1-liner rule, it fixes a doctest failure. rob From 76cbd48896bc8953fdd7abf4afd797ffb6cbfc92 Mon Sep 17 00:00:00 2001 From: Rob Crittenden rcrit...@redhat.com Date: Mon, 24 Jan 2011 10:41:20 -0500 Subject: [PATCH] Fix exception doctest failure --- ipalib/errors.py |4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ipalib/errors.py b/ipalib/errors.py index faa9e81..20cd52b 100644 --- a/ipalib/errors.py +++ b/ipalib/errors.py @@ -1353,10 +1353,10 @@ class BadSearchFilter(ExecutionError): For example: - raise BadSearchFilter(info='') + raise BadSearchFilter(info='invalid syntax') Traceback (most recent call last): ... -BadSearchFilter: Bad search filter +BadSearchFilter: Bad search filter invalid syntax errno = 4209 -- 1.7.3.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
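Review bot: In the updated BadSearchFilter doctest the expected line reads "BadSearchFilter: Bad search filter invalid syntax", with the info text run straight onto the fixed message. A separator in the format string (for example "Bad search filter: invalid syntax") would make the error easier to read, and the doctest would then pin that form.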
[Freeipa-devel] [PATCH] 688 fix some unit tests
It looks like python 2.7 changed the API of time.utcoffset(), this should fix the tests. We have recently relaxed what input a Str will take, the tests need to be updated to accomodate. rob From 459b204be01bd57ba2420a269b3a9702dfc22a3c Mon Sep 17 00:00:00 2001 From: Rob Crittenden rcrit...@redhat.com Date: Mon, 24 Jan 2011 10:43:59 -0500 Subject: [PATCH] Fix failed tests. API for utcoffset changed and strings are more robust. In Python 2.7 the API for time.utcoffset() changed. We do more automatic conversions of strings so need to loosen the tests a bit. --- ipapython/test/test_ipautil.py |8 tests/test_ipalib/test_parameters.py |7 --- 2 files changed, 8 insertions(+), 7 deletions(-) diff --git a/ipapython/test/test_ipautil.py b/ipapython/test/test_ipautil.py index ef1afd3..ff9f282 100644 --- a/ipapython/test/test_ipautil.py +++ b/ipapython/test/test_ipautil.py @@ -275,7 +275,7 @@ class TestTimeParser(unittest.TestCase): time = ipautil.parse_generalized_time(timestr) self.assertEqual(0, time.tzinfo.houroffset) self.assertEqual(0, time.tzinfo.minoffset) -offset = time.tzinfo.utcoffset() +offset = time.tzinfo.utcoffset(time.tzinfo.dst()) self.assertEqual(0, offset.seconds) timestr = 20051213141205+0500 @@ -283,7 +283,7 @@ class TestTimeParser(unittest.TestCase): time = ipautil.parse_generalized_time(timestr) self.assertEqual(5, time.tzinfo.houroffset) self.assertEqual(0, time.tzinfo.minoffset) -offset = time.tzinfo.utcoffset() +offset = time.tzinfo.utcoffset(time.tzinfo.dst()) self.assertEqual(5 * 60 * 60, offset.seconds) timestr = 20051213141205-0500 @@ -293,7 +293,7 @@ class TestTimeParser(unittest.TestCase): self.assertEqual(0, time.tzinfo.minoffset) # NOTE - the offset is always positive - it's minutes #_east_ of UTC -offset = time.tzinfo.utcoffset() +offset = time.tzinfo.utcoffset(time.tzinfo.dst()) self.assertEqual((24 - 5) * 60 * 60, offset.seconds) timestr = 20051213141205-0930 
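Review bot: In the TestTimeParser hunks, time.tzinfo.utcoffset(time.tzinfo.dst()) passes the result of dst() as the argument of utcoffset(), which in the tzinfo interface is the datetime being queried (or None), and dst() itself is still called with no argument. Passing the parsed value, time.tzinfo.utcoffset(time), or calling time.utcoffset() states the intent and does not depend on what dst() returns.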
@@ -301,7 +301,7 @@ class TestTimeParser(unittest.TestCase): time = ipautil.parse_generalized_time(timestr) self.assertEqual(-9, time.tzinfo.houroffset) self.assertEqual(-30, time.tzinfo.minoffset) -offset = time.tzinfo.utcoffset() +offset = time.tzinfo.utcoffset(time.tzinfo.dst()) self.assertEqual(((24 - 9) * 60 * 60) - (30 * 60), offset.seconds) diff --git a/tests/test_ipalib/test_parameters.py b/tests/test_ipalib/test_parameters.py index fd9880d..e90a262 100644 --- a/tests/test_ipalib/test_parameters.py +++ b/tests/test_ipalib/test_parameters.py @@ -33,6 +33,7 @@ from ipalib import parameters, request, errors, config from ipalib.constants import TYPE_ERROR, CALLABLE_ERROR, NULLS from ipalib.errors import ValidationError from ipalib import _ +from xmlrpclib import MAXINT class test_DefaultFrom(ClassChecker): @@ -921,7 +922,7 @@ class test_Str(ClassChecker): mthd = o._convert_scalar for value in (u'Hello', 42, 1.2, unicode_str): assert mthd(value) == unicode(value) -bad = [True, 'Hello', dict(one=1), utf8_bytes] +bad = [True, dict(one=1)] for value in bad: e = raises(errors.ConversionError, mthd, value) assert e.name == 'my_str' @@ -1164,7 +1165,7 @@ class test_Int(ClassChecker): assert o.type is int assert isinstance(o, parameters.Int) assert o.minvalue is None -assert o.maxvalue is None +assert o.maxvalue == int(MAXINT) # Test when min max: e = raises(ValueError, self.cls, 'my_number', minvalue=22, maxvalue=15) @@ -1233,7 +1234,7 @@ class test_Int(ClassChecker): o = self.cls('my_number') # Assure invalid inputs raise error -for bad in ['hello', u'hello', True, None, '10', u'', u'.']: +for bad in ['hello', u'hello', True, None, u'', u'.']: e = raises(errors.ConversionError, o._convert_scalar, bad) assert e.name == 'my_number' assert e.index is None -- 1.7.3.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
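Review bot: In test_Str and test_Int the values 'Hello', utf8_bytes and '10' are only removed from the bad lists, so nothing asserts what they now convert to. Since the point of the change is that these inputs are accepted, add positive checks next to the existing ones, for example that o._convert_scalar('10') returns the expected integer and that mthd('Hello') returns the unicode value.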
[Freeipa-devel] [PATCH] 689 make deepcopy of objectclasses
In the host plugin we modify the default set of objectclasses depending on what kind of host we're creating. This was actually updating the objectclass of the object itself so that the objectclass variable was storing duplicate objectclasses (because we sometimes append values). Make a deepcopy instead. I also re-ordered some values in the host plugin to match what the unit tests expect. It was easier to change in one place than many and have the same result :-) rob From 459b204be01bd57ba2420a269b3a9702dfc22a3c Mon Sep 17 00:00:00 2001 From: Rob Crittenden rcrit...@redhat.com Date: Mon, 24 Jan 2011 10:43:59 -0500 Subject: [PATCH] Fix failed tests. API for utcoffset changed and strings are more robust. In Python 2.7 the API for time.utcoffset() changed. We do more automatic conversions of strings so need to loosen the tests a bit. --- ipapython/test/test_ipautil.py |8 tests/test_ipalib/test_parameters.py |7 --- 2 files changed, 8 insertions(+), 7 deletions(-) diff --git a/ipapython/test/test_ipautil.py b/ipapython/test/test_ipautil.py index ef1afd3..ff9f282 100644 --- a/ipapython/test/test_ipautil.py +++ b/ipapython/test/test_ipautil.py @@ -275,7 +275,7 @@ class TestTimeParser(unittest.TestCase): time = ipautil.parse_generalized_time(timestr) self.assertEqual(0, time.tzinfo.houroffset) self.assertEqual(0, time.tzinfo.minoffset) -offset = time.tzinfo.utcoffset() +offset = time.tzinfo.utcoffset(time.tzinfo.dst()) self.assertEqual(0, offset.seconds) timestr = 20051213141205+0500 @@ -283,7 +283,7 @@ class TestTimeParser(unittest.TestCase): time = ipautil.parse_generalized_time(timestr) self.assertEqual(5, time.tzinfo.houroffset) self.assertEqual(0, time.tzinfo.minoffset) -offset = time.tzinfo.utcoffset() +offset = time.tzinfo.utcoffset(time.tzinfo.dst()) self.assertEqual(5 * 60 * 60, offset.seconds) timestr = 20051213141205-0500 
@@ -293,7 +293,7 @@ class TestTimeParser(unittest.TestCase): self.assertEqual(0, time.tzinfo.minoffset) # NOTE - the offset is always positive - it's minutes #_east_ of UTC -offset = time.tzinfo.utcoffset() +offset = time.tzinfo.utcoffset(time.tzinfo.dst()) self.assertEqual((24 - 5) * 60 * 60, offset.seconds) timestr = 20051213141205-0930 @@ -301,7 +301,7 @@ class TestTimeParser(unittest.TestCase): time = ipautil.parse_generalized_time(timestr) self.assertEqual(-9, time.tzinfo.houroffset) self.assertEqual(-30, time.tzinfo.minoffset) -offset = time.tzinfo.utcoffset() +offset = time.tzinfo.utcoffset(time.tzinfo.dst()) self.assertEqual(((24 - 9) * 60 * 60) - (30 * 60), offset.seconds) diff --git a/tests/test_ipalib/test_parameters.py b/tests/test_ipalib/test_parameters.py index fd9880d..e90a262 100644 --- a/tests/test_ipalib/test_parameters.py +++ b/tests/test_ipalib/test_parameters.py @@ -33,6 +33,7 @@ from ipalib import parameters, request, errors, config from ipalib.constants import TYPE_ERROR, CALLABLE_ERROR, NULLS from ipalib.errors import ValidationError from ipalib import _ +from xmlrpclib import MAXINT class test_DefaultFrom(ClassChecker): @@ -921,7 +922,7 @@ class test_Str(ClassChecker): mthd = o._convert_scalar for value in (u'Hello', 42, 1.2, unicode_str): assert mthd(value) == unicode(value) -bad = [True, 'Hello', dict(one=1), utf8_bytes] +bad = [True, dict(one=1)] for value in bad: e = raises(errors.ConversionError, mthd, value) assert e.name == 'my_str' @@ -1164,7 +1165,7 @@ class test_Int(ClassChecker): assert o.type is int assert isinstance(o, parameters.Int) assert o.minvalue is None -assert o.maxvalue is None +assert o.maxvalue == int(MAXINT) # Test when min max: e = raises(ValueError, self.cls, 'my_number', minvalue=22, maxvalue=15) 
@@ -1233,7 +1234,7 @@ class test_Int(ClassChecker): o = self.cls('my_number') # Assure invalid inputs raise error -for bad in ['hello', u'hello', True, None, '10', u'', u'.']: +for bad in ['hello', u'hello', True, None, u'', u'.']: e = raises(errors.ConversionError, o._convert_scalar, bad) assert e.name == 'my_number' assert e.index is None -- 1.7.3.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 689 make deepcopy of objectclasses
Jakub Hrozek wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 01/24/2011 04:50 PM, Rob Crittenden wrote: In the host plugin we modify the default set of objectclasses depending on what kind of host we're creating. This was actually updating the objectclass of the object itself so that the objectclass variable was storing duplicate objectclasses (because we sometimes append values). Make a deepcopy instead. I also re-ordered some values in the host plugin to match what the unit tests expect. It was easier to change in one place than many and have the same result :-) rob I think you sent a wrong patch (688, should have been 689) Ok, here goes. rob From 2512a94629e55e3693ec9b348fff09866f21585d Mon Sep 17 00:00:00 2001 From: Rob Crittenden rcrit...@redhat.com Date: Mon, 24 Jan 2011 10:46:44 -0500 Subject: [PATCH] Make a copy of objectclasses so a call can't update them globally. In the host plugin we may change the default objectclasses based on the options selected. This was affecting it globally and causing subsequent calls to fail. --- ipalib/plugins/baseldap.py |3 ++- ipalib/plugins/host.py |8 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py index e7ccb77..27e543d 100644 --- a/ipalib/plugins/baseldap.py +++ b/ipalib/plugins/baseldap.py @@ -23,6 +23,7 @@ Base classes for LDAP plugins. import re import json import time +from copy import deepcopy from ipalib import api, crud, errors from ipalib import Method, Object @@ -504,7 +505,7 @@ class LDAPCreate(CallbackInterface, crud.Create): ldap = self.obj.backend entry_attrs = self.args_options_2_entry(*keys, **options) -entry_attrs['objectclass'] = self.obj.object_class +entry_attrs['objectclass'] = deepcopy(self.obj.object_class) if self.obj.object_class_config: config = ldap.get_ipa_config()[1] diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py index 6947d90..3225a78 100644 --- a/ipalib/plugins/host.py +++ b/ipalib/plugins/host.py 
@@ -323,15 +323,15 @@ class host_add(LDAPCreate): entry_attrs['krbprincipalname'] = 'host/%s@%s' % ( keys[-1], self.api.env.realm ) +if 'krbprincipalaux' not in entry_attrs: +entry_attrs['objectclass'].append('krbprincipalaux') if 'krbprincipal' not in entry_attrs: entry_attrs['objectclass'].append('krbprincipal') -if 'krbprincipal' not in entry_attrs: -entry_attrs['objectclass'].append('krbprincipalaux') else: -if 'krbprincipal' in entry_attrs['objectclass']: -entry_attrs['objectclass'].remove('krbprincipal') if 'krbprincipalaux' in entry_attrs['objectclass']: entry_attrs['objectclass'].remove('krbprincipalaux') +if 'krbprincipal' in entry_attrs['objectclass']: +entry_attrs['objectclass'].remove('krbprincipal') if 'random' in options: if options.get('random'): entry_attrs['userpassword'] = ipa_generate_password() -- 1.7.3.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
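Review bot: In the host_add hunk both new conditions test the entry dict, if 'krbprincipalaux' not in entry_attrs: and if 'krbprincipal' not in entry_attrs:, while the else branch tests entry_attrs['objectclass']. Unless the entry has attributes with those names the conditions are always true, so the append runs even when the objectclass is already in the list; they should test entry_attrs['objectclass'] as the removals do.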
Re: [Freeipa-devel] [PATCH] 688 fix some unit tests
On 01/24/2011 04:46 PM, Rob Crittenden wrote:
> It looks like python 2.7 changed the API of time.utcoffset(), this should fix the tests.
>
> We have recently relaxed what input a Str will take, the tests need to be updated to accommodate.
>
> rob

Ack
Re: [Freeipa-devel] [PATCH] 689 make deepcopy of objectclasses
On 01/24/2011 04:58 PM, Rob Crittenden wrote:
> Jakub Hrozek wrote:
>> On 01/24/2011 04:50 PM, Rob Crittenden wrote:
>>> In the host plugin we modify the default set of objectclasses depending on what kind of host we're creating. This was actually updating the objectclass of the object itself so that the objectclass variable was storing duplicate objectclasses (because we sometimes append values). Make a deepcopy instead.
>>>
>>> I also re-ordered some values in the host plugin to match what the unit tests expect. It was easier to change in one place than many and have the same result :-)
>>>
>>> rob
>>
>> I think you sent a wrong patch (688, should have been 689)
>
> Ok, here goes.
>
> rob

Ack
[Freeipa-devel] Results of some testing
Hello,

Here are some issues that I came across during my testing of the latest IPA version on Friday. Please take a look and file tickets as appropriate.

1) Can't bail out from the install

Start IPA install without any command line parameters. At any prompt try to stop installation by pressing Ctrl+C. You are still at the prompt and there is no way to abort installation. This can be an ER.

2) For the unattended install with -U the -u is listed as required option

  -u, --user=DS_USER The user that the Directory Server will run as

Why is it required if the interactive install never asks for it? IMO a bug.

3) When adding service in UI via popup it does not automatically append realm to the host when it creates a service principal. IMO a bug.

4) The service status is all messed up and unclear.

After just being added it should be in not provisioned state but this is not what you see. You see as if it is already provisioned. When the service screen is shown it blinks showing a lot of different buttons and statuses before it settles down on the following UI

Please retry. Maybe it is already addressed with latest fixes.

5) The items in the action panel are now black

The links in the action panel that you are supposed to click are now black which is not intuitive since they are clickable links.

6) [dpal@lenovo ~]$ ipa host-add foobar.home --ip-address=1.1.1.1 --no-reverse
ipa: ERROR: The host was added but the DNS update failed with: 1.1.1.in-addr.arpa: DNS zone not found

Should not fail since --no-reverse is specified. I checked. If the zone is there it is added automatically.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
[Freeipa-devel] Problem trying to install --external_cert_file. says system is already configured.
I'm trying to do an ipa-server-install with an --external-ca but after it generates the .csr and I sign a .crt I can't run the followup ipa-server-install to import the certificate. I don't think I'm supposed to run an --uninstall between the --external-ca and the --external_cert_file installations but I'm not sure.

Here is what I'm getting:

[root@ipa0 ~]# ipa-server-install --setup-dns --forwarder=10.0.0.53 10.0.1.53 -U -p -a -u dirsrv -r MYREALM.COM --external-ca

The log file for this installation can be found in /var/log/ipaserver-install.log
==
This program will set up the FreeIPA Server.

This includes:
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)

To accept the default shown in brackets, press the Enter key.

Warning: Hostname (ipa0.averesys.com) not found in DNS
The domain name has been calculated based on the host name.

The IPA Master Server will be configured with
Hostname:ipa0.myrealm.com
IP address: 10.0.0.11
Domain name: myrealm.com

Configuring ntpd
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
done configuring ntpd.
Configuring directory server for the CA: Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
done configuring pkids.
Configuring certificate server: Estimated time 6 minutes
  [1/4]: creating certificate server user
  [2/4]: creating pki-ca instance
  [3/4]: restarting certificate server
  [4/4]: configuring certificate server instance
The next step is to get /root/ipa.csr signed by your CA and re-run ipa-server-install as:
ipa-server-install --external_cert_file=/path/to/signed_certificate --external_ca_file=/path/to/external_ca_certificate

... Signed the Certificate ...

[root@ipa0 ~]# ipa-server-install --external_cert_file=/root/ipa.crt --external_ca_file=/root/ca.crt

The log file for this installation can be found in /var/log/ipaserver-install.log
IPA server is already configured on this system.

[root@ipa0 ~]# cat /var/log/ipaserver-install.log
2011-01-24 11:36:14,214 DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2011-01-24 11:36:14,309 DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2011-01-24 11:36:14,336 DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
[Freeipa-devel] [PATCH] 0070 Create DNS entries early on
See ticket #833 for a detailed explanation. Simo. -- Simo Sorce * Red Hat, Inc * New York From f74f30aa01a7b3cc669ebf0275ad7e3768ede787 Mon Sep 17 00:00:00 2001 From: Simo Sorce sso...@redhat.com Date: Mon, 24 Jan 2011 11:42:53 -0500 Subject: [PATCH] Create DNS records as early as possible Fixes: https://fedorahosted.org/freeipa/ticket/833 --- install/tools/ipa-replica-install | 19 +++ 1 files changed, 15 insertions(+), 4 deletions(-) diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install index b53ceeea4f7849a67facd46e7fbf3c2203ad7af5..9fca31ff762d3eed56d37e8ca8830667867b8f2b 100755 --- a/install/tools/ipa-replica-install +++ b/install/tools/ipa-replica-install @@ -270,12 +270,18 @@ def install_bind(config, options): def install_dns_records(config, options): -if not bindinstance.dns_container_exists(config.host_name, +if not bindinstance.dns_container_exists(config.master_host_name, util.realm_to_suffix(config.realm_name)): return +# We have to force to connect to the remote master because we do this step +# before our DS server is installed. +cur_uri = api.Backend.ldap2.ldap_uri +object.__setattr__(api.Backend.ldap2, 'ldap_uri', + 'ldaps://%s' % config.master_host_name) api.Backend.ldap2.connect(bind_dn=cn=Directory Manager, - bind_pw=config.dirman_password) + bind_pw=config.dirman_password, + tls_cacertfile=CACERT) bind = bindinstance.BindInstance(dm_password=config.dirman_password) ip_address = resolve_host(config.host_name) if not ip_address: @@ -285,6 +291,10 @@ def install_dns_records(config, options): config.realm_name, config.domain_name, options.conf_ntp) +#set it back to the default +api.Backend.ldap2.disconnect() +object.__setattr__(api.Backend.ldap2, 'ldap_uri', cur_uri) + def check_dirsrv(): serverids = dsinstance.check_existing_installation() if serverids: 
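Review bot: In install_dns_records the ldap_uri of api.Backend.ldap2 is overridden with object.__setattr__ and only restored by the last lines of the function, so an exception from connect() or from the record creation leaves the backend pointing at the master for the rest of the install. Wrap the work in try/finally so that disconnect() and the reset of ldap_uri always run.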
@@ -421,6 +431,9 @@ def main(): # Configure the CA if necessary CA = install_ca(config) +# Always try to install DNS records +install_dns_records(config, options) + # Configure dirsrv ds = install_replica_ds(config) @@ -452,8 +465,6 @@ def main(): if options.setup_dns: install_bind(config, options) -else: -install_dns_records(config, options) # Call client install script try: -- 1.7.3.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
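Review bot: In main() install_dns_records(config, options) is now called unconditionally and the else: branch after install_bind(config, options) is gone, so with options.setup_dns set both functions run where only install_bind did before. The commit message should say whether install_bind tolerates records that already exist, or the early call should be documented as safe to repeat.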
Re: [Freeipa-devel] Results of some testing
Dmitri Pal wrote:
> Hello,
>
> Here are some issues that I came across during my testing of the latest IPA version on Friday. Please take a look and file tickets as appropriate.
>
> 1) Can't bail out from the install
>
> Start IPA install without any command line parameters. At any prompt try to stop installation by pressing Ctrl+C. You are still at the prompt and there is no way to abort installation. This can be an ER.

Was this in a password prompt? I'm thinking that python 2.7 changed their handling.

> 2) For the unattended install with -U the -u is listed as required option
>
>   -u, --user=DS_USER The user that the Directory Server will run as
>
> Why is it required if the interactive install never asks for it? IMO a bug.

It seemed an unnecessary question to prompt for in the UI so we removed it. It should be optional in non-interactive.

> 3) When adding service in UI via popup it does not automatically append realm to the host when it creates a service principal. IMO a bug.

The framework will add the realm automatically if it is not provided. Or are you actually seeing a service created with no realm?

> 4) The service status is all messed up and unclear.
>
> After just being added it should be in not provisioned state but this is not what you see. You see as if it is already provisioned. When the service screen is shown it blinks showing a lot of different buttons and statuses before it settles down on the following UI
>
> Please retry. Maybe it is already addressed with latest fixes.
>
> 5) The items in the action panel are now black
>
> The links in the action panel that you are supposed to click are now black which is not intuitive since they are clickable links.
>
> 6) [dpal@lenovo ~]$ ipa host-add foobar.home --ip-address=1.1.1.1 --no-reverse
> ipa: ERROR: The host was added but the DNS update failed with: 1.1.1.in-addr.arpa: DNS zone not found
>
> Should not fail since --no-reverse is specified. I checked. If the zone is there it is added automatically.
Re: [Freeipa-devel] [PATCH] Modified description of nsaccountlock attribute
Jan Zelený jzel...@redhat.com wrote:
> The original one was misleading, giving the value exactly opposite meaning than it actually was.
>
> https://fedorahosted.org/freeipa/ticket/741
>
> Jan

Just a reminder that this patch still needs a review.

Jan
Re: [Freeipa-devel] [PATCH] Modified description of nsaccountlock attribute
Jan Zeleny jzel...@redhat.com wrote:
> Jan Zelený jzel...@redhat.com wrote:
>> The original one was misleading, giving the value exactly opposite meaning than it actually was.
>>
>> https://fedorahosted.org/freeipa/ticket/741
>>
>> Jan
>
> Just a reminder that this patch still needs a review.
>
> Jan

Never mind, I missed the review from Simo. Sorry for the noise.

Jan
Re: [Freeipa-devel] [PATCH] Changed dns permission types
Jan Zelený jzel...@redhat.com wrote:
Rob Crittenden rcrit...@redhat.com wrote:
Jan Zelený wrote:
Recent change of DNS module to version caused that dns object type was replaced by dnszone and dnsrecord. This patch corrects dns types in permissions class. https://fedorahosted.org/freeipa/ticket/646

Nack. These values need to be added as valid types to the aci plugin and the _type_map needs to be updated. rob

I'm sending an updated patch. Jan

Just a reminder that this patch needs to be reviewed.

Thanks
Jan
Re: [Freeipa-devel] [PATCH] Check field's validity before executing add
On 01/22/2011 07:49 PM, Endi Sukma Dewata wrote:
This should fix this bug: https://fedorahosted.org/freeipa/ticket/660

NACK: Too many false positives: Try adding a user group. Group name works as designed, others do not allow anything through. I think you are not accounting for null validation.
Re: [Freeipa-devel] [PATCH] Added scrollable panel for delete dialog box.
On 01/22/2011 07:46 PM, Endi Sukma Dewata wrote:
This is required by the latest spec. May need further revision.

ACK. As follow on, we need to fix the max size of the delete dialog
Re: [Freeipa-devel] [PATCH] Added spaces around radio buttons.
On 01/22/2011 07:45 PM, Endi Sukma Dewata wrote:
This is required by the latest spec.

ACK
Re: [Freeipa-devel] [PATCH] Added scrollable panel for delete dialog box.
On 01/24/2011 01:29 PM, Adam Young wrote:
On 01/22/2011 07:46 PM, Endi Sukma Dewata wrote:
This is required by the latest spec. May need further revision.

ACK. As follow on, we need to fix the max size of the delete dialog

Pushed to master
Re: [Freeipa-devel] [PATCH] Added spaces around radio buttons.
On 01/24/2011 01:29 PM, Adam Young wrote:
On 01/22/2011 07:45 PM, Endi Sukma Dewata wrote:
This is required by the latest spec.

ACK

Pushed to master
Re: [Freeipa-devel] [PATCH] Removed 'name' from 'Sudo Command Group name'
On 01/24/2011 01:31 PM, Adam Young wrote:
On 01/22/2011 07:46 PM, Endi Sukma Dewata wrote:
This is required by the latest spec.

ACK

Pushed to master
Re: [Freeipa-devel] Problem trying to install --external_cert_file. says system is already configured.
Jeff B wrote:

I'm trying to do an ipa-server-install with an --external-ca but after it generates the .csr and I sign a .crt I can't run the followup ipa-server-install to import the certificate. I don't think I'm supposed to run an --uninstall between the --external-ca and the --external_cert_file installations but I'm not sure.

Here is what I'm getting:

[root@ipa0 ~]# ipa-server-install --setup-dns --forwarder=10.0.0.53 10.0.1.53 -U -p -a -u dirsrv -r MYREALM.COM --external-ca
The log file for this installation can be found in /var/log/ipaserver-install.log
==
This program will set up the FreeIPA Server.
This includes:
* Configure the Network Time Daemon (ntpd)
* Create and configure an instance of Directory Server
* Create and configure a Kerberos Key Distribution Center (KDC)
* Configure Apache (httpd)
* Configure DNS (bind)
To accept the default shown in brackets, press the Enter key.
Warning: Hostname (ipa0.averesys.com) not found in DNS
The domain name has been calculated based on the host name.
The IPA Master Server will be configured with
Hostname:ipa0.myrealm.com
IP address: 10.0.0.11
Domain name: myrealm.com
Configuring ntpd
[1/4]: stopping ntpd
[2/4]: writing configuration
[3/4]: configuring ntpd to start on boot
[4/4]: starting ntpd
done configuring ntpd.
Configuring directory server for the CA: Estimated time 30 seconds
[1/3]: creating directory server user
[2/3]: creating directory server instance
[3/3]: restarting directory server
done configuring pkids.
Configuring certificate server: Estimated time 6 minutes
[1/4]: creating certificate server user
[2/4]: creating pki-ca instance
[3/4]: restarting certificate server
[4/4]: configuring certificate server instance
The next step is to get /root/ipa.csr signed by your CA and re-run ipa-server-install as:
ipa-server-install --external_cert_file=/path/to/signed_certificate --external_ca_file=/path/to/external_ca_certificate

... Signed the Certificate ...

[root@ipa0 ~]# ipa-server-install --external_cert_file=/root/ipa.crt --external_ca_file=/root/ca.crt
The log file for this installation can be found in /var/log/ipaserver-install.log
IPA server is already configured on this system.
[root@ipa0 ~]# cat /var/log/ipaserver-install.log
2011-01-24 11:36:14,214 DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2011-01-24 11:36:14,309 DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2011-01-24 11:36:14,336 DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'

Looks like a bug. You should be able to work around it by commenting out these lines in /usr/sbin/ipa-server-install:

if dsinstance.DsInstance().is_configured() or cainstance.CADSInstance().is_configured():
    sys.exit("IPA server is already configured on this system.")

The python comment is a hash (#).

I opened ticket https://fedorahosted.org/freeipa/ticket/835 to track this.

rob
Re: [Freeipa-devel] [PATCH] 683 block anonymous access to hbac info
JR Aquino wrote:
On 1/20/11 10:05 AM, Rob Crittenden rcrit...@redhat.com wrote:
Simo Sorce wrote:
On Wed, 19 Jan 2011 17:51:56 -0500 Rob Crittenden rcrit...@redhat.com wrote:
+aci: (targetattr = member || memberOf || memberHost || memberUser)(version 3.0; acl No anonymous access to member information; deny (read,search,compare) userdn != ldap:///all;;)

Nack, without 'member', nss_ldap will have no way to determine posixAccount group memberships using anonymous access (the default). Simo.

Ok, dropped member and added an aci for cn=roles. rob

ACK

pushed to master
Re: [Freeipa-devel] [PATCH] 688 fix some unit tests
Jakub Hrozek wrote:
On 01/24/2011 04:46 PM, Rob Crittenden wrote:
It looks like python 2.7 changed the API of time.utcoffset(), this should fix the tests. We have recently relaxed what input a Str will take, the tests need to be updated to accommodate. rob

Ack

pushed to master
Re: [Freeipa-devel] Results of some testing
Rob Crittenden wrote:
Dmitri Pal wrote:
Rob Crittenden wrote:
Dmitri Pal wrote:

Hello,

Here are some issues that I came across during my testing of the latest IPA version on Friday. Please take a look and file tickets as appropriate.

1) Can't bail out from the install
Start IPA install without any command line parameters. At any prompt try to stop installation by pressing Ctrl+C. You are still at the prompt and there is no way to abort installation. This can be an ER.

Was this in a password prompt? I'm thinking that python 2.7 changed their handling.

Yes. But I think not only. The first prompt is the prompt for domain and you can't break from it either.

It works for me. What distro are you using?

F14. I will retest.

2) For the unattended install with -U the -u is listed as required option
-u, --user=DS_USER The user that the Directory Server will run as
Why is it required if the interactive install never asks for it? IMO a bug.

It seemed an unnecessary question to prompt for in the UI so we removed it. It should be optional in non-interactive.

Please file a ticket.

done

3) When adding service in UI via popup it does not automatically append realm to the host when it creates a service principal. IMO a bug.

The framework will add the realm automatically if it is not provided. Or are you actually seeing a service created with no realm?

Created with no realm.

Can you do an ldapsearch to confirm this? I never include the realm when I add services, it gets automatically added.

I will retry. What about the rest below?

4) The service status is all messed up and unclear. After just being added it should be in not provisioned state but this is not what you see. You see as if it is already provisioned. When the service screen is shown it blinks showing a lot of different buttons and statuses before it settles down on the following UI Please retry. Maybe it is already addressed with latest fixes.

5) The items in the action panel are now black
The links in the action panel that you are supposed to click are now black which is not intuitive since they are clickable links.

6) [dpal@lenovo ~]$ ipa host-add foobar.home --ip-address=1.1.1.1 --no-reverse
ipa: ERROR: The host was added but the DNS update failed with: 1.1.1.in-addr.arpa: DNS zone not found
Should not fail since --no-reverse is specified. I checked. If the zone is there it is added automatically.

--
Thank you,
Dmitri Pal
Sr. Engineering Manager IPA project, Red Hat Inc.
Re: [Freeipa-devel] Problem trying to install --external_cert_file. says system is already configured.
I don't want to start filing tickets since I'm not that familiar with the project but here is another similar one where the checks aren't necessarily doing what they are intended to be doing.

Steps:
1. ran install with --external-ca
2. tried running with --external_cert_file but hit error in #835
3. Did workaround to comment out the configuration check and exit message like suggested by Rob
4. tried importing the cert again but got an error saying connection refused on
   Attempting to connect to: ipa0.myrealm.com:9445
5. I didn't know what service wasn't running so I rebooted (yeah, bad jeff)
6. I tried running --external_cert_file again but it looked like it had forgotten all my configs and looked like it was starting over. It prompted me:
   An existing Directory Server has been detected. Do you wish to remove it and create a new one? [no]:
   I chose 'no' and the installer exited.
7. Did an --uninstall
8. tried to start fresh but it failed with this error:
   You already have a CA signing request for this server (/root/ipa.csr), you need to include --external_cert_file and --external_ca_file

Which is not right because since I uninstalled I can't just add the certs. Either the uninstall needs to clean up the .csr or the installer needs to not assume so much just from the existence of a .csr

On Mon, Jan 24, 2011 at 1:55 PM, Rob Crittenden rcrit...@redhat.com wrote:
Jeff B wrote:

I'm trying to do an ipa-server-install with an --external-ca but after it generates the .csr and I sign a .crt I can't run the followup ipa-server-install to import the certificate. I don't think I'm supposed to run an --uninstall between the --external-ca and the --external_cert_file installations but I'm not sure.

Here is what I'm getting:

[root@ipa0 ~]# ipa-server-install --setup-dns --forwarder=10.0.0.53 10.0.1.53 -U -p -a -u dirsrv -r MYREALM.COM --external-ca
The log file for this installation can be found in /var/log/ipaserver-install.log
==
This program will set up the FreeIPA Server.
This includes:
* Configure the Network Time Daemon (ntpd)
* Create and configure an instance of Directory Server
* Create and configure a Kerberos Key Distribution Center (KDC)
* Configure Apache (httpd)
* Configure DNS (bind)
To accept the default shown in brackets, press the Enter key.
Warning: Hostname (ipa0.averesys.com) not found in DNS
The domain name has been calculated based on the host name.
The IPA Master Server will be configured with
Hostname: ipa0.myrealm.com
IP address: 10.0.0.11
Domain name: myrealm.com
Configuring ntpd
[1/4]: stopping ntpd
[2/4]: writing configuration
[3/4]: configuring ntpd to start on boot
[4/4]: starting ntpd
done configuring ntpd.
Configuring directory server for the CA: Estimated time 30 seconds
[1/3]: creating directory server user
[2/3]: creating directory server instance
[3/3]: restarting directory server
done configuring pkids.
Configuring certificate server: Estimated time 6 minutes
[1/4]: creating certificate server user
[2/4]: creating pki-ca instance
[3/4]: restarting certificate server
[4/4]: configuring certificate server instance
The next step is to get /root/ipa.csr signed by your CA and re-run ipa-server-install as:
ipa-server-install --external_cert_file=/path/to/signed_certificate --external_ca_file=/path/to/external_ca_certificate

... Signed the Certificate ...

[root@ipa0 ~]# ipa-server-install --external_cert_file=/root/ipa.crt --external_ca_file=/root/ca.crt
The log file for this installation can be found in /var/log/ipaserver-install.log
IPA server is already configured on this system.
[root@ipa0 ~]# cat /var/log/ipaserver-install.log
2011-01-24 11:36:14,214 DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2011-01-24 11:36:14,309 DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2011-01-24 11:36:14,336 DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'

Looks like a bug. You should be able to work around it by commenting out these lines in /usr/sbin/ipa-server-install:

if dsinstance.DsInstance().is_configured() or cainstance.CADSInstance().is_configured():
    sys.exit("IPA server is already configured on this system.")

The python comment is a hash (#).

I opened ticket https://fedorahosted.org/freeipa/ticket/835 to track this.

rob
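Both failures reported in this thread (step 2 refused because step 1 had already configured the instances, and a leftover /root/ipa.csr blocking a fresh install after --uninstall) come from inferring the install stage from side effects. The following is an added example, not FreeIPA's installer code: it keys the pre-flight decision on an explicit stage marker bound to the CSR by hash, and the marker file, function names and Action values are all hypothetical.

```python
import hashlib
import json
import os
import tempfile
from enum import Enum


class Action(Enum):
    FRESH_INSTALL = "start a new install"
    FINISH_EXTERNAL_CA = "step 2: import the signed certificate"
    REFUSE_CONFIGURED = "refuse: server is already configured"
    REFUSE_NEED_CERTS = "refuse: step 1 is pending, both cert options required"
    REFUSE_NO_STEP1 = "refuse: cert options given but no step 1 on record"


def sha256_file(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def record_step1(marker, csr):
    """End of step 1: remember which CSR this install produced."""
    with open(marker, "w") as fh:
        json.dump({"stage": "awaiting-cert", "csr_sha256": sha256_file(csr)}, fh)


def step1_pending(marker, csr):
    """True only when the marker exists and matches the CSR on disk."""
    try:
        with open(marker) as fh:
            state = json.load(fh)
        digest = sha256_file(csr)
    except (OSError, ValueError):
        return False
    return (isinstance(state, dict) and state.get("stage") == "awaiting-cert"
            and state.get("csr_sha256") == digest)


def preflight(configured, marker, csr, cert_file=None, ca_file=None):
    """Decide what the installer may do before it touches anything."""
    if step1_pending(marker, csr):
        if cert_file and ca_file:
            return Action.FINISH_EXTERNAL_CA
        return Action.REFUSE_NEED_CERTS
    if cert_file or ca_file:
        return Action.REFUSE_NO_STEP1
    if configured:
        return Action.REFUSE_CONFIGURED
    return Action.FRESH_INSTALL


def demo():
    """Replay the situations from the thread in a scratch directory."""
    with tempfile.TemporaryDirectory() as d:
        marker, csr = os.path.join(d, "install.stage"), os.path.join(d, "ipa.csr")
        with open(csr, "w") as fh:
            fh.write("constructed CSR placeholder\n")
        record_step1(marker, csr)
        results = {
            # Step 1 left the DS/CA instances configured; step 2 must still run.
            "step2_with_certs": preflight(True, marker, csr, "ipa.crt", "ca.crt"),
            "step2_missing_ca": preflight(True, marker, csr, "ipa.crt"),
        }
        with open(csr, "a") as fh:  # CSR no longer the one step 1 recorded
            fh.write("changed\n")
        results["csr_replaced"] = preflight(True, marker, csr, "ipa.crt", "ca.crt")
        os.remove(marker)  # uninstall cleared the state but left the CSR behind
        results["fresh_after_uninstall"] = preflight(False, marker, csr)
        results["normal_reinstall"] = preflight(True, marker, csr)
        return results


if __name__ == "__main__":
    for name, action in demo().items():
        print(f"{name}: {action.value}")
```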
[Freeipa-devel] [PATCH] 0071 Make -u optional in unattended mode
We have a default user name, which is also the recommended one, it made no sense to force users to specify it at the command line for unattended installations. Just use the default if none is provided. Ticket #836 Simo. -- Simo Sorce * Red Hat, Inc * New York From fab7dcca35ea37a637ad1fcc741cb8986ec60da9 Mon Sep 17 00:00:00 2001 From: Simo Sorce sso...@redhat.com Date: Mon, 24 Jan 2011 14:58:11 -0500 Subject: [PATCH] Make the -u option optional in unattended mode Fixes: https://fedorahosted.org/freeipa/ticket/836 --- install/tools/ipa-server-install | 19 +++ 1 files changed, 11 insertions(+), 8 deletions(-) diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index 37ded58d852b143b5c9cc91ad75281befe0b21f6..f1cab63f6ef7a7a34404b78d5f6cdb107aa9b3cb 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install @@ -58,6 +58,7 @@ from ipapython.ipautil import * from ipalib import api, errors, util from ipapython.config import IPAOptionParser +DEF_DS_USER = 'dirsrv' pw_name = None uninstalling = False @@ -154,9 +155,11 @@ def parse_options(): options.admin_password or options.master_password): parser.error(In uninstall mode, -u, r and -P options are not allowed) elif options.unattended: -if (not options.ds_user or not options.realm_name or +if not options.ds_user: +options.ds_user = DEF_DS_USER +if (not options.realm_name or not options.dm_password or not options.admin_password): -parser.error(In unattended mode you need to provide at least -u, -r, -p and -a options) +parser.error(In unattended mode you need to provide at least -r, -p and -a options) if options.setup_dns: if not options.forwarders and not options.no_forwarders: parser.error(You must specify at least one --forwarder option or --no-forwarders option) 
@@ -313,19 +316,19 @@ def read_ds_user(): ds_user = try: -pwd.getpwnam('dirsrv') +pwd.getpwnam(DEF_DS_USER) -print A user account named 'dirsrv' already exists. This is the user id -print that the Directory Server will run as. +print A user account named %s already exists. % DEF_DS_USER +print This is the user id that the Directory Server will run as. print -if user_input(Do you want to use the existing 'dirsrv' account?, True): -ds_user = dirsrv +if user_input(Do you want to use the existing %s account? % DEF_DS_USER, True): +ds_user = DEF_DS_USER else: print ds_user = user_input_plain(Which account name do you want to use for the DS instance?, allow_empty = False, allow_spaces = False) print except KeyError: -ds_user = dirsrv +ds_user = DEF_DS_USER return ds_user -- 1.7.3.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
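Review bot: in the parse_options hunk, the new `if not options.ds_user:` branch silently chooses the account the Directory Server will run as, and nothing in the visible lines reports that choice or checks that the account exists, whereas read_ds_user() at least probes it with pwd.getpwnam(DEF_DS_USER). Consider logging which user was selected when -u is omitted in unattended mode. The diffstat touches only install/tools/ipa-server-install, so any help text or man page that still lists -u as required for -U needs the matching update.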
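Review bot: in the read_ds_user hunk, the rewritten messages drop the single quotes the old strings had around the account name ('dirsrv' becomes a bare %s in both the "already exists" line and the user_input prompt). Use '%s' in both format strings so the name stays delimited from the surrounding sentence, which matters once DEF_DS_USER is no longer a fixed literal in the text.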
Re: [Freeipa-devel] [PATCH] 0071 Make -u optional in unattended mode
On 01/24/2011 09:27 PM, Simo Sorce wrote:
We have a default user name, which is also the recommended one, it made no sense to force users to specify it at the command line for unattended installations. Just use the default if none is provided. Ticket #836 Simo.

Ack
Re: [Freeipa-devel] [PATCH] 0066 remove binddn when using GSSAPI for replication
On 01/20/2011 01:43 AM, Simo Sorce wrote:
See ticket #817 Simo.

Ack
Re: [Freeipa-devel] [PATCH] 0071 Make -u optional in unattended mode
On Mon, 24 Jan 2011 22:00:37 +0100 Jakub Hrozek jhro...@redhat.com wrote:
On 01/24/2011 09:27 PM, Simo Sorce wrote:
We have a default user name, which is also the recommended one, it made no sense to force users to specify it at the command line for unattended installations. Just use the default if none is provided. Ticket #836 Simo.

Ack

Pushed to master.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-devel] [PATCH] 0066 remove binddn when using GSSAPI for replication
On Mon, 24 Jan 2011 22:28:57 +0100 Jakub Hrozek jhro...@redhat.com wrote:
On 01/20/2011 01:43 AM, Simo Sorce wrote:
See ticket #817 Simo.

Ack

Pushed to master

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-devel] [PATCH] 691 add --hostname option to ipa-client-install
Rob Crittenden wrote:
Let the installer override the detected hostname value with the --hostname flag. This is likely to lead to a non-working installation so let the buyer beware. ticket 834

I do not think this is enough. There is a part of the ipa-client-install other than ipa-join that assumes that host name will match. I saw that in the log. I do not have it in front of me now. It is on home machine. If the -h option is provided this check/enforcement should be suppressed. Please try running ipa-client-install with the mismatching name you will see what I mean.

Thanks
Dmitri

rob

--
Thank you,
Dmitri Pal
Sr. Engineering Manager IPA project, Red Hat Inc.
Re: [Freeipa-devel] [PATCH] 691 add --hostname option to ipa-client-install
Dmitri Pal wrote:
Rob Crittenden wrote:
Let the installer override the detected hostname value with the --hostname flag. This is likely to lead to a non-working installation so let the buyer beware. ticket 834

I do not think this is enough. There is a part of the ipa-client-install other than ipa-join that assumes that host name will match. I saw that in the log. I do not have it in front of me now. It is on home machine. If the -h option is provided this check/enforcement should be suppressed. Please try running ipa-client-install with the mismatching name you will see what I mean.

I did a successful install with the --hostname option, using another hostname in DNS. I verified that this hostname was used as the name in the host service principal in /etc/krb5.keytab.

rob
[Freeipa-devel] [PATCH] admiyo-0156-remove-icons-from-association-buttons.
From b4313a5605bdd9de95d4bb245196d13aa54a7e46 Mon Sep 17 00:00:00 2001 From: Adam Young ayo...@redhat.com Date: Mon, 24 Jan 2011 22:00:38 -0500 Subject: [PATCH] remove icons from association buttons --- install/ui/widget.js |2 -- 1 files changed, 0 insertions(+), 2 deletions(-) diff --git a/install/ui/widget.js b/install/ui/widget.js index 138526fb3520e71643769ee8ad841be6769d0d70..90f6dac8bf47dec2ef17bcd4a84648ffd829d99d 100644 --- a/install/ui/widget.js +++ b/install/ui/widget.js @@ -1191,7 +1191,6 @@ IPA.adder_dialog = function (spec) { button = $('input[name=remove]', that.container); that.remove_button = IPA.button({ 'label': button.val(), -'icon': 'ui-icon-trash', 'click': function() { that.remove(); } @@ -1201,7 +1200,6 @@ IPA.adder_dialog = function (spec) { button = $('input[name=add]', that.container); that.add_button = IPA.button({ 'label': button.val(), -'icon': 'ui-icon-plus', 'click': function() { that.add(); } -- 1.7.3.5 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
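Review bot: with the 'icon' key removed from both that.remove_button and that.add_button in IPA.adder_dialog, the only thing left to identify each button is 'label': button.val(), read from input[name=remove] and input[name=add]; confirm those inputs always carry a non-empty value, otherwise the buttons render blank. The commit message has only a subject line, so add a body naming the spec item or ticket that asks for the icons to go.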
[Freeipa-devel] [PATCH] admiyo-0158-action-buttons-for-dns
From 27660b175d90b1d7b96958aa537a96ff46b498b8 Mon Sep 17 00:00:00 2001 From: Adam Young ayo...@redhat.com Date: Mon, 24 Jan 2011 22:30:28 -0500 Subject: [PATCH] action buttons for dns --- install/ui/policy.js |4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diff --git a/install/ui/policy.js b/install/ui/policy.js index eeec44e35b144b911bcdb4abdb047f17432594a6..208b7c9ec55f82166d876fea250c93a37bf85880 100644 --- a/install/ui/policy.js +++ b/install/ui/policy.js @@ -333,13 +333,13 @@ IPA.records_facet = function (spec){ class:action-controls}).appendTo(action_panel_ul); -IPA.button({ +IPA.action_button({ 'label': IPA.messages.button.add, 'icon': 'ui-icon-plus', 'click': add_click }).appendTo(action_controls); -IPA.button({ +IPA.action_button({ 'label': IPA.messages.button.remove, 'icon': 'ui-icon-trash', 'click': function(){delete_records(records_table);} -- 1.7.3.5 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
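Review bot: IPA.action_button is not defined anywhere in this diff, so both call sites in IPA.records_facet depend on it accepting the same spec keys as IPA.button ('label', 'icon', 'click') and returning an object that supports .appendTo(action_controls). State in the commit message which patch introduces IPA.action_button so this one is not applied ahead of it; the message body is currently empty.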