Re: [Freeipa-devel] [PATCH] 708 move nscd disablement code
On Wed, Feb 09, 2011 at 01:57:46PM -0500, Rob Crittenden wrote: Disable nscd before starting sssd. We used to disable it after configuring sssd which would cause a warning message to appear in /var/log/messages from sssd. This was in effect bogus because we killed nscd as the very next step after starting sssd but let's not confuse our users. ticket 743 rob Ack ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 75 Display error messages for failed manageby in service-add/remove-host.
Pavel Zuna pz...@redhat.com wrote: Fix #830 Pavel ack Jan
Re: [Freeipa-devel] [PATCH] 76 Fallback to default locale (en_US) if env. setting is corrupt.
Pavel Zuna pz...@redhat.com wrote: This is a follow-up to my patches 69 and 71 (70 is garbage). It prevents a crash when user misconfigures his locale settings. Pavel ack Jan
Re: [Freeipa-devel] [PATCH] 78 Use ldapi: instead of unsecured ldap: in ipa core tools.
Pavel Zuna pz...@redhat.com wrote: On 02/08/2011 01:06 PM, Pavel Zuna wrote: The patch also corrects exception handling in some of the tools. Fix #874 Pavel Updated patch attached. Forgot to rename an identifier in exception handling. Pavel ack Jan
Re: [Freeipa-devel] [PATCH] 704 replication version plugin fix
On Tue, Feb 08, 2011 at 10:27:57PM -0500, Rob Crittenden wrote: The 389-ds replication plugin may not be installed on all platforms and our replication version plugin will cause 389-ds to not start if it is loaded and the replication plugin is not. So disable by default. When a replica is prepared we check for the replication plugin. If it exists we will enable the replication version plugin. Likewise on installation of a replica we check for existence of the replication plugin and if it is there then we enable the version plugin before replication begins. ticket 918 rob +def enable_replication_version_checking(hostname, realm, dirman_passwd): + +Check the replication version checking plugin. If it is not +enabled then enable it and restart 389-ds. If it is enabled +the do nothing. + +import pdb +pdb.set_trace() ^^^ please remove these and you'll get an ack :-)
Re: [Freeipa-devel] [PATCH] 1 Remove unnecessary BuildRequires
On Tue, Feb 08, 2011 at 06:39:05PM +0100, Jan Cholasta wrote: Fixing newbie mistake: included properly formatted patch. It was tested in mock. On 8.2.2011 18:30, Jan Cholasta wrote: Removed 2 unnecessary BuildRequires from freeipa.spec.in: * e2fsprogs-devel: obsoleted by libuuid-devel * libcap-devel: not needed to build the RPM Ack. Also tested with Koji scratch build: http://koji.fedoraproject.org/koji/taskinfo?taskID=2829532
[Freeipa-devel] [PATCH] 028 Extend API validator
makeapi script is used to check if ipalib API is consistent with the known state in API.txt. When the API is changed, major API version should be updated. However, when new options/arguments/outputs were added to an ipalib command, `makeapi --validate' call did not capture this. This patch fixes this issue and ensures that also the last command in API.txt is checked (it was not before this patch). https://fedorahosted.org/freeipa/ticket/868 From 0bc2f66f81bc1ea38ad25f711d832433fca1c12b Mon Sep 17 00:00:00 2001 From: Martin Kosek mko...@redhat.com Date: Thu, 10 Feb 2011 12:56:49 +0100 Subject: [PATCH] Extend API validator makeapi script is used to check if ipalib API is consistent with the known state in API.txt. When the API is changed, major API version should be updated. However, when new options/arguments/outputs were added to an ipalib command, `makeapi --validate' call did not capture this. This patch fixes this issue and ensures that also the last command in API.txt is checked (it was not before this patch). https://fedorahosted.org/freeipa/ticket/868 --- makeapi | 77 +- 1 files changed, 56 insertions(+), 21 deletions(-) diff --git a/makeapi b/makeapi index 90f367824d96d9e9d734dd964f2cc088ed7f7d56..1d418fe69ab0af64773604226d793c6d84b19356 100755 --- a/makeapi +++ b/makeapi 
@@ -86,6 +86,43 @@ def find_name(line): name = '' return name +def _finalize_command_validation(cmd, found_args, expected_args, + found_options, expected_options, + found_output, expected_output): +passed = True +# Check the args of the previous command. +if len(found_args) != expected_args: +print 'Argument count in %s of %d doesn\'t match expected: %d' % ( +cmd.name, len(found_args), expected_args) +passed = False +if len(found_options) != expected_options: +print 'Options count in %s of %d doesn\'t match expected: %d' % ( +cmd.name, len(found_options), expected_options) +passed = False +if len(found_output) != expected_output: +print 'Output count in %s of %d doesn\'t match expected: %d' % ( +cmd.name, len(found_output), expected_output) +passed = False + +# Check if there is not a new arg/opt/output in previous command +for a in cmd.args(): +if a.param_spec not in found_args: +print 'Argument %s of command %s in ipalib, not in API file:\n%s' % ( +a.param_spec, cmd.name, strip_doc(repr(a))) +passed = False +for o in cmd.options(): +if o.param_spec not in found_options: +print 'Option %s of command %s in ipalib, not in API file:\n%s' % ( +o.param_spec, cmd.name, strip_doc(repr(o))) +passed = False +for o in cmd.output(): +if o.name not in found_output: +print 'Output %s of command %s in ipalib, not in API file:\n%s' % ( +o.name, cmd.name, strip_doc(repr(o))) +passed = False + +return passed + def validate_api(): Compare the API in the file to the one in ipalib. 
@@ -106,19 +143,11 @@ def validate_api(): line = line.strip() if line.startswith('command:'): if cmd: -# Check the args of the previous command. -if found_args != expected_args: -print 'Argument count in %s of %d doesn\'t match expected: %d' % ( -name, found_args, expected_args) -rval |= API_FILE_DIFFERENCE -if found_options != expected_options: -print 'Options count in %s of %d doesn\'t match expected: %d' % ( -name, found_options, expected_options) -rval |= API_FILE_DIFFERENCE -if found_output != expected_output: -print 'Output count in %s of %d doesn\'t match expected: %d' % ( -name, found_output, expected_output) +if not _finalize_command_validation(cmd, found_args, expected_args, + found_options, expected_options, + found_output, expected_output): rval |= API_FILE_DIFFERENCE + (arg, name) = line.split(': ', 1) if name not in api.Command: print Command %s in API file, not in ipalib % name @@ -127,9 +156,9 @@ def validate_api(): else: existing_cmds.append(name) cmd = api.Command[name] -found_args = 0 -found_options = 0 -found_output = 0 +found_args = [] +found_options = [] +found_output = [] if line.startswith('args:') and cmd: line = line.replace('args: ', '')
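Review bot: In the first hunk, `_finalize_command_validation` takes the `found_*` arguments as lists and the `expected_*` arguments as integer counts, but nothing in the function says so; add a short docstring stating that `found_args` and `found_options` hold `param_spec` strings and `found_output` holds output names, so a caller still passing the old integer counters is caught in review rather than at `len(found_args)`. The membership loops only match on the exact `param_spec` or `name` value, so the code that appends to these lists has to store the same form. The visible part of the patch ends before that code and before the call that is meant to cover the last command in API.txt, so neither can be confirmed from what is shown here.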
Re: [Freeipa-devel] [PATCH] 710 fix test failures
On Wed, Feb 09, 2011 at 05:04:57PM -0500, Rob Crittenden wrote: The performance patch depended on self.env.mode != 'production'. env and mode aren't guaranteed to exist in the object so check for those and only skip the work if the mode is explicitly production. rob Ack
Re: [Freeipa-devel] [PATCH] 703 389-ds startup with krb config
On Tue, Feb 08, 2011 at 10:12:27AM -0500, Rob Crittenden wrote: If /etc/krb5.conf doesn't exist or contains no default kerberos realm then 389-ds won't start at all. This is a problem during installation because we configure 389 first. This patch will let the server come up, you just won't be able to do any joins or password changes until you configure kerberos. ticket 606 rob I wasn't able to install with this patch when I had no /etc/krb5.conf at all. Here's what the DS error log said: --- 10/Feb/2011:07:30:35 -0500] ipaenrollment_start - [file ipa_enrollment.c, line 389]: Failed to get default realm?! [10/Feb/2011:07:30:35 -0500] - Failed to start extendedop plugin ipa_enrollment_extop [10/Feb/2011:07:30:35 -0500] ipaenrollment_start - [file ipa_enrollment.c, line 389]: Failed to get default realm?! [10/Feb/2011:07:30:35 -0500] - Failed to start extendedop plugin ipa_enrollment_extop [10/Feb/2011:07:30:36 -0500] ipaenrollment_start - [file ipa_enrollment.c, line 389]: Failed to get default realm?! [10/Feb/2011:07:30:36 -0500] - Failed to start extendedop plugin ipa_enrollment_extop --- Looking at ipaenrollment_start(), it looks like the culprit is that when krb5_get_default_realm() fails, ret is set to an error code and returned. It should be either reset to LDAP_SUCCESS or maybe rc should be used instead. Also one nitpick. This: -static char *realm; -static const char *ipa_realm_dn; +static char *realm = NULL; +static const char *ipa_realm_dn = NULL; Is not necessary, global variables are initialized to NULL automatically.
[Freeipa-devel] [PATCH] Updated default Kerberos password policy
https://fedorahosted.org/freeipa/ticket/930 I put there a value Dmitri suggested. Feel free to change it before pushing if you think there should be the originally suggested 10 login attempts. -- Thank you Jan Zeleny Red Hat Software Engineer Brno, Czech Republic From bc08a4bc646ca7947fad4b91762af98f19cc259f Mon Sep 17 00:00:00 2001 From: Jan Zeleny jzel...@redhat.com Date: Thu, 10 Feb 2011 08:02:27 -0500 Subject: [PATCH] Updated default Kerberos password policy https://fedorahosted.org/freeipa/ticket/930 --- install/share/default-pwpolicy.ldif |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/install/share/default-pwpolicy.ldif b/install/share/default-pwpolicy.ldif index 9d3d8a755f38ee2db9ad0eb6df32dff3dea187db..8c4f8199c0a770b84b4133da5a0d71be2ffebe55 100644 --- a/install/share/default-pwpolicy.ldif +++ b/install/share/default-pwpolicy.ldif @@ -8,7 +8,7 @@ krbPwdMinDiffChars: 0 krbPwdMinLength: 8 krbPwdHistoryLength: 0 krbMaxPwdLife: 7776000 -krbPwdMaxFailure: 3 +krbPwdMaxFailure: 6 krbPwdFailureCountInterval: 60 krbPwdLockoutDuration: 10 -- 1.7.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
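Review bot: In the default-pwpolicy.ldif hunk, `krbPwdMaxFailure` goes from 3 to 6 while the context line `krbPwdLockoutDuration: 10` is left alone, so the change only loosens the failure threshold; if the lockout is meant to slow password guessing, the duration should be reviewed in the same patch. The commit message carries only the ticket URL; stating the old and new values and why 6 was chosen would let the change be audited without the tracker.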
[Freeipa-devel] [PATCH] 029 ipa-dns-install does not exit on error
This patch fixes behavior of ipa-dns-install, which does not exit when an invalid configuration of /etc/hosts is detected. https://fedorahosted.org/freeipa/ticket/736 From 0c75da337003e0660679534928a70b6b7317c3e8 Mon Sep 17 00:00:00 2001 From: Martin Kosek mko...@redhat.com Date: Thu, 10 Feb 2011 14:18:57 +0100 Subject: [PATCH] ipa-dns-install does not exit on error This patch fixes behavior of ipa-dns-install, which does not exit when an invalid configuration of /etc/hosts is detected. https://fedorahosted.org/freeipa/ticket/736 --- install/tools/ipa-dns-install | 28 1 files changed, 16 insertions(+), 12 deletions(-) diff --git a/install/tools/ipa-dns-install b/install/tools/ipa-dns-install index 66cdaffd8a18b1ba3771f14cf17e61edc021f1e0..35d225537aec919cd3d379cace6ca5cc0c41e3ad 100755 --- a/install/tools/ipa-dns-install +++ b/install/tools/ipa-dns-install @@ -67,19 +67,23 @@ def resolve_host(host_name): try: addrinfos = socket.getaddrinfo(host_name, None, socket.AF_UNSPEC, socket.SOCK_DGRAM) -for ai in addrinfos: -ip = ai[4][0] -if ip == 127.0.0.1 or ip == ::1: -print The hostname resolves to the localhost address (127.0.0.1/::1) -print Please change your /etc/hosts file so that the hostname -print resolves to the ip address of your network interface. -print -print Please fix your /etc/hosts file and restart the setup program -return None - -ip = addrinfos[0][4][0] except: print Unable to lookup the IP address of the provided host +return None + +for ai in addrinfos: +ip = ai[4][0] +if ip == 127.0.0.1 or ip == ::1: +print The hostname resolves to the localhost address (127.0.0.1/::1) +print Please change your /etc/hosts file so that the hostname +print resolves to the ip address of your network interface. +print +print Please fix your /etc/hosts file and restart the setup program. +print +sys.exit(Aborting installation.) + +ip = addrinfos[0][4][0] + return ip def main(): 
@@ -108,7 +112,7 @@ def main(): # Check bind packages are installed if not bindinstance.check_inst(options.unattended): -sys.exit(Aborting installation) +sys.exit(Aborting installation.) # Initialize the ipalib api cfg = dict( -- 1.7.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
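Review bot: In the `resolve_host` hunk the two failure paths now behave differently: a failed `getaddrinfo` lookup still does `return None`, while a loopback result calls `sys.exit(...)` from inside the helper. Pick one contract, either exit in both places or return None in both and let `main()` decide, and document it on the function. The bare `except:` that remains around `getaddrinfo` also hides the actual resolver error; catching the socket error and printing it would make a broken /etc/hosts or DNS setup easier to diagnose. The loopback test compares against the two literals 127.0.0.1 and ::1 only, so a hostname mapped to another address in 127.0.0.0/8 would pass the check.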
Re: [Freeipa-devel] [PATCH] Updated default Kerberos password policy
Jan Zelený wrote: https://fedorahosted.org/freeipa/ticket/930 I put there a value Dmitri suggested. Feel free to change it before pushing if you think there should be the originally suggested 10 login attempts. We want to increase krbPwdLockoutDuration too, to 600. rob
[Freeipa-devel] [PATCH] 030 Fix return codes for ipactl
This patch fixes ipactl to return non-zero value when something goes wrong. https://fedorahosted.org/freeipa/ticket/894 From 9142d27922d5d355b6e6921b9a03b01e6c98d2a5 Mon Sep 17 00:00:00 2001 From: Martin Kosek mko...@redhat.com Date: Thu, 10 Feb 2011 15:42:36 +0100 Subject: [PATCH] Fix return codes for ipactl This patch fixes ipactl to return non-zero value when something goes wrong. https://fedorahosted.org/freeipa/ticket/894 --- install/tools/ipactl | 24 ++-- 1 files changed, 10 insertions(+), 14 deletions(-) diff --git a/install/tools/ipactl b/install/tools/ipactl index 20b4a69b704c9004fa9aee40119bdd442a449166..6b6db7806b44fc84098ae94cc1733e89fef795f0 100755 --- a/install/tools/ipactl +++ b/install/tools/ipactl @@ -53,7 +53,7 @@ def parse_options(): return safe_options, options, args def emit_err(err): -sys.stderr.write(err) +sys.stderr.write(err + '\n') def get_config(): base = cn=%s,cn=masters,cn=ipa,cn=etc,%s % (socket.gethostname(), @@ -71,7 +71,7 @@ def get_config(): timeout=10) except Exception, e: print Error retrieving list of services %s % e -print Is IPA installed ? +print Is IPA installed? raise svc_list = [] @@ -91,8 +91,7 @@ def ipa_start(): print Starting Directory Service service.start('dirsrv', capture_output=False) except: -emit_err(Failed to start Directory Service) -return +raise RuntimeError(Failed to start Directory Service) svc_list = [] try: @@ -123,7 +122,7 @@ def ipa_start(): service.stop('dirsrv', capture_output=False) except: pass -return +raise RuntimeError(Aborting ipactl) def ipa_stop(): @@ -157,8 +156,7 @@ def ipa_stop(): print Stopping Directory Service service.stop('dirsrv', capture_output=False) except: -emit_err(Failed to stop Directory Service) -return +raise RuntimeError(Failed to stop Directory Service) def ipa_restart(): 
@@ -166,8 +164,7 @@ def ipa_restart(): print Restarting Directory Service service.restart('dirsrv', capture_output=False) except: -emit_err(Failed to restart Directory Service) -return +raise RuntimeError(Failed to restart Directory Service) svc_list = [] try: @@ -198,7 +195,7 @@ def ipa_restart(): service.stop('dirsrv', capture_output=False) except: pass -return +raise RuntimeError(Aborting ipactl) def ipa_status(): try: @@ -207,14 +204,13 @@ def ipa_status(): else: print Directory Service: STOPPED except: -print Failed to get Directory Service status -return +raise RuntimeError(Failed to get Directory Service status) svc_list = [] try: svc_list = get_config() except: -print Failed to get list of services to probe status +raise RuntimeError(Failed to get list of services to probe status) if len(svc_list) == 0: return @@ -254,7 +250,7 @@ try: if __name__ == __main__: sys.exit(main()) except RuntimeError, e: -print %s % e +emit_err(%s % e) sys.exit(1) except SystemExit, e: sys.exit(e) -- 1.7.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
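Review bot: In the `ipa_start`, `ipa_stop`, `ipa_restart` and `ipa_status` hunks, the new `raise RuntimeError(...)` lines sit under bare `except:` clauses, so the original exception is discarded and the operator sees only the fixed message; a bare except also catches KeyboardInterrupt and SystemExit. Use `except Exception, e:` and include `e` in the RuntimeError text, as `get_config()` already does in its print. In `ipa_status`, a failure of `get_config()` used to print and fall through to the `len(svc_list) == 0` return; it now ends in `sys.exit(1)` via the handler in the last hunk, which deserves a line in the commit message because scripts that poll status will see the change.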
[Freeipa-devel] Help define the roles IPA has by default
One of the features of IPAv2 is it is much easier to delegate permissions to perform tasks (add, delete, modify, etc). This delegation is broken out into three pieces: * permissions * privileges * roles A permission is a very low-level object that says who can do what to whom. These permissions are grouped together into permissions so one can perform a whole task. This is needed for something like adding a user which requires a couple of different permissions such as actually writing the user entry, adding the user to the default group and setting the password. A role is a collection of privileges and the users/groups that are granted those privileges. Right now we are defining a single role, helpdesk, and have assigned no privileges to that yet. I was thinking about just assigning it the ability to reset passwords. But what other roles do we need? The mind boggles and rather than dictating what the initial ones will be I'm looking for some guidance/suggestions. thanks rob
Re: [Freeipa-devel] [PATCH] Updated default Kerberos password policy
Rob Crittenden rcrit...@redhat.com wrote: Jan Zelený wrote: https://fedorahosted.org/freeipa/ticket/930 I put there a value Dmitri suggested. Feel free to change it before pushing if you think there should be the originally suggested 10 login attempts. We want to increase krbPwdLockoutDuration too, to 600. rob Sorry, I didn't realize it was in seconds. I just saw 10 and figured it's ok it's already there. Anyway, I'm sending the updated patch. Jan From 9bfb44ca273268b782c7d52aafb05b32bbcabe54 Mon Sep 17 00:00:00 2001 From: Jan Zeleny jzel...@redhat.com Date: Thu, 10 Feb 2011 08:02:27 -0500 Subject: [PATCH] Updated default Kerberos password policy https://fedorahosted.org/freeipa/ticket/930 --- install/share/default-pwpolicy.ldif |4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diff --git a/install/share/default-pwpolicy.ldif b/install/share/default-pwpolicy.ldif index 9d3d8a755f38ee2db9ad0eb6df32dff3dea187db..1bb4a096efbdeba26b48d2e3a2935228da10bf23 100644 --- a/install/share/default-pwpolicy.ldif +++ b/install/share/default-pwpolicy.ldif @@ -8,7 +8,7 @@ krbPwdMinDiffChars: 0 krbPwdMinLength: 8 krbPwdHistoryLength: 0 krbMaxPwdLife: 7776000 -krbPwdMaxFailure: 3 +krbPwdMaxFailure: 6 krbPwdFailureCountInterval: 60 -krbPwdLockoutDuration: 10 +krbPwdLockoutDuration: 600 -- 1.7.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
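Review bot: The second changed line, `krbPwdLockoutDuration: 600`, carries no unit in the file and the commit message is again only the ticket URL; since the thread shows the value was misread once, record in the message that the duration is in seconds and give the reasoning for 6 failures and 600 seconds. `krbPwdFailureCountInterval: 60` stays as unchanged context; confirm that it is still the intended value alongside the longer lockout.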
Re: [Freeipa-devel] [PATCH] Provide a way to display CLI-LDAP attribute relation
Jan Zelený jzel...@redhat.com wrote: Ok, I'm sending updated patch in attachment Should I change it in class help then? That's where I copied this from. I think so. Ok, I'll send another patch, so we don't mix it together with this patch. I'll do a review of the code in cli.py, maybe the same issue is elsewhere as well. This will blow up as expected in the FIXME if an unknown command is passed in. Fixed, thanks. Not to be pedantic but I think it should return a non-zero error code too on error. Yep, replaced this with exception. ipa show-mappings user-show returns just 'rights' If it was acting correctly, it shouldn't be displayed at all, because it is not LDAP based (and user-show doesn't take any other LDAP-based arguments/options). I'm just not sure how to do this with minimal changes. One option is to create new flag denoting whether parameter is LDAP based or not and for each parameter set it appropriately, but that is just too much effort for something that is not that important. That's why I use the 'webui' flag to filter things at least a little bit. You should have the object Params list available, right? Can you use that to show at least some attributes? I already thought of that, but that would add only primary key, since Params is a concatenation of Options and Args - in args there are usually only mandatory arguments (i.e. primary keys, uid in case of user-show) and options are already iterated over and printed out. I think adding this is too much effort. For one thing user-show takes no other options than --rights (and the purpose of the patch is to show mapping between CLI options and LDAP attributes) and user can always see real LDAP attributes of user object by using --raw. Jan Just a reminder that this patch waits for review. Thanks Jan
Re: [Freeipa-devel] Help define the roles IPA has by default
On 02/10/2011 09:42 PM, Rob Crittenden wrote: One of the features of IPAv2 is it is much easier to delegate permissions to perform tasks (add, delete, modify, etc). This delegation is broken out into three pieces: * permissions * privileges * roles A permission is a very low-level object that says who can do what to whom. These permissions are grouped together into permissions so one can perform a whole task. This is needed for something like adding a user which requires a couple of different permissions such as actually writing the user entry, adding the user to the default group and setting the password. A role is a collection of privileges and the users/groups that are granted those privileges. Right now we are defining a single role, helpdesk, and have assigned no privileges to that yet. I was thinking about just assigning it the ability to reset passwords. But what other roles do we need? The mind boggles and rather than dictating what the initial ones will be I'm looking for some guidance/suggestions. Thinking about helpdesk and whenever a user joins/leaves a company the helpdesk needs the privileges to add/delete their user accounts. I would suggest all the privileges like: - creating users - resetting passwords - deleting users - disabling user accounts - unlocking user accounts - modifying user accounts Groups are something that are more involved with their respective departments and can be left out for the administrators to decide on if they would like to upgrade the helpdesk role/ or create new roles as per their department listings. thanks rob -- regards /shanks
Re: [Freeipa-devel] Help define the roles IPA has by default
Rob Crittenden rcrit...@redhat.com wrote: One of the features of IPAv2 is it is much easier to delegate permissions to perform tasks (add, delete, modify, etc). This delegation is broken out into three pieces: * permissions * privileges * roles A permission is a very low-level object that says who can do what to whom. These permissions are grouped together into permissions so one can perform a whole task. This is needed for something like adding a user which requires a couple of different permissions such as actually writing the user entry, adding the user to the default group and setting the password. A role is a collection of privileges and the users/groups that are granted those privileges. Right now we are defining a single role, helpdesk, and have assigned no privileges to that yet. I was thinking about just assigning it the ability to reset passwords. But what other roles do we need? The mind boggles and rather than dictating what the initial ones will be I'm looking for some guidance/suggestions. I think a role called something like IT might be good. Their privileges would cover mainly access to different parts of the network. They should have privileges to manage: - hosts - hostgroups - hbac rules - sudo rules? - dns - groups (for example to create new group of users which will have access to a particular machine) - services Now looking at the list, this group can be split into two - one managing the hosts/services and one granting users access. Jan
[Freeipa-devel] [PATCH] 711 Convert json strings to unicode
Convert json strings to unicode when they are unmarshalled. This patch removes some individual work-arounds of converting strings to unicode, they only masked the problem. String values are not passed to the validator or normalizers so things like adding the realm automatically to services weren't happening. ticket 941 rob freeipa-rcrit-711-json.patch Description: application/mbox
[Freeipa-devel] [PATCH] 712 drop kw from JSON error
The kw could contain another exception which was blowing up the marshalling. It doesn't seem to be used anywhere and contains information we've already saved in error as far as I can tell. ticket 905 rob freeipa-rcrit-712-json.patch Description: application/mbox
Re: [Freeipa-devel] [PATCH] 75 Display error messages for failed manageby in service-add/remove-host.
Jan Zelený wrote: Pavel Zuna pz...@redhat.com wrote: Fix #830 Pavel ack Jan pushed to master
Re: [Freeipa-devel] Help define the roles IPA has by default
On 02/10/2011 01:11 PM, Jan Zeleny wrote: Rob Crittenden rcrit...@redhat.com wrote: One of the features of IPAv2 is it is much easier to delegate permissions to perform tasks (add, delete, modify, etc). This delegation is broken out into three pieces: * permissions * privileges * roles A permission is a very low-level object that says who can do what to whom. These permissions are grouped together into permissions so one can perform a whole task. This is needed for something like adding a user which requires a couple of different permissions such as actually writing the user entry, adding the user to the default group and setting the password. A role is a collection of privileges and the users/groups that are granted those privileges. Right now we are defining a single role, helpdesk, and have assigned no privileges to that yet. I was thinking about just assigning it the ability to reset passwords. But what other roles do we need? The mind boggles and rather than dictating what the initial ones will be I'm looking for some guidance/suggestions. I think a role called something like IT might be good. Their privileges would cover mainly access to different parts of the network. They should have privileges to manage: - hosts - hostgroups - hbac rules - sudo rules? - dns - groups (for example to create new group of users which will have access to a particular machine) - services Now looking at the list, this group can be split into two - one managing the hosts/services and one granting users access. Jan Desktop support: needs to be able to add a new host to the server. Probably means they need delete host as well. Can't mess with the user info. Right now, they would also need to be able to create the A record, too.
Re: [Freeipa-devel] [PATCH] 1 Remove unnecessary BuildRequires
Jakub Hrozek wrote: On Tue, Feb 08, 2011 at 06:39:05PM +0100, Jan Cholasta wrote: Fixing newbie mistake: included properly formatted patch. It was tested in mock. On 8.2.2011 18:30, Jan Cholasta wrote: Removed 2 unnecessary BuildRequires from freeipa.spec.in: * e2fsprogs-devel: obsoleted by libuuid-devel * libcap-devel: not needed to build the RPM Ack. Also tested with Koji scratch build: http://koji.fedoraproject.org/koji/taskinfo?taskID=2829532 pushed to master
Re: [Freeipa-devel] [PATCH] 710 fix test failures
Jakub Hrozek wrote: On Wed, Feb 09, 2011 at 05:04:57PM -0500, Rob Crittenden wrote: The performance patch depended on self.env.mode != 'production'. env and mode aren't guaranteed to exist in the object so check for those and only skip the work if the mode is explicitly production. rob Ack pushed to master
Re: [Freeipa-devel] [PATCH] 704 replication version plugin fix
Jakub Hrozek wrote: On Tue, Feb 08, 2011 at 10:27:57PM -0500, Rob Crittenden wrote: The 389-ds replication plugin may not be installed on all platforms and our replication version plugin will cause 389-ds to not start if it is loaded and the replication plugin is not. So disable by default. When a replica is prepared we check for the replication plugin. If it exists we will enable the replication version plugin. Likewise on installation of a replica we check for existence of the replication plugin and if it is there then we enable the version plugin before replication begins. ticket 918 rob +def enable_replication_version_checking(hostname, realm, dirman_passwd): + +Check the replication version checking plugin. If it is not +enabled then enable it and restart 389-ds. If it is enabled +the do nothing. + +import pdb +pdb.set_trace() ^^^ please remove these and you'll get an ack :-) Removed and pushed to master rob
Re: [Freeipa-devel] [PATCH] 029 ipa-dns-install does not exit on error
Martin Kosek wrote: This patch fixes behavior of ipa-dns-install, which does not exit when an invalid configuration of /etc/hosts is detected. https://fedorahosted.org/freeipa/ticket/736 I'm not positive but was the address info checking done within the try to catch any possible exception? This code dates back to very early IPA code (say 4 years old or so) when we were pretty new to python and sometimes catching things in a very broad way. Is it possible that running through the addresses could raise an unhandled exception? rob
Re: [Freeipa-devel] [PATCH] 030 Fix return codes for ipactl
Martin Kosek wrote: This patch fixes ipactl to return non-zero value when something goes wrong. https://fedorahosted.org/freeipa/ticket/894 ack, pushed to master
Re: [Freeipa-devel] [PATCH] Provide a way to display CLI-LDAP attribute relation
Rob Crittenden rcrit...@redhat.com wrote: Just a really minor nit. Can you define a label for the argument? Otherwise if you run: `ipa show-mappings` it will prompt for command_name. rob Done, sending in attachment. Jan From fece796ab7894a591ef4e2fb4bb39f097c687cc1 Mon Sep 17 00:00:00 2001 From: Jan Zeleny jzel...@redhat.com Date: Wed, 26 Jan 2011 13:09:26 +0100 Subject: [PATCH] Provide a way to display CLI-LDAP relation Since some LDAP attributes have their cli_name value defined, so they can be more user friendly, it can be difficult for user to find out which attributes do the parameteres given to CLI really represent. This patch provides new command, which will take another IPA command as and argument and display attributes which given command takes and what LDAP attributes are they mapped to. https://fedorahosted.org/freeipa/ticket/447 --- ipalib/cli.py | 27 ++- 1 files changed, 26 insertions(+), 1 deletions(-) diff --git a/ipalib/cli.py b/ipalib/cli.py index 4ce7e7fa91c347aa629a8bf9dd5964f4120fb539..ab26dba69ff122637f7bcadbc71c44c9ccf76b64 100644 --- a/ipalib/cli.py +++ b/ipalib/cli.py @@ -47,7 +47,7 @@ import plugable import util from errors import PublicError, CommandError, HelpError, InternalError, NoSuchNamespaceError, ValidationError, NotFound, NotConfiguredError from constants import CLI_TAB -from parameters import Password, Bytes, File +from parameters import Password, Bytes, File, Str from text import _ from ipapython.version import API_VERSION 
@@ -767,6 +767,30 @@ class help(frontend.Local): print ' %s %s' % (to_cli(c.name).ljust(mcl), c.summary) print \n +class show_mappings(frontend.Command): +takes_args = ( +Str('command_name', +label='Command name', +), +) +has_output = tuple() + +def run(self, command_name): +command_name = from_cli(command_name) +if command_name not in self.Command: +raise CommandError(name=command_name) +params = self.Command[command_name].options +out = [('Parameter','LDAP attribute'), + ('=','==')] +mcl = len(out[0][0]) +for param in params(): +if param.exclude and 'webui' in param.exclude: +continue +out.append((param.cli_name, param.param_spec)) +mcl = max(mcl,len(param.cli_name)) +for item in out: +print to_cli(item[0]).ljust(mcl)+' : '+item[1] + class console(frontend.Command): Start the IPA interactive Python console. @@ -1045,6 +1069,7 @@ cli_plugins = ( textui, console, help, +show_mappings, ) -- 1.7.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
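Review bot: show_mappings is added without a docstring, while the console command directly below it carries one and help prints c.summary next to every command name; add a short docstring stating what the command displays. The user-visible strings in the hunk ('Command name', 'Parameter', 'LDAP attribute') are plain literals even though _ is imported from text at the top of cli.py, so wrap them in _() to keep them translatable.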
Re: [Freeipa-devel] [PATCH] admiyo-0191-target-section-without-radio-buttons
On 02/10/2011 01:13 AM, Endi Sukma Dewata wrote:

On 2/9/2011 7:06 PM, Adam Young wrote:

A few comments:

1. The functionality seems to be working, but the layout is a bit different. Previously the label (e.g. Filter) and the widget (e.g. text field) occupy the same line. Right now they occupy different lines and not aligned with the labels widgets above it (e.g. Permission name). I'd like the UXD team to review this change.

I had missed the classes that these things needed. Added them back in.

2. The jQuery selectors on lines 427, 462, 472 in aci.js are not qualified, so they will be doing a global search. I'd rather store the object reference somewhere and use it directly without searching for it again. For example, line 411 can be changed as follows: target_type.container = $('<dl/>', { Then line 427 can be changed as follows: target_type.container.css('display', 'block');

Done. Good idea.

3. The indentation of the target_types array in aci.js is inconsistent.

Fixed

4. The IPA.hidden_widget doesn't seem to be used. Should this be removed?

Gone baby gone

5. For the changes in dialog.js, it's not necessary to check section.reset()'s presence before calling it. All sections will have a reset() function because it's inherited from the base class.

Removed

6. For the changes in widget.js, let's do this in a separate patch. We'll combine the create/setup in a more consistent way.

Agreed. This was actually part of trial and error to get it to work, and it didn't need to be there. Gone.

7. There are some jslint warnings.

Fixed

From c88f50789f8ae94e852b15aaf8970f5c506554f9 Mon Sep 17 00:00:00 2001
From: Adam Young ayo...@redhat.com Date: Mon, 7 Feb 2011 23:02:43 -0500 Subject: [PATCH] target section without radio buttons ACI target section refactored into an array of widget-like objects. The radio buttons have been replaced by a select box. THe select is not visible on the details page. https://fedorahosted.org/freeipa/ticket/924 --- install/ui/aci.js| 519 +- install/ui/dialog.js |3 + install/ui/test/aci_tests.js | 43 +++- install/ui/widget.js |6 +- 4 files changed, 293 insertions(+), 278 deletions(-) diff --git a/install/ui/aci.js b/install/ui/aci.js index e515902c5c83451389b5c9dde8115e087f9686f3..fce6846dc56ec4722239673f6b9fc9ec2c939aa9 100644 --- a/install/ui/aci.js +++ b/install/ui/aci.js @@ -36,6 +36,8 @@ IPA.attributes_widget = function(spec) { that.create = function(container) { + + that.table = $('table/', { id:id, 'class':'search-table aci-attribute-table' @@ -129,7 +131,8 @@ IPA.attributes_widget = function(spec) { var unmatched = []; for (var i=0; ithat.values.length; i++) { -var input = $('input[name='+that.name+'][value='+that.values[i]+']', that.container); +var input = $('input[name='+that.name+']'+ + '[value='+that.values[i]+']', that.container); if (!input.length) { unmatched.push(that.values[i]); } @@ -180,29 +183,6 @@ IPA.rights_widget = function(spec) { return that; }; -IPA.hidden_widget = function(spec) { -spec.label = ''; -var that = IPA.widget(spec); -that.id = spec.id; -var value = spec.value || ''; -that.create = function(container){ -$('input/',{ -type:'hidden', -'id':that.id, -value: value -}). -appendTo(container); -}; - -that.save = function(){ -return [value]; -}; -that.reset = function(){ - -}; -return that; -}; - IPA.rights_section = function() { var spec = { 
@@ -210,7 +190,8 @@ IPA.rights_section = function() { 'label': 'Rights' }; var that = IPA.details_section(spec); -that.add_field(IPA.rights_widget({name: 'permissions', label: 'Permissions', join: true})); +that.add_field(IPA.rights_widget( +{name: 'permissions', label: 'Permissions', join: true})); return that; }; @@ -221,265 +202,268 @@ IPA.target_section = function(spec) { spec = spec || {}; var that = IPA.details_section(spec); - that.undo = typeof spec.undo == 'undefined' ? true : spec.undo; -var groupings = ['aci_by_type', 'aci_by_query', 'aci_by_group', - 'aci_by_filter' ]; -var inputs = ['input', 'select', 'textarea']; - -function disable_inputs() { -for (var g = 0; g groupings.length; g += 1 ){ -for (var t = 0 ; t inputs.length; t += 1){ -$('.' + groupings[g] + ' '+ inputs[t]). -attr('disabled', 'disabled'); +that.filter_text = IPA.text_widget({name: 'filter', undo: that.undo}); +that.subtree_textarea = IPA.textarea_widget({ +name: 'subtree', +cols: 30, rows: 1, +undo: that.undo +}); +that.group_select =
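Review bot: In attributes_widget, the re-wrapped lookup still builds the selector by concatenating that.name and that.values[i] into 'input[name=...][value=...]' without quoting, so a value containing a selector metacharacter (a ';', a ']' or a space, for example) either throws or ends up in unmatched even though its checkbox exists. Since the line is being touched anyway, quote the attribute values inside the selector, or select by name and compare .val() in a filter. The two blank lines added at the top of that.create are unrelated to the change and can be dropped.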
Re: [Freeipa-devel] Help define the roles IPA has by default
On 02/10/2011 05:12 PM, Rob Crittenden wrote:

But what other roles do we need? The mind boggles and rather than dictating what the initial ones will be I'm looking for some guidance/suggestions. thanks rob

I'm actually wondering if we need to define many default roles in the upstream project. I'm thinking that every organization will have different needs and different ways of role delegation anyway, so I would rather make sure this feature is well documented with examples and use cases.
Re: [Freeipa-devel] [PATCH] admiyo-0191-target-section-without-radio-buttons
Last version was a little too zealous in removing style info, and I removed the code that hid the select box that chose the target. Added that code back in here.

On 02/10/2011 03:02 PM, Adam Young wrote:

On 02/10/2011 01:13 AM, Endi Sukma Dewata wrote:

On 2/9/2011 7:06 PM, Adam Young wrote:

A few comments:

1. The functionality seems to be working, but the layout is a bit different. Previously the label (e.g. Filter) and the widget (e.g. text field) occupy the same line. Right now they occupy different lines and not aligned with the labels widgets above it (e.g. Permission name). I'd like the UXD team to review this change.

I had missed the classes that these things needed. Added them back in.

2. The jQuery selectors on lines 427, 462, 472 in aci.js are not qualified, so they will be doing a global search. I'd rather store the object reference somewhere and use it directly without searching for it again. For example, line 411 can be changed as follows: target_type.container = $('<dl/>', { Then line 427 can be changed as follows: target_type.container.css('display', 'block');

Done. Good idea.

3. The indentation of the target_types array in aci.js is inconsistent.

Fixed

4. The IPA.hidden_widget doesn't seem to be used. Should this be removed?

Gone baby gone

5. For the changes in dialog.js, it's not necessary to check section.reset()'s presence before calling it. All sections will have a reset() function because it's inherited from the base class.

Removed

6. For the changes in widget.js, let's do this in a separate patch. We'll combine the create/setup in a more consistent way.

Agreed. This was actually part of trial and error to get it to work, and it didn't need to be there. Gone.

7. There are some jslint warnings.

Fixed

From 6c157b6e49b2cf5da7f848d6bf4c40f92ad7b7b4 Mon Sep 17 00:00:00 2001
From: Adam Young ayo...@redhat.com Date: Mon, 7 Feb 2011 23:02:43 -0500 Subject: [PATCH] target section without radio buttons ACI target section refactored into an array of widget-like objects. The radio buttons have been replaced by a select box. THe select is not visible on the details page. https://fedorahosted.org/freeipa/ticket/924 --- install/ui/aci.js| 519 +- install/ui/dialog.js |3 + install/ui/test/aci_tests.js | 43 +++- install/ui/widget.js |6 +- 4 files changed, 293 insertions(+), 278 deletions(-) diff --git a/install/ui/aci.js b/install/ui/aci.js index e515902c5c83451389b5c9dde8115e087f9686f3..9307785b8c5d3850e53943356d1198ed66c417aa 100644 --- a/install/ui/aci.js +++ b/install/ui/aci.js @@ -36,6 +36,8 @@ IPA.attributes_widget = function(spec) { that.create = function(container) { + + that.table = $('table/', { id:id, 'class':'search-table aci-attribute-table' @@ -129,7 +131,8 @@ IPA.attributes_widget = function(spec) { var unmatched = []; for (var i=0; ithat.values.length; i++) { -var input = $('input[name='+that.name+'][value='+that.values[i]+']', that.container); +var input = $('input[name='+that.name+']'+ + '[value='+that.values[i]+']', that.container); if (!input.length) { unmatched.push(that.values[i]); } @@ -180,29 +183,6 @@ IPA.rights_widget = function(spec) { return that; }; -IPA.hidden_widget = function(spec) { -spec.label = ''; -var that = IPA.widget(spec); -that.id = spec.id; -var value = spec.value || ''; -that.create = function(container){ -$('input/',{ -type:'hidden', -'id':that.id, -value: value -}). -appendTo(container); -}; - -that.save = function(){ -return [value]; -}; -that.reset = function(){ - -}; -return that; -}; - IPA.rights_section = function() { var spec = { 
@@ -210,7 +190,8 @@ IPA.rights_section = function() { 'label': 'Rights' }; var that = IPA.details_section(spec); -that.add_field(IPA.rights_widget({name: 'permissions', label: 'Permissions', join: true})); +that.add_field(IPA.rights_widget( +{name: 'permissions', label: 'Permissions', join: true})); return that; }; @@ -221,265 +202,268 @@ IPA.target_section = function(spec) { spec = spec || {}; var that = IPA.details_section(spec); - that.undo = typeof spec.undo == 'undefined' ? true : spec.undo; -var groupings = ['aci_by_type', 'aci_by_query', 'aci_by_group', - 'aci_by_filter' ]; -var inputs = ['input', 'select', 'textarea']; - -function disable_inputs() { -for (var g = 0; g groupings.length; g += 1 ){ -for (var t = 0 ; t
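Review bot: The diffstat of this revision still lists install/ui/dialog.js (3 lines) and install/ui/widget.js (6 lines), although the replies to comments 5 and 6 say the reset() check was removed and the widget.js change is gone; please confirm the regenerated patch really drops them, or state in the commit message what remains in those two files and why. The commit message itself is unchanged from the first posting and does not mention the removal of IPA.hidden_widget, which is worth a line.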
Re: [Freeipa-devel] [PATCH] Provide a way to display CLI-LDAP attribute relation
Jan Zeleny wrote:

Rob Crittenden rcrit...@redhat.com wrote:

Just a really minor nit. Can you define a label for the argument? Otherwise if you run: `ipa show-mappings` it will prompt for command_name. rob

Done, sending in attachment. Jan

I made one minor change to the patch before pushing. I wrapped 'Command name' in _() so it can be localized.

pushed to master

rob
Re: [Freeipa-devel] [PATCH] admiyo-0191-target-section-without-radio-buttons
On 02/10/2011 03:09 PM, Adam Young wrote:

Last version was a little too zealous in removing style info, and I removed the code that hid the select box that chose the target. Added that code back in here.

On 02/10/2011 03:02 PM, Adam Young wrote:

On 02/10/2011 01:13 AM, Endi Sukma Dewata wrote:

On 2/9/2011 7:06 PM, Adam Young wrote:

A few comments:

1. The functionality seems to be working, but the layout is a bit different. Previously the label (e.g. Filter) and the widget (e.g. text field) occupy the same line. Right now they occupy different lines and not aligned with the labels widgets above it (e.g. Permission name). I'd like the UXD team to review this change.

I had missed the classes that these things needed. Added them back in.

2. The jQuery selectors on lines 427, 462, 472 in aci.js are not qualified, so they will be doing a global search. I'd rather store the object reference somewhere and use it directly without searching for it again. For example, line 411 can be changed as follows: target_type.container = $('<dl/>', { Then line 427 can be changed as follows: target_type.container.css('display', 'block');

Done. Good idea.

3. The indentation of the target_types array in aci.js is inconsistent.

Fixed

4. The IPA.hidden_widget doesn't seem to be used. Should this be removed?

Gone baby gone

5. For the changes in dialog.js, it's not necessary to check section.reset()'s presence before calling it. All sections will have a reset() function because it's inherited from the base class.

Removed

6. For the changes in widget.js, let's do this in a separate patch. We'll combine the create/setup in a more consistent way.

Agreed. This was actually part of trial and error to get it to work, and it didn't need to be there. Gone.

7. There are some jslint warnings.
Fixed ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel From ea289c7bbcb58b86b1c9fd61f8c03e360e476e03 Mon Sep 17 00:00:00 2001 From: Adam Young ayo...@redhat.com Date: Mon, 7 Feb 2011 23:02:43 -0500 Subject: [PATCH] target section without radio buttons ACI target section refactored into an array of widget-like objects. The radio buttons have been replaced by a select box. THe select is not visible on the details page. https://fedorahosted.org/freeipa/ticket/924 --- install/ui/aci.js| 519 +- install/ui/dialog.js |3 + install/ui/test/aci_tests.js | 43 +++- install/ui/widget.js |3 +- 4 files changed, 293 insertions(+), 275 deletions(-) diff --git a/install/ui/aci.js b/install/ui/aci.js index e515902c5c83451389b5c9dde8115e087f9686f3..182cd7e05db230dde9bbb63aa8c21e877dfb8a43 100644 --- a/install/ui/aci.js +++ b/install/ui/aci.js @@ -36,6 +36,8 @@ IPA.attributes_widget = function(spec) { that.create = function(container) { + + that.table = $('table/', { id:id, 'class':'search-table aci-attribute-table' @@ -129,7 +131,8 @@ IPA.attributes_widget = function(spec) { var unmatched = []; for (var i=0; ithat.values.length; i++) { -var input = $('input[name='+that.name+'][value='+that.values[i]+']', that.container); +var input = $('input[name='+that.name+']'+ + '[value='+that.values[i]+']', that.container); if (!input.length) { unmatched.push(that.values[i]); } 
@@ -180,29 +183,6 @@ IPA.rights_widget = function(spec) { return that; }; -IPA.hidden_widget = function(spec) { -spec.label = ''; -var that = IPA.widget(spec); -that.id = spec.id; -var value = spec.value || ''; -that.create = function(container){ -$('input/',{ -type:'hidden', -'id':that.id, -value: value -}). -appendTo(container); -}; - -that.save = function(){ -return [value]; -}; -that.reset = function(){ - -}; -return that; -}; - IPA.rights_section = function() { var spec = { @@ -210,7 +190,8 @@ IPA.rights_section = function() { 'label': 'Rights' }; var that = IPA.details_section(spec); -that.add_field(IPA.rights_widget({name: 'permissions', label: 'Permissions', join: true})); +that.add_field(IPA.rights_widget( +{name: 'permissions', label: 'Permissions', join: true})); return that; }; @@ -221,265 +202,270 @@ IPA.target_section = function(spec) { spec = spec || {}; var that = IPA.details_section(spec); - that.undo = typeof spec.undo == 'undefined' ? true : spec.undo; -var groupings = ['aci_by_type', 'aci_by_query', 'aci_by_group', -
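Review bot: In rights_section, the re-wrapped add_field call keeps label: 'Permissions' (and 'label': 'Rights' on the section just above it) as hard-coded English strings, while other UI modules take labels from IPA.messages (service.js uses IPA.messages.association.managedby). As the line is being rewritten anyway, either pull both labels from the translated messages or leave a TODO next to them so they are not missed when the UI is internationalized.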
Re: [Freeipa-devel] Help define the roles IPA has by default
On 02/10/2011 03:05 PM, Jakub Hrozek wrote:

On 02/10/2011 05:12 PM, Rob Crittenden wrote:

But what other roles do we need? The mind boggles and rather than dictating what the initial ones will be I'm looking for some guidance/suggestions. thanks rob

I'm actually wondering if we need to define many default roles in the upstream project. I'm thinking that every organization will have different needs and different ways of role delegation anyway, so I would rather make sure this feature is well documented with examples and use cases.

I think that a reasonable set of 3-5 roles and documentation how to change them should be sufficient.

-- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc.
Re: [Freeipa-devel] [PATCH] 703 389-ds startup with krb config
Jakub Hrozek wrote:

On Tue, Feb 08, 2011 at 10:12:27AM -0500, Rob Crittenden wrote:

If /etc/krb5.conf doesn't exist or contains no default kerberos realm then 389-ds won't start at all. This is a problem during installation because we configure 389 first. This patch will let the server come up, you just won't be able to do any joins or password changes until you configure kerberos. ticket 606 rob

I wasn't able to install with this patch when I had no /etc/krb5.conf at all. Here's what the DS error log said:

---
10/Feb/2011:07:30:35 -0500] ipaenrollment_start - [file ipa_enrollment.c, line 389]: Failed to get default realm?!
[10/Feb/2011:07:30:35 -0500] - Failed to start extendedop plugin ipa_enrollment_extop
[10/Feb/2011:07:30:35 -0500] ipaenrollment_start - [file ipa_enrollment.c, line 389]: Failed to get default realm?!
[10/Feb/2011:07:30:35 -0500] - Failed to start extendedop plugin ipa_enrollment_extop
[10/Feb/2011:07:30:36 -0500] ipaenrollment_start - [file ipa_enrollment.c, line 389]: Failed to get default realm?!
[10/Feb/2011:07:30:36 -0500] - Failed to start extendedop plugin ipa_enrollment_extop
---

Looking at ipaenrollment_start(), it looks like the culprit is that when krb5_get_default_realm() fails, ret is set to an error code and returned. It should be either reset to LDAP_SUCCESS or maybe rc should be used instead.

Also one nitpick. This:

-static char *realm; -static const char *ipa_realm_dn; +static char *realm = NULL; +static const char *ipa_realm_dn = NULL;

Is not necessary, global variables are initialized to NULL automatically.

Updated patch attached. I was able to do full install with this one.

rob

freeipa-rcrit-703-2-startup.patch Description: application/mbox
Re: [Freeipa-devel] [PATCH] admiyo-0191-target-section-without-radio-buttons
On 2/10/2011 3:27 PM, Adam Young wrote:

NACK. As discussed over IRC, the is_dirty functionality is not working for permissions that have an object by type target.

-- Endi S. Dewata
[Freeipa-devel] [PATCH] Fixed add service dialog box.
Previously the add service dialog box shows a 'Principal:' label with no text field next to it. It now has been removed. The dialog box has been widened to avoid line wrapping of the buttons. -- Endi S. Dewata From 24d77795d7e73e4a0d91245c9603ef8ea8ffb4e9 Mon Sep 17 00:00:00 2001 From: Endi S. Dewata edew...@redhat.com Date: Wed, 9 Feb 2011 10:56:25 -0600 Subject: [PATCH] Fixed add service dialog box. Previously the add service dialog box shows a 'Principal:' label with no text field next to it. It now has been removed. The dialog box has been widened to avoid line wrapping of the buttons. --- install/ui/dialog.js |1 + install/ui/service.js | 52 +--- install/ui/widget.js |1 + 3 files changed, 29 insertions(+), 25 deletions(-) diff --git a/install/ui/dialog.js b/install/ui/dialog.js index f8eaf21215500cf83d35a39d558a380412dfdf53..4733b7814c845fa9862af95d1d2df8fa95349b6b 100644 --- a/install/ui/dialog.js +++ b/install/ui/dialog.js @@ -117,6 +117,7 @@ IPA.dialog = function(spec) { for (var i=0; ithat.fields.length; i++) { var field = that.fields[i]; +if (field.hidden) continue; var tr = $('tr/').appendTo(table); diff --git a/install/ui/service.js b/install/ui/service.js index 409aa5dfaede03ef85b9c6cec57fd258967cec01..7fc1547223c08d8bc574284764ae2e4886ed8b46 100644 --- a/install/ui/service.js +++ b/install/ui/service.js 
@@ -23,35 +23,36 @@ /* REQUIRES: ipa.js, details.js, search.js, add.js, entity.js */ -IPA.entity_factories.service = function () { +IPA.entity_factories.service = function() { return IPA.entity({ -'name': 'service' +name: 'service' }). association({ -'name': 'host', -'add_method': 'add_host', -'remove_method': 'remove_host' +name: 'host', +add_method: 'add_host', +remove_method: 'remove_host' }). facet( IPA.search_facet(). column({name: 'krbprincipalname'}). dialog( IPA.service_add_dialog({ -'name': 'add', -'title': 'Add New Service' +name: 'add', +title: 'Add New Service', +width: '450px' }))). -facet( IPA.service_details_facet()). -facet( IPA.service_managedby_host_facet({ -'name': 'managedby_host', -'label': IPA.messages.association.managedby + +facet(IPA.service_details_facet()). +facet(IPA.service_managedby_host_facet({ +name: 'managedby_host', +label: IPA.messages.association.managedby + ' '+IPA.metadata['host'].label, -'other_entity': 'host' +other_entity: 'host' })); }; -IPA.service_select_widget = function (spec){ +IPA.service_select_widget = function(spec) { var that = IPA.text_widget(spec); var known_services = [, cifs, DNS, ftp, HTTP,imap, ldap, @@ -81,25 +82,26 @@ IPA.service_select_widget = function (spec){ /*TODO: the following labels etc. all need to be replaced with I18N strings */ -IPA.service_add_dialog = function (spec) { +IPA.service_add_dialog = function(spec) { spec = spec || {}; var that = IPA.add_dialog(spec). field(IPA.widget({ -name: 'krbprincipalname' +name: 'krbprincipalname', +hidden: true })). field(IPA.service_select_widget({ -'name': 'service', -'label': 'Service', -'size': 20, -'undo': false +name: 'service', +label: 'Service', +size: 20, +undo: false })). field(IPA.text_widget({ -'name': 'host', -'label': 'Host Name', -'size': 40, -'undo': false +name: 'host', +label: 'Host Name', +size: 40, +undo: false })). field(IPA.checkbox_widget({ name: 'force', 
@@ -127,7 +129,7 @@ IPA.service_add_dialog = function (spec) { }; -IPA.service_details_facet = function (spec) { +IPA.service_details_facet = function(spec) { spec = spec || {}; @@ -360,7 +362,7 @@ function service_certificate_status_widget(spec) { return that; } -IPA.service_managedby_host_facet = function (spec) { +IPA.service_managedby_host_facet = function(spec) { spec = spec || {}; diff --git a/install/ui/widget.js b/install/ui/widget.js index dad35ecfa55d390ad6d5bd501e85f7cfe069b16e..c4dfb5397b5373b50496086a67ebf0dc453d4a80 100644 --- a/install/ui/widget.js +++ b/install/ui/widget.js @@ -35,6 +35,7 @@ IPA.widget = function(spec) { that.tooltip = spec.tooltip; that.disabled = spec.disabled; +that.hidden = spec.hidden; // read_only is set
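Review bot: The behaviour change is three small pieces (hidden: true on krbprincipalname and width: '450px' in service.js, the if (field.hidden) continue; skip in dialog.js, and that.hidden = spec.hidden in widget.js), but the service.js hunks also unquote every object key and change function () to function(), which accounts for most of the 52 changed lines; please move the style cleanup into its own patch so the functional change can be reviewed and reverted on its own. In dialog.js, put the continue in braces to keep jslint quiet, and it would help to note in a comment that a hidden field gets no table row at all.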
[Freeipa-devel] [PATCH] admiyo-0192-column-formatting
From 2f6d37bab0064b7cab9ffb4f6976487afb3ff6a4 Mon Sep 17 00:00:00 2001 From: Adam Young ayo...@redhat.com Date: Thu, 10 Feb 2011 16:48:17 -0500 Subject: [PATCH] column formatting Allow optional formatting for columns Provide Data formate for host modificaiton https://fedorahosted.org/freeipa/ticket/781 --- install/ui/host.js | 26 +- install/ui/widget.js |8 2 files changed, 33 insertions(+), 1 deletions(-) diff --git a/install/ui/host.js b/install/ui/host.js index 86a5b820aeaaea9e6819444d27dc1d8142e4a097..9a84f77a0b923d8a804aff67d9b712a9d78ff502 100644 --- a/install/ui/host.js +++ b/install/ui/host.js @@ -115,7 +115,31 @@ IPA.host_search_facet = function (spec) { that.create_column({name:'fqdn'}); that.create_column({name:'description'}); //TODO use the value of this field to set enrollment status -that.create_column({name:'krblastpwdchange', label:'Enrolled?'}); +that.create_column({name:'krblastpwdchange', label:'Enrolled?', +format: function(value){ +if (value.length != 20101119025910Z.length){ +return value; +} + + + +var formated = // 2010-11-19, 02:59:10; +value.substring(0, 4)+ +'-' + +value.substring(4, 6) + +'-' + +value.substring(6, 8) + +', ' + +value.substring(8, 10) + +':' + +value.substring(10, 12) + +':' + +value.substring(12, 14) + +' ' + +value.substring(14, 15) +return formated; +} + }); that.create_column({name:'nshostlocation'}); that.search_facet_init(); diff --git a/install/ui/widget.js b/install/ui/widget.js index 5c0d2dd5feba9f49c0524fc9722632e06e1d8799..96893df71d3956aa6f30f5fc65af687a2e15b4b5 100644 --- a/install/ui/widget.js +++ b/install/ui/widget.js @@ -1006,6 +1006,9 @@ IPA.column = function (spec) { var that = {}; +if (spec.format){ +that.format = spec.format; +} that.name = spec.name; that.label = spec.label; that.primary_key = spec.primary_key; 
@@ -1026,8 +1029,13 @@ IPA.column = function (spec) { container.empty(); var value = record[that.name]; +if (that.format value){ +value = that.format(value); +} + value = value ? value.toString() : ''; + container.append(value); } -- 1.7.3.5 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
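Review bot: In the widget.js hunk for IPA.column, the string returned by that.format(value) is passed to container.append(value), and jQuery's append() treats a string argument as HTML, so whatever a formatter returns (or the raw attribute value when no formatter is set) is parsed as markup; set it with container.text(value) so directory data is always rendered as text. In host.js the statement ending in value.substring(14, 15) is missing its semicolon, and the formatter only checks the length of the value; testing it against a pattern of fourteen digits followed by Z would keep other 15-character values from being sliced up. A one-line comment saying the input is an LDAP generalized time would document why the slicing is done.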
Re: [Freeipa-devel] [PATCH] admiyo-0192-column-formatting
On 2/10/2011 3:51 PM, Adam Young wrote:

Should we use one of these functions?

http://www.w3schools.com/jsref/jsref_tostring_date.asp
http://www.w3schools.com/jsref/jsref_tolocalestring.asp
http://www.w3schools.com/jsref/jsref_toutcstring.asp

-- Endi S. Dewata
[Freeipa-devel] [PATCH] one-liner to fix BUILD.txt
Pushed this one-liner to fix reference to ipa.spec.in in BUILD.txt ticket 859 diff --git a/BUILD.txt b/BUILD.txt index d70351d..df029a5 100644 --- a/BUILD.txt +++ b/BUILD.txt @@ -5,7 +5,7 @@ Dependencies The quickest way to get the dependencies needed for building is: -# yum install rpm-build `grep ^BuildRequires ipa.spec.in | awk '{ print $2 }' | grep -v ^/` +# yum install rpm-build `grep ^BuildRequires freeipa.spec.in | awk '{ print $ 2 }' | grep -v ^/` ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] admiyo-0192-column-formatting
On 2/10/2011 5:00 PM, Adam Young wrote:

Should we use one of these functions?

http://www.w3schools.com/jsref/jsref_tostring_date.asp
http://www.w3schools.com/jsref/jsref_tolocalestring.asp
http://www.w3schools.com/jsref/jsref_toutcstring.asp

Our dates are not considered valid dates, so we can't just use them.

Isn't it a valid UTC time? We can parse it like what you're doing now using substring(), then use the values to construct a Date object in JS. Then we can invoke one of the above methods to display a properly formatted date.

-- Endi S. Dewata
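The approach suggested in the reply above (split the timestamp, build a Date, then format it), as an added example that is not part of the thread or of FreeIPA's code. The function names are hypothetical, and only the fixed-width UTC form shown in the patch (`20101119025910Z`) is accepted.

```javascript
'use strict';
// Added example, not FreeIPA code. Function names are hypothetical.

// Fixed-width UTC form seen in the patch: YYYYMMDDHHMMSS followed by 'Z'.
// GeneralizedTime also permits fractional seconds and numeric offsets; this
// example rejects those rather than guessing at them.
var GENERALIZED_TIME_UTC = /^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z$/;

// Returns a Date for a valid timestamp, or null for anything else.
function parseGeneralizedTime(value) {
    if (typeof value !== 'string') {
        return null;
    }
    var m = GENERALIZED_TIME_UTC.exec(value);
    if (!m) {
        return null;
    }
    var year = Number(m[1]), month = Number(m[2]), day = Number(m[3]);
    var hour = Number(m[4]), minute = Number(m[5]), second = Number(m[6]);

    var date = new Date(Date.UTC(year, month - 1, day, hour, minute, second));

    // Date.UTC() silently rolls over out-of-range fields (month 13, 29 Feb in
    // a non-leap year, second 60) and maps years 0..99 to 1900..1999, so a
    // field-by-field round trip is the validity check.
    if (date.getUTCFullYear() !== year ||
        date.getUTCMonth() !== month - 1 ||
        date.getUTCDate() !== day ||
        date.getUTCHours() !== hour ||
        date.getUTCMinutes() !== minute ||
        date.getUTCSeconds() !== second) {
        return null;
    }
    return date;
}

// Left-pad a non-negative integer with zeros.
function pad(n, width) {
    var s = String(n);
    while (s.length < width) {
        s = '0' + s;
    }
    return s;
}

// Column formatter: valid timestamps become 'YYYY-MM-DD HH:MM:SS UTC';
// anything else is returned unchanged as a string, as the patch's formatter
// does for values it does not recognise. The result is plain text and is
// meant to be inserted into the page as text, not as markup.
function formatTimestampColumn(value) {
    var date = parseGeneralizedTime(value);
    if (date === null) {
        return (value === undefined || value === null) ? '' : String(value);
    }
    return pad(date.getUTCFullYear(), 4) + '-' +
        pad(date.getUTCMonth() + 1, 2) + '-' +
        pad(date.getUTCDate(), 2) + ' ' +
        pad(date.getUTCHours(), 2) + ':' +
        pad(date.getUTCMinutes(), 2) + ':' +
        pad(date.getUTCSeconds(), 2) + ' UTC';
}

// Constructed sample values, the first one taken from the patch.
['20101119025910Z', '20101319025910Z', 'never'].forEach(function (sample) {
    console.log(sample + ' -> ' + formatTimestampColumn(sample));
});
```

Because `parseGeneralizedTime()` returns a real Date, a caller can use `toUTCString()` or `toLocaleString()` on it instead of the fixed format.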
Re: [Freeipa-devel] [PATCH] admiyo-0191-target-section-without-radio-buttons
On 2/10/2011 5:02 PM, Adam Young wrote:

On 02/10/2011 04:42 PM, Endi Sukma Dewata wrote:

On 2/10/2011 3:27 PM, Adam Young wrote:

NACK. As discussed over IRC, the is_dirty functionality is not working for permissions that have an object by type target.

Was worse than that, load was broken.

It still has some problems:

1. Updating a permission with a filter doesn't work. Clicking the update button didn't execute anything, the undo button didn't disappear.

2. Resetting the user details page is not working properly, some fields did not get reset. I think the addition of undo_span in widgets.js is not needed and causing a problem because not all (custom) widgets will call create_undo().

-- Endi S. Dewata
Re: [Freeipa-devel] Help define the roles IPA has by default
Dmitri Pal wrote:

On 02/10/2011 03:05 PM, Jakub Hrozek wrote:

On 02/10/2011 05:12 PM, Rob Crittenden wrote:

But what other roles do we need? The mind boggles and rather than dictating what the initial ones will be I'm looking for some guidance/suggestions. thanks rob

I'm actually wondering if we need to define many default roles in the upstream project. I'm thinking that every organization will have different needs and different ways of role delegation anyway, so I would rather make sure this feature is well documented with examples and use cases.

I think that a reasonable set of 3-5 roles and documentation how to change them should be sufficient.

I agree. On top of what Dmitri has already sent out, this thread is a really good continuation of documenting delegation, permissions, roles, etc., especially because this area is so different from v1.

If we look at it from two perspectives, one being What does IPA need to function?, and the other being What do customers need?, then we can probably come up with a short list and provide some basic use cases, descriptions, and examples.

Dmitri's list of 5 is good, although I would suggest settling on a naming format, by which I mean rather than a combination of person-based and role-based names, use a consistent format. Security Architect IPA Administrator are people (faiap), while Helpdesk is a department. Anyway, you get the idea.

We've already started with Name, Description, Goals; with a few use cases I can put together short sections with links to existing docs on how to use the relevant commands, or write them as needed.

cheers

-- David O'Brien Red Hat Asia Pacific Pty Ltd +61 7 3514 8189 He who asks is a fool for five minutes, but he who does not ask remains a fool forever. ~ Chinese proverb
[Freeipa-devel] [PATCH] 714 fix dogtag installation
Reset file ownership after calling update_file() and set_preference() in installutils. Out of the blue these would change file ownership to root:root which was breaking a dogtag profile.

This fixes the error from cert-request: FAILURE (Profile caIPAserviceCert Not Found)

ticket 928

rob

freeipa-rcrit-714-ownership.patch Description: application/mbox
Re: [Freeipa-devel] [PATCH] 703 389-ds startup with krb config
Rob Crittenden wrote:

Jakub Hrozek wrote:

On Tue, Feb 08, 2011 at 10:12:27AM -0500, Rob Crittenden wrote:

If /etc/krb5.conf doesn't exist or contains no default kerberos realm then 389-ds won't start at all. This is a problem during installation because we configure 389 first. This patch will let the server come up, you just won't be able to do any joins or password changes until you configure kerberos. ticket 606 rob

I wasn't able to install with this patch when I had no /etc/krb5.conf at all. Here's what the DS error log said:

---
10/Feb/2011:07:30:35 -0500] ipaenrollment_start - [file ipa_enrollment.c, line 389]: Failed to get default realm?!
[10/Feb/2011:07:30:35 -0500] - Failed to start extendedop plugin ipa_enrollment_extop
[10/Feb/2011:07:30:35 -0500] ipaenrollment_start - [file ipa_enrollment.c, line 389]: Failed to get default realm?!
[10/Feb/2011:07:30:35 -0500] - Failed to start extendedop plugin ipa_enrollment_extop
[10/Feb/2011:07:30:36 -0500] ipaenrollment_start - [file ipa_enrollment.c, line 389]: Failed to get default realm?!
[10/Feb/2011:07:30:36 -0500] - Failed to start extendedop plugin ipa_enrollment_extop
---

Looking at ipaenrollment_start(), it looks like the culprit is that when krb5_get_default_realm() fails, ret is set to an error code and returned. It should be either reset to LDAP_SUCCESS or maybe rc should be used instead.

Also one nitpick. This:

-static char *realm; -static const char *ipa_realm_dn; +static char *realm = NULL; +static const char *ipa_realm_dn = NULL;

Is not necessary, global variables are initialized to NULL automatically.

Updated patch attached. I was able to do full install with this one.

rob

Found another problem, new patch.

rob

freeipa-rcrit-703-3-startup.patch Description: application/mbox
[Freeipa-devel] [PATCH] 715 ensure required variables are required
Yi found a tricky way to remove required attributes that aren't required in the schema. The problem was we weren't enforcing parameter.required in mods (because it was enforcing that every variable with required be provided). I added a new check routine that is executed after setattr/addattr does its work and verifies that no required parameters get skipped. ticket 852 rob freeipa-rcrit-715-required.patch Description: application/mbox
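The post-merge check described in the message above can be sketched as follows. This is an added example, not code from the FreeIPA patch: the parameter table, the function names (parse_attr, apply_mods, check_required, mod) and the sample entry are all hypothetical.

```python
class ValidationError(Exception):
    pass

# Hypothetical parameter table (name -> required); not FreeIPA's real schema.
PARAMS = {"cn": True, "maxlife": True, "description": False}

def parse_attr(text):
    """Split a 'name=value' option; an empty value means 'remove the attribute'."""
    name, sep, value = text.partition("=")
    if not sep or not name:
        raise ValidationError("expected name=value, got %r" % text)
    return name.lower(), value

def apply_mods(entry, setattrs=(), addattrs=()):
    """Return a copy of entry with setattr (replace) and addattr (append) applied."""
    merged = {k: list(v) for k, v in entry.items()}
    for text in setattrs:
        name, value = parse_attr(text)
        merged[name] = [value] if value else []
    for text in addattrs:
        name, value = parse_attr(text)
        if value:
            merged.setdefault(name, []).append(value)
    return merged

def check_required(params, entry):
    """Reject the merged entry if any required parameter ended up empty."""
    missing = sorted(n for n, req in params.items() if req and not entry.get(n))
    if missing:
        raise ValidationError("required attribute(s) removed: " + ", ".join(missing))

def mod(entry, options, setattrs=(), addattrs=(), enforce=True):
    """Modify an entry; enforce=False reproduces the behaviour before the check."""
    # A mod validates only the options actually passed: it cannot demand that
    # every required parameter be supplied, so setattr/addattr slip past this.
    for name, value in options.items():
        if PARAMS.get(name) and not value:
            raise ValidationError("%s is required" % name)
    merged = apply_mods(entry, setattrs, addattrs)
    merged.update({name: [value] for name, value in options.items()})
    if enforce:
        check_required(PARAMS, merged)  # runs after setattr/addattr did their work
    return merged

# Constructed sample entry.
ENTRY = {"cn": ["svc"], "maxlife": ["3600"]}
```

Validating the merged entry rather than the individual options is what lets a mod stay partial while still refusing to leave a required parameter empty.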
[Freeipa-devel] [PATCH] Added expand/collapse all.
Hi Kyle, I added the expand/collapse all link into the details page. See the following demo: http://edewata.fedorapeople.org/freeipa/install/ui/index.html#navigation=0identity=0user-facet=detailsuser-pkey=kfrog Please let me know if this is sufficient for this ticket: https://fedorahosted.org/freeipa/ticket/737 Thanks! -- Endi S. Dewata From 62b53201e23ba5f5a1b459bc076ba8eb3a5b3ac1 Mon Sep 17 00:00:00 2001 From: Endi S. Dewata edew...@redhat.com Date: Thu, 10 Feb 2011 16:10:53 -0600 Subject: [PATCH] Added expand/collapse all. A link has been added into the details page to expand/collapse all sections. Previously each section's div container is identified using a long ID. It is now identified using the section name. --- install/ui/details.js | 100 +++ install/ui/dialog.js |4 +- install/ui/hbacrule.js |4 +- install/ui/sudorule.js |4 +- 4 files changed, 78 insertions(+), 34 deletions(-) diff --git a/install/ui/details.js b/install/ui/details.js index b62f049419b819def729bc75d89b1d9a6aa999e1..a9741690493b0aa75d0dd5c70e619b3ab7e4505b 100644 --- a/install/ui/details.js +++ b/install/ui/details.js @@ -348,18 +348,6 @@ IPA.details_facet = function(spec) { } }; -that.get_section_header_prefix = function(visible) { -if (visible) { -return 'span class=ui-icon '+ -IPA.collapse_icon + -' section-expand /span'; -} else { -return 'span class=ui-icon '+ -IPA.expand_icon + -' section-expand /'; -} -}; - function create(container) { container.attr('title', that.entity_name); @@ -373,6 +361,21 @@ IPA.details_facet = function(spec) { 'class': 'content' }).appendTo(container); +$('a/', { +name: 'expand_all', +href: 'expand_all', +text: 'Expand All', +style: 'display: none;' +}).appendTo(details); + +$('a/', { +name: 'collapse_all', +href: 'collapse_all', +text: 'Collapse All' +}).appendTo(details); + +details.append('br/'); + var action_panel = that.get_action_panel(); var ul = $('ul', action_panel); 
@@ -392,14 +395,22 @@ IPA.details_facet = function(spec) { for (var i = 0; i that.sections.length; ++i) { var section = that.sections[i]; -$('h2/', { +var header = $('h2/', { name: section.name, -title: section.label, -html: that.get_section_header_prefix(true) + ' ' + section.label +title: section.label }).appendTo(details); +var icon = $('span/', { +name: 'icon', +'class': 'ui-icon section-expand '+IPA.expand_icon +}).appendTo(header); + +header.append(' '); + +header.append(section.label); + var div = $('div/', { -'id': that.entity_name+'-'+that.name+'-'+section.name, +name: section.name, 'class': 'details-section' }).appendTo(details); @@ -437,26 +448,65 @@ IPA.details_facet = function(spec) { }); button.replaceWith(that.update_button); +var details = $('div.content', that.container); + +var expand_all = $('a[name=expand_all]', details); +expand_all.click(function() { +expand_all.css('display', 'none'); +collapse_all.css('display', 'inline'); + +for (var i=0; ithat.sections.length; i++) { +var section = that.sections[i]; +toggle(section, true); +} + +return false; +}); + +var collapse_all = $('a[name=collapse_all]', details); +collapse_all.click(function() { +expand_all.css('display', 'inline'); +collapse_all.css('display', 'none'); + +for (var i=0; ithat.sections.length; i++) { +var section = that.sections[i]; +toggle(section, false); +} + +return false; +}); + for (var i = 0; i that.sections.length; ++i) { var section = that.sections[i]; var header = $('h2[name='+section.name+']', that.container); +var div = $('div.details-section[name='+section.name+']', that.container); -var div = $('#'+that.entity_name+'-'+that.name+'-'+section.name, -that.container); - -header.click(function(section, header, div) { +header.click(function(section, div) { return function() { var visible = div.is(:visible); -header.html(that.get_section_header_prefix(!visible) + ' ' + section.label); -div.slideToggle(); +toggle(section,
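Review bot: In the hunk that builds each section header (@@ -392), header.append(section.label) hands the label to jQuery's append() as a string, which is parsed as HTML, so a label containing markup is injected into the page instead of being shown as text. The removed html: ... + section.label had the same property, so this is a good place to fix it: append a text node, for example header.append(document.createTextNode(section.label)), or put the label in its own span created with text: section.label. In the same hunk the icon span is created with IPA.expand_icon although the section starts out visible and Collapse All is the link shown; the removed get_section_header_prefix(true) used IPA.collapse_icon for a visible section, so please confirm the initial icon is the intended one.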
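Review bot: In the setup hunk (@@ -437), the selectors 'h2[name='+section.name+']' and 'div.details-section[name='+section.name+']' concatenate section.name into an unquoted attribute value, so a section name containing a space, dot or bracket makes the lookup throw or fail to match, and the h2 and the div now carry the same name value. Keeping references to the header and div created in create(), or quoting and escaping the value in the selector, avoids depending on what a section name may contain. Inside the expand_all click handler, collapse_all is used before its var declaration; this works only because the handler runs later, and declaring both links before attaching either handler would read more clearly.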
Re: [Freeipa-devel] [PATCH] 029 ipa-dns-install does not exit on error
On Thu, 2011-02-10 at 13:58 -0500, Rob Crittenden wrote: Martin Kosek wrote: This patch fixes behavior of ipa-dns-install, which does not exit when an invalid configuration of /etc/hosts is detected. https://fedorahosted.org/freeipa/ticket/736 I'm not positive but was the address info checking done within the try to catch any possible exception? This code dates back to very early IPA code (say 4 years old or so) when we were pretty new to python and sometimes catching things in a very broad way. Is it possible that running through the addresses could raise an unhandled exception? rob Rob, thanks for the review. Well, I think the unhandled code should not raise any exception - we are not calling any external function, just going through an array. But to bulletproof it, I have added a check just to be sure that we do it right even when socket.getaddrinfo would return empty result and did not raise an exception. Patch is attached. I moved the exception handling closer to the socket.getaddrinfo to actually be able to easily call sys.exit(). Martin From 1b361dbe9469a5896140ce7ce819d4013d93d0cd Mon Sep 17 00:00:00 2001 From: Martin Kosek mko...@redhat.com Date: Thu, 10 Feb 2011 14:18:57 +0100 Subject: [PATCH] ipa-dns-install does not exit on error This patch fixes behavior of ipa-dns-install, which does not exit when an invalid configuration of /etc/hosts is detected. https://fedorahosted.org/freeipa/ticket/736 --- install/tools/ipa-dns-install | 29 + 1 files changed, 17 insertions(+), 12 deletions(-) diff --git a/install/tools/ipa-dns-install b/install/tools/ipa-dns-install index 66cdaffd8a18b1ba3771f14cf17e61edc021f1e0..57a9cb36eb86e408e305c9b1e2431e4e54cce621 100755 --- a/install/tools/ipa-dns-install +++ b/install/tools/ipa-dns-install 
@@ -67,19 +67,24 @@ def resolve_host(host_name): try: addrinfos = socket.getaddrinfo(host_name, None, socket.AF_UNSPEC, socket.SOCK_DGRAM) -for ai in addrinfos: -ip = ai[4][0] -if ip == 127.0.0.1 or ip == ::1: -print The hostname resolves to the localhost address (127.0.0.1/::1) -print Please change your /etc/hosts file so that the hostname -print resolves to the ip address of your network interface. -print -print Please fix your /etc/hosts file and restart the setup program -return None - -ip = addrinfos[0][4][0] except: print Unable to lookup the IP address of the provided host +return None + +for ai in addrinfos: +ip = ai[4][0] +if ip == 127.0.0.1 or ip == ::1: +print The hostname resolves to the localhost address (127.0.0.1/::1) +print Please change your /etc/hosts file so that the hostname +print resolves to the ip address of your network interface. +print +print Please fix your /etc/hosts file and restart the setup program. +print +sys.exit(Aborting installation.) + +if addrinfos: +ip = addrinfos[0][4][0] + return ip def main(): @@ -108,7 +113,7 @@ def main(): # Check bind packages are installed if not bindinstance.check_inst(options.unattended): -sys.exit(Aborting installation) +sys.exit(Aborting installation.) # Initialize the ipalib api cfg = dict( -- 1.7.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
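Review bot: In the resolve_host hunk, ip can be unbound when return ip is reached: if socket.getaddrinfo returns an empty list without raising, the for loop body never runs and the new if addrinfos: guard skips the assignment, so the function raises UnboundLocalError instead of returning None as the lookup-failure path does. Set ip = None before the loop, or return None with the "Unable to lookup" message when addrinfos is empty. The bare except: kept around getaddrinfo also catches KeyboardInterrupt; catching socket.error there would match the narrower scope this change is aiming for. The loopback test compares only against 127.0.0.1 and ::1, so a hostname mapped in /etc/hosts to another 127.0.0.0/8 address still passes the check.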