Re: [Freeipa-devel] [PATCH] 714 fix dogtag installation
On Thu, Feb 10, 2011 at 10:17:18PM -0500, Rob Crittenden wrote: Reset file ownership after calling update_file() and set_preference() in installutils. Out of the blue these would change file ownership to root:root which was breaking a dogtag profile. This fixes the error from cert-request: FAILURE (Profile caIPAserviceCert Not Found) ticket 928 rob Ack ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 712 drop kw from JSON error
On Thu, Feb 10, 2011 at 01:39:40PM -0500, Rob Crittenden wrote: The kw could contain another exception which was blowing up the marshalling. It doesn't seem to be used anywhere and contains information we've already saved in error as far as I can tell. ticket 905 rob Ack
[Freeipa-devel] [PATCH] 051 Remove obsolete record types from DNS
https://fedorahosted.org/freeipa/ticket/923 From 5fdd046fb631a9c57cf6e9c6c98ee09e2cd77a6d Mon Sep 17 00:00:00 2001 From: Jakub Hrozek jhro...@redhat.com Date: Thu, 10 Feb 2011 21:17:21 +0100 Subject: [PATCH] Remove obsolete record types from DNS https://fedorahosted.org/freeipa/ticket/923 --- API.txt | 24 ipalib/plugins/dns.py |8 2 files changed, 8 insertions(+), 24 deletions(-) diff --git a/API.txt b/API.txt index 8736a07..d58f3a4 100644 --- a/API.txt +++ b/API.txt @@ -486,7 +486,7 @@ output: Output('summary', (type 'unicode', type 'NoneType'), 'User-friendly output: Output('result', type 'bool', 'True means the operation was successful') output: Output('value', type 'unicode', The primary_key value of the entry, e.g. 'jdoe' for a user) command: dnsrecord_add -args: 2,46,3 +args: 2,42,3 arg: Str('dnszoneidnsname', cli_name='dnszone', label=Gettext('Zone name', domain='ipa', localedir=None), query=True, required=True) arg: Str('idnsname', attribute=True, cli_name='name', label=Gettext('Record name', domain='ipa', localedir=None), multivalue=False, primary_key=True, required=True) option: Int('dnsttl', attribute=True, cli_name='ttl', label=Gettext('Time to live', domain='ipa', localedir=None), multivalue=False, required=False) 
@@ -509,21 +509,17 @@ option: List('dlvrecord?', attribute=True, cli_name='dlv_rec',ist('dlvrecord?', option: List('dnamerecord?', attribute=True, cli_name='dname_rec',ist('dnamerecord?', attribute=True, cli_name='dname_rec', doc='comma-separated list of DNAME records', label='DNAME record', multivalue=True) option: List('dnskeyrecord?', attribute=True, cli_name='dnskey_rec',ist('dnskeyrecord?', attribute=True, cli_name='dnskey_rec', doc='comma-separated list of DNSKEY records', label='DNSKEY record', multivalue=True) option: List('dsrecord?', attribute=True, cli_name='ds_rec',ist('dsrecord?', attribute=True, cli_name='ds_rec', doc='comma-separated list of DS records', label='DS record', multivalue=True) -option: List('hinforecord?', attribute=True, cli_name='hinfo_rec',ist('hinforecord?', attribute=True, cli_name='hinfo_rec', doc='comma-separated list of HINFO records', label='HINFO record', multivalue=True) option: List('hiprecord?', attribute=True, cli_name='hip_rec',ist('hiprecord?', attribute=True, cli_name='hip_rec', doc='comma-separated list of HIP records', label='HIP record', multivalue=True) option: List('ipseckeyrecord?', attribute=True, cli_name='ipseckey_rec',ist('ipseckeyrecord?', attribute=True, cli_name='ipseckey_rec', doc='comma-separated list of IPSECKEY records', label='IPSECKEY record', multivalue=True) option: List('keyrecord?', attribute=True, cli_name='key_rec',ist('keyrecord?', attribute=True, cli_name='key_rec', doc='comma-separated list of KEY records', label='KEY record', multivalue=True) option: List('kxrecord?', attribute=True, cli_name='kx_rec',ist('kxrecord?', attribute=True, cli_name='kx_rec', doc='comma-separated list of KX records', label='KX record', multivalue=True) option: List('locrecord?', attribute=True, cli_name='loc_rec',ist('locrecord?', attribute=True, cli_name='loc_rec', doc='comma-separated list of LOC records', label='LOC record', multivalue=True) -option: List('mdrecord?', attribute=True, 
cli_name='md_rec',ist('mdrecord?', attribute=True, cli_name='md_rec', doc='comma-separated list of MD records', label='MD record', multivalue=True) -option: List('minforecord?', attribute=True, cli_name='minfo_rec',ist('minforecord?', attribute=True, cli_name='minfo_rec', doc='comma-separated list of MINFO records', label='MINFO record', multivalue=True) option: List('mxrecord?', attribute=True, cli_name='mx_rec',ist('mxrecord?', attribute=True, cli_name='mx_rec', doc='comma-separated list of MX records', label='MX record', multivalue=True) option: List('naptrrecord?', attribute=True, cli_name='naptr_rec',ist('naptrrecord?', attribute=True, cli_name='naptr_rec', doc='comma-separated list of NAPTR records', label='NAPTR record', multivalue=True) option: List('nsrecord?', attribute=True, cli_name='ns_rec',ist('nsrecord?', attribute=True, cli_name='ns_rec', doc='comma-separated list of NS records', label='NS record', multivalue=True) option: List('nsecrecord?', attribute=True, cli_name='nsec_rec',ist('nsecrecord?', attribute=True, cli_name='nsec_rec', doc='comma-separated list of NSEC records', label='NSEC record', multivalue=True) option: List('nsec3record?', attribute=True, cli_name='nsec3_rec',ist('nsec3record?', attribute=True, cli_name='nsec3_rec', doc='comma-separated list of NSEC3 records', label='NSEC3 record', multivalue=True) option: List('nsec3paramrecord?', attribute=True, cli_name='nsec3param_rec',ist('nsec3paramrecord?', attribute=True, cli_name='nsec3param_rec', doc='comma-separated list of NSEC3PARAM records', label='NSEC3PARAM record', multivalue=True) -option: List('nxtrecord?', attribute=True,
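Review bot: The commit message consists of the ticket URL alone and never names the record types being dropped. In the dnsrecord_add hunk of API.txt the removals visible are hinforecord, mdrecord, minforecord and nxtrecord, which agrees with the count changing from `args: 2,46,3` to `args: 2,42,3`. Listing those four types in the commit message would let a reader check the API.txt changes against the intent without opening the ticket. The quoted patch is cut off before the ipalib/plugins/dns.py part, so the plugin side cannot be checked from what is shown here.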
[Freeipa-devel] [PATCH] fix build
We were missing a BuildRequires for pyOpenSSL that was causing the build to fail in mock. This fixes a build failure, pushed as a 1-liner. diff --git a/freeipa.spec.in b/freeipa.spec.in index 729c7a2..69945db 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -51,6 +51,7 @@ BuildRequires: libcurl-devel BuildRequires: gettext BuildRequires: authconfig BuildRequires: libuuid-devel +BuildRequires: pyOpenSSL %endif %description ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
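Review bot: The added `BuildRequires: pyOpenSSL` line sits directly above `%endif`, so it only takes effect when the enclosing conditional, which opens outside this hunk, is true. If pyOpenSSL is needed for every mock build it should go with the unconditional BuildRequires; if it really belongs inside the conditional block, the commit message should say why.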
Re: [Freeipa-devel] [PATCH] 714 fix dogtag installation
Jakub Hrozek wrote: On Thu, Feb 10, 2011 at 10:17:18PM -0500, Rob Crittenden wrote: Reset file ownership after calling update_file() and set_preference() in installutils. Out of the blue these would change file ownership to root:root which was breaking a dogtag profile. This fixes the error from cert-request: FAILURE (Profile caIPAserviceCert Not Found) ticket 928 rob Ack pushed to master
Re: [Freeipa-devel] Help define the roles IPA has by default
Dmitri Pal wrote: On 02/10/2011 07:25 PM, David O'Brien wrote: Dmitri Pal wrote: On 02/10/2011 03:05 PM, Jakub Hrozek wrote: On 02/10/2011 05:12 PM, Rob Crittenden wrote: But what other roles do we need? The mind boggles and rather than dictating what the initial ones will be I'm looking for some guidance/suggestions. thanks rob I'm actually wondering if we need to define many default roles in the upstream project. I'm thinking that every organization will have different needs and different ways of role delegation anyway, so I would rather make sure this feature is well documented with examples and use cases. I think that a reasonable set of 3-5 roles and documentation how to change them should be sufficient. I agree. On top of what Dmitri has already sent out, this thread is a really good continuation of documenting delegation, permissions, roles, etc., especially because this area is so different from v1. If we look at it from two perspectives, one being "What does IPA need to function?", and the other being "What do customers need?", then we can probably come up with a short list and provide some basic use cases, descriptions, and examples. Dmitri's list of 5 is good, although I would suggest settling on a naming format, by which I mean rather than a combination of person-based and role-based names, use a consistent format. Security Architect and IPA Administrator are people (faiap), while Helpdesk is a department. Anyway, you get the idea. We've already started with Name, Description, Goals; with a few use cases I can put together short sections with links to existing docs on how to use the relevant commands, or write them as needed. cheers Sounds like a good idea. Well, some of these roles don't really match what we are shipping in v2. There is no place for Application Administrator at all and End User is implicit. So that leaves 3 roles. If we go with these we'll need to add some additional permissions/privileges to support it. If we go with this, here is what we're looking at. Also note that the role IPA Administrator is distinct from the group cn=admins which gives pretty much global access. Those that need additional permissions/privileges are marked with the ticket number.

* Security Architect
  * IPA config (950)
  * Replication
  * Define delegation of roles to other, lower-level administrators
* IPA Administrator
  * Define and create groups (and delete?)
  * Define the relationships between groups (what does this mean?)
  * Define and create roles for users and groups (what does this mean?)
  * Create nested groups (I don't know if we can have an aci for this)
* Help Desk
  * Review what groups are enabled on what hosts (what does this mean, all groups are enabled on all hosts, right?)
  * Set up/manage a user's attributes
  * Place a user in a specific group
  * Reset a user password

This is a good start but it completely leaves out the following:

* Users (helpdesk can modify reset password, nobody can add/delete)
* Host management
* Service management
* Hostgroups
* SUDO
* HBAC
* netgroups
* DNS
* Automount

rob
Re: [Freeipa-devel] [PATCH] 028 Extend API validator
Martin Kosek wrote: makeapi script is used to check if ipalib API is consistent with the known state in API.txt. When the API is changed, major API version should be updated. However, when new options/arguments/outputs were added to an ipalib command, `makeapi --validate' call did not capture this. This patch fixes this issue and ensures that also the last command in API.txt is checked (it was not before this patch). https://fedorahosted.org/freeipa/ticket/868 ack, pushed to master rob
Re: [Freeipa-devel] [PATCH] 029 ipa-dns-install does not exit on error
Martin Kosek wrote: On Thu, 2011-02-10 at 13:58 -0500, Rob Crittenden wrote: Martin Kosek wrote: This patch fixes behavior of ipa-dns-install, which does not exit when an invalid configuration of /etc/hosts is detected. https://fedorahosted.org/freeipa/ticket/736 I'm not positive but was the address info checking done within the try to catch any possible exception? This code dates back to very early IPA code (say 4 years old or so) when we were pretty new to python and sometimes catching things in a very broad way. Is it possible that running through the addresses could raise an unhandled exception? rob Rob, thanks for the review. Well, I think the unhandled code should not raise any exception - we are not calling any external function, just going through an array. But to bulletproof it, I have added a check just to be sure that we do it right even when socket.getaddrinfo would return empty result and did not raise an exception. Patch is attached. I moved the exception handling closer to the socket.getaddrinfo to actually be able to easily call sys.exit(). Martin I modified your patch very slightly to add a period to the end of Please fix your /etc/hosts file as requested in the ticket. Ack, pushed to master rob
Re: [Freeipa-devel] [PATCH] 708 move nscd disablement code
Jakub Hrozek wrote: On Wed, Feb 09, 2011 at 01:57:46PM -0500, Rob Crittenden wrote: Disable nscd before starting sssd. We used to disable it after configuring sssd which would cause a warning message to appear in /var/log/messages from sssd. This was in effect bogus because we killed nscd as the very next step after starting sssd but let's not confuse our users. ticket 743 rob Ack pushed to master
Re: [Freeipa-devel] [PATCH] 709 set minimum version of sssd to 1.5.1.
Jakub Hrozek wrote: On Wed, Feb 09, 2011 at 02:27:54PM -0500, Rob Crittenden wrote: Title says it all. ticket 926 rob Ack pushed to master
Re: [Freeipa-devel] [PATCH] 712 drop kw from JSON error
Jakub Hrozek wrote: On Thu, Feb 10, 2011 at 01:39:40PM -0500, Rob Crittenden wrote: The kw could contain another exception which was blowing up the marshalling. It doesn't seem to be used anywhere and contains information we've already saved in error as far as I can tell. ticket 905 rob Ack pushed to master
[Freeipa-devel] [PATCH] 716 ignore case when removing members
Ignore case when removing members from a group. ticket 944 rob freeipa-rcrit-716-member.patch Description: application/mbox
Re: [Freeipa-devel] Help define the roles IPA has by default
On 02/11/2011 10:12 AM, Rob Crittenden wrote: Dmitri Pal wrote: On 02/10/2011 07:25 PM, David O'Brien wrote: Dmitri Pal wrote: On 02/10/2011 03:05 PM, Jakub Hrozek wrote: On 02/10/2011 05:12 PM, Rob Crittenden wrote: But what other roles do we need? The mind boggles and rather than dictating what the initial ones will be I'm looking for some guidance/suggestions. thanks rob I'm actually wondering if we need to define many default roles in the upstream project. I'm thinking that every organization will have different needs and different ways of role delegation anyway, so I would rather make sure this feature is well documented with examples and use cases. I think that a reasonable set of 3-5 roles and documentation how to change them should be sufficient. I agree. On top of what Dmitri has already sent out, this thread is a really good continuation of documenting delegation, permissions, roles, etc., especially because this area is so different from v1. If we look at it from two perspectives, one being "What does IPA need to function?", and the other being "What do customers need?", then we can probably come up with a short list and provide some basic use cases, descriptions, and examples. Dmitri's list of 5 is good, although I would suggest settling on a naming format, by which I mean rather than a combination of person-based and role-based names, use a consistent format. Security Architect and IPA Administrator are people (faiap), while Helpdesk is a department. Anyway, you get the idea. We've already started with Name, Description, Goals; with a few use cases I can put together short sections with links to existing docs on how to use the relevant commands, or write them as needed. cheers Sounds like a good idea. Well, some of these roles don't really match what we are shipping in v2. There is no place for Application Administrator at all and End User is implicit. So that leaves 3 roles. If we go with these we'll need to add some additional permissions/privileges to support it. If we go with this, here is what we're looking at. Also note that the role IPA Administrator is distinct from the group cn=admins which gives pretty much global access. Those that need additional permissions/privileges are marked with the ticket number.

* Security Architect
  * IPA config (950)
  * Replication
  * Define delegation of roles to other, lower-level administrators
* IPA Administrator
  * Define and create groups (and delete?)
  * Define the relationships between groups (what does this mean?)
  * Define and create roles for users and groups (what does this mean?)
  * Create nested groups (I don't know if we can have an aci for this)
* Help Desk
  * Review what groups are enabled on what hosts (what does this mean, all groups are enabled on all hosts, right?)

This means he can read HBAC rules

  * Set up/manage a user's attributes
  * Place a user in a specific group
  * Reset a user password

This is a good start but it completely leaves out the following:

* Users (helpdesk can modify reset password, nobody can add/delete)
* Host management
* Service management
* Hostgroups
* SUDO
* HBAC
* netgroups
* DNS
* Automount

rob

How about this layout

Helpdesk Engineer
* Edit users
* Reset passwords
* Add/remove group membership
* Troubleshoot the HBAC (in future but not modify the HBAC rules themselves)

User administrator - the person who is responsible for creating users and groups. This is instead of IPA administrator above.
* Users - full control
* Groups - full control

IT Specialist
* Hosts full control
* Hostgroups full control
* Services full control
* DNS full control
* Automount

IT Security Specialist - includes all of the above +
* Netgroups
* SUDO
* HBAC

Security Architect
* IPA config
* Password policies
* Kerberos config
* Replication
* Define delegation of roles to other, lower-level administrators

Did I miss anything?

-- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc.
Re: [Freeipa-devel] [PATCH] admiyo-0191-target-section-without-radio-buttons
On 02/10/2011 06:46 PM, Endi Sukma Dewata wrote: On 2/10/2011 5:02 PM, Adam Young wrote: On 02/10/2011 04:42 PM, Endi Sukma Dewata wrote: On 2/10/2011 3:27 PM, Adam Young wrote: NACK. As discussed over IRC, the is_dirty functionality is not working for permissions that have an object by type target. Was worse than that, load was broken. It still has some problems: 1. Updating a permission with a filter doesn't work. Clicking the update button didn't execute anything, the undo button didn't disappear. 2. Resetting the user details page is not working properly, some fields did not get reset. I think the addition of undo_span in widgets.js is not needed and causing a problem because not all (custom) widgets will call create_undo(). Filter not set was due to incomplete filter_text attribute-rights work around undo_span is now wrapped in jquery select, so that it there is no undo, it works correctly. From 70a7496c6026a2ebe77535ac5abb84dae26303ab Mon Sep 17 00:00:00 2001 From: Adam Young ayo...@redhat.com Date: Mon, 7 Feb 2011 23:02:43 -0500 Subject: [PATCH] target section without radio buttons ACI target section refactored into an array of widget-like objects. The radio buttons have been replaced by a select box. THe select is not visible on the details page. --- install/ui/aci.js| 467 +- install/ui/dialog.js |7 + install/ui/test/aci_tests.js | 43 +++- install/ui/widget.js |7 +- 4 files changed, 277 insertions(+), 247 deletions(-) diff --git a/install/ui/aci.js b/install/ui/aci.js index e515902c5c83451389b5c9dde8115e087f9686f3..db1267936bf4f6a12ae8eadc278f27fc075b6f51 100644 --- a/install/ui/aci.js +++ b/install/ui/aci.js @@ -36,6 +36,8 @@ IPA.attributes_widget = function(spec) { that.create = function(container) { +that.container = container; + that.table = $('table/', { id:id, 'class':'search-table aci-attribute-table' @@ -200,6 +202,9 @@ IPA.hidden_widget = function(spec) { that.reset = function(){ }; +that.is_dirty = function(){ +return false; +} return that; }; 
@@ -221,265 +226,263 @@ IPA.target_section = function(spec) { spec = spec || {}; var that = IPA.details_section(spec); - that.undo = typeof spec.undo == 'undefined' ? true : spec.undo; -var groupings = ['aci_by_type', 'aci_by_query', 'aci_by_group', - 'aci_by_filter' ]; -var inputs = ['input', 'select', 'textarea']; - -function disable_inputs() { -for (var g = 0; g groupings.length; g += 1 ){ -for (var t = 0 ; t inputs.length; t += 1){ -$('.' + groupings[g] + ' '+ inputs[t]). -attr('disabled', 'disabled'); +that.filter_text = IPA.text_widget({name: 'filter', undo: that.undo}); +that.subtree_textarea = IPA.textarea_widget({ +name: 'subtree', +cols: 30, rows: 1, +undo: that.undo +}); +that.group_select = IPA.entity_select_widget( +{name: 'targetgroup', entity:'group', undo: that.undo}); +that.type_select = IPA.select_widget({name: 'type', undo: that.undo}); +that.attribute_table = IPA.attributes_widget({name: 'attrs', undo: that.undo}); +//TODO make the add_dialog.save not require fields, just use the record +that.add_field(that.filter_text); +that.add_field(that.subtree_textarea); +that.add_field(that.group_select ); +that.add_field(that.type_select); +that.add_field(that.attribute_table); + +var target_types = [ +{ +name:'filter', +create: function(dl){ + +$('dt/'). +append($('label/', { +text: 'Filter' +})). +appendTo(dl); + +var dd = $('dd/', { +'class': 'aci_by_filter first' +}).appendTo(dl); + +var span = $('span/', { +name: 'filter' +}).appendTo(dd); + +that.filter_text.create(span); +}, +load: function(record){ +that.filter_text.load(record); +}, +save: function(record){ +record.filter = that.filter_text.save()[0]; +} +}, +{ +name:'subtree', +create:function(dl) { + $('dt/'). + append($('label/', { + text: 'By Subtree' + })). + appendTo(dl); + var dd = $('dd/', { + 'class': 'aci_by_query first' + }).appendTo(dl); + var span = $('span/', { + name: 'subtree' + }).appendTo(dd); + that.subtree_textarea.create(span); +}, +load: function(record){ +
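Review bot: In the `IPA.hidden_widget` hunk the added `that.is_dirty = function(){ return false; }` assignment ends without a semicolon before `return that;`, which jslint will flag; add `;` after the closing brace. The commit message also has a typo, "THe select".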
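Review bot: In the `IPA.target_section` hunk the `create` functions of the 'filter' and 'subtree' entries in `target_types` repeat the same dt/label/dd/span construction with different indentation; a small helper taking the label text, the dd class and the widget would remove the duplication and the inconsistency. The `//TODO make the add_dialog.save not require fields` comment would also be easier to follow up if it pointed at a ticket.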
Re: [Freeipa-devel] [PATCH] admiyo-0192-column-formatting
On 02/10/2011 06:35 PM, Endi Sukma Dewata wrote: On 2/10/2011 5:00 PM, Adam Young wrote: Should we use one of these functions? http://www.w3schools.com/jsref/jsref_tostring_date.asp http://www.w3schools.com/jsref/jsref_tolocalestring.asp http://www.w3schools.com/jsref/jsref_toutcstring.asp Our dates are not conisdered valid dates, so we can't just use them. Isn't it a valid UTC time? We can parse it like what you're doing now using substring(), then use the values to construct a Date object in JS. Then we can invoke one of the above methods to display a properly formatted date. Using Date format, but only for GMT From e010366217eb72744c828f012a4d23a5d985de11 Mon Sep 17 00:00:00 2001 From: Adam Young ayo...@redhat.com Date: Thu, 10 Feb 2011 16:48:17 -0500 Subject: [PATCH 2/2] column formatting Allow optional formatting for columns Provide Data formate for host modificaiton date format --- install/ui/aci.js| 17 - install/ui/host.js | 30 +- install/ui/widget.js |8 3 files changed, 49 insertions(+), 6 deletions(-) diff --git a/install/ui/aci.js b/install/ui/aci.js index 494bd9a5bd91b9c4de0210e2d9e3923d215f00e6..89caec040ea28e97406f336832bb4c4f26793b7b 100644 --- a/install/ui/aci.js +++ b/install/ui/aci.js 
@@ -227,21 +227,28 @@ IPA.target_section = function(spec) { that.add_field(that.attribute_table); +/*TODO these next two functions are work arounds for missing attribute + permissions for the filter text. Remove them once that has been fixed */ that.filter_text.update = function(){ var value = that.filter_text.values that.filter_text.values.length ? that.filter_text.values[0] : ''; -$('input[name='+that.filter_text.name+']', that.filter_text.container).val(value); +$('input[name='+that.filter_text.name+']', + that.filter_text.container).val(value); var label = $('label[name='+that.filter_text.name+']', that.filter_text.container); var input = $('input[name='+that.filter_text.name+']', that.filter_text.container); - -label.css('display', 'none'); -input.css('display', 'inline'); - +label.css('display', 'none'); +input.css('display', 'inline'); }; +that.filter_text.save = function(){ +var input = $('input[name='+that.filter_text.name+']', + that.filter_text.container); +var value = $.trim(input.val()); +return value === '' ? [] : [value]; +}; var target_types = [ { diff --git a/install/ui/host.js b/install/ui/host.js index 86a5b820aeaaea9e6819444d27dc1d8142e4a097..1e203787158c43d014f6d24e1728df7d198a8f77 100644 --- a/install/ui/host.js +++ b/install/ui/host.js @@ -103,6 +103,32 @@ IPA.host_add_dialog = function (spec) { return that; }; +/* Take an LDAP format date in UTC and format it */ +IPA.utc_date_column_format = function(value){ +if (!value) { +return ; +} +if (value.length != 20101119025910Z.length){ +return value; +} +/* We only handle GMT */ +if (value.charAt(value.length -1) !== 'Z'){ +return value; +} + +var date = new Date(); + +date.setUTCFullYear( +value.substring(0, 4), +value.substring(4, 6), +value.substring(6, 8)); +date.setUTCHours( +value.substring(8, 10), +value.substring(10, 12), +value.substring(12, 14)); +var formated = date.toString(); +return formated; +} IPA.host_search_facet = function (spec) { 
@@ -115,7 +141,9 @@ IPA.host_search_facet = function (spec) { that.create_column({name:'fqdn'}); that.create_column({name:'description'}); //TODO use the value of this field to set enrollment status -that.create_column({name:'krblastpwdchange', label:'Enrolled?'}); +that.create_column({name:'krblastpwdchange', label:'Enrolled?', +format:IPA.utc_date_column_format + }); that.create_column({name:'nshostlocation'}); that.search_facet_init(); diff --git a/install/ui/widget.js b/install/ui/widget.js index 1bff1579dbb16a99c85ebb2c1c5f2b33c547a347..78a594680cf09f2fdd07e63d465b372001a34277 100644 --- a/install/ui/widget.js +++ b/install/ui/widget.js @@ -1005,6 +1005,9 @@ IPA.column = function (spec) { var that = {}; +if (spec.format){ +that.format = spec.format; +} that.name = spec.name; that.label = spec.label; that.primary_key = spec.primary_key; @@ -1025,8 +1028,13 @@ IPA.column = function (spec) { container.empty(); var value = record[that.name]; +if (that.format value){ +value = that.format(value); +} + value = value ? value.toString() : ''; + container.append(value); } -- 1.7.3.5
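Review bot: In `IPA.utc_date_column_format` (host.js) the month from `value.substring(4, 6)` is passed to `date.setUTCFullYear()` unchanged, but JavaScript months are zero-based, so every value is displayed one month late and a December timestamp rolls over into the next year; subtract 1 from the parsed month. The result is rendered with `date.toString()`, which prints the browser's local time zone, so if the column is meant to show GMT use `toUTCString()`. The function assignment also ends without a semicolon and the local variable `formated` is misspelled.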
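Review bot: In the second `IPA.column` hunk (widget.js) the value returned by `that.format(value)` goes through `toString()` and then straight into `container.append(value)`, and jQuery's `append()` parses a string argument as HTML. With arbitrary formatter callbacks now feeding this path, and the underlying values coming from directory attributes, set the cell content with `container.text(value)` or state in a comment that a `format` callback must return already-escaped text.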
Re: [Freeipa-devel] [PATCH] 76 Fallback to default locale (en_US) if env. setting is corrupt.
Pavel Zuna wrote: This is a follow-up to my patches 69 and 71 (70 is garbage). It prevents a crash when user misconfigures his locale settings. Pavel The trio of patches work great but some of the unit tests break, can you take a look at those? rob
Re: [Freeipa-devel] [PATCH] 050 Fix migration page
Pavel Zuna wrote: On 02/09/2011 02:09 PM, Jakub Hrozek wrote: During some UI rewrite, the password migration form completely lost the action= field and defaulted to GET instead of POST. ACK. Pavel pushed to master
[Freeipa-devel] [PATCH] 717 Add replace to ipa-ldap-updater
Add a replace verb to ipa-ldap-updater so an existing value can be replaced, but only if the value matches the old value in the update. This would be used for us to replace default values that the end-user hasn't already updated. The first one of these would be for the kerberos password policy where our default values are on the low side. We don't want to interfere with anything already set. The update file would look like:

dn: cn=global_policy,cn=$REALM,cn=kerberos,$SUFFIX
replace:krbPwdLockoutDuration: 10: 600

dn: cn=global_policy,cn=$REALM,cn=kerberos,$SUFFIX
replace:krbPwdMaxFailure: 3: 6

This patch would obsolete Jan's patch titled 'Updated default Kerberos password policy'. Simo and I had discussed doing something like this in IRC and hadn't communicated our intentions to the rest of the team, sorry about that. rob freeipa-rcrit-717-update.patch Description: application/mbox
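The conditional replace described in the message above, modelled on an in-memory entry as an added example; it is not code from ipa-ldap-updater or from the attached patch, which is not shown on this page. The function names, the dict-based directory, the case-folding of DNs and attribute names, and the sample realm and suffix are assumptions; the line format follows the update file quoted in the message.

```python
from string import Template

# Constructed update file, in the format quoted in the message above.
UPDATE_TEXT = """\
dn: cn=global_policy,cn=$REALM,cn=kerberos,$SUFFIX
replace:krbPwdLockoutDuration: 10: 600

dn: cn=global_policy,cn=$REALM,cn=kerberos,$SUFFIX
replace:krbPwdMaxFailure: 3: 6
"""

# Assumed sample values for the $REALM and $SUFFIX variables.
VARIABLES = {"REALM": "EXAMPLE.COM", "SUFFIX": "dc=example,dc=com"}


def parse_updates(text, variables):
    """Parse 'dn:' / 'replace:attr: old: new' lines into (dn, attr, old, new)."""
    updates, dn = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # substitute() raises KeyError on an unknown variable instead of
        # silently writing a literal "$NAME" into a DN.
        line = Template(line).substitute(variables)
        keyword, _, rest = line.partition(":")
        keyword = keyword.strip().lower()
        if keyword == "dn":
            dn = rest.strip()
        elif keyword == "replace":
            if dn is None:
                raise ValueError(f"line {lineno}: replace before any dn")
            # Assumption: neither value contains a colon.
            parts = [p.strip() for p in rest.split(":")]
            if len(parts) != 3 or not all(parts):
                raise ValueError(f"line {lineno}: expected 'attr: old: new'")
            updates.append((dn, *parts))
        else:
            raise ValueError(f"line {lineno}: unsupported keyword {keyword!r}")
    return updates


def apply_updates(directory, updates):
    """Replace old with new only where old is still present.

    directory maps lower-cased DN -> {lower-cased attr: [values]}.
    Returns (applied, skipped) lists of attribute names.
    """
    applied, skipped = [], []
    for dn, attr, old, new in updates:
        entry = directory.get(dn.lower())
        values = entry.get(attr.lower()) if entry else None
        if values is not None and old in values:
            values[values.index(old)] = new
            applied.append(attr)
        else:
            # Value was changed by an administrator (or is absent): leave it.
            skipped.append(attr)
    return applied, skipped


def sample_directory():
    """Constructed entry: lockout duration still at the old default,
    max failures already changed by an administrator."""
    dn = "cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com"
    return {dn.lower(): {"krbpwdlockoutduration": ["10"],
                         "krbpwdmaxfailure": ["5"]}}


if __name__ == "__main__":
    directory = sample_directory()
    updates = parse_updates(UPDATE_TEXT, VARIABLES)
    print("first run :", apply_updates(directory, updates))
    print("second run:", apply_updates(directory, updates))
    print(directory)
```

Running the same update twice changes nothing the second time, because the old value is no longer present; that is what makes the verb safe to ship in an upgrade that may run repeatedly.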
Re: [Freeipa-devel] [PATCH] 711 Convert json strings to unicode
On 2/10/2011 12:34 PM, Rob Crittenden wrote: Convert json strings to unicode when they are unmarshalled. This patch removes some individual work-arounds of converting strings to unicode, they only masked the problem. String values are not passed to the validator or normalizers so things like adding the realm automatically to services weren't happening. ticket 941 ACK and pushed to master. -- Endi S. Dewata
[Freeipa-devel] [PATCH] 718 move files in packages
Move a bunch of utilities that really only make sense to be run on the server from the admintools package to the server package. ticket 947 rob freeipa-rcrit-718-spec.patch Description: application/mbox
Re: [Freeipa-devel] [PATCH] admiyo-0191-target-section-without-radio-buttons
On 2/11/2011 11:52 AM, Adam Young wrote: Filter not set was due to incomplete filter_text attribute-rights work around. undo_span is now wrapped in jquery select, so that if there is no undo, it works correctly. ACK. The filter problem is fixed in 192. -- Endi S. Dewata
Re: [Freeipa-devel] [PATCH] admiyo-0192-column-formatting
On 2/11/2011 11:50 AM, Adam Young wrote: Using Date format, but only for GMT ACK. There's one jslint warning. -- Endi S. Dewata
Re: [Freeipa-devel] [PATCH] admiyo-0191-target-section-without-radio-buttons
On 02/11/2011 02:28 PM, Endi Sukma Dewata wrote: On 2/11/2011 11:52 AM, Adam Young wrote: Filter not set was due to incomplete filter_text attribute-rights work around. undo_span is now wrapped in jquery select, so that if there is no undo, it works correctly. ACK. The filter problem is fixed in 192. Pushed to master
Re: [Freeipa-devel] [PATCH] admiyo-0192-column-formatting
On 02/11/2011 02:29 PM, Endi Sukma Dewata wrote: On 2/11/2011 11:50 AM, Adam Young wrote: Using Date format, but only for GMT ACK. There's one jslint warning. jslint warning fixed. Pushed to master
[Freeipa-devel] [PATCH] admiyo-0193- allow-null-keys-for-show
From 3ddcb0e3131f747d81b1a8dfda8078c9739c6f11 Mon Sep 17 00:00:00 2001 From: Adam Young ayo...@redhat.com Date: Fri, 11 Feb 2011 15:36:29 -0500 Subject: [PATCH] allow null keys for show https://fedorahosted.org/freeipa/ticket/951 --- install/ui/details.js | 12 1 files changed, 8 insertions(+), 4 deletions(-) diff --git a/install/ui/details.js b/install/ui/details.js index b62f049419b819def729bc75d89b1d9a6aa999e1..0c68fe4c4136a6b532315627e8a2fbba70a9809a 100644 --- a/install/ui/details.js +++ b/install/ui/details.js @@ -536,14 +536,18 @@ IPA.details_refresh = function() { var that = this; -that.pkey = $.bbq.getState(that.entity_name + '-pkey', true) || ''; +that.pkey = $.bbq.getState(that.entity_name + '-pkey', true) ; var command = IPA.command({ -'method': that.entity_name+'_show', -'args': [that.pkey], -'options': { 'all': true, 'rights': true } +method: that.entity_name+'_show', +args: [], +options: { 'all': true, 'rights': true } }); +if (that.pkey){ +command.args = [that.pkey]; +} + command.on_success = function(data, text_status, xhr) { that.load(data.result.result); }; -- 1.7.3.5 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
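Review bot: With the `|| ''` fallback removed in `IPA.details_refresh`, `that.pkey` can now be undefined instead of an empty string; the new `if (that.pkey)` guard covers the `args` array, but any other reader of `that.pkey` outside this hunk should be checked for the old empty-string assumption. The commit message gives only the ticket URL, and one sentence on when a show call legitimately has no key would help. Minor: there is a stray space before the semicolon in `getState(that.entity_name + '-pkey', true) ;`.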
Re: [Freeipa-devel] [PATCH] admiyo-0193- allow-null-keys-for-show
On 2/11/2011 2:38 PM, Adam Young wrote: ACK and pushed to master. -- Endi S. Dewata
[Freeipa-devel] [PATCH 195/195] remove deprecated record types
-- Adam Young ayo...@redhat.com www.redhat.com From 445e6b72441e7c39f9f6c2f91f46fd25c1633dc3 Mon Sep 17 00:00:00 2001 From: Adam Young ayo...@redhat.com Date: Fri, 11 Feb 2011 15:50:24 -0500 Subject: [PATCH 195/195] remove deprecated record types --- install/ui/policy.js |6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) diff --git a/install/ui/policy.js b/install/ui/policy.js index 7cafd1776bde531826d5fecdee408283f64fc22e..e83056cd808e7ca6a9629e398997590c2c762b06 100644 --- a/install/ui/policy.js +++ b/install/ui/policy.js @@ -89,9 +89,9 @@ IPA.records_facet = function (spec){ that.record = null; var record_types =[ 'a', '', 'dname', 'cname', 'mx', 'ns', 'ptr', -'srv', 'txt', 'a6', 'afsdb', 'cert', 'ds', 'hinfo', -'key', 'kx', 'loc', 'md', 'minfo', 'naptr', 'nsec', -'nxt', 'rrsig', 'sshfp']; +'srv', 'txt', 'a6', 'afsdb', 'cert', 'ds', +'key', 'kx', 'loc', 'naptr', 'nsec', +'rrsig', 'sshfp']; function create_type_select(id,add_none) { var type_select = $('select/',{ -- 1.7.3.5 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
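Review bot: The commit message for the record_types change in IPA.records_facet gives no ticket and does not say which types are dropped; the hunk removes 'hinfo', 'md', 'minfo' and 'nxt', and naming them (with the ticket) in the message would make the change auditable from the log. The list is hard-coded in the UI, so a comment next to `var record_types` saying what it has to stay in sync with would also help.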
[Freeipa-devel] [PATCH] 0082 - fix per/post operation with krb password change
We weren't setting the kerberos metadata when modifying userPassword for a kerberos enabled record. Fixes #949 Simo. -- Simo Sorce * Red Hat, Inc * New York From dbcb72a091dae59adbb23f9df176fae4daef9cea Mon Sep 17 00:00:00 2001 From: Simo Sorce sso...@redhat.com Date: Fri, 11 Feb 2011 15:48:20 -0500 Subject: [PATCH] Correctly report if this is a krb related password operation Fixes: https://fedorahosted.org/freeipa/ticket/949 --- .../ipa-pwd-extop/ipapwd_prepost.c |1 + 1 files changed, 1 insertions(+), 0 deletions(-) diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c index 60a8ca3be62333be4f5ec40c4d25a9b24c351e71..fc0a68418b22f033e4e13cbe175d6a9a8b5aafb0 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c @@ -659,6 +659,7 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb) goto done; } +pwdop-is_krb = is_krb; pwdop-pwd_op = IPAPWD_OP_MOD; pwdop-pwdata.password = slapi_ch_strdup(unhashedpw); pwdop-pwdata.changetype = IPA_CHANGETYPE_NORMAL; -- 1.7.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
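Review bot: The is_krb assignment added in ipapwd_pre_mod() has no comment saying who consumes it; per the cover text the Kerberos metadata was not being set on a userPassword modify, so a one-line comment on that dependency would keep the field from being dropped again. The hunk only covers the modify path, so please confirm that the other places that fill in pwdop set is_krb as well.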
Re: [Freeipa-devel] [PATCH 195/195] remove deprecated record types
On Fri, 11 Feb 2011 15:53:49 -0500 Adam Young ayo...@redhat.com wrote: ACK -- Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-devel] [PATCH 195/195] remove deprecated record types
On 02/11/2011 04:10 PM, Simo Sorce wrote: On Fri, 11 Feb 2011 15:53:49 -0500 Adam Young ayo...@redhat.com wrote: ACK Pushed to master
[Freeipa-devel] [PATCH] 052 Fine tuning DNS options
Simo did a nice writeup of the changes in https://fedorahosted.org/freeipa/ticket/931 From d27c228160b5bfc460055392389e2ba966263709 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek jhro...@redhat.com Date: Thu, 10 Feb 2011 21:47:45 +0100 Subject: [PATCH] Fine tuning DNS options Add pointer to self to /etc/hosts to avoid chicken/egg problems when restarting DNS. On servers set both dns_lookup_realm and dns_lookup_kdc to false so we don't attempt to do any resolving. Leave it to true on clients. Set rdns to false on both server and client. https://fedorahosted.org/freeipa/ticket/931 --- install/share/krb5.conf.template |5 +++-- ipa-client/ipa-install/ipa-client-install |1 + ipaserver/install/bindinstance.py |3 +++ ipaserver/install/installutils.py | 24 4 files changed, 27 insertions(+), 6 deletions(-) diff --git a/install/share/krb5.conf.template b/install/share/krb5.conf.template index 9cf4ee8..93d88db 100644 --- a/install/share/krb5.conf.template +++ b/install/share/krb5.conf.template @@ -5,8 +5,9 @@ [libdefaults] default_realm = $REALM - dns_lookup_realm = true - dns_lookup_kdc = true + dns_lookup_realm = false + dns_lookup_kdc = false + rdns = false ticket_lifetime = 24h forwardable = yes diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index a32564d..9211a86 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -408,6 +408,7 @@ def configure_krb5_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, d else: libopts.append({'name':'dns_lookup_realm', 'type':'option', 'value':'true'}) libopts.append({'name':'dns_lookup_kdc', 'type':'option', 'value':'true'}) +libopts.append({'name':'rdns', 'type':'option', 'value':'false'}) libopts.append({'name':'ticket_lifetime', 'type':'option', 'value':'24h'}) libopts.append({'name':'forwardable', 'type':'option', 'value':'yes'}) 
diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py index 8790427..ea9280b 100644 --- a/ipaserver/install/bindinstance.py +++ b/ipaserver/install/bindinstance.py @@ -297,6 +297,9 @@ class BindInstance(service.Service): # get a connection to the DS self.ldap_connect() +if not installutils.record_in_hosts(self.ip_address, self.fqdn): +installutils.add_record_to_hosts(self.ip_address, self.fqdn) + if not dns_container_exists(self.fqdn, self.suffix): self.step(adding DNS container, self.__setup_dns_container) if not dns_zone_exists(self.domain): diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py index 99d1582..56b 100644 --- a/ipaserver/install/installutils.py +++ b/ipaserver/install/installutils.py @@ -156,6 +156,25 @@ def verify_ip_address(ip): is_ok = False return is_ok +def record_in_hosts(ip, host_name, file=/etc/hosts): +hosts = open(file, 'r').readlines() +for line in hosts: +hosts_ip = line.split()[0] +if hosts_ip != ip: +continue + +names = line.split()[1:] +if host_name in names: +return True + +return False + +def add_record_to_hosts(ip, host_name, file=/etc/hosts): +hosts_fd = open(file, 'r+') +hosts_fd.seek(0, 2) +hosts_fd.write(ip+'\t'+host_name+' '+host_name.split('.')[0]+'\n') +hosts_fd.close() + def read_ip_address(host_name, fstore): while True: ip = ipautil.user_input(Please provide the IP address to be used for this host name, allow_empty = False) @@ -169,10 +188,7 @@ def read_ip_address(host_name, fstore): print Adding [+ip+ +host_name+] to your /etc/hosts file fstore.backup_file(/etc/hosts) -hosts_fd = open('/etc/hosts', 'r+') -hosts_fd.seek(0, 2) -hosts_fd.write(ip+'\t'+host_name+' '+host_name.split('.')[0]+'\n') -hosts_fd.close() +add_record_to_hosts(ip, host_name) return ip -- 1.7.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
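Review bot: The krb5.conf.template hunk carries no comment saying that these values are meant for servers only, while the client installer still writes dns_lookup_realm and dns_lookup_kdc as true in its else branch. A short comment in the template, and a sentence in the commit message on why rdns is set to false, would keep someone from "fixing" the difference later.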
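Review bot: The new call in BindInstance appends to /etc/hosts without the `fstore.backup_file(/etc/hosts)` step that read_ip_address() performs before the same write, so this modification is not covered by the backup. Also, record_in_hosts() returns False when the host name is already present under a different address, so this path then adds a second, conflicting entry for the same name; consider detecting that case and reporting it instead of appending.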
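Review bot: In record_in_hosts(), `hosts_ip = line.split()[0]` raises IndexError on any blank line in /etc/hosts, and comment lines are parsed as if they were records. Skip lines that are empty or start with '#' before indexing, and close the file (the handle from `open(file, 'r').readlines()` is never closed). The match is a plain string comparison on the address, so the same address written in a different textual form is treated as absent. In add_record_to_hosts(), if the file does not end in a newline, the new record is appended to the last existing line; check for that before writing.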
Re: [Freeipa-devel] [PATCH] Fixed add service dialog box.
On 02/10/2011 04:45 PM, Endi Sukma Dewata wrote: Previously the add service dialog box shows a 'Principal:' label with no text field next to it. It now has been removed. The dialog box has been widened to avoid line wrapping of the buttons. ACK. Pushed to master
[Freeipa-devel] [PATCH] 719 permission for cn=ipaconfig
Add permission and privilege for updating the IPA configuration in cn=ipaconfig. ticket 950 rob freeipa-rcrit-719-permission.patch Description: application/mbox
[Freeipa-devel] [PATCH] 721 fix cert-show
The --out option wasn't working at all with cert-show. Also fix some related problems in write_certificate(), handle either a DER or base64-formatted incoming certificate and don't explode if the filename is None. ticket 954 rob freeipa-rcrit-721-cert.patch Description: application/mbox
[Freeipa-devel] [PATCH] admiyo-0196-DNS-record-search.
From ccae52028bdea318229d343aed6c3b5bd14fb184 Mon Sep 17 00:00:00 2001 From: Adam Young ayo...@redhat.com Date: Fri, 11 Feb 2011 20:40:01 -0500 Subject: [PATCH] DNS record search The current version of the DNS Plugin does not support searching by record, so that is commented out. The search field wasn't working either. The search criteria had to be appended to the params array, just after the zone. https://fedorahosted.org/freeipa/ticket/907 --- install/ui/policy.js | 27 ++- 1 files changed, 18 insertions(+), 9 deletions(-) diff --git a/install/ui/policy.js b/install/ui/policy.js index 4e92e7ea6a5b3d6983e1ae3d0268f8677355ca08..f7e4761a3c6c0e73bc417ded0ac60cf83683bc59 100644 --- a/install/ui/policy.js +++ b/install/ui/policy.js @@ -293,11 +293,16 @@ IPA.records_facet = function (spec){ name: 'search-' + that.entity_name + '-filter' })); -control_span.append('Type'); - -create_type_select('dns-record-type-filter',true). -appendTo(control_span); +/* + THe OLD DNS plugin allowed for search based on record type. + This one does not. If the plugin gets modified to support + Record type searches, uncomment the followin lines and + adjust the code that modifies the search parameters. + control_span.append('Type'); + create_type_select('dns-record-type-filter',true). + appendTo(control_span); +*/ IPA.button({ 'label': IPA.messages.button.find, @@ -399,9 +404,9 @@ IPA.records_facet = function (spec){ var resource_filter = that.container. find(#dns-record-resource-filter).val(); -if (resource_filter){ -options.idnsname = resource_filter; -} +//if (resource_filter){ +//options.idnsname = resource_filter; +//} var type_filter = that.container.find(#dns-record-type-filter).val(); if (type_filter){ 
@@ -413,8 +418,12 @@ IPA.records_facet = function (spec){ options.data = data_filter; } -var pkey = $.bbq.getState(that.entity_name + '-pkey', true); -IPA.cmd('dnsrecord_find',[pkey],options,load_on_win, load_on_fail); +var pkey = [$.bbq.getState(that.entity_name + '-pkey', true)]; + +if (resource_filter){ +pkey.push(resource_filter); +} +IPA.cmd('dnsrecord_find',pkey,options,load_on_win, load_on_fail); } -- 1.7.3.5 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
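Review bot: The block comment added in the first policy.js hunk disables the type select, but the unchanged code further down still reads `#dns-record-type-filter` into type_filter, which now never matches an element. Remove the dead lookup together with the control, or delete the code outright and rely on version control rather than leaving it commented out. The comment text also has typos ('THe', 'followin').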
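Review bot: In the last hunk `pkey` now holds the whole positional argument list, not a primary key, so the name is misleading; something like `args` would read better. If `$.bbq.getState(...)` returns nothing, the array becomes `[undefined]` and is still passed to dnsrecord_find, so check the zone key before issuing the command. The `//if (resource_filter)` lines left commented out in the previous hunk can simply be deleted, since the filter is handled here.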
Re: [Freeipa-devel] [PATCH] 712 drop kw from JSON error
On 02/11/2011 10:37 AM, Rob Crittenden wrote: Jakub Hrozek wrote: On Thu, Feb 10, 2011 at 01:39:40PM -0500, Rob Crittenden wrote: The kw could contain another exception which was blowing up the marshalling. It doesn't seem to be used anywhere and contains information we've already saved in error as far as I can tell. ticket 905 rob Ack pushed to master This might have been premature. See ticket https://fedorahosted.org/freeipa/ticket/956