Re: [Freeipa-devel] [PATCH] 736 hard limit for # of batch requests

2011-02-22 Thread Martin Kosek
On Mon, 2011-02-21 at 11:48 -0500, Rob Crittenden wrote:
> Set a hard limit of 256 for the # of commands in a batch request we'll 
> handle.
> 
> ticket 984
> 
> rob

ACK.

Works for me. Tested by custom JSON command via curl.

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH] 737 move BuildRequires

2011-02-22 Thread Jan Zeleny
Rob Crittenden  wrote:
> Move some BuildRequires so building with ONLY_CLIENT works.
> 
> I tested with:
> 
> $ mock -r fedora-14-x86_64 --define='ONLY_CLIENT 1'
> ./dist/srpms/freeipa-2.0.0GIT055a668-0.fc14.src.rpm
> 
> rob

I'm a little confused. Some of the lines are only moved a couple lines above 
their original location (like python-ldap for instance).

Does this really have an impact on building? The only three lines I understand 
are those first three.

Thanks for explanation

Jan



Re: [Freeipa-devel] [PATCH] 737 move BuildRequires

2011-02-22 Thread Jakub Hrozek
On Tue, Feb 22, 2011 at 10:34:35AM +0100, Jan Zeleny wrote:
> Rob Crittenden  wrote:
> > Move some BuildRequires so building with ONLY_CLIENT works.
> > 
> > I tested with:
> > 
> > $ mock -r fedora-14-x86_64 --define='ONLY_CLIENT 1'
> > ./dist/srpms/freeipa-2.0.0GIT055a668-0.fc14.src.rpm
> > 
> > rob
> 
> I'm a little confused. Some of the lines are only moved a couple lines above 
> their original location (like python-ldap for instance).
> 
> Does this really have an impact on building? The only three lines I understand 
> are those first three.
> 

Note the %else.

Koji scratch build of client worked fine:
http://koji.fedoraproject.org/koji/taskinfo?taskID=2856864

Ack



Re: [Freeipa-devel] [PATCH] 737 move BuildRequires

2011-02-22 Thread Jakub Hrozek
On Tue, Feb 22, 2011 at 11:21:41AM +0100, Jakub Hrozek wrote:
> Note the %else.
> 

Sorry, %endif. That separates BRs for !ONLY_CLIENT from those that are
needed in both cases.



Re: [Freeipa-devel] [PATCH] 061 Validate NAPTR records

2011-02-22 Thread Jakub Hrozek
On Mon, Feb 21, 2011 at 01:18:07PM -0500, Rob Crittenden wrote:
> Jakub Hrozek wrote:
> >I'm not sure about checking the flags - this might be a little too much
> >validation.
> >
> >https://fedorahosted.org/freeipa/ticket/840
> 
> I think the flags length check needs to change. I would do this instead:
> 
> flags = flags.replace('"','')
> 
> Otherwise someone might try to pass in the flags 'SAU' and all that
> would get set is A.
> 
> rob

OK, that's much better. New patch attached.
From aaeb347cfa015783606058a29b2009cf6306d578 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek 
Date: Fri, 18 Feb 2011 11:00:36 +0100
Subject: [PATCH] Validate NAPTR records

https://fedorahosted.org/freeipa/ticket/840
---
 API.txt   |8 
 ipalib/plugins/dns.py |   26 ++
 2 files changed, 30 insertions(+), 4 deletions(-)

diff --git a/API.txt b/API.txt
index b7ea174..56cbb8b 100644
--- a/API.txt
+++ b/API.txt
@@ -515,7 +515,7 @@ option: List('keyrecord?', attribute=True, 
cli_name='key_rec',ist('keyrecord?',
 option: List('kxrecord?', attribute=True, cli_name='kx_rec',ist('kxrecord?', 
attribute=True, cli_name='kx_rec', doc='comma-separated list of KX records', 
label='KX record', multivalue=True)
 option: List('locrecord?', attribute=True, 
cli_name='loc_rec',ist('locrecord?', attribute=True, cli_name='loc_rec', 
doc='comma-separated list of LOC records', label='LOC record', multivalue=True)
 option: List('mxrecord?', _validate_mx, attribute=True, 
cli_name='mx_rec',ist('mxrecord?', _validate_mx, attribute=True, 
cli_name='mx_rec', doc='comma-separated list of MX records', label='MX record', 
multivalue=True)
-option: List('naptrrecord?', attribute=True, 
cli_name='naptr_rec',ist('naptrrecord?', attribute=True, cli_name='naptr_rec', 
doc='comma-separated list of NAPTR records', label='NAPTR record', 
multivalue=True)
+option: List('naptrrecord?', _validate_naptr, attribute=True, 
cli_name='naptr_rec',ist('naptrrecord?', _validate_naptr, attribute=True, 
cli_name='naptr_rec', doc='comma-separated list of NAPTR records', label='NAPTR 
record', multivalue=True)
 option: List('nsrecord?', attribute=True, cli_name='ns_rec',ist('nsrecord?', 
attribute=True, cli_name='ns_rec', doc='comma-separated list of NS records', 
label='NS record', multivalue=True)
 option: List('nsecrecord?', attribute=True, 
cli_name='nsec_rec',ist('nsecrecord?', attribute=True, cli_name='nsec_rec', 
doc='comma-separated list of NSEC records', label='NSEC record', 
multivalue=True)
 option: List('nsec3record?', attribute=True, 
cli_name='nsec3_rec',ist('nsec3record?', attribute=True, cli_name='nsec3_rec', 
doc='comma-separated list of NSEC3 records', label='NSEC3 record', 
multivalue=True)
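Review bot: the `naptrrecord?` option now takes `_validate_naptr`, but its `doc` text is still only 'comma-separated list of NAPTR records', so nothing on the option tells the user which fields or flag values the validator expects. Suggest extending `doc` with the expected field layout, or making sure the validator's error message spells it out, so a rejected record can be corrected from the CLI alone.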
@@ -559,7 +559,7 @@ option: List('keyrecord?', attribute=True, 
cli_name='key_rec',ist('keyrecord?',
 option: List('kxrecord?', attribute=True, cli_name='kx_rec',ist('kxrecord?', 
attribute=True, cli_name='kx_rec', doc='comma-separated list of KX records', 
label='KX record', multivalue=True)
 option: List('locrecord?', attribute=True, 
cli_name='loc_rec',ist('locrecord?', attribute=True, cli_name='loc_rec', 
doc='comma-separated list of LOC records', label='LOC record', multivalue=True)
 option: List('mxrecord?', _validate_mx, attribute=True, 
cli_name='mx_rec',ist('mxrecord?', _validate_mx, attribute=True, 
cli_name='mx_rec', doc='comma-separated list of MX records', label='MX record', 
multivalue=True)
-option: List('naptrrecord?', attribute=True, 
cli_name='naptr_rec',ist('naptrrecord?', attribute=True, cli_name='naptr_rec', 
doc='comma-separated list of NAPTR records', label='NAPTR record', 
multivalue=True)
+option: List('naptrrecord?', _validate_naptr, attribute=True, 
cli_name='naptr_rec',ist('naptrrecord?', _validate_naptr, attribute=True, 
cli_name='naptr_rec', doc='comma-separated list of NAPTR records', label='NAPTR 
record', multivalue=True)
 option: List('nsrecord?', attribute=True, cli_name='ns_rec',ist('nsrecord?', 
attribute=True, cli_name='ns_rec', doc='comma-separated list of NS records', 
label='NS record', multivalue=True)
 option: List('nsecrecord?', attribute=True, 
cli_name='nsec_rec',ist('nsecrecord?', attribute=True, cli_name='nsec_rec', 
doc='comma-separated list of NSEC records', label='NSEC record', 
multivalue=True)
 option: List('nsec3record?', attribute=True, 
cli_name='nsec3_rec',ist('nsec3record?', attribute=True, cli_name='nsec3_rec', 
doc='comma-separated list of NSEC3 records', label='NSEC3 record', 
multivalue=True)
@@ -604,7 +604,7 @@ option: List('keyrecord?', attribute=True, 
cli_name='key_rec',ist('keyrecord?',
 option: List('kxrecord?', attribute=True, cli_name='kx_rec',ist('kxrecord?', 
attribute=True, cli_name='kx_rec', doc='comma-separated list of KX records', 
label='KX record', multivalue=True)
 option: List('locrecord?', attribute=True, 
cli_name='loc_rec',ist('locrecord?', attribute=True, cli_name='loc_rec', 
doc='comma-separa

Re: [Freeipa-devel] [PATCH] 738 default.conf man page

2011-02-22 Thread Jakub Hrozek
On Mon, Feb 21, 2011 at 04:57:22PM -0500, Rob Crittenden wrote:
> Add a man page for the IPA configuration file default.conf.
> 
> ticket 969
> 
> rob

Looks good to me, Ack.

The options that are in constants.py but not documented in the manpage
seem to be unused. I guess we can remove them in the future
(webui_assets_dir, mount_jsonserver etc..)



Re: [Freeipa-devel] [PATCH] 735 configure krb5_realm in sssd ipa provider

2011-02-22 Thread Jakub Hrozek
On Mon, Feb 21, 2011 at 11:30:04AM -0500, Rob Crittenden wrote:
> Jakub Hrozek wrote:
> >On Mon, Feb 21, 2011 at 10:27:26AM -0500, Rob Crittenden wrote:
> >>Set krb5_realm in sssd.conf in the ipa provider.
> >>
> >>ticket 925
> >>
> >>rob
> >
> >This works fine, so Ack.
> >
> >One question, though, why don't we add the realm only if
> >ipa_domain.upper() != krb5_realm? It would make the config file a little
> >more readable for the 99% case where the two are the same.
> 
> Sure. We can't assume that the realm is always upper case so I'll do
> a case insensitive match (I did lower by reflex).
> 
> rob

My sssd.conf is nice and minimal again, thank you :-)

Ack



Re: [Freeipa-devel] [PATCH] 737 move BuildRequires

2011-02-22 Thread Jan Zelený
Jakub Hrozek  wrote:
> On Tue, Feb 22, 2011 at 11:21:41AM +0100, Jakub Hrozek wrote:
> > Note the %else.
> 
> Sorry, %endif. That separates BRs for !ONLY_CLIENT from those that are
> needed in both cases.

Yes I noticed that and I understand that part. I meant the part after the 
%endif - there is no need to move those dependencies. On the other hand it's 
definitely not a patch-blocker or something, so I give this patch ACK.

Jan



Re: [Freeipa-devel] [PATCH] 728 default roles

2011-02-22 Thread Jan Zelený
Rob Crittenden  wrote:
> Jakub Hrozek wrote:
> > On Mon, Feb 21, 2011 at 10:11:38AM -0500, Rob Crittenden wrote:
> >> Rob Crittenden wrote:
> >>> Jakub Hrozek wrote:
>  On 02/17/2011 04:35 AM, Rob Crittenden wrote:
> > Add default roles and permissions for HBAC, SUDO and pw policy
> > 
> > Created some default roles as examples. In doing so I realized that
> > we were completely missing default rules for HBAC, SUDO and password
> > policy so I added those as well.
> > 
> > I ran into a problem when the updater has a default record and an add
> > at the same time, it should handle it better now.
> > 
> > ticket 585
> > 
> > rob
>  
>  I'm not sure about the HBAC rules ACIs. They are specified as:
>  
>  'target = "ldap:///cn=*,cn=hbac,$SUFFIX";'
>  
>  while HBAC rules' DN is:
>  
>  'ipauniqueid=*,cn=hbac,$SUFFIX'.
>  
>  But HBAC rules do have a cn: attribute, so maybe the ACIs would work?
> >>> 
> >>> No, you're right, this is wrong. I'll fix it up and resubmit.
> >>> 
>  The patch also needs rebasing on top of recent changes to
>  install/updates/Makefile.am
>  
>  Other than that, looks OK to me.
>  
>  btw when I was reviewing this patch, I noticed we add a "DNS
>  Administrators" privilege in dns.ldif. Would it make sense to add DNS
>  administration to "Security Architect" (replication management) and
>  "IT Specialist" (hosts management)?
> >>> 
> >>> The DNS stuff is added only if DNS is enabled on the server so I can't
> >>> add them by default.
> >>> 
> >>> rob
> >> 
> >> Updated patch.
> >> 
> >> rob
> > 
> > Interdiff looks fine, but I'm not able to apply the patch (not even
> > 3-way merge), can you rebase?
> 
> done

The patch now applies ok (just one whitespace warning), ack

Jan



Re: [Freeipa-devel] [PATCH] 728 default roles

2011-02-22 Thread Martin Kosek
On Tue, 2011-02-22 at 13:14 +0100, Jan Zelený wrote:
> Rob Crittenden  wrote:
> > Jakub Hrozek wrote:
> > > On Mon, Feb 21, 2011 at 10:11:38AM -0500, Rob Crittenden wrote:
> > >> Rob Crittenden wrote:
> > >>> Jakub Hrozek wrote:
> >  On 02/17/2011 04:35 AM, Rob Crittenden wrote:
> > > Add default roles and permissions for HBAC, SUDO and pw policy
> > > 
> > > Created some default roles as examples. In doing so I realized that
> > > we were completely missing default rules for HBAC, SUDO and password
> > > policy so I added those as well.
> > > 
> > > I ran into a problem when the updater has a default record and an add
> > > at the same time, it should handle it better now.
> > > 
> > > ticket 585
> > > 
> > > rob
> >  
> >  I'm not sure about the HBAC rules ACIs. They are specified as:
> >  
> >  'target = "ldap:///cn=*,cn=hbac,$SUFFIX";'
> >  
> >  while HBAC rules' DN is:
> >  
> >  'ipauniqueid=*,cn=hbac,$SUFFIX'.
> >  
> >  But HBAC rules do have a cn: attribute, so maybe the ACIs would work?
> > >>> 
> > >>> No, you're right, this is wrong. I'll fix it up and resubmit.
> > >>> 
> >  The patch also needs rebasing on top of recent changes to
> >  install/updates/Makefile.am
> >  
> >  Other than that, looks OK to me.
> >  
> >  btw when I was reviewing this patch, I noticed we add a "DNS
> >  Administrators" privilege in dns.ldif. Would it make sense to add DNS
> >  administration to "Security Architect" (replication management) and
> >  "IT Specialist" (hosts management)?
> > >>> 
> > >>> The DNS stuff is added only if DNS is enabled on the server so I can't
> > >>> add them by default.
> > >>> 
> > >>> rob
> > >> 
> > >> Updated patch.
> > >> 
> > >> rob
> > > 
> > > Interdiff looks fine, but I'm not able to apply the patch (not even
> > > 3-way merge), can you rebase?
> > 
> > done
> 
> The patch now applies ok (just one whitespace warning), ack
> 
> Jan
> 

I have to NACK this. I have found some issues in the new LDAP records:

1) A wrong groupdn for the following ACI in 40-delegation.update:
add:aci: '(target = "ldap:///cn=*,cn=sudorules,cn=sudo,$SUFFIX";)(version
3.0;acl "permission:Add SUDO rule";allow (add) groupdn = "ldap:///cn=Add
SUDOrule,cn=permissions,cn=pbac,$SUFFIX";)'

It should be dap:///cn=Add SUDO rule,cn=permissions,cn=pbac,$SUFFIX

2) Another wrong target for few ACIs:
ldap:///cn=*,cn=sudorules,cn=sudo,$SUFFIX
is used instead of
ldap:///ipaUniqueID=*,cn=sudorules,cn=sudo,$SUFFIX


3) Missing Description for the following new privileges:
Write IPA Configuration
Modify Users and Reset passwords
Modify Group membership

Remainder looks good.

Martin


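The groupdn and target problems raised in this review, and the missing `permission:` prefix that patch 034 later in this thread fixes, can be checked mechanically. The lint below is an added example, not FreeIPA code: the `EXPECTED_RDN` table, the finding names and the function names are assumptions made for illustration, and the sample ACIs are constructed from the ones quoted in the thread.

```python
import re

# Assumption for this example: containers whose entries the thread says are
# named by ipaUniqueID rather than cn (SUDO rules and HBAC rules).
EXPECTED_RDN = {
    "cn=sudorules,cn=sudo,$SUFFIX": "ipauniqueid",
    "cn=hbac,$SUFFIX": "ipauniqueid",
}
PREFIX = "permission:"

TARGET_RE = re.compile(r'\(\s*target\s*=\s*"ldap:///([^"]+)"')
ACL_RE = re.compile(r'\bacl\s+"([^"]+)"')
GROUPDN_RE = re.compile(r'\bgroupdn\s*=\s*"ldap:///([^"]+)"')


def split_first_rdn(dn):
    """Split 'attr=value,rest' into (attr, value, rest).

    Assumes the first RDN contains no escaped commas.
    """
    first, _, rest = dn.partition(",")
    attr, _, value = first.partition("=")
    return attr.strip().lower(), value.strip(), rest.strip()


def lint_aci(aci):
    """Return a list of finding names for one ACI string (empty if clean)."""
    acl = ACL_RE.search(aci)
    if acl is None:
        return ["no-acl-name"]
    findings = []

    # 1. The acl name must carry the "permission:" prefix.
    name = acl.group(1)
    if name.startswith(PREFIX):
        name = name[len(PREFIX):]
    else:
        findings.append("missing-prefix")

    # 2. The cn in groupdn must be the permission name, character for character.
    group = GROUPDN_RE.search(aci)
    if group is not None:
        _, cn, _ = split_first_rdn(group.group(1))
        if cn != name:
            same_ignoring_case = cn.lower() == name.lower()
            findings.append("groupdn-case" if same_ignoring_case else "groupdn-name")

    # 3. The target must use the RDN attribute the container's entries use.
    target = TARGET_RE.search(aci)
    if target is not None:
        attr, _, container = split_first_rdn(target.group(1))
        expected = EXPECTED_RDN.get(container)
        if expected is not None and attr != expected:
            findings.append("target-rdn")
    return findings


# Constructed samples: ACIs quoted in this thread, with wrapped lines rejoined.
ADD_SUDO_RULE = (
    '(target = "ldap:///cn=*,cn=sudorules,cn=sudo,$SUFFIX";)'
    '(version 3.0;acl "permission:Add SUDO rule";allow (add) groupdn = '
    '"ldap:///cn=Add SUDOrule,cn=permissions,cn=pbac,$SUFFIX";)'
)
WRITE_ENTITLEMENTS_OLD = (
    '(targetattr = "usercertificate")'
    '(target = "ldap:///ipaentitlement=*,cn=entitlements,cn=etc,$SUFFIX";)'
    '(version 3.0;acl "Write Entitlements";allow (write) groupdn = '
    '"ldap:///cn=Write entitlements,cn=permissions,cn=pbac,$SUFFIX";)'
)
REGISTER_ENTITLEMENTS_NEW = (
    '(target = "ldap:///ipaentitlementid=*,cn=entitlements,cn=etc,$SUFFIX";)'
    '(version 3.0;acl "permission:Register Entitlements";allow (add) groupdn = '
    '"ldap:///cn=Register Entitlements,cn=permissions,cn=pbac,$SUFFIX";)'
)

if __name__ == "__main__":
    for label, aci in (
        ("Add SUDO rule", ADD_SUDO_RULE),
        ("Write Entitlements (before 034)", WRITE_ENTITLEMENTS_OLD),
        ("Register Entitlements (after 034)", REGISTER_ENTITLEMENTS_NEW),
    ):
        print(label, "->", lint_aci(aci) or "clean")
```
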

Re: [Freeipa-devel] [PATCH] 738 default.conf man page

2011-02-22 Thread David O'Brien

Rob Crittenden wrote:

Add a man page for the IPA configuration file default.conf.

ticket 969

rob



NACK

A few too many typos and other errors.

"Spaces between the equals sign are ignored."
Do you mean, "Spaces surrounding equals signs are ignored."?

+Specifies the base DN to use when performan LDAP operations.
performing

+Specfies the secure CA agent port. The defauilt is 9443.
Specifies
default

+Specifies the unsecure CA end user port. The default is 9190.
insecure

"For example. if you want to always perform client requests in verbose 
mode but do not want to have verbose enabled on the server add the 
verbose option to \fI/etc/ipa/cli.conf\fR."

comma after "example", not a period.
add a comma after "enabled on the server"

+Specifies whether the CA is acting is an RA agent,
as an RA agent

"+Specifies the name of the CA backend to use. The current options are 
\fBselfsign\fR and \fBdogtag\fR. This is a server\-side setting. 
Changing this value is not recommended as the CA backend is only set up 
during ininitial installation."

s/backend/back end/
s/selfsign/self-sign/
s/ininitial/initial/

+Specifies the kerberos realm.
Kerberos

"...and show the server(s) the client contacts."
s/server(s)/servers/

+user IPA configurationf ile
configuration file

"+Optional configuration files used in a particular context are. The 
value of mode is used to attempt to load these files, if they exist:"

I'm not sure what this means


--

David O'Brien
Red Hat Asia Pacific Pty Ltd
+61 7 3514 8189


"He who asks is a fool for five minutes, but he who does not ask remains 
a fool forever."

 ~ Chinese proverb



Re: [Freeipa-devel] [PATCH] 737 move BuildRequires

2011-02-22 Thread Rob Crittenden

Jan Zelený wrote:

Jakub Hrozek  wrote:

On Tue, Feb 22, 2011 at 11:21:41AM +0100, Jakub Hrozek wrote:

Note the %else.


Sorry, %endif. That separates BRs for !ONLY_CLIENT from those that are
needed in both cases.


Yes I noticed that and I understand that part. I meant the part after the
%endif - there is no need to move those dependencies. On the other hand it's
definitely not a patch-blocker or something, so I give this patch ACK.

Jan


pushed to master



Re: [Freeipa-devel] [PATCH] 735 configure krb5_realm in sssd ipa provider

2011-02-22 Thread Rob Crittenden

Jakub Hrozek wrote:

On Mon, Feb 21, 2011 at 11:30:04AM -0500, Rob Crittenden wrote:

Jakub Hrozek wrote:

On Mon, Feb 21, 2011 at 10:27:26AM -0500, Rob Crittenden wrote:

Set krb5_realm in sssd.conf in the ipa provider.

ticket 925

rob


This works fine, so Ack.

One question, though, why don't we add the realm only if
ipa_domain.upper() != krb5_realm? It would make the config file a little
more readable for the 99% case where the two are the same.


Sure. We can't assume that the realm is always upper case so I'll do
a case insensitive match (I did lower by reflex).

rob


My sssd.conf is nice and minimal again, thank you :-)

Ack


pushed to master



Re: [Freeipa-devel] [PATCH] 737 move BuildRequires

2011-02-22 Thread Rob Crittenden

Jan Zeleny wrote:

Rob Crittenden  wrote:

Move some BuildRequires so building with ONLY_CLIENT works.

I tested with:

$ mock -r fedora-14-x86_64 --define='ONLY_CLIENT 1'
./dist/srpms/freeipa-2.0.0GIT055a668-0.fc14.src.rpm

rob


I'm a little confused. Some of the lines are only moved a couple lines above
their original location (like python-ldap for instance).

Does this really have an impact on building? The only three lines I understand
are those first three.

Thanks for explanation

Jan


I had already done a similar change in another spec I maintain and pull 
them out one at a time until it built properly, thus I didn't maintain 
order.


What this does is it pulls most of the requires out of the ! ONLY_CLIENT 
conditional.


rob



Re: [Freeipa-devel] [PATCH] 736 hard limit for # of batch requests

2011-02-22 Thread Rob Crittenden

Martin Kosek wrote:

On Mon, 2011-02-21 at 11:48 -0500, Rob Crittenden wrote:

Set a hard limit of 256 for the # of commands in a batch request we'll
handle.

ticket 984

rob


ACK.

Works for me. Tested by custom JSON command via curl.

Martin


pushed to master



Re: [Freeipa-devel] [PATCH] 061 Validate NAPTR records

2011-02-22 Thread Rob Crittenden

Jakub Hrozek wrote:

On Mon, Feb 21, 2011 at 01:18:07PM -0500, Rob Crittenden wrote:

Jakub Hrozek wrote:


I'm not sure about checking the flags - this might be a little too much
validation.

https://fedorahosted.org/freeipa/ticket/840


I think the flags length check needs to change. I would do this instead:

flags = flags.replace('"','')

Otherwise someone might try to pass in the flags 'SAU' and all that
would get set is A.

rob


OK, that's much better. New patch attached.


ack, pushed to master

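The flags problem discussed in this thread, where an unquoted 'SAU' would be accepted and stored as A, is shown below next to the quote-stripping check that was suggested instead. This is an added example, not the code from the patch: `flag_by_length` is a hypothetical reconstruction of a length-based check, and the function names, the accepted flag letters and the sample records are assumptions made for illustration.

```python
import re

# Assumptions for this example: exactly one flag is required, and these are
# the accepted flag letters.
VALID_FLAGS = ("S", "A", "U", "P")
MAX_U16 = 65535
FIELDS = ("order", "preference", "flags", "service", "regexp", "replacement")


def flag_by_length(flags):
    """Hypothetical length-based check: a 3-character value is assumed to be
    a quoted flag, so only its middle character is kept."""
    if len(flags) == 3:
        flags = flags[1]
    if len(flags) != 1 or flags.upper() not in VALID_FLAGS:
        raise ValueError("invalid NAPTR flags")
    return flags.upper()


def flag_by_stripping(flags):
    """Remove the quotes first, then require a single known flag."""
    flags = flags.replace('"', '')
    if len(flags) != 1 or flags.upper() not in VALID_FLAGS:
        raise ValueError("flags must be one character from " + "".join(VALID_FLAGS))
    return flags.upper()


def parse_u16(name, value):
    """Parse an unsigned 16-bit decimal field such as order or preference."""
    if re.fullmatch(r"[0-9]{1,5}", value) is None or int(value) > MAX_U16:
        raise ValueError("%s must be an integer between 0 and %d" % (name, MAX_U16))
    return int(value)


def validate_naptr(record, check_flags=flag_by_stripping):
    """Return the parsed record as a dict or raise ValueError.

    Assumes whitespace-separated fields with no spaces inside a field.
    """
    parts = record.split()
    if len(parts) != len(FIELDS):
        raise ValueError("format must be: " + " ".join(FIELDS))
    parsed = dict(zip(FIELDS, parts))
    parsed["order"] = parse_u16("order", parsed["order"])
    parsed["preference"] = parse_u16("preference", parsed["preference"])
    parsed["flags"] = check_flags(parsed["flags"])
    return parsed


def accepted(record, check_flags):
    """Return the flag that would be stored, or None if the record is rejected."""
    try:
        return validate_naptr(record, check_flags)["flags"]
    except ValueError:
        return None


# Constructed sample records (example.com names are placeholders).
QUOTED_S = '100 10 "S" "SIP+D2U" "" _sip._udp.example.com.'
UNQUOTED_SAU = '100 10 SAU "SIP+D2U" "" _sip._udp.example.com.'
QUOTED_SAU = '100 10 "SAU" "SIP+D2U" "" _sip._udp.example.com.'
BAD_ORDER = '70000 10 "U" "SIP+D2U" "" _sip._udp.example.com.'

if __name__ == "__main__":
    for record in (QUOTED_S, UNQUOTED_SAU, QUOTED_SAU, BAD_ORDER):
        print(record)
        print("  length check  :", accepted(record, flag_by_length))
        print("  strip and test:", accepted(record, flag_by_stripping))
```
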


Re: [Freeipa-devel] [PATCH] 738 default.conf man page

2011-02-22 Thread Rob Crittenden

David O'Brien wrote:

Rob Crittenden wrote:

Add a man page for the IPA configuration file default.conf.

ticket 969

rob



NACK

A few too many typos and other errors.

"Spaces between the equals sign are ignored."
Do you mean, "Spaces surrounding equals signs are ignored."?

+Specifies the base DN to use when performan LDAP operations.
performing

+Specfies the secure CA agent port. The defauilt is 9443.
Specifies
default

+Specifies the unsecure CA end user port. The default is 9190.
insecure

"For example. if you want to always perform client requests in verbose
mode but do not want to have verbose enabled on the server add the
verbose option to \fI/etc/ipa/cli.conf\fR."
comma after "example", not a period.
add a comma after "enabled on the server"

+Specifies whether the CA is acting is an RA agent,
as an RA agent

"+Specifies the name of the CA backend to use. The current options are
\fBselfsign\fR and \fBdogtag\fR. This is a server\-side setting.
Changing this value is not recommended as the CA backend is only set up
during ininitial installation."
s/backend/back end/
s/selfsign/self-sign/
s/ininitial/initial/

+Specifies the kerberos realm.
Kerberos

"...and show the server(s) the client contacts."
s/server(s)/servers/

+user IPA configurationf ile
configuration file

"+Optional configuration files used in a particular context are. The
value of mode is used to attempt to load these files, if they exist:"
I'm not sure what this means




Fixes applied.

rob


freeipa-rcrit-738-2-man.patch
Description: application/mbox

Re: [Freeipa-devel] [PATCH] 728 default roles

2011-02-22 Thread Rob Crittenden

Martin Kosek wrote:

On Tue, 2011-02-22 at 13:14 +0100, Jan Zelený wrote:

Rob Crittenden  wrote:

Jakub Hrozek wrote:

On Mon, Feb 21, 2011 at 10:11:38AM -0500, Rob Crittenden wrote:

Rob Crittenden wrote:

Jakub Hrozek wrote:


On 02/17/2011 04:35 AM, Rob Crittenden wrote:

Add default roles and permissions for HBAC, SUDO and pw policy

Created some default roles as examples. In doing so I realized that
we were completely missing default rules for HBAC, SUDO and password
policy so I added those as well.

I ran into a problem when the updater has a default record and an add
at the same time, it should handle it better now.

ticket 585

rob


I'm not sure about the HBAC rules ACIs. They are specified as:

'target = "ldap:///cn=*,cn=hbac,$SUFFIX";'

while HBAC rules' DN is:

'ipauniqueid=*,cn=hbac,$SUFFIX'.

But HBAC rules do have a cn: attribute, so maybe the ACIs would work?


No, you're right, this is wrong. I'll fix it up and resubmit.


The patch also needs rebasing on top of recent changes to
install/updates/Makefile.am

Other than that, looks OK to me.

btw when I was reviewing this patch, I noticed we add a "DNS
Administrators" privilege in dns.ldif. Would it make sense to add DNS
administration to "Security Architect" (replication management) and
"IT Specialist" (hosts management)?


The DNS stuff is added only if DNS is enabled on the server so I can't
add them by default.

rob


Updated patch.

rob


Interdiff looks fine, but I'm not able to apply the patch (not even
3-way merge), can you rebase?


done


The patch now applies ok (just one whitespace warning), ack

Jan



I have to NACK this. I have found some issues in the new LDAP records:

1) A wrong groupdn for the following ACI in 40-delegation.update:
add:aci: '(target = "ldap:///cn=*,cn=sudorules,cn=sudo,$SUFFIX";)(version
3.0;acl "permission:Add SUDO rule";allow (add) groupdn = "ldap:///cn=Add
SUDOrule,cn=permissions,cn=pbac,$SUFFIX";)'

It should be dap:///cn=Add SUDO rule,cn=permissions,cn=pbac,$SUFFIX

2) Another wrong target for few ACIs:
ldap:///cn=*,cn=sudorules,cn=sudo,$SUFFIX
is used instead of
ldap:///ipaUniqueID=*,cn=sudorules,cn=sudo,$SUFFIX


3) Missing Description for the following new privileges:
Write IPA Configuration
Modify Users and Reset passwords
Modify Group membership

Remainder looks good.

Martin


Thanks for the careful review. Updated patch attached.

rob


freeipa-rcrit-728-4-roles.patch
Description: application/mbox

Re: [Freeipa-devel] [PATCH] 728 default roles

2011-02-22 Thread Martin Kosek
On Tue, 2011-02-22 at 09:22 -0500, Rob Crittenden wrote:
> Martin Kosek wrote:
> > On Tue, 2011-02-22 at 13:14 +0100, Jan Zelený wrote:
> >> Rob Crittenden  wrote:
> >>> Jakub Hrozek wrote:
>  On Mon, Feb 21, 2011 at 10:11:38AM -0500, Rob Crittenden wrote:
> > Rob Crittenden wrote:
> >> Jakub Hrozek wrote:
> >>> On 02/17/2011 04:35 AM, Rob Crittenden wrote:
>  Add default roles and permissions for HBAC, SUDO and pw policy
> 
>  Created some default roles as examples. In doing so I realized that
>  we were completely missing default rules for HBAC, SUDO and password
>  policy so I added those as well.
> 
>  I ran into a problem when the updater has a default record and an add
>  at the same time, it should handle it better now.
> 
>  ticket 585
> 
>  rob
> >>>
> >>> I'm not sure about the HBAC rules ACIs. They are specified as:
> >>>
> >>> 'target = "ldap:///cn=*,cn=hbac,$SUFFIX";'
> >>>
> >>> while HBAC rules' DN is:
> >>>
> >>> 'ipauniqueid=*,cn=hbac,$SUFFIX'.
> >>>
> >>> But HBAC rules do have a cn: attribute, so maybe the ACIs would work?
> >>
> >> No, you're right, this is wrong. I'll fix it up and resubmit.
> >>
> >>> The patch also needs rebasing on top of recent changes to
> >>> install/updates/Makefile.am
> >>>
> >>> Other than that, looks OK to me.
> >>>
> >>> btw when I was reviewing this patch, I noticed we add a "DNS
> >>> Administrators" privilege in dns.ldif. Would it make sense to add DNS
> >>> administration to "Security Architect" (replication management) and
> >>> "IT Specialist" (hosts management)?
> >>
> >> The DNS stuff is added only if DNS is enabled on the server so I can't
> >> add them by default.
> >>
> >> rob
> >
> > Updated patch.
> >
> > rob
> 
>  Interdiff looks fine, but I'm not able to apply the patch (not even
>  3-way merge), can you rebase?
> >>>
> >>> done
> >>
> >> The patch now applies ok (just one whitespace warning), ack
> >>
> >> Jan
> >>
> >
> > I have to NACK this. I have found some issues in the new LDAP records:
> >
> > 1) A wrong groupdn for the following ACI in 40-delegation.update:
> > add:aci: '(target = "ldap:///cn=*,cn=sudorules,cn=sudo,$SUFFIX";)(version
> > 3.0;acl "permission:Add SUDO rule";allow (add) groupdn = "ldap:///cn=Add
> > SUDOrule,cn=permissions,cn=pbac,$SUFFIX";)'
> >
> > It should be dap:///cn=Add SUDO rule,cn=permissions,cn=pbac,$SUFFIX
> >
> > 2) Another wrong target for few ACIs:
> > ldap:///cn=*,cn=sudorules,cn=sudo,$SUFFIX
> > is used instead of
> > ldap:///ipaUniqueID=*,cn=sudorules,cn=sudo,$SUFFIX
> >
> >
> > 3) Missing Description for the following new privileges:
> > Write IPA Configuration
> > Modify Users and Reset passwords
> > Modify Group membership
> >
> > Remainder looks good.
> >
> > Martin
> 
> Thanks for the careful review. Updated patch attached.
> 
> rob

Good job! It's OK now. ACK

Martin


[Freeipa-devel] [PATCH] 034 Entitlements ACIs not visible to Permission plugin

2011-02-22 Thread Martin Kosek
This patch fixes Entitlements privileges and ACIs. There were
missing descriptions or the ACIs could not be processed by
Permissino plugin because of missing prefix.

https://fedorahosted.org/freeipa/ticket/997

From 2b088549da0b3c8beb4451d09e337b1dfa8ee9ce Mon Sep 17 00:00:00 2001
From: Martin Kosek 
Date: Tue, 22 Feb 2011 15:25:43 +0100
Subject: [PATCH] Entitlements ACIs not visible to Permission plugin

This patch fixes Entitlements privileges and ACIs. There were
missing descriptions or the ACIs could not be processed by
Permissino plugin because of missing prefix.

https://fedorahosted.org/freeipa/ticket/997
---
 install/share/delegation.ldif |9 ++---
 1 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/install/share/delegation.ldif b/install/share/delegation.ldif
index 02dc850af1634483ad289eac261263db92157d11..5d4949ae37a33eabb9646b181e41923c5811275f 100644
--- a/install/share/delegation.ldif
+++ b/install/share/delegation.ldif
@@ -152,6 +152,7 @@ objectClass: top
 objectClass: groupofnames
 objectClass: nestedgroup
 cn: Register and Write Entitlements
+description: Register and Write Entitlements
 member: cn=Entitlement Management,cn=roles,cn=accounts,$SUFFIX
 
 dn: cn=Read Entitlements,cn=privileges,cn=pbac,$SUFFIX
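Review bot: the added `description: Register and Write Entitlements` only repeats the `cn` on the line above it, so it tells an administrator nothing the name does not already say. Suggest a sentence stating what the privilege allows; the same applies to `description: Read Entitlements` in the next hunk.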
@@ -160,6 +161,7 @@ objectClass: top
 objectClass: groupofnames
 objectClass: nestedgroup
 cn: Read Entitlements
+description: Read Entitlements
 member: cn=Entitlement Management,cn=roles,cn=accounts,$SUFFIX
 member: cn=Entitlement Compliance,cn=roles,cn=accounts,$SUFFIX
 
@@ -518,6 +520,7 @@ changetype: add
 objectClass: top
 objectClass: groupofnames
 objectClass: ipapermission
+cn: Register Entitlements
 member: cn=Register and Write Entitlements,cn=privileges,cn=pbac,$SUFFIX
 
 dn: cn=Read Entitlements,cn=permissions,cn=pbac,$SUFFIX
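Review bot: at the added `cn: Register Entitlements`, the entry's `dn:` line falls outside the hunk, so it cannot be confirmed from here that the new `cn` value matches the entry's RDN. Please check that, and check whether the other entitlement permission entries (the `cn=Read Entitlements,cn=permissions` entry starts on the last context line) have the same missing `cn`.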
@@ -656,17 +659,17 @@ aci: (targetattr = "enrolledby || objectclass")(target = "ldap:///fqdn=*,cn=comp
 dn: $SUFFIX
 changetype: modify
 add: aci
-aci: (target = "ldap:///ipaentitlementid=*,cn=entitlements,cn=etc,$SUFFIX";)(version 3.0;acl "Register Entitlements";allow (add) groupdn = "ldap:///cn=Register Entitlements,cn=permissions,cn=pbac,$SUFFIX";)
+aci: (target = "ldap:///ipaentitlementid=*,cn=entitlements,cn=etc,$SUFFIX";)(version 3.0;acl "permission:Register Entitlements";allow (add) groupdn = "ldap:///cn=Register Entitlements,cn=permissions,cn=pbac,$SUFFIX";)
 
 dn: $SUFFIX
 changetype: modify
 add: aci
-aci: (targetattr = "usercertificate")(target = "ldap:///ipaentitlement=*,cn=entitlements,cn=etc,$SUFFIX";)(version 3.0;acl "Write Entitlements";allow (write) groupdn = "ldap:///cn=Write entitlements,cn=permissions,cn=pbac,$SUFFIX";)
+aci: (targetattr = "usercertificate")(target = "ldap:///ipaentitlement=*,cn=entitlements,cn=etc,$SUFFIX";)(version 3.0;acl "permission:Write Entitlements";allow (write) groupdn = "ldap:///cn=Write Entitlements,cn=permissions,cn=pbac,$SUFFIX";)
 
 dn: $SUFFIX
 changetype: modify
 add: aci
-aci: (targetattr = "userpkcs12")(target = "ldap:///ipaentitlementid=*,cn=entitlements,cn=etc,$SUFFIX";)(version 3.0;acl "Read Entitlements";allow (read) groupdn = "ldap:///cn=Read Entitlements,cn=permissions,cn=pbac,$SUFFIX";)
+aci: (targetattr = "userpkcs12")(target = "ldap:///ipaentitlementid=*,cn=entitlements,cn=etc,$SUFFIX";)(version 3.0;acl "permission:Read Entitlements";allow (read) groupdn = "ldap:///cn=Read Entitlements,cn=permissions,cn=pbac,$SUFFIX";)
 
 # Create virtual operations entry. This is used to control access to
 # operations that don't rely on LDAP directly.
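Review bot: the second ACI still targets `ldap:///ipaentitlement=*,cn=entitlements,cn=etc,$SUFFIX` while the first and third use `ipaentitlementid=*`; the patch edits that line (adds the `permission:` prefix and changes `Write entitlements` to `Write Entitlements` in the groupdn) but leaves the target untouched. If entries under `cn=entitlements,cn=etc` are named by `ipaentitlementid`, the write ACI will not match them. Please confirm which attribute is intended and make the three targets agree.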
-- 
1.7.4


Re: [Freeipa-devel] [PATCH] 034 Entitlements ACIs not visible to Permission plugin

2011-02-22 Thread Martin Kosek
On Tue, 2011-02-22 at 15:46 +0100, Martin Kosek wrote:
> This patch fixes Entitlements privileges and ACIs. There were
> missing descriptions or the ACIs could not be processed by
> Permissino plugin because of missing prefix.
> 
> https://fedorahosted.org/freeipa/ticket/997
> 

I just want to add that this patch is built on top of Rob's patch "728
default roles".

Attached a patch with fixed typo in commit message.

Martin
From 6d6acc6f622b473922458bff4c42ab73b0c1d78e Mon Sep 17 00:00:00 2001
From: Martin Kosek 
Date: Tue, 22 Feb 2011 15:25:43 +0100
Subject: [PATCH] Entitlements ACIs not visible to Permission plugin

This patch fixes Entitlements privileges and ACIs. There were
missing descriptions or the ACIs could not be processed by
Permission plugin because of missing prefix.

https://fedorahosted.org/freeipa/ticket/997
---
 install/share/delegation.ldif |9 ++---
 1 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/install/share/delegation.ldif b/install/share/delegation.ldif
index 02dc850af1634483ad289eac261263db92157d11..5d4949ae37a33eabb9646b181e41923c5811275f 100644
--- a/install/share/delegation.ldif
+++ b/install/share/delegation.ldif
@@ -152,6 +152,7 @@ objectClass: top
 objectClass: groupofnames
 objectClass: nestedgroup
 cn: Register and Write Entitlements
+description: Register and Write Entitlements
 member: cn=Entitlement Management,cn=roles,cn=accounts,$SUFFIX
 
 dn: cn=Read Entitlements,cn=privileges,cn=pbac,$SUFFIX
@@ -160,6 +161,7 @@ objectClass: top
 objectClass: groupofnames
 objectClass: nestedgroup
 cn: Read Entitlements
+description: Read Entitlements
 member: cn=Entitlement Management,cn=roles,cn=accounts,$SUFFIX
 member: cn=Entitlement Compliance,cn=roles,cn=accounts,$SUFFIX
 
@@ -518,6 +520,7 @@ changetype: add
 objectClass: top
 objectClass: groupofnames
 objectClass: ipapermission
+cn: Register Entitlements
 member: cn=Register and Write Entitlements,cn=privileges,cn=pbac,$SUFFIX
 
 dn: cn=Read Entitlements,cn=permissions,cn=pbac,$SUFFIX
@@ -656,17 +659,17 @@ aci: (targetattr = "enrolledby || objectclass")(target = "ldap:///fqdn=*,cn=comp
 dn: $SUFFIX
 changetype: modify
 add: aci
-aci: (target = "ldap:///ipaentitlementid=*,cn=entitlements,cn=etc,$SUFFIX";)(version 3.0;acl "Register Entitlements";allow (add) groupdn = "ldap:///cn=Register Entitlements,cn=permissions,cn=pbac,$SUFFIX";)
+aci: (target = "ldap:///ipaentitlementid=*,cn=entitlements,cn=etc,$SUFFIX";)(version 3.0;acl "permission:Register Entitlements";allow (add) groupdn = "ldap:///cn=Register Entitlements,cn=permissions,cn=pbac,$SUFFIX";)
 
 dn: $SUFFIX
 changetype: modify
 add: aci
-aci: (targetattr = "usercertificate")(target = "ldap:///ipaentitlement=*,cn=entitlements,cn=etc,$SUFFIX";)(version 3.0;acl "Write Entitlements";allow (write) groupdn = "ldap:///cn=Write entitlements,cn=permissions,cn=pbac,$SUFFIX";)
+aci: (targetattr = "usercertificate")(target = "ldap:///ipaentitlement=*,cn=entitlements,cn=etc,$SUFFIX";)(version 3.0;acl "permission:Write Entitlements";allow (write) groupdn = "ldap:///cn=Write Entitlements,cn=permissions,cn=pbac,$SUFFIX";)
 
 dn: $SUFFIX
 changetype: modify
 add: aci
-aci: (targetattr = "userpkcs12")(target = "ldap:///ipaentitlementid=*,cn=entitlements,cn=etc,$SUFFIX";)(version 3.0;acl "Read Entitlements";allow (read) groupdn = "ldap:///cn=Read Entitlements,cn=permissions,cn=pbac,$SUFFIX";)
+aci: (targetattr = "userpkcs12")(target = "ldap:///ipaentitlementid=*,cn=entitlements,cn=etc,$SUFFIX";)(version 3.0;acl "permission:Read Entitlements";allow (read) groupdn = "ldap:///cn=Read Entitlements,cn=permissions,cn=pbac,$SUFFIX";)
 
 # Create virtual operations entry. This is used to control access to
 # operations that don't rely on LDAP directly.
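Review bot: the renamed ACIs in this hunk live only in install/share/delegation.ldif, the sole file in the diffstat, and that file is applied at install time. Servers that are already installed keep the un-prefixed "Register Entitlements", "Write Entitlements" and "Read Entitlements" ACIs, so the Permission plugin still will not see them there; consider a matching entry under install/updates that removes the old values and adds the `permission:` ones.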
-- 
1.7.4


Re: [Freeipa-devel] [PATCH] 728 default roles

2011-02-22 Thread Rob Crittenden

Martin Kosek wrote:

On Tue, 2011-02-22 at 09:22 -0500, Rob Crittenden wrote:

Martin Kosek wrote:

On Tue, 2011-02-22 at 13:14 +0100, Jan Zelený wrote:

Rob Crittenden   wrote:

Jakub Hrozek wrote:

On Mon, Feb 21, 2011 at 10:11:38AM -0500, Rob Crittenden wrote:

Rob Crittenden wrote:

Jakub Hrozek wrote:


On 02/17/2011 04:35 AM, Rob Crittenden wrote:

Add default roles and permissions for HBAC, SUDO and pw policy

Created some default roles as examples. In doing so I realized that
we were completely missing default rules for HBAC, SUDO and password
policy so I added those as well.

I ran into a problem when the updater has a default record and an add
at the same time, it should handle it better now.

ticket 585

rob


I'm not sure about the HBAC rules ACIs. They are specified as:

'target = "ldap:///cn=*,cn=hbac,$SUFFIX";'

while HBAC rules' DN is:

'ipauniqueid=*,cn=hbac,$SUFFIX'.

But HBAC rules do have a cn: attribute, so maybe the ACIs would work?


No, you're right, this is wrong. I'll fix it up and resubmit.


The patch also needs rebasing on top of recent changes to
install/updates/Makefile.am

Other than that, looks OK to me.

btw when I was reviewing this patch, I noticed we add a "DNS
Administrators" privilege in dns.ldif. Would it make sense to add DNS
administration to "Security Architect" (replication management) and
"IT Specialist" (hosts management)?


The DNS stuff is added only if DNS is enabled on the server so I can't
add them by default.

rob


Updated patch.

rob


Interdiff looks fine, but I'm not able to apply the patch (not even
3-way merge), can you rebase?


done


The patch now applies ok (just one whitespace warning), ack

Jan



I have to NACK this. I have found some issues in the new LDAP records:

1) A wrong groupdn for the following ACI in 40-delegation.update:
add:aci: '(target = "ldap:///cn=*,cn=sudorules,cn=sudo,$SUFFIX";)(version
3.0;acl "permission:Add SUDO rule";allow (add) groupdn = "ldap:///cn=Add
SUDOrule,cn=permissions,cn=pbac,$SUFFIX";)'

It should be ldap:///cn=Add SUDO rule,cn=permissions,cn=pbac,$SUFFIX

2) Another wrong target for few ACIs:
ldap:///cn=*,cn=sudorules,cn=sudo,$SUFFIX
is used instead of
ldap:///ipaUniqueID=*,cn=sudorules,cn=sudo,$SUFFIX


3) Missing Description for the following new privileges:
Write IPA Configuration
Modify Users and Reset passwords
Modify Group membership

Remainder looks good.

Martin


Thanks for the careful review. Updated patch attached.

rob


Good job! It's OK now. ACK

Martin



pushed to master
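
The mistakes caught by hand in these threads (an acl name without the `permission:` prefix, a groupdn whose cn does not match the permission name, a target using `cn=*` where entries are named by ipaUniqueID) can be checked mechanically. This is an added example, not FreeIPA code: the sample ACIs are constructed from the ones quoted above, and `check_aci`, `audit` and `EXPECTED_RDN` are hypothetical names.

```python
import re

PREFIX = "permission:"

# Naming attribute expected in the target of ACIs under each container.
# Both entries come from the review comments in these threads (assumption:
# the table is only as complete as the sample needs; extend it for real use).
EXPECTED_RDN = {
    "cn=hbac,$suffix": "ipauniqueid",
    "cn=sudorules,cn=sudo,$suffix": "ipauniqueid",
}

ACL_NAME_RE = re.compile(r'\(\s*version\s+3\.0\s*;\s*acl\s+"([^"]*)"', re.I)
GROUPDN_RE = re.compile(r'groupdn\s*=\s*"ldap:///([^"]*)"', re.I)
TARGET_RE = re.compile(r'\(\s*target\s*=\s*"ldap:///([^"]*)"', re.I)

# Constructed samples, modelled on ACIs quoted in these threads.
SAMPLE_ACIS = [
    '(target = "ldap:///ipaentitlementid=*,cn=entitlements,cn=etc,$SUFFIX")'
    '(version 3.0;acl "permission:Register Entitlements";allow (add) '
    'groupdn = "ldap:///cn=Register Entitlements,cn=permissions,cn=pbac,$SUFFIX";)',

    '(targetattr = "usercertificate")'
    '(target = "ldap:///ipaentitlement=*,cn=entitlements,cn=etc,$SUFFIX")'
    '(version 3.0;acl "Write Entitlements";allow (write) '
    'groupdn = "ldap:///cn=Write entitlements,cn=permissions,cn=pbac,$SUFFIX";)',

    '(target = "ldap:///cn=*,cn=sudorules,cn=sudo,$SUFFIX")'
    '(version 3.0;acl "permission:Add SUDO rule";allow (add) '
    'groupdn = "ldap:///cn=Add SUDOrule,cn=permissions,cn=pbac,$SUFFIX";)',
]


def split_first_rdn(dn):
    """Split a DN into (attr, value, rest). Escaped commas are not handled."""
    rdn, _, rest = dn.partition(",")
    attr, _, value = rdn.partition("=")
    return attr.strip(), value.strip(), rest.strip()


def acl_name(aci):
    """Return the quoted acl name of an ACI string, or None if absent."""
    match = ACL_NAME_RE.search(aci)
    return match.group(1) if match else None


def check_aci(aci):
    """Return a list of finding codes for one ACI string (empty if clean)."""
    name = acl_name(aci)
    if name is None:
        return ["no-acl-name"]

    findings = []
    if name.startswith(PREFIX):
        perm = name[len(PREFIX):]
    else:
        findings.append("missing-prefix")
        perm = name

    # The group the ACI grants to should be the permission of the same name.
    group = GROUPDN_RE.search(aci)
    if group:
        attr, value, _ = split_first_rdn(group.group(1))
        if attr.lower() != "cn" or value.lower() != perm.lower():
            findings.append("groupdn-mismatch")
        elif value != perm:
            findings.append("groupdn-case")

    # The target must use the attribute that actually names the entries.
    target = TARGET_RE.search(aci)
    if target:
        attr, _, container = split_first_rdn(target.group(1))
        expected = EXPECTED_RDN.get(container.lower())
        if expected and attr.lower() != expected:
            findings.append("target-rdn")

    return findings


def audit(acis):
    """Map acl name -> findings for every ACI that has at least one finding."""
    report = {}
    for aci in acis:
        findings = check_aci(aci)
        if findings:
            report[acl_name(aci) or aci] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_ACIS).items():
        print("%s: %s" % (name, ", ".join(findings)))
```
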


Re: [Freeipa-devel] [PATCH] 034 Entitlements ACIs not visible to Permission plugin

2011-02-22 Thread Rob Crittenden

Martin Kosek wrote:

This patch fixes Entitlements privileges and ACIs. There were
missing descriptions or the ACIs could not be processed by
Permissino plugin because of missing prefix.

https://fedorahosted.org/freeipa/ticket/997


ack, pushed to master



[Freeipa-devel] [PATCH] 112 I18n update for dialog box buttons.

2011-02-22 Thread Endi Sukma Dewata

https://fedorahosted.org/freeipa/ticket/899

--
Endi S. Dewata
From b8881ccdd02965a70c0136ba66de2006b96379a9 Mon Sep 17 00:00:00 2001
From: Endi S. Dewata 
Date: Mon, 21 Feb 2011 18:36:42 -0600
Subject: [PATCH] I18n update for dialog box buttons.

https://fedorahosted.org/freeipa/ticket/899
---
 install/ui/certificate.js   |  124 ++-
 install/ui/dialog.js|   18 ++---
 install/ui/ipa.js   |   52 -
 install/ui/policy.js|   21 +++--
 install/ui/test/data/i18n_messages.json |9 ++-
 install/ui/test/data/ipa_init.json  |9 ++-
 install/ui/user.js  |   34 +
 ipalib/plugins/internal.py  |   15 +++-
 8 files changed, 164 insertions(+), 118 deletions(-)

diff --git a/install/ui/certificate.js b/install/ui/certificate.js
index b91d2b9bcaf79074f2b41fd246d5cd8ca046c273..c5de56c1f461ee5865a53e3762aee2081093c503 100755
--- a/install/ui/certificate.js
+++ b/install/ui/certificate.js
@@ -98,15 +98,18 @@ IPA.cert.get_dialog = function(spec) {
 IPA.cert.END_CERTIFICATE);
 
 that.open = function() {
+
+var buttons = {};
+
+buttons[IPA.messages.buttons.close] = function() {
+dialog.dialog('destroy');
+};
+
 dialog.dialog({
 modal: true,
 width: 500,
 height: 400,
-buttons: {
-'Close': function() {
-dialog.dialog('destroy');
-}
-}
+buttons: buttons
 });
 };
 
@@ -153,23 +156,27 @@ IPA.cert.revoke_dialog = function(spec) {
 }
 
 that.open = function() {
+
+var buttons = {};
+
+buttons[IPA.messages.buttons.revoke] = function() {
+var values = {};
+values['reason'] = select.val();
+if (that.revoke) {
+that.revoke(values);
+}
+dialog.dialog('destroy');
+};
+
+buttons[IPA.messages.buttons.cancel] = function() {
+dialog.dialog('destroy');
+};
+
 dialog.dialog({
 modal: true,
 width: 500,
 height: 300,
-buttons: {
-'Revoke': function() {
-var values = {};
-values['reason'] = select.val();
-if (that.revoke) {
-that.revoke(values);
-}
-dialog.dialog('destroy');
-},
-'Cancel': function() {
-dialog.dialog('destroy');
-}
-}
+buttons: buttons
 });
 };
 
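Review bot: in the revoke dialog the translated labels become the keys of `buttons`, so if `IPA.messages.buttons.revoke` and `IPA.messages.buttons.cancel` ever resolve to the same string, or are both undefined because the messages have not loaded, the second assignment replaces the first and the Revoke handler silently disappears. Check that both labels are defined and distinct before building the object, or fall back to the English text when a label is missing.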
@@ -193,22 +200,26 @@ IPA.cert.restore_dialog = function(spec) {
 IPA.messages.objects.cert.restore_confirmation);
 
 that.open = function() {
+
+var buttons = {};
+
+buttons[IPA.messages.buttons.restore] = function() {
+var values = {};
+if (that.restore) {
+that.restore(values);
+}
+dialog.dialog('destroy');
+};
+
+buttons[IPA.messages.buttons.cancel] = function() {
+dialog.dialog('destroy');
+};
+
 dialog.dialog({
 modal: true,
 width: 400,
 height: 200,
-buttons: {
-'Restore': function() {
-var values = {};
-if (that.restore) {
-that.restore(values);
-}
-dialog.dialog('destroy');
-},
-'Cancel': function() {
-dialog.dialog('destroy');
-}
-}
+buttons: buttons
 });
 };
 
@@ -327,15 +338,18 @@ IPA.cert.view_dialog = function(spec) {
 }).appendTo(tr);
 
 that.open = function() {
+
+var buttons = {};
+
+buttons[IPA.messages.buttons.close] = function() {
+dialog.dialog('destroy');
+};
+
 dialog.dialog({
 modal: true,
 width: 600,
 height: 500,
-buttons: {
-'Close': function() {
-dialog.dialog('destroy');
-}
-}
+buttons: buttons
 });
 };
 
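Review bot: the Close-only `buttons` block in view_dialog is a copy of the one added to get_dialog at the top of this file, and the revoke and restore dialogs repeat the same Cancel handler. A small helper that takes the label and the handler and returns the buttons object would remove the duplication and give one place to guard against a missing label.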
@@ -370,28 +384,32 @@ IPA.cert.request_dialog = function(spec) {
 dialog.append(IPA.cert.END_CERTIFICATE_REQUEST);
 
 that.open = function() {
+
+var buttons = {};
+
+buttons[IPA.messages.buttons.issue] = function() {
+var values = {};
+var request = textarea.val();
+request =
+IPA.cert.BEGIN_CERTIFICATE_REQUEST+'\n'+
+$.trim(request)+'\n'+
+IPA.cert.END_CERTIFICATE_REQUEST+'\n';
+values['request'] = request;
+if (that.request) {
+that.request(values);
+

[Freeipa-devel] [PATCH] admiyo-0199-Net-group-to-Netgroup

2011-02-22 Thread Adam Young


From b0cb901f26834ba6e4e32d7d3a3ae10452de04e6 Mon Sep 17 00:00:00 2001
From: Adam Young 
Date: Tue, 22 Feb 2011 11:35:25 -0500
Subject: [PATCH 199/203] Net group to Netgroup

---
 ipalib/plugins/netgroup.py |2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/ipalib/plugins/netgroup.py b/ipalib/plugins/netgroup.py
index 3e45fcc7c317e5b139fb7092c9fc81ac603c387c..610eb02c398c98b3f11da0463a193bd232275bb4 100644
--- a/ipalib/plugins/netgroup.py
+++ b/ipalib/plugins/netgroup.py
@@ -95,7 +95,7 @@ class netgroup(LDAPObject):
 'memberhost': ('Member', '', 'no_'),
 }
 
-label = _('Net Groups')
+label = _('Netgroups')
 
 takes_params = (
 Str('cn',
-- 
1.7.3.5


[Freeipa-devel] [PATCH] admiyo-0201-reorder-user-search-columns

2011-02-22 Thread Adam Young


From 93e0a5af40c9c8fba358f82433e29eb550f708c9 Mon Sep 17 00:00:00 2001
From: Adam Young 
Date: Tue, 22 Feb 2011 13:03:02 -0500
Subject: [PATCH 201/203] reorder user search columns
 UXD found in testing that not having the clickable link as the left most column confused users.

---
 install/ui/user.js |2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/install/ui/user.js b/install/ui/user.js
index 66a1b8d15650b11062289bc06f773e2066446fda..0b7bef893aa5bac28101338d29813f5771a3ce44 100644
--- a/install/ui/user.js
+++ b/install/ui/user.js
@@ -30,8 +30,8 @@ IPA.entity_factories.user = function() {
 }).
 facet(
 IPA.search_facet().
-column({name:'cn'}).
 column({name:'uid'}).
+column({name:'cn'}).
 column({name:'uidnumber'}).
 column({name:'mail'}).
 column({name:'telephonenumber'}).
-- 
1.7.3.5


[Freeipa-devel] [PATCH] admiyo-0200-adder-dialogs-with-external

2011-02-22 Thread Adam Young

https://fedorahosted.org/freeipa/ticket/986
From c0af47af158ec9a30924f2571f8a1fef13c414ad Mon Sep 17 00:00:00 2001
From: Adam Young 
Date: Tue, 22 Feb 2011 12:58:26 -0500
Subject: [PATCH 200/203] adder dialogs with external
 made the styles for the internal and external classes match the styles
 for available.

---
 install/ui/ipa.css |   13 -
 1 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/install/ui/ipa.css b/install/ui/ipa.css
index 44643f7d47a57225bf59baf2b215d0776f30bea2..a9004c9f34965d077e17b6508f0001c5d6417f38 100644
--- a/install/ui/ipa.css
+++ b/install/ui/ipa.css
@@ -944,19 +944,22 @@ table.scrollable tbody {
 }
 
 .adder-dialog-internal {
-border: 1px solid black;
+background-color: #ff;
+border: none;
 position: absolute;
 top: 0;
 left: 0;
-bottom: 4.5em;
-width: 25em;
+bottom: 0;
+width: 23em;
+padding-top: 1em;
+
 }
 
 .adder-dialog-external {
-border: 1px solid black;
+border: none;
 position: absolute;
 left: 0;
 bottom: 0;
-width: 25em;
+width: 23em;
 height: 4em;
 }
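Review bot: `background-color: #ff;` in .adder-dialog-internal is not a valid colour value, since a hex colour needs three or six digits, so browsers drop the declaration and the background stays whatever it inherits. If white is intended, write `#fff` or `#ffffff`. The empty line added before the closing brace of the same rule can go as well.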
-- 
1.7.3.5


[Freeipa-devel] [PATCH] admiyo-0202-move-expand-and-collapse-all-to-the-right-hand-side

2011-02-22 Thread Adam Young


From ad998f2c36c48ae2bd9ea37cf10b755167b53bec Mon Sep 17 00:00:00 2001
From: Adam Young 
Date: Tue, 22 Feb 2011 13:09:14 -0500
Subject: [PATCH 202/203] move expand and collapse all to the right hand side

---
 install/ui/details.js |4 +++-
 install/ui/ipa.css|5 +
 2 files changed, 8 insertions(+), 1 deletions(-)

diff --git a/install/ui/details.js b/install/ui/details.js
index f579fb612d4cb21edf582f86a4f7f220bee857f3..0a4146498eda567350747400dabe2afb2c5a392d 100644
--- a/install/ui/details.js
+++ b/install/ui/details.js
@@ -367,13 +367,15 @@ IPA.details_facet = function(spec) {
 name: 'expand_all',
 href: 'expand_all',
 text: 'Expand All',
+'class': 'expand-collapse-all',
 style: 'display: none;'
 }).appendTo(details);
 
 $('', {
 name: 'collapse_all',
 href: 'collapse_all',
-text: 'Collapse All'
+text: 'Collapse All',
+'class': 'expand-collapse-all'
 }).appendTo(details);
 
 details.append('');
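Review bot: the `text: 'Expand All'` and `text: 'Collapse All'` values on the two links edited in this hunk are still literal English strings. Since both link definitions are being touched anyway, take the labels from IPA.messages so they are translated like the dialog buttons.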
diff --git a/install/ui/ipa.css b/install/ui/ipa.css
index a9004c9f34965d077e17b6508f0001c5d6417f38..56e5c2507b044e51bd31ee4dff1d971cb292d655 100644
--- a/install/ui/ipa.css
+++ b/install/ui/ipa.css
@@ -963,3 +963,8 @@ table.scrollable tbody {
 width: 23em;
 height: 4em;
 }
+
+.expand-collapse-all {
+float: right;
+padding-right: 1.5em;
+}
\ No newline at end of file
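Review bot: the new .expand-collapse-all rule leaves ipa.css without a trailing newline, as the "\ No newline at end of file" marker shows. End the file with a newline so the next patch that appends to ipa.css does not have to rewrite this closing brace.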
-- 
1.7.3.5


[Freeipa-devel] [PATCH] admiyo-0203-Space-above-line-in-table-footer.

2011-02-22 Thread Adam Young


From a32b182bf83fdf9aab71aec325628d5a589b3f87 Mon Sep 17 00:00:00 2001
From: Adam Young 
Date: Tue, 22 Feb 2011 13:16:59 -0500
Subject: [PATCH 203/203] Space above line in table footer

---
 install/ui/ipa.css |1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/install/ui/ipa.css b/install/ui/ipa.css
index 56e5c2507b044e51bd31ee4dff1d971cb292d655..80f347d7125c6475499cf01593433acf289c6d6d 100644
--- a/install/ui/ipa.css
+++ b/install/ui/ipa.css
@@ -789,6 +789,7 @@ a.action-button-disabled {
 
 .search-table tfoot tr td span{
 border-top: 1px solid #dfdfdf;
+margin-top: 1em;
 padding: 0.9em 0 0 1em;
 display: block;
 }
-- 
1.7.3.5


Re: [Freeipa-devel] [PATCH] 111 Fixed error dialog box.

2011-02-22 Thread Adam Young

On 02/21/2011 05:29 PM, Endi Sukma Dewata wrote:

The IPA.cmd() has been modified to set the error dialog box's title
properly.



ACK.  Pushed to master

[Freeipa-devel] [PATCH] 739 update permission help text

2011-02-22 Thread Rob Crittenden
Based on feedback from David here is a hopefully clearer description of 
permissions.


ticket 996

rob


freeipa-rcrit-739-permission.patch
Description: application/mbox

Re: [Freeipa-devel] [PATCH] Don't load the LDAP schema during startup

2011-02-22 Thread Jan Zelený
Rob Crittenden  wrote:
> Jan Zelený wrote:
> > Loading of the schema is now performed in the first request that requires
> > it.
> > 
> > https://fedorahosted.org/freeipa/ticket/583
> > 
> > Jan
> 
> We still need to enforce that we get the schema, some low-level
> functions depend on it. Also, if the UI doesn't get its aciattrs (which
> are derived from the schema) then nothing will be editable.
> 
> I'm getting this backtrace if I force no schema by disabling get_schema:

Ok, I'm sending new version, it should handle these exceptions better and the 
operation should fail if it needs the schema and the schema is not available 
for some reason.

-- 
Thank you
Jan Zeleny

Red Hat Software Engineer
Brno, Czech Republic
From 5ef34748ad1b2d055c86e6674f060d78ad2f8f5f Mon Sep 17 00:00:00 2001
From: Jan Zeleny 
Date: Tue, 15 Feb 2011 09:37:58 +0100
Subject: [PATCH] Don't load the LDAP schema during startup

https://fedorahosted.org/freeipa/ticket/583
---
 ipalib/encoder.py   |   11 +++--
 ipalib/plugins/baseldap.py  |6 ++-
 ipaserver/install/dsinstance.py |2 +-
 ipaserver/plugins/ldap2.py  |   79 ++
 4 files changed, 67 insertions(+), 31 deletions(-)

diff --git a/ipalib/encoder.py b/ipalib/encoder.py
index f23e5659e848d37db1072ff59aa7e11796b0836c..1874d903aa0dc2a8c9ee1497164b9d418457c82a 100644
--- a/ipalib/encoder.py
+++ b/ipalib/encoder.py
@@ -56,11 +56,12 @@ class Encoder(object):
 self.encoder_settings = EncoderSettings()
 
 def _decode_dict_val(self, key, val):
-f = self.encoder_settings.decode_dict_vals_table.get(
-self.encoder_settings.decode_dict_vals_table_keygen(key, val)
-)
+key = self.encoder_settings.decode_dict_vals_table_keygen(key, val)
+if key is None:
+return None
+f = self.encoder_settings.decode_dict_vals_table.get(key)
 if f:
-return val
+return f(val)
 return self.decode(val)
 
 def encode(self, var):
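Review bot: `_decode_dict_val` now returns None when the keygen returns None, but None is also a value a decoder can legitimately produce, and the caller in the next hunk treats any None as failure; raise a dedicated exception or return a sentinel instead. The switch from `return val` to `return f(val)` changes the result for every key found in decode_dict_vals_table and deserves a line in the commit message, and reusing the parameter name `key` for the generated table key makes the function harder to follow.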
@@ -155,6 +156,8 @@ class Encoder(object):
 self.encoder_settings.decode_postprocessor = lambda x: x
 for (k, v) in dct.iteritems():
 dct[k] = self._decode_dict_val(k, v)
+if dct[k] is None:
+return None
 if not self.encoder_settings.decode_dict_vals_postprocess:
 self.encoder_settings.decode_postprocessor = tmp
 return dct
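Review bot: the early `return None` inside the loop skips the `self.encoder_settings.decode_postprocessor = tmp` restore just below it, so after one failed value the encoder keeps the identity postprocessor installed above the loop for every later call. It also leaves `dct` half-decoded, because earlier keys were already overwritten in place. Restore the postprocessor in a try/finally and build the result in a new dict.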
diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py
index 3cb72d7b09cc8c8a77bd4e594660ee376d668013..8866c2f6f1c84b9b5b785562db34b82481a52fb9 100644
--- a/ipalib/plugins/baseldap.py
+++ b/ipalib/plugins/baseldap.py
@@ -394,7 +394,11 @@ class LDAPObject(Object):
 objectclasses += self.possible_objectclasses
 # Get list of available attributes for this object for use
 # in the ACI UI.
-attrs = self.api.Backend.ldap2.schema.attribute_types(objectclasses)
+schema = self.api.Backend.ldap2.get_schema()
+if not schema:
+attrs = []
+else:
+attrs = schema.attribute_types(objectclasses)
 attrlist = []
 # Go through the MUST first
 for (oid, attr) in attrs[0].iteritems():
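Review bot: when `get_schema()` returns nothing, `attrs` is set to `[]`, but the unchanged loop right after it reads `attrs[0].iteritems()`, which raises IndexError on an empty list. Use a pair of empty dicts for the no-schema case, or skip the attribute loops entirely and make the missing schema visible to the caller.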
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 2544e167bdff28c13201c5371070ab729ca84b67..c2081700bb7348f4db7e3467f64d040effd07cbe 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -133,7 +133,7 @@ def has_managed_entries(host_name, dm_password):
 conn = ldap2(shared_instance=False, ldap_uri=ldapuri, base_dn='cn=config')
 conn.connect(bind_dn='cn=Directory Manager', bind_pw=dm_password)
 (dn, attrs) = conn.get_entry('cn=Managed Entries,cn=plugins',
-  ['*'], time_limit=2, size_limit=3000)
+  ['*'], time_limit=2, size_limit=3000, override=True)
 return True
 except errors.NotFound:
 return False
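Review bot: `override=True` on this get_entry() call gives no hint of what is being overridden, and nothing in this hunk documents it. Name the argument after its effect and describe it in get_entry()'s docstring, since callers in the installer will copy this line.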
diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py
index d1e31f5e6eff20cd162c0a11eb4e4404b43ae4b2..3ef076a3dd0c92422bea8fdd29b01e8e311be8ae 100644
--- a/ipaserver/plugins/ldap2.py
+++ b/ipaserver/plugins/ldap2.py
@@ -184,12 +184,6 @@ def get_schema(url, conn=None):
 
 return _ldap.schema.SubSchema(schema_entry[1])
 
-# cache schema when importing module
-try:
-_schema = get_schema(api.env.ldap_uri)
-except AttributeError:
-_schema = None
-
 # The UPG setting will be cached the first time a module checks it
 _upg = None
 
@@ -229,7 +223,6 @@ class ldap2(CrudBackend, Encoder):
 
 def __init__(self, shared_instance=True, ldap_uri=None, base_dn=None,
  schema=None):
-global _schema
 CrudBackend.__init__(self, shared_instance=shared_instance)
 Encoder.__init__(self)
 self.encoder_settings.encode_dict_keys = True
@@ -249,7 +242,7 @@ class ldap2(CrudBacken

Re: [Freeipa-devel] [PATCH] 112 I18n update for dialog box buttons.

2011-02-22 Thread Adam Young

On 02/22/2011 12:28 PM, Endi Sukma Dewata wrote:

https://fedorahosted.org/freeipa/ticket/899



ACK.  Pushed to master

Re: [Freeipa-devel] Localization patches.

2011-02-22 Thread Rob Crittenden

Pavel Zůna wrote:

On 2011-02-17 22:52, Rob Crittenden wrote:

Pavel Zůna wrote:

On 2011-02-17 05:09, Rob Crittenden wrote:

Pavel Zůna wrote:

My efforts in fixing localization all around the framework and
preparing
it for localizing docstrings have resulted in a lot of patches.
Because
I understand they have become a bit hard to track, I decided to post
them all together in this thread to make review easier.

After this is committed, there will be one more patch that switches
xgettext for pygettext. Then hopefully, we'll be pretty much set
when it
comes to i18n.

Pavel


Patch 81 isn't applying for me.

Help is not working for me either, this is due to patch 80.

$ ipa help user
ipa: ERROR: NameError: global name '_' is not defined
Traceback (most recent call last):
File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 1087, in
run
api.finalize()
File "/home/rcrit/redhat/freeipa-version/ipalib/plugable.py", line 619,
in finalize
plugin_iter(base, (magic[k] for k in magic))
File "/home/rcrit/redhat/freeipa-version/ipalib/base.py", line 397, in
__init__
sorted(members, key=lambda m: getattr(m, name_attr))
File "/home/rcrit/redhat/freeipa-version/ipalib/plugable.py", line 608,
in plugin_iter
plugins[klass] = PluginInstance(klass)
File "/home/rcrit/redhat/freeipa-version/ipalib/plugable.py", line 585,
in __init__
self.instance = klass()
File "/home/rcrit/redhat/freeipa-version/ipalib/plugable.py", line 184,
in __init__
self.doc = _(inspect.getdoc(cls))
NameError: global name '_' is not defined
ipa: ERROR: an internal error has occurred

Patches 69, 71 and 73 are still working fine.

What is switching from xgettext to pygettext going to do?


This was answered by John Dennis: xgettext doesn't parse python
docstrings.



rob


Rebased version of 81 attached. It should also fix the traceback you're
getting.

Pavel


Something is still not working. I'm having a hard time reproducing how I
got this but with LANG=es_US.UTF-8 for a while I was getting this with
every ipa user-* request:

ipa: ERROR: UnicodeEncodeError: 'ascii' codec can't encode character
u'\xf1' in position 20: ordinal not in range(128)
Traceback (most recent call last):
File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 1090, in
run
sys.exit(api.Backend.cli.run(argv))
File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 917, in run
rv = cmd.output_for_cli(self.api.Backend.textui, result, *args,
**options)
File "/home/rcrit/redhat/freeipa-version/ipalib/frontend.py", line 953,
in output_for_cli
textui.print_entries(result, order, labels, flags, print_all)
File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 346, in
print_entries
self.print_entry(entry, order, labels, flags, print_all, format, indent)
File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 378, in
print_entry
label, value, format, indent, one_value_per_line
File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 309, in
print_attribute
self.print_indented(format % (attr, text[0]), indent)
File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 232, in
print_indented
print (CLI_TAB * indent + text)
UnicodeEncodeError: 'ascii' codec can't encode character u'\xf1' in
position 20: ordinal not in range(128)
ipa: ERROR: ha ocurrido un error interno

I think it is blowing up on this user:

User login: jose
First name: Jose
Last name: contraseñas
Home directory: /home/jose
Login shell: /bin/sh
Account disabled: TRUE
Member of groups: ipausers

Then all of a sudden things started working fine, so I'm not sure what's
going on.

Is this traceback meaningful to you?

rob


This looks like a bug in the textui backend.

You get this error when you do something like this:

 >>> a = u'\xf1'
 >>> a.decode('utf-8')
Traceback (most recent call last):
File "", line 1, in 
File "/usr/lib/python2.6/encodings/utf_8.py", line 16, in decode
return codecs.utf_8_decode(input, errors, True)
UnicodeEncodeError: 'ascii' codec can't encode character u'\xf1' in
position 0: ordinal not in range(128)

It means we're not handling encoding/decoding from/to the CLI right
somewhere.

The character \xf1 corresponds to the small N with tilde in Jose's last
name.

I'm going to look into it, but I don't think it's related to the
localization patches.

Pavel


I'm seeing 2 test failures:


==
FAIL: Test the `ipalib.plugable.Plugin.__init__` method.
--
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/nose/case.py", line 186, in 
runTest

self.test(*self.arg)
  File 
"/home/rcrit/redhat/freeipa-tests/tests/test_ipalib/test_plugable.py", 
line 237, in test_init

assert o.summary == 'Do sub-classy things.'
AssertionError

==
FAIL: Test gettext translation
--
Traceback (m

Re: [Freeipa-devel] [PATCH] admiyo-0202-move-expand-and-collapse-all-to-the-right-hand-side

2011-02-22 Thread Endi Sukma Dewata

On 2/22/2011 12:23 PM, Adam Young wrote:




ACK and pushed to master.

--
Endi S. Dewata



Re: [Freeipa-devel] [PATCH] admiyo-0199-Net-group-to-Netgroup

2011-02-22 Thread Endi Sukma Dewata

On 2/22/2011 12:20 PM, Adam Young wrote:




ACK and pushed to master.

--
Endi S. Dewata



Re: [Freeipa-devel] [PATCH] admiyo-0203-Space-above-line-in-table-footer.

2011-02-22 Thread Endi Sukma Dewata

On 2/22/2011 12:23 PM, Adam Young wrote:




ACK and pushed to master.

--
Endi S. Dewata



Re: [Freeipa-devel] [PATCH] admiyo-0200-adder-dialogs-with-external

2011-02-22 Thread Endi Sukma Dewata

On 2/22/2011 12:21 PM, Adam Young wrote:

https://fedorahosted.org/freeipa/ticket/986


ACK and pushed to master.

--
Endi S. Dewata



Re: [Freeipa-devel] [PATCH] admiyo-0201-reorder-user-search-columns

2011-02-22 Thread Endi Sukma Dewata

On 2/22/2011 12:22 PM, Adam Young wrote:




ACK and pushed to master.

--
Endi S. Dewata



Re: [Freeipa-devel] [PATCH] 739 update permission help text

2011-02-22 Thread Jakub Hrozek
On Tue, Feb 22, 2011 at 01:38:11PM -0500, Rob Crittenden wrote:
> Based on feedback from David here is a hopefully clearer description
> of permissions.
> 
> ticket 996
> 
> rob

I think you sent a wrong patch, this is the default.conf manpage one.



Re: [Freeipa-devel] [PATCH] Don't load the LDAP schema during startup

2011-02-22 Thread Rob Crittenden

Jan Zelený wrote:

Rob Crittenden  wrote:

Jan Zelený wrote:

Loading of the schema is now performed in the first request that requires
it.

https://fedorahosted.org/freeipa/ticket/583

Jan


We still need to enforce that we get the schema, some low-level
functions depend on it. Also, if the UI doesn't get its aciattrs (which
are derived from the schema) then nothing will be editable.

I'm getting this backtrace if I force no schema by disabling get_schema:


Ok, I'm sending new version, it should handle these exceptions better and the
operation should fail if it needs the schema and the schema is not available
for some reason.



This breaks the XML-RPC server. I fixed one problem:
--- a/ipaserver/plugins/ldap2.py
+++ b/ipaserver/plugins/ldap2.py
@@ -253,9 +253,10 @@ class ldap2(CrudBackend, Encoder):

 def get_syntax(self, attr, value):
 if not self.schema:
-self.schema = get_schema(self.ldap_uri, self.conn)
-if not self.schema:
+schema = get_schema(self.ldap_uri, self.conn)
+if not schema:
 return None
+object.__setattr__(self, 'schema', schema)
 obj = self.schema.get_obj(_ldap.schema.AttributeType, attr)
 if obj is not None:
 return obj.syntax
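
Review bot: `object.__setattr__(self, 'schema', schema)` in get_syntax() sidesteps the class's own attribute handling with no comment saying why plain assignment fails here; add one, or give the class a small method that caches the schema so other lazy loaders do it the same way. get_syntax() also still returns None when the schema cannot be fetched, which a caller cannot tell apart from any other None result.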

But simple things like get_entry() return an InternalError now. I'm not 
sure where you were going by adding this.


rob



Re: [Freeipa-devel] [PATCH] 739 update permission help text

2011-02-22 Thread Rob Crittenden

Jakub Hrozek wrote:

On Tue, Feb 22, 2011 at 01:38:11PM -0500, Rob Crittenden wrote:

Based on feedback from David here is a hopefully clearer description
of permissions.

ticket 996

rob


I think you sent a wrong patch, this is the default.conf manpage one.


D'oh, here you go.

rob


freeipa-rcrit-739-permission.patch
Description: application/mbox
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 739 update permission help text

2011-02-22 Thread Jakub Hrozek
On Tue, Feb 22, 2011 at 03:24:01PM -0500, Rob Crittenden wrote:
> Jakub Hrozek wrote:
> >On Tue, Feb 22, 2011 at 01:38:11PM -0500, Rob Crittenden wrote:
> >>Based on feedback from David here is a hopefully clearer description
> >>of permissions.
> >>
> >>ticket 996
> >>
> >>rob
> >
> >I think you sent a wrong patch, this is the default.conf manpage one.
> 
> D'oh, here you go.
> 
> rob

I agree with the changes, but now I realized that davido mentioned
"privilege" not "permission". The privilege docstring contains the same
errors as permission, can you also copy the changes into
ipalib/plugins/privilege.py ?



Re: [Freeipa-devel] Localization patches.

2011-02-22 Thread Jakub Hrozek
On Tue, Feb 22, 2011 at 02:16:01PM -0500, Rob Crittenden wrote:
> Pavel Zůna wrote:
> >On 2011-02-17 22:52, Rob Crittenden wrote:
> >>Pavel Zůna wrote:
> >>>On 2011-02-17 05:09, Rob Crittenden wrote:
> >>>>Pavel Zůna wrote:
> >>>>>My efforts in fixing localization all around the framework and
> >>>>>preparing
> >>>>>it for localizing docstrings have resulted in a lot of patches.
> >>>>>Because
> >>>>>I understand they have become a bit hard to track, I decided to post
> >>>>>them all together in this thread to make review easier.
> >>>>>
> >>>>>After this is committed, there will be one more patch that switches
> >>>>>xgettext for pygettext. Then hopefully, we'll be pretty much set
> >>>>>when it
> >>>>>comes to i18n.
> >>>>>
> >>>>>Pavel
> >>>>
> >>>>Patch 81 isn't applying for me.
> >>>>
> >>>>Help is not working for me either, this is due to patch 80.
> >>>>
> >>>>$ ipa help user
> >>>>ipa: ERROR: NameError: global name '_' is not defined
> >>>>Traceback (most recent call last):
> >>>>File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 1087, in
> >>>>run
> >>>>api.finalize()
> >>>>File "/home/rcrit/redhat/freeipa-version/ipalib/plugable.py", line 619,
> >>>>in finalize
> >>>>plugin_iter(base, (magic[k] for k in magic))
> >>>>File "/home/rcrit/redhat/freeipa-version/ipalib/base.py", line 397, in
> >>>>__init__
> >>>>sorted(members, key=lambda m: getattr(m, name_attr))
> >>>>File "/home/rcrit/redhat/freeipa-version/ipalib/plugable.py", line 608,
> >>>>in plugin_iter
> >>>>plugins[klass] = PluginInstance(klass)
> >>>>File "/home/rcrit/redhat/freeipa-version/ipalib/plugable.py", line 585,
> >>>>in __init__
> >>>>self.instance = klass()
> >>>>File "/home/rcrit/redhat/freeipa-version/ipalib/plugable.py", line 184,
> >>>>in __init__
> >>>>self.doc = _(inspect.getdoc(cls))
> >>>>NameError: global name '_' is not defined
> >>>>ipa: ERROR: an internal error has occurred
> >>>>
> >>>>Patches 69, 71 and 73 are still working fine.
> >>>>
> >>>>What is switching from xgettext to pygettext going to do?
> >>>
> >>>This was answered by John Dennis: xgettext doesn't parse python
> >>>docstrings.
> >>>
> >>>>
> >>>>rob
> >>>
> >>>Rebased version of 81 attached. It should also fix the traceback you're
> >>>getting.
> >>>
> >>>Pavel
> >>
> >>Something is still not working. I'm having a hard time reproducing how I
> >>got this but with LANG=es_US.UTF-8 for a while I was getting this with
> >>every ipa user-* request:
> >>
> >>ipa: ERROR: UnicodeEncodeError: 'ascii' codec can't encode character
> >>u'\xf1' in position 20: ordinal not in range(128)
> >>Traceback (most recent call last):
> >>File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 1090, in
> >>run
> >>sys.exit(api.Backend.cli.run(argv))
> >>File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 917, in run
> >>rv = cmd.output_for_cli(self.api.Backend.textui, result, *args,
> >>**options)
> >>File "/home/rcrit/redhat/freeipa-version/ipalib/frontend.py", line 953,
> >>in output_for_cli
> >>textui.print_entries(result, order, labels, flags, print_all)
> >>File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 346, in
> >>print_entries
> >>self.print_entry(entry, order, labels, flags, print_all, format, indent)
> >>File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 378, in
> >>print_entry
> >>label, value, format, indent, one_value_per_line
> >>File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 309, in
> >>print_attribute
> >>self.print_indented(format % (attr, text[0]), indent)
> >>File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 232, in
> >>print_indented
> >>print (CLI_TAB * indent + text)
> >>UnicodeEncodeError: 'ascii' codec can't encode character u'\xf1' in
> >>position 20: ordinal not in range(128)
> >>ipa: ERROR: ha ocurrido un error interno
> >>
> >>I think it is blowing up on this user:
> >>
> >>User login: jose
> >>First name: Jose
> >>Last name: contraseñas
> >>Home directory: /home/jose
> >>Login shell: /bin/sh
> >>Account disabled: TRUE
> >>Member of groups: ipausers
> >>
> >>Then all of a sudden things started working fine, so I'm not sure what's
> >>going on.
> >>
> >>Is this traceback meaningful to you?
> >>
> >>rob
> >
> >This looks like a bug in the textui backend.
> >
> >You get this error when you do something like this:
> >
> > >>> a = u'\xf1'
> > >>> a.decode('utf-8')
> >Traceback (most recent call last):
> >File "<stdin>", line 1, in <module>
> >File "/usr/lib/python2.6/encodings/utf_8.py", line 16, in decode
> >return codecs.utf_8_decode(input, errors, True)
> >UnicodeEncodeError: 'ascii' codec can't encode character u'\xf1' in
> >position 0: ordinal not in range(128)
> >
> >It means we're not handling encoding/decoding from/to the CLI right
> >somewhere.
> >
> >The character \xf1 corresponds to the small N with tilde in Jose's last
> >name.
> >
> >I'm going to look into it, but I don't think it's related to the
> >localization patches.
> >
> >Pavel
> 
> I'm seeing 2 test failures:
> 
> 
> ==

Re: [Freeipa-devel] [PATCH] 739 update permission help text

2011-02-22 Thread Rob Crittenden

Jakub Hrozek wrote:
> On Tue, Feb 22, 2011 at 03:24:01PM -0500, Rob Crittenden wrote:
>> Jakub Hrozek wrote:
>>> On Tue, Feb 22, 2011 at 01:38:11PM -0500, Rob Crittenden wrote:
>>>> Based on feedback from David here is a hopefully clearer description
>>>> of permissions.
>>>>
>>>> ticket 996
>>>>
>>>> rob
>>>
>>> I think you sent a wrong patch, this is the default.conf manpage one.
>>
>> D'oh, here you go.
>>
>> rob
>
> I agree with the changes, but now I realized that davido mentioned
> "privilege" not "permission". The privilege docstring contains the same
> errors as permission, can you also copy the changes into
> ipalib/plugins/privilege.py ?

Good idea, updated patch attached.

rob


freeipa-rcrit-739-2-permission.patch
Description: application/mbox

Re: [Freeipa-devel] [PATCH] Use pygettext to generate translatable strings from plugin files.

2011-02-22 Thread Jakub Hrozek
On Mon, Feb 21, 2011 at 04:12:31PM +0100, Pavel Zůna wrote:
> This goes on top of my other localization patches!
> 
> This patch replaces xgettext with a custom pygettext to generate
> translatable strings from plugin files in ipalib/plugins. pygettext
> was modified to handle plural forms (credit goes to Jan Hendrik
> Goellner) and had some bugs fixed by myself. We only use it for
> plugins, because it's the only place where we need to extract
> docstrings for the built-in help system.
> 
> I also had to make some changes to the way the built-in
> documentation system gets docstrings from modules for this to work.
> 
> How to test?
> 
> 
> 1)
> First, apply all of the localization patches found in thread
> "Localization patches" on freeipa-devel. Then apply this patch.
> 
> 2)
> Regenerate your install/po/Makefile:
> - delete install/po/Makefile
> - run `./configure` in install
> 
> 3)
> Regenerate the pot and po files:
> - run `make update-pot` in install/po
> - run `make update-po` in install/po

I noticed that none of the .po files is regenerated when we run make
dist. Is that intentional? I think that all the released tarballs should
contain up-to-date translations.

> 
> 4)
> Make a change to one of the translations:
> - example: add translation to the ACI docstring
>   * find docstring for ACI in install/po/es.po
>   * change the corresponding msgstr "" to
> msgstr "\nBuenos dias, amigos!\n"
> 
> Note: if the translatable string begins with \n, the translation
> also needs to begin with \n. Same goes for ending.
> 
> 5)
> Install the modified translations:
> - run `make install` in install/po
> 
> Note: I had some problems with this and had to make rpms and install
> IPA from beginning for it to work. Looks like doing `make install`
> manually updates /usr/local/share/locale instead of
> /usr/share/locale, but maybe I just did something wrong.
> 

./configure --datadir=/usr/share

My buildscript contains a variation of "rpm -E %configure".
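
A check for the newline rule in the note under step 4, as an added example (not part of the patch or of pygettext): it reads singular `msgid`/`msgstr` pairs and reports translations that do not begin or end with `\n` when the original does. The `.po` fragment is constructed; only the "Buenos dias" string is from the post.

```python
import ast

# Constructed .po fragment. Only the "Buenos dias" msgstr comes from the post;
# the msgid texts are stand-ins for the real plugin docstrings.
SAMPLE_PO = r'''
msgid ""
"\n"
"Directory Server Access Control Instructions (ACIs)\n"
msgstr "\nBuenos dias, amigos!\n"

msgid "\nPermissions\n"
msgstr "Permisos\n"

msgid "Privileges\n"
msgstr ""
"Privilegios"

msgid "not translated yet\n"
msgstr ""
'''


def _unquote(line):
    """Decode the C-style double-quoted string that ends a .po line."""
    return ast.literal_eval(line[line.index('"'):])


def parse_po(text):
    """Return [(msgid, msgstr)] for singular entries, joining continuation lines."""
    entries, entry, field = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith('"'):  # continuation of the current field
            if field:
                entry[field] += _unquote(line)
            continue
        keyword = line.split(None, 1)[0]
        if keyword == "msgid":
            entry = {"msgid": _unquote(line), "msgstr": ""}
            entries.append(entry)
            field = "msgid"
        elif keyword == "msgstr" and entry is not None:
            entry["msgstr"] = _unquote(line)
            field = "msgstr"
        else:  # msgid_plural, msgstr[n], msgctxt: not checked here
            field = None
    return [(e["msgid"], e["msgstr"]) for e in entries]


def newline_mismatches(text):
    """(msgid, problem) for each translated entry whose msgstr does not begin
    or end with a newline exactly when its msgid does."""
    problems = []
    for msgid, msgstr in parse_po(text):
        if not msgid or not msgstr:  # header entry or untranslated: skip
            continue
        if msgid.startswith("\n") != msgstr.startswith("\n"):
            problems.append((msgid, "leading newline"))
        if msgid.endswith("\n") != msgstr.endswith("\n"):
            problems.append((msgid, "trailing newline"))
    return problems
```
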


[Freeipa-devel] [PATCH] admiyo-0204-split-logo

2011-02-22 Thread Adam Young


From b34ce11a9d9894edbb80fe4b2576f688249ff4a5 Mon Sep 17 00:00:00 2001
From: Adam Young 
Date: Tue, 22 Feb 2011 16:46:33 -0500
Subject: [PATCH] split logo
 This allows for more flexibility in customizing the site, as an end user can replace the logo, the banner or both

---
 install/ui/index.html|2 +-
 install/ui/ipabanner.png |  Bin 0 -> 668 bytes
 install/ui/ipalogo.png   |  Bin 2492 -> 1959 bytes
 3 files changed, 1 insertions(+), 1 deletions(-)
 create mode 100644 install/ui/ipabanner.png

diff --git a/install/ui/index.html b/install/ui/index.html
index e3205d69f5ae44b7b4da536fa8d0808a451dac53..7b6331148ca75facd78837135f37354c9e918f4c 100644
--- a/install/ui/index.html
+++ b/install/ui/index.html
@@ -51,7 +51,7 @@
   
 
   
-
+
   
   
 
diff --git a/install/ui/ipabanner.png b/install/ui/ipabanner.png
new file mode 100644
index ..56bea691bed75675f27dbfb6316cd8050f01ffa9
GIT binary patch
literal 668

literal 0
HcmV?d1

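Review bot: The new-file entry for install/ui/ipabanner.png has no counterpart in any build or packaging file: the diffstat lists only index.html and the two PNGs. If the UI files are installed from an explicit file list, ipabanner.png needs to be added to that list in this same commit, otherwise the banner the commit message describes will be missing from an installed system.
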
diff --git a/install/ui/ipalogo.png b/install/ui/ipalogo.png
index 62185c1b0e2ad9223a69a69e8cfd93a442b9f51d..2251193f05d46884f66e06a3b1d6347721ce0270 100644
GIT binary patch
literal 1959

literal 2492

Re: [Freeipa-devel] [PATCH] admiyo-0204-split-logo

2011-02-22 Thread Endi Sukma Dewata

On 2/22/2011 3:48 PM, Adam Young wrote:




ACK and pushed to master.

--
Endi S. Dewata



[Freeipa-devel] [PATCH] 113 Fixed buttons for DNS records.

2011-02-22 Thread Endi Sukma Dewata

The order of the Add and Delete buttons has been reversed to be
consistent with those in other facets.

--
Endi S. Dewata
From 77070192fec42b64697f8456d1303b6bf722d082 Mon Sep 17 00:00:00 2001
From: Endi S. Dewata 
Date: Tue, 22 Feb 2011 17:00:50 -0600
Subject: [PATCH] Fixed buttons for DNS records.

The order of the Add and Delete buttons has been reversed to be
consistent with those in other facets.
---
 install/ui/policy.js |   12 ++--
 1 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/install/ui/policy.js b/install/ui/policy.js
index c26dfc5c574cb4497f6afdb51e27ac233633ba41..c35696b617c3ff1e47688d9b643ea2d7190de84b 100644
--- a/install/ui/policy.js
+++ b/install/ui/policy.js
@@ -324,15 +324,15 @@ IPA.records_facet = function (spec){
 
 
 IPA.action_button({
-'label': IPA.messages.buttons.add,
-'icon': 'ui-icon-plus',
-'click': add_click
+label: IPA.messages.buttons.remove,
+icon: 'ui-icon-trash',
+click: function(){ delete_records(records_table); }
 }).appendTo(action_controls);
 
 IPA.action_button({
-'label': IPA.messages.buttons.remove,
-'icon': 'ui-icon-trash',
-'click': function(){delete_records(records_table);}
+label: IPA.messages.buttons.add,
+icon: 'ui-icon-plus',
+click: add_click
 }).appendTo(action_controls);
 
 div.append('');
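Review bot: Besides swapping the two IPA.action_button calls, this hunk also drops the quotes around the label, icon and click keys, which the commit message does not mention; note the style cleanup in the message or split it out so the reorder is easy to verify. The remove button still passes an inline function(){ delete_records(records_table); } while the add button passes the named add_click, so a named handler for remove would keep the two calls symmetrical.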
-- 
1.6.6.1


Re: [Freeipa-devel] [PATCH] 738 default.conf man page

2011-02-22 Thread David O'Brien

Rob Crittenden wrote:
> David O'Brien wrote:
>> Rob Crittenden wrote:
>>> Add a man page for the IPA configuration file default.conf.
>>>
>>> ticket 969
>>>
>>> rob
>>
>> NACK
>>
>> A few too many typos and other errors.
>>
>> "Spaces between the equals sign are ignored."
>> Do you mean, "Spaces surrounding equals signs are ignored."?
>>
>> +Specifies the base DN to use when performan LDAP operations.
>> performing
>>
>> +Specfies the secure CA agent port. The defauilt is 9443.
>> Specifies
>> default
>>
>> +Specifies the unsecure CA end user port. The default is 9190.
>> insecure
>>
>> "For example. if you want to always perform client requests in verbose
>> mode but do not want to have verbose enabled on the server add the
>> verbose option to \fI/etc/ipa/cli.conf\fR."
>> comma after "example", not a period.
>> add a comma after "enabled on the server"
>>
>> +Specifies whether the CA is acting is an RA agent,
>> as an RA agent
>>
>> "+Specifies the name of the CA backend to use. The current options are
>> \fBselfsign\fR and \fBdogtag\fR. This is a server\-side setting.
>> Changing this value is not recommended as the CA backend is only set up
>> during ininitial installation."
>> s/backend/back end/
>> s/selfsign/self-sign/
>> s/ininitial/initial/
>>
>> +Specifies the kerberos realm.
>> Kerberos
>>
>> "...and show the server(s) the client contacts."
>> s/server(s)/servers/
>>
>> +user IPA configurationf ile
>> configuration file
>>
>> "+Optional configuration files used in a particular context are. The
>> value of mode is used to attempt to load these files, if they exist:"
>> I'm not sure what this means
>
> Fixes applied.
>
> rob


+Specfies the secure CA agent port. The default is 9443.
Specifies

"Changing this value is not recommended as the CA backend is only set up 
during initial installation."

s/backend/back end/

"+Optional configuration files used in a particular context are. The 
value of the context setting (\fBcli\fR or \fBserver\fR) is used to 
attempt to load these files, if they exist:"


I still don't understand this. Bear in mind that I'm reading the raw 
patch; I haven't applied it or tried to format this as a man page. Maybe 
that would help.


Everything else is fine. ACK with those couple of fixes.

/dob
--

David O'Brien
Red Hat Asia Pacific Pty Ltd
+61 7 3514 8189


"He who asks is a fool for five minutes, but he who does not ask remains 
a fool forever."

 ~ Chinese proverb



Re: [Freeipa-devel] [PATCH] 739 update permission help text

2011-02-22 Thread David O'Brien

Rob Crittenden wrote:
> Jakub Hrozek wrote:
>> On Tue, Feb 22, 2011 at 03:24:01PM -0500, Rob Crittenden wrote:
>>> Jakub Hrozek wrote:
>>>> On Tue, Feb 22, 2011 at 01:38:11PM -0500, Rob Crittenden wrote:
>>>>> Based on feedback from David here is a hopefully clearer description
>>>>> of permissions.
>>>>>
>>>>> ticket 996
>>>>>
>>>>> rob
>>>>
>>>> I think you sent a wrong patch, this is the default.conf manpage one.
>>>
>>> D'oh, here you go.
>>>
>>> rob
>>
>> I agree with the changes, but now I realized that davido mentioned
>> "privilege" not "permission". The privilege docstring contains the same
>> errors as permission, can you also copy the changes into
>> ipalib/plugins/privilege.py ?
>
> Good idea, updated patch attached.
>
> rob



This is heaps better. ACK

--

David O'Brien
Red Hat Asia Pacific Pty Ltd
+61 7 3514 8189


"He who asks is a fool for five minutes, but he who does not ask remains 
a fool forever."

 ~ Chinese proverb



[Freeipa-devel] [PATCH] 20 Create default disabled sudo bind user

2011-02-22 Thread JR Aquino
This patch addresses ticket #998

It adds:

* ldif to create a default sudo bind user: dn: uid=sudo,cn=sysaccounts,cn=etc,$SUFFIX
* modifications to dsinstance.py to add the ldif
* modifications to dsinstance.py to add a call to ipautil.ipa_generate_password() for a random password. It is added to the sub_dict as 'RANDOM_PASSWORD'
* addition to the Makefile.am in install/share to account for the new ldif file

Documentation to follow will include:

the method of enabling the user with:
* LDAPTLS_CACERT=/etc/ipa/ca.crt /usr/bin/ldappasswd -S -W -h ipa.example.com -ZZ -D "cn=Directory Manager" uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com

* Configuring nss_ldap.conf for using this user as the binddn

* Help file for the ipa sudo command to reference the user and the written documentation.


freeipa-jraquino-0020-Create-default-disabled-sudo-bind-user.patch
Description: freeipa-jraquino-0020-Create-default-disabled-sudo-bind-user.patch
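
The substitution step the post describes, sketched as an added example (not code from the patch or from FreeIPA): a throwaway password is generated and filled into an LDIF template, and the render fails closed if a value could change how the LDIF is parsed. Python's `secrets` stands in for `ipautil.ipa_generate_password()`, and the attribute list in the template is an assumption; only the DN and the `SUFFIX` / `RANDOM_PASSWORD` keys come from the post.

```python
import re
import secrets
import string
from string import Template

# Constructed template. The DN and the SUFFIX / RANDOM_PASSWORD keys come from
# the post; the attribute list is an assumption, not the patch's LDIF file.
SUDOBIND_LDIF = Template("""\
dn: uid=sudo,cn=sysaccounts,cn=etc,$SUFFIX
changetype: add
objectclass: account
objectclass: simplesecurityobject
uid: sudo
userPassword: $RANDOM_PASSWORD
""")

# RFC 2849 SAFE-STRING: ASCII only, no NUL, CR or LF anywhere, and the first
# character may not be a space, ':' or '<'. Anything else needs the base64
# ("attr:: ") form, which a plain "attr: $VALUE" template line cannot express.
SAFE_STRING = re.compile(
    r"[\x01-\x09\x0b\x0c\x0e-\x1f\x21-\x39\x3b\x3d-\x7f]"
    r"[\x01-\x09\x0b\x0c\x0e-\x7f]*"
)
PASSWORD_ALPHABET = string.ascii_letters + string.digits  # all LDIF-safe


def generate_password(length=22):
    """Throwaway password from the OS CSPRNG (about 131 bits at 22 chars)."""
    return "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))


def is_ldif_safe(value):
    """True if value can follow 'attr: ' verbatim without changing the parse."""
    return bool(SAFE_STRING.fullmatch(value)) and not value.endswith(" ")


def render_sudobind(suffix, password=None):
    """Fill the template; fail closed on unsafe values or missing keys."""
    if password is None:
        password = generate_password()
    sub_dict = {"SUFFIX": suffix, "RANDOM_PASSWORD": password}
    for key, value in sub_dict.items():
        if not is_ldif_safe(value):
            raise ValueError("%s is not an LDIF SAFE-STRING" % key)
    # substitute() raises KeyError for any template key missing from sub_dict,
    # so an unfilled $PLACEHOLDER never reaches the directory as a value.
    return SUDOBIND_LDIF.substitute(sub_dict)


def parse_ldif_entry(text):
    """Minimal reader for unfolded 'attr: value' lines, used to check the result."""
    entry = {}
    for line in text.splitlines():
        attr, sep, value = line.partition(": ")
        if sep:
            entry.setdefault(attr, []).append(value)
    return entry
```
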