Re: [Freeipa-devel] [PATCH] 741 fix sudocmd membership
On 2/23/2011 4:13 PM, Rob Crittenden wrote:
> We weren't searching the cn=sudo container so all members of a sudocmdgroup looked indirect.
>
> Add a label for sudo command groups.
>
> Update the tests to include verifying that membership is done properly.
>
> ticket 1003

ACK and pushed to master.

--
Endi S. Dewata

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 742 Sudo command groups are not supposed to allow nesting
On 2/23/2011 4:50 PM, Rob Crittenden wrote:
> It was a design decision to now allow nesting sudo command groups, remove it.
>
> ticket 1004
>
> Updated patch attached. This is going to require an API change.

ACK and pushed to master.

--
Endi S. Dewata
[Freeipa-devel] [PATCH] 115 Fixed attribute for SUDO command group membership.
The correct attribute name for SUDO command group membership is memberof_sudocmdgroup and it contains the group name instead of dn. -- Endi S. Dewata From db1bb27fe8fd3f04ae976e2b0ab6444e033299d5 Mon Sep 17 00:00:00 2001 From: Endi S. Dewata Date: Wed, 23 Feb 2011 17:15:42 -0600 Subject: [PATCH] Fixed attribute for SUDO command group membership. The correct attribute name for SUDO command group membership is memberof_sudocmdgroup and it contains the group name instead of dn. --- install/ui/sudocmd.js |7 ++- 1 files changed, 2 insertions(+), 5 deletions(-) diff --git a/install/ui/sudocmd.js b/install/ui/sudocmd.js index b98f2d4dc9a33894cf69dd4df981437c7482bbf9..748ec4b8862aa94fd9346e3a155e44ed52f3f4ca 100644 --- a/install/ui/sudocmd.js +++ b/install/ui/sudocmd.js @@ -115,7 +115,7 @@ IPA.sudocmd_details_facet = function (spec) { that.add_section(section); var field = IPA.sudocmd_member_sudocmdgroup_table_widget({ -'name': 'memberof', +'name': 'memberof_sudocmdgroup', 'label': IPA.messages.objects.sudocmd.groups, 'other_entity': 'sudocmdgroup', 'save_values': false @@ -194,10 +194,7 @@ IPA.sudocmd_member_sudocmdgroup_table_widget = function (spec) { }); for (var i=0; i___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
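Review bot: In the first hunk (@@ -115,7 +115,7 @@) the widget's 'name' moves from 'memberof' to 'memberof_sudocmdgroup', and the commit message says that attribute carries group names rather than DNs, so the widget's loading code must no longer try to extract a cn from a DN; nothing else in this hunk changes, and the second hunk (@@ -194,10 +194,7 @@, cut off in this archive right after `for (var i=0; i`) is where that removal has to live, so please confirm it is there and that the 'other_entity': 'sudocmdgroup' lookup still resolves each plain name. A unit test under install/ui/test that loads a sudocmd record with memberof_sudocmdgroup set and checks the rendered rows would pin this down.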
Re: [Freeipa-devel] [PATCH] 78 Use ldapi: instead of unsecured ldap: in ipa core tools.
On Wed, 23 Feb 2011 23:41:33 +0100 Pavel Zůna wrote:

> On 2011-02-15 16:36, JR Aquino wrote:
> > On 2/15/11 6:52 AM, "Simo Sorce" wrote:
> >
> >> On Tue, 15 Feb 2011 15:19:50 +0100 Pavel Zuna wrote:
> >>
> >>> I can't reproduce this. :-/
> >>>
> >>> For me it goes fine:
> >>>
> >>> [root@ipadev tools]# ./ipa-nis-manage enable
> >>> Directory Manager password:
> >>>
> >>> Enabling plugin
> >>> This setting will not take effect until you restart Directory Server. The rpcbind service may need to be started.
> >>
> >> Pavel,
> >> Jr has set the minimum ssf to a non default value to test a configuration in which all communications are required to be encrypted. That's why you can't reproduce with the vanilla configuration.
> >>
> >> We want to support that mode although it won't be the default, so we need to fix any issue that causes that configuration to break (ie all non-encrypted/non-ldapi connections).
> >>
> >> Simo.
> >>
> >> --
> >> Simo Sorce * Red Hat, Inc * New York
> >
> > The best way to do this is:
> >
> > -=-
> > service ipa stop
> > Edit /etc/dirsrv/slapd-DOMAIN/dse.ldif
> >
> > Change:
> > nsslapd-minssf: 0
> >
> > To:
> > nsslapd-minssf: 56 <- 56 is chosen because SASL communicates a 56bit handshake even though we utilize a much stronger cipher... (It is a known bug/feature)
> >
> > service ipa start
>
> I tried to use the LDAPUpdate class (ipaserver/install/ldapupdate.py) with ldapi=True, but it raises a NotFound exception when trying to call IPAdmin.do_external_bind() (ipaserver/ipaldap.py). This exception originates in IPAdmin.__lateinit() when trying to retrieve this
>
> cn=config,cn=ldbm database,cn=plugins,cn=config
>
> For some reason it looks like this entry is inaccessible when doing a SASL EXTERNAL bind as root.
>
> I can retrieve the entry as "cn=directory manager":
>
> [root@vm-090 freeipa]# ldapsearch -D "cn=directory manager" -W -H ldapi://%2fvar%2frun%2fslapd-IDM-LAB-BOS-REDHAT-COM.socket -b "cn=config,cn=ldbm database,cn=plugins,cn=config" -s one
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base with scope oneLevel
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # default indexes, config, ldbm database, plugins, config
> dn: cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
> objectClass: top
> objectClass: extensibleObject
> cn: default indexes
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
> but not as root:
>
> [root@vm-090 freeipa]# ldapsearch -Y EXTERNAL -H ldapi://%2fvar%2frun%2fslapd-IDM-LAB-BOS-REDHAT-COM.socket -b "cn=config"
> SASL/EXTERNAL authentication started
> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> SASL SSF: 0
> # extended LDIF
> #
> # LDAPv3
> # base with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # SNMP, config
> dn: cn=SNMP,cn=config
> objectClass: top
> objectClass: nsSNMP
> cn: SNMP
> nsSNMPEnabled: on
>
> # 2.16.840.1.113730.3.4.9, features, config
> dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
> objectClass: top
> objectClass: directoryServerFeature
> oid: 2.16.840.1.113730.3.4.9
> cn: VLV Request Control
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 3
> # numEntries: 2
>
> I'm not sure what the problem is, I tried setting different SASL security properties, but nothing helped. :( Next step is to analyze DS logs, but before I do that, I wanted to ask if anyone has any tips on what the solution might be.

We have very strict ACIs when using EXTERNAL SASL as root.
Is there any reason you need to operate as root? You can also authenticate with SIMPLE (Dir MGr credentials), or SASL/GSSAPI if you have credentials.

If you need to run unattended as root then we may need to make root+SASL/EXTERNAL more powerful but I'd like to understand exactly why you need that and can't use regular authentication with DirMgr or GSSAPI credentials.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-devel] Localization patches.
On 2011-02-23 20:26, Rob Crittenden wrote:
> Pavel Zůna wrote:
>> Rebased patch 81 and 83 (pygettext). Created a new patch to fix these latest test failures - it was easier than doing a complex rebase.
>>
>> All latest versions of localization patches are attached to this email for review. I tried to apply them on a clean master clone, build RPMs, installed and run all unit tests. So hopefully, we're finally going to get this in. :)
>>
>> Pavel
>
> I don't understand some of these (and past changes):
>
> - Updated patch 83-2 just changes the commit message slightly

I rebased everything, generated new patches and did a diff to see if anything has changed. This patch had differences in line numbers, so I decided to make a new one, just to make sure it applies cleanly on master.

> - Patch 84 comments out several lines in the tests. There isn't any explanation what these changes do and why they are needed. It seems to be disabling a confirmation that changing locale works.

It comments out parts that test the deprecated code removed by patch 69. I probably should have removed the lines completely, but wanted to keep them for reference - guess there's no point really.

We no longer setup languages in the code, but rather get them from what is passed from the terminal OR from what is requested over XML-RPC. All localization code that uses the context thread local variable doesn't work anyway - that's why the tests were failing.

> - Patch 82 drops a bunch of the old ugettext code which is fine, but I think one of the purposes was to make sure that translation was occurring.
>
> - Patch 82 in test_text.py changing the languages is removed. Are we really exercising this code?

Same deal as 84.

> rob

Pavel
Re: [Freeipa-devel] [PATCH] 742 Sudo command groups are not supposed to allow nesting
Rob Crittenden wrote:
> It was a design decision to now allow nesting sudo command groups, remove it.
>
> ticket 1004
>
> rob

Updated patch attached. This is going to require an API change.

rob

freeipa-rcrit-742-2-sudocmdgroup.patch
Description: application/mbox
Re: [Freeipa-devel] [PATCH] 78 Use ldapi: instead of unsecured ldap: in ipa core tools.
On 2011-02-15 16:36, JR Aquino wrote:
> On 2/15/11 6:52 AM, "Simo Sorce" wrote:
>
>> On Tue, 15 Feb 2011 15:19:50 +0100 Pavel Zuna wrote:
>>
>>> I can't reproduce this. :-/
>>>
>>> For me it goes fine:
>>>
>>> [root@ipadev tools]# ./ipa-nis-manage enable
>>> Directory Manager password:
>>>
>>> Enabling plugin
>>> This setting will not take effect until you restart Directory Server. The rpcbind service may need to be started.
>>
>> Pavel,
>> Jr has set the minimum ssf to a non default value to test a configuration in which all communications are required to be encrypted. That's why you can't reproduce with the vanilla configuration.
>>
>> We want to support that mode although it won't be the default, so we need to fix any issue that causes that configuration to break (ie all non-encrypted/non-ldapi connections).
>>
>> Simo.
>>
>> --
>> Simo Sorce * Red Hat, Inc * New York
>
> The best way to do this is:
>
> -=-
> service ipa stop
> Edit /etc/dirsrv/slapd-DOMAIN/dse.ldif
>
> Change:
> nsslapd-minssf: 0
>
> To:
> nsslapd-minssf: 56 <- 56 is chosen because SASL communicates a 56bit handshake even though we utilize a much stronger cipher... (It is a known bug/feature)
>
> service ipa start

I tried to use the LDAPUpdate class (ipaserver/install/ldapupdate.py) with ldapi=True, but it raises a NotFound exception when trying to call IPAdmin.do_external_bind() (ipaserver/ipaldap.py). This exception originates in IPAdmin.__lateinit() when trying to retrieve this

cn=config,cn=ldbm database,cn=plugins,cn=config

For some reason it looks like this entry is inaccessible when doing a SASL EXTERNAL bind as root.

I can retrieve the entry as "cn=directory manager":

[root@vm-090 freeipa]# ldapsearch -D "cn=directory manager" -W -H ldapi://%2fvar%2frun%2fslapd-IDM-LAB-BOS-REDHAT-COM.socket -b "cn=config,cn=ldbm database,cn=plugins,cn=config" -s one
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base with scope oneLevel
# filter: (objectclass=*)
# requesting: ALL
#

# default indexes, config, ldbm database, plugins, config
dn: cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: default indexes

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

but not as root:

[root@vm-090 freeipa]# ldapsearch -Y EXTERNAL -H ldapi://%2fvar%2frun%2fslapd-IDM-LAB-BOS-REDHAT-COM.socket -b "cn=config"
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# SNMP, config
dn: cn=SNMP,cn=config
objectClass: top
objectClass: nsSNMP
cn: SNMP
nsSNMPEnabled: on

# 2.16.840.1.113730.3.4.9, features, config
dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
objectClass: top
objectClass: directoryServerFeature
oid: 2.16.840.1.113730.3.4.9
cn: VLV Request Control

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2

I'm not sure what the problem is, I tried setting different SASL security properties, but nothing helped. :( Next step is to analyze DS logs, but before I do that, I wanted to ask if anyone has any tips on what the solution might be.

Pavel
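An added example, not code from this thread or from FreeIPA: a small Python helper that applies the advice Simo gives in his reply earlier in this archive (prefer ldapi://, and bind as Directory Manager or with GSSAPI rather than relying on root + SASL/EXTERNAL, whose peercred identity only gets strict ACIs) and that refuses cleartext ldap:// outright, which is what a server with nsslapd-minssf above 0 would do anyway. The function names and the `minssf` argument are my assumptions; the python-ldap calls in `perform_bind()` are real but that function needs a live server, so the planning helpers work without python-ldap installed.

```python
"""Added example (not FreeIPA code): planning an LDAP bind under nsslapd-minssf."""
from urllib.parse import quote, urlsplit

try:                       # python-ldap is optional; only perform_bind() needs it
    import ldap
    import ldap.sasl
except ImportError:
    ldap = None

# SASL username 389-ds reports for a root peercred bind (taken from the thread)
ROOT_EXTERNAL_ID = "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"


def ldapi_uri(socket_path):
    """Percent-encode a socket path into an ldapi:// URI, e.g.
    /var/run/slapd-X.socket -> ldapi://%2fvar%2frun%2fslapd-X.socket"""
    return "ldapi://" + quote(socket_path, safe="").replace("%2F", "%2f")


def plan_bind(uri, minssf=0, dm_password=None, have_kerberos=False):
    """Choose a bind mechanism for `uri` against a server whose
    nsslapd-minssf is `minssf` (assumed to be read from dse.ldif).

    Returns {'mechanism', 'who', 'note'} or raises ValueError when the
    server (or this policy) would refuse the transport.
    """
    scheme = urlsplit(uri).scheme
    if scheme not in ("ldap", "ldaps", "ldapi"):
        raise ValueError("unsupported scheme: %r" % scheme)
    if scheme == "ldap":
        # Cleartext: rejected by the server once minssf > 0, and even at
        # minssf 0 it would carry credentials unprotected.
        raise ValueError("cleartext ldap:// refused (nsslapd-minssf=%d); "
                         "use ldapi:// or ldaps://" % minssf)
    if dm_password is not None:
        return {"mechanism": "SIMPLE", "who": "cn=directory manager",
                "note": "full directory access"}
    if have_kerberos:
        return {"mechanism": "GSSAPI", "who": None,
                "note": "access limited to the principal's ACIs"}
    if scheme == "ldapi":
        return {"mechanism": "EXTERNAL", "who": ROOT_EXTERNAL_ID,
                "note": "strict ACIs: entries such as "
                        "cn=config,cn=ldbm database,cn=plugins,cn=config "
                        "may be unreadable"}
    raise ValueError("no credentials available for %s" % uri)


def perform_bind(uri, plan, dm_password=None):
    """Open `uri` and bind as planned; requires python-ldap and a server."""
    if ldap is None:
        raise RuntimeError("python-ldap is not installed")
    conn = ldap.initialize(uri)
    if plan["mechanism"] == "SIMPLE":
        conn.simple_bind_s(plan["who"], dm_password)
    elif plan["mechanism"] == "GSSAPI":
        conn.sasl_interactive_bind_s("", ldap.sasl.gssapi())
    else:
        conn.sasl_interactive_bind_s("", ldap.sasl.external())
    return conn


if __name__ == "__main__":
    uri = ldapi_uri("/var/run/slapd-IDM-LAB-BOS-REDHAT-COM.socket")
    print(uri)
    print(plan_bind(uri, minssf=56))                    # EXTERNAL, restricted ACIs
    print(plan_bind(uri, minssf=56, dm_password="x"))   # SIMPLE as Directory Manager
```

`plan_bind()` deliberately separates the decision from the network call so the policy (no cleartext, DM or GSSAPI before peercred) can be unit-tested without a directory server; `perform_bind()` is the only part that touches python-ldap.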
Re: [Freeipa-devel] [PATCH] 742 Sudo command groups are not supposed to allow nesting
On 02/23/2011 05:15 PM, Rob Crittenden wrote:
> It was a design decision to now allow nesting sudo command groups, remove it.

*Not* allow, right?

> ticket 1004
>
> rob

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
[Freeipa-devel] [PATCH] 742 Sudo command groups are not supposed to allow nesting
It was a design decision to now allow nesting sudo command groups, remove it.

ticket 1004

rob

freeipa-rcrit-742-sudocmdgroup.patch
Description: application/mbox
[Freeipa-devel] [PATCH] 741 fix sudocmd membership
We weren't searching the cn=sudo container so all members of a sudocmdgroup looked indirect.

Add a label for sudo command groups.

Update the tests to include verifying that membership is done properly.

ticket 1003

rob

freeipa-rcrit-741-sudocmd.patch
Description: application/mbox
[Freeipa-devel] [PATCH] 114 Save changes before modifying association.
In a details page, usually any changes done to the fields will not be applied until the user clicks the Update button. However, if the page contains an association table, any addition/deletion to the table will be applied immediately. To avoid any confusion, the user is now required to save or reset all changes to the page before modifying the association. A dialog box will appear if the page contains any unsaved changes. -- Endi S. Dewata From e3e26e9dae6ad228c6bbbe98e649e3e0abbd2131 Mon Sep 17 00:00:00 2001 From: Endi S. Dewata Date: Wed, 23 Feb 2011 12:35:45 -0600 Subject: [PATCH] Save changes before modifying association. In a details page, usually any changes done to the fields will not be applied until the user clicks the Update button. However, if the page contains an association table, any addition/deletion to the table will be applied immediately. To avoid any confusion, the user is now required to save or reset all changes to the page before modifying the association. A dialog box will appear if the page contains any unsaved changes. --- install/ui/associate.js | 42 -- install/ui/ipa.js |4 +- install/ui/test/data/i18n_messages.json |3 +- install/ui/test/data/ipa_init.json |3 +- ipalib/plugins/internal.py |7 +++-- 5 files changed, 49 insertions(+), 10 deletions(-) diff --git a/install/ui/associate.js b/install/ui/associate.js index 600cd55c3abb99f810c8e322da83262c21b5e2c3..2f1a28d5a66e989d562c3605fa335763bcd00324 100644 --- a/install/ui/associate.js +++ b/install/ui/associate.js 
@@ -351,6 +351,28 @@ IPA.association_table_widget = function (spec) { that.table_setup(container); +var dialog = $('', { +html: IPA.messages.dialogs.dirty_message +}).appendTo(container); + +var buttons = {}; + +buttons[IPA.messages.buttons.ok] = function() { +dialog.dialog('close'); +}; + +dialog.dialog({ +autoOpen: false, +title: IPA.messages.dialogs.dirty_title, +modal: true, +width: '20em', +buttons: buttons +}); + +var entity = IPA.get_entity(that.entity_name); +var facet_name = IPA.current_facet(entity); +var facet = entity.get_facet(facet_name); + var button = $('input[name=remove]', container); button.replaceWith(IPA.action_button({ 'label': button.val(), @@ -359,7 +381,13 @@ IPA.association_table_widget = function (spec) { if ($(this).hasClass('action-button-disabled')) { return false; } -that.show_remove_dialog(); + +if (facet.is_dirty()) { +dialog.dialog('open'); +} else { +that.show_remove_dialog(); +} + return false; } })); @@ -369,8 +397,16 @@ IPA.association_table_widget = function (spec) { 'label': button.val(), 'icon': 'ui-icon-plus', 'click': function() { -if ($(this).hasClass('action-button-disabled')) return false; -that.show_add_dialog(); +if ($(this).hasClass('action-button-disabled')) { +return false; +} + +if (facet.is_dirty()) { +dialog.dialog('open'); +} else { +that.show_add_dialog(); +} + return false; } })); diff --git a/install/ui/ipa.js b/install/ui/ipa.js index 2c07d742a71b3e0428eac0637fc75f5fc0419280..ec15332f4a3d56fd54412bba99898b8e73986ef4 100644 --- a/install/ui/ipa.js +++ b/install/ui/ipa.js @@ -137,7 +137,7 @@ var IPA = ( function () { var facet = IPA.current_entity.facets_by_name[facet_name]; if (facet.is_dirty()){ var message_box = $("",{ -html: IPA.messages.dirty +html: IPA.messages.dialogs.dirty_message }). appendTo($("#navigation")); @@ -148,7 +148,7 @@ var IPA = ( function () { }; message_box.dialog({ -title: 'Dirty', +title: IPA.messages.dialogs.dirty_title, modal:true, width: '20em', buttons: buttons 
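Review bot: In the @@ -351,6 +351,28 @@ hunk the facet is resolved once, at table setup time (`var facet_name = IPA.current_facet(entity); var facet = entity.get_facet(facet_name);`), but its is_dirty() is only consulted later from the click handlers; if the widget is set up before its facet is the current one, the handlers will check the wrong facet's dirty state. Resolving the facet inside each click handler, or passing it in through spec, avoids that. The dialog is also created with `$('', { html: IPA.messages.dialogs.dirty_message })`, which as written has no element markup; please check that the tag survived in the applied patch (the same construct in ipa.js shows the same gap, so this may be the archive stripping it).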
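Review bot: The @@ -359,7 +381,13 @@ and @@ -369,8 +397,16 @@ hunks repeat the same guard (`if (facet.is_dirty()) { dialog.dialog('open'); } else { that.show_remove_dialog(); }`, and the add counterpart) in both click handlers; a small helper on the widget that takes the dialog-opening callback would keep the two in step as more association tables adopt it. Worth saying explicitly in the message string that the pending field edits are neither saved nor discarded by the dialog, since it only informs the user and returns false.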
diff --git a/install/ui/test/data/i18n_messages.json b/install/ui/test/data/i18n_messages.json index f5aa841ec1483618a3851871362477e2a6756241..076bdbf4c94694401f8079e1f5adfc189473dce4 100644 --- a/install/ui/test/data/i18n_messages.json +++ b/install/ui/test/data/i18n_messages.json @@ -42,12 +42,13 @@ }, "dialogs": { "available": "Available", +"dirty_message": "This page has unsaved changes. Please save or rev
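Review bot: The i18n_messages.json hunk (@@ -42,12 +42,13 @@) is cut off in this archive in the middle of the new "dirty_message" value, so the complete string and the matching "dirty_title" key cannot be checked here; ipa.js now reads IPA.messages.dialogs.dirty_message and IPA.messages.dialogs.dirty_title instead of the old IPA.messages.dirty, so both keys must be present in install/ui/test/data/ipa_init.json and in ipalib/plugins/internal.py (both in the diffstat), otherwise the dialog renders 'undefined' in the UI tests.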
Re: [Freeipa-devel] [PATCH] 20 Create default disabled sudo bind user
JR Aquino wrote: On 2/23/11 11:23 AM, "Simo Sorce" wrote: On Wed, 23 Feb 2011 13:50:37 -0500 Rob Crittenden wrote: JR Aquino wrote: On 2/22/11 7:45 PM, "JR Aquino" wrote: This patch addressees ticket #998 It adds: * ldif to create a default sudo bind user: dn: uid=sudo,cn=sysaccounts,cn=etc,$SUFFIX * modifications to dsinstance.py to add the ldif * modifications to dsinstance.py to add a call to ipautil.ipa_generate_password() for an random password. It is added to the sub_dict as 'RANDOM_PASSWORD' * addition to the Makefile.am in install/share to account for the new ldif file Corrections / Additions: * Correction to dsinstance.py to remove the unnecessary sha1 call and library * Addition of docstring for the ipa help sudorule to explain usage of the sudo binddn We need to make sure we don't log random passwords. Can you add this to your patch? --- service.py 2011-02-14 20:18:23.0 -0500 +++ /tmp/service.py 2011-02-23 13:49:56.0 -0500 @@ -137,6 +137,8 @@ # do not log passwords if sub_dict.has_key('PASSWORD'): nologlist = sub_dict['PASSWORD'], +if sub_dict.has_key('RANDOM_PASSWORD'): +nologlist = sub_dict['RANDOM_PASSWORD'], Should you append to nologlist ? If I read this right otherwise you'll replace the previous one. Simo. New corrections posted for the full patch. Adding a correction to nologlist to initialize it as a dict rather than a tuple. Then correctly appending the various sub_dict objects to the list. Also corrected 2 trailing whitespace bugs that were present in the previous patch. ack, pushed to master. I just added a bit more info to the commit message. rob ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] one-liner for krbtpolicy
Pushed out this one-liner to fix a typo and add an example for when user ticket policy takes effect. diff --git a/ipalib/plugins/krbtpolicy.py b/ipalib/plugins/krbtpolicy.py index 22ef161..c9d86ea 100644 --- a/ipalib/plugins/krbtpolicy.py +++ b/ipalib/plugins/krbtpolicy.py @@ -30,8 +30,8 @@ is required, which can be achieved using: service krb5kdc restart -Changes to per-user policies take effect immediatly for newly requested -tickets. +Changes to per-user policies take effect immediately for newly requested +tickets (e.g. when the user next runs kinit). EXAMPLES: ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
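Review bot: The reworded sentence says per-user changes apply to newly requested tickets (e.g. at the next kinit); one more clause stating that tickets already issued keep the lifetime they were granted until they expire would make the consequence explicit for an administrator who tightens a user's policy and expects the current ticket to shrink.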
Re: [Freeipa-devel] [PATCH] 20 Create default disabled sudo bind user
On 2/23/11 11:23 AM, "Simo Sorce" wrote: >On Wed, 23 Feb 2011 13:50:37 -0500 >Rob Crittenden wrote: > >> JR Aquino wrote: >> > On 2/22/11 7:45 PM, "JR Aquino" wrote: >> > >> >> This patch addressees ticket #998 >> >> >> >> It adds: >> >> >> >> * ldif to create a default sudo bind user: dn: >> >> uid=sudo,cn=sysaccounts,cn=etc,$SUFFIX >> >> * modifications to dsinstance.py to add the ldif >> >> * modifications to dsinstance.py to add a call to >> >> ipautil.ipa_generate_password() for an random password. It is >> >> added to the sub_dict as 'RANDOM_PASSWORD' >> >> * addition to the Makefile.am in install/share to account for the >> >> new ldif file >> > >> > Corrections / Additions: >> > >> > * Correction to dsinstance.py to remove the unnecessary sha1 call >> > and library >> > * Addition of docstring for the ipa help sudorule to explain usage >> > of the sudo binddn >> > >> >> We need to make sure we don't log random passwords. Can you add this >> to your patch? >> >> --- service.py 2011-02-14 20:18:23.0 -0500 >> +++ /tmp/service.py 2011-02-23 13:49:56.0 -0500 >> @@ -137,6 +137,8 @@ >> # do not log passwords >> if sub_dict.has_key('PASSWORD'): >> nologlist = sub_dict['PASSWORD'], >> +if sub_dict.has_key('RANDOM_PASSWORD'): >> +nologlist = sub_dict['RANDOM_PASSWORD'], > >Should you append to nologlist ? >If I read this right otherwise you'll replace the previous one. > >Simo. New corrections posted for the full patch. Adding a correction to nologlist to initialize it as a dict rather than a tuple. Then correctly appending the various sub_dict objects to the list. Also corrected 2 trailing whitespace bugs that were present in the previous patch. freeipa-jraquino-0020-Create-default-disabled-sudo-bind-user.patch Description: freeipa-jraquino-0020-Create-default-disabled-sudo-bind-user.patch ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
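An added example of the no-log handling this thread converges on; it is my code, not the patch under review or FreeIPA's. A template is rendered with a sub_dict carrying both the Directory Manager password and the generated bind-user password, every secret is collected into a list, and the rendered text is masked before it is logged. `secrets_in_as_posted()` reproduces the assignment form from the quoted diff so the overwrite Simo pointed out shows up in a test. The LDIF template, the `generate_password()` stand-in for ipautil.ipa_generate_password(), and all function names are my constructions; only the PASSWORD, RANDOM_PASSWORD and SUFFIX keys come from the thread.

```python
"""Added example (not FreeIPA code): keep supplied and generated passwords out of logs."""
import logging
import secrets
import string

# Constructed LDIF template in the style of the one the patch adds (not the real file)
SUDO_BIND_USER_LDIF = """\
dn: uid=sudo,cn=sysaccounts,cn=etc,$SUFFIX
objectClass: account
objectClass: simplesecurityobject
uid: sudo
userPassword: $RANDOM_PASSWORD
nsAccountLock: TRUE
"""


def generate_password(length=22):
    """Random password from the CSPRNG (stand-in for ipautil.ipa_generate_password)."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def secrets_in_as_posted(sub_dict):
    """The logic of the quoted diff: each branch *assigns* a one-element
    tuple, so RANDOM_PASSWORD replaces PASSWORD instead of joining it."""
    nologlist = ()
    if 'PASSWORD' in sub_dict:
        nologlist = sub_dict['PASSWORD'],
    if 'RANDOM_PASSWORD' in sub_dict:
        nologlist = sub_dict['RANDOM_PASSWORD'],
    return nologlist


def secrets_in(sub_dict):
    """Corrected accumulation: every secret-bearing key is appended."""
    nologlist = []
    for key in ('PASSWORD', 'RANDOM_PASSWORD'):
        if sub_dict.get(key):
            nologlist.append(sub_dict[key])
    return nologlist


def redact(text, nologlist, mask="XXXXXXXX"):
    """Mask each secret, longest first, so a secret that is a prefix of
    another cannot leave a partial value behind."""
    for secret in sorted(nologlist, key=len, reverse=True):
        text = text.replace(secret, mask)
    return text


def render_ldif(template, sub_dict):
    """$KEY substitution with string.Template semantics."""
    return string.Template(template).substitute(sub_dict)


def render_and_log(template, sub_dict, logger=None):
    """Render the template; only the redacted form reaches the log."""
    logger = logger or logging.getLogger("ldapupdate")
    rendered = render_ldif(template, sub_dict)
    logger.debug("applying LDIF:\n%s", redact(rendered, secrets_in(sub_dict)))
    return rendered


if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG)
    d = {"SUFFIX": "dc=example,dc=test", "PASSWORD": "dm-secret",
         "RANDOM_PASSWORD": generate_password()}
    render_and_log(SUDO_BIND_USER_LDIF, d)
```

With both keys present, `secrets_in_as_posted()` returns only the random password, so the Directory Manager password would be written to the debug log; `secrets_in()` returns both and `redact()` masks both.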
Re: [Freeipa-devel] Localization patches.
Pavel Zůna wrote:
> Rebased patch 81 and 83 (pygettext). Created a new patch to fix these latest test failures - it was easier than doing a complex rebase.
>
> All latest versions of localization patches are attached to this email for review. I tried to apply them on a clean master clone, build RPMs, installed and run all unit tests. So hopefully, we're finally going to get this in. :)
>
> Pavel

I don't understand some of these (and past changes):

- Updated patch 83-2 just changes the commit message slightly
- Patch 84 comments out several lines in the tests. There isn't any explanation what these changes do and why they are needed. It seems to be disabling a confirmation that changing locale works.
- Patch 82 drops a bunch of the old ugettext code which is fine, but I think one of the purposes was to make sure that translation was occurring.
- Patch 82 in test_text.py changing the languages is removed. Are we really exercising this code?

rob
Re: [Freeipa-devel] [PATCH] 20 Create default disabled sudo bind user
On Wed, 23 Feb 2011 13:50:37 -0500 Rob Crittenden wrote: > JR Aquino wrote: > > On 2/22/11 7:45 PM, "JR Aquino" wrote: > > > >> This patch addressees ticket #998 > >> > >> It adds: > >> > >> * ldif to create a default sudo bind user: dn: > >> uid=sudo,cn=sysaccounts,cn=etc,$SUFFIX > >> * modifications to dsinstance.py to add the ldif > >> * modifications to dsinstance.py to add a call to > >> ipautil.ipa_generate_password() for an random password. It is > >> added to the sub_dict as 'RANDOM_PASSWORD' > >> * addition to the Makefile.am in install/share to account for the > >> new ldif file > > > > Corrections / Additions: > > > > * Correction to dsinstance.py to remove the unnecessary sha1 call > > and library > > * Addition of docstring for the ipa help sudorule to explain usage > > of the sudo binddn > > > > We need to make sure we don't log random passwords. Can you add this > to your patch? > > --- service.py 2011-02-14 20:18:23.0 -0500 > +++ /tmp/service.py 2011-02-23 13:49:56.0 -0500 > @@ -137,6 +137,8 @@ > # do not log passwords > if sub_dict.has_key('PASSWORD'): > nologlist = sub_dict['PASSWORD'], > +if sub_dict.has_key('RANDOM_PASSWORD'): > +nologlist = sub_dict['RANDOM_PASSWORD'], Should you append to nologlist ? If I read this right otherwise you'll replace the previous one. Simo. -- Simo Sorce * Red Hat, Inc * New York ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 20 Create default disabled sudo bind user
JR Aquino wrote: On 2/22/11 7:45 PM, "JR Aquino" wrote: This patch addressees ticket #998 It adds: * ldif to create a default sudo bind user: dn: uid=sudo,cn=sysaccounts,cn=etc,$SUFFIX * modifications to dsinstance.py to add the ldif * modifications to dsinstance.py to add a call to ipautil.ipa_generate_password() for an random password. It is added to the sub_dict as 'RANDOM_PASSWORD' * addition to the Makefile.am in install/share to account for the new ldif file Corrections / Additions: * Correction to dsinstance.py to remove the unnecessary sha1 call and library * Addition of docstring for the ipa help sudorule to explain usage of the sudo binddn We need to make sure we don't log random passwords. Can you add this to your patch? --- service.py 2011-02-14 20:18:23.0 -0500 +++ /tmp/service.py 2011-02-23 13:49:56.0 -0500 @@ -137,6 +137,8 @@ # do not log passwords if sub_dict.has_key('PASSWORD'): nologlist = sub_dict['PASSWORD'], +if sub_dict.has_key('RANDOM_PASSWORD'): +nologlist = sub_dict['RANDOM_PASSWORD'], if self.dm_password: [pw_fd, pw_name] = tempfile.mkstemp() ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
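Review bot: In the @@ -137,6 +137,8 @@ hunk the added branch does `nologlist = sub_dict['RANDOM_PASSWORD'],`, a fresh one-element tuple that replaces the tuple built for 'PASSWORD' two lines above, so whenever both keys are present the Directory Manager password drops out of the no-log list and can end up in the log (Simo raises the same point in his reply). Start from `nologlist = []` before the checks and append in each branch, e.g. `nologlist.append(sub_dict['RANDOM_PASSWORD'])`, so the list grows with every secret-bearing key.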
Re: [Freeipa-devel] [PATCH] 065 Replace only if old and new have nothing in common
Jakub Hrozek wrote:
> On 02/23/2011 04:47 PM, Rob Crittenden wrote:
>> Jakub Hrozek wrote:
>>> Replace only if old and new have nothing in common
>>
>> This has problems when removing the last member. There is no adds, rems has a single value (the member being removed). The intersection is 0 so force_replace gets set to True and nothing ends up getting done.
>>
>> I added a len(v) > 0 to this conditional and it seems to work. I also added a small test case based on Endi's initial report. I'm getting a 100% test pass rate.
>>
>> rob
>
> I hit one more problem with the patch, although I'm not entirely sure how that is possible - when a user is renamed, his memberof becomes indirect memberof:
>
> # ipa user-mod --rename test2 test
> - Modified user "test" -
> User login: test2
> First name: Test
> Last name: User
> Home directory: /home/test
> Login shell: /bin/sh
> Account disabled: False
> Indirect Member of group: ipausers

I think this is another timing issue with 389-ds postop plugins, this time the referential integrity plugin. I don't think this is related to this change.

We start with:

dn: uid=test, ...
uid: test
memberOf: ipausers

dn: cn=ipausers, ...
cn: ipausers
member: uid=test,...

When we do the rename we immediately end up with:

dn: uid=test2, ..
uid: test2
memberOf: ipausers

dn: cn=ipausers, ...
cn: ipausers
member: uid=test, ...

We determine indirect membership by comparing the user's memberOf with the results of a query for member=uid=test2

If the refint plugin hasn't updated the ipausers group by the time we do the query the user will appear to be an indirect member.

rob
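Added example, not FreeIPA's own code: an in-memory model of the direct/indirect classification Rob describes (a group counts as direct only if a search for member=<dn> in the containers being looked at returns it), exercised against both problems in this archive: the sudocmd case from patch 741, where cn=sudo was not among the searched containers so every sudocmdgroup membership looked indirect, and the rename race above, where the group's member value still holds the old DN until the referential integrity plugin rewrites it. The dictionary layout, sample entries and helper names are my constructions; DN comparison is simplified to lower-casing and assumes no escaped commas.

```python
"""Added example (not FreeIPA code): direct vs indirect membership from memberOf."""
SUFFIX = "dc=example,dc=test"


def norm(dn):
    """Crude DN normalisation (assumes no escaped commas in values)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def under(dn, container):
    """True when `dn` lies below `container`."""
    return norm(dn).endswith("," + norm(container))


def groups_with_member(db, member_dn, containers):
    """Model of searching each container for (member=<member_dn>)."""
    target = norm(member_dn)
    hits = set()
    for dn, entry in db.items():
        if not any(under(dn, c) for c in containers):
            continue
        if target in {norm(m) for m in entry.get("member", [])}:
            hits.add(norm(dn))
    return hits


def classify(db, dn, containers):
    """Split an entry's memberOf into direct (confirmed by a member= search
    in one of `containers`) and indirect (everything else)."""
    direct_hits = groups_with_member(db, dn, containers)
    direct, indirect = [], []
    for group in db[dn].get("memberOf", []):
        (direct if norm(group) in direct_hits else indirect).append(group)
    return {"direct": direct, "indirect": indirect}


def rename(db, old_dn, new_dn):
    """Simulate a modrdn seen before the referential integrity plugin has
    rewritten group member values: the entry moves, the groups do not."""
    db[new_dn] = db.pop(old_dn)
    return db


# Constructed sample directory: one user in ipausers and one sudo command
# in a sudo command group (names are illustrative).
USER = "uid=test,cn=users,cn=accounts," + SUFFIX
USERS_GROUP = "cn=ipausers,cn=groups,cn=accounts," + SUFFIX
CMD = "sudocmd=/usr/bin/vim,cn=sudocmds,cn=sudo," + SUFFIX
CMD_GROUP = "cn=editors,cn=sudocmdgroups,cn=sudo," + SUFFIX
ACCOUNTS = ["cn=accounts," + SUFFIX]
ACCOUNTS_AND_SUDO = ACCOUNTS + ["cn=sudo," + SUFFIX]


def sample_directory():
    return {
        USERS_GROUP: {"member": [USER]},
        USER: {"memberOf": [USERS_GROUP]},
        CMD_GROUP: {"member": [CMD]},
        CMD: {"memberOf": [CMD_GROUP]},
    }


if __name__ == "__main__":
    db = sample_directory()
    print(classify(db, CMD, ACCOUNTS))           # looks indirect: cn=sudo not searched
    print(classify(db, CMD, ACCOUNTS_AND_SUDO))  # direct once cn=sudo is searched
    new_user = "uid=test2,cn=users,cn=accounts," + SUFFIX
    rename(db, USER, new_user)
    print(classify(db, new_user, ACCOUNTS))      # indirect until refint catches up
```

The same classification produces both symptoms: a container left out of the member= search and a group whose member value lags behind a rename are indistinguishable from the user's side, since memberOf is already correct in both cases.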
Re: [Freeipa-devel] [PATCH] 065 Replace only if old and new have nothing in common
On 02/23/2011 04:47 PM, Rob Crittenden wrote:
> Jakub Hrozek wrote:
>> Replace only if old and new have nothing in common
>
> This has problems when removing the last member. There is no adds, rems has a single value (the member being removed). The intersection is 0 so force_replace gets set to True and nothing ends up getting done.
>
> I added a len(v) > 0 to this conditional and it seems to work. I also added a small test case based on Endi's initial report. I'm getting a 100% test pass rate.
>
> rob

I hit one more problem with the patch, although I'm not entirely sure how that is possible - when a user is renamed, his memberof becomes indirect memberof:

# ipa user-mod --rename test2 test
- Modified user "test" -
User login: test2
First name: Test
Last name: User
Home directory: /home/test
Login shell: /bin/sh
Account disabled: False
Indirect Member of group: ipausers
Re: [Freeipa-devel] [PATCH] 738 default.conf man page
David O'Brien wrote:
> Rob Crittenden wrote:
>> David O'Brien wrote:
>>> Rob Crittenden wrote:
>>>> Add a man page for the IPA configuration file default.conf.
>>>>
>>>> ticket 969
>>>>
>>>> rob
>>>
>>> NACK
>>>
>>> A few too many typos and other errors.
>>>
>>> "Spaces between the equals sign are ignored." Do you mean, "Spaces surrounding equals signs are ignored."?
>>>
>>> +Specifies the base DN to use when performan LDAP operations.
>>> performing
>>>
>>> +Specfies the secure CA agent port. The defauilt is 9443.
>>> Specifies default
>>>
>>> +Specifies the unsecure CA end user port. The default is 9190.
>>> insecure
>>>
>>> "For example. if you want to always perform client requests in verbose mode but do not want to have verbose enabled on the server add the verbose option to \fI/etc/ipa/cli.conf\fR."
>>> comma after "example", not a period. add a comma after "enabled on the server"
>>>
>>> +Specifies whether the CA is acting is an RA agent,
>>> as an RA agent
>>>
>>> "+Specifies the name of the CA backend to use. The current options are \fBselfsign\fR and \fBdogtag\fR. This is a server\-side setting. Changing this value is not recommended as the CA backend is only set up during ininitial installation."
>>> s/backend/back end/
>>> s/selfsign/self-sign/
>>> s/ininitial/initial/
>>>
>>> +Specifies the kerberos realm.
>>> Kerberos
>>>
>>> "...and show the server(s) the client contacts."
>>> s/server(s)/servers/
>>>
>>> +user IPA configurationf ile
>>> configuration file
>>>
>>> "+Optional configuration files used in a particular context are. The value of mode is used to attempt to load these files, if they exist:"
>>> I'm not sure what this means
>>
>> Fixes applied.
>>
>> rob
>
> +Specfies the secure CA agent port. The default is 9443.
> Specifies
>
> "Changing this value is not recommended as the CA backend is only set up during initial installation."
> s/backend/back end/
>
> "+Optional configuration files used in a particular context are. The value of the context setting (\fBcli\fR or \fBserver\fR) is used to attempt to load these files, if they exist:"
> I still don't understand this.
>
> Bear in mind that I'm reading the raw patch; I haven't applied it or tried to format this as a man page. Maybe that would help.
>
> Everything else is fine.
>
> ACK with those couple of fixes.
>
> /dob

Fixed, pushed to master. I added a bit more discussion about the context-specific files. I think it is clearer now.

rob
Re: [Freeipa-devel] [PATCH] 739 update permission help text
David O'Brien wrote:
> Rob Crittenden wrote:
>> Jakub Hrozek wrote:
>>> On Tue, Feb 22, 2011 at 03:24:01PM -0500, Rob Crittenden wrote:
>>>> Jakub Hrozek wrote:
>>>>> On Tue, Feb 22, 2011 at 01:38:11PM -0500, Rob Crittenden wrote:
>>>>>> Based on feedback from David here is a hopefully clearer description of permissions.
>>>>>>
>>>>>> ticket 996
>>>>>>
>>>>>> rob
>>>>>
>>>>> I think you sent a wrong patch, this is the default.conf manpage one.
>>>>
>>>> D'oh, here you go.
>>>>
>>>> rob
>>>
>>> I agree with the changes, but now I realized that davido mentioned "privilege" not "permission". The privilege docstring contains the same errors as permission, can you also copy the changes into ipalib/plugins/privilege.py ?
>>
>> Good idea, updated patch attached.
>>
>> rob
>
> This is heaps better.
>
> ACK

pushed to master
Re: [Freeipa-devel] [PATCH] 20 Create default disabled sudo bind user
On 2/22/11 7:45 PM, "JR Aquino" wrote:
>This patch addresses ticket #998
>
>It adds:
>
>* ldif to create a default sudo bind user: dn:
>uid=sudo,cn=sysaccounts,cn=etc,$SUFFIX
>* modifications to dsinstance.py to add the ldif
>* modifications to dsinstance.py to add a call to
>ipautil.ipa_generate_password() for a random password. It is added to
>the sub_dict as 'RANDOM_PASSWORD'
>* addition to the Makefile.am in install/share to account for the new
>ldif file

Corrections / Additions:

* Correction to dsinstance.py to remove the unnecessary sha1 call and library
* Addition of docstring for the ipa help sudorule to explain usage of the sudo binddn

freeipa-jraquino-0020-Create-default-disabled-sudo-bind-user.patch
[Freeipa-devel] [PATCH] one liner to add new image for banner text.
pushed to master under the one line rule

commit 49b2c0bb6203d23ff0c56945b447b7da8f2a3f84
Author: Adam Young
Date: Wed Feb 23 11:23:16 2011 -0500

splitting banner requires new file in Makefile.am

diff --git a/install/ui/Makefile.am b/install/ui/Makefile.am
index e6ffed1..e8c11c2 100644
--- a/install/ui/Makefile.am
+++ b/install/ui/Makefile.am
@@ -48,6 +48,7 @@ app_DATA = \ widget.js \ user.js \ ipalogo.png \ + ipabanner.png \ gray-fade-line.png \ Mainnav-background.png \ Mainnav-offtab.png \
Re: [Freeipa-devel] [PATCH] 113 Fixed buttons for DNS records.
On 02/22/2011 06:18 PM, Endi Sukma Dewata wrote:
The order of the Add and Delete buttons has been reversed to be consistent with those in other facets.

ACK. Pushed to master
Re: [Freeipa-devel] [PATCH] 065 Replace only if old and new have nothing in common
Jakub Hrozek wrote:
Replace only if old and new have nothing in common

This has problems when removing the last member. There are no adds, rems has a single value (the member being removed). The intersection is 0 so force_replace gets set to True and nothing ends up getting done.

I added a len(v) > 0 to this conditional and it seems to work. I also added a small test case based on Endi's initial report. I'm getting a 100% test pass rate.

rob

freeipa-rcrit-740-replace.patch
Re: [Freeipa-devel] [PATCH] Don't load the LDAP schema during startup
Jan Zelený wrote:
> Jan Zelený wrote:
> > Rob Crittenden wrote:
> > > Jan Zelený wrote:
> > > > Rob Crittenden wrote:
> > > >> Jan Zelený wrote:
> > > >>> Loading of the schema is now performed in the first request that
> > > >>> requires it.
> > > >>>
> > > >>> https://fedorahosted.org/freeipa/ticket/583
> > > >>>
> > > >>> Jan
> > > >>
> > > >> We still need to enforce that we get the schema, some low-level
> > > >> functions depend on it. Also, if the UI doesn't get its aciattrs
> > > >> (which are derived from the schema) then nothing will be editable.
> > > >>
> > > >> I'm getting this backtrace if I force no schema by disabling
> > get_schema:
> > > > Ok, I'm sending new version, it should handle these exceptions better
> > > > and the operation should fail if it needs the schema and the schema
> > > > is not available for some reason.
> > >
> > > This breaks the XML-RPC server. I fixed one problem:
> > > --- a/ipaserver/plugins/ldap2.py
> > > +++ b/ipaserver/plugins/ldap2.py
> > >
> > > @@ -253,9 +253,10 @@ class ldap2(CrudBackend, Encoder): > > > def get_syntax(self, attr, value): > > > if not self.schema: > > > -self.schema = get_schema(self.ldap_uri, self.conn) > > > -if not self.schema: > > > +schema = get_schema(self.ldap_uri, self.conn) > > > > > > +if not schema: > > > return None > > > > > > +object.__setattr__(self, 'schema', schema) > > > > > > obj = self.schema.get_obj(_ldap.schema.AttributeType, attr) > > > > > > if obj is not None: > > > return obj.syntax > > >
> > >
> > > But simply things like get_entry() return an InternalError now. I'm not
> > > sure where you were going by adding this.
> > >
> > > rob
> >
> > Ok, no problem. It's possible that I simply did a mistake thinking I can
> > do something in Python what is not really possible.
> >
> > About that InternalError: I think raising InternalError when we cannot
> > load the schema to do the decoding is the right thing to do. Do you have
> > a better solution? I thought about returning empty result, but that
> > would mean we have to check the result in every function that is
> > calling them and raising InternalError there.
>
> I'm sending updated patch. I modified the get_syntax() as you suggested and
> I slightly modified raising that InternalError - currently it isn't raised
> when results from get_entry() are not required by calling method.
> Currently I'm running some tests, preliminary results looked ok.

self-nack

I discovered some issues discovered by internal test suite, I'm working on them

Jan
[Freeipa-devel] [PATCH] 065 Replace only if old and new have nothing in common
https://fedorahosted.org/freeipa/ticket/1000

I hope this doesn't break anything... my testing went OK. I've seen some unit test failures (group tests, for instance), but they don't seem to be related.

From 260e39be806c6c95376ab7c6266654bac436bca4 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek
Date: Wed, 23 Feb 2011 06:32:01 -0500
Subject: [PATCH] Replace only if old and new have nothing in common

https://fedorahosted.org/freeipa/ticket/1000
---
ipaserver/plugins/ldap2.py |2 +-
1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py
index d1e31f5..8eefa3b 100644
--- a/ipaserver/plugins/ldap2.py
+++ b/ipaserver/plugins/ldap2.py
@@ -798,7 +798,7 @@ class ldap2(CrudBackend, Encoder): force_replace = False if k in self._FORCE_REPLACE_ON_UPDATE_ATTRS or is_single_value: force_replace = True -elif len(adds) == 1 and len(rems) == 1: +elif len(v.intersection(old_v)) == 0: force_replace = True if adds:
--
1.7.4
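Review bot: the new condition in the @@ -798 hunk, `elif len(v.intersection(old_v)) == 0:`, also fires when `v` is empty, i.e. when the last value of a multi-valued attribute is being removed: `adds` is empty, `rems` holds that one member, the intersection is empty, and `force_replace` is set, so the update turns into a replace with nothing and the removal is silently dropped. Guard the branch with a non-empty check, e.g. `elif len(v) > 0 and len(v.intersection(old_v)) == 0:`, and add a test that removes the last member of a group.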
Re: [Freeipa-devel] [PATCH] Don't load the LDAP schema during startup
Jan Zelený wrote:
> Rob Crittenden wrote:
> > Jan Zelený wrote:
> > > Rob Crittenden wrote:
> > >> Jan Zelený wrote:
> > >>> Loading of the schema is now performed in the first request that
> > >>> requires it.
> > >>>
> > >>> https://fedorahosted.org/freeipa/ticket/583
> > >>>
> > >>> Jan
> > >>
> > >> We still need to enforce that we get the schema, some low-level
> > >> functions depend on it. Also, if the UI doesn't get its aciattrs
> > >> (which are derived from the schema) then nothing will be editable.
> > >
> > >> I'm getting this backtrace if I force no schema by disabling get_schema:
> > > Ok, I'm sending new version, it should handle these exceptions better
> > > and the operation should fail if it needs the schema and the schema is
> > > not available for some reason.
> >
> > This breaks the XML-RPC server. I fixed one problem:
> > --- a/ipaserver/plugins/ldap2.py
> > +++ b/ipaserver/plugins/ldap2.py
> >
> > @@ -253,9 +253,10 @@ class ldap2(CrudBackend, Encoder): > > def get_syntax(self, attr, value): > > if not self.schema: > > -self.schema = get_schema(self.ldap_uri, self.conn) > > -if not self.schema: > > +schema = get_schema(self.ldap_uri, self.conn) > > > > +if not schema: > > return None > > > > +object.__setattr__(self, 'schema', schema) > > > > obj = self.schema.get_obj(_ldap.schema.AttributeType, attr) > > > > if obj is not None: > > return obj.syntax > >
> >
> > But simply things like get_entry() return an InternalError now. I'm not
> > sure where you were going by adding this.
> >
> > rob
>
> Ok, no problem. It's possible that I simply did a mistake thinking I can do
> something in Python what is not really possible.
>
> About that InternalError: I think raising InternalError when we cannot load
> the schema to do the decoding is the right thing to do. Do you have a
> better solution? I thought about returning empty result, but that would
> mean we have to check the result in every function that is calling them
> and raising InternalError there.

I'm sending updated patch. I modified the get_syntax() as you suggested and I slightly modified raising that InternalError - currently it isn't raised when results from get_entry() are not required by calling method.

Currently I'm running some tests, preliminary results looked ok.

--
Thank you
Jan Zeleny

Red Hat Software Engineer
Brno, Czech Republic

From bdab2d3b9b8a7397e13acdad9d2809ae355cd5a7 Mon Sep 17 00:00:00 2001
From: Jan Zeleny
Date: Tue, 15 Feb 2011 09:37:58 +0100
Subject: [PATCH] Don't load the LDAP schema during startup

https://fedorahosted.org/freeipa/ticket/583
---
ipalib/encoder.py | 11 +++--
ipalib/plugins/baseldap.py | 21 -
ipalib/plugins/dns.py |2 +-
ipalib/plugins/host.py |2 +-
ipalib/plugins/permission.py|4 +-
ipalib/plugins/sudocmd.py |2 +-
ipaserver/install/dsinstance.py |2 +-
ipaserver/plugins/ldap2.py | 90 ---
8 files changed, 96 insertions(+), 38 deletions(-)

diff --git a/ipalib/encoder.py b/ipalib/encoder.py
index f23e5659e848d37db1072ff59aa7e11796b0836c..fbcae1739ee6541bdb989d6d01f8a4c9fb614b62 100644
--- a/ipalib/encoder.py
+++ b/ipalib/encoder.py
@@ -56,11 +56,12 @@ class Encoder(object): self.encoder_settings = EncoderSettings() def _decode_dict_val(self, key, val): -f = self.encoder_settings.decode_dict_vals_table.get( -self.encoder_settings.decode_dict_vals_table_keygen(key, val) -) +k = self.encoder_settings.decode_dict_vals_table_keygen(key, val) +if k is False: +return False +f = self.encoder_settings.decode_dict_vals_table.get(key) if f: -return val +return f(val) return self.decode(val) def encode(self, var):
@@ -155,6 +156,8 @@ class Encoder(object): self.encoder_settings.decode_postprocessor = lambda x: x for (k, v) in dct.iteritems(): dct[k] = self._decode_dict_val(k, v) +if dct[k] is False: +return False if not self.encoder_settings.decode_dict_vals_postprocess: self.encoder_settings.decode_postprocessor = tmp return dct
diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py
index 3cb72d7b09cc8c8a77bd4e594660ee376d668013..adc19fec8ff96eef2750ad08715e9324c1c536c6 100644
--- a/ipalib/plugins/baseldap.py
+++ b/ipalib/plugins/baseldap.py
@@ -189,6 +189,9 @@ def get_effective_rights(ldap, dn, attrs=None): if attrs is None: attrs = ['*', 'nsaccountlock', 'cospriority'] rights = ldap.get_effective_rights(dn, attrs) +if rights[1] in None: +return None + rdict = {} if 'attributelevelrights'
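Review bot: in the @@ -56 hunk of ipalib/encoder.py the keygen result `k` is computed and checked against False, but the table lookup that follows uses the raw key, `f = self.encoder_settings.decode_dict_vals_table.get(key)`. The removed lines looked the table up by the keygen result, so this is most likely meant to be `.get(k)`; as written, per-attribute decoders registered under a generated key are never found and `self.decode(val)` runs instead.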
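Review bot: in the @@ -155 hunk of ipalib/encoder.py the early `return False` inside the `for (k, v) in dct.iteritems()` loop skips the line `self.encoder_settings.decode_postprocessor = tmp` that restores the postprocessor, so after one failed decode the identity lambda stays installed and every later decode through the same Encoder is affected. Restore the postprocessor before returning, or put the reset in a try/finally around the loop.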
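Review bot: `if rights[1] in None:` in the @@ -189 hunk of ipalib/plugins/baseldap.py is a bug: `x in None` raises TypeError (argument of type 'NoneType' is not iterable), so the new guard can never return None and get_effective_rights() fails on every call before reaching `rdict = {}`. This should be `if rights[1] is None:`.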
Re: [Freeipa-devel] [PATCH] Don't load the LDAP schema during startup
Rob Crittenden wrote:
> Jan Zelený wrote:
> > Rob Crittenden wrote:
> >> Jan Zelený wrote:
> >>> Loading of the schema is now performed in the first request that
> >>> requires it.
> >>>
> >>> https://fedorahosted.org/freeipa/ticket/583
> >>>
> >>> Jan
> >>
> >> We still need to enforce that we get the schema, some low-level
> >> functions depend on it. Also, if the UI doesn't get its aciattrs (which
> >> are derived from the schema) then nothing will be editable.
> >
> >> I'm getting this backtrace if I force no schema by disabling get_schema:
> > Ok, I'm sending new version, it should handle these exceptions better and
> > the operation should fail if it needs the schema and the schema is not
> > available for some reason.
>
> This breaks the XML-RPC server. I fixed one problem:
> --- a/ipaserver/plugins/ldap2.py
> +++ b/ipaserver/plugins/ldap2.py
> @@ -253,9 +253,10 @@ class ldap2(CrudBackend, Encoder): > > def get_syntax(self, attr, value): > if not self.schema: > -self.schema = get_schema(self.ldap_uri, self.conn) > -if not self.schema: > +schema = get_schema(self.ldap_uri, self.conn) > +if not schema: > return None > +object.__setattr__(self, 'schema', schema) > obj = self.schema.get_obj(_ldap.schema.AttributeType, attr) > if obj is not None: > return obj.syntax >
>
> But simply things like get_entry() return an InternalError now. I'm not
> sure where you were going by adding this.
>
> rob

Ok, no problem. It's possible that I simply did a mistake thinking I can do something in Python what is not really possible.

About that InternalError: I think raising InternalError when we cannot load the schema to do the decoding is the right thing to do. Do you have a better solution? I thought about returning empty result, but that would mean we have to check the result in every function that is calling them and raising InternalError there.

--
Thank you
Jan Zeleny

Red Hat Software Engineer
Brno, Czech Republic
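Review bot: the quoted @@ -253 hunk of ipaserver/plugins/ldap2.py makes get_syntax() return None whenever get_schema() yields nothing, so a caller cannot distinguish "schema unavailable" from "attribute has no syntax" and the load failure is swallowed instead of surfaced; since the thread's position is that an operation needing the schema should fail, raising there is the consistent choice. The line `+object.__setattr__(self, 'schema', schema)` assigns the attribute through object.__setattr__ rather than plain assignment, which implies `schema` is normally write-protected on ldap2; that deserves a code comment explaining why the bypass is needed.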