[Freeipa-devel] [PATCH] admiyo-0218-default-all-false.
Requires patch 217 From d07565bd09081e9d2dd010f6b9a39cdd8df01e1d Mon Sep 17 00:00:00 2001 From: Adam Young Date: Wed, 30 Mar 2011 20:54:34 -0400 Subject: [PATCH] default all false no longer default to all: true for searches, only specify it for user searches --- install/ui/entity.js |5 - install/ui/search.js | 14 +- install/ui/user.js |3 ++- 3 files changed, 15 insertions(+), 7 deletions(-) diff --git a/install/ui/entity.js b/install/ui/entity.js index c23ce500ae9772371220a950efce4cb774240f49..31be28600e17b1e231ecebe1a9c547c17d51e56f 100644 --- a/install/ui/entity.js +++ b/install/ui/entity.js @@ -610,7 +610,10 @@ IPA.entity_builder = function(){ }; that.search_facet = function (spec){ -current_facet = IPA.search_facet({entity_name:that.entity_name}); +current_facet = IPA.search_facet({ +entity_name:that.entity_name, +search_all: spec.search_all || false +}); //once everything usese this mechanism, inline the init code current_facet.init(); diff --git a/install/ui/search.js b/install/ui/search.js index 9d22dfcc48006be38c75e4b46aa61a71161beab9..dc347aa390d6f3f193b0e9b2751c01f794bd01cc 100644 --- a/install/ui/search.js +++ b/install/ui/search.js @@ -32,6 +32,7 @@ IPA.search_widget = function (spec) { that.entity_name = spec.entity_name; that.facet = spec.facet; +that.search_all = spec.search_all || false; that.create = function(container) { @@ -269,7 +270,7 @@ IPA.search_widget = function (spec) { var filter = $.bbq.getState(that.entity_name + '-filter', true) || ''; IPA.cmd( - 'find', [filter], {all: true}, on_success, on_error, + 'find', [filter], {all: that.search_all}, on_success, on_error, that.entity_name); }; @@ -290,6 +291,7 @@ IPA.search_facet = function(spec) { that.entity_name = spec.entity_name; that.columns = []; that.columns_by_name = {}; +that.search_all = spec.search_all || false; that.__defineGetter__('entity_name', function() { return that._entity_name; 
@@ -356,10 +358,12 @@ IPA.search_facet = function(spec) { that.facet_init(); that.table = IPA.search_widget({ -'id': that.entity_name+'-search', -'name': 'search', 'label': IPA.metadata.objects[that.entity_name].label, -'entity_name': that.entity_name, -'facet': that +id: that.entity_name+'-search', +name: 'search', +label: IPA.metadata.objects[that.entity_name].label, +entity_name: that.entity_name, +facet: that, +search_all: that.search_all }); for (var i=0; i___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
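Review bot: In the install/ui/entity.js hunk, that.search_facet now dereferences spec (spec.search_all || false), while the removed line never touched spec, so any existing caller that invokes search_facet() with no argument will throw a TypeError before the facet is created. Add spec = spec || {}; at the top of the function, or confirm that every caller passes an object.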
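Review bot: In install/ui/search.js the flag is kept in two places, that.search_all on IPA.search_facet and again on IPA.search_widget, and the find call reads only the widget's copy ({all: that.search_all}), so changing the facet's value after init has no effect on the query. Have the widget read that.facet.search_all, or document that the value is fixed at construction. The @@ -356 hunk also mixes the unquoting of the object keys with the one functional addition (search_all: that.search_all); splitting the style change out would make the behavioural change easier to audit.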
Re: [Freeipa-devel] [PATCH] 5 Add note about ipa-dns-install to ipa-server-install man page
Jan Cholasta wrote:
> On 30.3.2011 01:01, David O'Brien wrote:
>> Jan Cholasta wrote:
>>> Added the note so that users know that they can setup DNS at any time
>>> after ipa-server-install.
>>>
>>> https://fedorahosted.org/freeipa/ticket/1082
>>
>> NACK
>>
>> Minor English and style fix:
>>
>> s/ "Note that you can setup DNS at any later time by running ipa-dns-install"
>> / "Note that you can set up a DNS at any time after the initial IPA server
>> install by running ipa-dns-install."
>
> Thanks, fixed.
>
>> cheers

ACK

--
David O'Brien
Senior Content Author
Engineering Content Services (ECS)
Red Hat Asia Pacific Pty Ltd
+61 7 3514 8189

"He who asks is a fool for five minutes, but he who does not ask remains a fool forever." ~ Chinese proverb
Re: [Freeipa-devel] [PATCH] 21 Escape LDAP characters in member and memberof searches
On Mar 30, 2011, at 3:03 PM, Rob Crittenden wrote:

> JR Aquino wrote:
>> On Mar 30, 2011, at 1:01 PM, Stephen Gallagher wrote:
>>
>>> On 03/30/2011 03:53 PM, JR Aquino wrote:
>>>> On Mar 30, 2011, at 12:05 PM, JR Aquino wrote:
>>>>
>>>>> The FreeIPA framework performs unescaped searches to enumerate group
>>>>> membership.
>>>>>
>>>>> The following patch corrects this behavior.
>>>>>
>>>>> -JR
>>>>
>>>> Self NACK
>>>>
>>>> Attached is the corrected patch.
>>>>
>>>> search_group_dn = _ldap_filter.escape_filter_chars(search_group_dn)
>>>>
>>>> Is now correctly changed to:
>>>>
>>>> search_group_dn = _ldap_filter.escape_filter_chars(group_dn)
>>>
>>> Nack. This is a step in the right direction, but you're not actually
>>> using this value anywhere.
>>>
>>> I think you wanted to have the next line changed to:
>>>
>>> searchfilter = "(memberof=%s)" % search_group_dn
>>>
>>> --
>>> Stephen Gallagher
>>> RHCE 804006346421761
>>
>> Oh! You are right.
>>
>> Attached is the corrected patch.
>
> I don't think you need a new variable for search_group_dn. The value is
> passed in from a tuple so any changes will be silently lost anyway.
>
> Or you can leave it, I think it's probably safer this way (since we can't
> predict how it will be called in the future), but you should then do the same
> in get_memberof().
>
> rob

I agree with you. For the sake of equality, I have adjusted the patch to address entry_dn with search_entry_dn.

bing0ILo9CtZl.bin
Description: freeipa-jraquino-0021-Escape-LDAP-characters-in-member-and-memberof-search.patch
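An added illustration of the point reviewed in this thread (it is not the attached patch, which is not shown on this page, and not FreeIPA code): the value substituted into "(memberof=%s)" has to be the escaped one. escape_filter_value() is a local stand-in for python-ldap's escape_filter_chars(), and every DN is a constructed sample.

```python
"""Added example: RFC 4515 escaping of a DN used as a search-filter value.

escape_filter_value() is a local stand-in for python-ldap's
ldap.filter.escape_filter_chars(); all DNs below are constructed samples.
"""
import re

# Characters RFC 4515 requires to be written as a backslash plus two hex
# digits when they occur inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
_HEX_ESCAPE = re.compile(r"\\[0-9a-fA-F]{2}")


def escape_filter_value(value):
    # One pass per character, so the backslashes emitted here are never
    # escaped a second time.
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def memberof_filter_unescaped(group_dn):
    """Behaviour the thread set out to fix: raw DN placed in the filter."""
    return "(memberof=%s)" % group_dn


def memberof_filter_unused_escape(group_dn):
    """Revision that drew the Nack: escaped value computed, then ignored."""
    search_group_dn = escape_filter_value(group_dn)  # never used below
    return "(memberof=%s)" % group_dn


def memberof_filter(group_dn):
    """Reviewed form: the filter is built from the escaped value."""
    search_group_dn = escape_filter_value(group_dn)
    return "(memberof=%s)" % search_group_dn


def active_metachars(filter_str):
    """Filter metacharacters still live once hex escapes are set aside.

    A filter holding a single assertion should leave exactly ['(', ')'].
    """
    remainder = _HEX_ESCAPE.sub("", filter_str)
    return [ch for ch in remainder if ch in "()*\\"]


# Constructed group DNs: a plain one, one with parentheses, one with an
# asterisk, and one whose comma is already backslash-escaped at the DN level.
SAMPLE_DNS = [
    "cn=admins,cn=groups,dc=example,dc=com",
    "cn=Sales (EMEA),cn=groups,dc=example,dc=com",
    "cn=ops*,cn=groups,dc=example,dc=com",
    "cn=Smith\\, Team,cn=groups,dc=example,dc=com",
]

if __name__ == "__main__":
    builders = (memberof_filter_unescaped, memberof_filter_unused_escape,
                memberof_filter)
    for dn in SAMPLE_DNS:
        for build in builders:
            built = build(dn)
            print("%-30s %s %s" % (build.__name__, built, active_metachars(built)))
```

The DN-level backslash in the last sample shows why DN escaping and filter escaping are separate steps: a correctly written DN can still contain a character that is live in a filter.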
Re: [Freeipa-devel] [PATCH] 21 Escape LDAP characters in member and memberof searches
JR Aquino wrote:
> On Mar 30, 2011, at 1:01 PM, Stephen Gallagher wrote:
>
>> On 03/30/2011 03:53 PM, JR Aquino wrote:
>>> On Mar 30, 2011, at 12:05 PM, JR Aquino wrote:
>>>
>>>> The FreeIPA framework performs unescaped searches to enumerate group
>>>> membership.
>>>>
>>>> The following patch corrects this behavior.
>>>>
>>>> -JR
>>>
>>> Self NACK
>>>
>>> Attached is the corrected patch.
>>>
>>> search_group_dn = _ldap_filter.escape_filter_chars(search_group_dn)
>>>
>>> Is now correctly changed to:
>>>
>>> search_group_dn = _ldap_filter.escape_filter_chars(group_dn)
>>
>> Nack. This is a step in the right direction, but you're not actually
>> using this value anywhere.
>>
>> I think you wanted to have the next line changed to:
>>
>> searchfilter = "(memberof=%s)" % search_group_dn
>>
>> --
>> Stephen Gallagher
>> RHCE 804006346421761
>
> Oh! You are right.
>
> Attached is the corrected patch.

I don't think you need a new variable for search_group_dn. The value is passed in from a tuple so any changes will be silently lost anyway.

Or you can leave it, I think it's probably safer this way (since we can't predict how it will be called in the future), but you should then do the same in get_memberof().

rob
[Freeipa-devel] [PATCH] 761 Sort entries on *-find commands
Sort output on find commands based on the baseldap LDAPSearch class.

A couple tests had to be modified to match the new order.

ticket 794

rob

freeipa-rcrit-761-sort.patch
Description: application/mbox
Re: [Freeipa-devel] [PATCH] 045 Add DNS record modification command
On 03/30/2011 11:13 AM, Martin Kosek wrote:
> Since this is a new-feature type patch it should be pushed only to master.
> ---
> The DNS record plugin does not support modification of a record. One
> can only add A type addresses to a DNS record or remove the current
> ones. To actually change a DNS record value it has to be removed and
> then added with a desired value.
>
> This patch adds a new DNS plugin command "dnsrecord-mod" which enables
> user to:
> - modify a DNS record value (note that DNS record can hold multiple
>   values and those will be overwritten)
> - remove a DNS record when an empty value is passed
>
> New tests for this new command have been added to the CLI test suite.
>
> https://fedorahosted.org/freeipa/ticket/1137

NACK,

The problem is that if there are 10 A records, and I only want to modify one, I have no way to specify which one. The API should be something like:

ipa dnsrecord-mod ayoung.boston.devel.redhat.com testa 10.10.2.3 --a-rec=,10.11.12.13

Alternatively, we can decide that we are not going to do mod, and have the WebUI do a delete and an add:
Re: [Freeipa-devel] [PATCH] 21 Escape LDAP characters in member and memberof searches
On 03/30/2011 04:22 PM, JR Aquino wrote:
> On Mar 30, 2011, at 1:01 PM, Stephen Gallagher wrote:
>
>> On 03/30/2011 03:53 PM, JR Aquino wrote:
>>>
>>> On Mar 30, 2011, at 12:05 PM, JR Aquino wrote:
>>>
>>>> The FreeIPA framework performs unescaped searches to enumerate group
>>>> membership.
>>>>
>>>> The following patch corrects this behavior.
>>>>
>>>> -JR
>>>
>>> Self NACK
>>>
>>> Attached is the corrected patch.
>>>
>>> search_group_dn = _ldap_filter.escape_filter_chars(search_group_dn)
>>>
>>> Is now correctly changed to:
>>>
>>> search_group_dn = _ldap_filter.escape_filter_chars(group_dn)
>>>
>>
>> Nack. This is a step in the right direction, but you're not actually
>> using this value anywhere.
>>
>> I think you wanted to have the next line changed to:
>>
>> searchfilter = "(memberof=%s)" % search_group_dn
>>
>> --
>> Stephen Gallagher
>> RHCE 804006346421761
>
> Oh! You are right.
>
> Attached is the corrected patch.

Ack

--
Stephen Gallagher
RHCE 804006346421761
Re: [Freeipa-devel] [PATCH] 21 Escape LDAP characters in member and memberof searches
On Mar 30, 2011, at 1:01 PM, Stephen Gallagher wrote:

> On 03/30/2011 03:53 PM, JR Aquino wrote:
>>
>> On Mar 30, 2011, at 12:05 PM, JR Aquino wrote:
>>
>>> The FreeIPA framework performs unescaped searches to enumerate group
>>> membership.
>>>
>>> The following patch corrects this behavior.
>>>
>>> -JR
>>
>> Self NACK
>>
>> Attached is the corrected patch.
>>
>> search_group_dn = _ldap_filter.escape_filter_chars(search_group_dn)
>>
>> Is now correctly changed to:
>>
>> search_group_dn = _ldap_filter.escape_filter_chars(group_dn)
>>
>
> Nack. This is a step in the right direction, but you're not actually
> using this value anywhere.
>
> I think you wanted to have the next line changed to:
>
> searchfilter = "(memberof=%s)" % search_group_dn
>
> --
> Stephen Gallagher
> RHCE 804006346421761

Oh! You are right.

Attached is the corrected patch.

binNBKTBPO58T.bin
Description: freeipa-jraquino-0021-Escape-LDAP-characters-in-member-and-memberof-search.patch
[Freeipa-devel] [PATCH] 22 Add memberHost and memberUser to default indexes
The plugin architecture makes a great deal of calls to search for memberUser and memberHost.

These attributes are missing from the index and are greatly slowing down the CLI and WebUI.

They should be added as Equality Indexes, as the searches that are performed are meant for enumeration after the exact value is known.

binMD11khTK1q.bin
Description: freeipa-jraquino-0022-Add-memberHost-and-memberUser-to-default-indexes.patch
Re: [Freeipa-devel] [PATCH] 21 Escape LDAP characters in member and memberof searches
On 03/30/2011 03:53 PM, JR Aquino wrote:
>
> On Mar 30, 2011, at 12:05 PM, JR Aquino wrote:
>
>> The FreeIPA framework performs unescaped searches to enumerate group
>> membership.
>>
>> The following patch corrects this behavior.
>>
>> -JR
>
> Self NACK
>
> Attached is the corrected patch.
>
> search_group_dn = _ldap_filter.escape_filter_chars(search_group_dn)
>
> Is now correctly changed to:
>
> search_group_dn = _ldap_filter.escape_filter_chars(group_dn)
>

Nack. This is a step in the right direction, but you're not actually using this value anywhere.

I think you wanted to have the next line changed to:

searchfilter = "(memberof=%s)" % search_group_dn

--
Stephen Gallagher
RHCE 804006346421761
Re: [Freeipa-devel] [PATCH] 21 Escape LDAP characters in member and memberof searches
On Mar 30, 2011, at 12:05 PM, JR Aquino wrote:

> The FreeIPA framework performs unescaped searches to enumerate group
> membership.
>
> The following patch corrects this behavior.
>
> -JR

Self NACK

Attached is the corrected patch.

search_group_dn = _ldap_filter.escape_filter_chars(search_group_dn)

Is now correctly changed to:

search_group_dn = _ldap_filter.escape_filter_chars(group_dn)

-JR

binLzGtbldZbp.bin
Description: freeipa-jraquino-0021-Escape-LDAP-characters-in-member-and-memberof-search.patch
[Freeipa-devel] [PATCH] 21 Escape LDAP characters in member and memberof searches
The FreeIPA framework performs unescaped searches to enumerate group membership.

The following patch corrects this behavior.

-JR

binIXm2E6QDid.bin
Description: freeipa-jraquino-0021-Escape-LDAP-characters-in-member-and-memberof-search.patch
[Freeipa-devel] [PATCH] 045 Add DNS record modification command
Since this is a new-feature type patch it should be pushed only to master. --- The DNS record plugin does not support modification of a record. One can only add A type addresses to a DNS record or remove the current ones. To actually change a DNS record value it has to be removed and then added with a desired value. This patch adds a new DNS plugin command "dnsrecord-mod" which enables user to: - modify a DNS record value (note than DNS record can hold multiple values and those will be overwritten) - remove a DNS record when an empty value is passed New tests for this new command have been added to the CLI test suite. https://fedorahosted.org/freeipa/ticket/1137 >From 9c9e193c1d76a4c51c496ec3f76d18a4a9dd2b4b Mon Sep 17 00:00:00 2001 From: Martin Kosek Date: Wed, 30 Mar 2011 17:07:17 +0200 Subject: [PATCH] Add DNS record modification command The DNS record plugin does not support modification of a record. One can only add A type addresses to a DNS record or remove the current ones. To actually change a DNS record value it has to be removed and then added with a desired value. This patch adds a new DNS plugin command "dnsrecord-mod" which enables user to: - modify a DNS record value (note than DNS record can hold multiple values and those will be overwritten) - remove a DNS record when an empty value is passed New tests for this new command have been added to the CLI test suite. https://fedorahosted.org/freeipa/ticket/1137 --- ipalib/plugins/dns.py| 95 -- tests/test_xmlrpc/test_dns_plugin.py | 48 - 2 files changed, 113 insertions(+), 30 deletions(-) diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py index f58e1ae1fae170270e8d065ada42da2f898992f5..cc70413bb387852307ac262379eb075b0a9b546c 100644 --- a/ipalib/plugins/dns.py +++ b/ipalib/plugins/dns.py 
@@ -189,9 +189,12 @@ _record_validators = { u'NAPTR': _validate_naptr, } -def has_cli_options(entry, no_option_msg): +def has_cli_options(entry, no_option_msg, allow_empty_attr=False): entry = dict((t, entry.get(t, [])) for t in _record_attributes) -numattr = reduce(lambda x,y: x+y, +if allow_empty_attr: +numattr = len(entry) +else: +numattr = reduce(lambda x,y: x+y, map(lambda x: len(x), [ v for v in entry.values() if v is not None ])) if numattr == 0: raise errors.OptionError(no_option_msg) @@ -514,6 +517,30 @@ class dnsrecord(LDAPObject): cliname = attr return cliname +def _nsrecord_pre_callback(self, ldap, dn, entry_attrs, *keys, **options): +if options.get('force', False): +return dn + +for ns in options['nsrecord']: +is_ns_rec_resolvable(ns) +return dn + +def _ptrrecord_pre_callback(self, ldap, dn, entry_attrs, *keys, **options): +components = dn.split(',',2) +addr = components[0].split('=')[1] +zone = components[1].split('=')[1] +if zone.find('ip6') != -1: +zone = zone.replace('.ip6.arpa.','') +zone_len = 32 +else: +zone = zone.replace('.in-addr.arpa.','') +zone_len = 4 + +if len(addr.split('.'))+len(zone.split('.')) != zone_len: +raise errors.ValidationError(name='cn', error=unicode('IP address must have exactly '+str(zone_len)+' components')) + +return dn + api.register(dnsrecord) 
@@ -648,35 +675,11 @@ class dnsrecord_add(LDAPCreate, dnsrecord_cmd_w_record_options): has_cli_options(options, self.no_option_msg) return super(dnsrecord_add, self).args_options_2_entry(*keys, **options) -def _nsrecord_pre_callback(self, ldap, dn, entry_attrs, *keys, **options): -if options.get('force', False): -return dn - -for ns in options['nsrecord']: -is_ns_rec_resolvable(ns) -return dn - -def _ptrrecord_pre_callback(self, ldap, dn, entry_attrs, *keys, **options): -components = dn.split(',',2) -addr = components[0].split('=')[1] -zone = components[1].split('=')[1] -if zone.find('ip6') != -1: -zone = zone.replace('.ip6.arpa.','') -zone_len = 32 -else: -zone = zone.replace('.in-addr.arpa.','') -zone_len = 4 - -if len(addr.split('.'))+len(zone.split('.')) != zone_len: -raise errors.ValidationError(name='cn', error=unicode('IP address must have exactly '+str(zone_len)+' components')) - -return dn - def pre_callback(self, ldap, dn, entry_attrs, *keys, **options): for rtype in options: rtype_cb = '_%s_pre_callback' % rtype -if hasattr(self, rtype_cb): -dn = getattr(self, rtype_cb)(ldap, dn, entry_attrs, *keys, **options) +if hasattr(self.obj, rtype_cb): +dn = getattr(self.obj, rtype_cb)(ldap, dn, entry_attrs, *keys, **options)
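Review bot: In the has_cli_options hunk, the allow_empty_attr branch sets numattr = len(entry), but entry has just been rebuilt with one key for every name in _record_attributes, so len(entry) is the same non-zero constant on every call and the numattr == 0 check that follows can never raise OptionError. A call that passes no record option at all would therefore be accepted. Count the record attributes actually present in the caller's options before entry is overwritten, and test that count instead.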
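Review bot: _ptrrecord_pre_callback, moved onto dnsrecord in the @@ -514 hunk, still extracts the record name and zone with dn.split(',',2) and split('=')[1], which mis-parses any RDN value containing an escaped comma or an equals sign, and it selects the IPv6 branch with zone.find('ip6') != -1, a substring test that also matches a forward zone whose name merely contains ip6. Now that the callback is shared rather than private to dnsrecord_add, parse the DN with a DN-aware helper and test the suffix with zone.endswith('.ip6.arpa.'). The raise errors.ValidationError(...) line is also far past 80 columns and could be wrapped while it is being moved.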
Re: [Freeipa-devel] [PATCH] 760 don't crash when calculating indirect
Rob Crittenden wrote:
> This prevents an internal error when calculating direct vs indirect
> membership.
>
> ticket 1133

I accidentally included a change from another patch. Updated patch attached.

rob

freeipa-rcrit-760-2-member.patch
Description: application/mbox
[Freeipa-devel] [PATCH] 760 don't crash when calculating indirect
This prevents an internal error when calculating direct vs indirect membership.

ticket 1133

rob

freeipa-rcrit-760-member.patch
Description: application/mbox
[Freeipa-devel] [PATCH] 759 cache get_ipa_config() output in request context
Some requests generate multiple calls to get_ipa_config(). This patch caches the return value for this in the request context.

ticket 1023

rob

freeipa-rcrit-759-cache.patch
Description: application/mbox
Re: [Freeipa-devel] [PATCH] 758 make CA retrieval during discovery non-fatal
Martin Kosek wrote:
> On Tue, 2011-03-29 at 13:36 -0400, Rob Crittenden wrote:
>> This makes the CA retrieval during IPA discovery non-fatal. If we can't
>> get the CA cert then this likely isn't an IPA server so we should just
>> return.
>>
>> ticket 1135
>>
>> rob
>
> ACK from me. I also tried to at least partially simulate the AD by at
> least changing DNS SRV records in DNS server controlling the domain. I
> was able to install the client with --server, --domain and --force
> options then.
>
> Martin

pushed to master and ipa-2-0
Re: [Freeipa-devel] [PATCH] 757 fix enrollment if otp is set
Martin Kosek wrote:
> On Tue, 2011-03-29 at 13:20 -0400, Rob Crittenden wrote:
>> If a one-time password is set when a host is created the
>> krbPrincipalName is not created. It will be added when the client
>> enrolls with the password.
>>
>> This means that the host can't enroll with an admin user because we
>> don't allow writing krbPrincipalName. This adds an exception that it can
>> be written when it is blank.
>>
>> ticket 1075
>>
>> rob
>
> ACK. Both IPA server upgrade and then OTP-free client enrollment went
> fine.
>
> Martin

pushed to master and ipa-2-0
Re: [Freeipa-devel] [PATCH] 041 Replica installation fails for self-signed server
Martin Kosek wrote:
> On Tue, 2011-03-29 at 16:42 -0400, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> When IPA server was configured as self-signed (--selfsign option) the
>>> replica always failed to install.
>>>
>>> https://fedorahosted.org/freeipa/ticket/1122
>>
>> Why not just make install_ca return (None, None) instead if we aren't
>> installing dogtag?
>>
>> rob
>
> Good point, this will be much more readable. Sending updated patch.
>
> Martin

ack, pushed to master and ipa-2-0

rob
Re: [Freeipa-devel] [PATCH] 3 Add ability to specify netmask with IP addresses during installation
On 29.3.2011 22:15, Rob Crittenden wrote:
> Jan Cholasta wrote:
>> Sorry, forgot to attach the patch.
>
> Is this why you have some blind excepts?
>
> installutils._IPAddressWithPrefix('192.168.0.1/33')
> Traceback (most recent call last):
>   File "", line 1, in
>   File "ipaserver/install/installutils.py", line 167, in __init__
>     net = netaddr.IPNetwork(addr)
>   File "/usr/lib/python2.7/site-packages/netaddr/ip/__init__.py", line 919, in __init__
>     implicit_prefix, flags)
>   File "/usr/lib/python2.7/site-packages/netaddr/ip/__init__.py", line 782, in parse_ip_network
>     value = ip._value
> UnboundLocalError: local variable 'ip' referenced before assignment
>
> We should get an upstream bug filed on python-netaddr about this.

https://github.com/drkjam/netaddr/issues/closed#issue/5
https://github.com/drkjam/netaddr/issues/closed#issue/6
https://github.com/drkjam/netaddr/issues/closed#issue/8

Apparently it's already been fixed for the next release. IMHO it's not much of an issue for us, because the exception gets caught in parse_ip_address and that's currently the only place where _IPAddressWithPrefix is used.

> Should parse_ip_address() raise an exception on bad data rather than
> returning 0.0.0.0?

I've been down that road and it would need a rewrite of the fragile IP address handling logic of ipa-server-install, which is something I'd rather avoid.

> >>> installutils.parse_ip_address('355.555.3.3')
> _IPAddressWithPrefix('0.0.0.0')
>
> or
>
> >>> installutils.parse_ip_address('192.168.0.1/55')
> _IPAddressWithPrefix('0.0.0.0')
>
> Should it disallow net addresses like 192.168.0.0?

If you mean network and broadcast addresses, it probably should. It might be a good idea to disallow localhost, multicast and/or link-local addresses too.

> rob

--
Jan Cholasta
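An added sketch of the stricter behaviour raised in this exchange (not the patch under review and not FreeIPA code): bad input raises instead of turning into 0.0.0.0, and the address classes mentioned above are refused. It uses the standard-library ipaddress module in place of netaddr; parse_host_address() and is_rejected() are hypothetical names, and the sample inputs other than the three quoted in the thread are constructed.

```python
"""Added example: strict parsing of an installer IP address, optional prefix.

Uses the standard-library ipaddress module rather than the netaddr package
discussed in the thread; parse_host_address() is a hypothetical name.
"""
import ipaddress


def parse_host_address(text):
    """Return an ip_interface for 'ADDR' or 'ADDR/PREFIX', or raise ValueError.

    Bad input is an error, never a placeholder value such as 0.0.0.0.
    """
    text = text.strip()
    try:
        iface = ipaddress.ip_interface(text)
    except ValueError as exc:  # bad octets and out-of-range prefixes alike
        raise ValueError("invalid IP address %r: %s" % (text, exc)) from exc

    ip, net = iface.ip, iface.network
    for unusable, why in (
        (ip.is_unspecified, "unspecified address"),
        (ip.is_loopback, "loopback address"),
        (ip.is_multicast, "multicast address"),
        (ip.is_link_local, "link-local address"),
    ):
        if unusable:
            raise ValueError("%s is not usable for a server: %s" % (ip, why))

    # Network and broadcast addresses can only be recognised when a prefix
    # was given; networks of one or two addresses have no reserved members.
    if "/" in text and net.num_addresses > 2:
        if ip == net.network_address:
            raise ValueError("%s is the network address of %s" % (ip, net))
        if ip.version == 4 and ip == net.broadcast_address:
            raise ValueError("%s is the broadcast address of %s" % (ip, net))
    return iface


def is_rejected(text):
    """True when parse_host_address() refuses the input."""
    try:
        parse_host_address(text)
    except ValueError:
        return True
    return False


# The first three values are the ones quoted in the thread; the rest are
# constructed to cover each address class named in the reply.
REJECTED_SAMPLES = [
    "192.168.0.1/33", "355.555.3.3", "192.168.0.1/55",
    "192.168.0.0/24", "192.168.0.255/24", "127.0.0.1",
    "224.0.0.1", "169.254.10.20", "0.0.0.0", "::1", "fe80::1/64",
]
ACCEPTED_SAMPLES = ["192.168.0.1", "192.168.0.1/24", "10.0.0.0/31", "2001:db8::10/64"]

if __name__ == "__main__":
    for sample in REJECTED_SAMPLES + ACCEPTED_SAMPLES:
        print("%-20s %s" % (sample, "rejected" if is_rejected(sample) else "accepted"))
```

Without a prefix, 192.168.0.0 is accepted as a /32 host, because nothing in the input says which network it belongs to.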
Re: [Freeipa-devel] [PATCH] 5 Add note about ipa-dns-install to ipa-server-install man page
On 30.3.2011 01:01, David O'Brien wrote: Jan Cholasta wrote: Added the note so that users know that they can setup DNS at any time after ipa-server-install. https://fedorahosted.org/freeipa/ticket/1082 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel NACK Minor English and style fix: s/ "Note that you can setup DNS at any later time by running ipa-dns-install" / "Note that you can set up a DNS at any time after the initial IPA server install by running ipa-dns-install." Thanks, fixed. cheers -- Jan Cholasta >From 631aa3a424b28f18195b2adb888536ac7342788d Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Wed, 30 Mar 2011 12:13:38 +0200 Subject: [PATCH] Add note about ipa-dns-install to ipa-server-install man page. ticket 1082 --- install/tools/man/ipa-server-install.1 |7 +++ 1 files changed, 7 insertions(+), 0 deletions(-) diff --git a/install/tools/man/ipa-server-install.1 b/install/tools/man/ipa-server-install.1 index e0ac182..cae821a 100644 --- a/install/tools/man/ipa-server-install.1 +++ b/install/tools/man/ipa-server-install.1 @@ -62,6 +62,11 @@ An unattended installation that will never prompt for user input Generate a DNS zone if it does not exist already and configure the DNS server. This option requires that you either specify at least one DNS forwarder through the \fB\-\-forwarder\fR option or use the \fB\-\-no\-forwarders\fR option. + +Note that you can set up a DNS at any time after the initial IPA server install by running +.B ipa-dns-install +(see +.BR ipa-dns-install (1)). .TP \fB\-\-forwarder\fR=\fIIP_ADDRESS\fR Add a DNS forwarder to the DNS configuration. You can use this option multiple 
@@ -111,3 +116,5 @@ Don't install allow_all HBAC rule. This rule lets any user from any host access 0 if the installation was successful 1 if an error occurred +.SH "SEE ALSO" +.BR ipa-dns-install (1) -- 1.7.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
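Review bot: The added roff lines write the command name with bare hyphens (.B ipa-dns-install in the first hunk, .BR ipa-dns-install (1) in both), while the surrounding source escapes them, as in \fB\-\-forwarder\fR. Use ipa\-dns\-install in all three places so the name is rendered with ASCII hyphen-minus characters and can be copied from the formatted page into a shell.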
Re: [Freeipa-devel] [PATCH] 758 make CA retrieval during discovery non-fatal
On Tue, 2011-03-29 at 13:36 -0400, Rob Crittenden wrote:
> This makes the CA retrieval during IPA discovery non-fatal. If we can't
> get the CA cert then this likely isn't an IPA server so we should just
> return.
>
> ticket 1135
>
> rob

ACK from me. I also tried to at least partially simulate the AD by at least changing DNS SRV records in DNS server controlling the domain. I was able to install the client with --server, --domain and --force options then.

Martin
Re: [Freeipa-devel] [PATCH] 757 fix enrollment if otp is set
On Tue, 2011-03-29 at 13:20 -0400, Rob Crittenden wrote:
> If a one-time password is set when a host is created the
> krbPrincipalName is not created. It will be added when the client
> enrolls with the password.
>
> This means that the host can't enroll with an admin user because we
> don't allow writing krbPrincipalName. This adds an exception that it can
> be written when it is blank.
>
> ticket 1075
>
> rob

ACK. Both IPA server upgrade and then OTP-free client enrollment went fine.

Martin