Re: [Freeipa-devel] [PATCH] 091 Improve long integer type validation

2011-07-18 Thread Martin Kosek
On Fri, 2011-07-15 at 17:26 -0400, Rob Crittenden wrote:
 Martin Kosek wrote:
  Passing a number of long type to IPA Int parameter invokes
  user-unfriendly error message about incompatible types. This patch
  improves Int parameter with user understandable message along with
  maximum value he can pass.
 
  https://fedorahosted.org/freeipa/ticket/1346
 
 nack. We need to limit Int to 32-bit values because that is what XML-RPC 
 supports. So if maxvalue isn't set we need to compare against MAXINT and 
 not sys.maxint.
 
 rob

You are right. Sending a fixed patch.

Martin
From ada8023da76e12139593559ddc9b78865faf26bd Mon Sep 17 00:00:00 2001
From: Martin Kosek mko...@redhat.com
Date: Thu, 14 Jul 2011 09:14:07 +0200
Subject: [PATCH] Improve long integer type validation

Passing a number of long type to IPA Int parameter invokes
user-unfriendly error message about incompatible types. This patch
improves Int parameter with user understandable message along with
maximum value he can pass.

https://fedorahosted.org/freeipa/ticket/1346
---
 ipalib/parameters.py |   24 
 1 files changed, 24 insertions(+), 0 deletions(-)

diff --git a/ipalib/parameters.py b/ipalib/parameters.py
index da3b05cf731578a70f32f5b3d922c670c74cb898..982b192a7776f575ac97e7ed2178c9910f0915e4 100644
--- a/ipalib/parameters.py
+++ b/ipalib/parameters.py
@@ -1066,6 +1066,30 @@ class Int(Number):
 maxvalue=self.maxvalue,
 )
 
+def _validate_scalar(self, value, index=None):
+if type(value) is long:
+# too big number for int type to hold
+if self.maxvalue is not None:
+raise ValidationError(
+name=self.name,
+value=value,
+index=index,
+error=_('can be at most %(maxvalue)d') % dict(
+maxvalue=self.maxvalue,
+)
+)
+else:
+raise ValidationError(
+name=self.name,
+value=value,
+index=index,
+error=_('can be at most %(maxvalue)d') % dict(
+maxvalue=MAXINT,
+)
+)
+super(Int, self)._validate_scalar(value, index)
+
+
 class Float(Number):
 
 A parameter for floating-point values (stored in the ``float`` type).
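Review bot: the new check fires only when `type(value) is long`, so on a 64-bit Python 2 build, where everything up to sys.maxint is a plain `int`, a value such as 2**32 never enters this branch and is handed on to the XML-RPC layer that only carries 32-bit integers. Compare the magnitude against `self.maxvalue if self.maxvalue is not None else MAXINT` regardless of the Python type; the two `raise` blocks differ only in that bound, so they collapse into one. Also confirm MAXINT is imported in parameters.py, which the hunk does not show.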
-- 
1.7.6

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
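The point Rob makes in the review above, that an Int parameter bound for XML-RPC has to be limited to the 32-bit range rather than the interpreter's native size, in working form. This is an added illustration written for this page, not FreeIPA's ipalib.parameters code; IntParam, ValidationError and check() are hypothetical names, and the bound is enforced on the value's magnitude rather than on whether Python happened to represent it as int or long.

```python
"""Range check for an integer parameter that travels over XML-RPC.

Added illustration, not FreeIPA's ipalib.parameters code: XML-RPC's <int>
(<i4>) element carries a signed 32-bit value, so the effective bound of an
Int parameter must be that limit, not the host interpreter's word size,
whether the Python value arrived as a long/big int or as a native int.
IntParam, ValidationError and check() are hypothetical names.
"""

XMLRPC_MAXINT = 2 ** 31 - 1   # largest value an XML-RPC <int> can carry
XMLRPC_MININT = -(2 ** 31)


class ValidationError(ValueError):
    """User-facing error naming the parameter (and index, if multi-valued)."""

    def __init__(self, name, value, error, index=None):
        self.name, self.value, self.error, self.index = name, value, error, index
        where = "%s[%d]" % (name, index) if index is not None else name
        super().__init__("invalid '%s': %s (got %r)" % (where, error, value))


class IntParam:
    """Integer parameter with optional explicit bounds.

    Explicit bounds can narrow the XML-RPC range but never widen it, so a
    caller cannot declare maxvalue=2**40 and let through a value the
    transport cannot encode.
    """

    def __init__(self, name, minvalue=None, maxvalue=None):
        self.name = name
        self.minvalue = XMLRPC_MININT if minvalue is None else max(minvalue, XMLRPC_MININT)
        self.maxvalue = XMLRPC_MAXINT if maxvalue is None else min(maxvalue, XMLRPC_MAXINT)

    def validate(self, value, index=None):
        # bool is a subclass of int; reject it so True/False do not pass as 1/0
        if isinstance(value, bool) or not isinstance(value, int):
            raise ValidationError(self.name, value, "must be an integer", index)
        # The Python type of the object is irrelevant; only the magnitude matters.
        if value > self.maxvalue:
            raise ValidationError(self.name, value,
                                  "can be at most %d" % self.maxvalue, index)
        if value < self.minvalue:
            raise ValidationError(self.name, value,
                                  "can be at least %d" % self.minvalue, index)
        return value

    def validate_all(self, values):
        """Validate a multi-valued parameter, reporting the failing index."""
        return [self.validate(v, index=i) for i, v in enumerate(values)]


def check(param, value):
    """Return (ok, message) instead of raising, for quick inspection."""
    try:
        param.validate(value)
        return True, None
    except ValidationError as e:
        return False, e.error


if __name__ == "__main__":
    uid = IntParam("uidnumber", minvalue=1)
    for candidate in (1000, 2 ** 31 - 1, 2 ** 31, 2 ** 40, 0, "42"):
        print("%-22r -> %s" % (candidate, check(uid, candidate)))
```

Clamping a declared maxvalue to the transport limit is the design choice worth noticing: it keeps the error message honest (the user is told the bound that will actually be enforced) and removes the need for a separate "is this a long?" branch.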

Re: [Freeipa-devel] [PATCH] 088 Check IPA configuration in install tools

2011-07-18 Thread Martin Kosek
On Fri, 2011-07-15 at 10:14 -0400, Rob Crittenden wrote:
 Martin Kosek wrote:
  On Wed, 2011-06-22 at 18:03 -0400, Rob Crittenden wrote:
  Martin Kosek wrote:
  Install tools may fail with unexpected error when IPA server is not
  installed on a system. Improve user experience by implementing
  a check to affected tools.
 
  https://fedorahosted.org/freeipa/ticket/1327
  https://fedorahosted.org/freeipa/ticket/1347
 
  Can you add a docstring to the check_server_configuration() function?
 
  Looking in each utility it isn't necessarily obvious what this does but
  my meager attempts at renaming it all failed. I considered
  is_server_installed() but that implies it would return True/False. Then
  I considered require_server_configured() but that didn't seem to fit
  either. We have lots of other check_* so I guess it is fine, but some
  docs on where/why it is used would be nice.
 
  rob
 
  I see you undertake the same function naming dilemma as I do. I improved
  documentation for the function, it should help.
 
  Martin
 
 ACK

Merged to current master. Pushed to master, ipa-2-0.

Martin



Re: [Freeipa-devel] [PATCH] 817 Add option to wait for values

2011-07-18 Thread Martin Kosek
On Sun, 2011-07-17 at 17:42 -0400, Rob Crittenden wrote:
 Rob Crittenden wrote:
  Martin Kosek wrote:
  On Tue, 2011-07-05 at 13:41 -0400, Rob Crittenden wrote:
  Rob Crittenden wrote:
  Rob Crittenden wrote:
  389-ds postop plugins, such as the managed entry and memberof plugins,
  add values after the data has been returned to the client. In the case
  of the managed entry plugin this affects the parent entry as well
  (adds
  an objectclass value).
 
  This wreaks havoc on our tests as the values don't match what we
  expect.
 
  The solution is to wait for the postop plugins to finish their work,
  then return. I've added this as an option. The downside is it is going
  to naturally slow things down, so it is off by default.
 
  It is currently only used in the hostgroup plugin.
 
  The option is wait_for_attr. Add this to ~/.ipa/default.conf and
  set it
  to True and all the current tests will pass (assuming you apply
  patches
  814-816 as well).
 
  So now we won't have any excuses for missing test failures in the unit
  tests...
 
  rob
 
  Bah, found a small problem. Self-NACK.
 
  rob
 
  Updated patch attached.
 
  Note that I don't think there is a way for us to handle things like
  memberof_indirect. We wouldn't know to wait.
 
  rob
 
  Works fine for the hostgroup entry. It's good it can be switched on/off.
 
  But what about other managed entries, like user entry? Would it make
  sense to add a wait here too? Or maybe something systematic to baseldap
  so that we wouldn't have to implement this wait to every managed entry.
 
  Martin
 
 
  I can certainly add it to users to check for managed groups. Making it
  generic would be difficult because some are conditional (such as users).
 
  rob
 
 Added support for managed users as well.
 
 rob

Waiting for managed users works too. However, I have just noticed that
the entire solution works only partially.

It waits for mepOriginEntry objectclass, but it doesn't add the new LDAP
attributes mepmanagedentry and memberof to the command-add result:

# ipa hostgroup-add hgroup3 --desc=foo --all --raw
-
Added hostgroup hgroup3
-
  dn: cn=hgroup3,cn=hostgroups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
  cn: hgroup3
  description: foo
  ipauniqueid: 20d1b8e4-b114-11e0-ab28-00163e0ed706
  objectclass: ipaobject
  objectclass: ipahostgroup
  objectclass: nestedGroup
  objectclass: groupOfNames
  objectclass: top
  objectclass: mepOriginEntry
# ipa hostgroup-show hgroup3 --all --raw
  dn: cn=hgroup3,cn=hostgroups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
  cn: hgroup3
  description: foo
  ipauniqueid: 20d1b8e4-b114-11e0-ab28-00163e0ed706
  memberof: cn=hgroup3,cn=ng,cn=alt,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
  mepmanagedentry: cn=hgroup3,cn=ng,cn=alt,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
  objectclass: ipaobject
  objectclass: ipahostgroup
  objectclass: nestedGroup
  objectclass: groupOfNames
  objectclass: top
  objectclass: mepOriginEntry

# ipa user-add --first=Foo --last=Bar fbar2 --all --raw
--
Added user fbar2
--
  dn: uid=fbar2,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
  uid: fbar2
  givenname: Foo
  sn: Bar
  cn: Foo Bar
  displayname: Foo Bar
  initials: FB
  homedirectory: /home/fbar2
  gecos: Foo Bar
  loginshell: /bin/sh
  krbprincipalname: fb...@idm.lab.bos.redhat.com
  uidnumber: 52464
  gidnumber: 52464
  ipauniqueid: b22ab54c-b115-11e0-b354-00163e0ed706
  krbpwdpolicyreference: cn=global_policy,cn=IDM.LAB.BOS.REDHAT.COM,cn=kerberos,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
  objectclass: top
  objectclass: person
  objectclass: organizationalperson
  objectclass: inetorgperson
  objectclass: inetuser
  objectclass: posixaccount
  objectclass: krbprincipalaux
  objectclass: krbticketpolicyaux
  objectclass: ipaobject
  objectclass: mepOriginEntry
# ipa user-show fbar2 --all --raw
  dn: uid=fbar2,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
  uid: fbar2
  givenname: Foo
  sn: Bar
  cn: Foo Bar
  displayname: Foo Bar
  initials: FB
  homedirectory: /home/fbar2
  gecos: Foo Bar
  loginshell: /bin/sh
  krbprincipalname: fb...@idm.lab.bos.redhat.com
  uidnumber: 52464
  gidnumber: 52464
  nsaccountlock: False
  ipauniqueid: b22ab54c-b115-11e0-b354-00163e0ed706
  krbpwdpolicyreference: cn=global_policy,cn=IDM.LAB.BOS.REDHAT.COM,cn=kerberos,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
  memberof: cn=ipausers,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
  mepmanagedentry: cn=fbar2,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
  objectclass: top
  objectclass: person
  objectclass: organizationalperson
  objectclass: inetorgperson
  objectclass: inetuser
  objectclass: posixaccount
  objectclass: krbprincipalaux
  objectclass: krbticketpolicyaux
  objectclass: ipaobject
  objectclass: mepOriginEntry


I think these attributes should be added in 
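The failure mode Martin shows above, where the add result lists the mepOriginEntry objectclass but not the memberof and mepmanagedentry values the post-op plugins add afterwards, reduced to a runnable model. This is an added example for this page, not FreeIPA's baseldap code or its test suite: FakeDirectory stands in for 389-ds with plugins whose work lands only after later reads, and wait_for_attrs shows the fix of waiting for every expected attribute and returning the re-read entry rather than the attributes as sent.

```python
"""Return plugin-added attributes from an add command by waiting for them.

Added example, not FreeIPA's baseldap code or its tests. In 389-ds,
post-operation plugins (managed entries, memberOf) modify entries after the
add has been acknowledged, so a result assembled from the add request lacks
attributes such as mepmanagedentry and memberof. Waiting only for the
mepOriginEntry objectclass is not enough: the result has to be re-read once
every expected attribute is present. FakeDirectory, the two plugin
functions and wait_for_attrs are constructed for this illustration.
"""
import time


def managed_entry_plugin(dn, attrs):
    """Mimics the managed entries plugin: a managed netgroup is created and
    the origin entry is marked with mepOriginEntry / mepmanagedentry."""
    managed = "cn=%s,cn=ng,cn=alt,dc=example,dc=test" % attrs["cn"][0]
    return [("objectclass", "mepOriginEntry"), ("mepmanagedentry", managed)]


def memberof_plugin(dn, attrs):
    """Mimics memberOf: the origin entry becomes a member of its netgroup."""
    return [("memberof", "cn=%s,cn=ng,cn=alt,dc=example,dc=test" % attrs["cn"][0])]


class FakeDirectory:
    """LDAP-like store whose post-op work lands only after a number of later
    reads, so a read right after the add still sees the bare entry."""

    def __init__(self, plugins, delay_reads=2):
        self.entries = {}
        self.plugins = plugins
        self.delay_reads = delay_reads
        self.pending = []          # [reads_left, dn, attr, value]

    def add(self, dn, attrs):
        self.entries[dn] = {k: list(v) for k, v in attrs.items()}
        for plugin in self.plugins:
            for attr, value in plugin(dn, attrs):
                self.pending.append([self.delay_reads, dn, attr, value])
        return {k: list(v) for k, v in attrs.items()}   # what a naive add reports

    def get(self, dn):
        still_pending = []
        for item in self.pending:          # each read advances pending work
            item[0] -= 1
            if item[0] <= 0:
                self.entries[item[1]].setdefault(item[2], []).append(item[3])
            else:
                still_pending.append(item)
        self.pending = still_pending
        return {k: list(v) for k, v in self.entries[dn].items()}


def wait_for_attrs(directory, dn, attrs, timeout=2.0, interval=0.01):
    """Poll the entry until every attribute in attrs is present and return the
    freshly read entry. A TimeoutError makes a plugin that never ran show up
    as a failure instead of a silently incomplete result."""
    deadline = time.monotonic() + timeout
    while True:
        entry = directory.get(dn)
        if all(a in entry for a in attrs):
            return entry
        if time.monotonic() >= deadline:
            missing = sorted(set(attrs) - set(entry))
            raise TimeoutError("%s never gained %s" % (dn, missing))
        time.sleep(interval)


def hostgroup_add(directory, name, wait_for_attr=False):
    """Add a hostgroup; with wait_for_attr the returned entry includes what the
    post-op plugins added, which is what the tests in the thread expect."""
    dn = "cn=%s,cn=hostgroups,cn=accounts,dc=example,dc=test" % name
    attrs = {"cn": [name], "objectclass": ["ipaobject", "ipahostgroup", "top"]}
    result = directory.add(dn, attrs)
    if wait_for_attr:
        result = wait_for_attrs(directory, dn, ["mepmanagedentry", "memberof"])
    return result


if __name__ == "__main__":
    store = FakeDirectory([managed_entry_plugin, memberof_plugin])
    print("no wait :", sorted(hostgroup_add(store, "hg1")))
    print("wait    :", sorted(hostgroup_add(store, "hg2", wait_for_attr=True)))
```

Keeping the wait off by default, as the patch under discussion does, and making the timeout explicit keeps the slow path visible: a test that turns the option on is asserting that the plugins ran, and a missing attribute surfaces as a timeout rather than a mismatched expected value.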

Re: [Freeipa-devel] [PATCH] 824 make more sensible nicknames

2011-07-18 Thread Jan Cholasta

On 11.7.2011 23:48, Rob Crittenden wrote:

When loading a chained CA from a PKCS#7 or PEM file we used to use very
generic nicknames, sometimes as bad as Imported CA in the case of
winsync. This will use the subject of the cert to get the nickname instead.

I also extended the API of some of the x509 functions to optionally take
in the NSS database dir. I had originally used this in the patch but did
it another way but still thought the changes useful.

ticket https://fedorahosted.org/freeipa/ticket/1141

Word of warning, this is going to require a fair bit of testing. The way
to test it is to install with an external CA, then install a replica
with a CA to be sure that works as well. Testing basic installs would be
handy as well.

rob



ACK, everything seems to work fine.

Honza

--
Jan Cholasta



Re: [Freeipa-devel] [PATCH] 826 fix failing memberof tests

2011-07-18 Thread Jan Cholasta

On 15.7.2011 23:20, Rob Crittenden wrote:

With the recent object_name/label changes some tests were failing that
were expecting the old value which contained a space. This fixes them.

rob



ACK.

Honza

--
Jan Cholasta



[Freeipa-devel] [PATCH] 096 Fix ipa-dns-install incorrect warning

2011-07-18 Thread Martin Kosek
ipa-dns-install incorrectly warns about non-local IP addresses
when installing without --ip-address parameter.

https://fedorahosted.org/freeipa/ticket/1486

From befac1fc7221cddae0fbda67c4a72297b5377906 Mon Sep 17 00:00:00 2001
From: Martin Kosek mko...@redhat.com
Date: Mon, 18 Jul 2011 12:54:03 +0200
Subject: [PATCH] Fix ipa-dns-install incorrect warning

ipa-dns-install incorrectly warns about non-local IP addresses
when installing without --ip-address parameter.

https://fedorahosted.org/freeipa/ticket/1486
---
 install/tools/ipa-dns-install |2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/install/tools/ipa-dns-install b/install/tools/ipa-dns-install
index 7c83dc8694ffec94299979b163818794db57ccf5..56edccadeebd2ece7db9415ebf0aac69eb64ba29 100755
--- a/install/tools/ipa-dns-install
+++ b/install/tools/ipa-dns-install
@@ -112,7 +112,7 @@ def main():
 ip = options.ip_address
 else:
 hostaddr = resolve_host(api.env.host)
-ip = hostaddr and ipautil.CheckedIPAddress(hostaddr)
+ip = hostaddr and parse_ip_address(hostaddr)
 
 try:
 verify_ip_address(ip)
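Review bot: after the swap the resolved address is checked twice, once by `parse_ip_address(hostaddr)` and again by the `verify_ip_address(ip)` call kept in the `try` just below, and the hunk does not show what parse_ip_address does beyond constructing the same object the old line built. If parse_ip_address already performs the local-interface check, the verify call is redundant and should go; if it does not, the change only moves the warning. One validation path whose result is used directly is what this block needs.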
-- 
1.7.6

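The cleanup the follow-up in this thread argues for, parsing, sanity checks and the local-interface check living in one constructor so install scripts need no separate parse/verify pair, in runnable form. This is an added example for this page, not FreeIPA's ipautil.CheckedIPAddress or its install tools: LocalCheckedAddress, AddressError, rejection() and pick_install_address() are hypothetical names, and local_addrs is an injected list standing in for the interface addresses a real implementation would read from the OS. The install-script helper also shows error reporting that quotes the string that was actually rejected rather than a variable the failed constructor never assigned.

```python
"""A single place for IP address validation in install scripts.

Added example, not FreeIPA's ipautil.CheckedIPAddress or its install tools.
Parsing, sanity checks and the "is this address on a local interface"
check live in one constructor, so callers do not need a parse/verify pair
that can drift apart and a warning has only one possible home.
LocalCheckedAddress, AddressError, rejection and pick_install_address are
hypothetical; local_addrs is an injected list standing in for the
interface addresses a real implementation would enumerate from the OS.
"""
import ipaddress


class AddressError(ValueError):
    """Raised with a message that embeds the text the caller supplied."""


class LocalCheckedAddress:
    """Parse addr (optionally with /prefix), reject unusable addresses and,
    with match_local=True, require it to belong to a local interface."""

    def __init__(self, addr, local_addrs, match_local=True, parse_netmask=True):
        text = addr.strip()
        if "/" in text and not parse_netmask:
            raise AddressError("netmask is not allowed in %s" % addr)
        try:
            iface = ipaddress.ip_interface(text)   # bare host address => /32 or /128
        except ValueError as e:
            raise AddressError("invalid IP address %s: %s" % (addr, e))
        ip, net = iface.ip, iface.network
        if ip.is_loopback or ip.is_multicast or ip.is_unspecified or ip.is_reserved:
            raise AddressError("%s is not a usable host address" % addr)
        # A host-length prefix has no network/broadcast address distinct from the host.
        if net.num_addresses > 2 and ip in (net.network_address, net.broadcast_address):
            raise AddressError("%s is a network or broadcast address" % addr)
        if match_local and ip not in {ipaddress.ip_address(a) for a in local_addrs}:
            raise AddressError("no network interface matches IP address %s" % addr)
        self.ip = ip
        self.prefixlen = net.prefixlen

    def __str__(self):
        return str(self.ip)


def rejection(addr, local_addrs, **kwargs):
    """Return the rejection message for addr, or None if it is accepted."""
    try:
        LocalCheckedAddress(addr, local_addrs, **kwargs)
        return None
    except AddressError as e:
        return str(e)


def pick_install_address(option_ip, hostaddr, local_addrs):
    """Install-script pattern: prefer --ip-address, else the resolved host
    address. Errors quote the string that was actually rejected, never a
    variable that is left unbound when construction fails."""
    candidate = option_ip or hostaddr
    if not candidate:
        return None, "Unable to resolve IP address for host name"
    try:
        return LocalCheckedAddress(candidate, local_addrs), None
    except AddressError as e:
        return None, "Error: Invalid IP Address %s: %s" % (candidate, e)


if __name__ == "__main__":
    # constructed interface list standing in for the host's real addresses
    local = ["192.0.2.10", "2001:db8::10"]
    for opt, resolved in ((None, "192.0.2.10"), ("192.0.2.77", "192.0.2.10"), (None, None)):
        ip, msg = pick_install_address(opt, resolved, local)
        print(opt, resolved, "->", ip if ip else msg)
```

Injecting the interface list is what makes the local-match rule testable offline; in production the same class would be handed the addresses enumerated from the system, and every install tool would call it once instead of combining a parser with a separate verifier.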

Re: [Freeipa-devel] [PATCH] 096 Fix ipa-dns-install incorrect warning

2011-07-18 Thread Jan Cholasta

On 18.7.2011 12:56, Martin Kosek wrote:

ipa-dns-install incorrectly warns about non-local IP addresses
when installing without --ip-address parameter.

https://fedorahosted.org/freeipa/ticket/1486



IMO the warning message should be removed from parse_ip_address 
altogether, as the local IP address check is done in 
CheckedIPAddress.__init__. This makes both parse_ip_address and 
verify_ip_address unnecessary, because all they do is call 
CheckedIPAddress, so calls to them should be replaced with calls to 
CheckedIPAddress directly.


I've made a patch that does all of this and also removes some redundant 
IP address checks from ipa-server-install, see attachment.


Honza

--
Jan Cholasta
From 947708b36bdf6979e11850217a98738f01f896f0 Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Mon, 18 Jul 2011 13:36:47 +0200
Subject: [PATCH] Clean up of IP address checks in install scripts.

Fixes ipa-dns-install incorrect warning.

ticket 1486
---
 install/tools/ipa-dns-install |   12 +---
 install/tools/ipa-replica-install |4 ++--
 install/tools/ipa-server-install  |   22 --
 ipaserver/install/installutils.py |   13 ++---
 4 files changed, 13 insertions(+), 38 deletions(-)

diff --git a/install/tools/ipa-dns-install b/install/tools/ipa-dns-install
index cc091dd..917cb1c 100755
--- a/install/tools/ipa-dns-install
+++ b/install/tools/ipa-dns-install
@@ -109,13 +109,11 @@ def main():
 ip = options.ip_address
 else:
 hostaddr = resolve_host(api.env.host)
-ip = hostaddr and ipautil.CheckedIPAddress(hostaddr)
-
-try:
-verify_ip_address(ip)
-except Exception, e:
-print Error: Invalid IP Address %s: %s % (ip, e)
-ip = None
+try:
+ip = hostaddr and ipautil.CheckedIPAddress(hostaddr, match_local=True)
+except Exception, e:
+print Error: Invalid IP Address %s: %s % (ip, e)
+ip = None
 
 if not ip:
 if options.unattended:
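Review bot: in the new `except` branch `ip` is unbound when `ipautil.CheckedIPAddress(hostaddr, match_local=True)` raises, because the assignment on that line never completes and the only other assignment visible, `ip = options.ip_address`, is in the other arm of the `if`; unless main() assigned `ip` earlier (not shown here), `print "Error: Invalid IP Address %s: %s" % (ip, e)` fails with UnboundLocalError instead of reporting the bad address. Print `hostaddr`, the value that was actually rejected.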
diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index d499754..6531421 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -186,7 +186,7 @@ def install_bind(config, options):
 ip_address = resolve_host(config.host_name)
 if not ip_address:
 sys.exit(Unable to resolve IP address for host name)
-ip = installutils.parse_ip_address(ip_address)
+ip = ipautil.CheckedIPAddress(ip_address, match_local=True)
 ip_address = str(ip)
 
 if options.reverse_zone:
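Review bot: `ipautil.CheckedIPAddress(ip_address, match_local=True)` can raise (an unparseable address, or with match_local one not on a local interface), and unlike the ipa-dns-install hunk in this same patch nothing here catches it, so a replica whose hostname resolves to a non-local address aborts with a traceback rather than a message; wrap it like the other call site. The identical three lines appear again in install_dns_records in the next hunk, which is exactly the duplication the deleted parse_ip_address helper was absorbing; a small shared function would keep both callers in step.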
@@ -225,7 +225,7 @@ def install_dns_records(config, options):
 ip_address = resolve_host(config.host_name)
 if not ip_address:
 sys.exit(Unable to resolve IP address for host name)
-ip = installutils.parse_ip_address(ip_address)
+ip = ipautil.CheckedIPAddress(ip_address, match_local=True)
 ip_address = str(ip)
 reverse_zone = bindinstance.find_reverse_zone(ip)
 
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 35b16da..186b904 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -603,20 +603,11 @@ def main():
 if hostaddr is not None:
 ip = CheckedIPAddress(hostaddr, match_local=True)
 else:
-if not options.ip_address:
-print Unable to resolve IP address for host name
 ip = options.ip_address
-if ip is None and options.unattended:
-sys.exit(Unable to resolve IP address for host name)
-
-if ip:
-try:
-verify_ip_address(ip)
-except Exception, e:
-print Error: Invalid IP Address %s: %s % (ip, e)
-if options.unattended:
-sys.exit(1)
-ip = None
+if ip is None:
+print Unable to resolve IP address for host name
+if options.unattended:
+sys.exit(1)
 
 if options.ip_address:
 if options.ip_address != ip and not options.setup_dns:
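Review bot: with the `verify_ip_address(ip)` block removed, an address supplied via --ip-address on the no-hostaddr path is no longer validated before it is compared against the resolved address and used; that is only safe if the option parser already builds a CheckedIPAddress for --ip-address, which this hunk does not show. The commit message should state where that validation now happens so the "redundant" claim can be checked.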
@@ -626,11 +617,6 @@ def main():
 return 1
 
 ip = options.ip_address
-try:
-verify_ip_address(ip)
-except Exception, e:
-print Error: Invalid IP Address %s: %s % (ip, e)
-sys.exit(1)
 
 if ip is None:
 ip = read_ip_address(host_name, fstore)
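Review bot: dropping this `verify_ip_address(ip)` also drops the `sys.exit(1)` that stopped the install on an invalid --ip-address; if validation moved into option parsing (not visible here) nothing is lost, otherwise an invalid value now flows into `read_ip_address` and the DNS setup unchecked. Either way, a one-line note in the commit message on where the check lives would save the next reader the same question.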
diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
index 68fce7e..0cdc906 100644
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -164,15 +164,6 @@ def verify_fqdn(host_name,no_host_dns=False):
 else:
 print Warning: Hostname (%s) not found in DNS % host_name
 
-def parse_ip_address(addr, match_local=True, parse_netmask=True):
-ip = ipautil.CheckedIPAddress(addr, match_local=match_local, parse_netmask=parse_netmask)
-if match_local and not ip.is_local():
-print Warning: No network interface matches IP address %s % addr
-return ip
-
-def 
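Review bot: this hunk deletes parse_ip_address, a module-level helper, so any caller outside the four files in the diffstat would break at its first call; the diffstat lists only the install tools, so a grep for parse_ip_address and verify_ip_address across the tree (tests included) should accompany the change. The hunk is cut off after `-def` on this page, so the removal of verify_ip_address itself cannot be reviewed here.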

Re: [Freeipa-devel] [PATCH] 088 Check IPA configuration in install tools

2011-07-18 Thread Jan Cholasta

On 18.7.2011 09:41, Martin Kosek wrote:

On Fri, 2011-07-15 at 10:14 -0400, Rob Crittenden wrote:

Martin Kosek wrote:

On Wed, 2011-06-22 at 18:03 -0400, Rob Crittenden wrote:

Martin Kosek wrote:

Install tools may fail with unexpected error when IPA server is not
installed on a system. Improve user experience by implementing
a check to affected tools.

https://fedorahosted.org/freeipa/ticket/1327
https://fedorahosted.org/freeipa/ticket/1347


Can you add a docstring to the check_server_configuration() function?

Looking in each utility it isn't necessarily obvious what this does but
my meager attempts at renaming it all failed. I considered
is_server_installed() but that implies it would return True/False. Then
I considered require_server_configured() but that didn't seem to fit
either. We have lots of other check_* so I guess it is fine, but some
docs on where/why it is used would be nice.

rob


I see you undertake the same function naming dilemma as I do. I improved
documentation for the function, it should help.

Martin


ACK


Merged to current master. Pushed to master, ipa-2-0.

Martin



I've just tried to build current master and got this:

./make-lint
install/tools/ipa-replica-prepare:68: [E0602, parse_options] Undefined 
variable 'config'


Does anyone run make-lint before submitting a patch or during review at 
all? :(


Honza

--
Jan Cholasta



Re: [Freeipa-devel] [PATCH] 088 Check IPA configuration in install tools

2011-07-18 Thread Martin Kosek
On Mon, 2011-07-18 at 14:35 +0200, Jan Cholasta wrote:
 On 18.7.2011 09:41, Martin Kosek wrote:
  On Fri, 2011-07-15 at 10:14 -0400, Rob Crittenden wrote:
  Martin Kosek wrote:
  On Wed, 2011-06-22 at 18:03 -0400, Rob Crittenden wrote:
  Martin Kosek wrote:
  Install tools may fail with unexpected error when IPA server is not
  installed on a system. Improve user experience by implementing
  a check to affected tools.
 
  https://fedorahosted.org/freeipa/ticket/1327
  https://fedorahosted.org/freeipa/ticket/1347
 
  Can you add a docstring to the check_server_configuration() function?
 
  Looking in each utility it isn't necessarily obvious what this does but
  my meager attempts at renaming it all failed. I considered
  is_server_installed() but that implies it would return True/False. Then
  I considered require_server_configured() but that didn't seem to fit
  either. We have lots of other check_* so I guess it is fine, but some
  docs on where/why it is used would be nice.
 
  rob
 
  I see you undertake the same function naming dilemma as I do. I improved
  documentation for the function, it should help.
 
  Martin
 
  ACK
 
  Merged to current master. Pushed to master, ipa-2-0.
 
  Martin
 
 
 I've just tried to build current master and got this:
 
 ./make-lint
 install/tools/ipa-replica-prepare:68: [E0602, parse_options] Undefined 
 variable 'config'
 
 Does anyone run make-lint before submitting a patch or during review at 
 all? :(
 
 Honza
 

We don't - so that you can rant on the list :-) Of course we do, but
this one slipped in. Thanks for catching this.

Fixed and pushed under the one-liner rule (patch attached).

Martin
From 958e8ac090e148f5d7f8c004e8e39aee3804d1ec Mon Sep 17 00:00:00 2001
From: Martin Kosek mko...@redhat.com
Date: Mon, 18 Jul 2011 14:50:05 +0200
Subject: [PATCH] Fix typo in ipa-replica-prepare

https://fedorahosted.org/freeipa/ticket/1327
https://fedorahosted.org/freeipa/ticket/1347
---
 install/tools/ipa-replica-prepare |1 -
 1 files changed, 0 insertions(+), 1 deletions(-)

diff --git a/install/tools/ipa-replica-prepare b/install/tools/ipa-replica-prepare
index 14ee539135f0187d576516d640f885eec3602d8a..0c88244b33f46aa87f4f619a0b7053ec14fd7603 100755
--- a/install/tools/ipa-replica-prepare
+++ b/install/tools/ipa-replica-prepare
@@ -65,7 +65,6 @@ def parse_options():
   default=True, help=disables pkinit setup steps)
 
 options, args = parser.parse_args()
-config.init_config()
 
 if not options.ip_address:
 if options.reverse_zone:
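Review bot: the subject "Fix typo" undersells this hunk: it removes a call to `config.init_config()` on a name lint reports as undefined, so either the line was never reached (dead code) or parse_options raised NameError at runtime. The commit message should say which, and whether the configuration initialisation the line appears to have been meant for happens elsewhere.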
-- 
1.7.6


Re: [Freeipa-devel] [PATCH] 088 Check IPA configuration in install tools

2011-07-18 Thread Jan Cholasta

On 18.7.2011 15:00, Martin Kosek wrote:

On Mon, 2011-07-18 at 14:35 +0200, Jan Cholasta wrote:

On 18.7.2011 09:41, Martin Kosek wrote:

On Fri, 2011-07-15 at 10:14 -0400, Rob Crittenden wrote:

Martin Kosek wrote:

On Wed, 2011-06-22 at 18:03 -0400, Rob Crittenden wrote:

Martin Kosek wrote:

Install tools may fail with unexpected error when IPA server is not
installed on a system. Improve user experience by implementing
a check to affected tools.

https://fedorahosted.org/freeipa/ticket/1327
https://fedorahosted.org/freeipa/ticket/1347


Can you add a docstring to the check_server_configuration() function?

Looking in each utility it isn't necessarily obvious what this does but
my meager attempts at renaming it all failed. I considered
is_server_installed() but that implies it would return True/False. Then
I considered require_server_configured() but that didn't seem to fit
either. We have lots of other check_* so I guess it is fine, but some
docs on where/why it is used would be nice.

rob


I see you undertake the same function naming dilemma as I do. I improved
documentation for the function, it should help.

Martin


ACK


Merged to current master. Pushed to master, ipa-2-0.

Martin



I've just tried to build current master and got this:

./make-lint
install/tools/ipa-replica-prepare:68: [E0602, parse_options] Undefined
variable 'config'

Does anyone run make-lint before submitting a patch or during review at
all? :(

Honza



We don't - so that you can rant on the list :-) Of course we do, but
this one slipped in. Thanks for catching this.

Fixed and pushed under the one-liner rule (patch attached).

Martin


That's a relief, I got frightened for a moment :-)

Honza

--
Jan Cholasta



Re: [Freeipa-devel] [PATCH] 091 Improve long integer type validation

2011-07-18 Thread Rob Crittenden

Martin Kosek wrote:

On Fri, 2011-07-15 at 17:26 -0400, Rob Crittenden wrote:

Martin Kosek wrote:

Passing a number of long type to IPA Int parameter invokes
user-unfriendly error message about incompatible types. This patch
improves Int parameter with user understandable message along with
maximum value he can pass.

https://fedorahosted.org/freeipa/ticket/1346


nack. We need to limit Int to 32-bit values because that is what XML-RPC
supports. So if maxvalue isn't set we need to compare against MAXINT and
not sys.maxint.

rob


You are right. Sending a fixed patch.

Martin


ACK



Re: [Freeipa-devel] [PATCH] 091 Improve long integer type validation

2011-07-18 Thread Martin Kosek
On Mon, 2011-07-18 at 09:43 -0400, Rob Crittenden wrote:
 Martin Kosek wrote:
  On Fri, 2011-07-15 at 17:26 -0400, Rob Crittenden wrote:
  Martin Kosek wrote:
  Passing a number of long type to IPA Int parameter invokes
  user-unfriendly error message about incompatible types. This patch
  improves Int parameter with user understandable message along with
  maximum value he can pass.
 
  https://fedorahosted.org/freeipa/ticket/1346
 
  nack. We need to limit Int to 32-bit values because that is what XML-RPC
  supports. So if maxvalue isn't set we need to compare against MAXINT and
  not sys.maxint.
 
  rob
 
  You are right. Sending a fixed patch.
 
  Martin
 
 ACK

Pushed to master, ipa-2-0.

Martin



[Freeipa-devel] [PATCH] 32 Don't delete NIS netgroup compat suffix on 'ipa-nis-manage disable'

2011-07-18 Thread Jan Cholasta

https://fedorahosted.org/freeipa/ticket/1469

Honza

--
Jan Cholasta



Re: [Freeipa-devel] [PATCH] 825 add dogtag replication management

2011-07-18 Thread Rob Crittenden

Jan Cholasta wrote:

On 15.7.2011 21:24, Rob Crittenden wrote:

Rich Megginson wrote:

On 07/15/2011 10:57 AM, Rob Crittenden wrote:

Rich Megginson wrote:

On 07/15/2011 08:01 AM, Rob Crittenden wrote:

Martin Kosek wrote:

On Fri, 2011-07-15 at 14:43 +0200, Jan Cholasta wrote:

On 15.7.2011 05:42, Rob Crittenden wrote:

Add a separate tool for now to do dogtag replication agreement
management. The syntax is the same for IPA agreements with the
exception
that the DM password is always required and it isn't possible to
delegate the management of this.

ticket https://fedorahosted.org/freeipa/ticket/1250

rob



NACK

'ipa-csreplica-manage list server' doesn't list the peers of the
specified server, but the peers of localhost.

Connecting already connected pair of replicas duplicates the
replication
information ('ipa-csreplica-manage list server' shows the same
hostname
twice).

There is trailing whitespace on line 87 of the patch.

BTW I don't understand why is it possible (or necessary?) to be
able to
have CS replication topology that is different from the main IPA
replication topology (ipa-csreplica-manage allows you to do
that). Is
there a reason for this?

Honza



And some issues from me:

1) Unhelpful error message when force-syncing from a master
without a
replication agreement:

# ipa-csreplica-manage force-sync --from=HOST
Directory Manager password:
ipa: ERROR: Unable to find replication agreement for
vm-060.idm.lab.bos.redhat.com
unexpected error: Unable to proceed

2) Minor stuff in man page:

Unindented Exit statuses:
EXIT STATUS
0 if the command was successful
1 if an error occurred

Missing dot: The default is the machine on which the command is run
Not
honoured by the re-initialize command.


Otherwise it looks good.

Martin



This should address all the issues raised.

The reason for different topology has several reasons:

1. A given IPA server may not have a CA installed
2. Some aspects of ipa-replica-manage can be delegated. We can't
delegate CS replica management because it is in a different directory
server. We don't have users stored there so can't map the GSSAPI
credentials. So only Directory Manager can operate on it for now.
3. Flexibility. You may want way more connections for users than for
the CA.


+ if starttls:
+ self.conn = ipaldap.IPAdmin(hostname, port=port)
+ ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, CACERT)

Why in the starttls case do you not call ipaldap.IPAdmin(hostname,
port=PORT, cacert=CACERT) ?


Because the port is the non-secure port and opening an SSL connection
to it failed.

Ah, ok. So that tells IPAdmin to use this CACERT and to use ldaps.




+ managers = entry.getValues('nsDS5ReplicaBindDN')
+ if replica_binddn not in managers:

You might want to use the dn.py code, or at least normalize the DNs in
managers before comparing


That's a good idea.



+ if master is None:
+ entry.setValues('nsds5replicaupdateschedule', '-2359
0123456')

You should just omit nsds5replicaupdateschedule


It failed with an operations error when I tried removing the attribute
either directly with a MOD_DELETE or doing a MOD_REPLACE with nothing.
I assume this is another attribute in cn=config that once set cannot
be undone.

Right. Ok. When you add the agreement entry, you can just omit it. But
if you are trying to modify an existing agreement entry, you can't
MOD_DELETE it or MOD_REPLACE with an empty value.


Ok, good point about normalizing, updated patch attached.

rob



Everything I found is fixed. You might want to take a look at what
Martin found, though.

Honza



Updated patch to use the DN class a bit more.

rob
From 19eb76779357277b059875803b4fb76791393b02 Mon Sep 17 00:00:00 2001
From: Rob Crittenden rcrit...@redhat.com
Date: Thu, 14 Jul 2011 23:35:01 -0400
Subject: [PATCH] Create tool to manage dogtag replication agreements

For the most part the existing replication code worked with the
following exceptions:

- Added more port options
- It assumed that initial connections were done to an SSL port. Added
  ability to use startTLS
- It assumed that the name of the agreement was the same on both sides.
  In dogtag one is marked as master and one as clone. A new option is
  added, master, that determines which side we're working on or None
  if it isn't a dogtag agreement.
- Don't set the attribute exclude list on dogtag agreements
- dogtag doesn't set a schedule by default (which is actually recommended
  by 389-ds). This causes problems when doing a force-sync though so
  if one is done we set a schedule to run all the time. Otherwise the
  temporary schedule can't be removed (LDAP operations error).

https://fedorahosted.org/freeipa/ticket/1250
---
 freeipa.spec.in  |7 +-
 install/tools/Makefile.am|1 +
 install/tools/ipa-csreplica-manage   |  452 ++
 install/tools/man/Makefile.am|1 +
 install/tools/man/ipa-csreplica-manage.1 |   93 ++
 

Re: [Freeipa-devel] [PATCH] 825 add dogtag replication management

2011-07-18 Thread Rich Megginson

On 07/18/2011 09:34 AM, Rob Crittenden wrote:

Jan Cholasta wrote:

On 15.7.2011 21:24, Rob Crittenden wrote:

Rich Megginson wrote:

On 07/15/2011 10:57 AM, Rob Crittenden wrote:

Rich Megginson wrote:

On 07/15/2011 08:01 AM, Rob Crittenden wrote:

Martin Kosek wrote:

On Fri, 2011-07-15 at 14:43 +0200, Jan Cholasta wrote:

On 15.7.2011 05:42, Rob Crittenden wrote:

Add a separate tool for now to do dogtag replication agreement
management. The syntax is the same for IPA agreements with the
exception
that the DM password is always required and it isn't possible to
delegate the management of this.

ticket https://fedorahosted.org/freeipa/ticket/1250

rob



NACK

'ipa-csreplica-manage list server' doesn't list the peers of the
specified server, but the peers of localhost.

Connecting already connected pair of replicas duplicates the
replication
information ('ipa-csreplica-manage list server' shows the same
hostname
twice).

There is trailing whitespace on line 87 of the patch.

BTW I don't understand why is it possible (or necessary?) to be
able to
have CS replication topology that is different from the main IPA
replication topology (ipa-csreplica-manage allows you to do
that). Is
there a reason for this?

Honza



And some issues from me:

1) Unhelpful error message when force-syncing from a master
without a
replication agreement:

# ipa-csreplica-manage force-sync --from=HOST
Directory Manager password:
ipa: ERROR: Unable to find replication agreement for
vm-060.idm.lab.bos.redhat.com
unexpected error: Unable to proceed

2) Minor stuff in man page:

Unindented Exit statuses:
EXIT STATUS
0 if the command was successful
1 if an error occurred

Missing dot: The default is the machine on which the command is run
Not
honoured by the re-initialize command.


Otherwise it looks good.

Martin



This should address all the issues raised.

The reason for different topology has several reasons:

1. A given IPA server may not have a CA installed
2. Some aspects of ipa-replica-manage can be delegated. We can't
delegate CS replica management because it is in a different directory
server. We don't have users stored there so can't map the GSSAPI
credentials. So only Directory Manager can operate on it for now.
3. Flexibility. You may want way more connections for users than for
the CA.


+ if starttls:
+ self.conn = ipaldap.IPAdmin(hostname, port=port)
+ ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, CACERT)

Why in the starttls case do you not call ipaldap.IPAdmin(hostname,
port=PORT, cacert=CACERT) ?


Because the port is the non-secure port and opening an SSL connection
to it failed.

Ah, ok. So that tells IPAdmin to use this CACERT and to use ldaps.




+ managers = entry.getValues('nsDS5ReplicaBindDN')
+ if replica_binddn not in managers:

You might want to use the dn.py code, or at least normalize the DNs in
managers before comparing


That's a good idea.



+ if master is None:
+ entry.setValues('nsds5replicaupdateschedule', '-2359
0123456')

You should just omit nsds5replicaupdateschedule


It failed with an operations error when I tried removing the attribute either directly with a MOD_DELETE or doing a MOD_REPLACE with nothing.

I assume this is another attribute in cn=config that once set cannot be undone.

Right. Ok. When you add the agreement entry, you can just omit it. But
if you are trying to modify an existing agreement entry, you can't
MOD_DELETE it or MOD_REPLACE with an empty value.


Ok, good point about normalizing, updated patch attached.

rob



Everything I found is fixed. You might want to take a look at what
Martin found, though.

Honza



Updated patch to use the DN class a bit more.

ack


rob


___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


[Freeipa-devel] [PATCH] 208 Entity select widget improvements

2011-07-18 Thread Endi Sukma Dewata

The IPA.entity_select_widget has been modified into a searchable and
editable drop down list.

Ticket #1361

--
Endi S. Dewata
From 5affc4f0a2748a1882b4f883b657ffcc5bfbf7d5 Mon Sep 17 00:00:00 2001
From: Endi S. Dewata edew...@redhat.com
Date: Fri, 15 Jul 2011 12:18:59 -0500
Subject: [PATCH] Entity select widget improvements

The IPA.entity_select_widget has been modified into a searchable and
editable drop down list.

Ticket #1361
---
 install/ui/aci.js|   41 +++--
 install/ui/details.js|   53 +++---
 install/ui/dialog.js |6 +-
 install/ui/entitle.js|8 +-
 install/ui/hbac.js   |4 +-
 install/ui/host.js   |9 +-
 install/ui/ipa.css   |  212 +++--
 install/ui/jsl.conf  |2 +-
 install/ui/policy.js |9 +-
 install/ui/search.js |   11 +-
 install/ui/serverconfig.js   |5 +-
 install/ui/service.js|7 +-
 install/ui/test/aci_tests.js |2 +-
 install/ui/test/details_tests.js |   14 +-
 install/ui/test/widget_tests.js  |   11 +-
 install/ui/user.js   |   12 +-
 install/ui/widget.js |  378 --
 17 files changed, 468 insertions(+), 316 deletions(-)

diff --git a/install/ui/aci.js b/install/ui/aci.js
index 1a95af0e7f9d663fccb98d472aee3b2a8fee2868..54050c79cfa2f88fae87907cae67bb71affb7082 100644
--- a/install/ui/aci.js
+++ b/install/ui/aci.js
@@ -50,7 +50,8 @@ IPA.entity_factories.permission = function() {
 }]}).
 standard_association_facets().
 adder_dialog({
-height: '400',
+width: 500,
+height: 400,
 fields:[
 'cn',
 {
@@ -165,12 +166,16 @@ IPA.entity_factories.delegation = function() {
 fields:[
 'aciname',
 {
-factory:IPA.entity_select_widget,
-name: 'group', entity: 'group'
+factory: IPA.entity_select_widget,
+name: 'group',
+other_entity: 'group',
+other_field: 'cn'
 },
 {
-factory:IPA.entity_select_widget,
-name: 'memberof', entity: 'group',
+factory: IPA.entity_select_widget,
+name: 'memberof',
+other_entity: 'group',
+other_field: 'cn',
 join: true
 },
 {
@@ -183,13 +188,19 @@ IPA.entity_factories.delegation = function() {
 fields:[
 'aciname',
 {
-factory:IPA.entity_select_widget,
-name: 'group', entity: 'group', undo: false
+factory: IPA.entity_select_widget,
+name: 'group',
+other_entity: 'group',
+other_field: 'cn',
+undo: false
 },
 {
-factory:IPA.entity_select_widget,
-name: 'memberof', entity: 'group',
-join: true, undo: false
+factory: IPA.entity_select_widget,
+name: 'memberof',
+other_entity: 'group',
+other_field: 'cn',
+join: true,
+undo: false
 },
 {
 factory:IPA.attributes_widget,
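Review bot: the two delegation field lists in this hunk and the one above it now spell out `other_entity: 'group', other_field: 'cn'` four times and differ only by `undo: false`; defaulting `other_field` to `'cn'` inside IPA.entity_select_widget (`spec.other_field || 'cn'`) and building the shared field specs once would remove the duplication and leave a single place to update the next time the widget's options change.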
@@ -402,8 +413,12 @@ IPA.target_section = function(spec) {
 cols: 30, rows: 1,
 undo: that.undo
 });
-that.group_select = IPA.entity_select_widget(
-{name: 'targetgroup', entity:'group', undo: that.undo});
+that.group_select = IPA.entity_select_widget({
+name: 'targetgroup',
+other_entity: 'group',
+other_field: 'cn',
+undo: that.undo
+});
 that.type_select = IPA.select_widget({name: 'type', undo: that.undo});
 that.attribute_table = IPA.attributes_widget({
 name: 'attrs', undo: that.undo});
@@ -506,7 +521,7 @@ IPA.target_section = function(spec) {
 that.group_select.create(span);
 },
 load: function(record){
-that.group_select.entity_select.val(record.targetgroup);
+that.group_select.list.val(record.targetgroup);
 },
 save: function(record){
 record.targetgroup = that.group_select.save()[0];
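Review bot: `load` reaches into the widget's DOM (`that.group_select.list.val(record.targetgroup)`), which is exactly why this line had to change when the internal element was renamed from `entity_select` to `list`; since the widget already exposes `save()`, give it a matching load/set method and call that from aci.js so the element name stays private to widget.js.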
diff --git a/install/ui/details.js b/install/ui/details.js
index b31305c693de767ec2381192759ca9839ca6894c..82804b538618e884025990907e235a6050b8f2b0 100644
--- a/install/ui/details.js
+++ b/install/ui/details.js
@@ -26,8 +26,8 @@
 
 /* REQUIRES: ipa.js */
 
-IPA.expanded_icon = 'ui-icon-expanded';

Re: [Freeipa-devel] [PATCH] 25 Update minimum required version of python-netaddr

2011-07-18 Thread Jakub Hrozek
On 07/01/2011 09:04 PM, Jan Cholasta wrote:
 On 1.7.2011 16:34, Jakub Hrozek wrote:
 On 07/01/2011 06:35 AM, Jan Cholasta wrote:
 On 28.6.2011 16:14, Jakub Hrozek wrote:
 On 06/28/2011 08:52 AM, Jan Cholasta wrote:
 https://fedorahosted.org/freeipa/ticket/1288

 Honza


 I gather this is done in order to get rid of the try: except all hack
 in installer?

 This works fine with F15 and F16 in mind. However, if the specfile is
 intended for being usable on RHEL as well (at least for development),
 some %if magic is required -- the fix is not there yet.


 Updated so that 0.7.5-3 is required on Fedora >= 15 and RHEL >= 6.

 Honza


 Sorry, I wasn't clear in the previous message.

 The fix so far is *only* in Fedora, not in any RHEL versions. So the
 versioned requires must apply only to Fedora until we release
 python-netaddr errata, be it in 6.2 or 6.3
 
 Thanks for the info. I really need to learn more about RHEL :-)
 
 Updated patch attached.
 
 Honza
 

I missed the new revision - sorry.

Ack!




Re: [Freeipa-devel] [PATCH] 823 validate certificate subject base

2011-07-18 Thread Rob Crittenden

Martin Kosek wrote:

On Thu, 2011-07-07 at 12:02 -0400, Rob Crittenden wrote:

Use John's new DN class to verify that the subject base passed into
ipa-server-install is valid.

https://fedorahosted.org/freeipa/ticket/1176

rob


Works fine for basic errors. But what if the DN is syntactically valid,
but it makes no sense for CA? For example:

# ipa-server-install --subject=FOO=BAR
...
Configuring certificate server: Estimated time 6 minutes
   [1/16]: creating certificate server user
   [2/16]: creating pki-ca instance
   [3/16]: restarting certificate server
   [4/16]: configuring certificate server instance
root: CRITICAL failed to configure ca instance Command
'/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname
vm-099.idm.lab.bos.redhat.com -cs_port 9445
-client_certdb_dir /tmp/tmp-VQeqTM -client_certdb_pwd ''
-preop_pin p8NYnreBzTcV8Oq13vCu -domain_name IPA -admin_user admin
-admin_email root@localhost -admin_password '' -agent_name
ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa
-agent_cert_subject CN=ipa-ca-agent,FOO=BAR -ldap_host
vm-099.idm.lab.bos.redhat.com -ldap_port 7389 -bind_dn cn=Directory
Manager -bind_password '' -base_dn o=ipaca -db_name ipaca
-key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true
-backup_pwd '' -subsystem_name pki-cad -token_name internal
-ca_subsystem_cert_subject_name CN=CA Subsystem,FOO=BAR
-ca_ocsp_cert_subject_name CN=OCSP Subsystem,FOO=BAR
-ca_server_cert_subject_name CN=vm-099.idm.lab.bos.redhat.com,FOO=BAR
-ca_audit_signing_cert_subject_name CN=CA Audit,FOO=BAR
-ca_sign_cert_subject_name CN=Certificate Authority,FOO=BAR -external
false -clone false' returned non-zero exit status 255
Unexpected error - see ipaserver-install.log for details:
  Configuration of CA failed


Could we cover also these cases in the callback?

Martin



Added list of allowed attributes.

rob
From fcb39d9ab06242916381a63e922f4b93cb048971 Mon Sep 17 00:00:00 2001
From: Rob Crittenden rcrit...@redhat.com
Date: Thu, 7 Jul 2011 11:55:20 -0400
Subject: [PATCH] Validate that the certificate subject base is in valid DN format.

https://fedorahosted.org/freeipa/ticket/1176
---
 install/tools/ipa-server-install |   21 -
 1 files changed, 20 insertions(+), 1 deletions(-)

diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 35b16dae8c069d510ed0293930a2d026265aa990..8c51154699f84a7e071e3c69883c58eaf2163626 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -58,10 +58,13 @@ from ipapython.ipautil import *
 from ipalib import api, errors, util
 from ipalib.parameters import IA5Str
 from ipapython.config import IPAOptionParser
+from ipalib.dn import DN
 
 pw_name = None
 uninstalling = False
 
+VALID_SUBJECT_ATTRS = ['cn', 'st', 'o', 'ou', 'dnqualifier', 'c', 'serialnumber', 'l', 'title', 'sn', 'givenname', 'initials', 'generationqualifier', 'dc', 'mail', 'uid', 'postaladdress', 'postalcode', 'postofficebox', 'houseidentifier', 'e', 'street', 'pseudonym', 'incorporationlocality', 'incorporationstate', 'incorporationcountry', 'businesscategory']
+
 def zonemgr_callback(option, opt_str, value, parser):
 
 Make sure the zonemgr is an IA5String.
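Review bot: `VALID_SUBJECT_ATTRS` is a 27-element list on a single line; besides wrapping it as Martin asked, make it a `frozenset` so the `not in` test in `subject_callback` is a hash lookup and duplicates cannot creep in, and add a comment saying what the list is derived from, since the thread only shows that `FOO=BAR` breaks CA configuration.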
@@ -72,6 +75,21 @@ def zonemgr_callback(option, opt_str, value, parser):
 ia._convert_scalar(v)
 parser.values.zonemgr = value
 
+def subject_callback(option, opt_str, value, parser):
+
+Make sure the certificate subject base is a valid DN
+
+name = opt_str.replace('--','')
+v = unicode(value, 'utf-8')
+try:
+dn = DN(v)
+for x in xrange(len(dn)):
+if dn[x][0].attr.lower() not in VALID_SUBJECT_ATTRS:
+raise ValueError('invalid attribute: %s' % dn[x][0].attr.lower())
+except ValueError, e:
+raise ValueError('Invalid subject base format: %s' % str(e))
+parser.values.subject = value
+
 def parse_options():
 # Guaranteed to give a random 200k range below the 2G mark (uint32_t limit)
 namespace = random.randint(1, 1) * 20
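Review bot: `name = opt_str.replace('--','')` in `subject_callback` is assigned and never used; drop it. The check also inspects only `dn[x][0]`, the first AVA of each RDN, so if the DN class parses multi-valued RDNs a subject base such as `cn=a+foo=b` would get past the allow-list; iterating every AVA (`for rdn in dn: for ava in rdn:`) closes that gap and replaces the `for x in xrange(len(dn))` index loop at the same time.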
@@ -142,7 +160,8 @@ def parse_options():
   help=The starting value for the IDs range (default random))
 parser.add_option(--idmax, dest=idmax, default=0, type=int,
   help=The max value value for the IDs range (default: idstart+19))
-parser.add_option(--subject, dest=subject,
+parser.add_option(--subject, action=callback, callback=subject_callback,
+  type=string,
   help=The certificate subject base (default O=realm-name))
 parser.add_option(--no_hbac_allow, dest=hbac_allow, default=False,
   action=store_true,
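Review bot: the `dest=subject` keyword was dropped when the option switched to `action=callback`; the callback assigns `parser.values.subject` itself and optparse happens to derive the same name from `--subject`, but keeping `dest=subject` (and an explicit `default=None`) on the declaration makes that coupling visible next to the other options instead of hiding it in the callback body.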
-- 
1.7.4

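A Python example added here (not FreeIPA code) that covers two points raised on this page: normalising nsDS5ReplicaBindDN values before the membership check that the ipa-csreplica-manage review above asked to be normalised, and rejecting a subject base such as FOO=BAR that parses as a DN but uses attribute types the CA cannot handle; it checks every AVA of every RDN, which goes beyond the first-AVA check in the patch. The VALID_SUBJECT_ATTRS list is the one from the patch above; the parser, the function names and the sample DNs are constructed for this example, and the case-insensitive DN matching it assumes is 389-ds's behaviour for DN-syntax attributes.

```python
import re

# Added example, not FreeIPA code: a small DN parser that serves two points
# from this thread, normalising nsDS5ReplicaBindDN values before comparing
# them and rejecting a subject base whose attribute types the CA cannot use.

# Allowed subject attribute types, copied from VALID_SUBJECT_ATTRS in the
# patch above; a frozenset makes the membership test a hash lookup.
VALID_SUBJECT_ATTRS = frozenset([
    'cn', 'st', 'o', 'ou', 'dnqualifier', 'c', 'serialnumber', 'l', 'title',
    'sn', 'givenname', 'initials', 'generationqualifier', 'dc', 'mail', 'uid',
    'postaladdress', 'postalcode', 'postofficebox', 'houseidentifier', 'e',
    'street', 'pseudonym', 'incorporationlocality', 'incorporationstate',
    'incorporationcountry', 'businesscategory',
])

# Attribute type syntax: a descriptor such as cn or givenName, or a dotted OID.
ATTR_TYPE = re.compile(r'^(?:[A-Za-z][A-Za-z0-9-]*|[0-9]+(?:\.[0-9]+)+)$')


def parse_dn(dn):
    """Parse an RFC 4514 style DN into a list of RDNs, each a list of
    (attribute_type, value) pairs.  Backslash escapes are honoured and '+'
    separates the AVAs of a multi-valued RDN.  Raises ValueError when the
    string is not a DN (no '=', dangling escape, trailing separator)."""
    rdns, rdn, buf = [], [], []
    attr, in_value, escaped = None, False, False
    for ch in dn:
        if escaped:                       # literal character after a backslash
            buf.append(ch)
            escaped = False
        elif ch == '\\':
            escaped = True
        elif ch == '=' and not in_value:  # end of the attribute type
            attr = ''.join(buf).strip()
            buf, in_value = [], True
        elif ch in ',+' and in_value:     # end of an AVA; ',' also ends the RDN
            rdn.append((attr, ''.join(buf).strip()))
            buf, attr, in_value = [], None, False
            if ch == ',':
                rdns.append(rdn)
                rdn = []
        else:
            buf.append(ch)
    if escaped or not in_value:
        raise ValueError('not a DN: %r' % (dn,))
    rdn.append((attr, ''.join(buf).strip()))
    rdns.append(rdn)
    return rdns


def normalize_dn(dn):
    """Canonical string for comparison: types and values lower-cased (this
    assumes case-insensitive DN matching, as 389-ds does for DN syntax),
    whitespace around separators dropped, AVAs of a multi-valued RDN sorted."""
    def esc(value):
        return ''.join('\\' + c if c in ',+="\\<>;' else c for c in value)
    parts = []
    for rdn in parse_dn(dn):
        avas = sorted((a.lower(), v.lower()) for a, v in rdn)
        parts.append('+'.join('%s=%s' % (a, esc(v)) for a, v in avas))
    return ','.join(parts)


def bind_dn_is_manager(replica_binddn, managers):
    """Membership test that survives the case and spacing differences a plain
    'replica_binddn not in managers' check trips over."""
    wanted = normalize_dn(replica_binddn)
    return any(normalize_dn(m) == wanted for m in managers)


def validate_subject_base(subject):
    """Return the parsed RDNs of an acceptable subject base or raise
    ValueError.  Every AVA of every RDN is inspected, so 'cn=a+foo=b' is
    rejected along with 'FOO=BAR', not only the first AVA of each RDN."""
    try:
        rdns = parse_dn(subject)
    except ValueError as e:
        raise ValueError('Invalid subject base format: %s' % e)
    for rdn in rdns:
        for attr, _ in rdn:
            if not ATTR_TYPE.match(attr):
                raise ValueError('Invalid subject base format: bad attribute type %r' % (attr,))
            if attr.lower() not in VALID_SUBJECT_ATTRS:
                raise ValueError('Invalid subject base format: invalid attribute: %s' % attr.lower())
    return rdns


def subject_base_problem(subject):
    """The validation error message for a subject base, or None if it is fine."""
    try:
        validate_subject_base(subject)
    except ValueError as e:
        return str(e)
    return None


if __name__ == '__main__':
    # Constructed sample values, not taken from any real deployment.
    managers = ['CN=Replication Manager, cn=config', 'cn=other manager,cn=config']
    binddn = 'cn=replication manager,cn=config'
    print('plain membership: %s' % (binddn in managers))                # False
    print('normalised:       %s' % bind_dn_is_manager(binddn, managers))  # True
    for base in ['O=EXAMPLE.COM', 'FOO=BAR', 'cn=a+foo=b', 'not a dn']:
        print('%-14s -> %s' % (base, subject_base_problem(base) or 'ok'))
```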

Re: [Freeipa-devel] [PATCH] 823 validate certificate subject base

2011-07-18 Thread Martin Kosek
On Mon, 2011-07-18 at 12:08 -0400, Rob Crittenden wrote:
 Martin Kosek wrote:
  On Thu, 2011-07-07 at 12:02 -0400, Rob Crittenden wrote:
  Use John's new DN class to verify that the subject base passed into
  ipa-server-install is valid.
 
  https://fedorahosted.org/freeipa/ticket/1176
 
  rob
 
  Works fine for basic errors. But what if the DN is syntactically valid,
  but it makes no sense for CA? For example:
 
  # ipa-server-install --subject=FOO=BAR
  ...
  Configuring certificate server: Estimated time 6 minutes
 [1/16]: creating certificate server user
 [2/16]: creating pki-ca instance
 [3/16]: restarting certificate server
 [4/16]: configuring certificate server instance
  root: CRITICAL failed to configure ca instance Command
  '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname
  vm-099.idm.lab.bos.redhat.com -cs_port 9445
  -client_certdb_dir /tmp/tmp-VQeqTM -client_certdb_pwd ''
  -preop_pin p8NYnreBzTcV8Oq13vCu -domain_name IPA -admin_user admin
  -admin_email root@localhost -admin_password '' -agent_name
  ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa
  -agent_cert_subject CN=ipa-ca-agent,FOO=BAR -ldap_host
  vm-099.idm.lab.bos.redhat.com -ldap_port 7389 -bind_dn cn=Directory
  Manager -bind_password '' -base_dn o=ipaca -db_name ipaca
  -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true
  -backup_pwd '' -subsystem_name pki-cad -token_name internal
  -ca_subsystem_cert_subject_name CN=CA Subsystem,FOO=BAR
  -ca_ocsp_cert_subject_name CN=OCSP Subsystem,FOO=BAR
  -ca_server_cert_subject_name CN=vm-099.idm.lab.bos.redhat.com,FOO=BAR
  -ca_audit_signing_cert_subject_name CN=CA Audit,FOO=BAR
  -ca_sign_cert_subject_name CN=Certificate Authority,FOO=BAR -external
  false -clone false' returned non-zero exit status 255
  Unexpected error - see ipaserver-install.log for details:
Configuration of CA failed
 
 
  Could we cover also these cases in the callback?
 
  Martin
 
 
 Added list of allowed attributes.
 
 rob

ACK, works fine. I would just recommend to split the line with
VALID_SUBJECT_ATTRS before pushing, it's quite long.

Martin



Re: [Freeipa-devel] [PATCH] 32 Don't delete NIS netgroup compat suffix on 'ipa-nis-manage disable'

2011-07-18 Thread Martin Kosek
On Mon, 2011-07-18 at 17:16 +0200, Jan Cholasta wrote:
 https://fedorahosted.org/freeipa/ticket/1469
 
 Honza
 

The patch is missing.

Martin



Re: [Freeipa-devel] [PATCH] 823 validate certificate subject base

2011-07-18 Thread Rob Crittenden

Martin Kosek wrote:

On Mon, 2011-07-18 at 12:08 -0400, Rob Crittenden wrote:

Martin Kosek wrote:

On Thu, 2011-07-07 at 12:02 -0400, Rob Crittenden wrote:

Use John's new DN class to verify that the subject base passed into
ipa-server-install is valid.

https://fedorahosted.org/freeipa/ticket/1176

rob


Works fine for basic errors. But what if the DN is syntactically valid,
but it makes no sense for CA? For example:

# ipa-server-install --subject=FOO=BAR
...
Configuring certificate server: Estimated time 6 minutes
[1/16]: creating certificate server user
[2/16]: creating pki-ca instance
[3/16]: restarting certificate server
[4/16]: configuring certificate server instance
root: CRITICAL failed to configure ca instance Command
'/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname
vm-099.idm.lab.bos.redhat.com -cs_port 9445
-client_certdb_dir /tmp/tmp-VQeqTM -client_certdb_pwd ''
-preop_pin p8NYnreBzTcV8Oq13vCu -domain_name IPA -admin_user admin
-admin_email root@localhost -admin_password '' -agent_name
ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa
-agent_cert_subject CN=ipa-ca-agent,FOO=BAR -ldap_host
vm-099.idm.lab.bos.redhat.com -ldap_port 7389 -bind_dn cn=Directory
Manager -bind_password '' -base_dn o=ipaca -db_name ipaca
-key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true
-backup_pwd '' -subsystem_name pki-cad -token_name internal
-ca_subsystem_cert_subject_name CN=CA Subsystem,FOO=BAR
-ca_ocsp_cert_subject_name CN=OCSP Subsystem,FOO=BAR
-ca_server_cert_subject_name CN=vm-099.idm.lab.bos.redhat.com,FOO=BAR
-ca_audit_signing_cert_subject_name CN=CA Audit,FOO=BAR
-ca_sign_cert_subject_name CN=Certificate Authority,FOO=BAR -external
false -clone false' returned non-zero exit status 255
Unexpected error - see ipaserver-install.log for details:
   Configuration of CA failed


Could we cover also these cases in the callback?

Martin



Added list of allowed attributes.

rob


ACK, works fine. I would just recommend to split the line with
VALID_SUBJECT_ATTRS before pushing, it's quite long.

Martin



Fixed and pushed to master and ipa-2-0



Re: [Freeipa-devel] [PATCH] 824 make more sensible nicknames

2011-07-18 Thread Rob Crittenden

Jan Cholasta wrote:

On 11.7.2011 23:48, Rob Crittenden wrote:

When loading a chained CA from a PKCS#7 or PEM file we used to use very
generic nicknames, sometimes as bad as Imported CA in the case of
winsync. This will use the subject of the cert to get the nickname
instead.

I also extended the API of some of the x509 functions to optionally take
in the NSS database dir. I had originally used this in the patch but did
it another way but still thought the changes useful.

ticket https://fedorahosted.org/freeipa/ticket/1141

Word of warning, this is going to require a fair bit of testing. The way
to test it is to install with an external CA, then install a replica
with a CA to be sure that works as well. Testing basic installs would be
handy as well.

rob



ACK, everything seems to work fine.

Honza



pushed to master and ipa-2-0



Re: [Freeipa-devel] [PATCH] 826 fix failing memberof tests

2011-07-18 Thread Rob Crittenden

Jan Cholasta wrote:

On 15.7.2011 23:20, Rob Crittenden wrote:

With the recent object_name/label changes some tests were failing that
were expecting the old value which contained a space. This fixes them.

rob



ACK.

Honza



pushed to master



Re: [Freeipa-devel] [PATCH] 825 add dogtag replication management

2011-07-18 Thread Rob Crittenden

Rich Megginson wrote:

On 07/18/2011 09:34 AM, Rob Crittenden wrote:

Jan Cholasta wrote:

On 15.7.2011 21:24, Rob Crittenden wrote:

Rich Megginson wrote:

On 07/15/2011 10:57 AM, Rob Crittenden wrote:

Rich Megginson wrote:

On 07/15/2011 08:01 AM, Rob Crittenden wrote:

Martin Kosek wrote:

On Fri, 2011-07-15 at 14:43 +0200, Jan Cholasta wrote:

On 15.7.2011 05:42, Rob Crittenden wrote:

Add a separate tool for now to do dogtag replication agreement
management. The syntax is the same for IPA agreements with the
exception
that the DM password is always required and it isn't possible to
delegate the management of this.

ticket https://fedorahosted.org/freeipa/ticket/1250

rob



NACK

'ipa-csreplica-manage list server' doesn't list the peers of the
specified server, but the peers of localhost.

Connecting an already connected pair of replicas duplicates the replication information ('ipa-csreplica-manage list server' shows the same hostname twice).

There is trailing whitespace on line 87 of the patch.

BTW I don't understand why it is possible (or necessary?) to be able to have a CS replication topology that is different from the main IPA replication topology (ipa-csreplica-manage allows you to do that). Is there a reason for this?

Honza



And some issues from me:

1) Unhelpful error message when force-syncing from a master without a replication agreement:

# ipa-csreplica-manage force-sync --from=HOST
Directory Manager password:
ipa: ERROR: Unable to find replication agreement for
vm-060.idm.lab.bos.redhat.com
unexpected error: Unable to proceed

2) Minor stuff in man page:

Unindented Exit statuses:
EXIT STATUS
0 if the command was successful
1 if an error occurred

Missing dot: The default is the machine on which the command is run

Not honoured by the re-initialize command.


Otherwise it looks good.

Martin



This should address all the issues raised.

There are several reasons for the different topology:

1. A given IPA server may not have a CA installed
2. Some aspects of ipa-replica-manage can be delegated. We can't delegate CS replica management because it is in a different directory server. We don't have users stored there so can't map the GSSAPI credentials. So only Directory Manager can operate on it for now.
3. Flexibility. You may want way more connections for users than for the CA.


+ if starttls:
+ self.conn = ipaldap.IPAdmin(hostname, port=port)
+ ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, CACERT)

Why in the starttls case do you not call ipaldap.IPAdmin(hostname,
port=PORT, cacert=CACERT) ?


Because the port is the non-secure port and opening an SSL connection
to it failed.

Ah, ok. So that tells IPAdmin to use this CACERT and to use ldaps.




+ managers = entry.getValues('nsDS5ReplicaBindDN')
+ if replica_binddn not in managers:

You might want to use the dn.py code, or at least normalize the DNs in managers before comparing


That's a good idea.



+ if master is None:
+ entry.setValues('nsds5replicaupdateschedule', '-2359
0123456')

You should just omit nsds5replicaupdateschedule


It failed with an operations error when I tried removing the attribute either directly with a MOD_DELETE or doing a MOD_REPLACE with nothing.
I assume this is another attribute in cn=config that once set cannot be undone.

Right. Ok. When you add the agreement entry, you can just omit it. But
if you are trying to modify an existing agreement entry, you can't
MOD_DELETE it or MOD_REPLACE with an empty value.


Ok, good point about normalizing, updated patch attached.

rob



Everything I found is fixed. You might want to take a look at what
Martin found, though.

Honza



Updated patch to use the DN class a bit more.

ack


rob




pushed to master and ipa-2-0



Re: [Freeipa-devel] [PATCH] 827 change subject of RA

2011-07-18 Thread Rob Crittenden

Simo Sorce wrote:

On Sun, 2011-07-17 at 17:45 -0400, Rob Crittenden wrote:

Change the subject of the RA to not confuse dogtag users. We used 'RA
Subsystem' and this might confuse some to think we're using the dogtag
RA which we are not.

This won't affect existing installations, only new ones.

https://fedorahosted.org/freeipa/ticket/1236


ACK.
Simo.



pushed to master and ipa-2-0



Re: [Freeipa-devel] [PATCH] 828 set plugin precedence

2011-07-18 Thread Rob Crittenden

Simo Sorce wrote:

On Sun, 2011-07-17 at 17:46 -0400, Rob Crittenden wrote:

The default precedence of slapi plugins is 50 and all of them (ours and
the 389-ds plugins) have this level with the exception of one (Retro
changelog). The IPA modrdn plugin should run after all of these so I've
bumped up the precedence to 60 as recommended by the 389-ds team.

https://fedorahosted.org/freeipa/ticket/1370


ACK.

Simo.



pushed to master and ipa-2-0



Re: [Freeipa-devel] [PATCH] 829 Generate a database password by default

2011-07-18 Thread Rob Crittenden

Simo Sorce wrote:

On Sun, 2011-07-17 at 17:47 -0400, Rob Crittenden wrote:

If the password passed in when creating a NSS certificate database is
None then a random password is generated. If it is empty ('') then an
empty password is set.

Because of this the HTTP instance on replicas was created with an empty
password.

https://fedorahosted.org/freeipa/ticket/1407


ACK,
Simo.



pushed to master and ipa-2-0



Re: [Freeipa-devel] [PATCH] 25 Update minimum required version of python-netaddr

2011-07-18 Thread Rob Crittenden

Jakub Hrozek wrote:

On 07/01/2011 09:04 PM, Jan Cholasta wrote:

On 1.7.2011 16:34, Jakub Hrozek wrote:

On 07/01/2011 06:35 AM, Jan Cholasta wrote:

On 28.6.2011 16:14, Jakub Hrozek wrote:

On 06/28/2011 08:52 AM, Jan Cholasta wrote:

https://fedorahosted.org/freeipa/ticket/1288

Honza



I gather this is done in order to get rid of the try: except all hack
in installer?

This works fine with F15 and F16 in mind. However, if the specfile is
intended for being usable on RHEL as well (at least for development),
some %if magic is required -- the fix is not there yet.



Updated so that 0.7.5-3 is required on Fedora >= 15 and RHEL >= 6.

Honza



Sorry, I wasn't clear in the previous message.

The fix so far is *only* in Fedora, not in any RHEL versions. So the
versioned requires must apply only to Fedora until we release
python-netaddr errata, be it in 6.2 or 6.3


Thanks for the info. I really need to learn more about RHEL :-)

Updated patch attached.

Honza



I missed the new revision - sorry.

Ack!


pushed to master and ipa-2-0



Re: [Freeipa-devel] [PATCH] 208 Entity select widget improvements

2011-07-18 Thread Endi Sukma Dewata

On 7/18/2011 11:52 AM, Endi Sukma Dewata wrote:

On 7/18/2011 10:44 AM, Endi Sukma Dewata wrote:

The IPA.entity_select_widget has been modified into a searchable and
editable drop down list.

Ticket #1361


Fixed z-index problem and renamed base class to IPA.combobox_widget.


Included new icon provided by ayoung.

--
Endi S. Dewata
From db48ea67e0569ffc2650dbb651ef6e32f51b789c Mon Sep 17 00:00:00 2001
From: Endi S. Dewata edew...@redhat.com
Date: Fri, 15 Jul 2011 12:18:59 -0500
Subject: [PATCH] Entity select widget improvements

The IPA.entity_select_widget has been modified into a searchable and
editable drop down list. The base functionality has been extracted
into IPA.combobox_widget.

Ticket #1361
---
 install/ui/aci.js|   41 +++--
 install/ui/combobox_open.png |  Bin 0 - 274 bytes
 install/ui/details.js|   53 +++---
 install/ui/dialog.js |6 +-
 install/ui/entitle.js|8 +-
 install/ui/hbac.js   |4 +-
 install/ui/host.js   |9 +-
 install/ui/ipa.css   |  216 --
 install/ui/jsl.conf  |2 +-
 install/ui/policy.js |9 +-
 install/ui/search.js |   11 +-
 install/ui/serverconfig.js   |5 +-
 install/ui/service.js|7 +-
 install/ui/test/aci_tests.js |2 +-
 install/ui/test/details_tests.js |   14 +-
 install/ui/test/widget_tests.js  |   11 +-
 install/ui/user.js   |   12 +-
 install/ui/widget.js |  378 --
 18 files changed, 472 insertions(+), 316 deletions(-)
 create mode 100755 install/ui/combobox_open.png

diff --git a/install/ui/aci.js b/install/ui/aci.js
index 1a95af0e7f9d663fccb98d472aee3b2a8fee2868..54050c79cfa2f88fae87907cae67bb71affb7082 100644
--- a/install/ui/aci.js
+++ b/install/ui/aci.js
@@ -50,7 +50,8 @@ IPA.entity_factories.permission = function() {
 }]}).
 standard_association_facets().
 adder_dialog({
-height: '400',
+width: 500,
+height: 400,
 fields:[
 'cn',
 {
@@ -165,12 +166,16 @@ IPA.entity_factories.delegation = function() {
 fields:[
 'aciname',
 {
-factory:IPA.entity_select_widget,
-name: 'group', entity: 'group'
+factory: IPA.entity_select_widget,
+name: 'group',
+other_entity: 'group',
+other_field: 'cn'
 },
 {
-factory:IPA.entity_select_widget,
-name: 'memberof', entity: 'group',
+factory: IPA.entity_select_widget,
+name: 'memberof',
+other_entity: 'group',
+other_field: 'cn',
 join: true
 },
 {
@@ -183,13 +188,19 @@ IPA.entity_factories.delegation = function() {
 fields:[
 'aciname',
 {
-factory:IPA.entity_select_widget,
-name: 'group', entity: 'group', undo: false
+factory: IPA.entity_select_widget,
+name: 'group',
+other_entity: 'group',
+other_field: 'cn',
+undo: false
 },
 {
-factory:IPA.entity_select_widget,
-name: 'memberof', entity: 'group',
-join: true, undo: false
+factory: IPA.entity_select_widget,
+name: 'memberof',
+other_entity: 'group',
+other_field: 'cn',
+join: true,
+undo: false
 },
 {
 factory:IPA.attributes_widget,
@@ -402,8 +413,12 @@ IPA.target_section = function(spec) {
 cols: 30, rows: 1,
 undo: that.undo
 });
-that.group_select = IPA.entity_select_widget(
-{name: 'targetgroup', entity:'group', undo: that.undo});
+that.group_select = IPA.entity_select_widget({
+name: 'targetgroup',
+other_entity: 'group',
+other_field: 'cn',
+undo: that.undo
+});
 that.type_select = IPA.select_widget({name: 'type', undo: that.undo});
 that.attribute_table = IPA.attributes_widget({
 name: 'attrs', undo: that.undo});
@@ -506,7 +521,7 @@ IPA.target_section = function(spec) {
 that.group_select.create(span);
 },
 load: function(record){
-that.group_select.entity_select.val(record.targetgroup);
+that.group_select.list.val(record.targetgroup);
 },
 save: 

Re: [Freeipa-devel] [PATCH] 208 Entity select widget improvements

2011-07-18 Thread Adam Young

On 07/18/2011 02:39 PM, Endi Sukma Dewata wrote:

On 7/18/2011 11:52 AM, Endi Sukma Dewata wrote:

On 7/18/2011 10:44 AM, Endi Sukma Dewata wrote:

The IPA.entity_select_widget has been modified into a searchable and
editable drop down list.

Ticket #1361


Fixed z-index problem and renamed base class to IPA.combobox_widget.


Included new icon provided by ayoung.



ACK.  Pushed to master


Re: [Freeipa-devel] [PATCH] 3 ipa-client-install tries to start non-existing nscd

2011-07-18 Thread Alexander Bokovoy
On 15.07.2011 22:41, Rob Crittenden wrote:
 Alexander Bokovoy wrote:

 
 nack.
 
 I don't believe this fixes the reported problem. This patch affects 
 un-installation in which case whether sssd was selected or not doesn't 
 matter, we're just trying to restore the previous state (so tangentially 
 I wonder if we should store the state of at install time).
Actually, the patch deals with installation, not uninstallation.
As discussed on IRC, I've reworked it to add an alternative warning to
sssd configuration path.

New version attached.
-- 
/ Alexander Bokovoy
From ba45b67b1847df16f802bfe44d4af68c5536c2ae Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy aboko...@redhat.com
Date: Fri, 1 Jul 2011 11:11:38 +0300
Subject: [PATCH] Rearrange logging for NSCD daemon.

https://fedorahosted.org/freeipa/ticket/1373

When SSSD is in use, we are actually trying to disable the NSCD daemon. Telling that we
failed to configure automatic _startup_ of the NSCD is wrong then.
---
 ipa-client/ipa-install/ipa-client-install |5 -
 1 files changed, 4 insertions(+), 1 deletions(-)

diff --git a/ipa-client/ipa-install/ipa-client-install 
b/ipa-client/ipa-install/ipa-client-install
index 
6bdeb8796b677c3a604083aad54f086c79af322b..c39780c9e59ca61ba952997458cf847f47aeaa4a
 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -929,9 +929,12 @@ def main():
 try:
 nscd_chkconfig_cmd('nscd')
 except:
-print sys.stderr, Failed to configure automatic startup of the 
NSCD daemon
 if not options.sssd:
+print sys.stderr, Failed to configure automatic startup of 
the NSCD daemon
 print sys.stderr, Caching of users/groups will not be 
available after reboot
+   else:
+   print sys.stderr, Failed to disable NSCD daemon. Please 
disable it manually.
+
 else:
 # this is optional service, just log
 logging.info(NSCD daemon is not installed, skip configuration)
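Review bot: the added `else:` and its `print` line show different leading whitespace from the `if not options.sssd:` branch they pair with, which looks like tab/space mixing; in Python that either raises or silently attaches the `else` to a different `if`, so normalise the block to spaces before pushing. The bare `except:` this sits under also swallows KeyboardInterrupt and SystemExit; `except Exception:` is enough to cover a failed chkconfig call. The added trailing `+` blank line can go as well.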
-- 
1.7.6


[Freeipa-devel] [PATCH] 209 Removed reverse zones from host adder dialog.

2011-07-18 Thread Endi Sukma Dewata

The host adder dialog has been modified to specify the new flag
for retrieving the forward zones only.

Ticket #1458

--
Endi S. Dewata
From abea002ce23b74db537103658bfbb8a147e2c39e Mon Sep 17 00:00:00 2001
From: Endi S. Dewata edew...@redhat.com
Date: Mon, 18 Jul 2011 11:42:22 -0500
Subject: [PATCH] Removed reverse zones from host adder dialog.

The host adder dialog has been modified to specify the new flag
for retrieving the forward zones only.

Ticket #1458
---
 install/ui/host.js   |   25 ++---
 install/ui/widget.js |   15 +--
 2 files changed, 31 insertions(+), 9 deletions(-)

diff --git a/install/ui/host.js b/install/ui/host.js
index e9adcd4f796860ff41aadda59f0410ca4a28fbf5..14f16d93d918325a0d42b823c43ce7280b0704c5 100644
--- a/install/ui/host.js
+++ b/install/ui/host.js
@@ -106,10 +106,8 @@ IPA.entity_factories.host = function () {
 height: 250,
 fields:[
 {
-factory: IPA.entity_select_widget,
+factory: IPA.dnszone_select_widget,
 name: 'fqdn',
-other_entity: 'dnszone',
-other_field: 'idnsname',
 label: IPA.messages.objects.service.host,
 editable: true,
 undo: false
@@ -127,6 +125,27 @@ IPA.entity_factories.host = function () {
 build();
 };
 
+IPA.dnszone_select_widget = function(spec) {
+
+spec = spec || {};
+spec.other_entity = 'dnszone';
+spec.other_field = 'idnsname';
+
+var that = IPA.entity_select_widget(spec);
+
+that.create_search_command = function() {
+return IPA.command({
+entity: that.other_entity,
+method: 'find',
+args: [that.filter.val()],
+options: {
+forward_only: true
+}
+});
+};
+
+return that;
+};
 
 IPA.host_dnsrecord_entity_link_widget = function(spec){
 var that = IPA.entity_link_widget(spec);
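Review bot: `IPA.dnszone_select_widget` overwrites `spec.other_entity` and `spec.other_field` unconditionally right after `spec = spec || {}`, so any values a caller passes are silently replaced; either document that they are fixed or only default them when absent (`spec.other_entity = spec.other_entity || 'dnszone';`). The overridden `create_search_command` also repeats the base implementation line for line only to add `forward_only: true`; letting the base widget take extra search options from `spec` would avoid the duplication. Finally, the commit message calls `forward_only` "the new flag" without naming the server-side patch or ticket that adds it to `dnszone-find`; state that dependency so the two changes are pushed together.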
diff --git a/install/ui/widget.js b/install/ui/widget.js
index f5ed036525cf405e5fcf256902848e8995e0e6c3..1932bee7582f1430fe35725b291359d4885de136 100644
--- a/install/ui/widget.js
+++ b/install/ui/widget.js
@@ -1821,15 +1821,17 @@ IPA.entity_select_widget = function(spec) {
 that.other_entity = spec.other_entity;
 that.other_field = spec.other_field;
 
-that.search = function() {
-
-var filter = that.filter.val();
-
-var command = IPA.command({
+that.create_search_command = function() {
+return IPA.command({
 entity: that.other_entity,
 method: 'find',
-args: [filter]
+args: [that.filter.val()]
 });
+};
+
+that.search = function() {
+
+var command = that.create_search_command();
 
 command.on_success = function(data, text_status, xhr) {
 
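Review bot: `create_search_command` is introduced as an extension point (host.js overrides it in the same series) but nothing here says so; add a short comment above it stating that subclasses may replace it to change the entity, method, arguments or options of the search, so later edits do not inline it back into `search`.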
@@ -1837,6 +1839,7 @@ IPA.entity_select_widget = function(spec) {
 
 that.create_option();
 
+var filter = that.filter.val();
 var entries = data.result.result;
 for (var i=0; idata.result.count; i++) {
 var entry = entries[i];
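Review bot: `var filter = that.filter.val();` is now read inside `on_success`, when the reply arrives, while `create_search_command` read it separately when the request was built; if the user edits the filter field while the request is in flight, the filter applied to the returned entries will differ from the one the server searched with. Capture the filter once in `search` (or have `create_search_command` return it alongside the command) and use that captured value in the callback.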
-- 
1.7.5.1


[Freeipa-devel] [PATCH] 35 remove escapes from the cvs parser in ipaserver/install/ldapupdate

2011-07-18 Thread JR Aquino
On Jul 18, 2011, at 1:08 PM,  wrote:

 https://fedorahosted.org/freeipa/ticket/1472
 
 Changeset 8e086fd7b8c1edd0ccfec527c0699d396a7954f9 introduced a bug with 
 ldapupdate resulting in incorrect handling of uldif files. Particularly the 
 schema_compat.uldif.
 
 freeipa-jraquino-0035-remove-escapes-from-the-cvs-parser-in-ldapupdate.patch

Added PATCH to subject line.



[Freeipa-devel] 35 remove escapes from the cvs parser in ipaserver/install/ldapupdate

2011-07-18 Thread JR Aquino
https://fedorahosted.org/freeipa/ticket/1472

Changeset 8e086fd7b8c1edd0ccfec527c0699d396a7954f9 introduced a bug with 
ldapupdate resulting in incorrect handling of uldif files. Particularly the 
schema_compat.uldif.




Description: freeipa-jraquino-0035-remove-escapes-from-the-cvs-parser-in-ldapupdate.patch


~
Jr Aquino, GCIH | Information Security Specialist
Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
T:  +1 805.690.3478
jr.aqu...@citrixonline.com
http://www.citrixonline.com


[Freeipa-devel] [PATCH] 210 Fixed host details fields.

2011-07-18 Thread Endi Sukma Dewata

The host details facet has been fixed to remove a redundant field
and include some missing fields.

Ticket #1484

--
Endi S. Dewata
From 3e3efd2c92454513f004e8c9ae00fe6fd14d842e Mon Sep 17 00:00:00 2001
From: Endi S. Dewata edew...@redhat.com
Date: Mon, 18 Jul 2011 15:07:18 -0500
Subject: [PATCH] Fixed host details fields.

The host details facet has been fixed to remove a redundant field
and include some missing fields.

Ticket #1484
---
 install/ui/host.js |   22 +++---
 1 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/install/ui/host.js b/install/ui/host.js
index 14f16d93d918325a0d42b823c43ce7280b0704c5..9994abf31407c6be82ce186713995187620290ab 100644
--- a/install/ui/host.js
+++ b/install/ui/host.js
@@ -37,20 +37,20 @@ IPA.entity_factories.host = function () {
 }).
 details_facet({sections:[
 {
-name:'details',
+name: 'details',
 fields: [
-{ factory: IPA.host_dnsrecord_entity_link_widget,
-  name: 'fqdn',
-  other_entity:'dnsrecord'
+{
+factory: IPA.host_dnsrecord_entity_link_widget,
+name: 'fqdn',
+other_entity:'dnsrecord'
 },
 'krbprincipalname',
-{
-factory: IPA.text_widget,
-name: 'cn',
-label: IPA.messages.objects.host.cn,
-read_only: true
-},
-'description' ]
+'description',
+'l',
+'nshostlocation',
+'nshardwareplatform',
+'nsosversion'
+]
 },
 {
 name:'enrollment',
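Review bot: the reindented `fqdn` field keeps `other_entity:'dnsrecord'` without the space after the colon that the neighbouring `factory:` and `name:` lines now use; since the hunk already reformats this object, make the spacing consistent (the context line `name:'enrollment'` has the same inconsistency). The commit message should also name what was removed (the read-only `cn` text widget) and what was added (`l`, `nshostlocation`, `nshardwareplatform`, `nsosversion`) so the ticket's "redundant field" and "missing fields" are concrete.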
-- 
1.7.5.1


Re: [Freeipa-devel] [PATCH] 209 Removed reverse zones from host adder dialog.

2011-07-18 Thread Adam Young

On 07/18/2011 03:16 PM, Endi Sukma Dewata wrote:

The host adder dialog has been modified to specify the new flag
for retrieving the forward zones only.

Ticket #1458



ACK.  Pushed to master

Re: [Freeipa-devel] [PATCH] 210 Fixed host details fields.

2011-07-18 Thread Adam Young

On 07/18/2011 04:13 PM, Endi Sukma Dewata wrote:

The host details facet has been fixed to remove a redundant field
and include some missing fields.

Ticket #1484



ACK.  Pushed to master

[Freeipa-devel] [PATCH] specify ds-replication plugin by name

2011-07-18 Thread Rob Crittenden
Like bind and bind-dyndb-ldap, specify the replication package by name 
when it is not found.


Pushed under the 1-liner rule.

diff --git a/ipaserver/install/replication.py 
b/ipaserver/install/replication.py

index da8e749..7186a18 100644
--- a/ipaserver/install/replication.py
+++ b/ipaserver/install/replication.py
@@ -84,7 +84,8 @@ def check_replication_plugin():
 
 if not 
os.path.exists('/usr/lib/dirsrv/plugins/libreplication-plugin.so') and \
not 
os.path.exists('/usr/lib64/dirsrv/plugins/libreplication-plugin.so'):

-print The 389-ds replication plug-in was not found on this system
+print The 389-ds replication plug-in was not found on this 
system.
+print Please install the 'ds-replication' package and start 
the installation again

 return False

 return True
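Review bot: both new messages go to stdout through a bare `print`, whereas the installer errors in the ipa-client-install hunk earlier in this digest are written to `sys.stderr`; send these to stderr as well so a scripted install can separate them from normal output, and end the second line with a period so the two lines read as one message. A `False` return here also leaves the caller to decide what to do, so the message should say that installation cannot continue, not only that it should be restarted.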



Re: [Freeipa-devel] [PATCH] 091 Improve long integer type validation

2011-07-18 Thread Adam Young

On 07/15/2011 05:26 PM, Rob Crittenden wrote:

Martin Kosek wrote:

Passing a number of long type to IPA Int parameter invokes
user-unfriendly error message about incompatible types. This patch
improves Int parameter with user understandable message along with
maximum value he can pass.

https://fedorahosted.org/freeipa/ticket/1346


nack. We need to limit Int to 32-bit values because that is what 
XML-RPC supports. So if maxvalue isn't set we need to compare against 
MAXINT and not sys.maxint.


rob

Is this the wrong forum to point out how wrong XML-RPC is in limiting 
things to 32 bit values?


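The 32-bit limit Rob refers to, shown in an added example that is not FreeIPA code: the Python 3 stdlib marshaller (`xmlrpc.client.MAXINT`, `xmlrpc.client.MININT`) refuses anything outside the XML-RPC int range, so a parameter validator has to check against that limit rather than `sys.maxsize` to give the friendly "can be at most" message before the transport fails. `ValidationError` and `validate_int` are hypothetical stand-ins for the ipalib names, and clamping a caller-supplied maxvalue to the transport limit goes one step beyond the patch.

```python
"""Added example (not FreeIPA code): bound an Int parameter by the XML-RPC
32-bit limit, not by the local machine word size."""
import sys
import xmlrpc.client

# The stdlib's own XML-RPC <int> bounds: 2**31 - 1 and -2**31.  These are the
# values the thread calls MAXINT, as opposed to sys.maxint / sys.maxsize.
MAXINT = xmlrpc.client.MAXINT
MININT = xmlrpc.client.MININT


class ValidationError(ValueError):
    """Hypothetical stand-in for ipalib's ValidationError."""

    def __init__(self, name, value, error):
        super().__init__("invalid '%s': %s" % (name, error))
        self.name, self.value, self.error = name, value, error


def validate_int(name, value, maxvalue=None, minvalue=None):
    """Reject values the transport cannot carry and report the effective
    limit: the caller's maxvalue/minvalue when set (clamped to the XML-RPC
    range), otherwise the XML-RPC range itself.  Returns value on success."""
    limit_max = MAXINT if maxvalue is None else min(maxvalue, MAXINT)
    limit_min = MININT if minvalue is None else max(minvalue, MININT)
    if value > limit_max:
        raise ValidationError(name, value, "can be at most %d" % limit_max)
    if value < limit_min:
        raise ValidationError(name, value, "can be at least %d" % limit_min)
    return value


def transport_rejects(value):
    """True if the stdlib marshaller refuses to encode value as an XML-RPC
    int; this is the unfriendly failure the validator pre-empts."""
    try:
        xmlrpc.client.dumps((value,))
        return False
    except OverflowError:
        return True


if __name__ == "__main__":
    # sys.maxsize is the wrong bound: it is far above what XML-RPC carries.
    print("sys.maxsize =", sys.maxsize, "MAXINT =", MAXINT)
    print("marshaller rejects 2**31:", transport_rejects(2**31))
    try:
        validate_int("uidnumber", 2**31)
    except ValidationError as e:
        print(e)
```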


[Freeipa-devel] [PATCH] 36 Removed RunAs External Group is removed in the output when --all switch is used.

2011-07-18 Thread JR Aquino
https://fedorahosted.org/freeipa/ticket/1348

Corrected behavior for ipa sudorule-remove-runasgroup rule1 --groups=tgroup2 
--all



Description: freeipa-jraquino-0036-Removed-RunAs-External-Group-is-removed-in-the-output.patch

[Freeipa-devel] [PATCH] 37 Correct sudo runasuser and runasgroup attributes in schema

2011-07-18 Thread JR Aquino
https://fedorahosted.org/freeipa/ticket/1309

Added .update file to correct the sudo schema during freeipa updates on older 
systems.
Modified Makefile.am to account for new .update file.



Description: freeipa-jraquino-0037-Correct-sudo-runasuser-and-runasgroup-attributes.patch

Re: [Freeipa-devel] [PATCH] 36 Removed RunAs External Group is removed in the output when --all switch is used.

2011-07-18 Thread Rob Crittenden

JR Aquino wrote:

https://fedorahosted.org/freeipa/ticket/1348

Corrected behavior for ipa sudorule-remove-runasgroup rule1 --groups=tgroup2 
--all



ack, pushed to master and ipa-2-0



[Freeipa-devel] [PATCH] 830 change enrollment principal prompt

2011-07-18 Thread Rob Crittenden

Change the enrollment principal prompt to hopefully be more clear.

ticket https://fedorahosted.org/freeipa/ticket/1449
From 5a61eb36044ab15b55f42aeee5544983372c992c Mon Sep 17 00:00:00 2001
From: Rob Crittenden rcrit...@redhat.com
Date: Mon, 18 Jul 2011 22:46:44 -0400
Subject: [PATCH] Change client enrollment principal prompt to hopefully be clearer.

ticket https://fedorahosted.org/freeipa/ticket/1449
---
 ipa-client/ipa-install/ipa-client-install |2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 77b1ddfca589b97d74df83087809f0eed521c5dd..68ebb9595796442621656d346403176fbafea39b 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -791,7 +791,7 @@ def main():
 
 if not options.unattended:
 if options.principal is None and options.password is None and options.prompt_password is False:
-options.principal = user_input(Enrollment principal, allow_empty=False)
+options.principal = user_input(User authorized to enroll computers, allow_empty=False)
 logging.debug(will use principal: %s\n, options.principal)
 
 # Get the CA certificate
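Review bot: the new prompt drops the word "principal", but the `logging.debug(will use principal: %s\n, options.principal)` line directly below still calls the entered value a principal, and a user who types a plain user name gets no hint that it is used as a Kerberos principal; either keep the word in the prompt (for example "User authorized to enroll computers (principal)") or say what form is expected. Any documentation quoting the old "Enrollment principal" prompt should be updated with it.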
-- 
1.7.4


Re: [Freeipa-devel] [PATCH] 3 ipa-client-install tries to start non-existing nscd

2011-07-18 Thread Rob Crittenden

Alexander Bokovoy wrote:

On 15.07.2011 22:41, Rob Crittenden wrote:

Alexander Bokovoy wrote:




nack.

I don't believe this fixes the reported problem. This patch affects
un-installation in which case whether sssd was selected or not doesn't
matter, we're just trying to restore the previous state (so tangentially
I wonder if we should store the state of at install time).

Actually, the patch deals with installation, not uninstallation.
As discussed on IRC, I've reworked it to add an alternative warning to
sssd configuration path.

New version attached.


ack, pushed to master and ipa-2-0



Re: [Freeipa-devel] [PATCH] 817 Add option to wait for values

2011-07-18 Thread Rob Crittenden

Martin Kosek wrote:

On Sun, 2011-07-17 at 17:42 -0400, Rob Crittenden wrote:

Rob Crittenden wrote:

Martin Kosek wrote:

On Tue, 2011-07-05 at 13:41 -0400, Rob Crittenden wrote:

Rob Crittenden wrote:

Rob Crittenden wrote:

389-ds postop plugins, such as the managed entry and memberof plugins,
add values after the data has been returned to the client. In the case
of the managed entry plugin this affects the parent entry as well
(adds
an objectclass value).

This wreaks havoc on our tests as the values don't match what we
expect.

The solution is to wait for the postop plugins to finish their work,
then return. I've added this as an option. The downside is it is going
to naturally slow things down, so it is off by default.

It is currently only used in the hostgroup plugin.

The option is wait_for_attr. Add this to ~/.ipa/default.conf and
set it
to True and all the current tests will pass (assuming you apply
patches
814-816 as well).

So now we won't have any excuses for missing test failures in the unit
tests...

rob


Bah, found a small problem. Self-NACK.

rob


Updated patch attached.

Note that I don't think there is a way for us to handle things like
memberof_indirect. We wouldn't know to wait.

rob


Works fine for the hostgroup entry. It's good it can be switched on/off.

But what about other managed entries, like user entry? Would it make
sense to add a wait here too? Or maybe something systematic to baseldap
so that we wouldn't have to implement this wait to every managed entry.

Martin



I can certainly add it to users to check for managed groups. Making it
generic would be difficult because some are conditional (such as users).

rob


Added support for managed users as well.

rob


Waiting for managed users works too. However, I have just noticed that
the entire solution works only partially.

It waits for the mepOriginEntry objectclass, but it doesn't add the new LDAP
attributes mepmanagedentry and memberof to the command-add result:

# ipa hostgroup-add hgroup3 --desc=foo --all --raw
-
Added hostgroup hgroup3
-
   dn: 
cn=hgroup3,cn=hostgroups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
   cn: hgroup3
   description: foo
   ipauniqueid: 20d1b8e4-b114-11e0-ab28-00163e0ed706
   objectclass: ipaobject
   objectclass: ipahostgroup
   objectclass: nestedGroup
   objectclass: groupOfNames
   objectclass: top
   objectclass: mepOriginEntry
# ipa hostgroup-show hgroup3 --all --raw
   dn: 
cn=hgroup3,cn=hostgroups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
   cn: hgroup3
   description: foo
   ipauniqueid: 20d1b8e4-b114-11e0-ab28-00163e0ed706
   memberof: cn=hgroup3,cn=ng,cn=alt,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
   mepmanagedentry: 
cn=hgroup3,cn=ng,cn=alt,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
   objectclass: ipaobject
   objectclass: ipahostgroup
   objectclass: nestedGroup
   objectclass: groupOfNames
   objectclass: top
   objectclass: mepOriginEntry

# ipa user-add --first=Foo --last=Bar fbar2 --all --raw
--
Added user fbar2
--
   dn: uid=fbar2,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
   uid: fbar2
   givenname: Foo
   sn: Bar
   cn: Foo Bar
   displayname: Foo Bar
   initials: FB
   homedirectory: /home/fbar2
   gecos: Foo Bar
   loginshell: /bin/sh
   krbprincipalname: fb...@idm.lab.bos.redhat.com
   uidnumber: 52464
   gidnumber: 52464
   ipauniqueid: b22ab54c-b115-11e0-b354-00163e0ed706
   krbpwdpolicyreference: 
cn=global_policy,cn=IDM.LAB.BOS.REDHAT.COM,cn=kerberos,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
   objectclass: top
   objectclass: person
   objectclass: organizationalperson
   objectclass: inetorgperson
   objectclass: inetuser
   objectclass: posixaccount
   objectclass: krbprincipalaux
   objectclass: krbticketpolicyaux
   objectclass: ipaobject
   objectclass: mepOriginEntry
# ipa user-show fbar2 --all --raw
   dn: uid=fbar2,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
   uid: fbar2
   givenname: Foo
   sn: Bar
   cn: Foo Bar
   displayname: Foo Bar
   initials: FB
   homedirectory: /home/fbar2
   gecos: Foo Bar
   loginshell: /bin/sh
   krbprincipalname: fb...@idm.lab.bos.redhat.com
   uidnumber: 52464
   gidnumber: 52464
   nsaccountlock: False
   ipauniqueid: b22ab54c-b115-11e0-b354-00163e0ed706
   krbpwdpolicyreference: 
cn=global_policy,cn=IDM.LAB.BOS.REDHAT.COM,cn=kerberos,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
   memberof: 
cn=ipausers,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
   mepmanagedentry: 
cn=fbar2,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
   objectclass: top
   objectclass: person
   objectclass: organizationalperson
   objectclass: inetorgperson
   objectclass: inetuser
   objectclass: posixaccount
   objectclass: krbprincipalaux
   objectclass: krbticketpolicyaux
   objectclass: ipaobject
   objectclass: mepOriginEntry


I think these attributes should be added in