Re: [Freeipa-devel] [PATCH] stop checking for CA ports

2011-08-31 Thread Rob Crittenden

Simo Sorce wrote:

We use the new proxy code for dogtag now, so we do not need to open all
the CA ports as all connections go through the standard https port.

Fixes https://fedorahosted.org/freeipa/ticket/1745

Simo.


nack. dogtag replication still takes place over 7389.

rob

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


[Freeipa-devel] [PATCH] 262 Fixed missing permission filter field.

2011-08-31 Thread Endi Sukma Dewata

Due to a recent change, all dialog boxes are now reset initially. The
IPA.target_section has been modified to show the default target (i.e.
filter) and the fields properly when reset.

Ticket #1748

--
Endi S. Dewata


freeipa-edewata-0262-Fixed-missing-permission-filter-field.patch

[Freeipa-devel] [PATCH] 261 Fixed hard-coded UI message in entity.js.

2011-08-31 Thread Endi Sukma Dewata

The hard-coded label in IPA.facet has been moved into internal.py to
allow translation.

Ticket #1701

--
Endi S. Dewata


freeipa-edewata-0261-Fixed-hard-coded-UI-message-in-entity.js.patch

Re: [Freeipa-devel] [PATCH] #1743 Fix ipa-replica-prepare

2011-08-31 Thread Simo Sorce
On Wed, 2011-08-31 at 14:25 -0400, Rob Crittenden wrote:
> Simo Sorce wrote:
> > We stopped using ldappwd and kpasswd.keytab when we moved from
> > ipa_kpasswd to kadmind.
> >
> > Unfortunately I forgot to remove their use in all places and didn't
> > notice issues during testing because I used a "dirty" virtual machine
> > that had a ldappwd file in place.
> >
> > These patches get rid of these vestiges of the past and fix the replica
> > installation issues.
> >
> > Simo.
> 
> ACK

Pushed to master.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



[Freeipa-devel] [PATCH] Double check kinit return

2011-08-31 Thread Simo Sorce
At least once I had kinit fail to get a proper ticket and yet not return
an error. I honestly was not able to reproduce, but add a double check
to make sure we actually got a usable ticket so that ssh does not prompt
again for the admin user password.

Fixes: https://fedorahosted.org/freeipa/ticket/1746
-- 
Simo Sorce * Red Hat, Inc * New York
From aa8bdfea9c2e464977d31571bd623c8ac711f02e Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Wed, 31 Aug 2011 14:13:32 -0400
Subject: [PATCH 2/2] conncheck: Additional check to verify the admin password
 is ok

If we can get a ticket for the master then we know we got all right.
This should avoid being prompted again by ssh if the kinit failed and for some
reason the error was not caught (seen in live tests).
---
 install/tools/ipa-replica-conncheck |9 +
 1 files changed, 9 insertions(+), 0 deletions(-)

diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck
index 18eeacdf45bf78009a08db9da462ef2fab4e31ee..d6e03f8d13a7a9bde004619a47cfec4dedba8ab5 100755
--- a/install/tools/ipa-replica-conncheck
+++ b/install/tools/ipa-replica-conncheck
@@ -308,6 +308,15 @@ def main():
 if returncode != 0:
 raise RuntimeError("Cannot acquire Kerberos ticket: %s" % stderr)
 
+# Verify kinit was actually successful
+stderr=''
+(stdout, stderr, returncode) = ipautil.run(['/usr/bin/kvno',
+ 'host/%s' % options.master],
+ env={'KRB5_CONFIG':KRB5_CONFIG, 'KRB5CCNAME':CCACHE_FILE},
+ raiseonerr=False)
+if returncode != 0:
+raise RuntimeError("Could not get ticket for master server: %s" % stderr)
+
 remote_check_opts = ['--replica %s' % options.hostname]
 
 print_info("Execute check on remote master")
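Review bot: the `stderr=''` on the line before the `ipautil.run` call is dead code, because the tuple assignment on the next line rebinds `stderr` unconditionally; drop it. While here, the failure message would be more useful to whoever debugs a failed conncheck if it named the principal that was asked for, e.g. `"Could not get ticket for host/%s: %s" % (options.master, stderr)`, since this kvno call is exactly what distinguishes a kinit that printed no error from one that actually produced a usable TGT.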
-- 
1.7.6


[Freeipa-devel] [PATCH] stop checking for CA ports

2011-08-31 Thread Simo Sorce
We use the new proxy code for dogtag now, so we do not need to open all
the CA ports as all connections go through the standard https port.

Fixes https://fedorahosted.org/freeipa/ticket/1745

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
From 114f980762db5200d1e980858af8be2496430e82 Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Wed, 31 Aug 2011 14:07:56 -0400
Subject: [PATCH 1/2] conncheck: No need to check for CA ports anymore

Since we have the PKI proxy configuration all communication with the CA happens
on the standard 80/443 ports so we do not need to leave the old CA ports open.

These ports are still used locally but not over the network.
---
 install/tools/ipa-ca-install|2 +-
 install/tools/ipa-replica-conncheck |   19 ---
 install/tools/ipa-replica-install   |2 +-
 ipaserver/install/replication.py|4 +---
 4 files changed, 3 insertions(+), 24 deletions(-)

diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
index 05a05dce9bf00102aa9781997f9d7f52fd5e8ba2..cf2e193e04984e252547d11038cd7372476c6a46 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -127,7 +127,7 @@ def main():
 config.setup_ca = True
 
 if not options.skip_conncheck:
-replica_conn_check(config.master_host_name, config.host_name, config.realm_name, True, options.admin_password)
+replica_conn_check(config.master_host_name, config.host_name, config.realm_name, options.admin_password)
 
 api.bootstrap(in_server=True)
 api.finalize()
diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck
index 7929579885c7e4e36716eb3587ab7d7450461e89..18eeacdf45bf78009a08db9da462ef2fab4e31ee 100755
--- a/install/tools/ipa-replica-conncheck
+++ b/install/tools/ipa-replica-conncheck
@@ -53,15 +53,6 @@ BASE_PORTS = [
 CheckedPort(88, False, "Kerberos"),
  ]
 
-CA_PORTS  = [
-CheckedPort(7389, True, "PKI-CA: Directory Service port"),
-CheckedPort(9443, True, "PKI-CA: Agent secure port"),
-CheckedPort(9444, True, "PKI-CA: EE secure port"),
-CheckedPort(9445, True, "PKI-CA: Admin secure port"),
-CheckedPort(9446, True, "PKI-CA: EE secure client auth port"),
-CheckedPort(9180, True, "PKI-CA: Unsecure port"),
-]
-
 def print_info(msg):
 if not QUIET:
 print msg
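Review bot: deleting the whole CA_PORTS list also drops 7389, the PKI-CA Directory Service port, which the commit message does not account for: it only argues that CA HTTP traffic now goes through the 80/443 proxy. The nack earlier on this page states that dogtag replication still runs over 7389, so that port has to stay in the check whenever a CA is being set up, for example by keeping a one-entry list with `CheckedPort(7389, True, "PKI-CA: Directory Service port")` behind the CA flag instead of removing the CA check entirely.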
@@ -93,10 +84,6 @@ def parse_options():
 parser.add_option_group(master_group)
 
 common_group = OptionGroup(parser, "common options")
-common_group.add_option("-c", "--check-ca", dest="check_ca",
-  action="store_true",
-  default=False,
-  help="Check also ports for Certificate Authority")
 
 common_group.add_option("", "--hostname", dest="hostname",
   help="The hostname of this server (FQDN). "
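Review bot: removing the `-c/--check-ca` option outright means any existing wrapper script or documented command line that still passes `--check-ca` now fails with an OptionParser "no such option" error. Consider keeping the option for one release as an accepted but ignored (deprecated) flag so older callers degrade gracefully, especially since this same command line is what the tool prints for the administrator to run on the remote master.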
@@ -272,8 +259,6 @@ def main():
 signal.signal(signal.SIGINT, sigterm_handler)
 
 required_ports = BASE_PORTS
-if options.check_ca:
-required_ports.extend(CA_PORTS)
 
 if options.replica:
 print_info("Check connection from master to remote replica '%s':" % options.replica)
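Review bot: `required_ports = BASE_PORTS` still aliases the module-level list rather than copying it. The removed `.extend(CA_PORTS)` used to mutate BASE_PORTS itself through that alias, so this hunk incidentally fixes a latent bug; if the list is ever extended again, write `required_ports = list(BASE_PORTS)`, or simply use BASE_PORTS directly now that nothing is appended to it.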
@@ -324,8 +309,6 @@ def main():
 raise RuntimeError("Cannot acquire Kerberos ticket: %s" % stderr)
 
 remote_check_opts = ['--replica %s' % options.hostname]
-if options.check_ca:
-remote_check_opts.append('--check-ca')
 
 print_info("Execute check on remote master")
 
@@ -349,8 +332,6 @@ def main():
 print_info("Please run the following command on remote master:")
 
 remote_check_opts = ['--replica %s' % options.hostname]
-if options.check_ca:
-remote_check_opts.append('--check-ca')
 print_info("/usr/sbin/ipa-replica-conncheck " + " ".join(remote_check_opts))
 time.sleep(3600)
 print_info("Connection check timeout: terminating listening program")
diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index 0d622628070ffe44122edb6a3c12732ddcad50eb..2386159ed0a09cf04dcebddd68234bbe1a21c554 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -334,7 +334,7 @@ def main():
 
 # check connection
 if not options.skip_conncheck:
-replica_conn_check(config.master_host_name, config.host_name, config.realm_name, options.setup_ca, options.admin_password)
+replica_conn_check(config.master_host_name, config.host_name, config.realm_name, options.admin_password)
 
 # Create the management framework config file
 # Note: We must do this before bootstraping and finalizing ipalib.api
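Review bot: both call sites (here and in ipa-ca-install) now pass four positional arguments, so `admin_password` moves into the slot that the CA boolean occupied. The matching change to the `replica_conn_check` definition in ipaserver/install/replication.py is cut off at the end of this message; reviewers should confirm that hunk removes the parameter from the same position, otherwise the password string would silently bind to the boolean and the real password argument would be missing.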
diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py
index fbf9c95b5573c424a94e9a8b4d7261785ba76f75..33da6af295058b9f5f6aedab277fa3dcb4ba74c9 100644
--- a/ipaserver/install/replic

Re: [Freeipa-devel] [PATCH] 011 Attributes table not scrollable

2011-08-31 Thread Endi Sukma Dewata

On 8/31/2011 8:04 AM, Petr Vobornik wrote:

https://fedorahosted.org/freeipa/ticket/1739

The attributes table (IPA.attributes_widget) used in Permissions,
Self-Service Permissions, and Delegations is supposed to be short but
scrollable. In Firefox 3.6 it works fine, but in Firefox 6.0 it appears
as a long non-scrollable table which makes it more difficult to use.


ACK and pushed to master and ipa-2-1.


--
Endi S. Dewata



[Freeipa-devel] [PATCH, FreeIPA2.1] Review request for platform abstraction refactoring

2011-08-31 Thread Alexander Bokovoy
Hi!

In branch 'platform' of
http://fedorapeople.org/gitweb?p=abbra/public_git/freeipa.git;a=summary
you can find four commits which represent working code to address
https://fedorahosted.org/freeipa/ticket/1605.

What is done:
1. The ipapython.services module provides a system-agnostic way to
communicate with platform-specific service management and other
platform-specific functions.

2. ipapython.platform.* implements the platform-specific functionality. The
code is pulled in by the ipapython.services module and should not be
addressed directly.

3. The ipapython.platform.redhat module (not to be called directly!) is what
FreeIPA 2.1 had previously -- the current RHEL6 and Fedora 14/15
implementation.

4. The install tools, the IPA client, and the IPA server install code are
converted to use ipapython.services.

To facilitate a more expressive way of working with often-used services, the
ipapython.services module provides a shortcut to access them by name via
ipapython.services.knownservices.. A typical code change looks
like this:

(from ipapython import services as ipaservices)
-service.restart("dirsrv")
-service.restart("krb5kdc")
-service.restart("httpd")
+ipaservices.knownservices.dirsrv.restart()
+ipaservices.knownservices.krb5kdc.restart()
+ipaservices.knownservices.httpd.restart()


Besides the change in expression, this also makes it more explicit to platform
providers which services they have to implement. Service names
are defined in ipapython.platform.base.wellknownservices and represent the
definitive names for accessing these services from FreeIPA code. Of course,
a platform provider should remap those names to platform-specific ones --
for the ipapython.platform.redhat provider the mapping is the identity.

If code needs direct access to some unnamed service, one can use the
ipapython.services.service class:

 for (order, svc) in sorted(svc_list):
 svc_name = service.SERVICE_LIST[svc][0]
+   svchandle = ipaservices.service(svc_name)
 try:
 print "Starting %s Service" % svc
-service.start(svc_name,
capture_output=get_capture_output(svc_name, options.debug))
+svchandle.start(capture_output=get_capture_output(svc_name,
options.debug))
 except:
 emit_err("Failed to start %s Service" % svc)


Server-side installation code depends on quite a delicate arrangement of
Certificate Server and Directory Server, and is not really portable to
other environments unless you provide the same packages as Fedora or RHEL
have. However, I tried to abstract service-specific calls in such a way
that they all go through ipapython.platform.*, so even here remapping of
names is possible. Unfortunately, not for file paths yet.

The client side is more ready for porting, except for the use of authconfig(8).
One of the substantial issues for porting FreeIPA client code to platforms
other than Red Hat's is the use of the authconfig(8) utility to configure
authentication services. What I ended up with is a flexible interface
(ipapython.platform.base.AuthConfig) to specify options and execute
external apps. As with knownservices, one more step would be to make those
options accessible as member attributes instead of strings, but even with the
current approach this gives full isolation of the implementation of the
authconfig replacement from FreeIPA code.

Typical use of AuthConfig is via the ipapython.services.authconfig class:

-run(["/usr/sbin/authconfig", "--disableldap", "--disablekrb5",
"--disablesssd", "--disablesssdauth", "--disablemkhomedir", "--update"])
+auth_config = ipaservices.authconfig()
+auth_config.disable("ldap").\
+disable("krb5").\
+disable("sssd").\
+disable("sssdauth").\
+disable("mkhomedir").\
+add_option("update")
+auth_config.execute()

This should make porting much simpler -- less code to touch in core FreeIPA.

Now good things: this all works! :)

I tried on F15, doing ipa-server-install with different options and
uninstalling as well, joining another client and removing it later. Of
course, more testing is needed too.

-- 
/ Alexander Bokovoy
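The service-name remapping and the chainable authconfig builder sketched in the message above, as an added illustration that is not Alexander's branch nor the ipapython.platform code: core code names services only by their well-known names, a provider object remaps them to platform-specific ones, and the builder accumulates authconfig options and runs them as an argv list without a shell. All class and function names, the `/sbin/service` and `/usr/sbin/service` control commands, and the Debian-style name mapping are constructed for the example.

```python
import subprocess

# Definitive names that core code may use (cf. the message's
# ipapython.platform.base.wellknownservices; this tuple is constructed here).
WELLKNOWN_SERVICES = ("dirsrv", "krb5kdc", "httpd", "named")


class ServiceHandle:
    """One service on a concrete platform. The control command is built as an
    argv list, never a shell string, so a mapped name cannot be shell-parsed."""

    def __init__(self, platform_name, ctl_argv):
        self.platform_name = platform_name
        self.ctl_argv = list(ctl_argv)

    def argv(self, action):
        return self.ctl_argv + [self.platform_name, action]

    def run(self, action, runner=subprocess.call):
        # 'runner' is injectable so the flow can be exercised without root.
        return runner(self.argv(action))

    def start(self, runner=subprocess.call):
        return self.run("start", runner)

    def restart(self, runner=subprocess.call):
        return self.run("restart", runner)


class KnownServices:
    """Attribute access limited to WELLKNOWN_SERVICES, so a typo such as
    knownservices.htpd fails at once instead of managing a nonexistent unit."""

    def __init__(self, provider):
        self._provider = provider

    def __getattr__(self, name):
        if name not in WELLKNOWN_SERVICES:
            raise AttributeError("%r is not a well-known service" % name)
        return self._provider.service(name)


class PlatformProvider:
    """Remaps definitive service names to platform ones. Names absent from
    name_map pass through unchanged: the identity mapping the message
    describes for the Red Hat provider."""

    def __init__(self, ctl_argv, name_map=None):
        self.ctl_argv = list(ctl_argv)
        self.name_map = dict(name_map or {})
        self.knownservices = KnownServices(self)

    def service(self, name):
        # Direct access for services that have no well-known name.
        return ServiceHandle(self.name_map.get(name, name), self.ctl_argv)


class AuthConfigBuilder:
    """Chainable option builder in the style of the authconfig example above;
    each option is one argv element and execute() never goes through a shell."""

    def __init__(self, executable="/usr/sbin/authconfig"):
        self.executable = executable
        self.options = []

    def enable(self, name):
        self.options.append("--enable" + name)
        return self

    def disable(self, name):
        self.options.append("--disable" + name)
        return self

    def add_option(self, name):
        self.options.append("--" + name)
        return self

    def argv(self):
        return [self.executable] + list(self.options)

    def execute(self, runner=subprocess.call):
        return runner(self.argv())


# Two constructed providers: identity mapping (Red Hat style) and a hypothetical
# Debian-style one whose unit names differ from the well-known names.
REDHAT = PlatformProvider(["/sbin/service"])
DEBIAN = PlatformProvider(["/usr/sbin/service"],
                          {"krb5kdc": "krb5-kdc", "httpd": "apache2"})


def restart_core_services(provider, runner=subprocess.call):
    """The migrated three-line restart from the message, written once against
    the abstraction. Returns the argv lists that were handed to 'runner'."""
    executed = []

    def record(argv):
        executed.append(argv)
        return runner(argv)

    for name in ("dirsrv", "krb5kdc", "httpd"):
        getattr(provider.knownservices, name).restart(runner=record)
    return executed


def disable_client_auth_argv():
    """Argv equivalent of the 'disable everything' authconfig call above."""
    return (AuthConfigBuilder().disable("ldap").disable("krb5").disable("sssd")
            .disable("sssdauth").disable("mkhomedir").add_option("update").argv())
```

The point of `KnownServices.__getattr__` rejecting anything outside the well-known list is the one the message makes: the set of services a platform provider must implement becomes something enforced at access time rather than discovered by grepping. Passing a `runner` lets the code be exercised without root or a real `service` binary.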



Re: [Freeipa-devel] [PATCH] #1743 Fix ipa-replica-prepare

2011-08-31 Thread Rob Crittenden

Simo Sorce wrote:

We stopped using ldappwd and kpasswd.keytab when we moved from
ipa_kpasswd to kadmind.

Unfortunately I forgot to remove their use in all places and didn't
notice issues during testing because I used a "dirty" virtual machine
that had a ldappwd file in place.

These patches get rid of these vestiges of the past and fix the replica
installation issues.

Simo.


ACK



[Freeipa-devel] [PATCH] #1743 Fix ipa-replica-prepare

2011-08-31 Thread Simo Sorce
We stopped using ldappwd and kpasswd.keytab when we moved from
ipa_kpasswd to kadmind.

Unfortunately I forgot to remove their use in all places and didn't
notice issues during testing because I used a "dirty" virtual machine
that had a ldappwd file in place.

These patches get rid of these vestiges of the past and fix the replica
installation issues.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
From 8e8cf07b530643290944d93314e1e43acb52d18d Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Wed, 31 Aug 2011 11:39:53 -0400
Subject: [PATCH 1/2] install: We do not need a ldap password anymore

Our new ipa-kdb driver accesses ldap via ldapi:// and EXTERNAL auth and doesn't
need a bind password anymore.

Fixes: https://fedorahosted.org/freeipa/ticket/1743
---
 install/tools/ipa-replica-install |3 +--
 install/tools/ipa-replica-prepare |1 -
 ipaserver/install/krbinstance.py  |   10 ++
 3 files changed, 3 insertions(+), 11 deletions(-)

diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index 6b97e0e93799c7cdb1b90fbe89a0f42a3c3d0b8d..a7c28c1ad40028657e71959176e960f4ff7a2d91 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -129,7 +129,6 @@ def install_replica_ds(config):
 
 def install_krb(config, setup_pkinit=False):
 krb = krbinstance.KrbInstance()
-ldappwd_filename = config.dir + "/ldappwd"
 kpasswd_filename = config.dir + "/kpasswd.keytab"
 
 #pkinit files
@@ -141,7 +140,7 @@ def install_krb(config, setup_pkinit=False):
 krb.create_replica(config.realm_name,
config.master_host_name, config.host_name,
config.domain_name, config.dirman_password,
-   ldappwd_filename, kpasswd_filename,
+   kpasswd_filename,
setup_pkinit, pkcs12_info)
 
 def install_ca_cert(config):
diff --git a/install/tools/ipa-replica-prepare b/install/tools/ipa-replica-prepare
index 0c88244b33f46aa87f4f619a0b7053ec14fd7603..647252e49548fd99e79d90da4dd5bf68e0475e2b 100755
--- a/install/tools/ipa-replica-prepare
+++ b/install/tools/ipa-replica-prepare
@@ -214,7 +214,6 @@ def copy_files(realm_name, dir):
 config_dir = dsinstance.config_dirname(dsinstance.realm_to_serverid(realm_name))
 
 try:
-shutil.copy("/var/kerberos/krb5kdc/ldappwd", dir + "/ldappwd")
 shutil.copy("/var/kerberos/krb5kdc/kpasswd.keytab", dir + "/kpasswd.keytab")
 shutil.copy("/usr/share/ipa/html/ca.crt", dir + "/ca.crt")
 if ipautil.file_exists("/usr/share/ipa/html/preferences.html"):
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index 9956b9fb7fb69d8788d2e8472a7b68993f7d561d..1f499006ec8dd8811378412420b25d4d3af252b5 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -183,13 +183,12 @@ class KrbInstance(service.Service):
 def create_replica(self, realm_name,
master_fqdn, host_name,
domain_name, admin_password,
-   ldap_passwd_filename, kpasswd_filename,
+   kpasswd_filename,
setup_pkinit=False, pkcs12_info=None,
self_signed_ca=False, subject_base=None):
 self.pkcs12_info = pkcs12_info
 self.self_signed_ca = self_signed_ca
 self.subject_base = subject_base
-self.__copy_ldap_passwd(ldap_passwd_filename)
 self.__copy_kpasswd_keytab(kpasswd_filename)
 self.master_fqdn = master_fqdn
 
@@ -212,11 +211,6 @@ class KrbInstance(service.Service):
 self.kpasswd = KpasswdInstance()
 self.kpasswd.create_instance('KPASSWD', self.fqdn, self.admin_password, self.suffix)
 
-def __copy_ldap_passwd(self, filename):
-self.fstore.backup_file("/var/kerberos/krb5kdc/ldappwd")
-shutil.copy(filename, "/var/kerberos/krb5kdc/ldappwd")
-os.chmod("/var/kerberos/krb5kdc/ldappwd", 0600)
-
 def __copy_kpasswd_keytab(self, filename):
 self.fstore.backup_file("/var/kerberos/krb5kdc/kpasswd.keytab")
 shutil.copy(filename, "/var/kerberos/krb5kdc/kpasswd.keytab")
@@ -463,7 +457,7 @@ class KrbInstance(service.Service):
 except:
 pass
 
-for f in ["/var/kerberos/krb5kdc/ldappwd", "/var/kerberos/krb5kdc/kdc.conf", "/etc/krb5.conf"]:
+for f in ["/var/kerberos/krb5kdc/kdc.conf", "/etc/krb5.conf"]:
 try:
 self.fstore.restore_file(f)
 except ValueError, error:
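Review bot: with `__copy_ldap_passwd` gone and `/var/kerberos/krb5kdc/ldappwd` removed from the restore list, nothing in the series touches a `ldappwd` file already present on an upgraded master, and the cover letter's "dirty" VM shows such files do linger. Since the file holds a directory bind password that the new ipa-kdb driver no longer needs, consider removing it in the upgrade or uninstall path rather than leaving a stale credential on disk.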
-- 
1.7.6

From 717fd6a447bef3f6792f6104f37bb1120c764095 Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Wed, 31 Aug 2011 11:45:07 -0400
Subject: [PATCH 2/2] install: We do not need a kpasswd keytab anymore

We now use MIT's kadmin instead of our old ipa_kpasswd daemon.
kadmind knows how to fetch the keys directly from the database and doesn't need
a keytab on the filesystem.
---
 install/tools/ipa-replica-install

[Freeipa-devel] [PATCH] 864 use IPA cert profile in installer

2011-08-31 Thread Rob Crittenden
We were still using the caRAserverCert profile when installing IPA and 
replicas resulting in 6 month server certs. Use the IPA profile instead 
to get 2 year certs.


Pushed as a one-liner to master and ipa-2-1

rob
From a71e38ea6ed1166bd637770a1c5f00867cb520be Mon Sep 17 00:00:00 2001
From: Rob Crittenden 
Date: Wed, 31 Aug 2011 13:22:33 -0400
Subject: [PATCH] Use the IPA server cert profile in the installer.

We were still using the caRAserverCert profile during installation.

https://fedorahosted.org/freeipa/ticket/1744
---
 ipaserver/install/certs.py |2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index d3df168..ead9c81 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -622,7 +622,7 @@ class CertDB(object):
 # We just want the CSR bits, make sure there is nothing else
 csr = pkcs10.strip_header(csr)
 
-params = {'profileId': 'caRAserverCert',
+params = {'profileId': 'caIPAserviceCert',
 'cert_request_type': 'pkcs10',
 'requestor_name': 'IPA Installer',
 'cert_request': csr,
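Review bot: the profile id is a bare string literal inside the params dict, which is how the wrong profile (`caRAserverCert`) survived unnoticed until the 6-month server certificates showed up. Hoist `'caIPAserviceCert'` into a named module-level constant so the installer and any other code path that requests server certificates share one definition, and add a one-line comment saying why the RA profile is wrong here (its shorter validity period).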
-- 
1.7.6


[Freeipa-devel] [PATCH] 865 update minimum 389-ds-base version

2011-08-31 Thread Rob Crittenden
Bump up minimum version of 389-ds to pick up fix to allow it to start 
with an expired cert


Pushed under the 1-liner rule.

rob
From f59e8145fa0ee131aafa1ce58e4ac729240e3418 Mon Sep 17 00:00:00 2001
From: Rob Crittenden 
Date: Tue, 30 Aug 2011 20:42:29 -0400
Subject: [PATCH] Set min nvr of 389-ds-base to 1.2.9.7-1 for BZ 728605

https://fedorahosted.org/freeipa/ticket/1576
---
 freeipa.spec.in |5 -
 1 files changed, 4 insertions(+), 1 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 1ef14a8..31a1e94 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -85,7 +85,7 @@ Requires: %{name}-python = %{version}-%{release}
 Requires: %{name}-client = %{version}-%{release}
 Requires: %{name}-admintools = %{version}-%{release}
 Requires(post): %{name}-server-selinux = %{version}-%{release}
-Requires(pre): 389-ds-base >= 1.2.9.6-1
+Requires(pre): 389-ds-base >= 1.2.9.7-1
 Requires: openldap-clients
 Requires: nss
 Requires: nss-tools
@@ -537,6 +537,9 @@ fi
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/default.conf
 
 %changelog
+* Wed Aug 31 2011 Rob Crittenden  - 2.99.0-3
+- Set min nvr of 389-ds-base to 1.2.9.7-1 for BZ 728605
+
 * Mon Aug 29 2011 Rob Crittenden  - 2.99.0-2
 - Set min nvr of pki-ca to 9.0.12 for fix in BZ 700505
 
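Review bot: the new changelog entry names 2.99.0-3, but no `Release:` change appears in this patch; the diffstat (4 insertions, 1 deletion) is fully accounted for by the `Requires(pre)` line and the three changelog lines. If the release number is generated outside the spec that is fine; otherwise the changelog and the built package version will disagree.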
-- 
1.6.2.5


Re: [Freeipa-devel] [PATCH] 260 Fixed problem with combobox.

2011-08-31 Thread Endi Sukma Dewata

On 8/31/2011 6:36 AM, Petr Vobornik wrote:

On 08/31/2011 07:30 AM, Endi Sukma Dewata wrote:

The entity select widget has been modified to handle a timing issue
in both the dialog box and the details page.

Ticket #1736

ACK


Pushed to master and ipa-2-1.

--
Endi S. Dewata



Re: [Freeipa-devel] [PATCH] 259 Fixed problem adding hostgroup into netgroup.

2011-08-31 Thread Endi Sukma Dewata

On 8/31/2011 3:46 AM, Petr Vobornik wrote:

On 08/30/2011 09:06 PM, Endi Sukma Dewata wrote:

The memberof_netgroup association facet for hostgroup has been
explicitly defined to use the serial associator so it will invoke
the right methods.

Ticket #1737

ACK


Pushed to master and ipa-2-1.


I think we should unite the usage of serial and bulk associators.
Currently the usage of entity and other_entity is inverted. This could
be achieved by proper initialization of the spec from the association type
(association name - something similar to what is used now in
association_table) and by not blindly copying the entity from the facet as is
done now (the association entity often isn't equal to the facet entity, e.g. in
memberof association). This could be part of
https://fedorahosted.org/freeipa/ticket/1690 .


I agree that the associators need some cleanup. The serial & bulk 
associators right now determine the type of the association. MemberOf 
association uses serial because the 'entity' has to be added into 'other 
entities' using multiple -add-member commands. Member 
association uses bulk because the 'other entities' can be added into the 
'entity' at once using a single -add-member command.


We could combine them into a single class and use a variable 'type' to 
determine how to generate the commands. We could also keep them separate 
and use the class itself to determine the 'type'. We would rename them 
into memberof_association and member_association. Then the 
association_facet() in the entity_builder will map the association names 
into the right 'type'. That way we don't have to specify it explicitly 
in the entity declarations.


--
Endi S. Dewata



Re: [Freeipa-devel] [PATCH] 258 Fixed hard-coded UI messages.

2011-08-31 Thread Endi Sukma Dewata

On 8/31/2011 2:42 AM, Petr Vobornik wrote:

On 08/30/2011 04:43 PM, Endi Sukma Dewata wrote:

Some hard-coded messages in ipa.js have been moved into internal.py.
The messages in internal.py have been rearranged to match the output
(ipa_init.json).

A new method IPA.get_message() has been added to take a message ID and
return the translated message or a default message if not found.

Ticket #1701

for the changes: ACK


Pushed to master and ipa-2-1.


I found one more string: "'Error: '+error_thrown.name+'';"
entity.js:126


We'll fix that in another patch.

--
Endi S. Dewata



Re: [Freeipa-devel] bind-dyndb-ldap 1.0.0b1 has been released

2011-08-31 Thread Simo Sorce
On Wed, 2011-08-31 at 14:13 +0200, Adam Tkac wrote:
> Hello,
> 
> bind-dyndb-ldap 1.0.0b1 has been released. The most notable change is
> the new "psearch (yes/no)" option. When set to "yes", the plugin is able
> to immediately propagate the addition/modification/deletion of zones,
> without the need for the `rndc reload` command.
> 
> Tarball:
> https://fedorahosted.org/released/bind-dyndb-ldap/bind-dyndb-ldap-1.0.0b1.tar.gz
> 
> Links to Fedora updates:
> https://admin.fedoraproject.org/updates/bind-dyndb-ldap-1.0.0-0.1.b1.fc16
> https://admin.fedoraproject.org/updates/bind-dyndb-ldap-1.0.0-0.1.b1.fc15
> 
> Please report any bugs to https://bugzilla.redhat.com
> 
> Check the NEWS file for other notable changes.
> 
> Regards, Adam

Thanks Adam,
this feature is really useful!

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-devel] [PATCH] 111 Let Bind track data changes

2011-08-31 Thread Martin Kosek
On Wed, 2011-08-31 at 10:40 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > On Mon, 2011-08-15 at 14:20 +0200, Martin Kosek wrote:
> >> A new version of bind-dyndb-ldap has been released. Thanks to the new
> >> persistent search feature, the name server can immediately pull new DNS
> >> zones when they are created in IPA.
> >>
> >> Since the bind-dyndb-ldap plugin has not been released in F-15 yet, one
> >> has to use the provided src.rpm:
> >>
> >> http://mkosek.fedorapeople.org/bind-dyndb-ldap/srpm/bind-dyndb-ldap-0.2.0-5.fc17.src.rpm
> >>
> >> or rpms I built for x86_64 F-15:
> >>
> >> http://mkosek.fedorapeople.org/bind-dyndb-ldap/x86_64/
> >>
> >> There is one setback though. When I investigated DNS persistent search
> >> behavior I still miss the ability to detect changes to the DNS zone
> >> itself. Adding a record (for example MX record) to the zone does not
> >> trigger an update of the zone in nameserver cache. We still have to wait
> >> for cache timeout (argument "cache_ttl"). We cannot therefore use this
> >> feature as a solution of:
> >>
> >> https://fedorahosted.org/freeipa/ticket/1114
> >> https://fedorahosted.org/freeipa/ticket/1125
> >> https://fedorahosted.org/freeipa/ticket/1126
> >>
> >> Martin
> >>
> >
> > Sending a rebased version of the patch. It requires new bind-dyndb-ldap
> > version that Adam has just sent to the list.
> >
> > Martin
> 
> Ack. Tested this with the older bind-dyndb-ldap too and it doesn't cause 
> anything to blow up, so ok to push now rather than waiting for 
> bind-dyndb-ldap to hit updates-testing.
> 
> rob

Pushed to master, ipa-2-1.

Martin



Re: [Freeipa-devel] [PATCH] 111 Let Bind track data changes

2011-08-31 Thread Rob Crittenden

Martin Kosek wrote:

On Mon, 2011-08-15 at 14:20 +0200, Martin Kosek wrote:

A new version of bind-dyndb-ldap has been released. Thanks to the new
persistent search feature, the name server can immediately pull new DNS
zones when they are created in IPA.

Since the bind-dyndb-ldap plugin has not been released in F-15 yet, one
has to use the provided src.rpm:

http://mkosek.fedorapeople.org/bind-dyndb-ldap/srpm/bind-dyndb-ldap-0.2.0-5.fc17.src.rpm

or rpms I built for x86_64 F-15:

http://mkosek.fedorapeople.org/bind-dyndb-ldap/x86_64/

There is one setback though. When I investigated DNS persistent search
behavior I still miss the ability to detect changes to the DNS zone
itself. Adding a record (for example MX record) to the zone does not
trigger an update of the zone in nameserver cache. We still have to wait
for cache timeout (argument "cache_ttl"). We cannot therefore use this
feature as a solution of:

https://fedorahosted.org/freeipa/ticket/1114
https://fedorahosted.org/freeipa/ticket/1125
https://fedorahosted.org/freeipa/ticket/1126

Martin



Sending a rebased version of the patch. It requires new bind-dyndb-ldap
version that Adam has just sent to the list.

Martin


Ack. Tested this with the older bind-dyndb-ldap too and it doesn't cause 
anything to blow up, so ok to push now rather than waiting for 
bind-dyndb-ldap to hit updates-testing.


rob



Re: [Freeipa-devel] [PATCH] 111 Let Bind track data changes

2011-08-31 Thread Martin Kosek
On Wed, 2011-08-31 at 14:47 +0200, Martin Kosek wrote:
> On Mon, 2011-08-15 at 14:20 +0200, Martin Kosek wrote:
> > A new version of bind-dyndb-ldap has been released. Thanks to the new
> > persistent search feature, the name server can immediately pull new DNS
> > zones when they are created in IPA.
> > 
> > Since the bind-dyndb-ldap plugin has not been released in F-15 yet, one
> > has to use the provided src.rpm:
> > 
> > http://mkosek.fedorapeople.org/bind-dyndb-ldap/srpm/bind-dyndb-ldap-0.2.0-5.fc17.src.rpm
> > 
> > or rpms I built for x86_64 F-15:
> > 
> > http://mkosek.fedorapeople.org/bind-dyndb-ldap/x86_64/
> > 
> > There is one setback though. When I investigated DNS persistent search
> > behavior I still miss the ability to detect changes to the DNS zone
> > itself. Adding a record (for example MX record) to the zone does not
> > trigger an update of the zone in nameserver cache. We still have to wait
> > for cache timeout (argument "cache_ttl"). We cannot therefore use this
> > feature as a solution of:
> > 
> > https://fedorahosted.org/freeipa/ticket/1114
> > https://fedorahosted.org/freeipa/ticket/1125
> > https://fedorahosted.org/freeipa/ticket/1126
> > 
> > Martin
> > 
> 
> Sending a rebased version of the patch. It requires new bind-dyndb-ldap
> version that Adam has just sent to the list.
> 
> Martin

I would also like to add a hint for reviewers on how to test:

1) Install the referred bind-dyndb-ldap package
2) Configure FreeIPA with DNS using
  2a) ipa-dns-install without any arguments to enable zone refresh (scenario A)
  2b) ipa-dns-install --zone-notif to enable persistent search (scenario B)
3) Add a new zone using "ipa dnszone-add $ZONE"
4) Use the following command to see if the zone is already resolvable:
   $ dig -t soa $ZONE
  4a) scenario A: the new zone does not have to be resolvable immediately, but within the default number of seconds for zone refresh (defaults to 30)
  4b) scenario B: the new zone should be immediately resolvable
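The timing check in step 4 above, as an added illustration that is not part of Martin's patch or the FreeIPA code: it polls `dig -t soa` for the new zone, reports how long the zone took to become resolvable, and sorts the result into the two scenarios (immediate for persistent search, within the 30-second refresh period for zone refresh). The function names, the 2-second tolerance for "immediate", and the injectable probe/clock/sleep parameters are my own assumptions; `dig` is assumed to be on PATH.

```python
import subprocess
import sys
import time

REFRESH_INTERVAL = 30.0   # default zone refresh period quoted in step 4a
IMMEDIATE_SLACK = 2.0     # assumed tolerance for "immediately resolvable"


def dig_soa(zone, server=None):
    """Probe: True when 'dig -t soa ZONE' returns an answer record.
    Assumes dig is on PATH; any error counts as 'not resolvable yet'."""
    cmd = ["dig", "+short", "-t", "soa", zone]
    if server:
        cmd.insert(1, "@" + server)
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True, timeout=5)
    except (OSError, subprocess.TimeoutExpired):
        return False
    return proc.returncode == 0 and proc.stdout.strip() != ""


def wait_for_zone(zone, timeout=60.0, interval=1.0, probe=dig_soa,
                  clock=time.monotonic, sleep=time.sleep):
    """Poll until the zone answers an SOA query. Returns the elapsed seconds,
    or None if the zone was still unresolvable after 'timeout' seconds.
    'probe', 'clock' and 'sleep' are injectable so the logic can be checked
    without a running name server."""
    start = clock()
    while True:
        if probe(zone):
            return clock() - start
        if clock() - start >= timeout:
            return None
        sleep(interval)


def classify(elapsed, refresh_interval=REFRESH_INTERVAL, slack=IMMEDIATE_SLACK):
    """Map the measured delay onto the scenarios in the test hint."""
    if elapsed is None:
        return "not resolvable"
    if elapsed <= slack:
        return "immediate"            # scenario B (persistent search)
    if elapsed <= refresh_interval + slack:
        return "within zone refresh"  # scenario A (refresh timer / cache_ttl)
    return "late"                     # slower than the refresh period: investigate


def check_zone(zone, **kwargs):
    """Run the measurement and return (elapsed, verdict) for reporting."""
    elapsed = wait_for_zone(zone, **kwargs)
    return elapsed, classify(elapsed)


if __name__ == "__main__":
    # Usage: run right after 'ipa dnszone-add $ZONE' on the IPA master.
    zone_name = sys.argv[1] if len(sys.argv) > 1 else "example.test"  # constructed default
    elapsed, verdict = check_zone(zone_name)
    if elapsed is None:
        print("%s: %s" % (zone_name, verdict))
    else:
        print("%s: %s after %.1fs" % (zone_name, verdict, elapsed))
```

Running it against a scenario A server should print "within zone refresh" with a delay up to about 30 seconds; against a scenario B server it should print "immediate". A "late" verdict means neither mechanism picked up the zone within the refresh period and is worth a look at the name server logs.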




[Freeipa-devel] [PATCH] 011 Attributes table not scrollable

2011-08-31 Thread Petr Vobornik

https://fedorahosted.org/freeipa/ticket/1739

The attributes table (IPA.attributes_widget) used in Permissions, 
Self-Service Permissions, and Delegations is supposed to be short but 
scrollable. In Firefox 3.6 it works fine, but in Firefox 6.0 it appears 
as a long non-scrollable table which makes it more difficult to use.


--
Petr Vobornik
From d54e3d5758771fd010ce60ff0d77ee51964f7bc3 Mon Sep 17 00:00:00 2001
From: Petr Vobornik 
Date: Wed, 31 Aug 2011 14:42:33 +0200
Subject: [PATCH] Attributes table not scrollable

https://fedorahosted.org/freeipa/ticket/1739

The attributes table (IPA.attributes_widget) used in Permissions, Self-Service Permissions, and Delegations is supposed to be short but scrollable. In Firefox 3.6 it works fine, but in Firefox 6.0 it appears as a long non-scrollable table which makes it more difficult to use.
---
 install/ui/ipa.css |7 ++-
 1 files changed, 6 insertions(+), 1 deletions(-)

diff --git a/install/ui/ipa.css b/install/ui/ipa.css
index 705e9a11ebf54771669172a85025d17b18aa2ae2..e341b4112bbaa8c8680e8b291aed64d5a3d2e988 100644
--- a/install/ui/ipa.css
+++ b/install/ui/ipa.css
@@ -1035,12 +1035,17 @@ span.main-separator{
 
 }
 
+.aci-attribute-table thead{
+display: block;
+}
+
 
 .aci-attribute-table tbody{
-width: 20em;
+width: 100%;
 height:10em;
 overflow:auto;
 border-bottom: 1px solid #8a8a8a;
+display: block;
 }
 
 .aci-attribute-table th.aci-attribute-column{
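Review bot: with `display: block` on both `thead` and `tbody`, the header and body stop sharing one table layout, so the browser no longer keeps the header cells aligned with the columns below them; the `th.aci-attribute-column` rule that follows this hunk should pin explicit, matching widths on the header and body cells so the header does not drift once the body scrolls. The hunk also leaves a doubled blank line between the new `thead` block and the `tbody` rule (style nit).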
-- 
1.7.6


Re: [Freeipa-devel] [PATCH] 111 Let Bind track data changes

2011-08-31 Thread Martin Kosek
On Mon, 2011-08-15 at 14:20 +0200, Martin Kosek wrote:
> A new version of bind-dyndb-ldap has been released. Thanks to the new
> persistent search feature, the name server can immediately pull new DNS
> zones when they are created in IPA.
> 
> Since the bind-dyndb-ldap plugin has not been released in F-15 yet, one
> has to use the provided src.rpm:
> 
> http://mkosek.fedorapeople.org/bind-dyndb-ldap/srpm/bind-dyndb-ldap-0.2.0-5.fc17.src.rpm
> 
> or rpms I built for x86_64 F-15:
> 
> http://mkosek.fedorapeople.org/bind-dyndb-ldap/x86_64/
> 
> There is one setback though. When I investigated DNS persistent search
> behavior I still miss the ability to detect changes to the DNS zone
> itself. Adding a record (for example MX record) to the zone does not
> trigger an update of the zone in nameserver cache. We still have to wait
> for cache timeout (argument "cache_ttl"). We cannot therefore use this
> feature as a solution of:
> 
> https://fedorahosted.org/freeipa/ticket/1114
> https://fedorahosted.org/freeipa/ticket/1125
> https://fedorahosted.org/freeipa/ticket/1126
> 
> Martin
> 

Sending a rebased version of the patch. It requires the new bind-dyndb-ldap
version that Adam has just sent to the list.

Martin
From 2efceb25237cdc55c05875a03fb9cf576143 Mon Sep 17 00:00:00 2001
From: Martin Kosek 
Date: Wed, 31 Aug 2011 14:42:57 +0200
Subject: [PATCH] Let Bind track data changes

Integrate new bind-dyndb-ldap features to automatically track
DNS data changes:

 1) Zone refresh
Set --zone-refresh in installation to define number of seconds
between bind-dyndb-ldap polls for new DNS zones. User now
doesn't have to restart name server when a new zone is added.

 2) New zone notifications
Use LDAP persistent search mechanism to immediately get
notification when any new DNS zone is added. Use --zone-notif
install option to enable. This option is mutually exclusive
with Zone refresh.

To enable this functionality in existing IPA installations,
update a list of arguments for bind-dyndb-ldap in /etc/named.conf.
An example when zone refresh is disabled and DNS data change
notifications are enabled:

dynamic-db "ipa" {
...
arg "zone_refresh 0";
arg "psearch on";
};

This patch requires bind-dyndb-ldap-1.0.0-0.1.b1 or later.

https://fedorahosted.org/freeipa/ticket/826
---
 install/share/bind.named.conf.template |2 ++
 install/tools/ipa-dns-install  |   20 +++-
 install/tools/ipa-server-install   |   20 +++-
 install/tools/man/ipa-dns-install.1|6 ++
 install/tools/man/ipa-server-install.1 |6 ++
 ipalib/constants.py|3 +++
 ipaserver/install/bindinstance.py  |   11 +--
 7 files changed, 64 insertions(+), 4 deletions(-)

diff --git a/install/share/bind.named.conf.template b/install/share/bind.named.conf.template
index e843b4c005cbbbee55a2f9ef5374a6a3f12dbfca..f133b089a9eb428e9ad76b66a3ff162b45e5a779 100644
--- a/install/share/bind.named.conf.template
+++ b/install/share/bind.named.conf.template
@@ -44,4 +44,6 @@ dynamic-db "ipa" {
 	arg "auth_method sasl";
 	arg "sasl_mech GSSAPI";
 	arg "sasl_user DNS/$FQDN";
+	arg "zone_refresh $ZONE_REFRESH";
+	arg "psearch $PERSISTENT_SEARCH";
 };
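Review bot: the new `arg "psearch $PERSISTENT_SEARCH"` line has to be filled with a value the plugin actually parses; the 1.0.0b1 release announcement on this list documents the option as `psearch (yes/no)` while the commit message shows `arg "psearch on"`, so either confirm bind-dyndb-ldap accepts both spellings or have the installer emit yes/no. Since `zone_refresh` is always written as well, the installer must set it to 0 whenever persistent search is enabled, otherwise both mechanisms run at once despite the options being documented as mutually exclusive.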
diff --git a/install/tools/ipa-dns-install b/install/tools/ipa-dns-install
index cf400dd75cdf747ec24ccfc7d2dabd4873c8962b..09006a2009c42a61ab80172637eeaf87a9db0635 100755
--- a/install/tools/ipa-dns-install
+++ b/install/tools/ipa-dns-install
@@ -29,6 +29,7 @@ from ipapython import version
 from ipapython import ipautil, sysrestore
 from ipalib import api, errors, util
 from ipapython.config import IPAOptionParser
+from ipalib.constants import DNS_ZONE_REFRESH
 import krbV
 import ldap
 
@@ -49,6 +50,14 @@ def parse_options():
   default=False, help="Do not create reverse DNS zone")
 parser.add_option("--zonemgr", dest="zonemgr", 
   help="DNS zone manager e-mail address. Defaults to root")
+parser.add_option("--zone-notif", dest="zone_notif",
+  action="store_true", default=False,
+  help="Let name server receive notification when a new zone is added." \
+   "Zone refresh is turned off when zone notification is enabled")
+parser.add_option("--zone-refresh", dest="zone_refresh",
+  default=DNS_ZONE_REFRESH, type="int",
+  help="A delay between checks for new DNS zones. Defaults to %d" \
+  % DNS_ZONE_REFRESH)
 parser.add_option("-U", "--unattended", dest="unattended", action="store_true",
   default=False, help="unattended installation never prompts the user")
 
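Review bot: the `--zone-notif` help text is built from two adjacent string literals with no separating space, so it renders as `...when a new zone is added.Zone refresh is turned off...`; add a trailing space to the first literal. Also, `--zone-refresh` is declared `type="int"` with no lower bound while the template hunk writes the value verbatim into named.conf, so a negative value should be rejected in `parse_options` next to the mutual-exclusion check.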
@@ -64,6 +73,12 @@ def parse_options():
 if not options.forwarders and not options.no_forwarders:
 parser.error("You must specify at least one --forwarder option or --no-forwarders option")
 
+if options.zone_refresh

Re: [Freeipa-devel] [PATCH] 863 netgroups memberof

2011-08-31 Thread Martin Kosek
On Wed, 2011-08-31 at 08:22 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > On Tue, 2011-08-30 at 23:50 -0400, Rob Crittenden wrote:
> >> This was spawned by another recent patch I pushed that showed netgroups
> >> that a hostgroup is a member of. We want to suppress the automatic
> >> netgroup that is created with hostgroups.
> >>
> >> rob
> >
> > NACK. I see several issues with the patch:
> >
> > 1) Lint problem:
> > ipalib/plugins/hostgroup.py:107: [E0602, 
> > hostgroup.suppress_netgroup_memberof] Undefined variable 'NotFound'
> >
> > 2) When there is no hostgroup, `ipa hostgroup-find` throws an
> > exception:
> > [Wed Aug 31 04:36:11 2011] [error] ipa: ERROR: non-public: 
> > UnboundLocalError: local variable 'dn' referenced before assignment
> > [Wed Aug 31 04:36:11 2011] [error] Traceback (most recent call last):
> > [Wed Aug 31 04:36:11 2011] [error]   File 
> > "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 223, in 
> > wsgi_execute
> > [Wed Aug 31 04:36:11 2011] [error] result = self.Command[name](*args, 
> > **options)
> > [Wed Aug 31 04:36:11 2011] [error]   File 
> > "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 432, in __call__
> > [Wed Aug 31 04:36:11 2011] [error] ret = self.run(*args, **options)
> > [Wed Aug 31 04:36:11 2011] [error]   File 
> > "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 738, in run
> > [Wed Aug 31 04:36:11 2011] [error] return self.execute(*args, **options)
> > [Wed Aug 31 04:36:11 2011] [error]   File 
> > "/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py", line 1596, 
> > in execute
> > [Wed Aug 31 04:36:11 2011] [error] callback(ldap, entries, truncated, 
> > *args, **options)
> > [Wed Aug 31 04:36:11 2011] [error]   File 
> > "/usr/lib/python2.7/site-packages/ipalib/plugins/hostgroup.py", line 163, 
> > in post_callback
> > [Wed Aug 31 04:36:11 2011] [error] return dn
> > [Wed Aug 31 04:36:11 2011] [error] UnboundLocalError: local variable 'dn' 
> > referenced before assignment
> >
> > 3) JR's automember tests that were pushed today will need to have
> > memberof_netgroup removed too.
> >
> > Martin
> >
> 
> All issues addressed.
> 
> rob

ACK. Pushed to master, ipa-2-1.

Martin



Re: [Freeipa-devel] [PATCH] 863 netgroups memberof

2011-08-31 Thread Rob Crittenden

Martin Kosek wrote:

On Tue, 2011-08-30 at 23:50 -0400, Rob Crittenden wrote:

This was spawned by another recent patch I pushed that showed netgroups
that a hostgroup is a member of. We want to suppress the automatic
netgroup that is created with hostgroups.

rob


NACK. I see several issues with the patch:

1) Lint problem:
ipalib/plugins/hostgroup.py:107: [E0602, hostgroup.suppress_netgroup_memberof] 
Undefined variable 'NotFound'

2) When there is no hostgroup, `ipa hostgroup-find` throws an
exception:
[Wed Aug 31 04:36:11 2011] [error] ipa: ERROR: non-public: UnboundLocalError: 
local variable 'dn' referenced before assignment
[Wed Aug 31 04:36:11 2011] [error] Traceback (most recent call last):
[Wed Aug 31 04:36:11 2011] [error]   File 
"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 223, in 
wsgi_execute
[Wed Aug 31 04:36:11 2011] [error] result = self.Command[name](*args, 
**options)
[Wed Aug 31 04:36:11 2011] [error]   File 
"/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 432, in __call__
[Wed Aug 31 04:36:11 2011] [error] ret = self.run(*args, **options)
[Wed Aug 31 04:36:11 2011] [error]   File 
"/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 738, in run
[Wed Aug 31 04:36:11 2011] [error] return self.execute(*args, **options)
[Wed Aug 31 04:36:11 2011] [error]   File 
"/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py", line 1596, in 
execute
[Wed Aug 31 04:36:11 2011] [error] callback(ldap, entries, truncated, 
*args, **options)
[Wed Aug 31 04:36:11 2011] [error]   File 
"/usr/lib/python2.7/site-packages/ipalib/plugins/hostgroup.py", line 163, in 
post_callback
[Wed Aug 31 04:36:11 2011] [error] return dn
[Wed Aug 31 04:36:11 2011] [error] UnboundLocalError: local variable 'dn' 
referenced before assignment

3) JR's automember tests that were pushed today will need to have
memberof_netgroup removed too.

Martin



All issues addressed.

rob
From 79ce49eb3ce5d35b22efe9c8019e66ff56686ee5 Mon Sep 17 00:00:00 2001
From: Rob Crittenden 
Date: Tue, 30 Aug 2011 18:38:22 -0400
Subject: [PATCH] Suppress managed netgroups from showing as memberof hostgroups.

By design these managed netgroups are not supposed to show unless you
specifically want to see them.

https://fedorahosted.org/freeipa/ticket/1738
---
 ipalib/plugins/hostgroup.py |   50 --
 tests/test_xmlrpc/test_automember_plugin.py |   12 +--
 tests/test_xmlrpc/test_hostgroup_plugin.py  |7 
 tests/test_xmlrpc/test_nesting.py   |5 ---
 tests/test_xmlrpc/test_netgroup_plugin.py   |1 -
 5 files changed, 47 insertions(+), 28 deletions(-)

diff --git a/ipalib/plugins/hostgroup.py b/ipalib/plugins/hostgroup.py
index d75f381..0d69d09 100644
--- a/ipalib/plugins/hostgroup.py
+++ b/ipalib/plugins/hostgroup.py
@@ -19,7 +19,8 @@
 # along with this program.  If not, see .
 
 from ipalib.plugins.baseldap import *
-from ipalib import api, Int, _, ngettext
+from ipalib import api, Int, _, ngettext, errors
+from ipalib.dn import DN
 
 __doc__ = _("""
 Groups of hosts.
@@ -88,6 +89,24 @@ class hostgroup(LDAPObject):
 ),
 )
 
+def suppress_netgroup_memberof(self, dn, entry_attrs):
+"""
+We don't want to show managed netgroups so remove them from the
+memberOf list.
+"""
+if 'memberof' in entry_attrs:
+hgdn = DN(dn)
+for member in entry_attrs['memberof']:
+ngdn = DN(member)
+if ngdn['cn'] == hgdn['cn']:
+try:
+netgroup = api.Command['netgroup_show'](ngdn['cn'], all=True)['result']
+if self.has_objectclass(netgroup['objectclass'], 'mepmanagedentry'):
+entry_attrs['memberof'].remove(member)
+return
+except errors.NotFound:
+pass
+
 api.register(hostgroup)
 
 
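Review bot: `suppress_netgroup_memberof` decides which memberOf value to drop by comparing only the `cn` RDN, so any other entry whose cn equals the hostgroup name (a role or another object of the same name, whose DN also carries a `cn` RDN) would match, `netgroup_show` would then find the managed netgroup of that name, and the wrong DN would be removed from `memberof`. Check that `member` actually lies under the netgroup container before calling `netgroup_show`, and make `DN(member)['cn']` safe for memberOf values whose RDNs do not include `cn`. Note also that the extra `netgroup_show` round trip runs once per matching entry, which adds up for `hostgroup-find` over many results.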
@@ -97,9 +116,11 @@ class hostgroup_add(LDAPCreate):
 msg_summary = _('Added hostgroup "%(value)s"')
 
 def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
-if self.api.env.wait_for_attr:
-newentry = wait_for_value(ldap, dn, 'objectclass', 'mepOriginEntry')
-entry_from_entry(entry_attrs, newentry)
+# Always wait for the associated netgroup to be created so we can
+# be sure to ignore it in memberOf
+newentry = wait_for_value(ldap, dn, 'objectclass', 'mepOriginEntry')
+entry_from_entry(entry_attrs, newentry)
+self.obj.suppress_netgroup_memberof(dn, entry_attrs)
 
 return dn
 
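Review bot: dropping the `self.api.env.wait_for_attr` guard makes `wait_for_value` unconditional, so `hostgroup-add` now blocks until the Managed Entries plugin has produced the `mepOriginEntry` objectclass on every call, and installations that turn `wait_for_attr` off (or where the plugin is not active) will wait out the full timeout. If the wait is needed for the suppression to be correct, say so in the commit message and document that the option no longer applies to this command; otherwise keep the guard and only call `suppress_netgroup_memberof` once the entry carries the objectclass.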
@@ -120,6 +141,10 @@ class hostgroup_mod(LDAPUpdate):
 
 msg_summary = _('Modified hostgroup "%(value)s"')
 
+def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
+self.obj.suppress_netgroup_memberof(dn, entry_attrs)
+return dn
+
 api.register(hostgroup_mod)
 
 

[Freeipa-devel] bind-dyndb-ldap 1.0.0b1 has been released

2011-08-31 Thread Adam Tkac
Hello,

bind-dyndb-ldap 1.0.0b1 has been released. The most notable change is the
new "psearch (yes/no)" option. When set to "yes", the plugin is able
to immediately propagate addition/modification/deletion of zones
without the need for the `rndc reload` command.

Tarball:
https://fedorahosted.org/released/bind-dyndb-ldap/bind-dyndb-ldap-1.0.0b1.tar.gz

Links to Fedora updates:
https://admin.fedoraproject.org/updates/bind-dyndb-ldap-1.0.0-0.1.b1.fc16
https://admin.fedoraproject.org/updates/bind-dyndb-ldap-1.0.0-0.1.b1.fc15

Please report any bugs to https://bugzilla.redhat.com

Check the NEWS file for other notable changes.

Regards, Adam



Re: [Freeipa-devel] [PATCH] 260 Fixed problem with combobox.

2011-08-31 Thread Petr Vobornik

On 08/31/2011 07:30 AM, Endi Sukma Dewata wrote:

The entity select widget has been modified to handle timing issue
in both dialog box and details page.

Ticket #1736




ACK

--
Petr Vobornik



Re: [Freeipa-devel] [PATCH] 862 sort lists in tests

2011-08-31 Thread Martin Kosek
On Tue, 2011-08-30 at 23:50 -0400, Rob Crittenden wrote:
> JR ran into an issue with his automember patch where the order of 
> memberof wasn't predictable which caused tests to fail.
> 
> To resolve this we just need to sort the lists and then compare.
> 
> rob

ACK. Pushed to master, ipa-2-1.

Martin



Re: [Freeipa-devel] [PATCH] 863 netgroups memberof

2011-08-31 Thread Martin Kosek
On Tue, 2011-08-30 at 23:50 -0400, Rob Crittenden wrote:
> This was spawned by another recent patch I pushed that showed netgroups 
> that a hostgroup is a member of. We want to suppress the automatic 
> netgroup that is created with hostgroups.
> 
> rob

NACK. I see several issues with the patch:

1) Lint problem:
ipalib/plugins/hostgroup.py:107: [E0602, hostgroup.suppress_netgroup_memberof] 
Undefined variable 'NotFound'

2) When there is no hostgroup, `ipa hostgroup-find` throws an
exception:
[Wed Aug 31 04:36:11 2011] [error] ipa: ERROR: non-public: UnboundLocalError: 
local variable 'dn' referenced before assignment
[Wed Aug 31 04:36:11 2011] [error] Traceback (most recent call last):
[Wed Aug 31 04:36:11 2011] [error]   File 
"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 223, in 
wsgi_execute
[Wed Aug 31 04:36:11 2011] [error] result = self.Command[name](*args, 
**options)
[Wed Aug 31 04:36:11 2011] [error]   File 
"/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 432, in __call__
[Wed Aug 31 04:36:11 2011] [error] ret = self.run(*args, **options)
[Wed Aug 31 04:36:11 2011] [error]   File 
"/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 738, in run
[Wed Aug 31 04:36:11 2011] [error] return self.execute(*args, **options)
[Wed Aug 31 04:36:11 2011] [error]   File 
"/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py", line 1596, in 
execute
[Wed Aug 31 04:36:11 2011] [error] callback(ldap, entries, truncated, 
*args, **options)
[Wed Aug 31 04:36:11 2011] [error]   File 
"/usr/lib/python2.7/site-packages/ipalib/plugins/hostgroup.py", line 163, in 
post_callback
[Wed Aug 31 04:36:11 2011] [error] return dn
[Wed Aug 31 04:36:11 2011] [error] UnboundLocalError: local variable 'dn' 
referenced before assignment

3) JR's automember tests that were pushed today will need to have
memberof_netgroup removed too.

Martin



Re: [Freeipa-devel] [PATCH] 259 Fixed problem adding hostgroup into netgroup.

2011-08-31 Thread Petr Vobornik

On 08/30/2011 09:06 PM, Endi Sukma Dewata wrote:

The memberof_netgroup association facet for hostgroup has been
explicitly defined to use the serial associator so it will invoke
the right methods.

Ticket #1737




ACK

I think we should unite the usage of serial and bulk associators. 
Currently the usage of entity and other_entity is inverted. This could 
be achieved by proper initialization of spec from association type 
(association name - something similar to what is used now in 
association_table) and not blindly copying entity from facet as it is 
done now (association entity often isn't equal to facet entity (e.g. in 
memberof association)). This could be part of 
https://fedorahosted.org/freeipa/ticket/1690 .


--
Petr Vobornik



Re: [Freeipa-devel] [PATCH] 34 Create FreeIPA CLI Plugin for the 389 Auto Membership plugin

2011-08-31 Thread Martin Kosek
On Wed, 2011-08-31 at 00:59 +, JR Aquino wrote:
> On Aug 30, 2011, at 12:44 PM, Jr Aquino wrote:
> 
> > 
> > On Aug 23, 2011, at 2:43 PM, Rob Crittenden wrote:
> > 
> >> JR Aquino wrote:
> >>> 
> >>> On Aug 19, 2011, at 2:16 AM, Martin Kosek wrote:
> >>> 
>  Hi JR,
>  
>  I get to your plugin again. You can see my findings below.
>  
>  On Tue, 2011-08-09 at 22:41 +, JR Aquino wrote:
>  ...
> > Ok New Patch attached.
> > 
> > I believe this addresses the above.
> > 
> > 1. Requires(pre): 389-ds-base>= 1.2.9.5-1
>  
>  1) Please, remove the change to FreeIPA spec, it's no longer needed since
>  we shipped version 2.1 and it already requires sufficient 389-ds-base
>  version.
> >>> 
> >>> Done.
> >>> 
>  
> > 
> > 2. replica-automember.ldif added for dsinstance to install during 
> > replica installs:
> > +dn: cn=Auto Membership Plugin,cn=plugins,cn=config
> > +changetype: modify
> > +add: nsslapd-pluginConfigArea
> > +nsslapd-pluginConfigArea: cn=automember,cn=etc,$SUFFIX
>  
>  2) OK. I would do it a bit different - have one LDIF for
>  nsslapd-pluginConfigArea setting and second for creating the base
>  automember structure. Master would then use both LDIFs and a replica
>  both of them. We would then be without duplicates in LDIF. But your way
>  acceptable.
> >>> 
> >>> Please allow the 2 ldif's in as they are.
> >>> 
> >>> I tried to split them to leverage cn=config change in common, however, I 
> >>> encountered a 389 ds bug.
> >>> I will be opening a bug with Nathan in BZ to address the bug.  If you 
> >>> feel strongly, we can either:
> >>> 
> >>> A: Accept the two LDIFs as is and revisit after a newer version of 389 ds 
> >>> is available.
> >>> B: Wait until 389 ds addresses the bug and make the minor modification 
> >>> you suggested above.
> >>> 
>  
> > 
> > 3. autoMemberScope is now set for each:
> > groups: cn=users,cn=accounts,$SUFFIX
> > hostgroups: cn=computers,cn=accounts,$SUFFIX
>  
>  OK
>  
> > 
> > 4. Corrected examples
> > Set the default target group:
> >   ipa automember-default-group-set --default-group=webservers hostgroup
> >   ipa automember-default-group-set --default-group=ipausers group
> > 
> > Set the default target group:
> >   ipa automember-default-group-remove hostgroup
> >   ipa automember-default-group-remove group
> > 
> > Show the default target group:
> >   ipa automember-default-group-show hostgroup
> >   ipa automember-default-group-show group
> > 
> > 5. Corrected examples
> > Add a condition to the rule:
> >  ipa automember-add-condition --key=fqdn --type=hostgroup 
> > --inclusive-regex=^web[1-9+]\.example\.com webservers
>  
>  3) Please fix the regex to ^web[1-9]+\.example\.com. I think it's just a
>  mistake - right now for example a host web11.example.com does not match.
> >>> 
> >>> Fixed
> >>> 
>  
> >  ipa automember-add-condition --key=manager --type=group 
> > --inclusive-regex=^mscott admins
> > 
>  
>  4) I think you wanted to use devel rule instead of non-existent "admins"
>  automember rule.
>  
> >>> 
> >>> You are correct, this has been fixed.
> >>> 
> > Add an exclusive condition to the rule to prevent auto assignment:
> >  ipa automember-add-condition --key=fqdn --type=hostgroup 
> > --exclusive-regex=^web5\.example\.com webservers
> > 
> > Remove a condition from the rule:
> >  ipa automember-remove-condition --key=fqdn --type=hostgroup 
> > --inclusive-regex=^www[1-9+]\.example\.com webservers
>  
>  5) The same as in 3)
> >>> 
> >>> Fixed
> >>> 
>  
> > 
> > 6. Correct bug for adding duplicate conditions. Included test for it in 
> > the test suite.
> > 
>  
>  OK. Here are my additional findings:
>  
>  6) There some more example commands in doc which are not complete and
>  require some user typing:
>  
>  Display a automember rule:
>    ipa automember-show webservers
>  
>  Delete an automember rule:
>    ipa automember-del webservers
>  
>  Grouping type option is missing
> >>> 
> >>> Fixed.  Added the appropriate flags in the examples
> >>> 
>  
>  7) I get internal error when running examples from the automember doc:
>  # ipa automember-add --type=group devel
>  -
>  Added automember rule "devel"
>  -
>  Automember Rule: devel
>  # ipa automember-add-condition --key=manager --type=group 
>  --inclusive-regex=^mscott admins
>  ipa: ERROR: an internal error has occurred
> >>> 
> >>> Fixed.
> >>> 
>  
>  
>  That's all. The plugin gets better with every version, I think we may
>  soon be ready for pushing - when all of the issues are resolved.
>  
> >>>

Re: [Freeipa-devel] [PATCH] 258 Fixed hard-coded UI messages.

2011-08-31 Thread Petr Vobornik

On 08/30/2011 04:43 PM, Endi Sukma Dewata wrote:

Some hard-coded messages in ipa.js have been moved into internal.py.
The messages in internal.py have been rearranged to match the output
(ipa_init.json).

A new method IPA.get_message() has been added to take a message ID and
return the translated message or a default message if not found.

Ticket #1701



for the changes: ACK

I found one more string: "'Error: '+error_thrown.name+'';" 
entity.js:126


--
Petr Vobornik
