Re: [Freeipa-devel] [PATCH] 872 allow csr file to be provided interactively

2011-09-14 Thread Martin Kosek
On Tue, 2011-09-13 at 14:35 -0400, Rob Crittenden wrote:
> Add an escape clause to the CSR validator in the cert plugin. If the csr 
> is a file just return and let the load_files() call slurp in the 
> contents. It will still get validated.
> 
> rob

This works fine for the CSR file.

Shouldn't we fix this also for other File params? For example,
entitle-import command will be affected as well:

takes_args = (
    File('usercertificate*', validate_certificate,
        cli_name='certificate_file',
    ),
)

We can create a separate ticket for entitle-import if you want.

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH] 016 Fixed: Some widgets do not have space for validation error message

2011-09-14 Thread Petr Vobornik
Forgot to update tests - to address newly added validation row in 
table_widget.



--
Petr Vobornik
From 40382df3620607760e8a6033b93b178d149f9ed4 Mon Sep 17 00:00:00 2001
From: Petr Vobornik 
Date: Wed, 14 Sep 2011 13:01:25 +0200
Subject: [PATCH] Fixed: Some widgets do not have space for validation error
 message

https://fedorahosted.org/freeipa/ticket/1454

The following widgets should call create_error_link() to create a space to show validation error messages:

  IPA.checkbox_widget
  IPA.checkboxes_widget
  IPA.radio_widget
  IPA.select_widget
  IPA.table_widget
  IPA.attributes_widget
  IPA.rights_widget
  IPA.target_section (it's a widget)

Solution:
 * added call to checkbox, checkboxes, radio, select, table, attributes widget
 * rights_widget inherits it from checkboxes_widget.
 * target_section IS NOT a widget as it doesn't inherit from widget. It's still a section, which shows different widgets based on its state.
 * table_widget displays error_link above pagination. It looks better than under the table.
---
 install/ui/aci.js   |2 +
 install/ui/test/widget_tests.js |2 +-
 install/ui/widget.js|   43 +-
 3 files changed, 40 insertions(+), 7 deletions(-)

diff --git a/install/ui/aci.js b/install/ui/aci.js
index 5dcd69d447521ff5ed80088be1bd19bb3b851ba8..3be9953ae782320bace7bbc51e74d908b1c409d4 100644
--- a/install/ui/aci.js
+++ b/install/ui/aci.js
@@ -276,6 +276,8 @@ IPA.attributes_widget = function(spec) {
 if (that.object_type){
 that.populate (that.object_type);
 }
+
+that.create_error_link(container);
 };
 
 that.load = function(record) {
diff --git a/install/ui/test/widget_tests.js b/install/ui/test/widget_tests.js
index 9f0f6f0b59660a9c0648680ac94302ecf4d84aa5..141a0659e65ac01e781cad7f5ab5f3410fd1dc11 100644
--- a/install/ui/test/widget_tests.js
+++ b/install/ui/test/widget_tests.js
@@ -190,7 +190,7 @@ test("IPA.table_widget" ,function(){
 
 widget.load(mock_results);
 
-same ($('tr' ,widget_container).length, 4, 'four rows after load');
+same ($('tr' ,widget_container).length, 5, 'five rows after load');
 
 
 });
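Review bot: the assertion `same ($('tr' ,widget_container).length, 5, 'five rows after load')` counts every `tr` under the container, including the new error-link row and the pagination row in `tfoot`, so the test now encodes footer layout rather than the number of loaded records. Counting `tbody tr` and asserting the presence of the error row separately would keep it stable when the footer changes again.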
diff --git a/install/ui/widget.js b/install/ui/widget.js
index 58698486894ce9e72842ea1cf011a5fb75286421..e71cc22c1f660815afae0398f0bea0b8346d7a83 100644
--- a/install/ui/widget.js
+++ b/install/ui/widget.js
@@ -148,7 +148,7 @@ IPA.widget = function(spec) {
   the validation pattern.  If the field value does not pass validation,
   displays the error message and returns false. */
 that.validate = function() {
-hide_error();
+that.hide_error();
 that.valid = true;
 
 var values = that.save();
@@ -353,10 +353,10 @@ IPA.widget = function(spec) {
 error_link.css('display', 'block');
 };
 
-function hide_error() {
+that.hide_error = function() {
 var error_link = that.get_error_link();
 error_link.css('display', 'none');
-}
+};
 
 that.set_enabled = function() {
 };
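Review bot: `hide_error` becomes a public method here to match `show_error` just above it, which is consistent; both rely on `that.get_error_link()` returning something, which only holds for widgets whose `create` calls `create_error_link`. A one-line comment above `that.hide_error` stating that contract would save the next subclass author from a silent no-op.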
@@ -370,10 +370,12 @@ IPA.widget = function(spec) {
 
 // methods that should be invoked by subclasses
 that.widget_create = that.create;
+that.widget_hide_error = that.hide_error;
 that.widget_load = that.load;
 that.widget_reset = that.reset;
 that.widget_save = that.save;
 that.widget_set_dirty = that.set_dirty;
+that.widget_show_error = that.show_error;
 that.widget_test_dirty = that.test_dirty;
 
 return that;
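Review bot: `widget_hide_error` and `widget_show_error` join the "methods that should be invoked by subclasses" list, but no subclass in this patch overrides `show_error` or `hide_error`. If the aliases are there for a planned override, a short comment saying so would help; otherwise they can be dropped until needed. Keeping the list alphabetical, as done here, is good.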
@@ -783,6 +785,8 @@ IPA.checkbox_widget = function (spec) {
 if (that.undo) {
 that.create_undo(container);
 }
+
+that.create_error_link(container);
 };
 
 that.load = function(record) {
@@ -858,6 +862,8 @@ IPA.checkboxes_widget = function (spec) {
 input.change(function() {
 that.set_dirty(that.test_dirty());
 });
+
+that.create_error_link(container);
 };
 
 
@@ -928,6 +934,8 @@ IPA.radio_widget = function(spec) {
 input.change(function() {
 that.set_dirty(that.test_dirty());
 });
+
+that.create_error_link(container);
 };
 
 that.load = function(record) {
@@ -1000,6 +1008,8 @@ IPA.select_widget = function(spec) {
 that.select.change(function() {
 that.set_dirty(that.test_dirty());
 });
+
+that.create_error_link(container);
 };
 
 that.load = function(record) {
@@ -1336,10 +1346,20 @@ IPA.table_widget = function (spec) {
 
 that.tfoot = $('').appendTo(that.table);
 
+var columns_count = columns.length + (that.selectable ? 1 : 0);
+
+that.error_link_row = $('').appendTo(that.tfoot);
+
+td = $('', {
+colspan: columns_count
+}).appendTo(that.error_link_row);
+
+that.create_error_link(td);
+
 tr = $('').appendTo(that.tfoot);
 
 td = $('', {
-colspan: columns.length + (that.selectable ? 1 : 0)
+col
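Review bot: the error link goes into its own `tfoot` row (`that.error_link_row`) above the pagination row, so every table now renders two footer rows; a single row with the error link in a left-aligned cell and pagination in a right-aligned cell would avoid the double rule. Also, `columns_count` is computed once but the hunk is cut off at `col`, so it is not visible whether the pagination `td` below was switched to the same value; both cells must share the colspan or the footer misaligns when `that.selectable` is set.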

Re: [Freeipa-devel] [PATCH] 872 allow csr file to be provided interactively

2011-09-14 Thread Martin Kosek
On Wed, 2011-09-14 at 14:23 +0200, Martin Kosek wrote:
> On Tue, 2011-09-13 at 14:35 -0400, Rob Crittenden wrote:
> > Add an escape clause to the CSR validator in the cert plugin. If the csr 
> > is a file just return and let the load_files() call slurp in the 
> > contents. It will still get validated.
> > 
> > rob
> 
> This works fine for the CSR file.
> 
> Shouldn't we fix this also for other File params? For example,
> entitle-import command will be affected as well:
> 
> takes_args = (
>     File('usercertificate*', validate_certificate,
>         cli_name='certificate_file',
>     ),
> )
> 
> We can create a separate ticket for entitle-import if you want.
> 
> Martin

Oh, and one more thing - API.txt has to be updated since you added a
label to the CSR parameter.

Martin



Re: [Freeipa-devel] [PATCH] 873 update ipa-ldap-updater man page

2011-09-14 Thread Martin Kosek
On Tue, 2011-09-13 at 16:13 -0400, Rob Crittenden wrote:
> ipa-ldap-updater is really just meant to be run during upgrades, not as 
> a user utility. Add a blurb about that.
> 
> This also fixes a bit of formatting and adds a bit about the order of 
> operations.
> 
> rob

ACK. Pushed to master, ipa-2-1.

Martin



Re: [Freeipa-devel] [PATCH] 1 Add ipa-adtrust-install utility

2011-09-14 Thread Sumit Bose
On Tue, Sep 13, 2011 at 06:01:33PM +0200, Sumit Bose wrote:
> On Mon, Sep 12, 2011 at 05:24:38PM -0400, Simo Sorce wrote:
> > On Mon, 2011-09-12 at 17:53 +0200, Sumit Bose wrote:
> > [..]
> > > > 
> > > I can now run 'smbclient -k -L' on my test system with the recent samba
> > > patch.
> > 
> > Sorry a couple more nitpicks.
> > 
> > Trying to reinstall ipa-adtrust-install it returned immediately with 
> > "Aborting Installation" and no explanation whatsoever. Turned out it saw
> > there was the IPA autogenerated text in smb.conf and decided to get out.
> > 
> > - 2 issues here:
> > 1) no information (I had to check the code to see what reported that
> > error message), so we need a reason if we abort.
> > 2) In interactive mode we should ask if we want to proceed anyway I
> > think (to make it simpler to test it on an already enabled tree), but
> > can be convinced it is safer to just abort.
> 
> interactive mode now stops and asks for confirmation
> 
> > 
> > 
> > - Once I fixed that by removing smb.conf and all tdbs to be sure, it
> > failed because smb.conf was not found, we should not require to find it
> > if we are going to wipe it anyway. If it is not there we should just go
> > on and create one.
> > 
> 
> fixed
> 
> > 
> > - Then it correctly detected the samba sysaccount user existed and
> > decided not to reset the password. Not sure why, if we proceed and
> > reset the password in both ldap and secrets.tdb we are sure they are the
> > same, if we don't we just risk having no password (I wiped out
> > secrets.tdb and running ipa-adtrust-install again is the fastest way to
> > get that restored). I think you should always reset that password.
> 
> fixed
> 
> > 
> > 
> > - The installation also failed because the service entry under the
> > master entry already existed. We should probably ignore and proceed, in
> > case of existing object. Not fail.
> 
> fixed, since ldap_enable() already prints a logging.critical I added
> another one which should clarify what happens.
> 
> > 
> > 
> > Except for these points I had to set SELinux in permissive mode in order
> > to run the epmd, we need to track SELinux changes in a ticket I think.
> > 
> > I wasn't able to test smbclient -k yet due to another bug in smbd but
> > the install seem fine so far, and I was able to get a ticket for cifs/
> > w/o any issue, and auth seemed to work.
> > 
> > So if the nitpicks above get fixed it should be the last revision.
> 
> Yes, if you do not find another major issue it would be nice if you can
> open a new ticket for new features.
> 
> bye,
> Sumit

a recent commit in master made another change necessary. Additionally I
renamed smbinstance to adtrustinstance and check for more samba client
binaries which are needed by the utility. New version attached.

bye,
Sumit

> 
> > 
> > Simo.
> > 
> > -- 
> > Simo Sorce * Red Hat, Inc * New York
> > 
From b7c2a3089b74a929cf28d581fd816a60d749ecc9 Mon Sep 17 00:00:00 2001
From: Sumit Bose 
Date: Wed, 7 Sep 2011 10:17:12 +0200
Subject: [PATCH] Add ipa-adtrust-install utility

https://fedorahosted.org/freeipa/ticket/1619
---
 freeipa.spec.in|2 +
 install/po/Makefile.in |1 +
 install/share/Makefile.am  |1 +
 install/share/smb.conf.template|   28 ++
 install/tools/Makefile.am  |1 +
 install/tools/ipa-adtrust-install  |  249 +
 install/tools/man/Makefile.am  |1 +
 install/tools/man/ipa-adtrust-install.1|   47 
 ipaserver/install/Makefile.am  |1 +
 ipaserver/install/adtrustinstance.py   |  281 
 ipaserver/install/service.py   |3 +-
 .../test_ipaserver/install/test_adtrustinstance.py |   59 
 12 files changed, 673 insertions(+), 1 deletions(-)
 create mode 100644 install/share/smb.conf.template
 create mode 100755 install/tools/ipa-adtrust-install
 create mode 100644 install/tools/man/ipa-adtrust-install.1
 create mode 100644 ipaserver/install/adtrustinstance.py
 create mode 100755 tests/test_ipaserver/install/test_adtrustinstance.py

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 
0f358fb4c34c52f2d86d1089b475e725fc6a5131..50b22b0779e77136a3a2bbc55dc8e56a6c094a8f
 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -401,6 +401,7 @@ fi
 %doc COPYING README Contributors.txt
 %{_sbindir}/ipa-ca-install
 %{_sbindir}/ipa-dns-install
+%{_sbindir}/ipa-adtrust-install
 %{_sbindir}/ipa-server-install
 %{_sbindir}/ipa-replica-conncheck
 %{_sbindir}/ipa-replica-install
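Review bot: the spec changes add only the binary and the man page. Since the cover note says the utility checks for samba client binaries at run time, consider whether a `Requires:` on the samba packages (or at least a documented dependency in the man page) belongs in this file, so the run-time check is not the first thing a minimal install hits. Separately, the diffstat marks `tests/test_ipaserver/install/test_adtrustinstance.py` as mode 100755; a test module does not need the executable bit.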
@@ -482,6 +483,7 @@ fi
 %{_mandir}/man1/ipa-server-certinstall.1.gz
 %{_mandir}/man1/ipa-server-install.1.gz
 %{_mandir}/man1/ipa-dns-install.1.gz
+%{_mandir}/man1/ipa-adtrust-install.1.gz
 %{_mandir}/man1/ipa-ca-install.1.gz
 %{_mandir}/man1/ipa-compat-manage.1.gz
 %{_mandir}/man1/ipa-nis-manage.1.gz
diff --git a/install/p

Re: [Freeipa-devel] [PATCH] 872 allow csr file to be provided interactively

2011-09-14 Thread Rob Crittenden

Martin Kosek wrote:
> On Wed, 2011-09-14 at 14:23 +0200, Martin Kosek wrote:
> > On Tue, 2011-09-13 at 14:35 -0400, Rob Crittenden wrote:
> > > Add an escape clause to the CSR validator in the cert plugin. If the csr
> > > is a file just return and let the load_files() call slurp in the
> > > contents. It will still get validated.
> > > 
> > > rob
> > 
> > This works fine for the CSR file.
> > 
> > Shouldn't we fix this also for other File params? For example,
> > entitle-import command will be affected as well:
> > 
> > takes_args = (
> >     File('usercertificate*', validate_certificate,
> >         cli_name='certificate_file',
> >     ),
> > )
> > 
> > We can create a separate ticket for entitle-import if you want.
> > 
> > Martin
> 
> Oh, and one more thing - API.txt has to be updated since you added a
> label to the CSR parameter.
> 
> Martin



Updated patch with API attached. I had that fixed, dropped my changes, 
re-made them and forgot to update API again.


entitle-import doesn't have stdin_if_missing set so will only read from 
a file, there is no interactive option.


rob
From 1d00575813aaa3ff4366f11100303fa029ad8bb4 Mon Sep 17 00:00:00 2001
From: Rob Crittenden 
Date: Tue, 13 Sep 2011 14:25:16 -0400
Subject: [PATCH] Skip the cert validator if the csr we are passed in is a
 valid filename

The validator will still fire, just after the load_files() call. Basically
it will hit the validator twice. The first time it will exit because the
value of csr is a filename. The second time it will run the validator against
the contents of the file.

ticket https://fedorahosted.org/freeipa/ticket/1777
---
 API.txt|2 +-
 ipalib/plugins/cert.py |7 +++
 2 files changed, 8 insertions(+), 1 deletions(-)

diff --git a/API.txt b/API.txt
index 5f8e72d..aee0c88 100644
--- a/API.txt
+++ b/API.txt
@@ -420,7 +420,7 @@ arg: Str('serial_number', validate_serial_number, label=Gettext('Serial number',
 output: Output('result', None, None)
 command: cert_request
 args: 1,3,1
-arg: File('csr', validate_csr, cli_name='csr_file', normalizer=normalize_csr)
+arg: File('csr', validate_csr, cli_name='csr_file', label=Gettext('CSR', domain='ipa', localedir=None), normalizer=normalize_csr)
 option: Str('principal', label=Gettext('Principal', domain='ipa', localedir=None))
 option: Str('request_type', autofill=True, default=u'pkcs10')
 option: Flag('add', autofill=True, default=False)
diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py
index e32004e..aa3cf21 100644
--- a/ipalib/plugins/cert.py
+++ b/ipalib/plugins/cert.py
@@ -23,6 +23,7 @@ from ipalib import api, SkipPluginModule
 if api.env.enable_ra is not True:
 # In this case, abort loading this plugin module...
 raise SkipPluginModule(reason='env.enable_ra is not True')
+import os
 from ipalib import Command, Str, Int, Bytes, Flag, File
 from ipalib import errors
 from ipalib import pkcs10
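Review bot: `import os` lands after the `raise SkipPluginModule` guard rather than with the other standard-library imports at the top of the module. It works, because the guard only raises when the plugin is disabled, but placing it above the guard keeps the import block in one place.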
@@ -129,6 +130,11 @@ def validate_csr(ugettext, csr):
 Ensure the CSR is base64-encoded and can be decoded by our PKCS#10
 parser.
 """
+if api.env.context == 'cli':
+# If we are passed in a pointer to a valid file on the client side
+# escape and let the load_files() handle things
+if csr and os.path.exists(csr):
+return
 try:
 request = pkcs10.load_certificate_request(csr)
 except TypeError, e:
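Review bot: `os.path.exists(csr)` is also true for directories, sockets and other non-regular paths, in which case the validator returns early and the failure surfaces later from `load_files()` instead of as a validation error; `os.path.isfile(csr)` matches the intent stated in the comment. The `api.env.context == 'cli'` guard is the important part and is right: the server never skips validation on the strength of a path, and on the client the validator runs a second time over the loaded contents, so nothing unvalidated reaches `cert_request`.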
@@ -203,6 +209,7 @@ class cert_request(VirtualCommand):
 
 takes_args = (
 File('csr', validate_csr,
+label=_('CSR'),
 cli_name='csr_file',
 normalizer=normalize_csr,
 ),
-- 
1.7.6

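The two-pass behaviour the commit message describes (the validator fires on the filename, returns early, then fires again on the loaded contents), as an added example that is not part of the patch or of ipalib. `parse_csr` is a constructed stand-in for ipalib's PKCS#10 parser that only checks the PEM armor and that the body is base64 wrapping a DER SEQUENCE; `load_files` and `submit` are simplified models of the framework's File parameter handling; and the escape clause uses `os.path.isfile` rather than `os.path.exists`, so a directory is rejected as a validation error on the first pass instead of failing later in the file load. The CSR body is a constructed five-byte DER value, not a real request.

```python
import base64
import binascii
import os
import tempfile

PEM_BEGIN = "-----BEGIN CERTIFICATE REQUEST-----"
PEM_END = "-----END CERTIFICATE REQUEST-----"


def parse_csr(value):
    """Constructed stand-in for ipalib's pkcs10 parser (assumption): accept a
    PEM block whose body is valid base64 wrapping a DER SEQUENCE (tag 0x30).
    Raises ValueError on anything else."""
    lines = [l.strip() for l in value.strip().splitlines()]
    if len(lines) < 3 or lines[0] != PEM_BEGIN or lines[-1] != PEM_END:
        raise ValueError("not a PEM certificate request")
    try:
        der = base64.b64decode("".join(lines[1:-1]), validate=True)
    except binascii.Error as e:
        raise ValueError("bad base64 body: %s" % e)
    if not der or der[0] != 0x30:
        raise ValueError("body is not a DER SEQUENCE")
    return der


def validate_csr(csr, context="cli"):
    """The escape clause from the patch, with isfile instead of exists: on the
    client a value naming an existing regular file is passed through for
    load_files(); everything else (and everything on the server) is parsed."""
    if context == "cli" and csr and os.path.isfile(csr):
        return
    parse_csr(csr)


def load_files(value):
    """Simplified model of the framework's File param handling: replace a
    filename with the file's contents."""
    with open(value) as f:
        return f.read()


def submit(value, context="cli"):
    """Model of the order of operations: validator, file load, validator again.
    Returns the value that would reach cert_request."""
    validate_csr(value, context)              # pass 1: may be a filename
    if context == "cli" and os.path.isfile(value):
        value = load_files(value)
    validate_csr(value, context)              # pass 2: always the contents
    return value


def demo():
    """Exercise four cases: file path, inline PEM, directory, server side."""
    # Constructed CSR body: a tiny DER SEQUENCE, not a real PKCS#10 request.
    body = base64.b64encode(b"\x30\x03\x02\x01\x05").decode("ascii")
    pem = "%s\n%s\n%s\n" % (PEM_BEGIN, body, PEM_END)
    results = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "req.csr")
        with open(path, "w") as f:
            f.write(pem)
        results["file"] = submit(path) == pem        # filename -> contents validated
        results["inline"] = submit(pem) == pem       # inline PEM validated directly
        for label, value, ctx in (("directory", d, "cli"),
                                  ("server_path", path, "server")):
            try:
                submit(value, ctx)
                results[label] = "accepted"
            except ValueError:
                results[label] = "rejected"
    return results
```

`demo()` returns `{"file": True, "inline": True, "directory": "rejected", "server_path": "rejected"}`: the file path is read and its contents validated, inline PEM is validated as-is, a directory never reaches `load_files()`, and a path string sent in server context is treated as CSR text and rejected.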

Re: [Freeipa-devel] [PATCH] 871 add hostname regex

2011-09-14 Thread Rob Crittenden

Alexander Bokovoy wrote:
> On Tue, 13 Sep 2011, Jan Cholasta wrote:
> 
> What about IDN hosts? With this change we would require them to be
> always in Punycode?
> 
> Oh, hadn't considered that, I was just following the relevant RFCs. Is
> there a way we can easily support those as well?
> 
> The easiest way would probably be:
> 
>  normalizer=lambda value: unicode(value.encode('idna'))
> 
> That's one part. Another one is visualizing such content -- for both
> Web UI and CLI we would need to run encodings.idna.ToUnicode().
> Finally, make sure whatever we pass to external applications is
> properly formatted as well -- all of them should be able to work with
> xn-- form.


The UI also links the DNS hostname to the host entries so I'd think the 
names must be matchable in some way. If DNS can only store punycode 
names I think the regex will be fine.


rob

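Alexander's normalizer, the display-side decode and Rob's matching requirement, as an added example that is not from patch 871 or the FreeIPA code base. The LDH hostname regex is an assumption standing in for the one the patch adds (it is not shown on this page); the helpers use only Python's built-in `idna` codec. The point is that validation runs on the normalized A-label form, so Unicode and Punycode spellings of one host validate, store and compare identically.

```python
import re

# RFC 1123 letters-digits-hyphen hostname: an assumption standing in for the
# regex patch 871 adds, which is not shown on this page.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
HOSTNAME_RE = re.compile(r"^(?:%s\.)*%s$" % (_LABEL, _LABEL))


def normalize_hostname(value):
    """Alexander's normalizer: IDNA ToASCII on every label, lower-cased,
    trailing dot dropped. Unicode labels come out as xn-- A-labels, ASCII
    labels pass through unchanged."""
    try:
        ascii_form = value.strip().rstrip(".").encode("idna").decode("ascii")
    except UnicodeError as e:   # empty label, label over 63 octets, bad codepoint
        raise ValueError("cannot IDNA-encode %r: %s" % (value, e))
    return ascii_form.lower()


def validate_hostname(value):
    """Normalize first, then apply the LDH regex to the A-label form, so one
    rule serves Unicode and Punycode input. Returns the form to store."""
    ascii_form = normalize_hostname(value)
    if len(ascii_form) > 253 or not HOSTNAME_RE.match(ascii_form):
        raise ValueError("invalid hostname: %r" % value)
    return ascii_form


def display_hostname(stored):
    """The inverse for Web UI / CLI output: ToUnicode per label, which the
    idna codec performs on decode."""
    return stored.encode("ascii").decode("idna")


def same_host(a, b):
    """Rob's matching requirement: a DNS name and a host entry refer to the
    same host iff their normalized A-label forms are equal."""
    return normalize_hostname(a) == normalize_hostname(b)
```

`validate_hostname("Müller.example.com")` and `validate_hostname("xn--mller-kva.example.com.")` both return `xn--mller-kva.example.com`; `display_hostname` turns that back into `müller.example.com` for output; a leading hyphen, an empty label, an underscore or a 64-octet label is rejected.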


[Freeipa-devel] Structured DNS record API proposal

2011-09-14 Thread Martin Kosek
Attached in the txt file. If you have any comments or suggestions to
this proposal, please let me know.

https://fedorahosted.org/freeipa/ticket/1766

This is a proposal for an API for a per-DNS-type interface in FreeIPA.

There are many structured DNS RR types where DNS data is not just an IP address 
or a domain name, but an (often complex) data structure. Example of adding a 
structured DNS RR (LOC in this case):

ipa dnsrecord-add example.com @ --loc-rec "49 11 42.4 N 16 36 29.6 E 227.64m"

It may be difficult to enter such a DNS record into FreeIPA without making an 
error (which would lead to an invalid zone in this case). For this reason, I have 
created at least basic validators in my patch 120 (ticket 1106).

GOAL:
Create an API, useful for both the CLI and the WebUI, capable of creating these 
structured DNS types

CURRENT API:
ipa dnsrecord-add    Add new DNS resource record.
ipa dnsrecord-del    Delete DNS resource record.
ipa dnsrecord-find   Search for DNS resources.
ipa dnsrecord-mod    Modify a DNS resource record.
ipa dnsrecord-show   Display DNS resource.

PROPOSED API IMPROVEMENT:
Proposed API for all supported structured DNS types follows:

ipa dnsrecord-afsdb-add --subtype=INT --hostname=STR
ipa dnsrecord-cert-add --type=ENUM --tag=INT --algorithm=ENUM --certificate=STR
ipa dnsrecord-ds-add --tag=INT --algorithm=ENUM --type=ENUM --digest=STR
ipa dnsrecord-key-add --flags=LIST --protocol=INT --algorithm=ENUM --digest=STR
ipa dnsrecord-kx-add --preference=INT --exchanger=STR
ipa dnsrecord-loc-add --lat-deg=INT --lat-min=INT --lat-sec=FLOAT 
--lat-dir=ENUM --lon-deg=INT --lon-min=INT --lon-sec=FLOAT --lon-dir=ENUM 
--alt=FLOAT --h-precision=FLOAT --v-precision=FLOAT
ipa dnsrecord-mx-add --priority=INT --mailserver=STR
ipa dnsrecord-nsec-add --next=STR --types=LIST
ipa dnsrecord-naptr-add --order=INT --preference=INT --flag=ENUM --service=STR 
--regexp=STR --replacement=STR
ipa dnsrecord-sig-add --type=ENUM --algorithm=ENUM --labels=INT 
--original-ttl=INT --sig-expiration=INT --sig-inception=INT --tag=INT 
--signer=STR --signature=STR
ipa dnsrecord-srv-add --priority=INT --weight=INT --port=INT --target=STR
ipa dnsrecord-sshfp-add --algorithm=ENUM --type=ENUM --fingerprint=STR
ipa dnsrecord-rrsig-add  --type=ENUM --algorithm=ENUM --labels=INT 
--original-ttl=INT --sig-expiration=INT --sig-inception=INT --tag=INT 
--signer=STR --signature=STR

To also support modification of existing records (i.e. replacement) we can add a 
"mod" equivalent, e.g.:
ipa dnsrecord-afsdb-mod --subtype=INT --hostname=STR
ipa dnsrecord-cert-mod --type=ENUM --tag=INT --algorithm=ENUM --certificate=STR
...

I think this is what WebUI guys will want.


EXAMPLE OF OPTIONS:
The available options for particular RR types will be based on RFC research I 
have already done for my patch 120. Let's see how the API will look.

1) LOC record example noted at the beginning:

ipa dnsrecord-loc-add example.com @ --lat-deg=49 --lat-min=11 --lat-sec=42.4 
--lat-dir=N --lon-deg=16 --lon-min=36 --lon-sec=29.6 --lon-dir=E --alt=227.64

A good thing about options is that we can divide them into mandatory and optional 
ones and provide defaults. In this case, one can enter an imprecise LOC record with:

ipa dnsrecord-loc-add example.com @ --lat-deg=49 --lat-dir=N --lon-deg=16 
--lon-dir=E


2) Another example with CERT RR type:

CURRENT API:
ipa dnsrecord-add example.com foo --cert-rec="1 0 5 
MIIDfzCCAuigAwIBAgIKcYxqqAAAFzANBgkqhkiG9w0BAQUFADAVMRMwEQYDVQQDEwpVTS1BTUFMR0ExMB4XDTEwMDYwMTE3NTM1NVoXDTExMDYwMTE4MDM1NVowgY0xCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJXQTEQMA4GA1UEBxMHUmVkbW9uZDEMMAoG"

NEW API:
ipa dnsrecord-cert-add example.com foo --type=PKIX --tag=0 --algorithm=RSASHA1 
--certificate=MIIDfzCCAuigAwIBAgIKcYxqqAAAFzANBgkqhkiG9w0BAQUFADAVMRMwEQYDVQQDEwpVTS1BTUFMR0ExMB4XDTEwMDYwMTE3NTM1NVoXDTExMDYwMTE4MDM1NVowgY0xCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJXQTEQMA4GA1UEBxMHUmVkbW9uZDEMMAoG

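A worked version of the LOC case, added here and not part of the proposal or of FreeIPA. It parses the RFC 1876 presentation form used in the CURRENT API example into fields named like the proposed `--lat-deg ... --v-precision` options, fills in defaults, range-checks every field with the RFC's limits, and renders the presentation string back, which is what a `dnsrecord-loc-add` built on options would have to store. Assumptions: `size` is an RFC field the option list above does not mention and is carried here; minutes and seconds default to 0 and `alt` to 0 so the imprecise form from the text is valid; the RFC's own defaults are used for size (1m), horizontal precision (10000m) and vertical precision (10m).

```python
import re

# RFC 1876 presentation format (the form used in the CURRENT API example):
#   d1 [m1 [s1]] {"N"|"S"} d2 [m2 [s2]] {"E"|"W"} alt["m"] [siz["m"] [hp["m"] [vp["m"]]]]
_NUM = r"\d+(?:\.\d+)?"
LOC_RE = re.compile(
    r"^\s*(?P<lat_deg>\d+)(?:\s+(?P<lat_min>\d+)(?:\s+(?P<lat_sec>%s))?)?\s+(?P<lat_dir>[NS])"
    r"\s+(?P<lon_deg>\d+)(?:\s+(?P<lon_min>\d+)(?:\s+(?P<lon_sec>%s))?)?\s+(?P<lon_dir>[EW])"
    r"\s+(?P<alt>-?%s)m?"
    r"(?:\s+(?P<size>%s)m?(?:\s+(?P<hp>%s)m?(?:\s+(?P<vp>%s)m?)?)?)?\s*$"
    % ((_NUM,) * 6))

# size, h-precision and v-precision defaults are the RFC 1876 ones; zero
# minutes/seconds and alt 0 are assumptions so the "imprecise" form is valid.
DEFAULTS = {"lat-min": 0, "lat-sec": 0.0, "lon-min": 0, "lon-sec": 0.0,
            "alt": 0.0, "size": 1.0, "h-precision": 10000.0, "v-precision": 10.0}
REQUIRED = ("lat-deg", "lat-dir", "lon-deg", "lon-dir")


def _check(name, value, lo, hi):
    if not lo <= value <= hi:
        raise ValueError("%s=%r outside [%s, %s]" % (name, value, lo, hi))


def validate_loc(fields):
    """Fill defaults and range-check every field (limits from RFC 1876)."""
    f = dict(DEFAULTS)
    f.update(fields)
    for name in REQUIRED:
        if name not in f:
            raise ValueError("missing required option %s" % name)
    if f["lat-dir"] not in ("N", "S") or f["lon-dir"] not in ("E", "W"):
        raise ValueError("direction must be N/S and E/W")
    _check("lat-deg", f["lat-deg"], 0, 90)
    _check("lon-deg", f["lon-deg"], 0, 180)
    for name in ("lat-min", "lon-min"):
        _check(name, f[name], 0, 59)
    for name in ("lat-sec", "lon-sec"):
        _check(name, f[name], 0, 59.999)
    _check("alt", f["alt"], -100000.00, 42849672.95)
    for name in ("size", "h-precision", "v-precision"):
        _check(name, f[name], 0, 90000000.00)
    return f


def parse_loc(text):
    """Presentation string -> dict keyed like the proposed CLI options."""
    m = LOC_RE.match(text)
    if not m:
        raise ValueError("not a LOC record: %r" % text)
    g = m.groupdict()
    fields = {"lat-deg": int(g["lat_deg"]), "lat-dir": g["lat_dir"],
              "lon-deg": int(g["lon_deg"]), "lon-dir": g["lon_dir"],
              "alt": float(g["alt"])}
    for group, name, conv in (("lat_min", "lat-min", int), ("lat_sec", "lat-sec", float),
                              ("lon_min", "lon-min", int), ("lon_sec", "lon-sec", float),
                              ("size", "size", float), ("hp", "h-precision", float),
                              ("vp", "v-precision", float)):
        if g[group] is not None:
            fields[name] = conv(g[group])
    return validate_loc(fields)


def _fmt(x):
    """Trim trailing zeros: 42.400 -> 42.4, 1.000 -> 1."""
    return ("%.3f" % x).rstrip("0").rstrip(".")


def format_loc(fields):
    """dict -> presentation string, always with all four trailing metre values."""
    f = validate_loc(fields)
    return "%d %d %s %s %d %d %s %s %sm %sm %sm %sm" % (
        f["lat-deg"], f["lat-min"], _fmt(f["lat-sec"]), f["lat-dir"],
        f["lon-deg"], f["lon-min"], _fmt(f["lon-sec"]), f["lon-dir"],
        _fmt(f["alt"]), _fmt(f["size"]), _fmt(f["h-precision"]), _fmt(f["v-precision"]))


def dnsrecord_loc_add(**options):
    """Model of `ipa dnsrecord-loc-add ... --lat-deg=49 --lat-dir=N ...`: keyword
    names mirror the options with '_' for '-', and the return value is the
    record text that would be stored for the zone."""
    return format_loc({k.replace("_", "-"): v for k, v in options.items()})
```

`parse_loc("49 11 42.4 N 16 36 29.6 E 227.64m")` yields the option dictionary and `format_loc` renders it as `49 11 42.4 N 16 36 29.6 E 227.64m 1m 10000m 10m`; the imprecise call `dnsrecord_loc_add(lat_deg=49, lat_dir="N", lon_deg=16, lon_dir="E")` renders as `49 0 0 N 16 0 0 E 0m 1m 10000m 10m`; a latitude of 91 degrees is refused before anything is written.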

Re: [Freeipa-devel] [PATCH] 872 allow csr file to be provided interactively

2011-09-14 Thread Martin Kosek
On Wed, 2011-09-14 at 11:29 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > On Wed, 2011-09-14 at 14:23 +0200, Martin Kosek wrote:
> >> On Tue, 2011-09-13 at 14:35 -0400, Rob Crittenden wrote:
> >>> Add an escape clause to the CSR validator in the cert plugin. If the csr
> >>> is a file just return and let the load_files() call slurp in the
> >>> contents. It will still get validated.
> >>>
> >>> rob
> >>
> >> This works fine for the CSR file.
> >>
> >> Shouldn't we fix this also for other File params? For example,
> >> entitle-import command will be affected as well:
> >>
> >>  takes_args = (
> >>      File('usercertificate*', validate_certificate,
> >>          cli_name='certificate_file',
> >>      ),
> >>  )
> >>
> >> We can create a separate ticket for entitle-import if you want.
> >>
> >> Martin
> >
> > Oh, and one more thing - API.txt has to be updated since you added a
> > label to the CSR parameter.
> >
> > Martin
> >
> 
> Updated patch with API attached. I had that fixed, dropped my changes, 
> re-made them and forgot to update API again.
> 
> entitle-import doesn't have stdin_if_missing set so will only read from 
> a file, there is no interactive option.
> 
> rob

ACK. Pushed to master, ipa-2-1.

Martin



[Freeipa-devel] [PATCH] 874 suppress managed netgroups as indirect members of hosts

2011-09-14 Thread Rob Crittenden
Suppress managed netgroups as indirect members of hosts. This enhances a 
previous patch that I did for hostgroups.


rob
From 5ab1b8b8f82e419c4b6c80e01e6a0805ab62bffe Mon Sep 17 00:00:00 2001
From: Rob Crittenden 
Date: Wed, 14 Sep 2011 16:33:33 -0400
Subject: [PATCH] Suppress managed netgroups as indirect members of hosts.

By design these managed netgroups are not supposed to show unless you
specifically want to see them.

https://fedorahosted.org/freeipa/ticket/1738
---
 ipalib/plugins/host.py|   34 ++
 tests/test_xmlrpc/test_nesting.py |2 +-
 2 files changed, 35 insertions(+), 1 deletions(-)

diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py
index 4230c44..52907ee 100644
--- a/ipalib/plugins/host.py
+++ b/ipalib/plugins/host.py
@@ -339,6 +339,23 @@ class host(LDAPObject):
 
 return managed_hosts
 
+def suppress_netgroup_memberof(self, entry_attrs):
+"""
+We don't want to show managed netgroups so remove them from the
+memberofindirect list.
+"""
+ng_container = DN(api.env.container_netgroup, api.env.basedn)
+if 'memberofindirect' in entry_attrs:
+for member in entry_attrs['memberofindirect']:
+memberdn = DN(member)
+if memberdn.endswith(ng_container):
+try:
+netgroup = api.Command['netgroup_show'](memberdn['cn'], all=True)['result']
+if self.has_objectclass(netgroup['objectclass'], 'mepmanagedentry'):
+entry_attrs['memberofindirect'].remove(member)
+except errors.NotFound:
+pass
+
 api.register(host)
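Review bot: in `suppress_netgroup_memberof`, `entry_attrs['memberofindirect'].remove(member)` mutates the list that `for member in entry_attrs['memberofindirect']:` is iterating, so the element following each removed entry is skipped; two managed netgroups adjacent in the list would leave the second one visible. Iterate over a copy (`for member in list(entry_attrs['memberofindirect']):`) or build a filtered list and assign it back. Also note each candidate costs a `netgroup_show` round trip; `errors.NotFound` is handled, but a comment stating that a missing or unreadable netgroup is deliberately left in the list would help.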
 
 
@@ -681,6 +698,8 @@ class host_mod(LDAPUpdate):
 if options.get('all', False):
 entry_attrs['managing'] = self.obj.get_managed_hosts(dn)
 
+self.obj.suppress_netgroup_memberof(entry_attrs)
+
 return dn
 
 api.register(host_mod)
@@ -706,6 +725,7 @@ class host_find(LDAPSearch):
 (dn, entry_attrs) = entry
 set_certificate_attrs(entry_attrs)
 self.obj.get_password_attributes(ldap, dn, entry_attrs)
+self.obj.suppress_netgroup_memberof(entry_attrs)
 if entry_attrs['has_password']:
 # If an OTP is set there is no keytab, at least not one
 # fetched anywhere.
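Review bot: in `host_find` the suppression now runs once per result entry, and each call issues up to one `netgroup_show` per indirect netgroup membership, so a wide search turns into many extra LDAP round trips. A single search for entries with objectclass `mepmanagedentry` under the netgroup container before the loop, cached for the request, would keep this at one LDAP call regardless of result size.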
@@ -741,6 +761,8 @@ class host_show(LDAPRetrieve):
 if options.get('all', False):
 entry_attrs['managing'] = self.obj.get_managed_hosts(dn)
 
+self.obj.suppress_netgroup_memberof(entry_attrs)
+
 return dn
 
 def forward(self, *keys, **options):
@@ -843,6 +865,10 @@ class host_disable(LDAPQuery):
 value=keys[0],
 )
 
+def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
+self.obj.suppress_netgroup_memberof(entry_attrs)
+return dn
+
 api.register(host_disable)
 
 class host_add_managedby(LDAPAddMember):
@@ -852,6 +878,10 @@ class host_add_managedby(LDAPAddMember):
 has_output_params = LDAPAddMember.has_output_params + host_output_params
 allow_same = True
 
+def post_callback(self, ldap, completed, failed, dn, entry_attrs, *keys, **options):
+self.obj.suppress_netgroup_memberof(entry_attrs)
+return (completed, dn)
+
 api.register(host_add_managedby)
 
 
@@ -861,4 +891,8 @@ class host_remove_managedby(LDAPRemoveMember):
 member_attributes = ['managedby']
 has_output_params = LDAPRemoveMember.has_output_params + host_output_params
 
+def post_callback(self, ldap, completed, failed, dn, entry_attrs, *keys, **options):
+self.obj.suppress_netgroup_memberof(entry_attrs)
+return (completed, dn)
+
 api.register(host_remove_managedby)
diff --git a/tests/test_xmlrpc/test_nesting.py b/tests/test_xmlrpc/test_nesting.py
index cb2d1d0..a855960 100644
--- a/tests/test_xmlrpc/test_nesting.py
+++ b/tests/test_xmlrpc/test_nesting.py
@@ -815,7 +815,7 @@ class test_nesting(Declarative):
 managedby_host=[fqdn1],
 memberof_hostgroup = [u'testhostgroup2'],
 memberofindirect_hostgroup = [u'testhostgroup1'],
-memberofindirect_netgroup = [u'testhostgroup1', u'testhostgroup2'],
+memberofindirect_netgroup = [u'testhostgroup2'],
 ),
 ),
 ),
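Review bot: the expected `memberofindirect_netgroup` changes from `[u'testhostgroup1', u'testhostgroup2']` to `[u'testhostgroup2']` with no comment explaining why one netgroup is suppressed and the other is not. Since the rule keys on the `mepmanagedentry` objectclass rather than on the name, a one-line comment in the test (or an explicit assertion on the objectclass of each netgroup) would keep the expectation understandable.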
-- 
1.7.6


Re: [Freeipa-devel] Upgrading a machine to use the proxy.

2011-09-14 Thread Rob Crittenden

Adam Young wrote:
> To convert an older build where the PKI system wasn't proxied:
> 
> awk '{print $0} /Define an AJP 1.3 Connector on port/ {print "<Connector port=\"9447\" protocol=\"AJP/1.3\" redirectPort=\"9444\" />" }'
> /etc/pki-ca/server.xml > server.xml.new ; mv server.xml.new
> /etc/pki-ca/server.xml
> 
> sed -e "s/\[PKI_MACHINE_NAME\]/$HOSTNAME/g" -e
> "s/\[PKI_AJP_PORT\]/9444/g" /usr/share/pki/ca/conf/proxy.conf >
> /etc/pki-ca/proxy.conf
> 
> I've used the default ports here. Adjust if you've altered yours.
> 
> IPA copies the proxy.conf file into /etc/httpd/conf.d and renames it.
> You can do the same thing by hand.
> 
> I'm not sure if this should go into PKI or IPA.


Since these are dogtag configuration files I think dogtag needs to 
handle updating them.


rob

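An idempotent version of Adam's two steps, added here and not dogtag's or IPA's own code. The marker comment, the 9447/9444 ports and the `[PKI_MACHINE_NAME]`/`[PKI_AJP_PORT]` placeholders are taken from the message above; the server.xml and proxy.conf fragments are constructed samples, not the real files. Re-running the awk command appends another Connector each time; the function below inserts it only when no AJP connector is present, and the template renderer refuses to produce a proxy.conf that still carries an unreplaced placeholder, since httpd would otherwise load it as written.

```python
import re

# Values from Adam's message; the ports are the defaults he used.
AJP_MARKER = "Define an AJP 1.3 Connector on port"
AJP_CONNECTOR = '<Connector port="9447" protocol="AJP/1.3" redirectPort="9444" />'
_AJP_PRESENT = re.compile(r'<Connector\b[^>]*protocol="AJP/1\.3"')
_PLACEHOLDER = re.compile(r"\[PKI_[A-Z_]+\]")


def add_ajp_connector(server_xml, connector=AJP_CONNECTOR):
    """Return (new_text, inserted). Adam's awk appends a Connector after the
    marker comment every time it runs; this inserts it once and is a no-op
    when an AJP connector is already configured."""
    if _AJP_PRESENT.search(server_xml):
        return server_xml, False
    out, inserted = [], False
    for line in server_xml.splitlines(keepends=True):
        out.append(line)
        if not inserted and AJP_MARKER in line:
            indent = line[:len(line) - len(line.lstrip())]
            out.append(indent + connector + "\n")
            inserted = True
    if not inserted:
        raise ValueError("marker comment %r not found in server.xml" % AJP_MARKER)
    return "".join(out), True


def render_proxy_conf(template, hostname, ajp_port):
    """Adam's sed step, plus a check that no [PKI_*] placeholder survives."""
    rendered = (template.replace("[PKI_MACHINE_NAME]", hostname)
                        .replace("[PKI_AJP_PORT]", str(ajp_port)))
    left = sorted(set(_PLACEHOLDER.findall(rendered)))
    if left:
        raise ValueError("unreplaced placeholders: %s" % ", ".join(left))
    return rendered


# Constructed samples, not the real dogtag files.
SAMPLE_SERVER_XML = """<Server port="9701" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- Define an AJP 1.3 Connector on port 8009 -->
  </Service>
</Server>
"""
SAMPLE_PROXY_TEMPLATE = "ProxyPass /ca ajp://[PKI_MACHINE_NAME]:[PKI_AJP_PORT]/ca\n"
```

`add_ajp_connector(SAMPLE_SERVER_XML)` inserts the Connector directly under the marker comment and reports `True`; calling it again on the result reports `False` and returns the text unchanged. `render_proxy_conf(SAMPLE_PROXY_TEMPLATE, "ipa.example.com", 9444)` gives `ProxyPass /ca ajp://ipa.example.com:9444/ca`, and a template with a placeholder the renderer does not know raises instead of writing it through.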


Re: [Freeipa-devel] Upgrading a machine to use the proxy.

2011-09-14 Thread Dmitri Pal
On 09/14/2011 04:46 PM, Rob Crittenden wrote:
> Adam Young wrote:
>> To convert an older build where the PKI system wasn't proxied:
>>
>>
>> awk '{print $0} /Define an AJP 1.3 Connector on port/ {print "<Connector port=\"9447\" protocol=\"AJP/1.3\" redirectPort=\"9444\" />" }'
>> /etc/pki-ca/server.xml > server.xml.new ; mv server.xml.new
>> /etc/pki-ca/server.xml
>>
>> sed -e "s/\[PKI_MACHINE_NAME\]/$HOSTNAME/g" -e
>> "s/\[PKI_AJP_PORT\]/9444/g" /usr/share/pki/ca/conf/proxy.conf >
>> /etc/pki-ca/proxy.conf
>>
>>
>> I've used the default ports here. Adjust if you've altered yours.
>>
>>
>> IPA copies the proxy.conf file into /etc/httpd/conf.d and renames it.
>> You can do the same thing by hand.
>>
>>
>> I'm not sure if this should go into PKI or IPA.
>
> Since these are dogtag configuration files I think dogtag needs to
> handle updating them.
>
Agree.

> rob
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/





Re: [Freeipa-devel] [PATCH] 1 Add ipa-adtrust-install utility

2011-09-14 Thread Simo Sorce
On Wed, 2011-09-14 at 14:50 +0200, Sumit Bose wrote:
> a recent commit in master made another change necesary. Additionally I
> renamed smbinstance to adtrustinstance and check for more samba client
> binaries which are needed by the utility. New version attached.

Tested and works great!

ACK, Pushed to master.

Simo.
> 
-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-devel] [PATCH] 016 Fixed: Some widgets do not have space for validation error message

2011-09-14 Thread Endi Sukma Dewata

On 9/14/2011 7:23 AM, Petr Vobornik wrote:
> Forgot to update tests - to address newly added validation row in
> table_widget.


One issue, in all search and association facets we now have 2 rows of 
footer (there are 2 horizontal lines at the bottom). I think it would be 
better to use a single row for both summary/error messages and 
pagination. The messages will be left aligned, the pagination will be 
right aligned.


--
Endi S. Dewata



[Freeipa-devel] [PATCH] 269 Fixed problem opening host adder dialog.

2011-09-14 Thread Endi Sukma Dewata

The hidden fqdn field in the host adder dialog has been changed to
use a generic widget instead of text widget to avoid null pointer
error since the UI elements are never created.

Ticket #1788

Pushed to master and ipa-2-1 under one-liner/trivial rule.

--
Endi S. Dewata
From 5e7a5bdfa92cd63f96aa1484ba24d7dfc5646664 Mon Sep 17 00:00:00 2001
From: Endi S. Dewata 
Date: Wed, 14 Sep 2011 18:03:02 -0500
Subject: [PATCH] Fixed problem opening host adder dialog.

The hidden fqdn field in the host adder dialog has been changed to
use a generic widget instead of text widget to avoid null pointer
error since the UI elements are never created.

Ticket #1788
---
 install/ui/host.js |1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/install/ui/host.js b/install/ui/host.js
index 7eb2e98e5235cf73b67ecc2598d794cb23f7ac72..1b11251709f87196829002e323ad408ca5184b21 100644
--- a/install/ui/host.js
+++ b/install/ui/host.js
@@ -121,6 +121,7 @@ IPA.entity_factories.host = function () {
 height: 250,
 fields: [
 {
+factory: IPA.widget,
 name: 'fqdn',
 optional: true,
 hidden: true
-- 
1.7.5.1


[Freeipa-devel] [PATCH] 270 Fixed posix group checkbox.

2011-09-14 Thread Endi Sukma Dewata

In the adder dialog for groups the checkbox has been modified to use
the correct field name "nonposix" and be checked by default.

Note: This is a temporary fix to minimize the changes due to release
schedule. Eventually the field label will be changed into "Non-POSIX
group" and the checkbox will be unchecked by default, which is more
consistent with CLI.

Ticket #1799

--
Endi S. Dewata
From 1dac389949b79ee83a58051c069138affa8c9894 Mon Sep 17 00:00:00 2001
From: Endi S. Dewata 
Date: Wed, 14 Sep 2011 12:36:58 -0500
Subject: [PATCH] Fixed posix group checkbox.

In the adder dialog for groups the checkbox has been modified to use
the correct field name "nonposix" and be checked by default.

Note: This is a temporary fix to minimize the changes due to release
schedule. Eventually the field label will be changed into "Non-POSIX
group" and the checkbox will be unchecked by default, which is more
consistent with CLI.

Ticket #1799
---
 install/ui/group.js  |   21 ++---
 install/ui/widget.js |   24 +++-
 2 files changed, 33 insertions(+), 12 deletions(-)

diff --git a/install/ui/group.js b/install/ui/group.js
index 410a295d4ac98da161cee9455b910660ec608469..f8d42ea37fdbb3420008b332ca1a1717b3d36170 100644
--- a/install/ui/group.js
+++ b/install/ui/group.js
@@ -92,13 +92,28 @@ IPA.entity_factories.group =  function () {
 'cn',
 'description',
 {
-factory:IPA.checkbox_widget,
-name: 'posix',
+factory: IPA.nonposix_checkbox_widget,
+name: 'nonposix',
 label: IPA.messages.objects.group.posix,
 undo: false,
-checked: 'checked'
+checked: true
 },
 'gidnumber']
 }).
 build();
 };
+
+IPA.nonposix_checkbox_widget = function (spec) {
+
+spec = spec || {};
+
+var that = IPA.checkbox_widget(spec);
+
+that.save = function() {
+var value = that.checkbox_save()[0];
+// convert posix into non-posix
+return [!value];
+};
+
+return that;
+};
\ No newline at end of file
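Review bot: the inversion in `that.save` (`return [!value];`) is the whole point of `IPA.nonposix_checkbox_widget`, and `// convert posix into non-posix` is not enough to explain it: state in the comment that the checkbox still carries the `posix` label while the submitted field is `nonposix`, which is why `checked: true` produces `nonposix=false`. `that.checkbox_save()[0]` also assumes the base `save` returns a non-empty array; a short guard or comment would make that dependency visible. Finally, the file now ends without a trailing newline (`\ No newline at end of file`); please add one.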
diff --git a/install/ui/widget.js b/install/ui/widget.js
index 58698486894ce9e72842ea1cf011a5fb75286421..d4a46bd37a9ccfac48469c312d81081105816b4f 100644
--- a/install/ui/widget.js
+++ b/install/ui/widget.js
@@ -760,9 +760,10 @@ IPA.multivalued_text_widget = function(spec) {
 IPA.checkbox_widget = function (spec) {
 
 spec = spec || {};
+
 var that = IPA.widget(spec);
 
-that.checked = spec.checked || '';
+that.checked = spec.checked;
 
 that.create = function(container) {
 
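Review bot: `that.checked = spec.checked;` changes the default from `''` to `undefined`. `update()` later papers over that with `that.checked || false`, but `create()` passes the raw value straight into the `$('<input>', {...})` options. Normalise once at construction, `that.checked = spec.checked || false;`, so both paths see a boolean and the widget does not depend on how jQuery treats an undefined `checked` option.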
@@ -773,7 +774,7 @@ IPA.checkbox_widget = function (spec) {
 that.input = $('', {
 type: 'checkbox',
 name: that.name,
-checked : that.checked,
+checked: that.checked,
 title: that.tooltip,
 change: function() {
 that.set_dirty(that.test_dirty());
@@ -796,17 +797,22 @@ IPA.checkbox_widget = function (spec) {
 };
 
 that.update = function() {
-var value = that.values && that.values.length ? that.values[0] : false;
-if (value ==="FALSE"){
-value = false;
-}
-if (value ==="TRUE"){
-value = true;
+var checked = that.checked || false;
+if (that.values && that.values.length) {
+var value = that.values[0];
+if (value === "FALSE") {
+checked = false;
+}
+if (value === "TRUE") {
+checked = true;
+}
 }
 
-that.input.attr('checked', value);
+that.input.attr('checked', checked);
 };
 
+that.checkbox_save = that.save;
+
 return that;
 };
 
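Review bot: the rewritten `update()` drops a case the old code handled. Previously `that.values[0]` was handed to `attr('checked', ...)` as-is, so a boolean `true`/`false` coming from the server took effect; now only the strings `"TRUE"` and `"FALSE"` are recognised and any other value silently falls back to `that.checked`. Add `else if (typeof value === 'boolean') { checked = value; }` (or normalise with `String(value).toUpperCase()`) so both representations behave the same. `that.checkbox_save = that.save;` also deserves a comment that it keeps the base `save` reachable for subclasses that override `save`. And if the bundled jQuery is 1.6 or newer, `that.input.prop('checked', checked)` is the documented call for the live checked state rather than `attr()`.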
-- 
1.7.5.1


Re: [Freeipa-devel] [PATCH] 25 Create Tool for Enabling Disabling Managed Entry

2011-09-14 Thread JR Aquino

On Jul 22, 2011, at 7:05 AM, Martin Kosek wrote:

> On Thu, 2011-07-21 at 23:52 +, JR Aquino wrote:
>> On Apr 25, 2011, at 9:00 AM, Simo Sorce wrote:
>> 
>>> On Mon, 2011-04-25 at 14:59 +, JR Aquino wrote:
>>>> On Apr 25, 2011, at 6:43 AM, Simo Sorce wrote:
>>>> 
>>>>> On Thu, 2011-04-21 at 23:28 +, JR Aquino wrote:
>>>>>> Hmmm
>>>>>> Both Private Groups and the Hostgroup -> Netgroup Managed Entries
>>>>>> create objects in the container:
>>>>>> cn=Managed Entries,cn=plugins,cn=config
>>>>>> 
>>>>>> Each Ldif contains 2 ldap objects. One that lives in the main $SUFFIX,
>>>>>> and one in the cn=config
>>>>>> 
>>>>>> How will these be treated by replication and the multi masters?
>>>>> 
>>>>> Only the common objects in the public suffix are replicated.
>>>>> I think at some point we discussed that we should use a filter in the
>>>>> private config entry made so that we could enable/disable the plugin by
>>>>> simply making the filter result true/false.
>>>>> Thus not ever touch the entries in cn=config but simply
>>>>> "enable"/"disable" the functionality by (not)adding the appropriate
>>>>> attributes to objects so that filters would (not) match.
>>>>> 
>>>>> Simo.
>>>> 
>>>> This tool works by toggling the originfilter: objectclass=disabled in 
>>>> order to turn off the plugin.
>>> 
>>> But this is backwards, because originfilter is defined in the
>>> configuration entry stored in cn=config
>>> 
>>> Meaning as soon as you change it one server will behave differently from
>>> the others until you go and change it on each and every server.
>> 
>> Finally able to revisit this Patch / Ticket:
>> (To be used in conjunction with Patch 38)
>> 
>> 25 Create Tool for Enabling/Disabling Managed Entry
>> Plugins https://fedorahosted.org/freeipa/ticket/1181
>> 
>> Remove legacy ipa-host-net-manage
>> Add ipa-managed-entries tool
>> Add man page for ipa-managed-entries tool
>> 
> 
> I have found a few issues with the patch:
> 
> 1) I don't think it's necessary to change BuildRequires to
> 389-ds-base-devel >= 1.2.8

This is no longer necessary and has been removed.

> 
> 2) Invalid comment in get_dirman_password() function. There is no
> verification of the password. It just prompts it

This has been corrected

> 
> 3) ipa-managed entries man pages: copy & paste error:
> +Directory Server will need to be restarted after the schema
> compatibility plugin has been enabled.

Copy / Paste Typo corrected
> 
> 4) Invalid help of the program:
> # ipa-managed-entries --help
> Usage: ipa-managed-entries [options] 
>   ipa-managed-entries [options]
> 
> - status action is missing
> - running the program without an action is not allowed, i.e. should not be
> offered

Corrected help entries

> 
> 5) I was thinking if there is a better solution to enabling/disabling of
> the plugin. Like setting something like a "managedEntryEnabled" attribute
> to on/off as we do with compat plugin. Current concept with disabling
> the definition by damaging the originFilter and then restoring it from
> an LDIF seems a bit awkward to me.

This has been completely changed:
Instead of looking at LDIF files, an LDAP lookup is now performed to
dynamically list the available managed entries.
> 
> 6) ipa-managed-entries crashes when managed entry is a wrong file:
> 
> # ipa-managed-entries status -f /usr/share/ipa/managed-entries.ldif 
> Directory Manager password: 
> 
> Traceback (most recent call last):
>  File "/usr/sbin/ipa-managed-entries", line 245, in 
>sys.exit(main())
>  File "/usr/sbin/ipa-managed-entries", line 141, in main
>originFilter = entry_attr['originFilter'][0]
> KeyError: 'originFilter'

This is no longer an issue now that it is no longer using the ldif files.

> 7) What if there are more managed entries in the LDIF? This concept
> would not work correctly then. A behavior I would expect:
> a) User (optionally) passes a directory with managed entries LDIFs
> b) ipa-managed-entries analyzes all LDIFs and prints available Managed
> Entry definitions
> c) I would choose the one I want to enable/disable via
> ipa-managed-entries option

Also no longer an issue.

> Martin
> 

Corrected Patch Attached:


Attachment: freeipa-jraquino-0025-Create-Tool-for-Enabling-Disabling-Managed-Entries.patch
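The enable/disable mechanism discussed in this thread (swapping a definition's originFilter for objectclass=disabled, and the KeyError when a definition has no originFilter at all), as an added example that is not part of the original post and not the ipa-managed-entries tool itself: a small Python script that reads an LDIF dump of cn=config, lists the Managed Entries definitions, reports their status, and builds the modify list that would disable one. The LDIF below is constructed for the example with hypothetical DNs and definition names; the attribute names (originScope, originFilter, managedTemplate) are those of the 389-ds Managed Entries plugin, and MOD_REPLACE is inlined from python-ldap's value so nothing has to be installed.

```python
import base64
from typing import Dict, List, Optional, Tuple

# Container for Managed Entries plugin definitions in 389-ds (as named in the thread).
CONFIG_BASE = "cn=managed entries,cn=plugins,cn=config"
# The filter JR describes swapping in to switch a definition off.
DISABLED_FILTER = "objectclass=disabled"
# python-ldap's ldap.MOD_REPLACE value, inlined so the example has no dependency.
MOD_REPLACE = 2

# Constructed sample (hypothetical DNs and names; not FreeIPA's shipped LDIF).
# The third definition deliberately lacks originFilter to mirror the KeyError
# Martin reported.
SAMPLE_LDIF = """\
dn: cn=UPG Definition,cn=Managed Entries,cn=plugins,cn=config
cn: UPG Definition
originScope: cn=users,cn=accounts,dc=example,dc=com
originFilter: objectclass=posixAccount
managedTemplate: cn=UPG Template,cn=etc,dc=example,dc=com

dn: cn=NGP Definition,cn=Managed Entries,cn=plugins,cn=config
cn: NGP Definition
originScope: cn=hostgroups,cn=accounts,dc=example,dc=com
originFilter: objectclass=disabled
managedTemplate: cn=NGP Template,cn=etc,dc=example,dc=com

dn: cn=Broken Definition,cn=Managed Entries,cn=plugins,cn=config
cn: Broken Definition
originScope: cn=computers,cn=accounts,dc=example,dc=com
"""

Entry = Dict[str, List[str]]


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: unfolds continuation lines, decodes '::' base64
    values, splits entries on blank lines. Attribute names are lower-cased
    because LDAP treats them case-insensitively."""
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:   # folded line continues the previous one
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries: List[Entry] = []
    current: Entry = {}
    for line in unfolded + [""]:               # trailing "" flushes the last entry
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):              # "attr:: base64value"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    return entries


def managed_entry_definitions(entries: List[Entry]) -> List[Entry]:
    """Entries under CONFIG_BASE that carry the plugin's definition attributes
    (originScope/managedTemplate); the container entry itself is skipped."""
    return [
        e for e in entries
        if e.get("dn", [""])[0].lower().endswith("," + CONFIG_BASE)
        and ("originscope" in e or "managedtemplate" in e)
    ]


def definition_status(entry: Entry) -> str:
    """'enabled', 'disabled', or 'invalid' when originFilter is absent.
    Using .get() instead of indexing is what avoids the traceback in the thread."""
    values = entry.get("originfilter")
    if not values:
        return "invalid"
    flt = values[0].strip().lower()
    if flt.startswith("(") and flt.endswith(")"):   # accept both spellings
        flt = flt[1:-1]
    return "disabled" if flt == DISABLED_FILTER else "enabled"


def status_report(text: str) -> Dict[str, str]:
    """Definition name -> status for every definition found in an LDIF dump."""
    return {e["cn"][0]: definition_status(e)
            for e in managed_entry_definitions(parse_ldif(text))}


def disable_modlist(entry: Entry) -> Optional[List[Tuple[int, str, List[str]]]]:
    """python-ldap style modlist that switches a definition off the way the
    thread describes; None when there is nothing to do (already disabled or
    invalid). The original filter is discarded, so re-enabling needs it from
    another source."""
    if definition_status(entry) != "enabled":
        return None
    return [(MOD_REPLACE, "originFilter", [DISABLED_FILTER])]


if __name__ == "__main__":
    for name, status in status_report(SAMPLE_LDIF).items():
        print(f"{name}: {status}")
```

Run as-is it prints one status line per definition. Two caveats follow directly from the discussion above: cn=config is not replicated, so a modify list built by disable_modlist() has to be applied on every master separately; and because disabling overwrites the original originFilter, turning a definition back on requires the original value from somewhere else, which is the awkwardness Martin raises in item 5.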