Re: [Freeipa-devel] [PATCH] 202 Add reverse DNS record when forward is created
On Mon, 2012-01-30 at 11:52 -0500, Rob Crittenden wrote:

Martin Kosek wrote:

Adding reverse DNS record may be a time consuming task, especially for IPv6 addresses. Having a way to automatically create a reverse record when a forward record is created could speed up the process. host-add command already has this possibility.

This patch takes advantage of the new per-type API and adds new options for A/ record types: --a-create-reverse and ---create-reverse. These commands can be used to automatically create reverse records for new A/ addresses (both forward and reverse zones need to be managed by FreeIPA server):

  ipa dnsrecord-add example.com foo --a-rec=10.0.0.1 --a-create-reverse

This command would add a new A record to record foo in zone example.com and a PTR record to appropriate reverse zone for IP address 10.0.0.1 (for example PTR record 1 in zone 0.0.10.in-addr.arpa. pointing to foo.example.com.).

A few modifications were done to new DNS API to support this feature:
- Refactor --ip-address option handling from host-add and place it to dns.py to be used by both modules
- Add support for extra per-type options
- Hide DNS record part options in dnsrecord_find command as they have no effect for this command

https://fedorahosted.org/freeipa/ticket/2009

Can the options -a-create-reverse and --create-reverse be combined?

I was able to create an IPv4 addr using --create-reverse:

  # ipa dnsrecord-add example.com baz --a-rec=192.168.166.115 ---create-reverse
  Record name: baz
  A record: 192.168.166.115

Otherwise the patch seems fine.

These 2 options can be combined, you can add both A and forward records and create records in their reverse records at the same time:

  ipa dnsrecord-add example.com bar --a-rec=10.0.0.1 --a-create-reverse ---rec=2001::beef:1 ---create-reverse

In your case the option ---create-reverse is ignored as there is no rec added. Thus no record callback which would create this reverse record is called.
We may implement some checks which would throw a validation error when --a-create-reverse/---create-reverse is called without a respective A/ record. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
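The reverse-record planning discussed in this thread, as an added example that is not FreeIPA's own code: it maps an address to the managed reverse zone and PTR owner name (10.0.0.1 becomes record 1 in 0.0.10.in-addr.arpa.), refuses addresses no managed reverse zone covers, and implements the validation Martin proposes, raising an error when a create-reverse flag is given without a record of that type. The managed zone list and the option dictionary (with the IPv6 type assumed to be named aaaa) are constructed for the example.

```python
import ipaddress

# Constructed sample: reverse zones this IPA server is assumed to manage
# (the thread requires both forward and reverse zones to be IPA-managed).
MANAGED_REVERSE_ZONES = [
    "0.0.10.in-addr.arpa.",
    "166.168.192.in-addr.arpa.",
    "0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.2.ip6.arpa.",   # 2001::/64
]


def _fqdn(name):
    """Give the name a trailing dot so it compares as an absolute DNS name."""
    return name if name.endswith(".") else name + "."


def plan_reverse_record(address, fqdn, managed_zones):
    """Return (reverse zone, PTR owner name, PTR target) for one address.

    The zone is the longest managed reverse zone that is a suffix of the
    address's reverse-pointer name. If no managed zone covers the address,
    the reverse record cannot be created here and LookupError is raised."""
    ip = ipaddress.ip_address(address)
    rev = _fqdn(ip.reverse_pointer)          # 10.0.0.1 -> 1.0.0.10.in-addr.arpa.
    best = None
    for zone in managed_zones:
        zone = _fqdn(zone)
        if rev.endswith("." + zone) and (best is None or len(zone) > len(best)):
            best = zone
    if best is None:
        raise LookupError("no managed reverse zone covers %s" % address)
    owner = rev[:-(len(best) + 1)]           # strip "." + zone -> "1"
    return best, owner, _fqdn(fqdn)


def plan_create_reverse(zone, name, options, managed_zones):
    """Plan the PTR records for one dnsrecord-add call.

    options is a constructed stand-in for the parsed CLI options, e.g.
    {"a": ["10.0.0.1"], "a_create_reverse": True,
     "aaaa": ["2001::beef:1"], "aaaa_create_reverse": True}
    A create-reverse flag given without a record of that type raises
    ValueError (the validation suggested at the end of the thread) instead
    of being silently ignored."""
    fqdn = "%s.%s" % (name, zone)
    plans = []
    for rtype, version in (("a", 4), ("aaaa", 6)):
        addresses = options.get(rtype, [])
        if not options.get(rtype + "_create_reverse", False):
            continue
        if not addresses:
            raise ValueError("--%s-create-reverse given without --%s-rec" % (rtype, rtype))
        for addr in addresses:
            if ipaddress.ip_address(addr).version != version:
                raise ValueError("%s is not a valid %s record value" % (addr, rtype.upper()))
            plans.append(plan_reverse_record(addr, fqdn, managed_zones))
    return plans
```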
[Freeipa-devel] Adding a new DNA plugin configuration in IPAv3
Hi,

for the IPAv3 trust feature we have to add the objectclass ipaNTUserAttrs/ipaNTGroupAttrs to every user/group which should be visible on the Windows side of the trust. The only MUST attribute of both objectclasses is ipaNTSecurityIdentifier, the SID of the user or group. We would like to manage the SIDs with the DNA plugin since they have to be unique in the IPA domain.

The trust support will typically be added to a running IPA domain, because we do not plan to install it by default and we have to consider updated v2 environments as well. So the question arises what is the most preferred way to add a DNA configuration to an existing Directory Server setup with replication.

Nathan suggested to create the configuration with the full range on the first master, configure the other master with no available values and let the DNA plugin transfer the ranges between the masters. This will lead to the following steps:

1. Check if there are already shared configuration entries in cn=sids,cn=dna,cn=ipa,cn=etc,$SUFFIX

2a. if not we can create the initial configuration on the current master:

  dn: cn=SIDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
  changetype: add
  objectclass: top
  objectclass: extensibleObject
  cn: SIDs
  dnaType: ipaNTSecurityIdentifier
  dnaNextValue: 1000
  dnaMaxValue: eval($SIDMAX)  # Maybe 200k ?
  dnaMagicRegen: 999
  dnaFilter: (|(objectclass=ipaNTUserAttrs)(objectClass=ipaNTGroupAttrs))
  dnaScope: $SUFFIX
  dnaThreshold: 500
  dnaSharedCfgDN: cn=sids,cn=dna,cn=ipa,cn=etc,$SUFFIX

3a. Add ipaNTUserAttrs/ipaNTGroupAttrs to all users/groups with ipaNTSecurityIdentifier=999 on the current master

4a. Done on the first master

2b. if there are already entries we can create the configuration for an additional master:

  dn: cn=SIDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
  changetype: add
  objectclass: top
  objectclass: extensibleObject
  cn: SIDs
  dnaType: ipaNTSecurityIdentifier
  dnaNextValue: 1101
  dnaMaxValue: 1100
  dnaMagicRegen: 999
  dnaFilter: (|(objectclass=ipaNTUserAttrs)(objectClass=ipaNTGroupAttrs))
  dnaScope: $SUFFIX
  dnaThreshold: 500
  dnaSharedCfgDN: cn=sids,cn=dna,cn=ipa,cn=etc,$SUFFIX

3b. Done on the additional master, DNA plugin will sort out the rest

Do these steps make sense?

Is it necessary to add a lock to prevent a race condition between step 1 and 2a, i.e. two admins try to prepare IPA for trusts independently at the same time?

Do I understand it correctly that if dnaMaxValue is set to e.g. 2^32 on the first master, the range on the second master will start at 2^31? So the usage of the full range will be quite sparse if dnaMaxValue is set too high.

Step 3a on the first master might need some time to finish. Is it necessary to set some kind of lock to prevent the configuration of the DNA plugin on other masters while this task is running or is it safe to add another master at any time?

Are there other ways to introduce the DNA configuration? Nathan suggested also that the ranges can be configured manually without overlap, but if possible I would prefer the automatic way.

Thank you for your help.

bye,
Sumit
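An added example for the procedure above, not FreeIPA's own code: it produces the cn=SIDs entry for either the first master (full range) or an additional master (empty range) and, for the manual alternative Nathan mentioned, checks that the per-master ranges cannot hand out the same SID twice and that no range contains the magic regeneration value. The suffix, master names and sample ranges are constructed.

```python
def dna_sids_config(shared_cfg_exists, suffix, sid_max):
    """Return the attributes of the cn=SIDs DNA entry for this master.

    First master: the full range 1000..sid_max. Additional master: an empty
    range (dnaNextValue > dnaMaxValue), so the plugin must request values
    from a master that still owns some, as proposed in the thread."""
    next_value, max_value = (1101, 1100) if shared_cfg_exists else (1000, sid_max)
    return {
        "dn": "cn=SIDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config",
        "objectclass": ["top", "extensibleObject"],
        "cn": "SIDs",
        "dnaType": "ipaNTSecurityIdentifier",
        "dnaNextValue": next_value,
        "dnaMaxValue": max_value,
        "dnaMagicRegen": 999,
        "dnaFilter": "(|(objectclass=ipaNTUserAttrs)(objectClass=ipaNTGroupAttrs))",
        "dnaScope": suffix,
        "dnaThreshold": 500,
        "dnaSharedCfgDN": "cn=sids,cn=dna,cn=ipa,cn=etc," + suffix,
    }


def to_ldif(entry):
    """Serialise the entry as an LDIF add operation; list values become
    repeated attribute lines."""
    lines = ["dn: " + entry["dn"], "changetype: add"]
    for attr, value in entry.items():
        if attr == "dn":
            continue
        for v in (value if isinstance(value, list) else [value]):
            lines.append("%s: %s" % (attr, v))
    return "\n".join(lines) + "\n"


def check_ranges(configs):
    """Validate manually assigned ranges across masters.

    configs maps a master name to its entry (or any dict with dnaNextValue,
    dnaMaxValue and dnaMagicRegen). Returns a list of problems; an empty
    list means no two masters can allocate the same SID and no range
    contains the magic value that marks "please assign me one"."""
    problems, live = [], []
    for name, cfg in configs.items():
        lo, hi, magic = cfg["dnaNextValue"], cfg["dnaMaxValue"], cfg["dnaMagicRegen"]
        if lo > hi:
            continue                      # empty range, nothing to allocate
        if lo <= magic <= hi:
            problems.append("%s: magic value %d lies inside %d-%d" % (name, magic, lo, hi))
        live.append((lo, hi, name))
    live.sort()
    for (lo1, hi1, n1), (lo2, hi2, n2) in zip(live, live[1:]):
        if lo2 <= hi1:
            problems.append("%s %d-%d overlaps %s %d-%d" % (n1, lo1, hi1, n2, lo2, hi2))
    return problems
```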
Re: [Freeipa-devel] [PATCH] 070 Modifying DNS UI to benefit from new DNS API
On 01/31/2012 01:09 AM, Endi Sukma Dewata wrote:

On 1/27/2012 8:51 AM, Petr Vobornik wrote:

Updated patch attached.

ACK and pushed to master and ipa-2-2. See also the comments below.

5. The following attributes probably should be shown as text areas in the edit dialog and should not be displayed in the table because it could be too long:
* cert_part_certificate_or_crl
* ds_part_digest
* key_part_public_key
* sig_part_signature
* rrsig_part_signature
* sshfp_part_fingerprint

Fixed. The sig_part_signature and rrsig_part_signature actually still appear in the table since we're showing the raw data but I think we can deal with it later once we decide which columns to show in the table.

Another possibility, instead of hiding these fields we can also show just the first few characters.

Yes, some right combinations of columns possibly with custom formatters. In this case some future user feedback would be nice.

7. The record type header (e.g. A record) on the left of the table probably can be moved above the table to allow wider table. For comparison, in HBAC/sudo rule details page the tables occupy the entire width of the page.

Maybe. I will wait for Kyle's review (WWKR). In this implementation the table is too narrow; if we moved the headers and extended the table, the space for one type would be too high and a user will have to scroll a lot. Both are not ideal.

OK'd by Kyle in ticket #2208. Let's leave it as is for now. One thing though, in HBAC/sudo rules the Add/Delete buttons occupy the same box as the last column header. In the DNS records page the buttons occupy a separate box. This can be fixed later.

The buttons are in the last column, which doesn't have a label because it doesn't need it - the column contains edit links. So it is consistent. It would change automatically if we decide to remove/change the edit link - remove the column itself.
The only thing I don't like on the buttons is that they have slightly different vertical alignment than the rest of the labels - existing issue. And that they have too wide left padding/margin/cell-space.

Additional improvements:

13. In the details page the title of the Add/Delete/Edit dialogs could be modified to mention the record type.

Yeah, I was lazy.

14. The IPA.dns.record_metadata is lazily initialized in get_record_metadata(). I suppose this is because the validators are dependent on the metadata loaded from the server. However, being a standalone function, it doesn't prevent someone from calling get_record_metadata() too early and still get an error. We might be able to address this by moving the initialization into IPA.dns.record_entity.init() because it's guaranteed to be called after entity creation which will only happen after loading the metadata.

I don't see it as a big problem. The only thing which would change is that the caller would get a null object instead of raising some exception. In both cases the call would have to be postponed after initialization. Sometimes I see an exception as a better way because it is screaming: "You are doing something bad/too early". In init it would be called each time a user uses the UI and it would have bigger indentation.

15. Currently when calling IPA.dns.get_record_type() you'd have to append the 'record' manually. The function can be modified to take the record type only, then internally append the 'record' prefix to find the metadata for that type.

Agree. Also other parts may benefit from some kind of normalization of record name - on various parts different representations and subsequent transformations are used: ie 'A' - 'a' - 'arecord'.

16. Existing issue: some parameters in the specs (e.g. validators, policies, formats) are objects instead of the class/factory.
For example:

  factory: IPA.dnszone_adder_dialog,
  policies: [
      IPA.dnsrecord_adder_dialog_type_policy({
          type_field: 'record_type'
      })
  ]

Compare it with:

  factory: IPA.dnszone_adder_dialog,
  policies: [
      {
          factory: IPA.dnsrecord_adder_dialog_type_policy,
          type_field: 'record_type'
      }
  ]

This is not an issue now, but if we want to make the spec more declarative (see ticket #2052) I think we should avoid executing code in order to construct the spec. We also still need to figure out how to handle messages and dynamic specs properly (see user.js:35-36). Suppose we have a fully declarative spec, we can move the spec out of the entity class (and maybe into a separate json file) to simplify UI customization, but I'm still not sure if it's possible due to the dynamic nature of the UI. Suppose it's not possible, we might as well create the objects directly instead of using 2 stages (spec - object):

  that.adder_dialog(IPA.dnszone_adder_dialog({
      policies: [
          IPA.dnsrecord_adder_dialog_type_policy({
              type_field: 'record_type'
          })
      ]
  }));

Totally agree. I was thinking about doing it, but I postponed it. It may be also beneficial for columns and their formatter definitions. I'm thinking about some generic collection with
Re: [Freeipa-devel] [PATCH] [WIP] 069 Added refresh button for UI
On 01/31/2012 12:50 AM, Endi Sukma Dewata wrote:

OK'd by Kyle in ticket #2051. Pushed to master and ipa-2-2.

One more issue, in the details page the Refresh and Reset buttons are actually doing a similar thing. They both cancel unsaved changes in the page, but the difference is the Reset button will show the values originally loaded when you open the page (which might be stale) whereas the Refresh button will reload the latest values from the server. So I think we can remove the Refresh button from the details page and modify the Reset button to do a refresh. We can leave the Undo buttons as is. This way we don't need a new icon for Refresh. What do you think?

It is a possible solution. I agree that users can be confused what is the difference between them. With low latency and quick line they may appear similar. I wonder if someone is using the reset button at all. So I'm not opposed to it.

-- 
Petr Vobornik
Re: [Freeipa-devel] [PATCH] 10 --no-reverse option in ipa-replica-install is not honoured
On 01/26/2012 09:24 AM, Jan Cholasta wrote:

On 25.1.2012 17:50, Ondrej Hamada wrote:

https://fedorahosted.org/freeipa/ticket/2161

The option '--no-reverse' was not honoured in replica-install because of wrongly placed condition checking.

NACK

The --no-reverse option means do not create a new reverse zone if there is no existing suitable reverse zone. Your patch changes the semantics of the option to do not use any reverse zone.

One problem I see is that the name of the option is misleading. It should probably be changed to --no-new-reverse.

Anyway, the ticket should IMO be closed as invalid. It is a case of people not reading documentation and then being surprised why things don't work the way they assumed.

Honza

According to discussion with jgalipea and rcrit: the option will stay as it is, just the manpages and documentation will be updated. This patch patches the option descriptions in code and in manpages. For the documentation update a new ticket was created: https://fedorahosted.org/freeipa/ticket/2330

-- 
Regards,
Ondrej Hamada
FreeIPA team
jabber: oh...@jabbim.cz
IRC: ohamada

From 372aa7fd3a656f4092cd27a0cf7bd611f87f0e35 Mon Sep 17 00:00:00 2001 From: Ondrej Hamada oham...@redhat.com Date: Tue, 31 Jan 2012 15:16:56 +0100 Subject: [PATCH] Fix 'no-reverse' option description The description of 'no-reverse' option was fixed in both code and manpages of ipa-replica-install and ipa-dns-install. https://fedorahosted.org/freeipa/ticket/2161 --- install/tools/ipa-dns-install |2 +- install/tools/ipa-replica-install |2 +- install/tools/man/ipa-dns-install.1 |2 +- install/tools/man/ipa-replica-install.1 |2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/install/tools/ipa-dns-install b/install/tools/ipa-dns-install index 98929bdc35dbd4cfde657e7711ed3eee98e1598f..70cc00d33df981a6f57dab56c7598cd35f562fbc 100755 --- a/install/tools/ipa-dns-install +++ b/install/tools/ipa-dns-install 
@@ -48,7 +48,7 @@ def parse_options(): default=False, help=Do not add any DNS forwarders, use root servers instead) parser.add_option(--reverse-zone, dest=reverse_zone, help=The reverse DNS zone to use) parser.add_option(--no-reverse, dest=no_reverse, action=store_true, - default=False, help=Do not create reverse DNS zone) + default=False, help=Do not create new reverse DNS zone) parser.add_option(--zonemgr, action=callback, callback=bindinstance.zonemgr_callback, type=string, help=DNS zone manager e-mail address. Defaults to root) diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install index c1474ecbffc6ac5ccc22b91098dbdb1aa4613f0f..4af0358d86787f177a77b95743afff157a16726e 100755 --- a/install/tools/ipa-replica-install +++ b/install/tools/ipa-replica-install @@ -85,7 +85,7 @@ def parse_options(): default=False, help=Do not add any DNS forwarders, use root servers instead) dns_group.add_option(--reverse-zone, dest=reverse_zone, help=The reverse DNS zone to use) dns_group.add_option(--no-reverse, dest=no_reverse, action=store_true, - default=False, help=Do not create reverse DNS zone) + default=False, help=Do not create new reverse DNS zone) dns_group.add_option(--no-host-dns, dest=no_host_dns, action=store_true, default=False, help=Do not use DNS for hostname lookup during installation) diff --git a/install/tools/man/ipa-dns-install.1 b/install/tools/man/ipa-dns-install.1 index adcab95e0dca9711cb6f3a8f45f62b3bdc26b58c..c9dfbb560355d67404540acddd8c6c3450b6f540 100644 --- a/install/tools/man/ipa-dns-install.1 +++ b/install/tools/man/ipa-dns-install.1 
@@ -44,7 +44,7 @@ Do not add any DNS forwarders, send non\-resolvable addresses to the DNS root se The reverse DNS zone to use .TP \fB\-\-no\-reverse\fR -Do not create reverse DNS zone +Do not create new reverse DNS zone. If used on a replica and a reverse DNS zone already exists for the subnet, it will be used. .TP \fB\-\-zonemgr\fR The e\-mail address of the DNS zone manager. Defaults too root@host.domain diff --git a/install/tools/man/ipa-replica-install.1 b/install/tools/man/ipa-replica-install.1 index f8fa148d076b2e4a53682b1d48e08e57380892d7..074162f0c74207643d3f83e39e15534666899b27 100644 --- a/install/tools/man/ipa-replica-install.1 +++ b/install/tools/man/ipa-replica-install.1 @@ -80,7 +80,7 @@ Do not add any DNS forwarders. Root DNS servers will be used instead. The reverse DNS zone to use .TP \fB\-\-no\-reverse\fR -Do not create reverse DNS zone +Do not create new reverse DNS zone. If a reverse DNS zone already exists for the subnet, it will be used. .TP \fB\-\-no\-host\-dns\fR Do not use DNS for hostname lookup during installation -- 1.7.6.5 ___ Freeipa-devel
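Review bot: the ipa-dns-install.1 hunk says "If used on a replica and a reverse DNS zone already exists for the subnet, it will be used", but ipa-dns-install is run on an existing server, not only on a replica, and the ipa-replica-install.1 hunk describes the same behaviour without that condition; drop "If used on a replica and" so the two man pages agree. The --help strings in both parse_options() hunks still read only "Do not create new reverse DNS zone" and leave out that an existing zone is reused, which is exactly what the ticket reporter missed; consider carrying the man page sentence into the option help as well.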
Re: [Freeipa-devel] [PATCH] 203 Add argument help to CLI
On Mon, 2012-01-30 at 11:22 -0500, Rob Crittenden wrote:

Martin Kosek wrote:

An example of the improved help:

  # ipa help user-add
  Purpose: Add a new user.
  Usage: ipa [global-options] user-add LOGIN [options]

  Positional arguments:
    LOGIN: User login

  Options:
    -h, --help    show this help message and exit
    --first=STR   First name
    --last=STR    Last name
    --cn=STR      Full name
    ...

We may want to improve help for most arguments we use. Most of them are missing. In this patch I updated just the CRITERIA argument that was complained about in the relevant BZ.

Martin

Patch looks ok, I just think the output could be improved. I think it should look similar to the existing usage output, so, similar indention and description columns lined up:

  Usage: ipa [global-options] user-add LOGIN [options]

  Positional arguments:
    LOGIN         User login

  Options:
    -h, --help    show this help message and exit

rob

I agree. I refactored the patch to integrate better with OptionParser and rather provide a support of argument help directly instead of misusing description field. New patch adds a formatter capable of formatting arguments consistently with options format (as you proposed).

Martin

From 2af51484aa097c95b6b3639fd47c103d477f Mon Sep 17 00:00:00 2001 From: Martin Kosek mko...@redhat.com Date: Fri, 27 Jan 2012 16:51:37 +0100 Subject: [PATCH] Add argument help to CLI CLI command help contains a documentation for all options that can be passed to commands. However, help strings for positional arguments are not included. This patch uses an OptionParser description field to list all command arguments as OptionParser does not have a native support to provide such information to user. https://fedorahosted.org/freeipa/ticket/1974 --- ipalib/cli.py | 86 +++- ipalib/plugins/baseldap.py |4 ++- 2 files changed, 80 insertions(+), 10 deletions(-) diff --git a/ipalib/cli.py b/ipalib/cli.py index 667a7cdc40b4557841bac3186b3271836e6f358c..c5bb9461fddc8ec20190778d0f51d1629e8659ec 100644 --- a/ipalib/cli.py +++ b/ipalib/cli.py 
@@ -942,6 +942,57 @@ class Collector(object): def __todict__(self): return dict(self.__options) +class CLIOptionParserFormatter(optparse.IndentedHelpFormatter): +def format_argument(self, name, help_string): +result = [] +opt_width = self.help_position - self.current_indent - 2 +if len(name) opt_width: +name = %*s%s\n % (self.current_indent, , name) +indent_first = self.help_position +else: # start help on same line as name +name = %*s%-*s % (self.current_indent, , opt_width, name) +indent_first = 0 +result.append(name) +if help_string: +help_lines = textwrap.wrap(help_string, self.help_width) +result.append(%*s%s\n % (indent_first, , help_lines[0])) +result.extend([%*s%s\n % (self.help_position, , line) + for line in help_lines[1:]]) +elif name[-1] != \n: +result.append(\n) +return .join(result) + +class CLIOptionParser(optparse.OptionParser): + +This OptionParser subclass adds an ability to print positional +arguments in CLI help. Custom formatter is used to format the argument +list in the same way as OptionParser formats options. + +def __init__(self, *args, **kwargs): +self._arguments = [] +if 'formatter' not in kwargs: +kwargs['formatter'] = CLIOptionParserFormatter() +optparse.OptionParser.__init__(self, *args, **kwargs) + +def format_option_help(self, formatter=None): + +Prepend argument help to standard OptionParser's option help + +option_help = optparse.OptionParser.format_option_help(self, formatter) + +if isinstance(formatter, CLIOptionParserFormatter): +arguments = [] +for (name, help_string) in self._arguments: +arguments.append(formatter.format_argument(name, help_string)) +if arguments: +heading = unicode(_(Positional arguments)) +arguments.insert(0, formatter.format_heading(heading)) +arguments.append(\n) +option_help = .join(arguments) + option_help +return option_help + +def add_argument(self, name, help_string): +self._arguments.append((name, help_string)) class cli(backend.Executioner): 
@@ -1006,7 +1057,7 @@ class cli(backend.Executioner): yield (key, self.Backend.textui.decode(value)) def build_parser(self, cmd): -parser = optparse.OptionParser( +parser = CLIOptionParser( usage=' '.join(self.usage_iter(cmd)) ) option_groups = {} @@ -1045,20 +1096,37 @@ class
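Review bot: in the CLIOptionParser.format_option_help hunk, formatter can be None when the method is called directly (optparse substitutes self.formatter only inside format_help), and the isinstance(formatter, CLIOptionParserFormatter) check then silently drops the whole positional-arguments section; add `if formatter is None: formatter = self.formatter` before the call to optparse.OptionParser.format_option_help. The commit message still says the patch "uses an OptionParser description field to list all command arguments", which this version of the diff no longer does; update it to describe the custom formatter and format_argument().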
Re: [Freeipa-devel] [PATCH] 071 Added paging to DNS record search facet
On 1/24/2012 8:52 AM, Petr Vobornik wrote:

Patch Description: Paging in DNS record search facet was disabled because there was a mismatch between primary keys sent by server and values displayed in the facet. The facet was modified to enable paging. To preserve amount of information which was displayed before, current rows have variable height - they can contain more than one line depending on number of values in the record. Each record has a checkbox and idnsname in its first line to distinguish one record from others. Because there is only one checkbox for record, delete command is called with --del-all option which causes that entire record is removed. Individual values can be deleted in record's details facet.

https://fedorahosted.org/freeipa/ticket/2094

ACK. OK'd by Kyle too. Pushed to master and ipa-2-2.

Just one comment, the new deleter_dialog parameter for the search facet might not be necessary. The DNS record deleter dialog could be added into the DNS record entity like in host.js:161. The nested DNS record search facet has a managed_entity which points to the DNS record entity. The facet will be able to find the deleter dialog using the managed_entity in search.js:146. Another possibility is to move the nested search facet into the DNS record entity itself.

-- 
Endi S. Dewata
Re: [Freeipa-devel] [PATCH] Fixed host managed-by adder dialog.
On 1/30/2012 3:00 AM, Petr Vobornik wrote:

On 01/26/2012 05:33 PM, Endi Sukma Dewata wrote:

The host managed-by adder dialog has been fixed to use the new --not-man-hosts option to filter out hosts that are already added.

Ticket #1675

ACK

Pushed to master and ipa-2-2.

-- 
Endi S. Dewata
[Freeipa-devel] [PATCH] 073 Automember UI
New UI for automember.

Implemented:
* search facet core
* rule details facet
* attribute_table_widget - new base class for tables which contains multivalued attribute with special add/remove commands
* adding/removing conditions in details facet

TODO (will follow):
* label translations
* UI for defining default rules

Note: depends on my patch #72

-- 
Petr Vobornik

From c268e263dad36df5dd8ed0c6582a84f816e5d556 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Petr=20Voborn=C3=ADk?= pvobo...@redhat.com Date: Wed, 25 Jan 2012 13:06:15 +0100 Subject: [PATCH] Automember UI New UI for automember. Implemented: * search facet core * rule details facet * attribute_table_widget - new base class for tables which contains multivalued attribute with special add/remove commands * adding/removing conditions in details facet TODO: * label translations * UI for defining default rules https://fedorahosted.org/freeipa/ticket/2195 --- install/ui/Makefile.am |1 + install/ui/automember.js | 461 install/ui/facet.js| 13 +- install/ui/index.html |1 + install/ui/jsl.conf|1 + install/ui/test/data/automembergroup_add.json | 21 + .../ui/test/data/automembergroup_find_pkeys.json | 24 + .../ui/test/data/automembergroup_get_records.json | 27 ++ install/ui/test/data/automembergroup_show.json | 31 ++ install/ui/test/data/automemberhostgroup_add.json | 21 + .../test/data/automemberhostgroup_find_pkeys.json | 24 + .../test/data/automemberhostgroup_get_records.json | 27 ++ install/ui/test/data/automemberhostgroup_show.json | 30 ++ install/ui/test/data/ipa_init.json |1 + install/ui/webui.js|9 +- install/ui/widget.js | 351 +++- 16 files changed, 1039 insertions(+), 4 deletions(-) create mode 100644 install/ui/automember.js create mode 100644 install/ui/test/data/automembergroup_add.json create mode 100644 install/ui/test/data/automembergroup_find_pkeys.json create mode 100644 install/ui/test/data/automembergroup_get_records.json create mode 100644 install/ui/test/data/automembergroup_show.json create mode 100644 install/ui/test/data/automemberhostgroup_add.json create mode 100644 install/ui/test/data/automemberhostgroup_find_pkeys.json create mode 100644 install/ui/test/data/automemberhostgroup_get_records.json create mode 100644 install/ui/test/data/automemberhostgroup_show.json diff --git a/install/ui/Makefile.am b/install/ui/Makefile.am index 822a6282f3a447e24282e4112df2e63457890fa7..d87a0944ca47e1885a9a2781e6ed03e30c662fe6 100644 
--- a/install/ui/Makefile.am +++ b/install/ui/Makefile.am @@ -11,6 +11,7 @@ app_DATA =\ aci.js\ add.js\ association.js \ + automember.js \ automount.js \ browser.js \ certificate.js \ diff --git a/install/ui/automember.js b/install/ui/automember.js new file mode 100644 index ..d6c3c7ee730b7e2d260aadda179b867dbe12610c --- /dev/null +++ b/install/ui/automember.js 
@@ -0,0 +1,461 @@ +/*jsl:import ipa.js */ + +/* Authors: + *Petr Vobornik pvobo...@redhat.com + * + * Copyright (C) 2012 Red Hat + * see file 'COPYING' for use and warranty information + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see http://www.gnu.org/licenses/. + */ + +/* REQUIRES: ipa.js, details.js, search.js, add.js, facet.js, entity.js */ + +IPA.automember = {}; + +IPA.automember.entity = function(spec) { + + //HACK: Automember takes_params is missing a cn attribute. This hack + //copies cn from mod command. Also it is set as pkey. +var pkey_attr = IPA.metadata.commands.automember_mod.takes_args[0]; +pkey_attr.primary_key = true; +IPA.metadata.objects.automember.takes_params.push(pkey_attr); +IPA.metadata.objects.automember.primary_key = pkey_attr.name; + +var that = IPA.entity(spec); + +that.init = function() { + +that.entity_init(); + +that.builder.search_facet({ +factory: IPA.automember.rule_search_facet, +name: 'searchgroup', +group_type: 'group', +label: 'User group rules', //TODO: translate +details_facet: 'usergrouprule', +columns: [
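Review bot: the HACK block at the top of IPA.automember.entity mutates shared state on every call: pkey_attr is pushed onto IPA.metadata.objects.automember.takes_params each time the entity is constructed, so a second construction leaves a duplicate cn entry in takes_params. Guard the push with a check that takes_params does not already contain that name, or better, have the server include cn in the automember object's takes_params so the UI does not need to patch metadata at all. The 'User group rules' label is still a hard-coded string marked //TODO: translate; the description lists translations as follow-up work, but the string should move into the messages before this lands.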
Re: [Freeipa-devel] session authentication issues
On Tue, 2012-01-31 at 09:35 -0500, John Dennis wrote:

Good news, bad news.

I had mistakenly believed the session authentication was working properly, but it's not. The good news is that the session code seems to work flawlessly and has for a while. The bad news is that the approach we took with using redirects to a login url seems to be fundamentally flawed. Also the introduction of S4U2proxy has changed some assumptions about what we see in the Kerberos ccache on the server (but this should be easy to address).

I'll try to be brief (I know not my usual :-)

The fundamental problem is that using redirects causes the POST data to be lost. This was a bit tricky to diagnose because using Firebug on the browser didn't show the redirect activity and because so much on the client side happens in javascript code. And on the server we don't have a way to show the complete HTTP request, just what handlers it hits and the HTTP headers the handlers see. So from both the browser and server perspective it appeared the redirects were working as expected, but there wasn't enough information to (easily) see where things were going astray. The diagnosis was further complicated by the fact the problem would clear itself on the next request (after credentials had been established eliminating the need for a redirect).

Simple explanation:

A redirect seen by XMLHttpRequest (i.e. Ajax) causes a POST to be converted to a GET. The web UI uses Ajax to send POST (wrapped by jQuery). Using a redirect breaks our whole RPC mechanism.

More detail: (skip to "Bottom line simple summary" if you don't want the details)

XMLHttpRequest appears to be somewhat underspecified, this is compounded by XMLHttpRequest implementation differences in different browsers.
As best as I can understand at the moment Javascript does not implement XMLHttpRequest in native Javascript using networking primitives, rather it leverages the XMLHttpRequest implementation in the browser, thus it's at the mercy of the browser implementation.

The HTTP protocol also specifies certain behavior with respect to redirects for security reasons. You're not supposed to send POST data to another server on a redirect unless the user is prompted and OK's the re-transmission. But Ajax operates a layer below and is not in a good position to prompt the user, nor would that necessarily be desired behavior from Javascript code. This page gives some good explanations and provides Javascript test code to see how compliant your browser is:

http://www.mnot.net/javascript/xmlhttprequest/

One might think that the decision to convert from POST to GET on a redirect would be governed by whether the new URL was located on the same origin server as the original URL (the idea is to avoid sending POST data to a different server), but apparently that's not how it works, the mere fact it's a redirect triggers the conversion (is this XMLHttpRequest implementation specific??)

What happens with F16 Firefox is the original post to /ipa/json gets redirected to /ipa/login as a GET (because Firefox won't send POST during a redirect).

I am a bit confused, you repeat a couple of times that the POST is translated into a GET, but you do not say what data is sent in this GET ?

Then /ipa/login redirects again after obtaining credentials back to the original /ipa/json, but what arrives at the RPC interface is a GET not a POST (again due to redirects). The POST data has been lost. As best I can tell all this is happening inside Firefox's XMLHttpRequest implementation and the Javascript making the Ajax call never sees it (not 100% sure about this though). Thus our Javascript code thinks it sent something it never actually did.
The RPC code on the server doesn't complain it received a GET instead of a POST, instead it tries to read the RPC data from query parameters on the URL. It fails to find RPC data and sends an IPA error back stating the command is unknown. From an Ajax/HTTP perspective this was 100% successful, it got back a good response, that we later interpret as an IPA error and put up a dialog box. Then our Javascript issues the next RPC, none of the redirects occur and everything works wonderfully.

The fact the redirects are occurring in the XMLHttpRequest layer also seems to induce another undesirable behavior. Despite the fact we send back a session cookie on the first request that session cookie is not sent back in the subsequent redirects. Each time one of the redirects hits the server we allocate a new session because we think none exists yet. Thus for the first request we end up creating two sessions that will never be used (they will eventually get purged but it's not optimal).

I am a bit surprised here. Shouldn't we create a session only once Negotiate auth is completed and we know the user is authenticated ? If so where do the other sessions come
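An added model of the failure described in this message, not FreeIPA's code: xhr_fetch reproduces what the thread observes in Firefox (a 302 is followed as a GET with no body, and the cookie set on the redirecting response is not carried along), and RpcServer can run either as the redirect-to-login design under discussion or, for contrast, as an assumed alternative that returns 401 instead of redirecting an RPC call, refuses GET on /ipa/json, and allocates a session only after authentication. The paths, principal and RPC payload are constructed, and the Negotiate exchange itself is assumed to succeed.

```python
class Request:
    def __init__(self, method, path, body=None, cookies=None):
        self.method, self.path, self.body = method, path, body
        self.cookies = dict(cookies or {})


class Response:
    def __init__(self, status, headers=None, body=None):
        self.status, self.headers, self.body = status, dict(headers or {}), body


def xhr_fetch(server, req, max_redirects=5):
    """Browser XMLHttpRequest as observed in the thread: a 302 is followed
    transparently as a GET with no body, and only the cookies the original
    request carried are sent on the follow-up."""
    resp = server.handle(req)
    while resp.status == 302 and max_redirects:
        req = Request("GET", resp.headers["Location"], None, req.cookies)
        resp = server.handle(req)
        max_redirects -= 1
    return resp


class RpcServer:
    """Toy /ipa/json and /ipa/login. redirect_login=True is the design under
    discussion; False is the assumed alternative (401 / 405, no early session)."""

    def __init__(self, redirect_login):
        self.redirect_login = redirect_login
        self.sessions = {}         # session id -> principal, None if allocated before auth
        self.used = set()          # session ids a client actually presented
        self.krb_principal = None  # identity in the server ccache once login has run

    def new_session(self, principal):
        sid = "s%d" % (len(self.sessions) + 1)
        self.sessions[sid] = principal
        return sid

    def wasted_sessions(self):
        """Sessions that were allocated but never presented by any client."""
        return sorted(s for s in self.sessions if s not in self.used)

    def handle(self, req):
        if req.path == "/ipa/login":
            self.krb_principal = "admin@EXAMPLE.COM"   # Negotiate assumed to succeed
            sid = self.new_session(self.krb_principal)
            status = 302 if self.redirect_login else 200
            return Response(status, {"Location": "/ipa/json",
                                     "Set-Cookie": "ipa_session=" + sid})
        if req.path != "/ipa/json":
            return Response(404)
        sid = req.cookies.get("ipa_session")
        if sid in self.sessions:
            self.used.add(sid)
        elif self.redirect_login:
            # Design under discussion: a session is allocated before anyone
            # knows who the caller is, then the caller is bounced to login.
            sid = self.new_session(self.krb_principal)
            if self.krb_principal is None:
                return Response(302, {"Location": "/ipa/login"})
        else:
            return Response(401, {"WWW-Authenticate": "Negotiate"})
        if req.method != "POST":
            if self.redirect_login:
                # RPC data is looked up in the (empty) query string instead.
                return Response(200, {"Set-Cookie": "ipa_session=" + sid},
                                {"error": "unknown command"})
            return Response(405, {"Allow": "POST"})
        return Response(200, {"Set-Cookie": "ipa_session=" + sid},
                        {"result": "ran " + req.body["method"]})


def rpc_call(server, body, cookies=None):
    """Client side for the alternative server: on 401 log in explicitly (a
    response the JS code can see, unlike a transparent redirect) and retry
    the very same POST, so the RPC body is never lost."""
    cookies = dict(cookies or {})
    resp = xhr_fetch(server, Request("POST", "/ipa/json", body, cookies))
    if resp.status == 401:
        login = xhr_fetch(server, Request("GET", "/ipa/login"))
        cookies["ipa_session"] = login.headers["Set-Cookie"].split("=", 1)[1]
        resp = xhr_fetch(server, Request("POST", "/ipa/json", body, cookies))
    return resp
```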
[Freeipa-devel] [PATCH] 344 Added icons for status column.
The status formatter was modified to show enabled/disabled icon before the status text. The format classes were renamed to formatter to avoid confusion with the format() method. A new parameter 'type' was added to the formatter to determine the output type (e.g. text/html). Ticket #1996 -- Endi S. Dewata From e3eadbaa6f0d4eb2aeca4f47662152a9523fa4ef Mon Sep 17 00:00:00 2001 From: Endi Sukma Dewata edew...@redhat.com Date: Tue, 31 Jan 2012 09:57:33 -0600 Subject: [PATCH] Added icons for status column. The status formatter was modified to show enabled/disabled icon before the status text. The format classes were renamed to formatter to avoid confusion with the format() method. A new parameter 'type' was added to the formatter to determine the output type (e.g. text/html). Ticket #1996 --- install/ui/dns.js |2 +- install/ui/facet.js|2 +- install/ui/hbac.js |2 +- install/ui/hbactest.js | 12 ++-- install/ui/host.js |6 +++--- install/ui/ipa.css | 12 install/ui/rule.js |2 +- install/ui/selinux.js |2 +- install/ui/sudo.js |2 +- install/ui/user.js |2 +- install/ui/widget.js | 45 + 11 files changed, 61 insertions(+), 28 deletions(-) diff --git a/install/ui/dns.js b/install/ui/dns.js index 65c331f5b70b563655f7be9f2e3c59376c36788f..edd9274c671fe5f3b542502c27d9dbd5025da1fc 100644 --- a/install/ui/dns.js +++ b/install/ui/dns.js @@ -51,7 +51,7 @@ IPA.dns.zone_entity = function(spec) { { name: 'idnszoneactive', label: IPA.messages.status.label, -format: IPA.boolean_status_format() +formatter: IPA.boolean_status_formatter() } ] }). diff --git a/install/ui/facet.js b/install/ui/facet.js index 150c3e8faad29381372c31358ea928db14c0be0c..6247ebde632a3467e6743a755bc8f250c97b03a0 100644 --- a/install/ui/facet.js +++ b/install/ui/facet.js 
@@ -628,7 +628,7 @@ IPA.table_facet = function(spec) { var value = record[attribute]; var column = that.table.get_column(attribute); -if (column.format) value = column.format.parse(value); +if (column.formatter) value = column.formatter.parse(value); that.table.set_row_enabled(tr, value); }; diff --git a/install/ui/hbac.js b/install/ui/hbac.js index bff2af30c82a7ad0cff77dcc024c6ca6144b4c78..6bd63d4ecb6a2f1071385a93f0e5edf792604792 100644 --- a/install/ui/hbac.js +++ b/install/ui/hbac.js @@ -44,7 +44,7 @@ IPA.hbac.rule_entity = function(spec) { { name: 'ipaenabledflag', label: IPA.messages.status.label, -format: IPA.boolean_status_format() +formatter: IPA.boolean_status_formatter() }, 'description' ] diff --git a/install/ui/hbactest.js b/install/ui/hbactest.js index e9b02a14ca0670949f1a7faead70b44f262a3c37..0e77083cafcd6a61170bf347fe9c5e428366eae3 100644 --- a/install/ui/hbactest.js +++ b/install/ui/hbactest.js @@ -51,7 +51,7 @@ IPA.hbac.test_entity = function(spec) { { name: 'nsaccountlock', label: IPA.messages.status.label, -format: IPA.boolean_status_format({ +formatter: IPA.boolean_status_formatter({ invert_value: true }) } @@ -70,7 +70,7 @@ IPA.hbac.test_entity = function(spec) { { name: 'has_keytab', label: IPA.messages.objects.host.enrolled, -format: IPA.boolean_format() +formatter: IPA.boolean_formatter() } ] }). @@ -99,7 +99,7 @@ IPA.hbac.test_entity = function(spec) { { name: 'has_keytab', label: IPA.messages.objects.host.enrolled, -format: IPA.boolean_format() +formatter: IPA.boolean_formatter() } ] }). @@ -116,7 +116,7 @@ IPA.hbac.test_entity = function(spec) { { name: 'ipaenabledflag', label: IPA.messages.status.label, -format: IPA.boolean_status_format() +formatter: IPA.boolean_status_formatter() }, 'description' ] @@ -134,12 +134,12 @@ IPA.hbac.test_entity = function(spec) { { name: 'matched', label: IPA.messages.objects.hbactest.matched, -format: IPA.boolean_format() +formatter: IPA.boolean_formatter() }, { name: 'ipaenabledflag', label:
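Review bot: in the facet.js hunk the value returned by `column.formatter.parse(value)` is what `that.table.set_row_enabled(tr, value)` acts on, so for the columns configured with `invert_value: true` (hbactest.js, `nsaccountlock`) the row is only greyed out correctly if parse() applies the inversion; confirm that in the formatter, otherwise a locked user renders as enabled in the test result table.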
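Review bot: the new `'type'` parameter and the html output the commit message describes live in install/ui/widget.js, which the diffstat lists with 45 changed lines but which is not in this excerpt; for the html path, build the icon and the status text as DOM/jQuery elements rather than concatenating the status value into a markup string, since the same formatter now emits either text or html depending on a runtime parameter and the text path will not escape anything.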
Re: [Freeipa-devel] [PATCH] 933 %ghost some UI files
On Mon, 2012-01-30 at 13:53 -0500, Rob Crittenden wrote: Martin Kosek wrote: On Fri, 2012-01-27 at 09:26 -0500, Rob Crittenden wrote: Martin Kosek wrote: On Thu, 2012-01-26 at 14:11 -0500, Rob Crittenden wrote: Add a %ghost to some files installed by the UI so that they are owned by freeipa-server when the server is installed and they will be removed by rpm when the package is removed. rob

I see you did not add /usr/share/ipa/html/ca.crt to %ghost too. Is this intentional? We may want to keep ca.crt intact when freeipa package is uninstalled... This is a list of files in /usr/share/ipa/ that we do not own: file /usr/share/ipa/html/krb.con is not owned by any package file /usr/share/ipa/html/preferences.html is not owned by any package file /usr/share/ipa/html/configure.jar is not owned by any package file /usr/share/ipa/html/krbrealm.con is not owned by any package file /usr/share/ipa/html/ca.crt is not owned by any package file /usr/share/ipa/html/krb5.ini is not owned by any package Martin

This was my thinking exactly. Right now if you uninstall the rpms and re-install them then (at least apparently) the server continues to work. I might be talked into adding a config(noreplace) if we want this at least owned by the package.

I think it would be a good idea. We already own for example default.conf with config(noreplace) which is also generated during installation. There are 2 ca.crt's to manage this way: /usr/share/ipa/html/ca.crt /etc/ipa/ca.crt Martin

Ok, added both of these. rob

ACK. Pushed to master, ipa-2-2. (There was a small rebase for master). Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 345 Hide Add/Delete buttons in self-service mode.
Users do not have add/delete permission in self-service mode, so the search facet was modified to hide the Add/Delete buttons. Ticket #2188 -- Endi S. Dewata From 7eb8e5a383d69b7b490d4e480a705c5efed6fb34 Mon Sep 17 00:00:00 2001 From: Endi Sukma Dewata edew...@redhat.com Date: Tue, 31 Jan 2012 10:44:34 -0600 Subject: [PATCH] Hide Add/Delete buttons in self-service mode. Users do not have add/delete permission in self-service mode, so the search facet was modified to hide the Add/Delete buttons. Ticket #2188 --- install/ui/search.js |7 +++ 1 files changed, 7 insertions(+), 0 deletions(-) diff --git a/install/ui/search.js b/install/ui/search.js index 4f26c0407f55b758bc32b3df899bd5af72d6ba29..30b4d3dd0a378e0855c4b7ccb41c14d63a199006 100644 --- a/install/ui/search.js +++ b/install/ui/search.js @@ -114,6 +114,13 @@ IPA.search_facet = function(spec) { return false; } }).appendTo(that.controls); + +var self_service = IPA.nav.name === 'self-service'; + +if (self_service) { +that.remove_button.css('display', 'none'); +that.add_button.css('display', 'none'); +} }; that.show = function() { -- 1.7.7.1.msysgit.0
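Review bot: hiding the Add/Delete buttons with `css('display', 'none')` is presentation only; the buttons, their click handlers and the add/remove dialogs are still created in the facet, so the server's permission checks remain the actual authorization boundary and the commit message should describe the change as cosmetic rather than as enforcing the missing permission. The `IPA.nav.name === 'self-service'` literal is also compared inline inside create(), which runs once per facet; a shared helper (something like an `IPA.is_self_service()` function, a hypothetical name) would keep the string out of each facet and make the test consistent wherever else self-service mode is checked.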
[Freeipa-devel] [PATCH] 346 Use fixed font when displaying certificate.
The textareas used to display certificates were modified to use fixed font. Ticket #2017 -- Endi S. Dewata From 7e810c16bd76ef605d61a1bb2f2b8e27f753a5fc Mon Sep 17 00:00:00 2001 From: Endi Sukma Dewata edew...@redhat.com Date: Tue, 31 Jan 2012 11:31:22 -0600 Subject: [PATCH] Use fixed font when displaying certificate. The textareas used to display certificates were modified to use fixed font. Ticket #2017 --- install/ui/certificate.js | 20 ++-- install/ui/ipa.css|6 ++ 2 files changed, 16 insertions(+), 10 deletions(-) diff --git a/install/ui/certificate.js b/install/ui/certificate.js index 70533c14d5de21684ff3839f289158accefc5dc7..9645aad397ee1ee10f2d3751c560575af28e18de 100755 --- a/install/ui/certificate.js +++ b/install/ui/certificate.js @@ -173,7 +173,7 @@ IPA.cert.download_dialog = function(spec) { var that = IPA.dialog(spec); that.width = spec.width || 500; -that.height = spec.height || 400; +that.height = spec.height || 380; that.add_pem_delimiters = typeof spec.add_pem_delimiters == 'undefined' ? true : spec.add_pem_delimiters; that.certificate = spec.certificate || ''; @@ -188,8 +188,8 @@ IPA.cert.download_dialog = function(spec) { that.create = function() { var textarea = $('textarea/', { -readonly: 'yes', -style: 'width: 100%; height: 275px;' +'class': 'certificate', +readonly: 'yes' }).appendTo(that.container); var certificate = that.certificate; @@ -438,7 +438,7 @@ IPA.cert.request_dialog = function(spec) { var that = IPA.dialog(spec); that.width = spec.width || 600; -that.height = spec.height || 450; +that.height = spec.height || 480; that.message = spec.message; that.request = spec.request; @@ -470,7 +470,7 @@ IPA.cert.request_dialog = function(spec) { that.container.append(that.message); that.textarea = $('textarea/', { -style: 'width: 100%; height: 225px;' +'class': 'certificate' }).appendTo(that.container); }; 
@@ -732,16 +732,16 @@ IPA.cert.status_widget = function(spec) { }; function set_status(status, revocation_reason) { -that.status_valid.css('display', status == IPA.cert.CERTIFICATE_STATUS_VALID ? 'inline' : 'none'); -that.status_missing.css('display', status == IPA.cert.CERTIFICATE_STATUS_MISSING ? 'inline' : 'none'); +that.status_valid.css('display', status == IPA.cert.CERTIFICATE_STATUS_VALID ? '' : 'none'); +that.status_missing.css('display', status == IPA.cert.CERTIFICATE_STATUS_MISSING ? '' : 'none'); if (!that.is_selfsign()) { -that.status_revoked.css('display', status == IPA.cert.CERTIFICATE_STATUS_REVOKED ? 'inline' : 'none'); -that.revoke_button.css('display', status == IPA.cert.CERTIFICATE_STATUS_VALID ? 'inline' : 'none'); +that.status_revoked.css('display', status == IPA.cert.CERTIFICATE_STATUS_REVOKED ? '' : 'none'); +that.revoke_button.css('display', status == IPA.cert.CERTIFICATE_STATUS_VALID ? '' : 'none'); var reason = IPA.cert.CRL_REASON[revocation_reason]; that.revocation_reason.html(revocation_reason === undefined || reason === null ? '' : IPA.messages.objects.cert[reason]); -that.restore_button.css('display', reason == 'certificate_hold' ? 'inline' : 'none'); +that.restore_button.css('display', reason == 'certificate_hold' ? '' : 'none'); } } diff --git a/install/ui/ipa.css b/install/ui/ipa.css index 1d754ea8398059ec9f98a747b5143e033a7762a4..ab61e8672c0236d409806276ebc6ff031dd0c678 100644 --- a/install/ui/ipa.css +++ b/install/ui/ipa.css @@ -1058,6 +1058,12 @@ span.main-separator{ .strikethrough { text-decoration: line-through; } +textarea.certificate { +font-family: Courier New; +width: 100%; +height: 250px; +} + table.certificate-status { line-height: 2; } -- 1.7.7.1.msysgit.0
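Review bot: in the status_widget hunk switching from 'inline' to '' correctly hands display back to the stylesheet, but the unchanged line just below, `var reason = IPA.cert.CRL_REASON[revocation_reason];` followed by the `reason === null` test, never catches an unknown reason code, because an out-of-range index yields undefined rather than null and `IPA.messages.objects.cert[undefined]` is what then gets rendered; while these lines are being touched, test for `reason === undefined` (or simply `!reason`) as well.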
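Review bot: in the ipa.css hunk `font-family: Courier New;` names a single font with no generic fallback, so on a host without Courier New the textarea drops back to the browser's default proportional font and the alignment the ticket asks for is lost again; suggest `font-family: "Courier New", Courier, monospace;`.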
[Freeipa-devel] Fwd: Miroslav we need some policy for IPA back ported to F16 and RHEL6.
FYI, selinux policy for ipa memcached is being worked on ... Original Message Subject: Miroslav we need some policy for IPA back ported to F16 and RHEL6. Date: Tue, 31 Jan 2012 17:00:17 -0500 From: Daniel J Walsh dwa...@redhat.com To: Miroslav Grepl mgr...@redhat.com CC: John Dennis jden...@redhat.com f322c5c3685ac8e9c3e86c24f63ad78887be7a9b Basically we probably want all of memcached policy and the apache parts of this patch.
[Freeipa-devel] [PATCH] 937 configure /etc/openldap/ldap.conf
Configure the openldap configuration file with the basics for IPA. This is mostly to make querying with StartTLS easier but it does make ldapsearch a lot nicer in general. I got a little carried away with the man page. I wanted to include that we were updating yet another configuration file and found no FILES section at all so I added one. I think I caught every file we update, it is the bulk in any case. rob From 48d08f533fdbd1266f02c2412b4a15d9aa3b9af5 Mon Sep 17 00:00:00 2001 From: Rob Crittenden rcrit...@redhat.com Date: Tue, 31 Jan 2012 22:44:20 -0500 Subject: [PATCH] Configure a basic ldap.conf for OpenLDAP in /etc/openldap/ldap.conf Set URI, BASE and TLS_CACERT Also update the man page to include a list of files that the client changes. https://fedorahosted.org/freeipa/ticket/1810 Add list of files --- ipa-client/ipa-install/ipa-client-install | 19 ipa-client/man/ipa-client-install.1 | 34 - 2 files changed, 52 insertions(+), 1 deletions(-) diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index f2f4973fb365dcc11ee1db484fac791fbf765dd8..f50b391a85fb8d739c56757480fb24989b3c1dbb 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install 
@@ -529,6 +529,22 @@ def configure_nslcd_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, return (0, 'NSLCD', ', '.join(files)) +def configure_openldap_conf(fstore, cli_basedn, cli_server): +ldapconf = ipaclient.ipachangeconf.IPAChangeConf(IPA Installer) +ldapconf.setOptionAssignment( ) + +opts = [{'name':'comment', 'type':'comment', 'value':'File modified by ipa-client-install'}, +{'name':'empty', 'type':'empty'}, +{'name':'URI', 'type':'option', 'value':'ldaps://'+ cli_server}, +{'name':'BASE', 'type':'option', 'value':cli_basedn}, +{'name':'TLS_CACERT', 'type':'option', 'value':'/etc/ipa/ca.crt'}, +{'name':'empty', 'type':'empty'}] + +target_fname = '/etc/openldap/ldap.conf' +fstore.backup_file(target_fname) +ldapconf.newConf(target_fname, opts) +os.chmod(target_fname, 0644) + def hardcode_ldap_server(cli_server): DNS Discovery didn't return a valid IPA server, hardcode a value into @@ -1222,6 +1238,9 @@ def install(options, env, fstore, statestore): if conf: print %s configured using configuration file(s) %s % (conf, filename) +configure_openldap_conf(fstore, cli_basedn, cli_server) +print Configured /etc/openldap/ldap.conf + #Check that nss is working properly if not options.on_master: n = 0 diff --git a/ipa-client/man/ipa-client-install.1 b/ipa-client/man/ipa-client-install.1 index 6f5e0fc4590f69163573798ae80f839179e7df77..0926df4c1981b84c9b9001ad4deb44eca6c0021c 100644 --- a/ipa-client/man/ipa-client-install.1 +++ b/ipa-client/man/ipa-client-install.1 @@ -93,7 +93,7 @@ possible due to SSSDConfig reader encountering unsupported options, \fBipa\-client\-install\fR will not run further and ask to fix SSSD config first. When this option is not specified, \fBipa\-client\-install\fR will back up SSSD config and create new one. The back up version will be restored during -uninstall. +uninstall. .SS UNINSTALL OPTIONS .TP 
@@ -103,6 +103,38 @@ Remove the IPA client software and restore the configuration to the pre\-IPA sta \fB\-U\fR, \fB\-\-unattended\fR Unattended uninstallation. The user will not be prompted. +.SH FILES +.TP +Files that will be replaced if SSSD is configured (default): + +/etc/sssd/sssd.conf\p +.TP +Files that will be replaced if they exist and SSSD is not configured (\-\-no\-sssd): + +/etc/ldap.conf\p +/etc/nss_ldap.conf\p +/etc/libnss\-ldap.conf\p +/etc/pam_ldap.conf\p +/etc/nslcd.conf\p +.TP +Files replaced if NTP is enabled: + +/etc/ntp.conf\p +/etc/sysconfig/ntpd\p +/etc/ntp/step\-tickers\p +/etc/sysconfig/ntpd +.TP +Files always created (replacing existing content): + +/etc/ipa/ca.crt\p +/etc/ipa/default.conf\p +/etc/openldap/ldap.conf\p +.TP +Files updated, existing content is maintained: + +/etc/pki/nssdb\p +/etc/krb5.keytab\p +/etc/sysconfig/network\p .SH EXIT STATUS 0 if the installation was successful -- 1.7.6
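Review bot: in the `configure_openldap_conf` hunk `URI` is set to `ldaps://` + cli_server, which is LDAP over TLS on port 636, while the patch description says the aim is to make StartTLS queries easier; StartTLS upgrades a plain `ldap://` connection (ldapsearch -ZZ), so either the scheme here or the description should change, and the choice should match what the IPA directory server actually listens on. The function also writes /etc/openldap/ldap.conf unconditionally: if the openldap client package is absent the directory may not exist and `ldapconf.newConf` will raise after `fstore.backup_file` has run, aborting the install with other files already changed; guard on the directory existing (or catch the error and print a warning) and confirm that uninstall restores the original through the fstore backup. The 0644 mode is fine, the file holds no secrets.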
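Review bot: in the man page FILES hunk `/etc/sysconfig/ntpd` is listed twice under "Files replaced if NTP is enabled" (once with `\p`, once without); drop the second copy. The earlier `-uninstall.`/`+uninstall.` hunk changes only trailing whitespace and can be left out of this patch.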