[Freeipa-devel] 389-ds-base-1.2.11.14 is available in testing

2012-09-07 Thread Rich Megginson

This should fix the problem with CLEANALLRUV and winsync agreements

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH] 205 Reflect API change of SSH store in Web UI

2012-09-07 Thread Rob Crittenden

Endi Sukma Dewata wrote:

On 9/5/2012 3:14 AM, Petr Vobornik wrote:

Format of ipasshpubkey in users and hosts changed from BYTES to STR. Web
UI no longer gets the value as base64 encoded string in an object.

Label was changed to reflect that the key doesn't have to be a plain base64
encoded blob.

https://fedorahosted.org/freeipa/ticket/2989

Note: freeipa-jcholast-83-openssh-style-public-keys.patch should be
applied


ACK.

Possible improvements:

1. Right now if you click 'Add' SSH public key you'd have to click
'Show/Set key' to enter the value. We probably could make it such that
when you click 'Add' it will open the input dialog immediately. This way
we can avoid an incomplete state where a slot for a new key is added but
it's empty.

2. If we do #1 the 'New: key set/not set' label can be changed to 'New
key'. The 'Modified' can be changed to 'Modified key'.

3. The 'Show/Set key' probably can be changed to 'View/Edit' to be more
consistent with host/service certificate.



pushed to ipa-3-0 and master

rob



Re: [Freeipa-devel] [PATCH] 83 Use OpenSSH-style public keys as the preferred format of SSH public keys

2012-09-07 Thread Rob Crittenden

Jan Cholasta wrote:

On 6 Sep 2012 17:47, Jan Cholasta wrote:

On 5 Sep 2012 22:57, Rob Crittenden wrote:

Jan Cholasta wrote:

Hi,

this patch changes the format of the sshpubkey parameter to the format
used by OpenSSH (see sshd(8)).

Public keys in the old format (raw RFC 4253 blob) are automatically
converted to OpenSSH-style public keys. OpenSSH-style public keys are
now stored in LDAP.

Changed sshpubkeyfp to be an output parameter, as that is what it
actually is.

Allow parameter normalizers to be used on values of any type, not just
unicode, so that public key blobs (which are str) can be normalized to
OpenSSH-style public keys.

Note that you need a SSSD build including




(SSSD 1.9.0beta7-to-be) in order to make OpenSSH integration actually
work with OpenSSH-style public keys.




Honza


NACK.

I think a bunch of tests are needed for this.

Because you abstracted out the pubkey class it should be straightforward
to add a bunch of class-based unit tests on it.

There are also no user or host-based tests, either for adding or
managing keys.


Tests added.



I tested backwards compatibility with 2.2 and the initial tests are
mixed.

I installed 2.2 and created a 3.0 clone from it, including your patch.


Do people actually do that in real deployments?



I added a user in 3.0 with a key and it added ok, but on the 2.2 side it
returns the entire base64 encoded blob of key type, key and comment,
which I presume is unusable. At least things don't blow up.


The format of ipasshpubkey in LDAP has changed, so there's not much I
can do about this.



The reverse works fine. An old-style key added to 2.2 appears to work
fine in 3.0, we just lack a comment.

On the 2.2 server:

$ ipa user-show tuser1 --all | grep -i ssh
  Base-64 encoded SSH public key: c3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFCQVFDNUQyRTI2dHU5YXM2cHhlUVlSdUgzelYyUDUzMjFpR1U5aC9XNElpd0tGSGlOc2p5cXFyemhCUFB3am83dGlYRDlHbUo1M25KS21OTGd0K01XUnFTZEx2R0V3NjM3SkVTWEpGL0VWeUxvZEFWRGltdXFRVkNLWjBRcm1kYjErRUg1VGRrd3ByOExyd0g1a0RzMEVpcGc2c0xoRUZ5NzMvaXNjRkJqcmk0NGxSU1BZNXFHTWFLOVE0cjY1WFEyaytlZ1RDQnBNZnc0b0J6Mzh0ZHVEVVE2bW9XNFhQSnhZeWJ3MGFDMnRUK2RBOU42WndFSFZXREUzdzg0bHRHa0JRZFRaKzViRnBFdlladm9PbkZXdDlNZFIzYVd6UklnY1o5VDlySDFFT2Z3eE5zWVRCLzRjTmg3dS9adGxnMVV0Z1VteWN3TkpMTUYrMTNzNTl2OFFpSFogcmNyaXRAZWRzZWwuZ3JleW9hay5jb20=

$ python
Python 2.7.3 (default, Jul 24 2012, 10:05:38)
[GCC 4.7.0 20120507 (Red Hat 4.7.0-5)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import base64
>>> s = 'c3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFCQVFDNUQyRTI2dHU5YXM2cHhlUVlSdUgzelYyUDUzMjFpR1U5aC9XNElpd0tGSGlOc2p5cXFyemhCUFB3am83dGlYRDlHbUo1M25KS21OTGd0K01XUnFTZEx2R0V3NjM3SkVTWEpGL0VWeUxvZEFWRGltdXFRVkNLWjBRcm1kYjErRUg1VGRrd3ByOExyd0g1a0RzMEVpcGc2c0xoRUZ5NzMvaXNjRkJqcmk0NGxSU1BZNXFHTWFLOVE0cjY1WFEyaytlZ1RDQnBNZnc0b0J6Mzh0ZHVEVVE2bW9XNFhQSnhZeWJ3MGFDMnRUK2RBOU42WndFSFZXREUzdzg0bHRHa0JRZFRaKzViRnBFdlladm9PbkZXdDlNZFIzYVd6UklnY1o5VDlySDFFT2Z3eE5zWVRCLzRjTmg3dS9adGxnMVV0Z1VteWN3TkpMTUYrMTNzNTl2OFFpSFogcmNyaXRAZWRzZWwuZ3JleW9hay5jb20='
>>> base64.b64decode(s)
'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC5D2E26tu9as6pxeQYRuH3zV2P5321iGU9h/W4IiwKFHiNsjyqqrzhBPPwjo7tiXD9GmJ53nJKmNLgt+MWRqSdLvGEw637JESXJF/EVyLodAVDimuqQVCKZ0Qrmdb1+EH5Tdkwpr8LrwH5kDs0Eipg6sLhEFy73/iscFBjri44lRSPY5qGMaK9Q4r65XQ2k+egTCBpMfw4oBz38tduDUQ6moW4XPJxYybw0aC2tT+dA9N6ZwEHVWDE3w84ltGkBQdTZ+5bFpEvYZvoOnFWt9MdR3aWzRIgcZ9T9rH1EOfwxNsYTB/4cNh7u/Ztlg1UtgUmycwNJLMF+13s59v8QiHZ rc...@edsel.greyoak.com'

Now show an old style key:

$ ipa user-show tuser2 --all | grep -i ssh
  Base-64 encoded SSH public key: AAAAB3NzaC1yc2EAAAADAQABAAABAQCbRLyizFGyfucNRnHpWdUG8dBD7W2PfvTQ42k+LmAdUFudTytO89oTRXcVEYMDL42OyRth12JRMUjYTEmFwo9a9Mb7cP8+bo7N2lV4iCB0CUybcZARF0MV6NeYhhWlC9DV40nkqs3Goe8X8tMPXn/HZn8Rz33703w8K/G6STnN0txhAT4tY7D3e0DA9UY87wNnpJ7dXoJqMXRv2dRgmUnGih/8cLHypyxBoLoL8qR9cWxAf/Cs+qQmsk15lzIGQUAJwwXBBjbnXKwykEeHjTHsvjd7zzC1cWtz5Zz/8aop7AsVwaBqb9u+5dVOMxdzLGD24NKTjhtG86ADU4Mpnlb5




rob


Updated patch attached.

Honza



Rebased patch attached.

Honza



ACK.

I merged in a change that adds e-mail to one test and pushed to master 
and ipa-3-0.


rob
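The thread above turns on three encodings of the same key: the 2.2 value (base64 of the raw RFC 4253 blob), the 3.0 value (`ssh-rsa <base64 blob> comment`), and the double-encoded string a 2.2 server prints for a key that a 3.0 replica stored, which is what Rob's `base64.b64decode(s)` session unpacks. The following is an added example written for this page, not FreeIPA's own `sshpubkey` normalizer: it parses the blob, maps all three forms onto the OpenSSH-style form, and derives a fingerprint. It assumes a two-entry key-type list and the MD5 colon-form fingerprint that `ssh-keygen -l` printed at the time; the sample key is a constructed toy ssh-rsa blob, not a real key.

```python
import base64
import binascii
import hashlib
import struct

# Key types this example recognises (assumption: the list FreeIPA accepted is not on
# the page; these are the two OpenSSH type names in common use in 2012).
KEY_TYPES = ("ssh-rsa", "ssh-dss")


def _ssh_string(data):
    """RFC 4251 'string': big-endian uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n):
    """RFC 4251 'mpint' of a non-negative int; the extra byte keeps the sign bit clear."""
    raw = b"" if n == 0 else n.to_bytes((n.bit_length() + 8) // 8, "big")
    return _ssh_string(raw)


def parse_blob(blob):
    """Split an RFC 4253 public key blob into its length-prefixed fields.

    Raises ValueError on truncation or an empty blob; that is also how the ASCII text
    of an OpenSSH-style key is rejected (its first 4 bytes read as a huge length).
    """
    fields, off = [], 0
    while off < len(blob):
        if off + 4 > len(blob):
            raise ValueError("truncated length prefix")
        (length,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        if off + length > len(blob):
            raise ValueError("field runs past the end of the blob")
        fields.append(blob[off:off + length])
        off += length
    if not fields:
        raise ValueError("empty blob")
    return fields


def _b64decode_strict(text):
    """base64 decode that rejects non-alphabet characters and bad padding."""
    try:
        return base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("not valid base64: %s" % exc) from None


def normalize_sshpubkey(value, _depth=0):
    """Return '<type> <base64 blob> [comment]' for a key given in any of three forms:
    OpenSSH-style (3.0), a bare base64 RFC 4253 blob (2.2), or base64 of the
    OpenSSH-style text, which is what 2.2 shows for a key stored by 3.0."""
    parts = value.split(None, 2)
    if not parts:
        raise ValueError("empty key")
    if len(parts) >= 2:                          # '<type> <blob> [comment]'
        keytype, b64 = parts[0], parts[1]
        comment = parts[2].strip() if len(parts) == 3 else ""
        blob = _b64decode_strict(b64)
        if parse_blob(blob)[0] != keytype.encode("ascii"):
            raise ValueError("type prefix %r does not match the blob" % keytype)
        key = "%s %s" % (keytype, base64.b64encode(blob).decode("ascii"))
        return key + (" " + comment if comment else "")
    blob = _b64decode_strict(parts[0])            # single token: old blob or double-encoded
    try:
        keytype = parse_blob(blob)[0].decode("ascii")
    except ValueError:                            # UnicodeDecodeError is a ValueError
        keytype = None
    if keytype in KEY_TYPES:
        return "%s %s" % (keytype, base64.b64encode(blob).decode("ascii"))
    if _depth == 0:                               # unwrap one level of extra base64 only
        try:
            return normalize_sshpubkey(blob.decode("ascii"), _depth + 1)
        except (UnicodeDecodeError, ValueError):
            pass
    raise ValueError("unrecognised SSH public key encoding")


def is_valid_sshpubkey(value):
    """True if normalize_sshpubkey() accepts the value."""
    try:
        normalize_sshpubkey(value)
        return True
    except ValueError:
        return False


def fingerprint(openssh_key):
    """MD5 of the blob as colon-separated hex, the form ssh-keygen -l printed at the
    time (assumption: IPA's sshpubkeyfp used the same digest)."""
    digest = hashlib.md5(base64.b64decode(openssh_key.split()[1])).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


# Constructed toy ssh-rsa blob (e=65537, tiny modulus): not a usable key, it only
# exercises the encoding; the keys in the thread are 2048-bit.
SAMPLE_BLOB = _ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint(0xC0FFEE1234567891)
OLD_STYLE = base64.b64encode(SAMPLE_BLOB).decode("ascii")                    # 2.2 storage
NEW_STYLE = "ssh-rsa %s tuser1@example.test" % OLD_STYLE                   # 3.0 storage
DOUBLE_ENCODED = base64.b64encode(NEW_STYLE.encode("ascii")).decode("ascii")  # 2.2's view of 3.0 data

if __name__ == "__main__":
    for label, value in (("old", OLD_STYLE), ("new", NEW_STYLE), ("double", DOUBLE_ENCODED)):
        key = normalize_sshpubkey(value)
        print("%-6s -> %s  [%s]" % (label, key, fingerprint(key)))
```

Run as a script it prints the three inputs normalized to the same OpenSSH-style value with one fingerprint; `normalize_sshpubkey` refuses a type prefix that disagrees with the blob, and anything that is neither a blob nor base64 of an OpenSSH-style line. The old-style input comes back without a comment, which is the "we just lack a comment" Rob observed.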



Re: [Freeipa-devel] [PATCH] 1048 update certificate renewal scripts

2012-09-07 Thread Rob Crittenden

Jan Cholasta wrote:

On 24 Aug 2012 23:52, Rob Crittenden wrote:

A couple of issues were found in the CA renewal scripts. The api wasn't
being initialized so restart_dirsrv() didn't have access to
api.env.startup_timeout()


I believe it was I who misled you into removing it when I reviewed the
original CA renewal patch. Sorry :-)



A cert was missing from our list of certs to translate into CS.cfg
directives.

rob



ACK.

Honza



pushed to master and ipa-3-0



Re: [Freeipa-devel] [PATCH] 1048 update certificate renewal scripts

2012-09-07 Thread Jan Cholasta

On 24 Aug 2012 23:52, Rob Crittenden wrote:

A couple of issues were found in the CA renewal scripts. The api wasn't
being initialized so restart_dirsrv() didn't have access to
api.env.startup_timeout()


I believe it was I who misled you into removing it when I reviewed the
original CA renewal patch. Sorry :-)




A cert was missing from our list of certs to translate into CS.cfg
directives.

rob



ACK.

Honza

--
Jan Cholasta



Re: [Freeipa-devel] [PATCH] 83 Use OpenSSH-style public keys as the preferred format of SSH public keys

2012-09-07 Thread Jan Cholasta

On 6 Sep 2012 17:47, Jan Cholasta wrote:

On 5 Sep 2012 22:57, Rob Crittenden wrote:

Jan Cholasta wrote:

Hi,

this patch changes the format of the sshpubkey parameter to the format
used by OpenSSH (see sshd(8)).

Public keys in the old format (raw RFC 4253 blob) are automatically
converted to OpenSSH-style public keys. OpenSSH-style public keys are
now stored in LDAP.

Changed sshpubkeyfp to be an output parameter, as that is what it
actually is.

Allow parameter normalizers to be used on values of any type, not just
unicode, so that public key blobs (which are str) can be normalized to
OpenSSH-style public keys.

Note that you need a SSSD build including



(SSSD 1.9.0beta7-to-be) in order to make OpenSSH integration actually
work with OpenSSH-style public keys.




Honza


NACK.

I think a bunch of tests are needed for this.

Because you abstracted out the pubkey class it should be straightforward
to add a bunch of class-based unit tests on it.

There are also no user or host-based tests, either for adding or
managing keys.


Tests added.



I tested backwards compatibility with 2.2 and the initial tests are
mixed.

I installed 2.2 and created a 3.0 clone from it, including your patch.


Do people actually do that in real deployments?



I added a user in 3.0 with a key and it added ok, but on the 2.2 side it
returns the entire base64 encoded blob of key type, key and comment,
which I presume is unusable. At least things don't blow up.


The format of ipasshpubkey in LDAP has changed, so there's not much I
can do about this.



The reverse works fine. An old-style key added to 2.2 appears to work
fine in 3.0, we just lack a comment.

On the 2.2 server:

$ ipa user-show tuser1 --all | grep -i ssh
  Base-64 encoded SSH public key: c3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFCQVFDNUQyRTI2dHU5YXM2cHhlUVlSdUgzelYyUDUzMjFpR1U5aC9XNElpd0tGSGlOc2p5cXFyemhCUFB3am83dGlYRDlHbUo1M25KS21OTGd0K01XUnFTZEx2R0V3NjM3SkVTWEpGL0VWeUxvZEFWRGltdXFRVkNLWjBRcm1kYjErRUg1VGRrd3ByOExyd0g1a0RzMEVpcGc2c0xoRUZ5NzMvaXNjRkJqcmk0NGxSU1BZNXFHTWFLOVE0cjY1WFEyaytlZ1RDQnBNZnc0b0J6Mzh0ZHVEVVE2bW9XNFhQSnhZeWJ3MGFDMnRUK2RBOU42WndFSFZXREUzdzg0bHRHa0JRZFRaKzViRnBFdlladm9PbkZXdDlNZFIzYVd6UklnY1o5VDlySDFFT2Z3eE5zWVRCLzRjTmg3dS9adGxnMVV0Z1VteWN3TkpMTUYrMTNzNTl2OFFpSFogcmNyaXRAZWRzZWwuZ3JleW9hay5jb20=

$ python
Python 2.7.3 (default, Jul 24 2012, 10:05:38)
[GCC 4.7.0 20120507 (Red Hat 4.7.0-5)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import base64
>>> s = 'c3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFCQVFDNUQyRTI2dHU5YXM2cHhlUVlSdUgzelYyUDUzMjFpR1U5aC9XNElpd0tGSGlOc2p5cXFyemhCUFB3am83dGlYRDlHbUo1M25KS21OTGd0K01XUnFTZEx2R0V3NjM3SkVTWEpGL0VWeUxvZEFWRGltdXFRVkNLWjBRcm1kYjErRUg1VGRrd3ByOExyd0g1a0RzMEVpcGc2c0xoRUZ5NzMvaXNjRkJqcmk0NGxSU1BZNXFHTWFLOVE0cjY1WFEyaytlZ1RDQnBNZnc0b0J6Mzh0ZHVEVVE2bW9XNFhQSnhZeWJ3MGFDMnRUK2RBOU42WndFSFZXREUzdzg0bHRHa0JRZFRaKzViRnBFdlladm9PbkZXdDlNZFIzYVd6UklnY1o5VDlySDFFT2Z3eE5zWVRCLzRjTmg3dS9adGxnMVV0Z1VteWN3TkpMTUYrMTNzNTl2OFFpSFogcmNyaXRAZWRzZWwuZ3JleW9hay5jb20='
>>> base64.b64decode(s)
'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC5D2E26tu9as6pxeQYRuH3zV2P5321iGU9h/W4IiwKFHiNsjyqqrzhBPPwjo7tiXD9GmJ53nJKmNLgt+MWRqSdLvGEw637JESXJF/EVyLodAVDimuqQVCKZ0Qrmdb1+EH5Tdkwpr8LrwH5kDs0Eipg6sLhEFy73/iscFBjri44lRSPY5qGMaK9Q4r65XQ2k+egTCBpMfw4oBz38tduDUQ6moW4XPJxYybw0aC2tT+dA9N6ZwEHVWDE3w84ltGkBQdTZ+5bFpEvYZvoOnFWt9MdR3aWzRIgcZ9T9rH1EOfwxNsYTB/4cNh7u/Ztlg1UtgUmycwNJLMF+13s59v8QiHZ rc...@edsel.greyoak.com'

Now show an old style key:

$ ipa user-show tuser2 --all | grep -i ssh
  Base-64 encoded SSH public key: AAAAB3NzaC1yc2EAAAADAQABAAABAQCbRLyizFGyfucNRnHpWdUG8dBD7W2PfvTQ42k+LmAdUFudTytO89oTRXcVEYMDL42OyRth12JRMUjYTEmFwo9a9Mb7cP8+bo7N2lV4iCB0CUybcZARF0MV6NeYhhWlC9DV40nkqs3Goe8X8tMPXn/HZn8Rz33703w8K/G6STnN0txhAT4tY7D3e0DA9UY87wNnpJ7dXoJqMXRv2dRgmUnGih/8cLHypyxBoLoL8qR9cWxAf/Cs+qQmsk15lzIGQUAJwwXBBjbnXKwykEeHjTHsvjd7zzC1cWtz5Zz/8aop7AsVwaBqb9u+5dVOMxdzLGD24NKTjhtG86ADU4Mpnlb5



rob


Updated patch attached.

Honza



Rebased patch attached.

Honza

--
Jan Cholasta
From d1fdf351cf33346455d2cbc8bb7e907fac909c86 Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Mon, 3 Sep 2012 09:33:30 -0400
Subject: [PATCH] Use OpenSSH-style public keys as the preferred format of SSH
 public keys.

Public keys in the old format (raw RFC 4253 blob) are automatically converted
to OpenSSH-style public keys. OpenSSH-style public keys are now stored in LDAP.

Changed sshpubkeyfp to be an output parameter, as that is what it actually is.

Allow parameter normalizers to be used on values of any type, not just unicode,
so that public key blobs (which are str) can be normalized to OpenSSH-style
public keys.

ticket 2932, 2935
---
 API.txt   |   8 +-
 VERSION   |   2 +-
 

Re: [Freeipa-devel] [PATCHES] Various fixes for trust and range CLI

2012-09-07 Thread Martin Kosek
On Thu, 2012-09-06 at 16:50 +0200, Petr Vobornik wrote:
> On 09/06/2012 01:39 PM, Sumit Bose wrote:
> > Hi,
> >
> > this series of patches touches couple of tickets related to the trust
> > and (id)range CLI. I post them together because some of them depend on
> > each other. I already rebased them on Martin's "Add range safety check
> > for range_mod and range_del" patch which I'm currently reviewing.
> >
> > bye,
> > Sumit
> >
> >
> 
> ACK for the UI changes in patch 60.
> 
> There is a minor issue in ipa_init_objects.json and 
> ipa_init_command.json files: Labels aren't changed so there are still 
> 'Ranges' instead of 'ID ranges'. I don't think it matters because it 
> doesn't affect actual functionality and I will definitely regenerate 
> those files sometime in a future. They are only for developer and 
> related purposes.

Ok, I will leave the UI patch as is, it is ok to have the label
regenerated later.

ACK for the rest of the patches. Pushed them all to master, ipa-3-0.

Martin



Re: [Freeipa-devel] [PATCH] 306 Cast DNS SOA serial maximum boundary to long

2012-09-07 Thread Rob Crittenden

Martin Kosek wrote:

This will fix i386 builds where the SOA serial value written
in API.txt was already of a long type while on x86_64 it was still
of an int type.

--

I verified that IPA now builds both on i386 and x86_64 platforms.

Martin


ACK



Re: [Freeipa-devel] [PATCH] 306 Cast DNS SOA serial maximum boundary to long

2012-09-07 Thread Martin Kosek
On Fri, 2012-09-07 at 09:38 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > This will fix i386 builds where the SOA serial value written
> > in API.txt was already of a long type while on x86_64 it was still
> > of an int type.
> >
> > --
> >
> > I verified that IPA now builds both on i386 and x86_64 platforms.
> >
> > Martin
> 
> ACK
> 

Pushed to master, ipa-3-0.

Martin



[Freeipa-devel] [PATCH] 306 Cast DNS SOA serial maximum boundary to long

2012-09-07 Thread Martin Kosek
This will fix i386 builds where the SOA serial value written
in API.txt was already of a long type while on x86_64 it was still
of an int type.

--

I verified that IPA now builds both on i386 and x86_64 platforms.

Martin
From f1b9ea16d7fcc562e7a8a9d65a771971375dd5d2 Mon Sep 17 00:00:00 2001
From: Martin Kosek 
Date: Fri, 7 Sep 2012 14:46:41 +0200
Subject: [PATCH] Cast DNS SOA serial maximum boundary to long

This will fix i386 builds where the SOA serial value written
in API.txt was already of a long type while on x86_64 it was still
of an int type.
---
 API.txt   | 6 +++---
 ipalib/plugins/dns.py | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/API.txt b/API.txt
index cfdfaae708b0ef93c9d4cad603de68d69875d1a7..ced63ad11cb30de4fe011d1e091662f7105a1d6c 100644
--- a/API.txt
+++ b/API.txt
@@ -1014,7 +1014,7 @@ arg: Str('idnsname', attribute=True, cli_name='name', multivalue=False, primary_
 option: Str('name_from_ip', attribute=False, cli_name='name_from_ip', multivalue=False, required=False)
 option: Str('idnssoamname', attribute=True, cli_name='name_server', multivalue=False, required=True)
 option: Str('idnssoarname', attribute=True, cli_name='admin_email', multivalue=False, required=True)
-option: Int('idnssoaserial', attribute=True, autofill=True, cli_name='serial', maxvalue=4294967295, minvalue=1, multivalue=False, required=True)
+option: Int('idnssoaserial', attribute=True, autofill=True, cli_name='serial', maxvalue=4294967295L, minvalue=1, multivalue=False, required=True)
 option: Int('idnssoarefresh', attribute=True, autofill=True, cli_name='refresh', default=3600, maxvalue=2147483647, minvalue=0, multivalue=False, required=True)
 option: Int('idnssoaretry', attribute=True, autofill=True, cli_name='retry', default=900, maxvalue=2147483647, minvalue=0, multivalue=False, required=True)
 option: Int('idnssoaexpire', attribute=True, autofill=True, cli_name='expire', default=1209600, maxvalue=2147483647, minvalue=0, multivalue=False, required=True)
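Review bot: the only change in this hunk is the `L` suffix on `maxvalue=4294967295L`, and that is the whole bug: API.txt records the Python 2 `repr()` of the parameter, and on i386 `4294967295` exceeds `sys.maxint` and is already a `long` while on x86_64 it fits in an `int`, so the generated text differed per platform and the build-time API comparison failed on one of them. Forcing the constant to `long` in dns.py makes the repr identical everywhere, which is the right fix, but it is exactly the kind of thing a later cleanup will "tidy" back to `4294967295`; a one-line comment next to the cast in dns.py saying why the `L` matters would prevent a repeat. The value itself is correct for an SOA serial (2^32 - 1, an unsigned 32-bit field).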
@@ -1070,7 +1070,7 @@ option: Str('idnsname', attribute=True, autofill=False, cli_name='name', multiva
 option: Str('name_from_ip', attribute=False, autofill=False, cli_name='name_from_ip', multivalue=False, query=True, required=False)
 option: Str('idnssoamname', attribute=True, autofill=False, cli_name='name_server', multivalue=False, query=True, required=False)
 option: Str('idnssoarname', attribute=True, autofill=False, cli_name='admin_email', multivalue=False, query=True, required=False)
-option: Int('idnssoaserial', attribute=True, autofill=False, cli_name='serial', maxvalue=4294967295, minvalue=1, multivalue=False, query=True, required=False)
+option: Int('idnssoaserial', attribute=True, autofill=False, cli_name='serial', maxvalue=4294967295L, minvalue=1, multivalue=False, query=True, required=False)
 option: Int('idnssoarefresh', attribute=True, autofill=False, cli_name='refresh', default=3600, maxvalue=2147483647, minvalue=0, multivalue=False, query=True, required=False)
 option: Int('idnssoaretry', attribute=True, autofill=False, cli_name='retry', default=900, maxvalue=2147483647, minvalue=0, multivalue=False, query=True, required=False)
 option: Int('idnssoaexpire', attribute=True, autofill=False, cli_name='expire', default=1209600, maxvalue=2147483647, minvalue=0, multivalue=False, query=True, required=False)
@@ -1102,7 +1102,7 @@ arg: Str('idnsname', attribute=True, cli_name='name', multivalue=False, primary_
 option: Str('name_from_ip', attribute=False, autofill=False, cli_name='name_from_ip', multivalue=False, required=False)
 option: Str('idnssoamname', attribute=True, autofill=False, cli_name='name_server', multivalue=False, required=False)
 option: Str('idnssoarname', attribute=True, autofill=False, cli_name='admin_email', multivalue=False, required=False)
-option: Int('idnssoaserial', attribute=True, autofill=False, cli_name='serial', maxvalue=4294967295, minvalue=1, multivalue=False, required=False)
+option: Int('idnssoaserial', attribute=True, autofill=False, cli_name='serial', maxvalue=4294967295L, minvalue=1, multivalue=False, required=False)
 option: Int('idnssoarefresh', attribute=True, autofill=False, cli_name='refresh', default=3600, maxvalue=2147483647, minvalue=0, multivalue=False, required=False)
 option: Int('idnssoaretry', attribute=True, autofill=False, cli_name='retry', default=900, maxvalue=2147483647, minvalue=0, multivalue=False, required=False)
 option: Int('idnssoaexpire', attribute=True, autofill=False, cli_name='expire', default=1209600, maxvalue=2147483647, minvalue=0, multivalue=False, required=False)
diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py
index 8e297099446127817323c7b674548fa9877b4d0e..d71607f28c8d65296dda9b5a9d85d16ea5e99091 100644
--- a/ipalib/plugins/dns.py
+++ b/ipalib/plugins/dns.py
@@ -1585,7 +1585,7 @@ class dnszone(LDAPObject):
 label=_('SOA serial'),
 doc=_('SOA record serial number'),
 minvalue=1,
-max
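Review bot: the dns.py hunk is cut off after `-max` in this archive, so the replacement line is not visible; to match the three API.txt hunks it has to evaluate to a `long` on both architectures (`4294967295L` or `long(4294967295)`), and only `maxvalue` needs the treatment, since `minvalue=1` is an `int` on every platform. Please also carry the explanation from the commit message into a code comment at that line.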

[Freeipa-devel] [PATCH] 211 Prevent opening of multiple dirty dialogs on navigation

2012-09-07 Thread Petr Vobornik
Facets which perform an AJAX call after update refresh (clear the dirty state) 
after calling the callback of the dirty dialog. It might lead to multiple 
openings of the dirty dialog.


Assuming that calling the dirty dialog's callback can be evaluated as "dirty 
state is gone", we can call reset in the callback to prevent the issue. 
There will be an incorrect state in the facet for a moment. It will be 
fixed soon on execution of the callback of the refresh AJAX call. It is not an 
issue because it will happen in the background. The user will be looking at a 
different facet.


https://fedorahosted.org/freeipa/ticket/2667
--
Petr Vobornik
From 30f0c69ed718796806ccfc1dd1a4d9243980cb5f Mon Sep 17 00:00:00 2001
From: Petr Vobornik 
Date: Fri, 7 Sep 2012 14:24:58 +0200
Subject: [PATCH] Prevent opening of multiple dirty dialogs on navigation

Facets which perform an AJAX call after update refresh (clear the dirty state) after calling the callback of the dirty dialog. It might lead to multiple openings of the dirty dialog.

Assuming that calling the dirty dialog's callback can be evaluated as "dirty state is gone", we can call reset in the callback to prevent the issue. There will be an incorrect state in the facet for a moment. It will be fixed soon on execution of the callback of the refresh AJAX call. It is not an issue because it will happen in the background. The user will be looking at a different facet.

https://fedorahosted.org/freeipa/ticket/2667
---
 install/ui/navigation.js | 5 +
 1 file changed, 5 insertions(+)

diff --git a/install/ui/navigation.js b/install/ui/navigation.js
index 502b05490217e1c90b157ce4a242813e8e9968ab..deef37dd8a73128e5de2b3e9725e5161d5406b1c 100644
--- a/install/ui/navigation.js
+++ b/install/ui/navigation.js
@@ -134,6 +134,11 @@ IPA.navigation = function(spec) {
 });
 
 dialog.callback = function() {
+
+// Some facet's might not call reset before this call but after
+// so they are still dirty. Calling reset prevent's opening of
+// dirty dialog again.
+if (prev_facet.is_dirty()) prev_facet.reset();
 $.bbq.pushState(params);
 };
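Review bot: the comment in this hunk has two stray apostrophes (`facet's` should be `facets`, `prevent's` should be `prevents`). On the logic: `prev_facet.reset()` runs unconditionally once the user has confirmed the dirty dialog and before `$.bbq.pushState(params)` navigates away, so it discards the pending edits exactly when the user asked to leave, which is correct for this callback. It also means a facet whose refresh AJAX call is still in flight will briefly report a clean state while holding stale data, as the commit message acknowledges; a short comment here that the refresh callback reconciles that state would stop the next reader from filing it as a bug.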
 
-- 
1.7.11.4


[Freeipa-devel] [PATCH] Set master_kdc and dns_lookup_kdc to true

2012-09-07 Thread Sumit Bose
Hi,

those two patches should fix
https://fedorahosted.org/freeipa/ticket/2515 . The first makes the
needed change for fresh installations. The second adds the changes
during ipa-adtrust-install if needed. I prefer to do the changes here
instead of during updates, because during updates it is not easy to see
that the Kerberos configuration was changed.

bye,
Sumit
From af51c4e31fe691a05498c29d334b5958c60dface Mon Sep 17 00:00:00 2001
From: Sumit Bose 
Date: Thu, 16 Aug 2012 13:16:55 +0200
Subject: [PATCH 67/68] Set master_kdc and dns_lookup_kdc to true

---
 contrib/RHEL4/ipa-client-setup| 3 ++-
 install/share/krb5.conf.template  | 3 ++-
 install/share/krb5.ini.template   | 1 +
 install/tools/ipa-replica-conncheck   | 3 ++-
 ipa-client/ipa-install/ipa-client-install | 1 +
 5 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/contrib/RHEL4/ipa-client-setup b/contrib/RHEL4/ipa-client-setup
index 
1a8761036e1b7230b1524c45d565126ff73030b4..4d1fead981d0e10232e974527222a2f9a62252b4
 100644
--- a/contrib/RHEL4/ipa-client-setup
+++ b/contrib/RHEL4/ipa-client-setup
@@ -307,7 +307,7 @@ def main():
 #[libdefaults]
 libopts = [{'name':'default_realm', 'type':'option', 
'value':ipasrv.getRealmName()}]
 libopts.append({'name':'dns_lookup_realm', 'type':'option', 
'value':'false'})
-libopts.append({'name':'dns_lookup_kdc', 'type':'option', 
'value':'false'})
+libopts.append({'name':'dns_lookup_kdc', 'type':'option', 
'value':'true'})
 libopts.append({'name':'ticket_lifetime', 'type':'option', 
'value':'24h'})
 libopts.append({'name':'forwardable', 'type':'option', 'value':'yes'})
 
@@ -316,6 +316,7 @@ def main():
 
 #[realms]
 kropts =[{'name':'kdc', 'type':'option', 
'value':ipasrv.getServerName()+':88'},
+ {'name':'master_kdc', 'type':'option', 
'value':ipasrv.getServerName()+':88'},
  {'name':'admin_server', 'type':'option', 
'value':ipasrv.getServerName()+':749'},
  {'name':'default_domain', 'type':'option', 
'value':ipasrv.getDomainName()}]
 ropts = [{'name':ipasrv.getRealmName(), 'type':'subsection', 
'value':kropts}]
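Review bot: `master_kdc` is set to the same single host as `kdc`, the server this client enrolled against. MIT krb5 uses `master_kdc` for one purpose: when a KDC rejects a password or pre-authentication, the library retries against the master in case a recent password change has not replicated yet. In IPA every server is a writable master, so this line just nominates one arbitrary replica for that retry, and if that host is ever retired the retry silently goes nowhere. Acceptable as an install-time default, but it should be recorded somewhere (the same applies to the identical line in krb5.conf.template) that the client cannot keep this value current on its own.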
diff --git a/install/share/krb5.conf.template b/install/share/krb5.conf.template
index 
eda8ba6fe647d54d5feef1acda41c482b0dbcefa..f8b1a6f09868c55e47f21279b6d061fbd8251171
 100644
--- a/install/share/krb5.conf.template
+++ b/install/share/krb5.conf.template
@@ -6,7 +6,7 @@
 [libdefaults]
  default_realm = $REALM
  dns_lookup_realm = false
- dns_lookup_kdc = false
+ dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes
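Review bot: keeping `dns_lookup_realm = false` while flipping `dns_lookup_kdc` to `true` is the right split and deserves a comment in the template: host-to-realm mapping via DNS TXT records is the direction MIT documents as spoofable (whoever answers the TXT query can steer the client to a realm of their choosing), whereas SRV-based KDC discovery only selects which host to talk to. Note also that the explicit `kdc = $FQDN:88` in the `[realms]` stanza below means SRV records are never consulted for `$REALM` itself; MIT only falls back to DNS for realms that have no entries in krb5.conf, so this change alters behaviour only for realms without a stanza here.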
@@ -14,6 +14,7 @@
 [realms]
  $REALM = {
   kdc = $FQDN:88
+  master_kdc = $FQDN:88
   admin_server = $FQDN:749
   default_domain = $DOMAIN
   pkinit_anchors = FILE:/etc/ipa/ca.crt
diff --git a/install/share/krb5.ini.template b/install/share/krb5.ini.template
index 
89f4a370143ac0848b7eeed24085d897242595f1..01cc1369f518f8e903d175d5c41e40040eaa1784
 100644
--- a/install/share/krb5.ini.template
+++ b/install/share/krb5.ini.template
@@ -8,6 +8,7 @@
 $REALM = {
 admin_server = $FQDN
 kdc = $FQDN
+master_kdc = $FQDN
 default_domain = $REALM
 }
 
diff --git a/install/tools/ipa-replica-conncheck 
b/install/tools/ipa-replica-conncheck
index 
8e4536cf67cafb907a3e330607a81b4bc034015b..169e9dc9f1d28dcc7c36b09f4382b8948d5ae831
 100755
--- a/install/tools/ipa-replica-conncheck
+++ b/install/tools/ipa-replica-conncheck
@@ -177,7 +177,7 @@ def configure_krb5_conf(realm, kdc, filename):
 #[libdefaults]
 libdefaults = [{'name':'default_realm', 'type':'option', 'value':realm}]
 libdefaults.append({'name':'dns_lookup_realm', 'type':'option', 
'value':'false'})
-libdefaults.append({'name':'dns_lookup_kdc', 'type':'option', 
'value':'false'})
+libdefaults.append({'name':'dns_lookup_kdc', 'type':'option', 
'value':'true'})
 libdefaults.append({'name':'rdns', 'type':'option', 'value':'false'})
 libdefaults.append({'name':'ticket_lifetime', 'type':'option', 
'value':'24h'})
 libdefaults.append({'name':'forwardable', 'type':'option', 'value':'yes'})
@@ -188,6 +188,7 @@ def configure_krb5_conf(realm, kdc, filename):
 #the following are necessary only if DNS discovery does not work
 #[realms]
 realms_info =[{'name':'kdc', 'type':'option', 
'value':ipautil.format_netloc(kdc, 88)},
+ {'name':'master_kdc', 'type':'option', 
'value':ipautil.format_netloc(kdc, 88)},
  {'name':'admin_server', 'type':'option', 
'value':ipautil.format_netloc(kdc, 749)}]
 realms = [{'name':realm, 'type':'subsection', 'value':realms_info}]
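Review bot: the context comment `#the following are necessary only if DNS discovery does not work` has the precedence backwards: MIT krb5 consults SRV records only for realms that have no `kdc`/`master_kdc` entries, so with these entries present DNS discovery is never attempted for this realm, regardless of `dns_lookup_kdc`. Since conncheck deliberately wants to talk to one specific master, the explicit entries are the intended behaviour; fix the comment rather than the code.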
 
diff --git a/ipa-client/ipa-install/ipa-client-install 
b/ipa-client/ipa-install/ipa-client-install
index 
d87fcc2a662b73c8ff269b65437d7d3023509b62..38b632220a1397b73acc042bd343b7638eb96230
 100755
--- a/ipa-client/ipa-install/ipa-client

Re: [Freeipa-devel] [PATCH] 305 Update DNS zone allow-query validation test

2012-09-07 Thread Martin Kosek
On Thu, 2012-09-06 at 14:00 +0200, Martin Kosek wrote:
> On 09/06/2012 01:35 PM, Petr Vobornik wrote:
> > On 09/06/2012 11:51 AM, Martin Kosek wrote:
> >> Loopback address, "localhost" and "localnets" ACIs are no longer
> >> an issue for bind-dyndb-ldap. Allow them in our validators.
> >>
> > 
> > Martin's patch works and looks good - ACK.
> > 
> > 
> > Attaching patch for Web UI part.
> 
> Web UI validator works fine too, ACK.
> 
> Pushed both patches to master, ipa-3-0.
> 
> Martin

I forgot to fix one DNS zone unit test.

Fixed (patch attached) and pushed as a one(two)-liner.

Martin
From adeb23af6feb6bee8fe28644c8e16888bc98b7ea Mon Sep 17 00:00:00 2001
From: Martin Kosek 
Date: Fri, 7 Sep 2012 13:49:15 +0200
Subject: [PATCH] Update DNS zone allow-query validation test

localhost and localnets ACIs are now allowed. Update the respective
unit test.
---
 tests/test_xmlrpc/test_dns_plugin.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tests/test_xmlrpc/test_dns_plugin.py b/tests/test_xmlrpc/test_dns_plugin.py
index e5c8a7c03c5faf88607576ff32a6a6866d8f8c4f..e8c0b241cc56261061de3cf4397ec097683f10a9 100644
--- a/tests/test_xmlrpc/test_dns_plugin.py
+++ b/tests/test_xmlrpc/test_dns_plugin.py
@@ -1038,9 +1038,9 @@ class test_dns(Declarative):
 
 dict(
 desc='Try to add invalid allow-query to zone %r' % dnszone1,
-command=('dnszone_mod', [dnszone1], {'idnsallowquery': u'localhost'}),
+command=('dnszone_mod', [dnszone1], {'idnsallowquery': u'foo'}),
 expected=errors.ValidationError(name='allow_query',
-error=u'ACL name "localhost" is not supported'),
+error=u"failed to detect a valid IP address from u'foo'"),
 ),
 
 dict(
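Review bot: the new expected text `failed to detect a valid IP address from u'foo'` bakes the Python 2 unicode `repr()` into the assertion, so the test breaks on any interpreter where `repr(u'foo')` renders without the `u` prefix; matching the message prefix, or building the expected string with `%r` of the same value, would be sturdier. Also, this swaps the negative case rather than adding a positive one: the point of the parent change is that `localhost` and `localnets` are now accepted, so a companion test that `dnszone_mod` with `idnsallowquery=u'localhost'` succeeds would actually pin the new behaviour.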
-- 
1.7.11.4


Re: [Freeipa-devel] [PATCH] 1046 add e-mail by default

2012-09-07 Thread Martin Kosek
On Thu, 2012-09-06 at 11:42 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > On 08/24/2012 07:54 PM, Rob Crittenden wrote:
> >> We weren't automatically creating the mail attribute despite having the 
> >> default
> >> e-mail domain. This patch will add it to all new users.
> >>
> >> To disable creating this set the default e-mail domain to empty in ipa 
> >> config.
> >>
> >> rob
> >>
> >
> > 1) Patch needs a rebase
> >
> > 2) There are 2 test cases where new default mail attribute was not added:
> >
> > ==
> > FAIL: test_user[34]: user_find: Search for "tuser2" with manager "tuser1"
> > --
> > ...
> >extra keys = ['mail']
> > ...
> >
> > ==
> > FAIL: test_user[75]: user_add: Create 2nd admin user "admin2"
> > --
> > ...
> >extra keys = ['mail']
> > ...
> >
> > 3) Some code could be simplified:
> >
> > This:
> > +if 'ipadefaultemaildomain' in config:
> > +defaultdomain = config['ipadefaultemaildomain'][0]
> > +else:
> > +defaultdomain = None
> >
> > To this:
> >   defaultdomain = config.get('ipadefaultemaildomain', [None])[0]
> >
> >
> > This:
> > if m.find('@') == -1 ...
> >
> > To this:
> > if '@' not in m ...
> >
> > IMHO, it is more readable than the find method.
> >
> > 3) When default e-mail domain is removed from config, users cannot be added 
> > any
> > more when e-mail is not explicitly specified:
> >
> > # ipa config-mod --emaildomain=
> >Maximum username length: 32
> >Home directory base: /home
> >Default shell: /bin/sh
> >Default users group: ipausers
> >Search time limit: 2
> >Search size limit: 100
> >User search fields: uid,givenname,sn,telephonenumber,ou,title
> >Group search fields: cn,description
> >Enable migration mode: FALSE
> >Certificate Subject base: O=IDM.LAB.BOS.REDHAT.COM
> >Password Expiration Notification (days): 4
> >Password plugin features: AllowNThash
> >SELinux user map order:
> > guest_u:s0$xguest_u:s0$user_u:s0-s0:c0.c1023$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
> >Default SELinux user: guest_u:s0
> >PAC type: MS-PAC
> >
> > # ipa user-add --first=Foo --last=Bar fbar
> > ipa: ERROR: invalid 'email': invalid e-mail format: fbar
> >
> > Martin
> >
> 
> Rebased, issues addressed.
> 
> rob

Yup, it's OK now.

ACK. I just had to squash an attached one-liner which updates range
tests I committed yesterday.

Pushed to master, ipa-3-0.

Martin
From 91640237bb6b12dce5016f427bec4981bce24de4 Mon Sep 17 00:00:00 2001
From: Martin Kosek 
Date: Fri, 7 Sep 2012 13:34:42 +0200
Subject: [PATCH] Add missing mail attribute to range tests

---
 tests/test_xmlrpc/test_range_plugin.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tests/test_xmlrpc/test_range_plugin.py b/tests/test_xmlrpc/test_range_plugin.py
index 4b7aa0893b9c77ebdec38e518bcf63ef88a6ce09..d7d4dac0fe398d56de33a215d5f6f7bc0ed61129 100644
--- a/tests/test_xmlrpc/test_range_plugin.py
+++ b/tests/test_xmlrpc/test_range_plugin.py
@@ -109,6 +109,7 @@ class test_range(Declarative):
 displayname=[u'Test User1'],
 cn=[u'Test User1'],
 initials=[u'TU'],
+mail=[u'%s@%s' % (user1, api.env.domain)],
 ipauniqueid=[fuzzy_uuid],
 krbpwdpolicyreference=[DN(('cn','global_policy'),('cn',api.env.realm),
   ('cn','kerberos'),api.env.basedn)],
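Review bot: `mail=[u'%s@%s' % (user1, api.env.domain)]` assumes the default e-mail domain on the test server is still `api.env.domain`; the review of patch 1046 earlier in this thread shows `ipa config-mod --emaildomain=` clearing it, after which this expected value (and the `extra keys = ['mail']` failures Martin quotes from test_user) stop matching. Reading the domain from `config_show` in the test, or dropping the key from the expectation when it is unset, would make the range tests independent of that setting.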
-- 
1.7.11.4
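The failure Martin reports in this thread (`ipa user-add` refusing `fbar` once the default e-mail domain is cleared) comes from building a bare local part and then validating it as an address. The following is an added example written for this page, not the patch's code, of the intended rule: derive `uid@domain` when a domain is configured, complete a bare `--email` local part with it, and store no `mail` at all when the domain is empty instead of failing. The config dict, the address syntax and the error text are assumptions; the page only shows that the entry is indexed as `config['ipadefaultemaildomain'][0]`.

```python
import re

# Constructed stand-ins for the cn=ipaConfig entry (attribute -> list of values),
# the shape the quoted review code indexes with [0].
CONFIG_WITH_DOMAIN = {"ipadefaultemaildomain": ["example.test"]}
CONFIG_NO_DOMAIN = {}   # the entry after: ipa config-mod --emaildomain=

# Assumption: a conservative address syntax; the real validator is not on the page.
_LOCALPART = re.compile(r"^[A-Za-z0-9._+-]+$")
_HOSTPART = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def default_email_domain(config):
    """Default e-mail domain from the config entry, or None when unset or empty."""
    return config.get("ipadefaultemaildomain", [None])[0] or None


def normalize_mail(uid, mail, config):
    """Mail values to store for a new user.

    uid    -- account name
    mail   -- explicit --email values (list of str) or None
    config -- the global config entry
    Returns a list; an empty list means 'do not set a mail attribute at all'.
    Raises ValueError only for an address that cannot be completed or parsed.
    """
    domain = default_email_domain(config)
    if mail is None:
        # No explicit address: uid@domain if there is a domain, otherwise nothing.
        # Building 'fbar' with no domain and then validating it is the failure
        # quoted in the review; returning [] is what avoids it.
        return ["%s@%s" % (uid, domain)] if domain else []
    out = []
    for m in (v.strip() for v in mail):
        if "@" not in m:
            if not domain:
                raise ValueError("invalid 'email': no default e-mail domain to complete %r" % m)
            m = "%s@%s" % (m, domain)
        local, _, host = m.partition("@")
        if not (_LOCALPART.match(local) and _HOSTPART.match(host)):
            raise ValueError("invalid 'email': invalid e-mail format: %s" % m)
        out.append(m)
    return out


def mail_is_valid(uid, mail, config):
    """True if normalize_mail() accepts the combination."""
    try:
        normalize_mail(uid, mail, config)
        return True
    except ValueError:
        return False
```

The one case that still fails is an explicit bare local part with no domain configured, because nothing sensible can be stored for it; a user created with no `--email` at all gets no `mail` attribute, which is the "set the default e-mail domain to empty" opt-out the original patch description promises.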


[Freeipa-devel] [PATCH 0055] Fix race condition in addrdataset() during SOA serial update

2012-09-07 Thread Petr Spacek

Hello,

Fix race condition in addrdataset() during SOA serial update.

https://fedorahosted.org/bind-dyndb-ldap/ticket/89

--
Petr^2 Spacek
From 5e8bc8f943345d8d92900474905288939958dcd8 Mon Sep 17 00:00:00 2001
From: Petr Spacek 
Date: Fri, 7 Sep 2012 13:01:57 +0200
Subject: [PATCH] Fix race condition in addrdataset() during SOA serial
 update.

https://fedorahosted.org/bind-dyndb-ldap/ticket/89

Signed-off-by: Petr Spacek 
---
 src/ldap_driver.c | 44 ++--
 src/ldap_helper.c |  4 ++--
 2 files changed, 36 insertions(+), 12 deletions(-)

diff --git a/src/ldap_driver.c b/src/ldap_driver.c
index 2cdde30cdad9544d530475f5cf4a0b8275a56f03..3a802238028145d35390f6a8d00f156bfdf8e7a1 100644
--- a/src/ldap_driver.c
+++ b/src/ldap_driver.c
@@ -936,6 +936,7 @@ addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 	dns_rdatalist_t diff;
 	isc_result_t result;
 	isc_boolean_t rdatalist_exists = ISC_FALSE;
+	isc_boolean_t soa_simulated_write = ISC_FALSE;
 
 	UNUSED(now);
 	UNUSED(db);
@@ -975,42 +976,65 @@ addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 			rdatalist_removedups(found_rdlist, new_rdlist,
 	 ISC_FALSE, &diff);
 
-			if ((options & DNS_DBADD_MERGE) != 0)
+			if ((options & DNS_DBADD_MERGE) == 0 &&
+			(rdatalist_length(&diff) != 0)) {
+CLEANUP_WITH(DNS_R_NOTEXACT);
+			} else {
 free_rdatalist(ldapdb->common.mctx, &diff);
-			else if (rdatalist_length(&diff) != 0) {
-free_rdatalist(ldapdb->common.mctx, &diff);
-result = DNS_R_NOTEXACT;
-goto cleanup;
 			}
 		} else {
 			/* Replace existing rdataset */
 			free_rdatalist(ldapdb->common.mctx, found_rdlist);
 		}
 	}
 
-	CHECK(write_to_ldap(&ldapdbnode->owner, ldapdb->ldap_inst, new_rdlist));
+	/* HACK: SOA addition will never fail with DNS_R_UNCHANGED.
+	 * This prevents warning from BIND's diff_apply(), it has too strict
+	 * checks for us.
+	 *
+	 * Reason: There is a race condition between SOA serial update
+	 * from BIND's update_action() and our persistent search watcher, because
+	 * they don't know about each other.
+	 * BIND's update_action() changes data with first addrdataset() call and
+	 * then changes serial with second addrdataset() call.
+	 * It can lead to empty diff if persistent search watcher
+	 * incremented serial in meanwhile.
+	 */
+	if (HEAD(new_rdlist->rdata) == NULL) {
+		if (rdlist->type == dns_rdatatype_soa)
+			soa_simulated_write = ISC_TRUE;
+		else
+			CLEANUP_WITH(DNS_R_UNCHANGED);
+	} else {
+		CHECK(write_to_ldap(&ldapdbnode->owner, ldapdb->ldap_inst, new_rdlist));
+	}
+
 
 	if (addedrdataset != NULL) {
-		result = dns_rdatalist_tordataset(new_rdlist, addedrdataset);
-		/* Use strong condition here, returns only SUCCESS */
-		INSIST(result == ISC_R_SUCCESS);
+		if (soa_simulated_write) {
+			dns_rdataset_clone(rdataset, addedrdataset);
+		} else {
+			result = dns_rdatalist_tordataset(new_rdlist, addedrdataset);
+			/* Use strong condition here, returns only SUCCESS */
+			INSIST(result == ISC_R_SUCCESS);
+		}
 	}
 
 	if (rdatalist_exists) {
 		ISC_LIST_APPENDLIST(found_rdlist->rdata, new_rdlist->rdata,
 link);
 		SAFE_MEM_PUT_PTR(ldapdb->common.mctx, new_rdlist);
 	} else
 		APPEND(ldapdbnode->rdatalist, new_rdlist, link);
 
-
 	return ISC_R_SUCCESS;
 
 cleanup:
 	if (new_rdlist != NULL) {
 		free_rdatalist(ldapdb->common.mctx, new_rdlist);
 		SAFE_MEM_PUT_PTR(ldapdb->common.mctx, new_rdlist);
 	}
+	free_rdatalist(ldapdb->common.mctx, &diff);
 
 	return result;
 }
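Review bot: the cleanup label now calls free_rdatalist(ldapdb->common.mctx, &diff) unconditionally, but `diff` is declared without an initializer (`dns_rdatalist_t diff;` in the first hunk) and is only populated by rdatalist_removedups() inside the rdatalist_exists branch; unless it is initialized in the lines above the first hunk, every CHECK() or CLEANUP_WITH() that reaches cleanup before that point, including the new DNS_R_UNCHANGED exit when the rdataset did not exist yet, frees an uninitialized list. Initialize diff before the first early exit (BIND's dns_rdatalist_init() does this) or guard the free with a flag. Separately, the soa_simulated_write path returns ISC_R_SUCCESS and clones the caller's rdataset into addedrdataset without touching LDAP; a one-line comment there stating that the serial already stored by the persistent search watcher is treated as authoritative would make the intent of the HACK block clearer to the next reader.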
diff --git a/src/ldap_helper.c b/src/ldap_helper.c
index 3241ffe486205fa03a6fd1a0a14edf1245c5c4aa..e636a84b35d0bcdc8573c6e7146f38ee21a42076 100644
--- a/src/ldap_helper.c
+++ b/src/ldap_helper.c
@@ -2973,10 +2973,10 @@ soa_serial_increment(isc_mem_t *mctx, ldap_instance_t *inst,
 
 	/* put the new SOA to inst->cache and compare old and new serials */
 	CHECK(ldap_get_zone_serial(inst, zone_name, &new_serial));
-	INSIST(isc_serial_gt(new_serial, old_serial) == ISC_TRUE);
 
 cleanup:
-	if (result != ISC_R_SUCCESS)
+	if (result != ISC_R_SUCCESS ||
+	isc_serial_gt(new_serial, old_serial) != ISC_TRUE)
 		log_error("SOA serial number incrementation failed in zone '%s'",
 	str_buf(zone_dn));
 
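Review bot: when ldap_get_zone_serial() succeeds but new_serial is not greater than old_serial, the function now only logs the error and still returns result == ISC_R_SUCCESS, so callers cannot tell that the increment did not take effect. If that outcome is expected (the persistent search watcher bumped the serial first, as the ldap_driver.c comment describes), say so in a comment next to the condition; otherwise set result to a failure code before the log_error() call. The short-circuit `||` correctly keeps isc_serial_gt() from reading new_serial when result != ISC_R_SUCCESS, which matters because new_serial is unset on that path.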
-- 
1.7.11.4


Re: [Freeipa-devel] [PATCH] 1052 add version to prepared replica files

2012-09-07 Thread Martin Kosek
On Fri, 2012-08-31 at 13:49 -0400, Rob Crittenden wrote:
> When installing a replica in an upgrade situation we want to be sure we 
> install the same version or higher. This will have to bake a bit until 
> the next full version of IPA but the idea is to prevent installing a 
> newer replica file on an older server.
> 
> To test this you need to rip apart a prepared file and tweak the version 
> forward or backward.
> 
> To do this, do something like:
> 
> # gpg -d replica-info-pitbull.example.com.gpg | tar xf -
> # edit realm_info/realm_info
> # tar cf replica-info-pitbull.example.com realm_info
> # gpg --batch --homedir `pwd`/.gnupg --passphrase-fd 0 --yes --no-tty -o 
> replica-info-pitbull.example.com.gpg -c replica-info-pitbull.example.com
> 
> 
> rob

Works fine.

ACK. Pushed to master, ipa-3-0.

Martin



Re: [Freeipa-devel] [PATCH] 1050 prevent replica orphans

2012-09-07 Thread Martin Kosek
On Thu, 2012-09-06 at 17:22 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > On 08/31/2012 07:40 PM, Rob Crittenden wrote:
> >> Rob Crittenden wrote:
> >>> It was possible to use ipa-replica-manage connect/disconnect/del to end up
> >>> orphaning one or more IPA masters. This is an attempt to catch and
> >>> prevent that case.
> >>>
> >>> I tested with this topology, trying to delete B.
> >>>
> >>> A <-> B <-> C
> >>>
> >>> I got here by creating B and C from A, connecting B to C then deleting
> >>> the link from A to B, so it went from A -> B and A -> C to the above.
> >>>
> >>> What I do is look up the servers that the delete candidate host has
> >>> connections to and see if we're the last link.
> >>>
> >>> I added an escape clause if there are only two masters.
> >>>
> >>> rob
> >>
> >> Oh, this relies on my cleanruv patch 1031.
> >>
> >> rob
> >>
> >
> > 1) When I run ipa-replica-manage del --force to an already uninstalled host,
> > the new code will prevent the deletion because it cannot connect to 
> > it. It
> > also crashes with UnboundLocalError:
> >
> > # ipa-replica-manage del vm-055.idm.lab.bos.redhat.com --force
> >
> > Unable to connect to replica vm-055.idm.lab.bos.redhat.com, forcing removal
> > Traceback (most recent call last):
> >File "/sbin/ipa-replica-manage", line 708, in 
> >  main()
> >File "/sbin/ipa-replica-manage", line 677, in main
> >  del_master(realm, args[1], options)
> >File "/sbin/ipa-replica-manage", line 476, in del_master
> >  sys.exit("Failed read master data from '%s': %s" % (delrepl.hostname, 
> > str(e)))
> > UnboundLocalError: local variable 'delrepl' referenced before assignment
> 
> Fixed.
> 
> >
> >
> > I also hit this error when removing a winsync replica.
> 
> Fixed.
> 
> >
> >
> > 2) As I wrote before, I think having --force option override the user 
> > inquiries
> > would benefit test automation:
> >
> > +if not ipautil.user_input("Continue to delete?", False):
> > +sys.exit("Aborted")
> 
> Fixed.
> 
> >
> >
> > 3) I don't think this code will cover this topology:
> >
> > A - B - C - D - E
> >
> > It would allow you to delete a replica C even though it would separate A-B 
> > and
> > D-E. Though we may not want to cover this situation now, what you got is
> > definitely helping.
> 
> I think you may be right. I only tested with 4 servers. With this B and 
> D would both still have 2 agreements so wouldn't be covered by the last 
> link test.

Everything looks good now, so ACK. We just need to push it along with
CLEANALLRUV patch.

Martin
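Martin's A - B - C - D - E case worked through, as an added example that is not ipa-replica-manage's own code: the "last link" heuristic described in the thread next to a full connectivity check over the replication agreements (topologies and hostnames are constructed).

```python
# Added example (not ipa-replica-manage's code): compare the "last link"
# heuristic from the thread with a full connectivity check before deleting
# a master. Agreements are modelled as symmetric (undirected) pairs.
from collections import deque

# Constructed topologies from the thread; letters stand in for hostnames.
LINEAR_3 = {("A", "B"), ("B", "C")}                              # A <-> B <-> C
LINEAR_5 = {("A", "B"), ("B", "C"), ("C", "D"), ("D", "E")}      # A - B - C - D - E


def neighbours(agreements):
    """Adjacency map: host -> set of hosts it has an agreement with."""
    adj = {}
    for left, right in agreements:
        adj.setdefault(left, set()).add(right)
        adj.setdefault(right, set()).add(left)
    return adj


def last_link_check(agreements, host):
    """Heuristic as described in the thread: peers of `host` whose only
    agreement is with `host` would be orphaned by deleting it."""
    adj = neighbours(agreements)
    return {peer for peer in adj.get(host, ()) if adj[peer] == {host}}


def components_after_delete(agreements, host):
    """Full check: drop `host`, then BFS the rest. More than one component
    means the deletion splits the topology (A-B and D-E when C goes)."""
    adj = neighbours(agreements)
    unseen = set(adj) - {host}
    comps = []
    while unseen:
        start = unseen.pop()
        comp, queue = {start}, deque([start])
        while queue:
            for peer in adj[queue.popleft()]:
                if peer != host and peer not in comp:
                    comp.add(peer)
                    queue.append(peer)
        unseen -= comp
        comps.append(frozenset(comp))
    return sorted(comps, key=min)


def would_orphan(agreements, host):
    """True when deleting `host` leaves masters that can no longer reach
    each other; with only two masters there is nothing left to split."""
    return len(components_after_delete(agreements, host)) > 1
```

Deleting C from the five-master chain passes the last-link heuristic (B and D each keep another agreement) but fails the connectivity check, which is the gap Martin's point 3 describes.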



Re: [Freeipa-devel] [PATCH] 1031 run cleanallruv task

2012-09-07 Thread Martin Kosek
On Thu, 2012-09-06 at 17:17 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > On 09/06/2012 05:55 PM, Rob Crittenden wrote:
> >> Rob Crittenden wrote:
> >>> Rob Crittenden wrote:
>  Martin Kosek wrote:
> > On 09/05/2012 08:06 PM, Rob Crittenden wrote:
> >> Rob Crittenden wrote:
> >>> Martin Kosek wrote:
>  On 07/05/2012 08:39 PM, Rob Crittenden wrote:
> > Martin Kosek wrote:
> >> On 07/03/2012 04:41 PM, Rob Crittenden wrote:
> >>> Deleting a replica can leave a replication vector (RUV) on the
> >>> other servers.
> >>> This can confuse things if the replica is re-added, and it also
> >>> causes the
> >>> server to calculate changes against a server that may no longer
> >>> exist.
> >>>
> >>> 389-ds-base provides a new task that self-propagates itself to all
> >>> available
> >>> replicas to clean this RUV data.
> >>>
> >>> This patch will create this task at deletion time to hopefully
> >>> clean things up.
> >>>
> >>> It isn't perfect. If any replica is down or unavailable at the
> >>> time
> >>> the
> >>> cleanruv task fires, and then comes back up, the old RUV data
> >>> may be
> >>> re-propagated around.
> >>>
> >>> To make things easier in this case I've added two new commands to
> >>> ipa-replica-manage. The first lists the replication ids of all the
> >>> servers we
> >>> have a RUV for. Using this you can call clean_ruv with the
> >>> replication id of a
> >>> server that no longer exists to try the cleanallruv step again.
> >>>
> >>> This is quite dangerous though. If you run cleanruv against a
> >>> replica id that
> >>> does exist it can cause a loss of data. I believe I've put in
> >>> enough scary
> >>> warnings about this.
> >>>
> >>> rob
> >>>
> >>
> >> Good work there, this should make cleaning RUVs much easier than
> >> with the
> >> previous version.
> >>
> >> This is what I found during review:
> >>
> >> 1) list_ruv and clean_ruv command help in man is quite lost. I
> >> think
> >> it would
> >> help if we for example have all info for commands indented. This
> >> way
> >> user could
> >> simply over-look the new commands in the man page.
> >>
> >>
> >> 2) I would rename new commands to clean-ruv and list-ruv to make
> >> them
> >> consistent with the rest of the commands (re-initialize,
> >> force-sync).
> >>
> >>
> >> 3) It would be nice to be able to run clean_ruv command in an
> >> unattended way
> >> (for better testing), i.e. respect --force option as we already
> >> do for
> >> ipa-replica-manage del. This fix would aid test automation in the
> >> future.
> >>
> >>
> >> 4) (minor) The new question (and the del too) does not react too
> >> well for
> >> CTRL+D:
> >>
> >> # ipa-replica-manage clean_ruv 3 --force
> >> Clean the Replication Update Vector for
> >> vm-055.idm.lab.bos.redhat.com:389
> >>
> >> Cleaning the wrong replica ID will cause that server to no
> >> longer replicate so it may miss updates while the process
> >> is running. It would need to be re-initialized to maintain
> >> consistency. Be very careful.
> >> Continue to clean? [no]: unexpected error:
> >>
> >>
> >> 5) Help for clean_ruv command without a required parameter is quite
> >> confusing
> >> as it reports that command is wrong and not the parameter:
> >>
> >> # ipa-replica-manage clean_ruv
> >> Usage: ipa-replica-manage [options]
> >>
> >> ipa-replica-manage: error: must provide a command [clean_ruv |
> >> force-sync |
> >> disconnect | connect | del | re-initialize | list | list_ruv]
> >>
> >> It seems you just forgot to specify the error message in the
> >> command
> >> definition
> >>
> >>
> >> 6) When the remote replica is down, the clean_ruv command fails
> >> with an
> >> unexpected error:
> >>
> >> [root@vm-086 ~]# ipa-replica-manage clean_ruv 5
> >> Clean the Replication Update Vector for
> >> vm-055.idm.lab.bos.redhat.com:389
> >>
> >> Cleaning the wrong replica ID will cause that server to no
> >> longer replicate so it may miss updates while the process
> >> is running. It would need to be re-initialized to maintain
> >> consistency. Be very careful.
> >> Continue to clean? [no]: y
> >>>