Re: [Freeipa-devel] [PATCH] 240-252 AMD modules and Web UI build
On 01/18/2013 03:11 AM, Endi Sukma Dewata wrote: On 1/17/2013 8:01 PM, Petr Vobornik wrote: On 01/17/2013 04:24 AM, Endi Sukma Dewata wrote: Nice work! They seem to be working fine so it's ACKed. I found a little error - there is a jsl problem in dojo.profile:86 - comma at the end of a list. Updated patch 243 attached.

ACK. Pushed to master. We can polish the dev tools later.

2. Is there a way to disable uglify in case we need to debug with Firebug?

Currently no. I found myself that I have needed it only when I was trying to figure out what is the output of the builder or some build debugging (what modules are actually used). What's your use case with Firebug? If I want to debug, I would use plain source codes and send it to the test server [1] or I would use the local file modes [2]. The output of the builder is quite ugly to debug. If it's really useful we might add some option to make-ui.sh, should be easy.

[1] http://www.freeipa.org/page/V3/WebUI_build#Copy_source_codes_of_FreeIPA_layer_on_test_server
[2] http://www.freeipa.org/page/V3/WebUI_build#Set_environment_to_debug_source_codes_of_FreeIPA_layer_using_offline_version

I guess what I'm looking for is a way to troubleshoot using Firebug at a customer's environment who's using the compiled code on a live server. Chrome has a 'pretty print' feature which makes the compiled code somehow readable - much better than single line. Example:

}, r.reset = function() { delete r.selected_values, r.external_radio r.external_radio.prop(checked, !1), r.external_text r.external_text.val() }, r.save = function(e) { if (r.selected_values r.selected_values.length) { var t = r.selected_values[0]; r.external_radio t === r.external_radio.val() ? e[r.name] = r.external_text.val() : e[r.name] = t }

Using just a built, not compiled version might be even more readable, but in that case we can use sources codes as well.

I suppose we can ask the customer to install the source code, then run sync.sh to install the sources.
But is there a way to clean up the machine and switch back to the compiled code after we're done troubleshooting? The sync.sh --compiled or --clean doesn't seem to do it.

You have to build the UI first. --clean only deletes files in certain directory. --compiled switches from sources to compiled versions, can be also used with --dojo. So the correct command to replace sources with just app.js is:

$ util/make-ui.sh util/sync.sh --host r...@test.example.com --freeipa --compiled --clean

or shorter:

$ util/make-ui.sh util/sync.sh -fcC -h r...@test.example.com

We might polish the arguments if you think they are not easy to understand. I assumed that it's better to create more general synch util and then let developers make their own aliases for most often used commands+args - mostly to avoid writing hostname. I'm not against extending the synch util though.

3. Is it possible to set breakpoints in AMD modules in Firebug, for example line 44 in widget.js?

Yes.

OK, after doing sync.sh --freeipa I was able to see the sources in Firebug and set breakpoints. We might want to include this in a troubleshooting guide (if it's not already there).

This guide: http://www.freeipa.org/page/TroubleshootingGuide ? We might polish #2 and then I can write something down.

4. Calling change-profile.sh allsource modifies the install/ui/js/dojo. Should they be included in .gitignore? Or is there a way to select the profile without modifying any files included in git (e.g. using parameter)? The concern is that the changes could accidentally get checked in and affect the official build.

change-profile.sh has option --git-ignore which marks those symbolic links with 'git update-index --assume-unchanged' which should prevent this issue. Option --git-undo removes this mark. It might be a little uncomfortable, but I didn't find a better method.
A possible option is to remove those links from git repository and add them to .gitignore, but by using it the 'offline version' wouldn't be functional out of the box (checkout).

Are the links used by the offline version only, or would it also affect live server deployed from the RPM that includes modified links?

Symbolic links are just for offline version. Deployed RPM has all code directly in subdirs of js directory. Basically the sym links are there just to solve the switching problem - we don't want to copy files around in dev tree. For testing on a machine, mapping from 'build' or 'src' directory solves the sync util. For deployment it's done by makefiles.

--
Petr Vobornik

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 352-354 Add support for AD users to hbactest command
How this works:
1. When a trusted domain user is tested, AD GC is searched for the user entry Distinguished Name
2. The user entry is then read from AD GC and its SID and SIDs of all its assigned groups (tokenGroups attribute) are retrieved
3. The SIDs are then used to search IPA LDAP database to find all external groups which have any of these SIDs as external members
4. All these groups having these groups as direct or indirect members are added to hbactest allowing it to perform the search

LIMITATIONS:
- user SID in hbactest --user parameter is not supported
- only Trusted Admins group members can use this function as it uses secret for IPA-Trusted domain link
- List of group SIDs does not contain group memberships outside of the trusted domain

https://fedorahosted.org/freeipa/ticket/2997

There are also 2 patches changing current dcerpc.py code to make it usable both for group-add-member trusted domain user resolution and also for purposes of the trusted domain user hbactest.

Example of the new hbactest ability:

# ipa hbacrule-show can_login
  Rule name: can_login
  Host category: all
  Source host category: all
  Enabled: TRUE
  User Groups: admins, ad_test_admins
  Services: login, sshd

# ipa group-show ad_test_admins
  Group name: ad_test_admins
  Description: AD.TEST admins
  GID: 17911
  Member groups: ext_all_admins
  Member of HBAC rule: can_login

# ipa group-show ext_all_admins
  Group name: ext_all_admins
  Description: All AD.TEST admins
  Member of groups: ad_test_admins
  Indirect Member of HBAC rule: can_login
  External member: S-1-5-21-3035198329-144811719-1378114514-512

# ipa hbactest --user='AD\Administrator' --host=`hostname` --service=sshd
Access granted: True
  Matched rules: can_login

There may still be dragons, I am sending what I have now, still need to run more tests.

Martin

From 64e719de744fad61f60e4ddeb4927f6a2b568b81 Mon Sep 17 00:00:00 2001
From: Martin Kosek mko...@redhat.com Date: Fri, 18 Jan 2013 17:28:39 +0100 Subject: [PATCH 1/3] Generalize AD GC search Modify access methods to AD GC so that callers can specify a custom basedn, filter, scope and attribute list, thus allowing it to perform any LDAP search. Error checking methodology in these functions was changed, so that it rather raises an exception with a description instead of simply returning a None or False value which would make an investigation why something does not work much more difficult. External membership method in group-add-member command was updated to match this approach. https://fedorahosted.org/freeipa/ticket/2997 --- ipalib/plugins/group.py | 9 ++-- ipaserver/dcerpc.py | 121 +++- 2 files changed, 83 insertions(+), 47 deletions(-) diff --git a/ipalib/plugins/group.py b/ipalib/plugins/group.py index f86b134e61fc8c7518a64d25329babee3398c6ef..347a7ee9fda9cb574f433dff3a9621d8bffee887 100644 --- a/ipalib/plugins/group.py +++ b/ipalib/plugins/group.py @@ -384,11 +384,12 @@ class group_add_member(LDAPAddMember): if domain_validator.is_trusted_sid_valid(sid): sids.append(sid) else: -actual_sid = domain_validator.get_sid_trusted_domain_object(sid) -if isinstance(actual_sid, unicode): -sids.append(actual_sid) +try: +actual_sid = domain_validator.get_trusted_domain_object_sid(sid) +except errors.PublicError, e: +failed_sids.append((sid, unicode(e))) else: -failed_sids.append((sid, 'Not a trusted domain SID')) +sids.append(actual_sid) if len(sids) == 0: raise errors.ValidationError(name=_('external member'), error=_('values are not recognized as valid SIDs from trusted domain')) diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py index 54a70defc9df52db58054d29c1c9f9189a88cabb..ef937db048a69323fae59687b5c406424add1a03 100644 --- a/ipaserver/dcerpc.py +++ b/ipaserver/dcerpc.py 
@@ -185,41 +185,77 @@ class DomainValidator(object): return True return False -def get_sid_trusted_domain_object(self, object_name): + +def get_trusted_domain_objects(self, domain=None, flatname=None, filter=, +attrs=None, scope=_ldap.SCOPE_SUBTREE, basedn=None): + +Search for LDAP objects in a trusted domain specified either by `domain' +or `flatname'. The actual LDAP search is specified by `filter', `attrs', +`scope' and `basedn'. When `basedn' is empty, database root DN is used. + +assert domain is not None or flatname is not None Returns SID for the trusted domain object (user or group only) if not
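Review bot: in the group.py hunk the per-SID failure path now relies on `get_trusted_domain_object_sid` raising an `errors.PublicError` for every lookup failure; anything else (for instance an LDAP or connection error from the GC search that is not wrapped) escapes the `except errors.PublicError, e:` clause and aborts the whole `group-add-member` call instead of landing in `failed_sids` for that one value, as the old `isinstance(actual_sid, unicode)` check did. Worth confirming that the new dcerpc method wraps non-public exceptions, or documenting that a raw exception is the intended outcome there. The `try/except/else` also puts `sids.append(actual_sid)` in the `else:` branch directly under the outer `if/else`, which is correct but easy to misread; a one-line comment on that `else:` would help the next reader.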
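Review bot: in the dcerpc.py hunk `assert domain is not None or flatname is not None` is used to validate caller arguments of the new `get_trusted_domain_objects`, but `assert` statements are stripped when Python runs with `-O`, so the check silently disappears in optimized runs and the caller gets whatever error the later LDAP code produces. Since the commit message's stated goal is to raise descriptive exceptions instead of failing obscurely, raise an explicit error instead, e.g. `if domain is None and flatname is None: raise ValueError('domain or flatname is required')`. The docstring also promises that the database root DN is used when `basedn` is empty; the hunk as quoted here is cut off before that fallback, so please make sure the rest of the method says which root DN (the GC's or the IPA server's) is meant.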
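The four resolution steps described at the top of this message, as an added example that is not part of the patch or of FreeIPA's code. The AD Global Catalog and the IPA LDAP tree are replaced by constructed in-memory dictionaries; the group names, the can_login rule and the -512 external member SID are taken from the command output shown in the mail, while the AD\jdoe user, the -500/-513/-1104 SIDs, the disabled old_rule and the bastion_login rule are constructed for the example. It resolves a trusted-domain user to its SIDs, maps those SIDs to IPA external groups, expands indirect memberships and evaluates the HBAC rules, returning the same granted/matched result the hbactest output reports.

```python
from collections import deque

# Constructed stand-in for the AD Global Catalog: user -> objectSid and
# tokenGroups. Only groups from the trusted domain appear here, mirroring
# limitation 3 in the mail (no memberships outside the trusted domain).
# The -512 SID is the external member shown in the mail; the rest is constructed.
AD_GC = {
    "AD\\Administrator": {
        "objectSid": "S-1-5-21-3035198329-144811719-1378114514-500",
        "tokenGroups": [
            "S-1-5-21-3035198329-144811719-1378114514-512",
            "S-1-5-21-3035198329-144811719-1378114514-513",
        ],
    },
    "AD\\jdoe": {
        "objectSid": "S-1-5-21-3035198329-144811719-1378114514-1104",
        "tokenGroups": ["S-1-5-21-3035198329-144811719-1378114514-513"],
    },
}

# Constructed stand-in for IPA LDAP groups (mirrors the group-show output above).
IPA_GROUPS = {
    "ext_all_admins": {
        "external_members": {"S-1-5-21-3035198329-144811719-1378114514-512"},
        "member_of": {"ad_test_admins"},
    },
    "ad_test_admins": {"external_members": set(), "member_of": set()},
    "admins": {"external_members": set(), "member_of": set()},
}

# Constructed HBAC rules. can_login mirrors hbacrule-show above; old_rule and
# bastion_login are constructed to exercise the disabled and host-specific cases.
IPA_HBAC_RULES = [
    {"name": "can_login", "enabled": True, "host_category": "all", "hosts": set(),
     "user_groups": {"admins", "ad_test_admins"}, "services": {"login", "sshd"}},
    {"name": "old_rule", "enabled": False, "host_category": "all", "hosts": set(),
     "user_groups": {"ad_test_admins"}, "services": {"ftp"}},
    {"name": "bastion_login", "enabled": True, "host_category": None,
     "hosts": {"bastion.example.test"},
     "user_groups": {"ad_test_admins"}, "services": {"login"}},
]


def lookup_ad_user(user):
    """Steps 1-2: find the user in the GC and collect its own SID plus tokenGroups.

    An unknown user raises KeyError rather than returning None, matching the
    'raise a descriptive exception' approach the dcerpc patch adopts.
    """
    entry = AD_GC[user]
    return [entry["objectSid"]] + list(entry["tokenGroups"])


def external_groups_for_sids(sids):
    """Step 3: IPA groups that list any of the SIDs as an external member."""
    wanted = set(sids)
    return {name for name, grp in IPA_GROUPS.items()
            if grp["external_members"] & wanted}


def expand_membership(groups):
    """Step 4: add every group that has these groups as direct or indirect members."""
    seen = set(groups)
    queue = deque(groups)
    while queue:
        for parent in IPA_GROUPS[queue.popleft()]["member_of"]:
            if parent not in seen:
                seen.add(parent)
                queue.append(parent)
    return seen


def rule_matches(rule, groups, host, service):
    """A rule applies when it is enabled and host, user group and service all match."""
    host_ok = rule["host_category"] == "all" or host in rule["hosts"]
    return (rule["enabled"] and host_ok
            and bool(rule["user_groups"] & groups)
            and service in rule["services"])


def hbactest(user, host, service):
    """Resolve the trusted-domain user's groups and evaluate the HBAC rules.

    Returns (access_granted, [matched rule names]) like the hbactest output.
    """
    groups = expand_membership(external_groups_for_sids(lookup_ad_user(user)))
    matched = [r["name"] for r in IPA_HBAC_RULES
               if rule_matches(r, groups, host, service)]
    return bool(matched), matched


if __name__ == "__main__":
    print(hbactest("AD\\Administrator", "ipa.example.test", "sshd"))
```

Because only the Domain Admins SID is an external member of ext_all_admins, the AD\jdoe user resolves to no IPA groups at all and every rule denies it, while AD\Administrator is granted sshd through the indirect ext_all_admins -> ad_test_admins -> can_login chain.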
Re: [Freeipa-devel] [PATCH] 349 Test NetBIOS name clash before creating a trust
On 01/17/2013 04:15 PM, Rob Crittenden wrote: Martin Kosek wrote: Give a clear message about what is wrong with current Trust settings before letting AD return a confusing error message. https://fedorahosted.org/freeipa/ticket/3193

I hate being picky over wording but... I think it would read better if you replaced 'this' with 'The IPA server' or 'IPA' or something like that.

rob

No worries, attaching a better worded version.

Martin

From cca2557282ef69e3791126a578e8c45a18460c47 Mon Sep 17 00:00:00 2001 From: Martin Kosek mko...@redhat.com Date: Fri, 11 Jan 2013 16:33:43 +0100 Subject: [PATCH] Test NetBIOS name clash before creating a trust Give a clear message about what is wrong with current Trust settings before letting AD return a confusing error message. https://fedorahosted.org/freeipa/ticket/3193 --- ipaserver/dcerpc.py | 6 ++ 1 file changed, 6 insertions(+) diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py index 54a70defc9df52db58054d29c1c9f9189a88cabb..f1d148f0bccfff9568dff49d0eb64c6b815d578f 100644 --- a/ipaserver/dcerpc.py +++ b/ipaserver/dcerpc.py @@ -585,6 +585,12 @@ class TrustDomainInstance(object): info.trust_type = lsa.LSA_TRUST_TYPE_UPLEVEL info.trust_attributes = lsa.LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE +if self.info['name'] == info.netbios_name.string: +# Check that NetBIOS names do not clash +raise errors.ValidationError(name=u'AD Trust Setup', +error=_('the IPA server and the remote domain cannot share the same ' +'NetBIOS name: %s') % self.info['name']) + try: dname = lsa.String() dname.string = another_domain.info['dns_domain'] -- 1.7.11.7
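Review bot: the clash check `if self.info['name'] == info.netbios_name.string:` uses case-sensitive string equality, but NetBIOS names are matched case-insensitively, so an IPA NetBIOS name that differs from the remote domain's only in case would pass this check and still hit the confusing AD-side error the commit message sets out to avoid. Normalize both sides before comparing, e.g. `if self.info['name'].upper() == info.netbios_name.string.upper():`. Minor style point: the `# Check that NetBIOS names do not clash` comment sits inside the `if` body above the `raise`; it describes the condition, so it reads better on the line before the `if`.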