Re: [Freeipa-devel] [PATCH] 240-252 AMD modules and Web UI build

2013-01-18 Thread Petr Vobornik

On 01/18/2013 03:11 AM, Endi Sukma Dewata wrote:

On 1/17/2013 8:01 PM, Petr Vobornik wrote:

On 01/17/2013 04:24 AM, Endi Sukma Dewata wrote:

Nice work! They seem to be working fine so it's ACKed.


I found a little error - there is a jsl problem in dojo.profile:86 -
comma at the end of a list. Updated patch 243 attached.


ACK.


Pushed to master.

We can polish the dev tools later.




2. Is there a way to disable uglify in case we need to debug with
Firebug?


Currently no. I have found that I myself needed it only when I was
trying to figure out what the output of the builder is, or for some build
debugging (what modules are actually used).

What's your use case with Firebug? If I want to debug, I would use the plain
sources and send them to the test server [1], or I would use the local
file modes [2]. The output of the builder is quite ugly to debug.

If it's really useful we might add some option to make-ui.sh, should be
easy.

[1]
http://www.freeipa.org/page/V3/WebUI_build#Copy_source_codes_of_FreeIPA_layer_on_test_server


[2]
http://www.freeipa.org/page/V3/WebUI_build#Set_environment_to_debug_source_codes_of_FreeIPA_layer_using_offline_version



I guess what I'm looking for is a way to troubleshoot using Firebug at a
customer's environment who's using the compiled code on a live server.


Chrome has a 'pretty print' feature which makes the compiled code 
somewhat readable - much better than a single line. Example:

    }, r.reset = function() {
        delete r.selected_values, r.external_radio && r.external_radio.prop("checked", !1), r.external_text && r.external_text.val()
    }, r.save = function(e) {
        if (r.selected_values && r.selected_values.length) {
            var t = r.selected_values[0];
            r.external_radio && t === r.external_radio.val() ? e[r.name] = r.external_text.val() : e[r.name] = t
        }
    }
Using just a built, not compiled, version might be even more readable, 
but in that case we can use the source code as well.




I suppose we can ask the customer to install the source code, then run
sync.sh to install the sources. But is there a way to clean up the
machine and switch back to the compiled code after we're done
troubleshooting? The sync.sh --compiled or --clean doesn't seem to do it.


You have to build the UI first.

--clean only deletes files in a certain directory
--compiled switches from sources to compiled versions; can also be used 
with --dojo


So the correct command to replace sources with just app.js is:

$ util/make-ui.sh && util/sync.sh --host r...@test.example.com --freeipa 
--compiled --clean


or shorter: $ util/make-ui.sh && util/sync.sh -fcC -h r...@test.example.com

We might polish the arguments if you think they are not easy to 
understand. I assumed that it's better to create a more general sync util 
and then let developers make their own aliases for the most often used 
commands+args - mostly to avoid writing the hostname. I'm not against 
extending the sync util though.






3. Is it possible to set breakpoints in AMD modules in Firebug, for
example line 44 in widget.js?


Yes.


OK, after doing sync.sh --freeipa I was able to see the sources in
Firebug and set breakpoints. We might want to include this in a
troubleshooting guide (if it's not already there).


This guide: http://www.freeipa.org/page/TroubleshootingGuide ? We might 
polish #2 and then I can write something down.





4. Calling change-profile.sh allsource modifies the install/ui/js/dojo.
Should they be included in .gitignore? Or is there a way to select the
profile without modifying any files included in git (e.g. using
parameter)? The concern is that the changes could accidentally get
checked in and affect the official build.


change-profile.sh has option --git-ignore which marks those symbolic
links with  'git update-index --assume-unchanged ' which should prevent
this issue. Option --git-undo removes this mark.

It might be a little uncomfortable, but I didn't find a better method.
Possible option is to remove those links from git repository and add
them to .gitignore, but by using it the 'offline version' wouldn't be
functional out of the box (checkout).


Are the links used by the offline version only, or would it also affect
live server deployed from the RPM that includes modified links?



Symbolic links are just for offline version. Deployed RPM has all code 
directly in subdirs of js directory. Basically the sym links are there 
just to solve the switching problem - we don't want to copy files around 
in dev tree. For testing on a machine, mapping from 'build' or 'src' 
directory solves the sync util. For deployment it's done by makefiles.

--
Petr Vobornik

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


[Freeipa-devel] [PATCH] 352-354 Add support for AD users to hbactest command

2013-01-18 Thread Martin Kosek

How this works:
  1. When a trusted domain user is tested, AD GC is searched
 for the user entry Distinguished Name
  2. The user entry is then read from AD GC and its SID and SIDs
 of all its assigned groups (tokenGroups attribute) are retrieved
  3. The SIDs are then used to search IPA LDAP database to find
 all external groups which have any of these SIDs as external
 members
  4. All these groups having these groups as direct or indirect
 members are added to hbactest allowing it to perform the search

LIMITATIONS:
- user SID in hbactest --user parameter is not supported
- only Trusted Admins group members can use this function as it
  uses secret for IPA-Trusted domain link
- List of group SIDs does not contain group memberships outside
  of the trusted domain

https://fedorahosted.org/freeipa/ticket/2997



There are also 2 patches changing current dcerpc.py code to make it usable both 
for group-add-member trusted domain user resolution and also for purposes of 
the trusted domain user hbactest.


Example of the new hbactest ability:
# ipa hbacrule-show can_login
  Rule name: can_login
  Host category: all
  Source host category: all
  Enabled: TRUE
  User Groups: admins, ad_test_admins
  Services: login, sshd
# ipa group-show ad_test_admins
  Group name: ad_test_admins
  Description: AD.TEST admins
  GID: 17911
  Member groups: ext_all_admins
  Member of HBAC rule: can_login
# ipa group-show ext_all_admins
  Group name: ext_all_admins
  Description: All AD.TEST admins
  Member of groups: ad_test_admins
  Indirect Member of HBAC rule: can_login
  External member: S-1-5-21-3035198329-144811719-1378114514-512

# ipa hbactest --user='AD\Administrator' --host=`hostname` --service=sshd

Access granted: True

  Matched rules: can_login

There may still be dragons, I am sending what I have now, still need to run 
more tests.


Martin
From 64e719de744fad61f60e4ddeb4927f6a2b568b81 Mon Sep 17 00:00:00 2001
From: Martin Kosek mko...@redhat.com
Date: Fri, 18 Jan 2013 17:28:39 +0100
Subject: [PATCH 1/3] Generalize AD GC search

Modify access methods to AD GC so that callers can specify a custom
basedn, filter, scope and attribute list, thus allowing it to perform
any LDAP search.

Error checking methodology in these functions was changed, so that it
rather raises an exception with a description instead of simply returning
a None or False value, which would make investigating why something
does not work much more difficult. The external membership method in
the group-add-member command was updated to match this approach.

https://fedorahosted.org/freeipa/ticket/2997
---
 ipalib/plugins/group.py |   9 ++--
 ipaserver/dcerpc.py | 121 +++-
 2 files changed, 83 insertions(+), 47 deletions(-)

diff --git a/ipalib/plugins/group.py b/ipalib/plugins/group.py
index f86b134e61fc8c7518a64d25329babee3398c6ef..347a7ee9fda9cb574f433dff3a9621d8bffee887 100644
--- a/ipalib/plugins/group.py
+++ b/ipalib/plugins/group.py
@@ -384,11 +384,12 @@ class group_add_member(LDAPAddMember):
 if domain_validator.is_trusted_sid_valid(sid):
 sids.append(sid)
 else:
-actual_sid = domain_validator.get_sid_trusted_domain_object(sid)
-if isinstance(actual_sid, unicode):
-sids.append(actual_sid)
+try:
+actual_sid = domain_validator.get_trusted_domain_object_sid(sid)
+except errors.PublicError, e:
+failed_sids.append((sid, unicode(e)))
 else:
-failed_sids.append((sid, 'Not a trusted domain SID'))
+sids.append(actual_sid)
 if len(sids) == 0:
 raise errors.ValidationError(name=_('external member'),
  error=_('values are not recognized as valid SIDs from trusted domain'))
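Review bot: the new `try`/`except errors.PublicError`/`else` at the top of this hunk drops the old `isinstance(actual_sid, unicode)` guard, so the code now relies on `get_trusted_domain_object_sid()` either raising or returning a SID string; if that method can still return `None` for an object that is simply not found, the `None` lands in `sids` and is passed on as an external member. Either confirm the dcerpc.py side raises in every miss case, or keep a type check in the `else:` branch before `sids.append(actual_sid)`. A second point: `failed_sids` now also records GC connection and lookup errors via `unicode(e)`, while the `ValidationError` text right after the hunk still says `values are not recognized as valid SIDs from trusted domain`; surfacing the collected messages would let an admin tell a bad SID from a broken trust link.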
diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
index 54a70defc9df52db58054d29c1c9f9189a88cabb..ef937db048a69323fae59687b5c406424add1a03 100644
--- a/ipaserver/dcerpc.py
+++ b/ipaserver/dcerpc.py
@@ -185,41 +185,77 @@ class DomainValidator(object):
 return True
 return False
 
-def get_sid_trusted_domain_object(self, object_name):
+
+def get_trusted_domain_objects(self, domain=None, flatname=None, filter=,
+attrs=None, scope=_ldap.SCOPE_SUBTREE, basedn=None):
+
+Search for LDAP objects in a trusted domain specified either by `domain'
+or `flatname'. The actual LDAP search is specified by `filter', `attrs',
+`scope' and `basedn'. When `basedn' is empty, database root DN is used.
+
+assert domain is not None or flatname is not None
 Returns SID for the trusted domain object (user or group only)
 if not 
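Review bot: the old docstring line `Returns SID for the trusted domain object (user or group only)` still follows the new `assert domain is not None or flatname is not None` as unchanged context, so unless the rest of this hunk (cut off here) removes it, `get_trusted_domain_objects()` ends up with a stray string statement after its own docstring; move that text into the method that now returns the SID, or drop it. Because the method takes a caller-supplied `filter` and the commit message describes it as allowing "any LDAP search", every caller that builds the filter from a name that came from a user (the hbactest `--user` value, or the external member value in group-add-member) has to escape it first, for example with python-ldap's `ldap.filter.escape_filter_chars`; otherwise a name containing `)(` or `*` becomes an LDAP filter injection into the GC search. Also consider renaming the parameter so it does not shadow the builtin `filter`, and replacing the `assert` with a raised `ValueError`, since asserts disappear under `python -O`.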

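Worked example added by the editor, not FreeIPA code and not part of Martin's message: an offline model of steps 2-4 above for one trusted-domain user. It decodes the binary SIDs an AD Global Catalog returns in tokenGroups, builds an escaped LDAP filter for IPA external groups listing any of them, then walks group-of-group membership upward to collect every IPA group the AD user reaches, and finally applies the user part of an HBAC rule such as the can_login rule shown. The attribute and objectClass names (`ipaExternalMember`, `ipaExternalGroup`), the in-memory directory, and every SID other than the one shown on the page are constructed for the example.

```python
"""Offline model of the hbactest trusted-domain user path (added example, not FreeIPA code).

Attribute/objectClass names, the DIRECTORY contents and the SID values other
than S-1-5-21-3035198329-144811719-1378114514-512 are constructed for the example.
"""
import struct


def sid_from_bytes(blob):
    """Decode an AD binary SID: revision byte, sub-authority count byte, 48-bit
    big-endian identifier authority, then 32-bit little-endian sub-authorities."""
    if len(blob) < 8:
        raise ValueError("SID blob too short")
    revision, count = blob[0], blob[1]
    if revision != 1 or len(blob) != 8 + 4 * count:
        raise ValueError("malformed SID blob")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:])
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))


def sid_to_bytes(sid):
    """Inverse of sid_from_bytes; used here only to construct sample tokenGroups data."""
    parts = sid.split("-")
    if parts[0] != "S":
        raise ValueError("not a SID string")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def escape_filter_value(value):
    """RFC 4515 escaping, so a SID or name taken from AD cannot alter the
    structure of the filter it is spliced into."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def external_group_filter(sids):
    """Step 3 expressed as an LDAP filter (attribute and objectClass names assumed)."""
    clauses = "".join("(ipaExternalMember=%s)" % escape_filter_value(s) for s in sids)
    return "(&(objectClass=ipaExternalGroup)(|%s))" % clauses


# Constructed stand-in for the IPA LDAP database: group name -> attributes.
DIRECTORY = {
    "ext_all_admins": {
        "ipaExternalMember": {"S-1-5-21-3035198329-144811719-1378114514-512"},
        "memberOf": {"ad_test_admins"},
    },
    "ad_test_admins": {"ipaExternalMember": set(), "memberOf": {"ops"}},
    "ops": {"ipaExternalMember": set(), "memberOf": set()},
    "admins": {"ipaExternalMember": set(), "memberOf": set()},
}


def search_external_groups(directory, sids):
    """Step 3: external groups listing any of the SIDs (in-memory stand-in for
    the search that external_group_filter() would run against LDAP)."""
    wanted = set(sids)
    return {name for name, attrs in directory.items() if attrs["ipaExternalMember"] & wanted}


def groups_containing(directory, seeds):
    """Step 4: the seed groups plus every group that has them as a direct or
    indirect member, following memberOf upward; cycle-safe."""
    result, stack = set(), list(seeds)
    while stack:
        group = stack.pop()
        if group in result:
            continue
        result.add(group)
        stack.extend(directory[group]["memberOf"])
    return result


def resolve_ad_user_groups(directory, user_sid, token_groups_blobs):
    """Steps 2-4 for one AD user: its own SID plus the decoded tokenGroups SIDs."""
    sids = [user_sid] + [sid_from_bytes(b) for b in token_groups_blobs]
    return groups_containing(directory, search_external_groups(directory, sids))


def hbac_user_matches(rule_usergroups, user_groups, usercategory=None):
    """User part of the hbactest decision: user category 'all' or a shared group."""
    return usercategory == "all" or bool(set(rule_usergroups) & set(user_groups))


def demo():
    """The can_login rule's user groups against a constructed AD Administrator."""
    user_sid = "S-1-5-21-3035198329-144811719-1378114514-500"   # constructed RID 500
    token_groups = [sid_to_bytes("S-1-5-21-3035198329-144811719-1378114514-512"),
                    sid_to_bytes("S-1-5-21-3035198329-144811719-1378114514-513")]
    groups = resolve_ad_user_groups(DIRECTORY, user_sid, token_groups)
    return groups, hbac_user_matches(["admins", "ad_test_admins"], groups)
```

Running `demo()` returns the groups `ext_all_admins`, `ad_test_admins` and `ops` and a granted decision, matching the "Access granted: True / Matched rules: can_login" output above; a user whose tokenGroups contain no SID listed as an external member resolves to no groups and is denied. The escaping step is the part the real code must not skip once `get_trusted_domain_objects()` accepts a caller-built filter.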
Re: [Freeipa-devel] [PATCH] 349 Test NetBIOS name clash before creating a trust

2013-01-18 Thread Martin Kosek

On 01/17/2013 04:15 PM, Rob Crittenden wrote:

Martin Kosek wrote:

Give a clear message about what is wrong with the current Trust settings
before letting AD return a confusing error message.

https://fedorahosted.org/freeipa/ticket/3193


I hate being picky over wording but...

I think it would read better if you replaced 'this' with 'The IPA server' or
'IPA' or something like that.

rob



No worries, attaching a better worded version.

Martin
From cca2557282ef69e3791126a578e8c45a18460c47 Mon Sep 17 00:00:00 2001
From: Martin Kosek mko...@redhat.com
Date: Fri, 11 Jan 2013 16:33:43 +0100
Subject: [PATCH] Test NetBIOS name clash before creating a trust

Give a clear message about what is wrong with the current Trust settings
before letting AD return a confusing error message.

https://fedorahosted.org/freeipa/ticket/3193
---
 ipaserver/dcerpc.py | 6 ++
 1 file changed, 6 insertions(+)

diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
index 54a70defc9df52db58054d29c1c9f9189a88cabb..f1d148f0bccfff9568dff49d0eb64c6b815d578f 100644
--- a/ipaserver/dcerpc.py
+++ b/ipaserver/dcerpc.py
@@ -585,6 +585,12 @@ class TrustDomainInstance(object):
 info.trust_type = lsa.LSA_TRUST_TYPE_UPLEVEL
 info.trust_attributes = lsa.LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE
 
+if self.info['name'] == info.netbios_name.string:
+# Check that NetBIOS names do not clash
+raise errors.ValidationError(name=u'AD Trust Setup',
+error=_('the IPA server and the remote domain cannot share the same '
+'NetBIOS name: %s') % self.info['name'])
+
 try:
 dname = lsa.String()
 dname.string = another_domain.info['dns_domain']
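Review bot: the clash check `if self.info['name'] == info.netbios_name.string:` compares case-sensitively, but NetBIOS names are case-insensitive and are normally carried in upper case, so an IPA flat name `Example` against a remote `EXAMPLE` slips past the check and still produces the confusing AD error this patch is meant to pre-empt; compare `self.info['name'].upper() == info.netbios_name.string.upper()` instead. The check also sits after `info.trust_type` and `info.trust_attributes` have been filled in; raising before any of the `info` fields are populated would make the validation easier to find and keeps the method from doing work it then discards.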
-- 
1.7.11.7
