Re: [Freeipa-devel] [PATCH] 0134 support bool type in CLI list output
On Fri, 17 Jan 2014, Alexander Bokovoy wrote: On Fri, 17 Jan 2014, Petr Viktorin wrote: On 01/16/2014 10:14 PM, Dmitri Pal wrote: On 01/16/2014 12:32 PM, Alexander Bokovoy wrote: On Thu, 16 Jan 2014, Alexander Bokovoy wrote: Hi, when testing changes to trustdomain-find to display status of the child domain (Domain enabled: True/False), Steeve found that on RHEL 7 beta Python doesn't coerce bool to string, while on Fedora 20 it does. To work around this issue I decided to extend encode_binary() method by converting bool values to unicode in CLI output. Steeve will file a ticket shortly. Here is the bug: https://bugzilla.redhat.com/show_bug.cgi?id=1054376 https://fedorahosted.org/freeipa/ticket/4122 This looks like something I touched in commit 7ec4d58; could you check if it solves the issue? https://git.fedorahosted.org/cgit/freeipa.git/commit/?id=7ec4d58bf71077da5859ab798640479955fbdd48 This commit isn't in 3.3 branch which explains why it failed on RHEL 7. I think we should propagate your commit to 3.3 branch. I've pushed 7ec4d58b to ipa-3-3 branch. We can withdraw my patch 0134. -- / Alexander Bokovoy ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 450 Remove missing VERSION warning in dnsrecord-mod
dnsrecord-mod may call dnsrecord-delentry command when all records are deleted. However, the version was not passed to delentry and it resulted in a warning. https://fedorahosted.org/freeipa/ticket/4120 Pushed as a one-liner to master, ipa-3-3. Martin
From 49b6f950d8a33d8557c6a5d1a31f5c6c69cfa6cc Mon Sep 17 00:00:00 2001 From: Martin Kosek mko...@redhat.com Date: Fri, 17 Jan 2014 09:26:35 +0100 Subject: [PATCH] Remove missing VERSION warning in dnsrecord-mod dnsrecord-mod may call dnsrecord-delentry command when all records are deleted. However, the version was not passed to delentry and it resulted in a warning. https://fedorahosted.org/freeipa/ticket/4120 --- ipalib/plugins/dns.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py index 07523dc72466892f0e7d5fdd9261024d0e898548..94ae92ba5d1ae42e31ebb6100c743a2334f29e70 100644 --- a/ipalib/plugins/dns.py +++ b/ipalib/plugins/dns.py @@ -2636,7 +2636,7 @@ def execute(self, *keys, **options): break if del_all: -return self.obj.methods.delentry(*keys) +return self.obj.methods.delentry(*keys, version=options['version']) return result def post_callback(self, ldap, dn, entry_attrs, *keys, **options): -- 1.8.4.2
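Review bot: `options['version']` in the new `delentry(*keys, version=...)` call is a bare subscript, so if `version` can ever be absent from `options` by the time `execute` reaches `del_all`, the patch trades a warning for a KeyError. If the framework guarantees the key is always present at this point, a short comment saying so would help the next reader; otherwise `version=options.get('version')` keeps the old behaviour as the fallback. It is also worth checking whether the other internal `self.obj.methods.*` calls in this plugin need the same treatment, since the missing-version warning fires for each of them.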
Re: [Freeipa-devel] [PATCH] 232 Increase service startup timeout default
On 01/15/2014 05:38 PM, Alexander Bokovoy wrote: On Wed, 15 Jan 2014, Jan Cholasta wrote: don't see why a single fix should be dispersed among multiple patches. Patch attached, it obsoletes your patch 179. Thanks, but I don't understand why you squashed my patch 179 into your patch, the fixes are for separate issues (yield exception handling vs. previously stopped service being started). Because you just said above: suggest you amend your patch with any changes you deem necessary, I don't see why a single fix should be dispersed among multiple patches. a single fix is now not dispersed among multiple patches. Well, now it's multiple fixes in a single patch. What I meant to end up with is single fix per single patch (see attachment). Now it is clearer. :) ACK to these patches. All 3 patches are now pushed to master, ipa-3-3. Martin
Re: [Freeipa-devel] [PATCH] 0135 resolve SIDs to names in group-show for external members
On Thu, 16 Jan 2014, Alexander Bokovoy wrote: Hi, when group contains external members, they are specified using SIDs. Use trust-resolve command to convert them back on group-show. https://bugzilla.redhat.com/show_bug.cgi?id=1054391 Sumit found an omission in name translation. New patch is attached. -- / Alexander Bokovoy
From d7ce2cd8e646b7d07f80d19f4aa945e74b084aa7 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy aboko...@redhat.com Date: Thu, 16 Jan 2014 20:31:37 +0200 Subject: [PATCH 4/4] group-show: resolve external members of the groups Perform SID to name conversion for existing external members of the groups if trust is configured. https://bugzilla.redhat.com/show_bug.cgi?id=1054391 https://fedorahosted.org/freeipa/ticket/4123 --- ipalib/plugins/group.py | 15 +++ 1 file changed, 15 insertions(+) diff --git a/ipalib/plugins/group.py b/ipalib/plugins/group.py index 02eeb10..dac5500 100644 --- a/ipalib/plugins/group.py +++ b/ipalib/plugins/group.py @@ -387,6 +387,21 @@ api.register(group_find) class group_show(LDAPRetrieve): __doc__ = _('Display information about a named group.') has_output_params = LDAPRetrieve.has_output_params + (ipaexternalmember_param,) +def post_callback(self, ldap, dn, entry_attrs, *keys, **options): +assert isinstance(dn, DN) +if ('ipaexternalmember' in entry_attrs and +len(entry_attrs['ipaexternalmember']) 0 and +'trust_resolve' in self.Command and +not options.get('raw', False)): +sids = entry_attrs['ipaexternalmember'] +result = self.Command.trust_resolve(sids=sids) +for entry in result['result']: +try: +idx = sids.index(entry['sid'][0]) +sids[idx] = entry['name'][0] +except ValueError: +pass +return dn api.register(group_show) -- 1.8.4.2
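Review bot: `self.Command.trust_resolve(sids=sids)` in the new `post_callback` is called with no error handling, so any failure inside `trust_resolve` (trust not actually configured, resolver backend unavailable) turns a previously working `group-show` into an error; catching the command's public errors and leaving the raw SIDs in place would degrade gracefully instead. The guard `'trust_resolve' in self.Command` only checks that the command is registered, not that a trust is configured as the commit message says. Also, because `sids` is `entry_attrs['ipaexternalmember']` itself, the loop mutates the LDAP entry in place and mixes resolved names with any SIDs that did not resolve in one list, and the `except ValueError: pass` makes that silent, so a caller cannot tell which values were left as SIDs.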
Re: [Freeipa-devel] [PATCH] 210 Allow SAN in IPA certificate profile
On 10.1.2014 13:34, Martin Kosek wrote: On 01/09/2014 04:49 PM, Simo Sorce wrote: On Thu, 2014-01-09 at 10:44 -0500, Rob Crittenden wrote: Martin Kosek wrote: On 01/09/2014 03:12 PM, Simo Sorce wrote: Also maybe we should allow admins to bypass the need to have an actual object to represent the alt name ? I'd rather not. This would allow a rogue admin to create a cert for www.google.com. Sure, they could also create a host for that but forcing them to add more entries increases the chances of them getting caught doing it. They can remove the host right after they create a cert, I honestly do not think this is a valid concern. If your admin is rogue he can already take full ownership of your infrastructure in many ways, preventing setting a name in a cert doesn't really make a difference IMO. However I would be ok to limit this to some new Security Admin/CA Admin role that is not assigned by default. Simo. Ok, let's reach some conclusion here. I would really like to not defer this feature for too long, it is quite wanted. Would creating new virtual operation Request certificate with SAN make the situation better? It would not be so difficult to do, the check_access function can already access virtual operation name as a parameter, we just need to call it. Why don't we treat SAN hostnames the same way as the subject hostname? The way I see it, with SAN the only difference is that there is a set of hostnames instead of just a single hostname, so maybe we should support requesting a certificate for a set of hosts/services instead of just a single host/service. As far as authorization is concerned, currently you can request a certificate for a single host/service, if you have the Request certificate permission and write access to the host/service entry. With multiple hosts/services, you would be able to request a certificate if you have the Request certificate permission and write access to *all* of the host/certificate entries you are requesting the certificate for. Effectively this means that cert-request would accept multiple principals instead of single principal and the automatic revocation code in cert-request, host-del and service-del would take into account that a single certificate might be assigned to multiple entities. -- Jan Cholasta
Re: [Freeipa-devel] [PATCH] 0135 resolve SIDs to names in group-show for external members
On Fri, Jan 17, 2014 at 11:49:18AM +0200, Alexander Bokovoy wrote: On Thu, 16 Jan 2014, Alexander Bokovoy wrote: Hi, when group contains external members, they are specified using SIDs. Use trust-resolve command to convert them back on group-show. https://bugzilla.redhat.com/show_bug.cgi?id=1054391 Sumit found an omission in name translation. New patch is attached. -- / Alexander Bokovoy Patch now works as expected and python code looks good to me, so ACK. It would be nice if anyone else can check the python code before committing the patch. bye, Sumit
Re: [Freeipa-devel] [PATCH] 0135 resolve SIDs to names in group-show for external members
On 01/17/2014 11:50 AM, Sumit Bose wrote: On Fri, Jan 17, 2014 at 11:49:18AM +0200, Alexander Bokovoy wrote: On Thu, 16 Jan 2014, Alexander Bokovoy wrote: Hi, when group contains external members, they are specified using SIDs. Use trust-resolve command to convert them back on group-show. https://bugzilla.redhat.com/show_bug.cgi?id=1054391 Sumit found an omission in name translation. New patch is attached. -- / Alexander Bokovoy Patch now works as expected and python code looks good to me, so ACK. It would be nice if anyone else can check the python code before committing the patch. bye, Sumit Sumit, did you also test Web UI? We should check how it works there, we may no longer need to call trust-resolve internally there given it was changed on server side. If not, Petr1 plans to check that now. Martin
Re: [Freeipa-devel] [PATCH] 0135 resolve SIDs to names in group-show for external members
On Fri, Jan 17, 2014 at 12:09:03PM +0100, Martin Kosek wrote: On 01/17/2014 11:50 AM, Sumit Bose wrote: On Fri, Jan 17, 2014 at 11:49:18AM +0200, Alexander Bokovoy wrote: On Thu, 16 Jan 2014, Alexander Bokovoy wrote: Hi, when group contains external members, they are specified using SIDs. Use trust-resolve command to convert them back on group-show. https://bugzilla.redhat.com/show_bug.cgi?id=1054391 Sumit found an omission in name translation. New patch is attached. -- / Alexander Bokovoy Patch now works as expected and python code looks good to me, so ACK. It would be nice if anyone else can check the python code before committing the patch. bye, Sumit Sumit, did you also test Web UI? We should check how it works there, we may no longer need to call trust-resolve internally there given it was changed on server side. If not, Petr1 plans to check that now. sorry, no, I didn't check it. bye, Sumit Martin
Re: [Freeipa-devel] [PATCH] 0135 resolve SIDs to names in group-show for external members
On 17.1.2014 12:27, Sumit Bose wrote: On Fri, Jan 17, 2014 at 12:09:03PM +0100, Martin Kosek wrote: On 01/17/2014 11:50 AM, Sumit Bose wrote: On Fri, Jan 17, 2014 at 11:49:18AM +0200, Alexander Bokovoy wrote: On Thu, 16 Jan 2014, Alexander Bokovoy wrote: Hi, when group contains external members, they are specified using SIDs. Use trust-resolve command to convert them back on group-show. https://bugzilla.redhat.com/show_bug.cgi?id=1054391 Sumit found an omission in name translation. New patch is attached. -- / Alexander Bokovoy Patch now works as expected and python code looks good to me, so ACK. It would be nice if anyone else can check the python code before committing the patch. bye, Sumit Sumit, did you also test Web UI? We should check how it works there, we may no longer need to call trust-resolve internally there given it was changed on server side. If not, Petr1 plans to check that now. sorry, no, I didn't check it. bye, Sumit Martin On my test system trust-resolve command is somehow broken. It doesn't return any names; therefore I was not able to test Alexander's patch properly. Anyway, attached patch removes the functionality from Web UI. -- Petr Vobornik
From f55645dc41728e1ac453633babbcfe4b39568551 Mon Sep 17 00:00:00 2001 From: Petr Vobornik pvobo...@redhat.com Date: Fri, 17 Jan 2014 12:43:11 +0100 Subject: [PATCH] Remove SID resolve call from Web UI - it's called in group-show https://bugzilla.redhat.com/show_bug.cgi?id=1054391 --- install/ui/src/freeipa/association.js | 52 --- install/ui/src/freeipa/group.js | 1 - 2 files changed, 53 deletions(-) diff --git a/install/ui/src/freeipa/association.js b/install/ui/src/freeipa/association.js index 8709b9045bc1baa7f08067fb57f39ce562c050d1..7b4a78d5a678861e60ba3db3c8ed6bf561629b25 100644 --- a/install/ui/src/freeipa/association.js +++ b/install/ui/src/freeipa/association.js @@ -1508,58 +1508,6 @@ exp.attribute_facet = IPA.attribute_facet = function(spec, no_init) { }; /** - * SID facet - * @class association.sid_facet - * @alternateClassName IPA.sid_facet - * @extends association.attribute_facet - */ -exp.sid_facet = IPA.sid_facet = function(spec, no_init) { - -spec.name = spec.name || 'sid_facet'; - -var that = IPA.attribute_facet(spec, no_init); - -that.load_records = function(value) { -var xlate = {}; -var sidxlate_command = IPA.command({ -entity: 'trust', -method: 'resolve', -options: { -sids: '' -} -}); -sidxlate_command.on_success = function(data, text_status, xhr) { -for (var i=0; i data.result.result.length; i++) { -var entry = data.result.result[i]; -if (entry.sid[0] in xlate) { -xlate[entry.sid[0]].resolve(entry.name[0]); -} -} -}; -that.table.empty(); - -if (value.length === 0) return; - -var sids = []; -for (var i=0; i value.length; i++) { -var sid = value[i][that.attribute]; -var deferred = new Deferred(); -value[i][that.attribute] = { -promise: deferred.promise, -temp: sid -}; -xlate[sid] = deferred; -sids.push(sid); -that.add_record(value[i]); -} -sidxlate_command.options.sids = sids; -sidxlate_command.execute(); -}; - -return that; -}; - -/** * Attriute read-only evaluator * @class IPA.attr_read_only_evaluator * @extends IPA.state_evaluator diff --git a/install/ui/src/freeipa/group.js b/install/ui/src/freeipa/group.js index 5e8cdf991cdaf4f52e3f49dca431e999a72f2089..bb12d902fcba8228098b667aa6fbd3fa7daee34d 100644 --- a/install/ui/src/freeipa/group.js +++ b/install/ui/src/freeipa/group.js @@ -112,7 +112,6 @@ return { }, { $type: 'attribute', -$factory: IPA.sid_facet, name: 'member_external', attribute: 'ipaexternalmember', tab_label: 'External', -- 1.8.4.2
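Review bot: removing `exp.sid_facet = IPA.sid_facet` deletes a name that was exported on both `exp` and the global `IPA` namespace, so any out-of-tree UI plugin still referencing `IPA.sid_facet` as a `$factory` will get `undefined`; if compatibility matters on ipa-3-3, a thin alias that delegates to `IPA.attribute_facet` would keep such plugins loading. The removed `load_records` was also a user of `new Deferred()`, so check whether the `Deferred` dependency at the top of association.js is now unused. In group.js the `member_external` facet now displays whatever `ipaexternalmember` the server returns, which means the Web UI relies on the server-side `group-show` change being deployed; against an older server, or with `--raw`, it will show SIDs again, which is acceptable but worth noting in the commit message.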
[Freeipa-devel] [PATCH] 0136 ipa-adtrust-install configure host netbios name by default
https://fedorahosted.org/freeipa/ticket/4116 -- / Alexander Bokovoy
From a37901e6464e79e10555187d0f8b54d0a7176be0 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy aboko...@redhat.com Date: Fri, 17 Jan 2014 14:09:34 +0200 Subject: [PATCH 5/5] ipa-adtrust-install: configure host netbios name by default Ensure we set host netbios name by default in smb.conf https://fedorahosted.org/freeipa/ticket/4116 --- install/share/smb.conf.template | 1 + ipaserver/install/adtrustinstance.py | 3 +++ 2 files changed, 4 insertions(+) diff --git a/install/share/smb.conf.template b/install/share/smb.conf.template index 086b0fc..2908b99 100644 --- a/install/share/smb.conf.template +++ b/install/share/smb.conf.template @@ -1,5 +1,6 @@ [global] workgroup = $NETBIOS_NAME +netbios name = $HOST_NETBIOS_NAME realm = $REALM kerberos method = dedicated keytab dedicated keytab file = FILE:/etc/samba/samba.keytab diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py index 2f1c999..5eb6157 100644 --- a/ipaserver/install/adtrustinstance.py +++ b/ipaserver/install/adtrustinstance.py @@ -124,6 +124,7 @@ class ADTRUSTInstance(service.Service): self.secondary_rid_base = None self.fqdn = None +self.host_netbios_name = None self.realm = None self.domain_name = None @@ -151,6 +152,7 @@ class ADTRUSTInstance(service.Service): # Values obtained from API.env self.fqdn = self.fqdn or api.env.host +self.host_netbios_name = make_netbios_name(self.fqdn) self.realm = self.realm or api.env.realm self.domain_name = self.domain_name or api.env.domain @@ -769,6 +771,7 @@ class ADTRUSTInstance(service.Service): self.sub_dict = dict(REALM = self.realm, SUFFIX = self.suffix, NETBIOS_NAME = self.netbios_name, + HOST_NETBIOS_NAME = self.host_netbios_name, SMB_DN = self.smb_dn, LDAPI_SOCKET = self.ldapi_socket, FQDN = self.fqdn) -- 1.8.4.2
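Review bot: `self.host_netbios_name = make_netbios_name(self.fqdn)` unconditionally overwrites the attribute, unlike the neighbouring `self.fqdn = self.fqdn or api.env.host` pattern, so the `None` set in `__init__` can never be replaced by a caller-supplied value; `self.host_netbios_name = self.host_netbios_name or make_netbios_name(self.fqdn)` would match the surrounding code and leave room for an override. Since the template now writes the result straight into `netbios name = $HOST_NETBIOS_NAME` in smb.conf, please also confirm that `make_netbios_name` derives the name from the first label of the FQDN only and applies the 15-character NetBIOS limit, as a dotted or over-long value is not a valid NetBIOS name and would be rejected or silently truncated by Samba.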
Re: [Freeipa-devel] [PATCH] 0135 resolve SIDs to names in group-show for external members
On Fri, Jan 17, 2014 at 01:02:18PM +0100, Petr Vobornik wrote: On 17.1.2014 12:27, Sumit Bose wrote: On Fri, Jan 17, 2014 at 12:09:03PM +0100, Martin Kosek wrote: On 01/17/2014 11:50 AM, Sumit Bose wrote: On Fri, Jan 17, 2014 at 11:49:18AM +0200, Alexander Bokovoy wrote: On Thu, 16 Jan 2014, Alexander Bokovoy wrote: Hi, when group contains external members, they are specified using SIDs. Use trust-resolve command to convert them back on group-show. https://bugzilla.redhat.com/show_bug.cgi?id=1054391 Sumit found an omission in name translation. New patch is attached. -- / Alexander Bokovoy Patch now works as expected and python code looks good to me, so ACK. It would be nice if anyone else can check the python code before committing the patch. bye, Sumit Sumit, did you also test Web UI? We should check how it works there, we may no longer need to call trust-resolve internally there given it was changed on server side. If not, Petr1 plans to check that now. sorry, no, I didn't check it. bye, Sumit Martin On my test system trust-resolve command is somehow broken. It doesn't return any names; therefore I was not able to test Alexander's patch properly. Anyway, attached patch removes the functionality from Web UI. WebUI still translates the SIDs here, so ACK. bye, Sumit -- Petr Vobornik
Re: [Freeipa-devel] [PATCH][bind-dyndb-ldap] Fix warning duplicate 'const' declaration specifier
On 10/30/2013 09:21 AM, Lukas Slebodnik wrote: ehlo, There were a few warnings in bind-dyndb-ldap: duplicate 'const' declaration specifier. It does not make sense to have const twice in a declaration like const settings_set_t const settings_default_set. This one was a false positive. The 2nd warning revealed a potential problem: const char const * dns_str With the previous declaration, you cannot modify data, but you can modify the pointer itself. *dns_str = "asdasd"; // compilation error dns_str++; // works fine If you want to disable modification of data and disable modification of the pointer you will need to have a 2nd const modifier after the star *. You can find some examples of const usage in the attached file test.c or you can read an article with an explanation of the following declaration: char *(*(**foo [][8])())[]; http://eli.thegreenplace.net/2008/07/18/reading-c-type-declarations/ Simple patch is attached. LS ACK. Looks good. Regards, Tomas Hozza
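The three placements of `const` that the message above distinguishes, as an added C example (not the bind-dyndb-ldap patch or the attached test.c): a read-only pointee whose pointer can still be advanced, a fixed pointer to writable data, and the fully locked form wanted for `dns_str`. The lines that would not compile are kept as comments so the block builds.

```c
#include <stddef.h>
#include <string.h>

/* Added example, not from the patch: what each const placement forbids. */

/* 1. "const char *s" (identical to "char const *s", and to the duplicated
 *    "const char const *s" that produced the warning): the characters are
 *    read-only, but the pointer itself may be moved. */
static size_t count_pointee_const(const char *s, char c)
{
    size_t n = 0;
    for (; *s != '\0'; s++) {       /* s++ is allowed: only *s is const */
        if (*s == c)
            n++;
    }
    /* *s = 'x';   <- error: assignment of read-only location */
    return n;
}

/* 2. "char *const s": the pointer is fixed, the characters may be written. */
static void upcase_first_pointer_const(char *const s)
{
    /* s++;        <- error: increment of read-only variable 's' */
    if (s[0] >= 'a' && s[0] <= 'z')
        s[0] = (char)(s[0] - 'a' + 'A');   /* writing through s is fine */
}

/* Helper so the effect of (2) can be observed on a private, writable copy. */
static char upcase_first_of_copy(const char *src)
{
    char buf[32];
    size_t len = strlen(src);
    if (len >= sizeof buf)
        len = sizeof buf - 1;
    memcpy(buf, src, len);
    buf[len] = '\0';
    upcase_first_pointer_const(buf);
    return buf[0];
}

/* 3. "const char *const s": neither the pointer nor the data can change,
 *    which is the intent for dns_str.  Walking the string must use an
 *    index, because s++ is no longer permitted. */
static size_t count_both_const(const char *const s, char c)
{
    size_t n = 0;
    for (size_t i = 0; s[i] != '\0'; i++) {
        if (s[i] == c)
            n++;
    }
    return n;
}
```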
Re: [Freeipa-devel] [PATCH 0204] Remove obsolete zr_get_rbt() function from zone register
On 11/11/2013 12:53 PM, Petr Spacek wrote: Hello, Remove obsolete zr_get_rbt() function from zone register. ACK. Patch looks good. Regards, Tomas Hozza
[Freeipa-devel] [PATCH] 451 Hide trust-resolve command
We do not need to expose a public FreeIPA specific interface to resolve SIDs to names. The interface is only used internally to resolve SIDs when external group members are listed. Additionally, the command interface is not prepared for regular users and can give rather confusing results. Hide it from CLI. The API itself is still accessible and compatible with older clients. https://fedorahosted.org/freeipa/ticket/4113 This patch comes from a discussion between developers and testers whether this interface is still useful or not. Given it hides the trust-resolve command from CLI, it obsoletes Alexander's patch 133. Martin
From bc6f4265cc0fcc5d715bbb8df15a9f1e18c3b0fa Mon Sep 17 00:00:00 2001 From: Martin Kosek mko...@redhat.com Date: Fri, 17 Jan 2014 16:13:17 +0100 Subject: [PATCH] Hide trust-resolve command We do not need to expose a public FreeIPA specific interface to resolve SIDs to names. The interface is only used internally to resolve SIDs when external group members are listed. Additionally, the command interface is not prepared for regular users and can give rather confusing results. Hide it from CLI. The API itself is still accessible and compatible with older clients. https://fedorahosted.org/freeipa/ticket/4113 --- ipalib/plugins/trust.py | 1 + 1 file changed, 1 insertion(+) diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py index 3d412c9c9f518347769e88ddc9089d6d92ccc4be..0b6db27c696cd169c8f4b33128520961c20e3015 100644 --- a/ipalib/plugins/trust.py +++ b/ipalib/plugins/trust.py @@ -978,6 +978,7 @@ def idmap_type_string(level): return unicode(string) class trust_resolve(Command): +NO_CLI = True __doc__ = _('Resolve security identifiers of users and groups in trusted domains') takes_options = ( -- 1.8.4.2
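Review bot: `NO_CLI = True` only removes `trust_resolve` from the command-line client; as the commit message itself says, the command stays reachable over the API, so any authenticated caller (the Web UI, older clients, or a hand-written JSON-RPC request) can still invoke it. Given the stated concern that it is not prepared for regular users and gives confusing results, this is a UX change rather than an access-control one; if the goal is also to restrict who may resolve arbitrary SIDs, that has to be enforced inside the command or via permissions, not by `NO_CLI`, and the commit message should say which of the two is intended so nobody later reads "hidden" as "restricted".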
[Freeipa-devel] [PATCH] 543 Trust domains Web UI
Note: this version of the patch is especially prepared for ipa-3-3 branch. Add Web UI counterpart of the following CLI commands:
* trust-fetch-domains Refresh list of the domains associated with the trust
* trustdomain-del Remove information about the domain associated with the trust.
* trustdomain-disable Disable use of IPA resources by the domain of the trust
* trustdomain-enable Allow use of IPA resources by the domain of the trust
* trustdomain-find Search domains of the trust
https://fedorahosted.org/freeipa/ticket/4119 -- Petr Vobornik
From 152aaf52f7daaf50ae44a4761849603756c186d1 Mon Sep 17 00:00:00 2001 From: Petr Vobornik pvobo...@redhat.com Date: Wed, 15 Jan 2014 18:01:02 +0100 Subject: [PATCH] Trust domains Web UI Add Web UI counterpart of the following CLI commands: * trust-fetch-domains Refresh list of the domains associated with the trust * trustdomain-del Remove information about the domain associated with the trust. * trustdomain-disable Disable use of IPA resources by the domain of the trust * trustdomain-enable Allow use of IPA resources by the domain of the trust * trustdomain-find Search domains of the trust https://fedorahosted.org/freeipa/ticket/4119 --- install/ui/src/freeipa/search.js | 11 +++--- install/ui/src/freeipa/trust.js| 68 ++ install/ui/test/data/ipa_init.json | 1 + ipalib/plugins/internal.py | 1 + 4 files changed, 77 insertions(+), 4 deletions(-) diff --git a/install/ui/src/freeipa/search.js b/install/ui/src/freeipa/search.js index c2e678a35e7d7d5179c1b766eea88599710593c3..3f7fdf9b1e6716c73e0657dc678abe332f6fc8c0 100644 --- a/install/ui/src/freeipa/search.js +++ b/install/ui/src/freeipa/search.js @@ -470,20 +470,23 @@ IPA.batch_items_action = function(spec) { that.execute_action = function(facet, on_success, on_error) { var entity = facet.managed_entity; -var pkeys = facet.get_selected_values(); +var selected_keys = facet.get_selected_values(); +var pkeys = facet.get_pkeys(); +if (!pkeys[0]) pkeys = []; // correction for search facet that.batch = IPA.batch_command({ name: entity.name + '_batch_'+ that.method, on_success: that.get_on_success(facet, on_success) }); -for (var i=0; ipkeys.length; i++) { -var pkey = pkeys[i]; +for (var i=0; iselected_keys.length; i++) { +var item_keys = pkeys.splice(0); +item_keys.push(selected_keys[i]); var command = IPA.command({ entity: entity.name, method: that.method, -args: [pkey] +args: item_keys }); that.batch.add_command(command); diff --git a/install/ui/src/freeipa/trust.js b/install/ui/src/freeipa/trust.js index 2653d3e67c2c5591f000e32c43a3a5878eef28fd..51f2000b47fd7943cb9a200c9bec7ebd3459178a 100644 --- a/install/ui/src/freeipa/trust.js +++ b/install/ui/src/freeipa/trust.js @@ -48,6 +48,7 @@ return { dest_facet: 'search' } ], +facet_groups: [ 'settings', 'trustdomain' ], facets: [ { $type: 'search', @@ -56,6 +57,63 @@ return { ] }, { +$type: 'nested_search', +$pre_ops: [ +// trustdomain-add is hidden, remove add button +{ $del: [[ 'control_buttons', [{ name: 'add'}] ]] } +], +nested_entity: 'trustdomain', +facet_group: 'trustdomain', +name: 'domains', +label: '@mo:trustdomain.label', +tab_label: '@mo:trustdomain.label', +search_all_entries: true, +actions: [ +{ +$type: 'batch_disable' +}, +{ +$type: 'batch_enable' +}, +{ +$type: 'object', +name: 'fetch', +label: '@i18n:objects.trust.fetch_domains', +method: 'fetch_domains' +} +], +control_buttons: [ +{ +name: 'disable', +label: '@i18n:buttons.disable', +icon: 'fa-minus' +}, +{ +name: 'enable', +label: '@i18n:buttons.enable', +icon: 'fa-check' +}, +{ +name: 'fetch', +label: '@i18n:objects.trust.fetch_domains', +icon: 'fa-download' +} +], +columns: [ +{ +name: 'cn', +link: false +}, +{ +name: 'domain_enabled', +label: '@i18n:status.label', +formatter:
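Review bot: in the search.js hunk, `var item_keys = pkeys.splice(0);` empties `pkeys`: `Array.prototype.splice(0)` removes and returns every element, so on the second pass through the `selected_keys` loop `pkeys` is `[]` and each command after the first is built with `item_keys` holding only `selected_keys[i]`, dropping the parent trust's key from `args`. `pkeys.slice(0)` (a copy) is what is intended. As written, batch enable/disable with more than one trust domain selected sends the wrong arguments for every domain but the first, which also means the batch is likely to fail half-way with a confusing error in the UI.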
[Freeipa-devel] [PATCH] 1106 IPA REST smart proxy
Implement an IPA RESTful Foreman-compatible smart proxy. This exposes hosts and hostgroups via an unauthenticated REST API. The idea is that this service runs on the Foreman server and only listens on local ports. It is a CherryPy-based server, which handles the majority of REST for us. I included some tests, they can be executed with: nosetests -v smartproxy/tests It is installable as a separate RPM but the local machine needs to be an IPA client. Configuration instructions are in the ipa-rest.1 man page. This requires an updated python-kerberos currently only available in rawhide: python-kerberos-1.1-13.fc21 http://www.freeipa.org/page/V3/Smart_Proxy rob
From 0e4e6b47d96675abefa72eedc1afbeec94e05900 Mon Sep 17 00:00:00 2001 From: Rob Crittenden rcrit...@redhat.com Date: Tue, 3 Dec 2013 09:14:00 -0700 Subject: [PATCH] Implement an IPA REST server This server currently supports only host and hostgroup commands for retrieving, adding and deleting entries. The incoming requests are completely unauthenticated and by default requests must be local. Utilize GSS-Proxy to manage the TGT. Configuration information is in the ipa-rest man page. Design: http://www.freeipa.org/page/V3/Smart_Proxy --- Makefile | 5 +- freeipa.spec.in| 21 +++ ipalib/util.py | 13 +- smartproxy/Makefile.am | 43 ++ smartproxy/configure.ac| 75 +++ smartproxy/gssproxy.conf.snippet | 6 + smartproxy/ipa-rest| 260 + smartproxy/ipa-rest.conf | 15 +++ smartproxy/ipa-rest.logrotate | 11 ++ smartproxy/ipa-rest.service| 12 ++ smartproxy/man/Makefile.am | 19 +++ smartproxy/man/ipa-rest.1 | 78 +++ smartproxy/man/ipa-rest.conf.5 | 72 ++ smartproxy/tests/resttest.py | 164 +++ smartproxy/tests/test_host.py | 144 smartproxy/tests/test_hostgroup.py | 97 ++ 16 files changed, 1029 insertions(+), 6 deletions(-) create mode 100644 smartproxy/Makefile.am create mode 100644 smartproxy/configure.ac create mode 100644 smartproxy/gssproxy.conf.snippet create mode 100755 smartproxy/ipa-rest create mode 100644 smartproxy/ipa-rest.conf create mode 100644 smartproxy/ipa-rest.logrotate create mode 100644 smartproxy/ipa-rest.service create mode 100644 smartproxy/man/Makefile.am create mode 100644 smartproxy/man/ipa-rest.1 create mode 100644 smartproxy/man/ipa-rest.conf.5 create mode 100644 smartproxy/tests/resttest.py create mode 100644 smartproxy/tests/test_host.py create mode 100644 smartproxy/tests/test_hostgroup.py diff --git a/Makefile b/Makefile index 0a300b4..9d6d93d 100644 --- a/Makefile +++ b/Makefile @@ -1,6 +1,6 @@ include VERSION -SUBDIRS=daemons install ipapython ipa-client +SUBDIRS=daemons install ipapython ipa-client smartproxy CLIENTDIRS=ipapython ipa-client PRJ_PREFIX=freeipa @@ -74,6 +74,7 @@ bootstrap-autogen: version-update client-autogen @echo Building IPA $(IPA_VERSION) cd daemons; if [ ! -e Makefile ]; then ../autogen.sh --prefix=/usr --sysconfdir=/etc --localstatedir=/var --libdir=$(LIBDIR) --with-openldap; fi cd install; if [ ! -e Makefile ]; then ../autogen.sh --prefix=/usr --sysconfdir=/etc --localstatedir=/var --libdir=$(LIBDIR); fi + cd smartproxy; if [ ! -e Makefile ]; then ../autogen.sh --prefix=/usr --sysconfdir=/etc --localstatedir=/var --libdir=$(LIBDIR); fi client-autogen: version-update cd ipa-client; if [ ! -e Makefile ]; then ../autogen.sh --prefix=/usr --sysconfdir=/etc --localstatedir=/var --libdir=$(LIBDIR); fi @@ -194,6 +195,7 @@ tarballs: local-archive cd dist/$(TARBALL_PREFIX)/ipa-client; ../autogen.sh --prefix=/usr --sysconfdir=/etc --localstatedir=/var --libdir=$(LIBDIR); make distclean cd dist/$(TARBALL_PREFIX)/daemons; ../autogen.sh --prefix=/usr --sysconfdir=/etc --localstatedir=/var --libdir=$(LIBDIR); make distclean cd dist/$(TARBALL_PREFIX)/install; ../autogen.sh --prefix=/usr --sysconfdir=/etc --localstatedir=/var --libdir=$(LIBDIR); make distclean + cd dist/$(TARBALL_PREFIX)/smartproxy; ../autogen.sh --prefix=/usr --sysconfdir=/etc --localstatedir=/var --libdir=$(LIBDIR); make distclean cd dist; tar cfz sources/$(TARBALL) $(TARBALL_PREFIX) rm -rf dist/$(TARBALL_PREFIX) @@ -260,5 +262,6 @@ maintainer-clean: clean cd install $(MAKE) maintainer-clean cd ipa-client $(MAKE) maintainer-clean cd ipapython $(MAKE) maintainer-clean + cd smartproxy $(MAKE) maintainer-clean rm -f version.m4 rm -f freeipa.spec diff --git a/freeipa.spec.in b/freeipa.spec.in index 81c9672..da1e429 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -215,6 +215,17 @@ Cross-realm trusts with Active Directory in IPA require working Samba 4 installation. This package is provided for convenience to install all required dependencies at once. + +%package
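Review bot: the commit message states that requests are completely unauthenticated and that by default they must be local, but the part of the diff shown here only wires `smartproxy` into the build (`SUBDIRS`, the autogen, tarball and `maintainer-clean` targets) and into the spec, so the whole security boundary rests on the default bind address in `smartproxy/ipa-rest.conf` and on how `ipa-rest` decides a request is "local". Since `smartproxy/tests/test_host.py` and `test_hostgroup.py` are being added, a test that a non-local request is refused under the default configuration would pin that boundary down, and `man/ipa-rest.conf.5` should state plainly that widening the listener beyond localhost hands unauthenticated host and hostgroup add/delete to whoever can reach it. Separately, `SUBDIRS` now lists `smartproxy` while `CLIENTDIRS` does not, so client-only builds skip it; given the cover letter says the proxy host only needs to be an IPA client, confirm that placement is intentional.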
Re: [Freeipa-devel] [PATCH] 1106 IPA REST smart proxy
On 01/17/2014 04:24 PM, Rob Crittenden wrote: Implement an IPA RESTful Foreman-compatible smart proxy. This exposes hosts and hostgroups via an unauthenticated REST API. The idea is that this service runs on the Foreman server and only listens on local ports. It is a CherryPy-based server, which handles the majority of REST for us. I included some tests, they can be executed with: nosetests -v smartproxy/tests It is installable as a separate RPM but the local machine needs to be an IPA client. Configuration instructions are in the ipa-rest.1 man page. This requires an updated python-kerberos currently only available in rawhide: python-kerberos-1.1-13.fc21 http://www.freeipa.org/page/V3/Smart_Proxy rob What kind of pre-configuration does it require on the IPA side? Should we set up some special permission for the host that would run this proxy? -- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. --- Looking to carve out IT costs? www.redhat.com/carveoutcosts/
Re: [Freeipa-devel] [PATCH] 1106 IPA REST smart proxy
Dmitri Pal wrote: On 01/17/2014 04:24 PM, Rob Crittenden wrote: Implement an IPA RESTful Foreman-compatible smart proxy. This exposes hosts and hostgroups via an unauthenticated REST API. The idea is that this service runs on the Foreman server and only listens on local ports. It is a CherryPy-based server, which handles the majority of REST for us. I included some tests, they can be executed with: nosetests -v smartproxy/tests It is installable as a separate RPM but the local machine needs to be an IPA client. Configuration instructions are in the ipa-rest.1 man page. This requires an updated python-kerberos currently only available in rawhide: python-kerberos-1.1-13.fc21 http://www.freeipa.org/page/V3/Smart_Proxy rob What kind of pre-configuration does it require on the IPA side? Should we set up some special permission for the host that would run this proxy? Nothing is required on the server. I tested this on and off a server and it is largely independent. I document how to create a role and what privileges it needs. For the time being I'm using a normal IPA user as a service user for this. If we add services to roles I'd prefer that, https://fedorahosted.org/freeipa/ticket/3164 . rob