[Freeipa-devel] [PATCH] 0002 - User Life Cycle (create containers and scoping DS plugins)

2014-06-30 Thread thierry bordaz

Hello

   This patch (RF3813) sets up the DS plugins and containers required for
   User Life Cycle

 * creation of the Stage/Delete containers (Active container
   already exists)
 * attribute uniqueness (uid, ipaUniqueID, krbCanonicalName,
   krbPrincipalName) will be enforced across all backends with
   https://fedorahosted.org/389/ticket/47823
 * ipa UUID will exclude Stage/Delete container with a change in
   ipa-uuid (patch 0003)

Thanks
thierry
From 63241abc1dbb291745ad18c73ae5da415661d022 Mon Sep 17 00:00:00 2001
From: Thierry bordaz (tbordaz) tbor...@redhat.com
Date: Mon, 23 Jun 2014 11:05:18 +0200
Subject: [PATCH 1/2] Ticket 3813 - User Life Cycle: create containers and
 scoping  DS plugins

Bug Description:
	User Life Cycle is designed at http://www.freeipa.org/page/V4/User_Life-Cycle_Management
	It manages 3 containers (Staging, Active, Delete). At install, the Delete and Staging containers
	need to be created.
		Active: cn=users,cn=accounts,$SUFFIX
		Delete: cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX
		Stage:  cn=staged users ,cn=accounts,cn=provisioning,$SUFFIX

	Plugins scopes:
		krbPrincipalName, krbCanonicalName, ipaUniqueID, uid:
			cn=accounts,SUFFIX
			cn=deleted users,cn=accounts,cn=provisioning,SUFFIX
		DNA:
			cn=accounts,SUFFIX

		Plugins exclude subtree:
		IPA UUID, Referential Integrity, memberOf:
			cn=provisioning,SUFFIX

Fix Description:

Reviewed by: ?

Platforms tested: F20

Flag Day: no

Doc impact: no

https://fedorahosted.org/freeipa/ticket/3813
---
 install/share/bootstrap-template.ldif | 24 
 install/share/dna.ldif|  2 +-
 install/share/unique-attributes.ldif  |  9 ++---
 install/share/uuid-ipauniqueid.ldif   |  1 +
 install/updates/10-uniqueness.update  |  8 
 install/updates/20-syncrepl.update|  2 ++
 6 files changed, 42 insertions(+), 4 deletions(-)

diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif
index f603ad5..de65979 100644
--- a/install/share/bootstrap-template.ldif
+++ b/install/share/bootstrap-template.ldif
@@ -34,6 +34,30 @@ objectClass: top
 objectClass: nsContainer
 cn: hostgroups
 
+dn: cn=provisioning,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: nsContainer
+cn: provisioning
+
+dn: cn=accounts,cn=provisioning,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: nsContainer
+cn: accounts
+
+dn: cn=staged users,cn=accounts,cn=provisioning,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: nsContainer
+cn: staged users
+
+dn: cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: nsContainer
+cn: deleted users
+
 dn: cn=alt,$SUFFIX
 changetype: add
 objectClass: nsContainer
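Review bot: the four new containers are added only to bootstrap-template.ldif, which is applied at fresh install; the diffstat lists no install/updates file that creates cn=provisioning,$SUFFIX and its children on an existing server, so an upgraded installation would get the narrowed plugin scopes from the other hunks without the Stage/Delete containers they point at. Add the same `dn: cn=provisioning,$SUFFIX` ... `dn: cn=deleted users,...` entries to an update file, and fill in the empty "Fix Description" with what ACIs (if any) are intended to cover cn=provisioning, since the Bug Description only lists plugin scopes.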
diff --git a/install/share/dna.ldif b/install/share/dna.ldif
index 86be44c..b4c674d 100644
--- a/install/share/dna.ldif
+++ b/install/share/dna.ldif
@@ -11,7 +11,7 @@ dnaNextValue: eval($IDSTART)
 dnaMaxValue: eval($IDMAX)
 dnaMagicRegen: -1
 dnaFilter: (|(objectClass=posixAccount)(objectClass=posixGroup)(objectClass=ipaIDobject))
-dnaScope: $SUFFIX
+dnaScope: cn=accounts,$SUFFIX
 dnaThreshold: 500
 dnaSharedCfgDN: cn=posix-ids,cn=dna,cn=ipa,cn=etc,$SUFFIX
 
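Review bot: narrowing `dnaScope` to `cn=accounts,$SUFFIX` only takes effect on new installs, because dna.ldif is loaded at install time and the diffstat contains no install/updates entry that rewrites dnaScope on an existing server; existing deployments would keep $SUFFIX as scope and keep assigning IDs to staged entries. Also note that `dnaFilter` is unchanged, so a posixAccount/posixGroup/ipaIDobject created anywhere outside cn=accounts with uidNumber or gidNumber equal to the `dnaMagicRegen` value -1 now keeps -1 instead of receiving an ID; that is what the staging design wants, but verify that no other installer LDIF relies on DNA outside cn=accounts.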
diff --git a/install/share/unique-attributes.ldif b/install/share/unique-attributes.ldif
index 0e680a0..1908412 100644
--- a/install/share/unique-attributes.ldif
+++ b/install/share/unique-attributes.ldif
@@ -9,7 +9,8 @@ nsslapd-pluginInitfunc: NSUniqueAttr_Init
 nsslapd-pluginType: preoperation
 nsslapd-pluginEnabled: on
 nsslapd-pluginarg0: krbPrincipalName
-nsslapd-pluginarg1: $SUFFIX
+nsslapd-pluginarg1: cn=accounts,$SUFFIX
+nsslapd-pluginarg2: cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX
 nsslapd-plugin-depends-on-type: database
 nsslapd-pluginId: NSUniqueAttr
 nsslapd-pluginVersion: 1.1.0
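Review bot: listing two subtrees in nsslapd-pluginarg1/nsslapd-pluginarg2 only prevents a krbPrincipalName that exists under cn=accounts from reappearing under cn=deleted users if the 389-ds uniqueness plugin checks the listed subtrees together, which the cover letter ties to 389 ticket 47823; the diffstat has no spec or version-requirement change, so record the minimum 389-ds-base version this configuration depends on. Also worth stating in the commit message what is deliberately omitted here: cn=staged users is not listed, so a staged entry may carry a principal that already exists under cn=accounts, and the clash surfaces only when the entry is moved into cn=accounts, which the activation code path has to handle as an error.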
@@ -27,7 +28,8 @@ nsslapd-pluginInitfunc: NSUniqueAttr_Init
 nsslapd-pluginType: preoperation
 nsslapd-pluginEnabled: on
 nsslapd-pluginarg0: krbCanonicalName
-nsslapd-pluginarg1: $SUFFIX
+nsslapd-pluginarg1: cn=accounts,$SUFFIX
+nsslapd-pluginarg2: cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX
 nsslapd-plugin-depends-on-type: database
 nsslapd-pluginId: NSUniqueAttr
 nsslapd-pluginVersion: 1.1.0
@@ -63,7 +65,8 @@ nsslapd-pluginInitfunc: NSUniqueAttr_Init
 nsslapd-pluginType: preoperation
 nsslapd-pluginEnabled: on
 nsslapd-pluginarg0: ipaUniqueID
-nsslapd-pluginarg1: $SUFFIX
+nsslapd-pluginarg1: cn=accounts,$SUFFIX
+nsslapd-pluginarg2: cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX
 nsslapd-plugin-depends-on-type: database
 nsslapd-pluginId: NSUniqueAttr
 nsslapd-pluginVersion: 1.1.0
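Review bot: with this hunk ipaUniqueID uniqueness is enforced under cn=deleted users while the IPA UUID plugin (patch 0003) no longer generates the attribute under cn=provisioning, so a deleted entry keeps the ipaUniqueID it had in cn=accounts and this check is what stops a new or re-activated entry from reusing it; please say so in the Fix Description, which is currently empty, so the dependency between the two patches is recorded.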
diff --git a/install/share/uuid-ipauniqueid.ldif b/install/share/uuid-ipauniqueid.ldif
index c8d08cd..b61b6bd 100644
--- a/install/share/uuid-ipauniqueid.ldif
+++ b/install/share/uuid-ipauniqueid.ldif
@@ -8,4 +8,5 @@ ipaUuidAttr: ipaUniqueID
 ipaUuidMagicRegen: autogenerate
 ipaUuidFilter: (|(objectclass=ipaObject)(objectclass=ipaAssociation))
 
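Review bot: the hunk header `@@ -8,4 +8,5 @@` announces one added line, but no `+` line follows the three context lines, so the posted patch is truncated here. Per the Bug Description the missing line should exclude cn=provisioning,$SUFFIX from ipaUniqueID generation, which only works once the ipaUuidExcludeSubtree support from patch 0003 is in the plugin; the two patches therefore have to land together or 0003 first, and the ordering should be stated in the commit message.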

Re: [Freeipa-devel] [PATCH] 692 webui: capitalize labels of undo and undo all buttons

2014-06-30 Thread Fraser Tweedale
On Fri, Jun 27, 2014 at 02:11:47PM +0200, Petr Vobornik wrote:
 Make the label of these buttons consistent with other buttons which have
 capital first letters.
 -- 
 Petr Vobornik

 From 7214242fb0c5accc45b6af476a8ff7e7b1a7883f Mon Sep 17 00:00:00 2001
 From: Petr Vobornik pvobo...@redhat.com
 Date: Fri, 27 Jun 2014 13:59:11 +0200
 Subject: [PATCH] webui: capitalize labels of undo and undo all buttons
 
 Make the label of these buttons consistent with other buttons which have
 capital first letters.
 ---
  install/ui/test/data/ipa_init.json | 4 ++--
  ipalib/plugins/internal.py | 4 ++--
  2 files changed, 4 insertions(+), 4 deletions(-)
 
 diff --git a/install/ui/test/data/ipa_init.json 
 b/install/ui/test/data/ipa_init.json
 index 
 0c32395ee7d68440aea0271359b0ac88fed86c42..20a462fff3b664d2320946765d1dac21ac2b1929
  100644
 --- a/install/ui/test/data/ipa_init.json
 +++ b/install/ui/test/data/ipa_init.json
 @@ -563,8 +563,8 @@
  next: Next,
  page: Page,
  prev: Prev,
 -undo: undo,
 -undo_all: undo all,
 +undo: Undo,
 +undo_all: Undo All,
  validation: {
  error: Text does not match field pattern,
  datetime: Must be an UTC date/time value 
 (e.g., \2014-01-20 17:58:01Z\),
 diff --git a/ipalib/plugins/internal.py b/ipalib/plugins/internal.py
 index 
 f9ae831dc665b1282ded798023856dacec480e3b..cda9fdc7ba5237bc5bcfddbce20f47abbc210a40
  100644
 --- a/ipalib/plugins/internal.py
 +++ b/ipalib/plugins/internal.py
 @@ -708,8 +708,8 @@ class i18n_messages(Command):
  next: _(Next),
  page: _(Page),
  prev: _(Prev),
 -undo: _(undo),
 -undo_all: _(undo all),
 +undo: _(Undo),
 +undo_all: _(Undo All),

Does this affect translations?  The msgid undo all is present in
the PO files.

Fraser

  validation: {
  error: _(Text does not match field pattern),
  datetime: _(Must be an UTC date/time value (e.g., 
 \2014-01-20 17:58:01Z\)),
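Review bot: changing `_("undo")` to `_("Undo")` and `_("undo all")` to `_("Undo All")` changes the gettext msgids, so the existing translations keyed on the old strings in the PO catalogs stop matching and the buttons fall back to English until the catalogs are regenerated and re-translated; either regenerate the .pot/.po files as part of this patch or record the follow-up in the commit message.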
 -- 
 1.9.0
 

 ___
 Freeipa-devel mailing list
 Freeipa-devel@redhat.com
 https://www.redhat.com/mailman/listinfo/freeipa-devel



Re: [Freeipa-devel] [PATCH 0070] Normalization check only for IDNA domains

2014-06-30 Thread Martin Basti
On Fri, 2014-06-27 at 12:21 +0200, Petr Spacek wrote:
 On 27.6.2014 12:20, Alexander Bokovoy wrote:
  On Fri, 27 Jun 2014, Petr Spacek wrote:
  On 27.6.2014 12:04, Alexander Bokovoy wrote:
  diff --git a/ipalib/parameters.py b/ipalib/parameters.py
  index 1dff13c..09fed28 100644
  --- a/ipalib/parameters.py
  +++ b/ipalib/parameters.py
  @@ -1965,12 +1965,15 @@ class DNSNameParam(Param):
   #compare if IDN normalized and original domain match
   #there is N:1 mapping between unicode and IDNA names
   #user should use normalized names to avoid mistakes
  -normalized_domain_name = encodings.idna.nameprep(value)
  -if value != normalized_domain_name:
  -error = _(domain name '%(domain)s' and normalized domain
  name
  -   '%(normalized)s' do not match. Please use 
  only
  -   normalized domains) % {'domain': value,
  -  'normalized': normalized_domain_name}
  +labels = value.split('.')
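Review bot: `labels = value.split('.')` splits on U+002E only; RFC 3490 section 3.1 also treats U+3002, U+FF0E and U+FF61 as label separators, so a name written with an ideographic full stop would be handled as a single label and nameprep'd as a whole, which is the per-name instead of per-label misuse this thread objects to. The hunk is also cut before the lines that consume `labels`, so the replacement comparison cannot be reviewed from what is quoted here.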
 
  NACK. This is going to break with IDNA2003 as there are four different 
  dots.
  The whole DNS refactoring was about eliminating all places where DNS names
  are threaded as strings separated by ASCII dots.
  IDNA implementation in FreeIPA git master right now is wrong with
  regards to nameprep use -- encodings.idna.nameprep(), as well as other
  functions in encodings.idna should be applied to labels, not to the
  whole DNS name.
 
  Give me a way to split a name to labels properly and we can work on.
 
 
  I would like to hear reasons against fixing ipa-adtrust-install (in the
  other part of thread).
  As I said, 'fixing' ipa-adtrust-install is considered a hack. Current
  IDNA support is broken anyway, *it* needs to be fixed, not a long
  standing convention to name DNS records in Active Directory
  implementations (which Samba AD DC setup shares as well).
 
 Let me add that DNS protocol is case insensitive so it doesn't matter. Let's 
 wait for mbasti's opinion.
 

Yes, DNS is, but IDNA is case sensitive; we need to allow the use of upper case
for non-IDNA domains, because they can already be stored in LDAP and
after upgrade these domains would raise an error.
-- 
Martin^2 Basti



[Freeipa-devel] [PATCH] 0003 - User Life Cycle (prevent ipaUniqueID generation in provisioning)

2014-06-30 Thread thierry bordaz
This fix is to prevent the IPA UUID DS plugin from generating an ipaUniqueID for
users in the provisioning container (Stage/Delete).


thanks
thierry
From c06af590b11a3692dcd1afc4a52e724aab59173d Mon Sep 17 00:00:00 2001
From: Thierry bordaz (tbordaz) tbor...@redhat.com
Date: Wed, 25 Jun 2014 12:49:45 +0200
Subject: [PATCH 2/2] Ticket 3813 - User Life Cycle: Exclude subtree for
 ipaUniqueID generation

Bug Description:
	IPA UUID should not generate ipaUniqueID for entries under 'cn=provisioning,SUFFIX'

Fix Description:
	Add in the configuration the ability to set (optional) 'ipaUuidExcludeSubtree'

Reviewed by: ?

Platforms tested: F20

Flag Day: no

Doc impact: no

https://fedorahosted.org/freeipa/ticket/3813
---
 daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c | 16 
 1 file changed, 16 insertions(+)

diff --git a/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c b/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c
index 2b07de4..9a1eaed 100644
--- a/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c
+++ b/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c
@@ -64,6 +64,7 @@
 #define IPAUUID_GENERATE ipaUuidMagicRegen
 #define IPAUUID_FILTER   ipaUuidFilter
 #define IPAUUID_SCOPEipaUuidScope
+#define IPAUUID_EXCLUDE_SUBTREE  ipaUuidExcludeSubtree
 #define IPAUUID_ENFORCE  ipaUuidEnforce
 
 #define IPAUUID_FEATURE_DESC  IPA UUID
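Review bot: ipaUuidExcludeSubtree is a new, user-visible configuration attribute of the plugin, yet the commit message says "Doc impact: no"; whatever describes the other ipaUuid* attributes (the plugin config LDIF comments or README) should gain a line for it, including that it is optional and that only its first value is used, as the config parsing below reads a single string.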
@@ -91,6 +92,7 @@ struct configEntry {
 Slapi_Filter *slapi_filter;
 char *generate;
 char *scope;
+char *exclude_subtree;
 bool enforce;
 };
 
@@ -536,6 +538,10 @@ ipauuid_parse_config_entry(Slapi_Entry * e, bool apply)
 goto bail;
 }
 LOG_CONFIG(-- %s [%s]\n, IPAUUID_SCOPE, entry-scope);
+
+value = slapi_entry_attr_get_charptr(e, IPAUUID_EXCLUDE_SUBTREE);
+entry-exclude_subtree = value;
+LOG_CONFIG(-- %s [%s]\n, IPAUUID_EXCLUDE_SUBTREE, entry-exclude_subtree);
 
 entry-enforce = slapi_entry_attr_get_bool(e, IPAUUID_ENFORCE);
 LOG_CONFIG(-- %s [%s]\n,
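Review bot: `entry->exclude_subtree` is stored unchecked and then passed straight to LOG_CONFIG with `%s`, so when ipaUuidExcludeSubtree is absent (it is optional) the log call receives a NULL pointer; guard the log with `if (entry->exclude_subtree)`. The scope branch just above has an error path (`goto bail`), but this branch accepts anything, so a malformed or non-normalized DN here silently disables the exclusion; validate and normalize the value at parse time so that the later suffix comparison sees the same form as the entry DN.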
@@ -639,6 +645,10 @@ ipauuid_free_config_entry(struct configEntry **entry)
 if (e-scope) {
 slapi_ch_free_string(e-scope);
 }
+
+if (e-exclude_subtree) {
+slapi_ch_free_string(e-exclude_subtree);
+}
 
 slapi_ch_free((void **)entry);
 }
@@ -917,6 +927,12 @@ static int ipauuid_pre_op(Slapi_PBlock *pb, int modtype)
 continue;
 }
 }
+
+if (cfgentry-exclude_subtree) {
+if (slapi_dn_issuffix(dn, cfgentry-exclude_subtree)) {
+continue;
+}
+}
 
 /* does the entry match the filter? */
 if (cfgentry-slapi_filter) {
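Review bot: `slapi_dn_issuffix(dn, cfgentry->exclude_subtree)` is a case-insensitive string suffix test on the raw DN, not an RDN-aware ancestor check, so it only behaves if both `dn` and the configured value are normalized identically; a value like `cn=provisioning, $SUFFIX` with a space never matches and the entry gets an ipaUniqueID after all, which is the opposite of the safe failure. Normalize the configured DN when the config entry is parsed. Also confirm that the MODRDN which moves a staged entry into cn=accounts passes through this pre-op, so that the entry receives its ipaUniqueID at activation rather than staying without one forever.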
-- 
1.7.11.7


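The plugin scopes from patch 0002 (uniqueness subtrees in nsslapd-pluginarg1..N, dnaScope) together with the ipaUuidExcludeSubtree attribute from patch 0003 decide which checks an entry gets at each life-cycle stage. The following is an added Python 3 example, not FreeIPA code, that reads a constructed copy of that plugin configuration and reports which checks apply to a staged, an active and a deleted user DN; the suffix dc=example,dc=test and the entry names under cn=plugins,cn=config are assumptions of the example. It compares DNs RDN by RDN instead of with a raw string suffix test, to show why the latter is too loose.

```python
import re

# Assumption: the installation suffix; every $SUFFIX below expands to it.
SUFFIX = "dc=example,dc=test"

# Constructed sample of the plugin configuration after patches 0002/0003.
# Attribute names and subtrees follow the patches; the cn=config entry DNs are
# assumed for this example.
PLUGIN_CONFIG_LDIF = """\
dn: cn=uid uniqueness,cn=plugins,cn=config
nsslapd-pluginarg0: uid
nsslapd-pluginarg1: cn=accounts,$SUFFIX
nsslapd-pluginarg2: cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX

dn: cn=krbPrincipalName uniqueness,cn=plugins,cn=config
nsslapd-pluginarg0: krbPrincipalName
nsslapd-pluginarg1: cn=accounts,$SUFFIX
nsslapd-pluginarg2: cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX

dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
dnaScope: cn=accounts,$SUFFIX

dn: cn=IPA UUID,cn=plugins,cn=config
ipaUuidScope: $SUFFIX
ipaUuidExcludeSubtree: cn=provisioning,$SUFFIX
"""

STAGED = "uid=alice,cn=staged users,cn=accounts,cn=provisioning," + SUFFIX
ACTIVE = "uid=alice,cn=users,cn=accounts," + SUFFIX
DELETED = "uid=alice,cn=deleted users,cn=accounts,cn=provisioning," + SUFFIX


def normalize_dn(dn):
    """Case-fold and strip whitespace around RDN separators.

    Enough for the unescaped container DNs IPA uses; not a full RFC 4514
    parser (escaped commas inside values are not handled).
    """
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))


def is_under(dn, subtree):
    """True if dn equals subtree or lies beneath it, compared RDN by RDN.

    A raw string suffix test (what slapi_dn_issuffix does) would also accept
    "ou=xcn=accounts,..." because it ends with the same characters.
    """
    d = normalize_dn(dn).split(",")
    s = normalize_dn(subtree).split(",")
    return len(d) >= len(s) and d[-len(s):] == s


def parse_ldif(text, suffix):
    """Minimal LDIF reader: one dict per entry, attribute names lower-cased,
    values kept as lists, $SUFFIX expanded. No base64 or line folding."""
    entries = []
    for block in text.replace("$SUFFIX", suffix).strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries


def plugin_coverage(entry_dn, config):
    """Which plugin checks fire for entry_dn.

    Returns {"unique": [attributes whose uniqueness is enforced],
    "dna": bool, "uuid": bool}: uniqueness if the DN is under any of
    nsslapd-pluginarg1..N, DNA if it is under dnaScope, IPA UUID if it is
    under ipaUuidScope and not under ipaUuidExcludeSubtree.
    """
    result = {"unique": [], "dna": False, "uuid": False}
    for cfg in config:
        if "nsslapd-pluginarg0" in cfg:
            subtrees = [v for k, vals in cfg.items()
                        if re.fullmatch(r"nsslapd-pluginarg[1-9][0-9]*", k)
                        for v in vals]
            if any(is_under(entry_dn, st) for st in subtrees):
                result["unique"].append(cfg["nsslapd-pluginarg0"][0])
        if "dnascope" in cfg:
            result["dna"] = is_under(entry_dn, cfg["dnascope"][0])
        if "ipauuidscope" in cfg:
            inside = is_under(entry_dn, cfg["ipauuidscope"][0])
            excluded = any(is_under(entry_dn, x)
                           for x in cfg.get("ipauuidexcludesubtree", []))
            result["uuid"] = inside and not excluded
    return result


def main():
    config = parse_ldif(PLUGIN_CONFIG_LDIF, SUFFIX)
    for stage, dn in (("staged", STAGED), ("active", ACTIVE), ("deleted", DELETED)):
        print(stage, plugin_coverage(dn, config))


if __name__ == "__main__":
    main()
```

Running it shows the property the life-cycle design relies on: a staged entry gets neither uniqueness, DNA nor ipaUniqueID, so a uid or principal that already exists under cn=accounts is only rejected when the entry is moved there, and a deleted entry still has its uid and principal protected against reuse.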
Re: [Freeipa-devel] Reorganization of Web UI navigation items

2014-06-30 Thread Martin Kosek
On 06/27/2014 07:27 PM, Petr Vobornik wrote:
 On 2.6.2014 15:59, Petr Vobornik wrote:
 Hi List,

 the purpose of this mail is to start a discussion about reorganization
 of navigation items. Users are not fond of such change so we should come
 up with a solution which would last for some time.

 Problem:
 UX recommendation is that one menu level should contain maximum of 7
 items. We have 10 items in Identity, 7 in Policy and 7 in IPA Server.
 Basically we reached max. capacity of all 1st-level items.

 Solution:
 Introduce new 1st-level items and redistribute 2nd-level items.

 
 It would be great to get this into 4.0, resuming the discussion. My proposal
 which takes into account various other proposals:
 
 Identity (7)
   - Users
   - User Groups
   - Hosts
   - Host Groups
   - Netgroups
   - Services
   - Automember
 - User group rules
 - Host group rules
 Policy (5)
   - Host Based Access Control
 - HBAC Rules
 - HBAC Services
 - HBAC Service Groups
 - HBAC Test
   - Sudo
 - Sudo Rules
 - Sudo Commands
 - Sudo Command Groups
   - SELinux User Maps
   - Password Policies
   - Kerberos Ticket Policy
 Authentication (3-4)
   - Certificates
   - (future) User Certificates
   - OTP Tokens
   - RADIUS Servers
 Network services (2-3)
   - Automount
   - DNS
 - DNS Zones
 - DNS Forward Zones
 - DNS Global Configuration
   - (future) Vault
 IPA Server (5-7)
   - Role Based Access Control
 - Roles
 - Privileges
 - Permissions
 - Self Service Permissions
 - Delegations
   - ID Ranges
   - Realm Domain
   - (future) Replication Topology
   - Trusts
 - Trusts
 - Global Trust Configuration
   - (future) Views
   - Configuration
 (future) Help
 - Docs
 - API
 - ...
 
 Mostly it's a response to the last proposal:
 http://www.redhat.com/archives/freeipa-devel/2014-June/msg00107.html
 
 You can check live version at: http://pvoborni.fedorapeople.org/ui/
 
 From the earlier discussion I would say, that there was an agreement on
 Identity and Policy tabs which are very similar to current implementation.
 
 Simo had a proposal to introduce Authentication tab in a future. I guess we
 can do it now. We already have radius server proxies and certificates are also
 related. It will solve the OTP doesn't fit anywhere problem
 
 I've kept the Network Services tab because IDK where to put DNS and 
 Automount :)
 
 Simo's 'Directory' and 'Configuration' were merged into existing 'IPA server'
 with the difference that all RBAC related stuff is under one item (this option
 was mentioned by Petr3). Btw RBAC === Existing items in 'Directory'. The
 label is 'IPA Server' because almost everything is related to configuration of
 the server itself maybe with exception of Trust and Views. Label
 'Configuration' is too general. Label Directory was quite low-level as pointed
 out by Dmitry.
 
 This merge allows us to add 'Help' in a future.
 
 It would be good to move something into Network services (and maybe rename
 it) since it has only two(three in future) items.

Thanks for returning to this effort. 4.0 is indeed the right place to do this
change.

Note that with this proposal, Identity tab is already full. I would still
prefer my original proposal to split Users and Hosts operations + have
Infrastructure/Trusts tab (some variation of
http://www.redhat.com/archives/freeipa-devel/2014-June/msg00060.html), but
apparently this crowded Identity tab is what people want :) I would still
recommend running it by UX.

Few comments:
- s/Network services/Network Services/
- Radius Proxy page returns an error, instead of 0 configured proxies

Martin



Re: [Freeipa-devel] [PATCH 0070] Normalization check only for IDNA domains

2014-06-30 Thread Martin Basti
On Fri, 2014-06-27 at 14:03 +0300, Alexander Bokovoy wrote:
 On Fri, 27 Jun 2014, Martin Kosek wrote:
 On 06/27/2014 12:10 PM, Alexander Bokovoy wrote:
  On Fri, 27 Jun 2014, Petr Spacek wrote:
  On 27.6.2014 11:21, Jan Cholasta wrote:
  On 27.6.2014 10:58, Alexander Bokovoy wrote:
  On Fri, 27 Jun 2014, Jan Cholasta wrote:
  On 27.6.2014 10:29, Alexander Bokovoy wrote:
  On Fri, 27 Jun 2014, Jan Cholasta wrote:
  On 27.6.2014 10:15, Alexander Bokovoy wrote:
  On Fri, 20 Jun 2014, Martin Basti wrote:
  On Fri, 2014-06-20 at 10:32 +0200, Jan Cholasta wrote:
  On 18.6.2014 16:49, Martin Basti wrote:
   Due to compatibility with older versions, only IDNA domains should 
  be
  checked
  Patch attached.
 
  I'm not particularly happy about the u'\xdf' special case. Isn't
  there a
  better way to do this check?
  I cant find better way. u'\xdf' is mapped to ss, and ss is not IDN
  string.
 
  Or just remove this validation.
 
  (BTW I really think this should be a warning, not an error, but 
  that
  would require larger amount of work, so I guess it's OK for now.)
  (More pain than gain)
  Main thing in this patch is that the check should not be done 
  against
  non-IDN strings. I want this version of the patch to go in for that
  reason as currently you cannot even complete ipa-adtrust-install
  run due
  to IDN normalisation check being applied to non-IDN domains.
 
  On non-IDN domains, the only effect of IDN normalization is that it
  lower-cases the names (right?), so the check should compare
  lower-cased original name with the normalized name, instead of
  special-casing certain characters etc.
  .. what's the reason to do such comparison then? lower-cased non-IDN
  name will be equal to lower-cased normalized non-IDN name by 
  definition,
  so the check is not needed in this case, at all.
 
  The point is that it works for both IDN and non-IDN, without
  u'\xdf'-style hacks.
  No, your proposal of comparing low-cased value and normalized value is
  not going to work because low-cased value is in general not equal to
  normalized value for IDN names, only for non-IDN ones, due to the fact
  that lower case for non-ASCII Unicode character may map to a completely
  different character than in normalization situation. Take, for example,
  Turkish alphabet where there are six letters with different case rules
   (uppercase dotted i, dotless lowercase i, upper- and lowercase G with
  breve accent, and upper- and lowercase S with cedilla), which will break
  your generalized check.
  So you'll anyway will need to split these cases.
 
 
  I see.
 
  I'm still not comfortable with carrying the bit of knowledge about 
  u'\xdf' in
  this particular spot. Can we check that a name is IDN some other way than
  domain_name.is_idn() or u'\xdf' in value?
 
  Why can't we simply fix string constants in ipa-adtrust-install and avoid
  adding hacks for it?
  Because they are correct, in the sense that they follow what is defined
  for Active Directory. Yes, AD puts them in that case into DNS. There is
  simply no reason to force lower case for non-IDN names.
 
  That said, a newer fix is attached, where error message is formatted
  properly.
 
 I would personally be OK with the change if the is_* are fixed as Honza
 proposed, current way is not so Python-ic/readable. I.e.:
 
 Instead of
 +is_idna = True in [encodings.idna.ToASCII(x) != x for x in 
 labels]
 Use
 +is_idna = any(encodings.idna.ToASCII(x) != x for x in labels)
 
 Instead of
 +is_nonnorm = True in [encodings.idna.nameprep(x) != x for x 
 in
 labels]
 use
 +is_nonnorm = any(encodings.idna.nameprep(x) != x for x in 
 labels)
 
 However, we can wait till Monday for Martin2's feedback.
 I've fixed this and also made a proper split on all dots that could
 separate labels according to RFC3490:
 
 U+002E ( . ) FULL STOP
 U+FF0E ( . ) FULLWIDTH FULL STOP
 U+3002 ( 。 ) IDEOGRAPHIC FULL STOP
 U+FF61 ( 。 ) HALFWIDTH IDEOGRAPHIC FULL STOP
 
 

Hi,
I analyzed how python detects IDNA labels.

Python tests if domain is IDNA in this way:

def ToASCII(label):
    try:
        # Step 1: try ASCII
        label = label.encode("ascii")
    except UnicodeError:
        pass
    else:
        # Skip to step 3: UseSTD3ASCIIRules is false, so
        # Skip to step 8.
        if 0 < len(label) < 64:
            return label
        raise UnicodeError("label empty or too long")

    # Step 2: nameprep
    label = nameprep(label)
...

We can use 'label = label.encode("ascii")' to detect if IDNA is needed,
without idna.ToASCII() conversion, and then use:

is_nonnorm = any(encodings.idna.nameprep(x) != x for x in labels)

-- 
Martin^2 Basti


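The thread converges on one rule: split the name on all four RFC 3490 label separators, treat a label as IDNA only when it is not pure ASCII (CPython's ToASCII step 1), compare only those labels with their nameprep form, and handle the UnicodeError that nameprep raises on prohibited or bidi-inconsistent input. The block below is an added Python 3 example of that rule; it is not the patch under review or FreeIPA code, the function names split_labels, needs_idna, check_normalized and is_idna_name are this example's own, and it depends only on the standard library's encodings.idna.

```python
import encodings.idna

# RFC 3490 section 3.1: any of these four code points separates labels.
LABEL_SEPARATORS = ("\u002e", "\u3002", "\uff0e", "\uff61")


def split_labels(name):
    """Split a DNS name into labels on all four RFC 3490 separators.

    A single trailing separator (absolute name) is dropped; any other empty
    label is kept so that the caller can reject it.
    """
    labels = [name]
    for sep in LABEL_SEPARATORS:
        labels = [part for label in labels for part in label.split(sep)]
    if len(labels) > 1 and labels[-1] == "":
        labels.pop()
    return labels


def needs_idna(label):
    """True when the label is not pure ASCII, i.e. CPython's ToASCII would not
    return it from step 1 and would run nameprep on it."""
    try:
        label.encode("ascii")
    except UnicodeError:
        return True
    return False


def is_idna_name(name):
    """Mirror the patch's is_idna flag: at least one label needs IDNA."""
    return any(needs_idna(label) for label in split_labels(name))


def check_normalized(name):
    """Only IDNA labels must equal their nameprep form.

    Returns (ok, detail). Non-ASCII labels that nameprep would change (case
    folding, compatibility mappings such as U+00DF -> "ss") are rejected with
    the form the user should enter instead. ASCII labels are left alone, so
    legacy upper-case names such as the ones Active Directory publishes pass
    unchanged. nameprep raises UnicodeError for prohibited characters and for
    bidi violations; that is reported rather than propagated.
    """
    labels = split_labels(name)
    if any(label == "" for label in labels):
        return False, "empty label in %r" % name
    for label in labels:
        if not needs_idna(label):
            continue
        try:
            normalized = encodings.idna.nameprep(label)
        except UnicodeError as err:
            return False, "label %r is not valid for IDNA: %s" % (label, err)
        if normalized != label:
            return False, "label %r is not normalized, use %r" % (label, normalized)
    return True, "ok"


if __name__ == "__main__":
    # Constructed inputs: plain upper-case, normalized IDNA, upper-case IDNA,
    # the U+00DF case from the thread, and a mixed-direction label.
    for name in ("EXAMPLE.COM", "\u00e4.example", "\u00c4.example",
                 "stra\u00dfe.example", "a\u05d0.example"):
        print(name, check_normalized(name))
```

The U+00DF special case disappears because nameprep itself maps it: "straße" comes back as "strasse", so the label is reported as not normalized with the replacement to use, while "strasse" is ASCII and is never checked. A label that only differs by ASCII case is also never checked, which is what keeps ipa-adtrust-install's upper-case DNS records working.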
Re: [Freeipa-devel] [PATCH 0070] Normalization check only for IDNA domains

2014-06-30 Thread Alexander Bokovoy

On Mon, 30 Jun 2014, Martin Basti wrote:

On Fri, 2014-06-27 at 14:03 +0300, Alexander Bokovoy wrote:

On Fri, 27 Jun 2014, Martin Kosek wrote:
On 06/27/2014 12:10 PM, Alexander Bokovoy wrote:
 On Fri, 27 Jun 2014, Petr Spacek wrote:
 On 27.6.2014 11:21, Jan Cholasta wrote:
 On 27.6.2014 10:58, Alexander Bokovoy wrote:
 On Fri, 27 Jun 2014, Jan Cholasta wrote:
 On 27.6.2014 10:29, Alexander Bokovoy wrote:
 On Fri, 27 Jun 2014, Jan Cholasta wrote:
 On 27.6.2014 10:15, Alexander Bokovoy wrote:
 On Fri, 20 Jun 2014, Martin Basti wrote:
 On Fri, 2014-06-20 at 10:32 +0200, Jan Cholasta wrote:
 On 18.6.2014 16:49, Martin Basti wrote:
 Due to compatibility with older versions, only IDNA domains should be
 checked
 Patch attached.

 I'm not particularly happy about the u'\xdf' special case. Isn't
 there a
 better way to do this check?
 I cant find better way. u'\xdf' is mapped to ss, and ss is not IDN
 string.

 Or just remove this validation.

 (BTW I really think this should be a warning, not an error, but that
 would require larger amount of work, so I guess it's OK for now.)
 (More pain than gain)
 Main thing in this patch is that the check should not be done against
 non-IDN strings. I want this version of the patch to go in for that
 reason as currently you cannot even complete ipa-adtrust-install
 run due
 to IDN normalisation check being applied to non-IDN domains.

 On non-IDN domains, the only effect of IDN normalization is that it
 lower-cases the names (right?), so the check should compare
 lower-cased original name with the normalized name, instead of
 special-casing certain characters etc.
 .. what's the reason to do such comparison then? lower-cased non-IDN
 name will be equal to lower-cased normalized non-IDN name by definition,
 so the check is not needed in this case, at all.

 The point is that it works for both IDN and non-IDN, without
 u'\xdf'-style hacks.
 No, your proposal of comparing low-cased value and normalized value is
 not going to work because low-cased value is in general not equal to
 normalized value for IDN names, only for non-IDN ones, due to the fact
 that lower case for non-ASCII Unicode character may map to a completely
 different character than in normalization situation. Take, for example,
 Turkish alphabet where there are six letters with different case rules
 (uppercase dotted i, dotless lowercase i, upper- and lowercase G with
 breve accent, and upper- and lowercase S with cedilla), which will break
 your generalized check.
 So you'll anyway will need to split these cases.


 I see.

 I'm still not comfortable with carrying the bit of knowledge about u'\xdf' 
in
 this particular spot. Can we check that a name is IDN some other way than
 domain_name.is_idn() or u'\xdf' in value?

 Why can't we simply fix string constants in ipa-adtrust-install and avoid
 adding hacks for it?
 Because they are correct, in the sense that they follow what is defined
 for Active Directory. Yes, AD puts them in that case into DNS. There is
 simply no reason to force lower case for non-IDN names.

 That said, a newer fix is attached, where error message is formatted
 properly.

I would personally be OK with the change if the is_* are fixed as Honza
proposed, current way is not so Python-ic/readable. I.e.:

Instead of
+is_idna = True in [encodings.idna.ToASCII(x) != x for x in labels]
Use
+is_idna = any(encodings.idna.ToASCII(x) != x for x in labels)

Instead of
+is_nonnorm = True in [encodings.idna.nameprep(x) != x for x in
labels]
use
+is_nonnorm = any(encodings.idna.nameprep(x) != x for x in 
labels)

However, we can wait till Monday for Martin2's feedback.
I've fixed this and also made a proper split on all dots that could
separate labels according to RFC3490:

U+002E ( . ) FULL STOP
U+FF0E ( . ) FULLWIDTH FULL STOP
U+3002 ( 。 ) IDEOGRAPHIC FULL STOP
U+FF61 ( 。 ) HALFWIDTH IDEOGRAPHIC FULL STOP




Hi,
I analyzed how python detects IDNA labels.

Python tests if domain is IDNA in this way:

def ToASCII(label):
    try:
        # Step 1: try ASCII
        label = label.encode("ascii")
    except UnicodeError:
        pass
    else:
        # Skip to step 3: UseSTD3ASCIIRules is false, so
        # Skip to step 8.
        if 0 < len(label) < 64:
            return label
        raise UnicodeError("label empty or too long")

    # Step 2: nameprep
    label = nameprep(label)
...

We can use 'label = label.encode("ascii")' to detect if IDNA is needed,
without idna.ToASCII() conversion, and then use:

is_nonnorm = any(encodings.idna.nameprep(x) != x for x in labels)

Sounds good but don't forget exceptions' handling. :)

--
/ Alexander Bokovoy


Re: [Freeipa-devel] [PATCH] 692 webui: capitalize labels of undo and undo all buttons

2014-06-30 Thread Petr Vobornik

On 30.6.2014 09:13, Fraser Tweedale wrote:

On Fri, Jun 27, 2014 at 02:11:47PM +0200, Petr Vobornik wrote:

Make the label of these buttons consistent with other buttons which have
capital first letters.
--
Petr Vobornik



 From 7214242fb0c5accc45b6af476a8ff7e7b1a7883f Mon Sep 17 00:00:00 2001
From: Petr Vobornik pvobo...@redhat.com
Date: Fri, 27 Jun 2014 13:59:11 +0200
Subject: [PATCH] webui: capitalize labels of undo and undo all buttons

Make the label of these buttons consistent with other buttons which have
capital first letters.
---
  install/ui/test/data/ipa_init.json | 4 ++--
  ipalib/plugins/internal.py | 4 ++--
  2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/install/ui/test/data/ipa_init.json 
b/install/ui/test/data/ipa_init.json
index 
0c32395ee7d68440aea0271359b0ac88fed86c42..20a462fff3b664d2320946765d1dac21ac2b1929
 100644
--- a/install/ui/test/data/ipa_init.json
+++ b/install/ui/test/data/ipa_init.json
@@ -563,8 +563,8 @@
  next: Next,
  page: Page,
  prev: Prev,
-undo: undo,
-undo_all: undo all,
+undo: Undo,
+undo_all: Undo All,
  validation: {
  error: Text does not match field pattern,
  datetime: Must be an UTC date/time value (e.g., 
\2014-01-20 17:58:01Z\),
diff --git a/ipalib/plugins/internal.py b/ipalib/plugins/internal.py
index 
f9ae831dc665b1282ded798023856dacec480e3b..cda9fdc7ba5237bc5bcfddbce20f47abbc210a40
 100644
--- a/ipalib/plugins/internal.py
+++ b/ipalib/plugins/internal.py
@@ -708,8 +708,8 @@ class i18n_messages(Command):
  next: _(Next),
  page: _(Page),
  prev: _(Prev),
-undo: _(undo),
-undo_all: _(undo all),
+undo: _(Undo),
+undo_all: _(Undo All),


Does this affect translations?  The msgid undo all is present in
the PO files.


Yes



Fraser


  validation: {
  error: _(Text does not match field pattern),
  datetime: _(Must be an UTC date/time value (e.g., \2014-01-20 
17:58:01Z\)),
--
1.9.0




--
Petr Vobornik



Re: [Freeipa-devel] [PATCH] 472 Let Host Administrators use host-disable command

2014-06-30 Thread Petr Viktorin

On 06/27/2014 05:18 PM, Martin Kosek wrote:

On 06/27/2014 05:16 PM, Simo Sorce wrote:

On Fri, 2014-06-27 at 17:12 +0200, Martin Kosek wrote:

On 06/27/2014 05:10 PM, Simo Sorce wrote:

On Fri, 2014-06-27 at 16:16 +0200, Martin Kosek wrote:

Host Administrators could not write to service keytab attribute and
thus they could not run the host-disable command.

https://fedorahosted.org/freeipa/ticket/4284



Any reason why Host Administrators are not members of the service
Administrators group/permission by default ?

Simo.



I assume that the original intent was to allow admins to separate these
privileges, i.e. allow service administrators to manage services on hosts but not
allow them to delete or disable the hosts.


Sure, but I asked the opposite question. I understand you may want to
have Service Administrators that cannot manage the host object.
But is there ever a case where Host Administrator is not also Service
Administrator ?


This patch fixes the reported request for Foreman integration, if you have a
better one fixing it as well, we can go different way.


I was wondering if a group membership change wouldn't solve a class of
problems, instead of fixing this on per permission basis, that's all.

Simo.



Sure, good thinking. I do not think that current framework can make one
privilege a member of another one, so this would need to be hacked in. CCing
Petr3 to get his view on this.


Right, it would need to be hacked in.
At the directory level there's normal membership, so any 
permission/privilege/role/group can be nested in any other, but IPA will 
probably give incomplete/confusing output for such memberships, and it 
won't let you edit them.


--
Petr³


Re: [Freeipa-devel] [PATCH] 472 Let Host Administrators use host-disable command

2014-06-30 Thread Martin Kosek
On 06/30/2014 10:55 AM, Petr Viktorin wrote:
 On 06/27/2014 05:18 PM, Martin Kosek wrote:
 On 06/27/2014 05:16 PM, Simo Sorce wrote:
 On Fri, 2014-06-27 at 17:12 +0200, Martin Kosek wrote:
 On 06/27/2014 05:10 PM, Simo Sorce wrote:
 On Fri, 2014-06-27 at 16:16 +0200, Martin Kosek wrote:
 Host Administrators could not write to service keytab attribute and
 thus they could not run the host-disable command.

 https://fedorahosted.org/freeipa/ticket/4284


 Any reason why Host Administrators are not members of the service
 Administrators group/permission by default ?

 Simo.


 I assume that the original intent was to allow admins to separate these
 privileges, i.e. allow service administrators to manage services on hosts but
 not allow them to delete or disable the hosts.

 Sure, but I asked the opposite question. I understand you may want to
 have Service Administrators that cannot manage the host object.
 But is there ever a case where Host Administrator is not also Service
 Administrator ?

 This patch fixes the reported request for Foreman integration, if you have 
 a
 better one fixing it as well, we can go different way.

 I was wondering if a group membership change wouldn't solve a class of
 problems, instead of fixing this on per permission basis, that's all.

 Simo.


 Sure, good thinking. I do not think that current framework can make one
 privilege a member of another one, so this would need to be hacked in. CCing
 Petr3 to get his view on this.
 
 Right, it would need to be hacked in.
 At the directory level there's normal membership, so any
 permission/privilege/role/group can be nested in any other, but IPA will
 probably give incomplete/confusing output for such memberships, and it won't
 let you edit them.

Ok. In that case, it seems to me that the lesser evil would be to just add this
missing permission (or defer the ticket if nacked).

Martin



Re: [Freeipa-devel] [PATCH] 470 Add python-yubico to BuildRequires

2014-06-30 Thread Tomas Babej
Please note that python-yubico package is currently available in F20
updates-testing repository only.

On 06/27/2014 10:18 AM, Martin Kosek wrote:
 python-yubico needs to be on a machine to be able to build FreeIPA.
 Without it, even ./makeapi and ./makeaci fail.

 --

 Pushed to master under one-liner rule.

 Martin



-- 
Tomas Babej
Associate Software Engineer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org 


Re: [Freeipa-devel] [PATCH] 472 Let Host Administrators use host-disable command

2014-06-30 Thread Petr Viktorin

On 06/30/2014 10:58 AM, Martin Kosek wrote:

On 06/30/2014 10:55 AM, Petr Viktorin wrote:

On 06/27/2014 05:18 PM, Martin Kosek wrote:

On 06/27/2014 05:16 PM, Simo Sorce wrote:

On Fri, 2014-06-27 at 17:12 +0200, Martin Kosek wrote:

On 06/27/2014 05:10 PM, Simo Sorce wrote:

On Fri, 2014-06-27 at 16:16 +0200, Martin Kosek wrote:

Host Administrators could not write to service keytab attribute and
thus they could not run the host-disable command.

https://fedorahosted.org/freeipa/ticket/4284



Any reason why Host Administrators are not members of the service
Administrators group/permission by default ?

Simo.



I assume that the original intent was to allow admins to separate these
privileges, i.e. allow service administrators to manage services on hosts but
do not allow them to delete or disable the hosts.


Sure, but I asked the opposite question. I understand you may want to
have Service Administrators that cannot manage the host object.
But is there ever a case where Host Administrator is not also Service
Administrator ?


This patch fixes the reported request for Foreman integration; if you have a
better one fixing it as well, we can go a different way.


I was wondering if a group membership change wouldn't solve a class of
problems, instead of fixing this on a per-permission basis, that's all.

Simo.



Sure, good thinking. I do not think that current framework can make one
privilege a member of another one, so this would need to be hacked in. CCing
Petr3 to get his view on this.


Right, it would need to be hacked in.
At the directory level there's normal membership, so  any
permission/privilege/role/group can be nested in any other, but IPA will
probably give incomplete/confusing output for such memberships, and it won't
let you edit them.


Ok. In that case, it seems to me that the lesser evil would be to just add this
missing permission (or defer the ticket if nacked).

Martin


I agree. ACK if Simo is OK with it as well.

--
Petr³


[Freeipa-devel] [PATCH] 0610 Allow admins to write krbLoginFailedCount

2014-06-30 Thread Petr Viktorin

Fix for https://fedorahosted.org/freeipa/ticket/4409


--
Petr³



Re: [Freeipa-devel] [PATCH] 683-690 webui: OTP token sync

2014-06-30 Thread Petr Vobornik

On 28.6.2014 01:59, Endi Sukma Dewata wrote:

On 6/26/2014 9:11 AM, Petr Vobornik wrote:

This set of patches creates page(s) for OTP Token Sync.

there are two options:
1. from login page by Sync OTP Token link.
   - user can navigate between those two pages
2. standalone page on `ipa/ui/sync_otp.html` which is not linked to UI
and can be used separately.

Both share the same code.

All dependencies should be in master.

This implements only ticket: https://fedorahosted.org/freeipa/ticket/4218

Sync by authenticated user will be implemented later in tickets:
https://fedorahosted.org/freeipa/ticket/4365
https://fedorahosted.org/freeipa/ticket/4366


Patch descriptions:

== [PATCH] 683 webui: base class for LoginScreen-like facets ==
LoginScreen has layout which can be reused for other facets/widgets,
e.g. for Sync OTP facet

== [PATCH] 684 webui: add OTP token synchronization ==
New SyncOTPScreen widget and related facet

== [PATCH] 685 webui: add link pointing to OTP sync page to login ==

== [PATCH] 686 webui: support global notifications in all containers ==
Global notifications were limited to main container. Now they have
their own container which is displayed over other ones. It makes them
usable everywhere.

== [PATCH] 687 webui: bind Login facet and OTP sync facet ==
Simple plugin which handles transition from login facet to OTP sync
facet and vice versa.

== [PATCH] 688 webui: fix confirmation mixin origin check ==
Current check is not enough.

== [PATCH] 689 webui: layer for standalone pages which use WebUI
framework ==
Current compiled Web UI layer (app.js) contains every FreeIPA plugin and
not just the UI framework. It's not possible to start just a simple
facet.

This commit creates a basis for a layer (core.js) which contains only
framework code and not entity related code.

== [PATCH] 690 webui: add sync_otp.html ==
standalone page for OTP token synchronization. It reuses SyncOTPScreen
widget instead of reimplementing the logic as in other standalone pages.


ACK. Some functionalities are not working, but they seem to be server
issues. The UI itself seems to be fine with possible improvements below.


pushed to master:
* d159662aded445418516c3ccb492bca33fbb11e5 webui: base class for 
LoginScreen-like facets
* 30b1256b6231610812b394e3363394690a297201 webui: add OTP token 
synchronization
* 72a107c9d73d1576f3adf7928deef4b5e5f35a83 webui: add link pointing to 
OTP sync page to login
* d9a7fcb5e1c1f18cff1287353b9316fe69e07a78 webui: support global 
notifications in all containers
* 9dbeeb7556929e76d652579533d0972479c0dc98 webui: bind Login facet and 
OTP sync facet
* c2c1131a7a3745a3bdcf9cea8a5c8203e3ae555b webui: fix confirmation mixin 
origin check
* 46a42de5324390496fa70984c2d8cef7a6251b7a webui: layer for standalone 
pages which use WebUI framework

* b36a3c693b7eeb36b25eac11da89c0dd5446eb71 webui: add sync_otp.html




1. The link to Sync OTP Token is not very visible and probably rarely
used, so probably it can be moved together with the other messages (To
login with...) and be given a longer description.

2. The Sync OTP page should explain that for the second OTP the user
should generate or wait for a new one.


#1, #2, #4 added to 
https://fedorahosted.org/freeipa/ticket/4402#comment:1 I would like to 
focus UI work in 4.1 release on usability issues.




3. In the standalone Sync OTP page, after a successful sync should it
just display a confirmation message without displaying the form again?
Or maybe it should go to the Login page, or provide a link to it,
because most people probably want to log in after sync.


Yes, it's intentional. It's for single purpose use cases where you don't 
want to do anything with the UI.


But, maybe we should make possible to bookmark UI's sync facet. Atm, 
there is an obstacle that routing is enabled after login.




4. Unrelated. In the password reset page the Reset Password and Login
button is not quite accurate for OTP case since the user will not be
logged in automatically.

5. Server issue. TOTP can be used multiple times:
https://fedorahosted.org/freeipa/ticket/4410

6. Server issue. Kinit doesn't seem to be working with OTP.
https://fedorahosted.org/freeipa/ticket/4411

7. Seems to be server issue too. HOTP doesn't seem to be working for
login or sync.
https://fedorahosted.org/freeipa/ticket/4412


--
Petr Vobornik



[Freeipa-devel] [PATCH 0082] Forward zones: add warning about forwarders semantic change in dnszone-add/mod

2014-06-30 Thread Martin Basti
Ticket: https://fedorahosted.org/freeipa/ticket/3210#comment:16
Patch attached.
-- 
Martin^2 Basti
From 9334ebbe6f7965496faec63c15324dfc3eea6471 Mon Sep 17 00:00:00 2001
From: Martin Basti mba...@redhat.com
Date: Mon, 30 Jun 2014 11:58:46 +0200
Subject: [PATCH] Add warning about semantic change for zones

--forwarder, --forward-policy have different semantic since
forward zones support.
Add warning if zone contains forwarders or specified policy.

Ticket: https://fedorahosted.org/freeipa/ticket/3210#comment:16
---
 ipalib/plugins/dns.py | 26 ++
 1 file changed, 26 insertions(+)

diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py
index 9de542b0f61e877fef201e237c003eba7db24672..b693bb9c3ce091fa26ed14d27213b84ef61f8f0c 100644
--- a/ipalib/plugins/dns.py
+++ b/ipalib/plugins/dns.py
@@ -36,6 +36,7 @@ from ipalib.parameters import (Flag, Bool, Int, Decimal, Str, StrEnum, Any,
 from ipalib.plugable import Registry
 from ipalib.plugins.baseldap import *
 from ipalib import _, ngettext
+from ipalib import messages
 from ipalib.util import (validate_zonemgr, normalize_zonemgr,
  get_dns_forward_zone_update_policy,
  get_dns_reverse_zone_update_policy,
@@ -267,6 +268,13 @@ _output_permissions = (
 output.Output('value', unicode, _('Permission value')),
 )
 
+forwarders_warning = _(
+DNS forwarder and forward-policy semantics changed in IPA 4.0.
+You may want to use forward zones (dnsforwardzone-*) instead. For more details read the docs.
+
+)
+
+
 def _rname_validator(ugettext, zonemgr):
 try:
 validate_zonemgr(zonemgr)
@@ -2204,6 +2212,14 @@ class dnszone(DNSZoneBase):
 return
 _records_idn_postprocess(record, **options)
 
+def _warning_forwarding(self, result, **options):
+if ('idnsforwarders' in result['result'] or
+'idnsforwardpolicy' in result['result']
+):
+messages.add_message(options['version'], result,
+ messages.PublicMessage(type='warning',
+ message=forwarders_warning))
+
 
 
 @register()
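Review bot: `_warning_forwarding` reuses `messages.PublicMessage(type='warning', message=forwarders_warning)` with an inline string; as Petr Viktorin points out later in this thread, a new message should get its own class in `messages.py` with its own errno so that API clients can recognise it instead of matching on text. The condition is also broader than the commit message suggests: it fires whenever `idnsforwarders` or `idnsforwardpolicy` is present in `result['result']`, so a zone whose returned entry carries a forward policy attribute gets the warning even when no forwarders are configured; if that is not intended, test `idnsforwarders` alone or check that the policy is not the default.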
@@ -2292,6 +2308,11 @@ class dnszone_add(DNSZoneBase_add):
 entry_attrs['idnssoamname'] = nameserver
 return dn
 
+def execute(self, *keys, **options):
+result = super(dnszone_add, self).execute(*keys, **options)
+self.obj._warning_forwarding(result, **options)
+return result
+
 def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
 assert isinstance(dn, DN)
 nameserver_ip_address = options.get('ip_address')
@@ -2369,6 +2390,11 @@ class dnszone_mod(DNSZoneBase_mod):
 
 return dn
 
+def execute(self, *keys, **options):
+result = super(dnszone_mod, self).execute(*keys, **options)
+self.obj._warning_forwarding(result, **options)
+return result
+
 def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
 assert isinstance(dn, DN)
 self.obj._rr_zone_postprocess(entry_attrs, **options)
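Review bot: `dnszone_mod.execute` runs `_warning_forwarding` on every modification and the check reads the returned entry, so a zone that already has `idnsforwarders` set will repeat the warning on every unrelated `dnszone-mod` (a TTL change, for instance). Consider also consulting the `idnsforwarders`/`idnsforwardpolicy` keys in `options`, which reflect what the caller actually changed, or document the always-warn behaviour in the commit message. The body is also identical to the `execute` added to `dnszone_add` above; a single hook in `DNSZoneBase` would avoid maintaining two copies.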
-- 
1.8.3.1


[Freeipa-devel] [PATCH 0083] Add DNSSEC experimental support warning message

2014-06-30 Thread Martin Basti
Patch attached.
-- 
Martin^2 Basti
From e29d8a89485fa9f36446517b69a0082c4a85f747 Mon Sep 17 00:00:00 2001
From: Martin Basti mba...@redhat.com
Date: Mon, 30 Jun 2014 12:32:31 +0200
Subject: [PATCH] Add DNSSEC experimental support warning message

Ticket: https://fedorahosted.org/freeipa/ticket/4408
---
 ipalib/plugins/dns.py | 31 +++
 1 file changed, 31 insertions(+)

diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py
index b693bb9c3ce091fa26ed14d27213b84ef61f8f0c..5314cce242ffaf54a91b9e24ada331ccf9e02a0b 100644
--- a/ipalib/plugins/dns.py
+++ b/ipalib/plugins/dns.py
@@ -274,6 +274,24 @@ You may want to use forward zones (dnsforwardzone-*) instead. For more details r
 
 )
 
+dnssec_experimental_true_warning = _(
+DNSSEC support is experimental.
+You have to manually generate DNSSEC signing keys and distribute them to all IPA DNS servers.
+# In the following text, please replace %s with zone name without trailing period
+$ cd /var/named/dyndb-ldap/ipa/%s/keys
+$ dnssec-keygen -3 -b 2048 -f KSK %s
+$ dnssec-keygen -3 -b 2048 %s
+# please distribute all keys in this directory to all IPA DNS servers
+$ chown named: *
+$ rndc sign %s
+
+)
+
+dnssec_experimental_false_warning = _(
+DNSSEC support is experimental.
+If you encounter any problems please report them and restart 'named' service on affected IPA server.
+
+)
 
 def _rname_validator(ugettext, zonemgr):
 try:
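Review bot: `dnssec_experimental_true_warning` tells the administrator to run `dnssec-keygen` and then to distribute everything in `/var/named/dyndb-ldap/ipa/%s/keys` to all IPA DNS servers; that directory holds the private KSK and ZSK files, so the text should say to copy them over a secure channel and to keep the `named:` ownership and a restrictive mode on every replica, otherwise a reader may reasonably stage them somewhere shared. The `%s` placeholders are also left for the user to replace by hand although the command knows the zone name; formatting it in would remove a manual step and a source of typos. Finally, the whole block sits inside `_()`, so the shell lines will be offered to translators; keeping the explanatory sentence in `_()` and the command lines outside it would keep the message catalog clean.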
@@ -2220,6 +2238,17 @@ class dnszone(DNSZoneBase):
  messages.PublicMessage(type='warning',
  message=forwarders_warning))
 
+def _warning_dnssec_experimental(self, result, **options):
+# add warning when user use option --dnssec
+if 'idnssecinlinesigning' in options:
+if options['idnssecinlinesigning'] is True:
+messages.add_message(options['version'], result,
+ messages.PublicMessage(type='warning',
+ message=dnssec_experimental_true_warning))
+else:
+messages.add_message(options['version'], result,
+ messages.PublicMessage(type='warning',
+ message=dnssec_experimental_false_warning))
 
 
 @register()
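Review bot: in `_warning_dnssec_experimental` the `else` branch runs for any value of `options['idnssecinlinesigning']` other than the literal `True`, so an explicit `None` also produces the "restart named" warning meant for disabling; making the second branch `elif options['idnssecinlinesigning'] is False:` ties the two messages to the two real states. The comment `# add warning when user use option --dnssec` should say that both enabling and disabling are reported, and, as Petr Viktorin points out for the forwarders warning elsewhere in this digest, both messages would be better as dedicated classes in `messages.py` than as `PublicMessage` with custom text.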
@@ -2311,6 +2340,7 @@ class dnszone_add(DNSZoneBase_add):
 def execute(self, *keys, **options):
 result = super(dnszone_add, self).execute(*keys, **options)
 self.obj._warning_forwarding(result, **options)
+self.obj._warning_dnssec_experimental(result, **options)
 return result
 
 def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
@@ -2393,6 +2423,7 @@ class dnszone_mod(DNSZoneBase_mod):
 def execute(self, *keys, **options):
 result = super(dnszone_mod, self).execute(*keys, **options)
 self.obj._warning_forwarding(result, **options)
+self.obj._warning_dnssec_experimental(result, **options)
 return result
 
 def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
-- 
1.8.3.1


Re: [Freeipa-devel] [PATCH] 691 webui-ci: fix action list action visibility and enablement assertion

2014-06-30 Thread Petr Vobornik

On 28.6.2014 02:04, Endi Sukma Dewata wrote:

On 6/26/2014 9:15 AM, Petr Vobornik wrote:

Fixes CA-less CI test fail

The new html structure was not addressed properly.


The new code is checking for the 'disabled' class in the list element,
not the link element; is this correct?
   is_enabled = not self.has_class(li, 'disabled')


Yes, the html structure of a disabled item is:

<li data-name="enable" role="presentation" class="disabled">
<a href="#enable" tabindex="-1">Enable</a>
</li>



If test works, ACK.



Pushed to master: 029649c05cbf9edfc80d4552dec479ab24d4872c
--
Petr Vobornik



[Freeipa-devel] [PATCH 0237] ipa-client-install: Restart nisdomain service instead of

2014-06-30 Thread Tomas Babej
Hi,

To ensure new NIS domain name is loaded after ipa-client-install
even in case when nisdomainname service is already running, we
need to restart the service rather than starting it.

https://fedorahosted.org/freeipa/ticket/4393

-- 
Tomas Babej
Associate Software Engineer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org 


From 12df3b1c87072f9d0d45dcbf3b931220241ac561 Mon Sep 17 00:00:00 2001
From: Tomas Babej tba...@redhat.com
Date: Mon, 30 Jun 2014 11:43:49 +0200
Subject: [PATCH] ipa-client-install: Restart nisdomain service instead of
 starting

To ensure new NIS domain name is loaded after ipa-client-install
even in case when nisdomainname service is already running, we
need to restart the service rather than starting it.

https://fedorahosted.org/freeipa/ticket/4393
---
 ipa-client/ipa-install/ipa-client-install | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 73c564818e022eda7b100abff628c95ee237b181..bfa43b1468887dcd408cd8f2941f9fd961f372ce 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -1439,7 +1439,9 @@ def configure_nisdomain(options, domain):
 
 # Enable and start the domainname service
 services.knownservices.domainname.enable()
-services.knownservices.domainname.start()
+# Restart rather than start so that new NIS domain name is loaded
+# if the service is already running
+services.knownservices.domainname.restart()
 
 
 def unconfigure_nisdomain():
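Review bot: the unchanged comment `# Enable and start the domainname service` two lines above the change now contradicts the code, which restarts; update it to `# Enable and restart the domainname service` so the block reads consistently with the new inline explanation.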
-- 
1.9.3


Re: [Freeipa-devel] [PATCH] 677 webui: support unlock user command

2014-06-30 Thread Petr Vobornik

On 27.6.2014 18:09, Endi Sukma Dewata wrote:

On 6/24/2014 10:44 AM, Petr Vobornik wrote:

Call user-unlock command from Web UI.

It will unlock displayed user on current master.

related to:
https://fedorahosted.org/freeipa/ticket/2792


Looks like there's a server problem (ticket #4409), but the UI is fine,
so ACK.


Pushed to master: 35d3f03843536613b6fdb4e0cf07c44f5d8b5140
--
Petr Vobornik



Re: [Freeipa-devel] [PATCH] 680-682 webui: validation reporting improvements

2014-06-30 Thread Petr Vobornik

On 30.6.2014 06:41, Fraser Tweedale wrote:

On Fri, Jun 27, 2014 at 10:54:39AM +0200, Petr Vobornik wrote:

On 27.6.2014 09:48, Fraser Tweedale wrote:

On Wed, Jun 25, 2014 at 06:58:52PM +0200, Petr Vobornik wrote:

Patch 618 fixes a bug.

Patches 680 and 681 were implemented along with it. They address pspacek's
usability rant :).

[PATCH] 680 webui: show notification instead of modal dialog on validation
error
[PATCH] 681 webui: fix required error notification in multivalued widget
[PATCH] 682 webui: focus invalid widget on validation error
--
Petr Vobornik


ACK on 680 and 682.

On 681: diff makes sense; I'm not 100% sure my testing has covered
cases that were previously failing.  ACK if you're confident,
otherwise could you provide steps to verify?


You need to find a required multivalued field. One is in Identity/Realm
Domains. Delete all values and hit update. It's a little bit related to
ticket: https://fedorahosted.org/freeipa/ticket/4057

Also when verifying validators in a multivalued field, it's good to check if
errors are provided only for invalid values, etc. A good test field is in
DNS/DNS Zones/some zone/Settings/ there is the Allow query field which
accepts a network address, any or none.



I can't discern any difference in behaviour of the multi-value
fields from before and after your patch.  I tried with the
Identity/Realm Domains as suggested.

Maybe I missed something.  Has someone else been able to verify?


Expected result is: 
http://pvoborni.fedorapeople.org/images/multivalued-w-required-msg.png


Without the patch, there is no red highlight and no error message.



Fraser



Cheers,

Fraser


--
Petr Vobornik



--
Petr Vobornik



Re: [Freeipa-devel] [PATCH] 470 Add python-yubico to BuildRequires

2014-06-30 Thread Martin Kosek
Right. I assume that Nathaniel would soon move that to stable updates
repository if no blocking issue emerges.

Martin

On 06/30/2014 12:17 PM, Tomas Babej wrote:
 Please note that python-yubico package is currently available in F20
 updates-testing repository only.
 
 On 06/27/2014 10:18 AM, Martin Kosek wrote:
 python-yubico needs to be on a machine to be able to build FreeIPA.
 Without it, even ./makeapi and ./makeaci fail.

 --

 Pushed to master under one-liner rule.

 Martin


 



Re: [Freeipa-devel] [PATCH 0237] ipa-client-install: Restart nisdomain service instead of

2014-06-30 Thread Alexander Bokovoy

On Mon, 30 Jun 2014, Tomas Babej wrote:

Hi,

To ensure new NIS domain name is loaded after ipa-client-install
even in case when nisdomainname service is already running, we
need to restart the service rather than starting it.

https://fedorahosted.org/freeipa/ticket/4393

ACK.

--
/ Alexander Bokovoy



Re: [Freeipa-devel] [PATCH] 470 Add python-yubico to BuildRequires

2014-06-30 Thread Alexander Bokovoy

On Mon, 30 Jun 2014, Martin Kosek wrote:

Right. I assume that Nathaniel would soon move that to stable updates
repository if no blocking issue emerges.

Also for those using automatic git master builds, python-yubico is in
ipa-devel repo too.

--
/ Alexander Bokovoy



Re: [Freeipa-devel] [PATCH 0070] Normalization check only for IDNA domains

2014-06-30 Thread Martin Basti
On Mon, 2014-06-30 at 11:43 +0300, Alexander Bokovoy wrote:
 On Mon, 30 Jun 2014, Martin Basti wrote:
 On Fri, 2014-06-27 at 14:03 +0300, Alexander Bokovoy wrote:
  On Fri, 27 Jun 2014, Martin Kosek wrote:
  On 06/27/2014 12:10 PM, Alexander Bokovoy wrote:
   On Fri, 27 Jun 2014, Petr Spacek wrote:
   On 27.6.2014 11:21, Jan Cholasta wrote:
   On 27.6.2014 10:58, Alexander Bokovoy wrote:
   On Fri, 27 Jun 2014, Jan Cholasta wrote:
   On 27.6.2014 10:29, Alexander Bokovoy wrote:
   On Fri, 27 Jun 2014, Jan Cholasta wrote:
   On 27.6.2014 10:15, Alexander Bokovoy wrote:
   On Fri, 20 Jun 2014, Martin Basti wrote:
   On Fri, 2014-06-20 at 10:32 +0200, Jan Cholasta wrote:
   On 18.6.2014 16:49, Martin Basti wrote:
   Due to compatibility with older versions, only IDNA domains should be
   checked.
   Patch attached.
  
   I'm not particularly happy about the u'\xdf' special case. Isn't there a
   better way to do this check?
   I can't find a better way. u'\xdf' is mapped to ss, and ss is not an IDN
   string.
  
   Or just remove this validation.
  
   (BTW I really think this should be a warning, not an error, but that
   would require a larger amount of work, so I guess it's OK for now.)
   (More pain than gain)
   Main thing in this patch is that the check should not be done against
   non-IDN strings. I want this version of the patch to go in for that
   reason as currently you cannot even complete ipa-adtrust-install run due
   to IDN normalisation check being applied to non-IDN domains.
  
   On non-IDN domains, the only effect of IDN normalization is that it
   lower-cases the names (right?), so the check should compare the
   lower-cased original name with the normalized name, instead of
   special-casing certain characters etc.
   .. what's the reason to do such a comparison then? A lower-cased non-IDN
   name will be equal to the lower-cased normalized non-IDN name by definition,
   so the check is not needed in this case, at all.
  
   The point is that it works for both IDN and non-IDN, without
   u'\xdf'-style hacks.
   No, your proposal of comparing the low-cased value and the normalized value
   is not going to work because the low-cased value is in general not equal to
   the normalized value for IDN names, only for non-IDN ones, due to the fact
   that lower case for a non-ASCII Unicode character may map to a completely
   different character than in the normalization situation. Take, for example,
   the Turkish alphabet where there are six letters with different case rules
   (uppercase dotted i, dotless lowercase i, upper- and lowercase G with
   breve accent, and upper- and lowercase S with cedilla), which will break
   your generalized check.
   So you'll need to split these cases anyway.
  
  
   I see.
  
   I'm still not comfortable with carrying the bit of knowledge about
   u'\xdf' in this particular spot. Can we check that a name is IDN some
   other way than domain_name.is_idn() or u'\xdf' in value?
   Why can't we simply fix string constants in ipa-adtrust-install and avoid
   adding hacks for it?
   Because they are correct, in the sense that they follow what is defined
   for Active Directory. Yes, AD puts them in that case into DNS. There is
   simply no reason to force lower case for non-IDN names.
  
   That said, a newer fix is attached, where error message is formatted
   properly.
  
  I would personally be OK with the change if the is_* are fixed as Honza
  proposed; the current way is not so Python-ic/readable. I.e.:
  
  Instead of
  +is_idna = True in [encodings.idna.ToASCII(x) != x for x in labels]
  Use
  +is_idna = any(encodings.idna.ToASCII(x) != x for x in labels)
  
  Instead of
  +is_nonnorm = True in [encodings.idna.nameprep(x) != x for x in labels]
  use
  +is_nonnorm = any(encodings.idna.nameprep(x) != x for x in labels)
  
  However, we can wait till Monday for Martin2's feedback.
  I've fixed this and also made a proper split on all dots that could
  separate labels according to RFC3490:
 
  U+002E ( . ) FULL STOP
  U+FF0E ( . ) FULLWIDTH FULL STOP
  U+3002 ( 。 ) IDEOGRAPHIC FULL STOP
  U+FF61 ( 。 ) HALFWIDTH IDEOGRAPHIC FULL STOP
 
 
 
 Hi,
 I analyzed how python detects IDNA labels.
 
 Python tests if domain is IDNA in this way:
 
 def ToASCII(label):
     try:
         # Step 1: try ASCII
         label = label.encode("ascii")
     except UnicodeError:
         pass
     else:
         # Skip to step 3: UseSTD3ASCIIRules is false, so
         # Skip to step 8.
         if 0 < len(label) < 64:
             return label
         raise UnicodeError("label empty or too long")
 
     # Step 2: nameprep
     label = nameprep(label)
     ...
 
 We can use 'label = label.encode("ascii")' to 
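The check the thread converges on, as an added Python 3 example that is not FreeIPA's code and not the patch under review: a label that encodes as ASCII is a plain (non-IDN) label and is never normalization-checked, whatever its case; every other label is compared with its nameprep form; labels are split on the four RFC 3490 full stops Alexander lists. The function names `split_labels`, `label_is_ascii`, `is_idna`, `normalization_errors` and `to_ace` are mine, and skipping ASCII labels per label (rather than computing one `is_idna`/`is_nonnorm` pair for the whole name) is my reading of the discussion, not the exact logic of the patch. The sample names at the bottom are constructed.

```python
import encodings.idna

# The four code points RFC 3490 section 3.1 treats as label separators
# (the list quoted in the thread): FULL STOP, FULLWIDTH FULL STOP,
# IDEOGRAPHIC FULL STOP, HALFWIDTH IDEOGRAPHIC FULL STOP.
LABEL_SEPARATORS = "\u002e\uff0e\u3002\uff61"


def split_labels(name):
    """Split a domain name into labels on any RFC 3490 dot.

    A single trailing dot (absolute name) is tolerated and does not
    produce an empty last label.
    """
    labels = [name]
    for sep in LABEL_SEPARATORS:
        labels = [part for label in labels for part in label.split(sep)]
    if len(labels) > 1 and labels[-1] == "":
        labels.pop()
    return labels


def label_is_ascii(label):
    """Step 1 of ToASCII as quoted in the thread: a label that encodes as
    ASCII is a plain (non-IDN) label, regardless of its case."""
    try:
        label.encode("ascii")
    except UnicodeError:
        return False
    return True


def is_idna(name):
    """True if at least one label needs IDNA (punycode) encoding."""
    return any(not label_is_ascii(label) for label in split_labels(name))


def normalization_errors(name):
    """Return (label, nameprep(label)) pairs for every non-ASCII label that
    is not already in nameprep form.

    ASCII labels are skipped on purpose: nameprep lower-cases them too, and
    the point made in the thread is that mixed-case plain names, such as
    the ones Active Directory writes into DNS, must not be rejected. The
    U+00DF case from the thread needs no special handling here: nameprep
    maps that character to "ss", so such a label reports as non-normalized.
    """
    errors = []
    for label in split_labels(name):
        if label_is_ascii(label):
            continue
        normalized = encodings.idna.nameprep(label)
        if normalized != label:
            errors.append((label, normalized))
    return errors


def to_ace(name):
    """ACE ("xn--") form of the name, useful for logging or for comparing
    with what is actually stored in DNS. ToASCII raises UnicodeError on an
    empty or over-long label; that is left to the caller."""
    return ".".join(
        encodings.idna.ToASCII(label).decode("ascii")
        for label in split_labels(name)
    )


if __name__ == "__main__":
    # Constructed sample names covering the cases discussed in the thread:
    # an upper-case AD-style plain name, a normalized IDN name, an IDN name
    # with an upper-case letter, the U+00DF ("sharp s") case, and a name
    # using the fullwidth full stop as separator.
    for sample in ("AD.EXAMPLE.COM", "b\u00fccher.example",
                   "B\u00fccher.example", "stra\u00dfe.example",
                   "b\u00fccher\uff0eexample."):
        print(repr(sample),
              "idna" if is_idna(sample) else "plain",
              normalization_errors(sample))
```

Run as a script it prints one line per sample; only the two names with an upper-case or sharp-s IDN label report an error, and "AD.EXAMPLE.COM" passes untouched, which is the ipa-adtrust-install situation the thread is about.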

[Freeipa-devel] [RFC] Release notes for FreeIPA 4.0

2014-06-30 Thread Martin Kosek
Hello all,

We should start working on FreeIPA 4.0 release notes. A lot of work has been
done, and there is a lot of release information we need to address.

I created the first draft partially generated and updated from Trac enhancement
tickets, including the ticket+design links:

http://www.freeipa.org/page/Releases/4.0.0

I think that especially the links to respective designs will be helpful for
people googling for this release.

I would like to ask for your help to clean and enhance the release notes and
add more information for features making big changes or changes in behavior. I
currently have these special sections defined, other proposals welcome:

* 2FA Kerberos Authentication (Nathaniel)
* Reworked Control Access (Petr3)
* DNS Master Forward Zones (Martin)
* Experimental DNSSEC Support (Petr2, Martin)

Thank you!

-- 
Martin Kosek mko...@redhat.com
Supervisor, Software Engineering - Identity Management Team
Red Hat Inc.



Re: [Freeipa-devel] [PATCH] 0610 Allow admins to write krbLoginFailedCount

2014-06-30 Thread Martin Kosek
On 06/30/2014 12:32 PM, Petr Viktorin wrote:
 Fix for https://fedorahosted.org/freeipa/ticket/4409

I think something is missing here :-)



Re: [Freeipa-devel] [PATCH 0082] Forward zones: add warning about forwarders semantic change in dnszone-add/mod

2014-06-30 Thread Petr Viktorin

On 06/30/2014 12:48 PM, Martin Basti wrote:

Ticket: https://fedorahosted.org/freeipa/ticket/3210#comment:16
Patch attached.



When you add a new message, you should also define a new class for it in 
messages.py with a new errno, not just reuse PublicMessage with a custom 
string.



--
Petr³



Re: [Freeipa-devel] [PATCH] 0610 Allow admins to write krbLoginFailedCount

2014-06-30 Thread Petr Viktorin

On 06/30/2014 01:53 PM, Martin Kosek wrote:

On 06/30/2014 12:32 PM, Petr Viktorin wrote:

Fix for https://fedorahosted.org/freeipa/ticket/4409


I think something is missing here :-)



Sorry for that.


--
Petr³
From 36fa1e33b21791d722ccc91353273935f154b280 Mon Sep 17 00:00:00 2001
From: Petr Viktorin pvikt...@redhat.com
Date: Mon, 30 Jun 2014 12:26:36 +0200
Subject: [PATCH] Allow admins to write krbLoginFailedCount

Without write access to this attribute, admins could not unlock users.

https://fedorahosted.org/freeipa/ticket/4409
---
 install/updates/20-aci.update | 6 --
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update
index 76179bfb68c011eaa6e8828a0b80eb38b373b51f..4e8608a195572bd8b1fac7ab4d3a163b42bcaad4 100644
--- a/install/updates/20-aci.update
+++ b/install/updates/20-aci.update
@@ -44,13 +44,15 @@ dn: $SUFFIX
 remove:aci:'(targetattr != userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash)(version 3.0; acl Admin can manage any entry; allow (all) groupdn = ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX;;)'
 remove:aci:'(targetattr != userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash)(version 3.0; acl Admin can manage any entry; allow (all) groupdn = ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX;;)'
 remove:aci:'(targetattr != userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbPasswordExpiration || krbPwdHistory || krbLastPwdChange || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || enrolledBy || ipaNTHash)(version 3.0; acl Admin can manage any entry; allow (all) groupdn = ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX;;)'
-add:aci:'(targetattr != userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbPasswordExpiration || krbPwdHistory || krbLastPwdChange || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || enrolledBy || ipaNTHash || ipaProtectedOperation)(version 3.0; acl Admin can manage any entry; allow (all) groupdn = ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX;;)'
+remove:aci:'(targetattr != userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbPasswordExpiration || krbPwdHistory || krbLastPwdChange || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || enrolledBy || ipaNTHash || ipaProtectedOperation)(version 3.0; acl Admin can manage any entry; allow (all) groupdn = ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX;;)'
+add:aci:'(targetattr != userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbPasswordExpiration || krbPwdHistory || krbLastPwdChange || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || ipaUniqueId || memberOf || enrolledBy || ipaNTHash || ipaProtectedOperation)(version 3.0; acl Admin can manage any entry; allow (all) groupdn = ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX;;)'
 # Write-only
 remove:aci:'(targetattr = userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory)(version 3.0; acl Admins can write passwords; allow (add,delete,write) groupdn=ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX;;)'
 add:aci:'(targetattr = userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash)(version 3.0; acl Admins can write passwords; allow (add,delete,write) groupdn=ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX;;)'
 add:aci:'(targetfilter = (objectClass=krbPwdPolicy))(targetattr = krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength)(version 3.0;acl Admins can write password policies; allow (read, search, compare, write) groupdn = 
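Review bot: the only difference between the new `remove:aci` value and the `add:aci` value that follows it is that krbLoginFailedCount has been dropped from the `targetattr !=` exclusion list, so the admins group's `allow (all)` now covers writing krbLoginFailedCount; that intent is invisible when diffing two 500-character ACI strings, so put a one-line comment above the add naming the attribute and the ticket. The new remove line also only matches a value that, per the 0610 discussion on this list, was never released, so check whether it is needed for the upgrade paths the update file supports.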

Re: [Freeipa-devel] [PATCH 0237] ipa-client-install: Restart nisdomain service instead of

2014-06-30 Thread Martin Kosek
On 06/30/2014 01:46 PM, Alexander Bokovoy wrote:
 On Mon, 30 Jun 2014, Tomas Babej wrote:
 Hi,

 To ensure new NIS domain name is loaded after ipa-client-install
 even in case when nisdomainname service is already running, we
 need to restart the service rather than starting it.

 https://fedorahosted.org/freeipa/ticket/4393
 ACK.
 

Pushed to master: ffab09a7ef7a16b220e657e24813c90ba1a13523

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH 0083] Add DNSSEC experimental support warning message

2014-06-30 Thread Martin Basti
On Mon, 2014-06-30 at 12:49 +0200, Martin Basti wrote:
 Patch attached.

Updated patch attached 
-- 
Martin^2 Basti
From 1f2dd2c86b49aa1d66915505564eb3f3cbd0ceae Mon Sep 17 00:00:00 2001
From: Martin Basti mba...@redhat.com
Date: Mon, 30 Jun 2014 12:32:31 +0200
Subject: [PATCH] Add DNSSEC experimental support warning message

Ticket: https://fedorahosted.org/freeipa/ticket/4408
---
 ipalib/plugins/dns.py | 35 +++
 1 file changed, 35 insertions(+)

diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py
index b693bb9c3ce091fa26ed14d27213b84ef61f8f0c..ecae67c1369f641fb2a5594dff7c43929fd9339f 100644
--- a/ipalib/plugins/dns.py
+++ b/ipalib/plugins/dns.py
@@ -274,6 +274,25 @@ You may want to use forward zones (dnsforwardzone-*) instead. For more details r
 
 )
 
+dnssec_experimental_true_warning = _(
+DNSSEC support is experimental.
+You have to manually generate DNSSEC signing keys and distribute them
+to all IPA DNS servers. Run:
+cd /var/named/dyndb-ldap/ipa/%(zone)s/keys
+dnssec-keygen -3 -b 2048 -f KSK %(zone)s
+dnssec-keygen -3 -b 2048 %(zone)s
+# please distribute all keys in this directory to all IPA DNS servers
+chown named: *
+rndc sign %(zone)s
+
+)
+
+dnssec_experimental_false_warning = _(
+DNSSEC support is experimental.
+If you encounter any problems please report them and restart 'named' service
+on affected IPA server.
+
+)
 
 def _rname_validator(ugettext, zonemgr):
 try:
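Review bot: the commands in dnssec_experimental_true_warning generate private signing keys and then only `chown named: *`, leaving the key files with whatever mode the umask produced, so the text should also tell the admin to restrict them to the named user (a `chmod` line after the chown, owner read/write only). The `dnssec-keygen` lines also pass no `-a`; with `-3` the BIND default of that era is NSEC3RSASHA1, so an explicit `-a RSASHA256` would avoid steering users to a SHA-1 based algorithm.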
@@ -2220,6 +2239,20 @@ class dnszone(DNSZoneBase):
  messages.PublicMessage(type='warning',
  message=forwarders_warning))
 
+def _warning_dnssec_experimental(self, result, *keys, **options):
+# add warning when user use option --dnssec
+if 'idnssecinlinesigning' in options:
+if options['idnssecinlinesigning'] is True:
+msg = dnssec_experimental_true_warning % {
+'zone': keys[-1].relativize(DNSName.root),
+}
+messages.add_message(options['version'], result,
+ messages.PublicMessage(type='warning',
+ message=msg))
+else:
+messages.add_message(options['version'], result,
+ messages.PublicMessage(type='warning',
+ message=dnssec_experimental_false_warning))
 
 
 @register()
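Review bot: both branches of _warning_dnssec_experimental wrap a free-form string in a bare messages.PublicMessage, so a client can only recognise the DNSSEC warning by matching its text; define dedicated message classes in ipalib/messages.py with their own errno (the same point raised for the forwarders warning in patch 0082 on this list) and use those here. The code comment also says `--dnssec` while the check is on `idnssecinlinesigning`; name the option consistently.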
@@ -2311,6 +2344,7 @@ class dnszone_add(DNSZoneBase_add):
 def execute(self, *keys, **options):
 result = super(dnszone_add, self).execute(*keys, **options)
 self.obj._warning_forwarding(result, **options)
+self.obj._warning_dnssec_experimental(result, *keys, **options)
 return result
 
 def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
@@ -2393,6 +2427,7 @@ class dnszone_mod(DNSZoneBase_mod):
 def execute(self, *keys, **options):
 result = super(dnszone_mod, self).execute(*keys, **options)
 self.obj._warning_forwarding(result, **options)
+self.obj._warning_dnssec_experimental(result, *keys, **options)
 return result
 
 def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
-- 
1.8.3.1


Re: [Freeipa-devel] [PATCH] 472 Let Host Administrators use host-disable command

2014-06-30 Thread Simo Sorce
On Mon, 2014-06-30 at 12:19 +0200, Petr Viktorin wrote:
 On 06/30/2014 10:58 AM, Martin Kosek wrote:
  On 06/30/2014 10:55 AM, Petr Viktorin wrote:
  On 06/27/2014 05:18 PM, Martin Kosek wrote:
  On 06/27/2014 05:16 PM, Simo Sorce wrote:
  On Fri, 2014-06-27 at 17:12 +0200, Martin Kosek wrote:
  On 06/27/2014 05:10 PM, Simo Sorce wrote:
  On Fri, 2014-06-27 at 16:16 +0200, Martin Kosek wrote:
  Host Administrators could not write to service keytab attribute and
  thus they could not run the host-disable command.
 
  https://fedorahosted.org/freeipa/ticket/4284
 
 
  Any reason why Host Administrators are not members of the service
  Administrators group/permission by default ?
 
  Simo.
 
 
  I assume that the original intent was to allow admins to separate these
  privileges, i.e. allow service administrators to manage services on hosts
  but not allow them to delete or disable the hosts.
 
  Sure, but I asked the opposite question. I understand you may want to
  have Service Administrators that cannot manage the host object.
  But is there ever a case where Host Administrator is not also Service
  Administrator ?
 
  This patch fixes the reported request for Foreman integration. If you
  have a better one fixing it as well, we can go a different way.
 
  I was wondering if a group membership change wouldn't solve a class of
  problems, instead of fixing this on per permission basis, that's all.
 
  Simo.
 
 
  Sure, good thinking. I do not think that the current framework can make one
  privilege a member of another one, so this would need to be hacked in.
  CCing Petr3 to get his view on this.
 
  Right, it would need to be hacked in.
  At the directory level there's normal membership, so  any
  permission/privilege/role/group can be nested in any other, but IPA will
  probably give incomplete/confusing output for such memberships, and it 
  won't
  let you edit them.
 
  Ok. In that case, it seems to me that the lesser evil would be to just add 
  this
  missing permission (or defer the ticket if nacked).
 
  Martin
 
 I agree. ACK if Simo is OK with it as well.

Sure, no issues here.

Simo.





Re: [Freeipa-devel] [PATCH] 472 Let Host Administrators use host-disable command

2014-06-30 Thread Petr Viktorin

On 06/30/2014 02:37 PM, Simo Sorce wrote:

On Mon, 2014-06-30 at 12:19 +0200, Petr Viktorin wrote:

On 06/30/2014 10:58 AM, Martin Kosek wrote:

On 06/30/2014 10:55 AM, Petr Viktorin wrote:

On 06/27/2014 05:18 PM, Martin Kosek wrote:

On 06/27/2014 05:16 PM, Simo Sorce wrote:

On Fri, 2014-06-27 at 17:12 +0200, Martin Kosek wrote:

On 06/27/2014 05:10 PM, Simo Sorce wrote:

On Fri, 2014-06-27 at 16:16 +0200, Martin Kosek wrote:

Host Administrators could not write to service keytab attribute and
thus they could not run the host-disable command.

https://fedorahosted.org/freeipa/ticket/4284



Any reason why Host Administrators are not members of the service
Administrators group/permission by default ?

Simo.



I assume that the original intent was to allow admins to separate these
privileges, i.e. allow service administrators to manage services on hosts but
not allow them to delete or disable the hosts.


Sure, but I asked the opposite question. I understand you may want to
have Service Administrators that cannot manage the host object.
But is there ever a case where Host Administrator is not also Service
Administrator ?


This patch fixes the reported request for Foreman integration. If you have a
better one fixing it as well, we can go a different way.


I was wondering if a group membership change wouldn't solve a class of
problems, instead of fixing this on per permission basis, that's all.

Simo.



Sure, good thinking. I do not think that the current framework can make one
privilege a member of another one, so this would need to be hacked in. CCing
Petr3 to get his view on this.


Right, it would need to be hacked in.
At the directory level there's normal membership, so  any
permission/privilege/role/group can be nested in any other, but IPA will
probably give incomplete/confusing output for such memberships, and it won't
let you edit them.


Ok. In that case, it seems to me that the lesser evil would be to just add this
missing permission (or defer the ticket if nacked).

Martin


I agree. ACK if Simo is OK with it as well.


Sure, no issues here.

Simo.




Pushed to master: 50c30c8401c21d43414404bd5caa157196449e4c


--
Petr³


Re: [Freeipa-devel] [PATCH 0070] Normalization check only for IDNA domains

2014-06-30 Thread Alexander Bokovoy

On Mon, 30 Jun 2014, Martin Basti wrote:

We can use 'label = label.encode(ascii)' to detect if IDNA is needed,
without idna.ToASCII() conversion, and then use:

is_nonnorm = any(encodings.idna.nameprep(x) != x for x in labels)
Sounds good but don't forget exceptions' handling. :)



Updated patch attached.

I modified the error messages; IDNA mapping is not only mapping to lowercase.

Looks good to me.

--
/ Alexander Bokovoy


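The check discussed in this thread, as an added example that is not code from the patch or from FreeIPA: the ASCII test is applied first, nameprep runs only on the labels that actually need IDNA processing, and the UnicodeError that nameprep raises for prohibited characters is reported instead of propagating. The function names and the sample names in the block are the example's own.

```python
import encodings.idna


def split_labels(name):
    """Split a DNS name into labels, ignoring the trailing dot of an absolute name."""
    name = name.rstrip(".")
    return name.split(".") if name else []


def check_idna_name(name):
    """Return {'nonnormalized': [(label, nameprepped)], 'invalid': [(label, reason)]}.

    Plain ASCII labels are skipped: DNS compares them case-insensitively and no
    IDNA mapping applies to them.  Only labels that need IDNA are run through
    nameprep; a label is reported when nameprep would change it (case folding,
    NFKC folding such as ligatures, characters mapped to nothing) or when
    nameprep rejects it outright (prohibited characters, bidi violations).
    """
    report = {"nonnormalized": [], "invalid": []}
    for label in split_labels(name):
        try:
            label.encode("ascii")
        except UnicodeEncodeError:
            pass  # non-ASCII label: IDNA processing is needed, continue below
        else:
            continue  # pure ASCII label: nothing to check
        try:
            mapped = encodings.idna.nameprep(label)
        except UnicodeError as err:
            # nameprep raises UnicodeError for prohibited characters and bidi
            # violations; turn that into a report entry rather than a traceback
            report["invalid"].append((label, str(err)))
            continue
        if mapped != label:
            report["nonnormalized"].append((label, mapped))
    return report


def is_normalized(name):
    """True when every label is either ASCII or already in its nameprep form."""
    result = check_idna_name(name)
    return not result["nonnormalized"] and not result["invalid"]


if __name__ == "__main__":
    # constructed samples: ASCII only, uppercase umlaut, fi ligature, LTR mark
    for sample in ["Example.COM", "B\u00fccher.example",
                   "\ufb01nance.example", "foo\u200ebar.example"]:
        print(sample, check_idna_name(sample))
```

The ligature sample is the case behind "IDNA mapping is not only mapping to lowercase": nameprep's NFKC step turns U+FB01 into the two letters "fi", so the label changes even though no uppercase character is involved.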

Re: [Freeipa-devel] Reorganization of Web UI navigation items

2014-06-30 Thread Kyle Baker

- Original Message -
 On 06/27/2014 07:27 PM, Petr Vobornik wrote:
  On 2.6.2014 15:59, Petr Vobornik wrote:
  Hi List,
 
  the purpose of this mail is to start a discussion about the reorganization
  of navigation items. Users are not fond of such changes, so we should come
  up with a solution which would last for some time.
 
  Problem:
  UX recommendation is that one menu level should contain a maximum of 7
  items. We have 10 items in Identity, 7 in Policy and 7 in IPA Server.
  Basically we reached the max. capacity of all 1st-level items.
 
  Solution:
  Introduce new 1st-level items and redistribute 2nd-level items.
 
  
  It would be great to get this into 4.0, resuming the discussion. My
  proposal
  which takes into account various other proposals:
  
  Identity (7)
- Users
- User Groups
- Hosts
- Host Groups
- Netgroups
- Services
- Automember
  - User group rules
  - Host group rules
  Policy (5)
- Host Based Access Control
  - HBAC Rules
  - HBAC Services
  - HBAC Service Groups
  - HBAC Test
- Sudo
  - Sudo Rules
  - Sudo Commands
  - Sudo Command Groups
- SELinux User Maps
- Password Policies
- Kerberos Ticket Policy
  Authentication (3-4)
- Certificates
- (future) User Certificates
- OTP Tokens
- RADIUS Servers
  Network services (2-3)
- Automount
- DNS
  - DNS Zones
  - DNS Forward Zones
  - DNS Global Configuration
- (future) Vault
  IPA Server (5-7)
- Role Based Access Control
  - Roles
  - Privileges
  - Permissions
  - Self Service Permissions
  - Delegations
- ID Ranges
- Realm Domain
- (future) Replication Topology
- Trusts
  - Trusts
  - Global Trust Configuration
- (future) Views
- Configuration
  (future) Help
  - Docs
  - API
  - ...
  
  Mostly it's a response to the last proposal:
  http://www.redhat.com/archives/freeipa-devel/2014-June/msg00107.html
  
  You can check live version at: http://pvoborni.fedorapeople.org/ui/
  
  From the earlier discussion I would say that there was an agreement on the
  Identity and Policy tabs, which are very similar to the current implementation.
  
  Simo had a proposal to introduce an Authentication tab in the future. I guess
  we can do it now. We already have RADIUS server proxies, and certificates are
  also related. It will solve the "OTP doesn't fit anywhere" problem.
  
  I've kept the Network Services tab because IDK where to put DNS and
  Automount :)
  
  Simo's 'Directory' and 'Configuration' were merged into the existing 'IPA
  Server' with the difference that all RBAC related stuff is under one item
  (this option was mentioned by Petr3). Btw RBAC === existing items in
  'Directory'. The label is 'IPA Server' because almost everything is related
  to configuration of the server itself, maybe with the exception of Trust and
  Views. The label 'Configuration' is too general. The label 'Directory' was
  quite low-level, as pointed out by Dmitry.
  
  This merge allows us to add 'Help' in the future.
  
  It would be good to move something into Network Services (and maybe rename
  it) since it has only two (three in the future) items.
 
 Thanks for returning to this effort. 4.0 is indeed the right place to do this
 change.
 
 Note that with this proposal, Identity tab is already full. I would still
 prefer my original proposal to split Users and Hosts operations + have
 Infrastructure/Trusts tab (some variation of
 http://www.redhat.com/archives/freeipa-devel/2014-June/msg00060.html), but
 apparently this crowded Identity tab is what people want :) I would still
 recommend running it by UX.

Been following the thread and the map Petr has put together here does a great 
job of categorizing these items. The ratio of level one to level two options is 
secondary to logical, intuitive groupings. 

I think the way Identity is here is fine. 7 options is just an average guide,
not the max number. I don't see the types of currency we manage increasing
dramatically in the future. Even if we add four more options under Identity it
should have little effect due to the logical groupings.

The goal here is to not require users to memorize tons of options because the
top level bucket is too big or the label is too generic/specific. I think Petr
has struck a great balance here.

One comment - Is 'IPA Server' going to make sense in the downstream? May make 
sense to call it Identity Server which will make sense in both cases.

 
 



Re: [Freeipa-devel] [PATCH] 680-682 webui: validation reporting improvements

2014-06-30 Thread Endi Sukma Dewata

On 6/27/2014 3:54 AM, Petr Vobornik wrote:

On 27.6.2014 09:48, Fraser Tweedale wrote:

On Wed, Jun 25, 2014 at 06:58:52PM +0200, Petr Vobornik wrote:

Patch 618 fixes a bug.

Patches 680 and 681 were implemented along with it. They address
pspacek's
usability rant :).

[PATCH] 680 webui: show notification instead of modal dialog on
validation
error
[PATCH] 681 webui: fix required error notification in multivalued widget
[PATCH] 682 webui: focus invalid widget on validation error
--
Petr Vobornik


ACK on 680 and 682.

On 681: diff makes sense; I'm not 100% sure my testing has covered
cases that were previously failing.  ACK if you're confident,
otherwise could you provide steps to verify?


You need to find a required multivalued field. One is in Identity/Realm
Domains. Delete all values and hit update. It's a little bit related to
ticket: https://fedorahosted.org/freeipa/ticket/4057

Also when verifying validators in multivalued field, it's good to check
if errors are provided only for invalid values, etc..  good test field
is in DNS/DNS Zones/some zone/Settings/ there is Allow query field
which accepts network address, any or none.


ACK.

This should be sufficient to close #4057. But just wondering, the Realm 
Domains page right now is implemented as a details page with a 
multi-valued widget. Would it make more sense to be a list page instead? 
The realmdomains-mod CLI is kind of unusual too with the 
--add/del-domain parameters. Why not use realmdomain-add/del commands? 
Are there other commands implemented in this fashion?


--
Endi S. Dewata



Re: [Freeipa-devel] [PATCH] 0610 Allow admins to write krbLoginFailedCount

2014-06-30 Thread Martin Kosek
On 06/30/2014 01:58 PM, Petr Viktorin wrote:
 On 06/30/2014 01:53 PM, Martin Kosek wrote:
 On 06/30/2014 12:32 PM, Petr Viktorin wrote:
 Fix for https://fedorahosted.org/freeipa/ticket/4409

 I think something is missing here :-)

 
 Sorry for that.

Looks ok. Do we need to add the new remove definitions given that the
respective ACIs were never released? I am just aiming for update file sanity.

Martin



Re: [Freeipa-devel] [PATCH 0082] Forward zones: add warning about forwarders semantic change in dnszone-add/mod

2014-06-30 Thread Petr Spacek

On 30.6.2014 13:57, Petr Viktorin wrote:

On 06/30/2014 12:48 PM, Martin Basti wrote:

Ticket: https://fedorahosted.org/freeipa/ticket/3210#comment:16
Patch attached.



When you add a new message, you should also define a new class for it in
messages.py with a new errno, not just reuse PublicMessage with a custom string.


Otherwise the patch works for me.

--
Petr^2 Spacek



Re: [Freeipa-devel] [PATCH 0083] Add DNSSEC experimental support warning message

2014-06-30 Thread Petr Spacek

On 30.6.2014 14:33, Martin Basti wrote:

On Mon, 2014-06-30 at 12:49 +0200, Martin Basti wrote:

Patch attached.


It works for me.

Please change the string a little bit; I have realized that we should ensure
that file permissions are correct:


chown named: *
chmod u= *

(the chmod part new)

Thanks!

--
Petr^2 Spacek



Re: [Freeipa-devel] [PATCH 0083] Add DNSSEC experimental support warning message

2014-06-30 Thread Martin Basti
On Mon, 2014-06-30 at 16:57 +0200, Petr Spacek wrote:
 On 30.6.2014 14:33, Martin Basti wrote:
  On Mon, 2014-06-30 at 12:49 +0200, Martin Basti wrote:
  Patch attached.
 
 It works for me.
 
 Please change the string a little bit; I have realized that we should ensure
 that file permissions are correct:
 
 chown named: *
 chmod u= *
 
 (the chmod part new)
 
 Thanks!
 

Updated patch attached
-- 
Martin^2 Basti
From 64a0a645650103a245ccc483bfe56786633657f7 Mon Sep 17 00:00:00 2001
From: Martin Basti mba...@redhat.com
Date: Mon, 30 Jun 2014 12:32:31 +0200
Subject: [PATCH] Add DNSSEC experimental support warning message

Ticket: https://fedorahosted.org/freeipa/ticket/4408
---
 ipalib/plugins/dns.py | 36 
 1 file changed, 36 insertions(+)

diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py
index b693bb9c3ce091fa26ed14d27213b84ef61f8f0c..03a0f9a5dd6cae35fa5b850f91b88e0249fb2cb5 100644
--- a/ipalib/plugins/dns.py
+++ b/ipalib/plugins/dns.py
@@ -274,6 +274,26 @@ You may want to use forward zones (dnsforwardzone-*) instead. For more details r
 
 )
 
+dnssec_experimental_true_warning = _(
+DNSSEC support is experimental.
+You have to manually generate DNSSEC signing keys and distribute them
+to all IPA DNS servers. Run:
+cd /var/named/dyndb-ldap/ipa/%(zone)s/keys
+dnssec-keygen -3 -b 2048 -f KSK %(zone)s
+dnssec-keygen -3 -b 2048 %(zone)s
+# please distribute all keys in this directory to all IPA DNS servers
+chown named: *
+chmod u= *
+rndc sign %(zone)s
+
+)
+
+dnssec_experimental_false_warning = _(
+DNSSEC support is experimental.
+If you encounter any problems please report them and restart 'named' service
+on affected IPA server.
+
+)
 
 def _rname_validator(ugettext, zonemgr):
 try:
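Review bot: `chmod u= *` in the warning text sets the owner's permission bits to nothing and leaves group and other untouched, which is the reverse of what is wanted here: named would no longer be able to read its own key files, while other local users could still read them depending on the umask. State the intended mode explicitly, for example `chmod u=rw,go= *` (owner read/write, nothing for group and other), placed after the `chown named: *` line.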
@@ -2220,6 +2240,20 @@ class dnszone(DNSZoneBase):
  messages.PublicMessage(type='warning',
  message=forwarders_warning))
 
+def _warning_dnssec_experimental(self, result, *keys, **options):
+# add warning when user use option --dnssec
+if 'idnssecinlinesigning' in options:
+if options['idnssecinlinesigning'] is True:
+msg = dnssec_experimental_true_warning % {
+'zone': keys[-1].relativize(DNSName.root),
+}
+messages.add_message(options['version'], result,
+ messages.PublicMessage(type='warning',
+ message=msg))
+else:
+messages.add_message(options['version'], result,
+ messages.PublicMessage(type='warning',
+ message=dnssec_experimental_false_warning))
 
 
 @register()
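Review bot: the key-generation instructions are emitted on every dnszone-mod that passes `--dnssec=True`, with no look at the zone's previous idnssecinlinesigning value, so an admin who re-runs the command on an already signed zone is told to generate a fresh KSK/ZSK pair again. Consider printing the full instruction text only on a False-to-True transition (fetch the existing value in pre_callback before the modification is applied) and a short experimental-support reminder otherwise.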
@@ -2311,6 +2345,7 @@ class dnszone_add(DNSZoneBase_add):
 def execute(self, *keys, **options):
 result = super(dnszone_add, self).execute(*keys, **options)
 self.obj._warning_forwarding(result, **options)
+self.obj._warning_dnssec_experimental(result, *keys, **options)
 return result
 
 def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
@@ -2393,6 +2428,7 @@ class dnszone_mod(DNSZoneBase_mod):
 def execute(self, *keys, **options):
 result = super(dnszone_mod, self).execute(*keys, **options)
 self.obj._warning_forwarding(result, **options)
+self.obj._warning_dnssec_experimental(result, *keys, **options)
 return result
 
 def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
-- 
1.8.3.1


Re: [Freeipa-devel] DNSSEC: IPA Installation/Upgrade

2014-06-30 Thread Martin Basti
On Tue, 2014-06-24 at 11:49 +0200, Petr Spacek wrote:
 On 23.6.2014 17:49, Martin Basti wrote:
  On Mon, 2014-06-23 at 17:44 +0200, Martin Basti wrote:
  Hello,
  I have following issues:
 
  #1 Upgrading existing replicas to support DNSSEC won't work for current
  design (replica-file as storage for temporal replica key).
  Temporal private key needs to be copied to replica, and no encrypted
  master-key for replica is prepared in LDAP, because user doesn't need to
  run ipa-replica-prepare.
 
  After discussion with Petr2, the solution is:
  a) Each replica (except first - which generates master-key) generates
  replica public and private keys.
  b) Replica uploads public key to LDAP
  c) Replica with generated master key, use the public key (b) to encrypt
  master-key and store it to LDAP. Replica with master-key must detect, if
  there is any new public replica key.
  d) Replica (b) is now able to get master-key using own private replica
  key
 
 
  #2 We need to choose only one replica which will generate, (rotate, ...)
  DNSSEC keys.
  and generate master key too
 
  My proposal is to test during installation/upgrade if any dnssec/master
  keys are in LDAP. If no key was found, the first server is
  installed/upgraded and DNSSEC key generator is required.
 
  But there is issue with parallel upgrade multiple replicas (or if
  replication temporarily doesn't work). There is no guarantee if replicas
  will be able to detect if any replica became DNSSEC key generator.
 
 Let me add that we are going to use syncrepl anyway so the overall latency 
 should be minimal (if replication works).
 

Simo what do you think about it, could you tell us your opinion?

-- 
Martin^2 Basti


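Steps a) to d) of the design quoted above, as an added example that is not code from the FreeIPA DNSSEC implementation: every replica except the first generates its own RSA key pair and publishes only the public half; the replica holding the master key scans for published public keys that have no wrapped copy yet and wraps the symmetric master key for each with RSA-OAEP; the receiving replica unwraps with its private key. The dict standing in for the LDAP subtree, the replica names, the class and function names are the example's own, and the block assumes the pyca `cryptography` package is installed.

```python
import os

from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa

# Constructed stand-in for the shared LDAP subtree; a real deployment would
# keep these as attributes of per-replica entries:
# {replica name: {"public_key": PEM bytes, "wrapped_master_key": bytes or None}}

# RSA-OAEP with SHA-256 is the public-key wrapping chosen for this example.
OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)


class Replica:
    """One IPA DNS server taking part in master-key distribution."""

    def __init__(self, name):
        self.name = name
        self.private_key = None  # generated locally, never leaves this host
        self.master_key = None   # symmetric key every DNS server must share

    def generate_replica_keys(self):
        """Step a): create this replica's own key pair."""
        self.private_key = rsa.generate_private_key(public_exponent=65537,
                                                    key_size=2048)

    def upload_public_key(self, directory):
        """Step b): publish only the public half to the shared directory."""
        pem = self.private_key.public_key().public_bytes(
            serialization.Encoding.PEM,
            serialization.PublicFormat.SubjectPublicKeyInfo)
        directory[self.name] = {"public_key": pem, "wrapped_master_key": None}

    def generate_master_key(self):
        """Only the first server does this: create the shared master key."""
        self.master_key = os.urandom(32)

    def wrap_master_key_for_new_replicas(self, directory):
        """Step c): serve every published public key that has no wrapped copy.

        Returns the names served, so a caller polling the directory (or driven
        by syncrepl, as the thread suggests) can log what it did.
        """
        served = []
        for name, entry in directory.items():
            if name == self.name or entry["wrapped_master_key"] is not None:
                continue
            public_key = serialization.load_pem_public_key(entry["public_key"])
            entry["wrapped_master_key"] = public_key.encrypt(self.master_key, OAEP)
            served.append(name)
        return served

    def fetch_master_key(self, directory):
        """Step d): unwrap the master key with the local private key.

        Returns False when the master-key holder has not served us yet.
        """
        wrapped = directory[self.name]["wrapped_master_key"]
        if wrapped is None:
            return False
        self.master_key = self.private_key.decrypt(wrapped, OAEP)
        return True


def run_distribution(directory, replica_names):
    """Drive one full exchange; the first Replica returned holds the master key."""
    first, *others = [Replica(n) for n in replica_names]
    first.generate_master_key()
    for replica in others:
        replica.generate_replica_keys()
        replica.upload_public_key(directory)
    first.wrap_master_key_for_new_replicas(directory)
    for replica in others:
        replica.fetch_master_key(directory)
    return [first] + others


if __name__ == "__main__":
    store = {}
    replicas = run_distribution(store, ["ipa1.example.test", "ipa2.example.test"])
    print("all replicas share the master key:",
          all(r.master_key == replicas[0].master_key for r in replicas))
```

Only public keys and wrapped copies ever reach the directory, so an attacker who can read it still needs a replica's private key to recover the master key; the "new public key appeared" detection in step c) is what makes the scheme work for replicas added after the first upgrade, which is the case the thread is about.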

Re: [Freeipa-devel] DNSSEC: IPA Installation/Upgrade

2014-06-30 Thread Simo Sorce
On Mon, 2014-06-30 at 17:13 +0200, Martin Basti wrote:
 On Tue, 2014-06-24 at 11:49 +0200, Petr Spacek wrote:
  On 23.6.2014 17:49, Martin Basti wrote:
   On Mon, 2014-06-23 at 17:44 +0200, Martin Basti wrote:
   Hello,
   I have following issues:
  
   #1 Upgrading existing replicas to support DNSSEC won't work for current
   design (replica-file as storage for temporal replica key).
   Temporal private key needs to be copied to replica, and no encrypted
   master-key for replica is prepared in LDAP, because user doesn't need to
   run ipa-replica-prepare.
  
   After discussion with Petr2, the solution is:
   a) Each replica (except first - which generates master-key) generates
   replica public and private keys.
   b) Replica uploads public key to LDAP
   c) Replica with generated master key, use the public key (b) to encrypt
   master-key and store it to LDAP. Replica with master-key must detect, if
   there is any new public replica key.
   d) Replica (b) is now able to get master-key using own private replica
   key
  
  
   #2 We need to choose only one replica which will generate, (rotate, ...)
   DNSSEC keys.
   and generate master key too
  
   My proposal is to test during installation/upgrade if any dnssec/master
   keys are in LDAP. If no key was found, the first server is
   installed/upgraded and DNSSEC key generator is required.
  
   But there is issue with parallel upgrade multiple replicas (or if
   replication temporarily doesn't work). There is no guarantee if replicas
   will be able to detect if any replica became DNSSEC key generator.
  
  Let me add that we are going to use syncrepl anyway so the overall latency 
  should be minimal (if replication works).
  
 
 Simo what do you think about it, could you tell us your opinion?

I think DNSSEC should not be enabled by default, so on upgrade no action
should be taken. Activation/upgrade of DNSSEC feature should be manual
so that no conflict can arise.

Simo.





[Freeipa-devel] [PATCH] 0611 install/ui/build: Build core.js

2014-06-30 Thread Petr Viktorin
IPA wouldn't build for me because of a Makefile problem. This should 
solve the issue.


--
Petr³
From c1d2e90c41c8939f02c7fcb2613163dd05abe4aa Mon Sep 17 00:00:00 2001
From: Petr Viktorin pvikt...@redhat.com
Date: Mon, 30 Jun 2014 17:39:17 +0200
Subject: [PATCH] install/ui/build: Build core.js

The make-ui.sh script builds both app.js and core.js,
but only one was specified in the Makefile.
Correct the mistake.
---
 install/ui/build/freeipa/Makefile.am | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/install/ui/build/freeipa/Makefile.am b/install/ui/build/freeipa/Makefile.am
index d21004d1efe0548ffc4609202006a1561778c18a..0543872e65ec08f981d190fe5c223901b80e8015 100644
--- a/install/ui/build/freeipa/Makefile.am
+++ b/install/ui/build/freeipa/Makefile.am
@@ -21,3 +21,5 @@ nav := $(wildcard ../../src/freeipa/navigation/*.js)
 
 app.js: $(core) $(base) $(widgets) $(nav)
 	../../util/make-ui.sh
+
+core.js: app.js
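Review bot: `core.js: app.js` has no recipe, so when core.js is missing but app.js is up to date, make treats core.js as trivially remade and never regenerates it; the new rule only helps when app.js itself is rebuilt. Since make-ui.sh produces both files in one run, either list both as targets of the one rule (`app.js core.js: $(core) $(base) $(widgets) $(nav)`, accepting that the script may run once per target under a parallel build) or give core.js a recipe that rebuilds it when it is absent.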
-- 
1.9.3


Re: [Freeipa-devel] [PATCH 0078-0079] DNSSEC: Add TLSA record

2014-06-30 Thread Petr Vobornik

On 27.6.2014 14:55, Martin Basti wrote:

On Thu, 2014-06-26 at 13:57 +0200, Petr Vobornik wrote:

On 25.6.2014 14:35, Martin Basti wrote:

On Wed, 2014-06-25 at 14:31 +0200, Martin Basti wrote:

Ticket https://fedorahosted.org/freeipa/ticket/4328#comment:12
Patches attached.

Note: ACI will be updated in another patch which fix ACIs in DNS plugin


Patches are here


What are patch 0078's dependencies? I'm missing necessary blobs..
(current master). Also it requires rebase because of today's pushes to
master (VERSION conflict).


Rebased patch attached



Patch 0078-2:

Just nitpicks.

1. The LDAP attribute type description should be changed to something
more meaningful. The "DNS-Based Authentication of Named Entities - Transport
Layer Security Protocol, RFC 6698" is the complete effort. It does not say
anything about the TLSA record itself. I suggest "TLSA certificate
association, RFC 6698", which is used in chapter 2 of RFC 6698.


2. Nitpick: Not a proper alphabetic order ;)
-u'TSIG', u'TXT',
+u'TSIG', u'TLSA', u'TXT',


Patch 0079:

3. A js-lint warning:

/dns.js(1140): lint warning: extra comma is not recommended in array 
initializers

]
^

Just remove the comma on line 1139. To check it, run:

   `jsl -nofilelisting -nologo -nosummary -conf jsl.conf`

in install/ui directory
--
Petr Vobornik



Re: [Freeipa-devel] [PATCH] 470 Add python-yubico to BuildRequires

2014-06-30 Thread Nathaniel McCallum
Please feel free to provide karma:
https://admin.fedoraproject.org/updates/FEDORA-2014-7700/python-yubico-1.2.1-3.fc20

On Mon, 2014-06-30 at 13:40 +0200, Martin Kosek wrote:
 Right. I assume that Nathaniel would soon move that to stable updates
 repository if no blocking issue emerges.
 
 Martin
 
 On 06/30/2014 12:17 PM, Tomas Babej wrote:
  Please note that python-yubico package is currently available in F20
  updates-testing repository only.
  
  On 06/27/2014 10:18 AM, Martin Kosek wrote:
  python-yubico needs to be on a machine to be able to build FreeIPA.
  Without it, even ./makeapi and ./makeaci fails.
 
  --
 
  Pushed to master under one-liner rule.
 
  Martin
 
 
  
 




Re: [Freeipa-devel] [PATCH] 0611 install/ui/build: Build core.js

2014-06-30 Thread Petr Vobornik

On 30.6.2014 17:43, Petr Viktorin wrote:

IPA wouldn't build for me because of a Makefile problem. This should
solve the issue.



ACK

Pushed to master: dfbd7170e901bc597462191c219c0e2b45c09afa

Sorry about that.
--
Petr Vobornik



Re: [Freeipa-devel] [PATCH 0077] Fix ACI in DNS (was Add dnssecinlinesigning attribute to ACI)

2014-06-30 Thread Petr Viktorin

On 06/25/2014 06:49 PM, Martin Basti wrote:

On Wed, 2014-06-25 at 18:47 +0200, Martin Basti wrote:

On Wed, 2014-06-25 at 12:13 +0200, Petr Viktorin wrote:

On 06/20/2014 03:32 PM, Martin Basti wrote:

Required patches: mbasti-0060, mbasti-0073

Patch attached.



Hi,

For the raw ACI in dns.ldif, there are some more hoops to jump through.

Remove the ACI from /install/share/dns.ldif entirely (except for schema,
we're slowly replacing the .ldif content by .update files).

In install/updates/40-dns.update, you'll notice the Update DNS entries
in a zone ACI is already being added. You'll need to replace it, using
a line like:
  replace:aci:'old ACI::new ACI'
This will remove the old value that IPA 3.x users still have.

I see you already changed the ACI in 7cdc417, in dns.ldif only. Be
sure to use the original value for the old ACI.



As we discussed personally, the ACI requires more changes than adding
idnssecinlinesigning only.

Updated patch attached.


Patch freeipa-mbasti-0078-DNSSEC-add-TLSA-record-type.patch is required.


If 0078 doesn't change substantially, ACK.

--
Petr³


Re: [Freeipa-devel] [PATCHES] 295-299 Allow changing chaining of the IPA CA certificate

2014-06-30 Thread Rob Crittenden
Rob Crittenden wrote:
 Jan Cholasta wrote:
 On 26.6.2014 20:05, Rob Crittenden wrote:
 Jan Cholasta wrote:
 On 16.6.2014 15:35, Jan Cholasta wrote:
 Hi,

 the attached patches implement
 https://fedorahosted.org/freeipa/ticket/3737.

 My patches 241-253 and 262-294 are required for this
 (http://www.redhat.com/archives/freeipa-devel/2014-June/msg00276.html,

 http://www.redhat.com/archives/freeipa-devel/2014-June/msg00307.html).


 The installation/testing guidelines from
 http://www.redhat.com/archives/freeipa-devel/2014-March/msg00385.html
 apply here as well.

 Honza

 Rebased on top of current master.

 295 ACK

 296, 297  299

 TBD, need to test but no problems seen so far.

 298

 The man page, if not usage, should include what the valid trust flags
 are or point to NSS documentation.

 OK.


 rob


 Updated rebased patches attached. Also attaching all the required patches.


A few more things after more testing.

If one renews an externally-issued CA then you can end up with multiple
certs for the IPA CA in /etc/pki/nssdb (for each issued cert). These do
not seem to be cleaned up on uninstall.

On upgrade from 3.3.5 seeing:
Unexpected error - see /var/log/ipaupgrade.log for details:
InvalidSyntax: object class ipaCertificate: Unknown required attribute
type ipaPublicKey: Invalid syntax.

/var/log/ipaupgrade ends with:

2014-06-30T15:03:11Z DEBUG wait_for_open_ports: localhost [389] timeout 300
2014-06-30T15:08:12Z DEBUG   File
/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py,
line 640, in run_script
return_value = main_function()

  File /usr/sbin/ipa-upgradeconfig, line 1171, in main
ds.start(ds_serverid)

  File /usr/lib/python2.7/site-packages/ipaserver/install/service.py,
line 297, in start
self.service.start(instance_name, capture_output=capture_output,
wait=wait)

  File /usr/lib/python2.7/site-packages/ipaplatform/base/services.py,
line 262, in start
self.wait_for_open_ports(self.service_instance(instance_name))

  File /usr/lib/python2.7/site-packages/ipaplatform/base/services.py,
line 228, in wait_for_open_ports
self.api.env.startup_timeout)

  File /usr/lib/python2.7/site-packages/ipapython/ipautil.py, line
1153, in wait_for_open_ports
raise socket.timeout()

2014-06-30T15:08:12Z DEBUG The ipa-upgradeconfig command failed,
exception: timeout:

Turns out it blew up so badly that it didn't restore dse.ldif when the
upgrade finished, something I thought was impossible. This is a pretty
serious problem in itself (and likely unrelated to these patches).

rob



Re: [Freeipa-devel] [PATCHES] 295-299 Allow changing chaining of the IPA CA certificate

2014-06-30 Thread Nalin Dahyabhai
On Fri, Jun 27, 2014 at 06:19:25PM -0400, Rob Crittenden wrote:
 How it is monitoring with a ca-error I don't know.

If there's a previously-issued certificate present, the state machine
goes back to monitoring rather than the dead-end rejected state, so
that it'll try again later when the certificate crosses the next enroll_ttl
threshold.

It's mainly a guess at the right thing to do in that situation (in case
the CA rejected the request for a transient reason that gets remedied at
the server at some point), so I'm not firmly wedded to it, and remain
open to changing it.

Now that I'm writing this, I'm thinking rejected requests should
probably be re-attempted, eventually, though it risks annoying the CA.

Cheers,

Nalin



[Freeipa-devel] [PATCH] 0612 permission plugin: Ignore unparseable ACIs

2014-06-30 Thread Petr Viktorin

Hello,
The new ipaAllowedOperation ACIs cannot be parsed by the ACI parser. 
This made operations on ACIs on the same entry fail (because the plugin 
needs to go through all ACIs on the entry, parsing out the name, until 
it finds one with the correct name).


This fixes the issue, and adds a test that fails without the patch.


Workaround for: https://fedorahosted.org/freeipa/ticket/4376

--
Petr³
From 13987f32c32904e35c6b5b57e943e38128b617ee Mon Sep 17 00:00:00 2001
From: Petr Viktorin pvikt...@redhat.com
Date: Mon, 30 Jun 2014 20:56:23 +0200
Subject: [PATCH] permission plugin: Ignore unparseable ACIs

When manipulating a permission for an entry that has an ACI
that the parser cannot process, skip this ACI instead of
failing.

Add a test that manipulates a permission in cn=accounts,
where there are complex ipaAllowedOperation-based ACIs.

Workaround for: https://fedorahosted.org/freeipa/ticket/4376
---
 ipalib/plugins/permission.py   |  7 +++-
 ipatests/test_xmlrpc/test_permission_plugin.py | 52 ++
 2 files changed, 58 insertions(+), 1 deletion(-)

diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py
index e7bd2209105c374b8dfc4e1c78c22ec5ea9f873e..30571bea393d9c5010fb714be13a247b2c0aeaea 100644
--- a/ipalib/plugins/permission.py
+++ b/ipalib/plugins/permission.py
@@ -641,7 +641,12 @@ def _get_aci_entry_and_string(self, permission_entry, name=None,
 acientry = ldap.make_entry(location)
 acis = acientry.get('aci', ())
 for acistring in acis:
-aci = ACI(acistring)
+try:
+aci = ACI(acistring)
+except SyntaxError as e:
+self.log.warning('Unparseable ACI %s: %s (at %s)',
+ acistring, e, location)
+continue
 if aci.name == wanted_aciname:
 return acientry, acistring
 else:
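Review bot: the `continue` added for an unparseable ACI interacts with the `for ... else` this loop sits in: if the ACI that actually carries `wanted_aciname` is the one `ACI()` rejects, the lookup falls through to the else branch as "not found", and a following add can write a second ACI for the same permission onto the entry. Consider checking whether `acistring` contains the wanted name before skipping it and failing loudly in that case, or at least saying so in the warning. Also, since this runs on every permission operation against an entry such as cn=accounts, `self.log.warning(...)` will repeat for each unparseable ACI on every call; debug level, or one message per entry, would be kinder to the server log.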
diff --git a/ipatests/test_xmlrpc/test_permission_plugin.py b/ipatests/test_xmlrpc/test_permission_plugin.py
index 46e0f1f0eceeb6f2244c1fe9a44158bde9eda716..bf902c367a4a38e4a4a6ea6b20d6140d61e3fbf5 100644
--- a/ipatests/test_xmlrpc/test_permission_plugin.py
+++ b/ipatests/test_xmlrpc/test_permission_plugin.py
@@ -3966,3 +3966,55 @@ class test_permission_filters(Declarative):
 'allow (write) groupdn = ldap:///%s;;)' % permission1_dn,
 ),
 ]
+
+
+class test_permission_in_accounts(Declarative):
+Test managing a permission in cn=accounts
+
+tests = [
+dict(
+desc='Create %r in cn=accounts' % permission1,
+command=(
+'permission_add', [permission1], dict(
+ipapermlocation=DN('cn=accounts', api.env.basedn),
+ipapermright=u'add',
+attrs=[u'cn'],
+)
+),
+expected=dict(
+value=permission1,
+summary=u'Added permission %s' % permission1,
+result=dict(
+dn=permission1_dn,
+cn=[permission1],
+objectclass=objectclasses.permission,
+attrs=[u'cn'],
+ipapermright=[u'add'],
+ipapermbindruletype=[u'permission'],
+ipapermissiontype=[u'SYSTEM', u'V2'],
+ipapermlocation=[DN('cn=accounts', api.env.basedn)],
+),
+),
+),
+
+verify_permission_aci(
+permission1, DN('cn=accounts', api.env.basedn),
+'(targetattr = cn)' +
+'(version 3.0;acl permission:%s;' % permission1 +
+'allow (add) groupdn = ldap:///%s;;)' % permission1_dn,
+),
+
+dict(
+desc='Delete %r' % permission1,
+command=(
+'permission_del', [permission1], {}
+),
+expected=dict(
+result=dict(failed=[]),
+value=[permission1],
+summary=u'Deleted permission %s' % permission1,
+)
+),
+
+verify_permission_aci_missing(permission1, api.env.basedn),
+]
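Review bot: `test_permission_in_accounts` passes only because cn=accounts currently holds ACIs the parser rejects, but nothing in it asserts that precondition, so once the parser learns the ipaAllowedOperation syntax the test keeps passing without ever reaching the new `except SyntaxError` branch. Consider a step that reads the aci values of `DN('cn=accounts', api.env.basedn)` and checks that at least one of them raises `SyntaxError` in `ACI()`. A final check that the pre-existing ACIs on cn=accounts are unchanged after `permission_del` would also be worth adding, since not disturbing them is the point of the fix.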
-- 
1.9.3

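The lookup loop the patch above changes, reduced to a stand-alone example (added here; not FreeIPA's code): a toy ACI parser that only accepts the simple permission-style ACI shape quoted in the patch and raises SyntaxError on anything else, a strict lookup showing why one odd ACI used to break every permission operation on the entry, and the tolerant lookup showing both the fix and its blind spot. The ACI strings and the `permission:Complex` stand-in for an ipaAllowedOperation-based ACI are constructed, not taken from a real server.

```python
import re

# Toy stand-in for ipalib's ACI class, constructed for this example: it
# accepts only the simple permission ACI shape seen in the patch and
# raises SyntaxError on anything else (FreeIPA's real parser is richer).
_SIMPLE_ACI = re.compile(
    r'^\(targetattr = "(?P<attrs>[^"]*)"\)'
    r'\(version 3\.0;acl "(?P<name>[^"]*)";'
    r'allow \((?P<rights>[^)]*)\) groupdn = "ldap:///(?P<group>[^"]*)";\)$')


def parse_aci(acistring):
    m = _SIMPLE_ACI.match(acistring)
    if m is None:
        raise SyntaxError('unsupported ACI syntax: %r' % acistring)
    return m.groupdict()


def find_aci_strict(acis, wanted_name):
    """Pre-patch behaviour: one unparseable ACI aborts the whole lookup."""
    for acistring in acis:
        if parse_aci(acistring)['name'] == wanted_name:
            return acistring
    return None


def find_aci_tolerant(acis, wanted_name, log):
    """Patched behaviour: skip ACIs the parser rejects, log them, go on.

    Returns the matching ACI string, or None when no *parseable* ACI has
    the wanted name (the for/else 'not found' path in the patch). Note
    that a wanted ACI the parser rejects is reported as missing.
    """
    for acistring in acis:
        try:
            aci = parse_aci(acistring)
        except SyntaxError as e:
            log.append('Unparseable ACI %s: %s' % (acistring, e))
            continue
        if aci['name'] == wanted_name:
            return acistring
    return None


# Constructed aci values of one hypothetical cn=accounts entry. The first
# only has to fail the toy parser; it does not reproduce real syntax.
SAMPLE_ACIS = [
    '(targetattr = "*")(targetfilter = "(objectclass=ipahost)")(version 3.0;'
    'acl "permission:Complex";allow (write) userattr = "ipaAllowedOperation#GROUPDN";)',
    '(targetattr = "cn")(version 3.0;acl "permission:Add Users";allow (add) '
    'groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,dc=example,dc=com";)',
]


def strict_lookup_fails(acis, wanted_name):
    """True when the strict lookup dies on an unrelated unparseable ACI."""
    try:
        find_aci_strict(acis, wanted_name)
    except SyntaxError:
        return True
    return False
```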

[Freeipa-devel] [PATCH] 1108 Remove smartproxy

2014-06-30 Thread Rob Crittenden
The Foreman Smart Proxy server has its own upstream now at
https://fedorahosted.org/freeipa-foreman-smartproxy/ so this source is
no longer needed.

rob
From 12ce774bc4e7867d583e6f80a1bc0a181e685d9c Mon Sep 17 00:00:00 2001
From: Rob Crittenden rcrit...@redhat.com
Date: Mon, 30 Jun 2014 18:27:31 -0400
Subject: [PATCH] Remove IPA Foreman Smart Proxy

The code has been moved to its own, separate repository at
git://git.fedorahosted.org/git/freeipa-foreman-smartproxy.git
---
 Makefile   |   5 +-
 freeipa.spec.in|  25 --
 ipaplatform/base/paths.py  |   1 -
 ipatests/test_smartproxy/resttest.py   | 170 
 ipatests/test_smartproxy/test_features.py  |  35 ---
 ipatests/test_smartproxy/test_host.py  | 145 ---
 ipatests/test_smartproxy/test_hostgroup.py |  97 ---
 smartproxy/Makefile.am |  37 ---
 smartproxy/configure.ac|  73 --
 smartproxy/ipa-smartproxy-apache.conf  |  30 ---
 smartproxy/ipa-smartproxy.conf |  14 -
 smartproxy/ipa-smartproxy.py   | 399 -
 smartproxy/man/Makefile.am |  19 --
 smartproxy/man/ipa-smartproxy.1| 105 
 smartproxy/man/ipa-smartproxy.conf.5   |  62 -
 15 files changed, 1 insertion(+), 1216 deletions(-)
 delete mode 100644 ipatests/test_smartproxy/resttest.py
 delete mode 100644 ipatests/test_smartproxy/test_features.py
 delete mode 100644 ipatests/test_smartproxy/test_host.py
 delete mode 100644 ipatests/test_smartproxy/test_hostgroup.py
 delete mode 100644 smartproxy/Makefile.am
 delete mode 100644 smartproxy/configure.ac
 delete mode 100644 smartproxy/ipa-smartproxy-apache.conf
 delete mode 100644 smartproxy/ipa-smartproxy.conf
 delete mode 100644 smartproxy/ipa-smartproxy.py
 delete mode 100644 smartproxy/man/Makefile.am
 delete mode 100644 smartproxy/man/ipa-smartproxy.1
 delete mode 100644 smartproxy/man/ipa-smartproxy.conf.5

diff --git a/Makefile b/Makefile
index e8f80a6885fee9a882ff800c46bd1cdb2ebc504e..ddb47bfd58b3784b07642823db142f8c2076a9b0 100644
--- a/Makefile
+++ b/Makefile
@@ -1,6 +1,6 @@
 include VERSION
 
-SUBDIRS=daemons install ipapython ipa-client smartproxy
+SUBDIRS=daemons install ipapython ipa-client
 CLIENTDIRS=ipapython ipa-client
 
 PRJ_PREFIX=freeipa
@@ -76,7 +76,6 @@ bootstrap-autogen: version-update client-autogen
 	@echo Building IPA $(IPA_VERSION)
 	cd daemons; if [ ! -e Makefile ]; then ../autogen.sh --prefix=/usr --sysconfdir=/etc --localstatedir=/var --libdir=$(LIBDIR) --with-openldap; fi
 	cd install; if [ ! -e Makefile ]; then ../autogen.sh --prefix=/usr --sysconfdir=/etc --localstatedir=/var --libdir=$(LIBDIR); fi
-	cd smartproxy; if [ ! -e Makefile ]; then ../autogen.sh --prefix=/usr --sysconfdir=/etc --localstatedir=/var --libdir=$(LIBDIR); fi
 
 client-autogen: version-update
 	cd ipa-client; if [ ! -e Makefile ]; then ../autogen.sh --prefix=/usr --sysconfdir=/etc --localstatedir=/var --libdir=$(LIBDIR); fi
@@ -202,7 +201,6 @@ tarballs: local-archive
 	cd dist/$(TARBALL_PREFIX)/ipa-client; ../autogen.sh --prefix=/usr --sysconfdir=/etc --localstatedir=/var --libdir=$(LIBDIR); make distclean
 	cd dist/$(TARBALL_PREFIX)/daemons; ../autogen.sh --prefix=/usr --sysconfdir=/etc --localstatedir=/var --libdir=$(LIBDIR); make distclean
 	cd dist/$(TARBALL_PREFIX)/install; ../autogen.sh --prefix=/usr --sysconfdir=/etc --localstatedir=/var --libdir=$(LIBDIR); make distclean
-	cd dist/$(TARBALL_PREFIX)/smartproxy; ../autogen.sh --prefix=/usr --sysconfdir=/etc --localstatedir=/var --libdir=$(LIBDIR); make distclean
 	cd dist; tar cfz sources/$(TARBALL) $(TARBALL_PREFIX)
 	rm -rf dist/$(TARBALL_PREFIX)
 
@@ -269,6 +267,5 @@ maintainer-clean: clean
 	cd install  $(MAKE) maintainer-clean
 	cd ipa-client  $(MAKE) maintainer-clean
 	cd ipapython  $(MAKE) maintainer-clean
-	cd smartproxy  $(MAKE) maintainer-clean
 	rm -f version.m4
 	rm -f freeipa.spec
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 4ba4e87bc3a4692464c0c7a57d45211a3acae155..7d4231fa86847c993fa86c521a0d34e899f2c894 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -221,19 +221,6 @@ Cross-realm trusts with Active Directory in IPA require working Samba 4
 installation. This package is provided for convenience to install all required
 dependencies at once.
 
-
-%package server-foreman-smartproxy
-Summary: Foreman-compatible REST API for IPA
-Group: System Environment/Base
-Requires: %{name}-client = %version-%release
-Requires: python-cherrypy
-Requires: gssproxy = 0.3.1
-Requires: python-kerberos = 1.1-14
-Requires: mod_wsgi
-
-%description server-foreman-smartproxy
-A Foreman-compatible REST API for managing hosts and hostgroups.
-
 %endif # ONLY_CLIENT
 
 
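Review bot: removing `%package server-foreman-smartproxy` without an `Obsoletes:` leaves systems that already installed that subpackage with stale, unmaintained code and a still-configured mod_wsgi endpoint after they upgrade. Consider adding `Obsoletes: %{name}-server-foreman-smartproxy < %{version}-%{release}` to the server subpackage (or having the new upstream's package provide it) and pointing users to the new repository in the changelog.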
@@ -557,10 +544,6 @@ if [ $1 -eq 0 ]; then
 %{_sbindir}/update-alternatives --remove winbind_krb5_locator.so /dev/null
 fi
 
-%post server-foreman-smartproxy
-if [ $1 -gt 1 ] ; then
-