Re: [Freeipa-devel] #4450: how to allow password migration?

2014-07-23 Thread Ludwig Krispenz


On 07/22/2014 05:01 PM, Martin Kosek wrote:

Hello,

I was thinking more about the solution to fix migration in FreeIPA 4.0 as
proposed in
https://fedorahosted.org/freeipa/ticket/4450#comment:6
and I realized it will be more complicated.

Conditionally enabling nsslapd-allow-hashed-passwords in cn=config when
migration mode is enabled is tricky as this setting is not replicated, compared
to ipamigrationenabled.

So enabling the migration on one server would still leave it broken on other
servers. The same applies for disabling it again.

Any ideas how to solve the issue? I am thinking we may need to unconditionally
enable this cn=config setting for now to unblock migration (thus effectively
revert https://fedorahosted.org/389/ticket/47389). Any other solution I can
think of would be too complicated.

If you always enable it, you would have the same behaviour as before
#47389 (which you see as a regression), so it should be ok.


Ludwig

 Thanks.

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH] ipa trust-add command should be interactive

2014-07-23 Thread Jan Cholasta

On 23.7.2014 01:01, Gabe Alford wrote:

Forgot about --trust-secret. Here is an updated patch.


On Mon, Jul 21, 2014 at 2:31 AM, Jan Cholasta jchol...@redhat.com wrote:

On 21.7.2014 10:28, Martin Kosek wrote:

On 07/21/2014 09:56 AM, Jan Cholasta wrote:

Hi,

On 16.7.2014 05:48, Gabe Alford wrote:

Hello,

Adds AD admin and password to interactive commands.
https://fedorahosted.org/freeipa/ticket/3034

Thanks,

Gabe


I think that instead of making the parameters mandatory, you
should instead set
alwaysask=True on them.

Honza


Trust can be established either with user+password options OR with
--trust-secret option - i.e. you cannot use mandatory options
nor alwaysask.


Ah, right.



This would rather lead to interactive_prompt_callback checking
if any of
authentication method is passed and asking for them if they aren't.


+1


Martin



--
Jan Cholasta




I don't think using an extra function to update a value in a dictionary 
is very beneficial, is there a reason not to use kw[X] = 
self.prompt_param(self.params[X]) directly?


--
Jan Cholasta

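Jan's suggestion above, sketched as an added Python example that is not FreeIPA's own code: an interactive prompt callback for ipa trust-add that asks only for whichever authentication method is missing (AD admin plus password, or the shared --trust-secret) instead of marking either set of parameters mandatory or alwaysask. The option names realm_admin, realm_passwd and trust_secret and the injected prompt callable are assumptions standing in for the command's real parameters and its prompt_param() helper.

```python
# Added example, not FreeIPA's own code: prompt callback for `ipa trust-add`
# that accepts either the AD admin + password pair or --trust-secret and asks
# interactively only for whichever method is missing. Marking the parameters
# mandatory or alwaysask=True would wrongly force both methods at once.
#
# Assumed names: `realm_admin`, `realm_passwd`, `trust_secret` stand in for the
# command's option names; `prompt(label, secret)` stands in for prompt_param().
from typing import Callable, Dict, Optional

PromptFn = Callable[[str, bool], str]


class TrustAuthError(ValueError):
    """Raised when the supplied authentication options cannot be reconciled."""


def interactive_prompt_callback(kw: Dict[str, Optional[str]],
                                prompt: PromptFn) -> Dict[str, Optional[str]]:
    """Return a copy of `kw` holding exactly one authentication method.

    prompt(label, secret) asks the user for a value; `secret` hints that the
    input should not be echoed. The caller's dict is never mutated.
    """
    kw = dict(kw)
    has_admin = bool(kw.get("realm_admin"))
    has_passwd = bool(kw.get("realm_passwd"))
    has_secret = bool(kw.get("trust_secret"))

    # The two methods are mutually exclusive: refuse a mixed invocation early
    # rather than silently preferring one of them.
    if has_secret and (has_admin or has_passwd):
        raise TrustAuthError(
            "use either admin credentials or --trust-secret, not both")

    if has_secret:
        return kw                       # shared secret given: nothing to ask

    if has_admin or has_passwd:
        # Credential pair partially given: ask only for the missing half.
        if not has_admin:
            kw["realm_admin"] = prompt("AD domain admin", False)
        if not has_passwd:
            kw["realm_passwd"] = prompt("AD admin password", True)
        return kw

    # Nothing given: offer the admin route first, fall back to the secret.
    admin = prompt("AD domain admin (leave empty to use a trust secret)", False)
    if admin:
        kw["realm_admin"] = admin
        kw["realm_passwd"] = prompt("AD admin password", True)
        return kw
    secret = prompt("Shared trust secret", True)
    if not secret:
        raise TrustAuthError("no authentication method supplied")
    kw["trust_secret"] = secret
    return kw


def scripted_prompt(answers) -> PromptFn:
    """Build a prompt function that replays constructed answers (for testing)."""
    it = iter(answers)

    def prompt(label: str, secret: bool) -> str:
        return next(it)
    return prompt


if __name__ == "__main__":
    # Constructed run: only the admin was passed on the command line, so the
    # callback asks for the password and nothing else.
    print(interactive_prompt_callback({"realm_admin": "Administrator"},
                                      scripted_prompt(["Secret123"])))
```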


[Freeipa-devel] Reasons for not using certmonger DBus API

2014-07-23 Thread David Kupka
While solving ticket #4280 I noticed that we are messing with 
certmonger's files right under its hands. That can lead to some 
unpleasant race condition issues.
Is there any reason why not to call certmonger via DBus and ask it to 
stop tracking the requests?


--
David Kupka



Re: [Freeipa-devel] Reasons for not using certmonger DBus API

2014-07-23 Thread Martin Kosek
On 07/23/2014 09:56 AM, David Kupka wrote:
 While solving ticket #4280 I noticed that we are messing with certmonger's
 files right under its hands. That can lead to some unpleasant race condition
 issues.
 Is there any reason why not to call certmonger via DBus and ask it to stop
 tracking the requests?

+1 for using the dbus API. When I saw the hacky way of parsing certmonger
internal configuration files in ipapython/certmonger.py, I suggested the dbus
way as IMO it would not be difficult to implement, it would make us more future
proof and it would remove intermittent problems like #4280.

Certmonger API looked complete enough to pull this off:
https://git.fedorahosted.org/cgit/certmonger.git/tree/doc/api.txt

If I am wrong, please tell me.

Thanks,
Martin



Re: [Freeipa-devel] Reasons for not using certmonger DBus API

2014-07-23 Thread Jan Cholasta

On 23.7.2014 10:12, Martin Kosek wrote:

On 07/23/2014 09:56 AM, David Kupka wrote:

While solving ticket #4280 I noticed that we are messing with certmonger's
files right under its hands. That can lead to some unpleasant race condition
issues.
Is there any reason why not to call certmonger via DBus and ask it to stop
tracking the requests?


+1 for using the dbus API. When I saw the hacky way of parsing certmonger
internal configuration files in ipapython/certmonger.py, I suggested the dbus
way as IMO it would not be difficult to implement, it would make us more future
proof and it would remove intermittent problems like #4280.


I have already started using the API, e.g. for adding/removing of the CA 
helper in cainstance. Word of warning: the API apparently is not 
exercised much, and there might be bugs (I found one causing certmonger 
to segfault, which Nalin promptly fixed).




Certmonger API looked complete enough to pull this off:
https://git.fedorahosted.org/cgit/certmonger.git/tree/doc/api.txt

If I am wrong, please tell me.


IIRC some of the properties in requests might not be accessible using 
the API. But I'm not sure if this is true or if it affects us.




Thanks,
Martin


--
Jan Cholasta



Re: [Freeipa-devel] Reasons for not using certmonger DBus API

2014-07-23 Thread Alexander Bokovoy

On Wed, 23 Jul 2014, Martin Kosek wrote:

On 07/23/2014 09:56 AM, David Kupka wrote:

While solving ticket #4280 I noticed that we are messing with certmonger's
files right under its hands. That can lead to some unpleasant race condition
issues.
Is there any reason why not to call certmonger via DBus and ask it to stop
tracking the requests?


+1 for using the dbus API. When I saw the hacky way of parsing certmonger
internal configuration files in ipapython/certmonger.py, I suggested the dbus
way as IMO it would not be difficult to implement, it would make us more future
proof and it would remove intermittent problems like #4280.

Certmonger API looked complete enough to pull this off:
https://git.fedorahosted.org/cgit/certmonger.git/tree/doc/api.txt

If I am wrong, please tell me.

Were there DBus Python bindings available in RHEL 5/6 at the time when the
code was written?

Anyway, it looks like a good target to rewrite this code to use DBus these
days.
--
/ Alexander Bokovoy



Re: [Freeipa-devel] Reasons for not using certmonger DBus API

2014-07-23 Thread Martin Kosek
On 07/23/2014 10:33 AM, Jan Cholasta wrote:
 On 23.7.2014 10:12, Martin Kosek wrote:
 On 07/23/2014 09:56 AM, David Kupka wrote:
 While solving ticket #4280 I noticed that we are messing with certmonger's
 files right under its hands. That can lead to some unpleasant race condition
 issues.
 Is there any reason why not to call certmonger via DBus and ask it to stop
 tracking the requests?

 +1 for using the dbus API. When I saw the hacky way of parsing certmonger
 internal configuration files in ipapython/certmonger.py, I suggested the dbus
 way as IMO it would not be difficult to implement, it would make us more 
 future
 proof and it would remove intermittent problems like #4280.
 
 I have already started using the API, e.g. for adding/removing of the CA 
 helper
 in cainstance. Word of warning, the API apparently does not exercised much and
 there might be bugs (I found one causing certmonger to segfault which Nalin
 promptly fixed).

Yup, this is the place where the inspiration came from :-)

 Certmonger API looked complete enough to pull this off:
 https://git.fedorahosted.org/cgit/certmonger.git/tree/doc/api.txt

 If I am wrong, please tell me.
 
 IIRC some of the properties in requests might not be accessible using the API.
 But I'm not sure if this is true or if it affects us.

I did a couple of tests and it seems that getting properties works fine:

>>> import dbus
>>> bus = dbus.SystemBus()
>>> obj = bus.get_object('org.fedorahosted.certmonger', '/org/fedorahosted/certmonger')
>>> iface = dbus.Interface(obj, 'org.fedorahosted.certmonger')
>>> reqs = iface.get_requests()
>>> req = bus.get_object('org.fedorahosted.certmonger', reqs[0])
>>> iface_request = dbus.Interface(req, 'org.fedorahosted.certmonger.request')
>>> iface_request.get_nickname()
dbus.String(u'20140723081859')
>>> iface_request.get_status()
(dbus.String(u'MONITORING'), dbus.Boolean(False))
>>> iface_request.get_key_storage_info()
(dbus.String(u'NSSDB'), dbus.String(u'/etc/pki/pki-tomcat/alias'), dbus.String(u'auditSigningCert cert-pki-ca'), dbus.String(u'NSS Certificate DB'))
>>> iface_request.get_cert_data()

Martin



Re: [Freeipa-devel] Reasons for not using certmonger DBus API

2014-07-23 Thread Jan Cholasta

On 23.7.2014 10:38, Martin Kosek wrote:

On 07/23/2014 10:33 AM, Jan Cholasta wrote:

On 23.7.2014 10:12, Martin Kosek wrote:

On 07/23/2014 09:56 AM, David Kupka wrote:

While solving ticket #4280 I noticed that we are messing with certmonger's
files right under its hands. That can lead to some unpleasant race condition
issues.
Is there any reason why not to call certmonger via DBus and ask it to stop
tracking the requests?


+1 for using the dbus API. When I saw the hacky way of parsing certmonger
internal configuration files in ipapython/certmonger.py, I suggested the dbus
way as IMO it would not be difficult to implement, it would make us more future
proof and it would remove intermittent problems like #4280.


I have already started using the API, e.g. for adding/removing of the CA helper
in cainstance. Word of warning, the API apparently does not exercised much and
there might be bugs (I found one causing certmonger to segfault which Nalin
promptly fixed).


Yup, this is the place where the inspiration came from :-)


Certmonger API looked complete enough to pull this off:
https://git.fedorahosted.org/cgit/certmonger.git/tree/doc/api.txt

If I am wrong, please tell me.


IIRC some of the properties in requests might not be accessible using the API.
But I'm not sure if this is true or if it affects us.


I did couple tests and it seems that getting properties works fine:


import dbus
bus = dbus.SystemBus()
obj =

bus.get_object('org.fedorahosted.certmonger','/org/fedorahosted/certmonger')

iface = dbus.Interface(obj, 'org.fedorahosted.certmonger')
reqs = iface.get_requests()
req = bus.get_object('org.fedorahosted.certmonger', reqs[0])
iface_request = dbus.Interface(req, 'org.fedorahosted.certmonger.request')
iface_request.get_nickname()

dbus.String(u'20140723081859')

iface_request.get_status()

(dbus.String(u'MONITORING'), dbus.Boolean(False))

iface_request.get_key_storage_info()

(dbus.String(u'NSSDB'), dbus.String(u'/etc/pki/pki-tomcat/alias'),
dbus.String(u'auditSigningCert cert-pki-ca'), dbus.String(u'NSS Certificate 
DB'))

iface_request.get_cert_data()


Martin



When I said some of the properties, I certainly did not mean the 
absolute basics, but rather stuff like cert-presave-command.


--
Jan Cholasta



[Freeipa-devel] Ipsilon vs. FedOAuth

2014-07-23 Thread Petr Spacek

Hello list,

I have noticed that Fedora is heavily using project FedOAuth:

Federated Open Authentication
FedOAuth is a provider for federated authentication mechanisms with a modular 
authentication backend.


It sounds somewhat similar to our Ipsilon project and it is also written in 
Python.


Maybe it would be beneficial to somehow cooperate ...

--
Petr^2 Spacek



Re: [Freeipa-devel] Reasons for not using certmonger DBus API

2014-07-23 Thread Martin Kosek
On 07/23/2014 10:49 AM, Jan Cholasta wrote:
 On 23.7.2014 10:38, Martin Kosek wrote:
 On 07/23/2014 10:33 AM, Jan Cholasta wrote:
 On 23.7.2014 10:12, Martin Kosek wrote:
 On 07/23/2014 09:56 AM, David Kupka wrote:
 While solving ticket #4280 I noticed that we are messing with certmonger's
 files right under its hands. That can lead to some unpleasant race 
 condition
 issues.
 Is there any reason why not to call certmonger via DBus and ask it to stop
 tracking the requests?

 +1 for using the dbus API. When I saw the hacky way of parsing certmonger
 internal configuration files in ipapython/certmonger.py, I suggested the 
 dbus
 way as IMO it would not be difficult to implement, it would make us more
 future
 proof and it would remove intermittent problems like #4280.

 I have already started using the API, e.g. for adding/removing of the CA 
 helper
 in cainstance. Word of warning, the API apparently does not exercised much 
 and
 there might be bugs (I found one causing certmonger to segfault which Nalin
 promptly fixed).

 Yup, this is the place where the inspiration came from :-)

 Certmonger API looked complete enough to pull this off:
 https://git.fedorahosted.org/cgit/certmonger.git/tree/doc/api.txt

 If I am wrong, please tell me.

 IIRC some of the properties in requests might not be accessible using the 
 API.
 But I'm not sure if this is true or if it affects us.

 I did couple tests and it seems that getting properties works fine:

 import dbus
 bus = dbus.SystemBus()
 obj =
 bus.get_object('org.fedorahosted.certmonger','/org/fedorahosted/certmonger')
 iface = dbus.Interface(obj, 'org.fedorahosted.certmonger')
 reqs = iface.get_requests()
 req = bus.get_object('org.fedorahosted.certmonger', reqs[0])
 iface_request = dbus.Interface(req, 'org.fedorahosted.certmonger.request')
 iface_request.get_nickname()
 dbus.String(u'20140723081859')
 iface_request.get_status()
 (dbus.String(u'MONITORING'), dbus.Boolean(False))
 iface_request.get_key_storage_info()
 (dbus.String(u'NSSDB'), dbus.String(u'/etc/pki/pki-tomcat/alias'),
 dbus.String(u'auditSigningCert cert-pki-ca'), dbus.String(u'NSS Certificate
 DB'))
 iface_request.get_cert_data()

 Martin

 
 When I said some of the properties, I certainly did not mean the absolute
 basics, but rather stuff like cert-presave-command.

Ah, ok. Then I think this snippet will help:

>>> properties_manager = dbus.Interface(req, 'org.freedesktop.DBus.Properties')
>>> properties_manager.Get('org.fedorahosted.certmonger.request', 'cert-presave-command')
dbus.String(u'/usr/lib64/ipa/certmonger/stop_pkicad')
>>> properties_manager.Get('org.fedorahosted.certmonger.request', 'cert-postsave-command')
dbus.String(u'/usr/lib64/ipa/certmonger/renew_ca_cert auditSigningCert cert-pki-ca')

Martin



Re: [Freeipa-devel] Reasons for not using certmonger DBus API

2014-07-23 Thread Jan Cholasta

On 23.7.2014 12:23, Martin Kosek wrote:

On 07/23/2014 10:49 AM, Jan Cholasta wrote:

On 23.7.2014 10:38, Martin Kosek wrote:

On 07/23/2014 10:33 AM, Jan Cholasta wrote:

On 23.7.2014 10:12, Martin Kosek wrote:

On 07/23/2014 09:56 AM, David Kupka wrote:

While solving ticket #4280 I noticed that we are messing with certmonger's
files right under its hands. That can lead to some unpleasant race condition
issues.
Is there any reason why not to call certmonger via DBus and ask it to stop
tracking the requests?


+1 for using the dbus API. When I saw the hacky way of parsing certmonger
internal configuration files in ipapython/certmonger.py, I suggested the dbus
way as IMO it would not be difficult to implement, it would make us more
future
proof and it would remove intermittent problems like #4280.


I have already started using the API, e.g. for adding/removing of the CA helper
in cainstance. Word of warning, the API apparently does not exercised much and
there might be bugs (I found one causing certmonger to segfault which Nalin
promptly fixed).


Yup, this is the place where the inspiration came from :-)


Certmonger API looked complete enough to pull this off:
https://git.fedorahosted.org/cgit/certmonger.git/tree/doc/api.txt

If I am wrong, please tell me.


IIRC some of the properties in requests might not be accessible using the API.
But I'm not sure if this is true or if it affects us.


I did couple tests and it seems that getting properties works fine:


import dbus
bus = dbus.SystemBus()
obj =

bus.get_object('org.fedorahosted.certmonger','/org/fedorahosted/certmonger')

iface = dbus.Interface(obj, 'org.fedorahosted.certmonger')
reqs = iface.get_requests()
req = bus.get_object('org.fedorahosted.certmonger', reqs[0])
iface_request = dbus.Interface(req, 'org.fedorahosted.certmonger.request')
iface_request.get_nickname()

dbus.String(u'20140723081859')

iface_request.get_status()

(dbus.String(u'MONITORING'), dbus.Boolean(False))

iface_request.get_key_storage_info()

(dbus.String(u'NSSDB'), dbus.String(u'/etc/pki/pki-tomcat/alias'),
dbus.String(u'auditSigningCert cert-pki-ca'), dbus.String(u'NSS Certificate
DB'))

iface_request.get_cert_data()


Martin



When I said some of the properties, I certainly did not mean the absolute
basics, but rather stuff like cert-presave-command.


Ah, ok. Then I think this snippet will help:


properties_manager = dbus.Interface(req, 'org.freedesktop.DBus.Properties')
properties_manager.Get('org.fedorahosted.certmonger.request',

'cert-presave-command')
dbus.String(u'/usr/lib64/ipa/certmonger/stop_pkicad')

properties_manager.Get('org.fedorahosted.certmonger.request',

'cert-postsave-command')
dbus.String(u'/usr/lib64/ipa/certmonger/renew_ca_cert auditSigningCert
cert-pki-ca')

Martin



Nice, I think we are good to go then.

--
Jan Cholasta



[Freeipa-devel] [PATCH] 478 Allow hashed passwords in DS

2014-07-23 Thread Martin Kosek
See the related thread "#4450: how to allow password migration?" for more 
information.

---
Without nsslapd-allow-hashed-passwords being turned on, user password
migration fails.

https://fedorahosted.org/freeipa/ticket/4450

-- 
Martin Kosek mko...@redhat.com
Supervisor, Software Engineering - Identity Management Team
Red Hat Inc.
From 6ec1f70cb25e5841f3ab51a0025797e9ecad1d8f Mon Sep 17 00:00:00 2001
From: Martin Kosek mko...@redhat.com
Date: Wed, 23 Jul 2014 13:03:57 +0200
Subject: [PATCH] Allow hashed passwords in DS

Without nsslapd-allow-hashed-passwords being turned on, user password
migration fails.

https://fedorahosted.org/freeipa/ticket/4450
---
 freeipa.spec.in  | 4 ++--
 install/updates/10-config.update | 5 +
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 447b532b66a0329a5715aca98222ab0ef1aebee4..5a977f5251ecaee6b6eef7e6bf426e088161f761 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -86,7 +86,7 @@ Group: System Environment/Base
 Requires: %{name}-python = %{version}-%{release}
 Requires: %{name}-client = %{version}-%{release}
 Requires: %{name}-admintools = %{version}-%{release}
-Requires: 389-ds-base = 1.3.2.19
+Requires: 389-ds-base = 1.3.2.20
 Requires: openldap-clients  2.4.35-4
 Requires: nss = 3.14.3-12.0
 Requires: nss-tools = 3.14.3-12.0
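Review bot: the commit message explains the cn=config change but not why the 389-ds-base floor moves from 1.3.2.19 to 1.3.2.20 in this hunk; add a sentence stating what 1.3.2.20 provides (presumably the version in which nsslapd-allow-hashed-passwords is honoured, given the 389 ticket 47389 discussion in the "#4450" thread above), because without that context a reader cannot tell whether the 10-config.update change is safe to apply against an older DS.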
@@ -123,7 +123,7 @@ Requires: zip
 Requires: policycoreutils = %{POLICYCOREUTILSVER}
 Requires: tar
 Requires(pre): certmonger = 0.65
-Requires(pre): 389-ds-base = 1.3.2.19
+Requires(pre): 389-ds-base = 1.3.2.20
 Requires: fontawesome-fonts
 Requires: open-sans-fonts
 
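Review bot: the 389-ds-base version string is now maintained in two places (Requires in the first hunk and Requires(pre) here); the spec already uses a macro for policycoreutils (%{POLICYCOREUTILSVER}, two lines above), so a %define for the 389-ds-base minimum would keep the two lines from drifting apart on the next bump.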
diff --git a/install/updates/10-config.update b/install/updates/10-config.update
index 1512b3601bcb2337392b82bf54f540cd48ee8382..30fafbf9e93279633cc5760104fb68456720d2b3 100644
--- a/install/updates/10-config.update
+++ b/install/updates/10-config.update
@@ -63,3 +63,8 @@ dn: cn=Name
 # Can be removed when https://fedorahosted.org/389/ticket/47457 is fixed
 dn: cn=config
 only:nsslapd-sasl-max-buffer-size:2097152
+
+# Allow hashed passwords to be added by non-DM users. Without this
+# setting, password migration fails
+dn: cn=config
+only:nsslapd-allow-hashed-passwords:on
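Review bot: this enables nsslapd-allow-hashed-passwords unconditionally, not only while ipamigrationenabled is set, which is the trade-off discussed in the "#4450: how to allow password migration?" thread above (cn=config is not replicated, so a per-server update file is the only way to keep every replica consistent); record that reasoning, and that it effectively reverts the behaviour introduced by 389 ticket 47389, in the code comment or the commit message so a later reader does not re-tighten it without knowing why it was loosened. Since `only:` replaces whatever value the attribute currently has, also worth stating that an administrator's manual setting will be overwritten on every upgrade.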
-- 
1.9.3


[Freeipa-devel] [PATCH 0275] Add TLSARecord to idnsRecord object class

2014-07-23 Thread Petr Spacek

Hello,

Add TLSARecord to idnsRecord object class.

--
Petr^2 Spacek
From 2d358ccbc323ea6d4339f22b16d419195054e017 Mon Sep 17 00:00:00 2001
From: Petr Spacek pspa...@redhat.com
Date: Fri, 27 Jun 2014 09:33:05 +0200
Subject: [PATCH] Add TLSARecord to idnsRecord object class.

Signed-off-by: Petr Spacek pspa...@redhat.com
---
 doc/schema | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/doc/schema b/doc/schema
index 73e8ee9d5fafd89b136b3f3cf248bfd23c91179c..5ed9e6f5d6ef11ebcf90e63d5b1e3492b7cc95d1 100644
--- a/doc/schema
+++ b/doc/schema
@@ -308,7 +308,7 @@ objectclass ( 2.16.840.1.113730.3.8.6.0
 		SRVRecord $ TXTRecord $ MXRecord $ MDRecord $ HINFORecord $
 		MINFORecord $ AFSDBRecord $ LOCRecord $
 		NXTRecord $ NAPTRRecord $ KXRecord $ CERTRecord $ DNAMERecord $
-		DSRecord $ SSHFPRecord $ DLVRecord
+		DSRecord $ SSHFPRecord $ DLVRecord $ TLSARecord
 	) )
 
 objectclass ( 2.16.840.1.113730.3.8.6.1
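Review bot: TLSARecord is added to the MAY list of the idnsRecord objectclass without a visible attributetype definition; confirm that TLSARecord is already declared in doc/schema (or added in the same series), otherwise the objectclass references an undefined attribute and the schema will not load. A commit message line naming the attribute's OID would help reviewers check that.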
-- 
1.9.3


[Freeipa-devel] [PATCH 0276] Fix crash during reconnection to LDAP

2014-07-23 Thread Petr Spacek

Hello,

Fix crash during reconnection to LDAP.

--
Petr^2 Spacek
From fb979d2f07be16f8cf441d393612504235ab26d8 Mon Sep 17 00:00:00 2001
From: Petr Spacek pspa...@redhat.com
Date: Wed, 23 Jul 2014 14:18:41 +0200
Subject: [PATCH] Fix crash during reconnection to LDAP.

Signed-off-by: Petr Spacek pspa...@redhat.com
---
 NEWS  | 4 
 src/ldap_helper.c | 6 --
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/NEWS b/NEWS
index 970ab7781d4775a499bded3c0299a759f4630f74..b8013a1ee6e01219d7190debb2c8f93817af47a5 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,7 @@
+5.1
+
+[1] Fix crash during reconnection to LDAP.
+
 5.0
 
 [1] Support for DNSSEC in-line signing was added. Now any LDAP zone can be
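Review bot: the 5.1 NEWS entry only repeats the patch subject; say when the crash occurred (reconnecting while a registered zone has no secure counterpart, which is what the ldap_helper.c NULL check below guards against) so users can tell whether the release affects them.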
diff --git a/src/ldap_helper.c b/src/ldap_helper.c
index a7a782fdfc5ae4d28b50155c9614d66a427dc3e0..a163ee9b06f7d4fbe0fe5473172e827bfd3c38c2 100644
--- a/src/ldap_helper.c
+++ b/src/ldap_helper.c
@@ -848,9 +848,11 @@ cleanup_files(ldap_instance_t *inst) {
 	do {
 		CHECK(zr_get_zone_ptr(inst-zone_register, name, raw, secure));
 		cleanup_zone_files(raw);
-		cleanup_zone_files(secure);
 		dns_zone_detach(raw);
-		dns_zone_detach(secure);
+		if (secure != NULL) {
+			cleanup_zone_files(secure);
+			dns_zone_detach(secure);
+		}
 
 		INIT_BUFFERED_NAME(name);
 		CHECK(rbt_iter_next(iter, name));
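Review bot: the NULL guard covers `secure`, but `raw` is still passed to cleanup_zone_files() and dns_zone_detach() unconditionally; if zr_get_zone_ptr() can leave `raw` NULL on the same reconnection path, the crash just moves one line up. Also make sure `secure` is reset to NULL before each zr_get_zone_ptr() call in the loop (not visible in the hunk); otherwise a pointer left over from the previous iteration passes the new check and the stale zone is cleaned up and detached a second time.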
-- 
1.9.3


[Freeipa-devel] [PATCHES] 0102-0103 DNS upgrade: add missing tests if DNS is installed

2014-07-23 Thread Martin Basti

This should be applied in 4.0.x, 4.1, master

Patches attached

--
Martin Basti

From 89e7dd87c1fad90084cb8fab38e985f95de8347e Mon Sep 17 00:00:00 2001
From: Martin Basti mba...@redhat.com
Date: Mon, 21 Jul 2014 16:54:12 +0200
Subject: [PATCH 1/2] Fix DNS upgrade plugin should check if DNS container
 exists

Fortunately this causes no error, because dnszone-find doesn't raise an
exception if there is no DNS container
---
 ipaserver/install/plugins/dns.py | 4 
 1 file changed, 4 insertions(+)

diff --git a/ipaserver/install/plugins/dns.py b/ipaserver/install/plugins/dns.py
index 07c0325d7a7c6062c1827d08f211d317bdc63db4..1aef837f63176cd307868c726460485fd4a004ed 100644
--- a/ipaserver/install/plugins/dns.py
+++ b/ipaserver/install/plugins/dns.py
@@ -61,6 +61,8 @@ class update_dnszones(PostUpdate):
 
 def execute(self, **options):
 ldap = self.obj.backend
+if not dns_container_exists(ldap):
+return (False, False, [])
 
 try:
 zones = api.Command.dnszone_find(all=True)['result']
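Review bot: `dns_container_exists(ldap)` is called here but the hunk shows no import of it; confirm it is already imported in ipaserver/install/plugins/dns.py, otherwise the plugin fails with NameError precisely on the DNS-less servers this patch is meant to handle. A short comment like the one in the second hunk (`# No DNS installed`) would also keep the two checks consistent.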
@@ -153,6 +155,8 @@ class update_check_forwardzones(PreSchemaUpdate):
 # no upgrade is needed
 return (False, False, [])
 ldap = self.obj.backend
+if not dns_container_exists(ldap):  # No DNS installed
+return (False, False, [])
 result = ldap.schema.get_obj(_ldap.schema.models.ObjectClass, 'idnsforwardzone')
 if result is None:
 sysupgrade.set_upgrade_state('dns', 'update_to_forward_zones', True)
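Review bot: this repeats the same check and early return as the first hunk; since both plugins skip when the DNS container is missing, a small shared helper (or a decorator on execute()) would remove the duplication and make it harder for the next DNS upgrade plugin to forget the check.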
-- 
1.8.3.1

From 74b82e1d2a33912c779eb2d0df045ffc3a48f8e6 Mon Sep 17 00:00:00 2001
From: Martin Basti mba...@redhat.com
Date: Wed, 23 Jul 2014 14:40:39 +0200
Subject: [PATCH 2/2] FIX: named_enable_dnssec should verify if DNS is
 installed

---
 install/tools/ipa-upgradeconfig | 5 +
 1 file changed, 5 insertions(+)

diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index 2fecc14042ae9462fe6bde79578c27ce97425b57..54193e9e6f6c9e8e0ca56336ea86cee673893638 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -598,6 +598,11 @@ def named_enable_dnssec():
 
 Enable dnssec in named.conf
 
+if not bindinstance.named_conf_exists():
+# DNS service may not be configured
+root_logger.info('DNS is not configured')
+return False
+
 if not sysupgrade.get_upgrade_state('named.conf', 'dnssec_enabled'):
 root_logger.info('[Enabling dnssec-enable configuration in DNS]')
 try:
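Review bot: the early return logs 'DNS is not configured' at info level on every upgrade of a server without DNS; consider debug level, or at least the bracketed style used by the other message in this function (`[Enabling dnssec-enable configuration in DNS]`), and extend the docstring (`Enable dnssec in named.conf`) to say that False is returned when named.conf is absent, so callers can distinguish "not configured" from "nothing to change".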
-- 
1.8.3.1


Re: [Freeipa-devel] [PATCH 0245] baseldap: Remove redundant search from LDAPAddReverseMember

2014-07-23 Thread Martin Kosek
On 07/23/2014 03:03 PM, Jan Cholasta wrote:
 On 23.7.2014 14:40, Tomas Babej wrote:
 Hi,

 when poking in the depths of the baseldap, I found this seemingly
 redundant search.
 
 ACK. For the record, before commit f1f1b4e the result was used for
 wait_for_memberof.

Pushed to master, ipa-4-1.

Martin



[Freeipa-devel] [PATCH] 710 webui: review pending operation after expired session

2014-07-23 Thread Petr Vobornik

Disable automatic re-execution of command after pending authentication.

It's possible to enable it again globally by
'freeipa/config':`rpc_retry_auth`.

https://fedorahosted.org/freeipa/ticket/4374

# Additional info:
This ticket is in 4.0 stabilization milestone. I don't think it's the 
best fit. It has a potential to break things. It's also harder to test 
because integration tests don't test it - one has to remove session 
cookie every time and then react appropriately.


It's also the first usage of the ./config module (other items there are not 
used). This module was originally implemented to contain global webui 
config which could be overwritten by config configured on the server, i.e. for 
disabling paging in large deployments. The server part doesn't exist 
yet. The other reason is to split ipa.js into more single-purpose files.

--
Petr Vobornik
From fa28c0fbf5451802d640fcb9a9cd09fc1b8082cc Mon Sep 17 00:00:00 2001
From: Petr Vobornik pvobo...@redhat.com
Date: Tue, 22 Jul 2014 10:49:38 +0200
Subject: [PATCH] webui: review pending operation after expired session

Disable automatic re-execution of command after pending authentication.

It's possible to enable it again globally by
'freeipa/config':`rpc_retry_auth`.

https://fedorahosted.org/freeipa/ticket/4374
---
 install/ui/src/freeipa/config.js |  8 +++-
 install/ui/src/freeipa/ipa.js|  1 +
 install/ui/src/freeipa/rpc.js| 19 +++
 3 files changed, 23 insertions(+), 5 deletions(-)

diff --git a/install/ui/src/freeipa/config.js b/install/ui/src/freeipa/config.js
index 632bc136df5e342b7f2d99d8615b3d0d3645b772..08083908f5d727c7ee948dc6aa9dff9042e5a60b 100644
--- a/install/ui/src/freeipa/config.js
+++ b/install/ui/src/freeipa/config.js
@@ -70,8 +70,14 @@ define([], function() {
 dataType: 'json',
 async: true,
 processData: false
-}
+},
 
+/**
+ * Retry RPC command after successful authentication if it failed or was not
+ * executed because of authentication issue.
+ * @type {Boolean}
+ */
+rpc_retry_auth: false
 };
 
 return config;
diff --git a/install/ui/src/freeipa/ipa.js b/install/ui/src/freeipa/ipa.js
index 0fb35632e9147c901f1a961c978d6ed8ff84aa2e..63bab26f2dfa365a9b8ac4c1431982eddf6d8fa0 100644
--- a/install/ui/src/freeipa/ipa.js
+++ b/install/ui/src/freeipa/ipa.js
@@ -137,6 +137,7 @@ var IPA = function () {
 var batch = rpc.batch_command({
 name: 'ipa_init',
 retry: false,
+retry_auth: true,
 on_success: function() {
 that.init_metadata({
 on_success: params.on_success,
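Review bot: opting ipa_init back in with `retry_auth: true` deserves a one-line comment explaining why it is safe to re-execute after re-authentication (the batch only loads metadata, as its on_success handler shows, and has no side effects), since every other command now defaults to not being replayed.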
diff --git a/install/ui/src/freeipa/rpc.js b/install/ui/src/freeipa/rpc.js
index 784f7555b7c2d9a7dbf6b28d7b5f2e0a030f58aa..ada6aeb8db3dc8accd2b5ce49cd2b289bd806f35 100644
--- a/install/ui/src/freeipa/rpc.js
+++ b/install/ui/src/freeipa/rpc.js
@@ -25,12 +25,13 @@
 define([
 'dojo/_base/lang',
 './auth',
+'./config',
 './ipa',
 './text',
 './util',
 'exports'
],
-   function(lang, auth, IPA, text, util, rpc /*exports*/) {
+   function(lang, auth, config, IPA, text, util, rpc /*exports*/) {
 
 /**
  * Call an IPA command over JSON-RPC.
@@ -93,7 +94,14 @@ rpc.command = function(spec) {
  * error handling without any dialog.
  * @property {Boolean} retry=true
  */
-that.retry = typeof spec.retry == 'undefined' ? true : spec.retry;
+that.retry = spec.retry === undefined ? true : spec.retry;
+
+/**
+ * Retry command after successful authentication if it failed or was not
+ * executed because of authentication issue.
+ * @property {Boolean} retry_auth=false
+ */
+that.retry_auth = spec.retry_auth === undefined ? config.rpc_retry_auth : spec.retry_auth;
 
 /** @property {string} error_message Default error message */
 that.error_message = text.get(spec.error_message || '@i18n:dialogs.batch_error_message', 'Some operations failed.');
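Review bot: the JSDoc `@property {Boolean} retry_auth=false` does not match the code on the line below it, which defaults to config.rpc_retry_auth; document the default as coming from config so a reader does not assume a hard-coded false and miss the global switch.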
@@ -229,7 +237,9 @@ rpc.command = function(spec) {
 
 auth.current.set_authenticated(false, '');
 auth.current.authenticate().then(function() {
-that.execute();
+if (that.retry_auth) {
+that.execute();
+}
 });
 }
 
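Review bot: when retry_auth is false the `then` callback now silently drops the command: the user re-authenticates and nothing tells them the pending operation was not carried out, even though the ticket is about letting the user review it. Consider an else branch that notifies the user or rejects the command's promise with an error. Not replaying by default is the safer behaviour: a mutating command captured before the session expired should not run again after re-login without the user confirming it.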
@@ -541,7 +551,8 @@ rpc.batch_command = function(spec) {
 method: that.method,
 args: that.args,
 options: that.options,
-retry: that.retry
+retry: that.retry,
+retry_auth: that.retry_auth
 });
 
 command.on_success = that.batch_command_on_success;
-- 
1.9.3


[Freeipa-devel] [PATCH] 0105 FIX: LDAP_updater

2014-07-23 Thread Martin Basti

This patch fixes ordering problem of schema updates

Martin, should it be in IPA 4.0.x? It requires rebased ldap_python (will 
be in Fedora 21)


Patch attached

--
Martin Basti

From 25aaa9872bbc725648c066f1d253f64c5f84ffc1 Mon Sep 17 00:00:00 2001
From: Martin Basti mba...@redhat.com
Date: Wed, 23 Jul 2014 14:42:33 +0200
Subject: [PATCH] FIX: ldap_updater needs correct orderng of the updates

Required bugfix in python-ldap 2.4.15

Updates must respect SUP objectclasses/attributes and update
dependencies first
---
 freeipa.spec.in   |   2 +-
 ipaserver/install/schemaupdate.py | 124 ++
 2 files changed, 86 insertions(+), 40 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 447b532b66a0329a5715aca98222ab0ef1aebee4..202df6a6b85d62b17a711014261f69f86c9763df 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -98,7 +98,7 @@ Requires: httpd = 2.4.6-6
 Requires: mod_wsgi
 Requires: mod_auth_kerb = 5.4-16
 Requires: mod_nss = 1.0.8-26
-Requires: python-ldap
+Requires: python-ldap = 2.4.15
 Requires: python-krbV
 Requires: acl
 Requires: python-pyasn1
diff --git a/ipaserver/install/schemaupdate.py b/ipaserver/install/schemaupdate.py
index bb2f0f161499c0358452d97f27f5c39b9b64a5ad..ba313feb05aee25bf071d5786a28e64f6e453836 100644
--- a/ipaserver/install/schemaupdate.py
+++ b/ipaserver/install/schemaupdate.py
@@ -29,17 +29,58 @@ from ipaserver.install.ldapupdate import connect
 from ipaserver.install import installutils
 
 
-SCHEMA_ELEMENT_CLASSES = {
+SCHEMA_ELEMENT_CLASSES = (
 # All schema model classes this tool can modify
-'objectclasses': ldap.schema.models.ObjectClass,
-'attributetypes': ldap.schema.models.AttributeType,
-}
+# Depends on order, attributes first, then objectclasses
+('attributetypes', ldap.schema.models.AttributeType),
+('objectclasses', ldap.schema.models.ObjectClass),
+)
+
+SCHEMA_ELEMENT_CLASSES_KEYS = (x[0] for x in SCHEMA_ELEMENT_CLASSES)
 
 ORIGIN = 'IPA v%s' % ipapython.version.VERSION
 
 log = log_mgr.get_logger(__name__)
 
 
+def _get_oid_dependency_order(schema, cls):
+
+Returns a ordered list of OIDs sets, in order which respects inheritance in LDAP
+OIDs in second set, depend on first set, etc.
+
+:return [set(1st-tree-level), set(2nd-tree-level), ...]
+
+top_node = '_'
+ordered_oid_groups = []
+
+tree = schema.tree(cls)  # tree structure of schema
+
+# remove top_node from tree, it breaks ordering
+# we don't need this, tree from file is not consistent
+del tree[top_node]
+unordered_oids = tree.keys()
+
+# split into two groups, parents and child nodes, and iterate until
+# child nodes are not empty
+while unordered_oids:
+parent_nodes = set()
+child_nodes = set()
+
+for node in unordered_oids:
+if node not in child_nodes:
+# if node was child once, must remain as child
+parent_nodes.add(node)
+for child_oid in tree[node]:
+# if any node is child, must be removed from parents
+parent_nodes.discard(child_oid)
+child_nodes.add(child_oid)
+
+ordered_oid_groups.append(parent_nodes)
+unordered_oids = child_nodes
+
+return ordered_oid_groups
+
+
 def update_schema(schema_files, ldapi=False, dm_password=None, live_run=True):
 Update schema to match the given ldif files
 
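Review bot: SCHEMA_ELEMENT_CLASSES_KEYS is a generator expression, so it can be iterated exactly once; the first consumer (the conn.get_entry() call later in this file) exhausts it and any later iteration sees nothing, which would fetch the schema entry with an empty attribute list. Make it a tuple: `SCHEMA_ELEMENT_CLASSES_KEYS = tuple(x[0] for x in SCHEMA_ELEMENT_CLASSES)`. Separately, the while loop in _get_oid_dependency_order() has no guard against cycles: if two elements in a schema file name each other as SUP, parent_nodes comes out empty in every round, child_nodes never shrinks and the updater spins forever; detect a round that yields an empty parent_nodes and fail with a clear error instead.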
@@ -69,58 +110,63 @@ def update_schema(schema_files, ldapi=False, dm_password=None, live_run=True):
 old_schema = conn.schema
 
 schema_entry = conn.get_entry(DN(('cn', 'schema')),
-  SCHEMA_ELEMENT_CLASSES.keys())
+  SCHEMA_ELEMENT_CLASSES_KEYS)
 
 modified = False
 
 # The exact representation the DS gives us for each OID
 # (for debug logging)
 old_entries_by_oid = {cls(str(attr)).oid: str(attr)
-  for attrname, cls in SCHEMA_ELEMENT_CLASSES.items()
+  for (attrname, cls) in SCHEMA_ELEMENT_CLASSES
   for attr in schema_entry[attrname]}
 
 for filename in schema_files:
 log.info('Processing schema LDIF file %s', filename)
 dn, new_schema = ldap.schema.subentry.urlfetch(filename)
 
-for attrname, cls in SCHEMA_ELEMENT_CLASSES.items():
+updating_schema = False
+for attrname, cls in SCHEMA_ELEMENT_CLASSES:
+for oids_set in _get_oid_dependency_order(new_schema, cls):
+# Set of all elements of this class, as strings given by the DS
+new_elements = []
+for oid in oids_set:
+new_obj = new_schema.get_obj(cls, oid)
+old_obj = old_schema.get_obj(cls, oid)
+# Compare python-ldap's sanitized string 

[Freeipa-devel] [PATCH] 712 webui: detach facet nodes

2014-07-23 Thread Petr Vobornik

Detach/attach facet nodes when switching facets instead of
hiding/showing.

Keeps dom-tree more simple.


This patch is not really needed. I implemented it while testing 
something in IE. But it might have positive effect for poorly written 
parts of Web UI (if there are any :) ) or plugins. Basically it 
simplifies DOM tree to contain nodes only for the active facet. 
Therefore ugly expressions like $('button .foobar') are much more 
performant.


--
Petr Vobornik
From 46e9b59f526a4beccba02dbe815f21c3aa688eaa Mon Sep 17 00:00:00 2001
From: Petr Vobornik pvobo...@redhat.com
Date: Tue, 22 Jul 2014 14:15:30 +0200
Subject: [PATCH] webui: detach facet nodes

Detach/attach facet nodes when switching facets instead of
hiding/showing.

Keeps dom-tree more simple.
---
 install/ui/src/freeipa/facet.js| 5 +
 install/ui/src/freeipa/facets/Facet.js | 5 +
 2 files changed, 10 insertions(+)

diff --git a/install/ui/src/freeipa/facet.js b/install/ui/src/freeipa/facet.js
index 0bb697be0b606743279b661d2e901372d735f8c3..50c12d49c4716e2e8d799663b79e04fdeb4d3d86 100644
--- a/install/ui/src/freeipa/facet.js
+++ b/install/ui/src/freeipa/facet.js
@@ -672,6 +672,8 @@ exp.facet = IPA.facet = function(spec, no_init) {
 
 if (!that.dom_node) {
 that.create();
+} else if (!that.dom_node.parentElement) {
+construct.place(that.dom_node[0], that.container_node);
 }
 
 var state = that.state.clone();
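Review bot: `that.dom_node.parentElement` in the new `else if` tests a property of the jQuery wrapper, not of the DOM node (the very next line and the hide() hunk both use that.dom_node[0]); a jQuery object never has parentElement, so this branch always re-places the node. Use `!that.dom_node[0].parentElement`.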
@@ -728,6 +730,9 @@ exp.facet = IPA.facet = function(spec, no_init) {
  */
 that.hide = function() {
 that.is_shown = false;
+if (that.dom_node[0].parentElement) {
+that.container_node.removeChild(that.dom_node[0]);
+}
 that.dom_node.removeClass('active-facet');
 };
 
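Review bot: that.container_node.removeChild(that.dom_node[0]) throws if the node was placed under a different parent than the one recorded in that.container_node; detaching via the node's own parent, `that.dom_node[0].parentElement.removeChild(that.dom_node[0])`, is robust in both cases. The same applies to the hide() hunk in facets/Facet.js below.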
diff --git a/install/ui/src/freeipa/facets/Facet.js b/install/ui/src/freeipa/facets/Facet.js
index e015329c94c69b6c316c2ce65a1bfda2a98a8c91..0608ab6fb1e1983fbbb51f9795c4aabb49cb535a 100644
--- a/install/ui/src/freeipa/facets/Facet.js
+++ b/install/ui/src/freeipa/facets/Facet.js
@@ -285,6 +285,8 @@ define(['dojo/_base/declare',
 if (!this.dom_node) {
 this.create();
 this.render_children();
+} else if (!this.dom_node.parentElement) {
+construct.place(this.dom_node, this.container_node);
 }
 
 dom_class.add(this.dom_node, 'active-facet');
@@ -295,6 +297,9 @@ define(['dojo/_base/declare',
  * Un-mark itself as active facet
  */
 hide: function() {
+if (this.dom_node.parentElement) {
+this.container_node.removeChild(this.dom_node);
+}
 dom_class.remove(this.dom_node, 'active-facet');
 this.emit('hide', { source: this });
 },
-- 
1.9.3


[Freeipa-devel] [PATCH] 713-714 webui: replace action_buttons with action_widget

2014-07-23 Thread Petr Vobornik

[PATCH] 713 webui: replace action_buttons with action_widget

Simplify code base by reuse of 'disable' feature of button_widget. All
occurrences of action-button which were disabled/enabled were replaced
by button-widget.

https://fedorahosted.org/freeipa/ticket/4258

[PATCH] 714 webui: remove remaining action-button-disabled occurrences

Buttons in hbactest check for 'action-button-disabled' but it's never set.

https://fedorahosted.org/freeipa/ticket/4258
--
Petr Vobornik
From 8151b70b2ac3cdc856c3e888eeb9cfd76a3ab140 Mon Sep 17 00:00:00 2001
From: Petr Vobornik pvobo...@redhat.com
Date: Tue, 22 Jul 2014 16:43:28 +0200
Subject: [PATCH] webui: remove remaining action-button-disabled occurrences

Buttons in hbactest check for 'action-button-disabled' but it's never set.

https://fedorahosted.org/freeipa/ticket/4258
---
 install/ui/ipa.css |  9 -
 install/ui/src/freeipa/hbactest.js | 35 +--
 2 files changed, 5 insertions(+), 39 deletions(-)

diff --git a/install/ui/ipa.css b/install/ui/ipa.css
index ec79688a2efc9a3620334e72368816e454ba3c47..2e70a1adc9c97fd9930925adbe6a76b778022eb6 100644
--- a/install/ui/ipa.css
+++ b/install/ui/ipa.css
@@ -252,15 +252,6 @@ div[name=settings].facet-group li a {
 word-wrap: break-word;
 }
 
-.action-button-disabled,
-.action-button-disabled:focus,
-.action-button-disabled:hover {
-color: gray;
-cursor: default;
-text-decoration: none;
-outline: none;
-}
-
 .aci-attribute-table tbody {
 height: 10em;
 }
diff --git a/install/ui/src/freeipa/hbactest.js b/install/ui/src/freeipa/hbactest.js
index 7a9d85ab33ea34b9bcc176bb366aadee83d38509..9ac4e8293e3b5c624f156f7f70a5dd051237e44e 100644
--- a/install/ui/src/freeipa/hbactest.js
+++ b/install/ui/src/freeipa/hbactest.js
@@ -184,12 +184,7 @@ IPA.hbac.test_facet = function(spec) {
 name: 'prev',
 label: '@i18n:widget.prev',
 icon: 'fa-chevron-left',
-click: function() {
-if (!that.prev_button.hasClass('action-button-disabled')) {
-that.prev();
-}
-return false;
-}
+click: that.prev
 }).appendTo(buttons);
 
 buttons.append(' ');
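Review bot: replacing the wrapper with `click: that.prev` drops the `return false` the old handler returned; if the button is rendered as an anchor, the click now also follows its href and bubbles unless that.prev() itself returns false. The same applies to the next, run_test, prev and new_test hunks later in this file. Either have those methods return false or keep a thin wrapper: `click: function() { that.prev(); return false; }`.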
@@ -199,12 +194,7 @@ IPA.hbac.test_facet = function(spec) {
 name: 'next',
 label: '@i18n:widget.next',
 icon: 'fa-chevron-right',
-click: function() {
-if (!that.next_button.hasClass('action-button-disabled')) {
-that.next();
-}
-return false;
-}
+click: that.next
 }).appendTo(buttons);
 };
 
@@ -535,12 +525,7 @@ IPA.hbac.test_run_facet = function(spec) {
 name: 'run_test',
 label: '@i18n:objects.hbactest.run_test',
 icon: 'fa-gear',
-click: function() {
-if (!that.run_button.hasClass('action-button-disabled')) {
-that.run();
-}
-return false;
-}
+click: that.run
 }).appendTo(button_panel);
 
 var result_panel = $('div/', {
@@ -608,12 +593,7 @@ IPA.hbac.test_run_facet = function(spec) {
 name: 'prev',
 label: '@i18n:widget.prev',
 icon: 'fa-chevron-left',
-click: function() {
-if (!that.prev_button.hasClass('action-button-disabled')) {
-that.prev();
-}
-return false;
-}
+click: that.prev
 }).appendTo(buttons);
 
 buttons.append(' ');
@@ -622,12 +602,7 @@ IPA.hbac.test_run_facet = function(spec) {
 name: 'new_test',
 label: '@i18n:objects.hbactest.new_test',
 icon: 'fa-repeat',
-click: function() {
-if (!that.new_test_button.hasClass('action-button-disabled')) {
-that.new_test();
-}
-return false;
-}
+click: that.new_test
 }).appendTo(buttons);
 };
 
-- 
1.9.3

From ff9dacb6b231008e19888e614cacd10598d116ba Mon Sep 17 00:00:00 2001
From: Petr Vobornik pvobo...@redhat.com
Date: Tue, 22 Jul 2014 16:39:36 +0200
Subject: [PATCH] webui: replace action_buttons with action_widget

Simplify code base by reuse of 'disable' feature of button_widget. All
occurrences of action-button which were disabled/enabled were replaced
by button-widget.

https://fedorahosted.org/freeipa/ticket/4258
---
 install/ui/src/freeipa/association.js | 45 +++-
 install/ui/src/freeipa/dns.js | 45 +++-
 install/ui/src/freeipa/sudo.js| 34 --
 install/ui/src/freeipa/widget.js  | 55 +--
 ipatests/test_webui/ui_driver.py  | 42 

Re: [Freeipa-devel] Reasons for not using certmonger DBus API

2014-07-23 Thread Nalin Dahyabhai
On Wed, Jul 23, 2014 at 11:32:52AM +0300, Alexander Bokovoy wrote:
 Were there DBus Python bindings available in RHEL 5/6 at the time when the
 code was written?

Yes, but the API itself wasn't all there, and large parts of the
internals needed to be rewritten around its 0.53 release.  Before then,
it didn't expose _anything_ as properties.  The methods that return data
were all that it provided.

HTH,

Nalin



Re: [Freeipa-devel] Reasons for not using certmonger DBus API

2014-07-23 Thread Nalin Dahyabhai
On Wed, Jul 23, 2014 at 10:12:39AM +0200, Martin Kosek wrote:
 Certmonger API looked complete enough to pull this off:
 https://git.fedorahosted.org/cgit/certmonger.git/tree/doc/api.txt
 
 If I am wrong, please tell me.

No, it's meant to be complete -- the getcert command only uses the APIs
to talk to the daemon, so they provide at least what it needs.

Two words of caution:
* That file's manually maintained, so it might not completely reflect
  what's available.  The introspection data's generated at runtime, so
  if you poke the service with an introspection request, or using
  d-feet, which does so under the covers, you might spot discrepancies.
  It probably goes without saying, but please report any that you find.
* The majority of properties are currently marked read-only, and you
  currently have to use the 'modify' API request to change them.  Mostly
  this is a result of 'getcert' not having needed anything more than
  that, and properties having been added after the initial versions, so
  it's not set in stone.

HTH,

Nalin



Re: [Freeipa-devel] [PATCH] 0105 FIX: LDAP_updater

2014-07-23 Thread Martin Kosek
On 07/23/2014 03:17 PM, Martin Basti wrote:
 This patch fixes ordering problem of schema updates
 
 Martin should it be in IPA 4.0.x ? It requires rebased ldap_python (will be in
 Fedora 21)
 
 Patch attached

If current LDAP updater does not fail or crash on 4.0.x, I would personally
leave this change for FreeIPA 4.1. Note that you may need to also add the new
python-ldap build to pviktori's COPR repo to make it available to Fedora 20 
users.

Martin



[Freeipa-devel] [PATCH] 0005 Verify otptoken timespan is valid

2014-07-23 Thread David Kupka

https://fedorahosted.org/freeipa/ticket/4244
--
David Kupka
From 513fd9b6cf7502ed08e31318dd9425bc12392720 Mon Sep 17 00:00:00 2001
From: David Kupka dku...@redhat.com
Date: Wed, 23 Jul 2014 15:32:18 +0200
Subject: [PATCH] Verify otptoken timespan is valid

When creating or modifying otptoken check that token validity start is not after
validity end.

https://fedorahosted.org/freeipa/ticket/4244
---
 ipalib/plugins/otptoken.py | 38 +-
 1 file changed, 37 insertions(+), 1 deletion(-)

diff --git a/ipalib/plugins/otptoken.py b/ipalib/plugins/otptoken.py
index 2880ee660d5dcdb18c504f50d7b72f5b8fb43d48..7dc01caafdf73e3f54bb4fbdb2ee5e8540e09e74 100644
--- a/ipalib/plugins/otptoken.py
+++ b/ipalib/plugins/otptoken.py
@@ -21,7 +21,7 @@ from ipalib.plugins.baseldap import DN, LDAPObject, LDAPAddMember, LDAPRemoveMem
 from ipalib.plugins.baseldap import LDAPCreate, LDAPDelete, LDAPUpdate, LDAPSearch, LDAPRetrieve
 from ipalib import api, Int, Str, Bool, DateTime, Flag, Bytes, IntEnum, StrEnum, Password, _, ngettext
 from ipalib.plugable import Registry
-from ipalib.errors import PasswordMismatch, ConversionError, LastMemberError, NotFound
+from ipalib.errors import PasswordMismatch, ConversionError, LastMemberError, NotFound, ValidationError
 from ipalib.request import context
 from ipalib.frontend import Local
 
@@ -103,6 +103,17 @@ def _normalize_owner(userobj, entry_attrs):
 if owner is not None:
 entry_attrs['ipatokenowner'] = userobj.get_dn(owner)
 
+def _check_interval(not_before, not_after):
+
+if not_before and not_after:
+if type(not_before) is str:
+not_before = DateTime('not_before')._convert_scalar(not_before)
+if type(not_after) is str:
+not_after = DateTime('not_after')._convert_scalar(not_after)
+
+if not_before  not_after:
+return False
+return True
 
 @register()
 class otptoken(LDAPObject):
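Review bot: the two `type(...) is str` branches in _check_interval() call the private DateTime(...)._convert_scalar() to coerce strings, but values coming from the option parser and from LDAP are already datetime objects, so these branches are dead code and the private call should be dropped; if string coercion is ever needed, do it in the caller through the public parameter API. The function also answers a yes/no question, so a name such as _interval_is_valid would read better at the call sites.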
@@ -254,6 +265,11 @@ class otptoken_add(LDAPCreate):
 entry_attrs['ipatokenuniqueid'] = str(uuid.uuid4())
 dn = DN(ipatokenuniqueid=%s % entry_attrs['ipatokenuniqueid'], dn)
 
+if not _check_interval(entry_attrs.get('ipatokennotbefore', None),
+   entry_attrs.get('ipatokennotafter', None)):
+raise ValidationError(name='not_after',
+error='is before not_before!')
+
 # Set the object class and defaults for specific token types
 entry_attrs['objectclass'] = otptoken.object_class + ['ipatoken' + options['type']]
 for ttype, tattrs in TOKEN_TYPES.items():
@@ -336,6 +352,26 @@ class otptoken_mod(LDAPUpdate):
 msg_summary = _('Modified OTP token %(value)s')
 
 def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
+notafter_set = True
+notbefore = entry_attrs.get('ipatokennotbefore', None)
+notafter = entry_attrs.get('ipatokennotafter', None)
+# notbefore xor notafter, exactly one of them is not None
+if bool(notbefore) ^ bool(notafter):
+result = self.api.Command.otptoken_find(ipatokenuniqueid=
+entry_attrs.get('ipatokenuniqueid', None))['result']
+if result:
+if notbefore is None:
+notbefore = result[0]['ipatokennotbefore'][0]
+if notafter is None:
+notafter_set = False
+notafter = result[0]['ipatokennotafter'][0]
+if not _check_interval(notbefore, notafter):
+if notafter_set:
+raise ValidationError(name='not_after',
+error='is before not_before!')
+else:
+raise ValidationError(name='not_before',
+error='is after not_after!')
 _normalize_owner(self.api.Object.user, entry_attrs)
 return dn
 
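Review bot: `result[0]['ipatokennotbefore'][0]` and `result[0]['ipatokennotafter'][0]` raise KeyError when the stored token has no such attribute, which is the common case for a token created without a validity window, so a plain otptoken-mod setting only one bound on such a token would crash the command; use .get() with a None default, which _check_interval() already handles. The lookup itself keys on entry_attrs.get('ipatokenuniqueid'), but the unique id is the primary key and not part of the modified attributes, so the find runs with ipatokenuniqueid=None; the key is available as keys[-1].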
-- 
1.9.3


[Freeipa-devel] [PATCH] 0006 Fix group-remove-member crash when group is removed from a protected group

2014-07-23 Thread David Kupka

https://fedorahosted.org/freeipa/ticket/4448
--
David Kupka
From 306fd94ae35f153bd7eabf80217219ec25b2189b Mon Sep 17 00:00:00 2001
From: David Kupka dku...@redhat.com
Date: Wed, 23 Jul 2014 16:02:17 +0200
Subject: [PATCH] Fix group-remove-member crash when group is removed from a
 protected group

https://fedorahosted.org/freeipa/ticket/4448
---
 ipalib/plugins/group.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipalib/plugins/group.py b/ipalib/plugins/group.py
index af5d4b6bf5217fcda912a92453d15cd0974c1c53..4890bab111c2882ed34cfe28e7384982b9815ac4 100644
--- a/ipalib/plugins/group.py
+++ b/ipalib/plugins/group.py
@@ -526,7 +526,7 @@ class group_remove_member(LDAPRemoveMember):
 protected_group_name = keys[0]
 result = api.Command.group_show(protected_group_name)
 users_left = set(result['result'].get('member_user', []))
-users_deleted = set(options['user'])
+users_deleted = set(options.get('user',[]))
 if users_left.issubset(users_deleted):
 raise errors.LastMemberError(key=sorted(users_deleted)[0],
 label=_(u'group'), container=protected_group_name)
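Review bot: with `options.get('user', [])` the crash moves rather than disappears: when no users are being removed, users_deleted is the empty set, `users_left.issubset(users_deleted)` is true exactly when the protected group has no user members at all, and `sorted(users_deleted)[0]` then raises IndexError on the empty set. Guard the whole block with `if options.get('user'):` so the check (and the group_show call) only runs when users are actually being removed.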
-- 
1.9.3


Re: [Freeipa-devel] [PATCH] 0006 Fix group-remove-member crash when group is removed from a protected group

2014-07-23 Thread Martin Kosek
On 07/23/2014 04:08 PM, David Kupka wrote:
 https://fedorahosted.org/freeipa/ticket/4448

Alternatively, we could also update the if condition to avoid running this
section at all when options['user'] does not exist or is empty. This would save
us at least from api.Command.group_show call.

Martin



Re: [Freeipa-devel] [PATCH] 0006 Fix group-remove-member crash when group is removed from a protected group

2014-07-23 Thread Rob Crittenden
Martin Kosek wrote:
 On 07/23/2014 04:08 PM, David Kupka wrote:
 https://fedorahosted.org/freeipa/ticket/4448
 
 Alternatively, we could also update the if condition to avoid running this
 section at all when options['user'] does not exist or is empty. This would 
 save
 us at least from api.Command.group_show call.

A new test or tests would be nice as well.

rob



[Freeipa-devel] [PATCH] 479 Do not require dogtag-pki-server-theme

2014-07-23 Thread Martin Kosek
Theme package contains resources for PKI web interface. This interface
is not needed by FreeIPA as it rather utilizes its API. As recommended in
https://bugzilla.redhat.com/show_bug.cgi?id=1068029#c5, remove this hard
dependency.

-- 
Martin Kosek mko...@redhat.com
Supervisor, Software Engineering - Identity Management Team
Red Hat Inc.
From 6f3d9105ac1a822e5cdbf58148dd609c9256fad5 Mon Sep 17 00:00:00 2001
From: Martin Kosek mko...@redhat.com
Date: Wed, 23 Jul 2014 16:35:13 +0200
Subject: [PATCH] Do not require dogtag-pki-server-theme

Theme package contains resources for PKI web interface. This interface
is not needed by FreeIPA as it rather utilizes its API. As recommended in
https://bugzilla.redhat.com/show_bug.cgi?id=1068029#c5, remove this hard
dependency.
---
 freeipa.spec.in | 1 -
 1 file changed, 1 deletion(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 447b532b66a0329a5715aca98222ab0ef1aebee4..5e0fe961f2a90a67ecaa8f12f0b0f031d64ca4ce 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -112,7 +112,6 @@ Requires: selinux-policy = 3.12.1-176
 Requires(post): selinux-policy-base
 Requires: slapi-nis = 0.47.7
 Requires: pki-ca = 10.1.1
-Requires: dogtag-pki-server-theme
 %if 0%{?rhel}
 Requires: subscription-manager
 %endif
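Review bot: dropping the Requires only changes what a fresh install pulls in; servers that already have dogtag-pki-server-theme keep it, so the change affects new deployments and anyone who relied on FreeIPA pulling the PKI web UI in. State in the commit message whether the PKI web interface is unsupported on FreeIPA-managed CAs, so the dropped dependency stays traceable when someone reports the UI missing.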
-- 
1.9.3


Re: [Freeipa-devel] [PATCH] 0105 FIX: LDAP_updater

2014-07-23 Thread Martin Basti

On 23/07/14 15:30, Rob Crittenden wrote:

Martin Basti wrote:

This patch fixes ordering problem of schema updates

Martin should it be in IPA 4.0.x ? It requires rebased ldap_python (will
be in Fedora 21)

Patch attached

It looks like the modlist is only generated during a live run which
would diminish the utility of the --test mode.

Is it safe to assume this was done on purpose because schema changes are
being done incrementally vs done all at once, so that parent classes may
not exist in test mode?

rob

My bad, I fixed it. Now modlist will show updated data in --test mode too.

Data are not updated in LDAP in test mode, so there are no restrictions 
on having a proper order of classes, and they could all be written at once.


Updated patch attached.

--
Martin Basti

From cfc259534ea5d8aaff2c57f66cf41a87864e1fcd Mon Sep 17 00:00:00 2001
From: Martin Basti mba...@redhat.com
Date: Wed, 23 Jul 2014 14:42:33 +0200
Subject: [PATCH] FIX: ldap_updater needs correct orderng of the updates

Required bugfix in python-ldap 2.4.15

Updates must respect SUP objectclasses/attributes and update
dependencies first
---
 freeipa.spec.in   |   2 +-
 ipaserver/install/schemaupdate.py | 116 ++
 2 files changed, 80 insertions(+), 38 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 447b532b66a0329a5715aca98222ab0ef1aebee4..202df6a6b85d62b17a711014261f69f86c9763df 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -98,7 +98,7 @@ Requires: httpd = 2.4.6-6
 Requires: mod_wsgi
 Requires: mod_auth_kerb = 5.4-16
 Requires: mod_nss = 1.0.8-26
-Requires: python-ldap
+Requires: python-ldap = 2.4.15
 Requires: python-krbV
 Requires: acl
 Requires: python-pyasn1
diff --git a/ipaserver/install/schemaupdate.py b/ipaserver/install/schemaupdate.py
index bb2f0f161499c0358452d97f27f5c39b9b64a5ad..3dbcf7882e410af5a08fe23d23677ad5d0ea01c4 100644
--- a/ipaserver/install/schemaupdate.py
+++ b/ipaserver/install/schemaupdate.py
@@ -29,17 +29,58 @@ from ipaserver.install.ldapupdate import connect
 from ipaserver.install import installutils
 
 
-SCHEMA_ELEMENT_CLASSES = {
+SCHEMA_ELEMENT_CLASSES = (
 # All schema model classes this tool can modify
-'objectclasses': ldap.schema.models.ObjectClass,
-'attributetypes': ldap.schema.models.AttributeType,
-}
+# Depends on order, attributes first, then objectclasses
+('attributetypes', ldap.schema.models.AttributeType),
+('objectclasses', ldap.schema.models.ObjectClass),
+)
+
+SCHEMA_ELEMENT_CLASSES_KEYS = (x[0] for x in SCHEMA_ELEMENT_CLASSES)
 
 ORIGIN = 'IPA v%s' % ipapython.version.VERSION
 
 log = log_mgr.get_logger(__name__)
 
 
+def _get_oid_dependency_order(schema, cls):
+
+Returns a ordered list of OIDs sets, in order which respects inheritance in LDAP
+OIDs in second set, depend on first set, etc.
+
+:return [set(1st-tree-level), set(2nd-tree-level), ...]
+
+top_node = '_'
+ordered_oid_groups = []
+
+tree = schema.tree(cls)  # tree structure of schema
+
+# remove top_node from tree, it breaks ordering
+# we don't need this, tree from file is not consistent
+del tree[top_node]
+unordered_oids = tree.keys()
+
+# split into two groups, parents and child nodes, and iterate until
+# child nodes are not empty
+while unordered_oids:
+parent_nodes = set()
+child_nodes = set()
+
+for node in unordered_oids:
+if node not in child_nodes:
+# if node was child once, must remain as child
+parent_nodes.add(node)
+for child_oid in tree[node]:
+# if any node is child, must be removed from parents
+parent_nodes.discard(child_oid)
+child_nodes.add(child_oid)
+
+ordered_oid_groups.append(parent_nodes)
+unordered_oids = child_nodes
+
+return ordered_oid_groups
+
+
 def update_schema(schema_files, ldapi=False, dm_password=None, live_run=True):
 Update schema to match the given ldif files
 
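Review bot: SCHEMA_ELEMENT_CLASSES_KEYS is still a generator expression in this revision, so it is exhausted after its first consumer iterates it; a tuple is the safe choice. The missing cycle guard in the while loop of _get_oid_dependency_order() also still applies: a schema file with mutually dependent SUP entries never empties child_nodes.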
@@ -69,57 +110,58 @@ def update_schema(schema_files, ldapi=False, dm_password=None, live_run=True):
 old_schema = conn.schema
 
 schema_entry = conn.get_entry(DN(('cn', 'schema')),
-  SCHEMA_ELEMENT_CLASSES.keys())
+  SCHEMA_ELEMENT_CLASSES_KEYS)
 
 modified = False
 
 # The exact representation the DS gives us for each OID
 # (for debug logging)
 old_entries_by_oid = {cls(str(attr)).oid: str(attr)
-  for attrname, cls in SCHEMA_ELEMENT_CLASSES.items()
+  for (attrname, cls) in SCHEMA_ELEMENT_CLASSES
   for attr in schema_entry[attrname]}
 
 for filename in schema_files:
 log.info('Processing schema LDIF file %s', filename)
 dn, new_schema = 

[Freeipa-devel] [PATCH] 715 webui: add bounce url to reset_password.html

2014-07-23 Thread Petr Vobornik

reset_password.html now redirects browser to URL specified in 'redirect'
uri component (if present).

The component has to be URI encoded, i.e. (in browser console):

$ 
encodeURIComponent('http://pvoborni.fedorapeople.org/doc/#!/guide/Debugging')


--
http%3A%2F%2Fpvoborni.fedorapeople.org%2Fdoc%2F%23!%2Fguide%2FDebugging

--

https://my.freeipa.server/ipa/ui/reset_password.html?redirect=http%3A%2F%2Fpvoborni.fedorapeople.org%2Fdoc%2F%23!%2Fguide%2FDebugging

https://fedorahosted.org/freeipa/ticket/4440
--
Petr Vobornik
From 975c1afb4a96d699a43f9c68af343316659d7c6d Mon Sep 17 00:00:00 2001
From: Petr Vobornik pvobo...@redhat.com
Date: Wed, 23 Jul 2014 16:53:56 +0200
Subject: [PATCH] webui: add bounce url to reset_password.html

reset_password.html now redirects browser to URL specified in 'redirect'
uri component (if present).

The component has to be URI encoded, i.e. (in browser console):

$ encodeURIComponent('http://pvoborni.fedorapeople.org/doc/#!/guide/Debugging')

--
http%3A%2F%2Fpvoborni.fedorapeople.org%2Fdoc%2F%23!%2Fguide%2FDebugging

--

https://my.freeipa.server/ipa/ui/reset_password.html?redirect=http%3A%2F%2Fpvoborni.fedorapeople.org%2Fdoc%2F%23!%2Fguide%2FDebugging

https://fedorahosted.org/freeipa/ticket/4440
---
 install/ui/reset_password.js | 24 
 1 file changed, 24 insertions(+)

diff --git a/install/ui/reset_password.js b/install/ui/reset_password.js
index bc08349876ea18d204ce4d6e8ae7724878967620..1afc76eba061a7015d1e817e840177fd60e35160 100644
--- a/install/ui/reset_password.js
+++ b/install/ui/reset_password.js
@@ -114,6 +114,7 @@ RP.on_submit = function() {
 } else {
 RP.reset_form();
 RP.show_success(Password reset was successful.);
+RP.redirect();
 }
 };
 
@@ -140,6 +141,29 @@ RP.show_success = function(message) {
 $('.alert-success').css('display', '');
 };
 
+RP.parse_uri = function() {
+var opts = {};
+if (window.location.search.length  1) {
+var couples = window.location.search.substr(1).split();
+for (var i=0,l=couples.length; i  l; i++) {
+var couple = couples[i].split(=);
+var key = decodeURIComponent(couple[0]);
+var value = couple.length  1 ? decodeURIComponent(couple[1]) : '';
+opts[key] = value;
+}
+}
+return opts;
+};
+
+RP.redirect = function() {
+
+var opts = RP.parse_uri();
+var url = opts['redirect'];
+if (url) {
+window.location = url;
+}
+};
+
 
 RP.init = function() {
 
-- 
1.9.3

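A same-origin check for the 'redirect' component, as an added example that is not part of the patch or of FreeIPA: it parses the query string the way RP.parse_uri() does and returns a target only when it resolves to the page's own origin over http(s). The function names and the page origin are assumptions.

```javascript
'use strict';

// Added example, not FreeIPA code. Parse "?a=b&c=d" into an object the
// way the patch's parse_uri() does, but take the search string as a
// parameter so it runs outside a browser; pairs that fail to decode
// (malformed percent sequences) are skipped instead of throwing.
function parseQuery(search) {
    var opts = {};
    if (search.length > 1) {
        var couples = search.substr(1).split('&');
        for (var i = 0, l = couples.length; i < l; i++) {
            var couple = couples[i].split('=');
            try {
                var key = decodeURIComponent(couple[0]);
                var value = couple.length > 1 ? decodeURIComponent(couple[1]) : '';
                opts[key] = value;
            } catch (e) {
                // URIError: ignore the malformed pair
            }
        }
    }
    return opts;
}

// Return the absolute URL to bounce to, or null when there is no usable
// 'redirect' component. pageOrigin is the origin of reset_password.html
// (an assumed value; in the browser this would be window.location.origin).
// The target must resolve, relative to pageOrigin, to the same origin and
// to http(s); this rejects off-site hosts, protocol-relative "//host"
// targets and javascript: URLs.
function safeRedirectTarget(search, pageOrigin) {
    var target = parseQuery(search).redirect;
    if (!target) {
        return null;
    }
    var parsed;
    try {
        parsed = new URL(target, pageOrigin);
    } catch (e) {
        return null; // not a parseable URL
    }
    if (parsed.protocol !== 'https:' && parsed.protocol !== 'http:') {
        return null;
    }
    if (parsed.origin !== new URL(pageOrigin).origin) {
        return null;
    }
    return parsed.href;
}
```

In the page this would replace the unconditional `window.location = url` in RP.redirect(): assign only when safeRedirectTarget() returns a non-null value.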
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
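Added example, not code from Petr's patch or from the FreeIPA project: a hardened form of the 'redirect' handling the patch above adds to reset_password.js, which only navigates when the decoded target is an https URL on the page's own origin and tolerates malformed query strings. parseQuery, safeRedirectTarget, redirectIfSafe, PAGE_ORIGIN and ALLOWED_ORIGINS are assumed names and constructed values; it runs under Node or a browser with the WHATWG URL global.

```javascript
// Added example (not the FreeIPA code). The patch assigns the decoded
// 'redirect' value straight to window.location, so any link to the reset
// page can bounce the user to a foreign site after a successful reset, and a
// javascript: value would execute as script. Here the target must parse, be
// https and sit on an allowlisted origin. Names and origins are assumptions.

const PAGE_ORIGIN = 'https://my.freeipa.server';   // constructed
const ALLOWED_ORIGINS = [PAGE_ORIGIN];              // constructed

// Parse window.location.search ("?a=1&b=2") into an object, as RP.parse_uri does.
// Throws URIError on a malformed %-escape; the caller must handle that.
function parseQuery(search) {
  const opts = {};
  if (search.length > 1) {
    for (const couple of search.substr(1).split('&')) {
      const eq = couple.indexOf('=');
      const key = eq < 0 ? couple : couple.slice(0, eq);
      const value = eq < 0 ? '' : couple.slice(eq + 1);
      opts[decodeURIComponent(key)] = decodeURIComponent(value);
    }
  }
  return opts;
}

// Return the absolute URL to navigate to, or null when there is no safe target.
// Relative paths resolve against pageOrigin, so "/ipa/ui/" is accepted while
// "//evil.example/" resolves to a foreign origin and is rejected.
function safeRedirectTarget(search, pageOrigin, allowedOrigins) {
  let raw;
  try {
    raw = parseQuery(search).redirect;
  } catch (e) {
    return null;                                          // malformed percent-encoding
  }
  if (!raw) return null;
  let url;
  try {
    url = new URL(raw, pageOrigin);
  } catch (e) {
    return null;                                          // unparsable target
  }
  if (url.protocol !== 'https:') return null;             // rejects javascript:, data:, http:
  if (!allowedOrigins.includes(url.origin)) return null;  // rejects foreign hosts
  return url.href;
}

// Drop-in for RP.redirect: navigate only when a safe target exists; returns it for checking.
function redirectIfSafe(win) {
  const target = safeRedirectTarget(win.location.search, win.location.origin, ALLOWED_ORIGINS);
  if (target) win.location.assign(target);
  return target;
}
```

Note that the external http:// documentation link used as the example in the commit message is rejected by this check; a deployment that wants to bounce to another site must add that site's https origin to the allowlist.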

Re: [Freeipa-devel] [PATCH] 0005 Verify otptoken timespan is valid

2014-07-23 Thread Jan Cholasta

Hi,

On 23.7.2014 15:46, David Kupka wrote:

https://fedorahosted.org/freeipa/ticket/4244


1) Use isinstance(X, Y) instead of type(X) is Y.

2) When is type(not_before) is str or type(not_after) is str true? 
The values coming from command options or LDAP should always be 
datetime, never str.


3) There are some misindentations:

+raise ValidationError(name='not_after',
+error='is before not_before!')

+raise ValidationError(name='not_after',
+error='is before not_before!')

+raise ValidationError(name='not_before',
+error='is after not_after!')

4) We don't do exclamation marks in error messages.

5) Generally, when you want to validate command options, you should look 
into options, not entry_attrs.


6) This is not right:

+result = self.api.Command.otptoken_find(ipatokenuniqueid=
+entry_attrs.get('ipatokenuniqueid', None))['result']

This is:

+result = self.api.Command.otptoken_show(keys[-1])['result']

Honza

--
Jan Cholasta



Re: [Freeipa-devel] [PATCH] 479 Do not require dogtag-pki-server-theme

2014-07-23 Thread Alexander Bokovoy

On Wed, 23 Jul 2014, Martin Kosek wrote:

Theme package contains resources for PKI web interface. This interface
is not needed by FreeIPA as it rather utilizes its API. As recommended in
https://bugzilla.redhat.com/show_bug.cgi?id=1068029#c5, remove this hard
dependency.

I've seen several times that people continue using PKI web interfaces
for things we do not support yet, like issuing user certificates and the
rest of features supported in Dogtag.

I think this change might be subtle but otherwise breaking for some
users.

--
/ Alexander Bokovoy



Re: [Freeipa-devel] [PATCH] 479 Do not require dogtag-pki-server-theme

2014-07-23 Thread Martin Kosek
On 07/23/2014 05:07 PM, Alexander Bokovoy wrote:
 On Wed, 23 Jul 2014, Martin Kosek wrote:
 Theme package contains resources for PKI web interface. This interface
 is not needed by FreeIPA as it rather utilizes its API. As recommended in
 https://bugzilla.redhat.com/show_bug.cgi?id=1068029#c5, remove this hard
 dependency.
 I've seen several times that people continue using PKI web interfaces
 for things we do not support yet, like issuing user certificates and the
 rest of features supported in Dogtag.
 
 I think this change might be subtle but otherwise breaking for some
 users.

Ah, I personally did not see that yet. However, as this is still quite hacky
and experimental use of FreeIPA PKI, it should not be in the list of hard
requirements IMO. People who really need to use this interface can always
install the package.

Martin



Re: [Freeipa-devel] [PATCH] 479 Do not require dogtag-pki-server-theme

2014-07-23 Thread Alexander Bokovoy

On Wed, 23 Jul 2014, Martin Kosek wrote:

On 07/23/2014 05:07 PM, Alexander Bokovoy wrote:

On Wed, 23 Jul 2014, Martin Kosek wrote:

Theme package contains resources for PKI web interface. This interface
is not needed by FreeIPA as it rather utilizes its API. As recommended in
https://bugzilla.redhat.com/show_bug.cgi?id=1068029#c5, remove this hard
dependency.

I've seen several times that people continue using PKI web interfaces
for things we do not support yet, like issuing user certificates and the
rest of features supported in Dogtag.

I think this change might be subtle but otherwise breaking for some
users.


Ah, I personally did not see that yet. However, as this is still quite hacky
and experimental use of FreeIPA PKI, it should not be in the list of hard
requirements IMO. People who really need to use this interface can always
install the package.

At the very least this change has to be in the release notes.
--
/ Alexander Bokovoy



Re: [Freeipa-devel] [PATCH] 479 Do not require dogtag-pki-server-theme

2014-07-23 Thread Martin Kosek
On 07/23/2014 05:21 PM, Alexander Bokovoy wrote:
 On Wed, 23 Jul 2014, Martin Kosek wrote:
 On 07/23/2014 05:07 PM, Alexander Bokovoy wrote:
 On Wed, 23 Jul 2014, Martin Kosek wrote:
 Theme package contains resources for PKI web interface. This interface
 is not needed by FreeIPA as it rather utilizes its API. As recommended in
 https://bugzilla.redhat.com/show_bug.cgi?id=1068029#c5, remove this hard
 dependency.
 I've seen several times that people continue using PKI web interfaces
 for things we do not support yet, like issuing user certificates and the
 rest of features supported in Dogtag.

 I think this change might be subtle but otherwise breaking for some
 users.

 Ah, I personally did not see that yet. However, as this is still quite hacky
 and experimental use of FreeIPA PKI, it should not be in the list of hard
 requirements IMO. People who really need to use this interface can always
 install the package.
 At the very least this change has to be in the release notes.

I think I see the deal - apply the patch only for FreeIPA 4.1 and master (and
not for 4.0.x) and add appropriate release notes for 4.1, when released.

Martin



Re: [Freeipa-devel] [PATCH] 479 Do not require dogtag-pki-server-theme

2014-07-23 Thread Alexander Bokovoy

On Wed, 23 Jul 2014, Martin Kosek wrote:

On 07/23/2014 05:21 PM, Alexander Bokovoy wrote:

On Wed, 23 Jul 2014, Martin Kosek wrote:

On 07/23/2014 05:07 PM, Alexander Bokovoy wrote:

On Wed, 23 Jul 2014, Martin Kosek wrote:

Theme package contains resources for PKI web interface. This interface
is not needed by FreeIPA as it rather utilizes its API. As recommended in
https://bugzilla.redhat.com/show_bug.cgi?id=1068029#c5, remove this hard
dependency.

I've seen several times that people continue using PKI web interfaces
for things we do not support yet, like issuing user certificates and the
rest of features supported in Dogtag.

I think this change might be subtle but otherwise breaking for some
users.


Ah, I personally did not see that yet. However, as this is still quite hacky
and experimental use of FreeIPA PKI, it should not be in the list of hard
requirements IMO. People who really need to use this interface can always
install the package.

At the very least this change has to be in the release notes.


I think I see the deal - apply the patch only for FreeIPA 4.1 and master (and
not for 4.0.x) and add appropriate release notes for 4.1, when released.

Agreed.
--
/ Alexander Bokovoy



Re: [Freeipa-devel] [PATCH] ipa trust-add command should be interactive

2014-07-23 Thread Gabe Alford
Nope. Somehow in my head it felt cleaner. Updated patch attached.


On Wed, Jul 23, 2014 at 1:18 AM, Jan Cholasta jchol...@redhat.com wrote:

 On 23.7.2014 01:01, Gabe Alford wrote:

 Forgot about --trust-secret. Here is an updated patch.


 On Mon, Jul 21, 2014 at 2:31 AM, Jan Cholasta jchol...@redhat.com
 mailto:jchol...@redhat.com wrote:

 On 21.7.2014 10:28, Martin Kosek wrote:

 On 07/21/2014 09:56 AM, Jan Cholasta wrote:

 Hi,

 On 16.7.2014 05:48, Gabe Alford wrote:

 Hello,

 Adds AD admin and password to interactive commands.

 https://fedorahosted.org/freeipa/ticket/3034

 Thanks,

 Gabe


 I think that instead of making the parameters mandatory, you
 should instead set
 alwaysask=True on them.

 Honza


 Trust can be established either with user+password options OR with
 --trust-secret option - i.e. you cannot use mandatory options
 nor alwaysask.


 Ah, right.



 This would rather lead to interactive_prompt_callback checking
 if any of
 authentication method is passed and asking for them if they
 aren't.


 +1


 Martin



 --
 Jan Cholasta



 I don't think using an extra function to update a value in a dictionary is
 very beneficial, is there a reason not to use kw[X] =
 self.prompt_param(self.params[X]) directly?

 --
 Jan Cholasta

From cae886c1d3810d89feb3a2f26afcb6a38319005f Mon Sep 17 00:00:00 2001
From: Gabe redhatri...@gmail.com
Date: Wed, 23 Jul 2014 16:12:25 -0600
Subject: [PATCH] ipa trust-add command should be interactive

- Make ipa trust-add command interactive for realm_admin and realm_passwd
- Fix 'Active directory' typo to 'Active Directory'

https://fedorahosted.org/freeipa/ticket/3034
---
 ipalib/plugins/trust.py | 33 -
 1 file changed, 32 insertions(+), 1 deletion(-)

diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
index fe1a76719b0e35136fb46d917bd998cdfd631695..7153253167001cca05c87d199c0843112d5333bd 100644
--- a/ipalib/plugins/trust.py
+++ b/ipalib/plugins/trust.py
@@ -435,7 +435,7 @@ sides.
 ),
 Password('realm_passwd?',
 cli_name='password',
-label=_(Active directory domain administrator's password),
+label=_(Active Directory domain administrator's password),
 confirm=False,
 ),
 Str('realm_server?',
@@ -511,6 +511,37 @@ sides.
 
 return result
 
+def interactive_prompt_callback(self, kw):
+
+Ensure that trust_type is prompted for if any reason there is no
+default.
+
+Also ensure that realm_admin is prompted for if --admin or
+--trust-secret is not specified when 'ipa trust-add' is run on the
+system.
+
+Also ensure that realm_passwd is prompted for if --password or
+--trust-secret is not specified when 'ipa trust-add' is run on the
+system.
+
+
+trust_secret = kw.get('trust_secret')
+trust_type = kw.get('trust_type')
+realm_admin = kw.get('realm_admin')
+realm_passwd = kw.get('realm_passwd')
+
+if trust_type is None:
+kw['trust_type'] = self.prompt_param(self.params['trust_type'])
+
+if trust_secret is None:
+if realm_admin is None:
+kw['realm_admin'] = self.prompt_param(
+   self.params['realm_admin'])
+
+if realm_passwd is None:
+kw['realm_passwd'] = self.Backend.textui.prompt_password(
+   self.params['realm_passwd'].label, confirm=False)
+
 def validate_options(self, *keys, **options):
 if not _bindings_installed:
 raise errors.NotFound(
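Review bot: the realm_passwd branch calls self.Backend.textui.prompt_password directly while trust_type and realm_admin go through self.prompt_param; since the Password param in the first hunk already carries confirm=False, `kw['realm_passwd'] = self.prompt_param(self.params['realm_passwd'])` would keep the three prompts uniform and let the param's own settings apply. The prompts also key on `is None`, so if an empty string for --admin or --trust-secret can reach the callback it would be accepted without prompting; check whether the framework maps empty options to None, and otherwise test `if not trust_secret`. Minor: the docstring's "if any reason there is no default" reads oddly; "if for any reason it has no default" is clearer.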
-- 
2.0.0


[Freeipa-devel] [PATCH 0026][DOC] Typo in sudocmd in documentation

2014-07-23 Thread Gabe Alford
Hello,

Fix for https://fedorahosted.org/freeipa/ticket/4451

Thanks,

Gabe
From e995aa908933b31509ce02ba6a57fc20fa4fc245 Mon Sep 17 00:00:00 2001
From: Gabe redhatri...@gmail.com
Date: Wed, 23 Jul 2014 16:19:18 -0600
Subject: [PATCH] Typo in upstream documentation

- Fix typo with --sudocmds option

https://fedorahosted.org/freeipa/ticket/4451
---
 src/user_guide/en-US/Sudo.xml | 10 +-
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/src/user_guide/en-US/Sudo.xml b/src/user_guide/en-US/Sudo.xml
index 64127aa8d787f5d484c3897eb5dba17c6375ac9c..5b4b9088a46b69855a75f69a619cbe8b24f4497d 100644
--- a/src/user_guide/en-US/Sudo.xml
+++ b/src/user_guide/en-US/Sudo.xml
@@ -632,9 +632,9 @@ Added sudo rule files-commands
 /screen
 
 		para
-			Next, add the commands to emphasisgrant/emphasis access to. This can be a single command, using option--sudocmd/option, or a group of commands, using option--sudocmdgroups/option.
+			Next, add the commands to emphasisgrant/emphasis access to. This can be a single command, using option--sudocmds/option, or a group of commands, using option--sudocmdgroups/option.
 
-screen$ ipa sudorule-add-allow-command --sudocmd /usr/bin/vim files-commands
+screen$ ipa sudorule-add-allow-command --sudocmds /usr/bin/vim files-commands
   Rule name: files-commands
   Enabled: TRUE
   sudo Commands: /usr/bin/vim
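Review bot: the fix corrects --sudocmd to --sudocmds in both the prose and the screen example, but the same sentence also names --sudocmdgroups, whose spelling is not touched; it is worth confirming that option against `ipa sudorule-add-allow-command --help` in the same pass so the paragraph does not need a second correction. The wording "a single command, using --sudocmds" is fine as is, since the option name is plural even when one value is given.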
@@ -673,9 +673,9 @@ Number of members added 1
 	para
 		The commandsudo/command rule can grant access or deny access to commands. For example, this rule would allow read access to files but prevent editing:
 	/para
-screen$ ipa sudorule-add-allow-command --sudocmd /usr/bin/less readfiles
-$ ipa sudorule-add-allow-command --sudocmd /usr/bin/tail readfiles
-$ ipa sudorule-add-deny-command --sudocmd /usr/bin/vim readfiles/screen
+screen$ ipa sudorule-add-allow-command --sudocmds /usr/bin/less readfiles
+$ ipa sudorule-add-allow-command --sudocmds /usr/bin/tail readfiles
+$ ipa sudorule-add-deny-command --sudocmds /usr/bin/vim readfiles/screen
 /example
 example id=Ex.sudo-optionstitleUsing sudoers Options/title
 	para
-- 
2.0.0


[Freeipa-devel] Storing/Looking up the creation time of a type

2014-07-23 Thread James
Hi devel,

It would be particularly useful if each FreeIPA entry (eg: user, host,
service, etc...) had creation and last modified timestamps. Do these
fields already exist, and if they do, how can I access them?

If they do not, I would like to propose these as a feature request.

One use case for this feature: if this data exists, then actions could
be scripted based on how old something is. For example:

* an admin could check for old entries in case they are unneeded
* puppet could be told to not manage entries older than a certain date
* entries could be sorted by last modified to browse recent activity
* and so on...

An example of how this could be specifically useful is explained in my
just published Puppet+FreeIPA article:

https://ttboj.wordpress.com/2014/07/24/hybrid-management-of-freeipa-types-with-puppet/

Thank you again,
James




Re: [Freeipa-devel] Storing/Looking up the creation time of a type

2014-07-23 Thread Alexander Bokovoy

On Thu, 24 Jul 2014, James wrote:

Hi devel,

It would be particularly useful if each FreeIPA entry (eg: user, host,
service, etc...) had creation and last modified timestamps. Do these
fields already exist, and if they do, how can I access them?

If they do not, I would like to propose these as a feature request.

These are called operational attributes and are available already, look
at RFC 2251. 389-ds implements some more, check
http://directory.fedoraproject.org/wiki/Howto:OperationalAttributes for
details.

$  ldapsearch -Y GSSAPI uid=admin modifyTimestamp createTimestamp
SASL/GSSAPI authentication started
SASL username: ad...@t.vda.li
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base dc=t,dc=vda,dc=li (default) with scope subtree
# filter: uid=admin
# requesting: modifyTimestamp createTimestamp 
#


# admin, users, compat, t.vda.li
dn: uid=admin,cn=users,cn=compat,dc=t,dc=vda,dc=li
modifyTimestamp: 20140722091651Z
createTimestamp: 20140722091651Z

# admin, users, accounts, t.vda.li
dn: uid=admin,cn=users,cn=accounts,dc=t,dc=vda,dc=li
modifyTimestamp: 20140724053745Z
createTimestamp: 20140722091018Z

# search result
search: 4
result: 0 Success

# numResponses: 3
# numEntries: 2


Note that the operational attributes modifyTimestamp and createTimestamp for
the compat tree differ from the main tree because of the way the slapi-nis
plugin works. If you stick to the main tree, you should be fine.



--
/ Alexander Bokovoy
