Re: [Freeipa-devel] #4450: how to allow password migration?
On 07/22/2014 05:01 PM, Martin Kosek wrote:
> Hello,
>
> I was thinking more about the solution to fix migration in FreeIPA 4.0 as proposed in https://fedorahosted.org/freeipa/ticket/4450#comment:6 and I realized it will be more complicated.
>
> Conditionally enabling nsslapd-allow-hashed-passwords in cn=config when migration mode is enabled is tricky as this setting is not replicated, compared to ipamigrationenabled. So enabling the migration on one server would still leave it broken on other servers. The same applies for disabling it again.
>
> Any ideas how to solve the issue? I am thinking we may need to unconditionally enable this cn=config setting for now to unblock migration (thus effectively revert https://fedorahosted.org/389/ticket/47389). Any other solution I can think of would be too complicated.

If you always enable it, you would have the same behaviour as before #47389 (which you see as a regression), so it should be ok.

Ludwig

Thanks.

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] ipa trust-add command should be interactive
On 23.7.2014 01:01, Gabe Alford wrote:
> Forgot about --trust-secret. Here is an updated patch.
>
> On Mon, Jul 21, 2014 at 2:31 AM, Jan Cholasta <jchol...@redhat.com> wrote:
>> On 21.7.2014 10:28, Martin Kosek wrote:
>>> On 07/21/2014 09:56 AM, Jan Cholasta wrote:
>>>> Hi,
>>>>
>>>> On 16.7.2014 05:48, Gabe Alford wrote:
>>>>> Hello,
>>>>>
>>>>> Adds AD admin and password to interactive commands.
>>>>> https://fedorahosted.org/freeipa/ticket/3034
>>>>>
>>>>> Thanks,
>>>>> Gabe
>>>>
>>>> I think that instead of making the parameters mandatory, you should instead set alwaysask=True on them.
>>>>
>>>> Honza
>>>
>>> Trust can be established either with user+password options OR with --trust-secret option - i.e. you cannot use mandatory options nor alwaysask.
>>
>> Ah, right. This would rather lead to interactive_prompt_callback checking if any of the authentication methods is passed and asking for them if they aren't.
>>
>> +1
>> Martin
>>
>> --
>> Jan Cholasta

I don't think using an extra function to update a value in a dictionary is very beneficial, is there a reason not to use kw[X] = self.prompt_param(self.params[X]) directly?

--
Jan Cholasta
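The prompting rule the thread converges on (prompt only when neither a complete admin+password pair nor a trust secret was supplied, so that no option has to be mandatory or alwaysask), written out as an added example that is not Gabe's patch or FreeIPA's own code. The keyword names realm_admin, realm_passwd and trust_secret and the prompt_param callable are assumptions standing in for the command's real parameters and prompt helper.

```python
# Added example, not FreeIPA code. Keyword names and the prompt callable are
# assumptions; they stand in for the trust-add command's own parameters.


def missing_auth_params(kw):
    """Return the parameter names that still have to be prompted for.

    A trust can be established either with admin+password OR with a
    pre-shared trust secret, so neither set may be marked mandatory (or
    alwaysask). The callback instead checks whether any complete
    authentication method was supplied and prompts only for the gaps.
    """
    if kw.get("trust_secret"):
        return []                      # secret-based trust: nothing to ask
    needed = []
    if not kw.get("realm_admin"):
        needed.append("realm_admin")
    if not kw.get("realm_passwd"):
        needed.append("realm_passwd")
    return needed


def interactive_prompt_callback(kw, prompt_param):
    """Fill in the missing credentials in kw via prompt_param(name) -> value.

    Assigns straight into kw, as suggested in the thread, instead of going
    through an extra helper. Returns kw for convenience.
    """
    for name in missing_auth_params(kw):
        kw[name] = prompt_param(name)
    return kw


if __name__ == "__main__":
    # Constructed answers standing in for what the user would type.
    answers = {"realm_admin": "Administrator", "realm_passwd": "s3cret"}
    print(interactive_prompt_callback({"realm": "AD.EXAMPLE"}, answers.__getitem__))
    print(interactive_prompt_callback({"realm": "AD.EXAMPLE", "trust_secret": "psk"},
                                      answers.__getitem__))
```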
[Freeipa-devel] Reasons for not using certmonger DBus API
While solving ticket #4280 I noticed that we are messing with certmonger's files right under its hands. That can lead to some unpleasant race condition issues.

Is there any reason why not to call certmonger via DBus and ask it to stop tracking the requests?

--
David Kupka
Re: [Freeipa-devel] Reasons for not using certmonger DBus API
On 07/23/2014 09:56 AM, David Kupka wrote:
> While solving ticket #4280 I noticed that we are messing with certmonger's files right under its hands. That can lead to some unpleasant race condition issues.
>
> Is there any reason why not to call certmonger via DBus and ask it to stop tracking the requests?

+1 for using the dbus API. When I saw the hacky way of parsing certmonger internal configuration files in ipapython/certmonger.py, I suggested the dbus way as IMO it would not be difficult to implement, it would make us more future proof and it would remove intermittent problems like #4280.

Certmonger API looked complete enough to pull this off:
https://git.fedorahosted.org/cgit/certmonger.git/tree/doc/api.txt

If I am wrong, please tell me.

Thanks,
Martin
Re: [Freeipa-devel] Reasons for not using certmonger DBus API
On 23.7.2014 10:12, Martin Kosek wrote:
> On 07/23/2014 09:56 AM, David Kupka wrote:
>> While solving ticket #4280 I noticed that we are messing with certmonger's files right under its hands. That can lead to some unpleasant race condition issues.
>>
>> Is there any reason why not to call certmonger via DBus and ask it to stop tracking the requests?
>
> +1 for using the dbus API. When I saw the hacky way of parsing certmonger internal configuration files in ipapython/certmonger.py, I suggested the dbus way as IMO it would not be difficult to implement, it would make us more future proof and it would remove intermittent problems like #4280.

I have already started using the API, e.g. for adding/removing of the CA helper in cainstance. Word of warning, the API apparently is not exercised much and there might be bugs (I found one causing certmonger to segfault which Nalin promptly fixed).

> Certmonger API looked complete enough to pull this off:
> https://git.fedorahosted.org/cgit/certmonger.git/tree/doc/api.txt
>
> If I am wrong, please tell me.

IIRC some of the properties in requests might not be accessible using the API. But I'm not sure if this is true or if it affects us.

> Thanks,
> Martin

--
Jan Cholasta
Re: [Freeipa-devel] Reasons for not using certmonger DBus API
On Wed, 23 Jul 2014, Martin Kosek wrote:
> On 07/23/2014 09:56 AM, David Kupka wrote:
>> While solving ticket #4280 I noticed that we are messing with certmonger's files right under its hands. That can lead to some unpleasant race condition issues.
>>
>> Is there any reason why not to call certmonger via DBus and ask it to stop tracking the requests?
>
> +1 for using the dbus API. When I saw the hacky way of parsing certmonger internal configuration files in ipapython/certmonger.py, I suggested the dbus way as IMO it would not be difficult to implement, it would make us more future proof and it would remove intermittent problems like #4280.
>
> Certmonger API looked complete enough to pull this off:
> https://git.fedorahosted.org/cgit/certmonger.git/tree/doc/api.txt
>
> If I am wrong, please tell me.

Were there DBus Python bindings available in RHEL 5/6 at the time when the code was written? Anyway, it looks like a good target to rewrite this code to use DBus these days.

--
/ Alexander Bokovoy
Re: [Freeipa-devel] Reasons for not using certmonger DBus API
On 07/23/2014 10:33 AM, Jan Cholasta wrote:
> On 23.7.2014 10:12, Martin Kosek wrote:
>> On 07/23/2014 09:56 AM, David Kupka wrote:
>>> While solving ticket #4280 I noticed that we are messing with certmonger's files right under its hands. That can lead to some unpleasant race condition issues.
>>>
>>> Is there any reason why not to call certmonger via DBus and ask it to stop tracking the requests?
>>
>> +1 for using the dbus API. When I saw the hacky way of parsing certmonger internal configuration files in ipapython/certmonger.py, I suggested the dbus way as IMO it would not be difficult to implement, it would make us more future proof and it would remove intermittent problems like #4280.
>
> I have already started using the API, e.g. for adding/removing of the CA helper in cainstance. Word of warning, the API apparently is not exercised much and there might be bugs (I found one causing certmonger to segfault which Nalin promptly fixed).

Yup, this is the place where the inspiration came from :-)

>> Certmonger API looked complete enough to pull this off:
>> https://git.fedorahosted.org/cgit/certmonger.git/tree/doc/api.txt
>>
>> If I am wrong, please tell me.
>
> IIRC some of the properties in requests might not be accessible using the API. But I'm not sure if this is true or if it affects us.

I did a couple of tests and it seems that getting properties works fine:

>>> import dbus
>>> bus = dbus.SystemBus()
>>> obj = bus.get_object('org.fedorahosted.certmonger','/org/fedorahosted/certmonger')
>>> iface = dbus.Interface(obj, 'org.fedorahosted.certmonger')
>>> reqs = iface.get_requests()
>>> req = bus.get_object('org.fedorahosted.certmonger', reqs[0])
>>> iface_request = dbus.Interface(req, 'org.fedorahosted.certmonger.request')
>>> iface_request.get_nickname()
dbus.String(u'20140723081859')
>>> iface_request.get_status()
(dbus.String(u'MONITORING'), dbus.Boolean(False))
>>> iface_request.get_key_storage_info()
(dbus.String(u'NSSDB'), dbus.String(u'/etc/pki/pki-tomcat/alias'), dbus.String(u'auditSigningCert cert-pki-ca'), dbus.String(u'NSS Certificate DB'))
>>> iface_request.get_cert_data()
dbus.String(u'-----BEGIN CERTIFICATE-----\nMIIDZzCCAk+gAwIBAgIBBTANBgkqhkiG9w0BAQsFADA/MR0wGwYDVQQKDBRNS09T\r\nRUstRkVET1JBMjAuVEVTVDEeMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5\r\nMB4XDTE0MDcyMzA4MTc1OVoXDTE2MDcxMjA4MTc1OVowMjEdMBsGA1UECgwUTUtP\r\nU0VLLUZFRE9SQTIwLlRFU1QxETAPBgNVBAMMCENBIEF1ZGl0MIIBIjANBgkqhkiG\r\n9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxHJ6iNEUOCLybjMsuC1X3ojJFDml91caAT6u\r\nvySSnz6S79Y2Z3CgpnS71p842SukEXtawkBH+4Vzv3EkiT2OEGFMIFPxtg0z6KJw\r\n64Kv7R6qP1N9iW091pSsui8CoypINtvOmdZtop6meqPEcbjqVzYqQxZ2nq4FI1Ed\r\ncPiirF33OkAJQ5CuvzJFotoZ7f7tAisTpUqghCBAr0kg5MtvcjtlB+hysdVWf+rf\r\nCpzsVA1DbXRNdwsZpOv07Lhm1EGIsJZ3/wZszBpycM1H+8mIuTa5mpNpluDHoDrG\r\ne51TzF5F/DQI7ctMoI6CGxPvyPGbammKcID/yDzyePx3XBnCaQIDAQABo3sweTAf\r\nBgNVHSMEGDAWgBQoqt6chwnASMhQa2DwaWvSF9C/GDAOBgNVHQ8BAf8EBAMCBsAw\r\nRgYIKwYBBQUHAQEEOjA4MDYGCCsGAQUFBzABhipodHRwOi8vaXBhLm1rb3Nlay1m\r\nZWRvcmEyMC50ZXN0OjgwL2NhL29jc3AwDQYJKoZIhvcNAQELBQADggEBAEDoy8AW\r\nJinIA4pYEDuTYG/mUBJvvaH+XR7a8pZtX0mnWOlS1mbI1gjlkCCBi7t//c2U3Nmx\r\nb+EiG8isXT0urowI3iBjhOXyweJDF7+Wa1kN57SRkMeJIhCTBWOVGEBYGA6nUUKb\r\nnULomV9XXE5Bj+yP3IRewe0AYL0Gyk5QnSNLCYUMA+u/oi4i+uloKv3yZd6On0Re\r\nuIVSvmwXNHMKgGPg2cKSu1fd9tZ7qvQo6Vblf/zYp17tg2Vgd/ESeqgclgJs8AaL\r\nRDED3RT0FaOR/6SCTrXTGymmRaAVA6gGCUScyWD+MaKldOu2qDBG32obPiSw9lm8\r\nnxQBR2IlqByyeDA=\n-----END CERTIFICATE-----\n\n')

Martin
Re: [Freeipa-devel] Reasons for not using certmonger DBus API
On 23.7.2014 10:38, Martin Kosek wrote:
> On 07/23/2014 10:33 AM, Jan Cholasta wrote:
>> On 23.7.2014 10:12, Martin Kosek wrote:
>>> On 07/23/2014 09:56 AM, David Kupka wrote:
>>>> While solving ticket #4280 I noticed that we are messing with certmonger's files right under its hands. That can lead to some unpleasant race condition issues.
>>>>
>>>> Is there any reason why not to call certmonger via DBus and ask it to stop tracking the requests?
>>>
>>> +1 for using the dbus API. When I saw the hacky way of parsing certmonger internal configuration files in ipapython/certmonger.py, I suggested the dbus way as IMO it would not be difficult to implement, it would make us more future proof and it would remove intermittent problems like #4280.
>>
>> I have already started using the API, e.g. for adding/removing of the CA helper in cainstance. Word of warning, the API apparently is not exercised much and there might be bugs (I found one causing certmonger to segfault which Nalin promptly fixed).
>
> Yup, this is the place where the inspiration came from :-)
>
>>> Certmonger API looked complete enough to pull this off:
>>> https://git.fedorahosted.org/cgit/certmonger.git/tree/doc/api.txt
>>>
>>> If I am wrong, please tell me.
>>
>> IIRC some of the properties in requests might not be accessible using the API. But I'm not sure if this is true or if it affects us.
>
> I did a couple of tests and it seems that getting properties works fine:
>
> >>> import dbus
> >>> bus = dbus.SystemBus()
> >>> obj = bus.get_object('org.fedorahosted.certmonger','/org/fedorahosted/certmonger')
> >>> iface = dbus.Interface(obj, 'org.fedorahosted.certmonger')
> >>> reqs = iface.get_requests()
> >>> req = bus.get_object('org.fedorahosted.certmonger', reqs[0])
> >>> iface_request = dbus.Interface(req, 'org.fedorahosted.certmonger.request')
> >>> iface_request.get_nickname()
> dbus.String(u'20140723081859')
> >>> iface_request.get_status()
> (dbus.String(u'MONITORING'), dbus.Boolean(False))
> >>> iface_request.get_key_storage_info()
> (dbus.String(u'NSSDB'), dbus.String(u'/etc/pki/pki-tomcat/alias'), dbus.String(u'auditSigningCert cert-pki-ca'), dbus.String(u'NSS Certificate DB'))
> >>> iface_request.get_cert_data()
> dbus.String(u'-----BEGIN CERTIFICATE-----\nMIIDZzCCAk+gAwIBAgIBBTANBgkqhkiG9w0BAQsFADA/MR0wGwYDVQQKDBRNS09T\r\nRUstRkVET1JBMjAuVEVTVDEeMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5\r\nMB4XDTE0MDcyMzA4MTc1OVoXDTE2MDcxMjA4MTc1OVowMjEdMBsGA1UECgwUTUtP\r\nU0VLLUZFRE9SQTIwLlRFU1QxETAPBgNVBAMMCENBIEF1ZGl0MIIBIjANBgkqhkiG\r\n9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxHJ6iNEUOCLybjMsuC1X3ojJFDml91caAT6u\r\nvySSnz6S79Y2Z3CgpnS71p842SukEXtawkBH+4Vzv3EkiT2OEGFMIFPxtg0z6KJw\r\n64Kv7R6qP1N9iW091pSsui8CoypINtvOmdZtop6meqPEcbjqVzYqQxZ2nq4FI1Ed\r\ncPiirF33OkAJQ5CuvzJFotoZ7f7tAisTpUqghCBAr0kg5MtvcjtlB+hysdVWf+rf\r\nCpzsVA1DbXRNdwsZpOv07Lhm1EGIsJZ3/wZszBpycM1H+8mIuTa5mpNpluDHoDrG\r\ne51TzF5F/DQI7ctMoI6CGxPvyPGbammKcID/yDzyePx3XBnCaQIDAQABo3sweTAf\r\nBgNVHSMEGDAWgBQoqt6chwnASMhQa2DwaWvSF9C/GDAOBgNVHQ8BAf8EBAMCBsAw\r\nRgYIKwYBBQUHAQEEOjA4MDYGCCsGAQUFBzABhipodHRwOi8vaXBhLm1rb3Nlay1m\r\nZWRvcmEyMC50ZXN0OjgwL2NhL29jc3AwDQYJKoZIhvcNAQELBQADggEBAEDoy8AW\r\nJinIA4pYEDuTYG/mUBJvvaH+XR7a8pZtX0mnWOlS1mbI1gjlkCCBi7t//c2U3Nmx\r\nb+EiG8isXT0urowI3iBjhOXyweJDF7+Wa1kN57SRkMeJIhCTBWOVGEBYGA6nUUKb\r\nnULomV9XXE5Bj+yP3IRewe0AYL0Gyk5QnSNLCYUMA+u/oi4i+uloKv3yZd6On0Re\r\nuIVSvmwXNHMKgGPg2cKSu1fd9tZ7qvQo6Vblf/zYp17tg2Vgd/ESeqgclgJs8AaL\r\nRDED3RT0FaOR/6SCTrXTGymmRaAVA6gGCUScyWD+MaKldOu2qDBG32obPiSw9lm8\r\nnxQBR2IlqByyeDA=\n-----END CERTIFICATE-----\n\n')
>
> Martin

When I said some of the properties, I certainly did not mean the absolute basics, but rather stuff like cert-presave-command.

--
Jan Cholasta
[Freeipa-devel] Ipsilon vs. FedOAuth
Hello list,

I have noticed that Fedora is heavily using project FedOAuth:

  Federated Open Authentication
  FedOAuth is a provider for federated authentication mechanisms with a modular authentication backend.

It sounds somewhat similar to our Ipsilon project and it is also written in Python. Maybe it would be beneficial to somehow cooperate ...

--
Petr^2 Spacek
Re: [Freeipa-devel] Reasons for not using certmonger DBus API
On 07/23/2014 10:49 AM, Jan Cholasta wrote:
> On 23.7.2014 10:38, Martin Kosek wrote:
>> On 07/23/2014 10:33 AM, Jan Cholasta wrote:
>>> On 23.7.2014 10:12, Martin Kosek wrote:
>>>> On 07/23/2014 09:56 AM, David Kupka wrote:
>>>>> While solving ticket #4280 I noticed that we are messing with certmonger's files right under its hands. That can lead to some unpleasant race condition issues.
>>>>>
>>>>> Is there any reason why not to call certmonger via DBus and ask it to stop tracking the requests?
>>>>
>>>> +1 for using the dbus API. When I saw the hacky way of parsing certmonger internal configuration files in ipapython/certmonger.py, I suggested the dbus way as IMO it would not be difficult to implement, it would make us more future proof and it would remove intermittent problems like #4280.
>>>
>>> I have already started using the API, e.g. for adding/removing of the CA helper in cainstance. Word of warning, the API apparently is not exercised much and there might be bugs (I found one causing certmonger to segfault which Nalin promptly fixed).
>>
>> Yup, this is the place where the inspiration came from :-)
>>
>>>> Certmonger API looked complete enough to pull this off:
>>>> https://git.fedorahosted.org/cgit/certmonger.git/tree/doc/api.txt
>>>>
>>>> If I am wrong, please tell me.
>>>
>>> IIRC some of the properties in requests might not be accessible using the API. But I'm not sure if this is true or if it affects us.
>>
>> I did a couple of tests and it seems that getting properties works fine:
>>
>> >>> import dbus
>> >>> bus = dbus.SystemBus()
>> >>> obj = bus.get_object('org.fedorahosted.certmonger','/org/fedorahosted/certmonger')
>> >>> iface = dbus.Interface(obj, 'org.fedorahosted.certmonger')
>> >>> reqs = iface.get_requests()
>> >>> req = bus.get_object('org.fedorahosted.certmonger', reqs[0])
>> >>> iface_request = dbus.Interface(req, 'org.fedorahosted.certmonger.request')
>> >>> iface_request.get_nickname()
>> dbus.String(u'20140723081859')
>> >>> iface_request.get_status()
>> (dbus.String(u'MONITORING'), dbus.Boolean(False))
>> >>> iface_request.get_key_storage_info()
>> (dbus.String(u'NSSDB'), dbus.String(u'/etc/pki/pki-tomcat/alias'), dbus.String(u'auditSigningCert cert-pki-ca'), dbus.String(u'NSS Certificate DB'))
>> >>> iface_request.get_cert_data()
>> dbus.String(u'-----BEGIN CERTIFICATE-----\nMIIDZzCCAk+gAwIBAgIBBTANBgkqhkiG9w0BAQsFADA/MR0wGwYDVQQKDBRNS09T\r\nRUstRkVET1JBMjAuVEVTVDEeMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5\r\nMB4XDTE0MDcyMzA4MTc1OVoXDTE2MDcxMjA4MTc1OVowMjEdMBsGA1UECgwUTUtP\r\nU0VLLUZFRE9SQTIwLlRFU1QxETAPBgNVBAMMCENBIEF1ZGl0MIIBIjANBgkqhkiG\r\n9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxHJ6iNEUOCLybjMsuC1X3ojJFDml91caAT6u\r\nvySSnz6S79Y2Z3CgpnS71p842SukEXtawkBH+4Vzv3EkiT2OEGFMIFPxtg0z6KJw\r\n64Kv7R6qP1N9iW091pSsui8CoypINtvOmdZtop6meqPEcbjqVzYqQxZ2nq4FI1Ed\r\ncPiirF33OkAJQ5CuvzJFotoZ7f7tAisTpUqghCBAr0kg5MtvcjtlB+hysdVWf+rf\r\nCpzsVA1DbXRNdwsZpOv07Lhm1EGIsJZ3/wZszBpycM1H+8mIuTa5mpNpluDHoDrG\r\ne51TzF5F/DQI7ctMoI6CGxPvyPGbammKcID/yDzyePx3XBnCaQIDAQABo3sweTAf\r\nBgNVHSMEGDAWgBQoqt6chwnASMhQa2DwaWvSF9C/GDAOBgNVHQ8BAf8EBAMCBsAw\r\nRgYIKwYBBQUHAQEEOjA4MDYGCCsGAQUFBzABhipodHRwOi8vaXBhLm1rb3Nlay1m\r\nZWRvcmEyMC50ZXN0OjgwL2NhL29jc3AwDQYJKoZIhvcNAQELBQADggEBAEDoy8AW\r\nJinIA4pYEDuTYG/mUBJvvaH+XR7a8pZtX0mnWOlS1mbI1gjlkCCBi7t//c2U3Nmx\r\nb+EiG8isXT0urowI3iBjhOXyweJDF7+Wa1kN57SRkMeJIhCTBWOVGEBYGA6nUUKb\r\nnULomV9XXE5Bj+yP3IRewe0AYL0Gyk5QnSNLCYUMA+u/oi4i+uloKv3yZd6On0Re\r\nuIVSvmwXNHMKgGPg2cKSu1fd9tZ7qvQo6Vblf/zYp17tg2Vgd/ESeqgclgJs8AaL\r\nRDED3RT0FaOR/6SCTrXTGymmRaAVA6gGCUScyWD+MaKldOu2qDBG32obPiSw9lm8\r\nnxQBR2IlqByyeDA=\n-----END CERTIFICATE-----\n\n')
>>
>> Martin
>
> When I said some of the properties, I certainly did not mean the absolute basics, but rather stuff like cert-presave-command.

Ah, ok. Then I think this snippet will help:

>>> properties_manager = dbus.Interface(req, 'org.freedesktop.DBus.Properties')
>>> properties_manager.Get('org.fedorahosted.certmonger.request', 'cert-presave-command')
dbus.String(u'/usr/lib64/ipa/certmonger/stop_pkicad')
>>> properties_manager.Get('org.fedorahosted.certmonger.request', 'cert-postsave-command')
dbus.String(u'/usr/lib64/ipa/certmonger/renew_ca_cert auditSigningCert cert-pki-ca')

Martin
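Putting Martin's two interpreter sessions together (the request getters from the earlier message and the org.freedesktop.DBus.Properties lookup from this one), here is an added example that is not part of the thread or of FreeIPA's certmonger.py: a helper that enumerates certmonger's tracked requests over D-Bus, reads the basics through the request interface's getters and properties such as cert-presave-command through Properties.Get, finds the request that tracks a given NSS nickname, and asks certmonger itself to drop it rather than editing its files. The bus and interface names come from the thread; remove_request() on the main interface is taken from certmonger's doc/api.txt and is an assumption here. The fake bus at the bottom is constructed so the logic can run offline; against a real system dbus.SystemBus() and dbus.Interface take its place.

```python
# Added example, not FreeIPA's or certmonger's code. D-Bus names are from the
# thread; remove_request() is per certmonger doc/api.txt (assumption).
CM_BUS = "org.fedorahosted.certmonger"
CM_PATH = "/org/fedorahosted/certmonger"
CM_IFACE = "org.fedorahosted.certmonger"
REQ_IFACE = "org.fedorahosted.certmonger.request"
PROPS_IFACE = "org.freedesktop.DBus.Properties"
# Properties with no dedicated getter: read them via Properties.Get instead.
EXTRA_PROPS = ("cert-presave-command", "cert-postsave-command")

def describe_request(req_iface, props_iface):
    """Basics through the request getters, the rest through Properties.Get."""
    storage, location, nickname, _token = req_iface.get_key_storage_info()
    state, stuck = req_iface.get_status()
    info = {"request": str(req_iface.get_nickname()), "status": str(state),
            "stuck": bool(stuck), "storage": str(storage),
            "location": str(location), "nickname": str(nickname)}
    for prop in EXTRA_PROPS:
        info[prop] = str(props_iface.Get(REQ_IFACE, prop))
    return info

def list_requests(bus, make_iface):
    """Yield (object path, description) for every request certmonger tracks.

    make_iface(proxy, name) is dbus.Interface against the real bus; it is a
    parameter only so the constructed bus below can stand in for it."""
    cm = make_iface(bus.get_object(CM_BUS, CM_PATH), CM_IFACE)
    for path in cm.get_requests():
        proxy = bus.get_object(CM_BUS, path)
        yield str(path), describe_request(make_iface(proxy, REQ_IFACE),
                                          make_iface(proxy, PROPS_IFACE))

def find_request(bus, make_iface, location, nickname):
    """Object path of the request tracking nickname in location, or None."""
    for path, info in list_requests(bus, make_iface):
        if info["location"] == location and info["nickname"] == nickname:
            return path
    return None

def stop_tracking(bus, make_iface, location, nickname):
    """Ask certmonger itself to drop the request instead of editing its files."""
    path = find_request(bus, make_iface, location, nickname)
    if path is None:
        return False
    cm = make_iface(bus.get_object(CM_BUS, CM_PATH), CM_IFACE)
    return bool(cm.remove_request(path))

class FakeRequest:
    """Constructed stand-in for one certmonger request proxy."""
    def __init__(self, request, location, nickname, presave, postsave):
        self.request, self.location, self.nickname = request, location, nickname
        self.props = {"cert-presave-command": presave,
                      "cert-postsave-command": postsave}
    def get_nickname(self):
        return self.request
    def get_status(self):
        return ("MONITORING", False)
    def get_key_storage_info(self):
        return ("NSSDB", self.location, self.nickname, "NSS Certificate DB")
    def Get(self, iface, prop):
        return self.props[prop] if iface == REQ_IFACE else None

class FakeBus:
    """Constructed in-memory bus with the call shapes dbus-python exposes."""
    def __init__(self, requests):
        self.reqs = {"%s/requests/Request%d" % (CM_PATH, i): r
                     for i, r in enumerate(requests, 1)}
    def get_object(self, bus_name, path):
        return self if path == CM_PATH else self.reqs[path]
    def get_requests(self):
        return list(self.reqs)
    def remove_request(self, path):
        return self.reqs.pop(path, None) is not None

fake_iface = lambda proxy, name: proxy   # stand-in for dbus.Interface

def sample_bus():
    """Two constructed requests; the first mirrors the values seen in the thread."""
    return FakeBus([
        FakeRequest("20140723081859", "/etc/pki/pki-tomcat/alias",
                    "auditSigningCert cert-pki-ca",
                    "/usr/lib64/ipa/certmonger/stop_pkicad",
                    "/usr/lib64/ipa/certmonger/renew_ca_cert auditSigningCert cert-pki-ca"),
        FakeRequest("20140723081900", "/etc/httpd/alias", "Server-Cert", "", ""),
    ])

if __name__ == "__main__":
    bus, make_iface = sample_bus(), fake_iface   # real: dbus.SystemBus(), dbus.Interface
    for path, info in list_requests(bus, make_iface):
        print(path, info)
```

Matching on the key storage location plus nickname rather than on the request id is what makes this usable from installer code, which knows which certificate it installed but not the id certmonger assigned; the failure mode of a request that no longer exists is a plain False from stop_tracking rather than a half-edited tracking file.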
Re: [Freeipa-devel] Reasons for not using certmonger DBus API
On 23.7.2014 12:23, Martin Kosek wrote:
> On 07/23/2014 10:49 AM, Jan Cholasta wrote:
>> On 23.7.2014 10:38, Martin Kosek wrote:
>>> On 07/23/2014 10:33 AM, Jan Cholasta wrote:
>>>> On 23.7.2014 10:12, Martin Kosek wrote:
>>>>> On 07/23/2014 09:56 AM, David Kupka wrote:
>>>>>> While solving ticket #4280 I noticed that we are messing with certmonger's files right under its hands. That can lead to some unpleasant race condition issues.
>>>>>>
>>>>>> Is there any reason why not to call certmonger via DBus and ask it to stop tracking the requests?
>>>>>
>>>>> +1 for using the dbus API. When I saw the hacky way of parsing certmonger internal configuration files in ipapython/certmonger.py, I suggested the dbus way as IMO it would not be difficult to implement, it would make us more future proof and it would remove intermittent problems like #4280.
>>>>
>>>> I have already started using the API, e.g. for adding/removing of the CA helper in cainstance. Word of warning, the API apparently is not exercised much and there might be bugs (I found one causing certmonger to segfault which Nalin promptly fixed).
>>>
>>> Yup, this is the place where the inspiration came from :-)
>>>
>>>>> Certmonger API looked complete enough to pull this off:
>>>>> https://git.fedorahosted.org/cgit/certmonger.git/tree/doc/api.txt
>>>>>
>>>>> If I am wrong, please tell me.
>>>>
>>>> IIRC some of the properties in requests might not be accessible using the API. But I'm not sure if this is true or if it affects us.
>>>
>>> I did a couple of tests and it seems that getting properties works fine:
>>>
>>> >>> import dbus
>>> >>> bus = dbus.SystemBus()
>>> >>> obj = bus.get_object('org.fedorahosted.certmonger','/org/fedorahosted/certmonger')
>>> >>> iface = dbus.Interface(obj, 'org.fedorahosted.certmonger')
>>> >>> reqs = iface.get_requests()
>>> >>> req = bus.get_object('org.fedorahosted.certmonger', reqs[0])
>>> >>> iface_request = dbus.Interface(req, 'org.fedorahosted.certmonger.request')
>>> >>> iface_request.get_nickname()
>>> dbus.String(u'20140723081859')
>>> >>> iface_request.get_status()
>>> (dbus.String(u'MONITORING'), dbus.Boolean(False))
>>> >>> iface_request.get_key_storage_info()
>>> (dbus.String(u'NSSDB'), dbus.String(u'/etc/pki/pki-tomcat/alias'), dbus.String(u'auditSigningCert cert-pki-ca'), dbus.String(u'NSS Certificate DB'))
>>> >>> iface_request.get_cert_data()
>>> dbus.String(u'-----BEGIN CERTIFICATE-----\nMIIDZzCCAk+gAwIBAgIBBTANBgkqhkiG9w0BAQsFADA/MR0wGwYDVQQKDBRNS09T\r\nRUstRkVET1JBMjAuVEVTVDEeMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5\r\nMB4XDTE0MDcyMzA4MTc1OVoXDTE2MDcxMjA4MTc1OVowMjEdMBsGA1UECgwUTUtP\r\nU0VLLUZFRE9SQTIwLlRFU1QxETAPBgNVBAMMCENBIEF1ZGl0MIIBIjANBgkqhkiG\r\n9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxHJ6iNEUOCLybjMsuC1X3ojJFDml91caAT6u\r\nvySSnz6S79Y2Z3CgpnS71p842SukEXtawkBH+4Vzv3EkiT2OEGFMIFPxtg0z6KJw\r\n64Kv7R6qP1N9iW091pSsui8CoypINtvOmdZtop6meqPEcbjqVzYqQxZ2nq4FI1Ed\r\ncPiirF33OkAJQ5CuvzJFotoZ7f7tAisTpUqghCBAr0kg5MtvcjtlB+hysdVWf+rf\r\nCpzsVA1DbXRNdwsZpOv07Lhm1EGIsJZ3/wZszBpycM1H+8mIuTa5mpNpluDHoDrG\r\ne51TzF5F/DQI7ctMoI6CGxPvyPGbammKcID/yDzyePx3XBnCaQIDAQABo3sweTAf\r\nBgNVHSMEGDAWgBQoqt6chwnASMhQa2DwaWvSF9C/GDAOBgNVHQ8BAf8EBAMCBsAw\r\nRgYIKwYBBQUHAQEEOjA4MDYGCCsGAQUFBzABhipodHRwOi8vaXBhLm1rb3Nlay1m\r\nZWRvcmEyMC50ZXN0OjgwL2NhL29jc3AwDQYJKoZIhvcNAQELBQADggEBAEDoy8AW\r\nJinIA4pYEDuTYG/mUBJvvaH+XR7a8pZtX0mnWOlS1mbI1gjlkCCBi7t//c2U3Nmx\r\nb+EiG8isXT0urowI3iBjhOXyweJDF7+Wa1kN57SRkMeJIhCTBWOVGEBYGA6nUUKb\r\nnULomV9XXE5Bj+yP3IRewe0AYL0Gyk5QnSNLCYUMA+u/oi4i+uloKv3yZd6On0Re\r\nuIVSvmwXNHMKgGPg2cKSu1fd9tZ7qvQo6Vblf/zYp17tg2Vgd/ESeqgclgJs8AaL\r\nRDED3RT0FaOR/6SCTrXTGymmRaAVA6gGCUScyWD+MaKldOu2qDBG32obPiSw9lm8\r\nnxQBR2IlqByyeDA=\n-----END CERTIFICATE-----\n\n')
>>>
>>> Martin
>>
>> When I said some of the properties, I certainly did not mean the absolute basics, but rather stuff like cert-presave-command.
>
> Ah, ok. Then I think this snippet will help:
>
> >>> properties_manager = dbus.Interface(req, 'org.freedesktop.DBus.Properties')
> >>> properties_manager.Get('org.fedorahosted.certmonger.request', 'cert-presave-command')
> dbus.String(u'/usr/lib64/ipa/certmonger/stop_pkicad')
> >>> properties_manager.Get('org.fedorahosted.certmonger.request', 'cert-postsave-command')
> dbus.String(u'/usr/lib64/ipa/certmonger/renew_ca_cert auditSigningCert cert-pki-ca')
>
> Martin

Nice, I think we are good to go then.

--
Jan Cholasta
[Freeipa-devel] [PATCH] 478 Allow hashed passwords in DS
See related thread "#4450: how to allow password migration?" for more information.

---
Without nsslapd-allow-hashed-passwords being turned on, user password migration fails.

https://fedorahosted.org/freeipa/ticket/4450

--
Martin Kosek <mko...@redhat.com>
Supervisor, Software Engineering - Identity Management Team
Red Hat Inc.

From 6ec1f70cb25e5841f3ab51a0025797e9ecad1d8f Mon Sep 17 00:00:00 2001 From: Martin Kosek mko...@redhat.com Date: Wed, 23 Jul 2014 13:03:57 +0200 Subject: [PATCH] Allow hashed passwords in DS Without nsslapd-allow-hashed-passwords being turned on, user password migration fails. https://fedorahosted.org/freeipa/ticket/4450 --- freeipa.spec.in | 4 ++-- install/updates/10-config.update | 5 + 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index 447b532b66a0329a5715aca98222ab0ef1aebee4..5a977f5251ecaee6b6eef7e6bf426e088161f761 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -86,7 +86,7 @@ Group: System Environment/Base Requires: %{name}-python = %{version}-%{release} Requires: %{name}-client = %{version}-%{release} Requires: %{name}-admintools = %{version}-%{release} -Requires: 389-ds-base = 1.3.2.19 +Requires: 389-ds-base = 1.3.2.20 Requires: openldap-clients 2.4.35-4 Requires: nss = 3.14.3-12.0 Requires: nss-tools = 3.14.3-12.0 @@ -123,7 +123,7 @@ Requires: zip Requires: policycoreutils = %{POLICYCOREUTILSVER} Requires: tar Requires(pre): certmonger = 0.65 -Requires(pre): 389-ds-base = 1.3.2.19 +Requires(pre): 389-ds-base = 1.3.2.20 Requires: fontawesome-fonts Requires: open-sans-fonts diff --git a/install/updates/10-config.update b/install/updates/10-config.update index 1512b3601bcb2337392b82bf54f540cd48ee8382..30fafbf9e93279633cc5760104fb68456720d2b3 100644 --- a/install/updates/10-config.update +++ b/install/updates/10-config.update 
@@ -63,3 +63,8 @@ dn: cn=Name # Can be removed when https://fedorahosted.org/389/ticket/47457 is fixed dn: cn=config only:nsslapd-sasl-max-buffer-size:2097152 + +# Allow hashed passwords to be added by non-DM users. Without this +# setting, password migration fails +dn: cn=config +only:nsslapd-allow-hashed-passwords:on -- 1.9.3
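Review bot: the `only:nsslapd-allow-hashed-passwords:on` entry added to 10-config.update switches the setting on unconditionally, and as the #4450 thread on this page points out, cn=config is not replicated, so the update has to be applied on every master; the comment above the entry should say so, and should also point at https://fedorahosted.org/389/ticket/47389, which the thread says this change effectively reverts, so that a later reader understands why non-DM writes of pre-hashed passwords are being allowed again rather than tied to ipamigrationenabled.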
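Review bot: the two freeipa.spec.in hunks raise the 389-ds-base minimum from 1.3.2.19 to 1.3.2.20 in both `Requires` and `Requires(pre)`, but the commit message only mentions nsslapd-allow-hashed-passwords and gives no reason for the new minimum; state which 389-ds-base change the pin depends on so the version is not loosened later by mistake.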
[Freeipa-devel] [PATCH 0275] Add TLSARecord to idnsRecord object class
Hello,

Add TLSARecord to idnsRecord object class.

--
Petr^2 Spacek

From 2d358ccbc323ea6d4339f22b16d419195054e017 Mon Sep 17 00:00:00 2001 From: Petr Spacek pspa...@redhat.com Date: Fri, 27 Jun 2014 09:33:05 +0200 Subject: [PATCH] Add TLSARecord to idnsRecord object class. Signed-off-by: Petr Spacek pspa...@redhat.com --- doc/schema | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/schema b/doc/schema index 73e8ee9d5fafd89b136b3f3cf248bfd23c91179c..5ed9e6f5d6ef11ebcf90e63d5b1e3492b7cc95d1 100644 --- a/doc/schema +++ b/doc/schema @@ -308,7 +308,7 @@ objectclass ( 2.16.840.1.113730.3.8.6.0 SRVRecord $ TXTRecord $ MXRecord $ MDRecord $ HINFORecord $ MINFORecord $ AFSDBRecord $ LOCRecord $ NXTRecord $ NAPTRRecord $ KXRecord $ CERTRecord $ DNAMERecord $ - DSRecord $ SSHFPRecord $ DLVRecord + DSRecord $ SSHFPRecord $ DLVRecord $ TLSARecord ) ) objectclass ( 2.16.840.1.113730.3.8.6.1 -- 1.9.3
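Review bot: the hunk only appends `TLSARecord` to the MAY list of the idnsRecord objectclass (2.16.840.1.113730.3.8.6.0), and the diffstat shows no other change to doc/schema; confirm the `TLSARecord` attributetype is already defined earlier in that file, otherwise the objectclass references an undefined attribute and the schema fails to load.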
[Freeipa-devel] [PATCH 0276] Fix crash during reconnection to LDAP
Hello,

Fix crash during reconnection to LDAP.

--
Petr^2 Spacek

From fb979d2f07be16f8cf441d393612504235ab26d8 Mon Sep 17 00:00:00 2001 From: Petr Spacek pspa...@redhat.com Date: Wed, 23 Jul 2014 14:18:41 +0200 Subject: [PATCH] Fix crash during reconnection to LDAP. Signed-off-by: Petr Spacek pspa...@redhat.com --- NEWS | 4 src/ldap_helper.c | 6 -- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/NEWS b/NEWS index 970ab7781d4775a499bded3c0299a759f4630f74..b8013a1ee6e01219d7190debb2c8f93817af47a5 100644 --- a/NEWS +++ b/NEWS @@ -1,3 +1,7 @@ +5.1 + +[1] Fix crash during reconnection to LDAP. + 5.0 [1] Support for DNSSEC in-line signing was added. Now any LDAP zone can be diff --git a/src/ldap_helper.c b/src/ldap_helper.c index a7a782fdfc5ae4d28b50155c9614d66a427dc3e0..a163ee9b06f7d4fbe0fe5473172e827bfd3c38c2 100644 --- a/src/ldap_helper.c +++ b/src/ldap_helper.c @@ -848,9 +848,11 @@ cleanup_files(ldap_instance_t *inst) { do { CHECK(zr_get_zone_ptr(inst-zone_register, name, raw, secure)); cleanup_zone_files(raw); - cleanup_zone_files(secure); dns_zone_detach(raw); - dns_zone_detach(secure); + if (secure != NULL) { + cleanup_zone_files(secure); + dns_zone_detach(secure); + } INIT_BUFFERED_NAME(name); CHECK(rbt_iter_next(iter, name)); -- 1.9.3
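Review bot: the ldap_helper.c hunk makes the cleanup and detach of `secure` conditional on a non-NULL pointer, but neither the commit message nor the NEWS entry ("Fix crash during reconnection to LDAP") says that the crash is a NULL `secure` zone for zones without a signed counterpart; record that root cause in both. Also confirm that `secure` is reset to NULL before every `zr_get_zone_ptr` call in the `do` loop, since the new check is only sound if a pointer from the previous iteration cannot survive into the next one.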
[Freeipa-devel] [PATCHES] 0102-0103 DNS upgrade: add missing tests if DNS is installed
This should be applied in 4.0.x, 4.1, master.

Patches attached.

--
Martin Basti

From 89e7dd87c1fad90084cb8fab38e985f95de8347e Mon Sep 17 00:00:00 2001 From: Martin Basti mba...@redhat.com Date: Mon, 21 Jul 2014 16:54:12 +0200 Subject: [PATCH 1/2] Fix DNS upgrade plugin should check if DNS container exists Fortunately this causes no error, because dnszone-find doesn't raise an exception if there is no DNS container --- ipaserver/install/plugins/dns.py | 4 1 file changed, 4 insertions(+) diff --git a/ipaserver/install/plugins/dns.py b/ipaserver/install/plugins/dns.py index 07c0325d7a7c6062c1827d08f211d317bdc63db4..1aef837f63176cd307868c726460485fd4a004ed 100644 --- a/ipaserver/install/plugins/dns.py +++ b/ipaserver/install/plugins/dns.py @@ -61,6 +61,8 @@ class update_dnszones(PostUpdate): def execute(self, **options): ldap = self.obj.backend +if not dns_container_exists(ldap): +return (False, False, []) try: zones = api.Command.dnszone_find(all=True)['result'] @@ -153,6 +155,8 @@ class update_check_forwardzones(PreSchemaUpdate): # no upgrade is needed return (False, False, []) ldap = self.obj.backend +if not dns_container_exists(ldap): # No DNS installed +return (False, False, []) result = ldap.schema.get_obj(_ldap.schema.models.ObjectClass, 'idnsforwardzone') if result is None: sysupgrade.set_upgrade_state('dns', 'update_to_forward_zones', True) -- 1.8.3.1 From 74b82e1d2a33912c779eb2d0df045ffc3a48f8e6 Mon Sep 17 00:00:00 2001 From: Martin Basti mba...@redhat.com Date: Wed, 23 Jul 2014 14:40:39 +0200 Subject: [PATCH 2/2] FIX: named_enable_dnssec should verify if DNS is installed --- install/tools/ipa-upgradeconfig | 5 + 1 file changed, 5 insertions(+) diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig index 2fecc14042ae9462fe6bde79578c27ce97425b57..54193e9e6f6c9e8e0ca56336ea86cee673893638 100644 --- a/install/tools/ipa-upgradeconfig +++ b/install/tools/ipa-upgradeconfig 
@@ -598,6 +598,11 @@ def named_enable_dnssec(): Enable dnssec in named.conf +if not bindinstance.named_conf_exists(): +# DNS service may not be configured +root_logger.info('DNS is not configured') +return False + if not sysupgrade.get_upgrade_state('named.conf', 'dnssec_enabled'): root_logger.info('[Enabling dnssec-enable configuration in DNS]') try: -- 1.8.3.1
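Review bot: both dns.py hunks in patch 1/2 call `dns_container_exists(ldap)` but the diff adds no import for it; confirm the name is already imported in ipaserver/install/plugins/dns.py, otherwise the guard fails with NameError on exactly the hosts it is meant to protect (those without a DNS container). The second hunk's early return also sits before the schema lookup, which is right, since `update_check_forwardzones` must not set the forward-zone upgrade state on a host with no DNS.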
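Review bot: `named_enable_dnssec()` in patch 2/2 now returns False (logged at info level as "DNS is not configured") when named.conf is absent; check that the caller in ipa-upgradeconfig treats False as "nothing to do" rather than as a failed step, and that the `dnssec_enabled` sysupgrade state is left unset on that path, so a later ipa-dns-install on the same host still gets dnssec-enable configured.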
Re: [Freeipa-devel] [PATCH 0245] baseldap: Remove redundant search from LDAPAddReverseMember
On 07/23/2014 03:03 PM, Jan Cholasta wrote:
> On 23.7.2014 14:40, Tomas Babej wrote:
>> Hi,
>>
>> when poking in the depths of the baseldap, I found this seemingly redundant search.
>
> ACK. For the record, before commit f1f1b4e the result was used for wait_for_memberof.

Pushed to master, ipa-4-1.

Martin
[Freeipa-devel] [PATCH] 710 webui: review pending operation after expired session
Disable automatic re-execution of command after pending authentication.

It's possible to enable it again globally by 'freeipa/config':`rpc_retry_auth`.

https://fedorahosted.org/freeipa/ticket/4374

# Additional info:

This ticket is in 4.0 stabilization milestone. I don't think it's the best fit. It has a potential to break things. It's also harder to test because integration tests don't test it - one has to remove session cookie every time and then react appropriately.

It's also the first usage of the ./config module (other items there are not used). This module was originally implemented to contain global webui config which could be overwritten by config configured on server, ie for disabling paging in large deployments. The server part doesn't exist yet. Other reason is to split ipa.js into more single-purpose files.

--
Petr Vobornik

From fa28c0fbf5451802d640fcb9a9cd09fc1b8082cc Mon Sep 17 00:00:00 2001 From: Petr Vobornik pvobo...@redhat.com Date: Tue, 22 Jul 2014 10:49:38 +0200 Subject: [PATCH] webui: review pending operation after expired session Disable automatic re-execution of command after pending authentication. It's possible to enable it again globally by 'freeipa/config':`rpc_retry_auth`. https://fedorahosted.org/freeipa/ticket/4374 --- install/ui/src/freeipa/config.js | 8 +++- install/ui/src/freeipa/ipa.js| 1 + install/ui/src/freeipa/rpc.js| 19 +++ 3 files changed, 23 insertions(+), 5 deletions(-) diff --git a/install/ui/src/freeipa/config.js b/install/ui/src/freeipa/config.js index 632bc136df5e342b7f2d99d8615b3d0d3645b772..08083908f5d727c7ee948dc6aa9dff9042e5a60b 100644 --- a/install/ui/src/freeipa/config.js +++ b/install/ui/src/freeipa/config.js @@ -70,8 +70,14 @@ define([], function() { dataType: 'json', async: true, processData: false -} +}, +/** + * Retry RPC command after successful authentication if it failed or was not + * executed because of authentication issue. + * @type {Boolean} + */ +rpc_retry_auth: false }; return config; 
diff --git a/install/ui/src/freeipa/ipa.js b/install/ui/src/freeipa/ipa.js index 0fb35632e9147c901f1a961c978d6ed8ff84aa2e..63bab26f2dfa365a9b8ac4c1431982eddf6d8fa0 100644 --- a/install/ui/src/freeipa/ipa.js +++ b/install/ui/src/freeipa/ipa.js @@ -137,6 +137,7 @@ var IPA = function () { var batch = rpc.batch_command({ name: 'ipa_init', retry: false, +retry_auth: true, on_success: function() { that.init_metadata({ on_success: params.on_success, diff --git a/install/ui/src/freeipa/rpc.js b/install/ui/src/freeipa/rpc.js index 784f7555b7c2d9a7dbf6b28d7b5f2e0a030f58aa..ada6aeb8db3dc8accd2b5ce49cd2b289bd806f35 100644 --- a/install/ui/src/freeipa/rpc.js +++ b/install/ui/src/freeipa/rpc.js @@ -25,12 +25,13 @@ define([ 'dojo/_base/lang', './auth', +'./config', './ipa', './text', './util', 'exports' ], - function(lang, auth, IPA, text, util, rpc /*exports*/) { + function(lang, auth, config, IPA, text, util, rpc /*exports*/) { /** * Call an IPA command over JSON-RPC. @@ -93,7 +94,14 @@ rpc.command = function(spec) { * error handling without any dialog. * @property {Boolean} retry=true */ -that.retry = typeof spec.retry == 'undefined' ? true : spec.retry; +that.retry = spec.retry === undefined ? true : spec.retry; + +/** + * Retry command after successful authentication if it failed or was not + * executed because of authentication issue. + * @property {Boolean} retry_auth=false + */ +that.retry_auth = spec.retry_auth === undefined ? config.rpc_retry_auth : spec.retry_auth; /** @property {string} error_message Default error message */ that.error_message = text.get(spec.error_message || '@i18n:dialogs.batch_error_message', 'Some operations failed.'); @@ -229,7 +237,9 @@ rpc.command = function(spec) { auth.current.set_authenticated(false, ''); auth.current.authenticate().then(function() { -that.execute(); +if (that.retry_auth) { +that.execute(); +} }); } 
@@ -541,7 +551,8 @@ rpc.batch_command = function(spec) { method: that.method, args: that.args, options: that.options, -retry: that.retry +retry: that.retry, +retry_auth: that.retry_auth }); command.on_success = that.batch_command_on_success; -- 1.9.3 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
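Review bot: in the rpc.js hunk around `auth.current.authenticate().then(...)`, when `that.retry_auth` is false the command is neither re-executed nor failed, so whoever issued it (a dialog waiting on `on_success`/`on_error`, a batch waiting for its sub-commands) never gets a callback and is left hanging. Consider routing the non-retry case through the command's normal error handling in an `else` branch so the pending operation is reported to the caller rather than silently dropped; the user can then redo it, which is what the commit message intends.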
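Review bot: the doc comment added in rpc.js, `@property {Boolean} retry_auth=false`, does not match the code under it: the default is `config.rpc_retry_auth`, read at the time `rpc.command(spec)` builds the object. Say so in the comment (`retry_auth=config.rpc_retry_auth`), and note that changing `config.rpc_retry_auth` at runtime only affects commands constructed afterwards, which matters because `ipa.js` hard-codes `retry_auth: true` for the `ipa_init` batch while everything else picks up the config value.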
[Freeipa-devel] [PATCH] 0105 FIX: LDAP_updater
This patch fixes ordering problem of schema updates Martin should it be in IPA 4.0.x ? It requires rebased ldap_python (will be in Fedora 21) Patch attached -- Martin Basti From 25aaa9872bbc725648c066f1d253f64c5f84ffc1 Mon Sep 17 00:00:00 2001 From: Martin Basti mba...@redhat.com Date: Wed, 23 Jul 2014 14:42:33 +0200 Subject: [PATCH] FIX: ldap_updater needs correct orderng of the updates Required bugfix in python-ldap 2.4.15 Updates must respect SUP objectclasses/attributes and update dependencies first --- freeipa.spec.in | 2 +- ipaserver/install/schemaupdate.py | 124 ++ 2 files changed, 86 insertions(+), 40 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index 447b532b66a0329a5715aca98222ab0ef1aebee4..202df6a6b85d62b17a711014261f69f86c9763df 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -98,7 +98,7 @@ Requires: httpd = 2.4.6-6 Requires: mod_wsgi Requires: mod_auth_kerb = 5.4-16 Requires: mod_nss = 1.0.8-26 -Requires: python-ldap +Requires: python-ldap = 2.4.15 Requires: python-krbV Requires: acl Requires: python-pyasn1 diff --git a/ipaserver/install/schemaupdate.py b/ipaserver/install/schemaupdate.py index bb2f0f161499c0358452d97f27f5c39b9b64a5ad..ba313feb05aee25bf071d5786a28e64f6e453836 100644 --- a/ipaserver/install/schemaupdate.py +++ b/ipaserver/install/schemaupdate.py 
@@ -29,17 +29,58 @@ from ipaserver.install.ldapupdate import connect from ipaserver.install import installutils -SCHEMA_ELEMENT_CLASSES = { +SCHEMA_ELEMENT_CLASSES = ( # All schema model classes this tool can modify -'objectclasses': ldap.schema.models.ObjectClass, -'attributetypes': ldap.schema.models.AttributeType, -} +# Depends on order, attributes first, then objectclasses +('attributetypes', ldap.schema.models.AttributeType), +('objectclasses', ldap.schema.models.ObjectClass), +) + +SCHEMA_ELEMENT_CLASSES_KEYS = (x[0] for x in SCHEMA_ELEMENT_CLASSES) ORIGIN = 'IPA v%s' % ipapython.version.VERSION log = log_mgr.get_logger(__name__) +def _get_oid_dependency_order(schema, cls): + +Returns a ordered list of OIDs sets, in order which respects inheritance in LDAP +OIDs in second set, depend on first set, etc. + +:return [set(1st-tree-level), set(2nd-tree-level), ...] + +top_node = '_' +ordered_oid_groups = [] + +tree = schema.tree(cls) # tree structure of schema + +# remove top_node from tree, it breaks ordering +# we don't need this, tree from file is not consistent +del tree[top_node] +unordered_oids = tree.keys() + +# split into two groups, parents and child nodes, and iterate until +# child nodes are not empty +while unordered_oids: +parent_nodes = set() +child_nodes = set() + +for node in unordered_oids: +if node not in child_nodes: +# if node was child once, must remain as child +parent_nodes.add(node) +for child_oid in tree[node]: +# if any node is child, must be removed from parents +parent_nodes.discard(child_oid) +child_nodes.add(child_oid) + +ordered_oid_groups.append(parent_nodes) +unordered_oids = child_nodes + +return ordered_oid_groups + + def update_schema(schema_files, ldapi=False, dm_password=None, live_run=True): Update schema to match the given ldif files 
@@ -69,58 +110,63 @@ def update_schema(schema_files, ldapi=False, dm_password=None, live_run=True): old_schema = conn.schema schema_entry = conn.get_entry(DN(('cn', 'schema')), - SCHEMA_ELEMENT_CLASSES.keys()) + SCHEMA_ELEMENT_CLASSES_KEYS) modified = False # The exact representation the DS gives us for each OID # (for debug logging) old_entries_by_oid = {cls(str(attr)).oid: str(attr) - for attrname, cls in SCHEMA_ELEMENT_CLASSES.items() + for (attrname, cls) in SCHEMA_ELEMENT_CLASSES for attr in schema_entry[attrname]} for filename in schema_files: log.info('Processing schema LDIF file %s', filename) dn, new_schema = ldap.schema.subentry.urlfetch(filename) -for attrname, cls in SCHEMA_ELEMENT_CLASSES.items(): +updating_schema = False +for attrname, cls in SCHEMA_ELEMENT_CLASSES: +for oids_set in _get_oid_dependency_order(new_schema, cls): +# Set of all elements of this class, as strings given by the DS +new_elements = [] +for oid in oids_set: +new_obj = new_schema.get_obj(cls, oid) +old_obj = old_schema.get_obj(cls, oid) +# Compare python-ldap's sanitized string
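Review bot: `SCHEMA_ELEMENT_CLASSES_KEYS = (x[0] for x in SCHEMA_ELEMENT_CLASSES)` is a generator expression, not a sequence, so it is exhausted by the first `conn.get_entry(DN(('cn', 'schema')), SCHEMA_ELEMENT_CLASSES_KEYS)`; a second `update_schema()` call in the same process would request no attributes at all. Use `tuple(x[0] for x in SCHEMA_ELEMENT_CLASSES)` so the module-level constant can be iterated repeatedly.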
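Review bot: `_get_oid_dependency_order()` has no termination guard. With a SUP cycle in the LDIF (A SUP B, B SUP A) every node ends up in `child_nodes` on each pass, `parent_nodes` stays empty and `while unordered_oids:` never exits, so a malformed schema file hangs the upgrade instead of failing it. Raise (for example when `parent_nodes` comes out empty while `child_nodes` is not) rather than loop. Minor: the docstring should read "an ordered list", and `unordered_oids = tree.keys()` should be `list(tree.keys())` to keep the function working under Python 3.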
[Freeipa-devel] [PATCH] 712 webui: detach facet nodes
Detach/attach facet nodes when switching facets instead of hiding/showing. Keeps dom-tree more simple. This patch is not really needed. I implemented it while testing something in IE. But it might have positive effect for poorly written parts of Web UI(if there are any :) ) or plugins. Basically it simplifies DOM tree to contain nodes only for the active facet. Therefore ugly expressions like $('button .foobar') are much more performant. -- Petr Vobornik From 46e9b59f526a4beccba02dbe815f21c3aa688eaa Mon Sep 17 00:00:00 2001 From: Petr Vobornik pvobo...@redhat.com Date: Tue, 22 Jul 2014 14:15:30 +0200 Subject: [PATCH] webui: detach facet nodes Detach/attach facet nodes when switching facets instead of hiding/showing. Keeps dom-tree more simple. --- install/ui/src/freeipa/facet.js| 5 + install/ui/src/freeipa/facets/Facet.js | 5 + 2 files changed, 10 insertions(+) diff --git a/install/ui/src/freeipa/facet.js b/install/ui/src/freeipa/facet.js index 0bb697be0b606743279b661d2e901372d735f8c3..50c12d49c4716e2e8d799663b79e04fdeb4d3d86 100644 --- a/install/ui/src/freeipa/facet.js +++ b/install/ui/src/freeipa/facet.js @@ -672,6 +672,8 @@ exp.facet = IPA.facet = function(spec, no_init) { if (!that.dom_node) { that.create(); +} else if (!that.dom_node.parentElement) { +construct.place(that.dom_node[0], that.container_node); } var state = that.state.clone(); @@ -728,6 +730,9 @@ exp.facet = IPA.facet = function(spec, no_init) { */ that.hide = function() { that.is_shown = false; +if (that.dom_node[0].parentElement) { +that.container_node.removeChild(that.dom_node[0]); +} that.dom_node.removeClass('active-facet'); }; diff --git a/install/ui/src/freeipa/facets/Facet.js b/install/ui/src/freeipa/facets/Facet.js index e015329c94c69b6c316c2ce65a1bfda2a98a8c91..0608ab6fb1e1983fbbb51f9795c4aabb49cb535a 100644 --- a/install/ui/src/freeipa/facets/Facet.js +++ b/install/ui/src/freeipa/facets/Facet.js 
@@ -285,6 +285,8 @@ define(['dojo/_base/declare', if (!this.dom_node) { this.create(); this.render_children(); +} else if (!this.dom_node.parentElement) { +construct.place(this.dom_node, this.container_node); } dom_class.add(this.dom_node, 'active-facet'); @@ -295,6 +297,9 @@ define(['dojo/_base/declare', * Un-mark itself as active facet */ hide: function() { +if (this.dom_node.parentElement) { +this.container_node.removeChild(this.dom_node); +} dom_class.remove(this.dom_node, 'active-facet'); this.emit('hide', { source: this }); }, -- 1.9.3 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
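Review bot: both `show` hunks call `construct.place(...)`, yet neither file's `define([...])` dependency list is touched (the diffstat shows only 5 insertions per file), so the patch relies on `dojo/dom-construct` already being required as `construct` in facet.js and facets/Facet.js. Please confirm that, or add the import; otherwise the first facet switch throws `construct is not defined`. The `hide`/`show` pair in each file uses `parentElement` consistently, which is fine, but a short comment that a facet detached by `hide` keeps its `dom_node` and is re-attached by `show` would help the next reader.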
[Freeipa-devel] [PATCH] 713-714 webui: replace action_buttons with action_widget
[PATCH] 713 webui: replace action_buttons with action_widget Simplify code base by reuse of 'disable' feature of button_widget. All occurrences of action-button which were disabled/enabled were replaced by button-widget. https://fedorahosted.org/freeipa/ticket/4258 [PATCH] 714 webui: remove remaining action-button-disabled occurrences Buttons in hbactest check for 'action-button-disabled' but it's never set. https://fedorahosted.org/freeipa/ticket/4258 -- Petr Vobornik From 8151b70b2ac3cdc856c3e888eeb9cfd76a3ab140 Mon Sep 17 00:00:00 2001 From: Petr Vobornik pvobo...@redhat.com Date: Tue, 22 Jul 2014 16:43:28 +0200 Subject: [PATCH] webui: remove remaining action-button-disabled occurrences Buttons in hbactest check for 'action-button-disabled' but it's never set. https://fedorahosted.org/freeipa/ticket/4258 --- install/ui/ipa.css | 9 - install/ui/src/freeipa/hbactest.js | 35 +-- 2 files changed, 5 insertions(+), 39 deletions(-) diff --git a/install/ui/ipa.css b/install/ui/ipa.css index ec79688a2efc9a3620334e72368816e454ba3c47..2e70a1adc9c97fd9930925adbe6a76b778022eb6 100644 --- a/install/ui/ipa.css +++ b/install/ui/ipa.css @@ -252,15 +252,6 @@ div[name=settings].facet-group li a { word-wrap: break-word; } -.action-button-disabled, -.action-button-disabled:focus, -.action-button-disabled:hover { -color: gray; -cursor: default; -text-decoration: none; -outline: none; -} - .aci-attribute-table tbody { height: 10em; } diff --git a/install/ui/src/freeipa/hbactest.js b/install/ui/src/freeipa/hbactest.js index 7a9d85ab33ea34b9bcc176bb366aadee83d38509..9ac4e8293e3b5c624f156f7f70a5dd051237e44e 100644 --- a/install/ui/src/freeipa/hbactest.js +++ b/install/ui/src/freeipa/hbactest.js 
@@ -184,12 +184,7 @@ IPA.hbac.test_facet = function(spec) { name: 'prev', label: '@i18n:widget.prev', icon: 'fa-chevron-left', -click: function() { -if (!that.prev_button.hasClass('action-button-disabled')) { -that.prev(); -} -return false; -} +click: that.prev }).appendTo(buttons); buttons.append(' '); @@ -199,12 +194,7 @@ IPA.hbac.test_facet = function(spec) { name: 'next', label: '@i18n:widget.next', icon: 'fa-chevron-right', -click: function() { -if (!that.next_button.hasClass('action-button-disabled')) { -that.next(); -} -return false; -} +click: that.next }).appendTo(buttons); }; @@ -535,12 +525,7 @@ IPA.hbac.test_run_facet = function(spec) { name: 'run_test', label: '@i18n:objects.hbactest.run_test', icon: 'fa-gear', -click: function() { -if (!that.run_button.hasClass('action-button-disabled')) { -that.run(); -} -return false; -} +click: that.run }).appendTo(button_panel); var result_panel = $('div/', { @@ -608,12 +593,7 @@ IPA.hbac.test_run_facet = function(spec) { name: 'prev', label: '@i18n:widget.prev', icon: 'fa-chevron-left', -click: function() { -if (!that.prev_button.hasClass('action-button-disabled')) { -that.prev(); -} -return false; -} +click: that.prev }).appendTo(buttons); buttons.append(' '); @@ -622,12 +602,7 @@ IPA.hbac.test_run_facet = function(spec) { name: 'new_test', label: '@i18n:objects.hbactest.new_test', icon: 'fa-repeat', -click: function() { -if (!that.new_test_button.hasClass('action-button-disabled')) { -that.new_test(); -} -return false; -} +click: that.new_test }).appendTo(buttons); }; -- 1.9.3 From ff9dacb6b231008e19888e614cacd10598d116ba Mon Sep 17 00:00:00 2001 
From: Petr Vobornik pvobo...@redhat.com Date: Tue, 22 Jul 2014 16:39:36 +0200 Subject: [PATCH] webui: replace action_buttons with action_widget Simplify code base by reuse of 'disable' feature of button_widget. All occurrences of action-button which were disabled/enabled were replaced by button-widget. https://fedorahosted.org/freeipa/ticket/4258 --- install/ui/src/freeipa/association.js | 45 +++- install/ui/src/freeipa/dns.js | 45 +++- install/ui/src/freeipa/sudo.js| 34 -- install/ui/src/freeipa/widget.js | 55 +-- ipatests/test_webui/ui_driver.py | 42
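Review bot: in the hbactest.js hunks of patch 714, `click: that.prev` (likewise `that.next`, `that.run`, `that.new_test`) captures the function reference at the moment the buttons are built, whereas the removed closures looked `that.prev` up at click time; a facet that overrides these methods after the buttons exist will now invoke the original implementation. The removed handlers also returned `false` to suppress the anchor's default action; unless the button constructor does that itself, keep a thin wrapper such as `click: function() { that.prev(); return false; }`. The ipa.css hunk dropping `.action-button-disabled` is consistent with the commit message.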
Re: [Freeipa-devel] Reasons for not using certmonger DBus API
On Wed, Jul 23, 2014 at 11:32:52AM +0300, Alexander Bokovoy wrote: Were there DBus Python bindings available in RHEL 5/6 at the time when the code was written? Yes, but the API itself wasn't all there, and large parts of the internals needed to be rewritten around its 0.53 release. Before then, it didn't expose _anything_ as properties. The methods that return data were all that it provided. HTH, Nalin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] Reasons for not using certmonger DBus API
On Wed, Jul 23, 2014 at 10:12:39AM +0200, Martin Kosek wrote: Certmonger API looked complete enough to pull this off: https://git.fedorahosted.org/cgit/certmonger.git/tree/doc/api.txt If I am wrong, please tell me. No, it's meant to be complete -- the getcert command only uses the APIs to talk to the daemon, so they provide at least what it needs. Two words of caution: * That file's manually maintained, so it might not completely reflect what's available. The introspection data's generated at runtime, so if you poke the service with an introspection request, or using d-feet, which does so under the covers, you might spot discrepancies. It probably goes without saying, but please report any that you find. * The majority of properties are currently marked read-only, and you currently have to use the 'modify' API request to change them. Mostly this is a result of 'getcert' not having needed anything more than that, and properties having been added after the initial versions, so it's not set in stone. HTH, Nalin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0105 FIX: LDAP_updater
On 07/23/2014 03:17 PM, Martin Basti wrote: This patch fixes ordering problem of schema updates Martin should it be in IPA 4.0.x ? It requires rebased ldap_python (will be in Fedora 21) Patch attached If current LDAP updater does not fail or crash on 4.0.x, I would personally leave this change for FreeIPA 4.1. Note that you may need to also add the new python-ldap build to pviktori's COPR repo to make it available to Fedora 20 users. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 0005 Verify otptoken timespan is valid
https://fedorahosted.org/freeipa/ticket/4244 -- David Kupka From 513fd9b6cf7502ed08e31318dd9425bc12392720 Mon Sep 17 00:00:00 2001 From: David Kupka dku...@redhat.com Date: Wed, 23 Jul 2014 15:32:18 +0200 Subject: [PATCH] Verify otptoken timespan is valid When creating or modifying otptoken check that token validity start is not after validity end. https://fedorahosted.org/freeipa/ticket/4244 --- ipalib/plugins/otptoken.py | 38 +- 1 file changed, 37 insertions(+), 1 deletion(-) diff --git a/ipalib/plugins/otptoken.py b/ipalib/plugins/otptoken.py index 2880ee660d5dcdb18c504f50d7b72f5b8fb43d48..7dc01caafdf73e3f54bb4fbdb2ee5e8540e09e74 100644 --- a/ipalib/plugins/otptoken.py +++ b/ipalib/plugins/otptoken.py @@ -21,7 +21,7 @@ from ipalib.plugins.baseldap import DN, LDAPObject, LDAPAddMember, LDAPRemoveMem from ipalib.plugins.baseldap import LDAPCreate, LDAPDelete, LDAPUpdate, LDAPSearch, LDAPRetrieve from ipalib import api, Int, Str, Bool, DateTime, Flag, Bytes, IntEnum, StrEnum, Password, _, ngettext from ipalib.plugable import Registry -from ipalib.errors import PasswordMismatch, ConversionError, LastMemberError, NotFound +from ipalib.errors import PasswordMismatch, ConversionError, LastMemberError, NotFound, ValidationError from ipalib.request import context from ipalib.frontend import Local @@ -103,6 +103,17 @@ def _normalize_owner(userobj, entry_attrs): if owner is not None: entry_attrs['ipatokenowner'] = userobj.get_dn(owner) +def _check_interval(not_before, not_after): + +if not_before and not_after: +if type(not_before) is str: +not_before = DateTime('not_before')._convert_scalar(not_before) +if type(not_after) is str: +not_after = DateTime('not_after')._convert_scalar(not_after) + +if not_before not_after: +return False +return True @register() class otptoken(LDAPObject): 
@@ -254,6 +265,11 @@ class otptoken_add(LDAPCreate): entry_attrs['ipatokenuniqueid'] = str(uuid.uuid4()) dn = DN(ipatokenuniqueid=%s % entry_attrs['ipatokenuniqueid'], dn) +if not _check_interval(entry_attrs.get('ipatokennotbefore', None), + entry_attrs.get('ipatokennotafter', None)): +raise ValidationError(name='not_after', +error='is before not_before!') + # Set the object class and defaults for specific token types entry_attrs['objectclass'] = otptoken.object_class + ['ipatoken' + options['type']] for ttype, tattrs in TOKEN_TYPES.items(): @@ -336,6 +352,26 @@ class otptoken_mod(LDAPUpdate): msg_summary = _('Modified OTP token %(value)s') def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): +notafter_set = True +notbefore = entry_attrs.get('ipatokennotbefore', None) +notafter = entry_attrs.get('ipatokennotafter', None) +# notbefore xor notafter, exactly one of them is not None +if bool(notbefore) ^ bool(notafter): +result = self.api.Command.otptoken_find(ipatokenuniqueid= +entry_attrs.get('ipatokenuniqueid', None))['result'] +if result: +if notbefore is None: +notbefore = result[0]['ipatokennotbefore'][0] +if notafter is None: +notafter_set = False +notafter = result[0]['ipatokennotafter'][0] +if not _check_interval(notbefore, notafter): +if notafter_set: +raise ValidationError(name='not_after', +error='is before not_before!') +else: +raise ValidationError(name='not_before', +error='is after not_after!') _normalize_owner(self.api.Object.user, entry_attrs) return dn -- 1.9.3 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
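Review bot: in the `otptoken_mod` pre_callback hunk, `result[0]['ipatokennotbefore'][0]` and `result[0]['ipatokennotafter'][0]` raise `KeyError` when the stored token has no bound on that side, which is the common case since both attributes are optional; `ipa otptoken-mod --not-after=...` on a token without `ipatokennotbefore` would therefore fail with an internal error. Use `result[0].get('ipatokennotbefore', [None])[0]` (and the same for `ipatokennotafter`); `_check_interval` already treats `None` as unbounded via `if not_before and not_after`.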
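Review bot: the `ValidationError` messages in the `otptoken_add` and `otptoken_mod` hunks (`error='is before not_before!'`, `error='is after not_after!'`) are plain strings, while the rest of the plugin wraps user-visible text in `_()` (see `msg_summary = _('Modified OTP token %(value)s')`). Wrap them for translation, and since `_check_interval` is shared by both commands, the two identical `raise ValidationError(...)` sites could be folded into one helper that takes the offending option name.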
[Freeipa-devel] [PATCH] 0006 Fix group-remove-member crash when group is removed from a protected group
https://fedorahosted.org/freeipa/ticket/4448 -- David Kupka From 306fd94ae35f153bd7eabf80217219ec25b2189b Mon Sep 17 00:00:00 2001 From: David Kupka dku...@redhat.com Date: Wed, 23 Jul 2014 16:02:17 +0200 Subject: [PATCH] Fix group-remove-member crash when group is removed from a protected group https://fedorahosted.org/freeipa/ticket/4448 --- ipalib/plugins/group.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipalib/plugins/group.py b/ipalib/plugins/group.py index af5d4b6bf5217fcda912a92453d15cd0974c1c53..4890bab111c2882ed34cfe28e7384982b9815ac4 100644 --- a/ipalib/plugins/group.py +++ b/ipalib/plugins/group.py @@ -526,7 +526,7 @@ class group_remove_member(LDAPRemoveMember): protected_group_name = keys[0] result = api.Command.group_show(protected_group_name) users_left = set(result['result'].get('member_user', [])) -users_deleted = set(options['user']) +users_deleted = set(options.get('user',[])) if users_left.issubset(users_deleted): raise errors.LastMemberError(key=sorted(users_deleted)[0], label=_(u'group'), container=protected_group_name) -- 1.9.3 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
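Review bot: `set(options.get('user',[]))` fixes the missing-key crash, but if a caller passes `user=None` explicitly (which the framework's `convert` step leaves as `None`), `set(None)` raises `TypeError`; `set(options.get('user') or [])` covers both cases. Since the block exists only to protect the last member, it can also be skipped outright when no users are being removed, which saves the `api.Command.group_show` round trip. Style: PEP 8 wants a space after the comma in `('user',[])`.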
Re: [Freeipa-devel] [PATCH] 0006 Fix group-remove-member crash when group is removed from a protected group
On 07/23/2014 04:08 PM, David Kupka wrote: https://fedorahosted.org/freeipa/ticket/4448 Alternatively, we could also update the if condition to avoid running this section at all when options['user'] does not exist or is empty. This would save us at least from api.Command.group_show call. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0006 Fix group-remove-member crash when group is removed from a protected group
Martin Kosek wrote: On 07/23/2014 04:08 PM, David Kupka wrote: https://fedorahosted.org/freeipa/ticket/4448 Alternatively, we could also update the if condition to avoid running this section at all when options['user'] does not exist or is empty. This would save us at least from api.Command.group_show call. A new test or tests would be nice as well. rob ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 479 Do not require dogtag-pki-server-theme
The theme package contains resources for the PKI web interface. This interface is not needed by FreeIPA as it rather utilizes its API. As recommended in https://bugzilla.redhat.com/show_bug.cgi?id=1068029#c5, remove this hard dependency. -- Martin Kosek mko...@redhat.com Supervisor, Software Engineering - Identity Management Team Red Hat Inc. From 6f3d9105ac1a822e5cdbf58148dd609c9256fad5 Mon Sep 17 00:00:00 2001 From: Martin Kosek mko...@redhat.com Date: Wed, 23 Jul 2014 16:35:13 +0200 Subject: [PATCH] Do not require dogtag-pki-server-theme The theme package contains resources for the PKI web interface. This interface is not needed by FreeIPA as it rather utilizes its API. As recommended in https://bugzilla.redhat.com/show_bug.cgi?id=1068029#c5, remove this hard dependency. --- freeipa.spec.in | 1 - 1 file changed, 1 deletion(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index 447b532b66a0329a5715aca98222ab0ef1aebee4..5e0fe961f2a90a67ecaa8f12f0b0f031d64ca4ce 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -112,7 +112,6 @@ Requires: selinux-policy = 3.12.1-176 Requires(post): selinux-policy-base Requires: slapi-nis = 0.47.7 Requires: pki-ca = 10.1.1 -Requires: dogtag-pki-server-theme %if 0%{?rhel} Requires: subscription-manager %endif -- 1.9.3 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
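Review bot: removing the `Requires: dogtag-pki-server-theme` line changes only fresh installs; servers that already have the package keep it on upgrade, so behaviour will diverge between new and upgraded deployments. That deserves a line in the release notes, and where the packaging target supports weak dependencies a `Recommends: dogtag-pki-server-theme` would keep the default install unchanged while still dropping the hard requirement the bugzilla comment objects to.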
Re: [Freeipa-devel] [PATCH] 0105 FIX: LDAP_updater
On 23/07/14 15:30, Rob Crittenden wrote: Martin Basti wrote: This patch fixes ordering problem of schema updates Martin should it be in IPA 4.0.x ? It requires rebased ldap_python (will be in Fedora 21) Patch attached It looks like the modlist is only generated during a live run which would diminish the utility of the --test mode. Is it safe to assume this was done on purpose because schema changes are being done incrementally vs done all at once, so that parent classes may not exist in test mode? rob My bad, I fixed it. Now modlist will show updated data in --test mode too. Data are not updated to LDAP in test mode, so there is no restrictions to have a proper order of classes, and could be written all at once. Updated patch attached. -- Martin Basti From cfc259534ea5d8aaff2c57f66cf41a87864e1fcd Mon Sep 17 00:00:00 2001 From: Martin Basti mba...@redhat.com Date: Wed, 23 Jul 2014 14:42:33 +0200 Subject: [PATCH] FIX: ldap_updater needs correct orderng of the updates Required bugfix in python-ldap 2.4.15 Updates must respect SUP objectclasses/attributes and update dependencies first --- freeipa.spec.in | 2 +- ipaserver/install/schemaupdate.py | 116 ++ 2 files changed, 80 insertions(+), 38 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index 447b532b66a0329a5715aca98222ab0ef1aebee4..202df6a6b85d62b17a711014261f69f86c9763df 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -98,7 +98,7 @@ Requires: httpd = 2.4.6-6 Requires: mod_wsgi Requires: mod_auth_kerb = 5.4-16 Requires: mod_nss = 1.0.8-26 -Requires: python-ldap +Requires: python-ldap = 2.4.15 Requires: python-krbV Requires: acl Requires: python-pyasn1 diff --git a/ipaserver/install/schemaupdate.py b/ipaserver/install/schemaupdate.py index bb2f0f161499c0358452d97f27f5c39b9b64a5ad..3dbcf7882e410af5a08fe23d23677ad5d0ea01c4 100644 --- a/ipaserver/install/schemaupdate.py +++ b/ipaserver/install/schemaupdate.py 
@@ -29,17 +29,58 @@ from ipaserver.install.ldapupdate import connect from ipaserver.install import installutils -SCHEMA_ELEMENT_CLASSES = { +SCHEMA_ELEMENT_CLASSES = ( # All schema model classes this tool can modify -'objectclasses': ldap.schema.models.ObjectClass, -'attributetypes': ldap.schema.models.AttributeType, -} +# Depends on order, attributes first, then objectclasses +('attributetypes', ldap.schema.models.AttributeType), +('objectclasses', ldap.schema.models.ObjectClass), +) + +SCHEMA_ELEMENT_CLASSES_KEYS = (x[0] for x in SCHEMA_ELEMENT_CLASSES) ORIGIN = 'IPA v%s' % ipapython.version.VERSION log = log_mgr.get_logger(__name__) +def _get_oid_dependency_order(schema, cls): + +Returns a ordered list of OIDs sets, in order which respects inheritance in LDAP +OIDs in second set, depend on first set, etc. + +:return [set(1st-tree-level), set(2nd-tree-level), ...] + +top_node = '_' +ordered_oid_groups = [] + +tree = schema.tree(cls) # tree structure of schema + +# remove top_node from tree, it breaks ordering +# we don't need this, tree from file is not consistent +del tree[top_node] +unordered_oids = tree.keys() + +# split into two groups, parents and child nodes, and iterate until +# child nodes are not empty +while unordered_oids: +parent_nodes = set() +child_nodes = set() + +for node in unordered_oids: +if node not in child_nodes: +# if node was child once, must remain as child +parent_nodes.add(node) +for child_oid in tree[node]: +# if any node is child, must be removed from parents +parent_nodes.discard(child_oid) +child_nodes.add(child_oid) + +ordered_oid_groups.append(parent_nodes) +unordered_oids = child_nodes + +return ordered_oid_groups + + def update_schema(schema_files, ldapi=False, dm_password=None, live_run=True): Update schema to match the given ldif files 
@@ -69,57 +110,58 @@ def update_schema(schema_files, ldapi=False, dm_password=None, live_run=True): old_schema = conn.schema schema_entry = conn.get_entry(DN(('cn', 'schema')), - SCHEMA_ELEMENT_CLASSES.keys()) + SCHEMA_ELEMENT_CLASSES_KEYS) modified = False # The exact representation the DS gives us for each OID # (for debug logging) old_entries_by_oid = {cls(str(attr)).oid: str(attr) - for attrname, cls in SCHEMA_ELEMENT_CLASSES.items() + for (attrname, cls) in SCHEMA_ELEMENT_CLASSES for attr in schema_entry[attrname]} for filename in schema_files: log.info('Processing schema LDIF file %s', filename) dn, new_schema =
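Review bot: the v2 patch still defines `SCHEMA_ELEMENT_CLASSES_KEYS = (x[0] for x in SCHEMA_ELEMENT_CLASSES)` as a generator expression, which the first `conn.get_entry(...)` consumes; make it `tuple(...)` so `update_schema()` can be called more than once per process. The `_get_oid_dependency_order()` loop is also unchanged and still has no guard against a SUP cycle in the input LDIF.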
[Freeipa-devel] [PATCH] 715 webui: add bounce url to reset_password.html
reset_password.html now redirects browser to URL specified in 'redirect' uri component (if present). The component has to be URI encoded. ie (in browser console): $ encodeURIComponent('http://pvoborni.fedorapeople.org/doc/#!/guide/Debugging') -- http%3A%2F%2Fpvoborni.fedorapeople.org%2Fdoc%2F%23!%2Fguide%2FDebugging -- https://my.freeipa.server/ipa/ui/reset_password.html?redirect=http%3A%2F%2Fpvoborni.fedorapeople.org%2Fdoc%2F%23!%2Fguide%2FDebugging https://fedorahosted.org/freeipa/ticket/4440 -- Petr Vobornik From 975c1afb4a96d699a43f9c68af343316659d7c6d Mon Sep 17 00:00:00 2001 From: Petr Vobornik pvobo...@redhat.com Date: Wed, 23 Jul 2014 16:53:56 +0200 Subject: [PATCH] webui: add bounce url to reset_password.html reset_password.html now redirects browser to URL specified in 'redirect' uri component (if present). The component has to be URI encoded. ie (in browser console): $ encodeURIComponent('http://pvoborni.fedorapeople.org/doc/#!/guide/Debugging') -- http%3A%2F%2Fpvoborni.fedorapeople.org%2Fdoc%2F%23!%2Fguide%2FDebugging -- https://my.freeipa.server/ipa/ui/reset_password.html?redirect=http%3A%2F%2Fpvoborni.fedorapeople.org%2Fdoc%2F%23!%2Fguide%2FDebugging https://fedorahosted.org/freeipa/ticket/4440 --- install/ui/reset_password.js | 24 1 file changed, 24 insertions(+) diff --git a/install/ui/reset_password.js b/install/ui/reset_password.js index bc08349876ea18d204ce4d6e8ae7724878967620..1afc76eba061a7015d1e817e840177fd60e35160 100644 --- a/install/ui/reset_password.js +++ b/install/ui/reset_password.js @@ -114,6 +114,7 @@ RP.on_submit = function() { } else { RP.reset_form(); RP.show_success(Password reset was successful.); +RP.redirect(); } }; 
@@ -140,6 +141,29 @@ RP.show_success = function(message) { $('.alert-success').css('display', ''); }; +RP.parse_uri = function() { +var opts = {}; +if (window.location.search.length 1) { +var couples = window.location.search.substr(1).split(); +for (var i=0,l=couples.length; i l; i++) { +var couple = couples[i].split(=); +var key = decodeURIComponent(couple[0]); +var value = couple.length 1 ? decodeURIComponent(couple[1]) : ''; +opts[key] = value; +} +} +return opts; +}; + +RP.redirect = function() { + +var opts = RP.parse_uri(); +var url = opts['redirect']; +if (url) { +window.location = url; +} +}; + RP.init = function() { -- 1.9.3 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
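Review bot: `RP.redirect` assigns whatever the `redirect` query parameter contains to `window.location` with no check, which makes the password-reset page an open redirect and, because a `javascript:` URL assigned to `window.location` executes in the page, a script-injection sink as well: a phishing mail can link to the genuine `reset_password.html?redirect=...`, let the user change their password on the real server, and then bounce them to an attacker host. Accept only relative paths or URLs whose origin equals `window.location.origin` over http(s) and ignore everything else. Also, `RP.parse_uri` calls `decodeURIComponent` on raw input, which throws `URIError` on a malformed escape such as `%E0`; since `RP.redirect()` runs after `RP.show_success(...)` in `on_submit`, that exception surfaces after the password has already been reset. Wrap the decode in try/catch.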
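The following is an added example, not code from the patch or from the FreeIPA project: it parses the query string the same way the patch's `RP.parse_uri` does, then only follows the `redirect` value when it resolves to the page's own origin over http(s). The origin `https://ipa.example.test` and the function names are placeholders chosen for the example; in the browser the page origin would come from `window.location.origin`.

```javascript
// Added example (not from the FreeIPA patch). Parse the reset page's query
// string and validate the 'redirect' parameter before navigating to it.
// 'https://ipa.example.test' below is a made-up placeholder origin.

function parseQuery(search) {
    // search is window.location.search, e.g. "?redirect=%2Fipa%2Fui%2F&x=1"
    var opts = {};
    if (search.length > 1) {
        var couples = search.substr(1).split('&');
        for (var i = 0, l = couples.length; i < l; i++) {
            var couple = couples[i].split('=');
            try {
                var key = decodeURIComponent(couple[0]);
                // keep '=' characters inside the value intact
                var value = couple.length > 1
                    ? decodeURIComponent(couple.slice(1).join('='))
                    : '';
                opts[key] = value;
            } catch (e) {
                // malformed percent-escape such as "%E0": skip this pair
                // instead of letting URIError abort the caller
            }
        }
    }
    return opts;
}

function safeRedirectTarget(candidate, pageOrigin) {
    // Resolve candidate against the page origin so relative paths work, then
    // accept it only if it stays on that origin over http(s). Cross-origin
    // URLs, protocol-relative "//host/..." URLs and javascript:/data: schemes
    // all fail and yield null.
    if (!candidate) {
        return null;
    }
    var target;
    try {
        target = new URL(candidate, pageOrigin);
    } catch (e) {
        return null;
    }
    if (target.protocol !== 'https:' && target.protocol !== 'http:') {
        return null;
    }
    if (target.origin !== new URL(pageOrigin).origin) {
        return null;
    }
    return target.href;
}

function redirectFromQuery(search, pageOrigin) {
    // Returns the absolute URL to navigate to, or null to stay on the page.
    return safeRedirectTarget(parseQuery(search)['redirect'], pageOrigin);
}

// Browser wiring (commented out so the block runs under Node as well):
//   var url = redirectFromQuery(window.location.search, window.location.origin);
//   if (url) { window.location = url; }
```

The origin comparison is done on the parsed `URL` object rather than by string prefix, so lookalikes such as `https://ipa.example.test.evil.example/` and backslash tricks that some browsers normalise to a different host are rejected along with `javascript:` and `//evil.example` values.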
Re: [Freeipa-devel] [PATCH] 0005 Verify otptoken timespan is valid
Hi, On 23.7.2014 15:46, David Kupka wrote: https://fedorahosted.org/freeipa/ticket/4244 1) Use isinstance(X, Y) instead of type(X) is Y. 2) When is type(not_before) is str or type(not_after) is str true? The values coming from command options or LDAP should always be datetime, never str. 3) There are some misindentations: +raise ValidationError(name='not_after', +error='is before not_before!') +raise ValidationError(name='not_after', +error='is before not_before!') +raise ValidationError(name='not_before', +error='is after not_after!') 4) We don't do exclamation marks in errors messages. 5) Generally, when you want to validate command options, you should look into options, not entry_attrs. 6) This is not right: +result = self.api.Command.otptoken_find(ipatokenuniqueid= +entry_attrs.get('ipatokenuniqueid', None))['result'] This is: +result = self.api.Command.otptoken_show(keys[-1])['result'] Honza -- Jan Cholasta ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 479 Do not require dogtag-pki-server-theme
On Wed, 23 Jul 2014, Martin Kosek wrote: Theme package is contains resources for PKI web interface. This interface is not needed by FreeIPA as it rather utilizes it's API. As recommended in https://bugzilla.redhat.com/show_bug.cgi?id=1068029#c5, remove this hard dependency. I've seen several times that people continue using PKI web interfaces for things we do not support yet, like issuing user certificates and the rest of features supported in Dogtag. I think this change might be subtle but otherwise breaking for some users. -- / Alexander Bokovoy ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 479 Do not require dogtag-pki-server-theme
On 07/23/2014 05:07 PM, Alexander Bokovoy wrote: On Wed, 23 Jul 2014, Martin Kosek wrote: Theme package is contains resources for PKI web interface. This interface is not needed by FreeIPA as it rather utilizes it's API. As recommended in https://bugzilla.redhat.com/show_bug.cgi?id=1068029#c5, remove this hard dependency. I've seen several times that people continue using PKI web interfaces for things we do not support yet, like issuing user certificates and the rest of features supported in Dogtag. I think this change might be subtle but otherwise breaking for some users. Ah, I personally did not see that yet. However, as this is still quite hacky and experimental use of FreeIPA PKI, it should not be in the list of hard requirements IMO. People who really need to use this interface can always install the package. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 479 Do not require dogtag-pki-server-theme
On Wed, 23 Jul 2014, Martin Kosek wrote: On 07/23/2014 05:07 PM, Alexander Bokovoy wrote: On Wed, 23 Jul 2014, Martin Kosek wrote: The theme package contains resources for the PKI web interface. This interface is not needed by FreeIPA as it rather utilizes its API. As recommended in https://bugzilla.redhat.com/show_bug.cgi?id=1068029#c5, remove this hard dependency. I've seen several times that people continue using PKI web interfaces for things we do not support yet, like issuing user certificates and the rest of the features supported in Dogtag. I think this change might be subtle but otherwise breaking for some users. Ah, I personally did not see that yet. However, as this is still quite hacky and experimental use of FreeIPA PKI, it should not be in the list of hard requirements IMO. People who really need to use this interface can always install the package. At the very least this change has to be in the release notes. -- / Alexander Bokovoy
Re: [Freeipa-devel] [PATCH] 479 Do not require dogtag-pki-server-theme
On 07/23/2014 05:21 PM, Alexander Bokovoy wrote: On Wed, 23 Jul 2014, Martin Kosek wrote: On 07/23/2014 05:07 PM, Alexander Bokovoy wrote: On Wed, 23 Jul 2014, Martin Kosek wrote: The theme package contains resources for the PKI web interface. This interface is not needed by FreeIPA as it rather utilizes its API. As recommended in https://bugzilla.redhat.com/show_bug.cgi?id=1068029#c5, remove this hard dependency. I've seen several times that people continue using PKI web interfaces for things we do not support yet, like issuing user certificates and the rest of the features supported in Dogtag. I think this change might be subtle but otherwise breaking for some users. Ah, I personally did not see that yet. However, as this is still quite hacky and experimental use of FreeIPA PKI, it should not be in the list of hard requirements IMO. People who really need to use this interface can always install the package. At the very least this change has to be in the release notes. I think I see the deal - apply the patch only for FreeIPA 4.1 and master (and not for 4.0.x) and add appropriate release notes for 4.1, when released. Martin
Re: [Freeipa-devel] [PATCH] 479 Do not require dogtag-pki-server-theme
On Wed, 23 Jul 2014, Martin Kosek wrote: On 07/23/2014 05:21 PM, Alexander Bokovoy wrote: On Wed, 23 Jul 2014, Martin Kosek wrote: On 07/23/2014 05:07 PM, Alexander Bokovoy wrote: On Wed, 23 Jul 2014, Martin Kosek wrote: The theme package contains resources for the PKI web interface. This interface is not needed by FreeIPA as it rather utilizes its API. As recommended in https://bugzilla.redhat.com/show_bug.cgi?id=1068029#c5, remove this hard dependency. I've seen several times that people continue using PKI web interfaces for things we do not support yet, like issuing user certificates and the rest of the features supported in Dogtag. I think this change might be subtle but otherwise breaking for some users. Ah, I personally did not see that yet. However, as this is still quite hacky and experimental use of FreeIPA PKI, it should not be in the list of hard requirements IMO. People who really need to use this interface can always install the package. At the very least this change has to be in the release notes. I think I see the deal - apply the patch only for FreeIPA 4.1 and master (and not for 4.0.x) and add appropriate release notes for 4.1, when released. Agreed. -- / Alexander Bokovoy
Re: [Freeipa-devel] [PATCH] ipa trust-add command should be interactive
Nope. Somehow in my head it felt cleaner. Updated patch attached. On Wed, Jul 23, 2014 at 1:18 AM, Jan Cholasta jchol...@redhat.com wrote: On 23.7.2014 01:01, Gabe Alford wrote: Forgot about --trust-secret. Here is an updated patch. On Mon, Jul 21, 2014 at 2:31 AM, Jan Cholasta jchol...@redhat.com wrote: On 21.7.2014 10:28, Martin Kosek wrote: On 07/21/2014 09:56 AM, Jan Cholasta wrote: Hi, On 16.7.2014 05:48, Gabe Alford wrote: Hello, Adds AD admin and password to interactive commands. https://fedorahosted.org/freeipa/ticket/3034 Thanks, Gabe I think that instead of making the parameters mandatory, you should instead set alwaysask=True on them. Honza Trust can be established either with user+password options OR with --trust-secret option - i.e. you cannot use mandatory options nor alwaysask. Ah, right. This would rather lead to interactive_prompt_callback checking if any authentication method is passed and asking for them if they aren't. +1 Martin -- Jan Cholasta I don't think using an extra function to update a value in a dictionary is very beneficial, is there a reason not to use kw[X] = self.prompt_param(self.params[X]) directly? -- Jan Cholasta From cae886c1d3810d89feb3a2f26afcb6a38319005f Mon Sep 17 00:00:00 2001 From: Gabe redhatri...@gmail.com Date: Wed, 23 Jul 2014 16:12:25 -0600 Subject: [PATCH] ipa trust-add command should be interactive - Make ipa trust-add command interactive for realm_admin and realm_passwd - Fix 'Active directory' typo to 'Active Directory' https://fedorahosted.org/freeipa/ticket/3034 --- ipalib/plugins/trust.py | 33 - 1 file changed, 32 insertions(+), 1 deletion(-) diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py index fe1a76719b0e35136fb46d917bd998cdfd631695..7153253167001cca05c87d199c0843112d5333bd 100644 --- a/ipalib/plugins/trust.py +++ b/ipalib/plugins/trust.py 
@@ -435,7 +435,7 @@ sides. ), Password('realm_passwd?', cli_name='password', -label=_(Active directory domain administrator's password), +label=_(Active Directory domain administrator's password), confirm=False, ), Str('realm_server?', @@ -511,6 +511,37 @@ sides. return result +def interactive_prompt_callback(self, kw): + +Ensure that trust_type is prompted for if any reason there is no +default. + +Also ensure that realm_admin is prompted for if --admin or +--trust-secret is not specified when 'ipa trust-add' is run on the +system. + +Also ensure that realm_passwd is prompted for if --password or +--trust-secret is not specified when 'ipa trust-add' is run on the +system. + + +trust_secret = kw.get('trust_secret') +trust_type = kw.get('trust_type') +realm_admin = kw.get('realm_admin') +realm_passwd = kw.get('realm_passwd') + +if trust_type is None: +kw['trust_type'] = self.prompt_param(self.params['trust_type']) + +if trust_secret is None: +if realm_admin is None: +kw['realm_admin'] = self.prompt_param( + self.params['realm_admin']) + +if realm_passwd is None: +kw['realm_passwd'] = self.Backend.textui.prompt_password( + self.params['realm_passwd'].label, confirm=False) + def validate_options(self, *keys, **options): if not _bindings_installed: raise errors.NotFound( -- 2.0.0 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
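Review bot: the label change in the first hunk (`-label=_(Active directory domain administrator's password),` to `Active Directory`) is unrelated to ticket 3034; it is harmless, but it would be cleaner as its own commit so the typo fix can be cherry-picked or backported independently of the prompting change.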
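Review bot: in the second hunk the `if trust_type is None:` check in interactive_prompt_callback does not match its docstring. The docstring says trust_type is prompted for "if any reason there is no default", but kw only holds what was typed on the command line, so the condition is true whenever --type was omitted and the user will be asked for the trust type on every interactive run even though the parameter normally has a default; either drop that branch or document that always prompting is intended. The docstring is also loose about realm_admin: it says the prompt happens "if --admin or --trust-secret is not specified", whereas the code under `if trust_secret is None:` prompts only when neither is given, which is the behaviour the thread agreed on, so the docstring should say so. Finally, the two prompts go through different paths: realm_admin uses `kw['realm_admin'] = self.prompt_param(self.params['realm_admin'])` as suggested earlier, while realm_passwd calls `self.Backend.textui.prompt_password(self.params['realm_passwd'].label, confirm=False)` directly; since the Password parameter is already declared with `confirm=False` in the first hunk, prompt_param should be able to handle it too and keep both prompts consistent.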
[Freeipa-devel] [PATCH 0026][DOC] Typo in sudocmd in documentation
Hello, Fix for https://fedorahosted.org/freeipa/ticket/4451 Thanks, Gabe From e995aa908933b31509ce02ba6a57fc20fa4fc245 Mon Sep 17 00:00:00 2001 From: Gabe redhatri...@gmail.com Date: Wed, 23 Jul 2014 16:19:18 -0600 Subject: [PATCH] Typo in upstream documentation - Fix typo with --sudocmds option https://fedorahosted.org/freeipa/ticket/4451 --- src/user_guide/en-US/Sudo.xml | 10 +- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/src/user_guide/en-US/Sudo.xml b/src/user_guide/en-US/Sudo.xml index 64127aa8d787f5d484c3897eb5dba17c6375ac9c..5b4b9088a46b69855a75f69a619cbe8b24f4497d 100644 --- a/src/user_guide/en-US/Sudo.xml +++ b/src/user_guide/en-US/Sudo.xml @@ -632,9 +632,9 @@ Added sudo rule files-commands /screen para - Next, add the commands to emphasisgrant/emphasis access to. This can be a single command, using option--sudocmd/option, or a group of commands, using option--sudocmdgroups/option. + Next, add the commands to emphasisgrant/emphasis access to. This can be a single command, using option--sudocmds/option, or a group of commands, using option--sudocmdgroups/option. -screen$ ipa sudorule-add-allow-command --sudocmd /usr/bin/vim files-commands +screen$ ipa sudorule-add-allow-command --sudocmds /usr/bin/vim files-commands Rule name: files-commands Enabled: TRUE sudo Commands: /usr/bin/vim 
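Review bot: the option in this hunk is now plural (`--sudocmds`) but the surrounding sentence still reads "This can be a single command, using --sudocmds"; since the option takes a list of commands, "one or more commands" would match the new name, and the same wording fix applies to the `--sudocmdgroups` half of the sentence. The example output in the trailing context (`sudo Commands: /usr/bin/vim`) is consistent with the renamed option.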
@@ -673,9 +673,9 @@ Number of members added 1 para The commandsudo/command rule can grant access or deny access to commands. For example, this rule would allow read access to files but prevent editing: /para -screen$ ipa sudorule-add-allow-command --sudocmd /usr/bin/less readfiles -$ ipa sudorule-add-allow-command --sudocmd /usr/bin/tail readfiles -$ ipa sudorule-add-deny-command --sudocmd /usr/bin/vim readfiles/screen +screen$ ipa sudorule-add-allow-command --sudocmds /usr/bin/less readfiles +$ ipa sudorule-add-allow-command --sudocmds /usr/bin/tail readfiles +$ ipa sudorule-add-deny-command --sudocmds /usr/bin/vim readfiles/screen /example example id=Ex.sudo-optionstitleUsing sudoers Options/title para -- 2.0.0 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] Storing/Looking up the creation time of a type
Hi devel, It would be particularly useful if each FreeIPA entry (e.g. user, host, service, etc.) had creation and last modified timestamps. Do these fields already exist, and if they do, how can I access them? If they do not, I would like to propose these as a feature request. One use case for this feature: if this data exists, then actions could be scripted based on how old something is. For example: * an admin could check for old entries in case they are unneeded * puppet could be told to not manage entries older than a certain date * entries could be sorted by last modified to browse recent activity * and so on... An example of how this could be specifically useful is explained in my just published Puppet+FreeIPA article: https://ttboj.wordpress.com/2014/07/24/hybrid-management-of-freeipa-types-with-puppet/ Thank you again, James
Re: [Freeipa-devel] Storing/Looking up the creation time of a type
On Thu, 24 Jul 2014, James wrote: Hi devel, It would be particularly useful if each FreeIPA entry (e.g. user, host, service, etc.) had creation and last modified timestamps. Do these fields already exist, and if they do, how can I access them? If they do not, I would like to propose these as a feature request.

These are called operational attributes and are available already, look at RFC 2251. 389-ds implements some more, check http://directory.fedoraproject.org/wiki/Howto:OperationalAttributes for details.

$ ldapsearch -Y GSSAPI uid=admin modifyTimestamp createTimestamp
SASL/GSSAPI authentication started
SASL username: ad...@t.vda.li
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base dc=t,dc=vda,dc=li (default) with scope subtree
# filter: uid=admin
# requesting: modifyTimestamp createTimestamp
#

# admin, users, compat, t.vda.li
dn: uid=admin,cn=users,cn=compat,dc=t,dc=vda,dc=li
modifyTimestamp: 20140722091651Z
createTimestamp: 20140722091651Z

# admin, users, accounts, t.vda.li
dn: uid=admin,cn=users,cn=accounts,dc=t,dc=vda,dc=li
modifyTimestamp: 20140724053745Z
createTimestamp: 20140722091018Z

# search result
search: 4
result: 0 Success

# numResponses: 3
# numEntries: 2

Note that the operational attributes modifyTimestamp and createTimestamp for the compat tree differ from the main tree due to the way the slapi-nis plugin works. If you stick to the main tree, you should be fine. -- / Alexander Bokovoy
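As an added example (not part of the reply above and not FreeIPA code), the following Python parses the ldapsearch LDIF output shown above and implements the age-based check the question proposes, skipping the cn=compat tree for the reason the reply gives. The LDIF text is constructed from the sample above, and EXAMPLE_NOW is an assumed clock value so the result is reproducible offline.

```python
"""Added example (not FreeIPA code): act on the createTimestamp and
modifyTimestamp operational attributes parsed from ldapsearch LDIF output."""
from datetime import datetime, timedelta, timezone

# Constructed from the ldapsearch sample in the reply above.
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base dc=t,dc=vda,dc=li (default) with scope subtree
# filter: uid=admin
# requesting: modifyTimestamp createTimestamp
#

# admin, users, compat, t.vda.li
dn: uid=admin,cn=users,cn=compat,dc=t,dc=vda,dc=li
modifyTimestamp: 20140722091651Z
createTimestamp: 20140722091651Z

# admin, users, accounts, t.vda.li
dn: uid=admin,cn=users,cn=accounts,dc=t,dc=vda,dc=li
modifyTimestamp: 20140724053745Z
createTimestamp: 20140722091018Z

# search result
search: 4
result: 0 Success

# numResponses: 3
# numEntries: 2
"""

# Assumed "current time" so the example is reproducible offline.
EXAMPLE_NOW = datetime(2014, 7, 31, 0, 0, 0, tzinfo=timezone.utc)


def parse_generalized_time(value):
    """LDAP GeneralizedTime as 389-ds emits it: YYYYMMDDHHMMSSZ, always UTC."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def parse_ldif(text):
    """Return a list of entries, each a dict attr -> [values] (dn included).

    Comment lines are skipped, a blank line ends an entry, and a line that
    starts with a space continues the previous value (LDIF folding). Lines
    such as 'result: 0 Success' that sit outside any entry are ignored."""
    entries, current, last_key = [], None, None
    for raw in text.splitlines():
        if raw.startswith('#'):
            continue
        if raw == '':
            if current:
                entries.append(current)
            current, last_key = None, None
            continue
        if raw.startswith(' ') and current is not None and last_key:
            current[last_key][-1] += raw[1:]
            continue
        key, sep, value = raw.partition(': ')
        if not sep:
            continue
        if key == 'dn':
            current = {'dn': [value]}
        elif current is not None:
            current.setdefault(key, []).append(value)
        last_key = key
    if current:
        entries.append(current)
    return entries


def entries_older_than(entries, max_age_days, now=EXAMPLE_NOW,
                       attr='modifyTimestamp', skip_compat=True):
    """Return [(dn, age)] for entries whose `attr` is older than max_age_days,
    oldest first. The compat tree is skipped by default because, as the reply
    notes, its timestamps come from slapi-nis and differ from the main tree."""
    old = []
    for entry in entries:
        dn = entry['dn'][0]
        if skip_compat and ',cn=compat,' in dn:
            continue
        stamps = entry.get(attr)
        if not stamps:
            continue
        age = now - parse_generalized_time(stamps[0])
        if age > timedelta(days=max_age_days):
            old.append((dn, age))
    return sorted(old, key=lambda item: item[1], reverse=True)


if __name__ == '__main__':
    for dn, age in entries_older_than(parse_ldif(SAMPLE_LDIF), 5):
        print("%s last modified %d days ago" % (dn, age.days))
```

Filtering by `,cn=compat,` in the DN is what makes the result trustworthy: with skip_compat=False the compat copy of admin shows up as the older of the two, which is an artifact of slapi-nis regenerating that subtree, not a fact about the account.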