Re: [Freeipa-devel] Dogtag 10.2.0 is now in Debian

2014-10-19 Thread Martin Kosek
On 10/18/2014 05:42 PM, Timo Aaltonen wrote:
> On 18.10.2014 18:39, Timo Aaltonen wrote:
>>
>>  Hi!
>>
>>   I'm happy to announce that Dogtag (version 10.2.0) has finally entered
>> Debian unstable repository this week. Assuming there won't be any nasty
>> surprises, the next stable release ("Jessie") will include it. Many
>> thanks to Ade Lee who did the first pass of packaging the long chain of
>> dependencies, up to and including RESTEasy.
> 
> forgot the link
> https://packages.qa.debian.org/d/dogtag-pki.html
> 
> there's a small update coming early next week
> 

Thanks Timo for your great work! With Dogtag in Debian, we are getting very
close to including FreeIPA as well - looking forward to this day :-)

As usual, let us know if you hit problems with porting FreeIPA there or
extending our platform-independent code.

Thanks,
Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH] 482 Update contributors

2014-10-19 Thread Martin Kosek
On 10/17/2014 09:18 PM, Gabe Alford wrote:
> Not sure I can do this, but ACK.
> 
> Gabe
> 
> On Wed, Sep 24, 2014 at 6:32 AM, Martin Kosek  wrote:
> 
>> Add missing developers contributing to project git. Cancel "Past and
>> Occasional" section and merge the people in the right categories.
>>
>> Update .mailmap so that the Developer list can be easily re-generated.

If you feel confident in some FreeIPA area, then you can obviously try and do
the review! Thanks for ACKing this change though. I was mostly waiting before
pushing it to see if there is some resistance, but apparently there is none.

Pushed to:
master: e296137853547cf62e7dc15476449a3b2f8d5a06
ipa-4-1: 3e94aee790b327d99ea27e9b305be887e982

Martin



Re: [Freeipa-devel] [PATCH] slapi-nis: normalize memberUid search filter term for AD users

2014-10-19 Thread Alexander Bokovoy

On Sun, 19 Oct 2014, Jakub Hrozek wrote:

On Thu, Oct 09, 2014 at 02:01:16PM +0300, Alexander Bokovoy wrote:

Hi,

memberUid attribute has case-sensitive comparison defined but when we
construct memberUid for AD users (coming through SSSD), they are
normalized to lower case. Interestingly enough, 'uid' attribute has
case-insensitive comparison.

Work around the issue by low-casing the memberUid search term value when
it is a fully-qualified name (user@domain), meaning we do ask for a SSSD
user.

This is the patch on top of my ID views support patch.

https://bugzilla.redhat.com/show_bug.cgi?id=1130131
--
/ Alexander Bokovoy


The code reads good to me and passed some basic sanity testing... however,
I've been unable to reproduce the issue, so I'm not sure this counts as
a full ACK...

Thanks. I've already pushed the patch to slapi-nis and released 0.54
last week.

To reproduce the issue you just need to have an AD group with an AD user
searched in the compat tree with
'(&(objectclass=posixgroup)(cn=Domain Admins@AD.DOMAIN))'
and then search by memberUid with a case different from what is there,
i.e. '(&(objectclass=posixgroup)(memberUid=Administrator@AD.DOMAIN))' --
given that memberUid will be set to a normalized name, administrator@ad.domain,
the search will fail because memberUid comparison rule is case-sensitive
in RFC2307 schema.
--
/ Alexander Bokovoy
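An added example (not slapi-nis code) that reproduces the mismatch Alexander describes in a few lines of Python: a constructed compat-tree group entry is searched with a case-different memberUid term, first as typed and then after the patch's work-around of lower-casing fully qualified memberUid terms. The matching-rule table and the group entry are constructed for the demo.

```python
import re

# Equality matching rules for the attributes involved, taken from the
# RFC 2307 / core schema: memberUid is caseExactIA5Match (case-sensitive),
# uid and cn are caseIgnoreMatch. Constructed lookup table for this demo.
MATCHING_RULES = {
    "memberuid": "caseExactIA5Match",
    "uid": "caseIgnoreMatch",
    "cn": "caseIgnoreMatch",
    "objectclass": "objectIdentifierMatch",
}

# Constructed compat-tree group entry. slapi-nis stores memberUid for an AD
# user delivered by SSSD as the normalized (lower-case) fully qualified name.
GROUP_ENTRY = {
    "objectclass": ["posixgroup"],
    "cn": ["Domain Admins@AD.DOMAIN"],
    "gidnumber": ["1234000512"],
    "memberuid": ["administrator@ad.domain"],
}

# One equality term of a flat LDAP filter: (attr=value)
_TERM = re.compile(r"\(([^()=]+)=([^()]*)\)")


def values_match(attr, stored, wanted):
    """Compare two attribute values under the attribute's equality rule."""
    rule = MATCHING_RULES.get(attr.lower(), "caseIgnoreMatch")
    if rule == "caseExactIA5Match":
        return stored == wanted          # byte-for-byte, case matters
    return stored.lower() == wanted.lower()


def entry_matches(entry, filter_str):
    """Evaluate a flat AND filter such as (&(a=b)(c=d)) against an entry."""
    for attr, value in _TERM.findall(filter_str):
        stored = entry.get(attr.lower(), [])
        if not any(values_match(attr, s, value) for s in stored):
            return False
    return True


def normalize_memberuid_terms(filter_str):
    """Work-around from the patch: lower-case memberUid terms that are fully
    qualified (user@domain), i.e. that refer to SSSD-provided AD users.
    Unqualified (local IPA) names are left untouched."""
    def fix(m):
        attr, value = m.group(1), m.group(2)
        if attr.lower() == "memberuid" and "@" in value:
            value = value.lower()
        return "(%s=%s)" % (attr, value)
    return _TERM.sub(fix, filter_str)


if __name__ == "__main__":
    f = "(&(objectclass=posixgroup)(memberUid=Administrator@AD.DOMAIN))"
    print("as typed:  ", entry_matches(GROUP_ENTRY, f))   # False
    print("normalized:", entry_matches(GROUP_ENTRY, normalize_memberuid_terms(f)))   # True
```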



Re: [Freeipa-devel] [PATCH] 767-770 webui: hide applied to hosts tab for Default Trust View

2014-10-19 Thread Alexander Bokovoy

On Mon, 20 Oct 2014, Endi Sukma Dewata wrote:

On 10/17/2014 4:55 PM, Petr Vobornik wrote:

On 17.10.2014 22:51, Endi Sukma Dewata wrote:

On 10/10/2014 6:44 AM, Petr Vobornik wrote:

Web UI part of:

https://fedorahosted.org/freeipa/ticket/4615

Patch 767 is a little refactoring needed for $pre_op(as plain object)
work as intended even with instantiated objects + fixes a bug where
Evented objects were not considered a framework object.

Patch 768 switches tabs so we can hide it later

Patch 769 hides the tab

Patch 770 is not really needed (would like to hear options whether to
include it). It's in effect only if user somehow manages to open
'Applies to hosts' facet for 'Default trust view'. Maybe redirection
would be better - if we need to act.


For some reason I don't see the Default Trust View in the
database/CLI/UI with a brand new server installation. Alexander said he
will investigate on Monday.

The patches seem to be fine, I don't have any objections, feel free to
push. The missing Default Trust View is most likely unrelated to UI.


It should be added when you run ipa-adtrust-install.


OK, that fixed it. Some comments:

1. Shouldn't the Default Trust View entry be added during the initial 
installation? Although it's unlikely to conflict with user-defined 
entries, it's kind of strange to add a 'built-in' entry after the 
initial installation.

It only can contain entries from the trusted domains. Adding it before
we can serve trusted domains, i.e. before ipa-adtrust-install, makes
it more complicated as users will not be able to add overrides to it.

On the other hand, users will not be able to add entries there until
the actual trust is created, so maybe adding it as part of the default
configuration, even before ipa-adtrust-install, isn't a big issue at all,
if we would provide a proper help/hint message.

--
/ Alexander Bokovoy



Re: [Freeipa-devel] [PATCH] 771 webui: do not offer ipa users to Default Trust View

2014-10-19 Thread Endi Sukma Dewata

On 10/19/2014 8:22 AM, Petr Vobornik wrote:

On 17.10.2014 22:51, Endi Sukma Dewata wrote:

On 10/10/2014 6:45 AM, Petr Vobornik wrote:

https://fedorahosted.org/freeipa/ticket/4616


This patch does not apply. Does it depend on another patch?



rebased version attached. Should be applicable on master, ipa-4-1 and
patchset 767-770.


ACK.

--
Endi S. Dewata



Re: [Freeipa-devel] [PATCH] 767-770 webui: hide applied to hosts tab for Default Trust View

2014-10-19 Thread Endi Sukma Dewata

On 10/17/2014 4:55 PM, Petr Vobornik wrote:

On 17.10.2014 22:51, Endi Sukma Dewata wrote:

On 10/10/2014 6:44 AM, Petr Vobornik wrote:

Web UI part of:

https://fedorahosted.org/freeipa/ticket/4615

Patch 767 is a little refactoring needed for $pre_op(as plain object)
work as intended even with instantiated objects + fixes a bug where
Evented objects were not considered a framework object.

Patch 768 switches tabs so we can hide it later

Patch 769 hides the tab

Patch 770 is not really needed (would like to hear options whether to
include it). It's in effect only if user somehow manages to open
'Applies to hosts' facet for 'Default trust view'. Maybe redirection
would be better - if we need to act.


For some reason I don't see the Default Trust View in the
database/CLI/UI with a brand new server installation. Alexander said he
will investigate on Monday.

The patches seem to be fine, I don't have any objections, feel free to
push. The missing Default Trust View is most likely unrelated to UI.


It should be added when you run ipa-adtrust-install.


OK, that fixed it. Some comments:

1. Shouldn't the Default Trust View entry be added during the initial 
installation? Although it's unlikely to conflict with user-defined 
entries, it's kind of strange to add a 'built-in' entry after the 
initial installation.


2. The description field in the Settings page for Default Trust View 
should be read-only since the entry cannot be modified.


3. The Delete action in the Settings page for Default Trust View should 
not exist since the entry cannot be deleted. Probably the Actions 
drop-down list can be disabled.


4. I think this was discussed before, but I'm just not sure what the 
plan is. The current facet tab titles seem to be redundant since we 
already have facet group headers that say " overrides/applies 
to". Are we going to change "User/Group ID overrides" into 
"Users/Groups" and "Applied to hosts" into "Hosts"?


No major issue. ACK.

--
Endi S. Dewata



Re: [Freeipa-devel] [PATCH] [WIP] DNSSEC support - preview

2014-10-19 Thread Martin Basti

On 17/10/14 10:35, Petr Spacek wrote:

On 17.10.2014 10:08, Jan Cholasta wrote:

Dne 16.10.2014 v 20:01 Petr Spacek napsal(a):

On 16.10.2014 19:43, Jan Cholasta wrote:

Dne 16.10.2014 v 17:59 Martin Basti napsal(a):

On 10/10/14 09:17, Martin Kosek wrote:

On 10/09/2014 03:57 PM, Petr Spacek wrote:

Hello,

it would be great if people could look at current state of DNSSEC
patches for
FreeIPA.

It consist of several relatively independent parts:
- python-pkcs#11 interface written by Martin Basti:
https://github.com/spacekpe/freeipa-pkcs11

- DNSSEC daemons written by me:
https://github.com/spacekpe/ipadnssecd

- FreeIPA integration written by Martin Basti:
https://github.com/bastiak/freeipa/tree/dnssec

Here is updated repo with installers, please review:
https://github.com/bastiak/freeipa/tree/dnssec-4
branch dnssec-4

TODO: integrate ipadnssecd daemons and pkcs11 helper, when finished


...


3)

Not something you can fix in this commit, but shouldn't
ipa-ods-exporter be
named ipa-odsexportd, so that the naming is consistent with the rest
of our
daemons?


Side note: ipa-ods-exporter is not a daemon :-) It is a single-shot binary
activated via socket. It is a replacement for "ODS signer" and uses the
same protocol.

Anyway, I don't care much. Feel free pick a new name and let me know.


Nevermind, I thought it was a daemon.




2)

Why do you use the default /etc/softhsm2.conf file, instead of 
using e.g.

/etc/ipa/dnssec/softhsm2.conf and passing it to SoftHSM in the
SOFTHSM2_CONF
environment variable?


I don't like the idea. The same library is used from named and
ods-enforcerd so we would have to modify environment variables for all
of them and do some monkey patching in /etc/systemd.

AFAIK current ipactl/framework is sooo clever so it deletes service
files related to all services "managed" by IPA if they are located in
/etc/systemd. As a result we don't have any way to override values
supplied by other packages now.


IMO if we can have a private instance of something we should have it. To
configure named properly, you just have to add a line with
"SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf" to /etc/sysconfig/named.


Ok, I did not realize that we don't actually need systemd unit 
overrides. We need to do the same with /etc/sysconfig/ods and unit 
files for ipa-dnskeysynd and ipa-ods-exporter.



4)

I think /etc/ipa/softhsm_pin_so should be moved to
/etc/ipa/dnssec/softhsm_pin_so.


Is it a good idea to store both PINs on the same spot? softhsm_pin_so is
not necessary at run-time so it can be readable only by root:root.


What do you mean by "the same spot"?


Nevermind, I can't read.


Hello, the latest version:
https://github.com/bastiak/freeipa/tree/dnssec-9

--
Martin Basti



Re: [Freeipa-devel] [PATCH] slapi-nis: normalize memberUid search filter term for AD users

2014-10-19 Thread Jakub Hrozek
On Thu, Oct 09, 2014 at 02:01:16PM +0300, Alexander Bokovoy wrote:
> Hi,
> 
> memberUid attribute has case-sensitive comparison defined but when we
> construct memberUid for AD users (coming through SSSD), they are
> normalized to lower case. Interestingly enough, 'uid' attribute has
> case-insensitive comparison.
> 
> Work around the issue by low-casing the memberUid search term value when
> it is a fully-qualified name (user@domain), meaning we do ask for a SSSD
> user.
> 
> This is the patch on top of my ID views support patch.
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=1130131
> -- 
> / Alexander Bokovoy

The code reads good to me and passed some basic sanity testing... however,
I've been unable to reproduce the issue, so I'm not sure this counts as
a full ACK...



Re: [Freeipa-devel] [PATCH] 131-132 extdom: add support for sss_nss_getorigbyname()

2014-10-19 Thread Jakub Hrozek
On Fri, Oct 17, 2014 at 11:53:44AM +0200, Sumit Bose wrote:
> Hi,
> 
> the first patch replaces sss_nss_getsidbyname() by
> sss_nss_getorigbyname() for the new version of the extdom interface.
> The new call returns more data about the original object and allows the
> IPA client to have the same information about the object in the SSSD
> cache as the IPA servers.
> 
> The second patch just removes an obsolete dependency.
> 
> bye,
> Sumit

Hi,

I was unable to send the patches through Coverity, the RH server seems
to be having issues. I'll wait until tomorrow, if the problems persist,
we'll just skip Coverity and fix any potential problems post-push.

> From 928c04c35601b7bc1c57c1320e4a746abc35e947 Mon Sep 17 00:00:00 2001
> From: Sumit Bose 
> Date: Fri, 10 Oct 2014 10:56:37 +0200
> Subject: [PATCH 131/132] extdom: add support for sss_nss_getorigbyname()

[...]

> @@ -576,13 +613,14 @@ static int handle_gid_request(enum request_types 
> request_type, gid_t gid,
>  enum sss_id_type id_type;
>  size_t buf_len;
>  char *buf = NULL;
> +struct sss_nss_kv *kv_list;

Please set kv_list to NULL here, you're freeing the pointer
unconditionally in the done handler, but in some cases (request_type ==
REQ_SIMPLE) kv_list is not set at all.

>  
>  ret = get_buffer(&buf_len, &buf);
>  if (ret != LDAP_SUCCESS) {
>  return ret;
>  }
>  
> -if (request_type == REQ_SIMPLE || request_type == REQ_FULL_WITH_GROUPS) {
> +if (request_type == REQ_SIMPLE) {
>  ret = sss_nss_getsidbyid(gid, &sid_str, &id_type);
>  if (ret != 0 || id_type != SSS_ID_TYPE_GID) {
>  if (ret == ENOENT) {
> @@ -592,9 +630,7 @@ static int handle_gid_request(enum request_types 
> request_type, gid_t gid,
>  }
>  goto done;
>  }
> -}
>  
> -if (request_type == REQ_SIMPLE) {
>  ret = pack_ber_sid(sid_str, berval);
>  } else {
>  ret = getgrgid_r(gid, &grp, buf, buf_len, &grp_result);
> @@ -607,13 +643,27 @@ static int handle_gid_request(enum request_types 
> request_type, gid_t gid,
>  goto done;
>  }
>  
> +if (request_type == REQ_FULL_WITH_GROUPS) {
> +ret = sss_nss_getorigbyname(grp.gr_name, &kv_list, &id_type);
> +if (ret != 0 || !(id_type == SSS_ID_TYPE_GID
> +|| id_type == SSS_ID_TYPE_BOTH)) {
> +if (ret == ENOENT) {
> +ret = LDAP_NO_SUCH_OBJECT;
> +} else {
> +ret = LDAP_OPERATIONS_ERROR;
> +}
> +goto done;
> +}
> +}
> +
>  ret = pack_ber_group((request_type == REQ_FULL ? RESP_GROUP
> : RESP_GROUP_MEMBERS),
>   domain_name, grp.gr_name, grp.gr_gid,
> - grp.gr_mem, sid_str, berval);
> + grp.gr_mem, kv_list, berval);
>  }
>  
>  done:
> +sss_nss_free_kv(kv_list);
>  free(sid_str);
>  free(buf);
>  return ret;
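Review bot: pack_ber_group at the end of this hunk now receives kv_list for both REQ_FULL and REQ_FULL_WITH_GROUPS, but kv_list is only filled by sss_nss_getorigbyname inside the `if (request_type == REQ_FULL_WITH_GROUPS)` block, so pack_ber_group must be prepared for a NULL kv_list when packing RESP_GROUP. Likewise the unconditional `sss_nss_free_kv(kv_list);` under `done:` needs kv_list to be NULL-initialized at its declaration, as raised above, and sss_nss_free_kv must tolerate NULL; if it does not, guard the call with `if (kv_list != NULL)`.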
> @@ -634,6 +684,7 @@ static int handle_sid_request(enum request_types 
> request_type, const char *sid,
>  size_t buf_len;
>  char *buf = NULL;
>  enum sss_id_type id_type;
> +struct sss_nss_kv *kv_list;

Also please set kv_list to NULL here...

>  
>  ret = sss_nss_getnamebysid(sid, &fq_name, &id_type);
>  if (ret != 0) {

[...]

> @@ -733,6 +811,7 @@ static int handle_name_request(enum request_types 
> request_type,
>  enum sss_id_type id_type;
>  size_t buf_len;
>  char *buf = NULL;
> +struct sss_nss_kv *kv_list;

...and here.

>  
>  ret = asprintf(&fq_name, "%s%c%s", name, SSSD_DOMAIN_SEPARATOR,
> domain_name);

The rest of the patch looks good to me.

> From f83616c145d5d14d125c663f9ac4e31cff4af81b Mon Sep 17 00:00:00 2001
> From: Sumit Bose 
> Date: Wed, 15 Oct 2014 16:21:53 +0200
> Subject: [PATCH 132/132] extdom: remove unused dependency to libsss_idmap

ACK



Re: [Freeipa-devel] [PATCH] 771 webui: do not offer ipa users to Default Trust View

2014-10-19 Thread Petr Vobornik

On 17.10.2014 22:51, Endi Sukma Dewata wrote:

On 10/10/2014 6:45 AM, Petr Vobornik wrote:

https://fedorahosted.org/freeipa/ticket/4616


This patch does not apply. Does it depend on another patch?



rebased version attached. Should be applicable on master, ipa-4-1 and 
patchset 767-770.

--
Petr Vobornik
From 033e88fb5d75092732d07449b76c0b9c3987456a Mon Sep 17 00:00:00 2001
From: Petr Vobornik 
Date: Fri, 10 Oct 2014 10:50:56 +0200
Subject: [PATCH] webui: do not offer ipa users to Default Trust View

https://fedorahosted.org/freeipa/ticket/4616
---
 install/ui/doc/categories.json |  6 +
 install/ui/src/freeipa/add.js  |  2 +-
 install/ui/src/freeipa/idviews.js  | 51 +-
 install/ui/test/data/ipa_init.json |  6 +++--
 ipalib/plugins/internal.py |  2 ++
 5 files changed, 63 insertions(+), 4 deletions(-)

diff --git a/install/ui/doc/categories.json b/install/ui/doc/categories.json
index e9507795b9557880cfb4ce34c0808b6bd2d2ab2c..c84077682eafa42981e8a1c1a2f93c712e6421fd 100644
--- a/install/ui/doc/categories.json
+++ b/install/ui/doc/categories.json
@@ -149,6 +149,12 @@
 ]
 },
 {
+"name": "Dialog policies",
+"classes": [
+"idviews.idoverride_adder_policy"
+]
+},
+{
 "name": "Evaluators & Summaries",
 "classes": [
 "*_evaluator",
diff --git a/install/ui/src/freeipa/add.js b/install/ui/src/freeipa/add.js
index 7f5c29807bae8cc9db00e4e826a68facd1e5758a..8f24c7733d1614aaf05b544ecfb641ff57f292f2 100644
--- a/install/ui/src/freeipa/add.js
+++ b/install/ui/src/freeipa/add.js
@@ -198,7 +198,7 @@ IPA.entity_adder_dialog = function(spec) {
 var field = fields[j];
 
 var values = record[field.param];
-if (!values || values.length === 0) continue;
+if (!values || values.length === 0 || !field.enabled) continue;
 if (field.flags.indexOf('no_command') > -1) continue;
 
 if (field.param === pkey_name) {
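Review bot: the added `|| !field.enabled` in IPA.entity_adder_dialog changes command building for every adder dialog in the Web UI, not only the ID view ones: any dialog that had a disabled field whose value was still expected to be sent will silently stop sending it. That is probably the intended semantics, but it deserves a sentence in the commit message and a short comment on the line, e.g. `// disabled fields are never part of the add command`, so the behavioural change is discoverable later.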
diff --git a/install/ui/src/freeipa/idviews.js b/install/ui/src/freeipa/idviews.js
index 1d082c4d4918c9ce70535febb6c9e5bf18a7d4b5..cbc78ae7c62916b6334a8ef0cdf12a92485b0876 100644
--- a/install/ui/src/freeipa/idviews.js
+++ b/install/ui/src/freeipa/idviews.js
@@ -20,6 +20,7 @@
  */
 
 define([
+'dojo/on',
 './ipa',
 './jquery',
 './menu',
@@ -31,7 +32,7 @@ define([
 './facet',
 './search',
 './entity'],
-function(IPA, $, menu, phases, reg, rpc, text, mod_details, mod_facet) {
+function(on, IPA, $, menu, phases, reg, rpc, text, mod_details, mod_facet) {
 /**
  * ID Views module
  * @class
@@ -268,6 +269,9 @@ return {
 ],
 
 adder_dialog: {
+policies: [
+{ $factory: idviews.idoverride_adder_policy }
+],
 fields: [
 {
 $type: 'entity_select',
@@ -278,6 +282,14 @@ return {
 editable: true,
 tooltip: '@i18n:objects.idoverrideuser.anchor_tooltip'
 },
+{
+label: '@i18n:objects.idoverrideuser.anchor_label',
+name: 'ipaanchoruuid_default',
+param: 'ipaanchoruuid',
+tooltip: '@i18n:objects.idoverrideuser.anchor_tooltip_ad',
+visible: false,
+enabled: false
+},
 'uid',
 'gecos',
 'uidnumber',
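Review bot: the new hidden `ipaanchoruuid_default` field shares `param: 'ipaanchoruuid'` with the `entity_select` field just above it, so correctness depends on exactly one of the two being enabled when the dialog is submitted (the `!field.enabled` check in add.js is what keeps the duplicate out of the command). The policy that flips them should toggle `visible` and `enabled` together and never leave both enabled, otherwise two values would be sent for ipaanchoruuid; the same applies to the group adder dialog further down.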
@@ -341,6 +353,9 @@ return {
 ],
 
 adder_dialog: {
+policies: [
+{ $factory: idviews.idoverride_adder_policy }
+],
 fields: [
  {
 $type: 'entity_select',
@@ -351,6 +366,14 @@ return {
 editable: true,
 tooltip: '@i18n:objects.idoverridegroup.anchor_tooltip'
 },
+{
+label: '@i18n:objects.idoverridegroup.anchor_label',
+name: 'ipaanchoruuid_default',
+param: 'ipaanchoruuid',
+tooltip: '@i18n:objects.idoverridegroup.anchor_tooltip_ad',
+visible: false,
+enabled: false
+},
 'cn',
 'gidnumber',
 {
@@ -406,6 +429,32 @@ idviews.idview_facet_header = function(spec) {
 };
 
 /**
+ * Switches between combobox and textbox for ipaanchoruuid, depending on if
+ * current view is Default Trust View
+ * @class idviews.idoverride_adder_policy
+ * @extends IPA.facet_policy
+ */
+idviews.idoverride_adder_policy = function (spec) {
+var that = IPA.facet_policy(spec);
+that.init = function() {
+on(that.container, 'open', that.on_open);
+};
+
+that.on_open = function() {
+var d = that.container; // dialog
+var default_view = d.pkey_prefix.slice(-1)[0] === idviews.DEFAULT_TRUST_VIEW;
+var f1 = d.fields.g
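Review bot: the hunk is cut off at `var f1 = d.fields.g`, so the field-switching logic itself cannot be reviewed here. In the visible part, `that.init` attaches `that.on_open` with `on(that.container, 'open', that.on_open)` but the returned handle is not kept, so the handler can never be removed; if the dialog is destroyed and recreated each time this is harmless, otherwise store the handle and remove it when the dialog closes. Also `idviews.DEFAULT_TRUST_VIEW` is referenced but not defined in this diff, so confirm it exists in idviews.js, and note that `d.pkey_prefix.slice(-1)[0]` yields undefined for an empty prefix, which silently falls through to the non-default branch.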