Re: [Freeipa-devel] [PATCH 0161] Fix dyndb-ldap working dir permission
On 11/11/14 16:58, Jan Cholasta wrote:
Hi,
Dne 11.11.2014 v 16:22 Martin Basti napsal(a):
Using specfile to create file doesn't work if named user is not on
system.
Appropriate permission have to be set during ipa-dns installation.
Patch attached
Why is the directory set up in dnskeysyncinstance instead of
bindinstance?
Because, dnskeysyncinstance is the daemon which requires permission change.
(dir is created by dyndb-ldap plugin)
The original patch was released with 4.1.1, shouldn't there be update
in ipa-upgradeconfig?
Cases:
1) fresh RPM install, no named user during RPM install - named doesn't
start, user had to fix it immediately, can't wait until next release.
2) fresh RPM install, named user - no impact
3) upgrade IPA with DNS - no impact
4) upgrade IPA without DNS - after DNS installation, same as 1)
5) IPA 4.1.0 with installed DNS, upgrade to 4.1.2 - DNSSEC will not
work (If user doesnt use DNSSEC)
Only 5) looks serious for me, so here is updated patch.
Martin^2
Honza
--
Martin Basti
From 6412d1bd6d5a21941c50f56996b81b04c6d86cb0 Mon Sep 17 00:00:00 2001
From: Martin Basti mba...@redhat.com
Date: Tue, 11 Nov 2014 13:00:18 +0100
Subject: [PATCH] Fix named working directory permissions
Just adding dir to specfile doesnt work, because is not guarantee the
named is installed, during RPM installation.
Ticket: https://fedorahosted.org/freeipa/ticket/4657#comment:6
---
freeipa.spec.in | 3 +--
install/tools/ipa-upgradeconfig | 29 +
ipaplatform/base/paths.py | 1 +
ipaserver/install/dnskeysyncinstance.py | 21 +
4 files changed, 52 insertions(+), 2 deletions(-)
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 36c2a35e7a0c60d4f68e2d945688ee30506e47c6..d0e9f910e2247ce1620e9b62f412d43ff663652d 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -420,7 +420,6 @@ mkdir -p %{buildroot}%{_usr}/share/ipa/html/
/bin/touch %{buildroot}%{_usr}/share/ipa/html/preferences.html
mkdir -p %{buildroot}%{_initrddir}
mkdir %{buildroot}%{_sysconfdir}/sysconfig/
-mkdir -p %{buildroot}%{_localstatedir}/named/dyndb-ldap/ipa/
install -m 644 init/ipa_memcached.conf %{buildroot}%{_sysconfdir}/sysconfig/ipa_memcached
install -m 644 init/ipa-dnskeysyncd.conf %{buildroot}%{_sysconfdir}/sysconfig/ipa-dnskeysyncd
install -m 644 init/ipa-ods-exporter.conf %{buildroot}%{_sysconfdir}/sysconfig/ipa-ods-exporter
@@ -660,7 +659,6 @@ fi
%config(noreplace) %{_sysconfdir}/sysconfig/ipa-ods-exporter
%dir %attr(0700,apache,apache) %{_localstatedir}/run/ipa_memcached/
%dir %attr(0700,root,root) %{_localstatedir}/run/ipa/
-%dir %attr(0770,named,named) %{_localstatedir}/named/dyndb-ldap/ipa/
# NOTE: systemd specific section
%{_tmpfilesdir}/%{name}.conf
%attr(644,root,root) %{_unitdir}/ipa.service
@@ -774,6 +772,7 @@ fi
%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/sysupgrade
%attr(755,root,root) %dir %{_localstatedir}/lib/ipa/pki-ca
%ghost %{_localstatedir}/lib/ipa/pki-ca/publish
+%ghost %{_localstatedir}/named/dyndb-ldap/ipa
%attr(755,root,root) %{_libdir}/krb5/plugins/kdb/ipadb.so
%{_mandir}/man1/ipa-replica-conncheck.1.gz
%{_mandir}/man1/ipa-replica-install.1.gz
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index 6556d8f313d3a9efeb32d4cba97cb82796459652..aa9fcd1e0802911c0f1f389afc99a83fc8052493 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -30,6 +30,7 @@ import shutil
import pwd
import fileinput
import ConfigParser
+import grp
from ipalib import api
import SSSDConfig
@@ -1161,6 +1162,33 @@ def mask_named_regular():
return False
+def fix_dyndb_ldap_ipa_workdir_perm():
+Fix dyndb-ldap working dir permissions. DNSSEC daemons requires it
+if sysupgrade.get_upgrade_state('dns', 'dyndb_ipa_workdir_perm'):
+return
+
+if bindinstance.named_conf_exists():
+root_logger.info('[Fix bind-dyndb-ldap IPA working directory]')
+named = services.knownservices.named
+
+try:
+named_uid = pwd.getpwnam(named.get_user_name()).pw_uid
+except KeyError:
+raise RuntimeError(Named UID not found)
+
+try:
+named_gid = grp.getgrnam(named.get_group_name()).gr_gid
+except KeyError:
+raise RuntimeError(Named GID not found)
+
+if not os.path.exists(paths.BIND_LDAP_DNS_IPA_WORKDIR):
+os.mkdir(paths.BIND_LDAP_DNS_IPA_WORKDIR, 0770)
+
+os.chmod(paths.BIND_LDAP_DNS_IPA_WORKDIR, 0770)
+os.chown(paths.BIND_LDAP_DNS_IPA_WORKDIR, named_uid, named_gid)
+
+sysupgrade.set_upgrade_state('dns', 'dyndb_ipa_workdir_perm', True)
+
def fix_schema_file_syntax():
Fix syntax errors in schema files
@@ -1433,6 +1461,7 @@ def main():
named_managed_keys_dir_option(),
named_root_key_include(),
[Freeipa-devel] [PATCH 0162] Upgrade fix: masking named service should be executed only once
Hello,
masking named service is executed more than once, following patch fixes it.
Patch attached.
--
Martin Basti
From 9ac55b15ff7b418e9ec82efb2cc1070c864ccac9 Mon Sep 17 00:00:00 2001
From: Martin Basti mba...@redhat.com
Date: Wed, 12 Nov 2014 12:09:27 +0100
Subject: [PATCH] Upgrade fix: masking named should be executed only once
There was error in code, masking was executed more times, even it was
succesful
---
install/tools/ipa-upgradeconfig | 30 --
1 file changed, 16 insertions(+), 14 deletions(-)
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index aa9fcd1e0802911c0f1f389afc99a83fc8052493..63fb7d690187f0d199ceb459f21a40c4b39945ce 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -1141,23 +1141,25 @@ def uninstall_selfsign(ds, http):
def mask_named_regular():
Disable named, we need to run only named-pkcs11, running both named and
named-pkcs can cause unexpected errors
-if not sysupgrade.get_upgrade_state('dns', 'regular_named_masked'):
-if bindinstance.named_conf_exists():
-root_logger.info('[Masking named]')
-named = services.service('named-regular')
-try:
-named.stop()
-except Exception as e:
-root_logger.warning('Unable to stop named service (%s)', e)
+if sysupgrade.get_upgrade_state('dns', 'regular_named_masked'):
+return
-try:
-named.mask()
-except Exception as e:
-root_logger.warning('Unable to mask named service (%s)', e)
+sysupgrade.set_upgrade_state('dns', 'regular_named_masked', True)
-return True
+if bindinstance.named_conf_exists():
+root_logger.info('[Masking named]')
+named = services.service('named-regular')
+try:
+named.stop()
+except Exception as e:
+root_logger.warning('Unable to stop named service (%s)', e)
-sysupgrade.set_upgrade_state('dns', 'regular_named_masked', True)
+try:
+named.mask()
+except Exception as e:
+root_logger.warning('Unable to mask named service (%s)', e)
+
+return True
return False
--
1.8.3.1
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] FreeIPA translations
Hi folks, With Petr changing focus out of FreeIPA, somebody will need to replace his work as the person behind FreeIPA Transifex translation. I think this is now the right time and place to ask - Is Transifex still the translation tool we want to continue supporting? I know there were objections in the past it is not completely open source. But AFAIK, it is one of the most used ones, even OpenStack uses it. If no, we need to find something better. If yes, we will need to make sure the process is well documented on the FreeIPA.org wiki + integrated to our Release process so that it can be handed to someone else. (volunteers? :) Thanks. -- Martin Kosek mko...@redhat.com Supervisor, Software Engineering - Identity Management Team Red Hat Inc. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] FreeIPA translations
On 11/12/2014 07:44 AM, Martin Kosek wrote: Hi folks, With Petr changing focus out of FreeIPA, somebody will need to replace his work as the person behind FreeIPA Transifex translation. I think this is now the right time and place to ask - Is Transifex still the translation tool we want to continue supporting? I know there were objections in the past it is not completely open source. But AFAIK, it is one of the most used ones, even OpenStack uses it. I have not been following it closely but there was talk of both Fedora and Openstack moving from Transifex to Zanata http://zanata.org/ As a matter of fact there was recent emails concerning the new Fedora Zanta instance Move to Zanata Stage 1 - fedora.zanata instance available now! https://lists.fedoraproject.org/pipermail/trans/2014-November/011717.html Like I said, I haven't followed this closely but it seems like Zanata is the future. If no, we need to find something better. If yes, we will need to make sure the process is well documented on the FreeIPA.org wiki + integrated to our Release process so that it can be handed to someone else. (volunteers? :) Thanks. -- John ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH][bind-dyndb-ldap] AUTOCONF: Improve detection of bind9 header files
On 24.7.2014 11:00, Petr Spacek wrote:
On 27.2.2014 15:19, Lukas Slebodnik wrote:
ehlo,
I did some reviews of bind-dyndb-ldap last week and it was little bit
annoying
to export special CFLAGS for bind9 header files. It can be automatically
detected in configure script using utility isc-config.
Attached patch should improve this and CFLAGS needn't be exported.
Kind NACK. It would be valuable to test if isc/errno2result.h header is
present and throw appropriate error.
Current check with isc-config.sh only will pass if you have bind-devel package
installed but you are missing bind-lite-devel package.
I have a question: How
+ldap_la_CFLAGS = $(BIND9_CFLAGS) -Wall -Wextra @WERROR@ -std=gnu99
works?
Will it take user-defined CFLAGS into account? I would like to place
user-defined flags at the end of the list so you can easily override settings
given by autotools.
Thank you for clarification :-)
I will be really happy to commit complete fix. Thank you for cleaning this
autotools mess!
This version actually works. Previous version did not take CFLAGS from
isc-config.sh into account during libdns version check so it actually did not
work at all :-)
Please review it (and send me a modified patch if you see a problem).
Thank you for your time!
--
Petr^2 Spacek
From 4b17099abe2169ddb86b24e53cd2769b76f3ea2d Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik lsleb...@redhat.com
Date: Tue, 25 Feb 2014 10:46:50 +0100
Subject: [PATCH] Improve detection of BIND 9 header files and necessary
CFLAGS.
BIND 9 header files can be stored in non-default path (/usr/include/bind9).
The isc-config.sh utility can provide necessary CFLAGS.
---
configure.ac | 43 ++-
contrib/bind-dyndb-ldap.spec | 1 -
2 files changed, 34 insertions(+), 10 deletions(-)
diff --git a/configure.ac b/configure.ac
index d471038ada54c07dcfc211c8a2572850e3b28205..c985908c760c974f7c02b6fa3d183e839bbeb9ad 100644
--- a/configure.ac
+++ b/configure.ac
@@ -15,14 +15,6 @@ m4_ifdef([AM_PROG_AR], [AM_PROG_AR])
AC_PROG_CC
AC_PROG_LIBTOOL
-# Checks for libraries.
-AC_CHECK_LIB([dns], [dns_name_init], [],
- AC_MSG_ERROR([Install BIND9 development files]))
-AC_CHECK_LIB([ldap], [ldap_initialize], [],
- AC_MSG_ERROR([Install OpenLDAP development files]))
-AC_CHECK_LIB([krb5], [krb5_cc_initialize], [],
- AC_MSG_ERROR([Install Kerberos 5 development files]))
-
# Checks for header files.
AC_CHECK_HEADERS([stddef.h stdlib.h string.h strings.h])
@@ -47,6 +39,39 @@ AC_TRY_COMPILE([
[CFLAGS=$SAVED_CFLAGS
AC_MSG_RESULT([no])])
+# Get CFLAGS from isc-config.sh
+AC_ARG_VAR([BIND9_CFLAGS],
+ [C compiler flags for bind9, overriding isc-config.sh])
+AC_SUBST(BIND9_CFLAGS)
+
+dnl do not override enviroment variables BIND9_CFLAGS
+if test -z $BIND9_CFLAGS; then
+ AC_PATH_PROG(ISC_CONFIG, [isc-config.sh])
+ AC_MSG_CHECKING([for working isc-config])
+ if test -x $ISC_CONFIG; then
+ AC_MSG_RESULT([yes]);
+ BIND9_CFLAGS=`$ISC_CONFIG --cflags dns`
+ dnl We do not need all libraries suggested by isc-config.sh
+ dnl {-lcrypto, -lcap} are useless
+ dnl BIND9_LIBS=`$ISC_CONFIG --libs dns`
+ else
+ AC_MSG_RESULT([no])
+ AC_MSG_WARN([
+ Could not detect script isc-config.sh. Compilation may fail.
+ Defining variable BIND9_CFLAGS will fix this problem.
+ ])
+ fi
+fi
+CFLAGS=$BIND9_CFLAGS $CFLAGS
+
+# Checks for libraries.
+AC_CHECK_LIB([dns], [dns_name_init], [],
+ AC_MSG_ERROR([Install BIND9 development files]))
+AC_CHECK_LIB([ldap], [ldap_initialize], [],
+ AC_MSG_ERROR([Install OpenLDAP development files]))
+AC_CHECK_LIB([krb5], [krb5_cc_initialize], [],
+ AC_MSG_ERROR([Install Kerberos 5 development files]))
+
# Check version of libdns
AC_MSG_CHECKING([libdns version])
AC_TRY_RUN([
@@ -62,7 +87,7 @@ int main(void) {
[AC_MSG_ERROR([Cross compiling is not supported.])]
)
-# Older autoconf (2.59, for example) doesn't define docdir
+dnl Older autoconf (2.59, for example) doesn't define docdir
[[ ! -n $docdir ]] docdir='${datadir}/doc/${PACKAGE_TARNAME}'
AC_SUBST([docdir])
diff --git a/contrib/bind-dyndb-ldap.spec b/contrib/bind-dyndb-ldap.spec
index 572076597a7597c8495ac7a977f26578e840603e..574519982463d811c482bdaaa70839e2c15e9e12 100644
--- a/contrib/bind-dyndb-ldap.spec
+++ b/contrib/bind-dyndb-ldap.spec
@@ -28,7 +28,6 @@ off of your LDAP server.
%setup -q -n %{name}-%{VERSION}
%build
-export CFLAGS=`isc-config.sh --cflags dns` $RPM_OPT_FLAGS
%configure
make %{?_smp_mflags}
--
2.1.0
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] FreeIPA translations
2014-11-12 15:22 GMT+01:00 John Dennis jden...@redhat.com: On 11/12/2014 07:44 AM, Martin Kosek wrote: Hi folks, With Petr changing focus out of FreeIPA, somebody will need to replace his work as the person behind FreeIPA Transifex translation. I think this is now the right time and place to ask - Is Transifex still the translation tool we want to continue supporting? I know there were objections in the past it is not completely open source. But AFAIK, it is one of the most used ones, even OpenStack uses it. I have not been following it closely but there was talk of both Fedora and Openstack moving from Transifex to Zanata http://zanata.org/ As a matter of fact there was recent emails concerning the new Fedora Zanta instance Move to Zanata Stage 1 - fedora.zanata instance available now! https://lists.fedoraproject.org/pipermail/trans/2014-November/011717.html Like I said, I haven't followed this closely but it seems like Zanata is the future. +1 The Fedora Zanata instance is the place to go. Regards, J. -- Jérôme Fenal ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH 0163] Fix compiler warning for pk11helper module
Part of ticket: https://fedorahosted.org/freeipa/ticket/4657 -- Martin Basti ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH 0308] Improve detection of BIND 9 isc__errno2result header file
Hello,
Improve detection of BIND 9 isc__errno2result header file.
This header file is not in standard distribution so normal isc-config.sh
detection is not enough.
With this patch, ./configure should work even without explicit CFLAGS and it
should also detect that bind-devel or bind-lite-devel packages are missing.
--
Petr^2 Spacek
From e8feffa54b8e5835d32bfba2c20ef686b8349ec7 Mon Sep 17 00:00:00 2001
From: Petr Spacek pspa...@redhat.com
Date: Wed, 12 Nov 2014 16:03:12 +0100
Subject: [PATCH] Improve detection of BIND 9 isc__errno2result header file.
This header file is not in standard distribution so normal isc-config.sh
detection is not enough.
---
configure.ac | 17 +
1 file changed, 17 insertions(+)
diff --git a/configure.ac b/configure.ac
index c985908c760c974f7c02b6fa3d183e839bbeb9ad..d12ef7bb8c32f320e872d74405b980ced9bd28d8 100644
--- a/configure.ac
+++ b/configure.ac
@@ -65,6 +65,8 @@ fi
CFLAGS=$BIND9_CFLAGS $CFLAGS
# Checks for libraries.
+AC_CHECK_LIB([isc], [isc_dir_open], [],
+ AC_MSG_ERROR([Install BIND9 ISC development files]))
AC_CHECK_LIB([dns], [dns_name_init], [],
AC_MSG_ERROR([Install BIND9 development files]))
AC_CHECK_LIB([ldap], [ldap_initialize], [],
@@ -87,6 +89,21 @@ int main(void) {
[AC_MSG_ERROR([Cross compiling is not supported.])]
)
+dnl isc__errno2result() is typically not present in standard header files
+AC_MSG_CHECKING([isc__errno2result availability in header files])
+AC_TRY_RUN([
+#include isc/errno2result.h
+int main(void) {
+ isc__errno2result(0);
+ return 0;
+}],
+[AC_MSG_RESULT([yes])],
+[AC_MSG_ERROR([
+ Can't find isc__errno2result() or header isc/errno2result.h:
+ Please install bind-lite-devel package or similar.])],
+[AC_MSG_ERROR([Cross compiling is not supported.])]
+)
+
dnl Older autoconf (2.59, for example) doesn't define docdir
[[ ! -n $docdir ]] docdir='${datadir}/doc/${PACKAGE_TARNAME}'
AC_SUBST([docdir])
--
2.1.0
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 784-786 webui: offer suffixes of trusted domains for overrides
https://fedorahosted.org/freeipa/ticket/4554
[PATCH] 784 webui: refactor combobox search to support search providers
Comboboxe's search logic was moved into a separate object - a search
provider. This change makes Entity Select a regular combobox with a
special provider.
new JointCBSearchProvider allows to combine results of two providers
into a single result.
[PATCH] 785 webui: offer suffixes of trusted domains for overrides
[PATCH] 786 webui: unable to select single value in CB by enter key
Fix: If editable combobox has one value, the value is selected and
changed by hand, it can't be re-selected by enter key.
--
Petr Vobornik
From 091139c851c18155f3b3d75afafbb202a4b12859 Mon Sep 17 00:00:00 2001
From: Petr Vobornik pvobo...@redhat.com
Date: Wed, 12 Nov 2014 14:58:46 +0100
Subject: [PATCH] webui: offer suffixes of trusted domains for overrides
https://fedorahosted.org/freeipa/ticket/4554
---
install/ui/src/freeipa/idviews.js | 86 ++-
1 file changed, 76 insertions(+), 10 deletions(-)
diff --git a/install/ui/src/freeipa/idviews.js b/install/ui/src/freeipa/idviews.js
index 823936401653096a0a649282e3b18f573de09804..f85aedebc0b2b50773a183c1b7a7648791ec3bbf 100644
--- a/install/ui/src/freeipa/idviews.js
+++ b/install/ui/src/freeipa/idviews.js
@@ -20,7 +20,10 @@
*/
define([
+'dojo/_base/declare',
+'dojo/Deferred',
'dojo/on',
+'dojo/when',
'./ipa',
'./jquery',
'./menu',
@@ -30,9 +33,11 @@ define([
'./text',
'./details',
'./facet',
+'./widget',
'./search',
'./entity'],
-function(on, IPA, $, menu, phases, reg, rpc, text, mod_details, mod_facet) {
+function(declare, Deferred, on, when, IPA, $, menu, phases,
+reg, rpc, text, mod_details, mod_facet, mod_widget) {
/**
* ID Views module
* @class
@@ -274,21 +279,36 @@ return {
],
fields: [
{
-$type: 'entity_select',
+$type: 'combobox',
label: '@i18n:objects.idoverrideuser.anchor_label',
name: 'ipaanchoruuid',
-other_entity: 'user',
-other_field: 'uid',
editable: true,
-tooltip: '@i18n:objects.idoverrideuser.anchor_tooltip'
+tooltip: '@i18n:objects.idoverrideuser.anchor_tooltip',
+search_provider: {
+$ctor: mod_widget.JointCBSearchProvider,
+providers: [
+{
+$ctor: idviews.TrustSuffixCBSearchProvider
+},
+{
+$ctor: mod_widget.EntityCBSearchProvider,
+entity: 'user'
+}
+]
+}
},
{
+$type: 'combobox',
label: '@i18n:objects.idoverrideuser.anchor_label',
name: 'ipaanchoruuid_default',
param: 'ipaanchoruuid',
tooltip: '@i18n:objects.idoverrideuser.anchor_tooltip_ad',
visible: false,
-enabled: false
+enabled: false,
+editable: true,
+search_provider: {
+$ctor: idviews.TrustSuffixCBSearchProvider
+}
},
'uid',
'gecos',
@@ -361,18 +381,33 @@ return {
$type: 'entity_select',
label: '@i18n:objects.idoverridegroup.anchor_label',
name: 'ipaanchoruuid',
-other_entity: 'group',
-other_field: 'cn',
editable: true,
-tooltip: '@i18n:objects.idoverridegroup.anchor_tooltip'
+tooltip: '@i18n:objects.idoverridegroup.anchor_tooltip',
+search_provider: {
+$ctor: mod_widget.JointCBSearchProvider,
+providers: [
+{
+$ctor: idviews.TrustSuffixCBSearchProvider
+},
+{
+$ctor: mod_widget.EntityCBSearchProvider,
+entity: 'group'
+}
+]
+}
},
{
+$type: 'combobox',
label: '@i18n:objects.idoverridegroup.anchor_label',
name: 'ipaanchoruuid_default',
param: 'ipaanchoruuid',
tooltip: '@i18n:objects.idoverridegroup.anchor_tooltip_ad',
visible: false,
-enabled: false
+enabled: false,
+editable: true,
+search_provider: {
+$ctor: idviews.TrustSuffixCBSearchProvider
+}
Re: [Freeipa-devel] [PATCH 0228] Drop unnecessary #define _BSD_SOURCE
On 25.2.2014 15:05, Lukas Slebodnik wrote: On (25/02/14 09:54), Petr Spacek wrote: On 24.2.2014 18:56, Lukas Slebodnik wrote: On (24/02/14 16:48), Petr Spacek wrote: Hello, Drop unnecessary #define _BSD_SOURCE. -- Petr^2 Spacek From 1b5105e3ab92f2a898313da5f7e20e6f3e9d1d2a Mon Sep 17 00:00:00 2001 From: Petr Spacek pspa...@redhat.com Date: Mon, 24 Feb 2014 16:48:09 +0100 Subject: [PATCH] Drop unnecessary #define _BSD_SOURCE. Signed-off-by: Petr Spacek pspa...@redhat.com --- src/krb5_helper.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/src/krb5_helper.c b/src/krb5_helper.c index d1787209483f2ae49b480492290ff5d4bafc677c..71f4fff9fec551abbd81e25c59de80d2ded0dfc6 100644 --- a/src/krb5_helper.c +++ b/src/krb5_helper.c @@ -15,8 +15,6 @@ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ -#define _BSD_SOURCE - #include isc/util.h #include string.h #include stdlib.h -- 1.8.5.3 Simo is an author (according to git blame) He defined this macro due to function setenv from man setenv: NAME setenv - change or add an environment variable SYNOPSIS #include stdlib.h int setenv(const char *name, const char *value, int overwrite); int unsetenv(const char *name); Feature Test Macro Requirements for glibc (see feature_test_macros(7)): setenv(), unsetenv(): _BSD_SOURCE || _POSIX_C_SOURCE = 200112L || _XOPEN_SOURCE = 600 Macros _BSD_SOURCE _POSIX_C_SOURCE were defined when I included header file stdlib.h. I tested only on fedora 20. It can be used on the other distributions. I would rather let this macro as is. Wow, I didn't expect that somebody will spend time on this :-) See build logs from Fedora 21 http://koji.fedoraproject.org/koji/getfile?taskID=6565007name=build.log You should have noticed this in the 1st mail. Because it is difference between removing unnecessary macro and depprecated usage of macro. /usr/include/features.h:145:3: error: #warning _BSD_SOURCE and _SVID_SOURCE are deprecated, use _DEFAULT_SOURCE [-Werror=cpp] # warning _BSD_SOURCE and _SVID_SOURCE are deprecated, use _DEFAULT_SOURCE Patches with 'the right' solution are welcome. I'm not going to spend more time on this. Attached patch should fix the warning in the 'proper' way, I hope. Without this patch the warning constantly pops up on Fedora 21. -- Petr^2 Spacek From 873334fb1ede302b3a6cbf52ac8bc7e98a4659f9 Mon Sep 17 00:00:00 2001 From: Petr Spacek pspa...@redhat.com Date: Wed, 12 Nov 2014 16:30:56 +0100 Subject: [PATCH] Replace deprecated macro #define _BSD_SOURCE with _POSIX_C_SOURCE. See https://sourceware.org/glibc/wiki/Release/2.20#Packaging_Changes --- src/krb5_helper.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/krb5_helper.c b/src/krb5_helper.c index 169d384cddb5ab9fc9cce1f5ec773836a4c383bb..85c8df9f15af839786ded50d41313763f6463579 100644 --- a/src/krb5_helper.c +++ b/src/krb5_helper.c @@ -15,7 +15,7 @@ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ -#define _BSD_SOURCE +#define _POSIX_C_SOURCE 200112L /* setenv */ #include isc/util.h #include string.h -- 2.1.0 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0158] FIX: upgrade refential integrity plugin configuration
On 11/07/2014 03:22 PM, Martin Basti wrote: Ticket: https://fedorahosted.org/freeipa/ticket/4622 Patch attached. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel LGTM, please rebase to ipa-4-0. -- David Kupka ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] Gaps in upstream tests
On 07/11/14 14:41, Martin Kosek wrote: FreeIPA team will soon grow with a new member focusing on upstream QE tests. I would like to collect ideas what are the biggest gaps in the current upstream test suite from your POV. Existing requests are tracked here: https://fedorahosted.org/freeipa/query?status=assignedstatus=newstatus=reopenedcomponent=Testscol=idcol=summarycol=componentcol=statuscol=ownercol=typecol=prioritycol=milestonegroup=milestoneorder=priority First idea that I head proposed are Upgrade tests. These are often done manually. I think that upgrade test from currently supported FreeIPA/Fedora version would go a long way (like 3.3.5 on F20 upgraded built RPMs and running unit tests). Second, it would be nice to try testing FreeIPA server in a container. Not only it would verify our container efforts, but it may also allow easy multi-master tests on one Jenkins VM or local host instead of expensive VM orchestration. Any other areas worth focusing on (besides of course testing newly developed features)? 1) DNS: We should testing more complicated DNS toplogy with forwarders, testing if a forward zone forwards data as expected (we had regression), test if DNS (named) works as expected with various configurations. Currently the wait_for_dns option tests if record is resolvable, but we should test if the record is correct in better way. Test installation with various DNS options (or non DNS as well) 2) Upgrade tests: +1000 Martin^2 -- Martin Basti ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] FreeIPA translations
On 11/12/2014 01:44 PM, Martin Kosek wrote: Hi folks, With Petr changing focus out of FreeIPA, somebody will need to replace his work as the person behind FreeIPA Transifex translation. I think this is now the right time and place to ask - Is Transifex still the translation tool we want to continue supporting? I know there were objections in the past it is not completely open source. But AFAIK, it is one of the most used ones, even OpenStack uses it. If no, we need to find something better. If yes, we will need to make sure the process is well documented on the FreeIPA.org wiki + integrated to our Release process so that it can be handed to someone else. (volunteers? :) Thanks. I'll gladly take the translations, I've translated several projects, and Zanata looks interesting too learn to work with. -- Tomas Babej Associate Software Engineer | Red Hat | Identity Management RHCE | Brno Site | IRC: tbabej | freeipa.org ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0079] Catch USBError during YubiKey location
On Mon, 2014-11-10 at 09:08 +0100, Martin Kosek wrote:
On 11/10/2014 08:31 AM, Alexander Bokovoy wrote:
On Mon, 10 Nov 2014, Jan Cholasta wrote:
Hi,
Dne 7.11.2014 v 16:51 Nathaniel McCallum napsal(a):
https://fedorahosted.org/freeipa/ticket/4693
Is it good enough to just say No YubiKey found? Would it make sense to
log
the original message, for the sake of debugging why the yubikey was not
found?
This is logged on the client side so it only would be visible if you
would run 'ipa' tool with -v. Perhaps useful but my practice with
yubikeys says that most of issues are basically permission-related:
you've inserted the key and udev rules didn't change access to allow
getting to it via libusb. In this case our debugging will hardly be
helpful beyond 'yes, it is not accessible' which is already conveyed by
the original message.
Ok. Though IMO, passing the USBError string to the error would still be a good
thing to do - unless we have a strong reason to hide it. Error stating Access
denied (insufficient permissions) would steer the person closer to the root
cause that just No YubiKey found.
It took a bit to figure out exactly how to handle the errors, but the
attached patch passes the error codes through.
From b8b7a4e34309120c012a8ec466f1b66d3a2bff9d Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum npmccal...@redhat.com
Date: Fri, 7 Nov 2014 10:47:43 -0500
Subject: [PATCH] Catch USBError during YubiKey location
https://fedorahosted.org/freeipa/ticket/4693
---
ipalib/plugins/otptoken_yubikey.py | 7 +--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/ipalib/plugins/otptoken_yubikey.py b/ipalib/plugins/otptoken_yubikey.py
index e70ddb6e42b5ea34d7ebecb252d6bbd73ac64d03..1540117093386ef29c6ec47c07731d7a432d26bf 100644
--- a/ipalib/plugins/otptoken_yubikey.py
+++ b/ipalib/plugins/otptoken_yubikey.py
@@ -25,6 +25,7 @@ from ipalib.plugins.otptoken import otptoken
import os
+import usb.core
import yubico
__doc__ = _(
@@ -81,8 +82,10 @@ class otptoken_add_yubikey(Command):
# Open the YubiKey
try:
yk = yubico.find_yubikey()
-except yubico.yubikey.YubiKeyError, e:
-raise NotFound(reason=_('No YubiKey found'))
+except usb.core.USBError as e:
+raise NotFound(reason=No YubiKey found: %s % e.strerror)
+except yubico.yubikey.YubiKeyError as e:
+raise NotFound(reason=e.reason)
assert yk.version_num() = (2, 1)
--
2.1.0
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0077] Improve otptoken help messages
On Mon, 2014-11-10 at 08:44 +0100, Jan Cholasta wrote:
Hi,
Dne 6.11.2014 v 21:24 Nathaniel McCallum napsal(a):
https://fedorahosted.org/freeipa/ticket/4689
we don't usually use the Set the prefix in doc kwargs, so IMO it
should not be used here as well.
Fixed.
From f272b3f7b4ac8bdc0ec7ab7acc69dd30aa3c7adf Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum npmccal...@redhat.com
Date: Thu, 6 Nov 2014 15:19:01 -0500
Subject: [PATCH] Improve otptoken help messages
https://fedorahosted.org/freeipa/ticket/4689
---
ipalib/plugins/otptoken.py | 18 +-
1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/ipalib/plugins/otptoken.py b/ipalib/plugins/otptoken.py
index 2b5f1c5fb83341d392e165a3507f5076820f1d3a..77366bafe7a102f5d2c048ac3d5f7d9948ed7fe4 100644
--- a/ipalib/plugins/otptoken.py
+++ b/ipalib/plugins/otptoken.py
@@ -153,6 +153,7 @@ class otptoken(LDAPObject):
),
StrEnum('type?',
label=_('Type'),
+doc=_('Type of the token'),
default=u'totp',
autofill=True,
values=tuple(TOKEN_TYPES.keys() + [x.upper() for x in TOKEN_TYPES]),
@@ -161,42 +162,52 @@ class otptoken(LDAPObject):
Str('description?',
cli_name='desc',
label=_('Description'),
+doc=_('Token description (informational only)'),
),
Str('ipatokenowner?',
cli_name='owner',
label=_('Owner'),
+doc=_('Assigned user of the token (default: self)'),
),
Str('managedby_user?',
label=_('Manager'),
+doc=_('Assigned manager of the token (default: self)'),
flags=['no_create', 'no_update', 'no_search'],
),
Bool('ipatokendisabled?',
cli_name='disabled',
-label=_('Disabled state')
+label=_('Disabled'),
+doc=_('Mark the token as disabled (default: false)')
),
DateTime('ipatokennotbefore?',
cli_name='not_before',
label=_('Validity start'),
+doc=_('First date/time the token can be used'),
),
DateTime('ipatokennotafter?',
cli_name='not_after',
label=_('Validity end'),
+doc=_('Last date/time the token can be used'),
),
Str('ipatokenvendor?',
cli_name='vendor',
label=_('Vendor'),
+doc=_('Token vendor name (informational only)'),
),
Str('ipatokenmodel?',
cli_name='model',
label=_('Model'),
+doc=_('Token model (informational only)'),
),
Str('ipatokenserial?',
cli_name='serial',
label=_('Serial'),
+doc=_('Token serial (informational only)'),
),
OTPTokenKey('ipatokenotpkey?',
cli_name='key',
label=_('Key'),
+doc=_('Token secret (Base32; default: random)'),
default_from=lambda: os.urandom(KEY_LENGTH),
autofill=True,
flags=('no_display', 'no_update', 'no_search'),
@@ -204,6 +215,7 @@ class otptoken(LDAPObject):
StrEnum('ipatokenotpalgorithm?',
cli_name='algo',
label=_('Algorithm'),
+doc=_('Token hash algorithm'),
default=u'sha1',
autofill=True,
flags=('no_update'),
@@ -212,6 +224,7 @@ class otptoken(LDAPObject):
IntEnum('ipatokenotpdigits?',
cli_name='digits',
label=_('Digits'),
+doc=_('Number of digits each token code will have'),
values=(6, 8),
default=6,
autofill=True,
@@ -220,6 +233,7 @@ class otptoken(LDAPObject):
Int('ipatokentotpclockoffset?',
cli_name='offset',
label=_('Clock offset'),
+doc=_('TOTP token / FreeIPA server time difference'),
default=0,
autofill=True,
flags=('no_update'),
@@ -227,6 +241,7 @@ class otptoken(LDAPObject):
Int('ipatokentotptimestep?',
cli_name='interval',
label=_('Clock interval'),
+doc=_('Length of TOTP token code validity'),
default=30,
autofill=True,
minvalue=5,
@@ -235,6 +250,7 @@ class otptoken(LDAPObject):
Int('ipatokenhotpcounter?',
cli_name='counter',
label=_('Counter'),
+doc=_('Initial counter for the HOTP token'),
default=0,
autofill=True,
minvalue=0,
--
2.1.0
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0075] Ensure users exist when assigning tokens to them
On Mon, 2014-11-10 at 08:36 +0100, Jan Cholasta wrote:
Hi,
Dne 24.10.2014 v 22:21 Nathaniel McCallum napsal(a):
https://fedorahosted.org/freeipa/ticket/4642
please use userobj.handle_not_found(owner) instead of raising NotFound
manually.
Fixed.
From 620444f2878d0b83e528f4fdb6089d437c758fa4 Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum npmccal...@redhat.com
Date: Fri, 24 Oct 2014 16:16:50 -0400
Subject: [PATCH] Ensure users exist when assigning tokens to them
https://fedorahosted.org/freeipa/ticket/4642
---
ipalib/plugins/otptoken.py | 7 +--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/ipalib/plugins/otptoken.py b/ipalib/plugins/otptoken.py
index 2b5f1c5fb83341d392e165a3507f5076820f1d3a..f6cb62a5e8e44593373a4b9b0dd01bd4955f24f0 100644
--- a/ipalib/plugins/otptoken.py
+++ b/ipalib/plugins/otptoken.py
@@ -100,8 +100,11 @@ def _convert_owner(userobj, entry_attrs, options):
def _normalize_owner(userobj, entry_attrs):
owner = entry_attrs.get('ipatokenowner', None)
-if owner is not None:
-entry_attrs['ipatokenowner'] = userobj.get_dn(owner)
+if owner:
+try:
+entry_attrs['ipatokenowner'] = userobj._normalize_manager(owner)[0]
+except NotFound:
+userobj.handle_not_found(owner)
def _check_interval(not_before, not_after):
if not_before and not_after:
--
2.1.0
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0078] Enable QR code display by default in otptoken-add
On Thu, 2014-11-06 at 15:33 -0500, Nathaniel McCallum wrote:
This is possible because python-qrcode's output now fits in a standard
terminal. Also, update ipa-otp-import and otptoken-add-yubikey to
disable QR code output as it doesn't make sense in these contexts.
https://fedorahosted.org/freeipa/ticket/4703
I removed the period from the doc string to maintain consistency with
the rest of the plugin.
Nathaniel
From 24f8c5abe5c576e7399ce10b6634190bb67760d3 Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum npmccal...@redhat.com
Date: Thu, 6 Nov 2014 15:30:13 -0500
Subject: [PATCH] Enable QR code display by default in otptoken-add
This is possible because python-qrcode's output now fits in a standard
terminal. Also, update ipa-otp-import and otptoken-add-yubikey to
disable QR code output as it doesn't make sense in these contexts.
https://fedorahosted.org/freeipa/ticket/4703
---
ipalib/plugins/otptoken.py | 4 ++--
ipalib/plugins/otptoken_yubikey.py | 1 +
ipaserver/install/ipa_otptoken_import.py | 2 +-
3 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/ipalib/plugins/otptoken.py b/ipalib/plugins/otptoken.py
index 2b5f1c5fb83341d392e165a3507f5076820f1d3a..ead6fb40884157b31305c0d8fe540715ecf6a2a2 100644
--- a/ipalib/plugins/otptoken.py
+++ b/ipalib/plugins/otptoken.py
@@ -249,7 +249,7 @@ class otptoken_add(LDAPCreate):
msg_summary = _('Added OTP token %(value)s')
takes_options = LDAPCreate.takes_options + (
-Flag('qrcode?', label=_('Display QR code')),
+Flag('qrcode', label=_('Display QR code'), default=True),
)
has_output_params = LDAPCreate.has_output_params + (
@@ -329,7 +329,7 @@ class otptoken_add(LDAPCreate):
rv = super(otptoken_add, self).output_for_cli(textui, output, *args, **options)
# Print QR code to terminal if specified
-if uri and options.get('qrcode', False):
+if uri and options['qrcode']:
print \n
qr = qrcode.QRCode()
qr.add_data(uri)
diff --git a/ipalib/plugins/otptoken_yubikey.py b/ipalib/plugins/otptoken_yubikey.py
index e70ddb6e42b5ea34d7ebecb252d6bbd73ac64d03..643096a507121f3596d7d3798bff024c08d738fb 100644
--- a/ipalib/plugins/otptoken_yubikey.py
+++ b/ipalib/plugins/otptoken_yubikey.py
@@ -124,6 +124,7 @@ class otptoken_add_yubikey(Command):
ipatokenotpalgorithm=u'sha1',
ipatokenhotpcounter=0,
ipatokenotpkey=key,
+qrcode=False,
**options)
# Suppress values we don't want to return.
diff --git a/ipaserver/install/ipa_otptoken_import.py b/ipaserver/install/ipa_otptoken_import.py
index 31a6902014b8e3b2aafb3ba98a4190dc2059a3e7..70a38867c64674ce5879be6b7b03270856a31c77 100644
--- a/ipaserver/install/ipa_otptoken_import.py
+++ b/ipaserver/install/ipa_otptoken_import.py
@@ -517,7 +517,7 @@ class OTPTokenImport(admintool.AdminTool):
# Parse tokens
for keypkg in self.doc.getKeyPackages():
try:
-api.Command.otptoken_add(keypkg.id, **keypkg.options)
+api.Command.otptoken_add(keypkg.id, qrcode=False, **keypkg.options)
except Exception as e:
self.log.warn(Error adding token: %s, e)
else:
--
2.1.0
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0074] Make token window sizes configurable
On 11/12/2014 11:37 PM, Nathaniel McCallum wrote: On Mon, 2014-11-10 at 08:28 +0100, Martin Kosek wrote: On 11/07/2014 04:44 PM, Petr Vobornik wrote: On 7.11.2014 08:58, Martin Kosek wrote: On 11/04/2014 05:17 PM, Nathaniel McCallum wrote: On Wed, 2014-10-29 at 09:34 -0400, Nathaniel McCallum wrote: On Wed, 2014-10-29 at 12:21 +0100, Petr Viktorin wrote: On 10/29/2014 10:37 AM, Martin Kosek wrote: On 10/28/2014 09:59 PM, Nathaniel McCallum wrote: On Thu, 2014-10-23 at 18:07 -0400, Nathaniel McCallum wrote: This patch gives the administrator variables to control the size of the authentication and synchronization windows for OTP tokens. https://fedorahosted.org/freeipa/ticket/4511 NOTE: There is one known issue with this patch which I don't know how to solve. This patch changes the schema in install/share/60ipaconfig.ldif. On an upgrade, all of the new attributeTypes appear correctly. However, the modifications to the pre-existing objectClass do not show up on the server. What am I doing wrong? After modifying ipaGuiConfig manually, everything in this patch works just fine. This new version takes into account the new (proper) OIDs and attribute names. Thanks Nathaniel! The above known issue still remains. Petr3, any idea what could have gone wrong? ObjectClass MAY list extension should work just fine, AFAIK. You added a blank line to the LDIF file. This is an entry separator, so the objectClasses after the blank line don't belong to cn=schema, so they aren't considered in the update. Without the blank line it works fine. Thanks for the catch! Here is a version without the blank line. I forgot to remove the old steps defines. This patch performs this cleanup. I am now wondering, is the global config object really the nest place to add these OTP specific settings? I would prefer not to overload the object and instead: - create new ipaOTPConfig objectclass - add it to cn=otp,$SUFFIX - create otpconfig-mod and otpconfig-show commands to follow an example of dnsconfig-* and trustconfig-* commands IMO, this would allow more flexibility for the OTP settings and would also scale better for the future updates. +1 I will comment the patch as if ^^ would not exist because it will still be needed in the new plugin. Because of ^^ I did not test, just read. 1. Got: install/ui/src/freeipa/serverconfig.js(135): lint warning: extra comma is not recommended in array initializers Please run: jsl -nofilelisting -nosummary -nologo -conf jsl.conf in install/ui directory The goal is no have no warnings and errors. 2. new attrs should be added to 'System: Read Global Configuration' managed permission +1. Though if we go with OTP config, it should be called System: Read OTP Configuration Martin Attached is a new set of patches that replaces this single patch. This now fixes multiple issues. I now create two new entries: * cn=TOTP,cn=Token Config,cn=etc,$SUFFIX * cn=HOTP,cn=Token Config,cn=etc,$SUFFIX There are two corresponding CLI commands: * totpconfig-(show|mod) * hotpconfig-(show|mod) There is no UI support for this yet (pointers welcome). This is designed so that eventually tokens can grow a per-token override, but I have not yet implemented this feature (it should be easy in the future). Additionally, I had to do some shared refactoring to address issues in ipa-otp-lasttoken, which is why all of these are now merged into a single patch set. Nathaniel Ah, I meant adding the token config to cn=otp,SUFFIX directly, but if we want to make TOTP/HOTP token config as separate entries (to enable future per-token overrides), your approach should make sense. Rather adding Rob to CC for sanity. I am just not sure we should create them as separate plugins, I think the new commands should be rather added to otp plugin directly so that they show in ipa help otptoken instead of adding 2 new topics just for OTP config. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0074] Make token window sizes configurable
On Thu, 2014-11-13 at 08:48 +0100, Martin Kosek wrote: On 11/12/2014 11:37 PM, Nathaniel McCallum wrote: On Mon, 2014-11-10 at 08:28 +0100, Martin Kosek wrote: On 11/07/2014 04:44 PM, Petr Vobornik wrote: On 7.11.2014 08:58, Martin Kosek wrote: On 11/04/2014 05:17 PM, Nathaniel McCallum wrote: On Wed, 2014-10-29 at 09:34 -0400, Nathaniel McCallum wrote: On Wed, 2014-10-29 at 12:21 +0100, Petr Viktorin wrote: On 10/29/2014 10:37 AM, Martin Kosek wrote: On 10/28/2014 09:59 PM, Nathaniel McCallum wrote: On Thu, 2014-10-23 at 18:07 -0400, Nathaniel McCallum wrote: This patch gives the administrator variables to control the size of the authentication and synchronization windows for OTP tokens. https://fedorahosted.org/freeipa/ticket/4511 NOTE: There is one known issue with this patch which I don't know how to solve. This patch changes the schema in install/share/60ipaconfig.ldif. On an upgrade, all of the new attributeTypes appear correctly. However, the modifications to the pre-existing objectClass do not show up on the server. What am I doing wrong? After modifying ipaGuiConfig manually, everything in this patch works just fine. This new version takes into account the new (proper) OIDs and attribute names. Thanks Nathaniel! The above known issue still remains. Petr3, any idea what could have gone wrong? ObjectClass MAY list extension should work just fine, AFAIK. You added a blank line to the LDIF file. This is an entry separator, so the objectClasses after the blank line don't belong to cn=schema, so they aren't considered in the update. Without the blank line it works fine. Thanks for the catch! Here is a version without the blank line. I forgot to remove the old steps defines. This patch performs this cleanup. I am now wondering, is the global config object really the nest place to add these OTP specific settings? I would prefer not to overload the object and instead: - create new ipaOTPConfig objectclass - add it to cn=otp,$SUFFIX - create otpconfig-mod and otpconfig-show commands to follow an example of dnsconfig-* and trustconfig-* commands IMO, this would allow more flexibility for the OTP settings and would also scale better for the future updates. +1 I will comment the patch as if ^^ would not exist because it will still be needed in the new plugin. Because of ^^ I did not test, just read. 1. Got: install/ui/src/freeipa/serverconfig.js(135): lint warning: extra comma is not recommended in array initializers Please run: jsl -nofilelisting -nosummary -nologo -conf jsl.conf in install/ui directory The goal is no have no warnings and errors. 2. new attrs should be added to 'System: Read Global Configuration' managed permission +1. Though if we go with OTP config, it should be called System: Read OTP Configuration Martin Attached is a new set of patches that replaces this single patch. This now fixes multiple issues. I now create two new entries: * cn=TOTP,cn=Token Config,cn=etc,$SUFFIX * cn=HOTP,cn=Token Config,cn=etc,$SUFFIX There are two corresponding CLI commands: * totpconfig-(show|mod) * hotpconfig-(show|mod) There is no UI support for this yet (pointers welcome). This is designed so that eventually tokens can grow a per-token override, but I have not yet implemented this feature (it should be easy in the future). Additionally, I had to do some shared refactoring to address issues in ipa-otp-lasttoken, which is why all of these are now merged into a single patch set. Nathaniel Ah, I meant adding the token config to cn=otp,SUFFIX directly, but if we want to make TOTP/HOTP token config as separate entries (to enable future per-token overrides), your approach should make sense. Rather adding Rob to CC for sanity. That would work too. I'm open to that. I am just not sure we should create them as separate plugins, I think the new commands should be rather added to otp plugin directly so that they show in ipa help otptoken instead of adding 2 new topics just for OTP config. I can play with that. Nathaniel ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0074] Make token window sizes configurable
On 11/13/2014 08:51 AM, Nathaniel McCallum wrote: On Thu, 2014-11-13 at 08:48 +0100, Martin Kosek wrote: On 11/12/2014 11:37 PM, Nathaniel McCallum wrote: On Mon, 2014-11-10 at 08:28 +0100, Martin Kosek wrote: On 11/07/2014 04:44 PM, Petr Vobornik wrote: On 7.11.2014 08:58, Martin Kosek wrote: On 11/04/2014 05:17 PM, Nathaniel McCallum wrote: On Wed, 2014-10-29 at 09:34 -0400, Nathaniel McCallum wrote: On Wed, 2014-10-29 at 12:21 +0100, Petr Viktorin wrote: On 10/29/2014 10:37 AM, Martin Kosek wrote: On 10/28/2014 09:59 PM, Nathaniel McCallum wrote: On Thu, 2014-10-23 at 18:07 -0400, Nathaniel McCallum wrote: This patch gives the administrator variables to control the size of the authentication and synchronization windows for OTP tokens. https://fedorahosted.org/freeipa/ticket/4511 NOTE: There is one known issue with this patch which I don't know how to solve. This patch changes the schema in install/share/60ipaconfig.ldif. On an upgrade, all of the new attributeTypes appear correctly. However, the modifications to the pre-existing objectClass do not show up on the server. What am I doing wrong? After modifying ipaGuiConfig manually, everything in this patch works just fine. This new version takes into account the new (proper) OIDs and attribute names. Thanks Nathaniel! The above known issue still remains. Petr3, any idea what could have gone wrong? ObjectClass MAY list extension should work just fine, AFAIK. You added a blank line to the LDIF file. This is an entry separator, so the objectClasses after the blank line don't belong to cn=schema, so they aren't considered in the update. Without the blank line it works fine. Thanks for the catch! Here is a version without the blank line. I forgot to remove the old steps defines. This patch performs this cleanup. I am now wondering, is the global config object really the nest place to add these OTP specific settings? I would prefer not to overload the object and instead: - create new ipaOTPConfig objectclass - add it to cn=otp,$SUFFIX - create otpconfig-mod and otpconfig-show commands to follow an example of dnsconfig-* and trustconfig-* commands IMO, this would allow more flexibility for the OTP settings and would also scale better for the future updates. +1 I will comment the patch as if ^^ would not exist because it will still be needed in the new plugin. Because of ^^ I did not test, just read. 1. Got: install/ui/src/freeipa/serverconfig.js(135): lint warning: extra comma is not recommended in array initializers Please run: jsl -nofilelisting -nosummary -nologo -conf jsl.conf in install/ui directory The goal is no have no warnings and errors. 2. new attrs should be added to 'System: Read Global Configuration' managed permission +1. Though if we go with OTP config, it should be called System: Read OTP Configuration Martin Attached is a new set of patches that replaces this single patch. This now fixes multiple issues. I now create two new entries: * cn=TOTP,cn=Token Config,cn=etc,$SUFFIX * cn=HOTP,cn=Token Config,cn=etc,$SUFFIX There are two corresponding CLI commands: * totpconfig-(show|mod) * hotpconfig-(show|mod) There is no UI support for this yet (pointers welcome). This is designed so that eventually tokens can grow a per-token override, but I have not yet implemented this feature (it should be easy in the future). Additionally, I had to do some shared refactoring to address issues in ipa-otp-lasttoken, which is why all of these are now merged into a single patch set. Nathaniel Ah, I meant adding the token config to cn=otp,SUFFIX directly, but if we want to make TOTP/HOTP token config as separate entries (to enable future per-token overrides), your approach should make sense. Rather adding Rob to CC for sanity. That would work too. I'm open to that. I am just not sure we should create them as separate plugins, I think the new commands should be rather added to otp plugin directly so that they show in ipa help otptoken instead of adding 2 new topics just for OTP config. I can play with that. Nathaniel No worries ATM, you can wait for proper review. I was just looking at the new API to make sure we are on the same page - we seem to mostly are. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
