[Freeipa-devel] [PATCH 0138] only search for Kerberos SRV records when autodiscovery was requested
A quick fix for https://fedorahosted.org/freeipa/ticket/4305 I'm aware that we were talking about putting realmd discovery into IPADiscovery class and stuff, but that is a bit beyond the scope of this ticket. I will open ticket(s) tracking: 1.) Offload at least the IPA realm DNS discovery to realmd D-Bus interface 2.) rewrite (not refactoring: the stuff also needs a substantial functional redesign IMHO) of the DNS discovery in the client-side installers. I will make sure that this effort is not forgotten and we are not left with yet-another temporary fix. -- Martin^3 Babinsky From 36f5626c3bbd930193f03576b01574fa00bdcf2f Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Mon, 7 Mar 2016 17:41:15 +0100 Subject: [PATCH] only search for Kerberos SRV records when autodiscovery was requested When a list of servers is passed to ipa-client-{install,automount} the search of Kerberos and LDAP SRV records should be suppressed and the specified hostnames used directly as LDAP servers/KDCs. We thus should not performed search for KDCs when the autodiscovery was actually not requested. https://fedorahosted.org/freeipa/ticket/4305 --- ipaclient/ipadiscovery.py | 10 +++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/ipaclient/ipadiscovery.py b/ipaclient/ipadiscovery.py index ed59529fbbf7f3973872439de377175c7a9d5589..1ba7c1a2d6ae071543b76812463d114de494c296 100644 --- a/ipaclient/ipadiscovery.py +++ b/ipaclient/ipadiscovery.py 
@@ -273,9 +273,13 @@ class IPADiscovery(object): if not servers and not realm: return REALM_NOT_FOUND -self.kdc = self.ipadnssearchkrbkdc() -self.kdc_source = ( -'Discovered Kerberos DNS records from %s' % self.domain) +if autodiscovered: +self.kdc = self.ipadnssearchkrbkdc() +self.kdc_source = ( +'Discovered Kerberos DNS records from %s' % self.domain) +else: +self.kdc = ', '.join(servers) +self.kdc_source = "Kerberos DNS record discovery bypassed" # We may have received multiple servers corresponding to the domain # Iterate through all of those to check if it is IPA LDAP server -- 2.5.0 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
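Review bot: In the new `else` branch, `self.kdc = ', '.join(servers)` runs whenever `autodiscovered` is false, but the only guard visible above it is `if not servers and not realm`, which still lets an empty `servers` through when a realm was given. An empty list yields an empty `self.kdc` string and `None` raises a TypeError, so either check that `servers` is non-empty here or handle that case explicitly. Please also confirm that consumers of `self.kdc` accept the `', '`-joined form, since the return format of `ipadnssearchkrbkdc()` is not visible in this hunk. The `kdc_source` text could name the supplied servers, as the discovery branch names `self.domain`, so the install log records where the KDC list came from. Minor: the new string uses double quotes where the neighbouring code uses single quotes.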
Re: [Freeipa-devel] [TESTS][PATCH 0011] WebUI: Creating user without private group
On 02/25/2016 03:08 PM, Lenka Doudova wrote:

Hi,

here's a patch for webUI tests that provides test for creating user without private group. Related to ticket https://fedorahosted.org/freeipa/ticket/4986

Since the option to specify GID when creating a user is not available https://fedorahosted.org/freeipa/ticket/5505 the test creates a new posix group, makes it a default user group instead of 'ipausers' and then attempts to create the user without private group. Returning default user group value to 'ipausers' is provided even for cases when the test fails so it would not block other tests from performing properly.

Lenka

Hi,

ACK, works well.

Pavel^3 Vomacka
Re: [Freeipa-devel] [PATCH 0137] spec: add conflict with bind-chroot to freeipa-server-dns
On 03/07/2016 03:17 PM, Petr Spacek wrote:
> On 7.3.2016 13:27, Jan Cholasta wrote:
>> Hi,
>>
>> On 7.3.2016 12:47, Martin Babinsky wrote:
>>> https://fedorahosted.org/freeipa/ticket/5696
>>
>> Shouldn't we rather fix IPA to work with bind running in chroot (which is
>> AFAIK considered good security practice)?
>
> I would not invest into it:
> http://www.freeipa.org/page/Howto/FreeIPA_with_integrated_BIND_inside_chroot#NOTE:_Chroot_should_not_be_considered_a_security_feature

+1

Martin
Re: [Freeipa-devel] [PATCH 0137] spec: add conflict with bind-chroot to freeipa-server-dns
On 7.3.2016 13:27, Jan Cholasta wrote:
> Hi,
>
> On 7.3.2016 12:47, Martin Babinsky wrote:
>> https://fedorahosted.org/freeipa/ticket/5696
>
> Shouldn't we rather fix IPA to work with bind running in chroot (which is
> AFAIK considered good security practice)?

I would not invest into it:
http://www.freeipa.org/page/Howto/FreeIPA_with_integrated_BIND_inside_chroot#NOTE:_Chroot_should_not_be_considered_a_security_feature

--
Petr^2 Spacek
Re: [Freeipa-devel] [PATCH 0006] Refactor test_hostgroup_plugin
Sorry, forgot to cc you, Milan.

F.

On Tue, 22 Dec 2015 05:57:50 -0500 (EST) Filip Skola wrote:
> And also sending refactored hostgroup plugin test.
>
> F
Re: [Freeipa-devel] [PATCH 0137] spec: add conflict with bind-chroot to freeipa-server-dns
Hi,

On 7.3.2016 12:47, Martin Babinsky wrote:

https://fedorahosted.org/freeipa/ticket/5696

Shouldn't we rather fix IPA to work with bind running in chroot (which is AFAIK considered good security practice)?

Honza

--
Jan Cholasta
Re: [Freeipa-devel] French translation for FreeIPA
On 03/07/2016 12:57 PM, Lukas Slebodnik wrote:
> On (07/03/16 12:20), Martin Kosek wrote:
>> On 03/07/2016 11:48 AM, Jérôme Fenal wrote:
>>> 2016-02-29 18:45 GMT+01:00 Jérôme Fenal:
>>>
>>>> Hi all,
>>>>
>>>> Just a quick note to let you know that I completed the translation of what
>>>> was available to translate on Zanata.
>>>>
>>>> Can you please check it passes the QA, that the strings available on
>>>> Zanata are the latest ones, and that it can flow back into RHEL7?
>>>
>>> Hello there,
>>>
>>> No news good news, or everybody is swamped in BZs? :-)
>>
>> Hi Jérôme,
>>
>> Thanks for the translation! The new strings should get to FreeIPA 4.3.1, right
>> Tomas?
> FreeIPA 4.2.x will be released sooner :-)
> Do you plan to include new translation there?

As we do not have branches with our translations, I am actually not sure adding new translations there is a good idea, there may be too big differences with current master in Zanata and what is in FreeIPA 4.2.x. Tomas should know better than I.
Re: [Freeipa-devel] French translation for FreeIPA
On (07/03/16 12:20), Martin Kosek wrote:
>On 03/07/2016 11:48 AM, Jérôme Fenal wrote:
>> 2016-02-29 18:45 GMT+01:00 Jérôme Fenal:
>>
>>> Hi all,
>>>
>>> Just a quick note to let you know that I completed the translation of what
>>> was available to translate on Zanata.
>>>
>>> Can you please check it passes the QA, that the strings available on
>>> Zanata are the latest ones, and that it can flow back into RHEL7?
>>>
>>
>> Hello there,
>>
>> No news good news, or everybody is swamped in BZs? :-)
>
>Hi Jérôme,
>
>Thanks for the translation! The new strings should get to FreeIPA 4.3.1, right
>Tomas?

FreeIPA 4.2.x will be released sooner :-)
Do you plan to include new translation there?

LS
[Freeipa-devel] [PATCH 0137] spec: add conflict with bind-chroot to freeipa-server-dns
https://fedorahosted.org/freeipa/ticket/5696 -- Martin^3 Babinsky From 2be6f975868ef897d273550365dafdfeaf060c54 Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Mon, 7 Mar 2016 12:41:53 +0100 Subject: [PATCH] spec: add conflict with bind-chroot to freeipa-server-dns https://fedorahosted.org/freeipa/ticket/5696 --- freeipa.spec.in | 1 + 1 file changed, 1 insertion(+) diff --git a/freeipa.spec.in b/freeipa.spec.in index bc47df4c916bd8f091fc2f70330d95bd116ad187..cd6f188c540d22de648df8bc19a3ddc1dcc10eb1 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -262,6 +262,7 @@ Requires: bind-utils >= 9.9.4-21 Requires: bind-pkcs11 >= 9.9.4-21 Requires: bind-pkcs11-utils >= 9.9.4-21 %endif +Conflicts: bind-chroot Requires: opendnssec >= 1.4.6-4 Provides: %{alt_name}-server-dns = %{version} -- 2.5.0 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
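Review bot: The added `Conflicts: bind-chroot` line after `%endif` carries no explanation, and the commit message body contains only the ticket URL. A one-line spec comment above it stating why the DNS subpackage cannot coexist with bind-chroot, with the ticket reference, would keep the reason next to the constraint; the commit message should summarise it too, since replies in this thread ask whether supporting BIND in a chroot would be preferable. The conflict is also unversioned, so it applies to every bind-chroot release; say so in the comment if that is intended.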
Re: [Freeipa-devel] FreeIPA COPR repos for 4.2.4 and 4.3.1 release candidates
On (04/03/16 17:33), Petr Vobornik wrote:
>Hello all,
>
>COPR repositories for testing of upcoming 4.3.1 and 4.2.4 releases were
>created in new @freeipa group:
>* @freeipa/freeipa-4-2-rc for f23
>* @freeipa/freeipa-4-3-rc for f23, f24, rawhide
>
>@freeipa/freeipa-4-2-rc is undergoing pre-release testing. It also means that
>there is push freeze in ipa-4-2 branch.
>
>4.3.1 is not finished yet, but the COPR repository already contains initial
>package matching state of ipa-4-3 branch from today.
>
>[1] https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-4-2-rc/

I can see three tests failing with freeipa-4.2:

test_dnssec.py
 -- it's a known bug in freeipa
test_vault.py
 -- there are failures due to problem with installation of replica
test_caless.py
 -- TypeError: install() takes exactly 2 arguments (1 given)
 -- It should be already fixed in master
    e5189ef6e23e4691f6c74541da5bc1a0b0f2e73f
    3507bcd3dfe2b0f1e7fae6f219a925ec6904ab47

BTW I'm lazy to file bugs in Trac. Feel free to file it yourself if you need to backport/fix tests.

LS
Re: [Freeipa-devel] [PATCH 0087] Pylint: enable parallelism
On 03/07/2016 10:58 AM, Petr Spacek wrote:
> On 4.3.2016 14:13, Tomas Babej wrote:
>> On 03/01/2016 03:46 PM, Petr Spacek wrote:
>>> Hello,
>>>
>>> Pylint: enable parallelism
>>>
>>> The config file specifies 8 cores but Pylint very quickly
>>> ends up with 3 cores so do not worry about overwhelming your system.
>>
>> I like the idea of the patch, however, on my single-CPU VM this causes
>> additional overhead and lint ends up taking more time (+15%).
>>
>> From the pylint docs [1]:
>>
>> If the provided number is 0 then the number of CPUs will be used.
>>
>> I'd suggest we use this value instead, to get the best of both worlds :)
>
> Here you go.
>
> Petr^2 Spacek
>
>
>> Tomas
>>
>> [1] https://docs.pylint.org/run.html
>>
>>

Thanks, ACK.

Pushed to master: 42c01eb3270d8c47c41f7f9b0da7064edb4b0e47

Tomas
Re: [Freeipa-devel] [PATCH 0404] ipalib: Fix user certificate docstrings
On 03/07/2016 05:50 AM, Fraser Tweedale wrote:
> On Fri, Mar 04, 2016 at 12:49:46PM +0100, Tomas Babej wrote:
>> Hi,
>>
>> this fixes incorrect usercertificate attribute docstrings in several IPA
>> objects.
>>
>> Tomas
>>
> ACK.
>

Pushed to master: 8bf6aa2c1c957025c7d466f7a33202a191764f0b
Re: [Freeipa-devel] French translation for FreeIPA
On 03/07/2016 11:48 AM, Jérôme Fenal wrote:
> 2016-02-29 18:45 GMT+01:00 Jérôme Fenal:
>
>> Hi all,
>>
>> Just a quick note to let you know that I completed the translation of what
>> was available to translate on Zanata.
>>
>> Can you please check it passes the QA, that the strings available on
>> Zanata are the latest ones, and that it can flow back into RHEL7?
>>
>
> Hello there,
>
> No news good news, or everybody is swamped in BZs? :-)

Hi Jérôme,

Thanks for the translation! The new strings should get to FreeIPA 4.3.1, right Tomas?

As for RHEL, there is no special process around adding the translated strings. The new ones should get there whenever the FreeIPA is rebased.
Re: [Freeipa-devel] French translation for FreeIPA
2016-02-29 18:45 GMT+01:00 Jérôme Fenal:

> Hi all,
>
> Just a quick note to let you know that I completed the translation of what
> was available to translate on Zanata.
>
> Can you please check it passes the QA, that the strings available on
> Zanata are the latest ones, and that it can flow back into RHEL7?
>

Hello there,

No news good news, or everybody is swamped in BZs? :-)

Cheers,

J.
--
Jérôme Fenal
Re: [Freeipa-devel] [PATCH] 0007 webui: Add a field for GID in the user add dialog
On 03/04/2016 07:03 PM, Petr Vobornik wrote:

On 03/01/2016 01:37 PM, Pavel Vomacka wrote:

Hi,

The patch adds new field in user add dialog. This combo box lists GIDs of posix groups so user can choose one. It is also possible to fill a GID number which is not in the list.

Link to the ticket: https://fedorahosted.org/freeipa/ticket/5505

--
Pavel^3 Vomacka

1. We can keep default label 'GID' by removing 'label' from spec, which is also used on details page. No need to add a new string.

2. It is hard to pick a group from a list because the only thing administrator sees are GID numbers, e.g.:
* 33080
* 33082

It would be good to show a group name there or group name + GID
* admins
* editors

Reasoning:
a) If admin wants to set arbitrary GID number not managed in IPA, he already knows it and can enter it directly.
b) If he wants to set a specific group then he will search for it by name.

Such change will require a change in combobox widget so that we can specify a label field and a value field. E.g. list will operate with e.g.:

[ { label: 'admins', value: 33080 }, { label: 'editors', value: 33080 } ]

and not

[ 33080, 33080 ]

I tried if it is possible to do easily and yes. See attached wippatch. Would be good to check if it breaks anything. If not then we can merge it into your patch.

Hi,

thank you for your patch. It's definitely better to see names of groups instead of numbers. Your solution works well. I merged your patch with mine and the result is attached. I also removed definitions of new string (was used as label) from my first patch.

Pavel^3 Vomacka

>From 553b7388e480123443e1c788daf95228422ed530 Mon Sep 17 00:00:00 2001
From: Pavel Vomacka Date: Tue, 1 Mar 2016 12:17:04 +0100 Subject: [PATCH] Add field for group id in user add dialog Add new field in user add dialog. This combo box lists all posix groups so user can choose one. It is also possible to fill a GID number which is not in the list. https://fedorahosted.org/freeipa/ticket/5505 --- install/ui/src/freeipa/user.js | 10 ++ install/ui/src/freeipa/widget.js | 6 -- 2 files changed, 14 insertions(+), 2 deletions(-) diff --git a/install/ui/src/freeipa/user.js b/install/ui/src/freeipa/user.js index a920e088aacd02585cd131dce725272f47e4cf1c..a9727f57d69e7126d87707f541786ffab4d0c999 100644 --- a/install/ui/src/freeipa/user.js +++ b/install/ui/src/freeipa/user.js @@ -447,6 +447,16 @@ return { name: 'noprivate', label: '@i18n:objects.user.noprivate', metadata: '@mc-opt:user_add:noprivate' +}, +{ +$type: 'entity_select', +name: 'gidnumber', +editable: true, +searchable: true, +other_entity: 'group', +other_field: 'gidnumber', +label_field: 'cn', +filter_options: {'posix': true} } ] }, diff --git a/install/ui/src/freeipa/widget.js b/install/ui/src/freeipa/widget.js index 41d75fe0cd80024f6bb44405456bedc5f3fbca47..fc2d6ef0bf9fd9361a88c9bf7523077739dc615f 100644 --- a/install/ui/src/freeipa/widget.js +++ b/install/ui/src/freeipa/widget.js @@ -4299,6 +4299,7 @@ IPA.entity_select_widget = function(spec) { that.other_entity = IPA.get_entity(spec.other_entity); that.other_field = spec.other_field; +that.label_field = spec.label_field || spec.other_field; that.options = spec.options || []; that.filter_options = spec.filter_options || {}; @@ -4339,9 +4340,10 @@ IPA.entity_select_widget = function(spec) { for (var i=0; i-- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
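Review bot: In the user.js hunk the new `gidnumber` field is declared `editable: true` while the list is shown through `label_field: 'cn'`, so an administrator who types into the box sees group names in the dropdown but has to enter a numeric GID, and nothing in the hunk validates that free-form input is a number. Consider adding a numeric validator to the field spec, or confirming that the server rejects non-numeric values with a clear message, and add a short comment that typed values are GIDs, not names. In widget.js the `spec.label_field || spec.other_field` fallback keeps existing `entity_select` users unchanged; the new `label_field` option should be mentioned wherever the widget's spec options are documented. The last widget.js hunk is cut off in this archive copy after `for (var i=0; i`, so the option-building loop could not be reviewed.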
Re: [Freeipa-devel] [PATCH 0087] Pylint: enable parallelism
On 4.3.2016 14:13, Tomas Babej wrote: > On 03/01/2016 03:46 PM, Petr Spacek wrote: >> Hello, >> >> Pylint: enable parallelism >> >> The config file specifies 8 cores but Pylint very quickly >> ends up with 3 cores so do not worry about overwhelming your system. > > I like the idea of the patch, however, on my single-CPU VM this causes > additional overhead and lint ends up taking more time (+15%). > >>From the pylint docs [1]: > > If the provided number is 0 then the number of CPUs will be used. > > I'd suggest we use this value instead, to get the best of both worlds :) Here you go. Petr^2 Spacek > Tomas > > [1] https://docs.pylint.org/run.html From 700579ca97956e85c7501a96003627d301f5ebb8 Mon Sep 17 00:00:00 2001 From: Petr Spacek Date: Tue, 1 Mar 2016 15:42:48 +0100 Subject: [PATCH] Pylint: enable parallelism The config file specifies 8 cores but Pylint very quickly ends up with 3 cores so do not worry about overwhelming your system. --- pylintrc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pylintrc b/pylintrc index 1003e49217ec9761ea5e17d3e965376a0cca1a32..2a4dd7b09ef8b7ab052fc12e382c88a7af2ed568 100644 --- a/pylintrc +++ b/pylintrc @@ -7,7 +7,7 @@ persistent=no load-plugins=pylint_plugins # Use multiple processes to speed up Pylint. -jobs=1 +jobs=0 [MESSAGES CONTROL] -- 2.5.0 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
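Review bot: The commit message still says "The config file specifies 8 cores", but the hunk changes `jobs=1` to `jobs=0`, so the message no longer describes the change. Reword it to say that 0 makes Pylint use the number of available CPUs, as the pylint documentation quoted in the thread states, and extend the `# Use multiple processes to speed up Pylint.` comment above the setting with the same explanation so the value is not read as "disabled".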