Re: [Freeipa-devel] More types of replicas in FreeIPA
On 13.2.2013 14:36, Simo Sorce wrote:

On Tue, 2013-02-12 at 19:30 -0500, Dmitri Pal wrote: It looks like things are starting to boil down to building a Kerberos proxy. Is this something that fits within your thesis agenda Ondra?

I guess that's for Ondrej to say, if it is too much we can simply start working on the LDAP/replication side with rekeying and what not, and deal with the KDC part at a later time. Simo.

Working on the LDAP/repl side fits the thesis agenda better, so I would like to go that way. Rekeying - do you mean some sort of plugin for transporting the krb keys from masters to consumers? Besides securing transport of keys what else should be done in ldap? I've only partial replication in my mind - I mean replication of entries selected by some kind of ldap filters.

___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] More types of replicas in FreeIPA
Hello, I'm starting to work on my thesis about 'More types of replicas in FreeIPA' again. One of the main problems is how the read-only replicas should deal with the KDC, because they're not supposed to possess the Kerberos (krb) master key. The task was to investigate how this is solved in Active Directory and its Read Only Domain Controllers. I found out that the basics of RODC behaviour are described on the technet page (http://technet.microsoft.com/en-us/library/cc754218%28v=ws.10%29.aspx).

Login situation: RODC by default forwards the KRB requests to the DC. RODC then forwards the response back to the client and also requests the password to be replicated to RODC. Both the user and his host must be members of the 'Allowed RODC Password Replication' group in order to let the user's passwords be replicated to RODCs.

Request services that the RODC doesn't have credentials for: Client sends TGS-REQ to RODC. RODC can read the TGT in the request, but doesn't have credentials for the service. So the request is forwarded to the DC. DC can decrypt the TGT that was created by RODC and sends back the TGS-RES that is forwarded to the client (but it does not trust the RODC, so it recalculates the privilege attribute certificate). RODC does not cache the credentials for the service.

During my experiments the credentials got replicated to the RODC on the first log on of the user. The user's KRB requests were first forwarded to the DC. When the user got krbtgt and TGS for host, ldap and cifs, his TGT was revoked by RODC. He ran through the auth. process again, but this time the requests were served by RODC only - no forwarding - and no TGS for host was requested.

Unfortunately I still cannot recognize how the keys are processed. There's barely any RPC communication - only one DCERPC packet exchange between RODC and DC that takes place when the user sends his first TGS request (this exchange happens also for the clients with disabled replication).

It looks to me like the DC knows all the RODC keys. According to Technet, the MS implementation of Kerberos is able to recognize the key owner from the Key Version Number value. I think I can't get more info from the network traffic examination. Do you have any ideas or hints on further investigation of the problem?
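The forwarding and caching rules described in this message, as an added model (example code, not Active Directory's or FreeIPA's): a writable DC that tells krbtgt keys apart by kvno, and an RODC that forwards whatever it cannot serve and caches a user's secret only when both user and host are in the allowed group. Principal names, service names and kvno values are constructed for the example.

```python
from dataclasses import dataclass

ALLOWED_GROUP = "Allowed RODC Password Replication"


@dataclass(frozen=True)
class Principal:
    name: str
    groups: frozenset = frozenset()


@dataclass(frozen=True)
class Ticket:
    client: str
    service: str      # "krbtgt" for a TGT
    kvno: int         # key version number: tells the DC which krbtgt key sealed it
    pac_issuer: str   # which KDC computed the privilege attribute certificate


class WritableDC:
    """Holds its own krbtgt key and every RODC's krbtgt key, indexed by kvno."""

    def __init__(self, own_kvno, rodc_kvnos):
        self.own_kvno = own_kvno
        # kvno -> owner of the key (constructed values, not AD's kvno encoding)
        self.krbtgt_owner = {own_kvno: "DC"}
        self.krbtgt_owner.update({k: "RODC-%x" % k for k in rodc_kvnos})
        self.forwarded = []   # requests that reached the DC, for inspection

    def as_req(self, user):
        self.forwarded.append(("AS-REQ", user))
        return Ticket(user, "krbtgt", self.own_kvno, "DC")

    def tgs_req(self, tgt, service):
        self.forwarded.append(("TGS-REQ", tgt.client, service))
        if tgt.kvno not in self.krbtgt_owner:
            raise ValueError("TGT sealed with an unknown krbtgt key")
        # Whether the TGT came from the DC or from an RODC, the DC rebuilds the
        # PAC itself: it does not trust one computed by a read-only DC.
        return Ticket(tgt.client, service, self.own_kvno, "DC")


class RODC:
    """Never holds the DC's krbtgt key; serves only what it has keys for."""

    def __init__(self, kvno, dc, service_keys=()):
        self.kvno = kvno
        self.dc = dc
        self.service_keys = set(service_keys)  # services whose keys it holds
        self.cached = set()                     # users whose secrets were replicated

    def _replicable(self, user, host):
        # Both the user and the host must be in the allowed group.
        return ALLOWED_GROUP in user.groups and ALLOWED_GROUP in host.groups

    def as_req(self, user, host):
        """Logon. Returns (ticket, name of the KDC that served it)."""
        if user.name in self.cached:
            return Ticket(user.name, "krbtgt", self.kvno, "RODC"), "RODC"
        tgt = self.dc.as_req(user.name)        # first logon: forward to the DC
        if self._replicable(user, host):       # and ask for the secret, so the
            self.cached.add(user.name)         # next logon is served locally
        return tgt, "DC"

    def tgs_req(self, tgt, service):
        """Service ticket. Nothing is cached on this path."""
        if tgt.kvno == self.kvno and service in self.service_keys:
            return Ticket(tgt.client, service, self.kvno, "RODC"), "RODC"
        # Either the TGT is not ours to read or we lack the service key: forward.
        return self.dc.tgs_req(tgt, service), "DC"


def first_and_second_logon(rodc, user, host, services):
    """Replay the experiment in the message: who served each request?"""
    served = []
    for _ in range(2):
        tgt, by = rodc.as_req(user, host)
        served.append(("krbtgt", by))
        for svc in services:
            _, by = rodc.tgs_req(tgt, svc)
            served.append((svc, by))
    return served
```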
Re: [Freeipa-devel] [PATCH] 26 Fix '--random' param behaviour for host plugin
On 06/25/2012 04:59 PM, Petr Viktorin wrote:

On 06/20/2012 05:43 PM, Ondrej Hamada wrote:

On 06/15/2012 07:36 AM, Martin Kosek wrote:

On Thu, 2012-06-14 at 16:35 -0400, Rob Crittenden wrote:

Ondrej Hamada wrote: Improved options checking so that host-mod operation is not changing password for enrolled host when '--random' option is used. https://fedorahosted.org/freeipa/ticket/2799 Updated set of characters that is used for generating random passwords for ipa hosts. Following characters were removed from the set: '`\$ https://fedorahosted.org/freeipa/ticket/2800

This works ok but it would be nice to have a test for both setting a password and random on an enrolled host to prevent regressions. We have some ipa-getkeytab tests already and these can be extended to test this I think. Might be nice to mention in the inline comment the set of characters excluded and why. rob

I've added a new test class into test_host_plugin.py that takes care of that. Just there is a problem that the ipa-join command always fails on 'adding key into keytab'. But the attributes necessary for testing are set correctly, so the testing can continue.

We already generate passwords for users with this character set: user_pwdchars = string.digits + string.ascii_letters + '_,.@+-=' Why would we want to generate passwords for host enrolling with a different set? Additionally, I think the set of characters you chose is too wide, try entering a password with ' ', !, (, ), , or ; without careful escaping or quoting... Martin

Ok, I've used the same set of characters as for the user passwords.

Should this set just be used for generated passwords by default? Possibly with slightly longer passwords so they aren't suddenly weaker.

I prefer to generate strong passwords by default and if anyone needs an easier one, then he must adjust it. Especially in this case when we use one generator in different places.

Anyway, the patch works great here.
I just have a few style issues: freeipa-ohamada-26-2-Change-random-passwords-behaviour.patch From bc19f44023643ff726e6e36634fbcbcbd0859583 Mon Sep 17 00:00:00 2001 From: Ondrej Hamadaoham...@redhat.com Date: Mon, 18 Jun 2012 15:25:05 +0200 Subject: [PATCH] Change random passwords behaviour Improved options checking so that host-mod operation is not changing password for enrolled host when '--random' option is used. Unit tests added. https://fedorahosted.org/freeipa/ticket/2799 Updated set of characters that is used for generating random passwords for ipa hosts. All characters that might need escaping were removed. https://fedorahosted.org/freeipa/ticket/2800 --- ipalib/plugins/host.py| 11 - tests/test_xmlrpc/test_host_plugin.py | 75 - 2 files changed, 82 insertions(+), 4 deletions(-) diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py index 96b73cc5594335ad02dd43f87e7e011ab84157a1..9680d7c024ea8976f92a71bf576d6712c44a2bcf 100644 --- a/ipalib/plugins/host.py +++ b/ipalib/plugins/host.py @@ -24,6 +24,7 @@ import sys from nss.error import NSPRError import nss.nss as nss import netaddr +import string from ipalib import api, errors, util from ipalib import Str, Flag, Bytes @@ -99,6 +100,10 @@ EXAMPLES: ipa host-add-managedby --hosts=test2 test ) +# Characters to be used by random password generator +# The set was chosen to avoid the need for escaping the characters by user +host_pwd_chars=string.digits + string.ascii_letters + '_,.@+-=' + def remove_fwd_ptr(ipaddr, host, domain, recordtype): api.log.debug('deleting ipaddr %s' % ipaddr) try: 
@@ -404,7 +409,7 @@ class host_add(LDAPCreate): if 'krbprincipal' in entry_attrs['objectclass']: entry_attrs['objectclass'].remove('krbprincipal') if options.get('random'): -entry_attrs['userpassword'] = ipa_generate_password() +entry_attrs['userpassword'] = ipa_generate_password(characters=host_pwd_chars) # save the password so it can be displayed in post_callback setattr(context, 'randompassword', entry_attrs['userpassword']) cert = options.get('usercertificate') @@ -596,7 +601,7 @@ class host_mod(LDAPUpdate): def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): # Allow an existing OTP to be reset but don't allow a OTP to be # added to an enrolled host. -if 'userpassword' in options: +if options.get('userpassword') or options.get('random'): entry = {} self.obj.get_password_attributes(ldap, dn, entry) if not entry['has_password'] and entry['has_keytab']: @@ -649,7 +654,7 @@ class host_mod(LDAPUpdate): entry_attrs['usercertificate'] = cert if options.get('random'): -entry_attrs['userpassword'] = ipa_generate_password() +entry_attrs['userpassword'] = ipa_generate_password
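Review bot: the host_add hunk passes `characters=host_pwd_chars` but no length, so the generated password now draws from 69 symbols (digits, letters and `_,.@+-=`) at whatever default length `ipa_generate_password` uses; if the previous default alphabet was wider, each character now carries fewer bits and the same length is a weaker secret. Either pass a longer length together with the narrower alphabet, or extend the comment above `host_pwd_chars`, which currently explains only the escaping rationale, to say why the default length is still enough.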
Re: [Freeipa-devel] [PATCH] 26 Fix '--random' param behaviour for host plugin
On 06/15/2012 07:36 AM, Martin Kosek wrote:

On Thu, 2012-06-14 at 16:35 -0400, Rob Crittenden wrote:

Ondrej Hamada wrote: Improved options checking so that host-mod operation is not changing password for enrolled host when '--random' option is used. https://fedorahosted.org/freeipa/ticket/2799 Updated set of characters that is used for generating random passwords for ipa hosts. Following characters were removed from the set: '`\$ https://fedorahosted.org/freeipa/ticket/2800

This works ok but it would be nice to have a test for both setting a password and random on an enrolled host to prevent regressions. We have some ipa-getkeytab tests already and these can be extended to test this I think. Might be nice to mention in the inline comment the set of characters excluded and why. rob

I've added a new test class into test_host_plugin.py that takes care of that. Just there is a problem that the ipa-join command always fails on 'adding key into keytab'. But the attributes necessary for testing are set correctly, so the testing can continue.

We already generate passwords for users with this character set: user_pwdchars = string.digits + string.ascii_letters + '_,.@+-=' Why would we want to generate passwords for host enrolling with a different set? Additionally, I think the set of characters you chose is too wide, try entering a password with ' ', !, (, ), , or ; without careful escaping or quoting... Martin

Ok, I've used the same set of characters as for the user passwords.

-- Regards, Ondrej Hamada FreeIPA team jabber: oh...@jabbim.cz IRC: ohamada

From bc19f44023643ff726e6e36634fbcbcbd0859583 Mon Sep 17 00:00:00 2001
From: Ondrej Hamada oham...@redhat.com Date: Mon, 18 Jun 2012 15:25:05 +0200 Subject: [PATCH] Change random passwords behaviour Improved options checking so that host-mod operation is not changing password for enrolled host when '--random' option is used. Unit tests added. https://fedorahosted.org/freeipa/ticket/2799 Updated set of characters that is used for generating random passwords for ipa hosts. All characters that might need escaping were removed. https://fedorahosted.org/freeipa/ticket/2800 --- ipalib/plugins/host.py| 11 - tests/test_xmlrpc/test_host_plugin.py | 75 - 2 files changed, 82 insertions(+), 4 deletions(-) diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py index 96b73cc5594335ad02dd43f87e7e011ab84157a1..9680d7c024ea8976f92a71bf576d6712c44a2bcf 100644 --- a/ipalib/plugins/host.py +++ b/ipalib/plugins/host.py @@ -24,6 +24,7 @@ import sys from nss.error import NSPRError import nss.nss as nss import netaddr +import string from ipalib import api, errors, util from ipalib import Str, Flag, Bytes @@ -99,6 +100,10 @@ EXAMPLES: ipa host-add-managedby --hosts=test2 test ) +# Characters to be used by random password generator +# The set was chosen to avoid the need for escaping the characters by user +host_pwd_chars=string.digits + string.ascii_letters + '_,.@+-=' + def remove_fwd_ptr(ipaddr, host, domain, recordtype): api.log.debug('deleting ipaddr %s' % ipaddr) try: @@ -404,7 +409,7 @@ class host_add(LDAPCreate): if 'krbprincipal' in entry_attrs['objectclass']: entry_attrs['objectclass'].remove('krbprincipal') if options.get('random'): -entry_attrs['userpassword'] = ipa_generate_password() +entry_attrs['userpassword'] = ipa_generate_password(characters=host_pwd_chars) # save the password so it can be displayed in post_callback setattr(context, 'randompassword', entry_attrs['userpassword']) cert = options.get('usercertificate') 
@@ -596,7 +601,7 @@ class host_mod(LDAPUpdate): def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): # Allow an existing OTP to be reset but don't allow a OTP to be # added to an enrolled host. -if 'userpassword' in options: +if options.get('userpassword') or options.get('random'): entry = {} self.obj.get_password_attributes(ldap, dn, entry) if not entry['has_password'] and entry['has_keytab']: @@ -649,7 +654,7 @@ class host_mod(LDAPUpdate): entry_attrs['usercertificate'] = cert if options.get('random'): -entry_attrs['userpassword'] = ipa_generate_password() +entry_attrs['userpassword'] = ipa_generate_password(characters=host_pwd_chars) setattr(context, 'randompassword', entry_attrs['userpassword']) if 'macaddress' in entry_attrs: if 'objectclass' in entry_attrs: diff --git a/tests/test_xmlrpc/test_host_plugin.py b/tests/test_xmlrpc/test_host_plugin.py index 8798168afa71653b64870c77d11a7fa81ec4c952..fa1f2906f556af388499eac316c4b7c05c66ad85 100644 --- a/tests/test_xmlrpc/test_host_plugin.py +++ b/tests/test_xmlrpc/test_host_plugin.py @@ -22,9 +22,13 @@ Test
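Review bot: the host_mod pre_callback hunk makes the enrolled-host check fire for `--random` as well, but the comment right above it (`# Allow an existing OTP to be reset but don't allow a OTP to be added to an enrolled host.`) still describes only an explicitly supplied OTP; extend it to say that a generated one is refused on an enrolled host too, which is the point of ticket 2799. The switch from `'userpassword' in options` to `options.get('userpassword')` also turns a presence test into a truthiness test, so a one-line comment that an unset (None) value is meant to skip the check would save the next reader from re-deriving it.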
[Freeipa-devel] [PATCH] 26 Fix '--random' param behaviour for host plugin
Improved options checking so that host-mod operation is not changing password for enrolled host when '--random' option is used. https://fedorahosted.org/freeipa/ticket/2799 Updated set of characters that is used for generating random passwords for ipa hosts. Following characters were removed from the set: '`\$ https://fedorahosted.org/freeipa/ticket/2800 https://fedorahosted.org/freeipa/ticket/2800 -- Regards, Ondrej Hamada FreeIPA team jabber: oh...@jabbim.cz IRC: ohamada From a6e41564225b9b9efe7fd2ae3e21ae90288680b2 Mon Sep 17 00:00:00 2001 From: Ondrej Hamada oham...@redhat.com Date: Wed, 13 Jun 2012 16:27:51 +0200 Subject: [PATCH] Change random passwords behaviour Improved options checking so that host-mod operation is not changing password for enrolled host when '--random' option is used. https://fedorahosted.org/freeipa/ticket/2799 Updated set of characters that is used for generating random passwords for ipa hosts. Following characters were removed from the set: '`\$ https://fedorahosted.org/freeipa/ticket/2800 --- ipalib/plugins/host.py | 10 +++--- 1 files changed, 7 insertions(+), 3 deletions(-) diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py index 96b73cc5594335ad02dd43f87e7e011ab84157a1..4a3330f5ae4214a65aa56983c983e86cc4423b48 100644 --- a/ipalib/plugins/host.py +++ b/ipalib/plugins/host.py @@ -24,6 +24,7 @@ import sys from nss.error import NSPRError import nss.nss as nss import netaddr +import string from ipalib import api, errors, util from ipalib import Str, Flag, Bytes @@ -99,6 +100,9 @@ EXAMPLES: ipa host-add-managedby --hosts=test2 test ) +# characters to be used by random password generator +host_pwd_chars=string.digits + string.ascii_letters + '~!@#%^*()-_=+{}[]:;|,.?/ ' + def remove_fwd_ptr(ipaddr, host, domain, recordtype): api.log.debug('deleting ipaddr %s' % ipaddr) try: 
@@ -404,7 +408,7 @@ class host_add(LDAPCreate): if 'krbprincipal' in entry_attrs['objectclass']: entry_attrs['objectclass'].remove('krbprincipal') if options.get('random'): -entry_attrs['userpassword'] = ipa_generate_password() +entry_attrs['userpassword'] = ipa_generate_password(characters=host_pwd_chars) # save the password so it can be displayed in post_callback setattr(context, 'randompassword', entry_attrs['userpassword']) cert = options.get('usercertificate') @@ -596,7 +600,7 @@ class host_mod(LDAPUpdate): def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): # Allow an existing OTP to be reset but don't allow a OTP to be # added to an enrolled host. -if 'userpassword' in options: +if options.get('userpassword') or options.get('random'): entry = {} self.obj.get_password_attributes(ldap, dn, entry) if not entry['has_password'] and entry['has_keytab']: @@ -649,7 +653,7 @@ class host_mod(LDAPUpdate): entry_attrs['usercertificate'] = cert if options.get('random'): -entry_attrs['userpassword'] = ipa_generate_password() +entry_attrs['userpassword'] = ipa_generate_password(characters=host_pwd_chars) setattr(context, 'randompassword', entry_attrs['userpassword']) if 'macaddress' in entry_attrs: if 'objectclass' in entry_attrs: -- 1.7.6.5 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
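Review bot: the `host_pwd_chars` string in the first host.py hunk ends with a space inside the quotes and contains `~ ! # ^ * ( ) { } [ ] ; | ?`, all of which a POSIX shell treats specially (globbing, history expansion, grouping, command separators, comments), so a host OTP pasted on a command line would need careful quoting; the comment `# characters to be used by random password generator` should list what was excluded and why, as Rob asked, and the set itself should shrink to characters that need no quoting.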
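Two checks the thread asks for, as an added example (not FreeIPA code): which characters of each proposed host alphabet a POSIX shell would need quoted, judged with the rule shlex.quote() uses, and how long a password must be for the narrower set to keep a given entropy. USER_PWD_CHARS is the set Martin quotes for user passwords; HOST_PWD_CHARS_V1 is the set from the first version of the patch.

```python
import math
import secrets
import shlex
import string

# The set FreeIPA already used for user passwords (quoted in the thread).
USER_PWD_CHARS = string.digits + string.ascii_letters + '_,.@+-='
# The wider set proposed in the first version of the patch.
HOST_PWD_CHARS_V1 = string.digits + string.ascii_letters + '~!@#%^*()-_=+{}[]:;|,.?/ '


def unsafe_for_shell(alphabet):
    """Characters a POSIX shell needs quoted or escaped.

    shlex.quote() returns its argument unchanged only when the string is safe
    to pass unquoted (ASCII letters, digits and @%+=:,./-_), so any character
    it wraps in quotes is one a user would have to escape."""
    return {c for c in alphabet if shlex.quote(c) != c}


def shell_safe(alphabet):
    """The alphabet with those characters removed, duplicates dropped."""
    unsafe = unsafe_for_shell(alphabet)
    return ''.join(dict.fromkeys(c for c in alphabet if c not in unsafe))


def bits_per_char(alphabet):
    """Entropy per character when each one is drawn uniformly."""
    return math.log2(len(set(alphabet)))


def length_for(target_bits, alphabet):
    """Shortest length giving at least target_bits with this alphabet."""
    return math.ceil(target_bits / bits_per_char(alphabet))


def generate(alphabet, length):
    """Uniform CSPRNG draws, so the result carries length * bits_per_char bits."""
    return ''.join(secrets.choice(alphabet) for _ in range(length))
```

Pruning HOST_PWD_CHARS_V1 down to its shell-safe characters leaves exactly USER_PWD_CHARS plus `%:/`, and the narrower set costs about one extra character per 128 bits of entropy.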
Re: [Freeipa-devel] [PATCH] 269 permission-find missed some results with --pkey-only option
On 05/31/2012 12:42 PM, Martin Kosek wrote:

On Wed, 2012-05-30 at 14:43 +0200, Ondrej Hamada wrote:

On 05/30/2012 07:45 AM, Martin Kosek wrote: When permission-find post callback detected a --pkey-only option, it just terminated. However, this way the results that could have been added from aci_find matches were not included. Fix the post callback to go through the entire matching process. Also make sure that DNS permissions have a correct objectclass (ipapermission), otherwise such objects are not matched by the permission LDAP search. https://fedorahosted.org/freeipa/ticket/2658

Patch needs rebase. It does not apply because of changes made to ipalib/plugins/permission.py (by Rob's patch #1018)

Rebased version attached. Martin

ACK

-- Regards, Ondrej Hamada FreeIPA team jabber: oh...@jabbim.cz IRC: ohamada
[Freeipa-devel] [PATCH] 25 ipa-server-install: s/calculated/determined/
https://fedorahosted.org/freeipa/ticket/2704 Output message of the 'read_domain_name' function in ipa-server-install was reworded. -- Regards, Ondrej Hamada FreeIPA team jabber: oh...@jabbim.cz IRC: ohamada From 4a7eda9b2a97b10ee0767696406fda09c1a9de86 Mon Sep 17 00:00:00 2001 From: Ondrej Hamada oham...@redhat.com Date: Tue, 22 May 2012 12:19:53 +0200 Subject: [PATCH] ipa-server-install reword message Output message of the 'read_domain_name' function in ipa-server-install was reworded. https://fedorahosted.org/freeipa/ticket/2704 --- install/tools/ipa-server-install |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index d3327a6803d10012f412fbb8365b80e39e9124c3..2f06a9e879902eb1c2ac340757fcd1762959fe30 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install @@ -386,7 +386,7 @@ def read_host_name(host_default,no_host_dns=False): return host_name def read_domain_name(domain_name, unattended): -print The domain name has been calculated based on the host name. +print The domain name has been determined based on the host name. print if not unattended: domain_name = user_input(Please confirm the domain name, domain_name) -- 1.7.6.5 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0044 Validate externalhost (when added by --addattr/--setattr)
On 05/10/2012 01:40 PM, Petr Viktorin wrote:

On 05/10/2012 12:05 PM, Ondrej Hamada wrote:

On 05/09/2012 04:49 PM, Petr Viktorin wrote:

On 05/04/2012 01:25 PM, Ondrej Hamada wrote:

On 04/30/2012 02:13 PM, Petr Viktorin wrote: Change the externalhost attribute of hbacrule, netgroup and sudorule into a full-fledged Parameter, and attach a validator to it. RFC 1123 specifies that only [-a-z0-9] are allowed, but apparently Windows and some phones also use underscores in hostnames. So the new validator allows the underscore. https://fedorahosted.org/freeipa/ticket/2649

1) Current validation of external hostnames does not require them to be fully qualified, but you do. It's inconsistent.

2) one test case failed:
FAIL: Test adding an invalid external host to Sudo rule using --
Traceback (most recent call last):
File /usr/lib/python2.7/site-packages/nose/case.py, line 197, in runTest self.test(*self.arg)
File /home/ohamada/2649/tests/test_xmlrpc/test_sudorule_plugin.py, line 500, in test_a_sudorule_mod_externalhost_invalid_addattr character)
AssertionError

Thanks. Attaching updated patch.

Suggestion: you can use ipalib.utils.validate_hostname function with check_fqdn param set to False. Sorry for not mentioning it before. Otherwise ACK

Attached patch uses your suggestion. Thanks.

ACK

-- Regards, Ondrej Hamada FreeIPA team jabber: oh...@jabbim.cz IRC: ohamada
Re: [Freeipa-devel] [PATCH] 257 Fix python Requires in Fedora 17 build
On 05/04/2012 05:45 PM, Martin Kosek wrote: This one actually took me some time to track down (details are in the patch description). To check the result, simply build freeipa on Fedora 17 with make rpms, install the rpms on the machine and check Requires of the freeipa-admintools package:

$ rpm -qR freeipa-admintools

Before the patch, there was a requirement for /bin/python which effectively blocked an update of the python package until freeipa packages were removed. With this patch, there should be a correct requirement for /usr/bin/python and python updates will work again - yay. Our newest freeipa package on F-17 (2.2.0-1) is not affected, koji F-17 build root may have a different $PATH which translates python to /usr/bin/python and not /bin/python. Martin

works as proposed, ACK

-- Regards, Ondrej Hamada FreeIPA team jabber: oh...@jabbim.cz IRC: ohamada
Re: [Freeipa-devel] [PATCH] 23 Allow one letter net/hostgroups names
On 05/03/2012 05:44 PM, Martin Kosek wrote:

On Thu, 2012-05-03 at 17:08 +0200, Ondrej Hamada wrote:

On 05/02/2012 05:49 PM, Ondrej Hamada wrote: https://fedorahosted.org/freeipa/ticket/2671 Changed regex validating net/hostgroup names to allow single letter names. Unit-tests added. But the current validation allows weird (host|net)group names like: ., .-, ... I'm just not sure, do we really want to allow stuff like this?

Patch also fixes one of netgroup and host unit-tests. The error message in hostname validation function has changed (in ticket #1966).

NACK.

1) This breaks the hostgroup tests as you overwrite dn1 variable: +hostgroup_single = u'a' +dn1 = DN(('cn',hostgroup_single),('cn','hostgroups'),('cn','accounts'), + api.env.basedn) +

2) The extra comment in netgroup tests is redundant: +result=dict( +#dn=u'ipauniqueid=%s,cn=ng,cn=alt,%s' % (fuzzy_uuid, api.env.basedn), +dn=fuzzy_netgroupdn,

3) I don't think that we need to bump IPA_API_VERSION_MINOR since we just changed the validating pattern and thus this really does not change the API itself. Martin

corrected patch attached

-- Regards, Ondrej Hamada FreeIPA team jabber: oh...@jabbim.cz IRC: ohamada

From 4876c05c5a843a9653765c5fc6ddccd8151d061c Mon Sep 17 00:00:00 2001 From: Ondrej Hamada oham...@redhat.com Date: Fri, 4 May 2012 10:25:42 +0200 Subject: [PATCH] Allow one letter net/hostgroups names Changed regex validating net/hostgroup names to allow single letter names. Unit-tests added. https://fedorahosted.org/freeipa/ticket/2671 --- API.txt| 34 +- ipalib/plugins/netgroup.py |2 +- tests/test_xmlrpc/test_hostgroup_plugin.py | 37 tests/test_xmlrpc/test_netgroup_plugin.py | 32 4 files changed, 87 insertions(+), 18 deletions(-) diff --git a/API.txt b/API.txt index 71241b4cc40e14c600127d1087092abf098eb40c..1d32913c0356bfa03574bfc4ef08d46fb408cd57 100644 --- a/API.txt +++ b/API.txt
@@ -1758,7 +1758,7 @@ output: Entry('result', type 'dict', Gettext('A dictionary representing an LDA output: Output('value', type 'unicode', None) command: hostgroup_add args: 1,6,3 -arg: Str('cn', attribute=True, cli_name='hostgroup_name', multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]+$', primary_key=True, required=True) +arg: Str('cn', attribute=True, cli_name='hostgroup_name', multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]*$', primary_key=True, required=True) option: Str('description', attribute=True, cli_name='desc', multivalue=False, required=True) option: Str('setattr*', cli_name='setattr', exclude='webui') option: Str('addattr*', cli_name='addattr', exclude='webui') @@ -1770,7 +1770,7 @@ output: Entry('result', type 'dict', Gettext('A dictionary representing an LDA output: Output('value', type 'unicode', None) command: hostgroup_add_member args: 1,5,3 -arg: Str('cn', attribute=True, cli_name='hostgroup_name', multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=True) +arg: Str('cn', attribute=True, cli_name='hostgroup_name', multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]*$', primary_key=True, query=True, required=True) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Str('version?', exclude='webui') 
@@ -1781,7 +1781,7 @@ output: Output('failed', type 'dict', None) output: Output('completed', type 'int', None) command: hostgroup_del args: 1,1,3 -arg: Str('cn', attribute=True, cli_name='hostgroup_name', multivalue=True, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=True) +arg: Str('cn', attribute=True, cli_name='hostgroup_name', multivalue=True, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]*$', primary_key=True, query=True, required=True) option: Flag('continue', autofill=True, cli_name='continue', default=False) output: Output('summary', (type 'unicode', type 'NoneType'), None) output: Output('result', type 'dict', None) @@ -1789,7 +1789,7 @@ output: Output('value', type 'unicode', None) command: hostgroup_find args: 1,20,4 arg: Str('criteria?', noextrawhitespace=False) -option: Str('cn', attribute=True, autofill=False, cli_name='hostgroup_name', multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=False) +option: Str('cn', attribute=True, autofill=False, cli_name='hostgroup_name', multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]*$', primary_key=True, query=True, required=False) option: Str('description', attribute=True, autofill=False, cli_name='desc', multivalue=False, query=True, required=False) option: Int('timelimit?', autofill=False, minvalue=0) option: Int('sizelimit?', autofill=False, minvalue=0) @@ -1815,7 +1815,7 @@ output
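Review bot: in every API.txt hunk the pattern becomes `^[a-zA-Z0-9_.][a-zA-Z0-9_.-]*$`, so the first-character class still admits `.` and the rest is now optional; `.`, `..` and `.-` pass, which the submitter himself flags in the thread as unwanted. If the goal is only to allow one-character names, drop `.` from the first class (`^[a-zA-Z0-9_][a-zA-Z0-9_.-]*$`) or reject names that contain no letter or digit; the same pattern appears in hostgroup_add, hostgroup_add_member, hostgroup_del, hostgroup_find and hostgroup_mod in API.txt, so any further change has to be applied to all of them together.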
Re: [Freeipa-devel] [PATCH] 0044 Validate externalhost (when added by --addattr/--setattr)
On 04/30/2012 02:13 PM, Petr Viktorin wrote: Change the externalhost attribute of hbacrule, netgroup and sudorule into a full-fledged Parameter, and attach a validator to it. RFC 1123 specifies that only [-a-z0-9] are allowed, but apparently Windows and some phones also use underscores in hostnames. So the new validator allows the underscore. https://fedorahosted.org/freeipa/ticket/2649

1) Current validation of external hostnames does not require them to be fully qualified, but you do. It's inconsistent.

2) one test case failed:
FAIL: Test adding an invalid external host to Sudo rule using --
Traceback (most recent call last):
File /usr/lib/python2.7/site-packages/nose/case.py, line 197, in runTest self.test(*self.arg)
File /home/ohamada/2649/tests/test_xmlrpc/test_sudorule_plugin.py, line 500, in test_a_sudorule_mod_externalhost_invalid_addattr character)
AssertionError

-- Regards, Ondrej Hamada FreeIPA team jabber: oh...@jabbim.cz IRC: ohamada
Re: [Freeipa-devel] [PATCH] 23 Allow one letter net/hostgroups names
On 05/02/2012 05:49 PM, Ondrej Hamada wrote: https://fedorahosted.org/freeipa/ticket/2671 Changed regex validating net/hostgroup names to allow single letter names. Unit-tests added. But the current validation allows weird (host|net)group names like: ., .-, ... I'm just not sure, do we really want to allow stuff like this?

Patch also fixes one of netgroup and host unit-tests. The error message in hostname validation function has changed (in ticket #1966).

The unit-tests for #1966 were corrected by Petr³. Rebased patch attached.

-- Regards, Ondrej Hamada FreeIPA team jabber: oh...@jabbim.cz IRC: ohamada

From fdf8ccd6992feb031b5c350471e659bfd42928f3 Mon Sep 17 00:00:00 2001 From: Ondrej Hamada oham...@redhat.com Date: Thu, 3 May 2012 16:56:51 +0200 Subject: [PATCH] Allow one letter net/hostgroups names Changed regex validating net/hostgroup names to allow single letter names. Unit-tests added. https://fedorahosted.org/freeipa/ticket/2671 --- API.txt| 34 +- VERSION|2 +- ipalib/plugins/netgroup.py |2 +- tests/test_xmlrpc/test_hostgroup_plugin.py | 37 tests/test_xmlrpc/test_netgroup_plugin.py | 33 + 5 files changed, 89 insertions(+), 19 deletions(-) diff --git a/API.txt b/API.txt index 71241b4cc40e14c600127d1087092abf098eb40c..1d32913c0356bfa03574bfc4ef08d46fb408cd57 100644 --- a/API.txt +++ b/API.txt
@@ -1758,7 +1758,7 @@ output: Entry('result', type 'dict', Gettext('A dictionary representing an LDA output: Output('value', type 'unicode', None) command: hostgroup_add args: 1,6,3 -arg: Str('cn', attribute=True, cli_name='hostgroup_name', multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]+$', primary_key=True, required=True) +arg: Str('cn', attribute=True, cli_name='hostgroup_name', multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]*$', primary_key=True, required=True) option: Str('description', attribute=True, cli_name='desc', multivalue=False, required=True) option: Str('setattr*', cli_name='setattr', exclude='webui') option: Str('addattr*', cli_name='addattr', exclude='webui') @@ -1770,7 +1770,7 @@ output: Entry('result', type 'dict', Gettext('A dictionary representing an LDA output: Output('value', type 'unicode', None) command: hostgroup_add_member args: 1,5,3 -arg: Str('cn', attribute=True, cli_name='hostgroup_name', multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=True) +arg: Str('cn', attribute=True, cli_name='hostgroup_name', multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]*$', primary_key=True, query=True, required=True) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Str('version?', exclude='webui') 
@@ -1781,7 +1781,7 @@ output: Output('failed', type 'dict', None) output: Output('completed', type 'int', None) command: hostgroup_del args: 1,1,3 -arg: Str('cn', attribute=True, cli_name='hostgroup_name', multivalue=True, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=True) +arg: Str('cn', attribute=True, cli_name='hostgroup_name', multivalue=True, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]*$', primary_key=True, query=True, required=True) option: Flag('continue', autofill=True, cli_name='continue', default=False) output: Output('summary', (type 'unicode', type 'NoneType'), None) output: Output('result', type 'dict', None) @@ -1789,7 +1789,7 @@ output: Output('value', type 'unicode', None) command: hostgroup_find args: 1,20,4 arg: Str('criteria?', noextrawhitespace=False) -option: Str('cn', attribute=True, autofill=False, cli_name='hostgroup_name', multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=False) +option: Str('cn', attribute=True, autofill=False, cli_name='hostgroup_name', multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]*$', primary_key=True, query=True, required=False) option: Str('description', attribute=True, autofill=False, cli_name='desc', multivalue=False, query=True, required=False) option: Int('timelimit?', autofill=False, minvalue=0) option: Int('sizelimit?', autofill=False, minvalue=0) @@ -1815,7 +1815,7 @@ output: Output('count', type 'int', None) output: Output('truncated', type 'bool', None) command: hostgroup_mod args: 1,8,3 -arg: Str('cn', attribute=True, cli_name='hostgroup_name', multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=True) +arg: Str('cn', attribute=True, cli_name='hostgroup_name', multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]*$', primary_key=True, query=True
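Review bot: the diffstat lists `VERSION | 2 +-`, i.e. an API version bump, but the API.txt hunks change only the `pattern=` value of the `cn` argument; no command, argument or output is added or removed, so the bump is not warranted and the VERSION change should be dropped from this patch.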
Re: [Freeipa-devel] More types of replica in FreeIPA
On 04/24/2012 10:47 AM, Ondrej Hamada wrote:

On 04/23/2012 07:58 PM, Simo Sorce wrote:

On Mon, 2012-04-23 at 13:50 -0400, Dmitri Pal wrote:

Ah OK. Another semantic difference. Doing it in phases is one thing and delivering is another. Let us say we identified 10 things that need to be implemented. The problem is so huge that Ondrej would likely be able to tackle only a couple of items from the list. So what should we do with the rest if it is not possible to deliver until all 10 items are completed?

Ok, so most of the work here is in the KDC, so I think we should first go to MIT, present the problem and see what they think about the solution we have in mind. I will try to have a preliminary discussion with Tom and Greg about the general idea this week to see what they think. Once that is done we can slice the implementation how we want in a private branch until it is fully baked. MIT wouldn't, rightly so, accept a half-baked solution I would guess, but we also do not need to try to rush patches in. Once cleanup work in the KDC has been done as part of the 1.11 work I think these interfaces will change little so there shouldn't be a risk of wasting too much time to follow upstream while we work on one of these problems at a time.

IMO the work can be started and deferred till someone else can come back and continue what Ondrej has started and bring it to the shape when we are comfortable releasing it.

Absolutely, esp. if we can start after the changes MIT plans to make in 1.11 or at least if we plan together so we know which internal interfaces are going to be destabilized so we can plan ahead.

Ondra, it's time for you to sit down, read this thread thoroughly and craft a design out of it. Then you would be able to focus on a reasonable subset of what is possible to complete in the remaining time frame.

Ok, will do. I would like to start with the login server scenario.
It will be possible to use it later as a 'training field' for the fractional replication and help deciding what entries should and shouldn't be replicated.

Ok.

Simo.

As I said before, I'm going to start with an authentication-only server. That will be the first iteration. (I also want to present it in my thesis as the implementation part.) Both the Hub and Consumer will be read only. In case of Hub the machine should contain only the directory server that will be configured to behave as a hub. Consumers should behave the same way as Dmitri described a few posts above - meaning they will use ldap with pam-proxy to sssd. The sssd will be authenticating the user against the master server. It might use caching to enable some users to authenticate when the master is unreachable. The consumer should be using chaining and trying to contact the master directly. Replicas will replicate all data, just the confidential attributes such as passwords will be excluded from replication.

Main enhancements will be made in ipa-tools, mainly the ipa-replica-install and ipa-replica-manage. Also the ipa-client-install will be updated as the client in such environment won't use Kerberos. I think that at this stage those changes should be stored separately - I mean not pushing them into upstream. Can you agree on that?

The second iteration should be focusing on development of plugins for handling the account locking situation and similar situations that need to write some data to the replica. It might also focus on fractional replication if it will be available in directory server. I suppose that there won't be any more iterations necessary for the authentication server. Besides working on the second iteration we can also start with the eSSO part. I assume that the account locks and fractional replication will definitely have something in common.
-- Regards, Ondrej Hamada FreeIPA team jabber: oh...@jabbim.cz IRC: ohamada ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 23 Allow one letter net/hostgroups names
https://fedorahosted.org/freeipa/ticket/2671 Changed regex validating net/hostgroup names to allow single letter names. Unit-tests added. But the current validation allows weird (host|net)group names like: ., .-, ... I'm just not sure, do we really want to allow stuff like this? Patch also fixes one of netgroup and host unit-tests. The error message in hostname validation function has changed (in ticket #1966). -- Regards, Ondrej Hamada FreeIPA team jabber: oh...@jabbim.cz IRC: ohamada From 62043ae72e77978c3315070eb09bb9939aa5b99e Mon Sep 17 00:00:00 2001 From: Ondrej Hamada oham...@redhat.com Date: Wed, 2 May 2012 15:25:41 +0200 Subject: [PATCH] Allow one letter net/hostgroups names Changed regex validating net/hostgroup names to allow single letter names. Unit-tests added. https://fedorahosted.org/freeipa/ticket/2671 Patch also fixes one of netgroup and host unit-tests. The error message in hostname validation function has changed (in ticket 1966). --- API.txt| 34 +- VERSION|2 +- ipalib/plugins/netgroup.py |2 +- tests/test_xmlrpc/test_host_plugin.py |2 +- tests/test_xmlrpc/test_hostgroup_plugin.py | 37 tests/test_xmlrpc/test_netgroup_plugin.py | 35 +- 6 files changed, 91 insertions(+), 21 deletions(-) diff --git a/API.txt b/API.txt index 71241b4cc40e14c600127d1087092abf098eb40c..1d32913c0356bfa03574bfc4ef08d46fb408cd57 100644 --- a/API.txt +++ b/API.txt 
@@ -1758,7 +1758,7 @@ output: Entry('result', type 'dict', Gettext('A dictionary representing an LDA output: Output('value', type 'unicode', None) command: hostgroup_add args: 1,6,3 -arg: Str('cn', attribute=True, cli_name='hostgroup_name', multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]+$', primary_key=True, required=True) +arg: Str('cn', attribute=True, cli_name='hostgroup_name', multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]*$', primary_key=True, required=True) option: Str('description', attribute=True, cli_name='desc', multivalue=False, required=True) option: Str('setattr*', cli_name='setattr', exclude='webui') option: Str('addattr*', cli_name='addattr', exclude='webui') @@ -1770,7 +1770,7 @@ output: Entry('result', type 'dict', Gettext('A dictionary representing an LDA output: Output('value', type 'unicode', None) command: hostgroup_add_member args: 1,5,3 -arg: Str('cn', attribute=True, cli_name='hostgroup_name', multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=True) +arg: Str('cn', attribute=True, cli_name='hostgroup_name', multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]*$', primary_key=True, query=True, required=True) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Str('version?', exclude='webui') 
@@ -1781,7 +1781,7 @@ output: Output('failed', type 'dict', None) output: Output('completed', type 'int', None) command: hostgroup_del args: 1,1,3 -arg: Str('cn', attribute=True, cli_name='hostgroup_name', multivalue=True, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=True) +arg: Str('cn', attribute=True, cli_name='hostgroup_name', multivalue=True, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]*$', primary_key=True, query=True, required=True) option: Flag('continue', autofill=True, cli_name='continue', default=False) output: Output('summary', (type 'unicode', type 'NoneType'), None) output: Output('result', type 'dict', None) @@ -1789,7 +1789,7 @@ output: Output('value', type 'unicode', None) command: hostgroup_find args: 1,20,4 arg: Str('criteria?', noextrawhitespace=False) -option: Str('cn', attribute=True, autofill=False, cli_name='hostgroup_name', multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=False) +option: Str('cn', attribute=True, autofill=False, cli_name='hostgroup_name', multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]*$', primary_key=True, query=True, required=False) option: Str('description', attribute=True, autofill=False, cli_name='desc', multivalue=False, query=True, required=False) option: Int('timelimit?', autofill=False, minvalue=0) option: Int('sizelimit?', autofill=False, minvalue=0) @@ -1815,7 +1815,7 @@ output: Output('count', type 'int', None) output: Output('truncated', type 'bool', None) command: hostgroup_mod args: 1,8,3 -arg: Str('cn', attribute=True, cli_name='hostgroup_name', multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=True) +arg: Str('cn', attribute=True, cli_name='hostgroup_name', multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]*$', primary_key=True, query=True, required=True) option: Str('description', attribute=True, autofill=False, cli_name='desc
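Review bot: In the hostgroup_add hunk (and the four hunks below that repeat the same edit), changing `+` to `*` in `pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]*$'` makes a one-character name depend entirely on the first character class, which includes `.`, so the bare name `.` now validates; `..` and `.-` were already accepted by the old pattern because its second class also contains `.` and `-`. If those are unwanted (the cover letter asks exactly this), keep `*` for the single-letter fix but require at least one letter or digit in the name, and add `.`, `..` and `.-` as negative cases next to the new single-letter positive test so the decision is pinned down by the unit tests.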
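As an added check that is not part of this patch or of FreeIPA's own code, the script below runs the old and new hostgroup-name patterns from the hunks above against the edge cases the cover letter raises, plus a stricter alternative pattern (`STRICT_PATTERN`) that is an assumption of this example, not something the patch proposes.

```python
import re

# Patterns copied from the API.txt hunks: before and after the patch.
OLD_PATTERN = r'^[a-zA-Z0-9_.][a-zA-Z0-9_.-]+$'
NEW_PATTERN = r'^[a-zA-Z0-9_.][a-zA-Z0-9_.-]*$'

# Hypothetical stricter alternative (assumption of this example, not from the
# patch): same character classes, but the lookahead demands at least one letter
# or digit somewhere in the name, and \Z replaces $ so that a trailing newline
# cannot slip past the end anchor (Python's $ also matches just before a final
# newline).
STRICT_PATTERN = r'^(?=.*[a-zA-Z0-9])[a-zA-Z0-9_.][a-zA-Z0-9_.-]*\Z'


def accepts(pattern, name):
    """True if `name` validates against `pattern` via re.match."""
    return re.match(pattern, name) is not None


def compare(name):
    """Report which of the three patterns accept the given name."""
    return {
        'old': accepts(OLD_PATTERN, name),
        'new': accepts(NEW_PATTERN, name),
        'strict': accepts(STRICT_PATTERN, name),
    }


def newly_accepted(candidates):
    """Names the patched pattern accepts that the original one rejected."""
    result = []
    for name in candidates:
        verdict = compare(name)
        if verdict['new'] and not verdict['old']:
            result.append(name)
    return result


# Constructed sample names: the single-letter case the ticket asks for, the odd
# names from the cover letter, an invalid leading hyphen, the empty string and
# a trailing-newline probe.
SAMPLES = ['a', 'ab', 'web-01', '.', '.-', '...', '-x', '', 'a\n']

if __name__ == '__main__':
    for sample in SAMPLES:
        print(repr(sample), compare(sample))
    print('newly accepted by the patched pattern:', newly_accepted(SAMPLES))
```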
Re: [Freeipa-devel] Ticket #2293 - permission attribute check
On 04/27/2012 02:36 PM, Martin Kosek wrote:

I revisited ticket #2293 after it failed QE check. After some considerations, I think we should revert this type of check for permissions. Here is my reasoning:

1) This check fails when the target type does not have all its possible objectclasses defined in the LDAPObject, like when users or hosts miss kerberos or samba auxiliary classes as they are just classes that the object may potentially have:

# ipa permission-mod Change a user password --attrs=userpassword,krbprincipalkey,sambalmpassword,passwordhistory
ipa: ERROR: attribute(s) sambalmpassword,passwordhistory not allowed

To fix this point, we would need to add all possible object classes to our user, host, ... objectclasses.

2) It severely limits permission flexibility for custom user objectclasses. They would need to extend our plugins to make them work. Observe this inconsistency:

Setting custom OC+attribute works (replace sudocmd with some meaningful object class):

# ipa user-mod fbar --addattr=objectclass=ipasudocmd --setattr=sudocmd=fbar
Modified user fbar
User login: fbar
First name: Foo
Last name: Bar
Home directory: /home/fbar
Login shell: /bin/sh
UID: 61400016
GID: 61400016
Account disabled: False
Password: True
Member of groups: ipausers
Kerberos keys available: True

# ipa user-show --all fbar
dn: uid=fbar,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
User login: fbar
First name: Foo
Last name: Bar
...
mepmanagedentry: cn=fbar,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
objectclass: top, person, organizationalperson, inetorgperson, inetuser, posixaccount, krbprincipalaux, krbticketpolicyaux, ipaobject, ipasshuser, ipaSshGroupOfPubKeys, mepOriginEntry, ipasudocmd
sudocmd: fbar

But adding a custom permission to control this attribute fails:

# ipa permission-add Can manage user sudocmd --type=user --permissions=write --attrs=sudocmd
ipa: ERROR: attribute(s) sudocmd not allowed

Bottom line is that I would remove this check at all and just check that the attribute is right - as we already do for permission without --type specified:

# ipa permission-add Can write barbar --filter=(objectclass=posixuser) --permissions=write --attrs=barbar
ipa: ERROR: targetattr barbar does not exist in schema. Please add attributeTypes barbar to schema if necessary. ACL Syntax Error(-5):(targetattr = \22barbar\22)(targetfilter = \22(objectclass=posixuser)\22)(version 3.0;acl \22permission:foo \22;allow (write) groupdn = \22ldap:///cn=foo,cn=permissions,cn=pbac,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com\22;): Invalid syntax.

Martin

What about simply letting the command succeed and printing out a warning like: 'Attribute passwordhistory is not a default one for specified object type. The permission might not be properly evaluated.'

-- Regards, Ondrej Hamada FreeIPA team jabber: oh...@jabbim.cz IRC: ohamada
Re: [Freeipa-devel] More types of replica in FreeIPA
On 04/23/2012 07:58 PM, Simo Sorce wrote:

On Mon, 2012-04-23 at 13:50 -0400, Dmitri Pal wrote:

Ah OK. Another semantic difference. Doing it in phases is one thing and delivering is another. Let us say we identified 10 things that need to be implemented. The problem is so huge that Ondrej would likely be able to tackle only a couple of items from the list. So what should we do with the rest if it is not possible to deliver until all 10 items are completed?

Ok, so most of the work here is in the KDC, so I think we should first go to MIT, present the problem and see what they think about the solution we have in mind. I will try to have a preliminary discussion with Tom and Greg about the general idea this week to see what they think. Once that is done we can slice the implementation how we want in a private branch until it is fully baked. MIT wouldn't, rightly so, accept a half-baked solution I would guess, but we also do not need to try to rush patches in. Once cleanup work in the KDC has been done as part of the 1.11 work I think these interfaces will change little so there shouldn't be a risk of wasting too much time to follow upstream while we work on one of these problems at a time.

IMO the work can be started and deferred till someone else can come back and continue what Ondrej has started and bring it to the shape when we are comfortable releasing it.

Absolutely, esp. if we can start after the changes MIT plans to make in 1.11 or at least if we plan together so we know which internal interfaces are going to be destabilized so we can plan ahead.

Ondra, it's time for you to sit down, read this thread thoroughly and craft a design out of it. Then you would be able to focus on a reasonable subset of what is possible to complete in the remaining time frame.

Ok, will do. I would like to start with the login server scenario.
It will be possible to use it later as a 'training field' for the fractional replication and help deciding what entries should and shouldn't be replicated.

Ok.

Simo.

-- Regards, Ondrej Hamada FreeIPA team jabber: oh...@jabbim.cz IRC: ohamada
Re: [Freeipa-devel] More types of replica in FreeIPA
On 04/18/2012 08:30 PM, Rich Megginson wrote:

On 04/17/2012 06:42 AM, Simo Sorce wrote:

On Tue, 2012-04-17 at 01:13 +0200, Ondrej Hamada wrote:

Sorry for inactivity, I was struggling with a lot of school stuff. I've summed up the main goals, do you agree on them or should I add/remove any?

GOALS
=====

Create Hub and Consumer types of replica with the following features:

* Hub is read-only
* Hub interconnects Masters with Consumers or Masters with Hubs or Hubs with other Hubs
* Hub is hidden in the network topology
* Consumer is read-only
* Consumer interconnects Masters/Hubs with clients
* Write operations should be forwarded to Master
* Consumer should be able to log users into system without communication with master

We need to define how this can be done, it will almost certainly mean part of the consumer is writable, plus it also means you need additional access control and policies, on what the Consumer should be allowed to see.

* Consumer should cache user's credentials

Ok what credentials ? As I explained earlier Kerberos creds cannot really be cached. Either they are transferred with replication or the KDC needs to be changed to do chaining. Neither I consider as 'caching'. A password obtained through an LDAP bind could be cached, but I am not sure it is worth it.

* Caching of credentials should be configurable

See above.

* CA server should not be allowed on Hubs and Consumers

Missing points:
- Masters should not transfer KRB keys to HUBs/Consumers by default.
- We need selective replication if you want to allow distributing a partial set of Kerberos credentials to consumers. With Hubs it becomes complicated to decide what to replicate about credentials.

Simo.

Can you please have a look at this draft and comment on it?
Design document draft: More types of replicas in FreeIPA

GOALS
=====

Create Hub and Consumer types of replica with the following features:

* Hub is read-only
* Hub interconnects Masters with Consumers or Masters with Hubs or Hubs with other Hubs
* Hub is hidden in the network topology
* Consumer is read-only
* Consumer interconnects Masters/Hubs with clients
* Write operations should be forwarded to Master

Do we need to specify how this is done ? Referrals vs Chain-on-update ?

Both options are in game.

* Consumer should be able to log users into system without communication with master
* Consumer should be able to store user's credentials

Can you expand on this ? Do you mean user keys ?

Yes, the consumer should be able to store all data necessary for a user being authenticated.

* Storing of credentials should be configurable and disabled by default
* Credentials expiration on replica should be configurable

What does this mean ?

We should store credentials for a subset of users only. As this subset might change over time, we should flush the credentials for users that haven't showed up for some while (even though the credentials are not expired yet).

* CA server should not be allowed on Hubs and Consumers

ISSUES
======

- SSSD is currently supposed to cooperate with one LDAP server only

Is this a problem in having an LDAP server that doesn't also have a KDC on the same host ? Or something else ?

- OpenLDAP client and its support for referrals

Should we avoid referrals and use chain-on-update ?

Maybe. I've come across several mentions that the referrals support in openldap client is not working properly.

What does it mean for access control ? How do consumers authenticate to masters ? Should we use s4u2proxy ?

- 389-DS allows replication of whole suffix only

What kind of filters do we think we need ? We can already exclude specific attributes from replication.
fractional replication had originally planned to support search filters in addition to attribute lists - I think Ondrej wants to include or exclude certain entries from being replicated

Yes, my point is that the Consumer should store credentials only for users that are authenticating against it, so we need to exclude some attributes, but just for a specific subset of users.

- Storing credentials and allowing authentication against Consumer server

POSSIBLE SOLUTIONS
==================

389-DS allows replication of whole suffix only:

* Rich said that they are planning to allow the fractional replication in DS to use LDAP filters. It will allow us to do selective replication which is mainly important for replication of user's credentials.

I guess we want to do this to selectively prevent replication of only some kerberos keys ? Based on groups ? Would filters allow that using memberof ?

Using filters with fractional replication would allow you to include or exclude anything that can be expressed as an LDAP search filter
Re: [Freeipa-devel] More types of replica in FreeIPA
On 04/19/2012 04:10 PM, Dmitri Pal wrote:

On 04/19/2012 09:03 AM, Simo Sorce wrote:

On Thu, 2012-04-19 at 14:18 +0200, Ondrej Hamada wrote:

On 04/18/2012 08:30 PM, Rich Megginson wrote:

* Credentials expiration on replica should be configurable

What does this mean ?

We should store credentials for a subset of users only. As this subset might change over time, we should flush the credentials for users that haven't showed up for some while (even though the credentials are not expired yet).

This should be determined through group membership or similar mechanism, talking about 'expiration' seems wrong and confusing, perhaps just a language problem ?

Right, thanks for the correction.

fractional replication had originally planned to support search filters in addition to attribute lists - I think Ondrej wants to include or exclude certain entries from being replicated

Yes, my point is that the Consumer should store credentials only for users that are authenticating against it, so we need to exclude some attributes, but just for a specific subset of users.

I am not sure we can achieve this with just a fractional replication filter, not easily anyway. A search filter singles out entire entries. In order to have different sets of attributes replicated we need an additional, per-filter attribute exclusion list.

3) find master dynamically - Consumers and Hubs will be in fact master servers (from 389-DS point of view), this means that every consumer or hub knows his direct suppliers and they know their suppliers ...

Not clear what this means, can you elaborate ?

Replication agreements possess the information about suppliers. It means we can dynamically discover where the masters are by going through all nodes and asking who's their supplier. Thinking about it again, it will be probably very slow and less reliable. The lookup of dns records in LDAP would be better.
Neither, we have the list of masters in LDAP in the cn=etc subtree for these uses, it's a simple search, and it is the authoritative list. Remember we may not always control the DNS, so relying on a manually maintained DNS would be bad.

Good point, I forgot about the master entries.

* SSSD must be improved to allow cooperation with more than one LDAP server

Can you elaborate what you think is missing in SSSD ? Is it about the need to fix referrals handling ? Or something else ?

I'm afraid of the situation when a user authenticates and the information is not present on the Consumer. If we'll use referrals and the authentication will have to be done against the master, would the SSSD be able to handle it?

Currently SSSD can handle referrals, although it does so poorly due to issues with the openldap libraries. Stephen tells me there are plans to handle referrals in the SSSD code directly instead of deferring to openldap libs. When that is done we should have no more issues. However, for authentication purposes I am not sure referrals are the way to go. For the Kerberos case referrals won't work, because we will not let a consumer have read access to keys in a master (besides the consumer will not have the same master key so will not be able to decrypt them), so we will need to handle the Krb case differently. For ldap binds, we might do referrals, or we could chain binds and avoid that issue entirely. If we chain binds we can also temporarily cache credentials in the same way we do in SSSD so that if the server gets cut off the network it can keep serving requests. I am not thrilled about caching users' passwords this way and it should probably not be enabled by default, but we'd have the option.

* authentication policies, every user must authenticate against master server by default

If users always contact the master, what are the consumers for ? Need to elaborate on this and explain.
As was mentioned earlier in the discussion, there are two scenarios - in the first one the consumer serves only as a source of information (dns, ntp, accounts...), the second one allows distribution of credentials and thus enables the authentication against the consumer locally. The first one is more secure since the creds are not stored on consumers that might be more easily corrupted.

Ok, makes sense, but I would handle this transparently to the clients, as noted above. Trying to build knowledge in clients or rely on referrals is going to work poorly with a lot of clients, making the solution not really useful in real deployments where a mix of machines that do not use SSSD is present.

- The policy must also specify the credentials expiration time. If user tries to authenticate with expired credential, he will be refused and redirected to Master server for authentication.

How is this different from current status ? All accounts already have password expiration times and account expiration times. What am I missing ?

Sorry, I wrote it unclearly. I meant that the credentials we store on Consumer should be there available only
Re: [Freeipa-devel] More types of replica in FreeIPA
to authenticate with expired credential, he will be refused and redirected to Master server for authentication.

ISSUE: How to deal with creds. expiration in replication? The replication of credentials to the Consumer could be stopped by removing the user from the Consumer specific user group (mentioned above). The easiest way would be to delete him when he tries to auth. with expired credentials or do a regular check (intervals specified in policy) and delete all expired creds. Because of the removal of expired creds. we will have to grant the Consumer the permission to delete users from the Consumer specific user group (but only deleting, adding users will be possible on Masters only).

Offline authentication:

* Consumer (and Hub) must allow write operations just for a small set of attributes: last login date and time, count of unsuccessful logins and the lockup of account - to be able to do that, both Consumers and Hubs must be Masters (from 389-DS point of view). When the Master-Consumer connection is broken, the lockup information is saved only locally and will be pushed to Master on connection restoration. I suppose that only the lockup information should be replicated. In case of lockup the user will have to authenticate against Master server only.

Transfer of Krb keys:

* Consumer server will have to have realm krbtgt. This means that we will have to distribute every Consumer's krbtgt to the Master servers. The Masters will need to have a logic for using those keys instead of the normal krbtgt to perform operations when user's krbtgt are presented to a different server.

-- Regards, Ondrej Hamada FreeIPA team jabber: oh...@jabbim.cz IRC: ohamada
[Freeipa-devel] [PATCH] 22 Always set ipa_hostname for sssd.conf
https://fedorahosted.org/freeipa/ticket/2527 ipa-client-install will always set ipa_hostname for sssd.conf in order to prevent the client from getting into weird state. -- Regards, Ondrej Hamada FreeIPA team jabber:oh...@jabbim.cz IRC: ohamada From 4f471211d6e0ab33e17bc1cda5d7c89045e2b3d5 Mon Sep 17 00:00:00 2001 From: Ondrej Hamada oham...@redhat.com Date: Thu, 12 Apr 2012 14:19:15 +0200 Subject: [PATCH] Always set ipa_hostname for sssd.conf ipa-client-install will always set ipa_hostname for sssd.conf in order to prevent the client from getting into weird state. https://fedorahosted.org/freeipa/ticket/2527 --- ipa-client/ipa-install/ipa-client-install |7 +++ 1 files changed, 3 insertions(+), 4 deletions(-) diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index 75c60653c6882a73d20a4d40fcb9713799aeea41..828dbd8fb5d41fb6e61c1abccd83cbbe8c3a838f 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -695,7 +695,7 @@ def configure_certmonger(fstore, subject_base, cli_realm, hostname, options): except: print %s request for host certificate failed % (cmonger.service_name) -def configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server, options, client_domain): +def configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server, options, client_domain, client_hostname): try: sssdconfig = SSSDConfig.SSSDConfig() sssdconfig.import_config() @@ -758,8 +758,7 @@ def configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server, options, clie # the master should only use itself for Kerberos domain.set_option('ipa_server', cli_server) domain.set_option('ipa_domain', cli_domain) -if options.hostname: -domain.set_option('ipa_hostname', options.hostname) +domain.set_option('ipa_hostname', client_hostname) if cli_domain.lower() != cli_realm.lower(): domain.set_option('krb5_realm', cli_realm) 
@@ -1352,7 +1351,7 @@ def install(options, env, fstore, statestore): # Always back up sssd.conf. It gets updated by authconfig --enablekrb5. fstore.backup_file(/etc/sssd/sssd.conf) if options.sssd: -if configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server, options, client_domain): +if configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server, options, client_domain, hostname): return CLIENT_INSTALL_ERROR print Configured /etc/sssd/sssd.conf -- 1.7.6.5 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
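Review bot: In the @@ -695 hunk, configure_sssd_conf() gains a required positional parameter `client_hostname` appended at the end of the signature, and the only caller updated in this patch is the one in install() at @@ -1352; grep the script for any other call site before merging, since each one left on the old arity would now raise TypeError at runtime. A short comment at the definition saying that `client_hostname` (rather than `options.hostname`) is now the only source of the value would also help the next reader, because the old `if options.hostname:` branch no longer exists to explain it.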
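Review bot: In the @@ -758 hunk, `domain.set_option('ipa_hostname', client_hostname)` is now written unconditionally, which is the stated intent, but the value is whatever install() holds in its `hostname` variable at the @@ -1352 call site. Please confirm that variable is the final, fully qualified name used for the host principal at enrolment time; sssd.conf's ipa_hostname is what SSSD uses to pick the host keytab principal, so a value that differs from the enrolled name (short vs FQDN, or a name overridden after the variable was set) would leave the client unable to authenticate rather than in a merely "weird" state.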
Re: [Freeipa-devel] [PATCH] 21 Unable to rename permission object
On 04/10/2012 09:35 PM, Rob Crittenden wrote: Ondrej Hamada wrote: https://fedorahosted.org/freeipa/ticket/2571 The update was failing because of the case insensitivity of permission object DN. Can you wrap the error in _() and add a couple of test cases for this, say one for the case insensitivity and one for empty rename attempt? rob fixed patch attached -- Regards, Ondrej Hamada FreeIPA team jabber: oh...@jabbim.cz IRC: ohamada From 2e27cc3517fced8f48f7fa89963b72479f2c8bee Mon Sep 17 00:00:00 2001 From: Ondrej Hamada oham...@redhat.com Date: Wed, 11 Apr 2012 09:37:15 +0200 Subject: [PATCH] Unable to rename permission object The update was failing because of the case insensitivity of permission object DN. Unit-tests added. https://fedorahosted.org/freeipa/ticket/2571 --- ipalib/plugins/permission.py| 19 ++- tests/test_xmlrpc/test_permission_plugin.py | 45 -- 2 files changed, 52 insertions(+), 12 deletions(-) diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py index 9b669d9f57e81e885bd080703ba6c405395f6608..92203f17403d7c99dcc41525a771cf01ec31ce32 100644 --- a/ipalib/plugins/permission.py +++ b/ipalib/plugins/permission.py 
@@ -335,14 +335,17 @@ class permission_mod(LDAPUpdate): # when renaming permission, check if the target permission does not # exists already. Then, make changes to underlying ACI if 'rename' in options: -try: -new_dn = dn.replace(keys[-1], options['rename'], 1) -(new_dn, attrs) = ldap.get_entry( -new_dn, attrs_list, normalize=self.obj.normalize_dn -) -raise errors.DuplicateEntry() -except errors.NotFound: -pass# permission may be renamed, continue +if options['rename']: +try: +new_dn = dn.replace(keys[-1].lower(), options['rename'], 1) +(new_dn, attrs) = ldap.get_entry( +new_dn, attrs_list, normalize=self.obj.normalize_dn +) +raise errors.DuplicateEntry() +except errors.NotFound: +pass# permission may be renamed, continue +else: +raise errors.ValidationError(name='rename',error=_('New name can not be empty')) opts = copy.copy(options) for o in ['all', 'raw', 'rights', 'rename']: diff --git a/tests/test_xmlrpc/test_permission_plugin.py b/tests/test_xmlrpc/test_permission_plugin.py index ab28588609caf080911a29c6e76e7c81e8f296ef..d4551c9525748c3710c4dc66ea15f3fa08f08ea4 100644 --- a/tests/test_xmlrpc/test_permission_plugin.py +++ b/tests/test_xmlrpc/test_permission_plugin.py @@ -36,6 +36,10 @@ permission1_renamed = u'testperm1_rn' permission1_renamed_dn = DN(('cn',permission1_renamed), api.env.container_permission,api.env.basedn) +permission1_renamed_ucase = u'Testperm_RN' +permission1_renamed_ucase_dn = DN(('cn',permission1_renamed_ucase.lower()), +api.env.container_permission,api.env.basedn) + permission2 = u'testperm2' permission2_dn = DN(('cn',permission2), 
@@ -463,6 +467,17 @@ class test_permission(Declarative): dict( +desc='Try to rename %r to empty name' % (permission1), +command=( +'permission_mod', [permission1], dict(rename=u'', + permissions=u'all',) +), +expected=errors.ValidationError(name=u'rename', +error=u'New name can not be empty'), +), + + +dict( desc='Check integrity of original permission %r' % permission1, command=('permission_show', [permission1], {}), expected=dict( @@ -503,12 +518,34 @@ class test_permission(Declarative): dict( -desc='Delete %r' % permission1_renamed, -command=('permission_del', [permission1_renamed], {}), +desc='Rename %r to permission %r' % (permission1_renamed, + permission1_renamed_ucase), +command=( +'permission_mod', [permission1_renamed], dict(rename=permission1_renamed_ucase, + permissions= u'write',) +), expected=dict( -result=dict(failed=u''), value=permission1_renamed, -summary=u'Deleted permission %s' % permission1_renamed, +summary=u'Modified permission %s' % permission1_renamed, +result={ +'dn': lambda x: DN(x) == permission1_renamed_ucase_dn, +'cn': [permission1_renamed_ucase.lower()], +'member_privilege': [privilege1], +'type': u'user
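Review bot: In the permission.py hunk, `new_dn = dn.replace(keys[-1].lower(), options['rename'], 1)` builds the target DN by plain string substitution and that is the fragile part. It only works when `dn` is already lower-cased so that `keys[-1].lower()` actually occurs in it; if the case differs, str.replace returns `dn` unchanged, ldap.get_entry() then finds the permission being renamed, and the code raises DuplicateEntry for a perfectly valid rename. It also replaces the first match anywhere in the string rather than the leading RDN. Build the DN structurally instead, for example `new_dn = DN(('cn', options['rename']), api.env.container_permission, api.env.basedn)`, the same construction the test file uses for `permission1_renamed_ucase_dn`, and let `normalize=self.obj.normalize_dn` take care of case. Separately, `if options['rename']:` still lets a whitespace-only name through; strip before the emptiness check.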
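Review bot: In the test_permission_plugin.py hunk at @@ -503, the 'Delete %r' step for permission1_renamed is replaced by the upper-case rename step, so the entry now lives on under the name permission1_renamed_ucase; make sure a matching `permission_del` for permission1_renamed_ucase follows later in the Declarative sequence (it is not in this hunk), otherwise the test leaves the permission behind for the next run. The expectation `'cn': [permission1_renamed_ucase.lower()]` is the actual behaviour under test (the server stores the cn lower-cased), so it is worth saying so in the step's desc.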
[Freeipa-devel] [PATCH] 21 Unable to rename permission object
https://fedorahosted.org/freeipa/ticket/2571 The update was failing because of the case insensitivity of permission object DN. -- Regards, Ondrej Hamada FreeIPA team jabber: oh...@jabbim.cz IRC: ohamada From 75772d91024d961fc4193654a8ca128664b2d4d5 Mon Sep 17 00:00:00 2001 From: Ondrej Hamada oham...@redhat.com Date: Tue, 10 Apr 2012 16:21:07 +0200 Subject: [PATCH] Unable to rename permission object The update was failing because of the case insensitivity of permission object DN. https://fedorahosted.org/freeipa/ticket/2571 --- ipalib/plugins/permission.py | 19 +++ 1 files changed, 11 insertions(+), 8 deletions(-) diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py index ce2536d9921ede73d2c26468f5d99609552e1881..05bd9901da82eea393a67255ff3d091b6fb02fd0 100644 --- a/ipalib/plugins/permission.py +++ b/ipalib/plugins/permission.py @@ -331,14 +331,17 @@ class permission_mod(LDAPUpdate): # when renaming permission, check if the target permission does not # exists already. Then, make changes to underlying ACI if 'rename' in options: -try: -new_dn = dn.replace(keys[-1], options['rename'], 1) -(new_dn, attrs) = ldap.get_entry( -new_dn, attrs_list, normalize=self.obj.normalize_dn -) -raise errors.DuplicateEntry() -except errors.NotFound: -pass# permission may be renamed, continue +if options['rename']: +try: +new_dn = dn.replace(keys[-1].lower(), options['rename'], 1) +(new_dn, attrs) = ldap.get_entry( +new_dn, attrs_list, normalize=self.obj.normalize_dn +) +raise errors.DuplicateEntry() +except errors.NotFound: +pass# permission may be renamed, continue +else: +raise errors.ValidationError(name='rename',error='New name can not be empty') opts = copy.copy(options) for o in ['all', 'raw', 'rights', 'rename']: -- 1.7.6.5
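Review bot: `error='New name can not be empty'` in the added `ValidationError` is a plain string, so it will never be translated; wrap it as `error=_('New name can not be empty')` like the other user-facing messages in the plugins (`label=_('Default Group')` and friends). The `dn.replace(keys[-1].lower(), options['rename'], 1)` substitution also relies on the stored DN being lower-cased; when it is not, `new_dn` stays equal to `dn`, `get_entry` finds the entry itself and a spurious `DuplicateEntry` is raised, so consider constructing the target DN from its RDN components instead of text replacement.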
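The failure described in the commit message above, as an added example that is not FreeIPA's code: a plain `str.replace()` of the primary key into the DN is case-sensitive, while the directory matches `cn` values case-insensitively and may store the DN in lower case, so the replace is a no-op, the "does the target exist" lookup finds the entry itself and a spurious duplicate is reported. The DN helpers, the sample DNs and the in-memory directory are constructed for illustration.

```python
import re


def split_rdns(dn):
    """Split a DN string on unescaped commas into (attr, value) pairs.
    Constructed helper: handles backslash-escaped commas, not multi-valued RDNs."""
    rdns = []
    for part in re.split(r'(?<!\\),', dn):
        attr, _, value = part.partition('=')
        rdns.append((attr.strip(), value.strip()))
    return rdns


def join_rdns(rdns):
    return ','.join('%s=%s' % (attr, value) for attr, value in rdns)


def naive_rename(dn, old_key, new_key):
    """Case-sensitive text substitution of the key, as in the pre-fix code."""
    return dn.replace(old_key, new_key, 1)


def rename_leaf_rdn(dn, old_key, new_key):
    """Replace the value of the leaf (first) RDN, matching old_key
    case-insensitively, which is how LDAP compares cn values."""
    rdns = split_rdns(dn)
    attr, value = rdns[0]
    if value.lower() != old_key.lower():
        raise ValueError('leaf RDN %r does not match key %r' % (value, old_key))
    return join_rdns([(attr, new_key)] + rdns[1:])


def check_rename(directory, dn, old_key, new_key, rename):
    """Simulate permission_mod's duplicate check: the target DN must not
    already exist. `directory` is a set of lower-cased DNs, mimicking the
    server's case-insensitive matching. Returns 'duplicate' or the new DN."""
    new_dn = rename(dn, old_key, new_key)
    if new_dn.lower() in directory:
        return 'duplicate'
    return new_dn


# Constructed sample directory; the base DN is illustrative only.
BASE = 'cn=permissions,cn=pbac,dc=example,dc=com'
DIRECTORY = {'cn=testperm1,' + BASE, 'cn=testperm2,' + BASE}
STORED_DN = 'cn=testperm1,' + BASE   # as normalized by the server: lower case


def demo():
    key = 'TestPerm1'   # primary key as typed by the caller, mixed case
    # Text replace matches nothing, the DN is unchanged, the lookup hits the
    # entry itself and the caller sees a spurious 'duplicate'.
    spurious = check_rename(DIRECTORY, STORED_DN, key, 'renamed', naive_rename)
    # RDN-aware rename produces the real target DN and the check passes.
    fixed = check_rename(DIRECTORY, STORED_DN, key, 'renamed', rename_leaf_rdn)
    # A genuine clash is still detected whatever the case of the new name.
    clash = check_rename(DIRECTORY, STORED_DN, key, 'TESTPERM2', rename_leaf_rdn)
    return spurious, fixed, clash


if __name__ == '__main__':
    print(demo())
```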
Re: [Freeipa-devel] More types of replica in FreeIPA
On 04/04/2012 06:16 PM, Ondrej Hamada wrote:
On 04/04/2012 03:02 PM, Simo Sorce wrote:
On Tue, 2012-04-03 at 18:45 +0200, Ondrej Hamada wrote:
On 03/13/2012 01:13 AM, Dmitri Pal wrote:
On 03/12/2012 06:10 PM, Simo Sorce wrote:
On Mon, 2012-03-12 at 17:40 -0400, Dmitri Pal wrote:
On 03/12/2012 04:16 PM, Simo Sorce wrote:
On Mon, 2012-03-12 at 20:38 +0100, Ondrej Hamada wrote:
USER'S operations when connection is OK:
---
read data - local
write data - forwarding to master
authentication:
-credentials cached -- authenticate against credentials in local cache
-on failure: log failure locally, update data about failures only on lock-down of account
-credentials not cached -- forward request to master, on success cache the credentials

This scheme doesn't work with Kerberos. Either you have a copy of the user's keys locally or you don't, there is nothing you can really cache if you don't. Simo.

Yes this is what we are talking about here - the cache would have to contain user Kerberos key but there should be some expiration on the cache so that fetched and stored keys are periodically cleaned following the policy an admin has defined.

We would need a mechanism to transfer Kerberos keys, but that would not be sufficient, you'd have to give read-only servers also the realm krbtgt in order to be able to do anything with those keys. The way MS solves this (I think) is by giving a special RODC krbtgt to each RODC, and then replicating all RODC krbtgt's with full domain controllers. Full domain controllers have logic to use RODC's krbtgt keys instead of the normal krbtgt to perform operations when user's krbtgt are presented to a different server. This is a lot of work and changes in the KDC, not something we can implement easily. As a first implementation I would restrict read-only replicas to not do Kerberos at all, only LDAP for all the lookup stuff necessary. To add a RO KDC we will need to plan a lot of changes in the KDC.
We will also need intelligent partial replication where the rules about which object (and which attributes in the object) need/can be replicated are established based on some grouping+filter mechanism. This also is a pretty important change to 389ds. Simo.

I agree. I am just trying to structure the discussion a bit so that all what you are saying can be captured in the design document and then we can pick a subset of what Ondrej will actually implement. So let us capture all the complexity and then do a POC for just LDAP part.

Sorry for inactivity, I was struggling with a lot of school stuff. I've summed up the main goals, do you agree on them or should I add/remove any?
GOALS
===
Create Hub and Consumer types of replica with following features:
* Hub is read-only
* Hub interconnects Masters with Consumers or Masters with Hubs or Hubs with other Hubs
* Hub is hidden in the network topology
* Consumer is read-only
* Consumer interconnects Masters/Hubs with clients
* Write operations should be forwarded to Master
* Consumer should be able to log users into system without communication with master
We need to define how this can be done, it will almost certainly mean part of the consumer is writable, plus it also means you need additional access control and policies, on what the Consumer should be allowed to see.
Right, in such case the Consumers and Hubs will have to be masters (from 389-DS's point of view).
* Consumer should cache user's credentials
Ok what credentials ? As I explained earlier Kerberos creds cannot really be cached. Either they are transferred with replication or the KDC needs to be changed to do chaining. Neither I consider as 'caching'. A password obtained through an LDAP bind could be cached, but I am not sure it is worth it.
* Caching of credentials should be configurable
See above.
* CA server should not be allowed on Hubs and Consumers
Missing points:
- Masters should not transfer KRB keys to HUBs/Consumers by default.
Add point:
- storing of the Krb creds must be configurable and disabled by default
- We need selective replication if you want to allow distributing a partial set of Kerberos credentials to consumers. With Hubs it becomes complicated to decide what to replicate about credentials. Simo.

Rich mentioned that they are planning support for LDAP filters in fractional replication in the future, but currently it is not supported.

Ad distribution of user's Krb creds: When the user logs on any Consumer for a first time, he has to authenticate against master. If succeeds, he will be added to a specific user group. Each consumer will have one of these groups. These groups will be used by LDAP filters in fractional replication to distribute the Krb creds to the chosen Consumers only. This will be more complicated because of the HUBs (as Simo already said). The easiest
Re: [Freeipa-devel] [PATCH] 15 Confusing default user groups
On 03/27/2012 12:39 PM, Petr Vobornik wrote:
On 03/26/2012 10:27 PM, Rob Crittenden wrote:
Ondrej Hamada wrote:
On 03/19/2012 05:25 PM, Martin Kosek wrote:
On Tue, 2012-03-06 at 19:07 +0100, Ondrej Hamada wrote:
https://fedorahosted.org/freeipa/ticket/2354 A '(fallback)' string was added in the automember plugin labels referring to automember default groups to point out that the users are already members of the default group specified in IPA config, thus the default group specified in automember will be an additional one - a fallback group.

Hm, looks ok. Though I would also like some second opinion for this change. I think naming it simply Fallback Group would be better, but we cannot change the API at this stage and rename the parameter. So this change is a good compromise so far, IMO. I found a few issues though: 1) The label of default group parameter in automember has not been updated, i.e. the following command still shows the old name: # ipa automember-default-group-show --type=group Default Group: cn=editors,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com 2) I think we could fix a few issues in docstrings since we touch these strings anyway: a) Typo in doc - label=_('Default Group'), - doc=_('Default group for entires to land'), + label=_('Default (fallback) Group'), + doc=_('Default (fallback) group for entires to land'), b) Non-translatable strings: - entry_attrs['automemberdefaultgroup'] = u'No default group set' + entry_attrs['automemberdefaultgroup'] = u'No default (fallback) group set' - entry_attrs['automemberdefaultgroup'] = u'No default group set' + entry_attrs['automemberdefaultgroup'] = u'No default (fallback) group set' Martin

fixed Ondra

Petr, related to handling in the UI, do you look for the string No default group set' or just look for a string that isn't a dn? rob

We are checking if the string looks like dn - if it contains 'cn='. If not, we consider it as an error message.
Fixed issues with json serialization -- Regards, Ondrej Hamada FreeIPA team jabber: oh...@jabbim.cz IRC: ohamada From 89f28563ce57dd3e068fd2651b12df393399f402 Mon Sep 17 00:00:00 2001 From: Ondrej Hamada oham...@redhat.com Date: Thu, 5 Apr 2012 17:42:41 +0200 Subject: [PATCH] Confusing default user groups Added 'fallback' into the labels for default automember group and hostgroup. https://fedorahosted.org/freeipa/ticket/2354 --- ipalib/plugins/automember.py| 35 +++--- tests/test_xmlrpc/test_automember_plugin.py |6 ++-- 2 files changed, 23 insertions(+), 18 deletions(-) diff --git a/ipalib/plugins/automember.py b/ipalib/plugins/automember.py index fabc9bb35a3803475ee1647aea264e29ea8a6f20..bf4cb355ced9760399bf05ceb3ef5d045570c0de 100644 --- a/ipalib/plugins/automember.py +++ b/ipalib/plugins/automember.py @@ -33,12 +33,17 @@ or exclusive regex paterns, you can automatically assign a new entries into a group or hostgroup based upon attribute information. A rule is directly associated with a group by name, so you cannot create -a rule without an accompanying group or hostgroup +a rule without an accompanying group or hostgroup. A condition is a regular expression used by 389-ds to match a new incoming entry with an automember rule. If it matches an inclusive rule then the entry is added to the appropriate group or hostgroup. +A default group or hostgroup could be specified for entries that do not +match any rule. In case of user entries this group will be a fallback group +because all users are by default members of group specified in IPA config. + + EXAMPLES: Add the initial group or hostgroup: 
@@ -80,15 +85,15 @@ EXAMPLES: Modify the automember rule: ipa automember-mod - Set the default target group: + Set the default (fallback) target group: ipa automember-default-group-set --default-group=webservers --type=hostgroup ipa automember-default-group-set --default-group=ipausers --type=group - Remove the default target group: + Remove the default (fallback) target group: ipa automember-default-group-remove --type=hostgroup ipa automember-default-group-remove --type=group - Show the default target group: + Show the default (fallback) target group: ipa automember-default-group-show --type=hostgroup ipa automember-default-group-show --type=group @@ -173,7 +178,7 @@ class automember(LDAPObject): ), Str('automemberdefaultgroup?', cli_name='default_group', -label=_('Default Group'), +label=_('Default (fallback) Group'), doc=_('Default group for entries to land'), flags=['no_create', 'no_update', 'no_search'] ), @@ -500,18 +505,18 @@ api.register(automember_show) class automember_default_group_set(LDAPUpdate): __doc__ = _( -Set default group for all unmatched entries. +Set default (fallback) group for all unmatched entries. ) takes_options = ( Str
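Review bot: in the @@ -173 hunk the label becomes `_('Default (fallback) Group')` but the `doc=_('Default group for entries to land')` line directly below it is left unchanged, so the CLI help text and the label now disagree; update the doc string the same way. In the module docstring hunk, 'could be specified' reads better as 'can be specified', and 'members of group specified in IPA config' needs 'the group'.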
Re: [Freeipa-devel] More types of replica in FreeIPA
On 04/04/2012 03:02 PM, Simo Sorce wrote:
On Tue, 2012-04-03 at 18:45 +0200, Ondrej Hamada wrote:
On 03/13/2012 01:13 AM, Dmitri Pal wrote:
On 03/12/2012 06:10 PM, Simo Sorce wrote:
On Mon, 2012-03-12 at 17:40 -0400, Dmitri Pal wrote:
On 03/12/2012 04:16 PM, Simo Sorce wrote:
On Mon, 2012-03-12 at 20:38 +0100, Ondrej Hamada wrote:
USER'S operations when connection is OK:
---
read data - local
write data - forwarding to master
authentication:
-credentials cached -- authenticate against credentials in local cache
-on failure: log failure locally, update data about failures only on lock-down of account
-credentials not cached -- forward request to master, on success cache the credentials

This scheme doesn't work with Kerberos. Either you have a copy of the user's keys locally or you don't, there is nothing you can really cache if you don't. Simo.

Yes this is what we are talking about here - the cache would have to contain user Kerberos key but there should be some expiration on the cache so that fetched and stored keys are periodically cleaned following the policy an admin has defined.

We would need a mechanism to transfer Kerberos keys, but that would not be sufficient, you'd have to give read-only servers also the realm krbtgt in order to be able to do anything with those keys. The way MS solves this (I think) is by giving a special RODC krbtgt to each RODC, and then replicating all RODC krbtgt's with full domain controllers. Full domain controllers have logic to use RODC's krbtgt keys instead of the normal krbtgt to perform operations when user's krbtgt are presented to a different server. This is a lot of work and changes in the KDC, not something we can implement easily. As a first implementation I would restrict read-only replicas to not do Kerberos at all, only LDAP for all the lookup stuff necessary. To add a RO KDC we will need to plan a lot of changes in the KDC.
We will also need intelligent partial replication where the rules about which object (and which attributes in the object) need/can be replicated are established based on some grouping+filter mechanism. This also is a pretty important change to 389ds. Simo.

I agree. I am just trying to structure the discussion a bit so that all what you are saying can be captured in the design document and then we can pick a subset of what Ondrej will actually implement. So let us capture all the complexity and then do a POC for just LDAP part.

Sorry for inactivity, I was struggling with a lot of school stuff. I've summed up the main goals, do you agree on them or should I add/remove any?
GOALS
===
Create Hub and Consumer types of replica with following features:
* Hub is read-only
* Hub interconnects Masters with Consumers or Masters with Hubs or Hubs with other Hubs
* Hub is hidden in the network topology
* Consumer is read-only
* Consumer interconnects Masters/Hubs with clients
* Write operations should be forwarded to Master
* Consumer should be able to log users into system without communication with master
We need to define how this can be done, it will almost certainly mean part of the consumer is writable, plus it also means you need additional access control and policies, on what the Consumer should be allowed to see.
Right, in such case the Consumers and Hubs will have to be masters (from 389-DS's point of view).
* Consumer should cache user's credentials
Ok what credentials ? As I explained earlier Kerberos creds cannot really be cached. Either they are transferred with replication or the KDC needs to be changed to do chaining. Neither I consider as 'caching'. A password obtained through an LDAP bind could be cached, but I am not sure it is worth it.
* Caching of credentials should be configurable
See above.
* CA server should not be allowed on Hubs and Consumers
Missing points:
- Masters should not transfer KRB keys to HUBs/Consumers by default.
Add point:
- storing of the Krb creds must be configurable and disabled by default
- We need selective replication if you want to allow distributing a partial set of Kerberos credentials to consumers. With Hubs it becomes complicated to decide what to replicate about credentials. Simo.

Rich mentioned that they are planning support for LDAP filters in fractional replication in the future, but currently it is not supported. -- Regards, Ondrej Hamada FreeIPA team jabber:oh...@jabbim.cz IRC: ohamada
[Freeipa-devel] [PATCH] 20 Fix empty external member processing
https://fedorahosted.org/freeipa/ticket/2447 Validation of external member was failing for empty strings because of wrong condition. -- Regards, Ondrej Hamada FreeIPA team jabber: oh...@jabbim.cz IRC: ohamada From 137c676c6c182f839cbcd9332f9d0f6d8d18b3f0 Mon Sep 17 00:00:00 2001 From: Ondrej Hamada oham...@redhat.com Date: Tue, 3 Apr 2012 12:07:04 +0200 Subject: [PATCH] Fix empty external member processing Validation of external member was failing for empty strings because of wrong condition. https://fedorahosted.org/freeipa/ticket/2447 --- ipalib/plugins/baseldap.py |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py index 38f369a779adc53454837994bd2bec5b74d3bbd4..1c893018c6452b5979c2c721e325005cb0d676a9 100644 --- a/ipalib/plugins/baseldap.py +++ b/ipalib/plugins/baseldap.py @@ -326,7 +326,7 @@ def add_external_pre_callback(membertype, ldap, dn, keys, options): def validate_host(hostname): validate_hostname(hostname, check_fqdn=False, allow_underscore=True) -if membertype in options: +if membertype in options and options[membertype]: if membertype == 'host': validator = validate_host else: -- 1.7.6.5
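Review bot: `if membertype in options and options[membertype]:` spells one condition as two; `if options.get(membertype):` covers both the missing key and the empty or `None` value in a single expression and avoids the double lookup. Either way the intent is right: the old `in` test was true for a key that mapped to an empty value, which is exactly the empty-member case the commit message describes.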
Re: [Freeipa-devel] [PATCH] 20 Fix empty external member processing
On 04/03/2012 12:22 PM, Ondrej Hamada wrote: https://fedorahosted.org/freeipa/ticket/2447 Validation of external member was failing for empty strings because of wrong condition. Used clearer solution. Thanks to Rob for advice. -- Regards, Ondrej Hamada FreeIPA team jabber: oh...@jabbim.cz IRC: ohamada From 837734d515b72fd10b5284b13acfdcba94deeec1 Mon Sep 17 00:00:00 2001 From: Ondrej Hamada oham...@redhat.com Date: Tue, 3 Apr 2012 15:16:58 +0200 Subject: [PATCH] Fix empty external member processing Validation of external member was failing for empty strings because of wrong condition. https://fedorahosted.org/freeipa/ticket/2447 --- ipalib/plugins/baseldap.py |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py index 38f369a779adc53454837994bd2bec5b74d3bbd4..11ec16fe10a7ebaf1cd00214f8c6c264952d81d4 100644 --- a/ipalib/plugins/baseldap.py +++ b/ipalib/plugins/baseldap.py @@ -326,7 +326,7 @@ def add_external_pre_callback(membertype, ldap, dn, keys, options): def validate_host(hostname): validate_hostname(hostname, check_fqdn=False, allow_underscore=True) -if membertype in options: +if options.get(membertype,False): if membertype == 'host': validator = validate_host else: -- 1.7.6.5
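Review bot: `options.get(membertype,False)`: the `False` default is redundant, since a missing key already yields the equally falsy `None`, and PEP 8 wants a space after the comma; `if options.get(membertype):` says the same thing. The diffstat shows only baseldap.py touched, so a unit test that passes an empty value for each external member type (host, user, group) would be worth adding to keep this regression from coming back.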
Re: [Freeipa-devel] More types of replica in FreeIPA
On 03/13/2012 01:13 AM, Dmitri Pal wrote:
On 03/12/2012 06:10 PM, Simo Sorce wrote:
On Mon, 2012-03-12 at 17:40 -0400, Dmitri Pal wrote:
On 03/12/2012 04:16 PM, Simo Sorce wrote:
On Mon, 2012-03-12 at 20:38 +0100, Ondrej Hamada wrote:
USER'S operations when connection is OK:
---
read data - local
write data - forwarding to master
authentication:
-credentials cached -- authenticate against credentials in local cache
-on failure: log failure locally, update data about failures only on lock-down of account
-credentials not cached -- forward request to master, on success cache the credentials

This scheme doesn't work with Kerberos. Either you have a copy of the user's keys locally or you don't, there is nothing you can really cache if you don't. Simo.

Yes this is what we are talking about here - the cache would have to contain user Kerberos key but there should be some expiration on the cache so that fetched and stored keys are periodically cleaned following the policy an admin has defined.

We would need a mechanism to transfer Kerberos keys, but that would not be sufficient, you'd have to give read-only servers also the realm krbtgt in order to be able to do anything with those keys. The way MS solves this (I think) is by giving a special RODC krbtgt to each RODC, and then replicating all RODC krbtgt's with full domain controllers. Full domain controllers have logic to use RODC's krbtgt keys instead of the normal krbtgt to perform operations when user's krbtgt are presented to a different server. This is a lot of work and changes in the KDC, not something we can implement easily. As a first implementation I would restrict read-only replicas to not do Kerberos at all, only LDAP for all the lookup stuff necessary. To add a RO KDC we will need to plan a lot of changes in the KDC.
We will also need intelligent partial replication where the rules about which object (and which attributes in the object) need/can be replicated are established based on some grouping+filter mechanism. This also is a pretty important change to 389ds. Simo.

I agree. I am just trying to structure the discussion a bit so that all what you are saying can be captured in the design document and then we can pick a subset of what Ondrej will actually implement. So let us capture all the complexity and then do a POC for just LDAP part.

Sorry for inactivity, I was struggling with a lot of school stuff. I've summed up the main goals, do you agree on them or should I add/remove any?
GOALS
===
Create Hub and Consumer types of replica with following features:
* Hub is read-only
* Hub interconnects Masters with Consumers or Masters with Hubs or Hubs with other Hubs
* Hub is hidden in the network topology
* Consumer is read-only
* Consumer interconnects Masters/Hubs with clients
* Write operations should be forwarded to Master
* Consumer should be able to log users into system without communication with master
* Consumer should cache user's credentials
* Caching of credentials should be configurable
* CA server should not be allowed on Hubs and Consumers
-- Regards, Ondrej Hamada FreeIPA team jabber: oh...@jabbim.cz IRC: ohamada
Re: [Freeipa-devel] [PATCH] 0030 Allow multi-line CSV parameters
On 03/22/2012 09:40 AM, Petr Viktorin wrote: Feed individual lines of input into the CSV parser, and include all lines in the output. https://fedorahosted.org/freeipa/ticket/2402 ACK -- Regards, Ondrej Hamada FreeIPA team jabber: oh...@jabbim.cz IRC: ohamada
Re: [Freeipa-devel] [PATCH] 16 Netgroup nisdomain and hosts validation
On 03/27/2012 01:57 PM, Martin Kosek wrote:
On Fri, 2012-03-23 at 23:10 +0100, Ondrej Hamada wrote:
On 03/15/2012 08:13 AM, Martin Kosek wrote:
On Wed, 2012-03-14 at 16:54 +0100, Ondrej Hamada wrote:
On 03/09/2012 04:34 PM, Martin Kosek wrote:
On Thu, 2012-03-08 at 14:52 +0100, Ondrej Hamada wrote:
Netgroup nisdomain and hosts validation nisdomain validation: Added pattern to the 'nisdomain' parameter to validate the specified nisdomain name. According to most common use cases the same pattern as for netgroup should fit. Unit-tests added. https://fedorahosted.org/freeipa/ticket/2447 hosts validation: Added precallback to netgroup_add_member. It validates the specified hostnames and raises ValidationError exception for invalid hostnames. Unit-test added. https://fedorahosted.org/freeipa/ticket/2448

I checked the host validation part and it could be improved. Issue described in #2447 (you have switched the ticket IDs) affects all objects that allow external hosts, users, ..., i.e. those who call add_external_post_callback in their post_callback. Should we fix all of these when we deal with this issue? Otherwise user could do something like this: # ipa sudorule-add-user foo --users=a+b Rule name: foo Enabled: TRUE External User: a+b We could create a similar function called add_external_pre_callback() and pass it attribute name and validating function (which would be common with the linked object). It would then do the validation for all these affected objects consistently and without redundant code.
I didn't like much the implemented pre_callback anyway +def pre_callback(self, ldap, dn, found, not_found, *keys, **options): +# validate entered hostnames +if 'host' in options: +invalid_hostnames=[] +for hostname in options['host']: +try: +validate_hostname(hostname, False) +except ValueError: +invalid_hostnames.append(hostname) +if invalid_hostnames: +raise errors.ValidationError(name='host', error='hostnames:\%s\ contain invalid characters' % ','.join(invalid_hostnames)) +return dn I would rather raise the ValidationError with the first invalid hostname and tell what's wrong (function validate_hostname tells it to you). If you go with the proposed approach, you wouldn't have to deal with formatting error messages, you would just raise the one returned by the validator shared with the linked LDAP object (hostname, user, ...). Martin

external_pre_callback function seems as a good idea, but there is a problem how to get the validators for various LDAP objects. For the hostname we already have one in ipalib.utils, but for the uid or group name we use only patterns specified in the parameter objects. Below I propose solution how to use the already defined parameter objects for validation (the only problem is that I have to assume, that it is always the first parameter in takes_params). Do you think this is a good approach?

I think the approach is OK, it can just be much improved in order to get rid of the hardcoded parts. See comments below.

def add_external_pre_callback(memberattr, membertype, externalattr, ldap, dn, found, not_found, *keys, **options): Pre callback to validate external members. if membertype in options: validator = api.Object[membertype].takes_params[0] You can use api.Object[membertype].params[memberattr] for value in options[membertype]: try: validator(value) except errors.ValidationError as e: error_msg = e[(e.find(':')+1):] You don't have to parse error message, you can just use e.name or e.error right from the caught ValidationError.
raise errors.ValidationError(name=membertype, error=e[e.find(':')+1:]) return dn

nisdomain validation: Added pattern to the 'nisdomain' parameter to validate the specified nisdomain name. According to most common use cases the same pattern as for netgroup should fit. Unit-tests added. https://fedorahosted.org/freeipa/ticket/2448 'add_external_pre_callback' function was created to allow validation of all external members. Validation is based on usage of objects primary key parameter. The 'add_external_pre_callback' function has to be called directly from the 'pre_callback' function. This change affects netgroup, hbacrule and sudorule commands. Special validator is used only for hostname, the validator requires fully qualified domain name and enables the hostnames to contain underscores. Unit-tests added. https://fedorahosted.org/freeipa/ticket/2447

This is better, but I still see a few issues: 1) You copied hostname validator instead of extending validate_hostname function in ipalib.util with allow_underscore parameter which is already available in validate_dns_label. Having duplicate functions like this is just
Re: [Freeipa-devel] [PATCH] 996 fix unit tests
On 03/23/2012 08:12 PM, Rob Crittenden wrote: A few unit tests were failing due to new type enforcement and comman support. Unit tests are passing 100% for me with this. rob You were faster. Works for me. ACK -- Regards, Ondrej Hamada FreeIPA team jabber: oh...@jabbim.cz IRC: ohamada
Re: [Freeipa-devel] [PATCH] 16 Netgroup nisdomain and hosts validation
On 03/15/2012 08:13 AM, Martin Kosek wrote:
On Wed, 2012-03-14 at 16:54 +0100, Ondrej Hamada wrote:
On 03/09/2012 04:34 PM, Martin Kosek wrote:
On Thu, 2012-03-08 at 14:52 +0100, Ondrej Hamada wrote:
Netgroup nisdomain and hosts validation nisdomain validation: Added pattern to the 'nisdomain' parameter to validate the specified nisdomain name. According to most common use cases the same pattern as for netgroup should fit. Unit-tests added. https://fedorahosted.org/freeipa/ticket/2447 hosts validation: Added precallback to netgroup_add_member. It validates the specified hostnames and raises ValidationError exception for invalid hostnames. Unit-test added. https://fedorahosted.org/freeipa/ticket/2448

I checked the host validation part and it could be improved. Issue described in #2447 (you have switched the ticket IDs) affects all objects that allow external hosts, users, ..., i.e. those who call add_external_post_callback in their post_callback. Should we fix all of these when we deal with this issue? Otherwise user could do something like this: # ipa sudorule-add-user foo --users=a+b Rule name: foo Enabled: TRUE External User: a+b We could create a similar function called add_external_pre_callback() and pass it attribute name and validating function (which would be common with the linked object). It would then do the validation for all these affected objects consistently and without redundant code.
I didn't like much the implemented pre_callback anyway +def pre_callback(self, ldap, dn, found, not_found, *keys, **options): +# validate entered hostnames +if 'host' in options: +invalid_hostnames=[] +for hostname in options['host']: +try: +validate_hostname(hostname, False) +except ValueError: +invalid_hostnames.append(hostname) +if invalid_hostnames: +raise errors.ValidationError(name='host', error='hostnames:\%s\ contain invalid characters' % ','.join(invalid_hostnames)) +return dn I would rather raise the ValidationError with the first invalid hostname and tell what's wrong (function validate_hostname tells it to you). If you go with the proposed approach, you wouldn't have to deal with formatting error messages, you would just raise the one returned by the validator shared with the linked LDAP object (hostname, user, ...). Martin

external_pre_callback function seems as a good idea, but there is a problem how to get the validators for various LDAP objects. For the hostname we already have one in ipalib.utils, but for the uid or group name we use only patterns specified in the parameter objects. Below I propose solution how to use the already defined parameter objects for validation (the only problem is that I have to assume, that it is always the first parameter in takes_params). Do you think this is a good approach?

I think the approach is OK, it can just be much improved in order to get rid of the hardcoded parts. See comments below.

def add_external_pre_callback(memberattr, membertype, externalattr, ldap, dn, found, not_found, *keys, **options): Pre callback to validate external members. if membertype in options: validator = api.Object[membertype].takes_params[0] You can use api.Object[membertype].params[memberattr] for value in options[membertype]: try: validator(value) except errors.ValidationError as e: error_msg = e[(e.find(':')+1):] You don't have to parse error message, you can just use e.name or e.error right from the caught ValidationError.
raise errors.ValidationError(name=membertype, error=e[e.find(':')+1:]) return dn

nisdomain validation: Added pattern to the 'nisdomain' parameter to validate the specified nisdomain name. According to most common use cases the same pattern as for netgroup should fit. Unit-tests added. https://fedorahosted.org/freeipa/ticket/2448 'add_external_pre_callback' function was created to allow validation of all external members. Validation is based on usage of objects primary key parameter. The 'add_external_pre_callback' function has to be called directly from the 'pre_callback' function. This change affects netgroup, hbacrule and sudorule commands. Special validator is used only for hostname, the validator requires fully qualified domain name and enables the hostnames to contain underscores. Unit-tests added. https://fedorahosted.org/freeipa/ticket/2447 -- Regards, Ondrej Hamada FreeIPA team jabber: oh...@jabbim.cz IRC: ohamada From eaf9300a5c4236835932743447c53ea430d5194d Mon Sep 17 00:00:00 2001 From: Ondrej Hamada oham...@redhat.com Date: Fri, 23 Mar 2012 13:16:36 +0100 Subject: [PATCH] Netgroup nisdomain and hosts validation nisdomain validation: Added pattern to the 'nisdomain' parameter to validate the specified
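The external-member validation design discussed in the thread above (this message and the later review of the same patch), as an added example that is not FreeIPA's code: one pre-callback validates every external member value with the validator registered for its object type, re-raises the validator's own message under the member type's name (Martin's `e.error` point), and uses a truthiness check instead of `membertype in options` so a missing or empty value list skips validation rather than reaching the loop (the empty-member case of ticket 2447). The `ValidationError` class, the hostname and name validators, the registry and all sample inputs are constructed stand-ins for ipalib's.

```python
import re


class ValidationError(Exception):
    """Constructed stand-in for ipalib's errors.ValidationError (name + error)."""
    def __init__(self, name, error):
        super().__init__('invalid %r: %s' % (name, error))
        self.name = name
        self.error = error


# One DNS label: alphanumerics and hyphens, no leading or trailing hyphen.
_LABEL_RE = re.compile(r'^[a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?$')
# Constructed primary-key pattern for user and group names.
_NAME_RE = re.compile(r'^[a-zA-Z0-9_.][a-zA-Z0-9_.-]*$')


def validate_hostname(hostname, check_fqdn=True, allow_underscore=False):
    """Hostname check with the two knobs named in the thread: an FQDN is
    required unless check_fqdn is False; underscores pass only when
    allow_underscore is set (they are mapped to hyphens for the label test)."""
    if not hostname:
        raise ValidationError('hostname', 'empty hostname')
    labels = hostname.rstrip('.').split('.')
    if check_fqdn and len(labels) < 2:
        raise ValidationError('hostname', 'not fully qualified')
    for label in labels:
        candidate = label.replace('_', '-') if allow_underscore else label
        if not _LABEL_RE.match(candidate):
            raise ValidationError('hostname', 'invalid label %r' % label)
    return hostname


def validate_name(kind):
    """Build a validator for a user or group primary key."""
    def check(value):
        if not _NAME_RE.match(value or ''):
            raise ValidationError(kind, 'may only include letters, numbers, _, -, .')
        return value
    return check


def validate_external_host(hostname):
    # External hosts need not be fully qualified; underscores are tolerated,
    # matching the validate_hostname(..., check_fqdn=False, allow_underscore=True)
    # call shown in the patch.
    return validate_hostname(hostname, check_fqdn=False, allow_underscore=True)


# Registry of validators per external member type (constructed).
VALIDATORS = {
    'host': validate_external_host,
    'user': validate_name('user'),
    'group': validate_name('group'),
}


def add_external_pre_callback(membertype, options, strict=True):
    """Validate all values under options[membertype] and return them.
    strict=True uses the fixed presence test (truthiness); strict=False
    reproduces the original `membertype in options` test so the difference
    is observable. The first failure is re-raised under the member type name."""
    if strict:
        present = bool(options.get(membertype))
    else:
        present = membertype in options
    if not present:
        return []
    validator = VALIDATORS[membertype]
    validated = []
    for value in options[membertype]:
        try:
            validated.append(validator(value))
        except ValidationError as e:
            # Use the validator's own message rather than parsing str(e).
            raise ValidationError(name=membertype, error=e.error)
    return validated


def first_error(membertype, options):
    """Return (name, error) of the rejection, or None when everything passes."""
    try:
        add_external_pre_callback(membertype, options)
    except ValidationError as e:
        return (e.name, e.error)
    return None


def legacy_crashes(membertype, options):
    """True when the original `in` test lets an empty value reach the loop."""
    try:
        add_external_pre_callback(membertype, options, strict=False)
    except TypeError:
        return True
    return False
```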
Re: [Freeipa-devel] [PATCH] 15 Confusing default user groups
On 03/19/2012 05:25 PM, Martin Kosek wrote:

On Tue, 2012-03-06 at 19:07 +0100, Ondrej Hamada wrote:

https://fedorahosted.org/freeipa/ticket/2354

There was added '(fallback)' string in the automember plugin labels referring to automember default groups to point out that the users are already members of default group specified in IPA config, thus the default group specified in automember will be an additional one - a fallback group.

Hm, looks ok. Though I would also like some second opinion for this change. I think naming it simply Fallback Group would be better, but we cannot change the API at this stage and rename the parameter. So this change is a good compromise so far, IMO.

I found a few issues though:

1) The label of default group parameter in automember has not been updated, i.e. the following command still shows the old name:

    # ipa automember-default-group-show --type=group
    Default Group: cn=editors,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com

2) I think we could fix a few issues in docstrings since we touch these strings anyway:

a) Typo in doc

-label=_('Default Group'), -doc=_('Default group for entires to land'), +label=_('Default (fallback) Group'), +doc=_('Default (fallback) group for entires to land'),

b) Non-translatable strings:

-entry_attrs['automemberdefaultgroup'] = u'No default group set' +entry_attrs['automemberdefaultgroup'] = u'No default (fallback) group set' -entry_attrs['automemberdefaultgroup'] = u'No default group set' +entry_attrs['automemberdefaultgroup'] = u'No default (fallback) group set'

Martin

fixed

Ondra

--
Regards,
Ondrej Hamada
FreeIPA team
jabber: oh...@jabbim.cz
IRC: ohamada

From 1a112e5d7ea5bbfd3ffae675352c83099ff1b1fe Mon Sep 17 00:00:00 2001
From: Ondrej Hamada oham...@redhat.com Date: Thu, 22 Mar 2012 16:32:53 +0100 Subject: [PATCH] Confusing default user groups Added 'fallback' into the labels for default automember group and hostgroup. https://fedorahosted.org/freeipa/ticket/2354 --- ipalib/plugins/automember.py| 35 +++--- tests/test_xmlrpc/test_automember_plugin.py |6 ++-- 2 files changed, 23 insertions(+), 18 deletions(-) diff --git a/ipalib/plugins/automember.py b/ipalib/plugins/automember.py index fabc9bb35a3803475ee1647aea264e29ea8a6f20..9aac94ab7aeaab0a19d8e8bca2cc040454a14af1 100644 --- a/ipalib/plugins/automember.py +++ b/ipalib/plugins/automember.py @@ -33,12 +33,17 @@ or exclusive regex paterns, you can automatically assign a new entries into a group or hostgroup based upon attribute information. A rule is directly associated with a group by name, so you cannot create -a rule without an accompanying group or hostgroup +a rule without an accompanying group or hostgroup. A condition is a regular expression used by 389-ds to match a new incoming entry with an automember rule. If it matches an inclusive rule then the entry is added to the appropriate group or hostgroup. +A default group or hostgroup could be specified for entries that do not +match any rule. In case of user entries this group will be a fallback group +because all users are by default members of group specified in IPA config. + + EXAMPLES: Add the initial group or hostgroup: 
@@ -80,15 +85,15 @@ EXAMPLES: Modify the automember rule: ipa automember-mod - Set the default target group: + Set the default (fallback) target group: ipa automember-default-group-set --default-group=webservers --type=hostgroup ipa automember-default-group-set --default-group=ipausers --type=group - Remove the default target group: + Remove the default (fallback) target group: ipa automember-default-group-remove --type=hostgroup ipa automember-default-group-remove --type=group - Show the default target group: + Show the default (fallback) target group: ipa automember-default-group-show --type=hostgroup ipa automember-default-group-show --type=group @@ -173,7 +178,7 @@ class automember(LDAPObject): ), Str('automemberdefaultgroup?', cli_name='default_group', -label=_('Default Group'), +label=_('Default (fallback) Group'), doc=_('Default group for entries to land'), flags=['no_create', 'no_update', 'no_search'] ), @@ -500,18 +505,18 @@ api.register(automember_show) class automember_default_group_set(LDAPUpdate): __doc__ = _( -Set default group for all unmatched entries. +Set default (fallback) group for all unmatched entries. ) takes_options = ( Str('automemberdefaultgroup', cli_name='default_group', -label=_('Default Group'), -doc=_('Default group for entires to land'), +label=_('Default (fallback) Group'), +doc=_('Default (fallback) group for entries to land'), flags=['no_create', 'no_update'] ), ) + group_type
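Review bot: the @@ -173,7 +178,7 @@ hunk updates only the label of automemberdefaultgroup on the automember object; its doc stays 'Default group for entries to land' while the same parameter in automember_default_group_set (@@ -500,18 +505,18 @@) now reads 'Default (fallback) group for entries to land'. Make the two doc strings consistent, since both are shown to users. In the module docstring hunk, 'could be specified' reads better as 'can be specified', and the context line 'exclusive regex paterns' carries a typo that could be fixed while the surrounding lines are being touched.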
[Freeipa-devel] [PATCH] 19 Search allowed attributes in superior objectclasses
https://fedorahosted.org/freeipa/ticket/2293 This patch fixes regression caused by patch for ticket #2293. The function get_allowed_attributes was searching only through the specified objectclasses but not through their superior objectclasses. This patch adds such behaviour by recursive call of get_allowed_attributes on the superior objectclasses. Test case that revealed the regression was added into the unit-tests. -- Regards, Ondrej Hamada FreeIPA team jabber: oh...@jabbim.cz IRC: ohamada From 5399a72edd69c5f59ba1308e03a17531557faf11 Mon Sep 17 00:00:00 2001 From: Ondrej Hamada oham...@redhat.com Date: Wed, 21 Mar 2012 13:30:42 +0100 Subject: [PATCH] Search allowed attributes in superior objectclasses get_allowed_attributes function was improved to look for allowed attributes also in the superior objectclasses of specified objectclass. This fixes the regression caused by patch for ticket #2293. Test-case for unit-test was also created. https://fedorahosted.org/freeipa/ticket/2293 --- ipaserver/plugins/ldap2.py |3 ++ tests/test_xmlrpc/test_permission_plugin.py | 35 +++ 2 files changed, 38 insertions(+), 0 deletions(-) diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py index dd5756735405d5a5a9c76d4fa0d82459007a2233..178386c67001a5851e25f1640b301ae504ccab69 100644 --- a/ipaserver/plugins/ldap2.py +++ b/ipaserver/plugins/ldap2.py @@ -401,6 +401,9 @@ class ldap2(CrudBackend, Encoder): obj = self.schema.get_obj(_ldap.schema.ObjectClass, oc) if obj is not None: allowed_attributes += obj.must + obj.may +# look for allowed attributes in the superior objectclasses +if obj.sup: +allowed_attributes += self.get_allowed_attributes(obj.sup,raise_on_unknown) elif raise_on_unknown: raise errors.NotFound(reason=_('objectclass %s not found') % oc) return [unicode(a).lower() for a in list(set(allowed_attributes))] 
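Review bot: the recursion can leave case-variant duplicates in the returned list. The recursive call returns names that are already lowercased unicode, while obj.must + obj.may are appended in schema case, and set(allowed_attributes) is taken before the final .lower(); an attribute that both an objectclass and one of its superiors list (e.g. 'businessCategory' next to u'businesscategory') survives as two entries. Lowercase each name as it is appended, or dedupe after the final comprehension. Style: add a space after the comma in `self.get_allowed_attributes(obj.sup,raise_on_unknown)`, and note in the comment that obj.sup is the tuple of superior names, which is why it can be passed where a list of objectclasses is expected.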
diff --git a/tests/test_xmlrpc/test_permission_plugin.py b/tests/test_xmlrpc/test_permission_plugin.py index 68a3cebf97943b330926fcf9837e9815e142d086..2ce1bdf31e1bb3022059088d84acb4267f8423a3 100644 --- a/tests/test_xmlrpc/test_permission_plugin.py +++ b/tests/test_xmlrpc/test_permission_plugin.py @@ -657,6 +657,41 @@ class test_permission(Declarative): dict( +desc='Create permission %r with attributes from superior objectclass' % permission1, +command=( +'permission_add', [permission1], dict( + type=u'hostgroup', + permissions=u'add,delete,write', + attrs=u'businessCategory,owner,description', +) +), +expected=dict( +value=permission1, +summary=u'Added permission %s' % permission1, +result=dict( +dn=lambda x: DN(x) == permission1_dn, +cn=[permission1], +objectclass=objectclasses.permission, +type=u'hostgroup', +permissions=[u'add',u'delete',u'write'], +attrs=[u'businesscategory',u'owner',u'description'], +), +), +), + + +dict( +desc='Delete %r' % permission1, +command=('permission_del', [permission1], {}), +expected=dict( +result=dict(failed=u''), +value=permission1, +summary=u'Deleted permission %s' % permission1, +), +), + + +dict( desc='Create targetgroup permission %r' % permission1, command=( 'permission_add', [permission1], dict( -- 1.7.6.5 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
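As an added example (not FreeIPA's own code) of the walk this patch describes, the following constructed Python models get_allowed_attributes following superior objectclasses and uses it for the permission-add attribute check that the ticket #2293 work introduced. The schema fragment, the exception classes and the cycle guard on `_seen` are assumptions of the example; names are lowercased on insertion so no case-variant duplicates can arise.

```python
from collections import namedtuple

ObjectClass = namedtuple("ObjectClass", "must may sup")

# Constructed, simplified schema fragment standing in for what ldap2 reads
# from 389-ds. A hostgroup entry here carries ipahostgroup, whose superior
# chain is groupofnames -> top; person is included to show a second chain.
SCHEMA = {
    "top": ObjectClass(must=("objectClass",), may=(), sup=()),
    "groupofnames": ObjectClass(
        must=("cn", "member"),
        may=("businessCategory", "seeAlso", "owner", "ou", "o", "description"),
        sup=("top",)),
    "ipahostgroup": ObjectClass(must=(), may=(), sup=("groupofnames",)),
    "person": ObjectClass(
        must=("sn", "cn"),
        may=("userPassword", "telephoneNumber", "seeAlso", "description"),
        sup=("top",)),
}


class NotFound(Exception):
    """Stand-in for ipalib.errors.NotFound (unknown objectclass)."""


class ObjectclassViolation(Exception):
    """Stand-in for the exception the patch 14 review settled on for
    attributes the type's objectclasses do not allow."""


def get_allowed_attributes(objectclasses, raise_on_unknown=False, _seen=None):
    """Return the sorted, lowercased attribute names allowed by the given
    objectclasses and, recursively, by all their superior objectclasses.
    `_seen` tracks already expanded names so a shared superior is expanded
    once and a (malformed) cyclic schema cannot recurse forever."""
    seen = set() if _seen is None else _seen
    allowed = set()
    for oc in objectclasses:
        name = oc.lower()
        if name in seen:
            continue
        seen.add(name)
        obj = SCHEMA.get(name)
        if obj is not None:
            # lowercase on insertion: no 'businessCategory'/'businesscategory' pair
            allowed.update(a.lower() for a in obj.must + obj.may)
            if obj.sup:
                allowed.update(get_allowed_attributes(obj.sup, raise_on_unknown, seen))
        elif raise_on_unknown:
            raise NotFound("objectclass %s not found" % oc)
    return sorted(allowed)


def first_disallowed(objectclasses, attrs):
    """Return the first attribute in `attrs` that no objectclass in the
    chain allows, or None when every attribute is permitted."""
    allowed = set(get_allowed_attributes(objectclasses, raise_on_unknown=True))
    for attr in attrs:
        if attr.lower() not in allowed:
            return attr
    return None


def check_permission_attrs(objectclasses, attrs):
    """The permission-add check: reject attrs outside the type's schema,
    otherwise return them normalised to lowercase as the plugin stores them."""
    bad = first_disallowed(objectclasses, attrs)
    if bad is not None:
        raise ObjectclassViolation(
            "attribute %r is not allowed by objectclass(es) %s"
            % (bad, ", ".join(objectclasses)))
    return [a.lower() for a in attrs]


if __name__ == "__main__":
    # The case from the added unit test: owner/businessCategory come from
    # the superior groupofnames, not from ipahostgroup itself.
    print(check_permission_attrs(["ipahostgroup"],
                                 ["businessCategory", "owner", "description"]))
    print(first_disallowed(["ipahostgroup"], ["cn", "userPassword"]))
```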
[Freeipa-devel] [PATCH] 18 Typos in FreeIPA messages
https://fedorahosted.org/freeipa/ticket/2526 Rebased patch sent by Yuri Chornoivan (yurc...@ukr.net). Fixes 'occured' and 'commond' typos in FreeIPA messages. Longtitude/Longitude typo was already corrected in patch for ticket #2382 https://fedorahosted.org/freeipa/ticket/2382. -- Regards, Ondrej Hamada FreeIPA team jabber: oh...@jabbim.cz IRC: ohamada From 8cdd8d2000167a1db924f3eb73d50555ffc32768 Mon Sep 17 00:00:00 2001 From: Ondrej Hamada oham...@redhat.com Date: Wed, 14 Mar 2012 13:16:29 +0100 Subject: [PATCH] Typos in FreeIPA messages Rebased patch sent by Yuri Chornoivan (yurc...@ukr.net). Fixes 'occured' and 'commond' typos in FreeIPA messages. https://fedorahosted.org/freeipa/ticket/2526 --- install/ui/test/data/ipa_init.json |4 ++-- ipalib/plugins/internal.py |2 +- ipalib/plugins/selinuxusermap.py |2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/install/ui/test/data/ipa_init.json b/install/ui/test/data/ipa_init.json index 0182aab733a5541d3149ea582bd975faf04db10a..1010cbfd68d99b81ebcf452f0a95bb8affc134cc 100644 --- a/install/ui/test/data/ipa_init.json +++ b/install/ui/test/data/ipa_init.json @@ -208,7 +208,7 @@ ptr_redir_zone: Zone found: ${zone}, ptr_redir_zone_err: Target reverse zone not found., ptr_redir_zones: Fetching DNS zones., -ptr_redir_zones_err: An error occurd while fetching dns zones., +ptr_redir_zones_err: An error occurred while fetching dns zones., redirection_dnszone: You will be redirected to DNS Zone., standard: Standard Record Types, title: Records for DNS Zone, @@ -608,4 +608,4 @@ } ] } -} \ No newline at end of file +} diff --git a/ipalib/plugins/internal.py b/ipalib/plugins/internal.py index deff866eee1c073f3f786686fd2e74f9261ba6b4..bad75aeac32f2f6409ba36fe5ffe83a53f8b2b72 100644 --- a/ipalib/plugins/internal.py +++ b/ipalib/plugins/internal.py 
@@ -345,7 +345,7 @@ class i18n_messages(Command): ptr_redir_zone: _(Zone found: ${zone}), ptr_redir_zone_err: _(Target reverse zone not found.), ptr_redir_zones: _(Fetching DNS zones.), -ptr_redir_zones_err: _(An error occurd while fetching dns zones.), +ptr_redir_zones_err: _(An error occurred while fetching dns zones.), redirection_dnszone: _(You will be redirected to DNS Zone.), standard: _(Standard Record Types), title: _(Records for DNS Zone), diff --git a/ipalib/plugins/selinuxusermap.py b/ipalib/plugins/selinuxusermap.py index ee9a8133f8bd8f164cab3337714a7dec8d3aa05f..e33e1016192d62312aa5f4f0dcdbafea23327216 100644 --- a/ipalib/plugins/selinuxusermap.py +++ b/ipalib/plugins/selinuxusermap.py @@ -65,7 +65,7 @@ EXAMPLES: SEEALSO: The list controlling the order in which the SELinux user map is applied - and the default SELinux user are available in the config-show commond. + and the default SELinux user are available in the config-show command. ) notboth_err = _('HBAC rule and local members cannot both be set') -- 1.7.6.5 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
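Review bot: the second ipa_init.json hunk (@@ -608,4 +608,4 @@) only adds the missing newline at end of file; that is unrelated to the 'occured'/'commond' typo fix described in the commit message and should either be mentioned there or split out so the history stays searchable. The ptr_redir_zones_err string is changed identically in ipa_init.json and in internal.py, which keeps the UI test data in sync with the server-side i18n source; good.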
Re: [Freeipa-devel] [PATCH] 16 Netgroup nisdomain and hosts validation
On 03/09/2012 04:34 PM, Martin Kosek wrote:

On Thu, 2012-03-08 at 14:52 +0100, Ondrej Hamada wrote:

Netgroup nisdomain and hosts validation

nisdomain validation:
Added pattern to the 'nisdomain' parameter to validate the specified nisdomain name. According to most common use cases the same pattern as for netgroup should fit. Unit-tests added.
https://fedorahosted.org/freeipa/ticket/2447

hosts validation:
Added precallback to netgroup_add_member. It validates the specified hostnames and raises ValidationError exception for invalid hostnames. Unit-test added.
https://fedorahosted.org/freeipa/ticket/2448

I checked the host validation part and it could be improved. Issue described in #2447 (you have switched the ticket IDs) affects all objects that allow external hosts, users, ..., i.e. those who call add_external_post_callback in their post_callback. Should we fix all of these when we deal with this issue? Otherwise user could do something like this:

    # ipa sudorule-add-user foo --users=a+b
    Rule name: foo
    Enabled: TRUE
    External User: a+b

We could create a similar function called add_external_pre_callback() and pass it attribute name and validating function (which would be common with the linked object). It would then do the validation for all these affected objects consistently and without redundant code.

I didn't like much the implemented pre_callback anyway

+def pre_callback(self, ldap, dn, found, not_found, *keys, **options): +# validate entered hostnames +if 'host' in options: +invalid_hostnames=[] +for hostname in options['host']: +try: +validate_hostname(hostname, False) +except ValueError: +invalid_hostnames.append(hostname) +if invalid_hostnames: +raise errors.ValidationError(name='host', error='hostnames:\%s\ contain invalid characters' % ','.join(invalid_hostnames)) +return dn

I would rather raise the ValidationError with the first invalid hostname and tell what's wrong (function validate_hostname tells it to you).

If you go with the proposed approach, you wouldn't have to deal with formatting error messages, you would just raise the one returned by the validator shared with the linked LDAP object (hostname, user, ...).

Martin

external_pre_callback function seems as a good idea, but there is a problem how to get the validators for various LDAP objects. For the hostname we already have one in ipalib.utils, but for the uid or group name we use only patterns specified in the parameter objects. Below I propose a solution how to use the already defined parameter objects for validation (the only problem is that I have to assume that it is always the first parameter in takes_params). Do you think this is a good approach?

    def add_external_pre_callback(memberattr, membertype, externalattr, ldap, dn, found, not_found, *keys, **options):
        """Pre callback to validate external members."""
        if membertype in options:
            validator = api.Object[membertype].takes_params[0]
            for value in options[membertype]:
                try:
                    validator(value)
                except errors.ValidationError as e:
                    error_msg = e[(e.find(':')+1):]
                    raise errors.ValidationError(name=membertype, error=e[e.find(':')+1:])
        return dn

--
Regards,
Ondrej Hamada
FreeIPA team
jabber: oh...@jabbim.cz
IRC: ohamada

___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
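As an added example (not FreeIPA's code, and not the patch from this thread) of the shared-validator approach proposed above, the following constructed Python reuses the linked object's key parameter (looked up as params[memberattr], as the reviewer suggests later in the thread) to validate external members, and re-raises with the validator's own e.error instead of parsing the message. ValidationError, Str, LDAPObject, the OBJECTS registry and both regexes are simplified stand-ins assumed by the example; NAME_PATTERN is the netgroup pattern shown in the API.txt hunk of this thread.

```python
import re


class ValidationError(Exception):
    """Stand-in for ipalib.errors.ValidationError: carries the option name
    and the validator's message, so callers never parse str(e)."""

    def __init__(self, name, error):
        super().__init__("invalid '%s': %s" % (name, error))
        self.name = name
        self.error = error


class Str:
    """Minimal stand-in for ipalib.parameters.Str: a named parameter whose
    validation is a regular expression plus an error message."""

    def __init__(self, name, pattern, pattern_errmsg, primary_key=False):
        self.name = name
        self.regex = re.compile(pattern)
        self.pattern_errmsg = pattern_errmsg
        self.primary_key = primary_key

    def __call__(self, value):
        if not self.regex.match(value):
            raise ValidationError(name=self.name, error=self.pattern_errmsg)
        return value


class LDAPObject:
    """Stand-in for an ipalib LDAPObject: exposes takes_params by name."""

    def __init__(self, name, takes_params):
        self.name = name
        self.params = {p.name: p for p in takes_params}


# Constructed patterns. NAME_PATTERN is the netgroup/nisdomain pattern from
# the thread's API.txt hunk; FQDN_PATTERN approximates "fully qualified,
# underscores allowed" and is NOT FreeIPA's validate_hostname.
NAME_PATTERN = r'^[a-zA-Z0-9_.][a-zA-Z0-9_.-]+$'
NAME_ERRMSG = 'may only include letters, numbers, _, -, and .'
FQDN_PATTERN = r'^[a-zA-Z0-9_][a-zA-Z0-9_-]*(\.[a-zA-Z0-9_][a-zA-Z0-9_-]*)+\.?$'
FQDN_ERRMSG = 'must be a fully qualified domain name'

# Registry standing in for api.Object, holding the external member types
# that netgroup, hbacrule and sudorule accept.
OBJECTS = {
    'user': LDAPObject('user', [Str('uid', NAME_PATTERN, NAME_ERRMSG, primary_key=True)]),
    'group': LDAPObject('group', [Str('cn', NAME_PATTERN, NAME_ERRMSG, primary_key=True)]),
    'host': LDAPObject('host', [Str('fqdn', FQDN_PATTERN, FQDN_ERRMSG, primary_key=True)]),
}


def add_external_pre_callback(memberattr, membertype, options):
    """Validate every value of options[membertype] with the key parameter of
    the linked object (api.Object[membertype].params[memberattr]) before the
    LDAP modify runs, so an external member such as 'a+b' is rejected with
    the same message the linked object's own -add command would give.
    The error is re-raised under the option name (e.g. 'user')."""
    values = options.get(membertype, ())
    if isinstance(values, str):
        values = (values,)
    validator = OBJECTS[membertype].params[memberattr]
    for value in values:
        try:
            validator(value)
        except ValidationError as e:
            raise ValidationError(name=membertype, error=e.error)
    return options


def validation_failure(memberattr, membertype, options):
    """Helper: (name, error) of the first rejected value, or None if all pass."""
    try:
        add_external_pre_callback(memberattr, membertype, options)
    except ValidationError as e:
        return (e.name, e.error)
    return None


if __name__ == '__main__':
    # The reviewer's example: `ipa sudorule-add-user foo --users=a+b`
    print(validation_failure('uid', 'user', {'user': ['a+b']}))
    print(validation_failure('fqdn', 'host', {'host': ['www.example.test', 'www']}))
```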
Re: [Freeipa-devel] More types of replica in FreeIPA
On 03/08/2012 04:54 PM, Dmitri Pal wrote:

On 03/06/2012 01:30 PM, Ondrej Hamada wrote:

On 03/06/2012 05:47 PM, Dmitri Pal wrote:

On 03/06/2012 10:59 AM, Simo Sorce wrote:

On Tue, 2012-03-06 at 10:56 -0500, Dmitri Pal wrote:

[...]

For a read-only KDC we need to investigate what's the better solution. There are many ways we can handle the issue, one of the simplest is probably to allow the RO KDC to use a special LDAP Extended operation against a full R/W server to get the user keys to sign, authenticating with a special R/O KDC principal. We can also investigate how MS does internal forwarding and do something similar as I suspect that's something samba4-RODC will want to implement too, so we could share some of the development burden there.

Simo.

I do not think it is a good idea for the remote RO KDC to go back to the main datacenter on every authentication without some sort of caching. This is why I think that some kind of SSSD integration might be due. If RO KDC would just pass the authentication to SSSD in some way and SSSD would do the caching in case the office gets offline. I understand that authhub as is will not work as the client sends time stamp encrypted with password and SSSD needs plain text password as credential. I do not know if there is a way to solve this without actually sending the password in the tunnel. IMO it is more important to make sure that remote office can have uninterrupted operation than to worry about the password being sent inside the encrypted tunnel. It is something that deployment should decide and weigh risks against convenience.

This is why MS does partial replication, ie allows the RODC to have data about the office users. It's complex and there are many ways to handle it. We need to look at various options and see how they would work against use cases we want to support.

Simo.

Then maybe Ondrej should start with formulating use cases and requirements based on this discussion.

I see three possible use cases here, but only two should be considered when speaking about consumer node:

1) The office that should rely on that replica is quite a big one (hundreds of employees) or many different users are authenticating against its replica or there are located admins, who need to do a lot of write-operations.
-- In this case I suppose the best solution is to deploy master replica there.

2) Office that doesn't fulfil the conditions in 1) - not a desperate need for write-operations on ipa-server, but the priority is to allow (some) clients to authenticate and use available services even when the network is down.
-- We need a consumer with credentials caching, authentication requests for non-cached users or write operations must be forwarded to master.

3) Office that doesn't fulfil the conditions in 1), but the priority is security, so that the consumer is not allowed to store or cache any confidential data.
-- We need a consumer, authentications and write operations must be forwarded to master.

If we choose the second use case, both the caching and request forwarding must be implemented. I suppose that there shouldn't be big problem to decide during the installation to turn the caching off by some option like '-no-caching' so that the consumer could be used for the third use case as well.

Can you please now create a set of usage scenarios for the 2) and 3). User logs in and he is in cache, he is not in cache, he is redirected and data is cached, he failed and account lockout data is updated locally or on the other server? Admin tries to perform an IPA command or ldapmodify command - what happens? Can those work flows be spelled out in details for caching and non use cases?

I'll start with the usage scenario for 3), it's shorter:

All write operations and authentication requests are forwarded to the master.

Operations when connection is OK:
- read - local
- write - forwarding to master
- authentication - forwarding to master

Operations when connection is BROKEN:
- read - local (only until ticket expires)
- write - not available
- authentication - not available

Usage scenario for 2):

USER'S operations when connection is OK:
- read data - local
- write data - forwarding to master
- authentication:
  - credentials cached -- authenticate against credentials in local cache
    - on failure: log failure locally, update data about failures only on lock-down of account
  - credentials not cached -- forward request to master, on success cache the credentials

USER'S operations when connection is BROKEN:
- read data - local
- write data - not available
- authentication:
  - credentials cached -- authenticate against credentials in local cache
    - on failure: log failure locally, on lock-down lock account locally and update
[Freeipa-devel] [PATCH] 17 More exception handlers in ipa-client-install
https://fedorahosted.org/freeipa/ticket/2415 https://fedorahosted.org/freeipa/ticket/1995 Added exception handler to certutil operation of adding CA to the default NSS database. If operation fails, installation is aborted and changes are rolled back. #2415 If obtaining host TGT fails, the installation is aborted and changes are rolled back. #1995 -- Regards, Ondrej Hamada FreeIPA team jabber: oh...@jabbim.cz IRC: ohamada From e3e556d68f4f04df5ca948341d6b8c0384df47b6 Mon Sep 17 00:00:00 2001 From: Ondrej Hamada oham...@redhat.com Date: Fri, 9 Mar 2012 13:04:23 +0100 Subject: [PATCH] More exception handlers in ipa-client-install Added exception handler to certutil operation of adding CA to the default NSS database. If operation fails, installation is aborted and changes are rolled back. https://fedorahosted.org/freeipa/ticket/2415 If obtaining host TGT fails, the installation is aborted and changes are rolled back. https://fedorahosted.org/freeipa/ticket/1995 --- ipa-client/ipa-install/ipa-client-install |9 - 1 files changed, 8 insertions(+), 1 deletions(-) diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index 22c6a925672b1e5e769bf09eaf49e48988bbea41..604283ae4da3ac2e668d9475a77f7053d5bc0ab2 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -1337,7 +1337,11 @@ def install(options, env, fstore, statestore): print Configured /etc/sssd/sssd.conf # Add the CA to the default NSS database and trust it -run([/usr/bin/certutil, -A, -d, /etc/pki/nssdb, -n, IPA CA, -t, CT,C,C, -a, -i, /etc/ipa/ca.crt]) +try: +run([/usr/bin/certutil, -A, -d, /etc/pki/nssdb, -n, IPA CA, -t, CT,C,C, -a, -i, /etc/ipa/ca.crt]) +except CalledProcessError, e: +print sys.stderr, Failed to add CA to the default NSS database. +return CLIENT_INSTALL_ERROR # If on master assume kerberos is already configured properly. if not options.on_master: 
@@ -1354,6 +1358,9 @@ def install(options, env, fstore, statestore): api.Backend.xmlclient.connect() except CalledProcessError, e: print sys.stderr, Failed to obtain host TGT. +# fail to obtain ticket makes it impossible to login and bind from sssd to LDAP, +# abort installation and rollback changes +return CLIENT_INSTALL_ERROR if not options.on_master: client_dns(cli_server, hostname, options.dns_updates) -- 1.7.6.5 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
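Review bot: neither hunk performs the rollback that the commit message promises; both just `return CLIENT_INSTALL_ERROR` from install(). That is correct only if the caller uninstalls on that return value, which this diff does not show, so please confirm it or reference the caller in the commit message. In the first hunk the caught exception `e` is unused, so the reason certutil failed (return code, stderr) is lost; include it in the message printed to stderr, as the operator otherwise has no way to tell a missing /etc/ipa/ca.crt from a broken /etc/pki/nssdb. The comment in the second hunk should read 'failing to obtain the ticket makes it impossible to log in and to bind from sssd to LDAP'.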
[Freeipa-devel] [PATCH] 16 Netgroup nisdomain and hosts validation
Netgroup nisdomain and hosts validation nisdomain validation: Added pattern to the 'nisdomain' parameter to validate the specified nisdomain name. According to most common use cases the same patter as for netgroup should fit. Unit-tests added. https://fedorahosted.org/freeipa/ticket/2447 hosts validation: Added precallback to netgroup_add_member. It validates the specified hostnames and raises ValidationError exception for invalid hostnames. Unit-test added. https://fedorahosted.org/freeipa/ticket/2448 -- Regards, Ondrej Hamada FreeIPA team jabber: oh...@jabbim.cz IRC: ohamada From a796dbb1eea83ecbc1442f5f062f54183b8bbdf3 Mon Sep 17 00:00:00 2001 From: Ondrej Hamada oham...@redhat.com Date: Thu, 8 Mar 2012 14:50:14 +0100 Subject: [PATCH] Netgroup nisdomain and hosts validation nisdomain validation: Added pattern to the 'nisdomain' parameter to validate the specified nisdomain name. According to most common use cases the same patter as for netgroup should fit. Unit-tests added. https://fedorahosted.org/freeipa/ticket/2447 hosts validation: Added precallback to netgroup_add_member. It validates the specified hostnames and raises ValidationError exception for invalid hostnames. Unit-test added. https://fedorahosted.org/freeipa/ticket/2448 --- API.txt |6 ++-- VERSION |2 +- ipalib/plugins/netgroup.py| 22 tests/test_xmlrpc/test_netgroup_plugin.py | 39 + 4 files changed, 65 insertions(+), 4 deletions(-) diff --git a/API.txt b/API.txt index f21dce7a81079a5f214ecb6a8e451eca4237af2e..d0e04ef754d86a62aa1c3be818c29c381c4bc3ea 100644 --- a/API.txt +++ b/API.txt 
@@ -1920,7 +1920,7 @@ command: netgroup_add args: 1,9,3 arg: Str('cn', attribute=True, cli_name='name', multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]+$', pattern_errmsg='may only include letters, numbers, _, -, and .', primary_key=True, required=True) option: Str('description', attribute=True, cli_name='desc', multivalue=False, required=True) -option: Str('nisdomainname', attribute=True, cli_name='nisdomain', multivalue=False, required=False) +option: Str('nisdomainname', attribute=True, cli_name='nisdomain', multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]+$', pattern_errmsg='may only include letters, numbers, _, -, and .', required=False) option: StrEnum('usercategory', attribute=True, cli_name='usercat', multivalue=False, required=False, values=(u'all',)) option: StrEnum('hostcategory', attribute=True, cli_name='hostcat', multivalue=False, required=False, values=(u'all',)) option: Str('setattr*', cli_name='setattr', exclude='webui') 
@@ -1957,7 +1957,7 @@ args: 1,26,4 arg: Str('criteria?', noextrawhitespace=False) option: Str('cn', attribute=True, autofill=False, cli_name='name', multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]+$', pattern_errmsg='may only include letters, numbers, _, -, and .', primary_key=True, query=True, required=False) option: Str('description', attribute=True, autofill=False, cli_name='desc', multivalue=False, query=True, required=False) -option: Str('nisdomainname', attribute=True, autofill=False, cli_name='nisdomain', multivalue=False, query=True, required=False) +option: Str('nisdomainname', attribute=True, autofill=False, cli_name='nisdomain', multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]+$', pattern_errmsg='may only include letters, numbers, _, -, and .', query=True, required=False) option: Str('ipauniqueid', attribute=True, autofill=False, cli_name='uuid', multivalue=False, query=True, required=False) option: StrEnum('usercategory', attribute=True, autofill=False, cli_name='usercat', multivalue=False, query=True, required=False, values=(u'all',)) option: StrEnum('hostcategory', attribute=True, autofill=False, cli_name='hostcat', multivalue=False, query=True, required=False, values=(u'all',)) 
@@ -1989,7 +1989,7 @@ command: netgroup_mod args: 1,11,3 arg: Str('cn', attribute=True, cli_name='name', multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]+$', pattern_errmsg='may only include letters, numbers, _, -, and .', primary_key=True, query=True, required=True) option: Str('description', attribute=True, autofill=False, cli_name='desc', multivalue=False, required=False) -option: Str('nisdomainname', attribute=True, autofill=False, cli_name='nisdomain', multivalue=False, required=False) +option: Str('nisdomainname', attribute=True, autofill=False, cli_name='nisdomain', multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]+$', pattern_errmsg='may only include letters, numbers, _, -, and .', required=False) option: StrEnum('usercategory', attribute=True, autofill=False, cli_name='usercat', multivalue=False, required=False, values=(u'all',)) option: StrEnum('hostcategory', attribute=True, autofill=False, cli_name='hostcat', multivalue=False, required=False, values=(u'all',)) option: Str('setattr*', cli_name='setattr', exclude
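Review bot: the pattern '^[a-zA-Z0-9_.][a-zA-Z0-9_.-]+$' copied from the netgroup name requires at least two characters, so a one-character NIS domain name is rejected; if that is intended, say so in the commit message, otherwise use '*' for the second class. The pattern_errmsg 'may only include letters, numbers, _, -, and .' also does not say that '-' cannot be the first character, which is what the leading class actually enforces and the more likely surprise for users. The three API.txt hunks are generated output and must match the Param change in ipalib/plugins/netgroup.py listed in the diffstat but not visible here; the VERSION bump in the diffstat is the right accompaniment to an API.txt change.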
[Freeipa-devel] [PATCH] 15 Confusing default user groups
https://fedorahosted.org/freeipa/ticket/2354 There was added '(fallback)' string in the automember plugin labels referring to automember default groups to point out, that the users are already members of default group specified in IPA config, thus the default group specified in automember will be additional one - a fallback group. -- Regards, Ondrej Hamada FreeIPA team jabber:oh...@jabbim.cz IRC: ohamada From d0cb34a172b23806e6047f85d668e478ae96c4f2 Mon Sep 17 00:00:00 2001 From: Ondrej Hamada oham...@redhat.com Date: Tue, 6 Mar 2012 12:00:34 +0100 Subject: [PATCH] Confusing default user groups Added 'fallback' into the labels for default automember group and hostgroup. https://fedorahosted.org/freeipa/ticket/2354 --- ipalib/plugins/automember.py| 33 +++--- tests/test_xmlrpc/test_automember_plugin.py |6 ++-- 2 files changed, 22 insertions(+), 17 deletions(-) diff --git a/ipalib/plugins/automember.py b/ipalib/plugins/automember.py index fabc9bb35a3803475ee1647aea264e29ea8a6f20..216351a07fc317b2876e360fe0cb3cda9527623f 100644 --- a/ipalib/plugins/automember.py +++ b/ipalib/plugins/automember.py @@ -33,12 +33,17 @@ or exclusive regex paterns, you can automatically assign a new entries into a group or hostgroup based upon attribute information. A rule is directly associated with a group by name, so you cannot create -a rule without an accompanying group or hostgroup +a rule without an accompanying group or hostgroup. A condition is a regular expression used by 389-ds to match a new incoming entry with an automember rule. If it matches an inclusive rule then the entry is added to the appropriate group or hostgroup. +A default group or hostgroup could be specified for entries that do not +match any rule. In case of user entries this group will be a fallback group +because all users are by default members of group specified in IPA config. + + EXAMPLES: Add the initial group or hostgroup: 
@@ -80,15 +85,15 @@ EXAMPLES: Modify the automember rule: ipa automember-mod - Set the default target group: + Set the default (fallback) target group: ipa automember-default-group-set --default-group=webservers --type=hostgroup ipa automember-default-group-set --default-group=ipausers --type=group - Remove the default target group: + Remove the default (fallback) target group: ipa automember-default-group-remove --type=hostgroup ipa automember-default-group-remove --type=group - Show the default target group: + Show the default (fallback) target group: ipa automember-default-group-show --type=hostgroup ipa automember-default-group-show --type=group @@ -500,18 +505,18 @@ api.register(automember_show) class automember_default_group_set(LDAPUpdate): __doc__ = _( -Set default group for all unmatched entries. +Set default (fallback) group for all unmatched entries. ) takes_options = ( Str('automemberdefaultgroup', cli_name='default_group', -label=_('Default Group'), -doc=_('Default group for entires to land'), +label=_('Default (fallback) Group'), +doc=_('Default (fallback) group for entires to land'), flags=['no_create', 'no_update'] ), ) + group_type -msg_summary = _('Set default group for automember %(value)s') +msg_summary = _('Set default (fallback) group for automember %(value)s') def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): dn = DN(('cn', options['type']), api.env.container_automember) @@ -529,11 +534,11 @@ api.register(automember_default_group_set) class automember_default_group_remove(LDAPUpdate): __doc__ = _( -Remove default group for all unmatched entries. +Remove default (fallback) group for all unmatched entries. ) takes_options = group_type -msg_summary = _('Removed default group for automember %(value)s') +msg_summary = _('Removed default (fallback) group for automember %(value)s') def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): dn = DN(('cn', options['type']), api.env.container_automember) 
@@ -545,14 +550,14 @@ class automember_default_group_remove(LDAPUpdate): ) if attr not in entry_attrs_: -raise errors.NotFound(reason=_(u'No default group set')) +raise errors.NotFound(reason=_(u'No default (fallback) group set')) else: entry_attrs[attr] = [] return dn def post_callback(self, ldap, dn, entry_attrs, *keys, **options): if 'automemberdefaultgroup' not in entry_attrs: -entry_attrs['automemberdefaultgroup'] = u'No default group set' +entry_attrs['automemberdefaultgroup'] = u'No default (fallback) group set' return dn def execute(self, *keys, **options): @@ -565,7 +570,7 @@ api.register(automember_default_group_remove) class
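Review bot: in the automember_default_group_set hunk (@@ -500,18 +505,18 @@) the new doc string keeps the typo 'entires' ('Default (fallback) group for entires to land'); fix it while touching the line. In the post_callback hunk (@@ -545,14 +550,14 @@), u'No default (fallback) group set' is a user-visible message that is not wrapped in _(), so it is not translatable, unlike the NotFound reason just above it. In the module docstring hunk, 'could be specified' reads better as 'can be specified'.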
Re: [Freeipa-devel] More types of replica in FreeIPA
On 03/06/2012 05:47 PM, Dmitri Pal wrote: On 03/06/2012 10:59 AM, Simo Sorce wrote: On Tue, 2012-03-06 at 10:56 -0500, Dmitri Pal wrote: [...] For a read-only KDC we need to investigate what's the better solution. There are many ways we can handle the issue, one of the simplest is probably to allow the RO KDC to use a special LDAP Extended operation against a full R/W server to get the user keys to sign, authenticating with a special R/O KDC principal. We can also investigate how MS does internal forwarding and do something similar as I suspect that's something samba4-RODC will want to implement too, so we could share some of the development burden there. Simo. I do not think it is a good idea for the remote RO KDC to go back to the main datacenter on every authentication without some sort of caching. This is why I think that some kind of SSSD integration might be due. If RO KDC would just pass the authentication to SSSD in some way and SSSD would do the caching in case the office gets offline. I understand that authhub as is will not work as the client sends time stamp encrypted with password and SSSD needs plain text password as credential. I do not know if there is a way to solve this without actually sending the password in the tunnel. IMO it is more important to make sure that remote office can have uninterrupted operation than to worry about the password being sent inside the encrypted tunnel. It is something that deployment should decide and weight risks against convenience. This is why MS does partial replication, ie allows the RODC to have data about the office users. It's complex and there are many ways to handle it. We need to look at various options and see how they would work against uses cases we want to support. Simo. Then may be Ondrej should start with formulating use cases and requirements based on this discussion. 
I see three possible use cases here, but only two should be considered when speaking about a consumer node:

1) The office that should rely on that replica is quite a big one (hundreds of employees), or many different users are authenticating against its replica, or admins are located there who need to do a lot of write operations.
-- In this case I suppose the best solution is to deploy a master replica there.

2) An office that doesn't fulfil the conditions in 1) - there is no desperate need for write operations on the ipa-server, but the priority is to allow (some) clients to authenticate and use the available services even when the network is down.
-- We need a consumer with credential caching; authentication requests for non-cached users and write operations must be forwarded to a master.

3) An office that doesn't fulfil the conditions in 1), but the priority is security, so the consumer is not allowed to store or cache any confidential data.
-- We need a consumer; authentications and write operations must be forwarded to a master.

If we choose the second use case, both caching and request forwarding must be implemented. I suppose there shouldn't be a big problem with deciding during the installation to turn caching off by some option like '--no-caching', so that the consumer could be used for the third use case as well.

-- Regards, Ondrej Hamada FreeIPA team jabber: oh...@jabbim.cz IRC: ohamada ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 14 ipa permission-add does not fail if using invalid attribute
On 02/28/2012 09:57 PM, Rob Crittenden wrote: Ondrej Hamada wrote: On 02/27/2012 03:22 PM, Rob Crittenden wrote: Ondrej Hamada wrote: When adding or modifying permission with both type and attributes specified, check whether the attributes are allowed for specified type. In case of disallowed attributes the InvalidSyntax error is raised. New tests were also added to the unit-tests. https://fedorahosted.org/freeipa/ticket/2293 NACK. You should use obj.object_class_config to determine if the default list of objectclasses comes from LDAP. I think that may be it, otherwise the patch reads ok. I'm very glad to see unit tests! rob Corrected Sorry, found a couple more things I should have found in the first review. Please use the dn module to construct dn_ipaconfig. Or you can also get the DN on-the-fly since the config object using get_dn(). Probably just as safe to call: if obj.object_class_config: ... rather than hasattr. I suppose it's just a style thing. Done. I wonder if ObjectclassViolation is a better exception. SyntaxError means the data type is wrong, not that it isn't allowed. I agree that it makes more sense and I've updated the patch that way, but the documentation says: permission operation fails with schema syntax errors - maybe we should also update the documentation. rob -- Regards, Ondrej Hamada FreeIPA team jabber: oh...@jabbim.cz IRC: ohamada From 1f98c50a64cfa5f564ac77f60796d952f2d44edf Mon Sep 17 00:00:00 2001 
From: Ondrej Hamada oham...@redhat.com Date: Wed, 29 Feb 2012 11:40:31 +0100 Subject: [PATCH] Validate attributes in permission-add When adding or modifying permission with both type and attributes specified, check whether the attributes are allowed for specified type. In case of disallowed attributes raises the ObjectclassViolation exception. New tests were also added to the unit-tests. https://fedorahosted.org/freeipa/ticket/2293 --- ipalib/plugins/permission.py| 55 ++ tests/test_xmlrpc/test_permission_plugin.py | 65 +++ 2 files changed, 120 insertions(+), 0 deletions(-) diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py index 08781ce2ef3df30d10565a071a338edf77c52d23..c9fd5649f338b5c92b86e471fb817b9d964084d3 100644 --- a/ipalib/plugins/permission.py +++ b/ipalib/plugins/permission.py @@ -23,6 +23,7 @@ from ipalib import api, _, ngettext from ipalib import Flag, Str, StrEnum from ipalib.request import context from ipalib import errors +from ipalib.dn import DN __doc__ = _( Permissions 
@@ -89,6 +90,43 @@ output_params = ( ), ) +dn_ipaconfig = str(DN('cn=ipaconfig,cn=etc,%s' % api.env.basedn)) + +def check_attrs(attrs, type): +# Trying to delete attributes - no need for validation +if attrs is None: +return True +allowed_objcls=[] +disallowed_objcls=[] +obj=api.Object[type] + +if obj.object_class_config: +(dn,objcls)=api.Backend.ldap2.get_entry( +dn_ipaconfig,[obj.object_class_config] +) +allowed_objcls=objcls[obj.object_class_config] +else: +allowed_objcls=obj.object_class +if obj.possible_objectclasses: +allowed_objcls+=obj.possible_objectclasses +if obj.disallow_object_classes: +disallowed_objcls=obj.disallow_object_classes + +allowed_attrs=[] +disallowed_attrs=[] +if allowed_objcls: +allowed_attrs=api.Backend.ldap2.get_allowed_attributes(allowed_objcls) +if disallowed_objcls: +disallowed_attrs=api.Backend.ldap2.get_allowed_attributes(disallowed_objcls) +failed_attrs=[] +for attr in attrs: +if (attr not in allowed_attrs) or (attr in disallowed_attrs): +failed_attrs.append(attr) +if failed_attrs: +raise errors.ObjectclassViolation(info='attribute(s) \%s\ not allowed' % ','.join(failed_attrs)) +return True + + class permission(LDAPObject): Permission object. @@ -192,6 +230,8 @@ class permission_add(LDAPCreate): opts['permission'] = keys[-1] opts['aciprefix'] = ACI_PREFIX try: +if 'type' in entry_attrs and 'attrs' in entry_attrs: +check_attrs(entry_attrs['attrs'],entry_attrs['type']) self.api.Command.aci_add(keys[-1], **opts) except Exception, e: raise e @@ -273,6 +313,21 @@ class permission_mod(LDAPUpdate): except errors.NotFound: self.obj.handle_not_found(*keys) +# check the correctness of attributes only when the type is specified +type=None +attrs_to_check=[] +current_values=self.api.Command.permission_show(attrs['cn'][0])['result'] +if 'type' in entry_attrs: +type = entry_attrs['type'] +elif 'type' in current_values: +type = current_values['type'] +if 'attrs' in entry_attrs
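Review bot: in the check_attrs hunk, `allowed_objcls=obj.object_class` followed by `allowed_objcls+=obj.possible_objectclasses` extends the plugin's own `object_class` list in place (`+=` on a list is an extend), so every call for a type without `object_class_config` permanently appends `possible_objectclasses` to that LDAPObject for the rest of the process; copy it first (`allowed_objcls = list(obj.object_class)`) or build a new list with `+`. While there, compare attribute names case-insensitively (LDAP attribute names are case-insensitive, so `CN` should not be rejected where `cn` is accepted), and rename the `type` parameter, which shadows the builtin.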
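Review bot: in the permission_add hunk, the new `check_attrs(entry_attrs['attrs'],entry_attrs['type'])` call sits inside the existing `try: ... except Exception, e: raise e` block, so an ObjectclassViolation is caught and re-raised from the except clause and the original traceback is lost; run the check before the `try` (ideally before `opts` is assembled) so validation failures surface directly and no ACI work is started for a request that will be rejected.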
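Review bot: the permission_mod hunk calls `self.api.Command.permission_show(attrs['cn'][0])` from inside pre_callback, which re-dispatches a whole command (its own ACI lookup and output processing included) just to learn the current `type` and `attrs`; the permission name is already available as `keys[-1]`, and reading the ACI directly avoids coupling this check to permission_show's output format. The local named `type` shadows the builtin here as well.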
Re: [Freeipa-devel] [PATCH] 12 When migrating warn user if compat is enabled
On 02/28/2012 10:52 PM, Rob Crittenden wrote: Ondrej Hamada wrote: On 02/27/2012 09:47 PM, Rob Crittenden wrote: Ondrej Hamada wrote: On 02/21/2012 02:32 PM, Ondrej Hamada wrote: On 02/20/2012 06:53 PM, Rob Crittenden wrote: Ondrej Hamada wrote: https://fedorahosted.org/freeipa/ticket/2274 Added check into migration plugin to warn user when compat is enabled. If compat is enabled, the migration fails and user is warned that he must turn the compat off or run the script with (the newly introduced) option '--compat'. '--compat' is just a flag, by default set to false. If it is set, the compat check is skipped. Interesting approach. I think this is probably good, preventing migration when the compat plugin is enabled unless you specifically decide to. I think the option may need another name, maybe --with-compat or something. I think in the message we should use enabled instead of on. That is the language of ipa-compat-manage. The migration help should have a discussion of why this is a problem too, and what compat really is (provides a different view of the data to be compatible with non RFC2703bis systems). rob corrected Ondra I forgot to update the commit message about the change of flag name. Corrected patch attached. This works ok it just seems to be making an assumption on the client when to print this. I think a similar value like enabled needs to be created to explicitly say why we are returning. rob sorry for that, value created Ondra I think you need to define better what compat means in the output, it could be very confusing. You can return a value for it without testing whether it is actually a problem or not. I think what compat is supposed to mean is Am I failing because of compat and not an indication of whether compat is enabled or not. Some documentation at a minimum should be added. It otherwise seems to work ok. 
rob You could return a value for compat here without I've updated the description of 'compat' value in output and also changed the condition when this value is set to False. Now it is set to False only when the migration fails because of compatibility plugin. -- Regards, Ondrej Hamada FreeIPA team jabber: oh...@jabbim.cz IRC: ohamada From f88df9859c1ea7a04a63b3c9d18d561c8aeee75d Mon Sep 17 00:00:00 2001 From: Ondrej Hamada oham...@redhat.com Date: Wed, 29 Feb 2012 15:21:24 +0100 Subject: [PATCH] Migration warning when compat enabled Added check into migration plugin to warn user when compat is enabled. If compat is enabled, the migration fails and user is warned that he must turn the compat off or run the script with (the newly introduced) option '--with-compat'. '--with-compat' is new flag. If it is set, the compat status is ignored. https://fedorahosted.org/freeipa/ticket/2274 --- API.txt |4 +++- VERSION |2 +- ipalib/plugins/migration.py | 34 -- 3 files changed, 36 insertions(+), 4 deletions(-) diff --git a/API.txt b/API.txt index 548fc93d48128aab5cebd60dda7fd304b569785b..a44e391e2ab79cb566455def3299ed25714e 100644 --- a/API.txt +++ b/API.txt @@ -1893,7 +1893,7 @@ output: Output('summary', (type 'unicode', type 'NoneType'), None) output: Entry('result', type 'dict', Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) output: Output('value', type 'unicode', None) command: migrate_ds -args: 2,14,3 +args: 2,15,4 arg: Str('ldapuri', cli_name='ldap_uri') arg: Password('bindpw', cli_name='password', confirm=False) option: Str('binddn?', autofill=True, cli_name='bind_dn', default=u'cn=directory manager') 
@@ -1908,11 +1908,13 @@ option: Str('groupignoreattribute*', autofill=True, cli_name='group_ignore_attri option: Flag('groupoverwritegid', autofill=True, cli_name='group_overwrite_gid', default=False) option: StrEnum('schema?', autofill=True, cli_name='schema', default=u'RFC2307bis', values=(u'RFC2307bis', u'RFC2307')) option: Flag('continue?', autofill=True, default=False) +option: Flag('compat?', autofill=True, cli_name='with_compat', default=False) option: Str('exclude_groups*', autofill=True, cli_name='exclude_groups', csv=True, default=()) option: Str('exclude_users*', autofill=True, cli_name='exclude_users', csv=True, default=()) output: Output('result', type 'dict', None) output: Output('failed', type 'dict', None) output: Output('enabled', type 'bool', None) +output: Output('compat', type 'bool', None) command: netgroup_add args: 1,9,3 arg: Str('cn', attribute=True, cli_name='name', multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]+$', pattern_errmsg='may only include letters, numbers, _, -, and .', primary_key=True, required=True) diff --git a/VERSION b/VERSION index 523bde4a8ecdcac4c3a451c0e09ef75b156d7831
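Review bot: in the API.txt hunk, the new `output: Output('compat', type 'bool', None)` still carries `None` as its doc string even though the cover letter says the description of the `compat` value was updated; API.txt is generated from the Output definition in migration.py, so give that Output a doc string explaining when the value is False and regenerate API.txt with makeapi so the description is actually recorded.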
[Freeipa-devel] More types of replica in FreeIPA
Hi everyone, I'm currently working on my thesis. Its objective is $SUBJ and we already have a ticket for that: #194 https://fedorahosted.org/freeipa/ticket/194. The task is to create two more replica types - the HUB and Consumer. In 389-DS both the HUB and Consumer are read-only. Additionally the HUB can push the data to the Consumers. In case of FreeIPA the server is not only providing data, but also services like CA, NTP, DNS, Kerberos. Therefore I'm kindly asking you for advice and opinions on that:

1. What should be the position of HUB? I mean, should it be used as an interconnection between Masters and Consumers only, so that it will be 'hidden' in the topology and only forwards the updates, or should the HUB also be used as a regular Consumer which has the additional ability to push the updates further to Consumers/HUBs?

2. Which services should be available on HUB and Consumer? I think the priority of these replicas would be to answer data requests by ipa whatever-(find|show) commands or to provide some LDAP data for email addressing etc. Also it shouldn't cause much trouble to run NTP on a Consumer, but what about Kerberos or CA? Is it a good solution to let users authenticate against these replicas? Is it correct to leave classified data like passwords on these replicas?

Thanks in advance for your reactions Ondra -- Regards, Ondrej Hamada FreeIPA team jabber:oh...@jabbim.cz IRC: ohamada
Re: [Freeipa-devel] [PATCH] 12 When migrating warn user if compat is enabled
On 02/27/2012 09:47 PM, Rob Crittenden wrote: Ondrej Hamada wrote: On 02/21/2012 02:32 PM, Ondrej Hamada wrote: On 02/20/2012 06:53 PM, Rob Crittenden wrote: Ondrej Hamada wrote: https://fedorahosted.org/freeipa/ticket/2274 Added check into migration plugin to warn user when compat is enabled. If compat is enabled, the migration fails and user is warned that he must turn the compat off or run the script with (the newly introduced) option '--compat'. '--compat' is just a flag, by default set to false. If it is set, the compat check is skipped. Interesting approach. I think this is probably good, preventing migration when the compat plugin is enabled unless you specifically decide to. I think the option may need another name, maybe --with-compat or something. I think in the message we should use enabled instead of on. That is the language of ipa-compat-manage. The migration help should have a discussion of why this is a problem too, and what compat really is (provides a different view of the data to be compatible with non RFC2703bis systems). rob corrected Ondra I forgot to update the commit message about the change of flag name. Corrected patch attached. This works ok it just seems to be making an assumption on the client when to print this. I think a similar value like enabled needs to be created to explicitly say why we are returning. rob sorry for that, value created Ondra -- Regards, Ondrej Hamada FreeIPA team jabber: oh...@jabbim.cz IRC: ohamada From 06688d4f9f1950d0e83f85240acf0ff09df73175 Mon Sep 17 00:00:00 2001 
From: Ondrej Hamada oham...@redhat.com Date: Tue, 28 Feb 2012 13:41:36 +0100 Subject: [PATCH] Migration warning when compat enabled Added check into migration plugin to warn user when compat is enabled. If compat is enabled, the migration fails and user is warned that he must turn the compat off or run the script with (the newly introduced) option '--with-compat'. '--with-compat' is new flag. If it is set, the compat status is ignored. https://fedorahosted.org/freeipa/ticket/2274 --- API.txt |4 +++- VERSION |2 +- ipalib/plugins/migration.py | 34 -- 3 files changed, 36 insertions(+), 4 deletions(-) diff --git a/API.txt b/API.txt index 548fc93d48128aab5cebd60dda7fd304b569785b..a44e391e2ab79cb566455def3299ed25714e 100644 --- a/API.txt +++ b/API.txt @@ -1893,7 +1893,7 @@ output: Output('summary', (type 'unicode', type 'NoneType'), None) output: Entry('result', type 'dict', Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) output: Output('value', type 'unicode', None) command: migrate_ds -args: 2,14,3 +args: 2,15,4 arg: Str('ldapuri', cli_name='ldap_uri') arg: Password('bindpw', cli_name='password', confirm=False) option: Str('binddn?', autofill=True, cli_name='bind_dn', default=u'cn=directory manager') 
@@ -1908,11 +1908,13 @@ option: Str('groupignoreattribute*', autofill=True, cli_name='group_ignore_attri option: Flag('groupoverwritegid', autofill=True, cli_name='group_overwrite_gid', default=False) option: StrEnum('schema?', autofill=True, cli_name='schema', default=u'RFC2307bis', values=(u'RFC2307bis', u'RFC2307')) option: Flag('continue?', autofill=True, default=False) +option: Flag('compat?', autofill=True, cli_name='with_compat', default=False) option: Str('exclude_groups*', autofill=True, cli_name='exclude_groups', csv=True, default=()) option: Str('exclude_users*', autofill=True, cli_name='exclude_users', csv=True, default=()) output: Output('result', type 'dict', None) output: Output('failed', type 'dict', None) output: Output('enabled', type 'bool', None) +output: Output('compat', type 'bool', None) command: netgroup_add args: 1,9,3 arg: Str('cn', attribute=True, cli_name='name', multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]+$', pattern_errmsg='may only include letters, numbers, _, -, and .', primary_key=True, required=True) diff --git a/VERSION b/VERSION index 523bde4a8ecdcac4c3a451c0e09ef75b156d7831..381e3088c0bcb0e64304a2ed1ad12bfe6be95c51 100644 --- a/VERSION +++ b/VERSION @@ -79,4 +79,4 @@ IPA_DATA_VERSION=2010061412 # # IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=27 +IPA_API_VERSION_MINOR=28 diff --git a/ipalib/plugins/migration.py b/ipalib/plugins/migration.py index 688265fd3ea7f62bb22bf78abbc7f26e64f7470b..ab4e523e5b505577f83be4f95724bd9a9a50f8b6 100644 --- a/ipalib/plugins/migration.py +++ b/ipalib/plugins/migration.py @@ -52,6 +52,11 @@ Two LDAP schemas define how group members are stored: RFC2307 and RFC2307bis. RFC2307bis uses member and uniquemember to specify group members, RFC2307 uses memberUid. The default
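Review bot: in the API.txt hunk, the option is registered as `Flag('compat?', autofill=True, cli_name='with_compat', default=False)` while the new result field is `Output('compat', type 'bool', None)`, so the same bare name `compat` means "ignore the compat plugin" on input and "the run was aborted because of the compat plugin" on output; name the output for what it reports (something like `compat_failed`) so a client does not have to read the plugin source to know when to print the warning.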
Re: [Freeipa-devel] [PATCH] 14 ipa permission-add does not fail if using invalid attribute
On 02/27/2012 03:22 PM, Rob Crittenden wrote: Ondrej Hamada wrote: When adding or modifying permission with both type and attributes specified, check whether the attributes are allowed for specified type. In case of disallowed attributes the InvalidSyntax error is raised. New tests were also added to the unit-tests. https://fedorahosted.org/freeipa/ticket/2293 NACK. You should use obj.object_class_config to determine if the default list of objectclasses comes from LDAP. I think that may be it, otherwise the patch reads ok. I'm very glad to see unit tests! rob Corrected -- Regards, Ondrej Hamada FreeIPA team jabber: oh...@jabbim.cz IRC: ohamada From f17224cf0d95cc1aefbbf78ebc79d43252100301 Mon Sep 17 00:00:00 2001 From: Ondrej Hamada oham...@redhat.com Date: Mon, 27 Feb 2012 17:52:51 +0100 Subject: [PATCH] Validate attributes in permission-add When adding or modifying permission with both type and attributes specified, check whether the attributes are allowed for specified type. In case of disallowed attributes raise the InvalidSyntax exception. New tests were also added to the unit-tests. https://fedorahosted.org/freeipa/ticket/2293 --- ipalib/plugins/permission.py| 54 ++ tests/test_xmlrpc/test_permission_plugin.py | 65 +++ 2 files changed, 119 insertions(+), 0 deletions(-) diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py index 08781ce2ef3df30d10565a071a338edf77c52d23..9a32cc3d5b382a078a13b998ff9401b260302f89 100644 --- a/ipalib/plugins/permission.py +++ b/ipalib/plugins/permission.py 
@@ -89,6 +89,43 @@ output_params = ( ), ) +dn_ipaconfig='cn=ipaconfig,cn=etc,'+api.env.basedn + +def check_attrs(attrs, type): +# Trying to delete attributes - no need for validation +if attrs is None: +return True +allowed_objcls=[] +disallowed_objcls=[] +obj=api.Object[type] + +if hasattr(obj,'object_class_config'): +(dn,objcls)=api.Backend.ldap2.get_entry( +dn_ipaconfig,[obj.object_class_config] +) +allowed_objcls=objcls[obj.object_class_config] +else: +allowed_objcls=obj.object_class +if hasattr(obj,'possible_objectclasses'): +allowed_objcls+=obj.possible_objectclasses +if hasattr(obj,'disallow_object_classes'): +disallowed_objcls=obj.disallow_object_classes + +allowed_attrs=[] +disallowed_attrs=[] +if allowed_objcls: +allowed_attrs=api.Backend.ldap2.get_allowed_attributes(allowed_objcls) +if disallowed_objcls: +disallowed_attrs=api.Backend.ldap2.get_allowed_attributes(disallowed_objcls) +failed_attrs=[] +for attr in attrs: +if (attr not in allowed_attrs) or (attr in disallowed_attrs): +failed_attrs.append(attr) +if failed_attrs: +raise errors.InvalidSyntax(attr=','.join(failed_attrs)) +return True + + class permission(LDAPObject): Permission object. @@ -192,6 +229,8 @@ class permission_add(LDAPCreate): opts['permission'] = keys[-1] opts['aciprefix'] = ACI_PREFIX try: +if 'type' in entry_attrs and 'attrs' in entry_attrs: +check_attrs(entry_attrs['attrs'],entry_attrs['type']) self.api.Command.aci_add(keys[-1], **opts) except Exception, e: raise e 
@@ -273,6 +312,21 @@ class permission_mod(LDAPUpdate): except errors.NotFound: self.obj.handle_not_found(*keys) +# check the correctness of attributes only when the type is specified +type=None +attrs_to_check=[] +current_values=self.api.Command.permission_show(attrs['cn'][0])['result'] +if 'type' in entry_attrs: +type = entry_attrs['type'] +elif 'type' in current_values: +type = current_values['type'] +if 'attrs' in entry_attrs: +attrs_to_check = entry_attrs['attrs'] +elif 'attrs' in current_values: +attrs_to_check = current_values['attrs'] +if attrs_to_check and type is not None: +check_attrs(attrs_to_check,type) + # when renaming permission, check if the target permission does not # exists already. Then, make changes to underlying ACI if 'rename' in options: diff --git a/tests/test_xmlrpc/test_permission_plugin.py b/tests/test_xmlrpc/test_permission_plugin.py index e8e6bebcd387307f30e4a7bc4d266092b7e41424..15e12e5c5868d7fbc21ce3f5797089150bf6c5e6 100644 --- a/tests/test_xmlrpc/test_permission_plugin.py +++ b/tests/test_xmlrpc/test_permission_plugin.py @@ -124,6 +124,71 @@ class test_permission(Declarative): dict( +desc='Try to create %r with invalid attribute \'ipaclientversion\'' % permission2, +command=( +'permission_add', [permission2], dict( + type=u'user
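Review bot: in the check_attrs hunk, `if hasattr(obj,'object_class_config'):` decides whether to read the objectclass list from cn=ipaconfig, but if LDAPObject defines `object_class_config` as a class attribute defaulting to None (which the suggested `if obj.object_class_config:` test in the review thread implies), `hasattr` is true for every type and `get_entry(dn_ipaconfig,[obj.object_class_config])` runs with `[None]` for hosts, services and the like instead of falling back to `obj.object_class`; test the value, not the attribute's presence. The same applies to the `hasattr(obj,'possible_objectclasses')` and `hasattr(obj,'disallow_object_classes')` checks.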
Re: [Freeipa-devel] [PATCH] 13 ipa-client-install not calling authconfig
On 02/25/2012 08:30 PM, Alexander Bokovoy wrote: On Thu, 23 Feb 2012, Ondrej Hamada wrote: Option '--noac' was added. If set, the ipa-client-install will not call authconfig for setting nsswitch.conf and PAM configuration. In fact no configuration of nsswitch.conf or PAM would be done at all. https://fedorahosted.org/freeipa/ticket/2369 NACK. According to the original request, authconfig will do nsswitch/PAM configuration *after* ipa-client-install run so the following check in ipa-client-install will fail with --noac: +#Check that nss is working properly +if not options.on_master: +n = 0 +found = False +# Loop for up to 10 seconds to see if nss is working properly. +# It can sometimes take a few seconds to connect to the remote provider. +# Particulary, SSSD might take longer than 6-8 seconds. +while n 10 and not found: +try: +ipautil.run([getent, passwd, admin]) +found = True +except Exception, e: +time.sleep(1) +n = n + 1 This check never happens with --noac. I've rechecked the indentation (I admit it's badly visible in the patch file) and it's ok. -- Regards, Ondrej Hamada FreeIPA team jabber: oh...@jabbim.cz IRC: ohamada
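Review bot: in the quoted `#Check that nss is working properly` loop, `except Exception, e:` catches everything `ipautil.run([getent, passwd, admin])` can raise, a missing getent binary included, and discards `e` before sleeping and retrying; catch the CalledProcessError that ipautil.run raises for a non-zero exit and log the last error when the loop ends with `found` still False, so a genuine NSS misconfiguration is not reported the same way as a lookup that merely took a few seconds.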
[Freeipa-devel] [PATCH] 14 ipa permission-add does not fail if using invalid attribute
When adding or modifying permission with both type and attributes specified, check whether the attributes are allowed for specified type. In case of disallowed attributes the InvalidSyntax error is raised. New tests were also added to the unit-tests. https://fedorahosted.org/freeipa/ticket/2293 -- Regards, Ondrej Hamada FreeIPA team jabber: oh...@jabbim.cz IRC: ohamada From 80326444a08076f6e8a1f62296ea33413b526a9b Mon Sep 17 00:00:00 2001 From: Ondrej Hamada oham...@redhat.com Date: Sun, 26 Feb 2012 03:38:08 +0100 Subject: [PATCH] Validate attributes in permission-add When adding or modifying permission with both type and attributes specified, check whether the attributes are allowed for specified type. In case of disallowed attributes raise the InvalidSyntax exception. New tests were also added to the unit-tests. https://fedorahosted.org/freeipa/ticket/2293 --- ipalib/plugins/permission.py| 54 ++ tests/test_xmlrpc/test_permission_plugin.py | 65 +++ 2 files changed, 119 insertions(+), 0 deletions(-) diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py index 08781ce2ef3df30d10565a071a338edf77c52d23..ca10424532f65a13a62c88fa861945b63eade959 100644 --- a/ipalib/plugins/permission.py +++ b/ipalib/plugins/permission.py 
@@ -89,6 +89,43 @@ output_params = ( ), ) +dn_ipaconfig='cn=ipaconfig,cn=etc,'+api.env.basedn + +def check_attrs(attrs, type): +# Trying to delete attributes - no need for validation +if attrs is None: +return True +allowed_objcls=[] +disallowed_objcls=[] +obj=api.Object[type] + +if type in ['user','group']: +(dn,objcls)=api.Backend.ldap2.get_entry( +dn_ipaconfig,[obj.object_class_config] +) +allowed_objcls=objcls[obj.object_class_config] +else: +allowed_objcls=obj.object_class +if hasattr(obj,'possible_objectclasses'): +allowed_objcls+=obj.possible_objectclasses +if hasattr(obj,'disallow_object_classes'): +disallowed_objcls=obj.disallow_object_classes + +allowed_attrs=[] +disallowed_attrs=[] +if allowed_objcls: +allowed_attrs=api.Backend.ldap2.get_allowed_attributes(allowed_objcls) +if disallowed_objcls: +disallowed_attrs=api.Backend.ldap2.get_allowed_attributes(disallowed_objcls) +failed_attrs=[] +for attr in attrs: +if (attr not in allowed_attrs) or (attr in disallowed_attrs): +failed_attrs.append(attr) +if failed_attrs: +raise errors.InvalidSyntax(attr=','.join(failed_attrs)) +return True + + class permission(LDAPObject): Permission object. @@ -192,6 +229,8 @@ class permission_add(LDAPCreate): opts['permission'] = keys[-1] opts['aciprefix'] = ACI_PREFIX try: +if 'type' in entry_attrs and 'attrs' in entry_attrs: +check_attrs(entry_attrs['attrs'],entry_attrs['type']) self.api.Command.aci_add(keys[-1], **opts) except Exception, e: raise e 
@@ -273,6 +312,21 @@ class permission_mod(LDAPUpdate): except errors.NotFound: self.obj.handle_not_found(*keys) +# check the correctness of attributes only when the type is specified +type=None +attrs_to_check=[] +current_values=self.api.Command.permission_show(attrs['cn'][0])['result'] +if 'type' in entry_attrs: +type = entry_attrs['type'] +elif 'type' in current_values: +type = current_values['type'] +if 'attrs' in entry_attrs: +attrs_to_check = entry_attrs['attrs'] +elif 'attrs' in current_values: +attrs_to_check = current_values['attrs'] +if attrs_to_check and type is not None: +check_attrs(attrs_to_check,type) + # when renaming permission, check if the target permission does not # exists already. Then, make changes to underlying ACI if 'rename' in options: diff --git a/tests/test_xmlrpc/test_permission_plugin.py b/tests/test_xmlrpc/test_permission_plugin.py index e8e6bebcd387307f30e4a7bc4d266092b7e41424..15e12e5c5868d7fbc21ce3f5797089150bf6c5e6 100644 --- a/tests/test_xmlrpc/test_permission_plugin.py +++ b/tests/test_xmlrpc/test_permission_plugin.py @@ -124,6 +124,71 @@ class test_permission(Declarative): dict( +desc='Try to create %r with invalid attribute \'ipaclientversion\'' % permission2, +command=( +'permission_add', [permission2], dict( + type=u'user', + permissions=u'write', + attrs=u'ipaclientversion', +), +), +expected=errors.InvalidSyntax(attr=u'ipaclientversion'), +), + + +dict( +desc='Add allowed attribute \'cn\' to %r' % permission1, +command=( +'permission_mod
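Review bot: in the check_attrs hunk, `if type in ['user','group']:` hardcodes which plugins read their objectclass list from cn=ipaconfig; any other LDAPObject that sets `object_class_config` silently gets the static `obj.object_class` list instead, so the decision should come from the object itself (`obj.object_class_config`) rather than from a list of names kept in permission.py.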
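Review bot: in the test hunk, the only negative case is `attrs=u'ipaclientversion'` with `type=u'user'`, an attribute that belongs to no user objectclass; add a case for an attribute that is provided by a class listed in `disallow_object_classes` (the `attr in disallowed_attrs` branch of check_attrs is otherwise untested) and one with a mixed-case spelling such as `u'CN'`, so the intended case handling of the comparison is pinned down by the suite rather than left to whatever get_allowed_attributes happens to return.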
Re: [Freeipa-devel] [PATCH] 930 add conflicts on mod_ssl
On 01/20/2012 05:10 PM, Rob Crittenden wrote: We again need to prevent mod_ssl from being installed since we proxy for dogtag now. mod_proxy provides a single API for doing SSL proxying and if mod_ssl is merely loaded in Apache it grabs the interface for doing this from mod_nss. rob

ACK, but needs rebase - there's a problem in the changelog part -- Regards, Ondrej Hamada FreeIPA team jabber: oh...@jabbim.cz IRC: ohamada
[Freeipa-devel] [PATCH] 13 ipa-client-install not calling authconfig
Option '--noac' was added. If set, the ipa-client-install will not call authconfig for setting nsswitch.conf and PAM configuration. In fact no configuration of nsswitch.conf or PAM would be done at all. https://fedorahosted.org/freeipa/ticket/2369 -- Regards, Ondrej Hamada FreeIPA team jabber: oh...@jabbim.cz IRC: ohamada From 10bf87ef215642d5899da50f7b74f11b791e6a23 Mon Sep 17 00:00:00 2001 From: Ondrej Hamada oham...@redhat.com Date: Thu, 23 Feb 2012 17:24:46 +0100 Subject: [PATCH] ipa-client-install not calling authconfig Option '--noac' was added. If set, the ipa-client-install will not call authconfig for setting nsswitch.conf and PAM configuration. https://fedorahosted.org/freeipa/ticket/2369 --- ipa-client/ipa-install/ipa-client-install | 126 +++-- 1 files changed, 65 insertions(+), 61 deletions(-) diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index f5c1efe0686020ce7cad79edfe19908ee3a55a30..36493e0b42de8230e6e8604f292284364885affd 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -90,6 +90,8 @@ def parse_options(): help=do not configure OpenSSH server) basic_group.add_option(--no-dns-sshfp, dest=create_sshfp, default=True, action=store_false, help=do not automatically create DNS SSHFP records) +basic_group.add_option(--noac, dest=no_ac, default=False, action=store_true, + help=do not use Authconfig to modify the nsswitch.conf and PAM configuration) basic_group.add_option(-f, --force, dest=force, action=store_true, default=False, help=force setting of LDAP/Kerberos conf) basic_group.add_option(-d, --debug, dest=debug, action=store_true, 
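Review bot: in the parse_options hunk, `--noac` does not follow the `--no-<thing>` form of the neighbouring options (`--no-dns-sshfp` in the same hunk), and the help text names the tool "Authconfig" while the command is `authconfig`; consider `--no-authconfig` (keeping `dest=no_ac` is fine) and lowercase the name in the help so users can grep for the command they are opting out of.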
@@ -1368,75 +1370,77 @@ def install(options, env, fstore, statestore): root_logger.info(%s daemon is not installed, skip configuration % (nscd.service_name)) retcode, conf, filename = (0, None, None) -# Modify nsswitch/pam stack -auth_config = ipaservices.authconfig() -if options.sssd: -statestore.backup_state('authconfig', 'sssd', True) -statestore.backup_state('authconfig', 'sssdauth', True) -auth_config.enable(sssd).\ -enable(sssdauth) -message = SSSD enabled -conf = 'SSSD' -else: -statestore.backup_state('authconfig', 'ldap', True) -auth_config.enable(ldap).\ -enable(forcelegacy) -message = LDAP enabled -if options.mkhomedir: -statestore.backup_state('authconfig', 'mkhomedir', True) -auth_config.enable(mkhomedir) +if not options.no_ac: +# Modify nsswitch/pam stack +auth_config = ipaservices.authconfig() +if options.sssd: +statestore.backup_state('authconfig', 'sssd', True) +statestore.backup_state('authconfig', 'sssdauth', True) +auth_config.enable(sssd).\ +enable(sssdauth) +message = SSSD enabled +conf = 'SSSD' +else: +statestore.backup_state('authconfig', 'ldap', True) +auth_config.enable(ldap).\ +enable(forcelegacy) +message = LDAP enabled -auth_config.add_option(update) -auth_config.execute() -print message +if options.mkhomedir: +statestore.backup_state('authconfig', 'mkhomedir', True) +auth_config.enable(mkhomedir) -if not options.sssd: -#Modify pam to add pam_krb5 only when sssd is not in use -auth_config.reset() -statestore.backup_state('authconfig', 'krb5', True) -auth_config.enable(krb5).\ -add_option(update).\ -add_option(nostart) +auth_config.add_option(update) auth_config.execute() -print Kerberos 5 enabled +print message -# Update non-SSSD LDAP configuration after authconfig calls as it would -# change its configuration otherways -if not options.sssd: -for configurer in [configure_ldap_conf, configure_nslcd_conf]: -(retcode, conf, filename) = configurer(fstore, cli_basedn, cli_realm, cli_domain, cli_server, dnsok, options, 
nosssd_files[configurer.__name__]) -if retcode: -return CLIENT_INSTALL_ERROR -if conf: -print %s configured using configuration file(s) %s % (conf, filename) +if not options.sssd: +#Modify pam to add pam_krb5 only when sssd is not in use +auth_config.reset() +statestore.backup_state('authconfig', 'krb5', True) +auth_config.enable(krb5).\ +add_option(update).\ +add_option(nostart) +auth_config.execute() +print Kerberos 5 enabled -#Check that nss is working properly
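Review bot: in the install() hunk, the removed `for configurer in [configure_ldap_conf, configure_nslcd_conf]:` block that writes ldap.conf/nslcd.conf for the non-SSSD case is not re-added anywhere in the visible part of the hunk; if it now lives inside `if not options.no_ac:`, then `--noac` also skips LDAP client configuration that authconfig never touched, which is more than the option's description ("will not call authconfig for setting nsswitch.conf and PAM configuration") promises. Keep that loop outside the new block, and double-check the indentation of the trailing `#Check that nss is working properly` lookup, which should still run when authconfig is skipped, as the NACK on this thread points out.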
Re: [Freeipa-devel] [PATCH] 12 When migrating warn user if compat is enabled
On 02/21/2012 02:32 PM, Ondrej Hamada wrote: On 02/20/2012 06:53 PM, Rob Crittenden wrote: Ondrej Hamada wrote: https://fedorahosted.org/freeipa/ticket/2274 Added check into migration plugin to warn user when compat is enabled. If compat is enabled, the migration fails and user is warned that he must turn the compat off or run the script with (the newly introduced) option '--compat'. '--compat' is just a flag, by default set to false. If it is set, the compat check is skipped. Interesting approach. I think this is probably good, preventing migration when the compat plugin is enabled unless you specifically decide to. I think the option may need another name, maybe --with-compat or something. I think in the message we should use enabled instead of on. That is the language of ipa-compat-manage. The migration help should have a discussion of why this is a problem too, and what compat really is (provides a different view of the data to be compatible with non RFC2703bis systems). rob corrected Ondra ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel I forget to update the commit message about the change of flag name. Corrected patch attached. -- Regards, Ondrej Hamada FreeIPA team jabber: oh...@jabbim.cz IRC: ohamada From 8b068e25208d2724c714c95f666f24e699061f1d Mon Sep 17 00:00:00 2001 From: Ondrej Hamada oham...@redhat.com Date: Wed, 22 Feb 2012 12:11:55 +0100 Subject: [PATCH] Migration warning when compat enabled Added check into migration plugin to warn user when compat is enabled. If compat is enabled, the migration fails and user is warned that he must turn the compat off or run the script with (the newly introduced) option '--with-compat'. '--with-compat' is new flag. If it is set, the compat status is ignored. https://fedorahosted.org/freeipa/ticket/2274 --- API.txt |3 ++- VERSION |2 +- ipalib/plugins/migration.py | 26 ++ 3 files changed, 29 insertions(+), 2 deletions(-) 
diff --git a/API.txt b/API.txt index 66713317c9b11057f12676c2afc7bc36d0ca3969..9eec33d4597cb96af870088eb827e39973d66fb6 100644 --- a/API.txt +++ b/API.txt @@ -1925,7 +1925,7 @@ output: Output('summary', (type 'unicode', type 'NoneType'), None) output: Entry('result', type 'dict', Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) output: Output('value', type 'unicode', None) command: migrate_ds -args: 2,14,3 +args: 2,15,3 arg: Str('ldapuri', cli_name='ldap_uri') arg: Password('bindpw', cli_name='password', confirm=False) option: Str('binddn?', autofill=True, cli_name='bind_dn', default=u'cn=directory manager') @@ -1940,6 +1940,7 @@ option: Str('groupignoreattribute*', autofill=True, cli_name='group_ignore_attri option: Flag('groupoverwritegid', autofill=True, cli_name='group_overwrite_gid', default=False) option: StrEnum('schema?', autofill=True, cli_name='schema', default=u'RFC2307bis', values=(u'RFC2307bis', u'RFC2307')) option: Flag('continue?', autofill=True, default=False) +option: Flag('compat?', autofill=True, cli_name='with_compat', default=False) option: Str('exclude_groups*', autofill=True, cli_name='exclude_groups', csv=True, default=()) option: Str('exclude_users*', autofill=True, cli_name='exclude_users', csv=True, default=()) output: Output('result', type 'dict', None) diff --git a/VERSION b/VERSION index eba6b75cdd57e8ee4024b4e6aa2960022007bd0e..523bde4a8ecdcac4c3a451c0e09ef75b156d7831 100644 --- a/VERSION +++ b/VERSION @@ -79,4 +79,4 @@ IPA_DATA_VERSION=2010061412 # # IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=26 +IPA_API_VERSION_MINOR=27 diff --git a/ipalib/plugins/migration.py b/ipalib/plugins/migration.py index 688265fd3ea7f62bb22bf78abbc7f26e64f7470b..a31fff8597d856cbf67825f6ed990cb9f16725a6 100644 --- a/ipalib/plugins/migration.py +++ b/ipalib/plugins/migration.py 
@@ -52,6 +52,11 @@ Two LDAP schemas define how group members are stored: RFC2307 and RFC2307bis. RFC2307bis uses member and uniquemember to specify group members, RFC2307 uses memberUid. The default schema is RFC2307bis. +In order to use other schema than RFC2307bis the compatibility plug-in +must be enabled. Migration with enabled compatibility plug-in causes +a lot of overhead. Because of that it is disabled by default but it can +be overridden by the '--with-compat' option. + Migrated users do not have Kerberos credentials, they have only their LDAP password. To complete the migration process, users need to go to http://ipa.example.com/ipa/migration and authenticate using their @@ -67,6 +72,10 @@ EXAMPLES: The simplest migration, accepting all defaults: ipa migrate-ds ldap://ds.example.com:389 + The simplest migration, accepting all defaults and ignoring
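Review bot: the new docstring text in the migration.py hunk ('In order to use other schema than RFC2307bis the compatibility plug-in must be enabled. ... Because of that it is disabled by default but it can be overridden by the '--with-compat' option.') is misleading on two counts: the `--schema` option registered in the same patch (`StrEnum('schema?', ..., values=(u'RFC2307bis', u'RFC2307'))`) already lets migrate-ds read an RFC2307 source without the compat plug-in, and 'it is disabled by default' reads as a statement about the plug-in rather than about migrate-ds refusing to run while the plug-in is enabled. Suggest the explanation Rob asked for: the compat plug-in presents a second view of the IPA data for systems that do not understand RFC2307bis, migrating while it is enabled causes a lot of overhead, so migrate-ds stops unless `--with-compat` is given.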
Re: [Freeipa-devel] [PATCH] 12 When migrating warn user if compat is enabled
On 02/20/2012 06:53 PM, Rob Crittenden wrote: Ondrej Hamada wrote: https://fedorahosted.org/freeipa/ticket/2274 Added check into migration plugin to warn user when compat is enabled. If compat is enabled, the migration fails and user is warned that he must turn the compat off or run the script with (the newly introduced) option '--compat'. '--compat' is just a flag, by default set to false. If it is set, the compat check is skipped. Interesting approach. I think this is probably good, preventing migration when the compat plugin is enabled unless you specifically decide to. I think the option may need another name, maybe --with-compat or something. I think in the message we should use enabled instead of on. That is the language of ipa-compat-manage. The migration help should have a discussion of why this is a problem too, and what compat really is (provides a different view of the data to be compatible with non RFC2703bis systems). rob corrected Ondra -- Regards, Ondrej Hamada FreeIPA team jabber: oh...@jabbim.cz IRC: ohamada From b4c368fc1c404c4a520c814f10d522b5b8e909aa Mon Sep 17 00:00:00 2001 From: Ondrej Hamada oham...@redhat.com Date: Tue, 21 Feb 2012 11:13:38 +0100 Subject: [PATCH] Migration warning when compat enabled Added check into migration plugin to warn user when compat is enabled. If compat is enabled, the migration fails and user is warned that he must turn the compat off or run the script with (the newly introduced) option '--compat'. '--compat' is new flag. If it is set, the compat status is ignored. https://fedorahosted.org/freeipa/ticket/2274 --- API.txt |3 ++- VERSION |2 +- ipalib/plugins/migration.py | 26 ++ 3 files changed, 29 insertions(+), 2 deletions(-) diff --git a/API.txt b/API.txt index 66713317c9b11057f12676c2afc7bc36d0ca3969..9eec33d4597cb96af870088eb827e39973d66fb6 100644 --- a/API.txt +++ b/API.txt 
@@ -1925,7 +1925,7 @@ output: Output('summary', (type 'unicode', type 'NoneType'), None) output: Entry('result', type 'dict', Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) output: Output('value', type 'unicode', None) command: migrate_ds -args: 2,14,3 +args: 2,15,3 arg: Str('ldapuri', cli_name='ldap_uri') arg: Password('bindpw', cli_name='password', confirm=False) option: Str('binddn?', autofill=True, cli_name='bind_dn', default=u'cn=directory manager') @@ -1940,6 +1940,7 @@ option: Str('groupignoreattribute*', autofill=True, cli_name='group_ignore_attri option: Flag('groupoverwritegid', autofill=True, cli_name='group_overwrite_gid', default=False) option: StrEnum('schema?', autofill=True, cli_name='schema', default=u'RFC2307bis', values=(u'RFC2307bis', u'RFC2307')) option: Flag('continue?', autofill=True, default=False) +option: Flag('compat?', autofill=True, cli_name='with_compat', default=False) option: Str('exclude_groups*', autofill=True, cli_name='exclude_groups', csv=True, default=()) option: Str('exclude_users*', autofill=True, cli_name='exclude_users', csv=True, default=()) output: Output('result', type 'dict', None) diff --git a/VERSION b/VERSION index eba6b75cdd57e8ee4024b4e6aa2960022007bd0e..523bde4a8ecdcac4c3a451c0e09ef75b156d7831 100644 --- a/VERSION +++ b/VERSION @@ -79,4 +79,4 @@ IPA_DATA_VERSION=2010061412 # # IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=26 +IPA_API_VERSION_MINOR=27 diff --git a/ipalib/plugins/migration.py b/ipalib/plugins/migration.py index 688265fd3ea7f62bb22bf78abbc7f26e64f7470b..a31fff8597d856cbf67825f6ed990cb9f16725a6 100644 --- a/ipalib/plugins/migration.py +++ b/ipalib/plugins/migration.py 
@@ -52,6 +52,11 @@ Two LDAP schemas define how group members are stored: RFC2307 and RFC2307bis. RFC2307bis uses member and uniquemember to specify group members, RFC2307 uses memberUid. The default schema is RFC2307bis. +In order to use other schema than RFC2307bis the compatibility plug-in +must be enabled. Migration with enabled compatibility plug-in causes +a lot of overhead. Because of that it is disabled by default but it can +be overridden by the '--with-compat' option. + Migrated users do not have Kerberos credentials, they have only their LDAP password. To complete the migration process, users need to go to http://ipa.example.com/ipa/migration and authenticate using their @@ -67,6 +72,10 @@ EXAMPLES: The simplest migration, accepting all defaults: ipa migrate-ds ldap://ds.example.com:389 + The simplest migration, accepting all defaults and ignoring the status + of compatibility plug-in: + ipa migrate-ds --with-compat ldap://ds.example.com:389 + Specify the user and group container. This can be used to migrate user and group data from an IPA v1 server: ipa migrate-ds --user-container='cn=users,cn=accounts' \\ @@ -94,6 +103,8 @@ EXAMPLES: ldap
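Review bot: the commit message still describes the switch as '--compat' ('run the script with (the newly introduced) option '--compat'. '--compat' is new flag.'), while the API.txt hunk registers it as `Flag('compat?', autofill=True, cli_name='with_compat', default=False)`, so the user-facing option is `--with-compat`; update the commit message and check that the `Disable the compat plugin or run this script with '--compat' option.` message from the first version of this patch was renamed in output_for_cli as well.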
[Freeipa-devel] [PATCH] 12 When migrating warn user if compat is enabled
https://fedorahosted.org/freeipa/ticket/2274 Added check into migration plugin to warn user when compat is enabled. If compat is enabled, the migration fails and user is warned that he must turn the compat off or run the script with (the newly introduced) option '--compat'. '--compat' is just a flag, by default set to false. If it is set, the compat check is skipped. -- Regards, Ondrej Hamada FreeIPA team jabber:oh...@jabbim.cz IRC: ohamada From 2b146dc28bdf35b5840cd193f59ff32db226548a Mon Sep 17 00:00:00 2001 From: Ondrej Hamada oham...@redhat.com Date: Wed, 15 Feb 2012 14:56:39 +0100 Subject: [PATCH] Migration warning when compat enabled Added check into migration plugin to warn user when compat is enabled. If compat is enabled, the migration fails and user is warned that he must turn the compat off or run the script with (the newly introduced) option '--compat'. '--compat' is new flag. If it is set, the compat status is ignored. https://fedorahosted.org/freeipa/ticket/2274 --- API.txt |3 ++- ipalib/plugins/migration.py | 16 2 files changed, 18 insertions(+), 1 deletions(-) diff --git a/API.txt b/API.txt index 66713317c9b11057f12676c2afc7bc36d0ca3969..54573ca1ca514d048e62802667956d6bda0d3199 100644 --- a/API.txt +++ b/API.txt @@ -1925,7 +1925,7 @@ output: Output('summary', (type 'unicode', type 'NoneType'), None) output: Entry('result', type 'dict', Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) output: Output('value', type 'unicode', None) command: migrate_ds -args: 2,14,3 +args: 2,15,3 arg: Str('ldapuri', cli_name='ldap_uri') arg: Password('bindpw', cli_name='password', confirm=False) option: Str('binddn?', autofill=True, cli_name='bind_dn', default=u'cn=directory manager') 
@@ -1940,6 +1940,7 @@ option: Str('groupignoreattribute*', autofill=True, cli_name='group_ignore_attri option: Flag('groupoverwritegid', autofill=True, cli_name='group_overwrite_gid', default=False) option: StrEnum('schema?', autofill=True, cli_name='schema', default=u'RFC2307bis', values=(u'RFC2307bis', u'RFC2307')) option: Flag('continue?', autofill=True, default=False) +option: Flag('compat?', autofill=True, default=False) option: Str('exclude_groups*', autofill=True, cli_name='exclude_groups', csv=True, default=()) option: Str('exclude_users*', autofill=True, cli_name='exclude_users', csv=True, default=()) output: Output('result', type 'dict', None) diff --git a/ipalib/plugins/migration.py b/ipalib/plugins/migration.py index 688265fd3ea7f62bb22bf78abbc7f26e64f7470b..50254d8f34e9a1ada9b3b4bd45c2949079ccedf5 100644 --- a/ipalib/plugins/migration.py +++ b/ipalib/plugins/migration.py @@ -94,6 +94,8 @@ EXAMPLES: ldap://ds.example.com:389 ) +compat_dn = cn=Schema Compatibility,cn=plugins,cn=config + # USER MIGRATION CALLBACKS AND VARS _krb_err_msg = _('Kerberos principal %s already exists. Use \'ipa user-mod\' to set it manually.') @@ -431,6 +433,11 @@ class migrate_ds(Command): doc=_('Continuous operation mode. Errors are reported but the process continues'), default=False, ), +Flag('compat?', +label=_('Ignore compat plugin'), +doc=_('Allows migration despite the usage of compat plugin'), +default=False, +), ) has_output = ( 
@@ -635,6 +642,12 @@ can use their Kerberos accounts.''') ds_ldap = ldap2(shared_instance=False, ldap_uri=ldapuri, base_dn='') ds_ldap.connect(bind_dn=options['binddn'], bind_pw=bindpw) +#check whether the compat plugin is enabled +if not options.get('compat'): +(dn,check_compat) = ds_ldap.get_entry(compat_dn, normalize=False) +if check_compat is not None and check_compat.get('nsslapd-pluginenabled', [''])[0].lower() == 'on': +return dict(result={},failed={},enabled=True) + # retrieve DS base DN (entries, truncated) = ds_ldap.find_entries( '', ['namingcontexts'], '', ds_ldap.SCOPE_BASE, @@ -657,6 +670,9 @@ can use their Kerberos accounts.''') if not result['enabled']: textui.print_plain(self.migration_disabled_msg) return 1 +if not result['result'] and not result['failed']: +textui.print_plain(Compat plugin is on. This might cause troubles during migration. Disable the compat plugin or run this script with \'--compat\' option.) +return 1 textui.print_plain('Migrated:') textui.print_entry1( result['result'], attr_order=self.migrate_order, -- 1.7.6.5 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
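Review bot: the compat check in the execute hunk queries the wrong server: `ds_ldap` is the connection to the source directory (`ldap2(shared_instance=False, ldap_uri=ldapuri, base_dn='')`), but `cn=Schema Compatibility,cn=plugins,cn=config` is the IPA server's own plug-in entry, so the lookup should go through the IPA backend connection (`self.api.Backend.ldap2`) instead. The `check_compat is not None` guard also does not cover the case where the entry does not exist at all: `get_entry` reports a missing entry by raising `errors.NotFound`, which here would abort the whole migration, so wrap the lookup in `try: ... except errors.NotFound: pass` and treat that as "compat not enabled".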
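Review bot: output_for_cli detects the compat case with `if not result['result'] and not result['failed']:`, which is indistinguishable from a successful migration of a source tree that simply has no users or groups, so an empty source would print 'Compat plugin is on. ...' and return 1. Return an explicit marker from execute (the hunk already builds `dict(result={},failed={},enabled=True)`, so add something like `compat=True` there) and test that key in output_for_cli instead.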
Re: [Freeipa-devel] [PATCH] 11 Checking and modifying of memberof attribute
On 02/06/2012 05:03 PM, Martin Kosek wrote: On Mon, 2012-02-06 at 12:14 +0100, Ondrej Hamada wrote: https://fedorahosted.org/freeipa/ticket/2255 https://fedorahosted.org/freeipa/ticket/2286 https://fedorahosted.org/freeipa/ticket/2305 Added checking of existence of groups that are specified in permission and delegation module. Also the permission plugin now allows to unset memberof value. Additional unit tests for checking new behaviour were created. NACK I think there are few things that could be improved: 1) I don't think that _make_aci function should have any side-effects to kw like deleting some keys from it: @@ -265,8 +265,15 @@ def _make_aci(ldap, current, aciname, kw): ... +else: +del kw['memberof'] IMO, this may break expectations when _make_aci is called and introduce some issues in the future. I think that entire _make_aci should be fixed to ignore attributes set to None just like with other plugins. We just need to validate if the kw combination is OK. This would mean that the ACI validation should be updated as well: ... t1 = 'type' in kw What if kw['type'] is None? t2 = 'filter' in kw t3 = 'subtree' in kw t4 = 'targetgroup' in kw t5 = 'attrs' in kw t6 = 'memberof' in kw ... There are already some related fixes in aci_find. 2) This is a good opportunity to fix also other ACI attributes, like --type. Now, it throws Internal Error: # ipa permission-mod test --type= ipa: ERROR: an internal error has occurred Martin The ACI validation was updated to validate all the six mentioned attributes and it was enabled to unset them. -- Regards, Ondrej Hamada FreeIPA team jabber: oh...@jabbim.cz IRC: ohamada From 4313a381e44986cdc26c88194297d6a0a4cfd112 Mon Sep 17 00:00:00 2001 
From: Ondrej Hamada oham...@redhat.com Date: Tue, 7 Feb 2012 13:07:09 +0100 Subject: [PATCH] Memberof attribute control and update Checking of parameters used by _make_aci funcion was rewritten. Additional attributes of ACI(type, attribute, memberof, targetgroup, subtree, filter) could be unset. Permission plugin now allows to unset memberof value. https://fedorahosted.org/freeipa/ticket/2255 Added checking of existence of groups that are specified in permission and delegation module. https://fedorahosted.org/freeipa/ticket/2286 https://fedorahosted.org/freeipa/ticket/2305 --- ipalib/plugins/aci.py | 36 ++--- tests/test_xmlrpc/test_delegation_plugin.py | 12 ++ tests/test_xmlrpc/test_permission_plugin.py | 57 +++ 3 files changed, 90 insertions(+), 15 deletions(-) diff --git a/ipalib/plugins/aci.py b/ipalib/plugins/aci.py index e87ac9bff09fc87fec6987ae40b0cf1dd353dd3b..f0b81f48af1f9fbf8ab267a3d4b113c328ab1170 100644 --- a/ipalib/plugins/aci.py +++ b/ipalib/plugins/aci.py 
@@ -208,22 +208,24 @@ def _make_aci(ldap, current, aciname, kw): Given a name and a set of keywords construct an ACI. # Do some quick and dirty validation. -t1 = 'type' in kw -t2 = 'filter' in kw -t3 = 'subtree' in kw -t4 = 'targetgroup' in kw -t5 = 'attrs' in kw -t6 = 'memberof' in kw -if t1 + t2 + t3 + t4 1: +checked_args=['type','filter','subtree','targetgroup','attrs','memberof'] +valid={} +for arg in checked_args: +if arg in kw: +valid[arg]=kw[arg] is not None +else: +valid[arg]=False + +if valid['type'] + valid['filter'] + valid['subtree'] + valid['targetgroup'] 1: raise errors.ValidationError(name='target', error=_('type, filter, subtree and targetgroup are mutually exclusive')) if 'aciprefix' not in kw: raise errors.ValidationError(name='aciprefix', error=_('ACI prefix is required')) -if t1 + t2 + t3 + t4 + t5 + t6 == 0: +if sum(valid.itervalues()) == 0: raise errors.ValidationError(name='target', error=_('at least one of: type, filter, subtree, targetgroup, attrs or memberof are required')) -if t2 + t6 1: +if valid['filter'] + valid['memberof'] 1: raise errors.ValidationError(name='target', error=_('filter and memberof are mutually exclusive')) group = 'group' in kw @@ -262,12 +264,16 @@ def _make_aci(ldap, current, aciname, kw): else: dn = entry_attrs['dn'] a.set_bindrule('groupdn = ldap:///%s;' % dn) -if 'attrs' in kw: +if valid['attrs']: a.set_target_attr(kw['attrs']) -if 'memberof' in kw: +if valid['memberof']: +try: +api.Command['group_show'](kw['memberof']) +except errors.NotFound: +api.Object['group'].handle_not_found(kw['memberof']) groupdn = _group_from_memberof(kw['memberof']) a.set_target_filter('memberOf=%s' % groupdn) -if 'filter' in kw: +if valid['filter']: # Test the filter by performing a simple search
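Review bot: the memberof existence check in the second hunk wraps `api.Command['group_show'](kw['memberof'])` in `except errors.NotFound: api.Object['group'].handle_not_found(kw['memberof'])`, which catches a NotFound only to raise an equivalent NotFound (the tests expect `reason='group not found'`, which is what group_show already produces), so the try/except adds nothing. Beyond that, `group_show` runs a complete command (output normalisation and permission handling) just to test existence; a direct `ldap.get_entry(api.Object['group'].get_dn(kw['memberof']), [''])` on the `ldap` handle `_make_aci` already receives is cheaper and fails the same way.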
[Freeipa-devel] [PATCH] 11 Checking and modifying of memberof attribute
https://fedorahosted.org/freeipa/ticket/2255 https://fedorahosted.org/freeipa/ticket/2286 https://fedorahosted.org/freeipa/ticket/2305 Added checking of existence of groups that are specified in permission and delegation module. Also the permission plugin now allows to unset memberof value. Additional unit tests for checking new behaviour were created. -- Regards, Ondrej Hamada FreeIPA team jabber: oh...@jabbim.cz IRC: ohamada From e26c980cffc5703845aeca4dba28dcca0364ab3a Mon Sep 17 00:00:00 2001 From: Ondrej Hamada oham...@redhat.com Date: Mon, 6 Feb 2012 11:04:15 +0100 Subject: [PATCH] Memberof attribute control and update Added checking of existence of groups that are specified in permission and delegation module. https://fedorahosted.org/freeipa/ticket/2286 https://fedorahosted.org/freeipa/ticket/2305 Permission plugin now allows to unset memberof value. https://fedorahosted.org/freeipa/ticket/2255 --- ipalib/plugins/aci.py | 11 - tests/test_xmlrpc/test_delegation_plugin.py | 12 ++ tests/test_xmlrpc/test_permission_plugin.py | 57 +++ 3 files changed, 78 insertions(+), 2 deletions(-) diff --git a/ipalib/plugins/aci.py b/ipalib/plugins/aci.py index e87ac9bff09fc87fec6987ae40b0cf1dd353dd3b..83d43cab8c20ac04b4a546653a682b7860c7d1b4 100644 --- a/ipalib/plugins/aci.py +++ b/ipalib/plugins/aci.py @@ -265,8 +265,15 @@ def _make_aci(ldap, current, aciname, kw): if 'attrs' in kw: a.set_target_attr(kw['attrs']) if 'memberof' in kw: -groupdn = _group_from_memberof(kw['memberof']) -a.set_target_filter('memberOf=%s' % groupdn) +if kw['memberof'] is not None: +try: +api.Command['group_show'](kw['memberof']) +except errors.NotFound: +api.Object['group'].handle_not_found(kw['memberof']) +groupdn = _group_from_memberof(kw['memberof']) +a.set_target_filter('memberOf=%s' % groupdn) +else: +del kw['memberof'] if 'filter' in kw: # Test the filter by performing a simple search on it. The # filter is considered valid if either it returns some entries 
diff --git a/tests/test_xmlrpc/test_delegation_plugin.py b/tests/test_xmlrpc/test_delegation_plugin.py index 1a9c36743d305cc382350db8e866ace21331fc5c..db5f7186527d2e0c6567dd5a727e878144bd3020 100644 --- a/tests/test_xmlrpc/test_delegation_plugin.py +++ b/tests/test_xmlrpc/test_delegation_plugin.py @@ -68,6 +68,18 @@ class test_delegation(Declarative): ), ), +dict( +desc='Try to create %r for non-existing member group' % delegation1, +command=( +'delegation_add', [delegation1], dict( + attrs=u'street,c,l,st,postalCode', + permissions=u'write', + group=u'editors', + memberof=u'nonexisting', +), +), +expected=errors.NotFound(reason='group not found'), +), # Note that we add postalCode but expect postalcode. This tests # the attrs normalizer. diff --git a/tests/test_xmlrpc/test_permission_plugin.py b/tests/test_xmlrpc/test_permission_plugin.py index 50d368197cbc080f40fecf2038ae14337ed78b7c..e8e6bebcd387307f30e4a7bc4d266092b7e41424 100644 --- a/tests/test_xmlrpc/test_permission_plugin.py +++ b/tests/test_xmlrpc/test_permission_plugin.py @@ -500,6 +500,16 @@ class test_permission(Declarative): ) ), +dict( +desc='Try to create permission %r with non-existing memberof' % permission1, +command=( +'permission_add', [permission1], dict( + memberof=u'nonexisting', + permissions=u'write', +) +), +expected=errors.NotFound(reason='group not found'), +), dict( desc='Create memberof permission %r' % permission1, @@ -507,6 +517,7 @@ class test_permission(Declarative): 'permission_add', [permission1], dict( memberof=u'editors', permissions=u'write', + type=u'user', ) ), expected=dict( @@ -518,6 +529,52 @@ class test_permission(Declarative): objectclass=objectclasses.permission, memberof=u'editors', permissions=[u'write'], +type=u'user', +), +), +), + +dict( +desc='Try to update non-existent memberof of %r' % permission1, +command=('permission_mod', [permission1], dict(memberof=u'nonexisting')), +expected=errors.NotFound(reason='group not found'), +), + +dict( +desc='Update memberof
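Review bot: the presence tests quoted in Martin's review (`t6 = 'memberof' in kw`) still count `memberof=None` as present, so with the aci.py hunk a permission-mod that combines `--filter` with an empty `--memberof=` to unset it is rejected as 'filter and memberof are mutually exclusive' before the new `if kw['memberof'] is not None:` branch is ever reached; the None handling belongs in the checks at the top of `_make_aci`, not only at the point of use. In the test_permission hunk, adding `type=u'user'` to the existing 'Create memberof permission' test changes that test's expectations without comment; the reason (once memberof is unset the ACI must still satisfy 'at least one of: type, filter, subtree, targetgroup, attrs or memberof are required') should be stated in the test description or commit message, and a test asserting that error when memberof is the only target would pin the behaviour down.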
Re: [Freeipa-devel] [PATCH] 10 --no-reverse option in ipa-replica-install is not honoured
On 01/26/2012 09:24 AM, Jan Cholasta wrote: Dne 25.1.2012 17:50, Ondrej Hamada napsal(a): https://fedorahosted.org/freeipa/ticket/2161 The option '--no-reverse' was not honoured in replica-install because of wrongly placed condition checking. NACK The --no-reverse options means do not create new reverse zone if there is no existing suitable reverse zone. Your patch changes the semantics of the option to do not use any reverse zone. One problem I see is that the name of the option is misleading. It should probably be changed to --no-new-reverse. Anyway, the ticket should IMO be closed as invalid. It is a case of people not reading documentation and then being surprised why things don't work the way they assumed. Honza According to discussion with jgalipea and rcrit: the option will stay as it is, just the manpages and documentation will be updated. This patch patches the option descriptions in code and in manpages. For documentation update was created a new ticket: https://fedorahosted.org/freeipa/ticket/2330 -- Regards, Ondrej Hamada FreeIPA team jabber: oh...@jabbim.cz IRC: ohamada From 372aa7fd3a656f4092cd27a0cf7bd611f87f0e35 Mon Sep 17 00:00:00 2001 From: Ondrej Hamada oham...@redhat.com Date: Tue, 31 Jan 2012 15:16:56 +0100 Subject: [PATCH] Fix 'no-reverse' option description The description of 'no-reverse' option was fixed in both code and manpages of ipa-replica-install and ipa-dns-install. https://fedorahosted.org/freeipa/ticket/2161 --- install/tools/ipa-dns-install |2 +- install/tools/ipa-replica-install |2 +- install/tools/man/ipa-dns-install.1 |2 +- install/tools/man/ipa-replica-install.1 |2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/install/tools/ipa-dns-install b/install/tools/ipa-dns-install index 98929bdc35dbd4cfde657e7711ed3eee98e1598f..70cc00d33df981a6f57dab56c7598cd35f562fbc 100755 --- a/install/tools/ipa-dns-install +++ b/install/tools/ipa-dns-install 
@@ -48,7 +48,7 @@ def parse_options(): default=False, help=Do not add any DNS forwarders, use root servers instead) parser.add_option(--reverse-zone, dest=reverse_zone, help=The reverse DNS zone to use) parser.add_option(--no-reverse, dest=no_reverse, action=store_true, - default=False, help=Do not create reverse DNS zone) + default=False, help=Do not create new reverse DNS zone) parser.add_option(--zonemgr, action=callback, callback=bindinstance.zonemgr_callback, type=string, help=DNS zone manager e-mail address. Defaults to root) diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install index c1474ecbffc6ac5ccc22b91098dbdb1aa4613f0f..4af0358d86787f177a77b95743afff157a16726e 100755 --- a/install/tools/ipa-replica-install +++ b/install/tools/ipa-replica-install @@ -85,7 +85,7 @@ def parse_options(): default=False, help=Do not add any DNS forwarders, use root servers instead) dns_group.add_option(--reverse-zone, dest=reverse_zone, help=The reverse DNS zone to use) dns_group.add_option(--no-reverse, dest=no_reverse, action=store_true, - default=False, help=Do not create reverse DNS zone) + default=False, help=Do not create new reverse DNS zone) dns_group.add_option(--no-host-dns, dest=no_host_dns, action=store_true, default=False, help=Do not use DNS for hostname lookup during installation) diff --git a/install/tools/man/ipa-dns-install.1 b/install/tools/man/ipa-dns-install.1 index adcab95e0dca9711cb6f3a8f45f62b3bdc26b58c..c9dfbb560355d67404540acddd8c6c3450b6f540 100644 --- a/install/tools/man/ipa-dns-install.1 +++ b/install/tools/man/ipa-dns-install.1 
@@ -44,7 +44,7 @@ Do not add any DNS forwarders, send non\-resolvable addresses to the DNS root se The reverse DNS zone to use .TP \fB\-\-no\-reverse\fR -Do not create reverse DNS zone +Do not create new reverse DNS zone. If used on a replica and a reverse DNS zone already exists for the subnet, it will be used. .TP \fB\-\-zonemgr\fR The e\-mail address of the DNS zone manager. Defaults too root@host.domain diff --git a/install/tools/man/ipa-replica-install.1 b/install/tools/man/ipa-replica-install.1 index f8fa148d076b2e4a53682b1d48e08e57380892d7..074162f0c74207643d3f83e39e15534666899b27 100644 --- a/install/tools/man/ipa-replica-install.1 +++ b/install/tools/man/ipa-replica-install.1 @@ -80,7 +80,7 @@ Do not add any DNS forwarders. Root DNS servers will be used instead. The reverse DNS zone to use .TP \fB\-\-no\-reverse\fR -Do not create reverse DNS zone +Do not create new reverse DNS zone. If a reverse DNS zone already exists for the subnet, it will be used. .TP \fB\-\-no\-host\-dns\fR Do not use DNS for hostname lookup during installation -- 1.7.6.5 ___ Freeipa-devel
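Review bot: the ipa-dns-install.1 hunk says 'If used on a replica and a reverse DNS zone already exists for the subnet, it will be used.', but ipa-dns-install is not a replica tool, so the qualifier looks copied from ipa-replica-install.1; drop 'If used on a replica and' there (the ipa-replica-install.1 hunk already has the right form). The two `help=` strings are changed to just 'Do not create new reverse DNS zone', so users who never open the man page still learn nothing about an existing zone being reused; repeating the second sentence in the `--help` text would address the misunderstanding behind ticket 2161 directly.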
[Freeipa-devel] [PATCH] 10 --no-reverse option in ipa-replica-install is not honoured
https://fedorahosted.org/freeipa/ticket/2161 The option '--no-reverse' was not honoured in replica-install because of wrongly placed condition checking. -- Regards, Ondrej Hamada FreeIPA team jabber: oh...@jabbim.cz IRC: ohamada From 5aa9a2238ee5c32aeebf3c2cabc6aa5c31794822 Mon Sep 17 00:00:00 2001 From: Ondrej Hamada oham...@redhat.com Date: Wed, 25 Jan 2012 16:53:01 +0100 Subject: [PATCH] Honor no-reverse option on replica The option '--no-reverse' was not honored in replica-install because of wrongly placed condition checking. https://fedorahosted.org/freeipa/ticket/2161 --- install/tools/ipa-replica-install | 13 - 1 files changed, 8 insertions(+), 5 deletions(-) diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install index c1474ecbffc6ac5ccc22b91098dbdb1aa4613f0f..4df7b5c0152e2462fae8667e7108cce891f33ef2 100755 --- a/install/tools/ipa-replica-install +++ b/install/tools/ipa-replica-install @@ -206,11 +206,14 @@ def install_bind(config, options): sys.exit(1) reverse_zone = bindinstance.normalize_zone(options.reverse_zone) else: -reverse_zone = bindinstance.find_reverse_zone(config.ip) -if reverse_zone is None and not options.no_reverse: -reverse_zone = bindinstance.get_reverse_zone_default(config.ip) -if not options.unattended and bindinstance.create_reverse(): -reverse_zone = bindinstance.read_reverse_zone(reverse_zone, config.ip) +if not options.no_reverse: +reverse_zone = bindinstance.find_reverse_zone(config.ip) +if reverse_zone is None: +reverse_zone = bindinstance.get_reverse_zone_default(config.ip) +if not options.unattended and bindinstance.create_reverse(): +reverse_zone = bindinstance.read_reverse_zone(reverse_zone, config.ip) +else: +reverse_zone = None if reverse_zone is not None: print Using reverse zone %s % reverse_zone -- 1.7.6.5 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
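Review bot: the restructured block makes `--no-reverse` skip `bindinstance.find_reverse_zone(config.ip)` entirely, so an existing reverse zone is no longer selected; that is the semantic change Jan objects to above. If the intent is "do not create a new zone", keep the `find_reverse_zone` call outside the `if not options.no_reverse:` test and guard only the `get_reverse_zone_default` / `read_reverse_zone` creation path. Separately, the preceding branch that normalises `options.reverse_zone` means `--reverse-zone` combined with `--no-reverse` silently wins; rejecting that combination in parse_options would avoid surprising results.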
[Freeipa-devel] [PATCH] 9 Don't set nsds5replicaupdateschedule in replication agreements
https://fedorahosted.org/freeipa/ticket/1482 The nsDS5ReplicaUpdateSchedule parameter is omitted what results in replication being run all the time. The parameter is still used for forcing replica update but after that action it is always deleted. -- Regards, Ondrej Hamada FreeIPA team jabber: oh...@jabbim.cz IRC: ohamada From f0c0cd98c30c8557a6b8168cab7b5f50e31e9c9a Mon Sep 17 00:00:00 2001 From: Ondrej Hamada oham...@redhat.com Date: Mon, 23 Jan 2012 17:28:37 +0100 Subject: [PATCH] Leave nsds5replicaupdateschedule parameter unset The nsDS5ReplicaUpdateSchedule parameter is omited what results in replication being run all the time. The parameter is still used for forcing replica update but after that action it is always deleted. https://fedorahosted.org/freeipa/ticket/1482 --- ipaserver/install/replication.py | 19 --- 1 files changed, 8 insertions(+), 11 deletions(-) diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py index 3ac99e6bd75f2990be346c14fce424927c6550fa..052f183468e0f65e410174ba3529c53d69fcdbeb 100644 --- a/ipaserver/install/replication.py +++ b/ipaserver/install/replication.py @@ -460,7 +460,6 @@ class ReplicationManager(object): entry.setValues('nsds5replicatimeout', str(TIMEOUT)) entry.setValues('nsds5replicaroot', self.suffix) if master is None: -entry.setValues('nsds5replicaupdateschedule', '-2359 0123456') entry.setValues('nsDS5ReplicatedAttributeList', '(objectclass=*) $ EXCLUDE %s' % .join(excludes)) entry.setValues('description', me to %s % b_hostname) 
@@ -853,22 +852,20 @@ class ReplicationManager(object): dn = entry[0].dn schedule = entry[0].nsds5replicaupdateschedule -if schedule is None: -schedule = '-2359 0123456' # On the remote chance of a match. We force a synch to happen right -# now by changing the schedule to something else and quickly changing -# it back. -if newschedule == schedule: -newschedule = '2358-2359 1' -root_logger.info(Changing agreement %s schedule to %s to force synch % +# now by setting the schedule to something and quickly removing it. +if schedule is not None: +if newschedule == schedule: +newschedule = '2358-2359 1' +root_logger.info(Setting agreement %s schedule to %s to force synch % (dn, newschedule)) mod = [(ldap.MOD_REPLACE, 'nsDS5ReplicaUpdateSchedule', [ newschedule ])] conn.modify_s(dn, mod) time.sleep(1) -root_logger.info(Changing agreement %s to restore original schedule %s % - (dn, schedule)) -mod = [(ldap.MOD_REPLACE, 'nsDS5ReplicaUpdateSchedule', [ schedule ])] +root_logger.info(Deleting schedule %s from agreement %s % + (newschedule, dn)) +mod = [(ldap.MOD_DELETE, 'nsDS5ReplicaUpdateSchedule', None)] conn.modify_s(dn, mod) def get_agreement_type(self, hostname): -- 1.7.6.5 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
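Review bot: in the force_sync hunk the restore step is replaced by `mod = [(ldap.MOD_DELETE, 'nsDS5ReplicaUpdateSchedule', None)]`, which removes the attribute even on agreements where an administrator set a schedule deliberately (the old code restored `schedule`); delete only when `schedule` was None on entry and MOD_REPLACE the original value otherwise. The indentation of the new `if schedule is not None:` is lost in this excerpt; make sure it guards only the `newschedule == schedule` collision check, because if the MOD_REPLACE / sleep / MOD_DELETE sequence sits inside it, force_sync becomes a no-op on every agreement created after the first hunk stops setting `nsds5replicaupdateschedule`, which is all new agreements.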
[Freeipa-devel] [PATCH] 8 localhost.localdomain clients refused to join ipa domain
https://fedorahosted.org/freeipa/ticket/2112 Machines with hostname 'localhost.localdomain' are refused from joining IPA domain and proper error message is shown. -- Regards, Ondrej Hamada FreeIPA team jabber: oh...@jabbim.cz IRC: ohamada From 0d91a4ba654ba47759cdecdd60bc7d938d11313b Mon Sep 17 00:00:00 2001 From: Ondrej Hamada oham...@redhat.com Date: Mon, 16 Jan 2012 12:30:29 +0100 Subject: [PATCH] localhost.localdomain clients refused to join Machines with hostname 'localhost.localdomain' are refused from joining IPA domain and proper error message is shown. https://fedorahosted.org/freeipa/ticket/2112 --- ipa-client/ipa-join.c |6 ++ 1 files changed, 6 insertions(+), 0 deletions(-) diff --git a/ipa-client/ipa-join.c b/ipa-client/ipa-join.c index c174e2c157d0878dedf0d302e547ff176deb9e98..95195535b4611f022df90d1e0e10f7e83b4c6c80 100644 --- a/ipa-client/ipa-join.c +++ b/ipa-client/ipa-join.c @@ -937,6 +937,12 @@ join(const char *server, const char *hostname, const char *bindpw, const char *b goto cleanup; } +if (!strcmp(host, localhost.localdomain)) { +fprintf(stderr, _(The hostname must not be: %s\n), host); +rval = 16; +goto cleanup; +} + if (bindpw) rval = join_ldap(ipaserver, host, hostdn, bindpw, basedn, princ, subject, quiet); else { -- 1.7.6.5 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
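Review bot: `strcmp(host, "localhost.localdomain")` is case-sensitive, so `LOCALHOST.LOCALDOMAIN` (and a bare `localhost`) still reaches `join_ldap(...)` / the `else` branch; use `strcasecmp` and decide whether the short name should be refused as well. The `rval = 16` literal should be a named constant or at least documented next to the other return codes of `join()`, since callers (ipa-client-install) key off it, and the refusal deserves a unit test in the same spirit as the other hostname checks.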
Re: [Freeipa-devel] [PATCH] 7 Ignore srchost option in hbactest
On 01/05/2012 05:40 PM, Alexander Bokovoy wrote:
On Thu, 05 Jan 2012, Ondrej Hamada wrote:
https://fedorahosted.org/freeipa/ticket/2085 The new version of SSSD begins ignoring the sourcehost value of HBAC rules by default. In order to match this behaviour the sourcehost option in hbactest is optional now, but the value of sourcehost is ignored in all rules. Every rule's sourcehost value is set to 'ALL', which turns sourcehost value comparison off. For every such rule a warning is displayed to inform the user about the changes. Also the unit tests for the hbactest plugin were updated. Every test was doubled. The second ones test the plugin without the sourcehost option. They are supposed to have the same result.
Looks OK for me. One possibility to enhance the tests is to verify that the sourcehost-based version also checks that the warning is set to something other than None. ACK
Done. I've also made one modification: warnings appear only when the srchost option is used, and the unit tests check whether they've appeared. I've also updated the text in the docstring to mention the srchost option as optional only. -- Regards, Ondrej Hamada FreeIPA team jabber: oh...@jabbim.cz IRC: ohamada
From 65afccdfc3f4a663f541d26d39963e98e8139093 Mon Sep 17 00:00:00 2001
From: Ondrej Hamada oham...@redhat.com Date: Sat, 7 Jan 2012 20:17:25 +0100 Subject: [PATCH] HBAC test optional sourcehost option New version of SSSD begins ignoring sourcehost value of HBAC rules by default. In order to match this behaviour the sourcehost option in hbactest is optional now, but the value of sourcehost is ignored in all rules. Every rule's sourcehost value is set to 'ALL' what turns sourchost value comparation off. If srchost option is used, warning is displayed to inform the user about changes. Text of plugin help was also updated. Also the unit tests for hbactest plugin were updated. Every test was doubled. The second ones test the plugin without sourcehost option. They are supposed to have the same result. https://fedorahosted.org/freeipa/ticket/2085 --- API.txt |5 +- VERSION |2 +- ipalib/plugins/hbactest.py| 66 --- tests/test_xmlrpc/test_hbactest_plugin.py | 71 + 4 files changed, 115 insertions(+), 29 deletions(-) diff --git a/API.txt b/API.txt index aba3d8aa0250113d137878c97903922ff14ee664..493d5a3ff235e2a6f2599896114365af54086d16 100644 --- a/API.txt +++ b/API.txt @@ -1455,9 +1455,9 @@ output: Output('summary', (type 'unicode', type 'NoneType'), None) output: Entry('result', type 'dict', Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) output: Output('value', type 'unicode', None) command: hbactest -args: 0,8,5 +args: 0,8,6 option: Str('user', cli_name='user', primary_key=True) -option: Str('sourcehost', cli_name='srchost') +option: Str('sourcehost?', cli_name='srchost') option: Str('targethost', cli_name='host') option: Str('service', cli_name='service') option: Str('rules*', cli_name='rules', csv=True) 
@@ -1465,6 +1465,7 @@ option: Flag('nodetail?', autofill=True, cli_name='nodetail', default=False) option: Flag('enabled?', autofill=True, cli_name='enabled', default=False) option: Flag('disabled?', autofill=True, cli_name='disabled', default=False) output: Output('summary', (type 'unicode', type 'NoneType'), None) +output: Output('warning', (type 'list', type 'tuple', type 'NoneType'), None) output: Output('matched', (type 'list', type 'tuple', type 'NoneType'), None) output: Output('notmatched', (type 'list', type 'tuple', type 'NoneType'), None) output: Output('error', (type 'list', type 'tuple', type 'NoneType'), None) diff --git a/VERSION b/VERSION index 081643745c47e78e7739f2b1092be762acd14e5f..b6ef09fc5119d04cc54e031762fa3e21987d2867 100644 --- a/VERSION +++ b/VERSION @@ -79,4 +79,4 @@ IPA_DATA_VERSION=2010061412 # # IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=18 +IPA_API_VERSION_MINOR=19 diff --git a/ipalib/plugins/hbactest.py b/ipalib/plugins/hbactest.py index fbc3dbb2e15076665bf712ce94821d46bf52f6df..f1b608d21a69bbd57577455157d8e78e11a54733 100644 --- a/ipalib/plugins/hbactest.py +++ b/ipalib/plugins/hbactest.py @@ -28,20 +28,21 @@ __doc__ = _( Simulate use of Host-based access controls HBAC rules control who can access what services on what hosts and from where. -You can use HBAC to control which users or groups on a source host can -access a service, or group of services, on a target host. +You can use HBAC to control which users or groups can access a service, +or group of services, on a target host. Since applying HBAC rules implies use of a production environment, this plugin aims to provide simulation of HBAC rules evaluation without having access to the production environment. - Test user coming from source host
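Review bot: in the `API.txt` hunk, `Str('sourcehost?', cli_name='srchost')` keeps accepting a value that the command now always ignores, so the `hbactest.py` docstring hunk should say explicitly that `--srchost` is deprecated and has no effect on the result (the new `warning` output covers interactive CLI use, but XML-RPC callers only ever see the docs). The `args: 0,8,5` to `0,8,6` change is the output count growing for the new `warning` output and matches the `has_output` change, and the `IPA_API_VERSION_MINOR` bump is present, good.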
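The behaviour the patch describes (every rule's sourcehost category treated as ALL, a warning returned only when --srchost was supplied) as an added, self-contained simulation. This is example code written for this page, not FreeIPA's hbactest plugin: it uses plain dicts instead of pyhbac, the rule and request values are constructed here, and the category/member key names mirror the LDAP attribute names only loosely.

```python
"""Toy hbactest: HBAC rule evaluation with sourcehost always ignored.

Added example, not FreeIPA code. Rules are plain dicts; a category
attribute is 'all' or None, members are lists. Sourcehost data is kept
on the rule so the warning path can be shown, but is never evaluated,
which is the change the patch makes to match SSSD.
"""

ALL = "all"

# Constructed sample rules in roughly the shape hbactest reads from LDAP.
RULES = [
    {
        "cn": "allow_sshd_from_bastion",
        "ipaenabledflag": True,
        "usercategory": ALL,
        "hostcategory": ALL,
        "servicecategory": None,
        "memberservice": ["sshd"],
        # this restriction is now ignored by SSSD and by hbactest
        "sourcehostcategory": None,
        "sourcehost": ["bastion.example.test"],
    },
    {
        "cn": "admins_everywhere",
        "ipaenabledflag": True,
        "usercategory": None,
        "memberuser": ["admin"],
        "hostcategory": ALL,
        "servicecategory": ALL,
        "sourcehostcategory": None,
        "sourcehost": [],
    },
]


def _element_matches(rule, element, value):
    """True if the rule's <element>category is ALL or its members list value."""
    if rule.get("%scategory" % element) == ALL:
        return True
    return value in rule.get("member%s" % element, [])


def rule_matches(rule, user, targethost, service):
    """Evaluate one enabled rule; sourcehost is deliberately never consulted."""
    if not rule.get("ipaenabledflag", False):
        return False
    return (_element_matches(rule, "user", user)
            and _element_matches(rule, "host", targethost)
            and _element_matches(rule, "service", service))


def hbactest(rules, user, targethost, service, sourcehost=None):
    """Simulate the command output: matched/notmatched rule names, an overall
    value, and a warning list that is None unless sourcehost was supplied."""
    matched, notmatched = [], []
    for rule in rules:
        (matched if rule_matches(rule, user, targethost, service)
         else notmatched).append(rule["cn"])

    warning = None
    if sourcehost is not None:
        # One general warning, plus one per rule that still carries a
        # sourcehost restriction the user may believe is being applied.
        warning = ["--srchost is ignored: SSSD no longer evaluates sourcehost"]
        warning += ["rule %s: sourcehost restriction not evaluated" % r["cn"]
                    for r in rules if r.get("sourcehost")]

    return {"value": bool(matched), "matched": matched,
            "notmatched": notmatched, "warning": warning}
```

Running `hbactest(RULES, "alice", "web1.example.test", "sshd", sourcehost="laptop.example.test")` matches the first rule even though the request did not come from the bastion, and the returned warning list explains why.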
[Freeipa-devel] [PATCH] 7 Ignore srchost option in hbactest
https://fedorahosted.org/freeipa/ticket/2085 The new version of SSSD begins ignoring the sourcehost value of HBAC rules by default. In order to match this behaviour the sourcehost option in hbactest is optional now, but the value of sourcehost is ignored in all rules. Every rule's sourcehost value is set to 'ALL', which turns sourcehost value comparison off. For every such rule a warning is displayed to inform the user about the changes. Also the unit tests for the hbactest plugin were updated. Every test was doubled. The second ones test the plugin without the sourcehost option. They are supposed to have the same result. -- Regards, Ondrej Hamada FreeIPA team jabber: oh...@jabbim.cz IRC: ohamada
From fd585c817c57596cba1caaee86f41d8b115040e6 Mon Sep 17 00:00:00 2001 From: Ondrej Hamada oham...@redhat.com Date: Thu, 5 Jan 2012 17:03:53 +0100 Subject: [PATCH] HBAC test optional sourcehost option The new version of SSSD begins ignoring the sourcehost value of HBAC rules by default. In order to match this behaviour the sourcehost option in hbactest is optional now, but the value of sourcehost is ignored in all rules. Every rule's sourcehost value is set to 'ALL', which turns sourcehost value comparison off. For every such rule a warning is displayed to inform the user about the changes. Also the unit tests for the hbactest plugin were updated. Every test was doubled. The second ones test the plugin without the sourcehost option. They are supposed to have the same result. https://fedorahosted.org/freeipa/ticket/2085 --- API.txt |5 +- VERSION |2 +- ipalib/plugins/hbactest.py| 35 ++--- tests/test_xmlrpc/test_hbactest_plugin.py | 60 + 4 files changed, 85 insertions(+), 17 deletions(-) diff --git a/API.txt b/API.txt index aba3d8aa0250113d137878c97903922ff14ee664..493d5a3ff235e2a6f2599896114365af54086d16 100644 --- a/API.txt +++ b/API.txt 
@@ -1455,9 +1455,9 @@ output: Output('summary', (type 'unicode', type 'NoneType'), None) output: Entry('result', type 'dict', Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) output: Output('value', type 'unicode', None) command: hbactest -args: 0,8,5 +args: 0,8,6 option: Str('user', cli_name='user', primary_key=True) -option: Str('sourcehost', cli_name='srchost') +option: Str('sourcehost?', cli_name='srchost') option: Str('targethost', cli_name='host') option: Str('service', cli_name='service') option: Str('rules*', cli_name='rules', csv=True) @@ -1465,6 +1465,7 @@ option: Flag('nodetail?', autofill=True, cli_name='nodetail', default=False) option: Flag('enabled?', autofill=True, cli_name='enabled', default=False) option: Flag('disabled?', autofill=True, cli_name='disabled', default=False) output: Output('summary', (type 'unicode', type 'NoneType'), None) +output: Output('warning', (type 'list', type 'tuple', type 'NoneType'), None) output: Output('matched', (type 'list', type 'tuple', type 'NoneType'), None) output: Output('notmatched', (type 'list', type 'tuple', type 'NoneType'), None) output: Output('error', (type 'list', type 'tuple', type 'NoneType'), None) diff --git a/VERSION b/VERSION index 081643745c47e78e7739f2b1092be762acd14e5f..b6ef09fc5119d04cc54e031762fa3e21987d2867 100644 --- a/VERSION +++ b/VERSION @@ -79,4 +79,4 @@ IPA_DATA_VERSION=2010061412 # # IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=18 +IPA_API_VERSION_MINOR=19 diff --git a/ipalib/plugins/hbactest.py b/ipalib/plugins/hbactest.py index fbc3dbb2e15076665bf712ce94821d46bf52f6df..4152507f3ca3fa0a2ccebe0272010839ecd3a56c 100644 --- a/ipalib/plugins/hbactest.py +++ b/ipalib/plugins/hbactest.py 
@@ -139,8 +139,9 @@ def convert_to_ipa_rule(rule): ) for element in structure: category = '%scategory' % (element[0]) -if category in rule and rule[category][0] == u'all': +if (category in rule and rule[category][0] == u'all') or (element[0] == 'sourcehost'): # rule applies to all elements +# sourcehost is always set to 'all' element[4].category = set([pyhbac.HBAC_CATEGORY_ALL]) else: # rule is about specific entities @@ -162,6 +163,7 @@ class hbactest(Command): has_output = ( output.summary, +output.Output('warning', (list, tuple, NoneType), _('Warning')), output.Output('matched', (list, tuple, NoneType), _('Matched rules')), output.Output('notmatched', (list, tuple, NoneType), _('Not matched rules')), output.Output('error', (list, tuple, NoneType), _('Non-existent or invalid rules')), @@ -174,7 +176,7 @@ class hbactest(Command): label=_('User name'), primary_key=True, ), -Str('sourcehost', +Str('sourcehost?', cli_name='srchost
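Review bot: in the `convert_to_ipa_rule` hunk (`@@ -139`), the `or (element[0] == 'sourcehost')` branch forces `HBAC_CATEGORY_ALL` for every rule, so the rule's `sourcehost` members and `sourcehostcategory` are never read; that is the intended SSSD-compatible behaviour, but the commit message says a warning is emitted for every rule, which is noise for callers who never passed `--srchost`. Emit the warning only when the `sourcehost` option was actually supplied, and add a unit test asserting the new `warning` output is not None in that case and is None otherwise. The comment `# sourcehost is always set to 'all'` should also say why (SSSD ignores it), since the next reader will take it for a bug.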
Re: [Freeipa-devel] [PATCH] 5 User-add random password support
On 11/29/2011 10:31 AM, Martin Kosek wrote:
On Thu, 2011-11-24 at 17:51 +0100, Ondrej Hamada wrote:
On 11/24/2011 03:54 PM, Ondrej Hamada wrote:
https://fedorahosted.org/freeipa/ticket/1979 I've used code from ipalib/plugins/host.py to add support for random password generation. The '--random' option is now available in the user-add and user-mod commands. If both the 'password' and 'random' options are used, the 'random' option will be ignored.
Functionally, it works OK. I would just like to propose a few improvements: 1) The minor API version in the VERSION file should be bumped since you add a new option. 2) We should add some tests exercising this new functionality so that we can detect regressions early. 3) (optional) I am thinking that the passwords we generate are not very user friendly. I would love to see a user's face when he is told that his new password is 5QU;8l2%]y? . While this may be OK for host bulk passwords, which are only manipulated by admins, we may want to develop more user friendly passwords in the user plugin. Martin
https://fedorahosted.org/freeipa/ticket/1979 I've used code from ipalib/plugins/host.py to add support for random password generation. The '--random' option is now available in the user-add and user-mod commands. If both the 'password' and 'random' options are used, the 'random' option will be ignored. Two test cases were added to the unit test module test_user_plugin.py; they test creating and modifying a user with a random password. Two fuzzy tests were added: a test for the password (a string that doesn't start or end with whitespace and doesn't contain other whitespace than ' ') and one for an arbitrary string (because of krbextradata). I've slightly modified ipa_generate_password in order to make passwords for users more user-friendly (reduce the number of non-letters). It has two optional parameters now: the first one is the string of characters that should be used for generating the password and the second one is the length of the password. If no parameter is set, default values will be used, so there's no need to modify other plugins that use the random password generator. -- Regards, Ondrej Hamada FreeIPA team jabber: oh...@jabbim.cz IRC: ohamada
From 19ca0f9e64861a10f940492bd2824f7885348a72 Mon Sep 17 00:00:00 2001 From: Ondrej Hamada oham...@redhat.com Date: Fri, 9 Dec 2011 15:41:41 +0100 Subject: [PATCH] User-add random password support I've used code from ipalib/plugins/host.py to add support for random password generation. The '--random' option is now available in the user-add and user-mod commands. If both the 'password' and 'random' options are used, the 'random' option will be ignored. Two test cases were added to the unit test module test_user_plugin.py; they test creating and modifying a user with a random password. Two fuzzy tests were added: a test for the password (a string that doesn't start or end with whitespace and doesn't contain other whitespace than ' ') and one for an arbitrary string (because of krbextradata). I've slightly modified ipa_generate_password in order to make passwords for users more user-friendly (reduce the number of non-letters). It has two optional parameters now: the first one is the string of characters that should be used for generating the password and the second one is the length of the password. If no parameter is set, default values will be used, so there's no need to modify other plugins that use the random password generator. https://fedorahosted.org/freeipa/ticket/1979 --- API.txt |6 +- VERSION |2 +- ipalib/plugins/user.py| 35 + ipapython/ipautil.py | 32 ++-- tests/test_xmlrpc/test_user_plugin.py | 128 - tests/test_xmlrpc/xmlrpc_test.py |7 ++ 6 files changed, 198 insertions(+), 12 deletions(-) diff --git a/API.txt b/API.txt index ed8b5553d25fbf242d49fbb338401dfd27491091..befb484eddd9316b221010c941cbb07d3b9ec3ce 100644 --- a/API.txt +++ b/API.txt 
@@ -2766,7 +2766,7 @@ output: Output('summary', (type 'unicode', type 'NoneType'), None) output: Entry('result', type 'dict', Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) output: Output('value', type 'unicode', None) command: user_add -args: 1,31,3 +args: 1,32,3 arg: Str('uid', attribute=True, cli_name='login', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', pattern_errmsg='may only include letters, numbers, _, -, . and $', primary_key=True, required=True) option: Str('givenname', attribute=True, cli_name='first', multivalue=False, required=True) option: Str('sn', attribute=True, cli_name='last', multivalue=False, required=True) @@ -2779,6 +2779,7 @@ option: Str('loginshell', attribute=True, cli_name='shell', default=u'/bin/sh', option: Str('krbprincipalname', attribute=True, autofill=True, cli_name='principal', multivalue=False, required=False) option: Str('mail', attribute=True, cli_name='email', multivalue=True
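Review bot: the `user_add` option count going from `1,31,3` to `1,32,3` is the new `random` flag, fine, but the documented rule that `--random` is silently ignored when `--password` is also given is a trap: an admin who passes both expects a generated password and instead sets the one typed on the command line (which is also now in shell history). Reject the combination with a validation error (mutually exclusive options) rather than ignoring one of them, and cover that case in `test_user_plugin.py` next to the two new tests.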
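The generator interface the thread describes (a string of allowed characters and a length, with defaults so other plugins need no change), as an added example. This is not FreeIPA's ipa_generate_password; it is written for this page on Python's secrets module, which draws from the OS CSPRNG, and the alphabets, the minimum-character-class rule and the whitespace check are this example's own choices made to match the user-friendliness and fuzzy-test points raised above.

```python
"""Random initial passwords with a configurable alphabet and length.

Added example, not FreeIPA code. generate_password() mirrors the
(chars, length) interface described in the patch; the alphabets below
are constructed so people get a letters-heavy password while a denser
alphabet stays available for bulk host enrolment.
"""
import secrets
import string

# Constructed alphabets (example choices, not the project's defaults).
USER_CHARS = string.ascii_letters + string.digits + "-_.!?"
HOST_CHARS = string.ascii_letters + string.digits + string.punctuation


def generate_password(chars=USER_CHARS, length=12, min_classes=3):
    """Return `length` characters drawn uniformly from `chars` with
    secrets.choice (CSPRNG-backed). Resample until at least `min_classes`
    of the classes lower/upper/digit/other are present, so a short
    password is never a single-class string whatever the alphabet."""
    if length < min_classes:
        raise ValueError("length must be >= min_classes")
    classes = (str.islower, str.isupper, str.isdigit,
               lambda c: not c.isalnum())
    while True:
        pwd = "".join(secrets.choice(chars) for _ in range(length))
        if sum(any(f(c) for c in pwd) for f in classes) >= min_classes:
            return pwd


def is_acceptable_user_password(pwd):
    """The property the patch's fuzzy test checks: no leading or trailing
    whitespace and no whitespace other than a plain space inside."""
    if pwd != pwd.strip():
        return False
    return all((not c.isspace()) or c == " " for c in pwd)
```

Because every character is chosen independently and uniformly with `secrets.choice`, the entropy is simply `length * log2(len(chars))` minus the small amount removed by the class-count resampling; for the 67-character user alphabet at 12 characters that is a little under 73 bits.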
Re: [Freeipa-devel] [PATCH] 6 Sort password policy by priority
On 11/29/2011 08:43 PM, Rob Crittenden wrote:
Ondrej Hamada wrote:
On 11/29/2011 03:46 PM, Ondrej Hamada wrote:
https://fedorahosted.org/freeipa/ticket/2045 'ipa pwpolicy-find' output is now sorted by priority of the policies. A lower position means lower priority. The global policy is then at the bottom. The changes have also affected the LDAPSearch class in baseldap.py: the LDAPSearch class sorts the search results by primary key by default (which is usually 'cn'). Therefore a function pointer entries_sortfn was added. If no sorting function exists, default sorting by primary key is used. The sorting function had to be introduced due to the fact that pwpolicy's primary key is also its 'cn' and the global policy is not allowed to have any priority.
forgot to attach the patch, sorry :-[
Doesn't work with the lite-server due to changing a ReadOnly value. I think you have the right idea, you just need to assign the sorting statically instead of dynamically (it won't change after finalization).
$ ./ipa pwpolicy-add editors --minlife=2 --priority=9 ipa: DEBUG: Created connection context.ldap2 ipa: DEBUG: raw: pwpolicy_add(u'editors', krbminpwdlife=2, cospriority=9, all=False, raw=False, version=u'2.15') ipa: DEBUG: pwpolicy_add(u'editors', krbminpwdlife=2, cospriority=9, all=False, raw=False, version=u'2.15') ipa: DEBUG: raw: cosentry_add(u'editors', krbpwdpolicyreference=u'cn=editors,cn=GREYOAK.COM,cn=kerberos,dc=greyoak,dc=com', cospriority=9) ipa: DEBUG: cosentry_add(u'editors', krbpwdpolicyreference=u'cn=editors,cn=GREYOAK.COM,cn=kerberos,dc=greyoak,dc=com', cospriority=9, all=False, raw=False) ipa: DEBUG: raw: group_show(u'editors', all=True) ipa: DEBUG: group_show(u'editors', rights=False, all=True, raw=False) ipa: DEBUG: raw: cosentry_find(None, cospriority=9) ipa: DEBUG: cosentry_find(None, cospriority=9, all=False, raw=False, pkey_only=False) ipa: ERROR: non-public: AttributeError: locked: cannot set cosentry_find.entries_sortfn to function lambda at 0x7f7abc33ec80 Traceback (most 
recent call last): File /home/rcrit/redhat/freeipa-review/ipaserver/rpcserver.py, line 223, in wsgi_execute result = self.Command[name](*args, **options) File /home/rcrit/redhat/freeipa-review/ipalib/frontend.py, line 438, in __call__ ret = self.run(*args, **options) File /home/rcrit/redhat/freeipa-review/ipalib/frontend.py, line 756, in run return self.execute(*args, **options) File /home/rcrit/redhat/freeipa-review/ipalib/plugins/baseldap.py, line 700, in execute ldap, dn, entry_attrs, attrs_list, *keys, **options File /home/rcrit/redhat/freeipa-review/ipalib/plugins/pwpolicy.py, line 346, in pre_callback cospriority=options.get('cospriority') File /home/rcrit/redhat/freeipa-review/ipalib/frontend.py, line 438, in __call__ ret = self.run(*args, **options) File /home/rcrit/redhat/freeipa-review/ipalib/frontend.py, line 756, in run return self.execute(*args, **options) File /home/rcrit/redhat/freeipa-review/ipalib/plugins/baseldap.py, line 700, in execute ldap, dn, entry_attrs, attrs_list, *keys, **options File /home/rcrit/redhat/freeipa-review/ipalib/plugins/pwpolicy.py, line 127, in pre_callback self.obj.check_priority_uniqueness(*keys, **options) File /home/rcrit/redhat/freeipa-review/ipalib/plugins/pwpolicy.py, line 101, in check_priority_uniqueness cospriority=options['cospriority'] File /home/rcrit/redhat/freeipa-review/ipalib/frontend.py, line 438, in __call__ ret = self.run(*args, **options) File /home/rcrit/redhat/freeipa-review/ipalib/frontend.py, line 756, in run return self.execute(*args, **options) File /home/rcrit/redhat/freeipa-review/ipalib/plugins/baseldap.py, line 1620, in execute self.entries_sortfn=lambda x,y: cmp(x[1][self.obj.primary_key.name][0].lower(), y[1][self.obj.primary_key.name][0].lower()) File /home/rcrit/redhat/freeipa-review/ipalib/base.py, line 131, in __setattr__ SET_ERROR % (self.__class__.__name__, name, value) AttributeError: locked: cannot set cosentry_find.entries_sortfn to function lambda at 0x7f7abc33ec80 ipa: INFO: 
ad...@greyoak.com: pwpolicy_add(u'editors', krbminpwdlife=2, cospriority=9, all=False, raw=False, version=u'2.15'): AttributeError ipa: DEBUG: response: InternalError: an internal error has occurred ipa: DEBUG: Destroyed connection context.ldap2
corrected, patch attached -- Regards, Ondrej Hamada FreeIPA team jabber: oh...@jabbim.cz IRC: ohamada
From 826826626e2c816dda8fa9039157e895e7bc740c Mon Sep 17 00:00:00 2001 From: Ondrej Hamada oham...@redhat.com Date: Fri, 2 Dec 2011 13:51:35 +0100 Subject: [PATCH] Sort password policy by priority 'ipa pwpolicy-find' output is now sorted by priority of the policies. A lower position means lower priority. The global policy is then at the bottom. The changes have also affected the LDAPSearch class in baseldap.py: the LDAPSearch class sorts the search results by primary key by default (which is usually 'cn
Re: [Freeipa-devel] [PATCH] ipa-client-install with --no-sssd option should check for nss_ldap
On 11/29/2011 10:33 PM, Rob Crittenden wrote:
Ondrej Hamada wrote:
On 11/11/2011 02:55 PM, Ondrej Hamada wrote:
https://fedorahosted.org/freeipa/ticket/2063 In order to check the presence of nss_ldap when installing a client with the '--no-sssd' option, code was added to ipa-client-install. The check is based on the existence of nss_ldap configuration files. This configuration could be in 'etc/ldap.conf', '/etc/nss_ldap.conf' or '/etc/libnss_ldap.conf'. Presence of any of these files is considered a success, otherwise a failure.
I've rewritten it. Additionally it checks for the existence of nss-pam-ldapd and makes the results reusable by the configure_{ldap|nslcd}_conf() functions.
https://fedorahosted.org/freeipa/ticket/2063 In order to check the presence of nss_ldap or nss-pam-ldapd when installing a client with the '--no-sssd' option, code was added to ipa-client-install. Checking is based on the existence of nss_ldap configuration files. This configuration could be in 'etc/ldap.conf', '/etc/nss_ldap.conf' or '/etc/libnss_ldap.conf'. Optionally nss_ldap could cooperate with the pam_ldap module, and hence its presence is checked by looking for the 'pam_ldap.conf' file. Existence of nss-pam-ldapd is checked against the existence of the 'nslcd.conf' file. All this checking is done by the function nssldap_exists(). Because both main modules are maintained by two different functions, the function returns a tuple containing a return code and a dictionary structure: its key is the name of the target function and its value is a list of existing configuration files. Files to check are specified inside the nssldap_exists() function. In order to fit the returned values, the functions configure_{ldap|nslcd}_conf() were slightly modified. They accept one more parameter, which is the list of existing files. They are not checking the existence of the above mentioned files anymore.
The patch looks good, just a couple of issues. 1. In the nslcd configurator you add ''.join(files). Did you mean ','.join(files)? 2. The commit message lines wrap making it difficult to read. Can you limit the lines to ~70 chars per line? 3. I think the message printed when neither package is available can be simplified to: One of these packages must be installed: nss_ldap or nss-pam-ldapd It needs a rebase too. rob
corrected, corrected, changed, rebased
In order to check the presence of nss_ldap or nss-pam-ldapd when installing a client with the '--no-sssd' option, code was added to ipa-client-install. Checking is based on the existence of one of the nss_ldap configuration files. This configuration could be in 'etc/ldap.conf', '/etc/nss_ldap.conf' or '/etc/libnss_ldap.conf'. Optionally nss_ldap could cooperate with the pam_ldap module, and hence its presence is checked by looking for the 'pam_ldap.conf' file. Existence of nss-pam-ldapd is checked against the existence of the 'nslcd.conf' file. All this checking is done by the function nssldap_exists(). Because both modules are maintained by two different functions, the function returns a tuple containing a return code and a dictionary structure: its key is the name of the target function and its value is a list of existing configuration files. Files to check are specified inside the nssldap_exists() function. In order to fit the returned values, the functions configure_{ldap|nslcd}_conf() were slightly modified. They accept one more parameter, which is the list of existing files. They are not checking the existence of the above mentioned files anymore. https://fedorahosted.org/freeipa/ticket/2063 -- Regards, Ondrej Hamada FreeIPA team jabber: oh...@jabbim.cz IRC: ohamada
From e855cf4a544ba9b3fd69df3d5d5837dab005ee12 Mon Sep 17 00:00:00 2001 From: Ondrej Hamada oham...@redhat.com Date: Thu, 1 Dec 2011 13:03:34 +0100 Subject: [PATCH] Client install checks for nss_ldap In order to check the presence of nss_ldap or nss-pam-ldapd when installing a client with the '--no-sssd' option, code was added to ipa-client-install. Checking is based on the existence of one of the nss_ldap configuration files. This configuration could be in 'etc/ldap.conf', '/etc/nss_ldap.conf' or '/etc/libnss_ldap.conf'. Optionally nss_ldap could cooperate with the pam_ldap module, and hence its presence is checked by looking for the 'pam_ldap.conf' file. Existence of nss-pam-ldapd is checked against the existence of the 'nslcd.conf' file. All this checking is done by the function nssldap_exists(). Because both modules are maintained by two different functions, the function returns a tuple containing a return code and a dictionary structure: its key is the name of the target function and its value is a list of existing configuration files. Files to check are specified inside the nssldap_exists() function. In order to fit the returned values, the functions configure_{ldap|nslcd}_conf() were slightly modified. They accept one more parameter, which is the list of existing files. They are not checking existence
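The check the thread describes, as an added example that is not the ipa-client-install code from the patch (that code is not shown on this page). It returns the same shape the message describes, a status plus a dict keyed by the name of the configure function that should consume each file list. The file paths are the ones named in the thread; placing pam_ldap.conf under /etc and grouping it with the nss_ldap files, the `root` parameter, and the helper that builds a throw-away directory tree are this example's assumptions so that it can be exercised without touching a real client.

```python
"""Detect nss_ldap / nss-pam-ldapd configuration before a --no-sssd install.

Added example, not FreeIPA code. nssldap_exists() returns
(found, {configurator_name: [existing files]}) so each configurator
receives only the files that are actually present and does not need to
re-check them, which is the interface described in the patch message.
"""
import os
import tempfile

# Candidate files per back end, keyed by the function that will use them.
# /etc/pam_ldap.conf being grouped with nss_ldap is an assumption here.
NSS_LDAP_CANDIDATES = {
    "configure_ldap_conf": ["/etc/ldap.conf", "/etc/nss_ldap.conf",
                            "/etc/libnss_ldap.conf", "/etc/pam_ldap.conf"],
    "configure_nslcd_conf": ["/etc/nslcd.conf"],
}


def nssldap_exists(root="/"):
    """Return (found, files). found is True when at least one back end has a
    configuration file; files maps configurator name -> existing paths, in
    candidate order. `root` is prefixed to every path so the check can be
    run against a constructed tree instead of the live system."""
    files = {}
    for configurator, candidates in NSS_LDAP_CANDIDATES.items():
        present = [p for p in candidates
                   if os.path.isfile(os.path.join(root, p.lstrip("/")))]
        if present:
            files[configurator] = present
    return bool(files), files


def missing_backend_message():
    """Error text for the neither-installed case, in the wording suggested
    during review on this page."""
    return "One of these packages must be installed: nss_ldap or nss-pam-ldapd"


def make_client_root(existing):
    """Build a throw-away directory tree containing the given absolute paths
    as empty files (constructed input for trying the check offline)."""
    root = tempfile.mkdtemp()
    for p in existing:
        full = os.path.join(root, p.lstrip("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        open(full, "w").close()
    return root
```

On a real client the caller runs `found, files = nssldap_exists()` and, when `found` is False, prints `missing_backend_message()` and aborts before any LDAP or Kerberos configuration is written; when it is True, each configurator is called with `files[its_name]`.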
[Freeipa-devel] [PATCH] 6 Sort password policy by priority
https://fedorahosted.org/freeipa/ticket/2045 'ipa pwpolicy-find' output is now sorted by priority of the policies. A lower position means lower priority. The global policy is then at the bottom. The changes have also affected the LDAPSearch class in baseldap.py: the LDAPSearch class sorts the search results by primary key by default (which is usually 'cn'). Therefore a function pointer entries_sortfn was added. If no sorting function exists, default sorting by primary key is used. The sorting function had to be introduced due to the fact that pwpolicy's primary key is also its 'cn' and the global policy is not allowed to have any priority. -- Regards, Ondrej Hamada FreeIPA team jabber: oh...@jabbim.cz IRC: ohamada
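The ordering this message describes (group policies by CoS priority, global policy always last) as an added example. It is not FreeIPA's pwpolicy plugin: it is written for this page as a key function rather than a cmp-style comparator, so it runs under Python 3 and needs nothing assigned on a plugin instance at run time, and it handles an entry without cospriority instead of raising. The global policy name and the (dn, attrs) entries are constructed for the example.

```python
"""Order password-policy search results by CoS priority, global policy last.

Added example, not FreeIPA code. Entries use the (dn, attrs) shape that
LDAPSearch hands to its callbacks, with every attribute value a list.
"""

GLOBAL_POLICY_NAME = "global_policy"   # assumed name, as in the page's plugin

# Constructed sample of what a pwpolicy-find search could return.
ENTRIES = [
    ("cn=global_policy,cn=REALM,cn=kerberos,dc=example,dc=test",
     {"cn": ["global_policy"], "krbminpwdlife": ["1"]}),
    ("cn=editors,cn=REALM,cn=kerberos,dc=example,dc=test",
     {"cn": ["editors"], "cospriority": ["9"]}),
    ("cn=admins,cn=REALM,cn=kerberos,dc=example,dc=test",
     {"cn": ["admins"], "cospriority": ["1"]}),
    # a group policy that somehow lacks a priority must not crash the sort
    ("cn=broken,cn=REALM,cn=kerberos,dc=example,dc=test",
     {"cn": ["broken"]}),
]


def priority_key(entry):
    """Sort key (is_global, priority, cn).

    Global policy sorts last. Group policies ascend by cospriority, the
    389-ds CoS convention where a lower number wins. An entry with no
    usable cospriority goes after all numbered ones but before global,
    and cn breaks ties so the output order is deterministic."""
    attrs = entry[1]
    cn = attrs["cn"][0]
    if cn == GLOBAL_POLICY_NAME:
        return (1, 0, cn)
    raw = attrs.get("cospriority", [None])[0]
    try:
        return (0, int(raw), cn)
    except (TypeError, ValueError):
        return (0, float("inf"), cn)


def sort_policies(entries):
    """Return a new list ordered as pwpolicy-find should display it."""
    return sorted(entries, key=priority_key)


def policy_names(entries):
    """Convenience: the cn values in display order."""
    return [e[1]["cn"][0] for e in sort_policies(entries)]
```

Because the key is a pure function of the entry, the search command can keep it as a class-level attribute (or a module-level function) and call `entries.sort(key=...)` inside `execute` without mutating the plugin object, which is the constraint the lite-server traceback later in this thread points at.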
Re: [Freeipa-devel] [PATCH] 6 Sort password policy by priority
On 11/29/2011 03:46 PM, Ondrej Hamada wrote:
https://fedorahosted.org/freeipa/ticket/2045 'ipa pwpolicy-find' output is now sorted by priority of the policies. A lower position means lower priority. The global policy is then at the bottom. The changes have also affected the LDAPSearch class in baseldap.py: the LDAPSearch class sorts the search results by primary key by default (which is usually 'cn'). Therefore a function pointer entries_sortfn was added. If no sorting function exists, default sorting by primary key is used. The sorting function had to be introduced due to the fact that pwpolicy's primary key is also its 'cn' and the global policy is not allowed to have any priority.
forgot to attach the patch, sorry :-[ -- Regards, Ondrej Hamada FreeIPA team jabber: oh...@jabbim.cz IRC: ohamada
From 8078a025aaa68fb55482bfe7b3c410773d0583d4 Mon Sep 17 00:00:00 2001 From: Ondrej Hamada oham...@redhat.com Date: Tue, 29 Nov 2011 15:18:48 +0100 Subject: [PATCH] Sort password policy by priority 'ipa pwpolicy-find' output is now sorted by priority of the policies. A lower position means lower priority. The global policy is then at the bottom. The changes have also affected the LDAPSearch class in baseldap.py: the LDAPSearch class sorts the search results by primary key by default (which is usually 'cn'). Therefore a function pointer entries_sortfn was added. If no sorting function exists, default sorting by primary key is used. The sorting function had to be introduced due to the fact that pwpolicy's primary key is also its 'cn' and the global policy is not allowed to have any priority. https://fedorahosted.org/freeipa/ticket/2045 --- ipalib/plugins/baseldap.py | 12 +--- ipalib/plugins/pwpolicy.py | 13 + 2 files changed, 22 insertions(+), 3 deletions(-) diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py index 4fd5fe4a1e7ff2d8fac7d3a65379b4ae0c5eb554..f35412f0abef6c1a6ca6881e0b475ee2e54e8d28 100644 --- a/ipalib/plugins/baseldap.py +++ b/ipalib/plugins/baseldap.py 
@@ -1434,6 +1434,9 @@ class LDAPSearch(CallbackInterface, crud.Search): member_param_incl_doc = _('Search for %s with these %s %s.') member_param_excl_doc = _('Search for %s without these %s %s.') +# if True, self.execute function won't sort the entries by 'cn' value +entries_sortfn = None + takes_options = ( Int('timelimit?', label=_('Time Limit'), @@ -1612,9 +1615,12 @@ class LDAPSearch(CallbackInterface, crud.Search): else: callback(self, ldap, entries, truncated, *args, **options) -if self.obj.primary_key: -sortfn=lambda x,y: cmp(x[1][self.obj.primary_key.name][0].lower(), y[1][self.obj.primary_key.name][0].lower()) -entries.sort(sortfn) +if not self.entries_sortfn: +if self.obj.primary_key: +self.entries_sortfn=lambda x,y: cmp(x[1][self.obj.primary_key.name][0].lower(), y[1][self.obj.primary_key.name][0].lower()) +entries.sort(self.entries_sortfn) +else: +entries.sort(self.entries_sortfn) if not options.get('raw', False): for e in entries: diff --git a/ipalib/plugins/pwpolicy.py b/ipalib/plugins/pwpolicy.py index db42bca0424da34bc17b7df376d529bd60f55751..0f9175eb9691470ba94f4fcbbc2e4b76e5c0a199 100644 --- a/ipalib/plugins/pwpolicy.py +++ b/ipalib/plugins/pwpolicy.py @@ -455,7 +455,20 @@ api.register(pwpolicy_show) class pwpolicy_find(LDAPSearch): __doc__ = _('Search for group password policies.') +def sort_priority(self,x,y): +# global policy will be always last in the output +if x[1]['cn'][0] == global_policy_name: +return 1 +elif y[1]['cn'][0] == global_policy_name: +return -1 +else: +# policies with higher priority will be at the beginning of the list +return cmp(int(x[1]['cospriority'][0]), int(y[1]['cospriority'][0])) + +entries_sortfn = sort_priority + def post_callback(self, ldap, entries, truncated, *args, **options): + if options.get('pkey_only', False): return False for e in entries: -- 1.7.6.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
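Review bot: in the `@@ -1434` hunk the comment on the new class attribute (`# if True, self.execute function won't sort the entries by 'cn' value`) does not describe it: `entries_sortfn` is a comparison function or `None`, not a boolean, and when set it replaces the default primary-key sort rather than disabling sorting. Reword it to say that, and mention that subclasses set it at class level.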
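Review bot: in the `@@ -1612` hunk, `self.entries_sortfn = lambda x,y: ...` inside `execute` assigns to a finalized plugin instance, which `ipalib.base` locks after construction; that is exactly the `AttributeError: locked: cannot set cosentry_find.entries_sortfn` traceback reported earlier in this thread, and it hits every `LDAPSearch` subclass that does not define its own sort function. Compute the default into a local instead, e.g. `sortfn = self.entries_sortfn or (lambda x, y: cmp(...))`, and call `entries.sort(sortfn)` once; that also removes the duplicated `entries.sort(self.entries_sortfn)` in both branches.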
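Review bot: in the `pwpolicy.py` hunk (`@@ -455`), `sort_priority` does `int(x[1]['cospriority'][0])` for every non-global entry, so a policy entry that lacks `cospriority`, or a `pkey_only` search where only `cn` is returned, may raise `KeyError` from inside the sort, after `post_callback` has already returned. Use `.get('cospriority', ...)` with a defined fallback position, or skip the priority sort when `options.get('pkey_only')` is set. The extra blank line added at the top of `post_callback` looks accidental.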
[Freeipa-devel] [PATCH] 5 User-add random password support
https://fedorahosted.org/freeipa/ticket/1979 I've used code from ipalib/plugins/host.py to add support for random password generation. The '--random' option is now available in user-add and user-mod commands. If both the 'password' and 'random' options are used the 'random' option will be ignored. -- Regards, Ondrej Hamada FreeIPA team jabber: oh...@jabbim.cz IRC: ohamada From 5787f847de123f1426080830db138ac88bc83751 Mon Sep 17 00:00:00 2001 From: Ondrej Hamada oham...@redhat.com Date: Thu, 24 Nov 2011 15:39:22 +0100 Subject: [PATCH] User-add random password support I've used code from ipalib/plugins/host.py to add support for random password generation. The '--random' option is now available in user-add and user-mod commands. If both the 'password' and 'random' options are used - the 'random' option will be ignored. https://fedorahosted.org/freeipa/ticket/1979 --- API.txt|6 -- ipalib/plugins/user.py | 29 + 2 files changed, 33 insertions(+), 2 deletions(-) diff --git a/API.txt b/API.txt index 135b07908f08e20fba3391bbd8ad13252ea55b47..ffed0c2452fa01d6daeeafd74212cd2b0af4ad83 100644 --- a/API.txt +++ b/API.txt @@ -2741,7 +2741,7 @@ output: Output('summary', (type 'unicode', type 'NoneType'), None) output: Entry('result', type 'dict', Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) output: Output('value', type 'unicode', None) command: user_add -args: 1,31,3 +args: 1,32,3 arg: Str('uid', attribute=True, cli_name='login', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', pattern_errmsg='may only include letters, numbers, _, -, . and $', primary_key=True, required=True) option: Str('givenname', attribute=True, cli_name='first', multivalue=False, required=True) option: Str('sn', attribute=True, cli_name='last', multivalue=False, required=True) 
@@ -2754,6 +2754,7 @@ option: Str('loginshell', attribute=True, cli_name='shell', default=u'/bin/sh', option: Str('krbprincipalname', attribute=True, autofill=True, cli_name='principal', multivalue=False, required=False) option: Str('mail', attribute=True, cli_name='email', multivalue=True, required=False) option: Password('userpassword', attribute=True, cli_name='password', exclude='webui', multivalue=False, required=False) +option: Flag('random', attribute=False, autofill=True, cli_name='random', default=False, multivalue=False, required=False) option: Int('uidnumber', attribute=True, autofill=True, cli_name='uid', default=999, minvalue=1, multivalue=False, required=False) option: Int('gidnumber', attribute=True, cli_name='gidnumber', multivalue=False, required=False) option: Str('street', attribute=True, cli_name='street', multivalue=False, required=False) @@ -2847,7 +2848,7 @@ output: ListOfEntries('result', (type 'list', type 'tuple'), Gettext('A list output: Output('count', type 'int', None) output: Output('truncated', type 'bool', None) command: user_mod -args: 1,31,3 +args: 1,32,3 arg: Str('uid', attribute=True, cli_name='login', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', pattern_errmsg='may only include letters, numbers, _, -, . and $', primary_key=True, query=True, required=True) option: Str('givenname', attribute=True, autofill=False, cli_name='first', multivalue=False, required=False) option: Str('sn', attribute=True, autofill=False, cli_name='last', multivalue=False, required=False) 
@@ -2859,6 +2860,7 @@ option: Str('gecos', attribute=True, autofill=False, cli_name='gecos', multivalu option: Str('loginshell', attribute=True, autofill=False, cli_name='shell', default=u'/bin/sh', multivalue=False, required=False) option: Str('mail', attribute=True, autofill=False, cli_name='email', multivalue=True, required=False) option: Password('userpassword', attribute=True, autofill=False, cli_name='password', exclude='webui', multivalue=False, required=False) +option: Flag('random', attribute=False, autofill=True, cli_name='random', default=False, multivalue=False, required=False) option: Int('uidnumber', attribute=True, autofill=False, cli_name='uid', default=999, minvalue=1, multivalue=False, required=False) option: Int('gidnumber', attribute=True, autofill=False, cli_name='gidnumber', multivalue=False, required=False) option: Str('street', attribute=True, autofill=False, cli_name='street', multivalue=False, required=False) diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py index d3e63ef9a7bcf98d0bd34396b144134be38c17c3..f719efed1bba4dbb98a7a6289c6039bf21ef4e07 100644 --- a/ipalib/plugins/user.py +++ b/ipalib/plugins/user.py @@ -25,6 +25,7 @@ from ipalib.request import context from time import gmtime, strftime import copy from ipalib import _, ngettext +from ipapython.ipautil import ipa_generate_password __doc__ = _( Users @@ -237,6 +238,15 @@ class user(LDAPObject): # bomb out via the webUI. exclude='webui
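Review bot: the commit message says that when both 'password' and 'random' are given the 'random' option is silently ignored; silently dropping an explicit flag hides operator mistakes (an admin who meant to generate a fresh random password gets the typed one instead). Rejecting the combination with a validation error, or at least stating the precedence in the `Flag('random', ...)` doc text added to API.txt, is the safer behaviour; the user.py hunk (@@ -237,6 +238,15 @@) that should implement this precedence is cut off here, so the logic itself could not be checked.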
[Freeipa-devel] [PATCH] 4 ipa-client-install fails when not run as root
https://fedorahosted.org/freeipa/ticket/2123 ipa-client-install was failing and returning traceback when wasn't run by root. It was caused by logging initialization that was taking part before the root privileges check. To correct it, the privileges check was moved before the logging initialization. -- Regards, Ondrej Hamada FreeIPA team jabber: oh...@jabbim.cz IRC: ohamada From f7a53fa52cd2e757a183015d17b6d5c4d8dae08d Mon Sep 17 00:00:00 2001 From: Ondrej Hamada oham...@redhat.com Date: Fri, 18 Nov 2011 13:55:16 +0100 Subject: [PATCH] Client install root privileges check ipa-client-install was failing and returning traceback when wasn't run by root. It was caused by logging initialization that was taking part before the root privileges check. To correct it, the check was moved before the logging initialization. https://fedorahosted.org/freeipa/ticket/2123 --- ipa-client/ipa-install/ipa-client-install |4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index cdea6dbe6fbbdca608ad8e858cf9fa042f7de9d1..9f7d3fd33bab5e9cc7748ffc0601d6e2f88bc24b 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -1250,11 +1250,11 @@ def install(options, env, fstore, statestore): def main(): safe_options, options = parse_options() +if not os.getegid() == 0: +sys.exit(\nYou must be root to run ipa-client-install.\n) logging_setup(options) logging.debug('%s was invoked with options: %s' % (sys.argv[0], safe_options)) logging.debug(missing options might be asked for interactively later\n) -if not os.getegid() == 0: -sys.exit(\nYou must be root to run ipa-client-install.\n) env={PATH:/bin:/sbin:/usr/kerberos/bin:/usr/kerberos/sbin:/usr/bin:/usr/sbin} -- 1.7.6.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
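Review bot: the relocated check tests `os.getegid() == 0`, i.e. the effective group id, while the message says the user must be root; `os.geteuid() == 0` is the correct test, because a process can carry gid 0 without being uid 0 (and root can run with a non-zero egid). The hunk only moves pre-existing code, but since it is being touched this is the moment to fix it. Moving the check ahead of `logging_setup(options)` is the right fix for the traceback itself.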
Re: [Freeipa-devel] [PATCH] ipa-client-install with --no-sssd option should check for nss_ldap
On 11/11/2011 02:55 PM, Ondrej Hamada wrote: https://fedorahosted.org/freeipa/ticket/2063 In order to check presence of nss_ldap when installing client with '--no-sssd' option code was added into ipa-client-install. Check is based on existence of nss_ldap configuration files. This configuration could be in 'etc/ldap.conf', '/etc/nss_ldap.conf' or '/etc/libnss_ldap.conf'. Presence of any of these files is considered as success otherwise failure.

I've rewritten it. Additionally it checks for existence of nss-pam-ldapd and makes the results reusable by configure_{ldap|nslcd}_conf() functions.

https://fedorahosted.org/freeipa/ticket/2063 In order to check presence of nss_ldap or nss-pam-ldapd when installing client with '--no-sssd' option code was added into ipa-client-install. Checking is based on existence of nss_ldap configuration files. This configuration could be in 'etc/ldap.conf', '/etc/nss_ldap.conf' or '/etc/libnss_ldap.conf'. Optionally the nss_ldap could cooperate with pam_ldap module and hence the presence of it is checked by looking for 'pam_ldap.conf' file. Existence of nss-pam-ldapd is checked against existence of 'nslcd.conf' file. All this checking is done by function nssldap_exists(). Because both main modules are maintained by two different functions, the function returns a tuple containing return code and dictionary structure - its key is name of target function and value is list of existing configuration files. Files to check are specified inside the nssldap_exists() function. In order to fit the returned values, the functions configure_{ldap|nslcd}_conf() were slightly modified. They accept one more parameter which is list of existing files. They are not checking existence of above mentioned files anymore.

-- Regards, Ondrej Hamada FreeIPA team jabber: oh...@jabbim.cz IRC: ohamada
From 82483a006bd99ce4d021b7b93ab7e828cb788c7a Mon Sep 17 00:00:00 2001 From: Ondrej Hamada oham...@redhat.com Date: Mon, 14 Nov 2011 16:45:36 +0100 Subject: [PATCH] Client install checks for nss_ldap In order to check presence of nss_ldap or nss-pam-ldapd when installing client with '--no-sssd' option code was added into ipa-client-install. Checking is based on existence of nss_ldap configuration files. This configuration could be in 'etc/ldap.conf', '/etc/nss_ldap.conf' or '/etc/libnss_ldap.conf'. Optionally the nss_ldap could cooperate with pam_ldap module and hence the presence of it is checked by looking for 'pam_ldap.conf' file. Existence of nss-pam-ldapd is checked against existence of 'nslcd.conf' file. All this checking is done by function nssldap_exists(). Because both main modules are maintained by two different functions, the function returns a tuple containing return code and dictionary structure - its key is name of target function and value is list of existing configuration files. Files to check are specified inside the nssldap_exists() function. In order to fit the returned values, the functions configure_{ldap|nslcd}_conf() were slightly modified. They accept one more parameter which is list of existing files. They are not checking existence of above mentioned files anymore. https://fedorahosted.org/freeipa/ticket/2063 --- ipa-client/ipa-install/ipa-client-install | 60 - 1 files changed, 42 insertions(+), 18 deletions(-) diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index cdea6dbe6fbbdca608ad8e858cf9fa042f7de9d1..65537da21890365e29370f9af76edf93317b5154 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install
@@ -402,6 +402,26 @@ def uninstall(options, env, quiet=False): return 0 +def nssldap_exists(): +files_to_check = [{'function':'configure_ldap_conf', 'mandatory':['/etc/ldap.conf','/etc/nss_ldap.conf','/etc/libnss-ldap.conf'], 'optional':['/etc/pam_ldap.conf']}, + {'function':'configure_nslcd_conf', 'mandatory':['/etc/nslcd.conf']}] +files_found = {} +retval = 1 + +for function in files_to_check: +files_found[function['function']]=[] +for file_type in ['mandatory','optional']: +try: +for filename in function[file_type]: +if file_exists(filename): +files_found[function['function']].append(filename) +if file_type == 'mandatory': +retval = 0 +except KeyError: +pass + +return (retval, files_found) + def configure_ipa_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server): ipaconf = ipaclient.ipachangeconf.IPAChangeConf(IPA Installer) ipaconf.setOptionAssignment( = ) @@ -428,7 +448,7 @@ def configure_ipa_conf(fstore, cli_basedn, cli_realm
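Review bot: the mandatory list in `nssldap_exists` names '/etc/libnss-ldap.conf' (hyphen) while the commit message names '/etc/libnss_ldap.conf' (underscore); one of the two is wrong and they should be reconciled. The `except KeyError: pass` is wider than its purpose: it is meant to skip the missing 'optional' key of the nslcd entry but will also swallow a KeyError raised anywhere inside the inner loop, so `function.get(file_type, [])` expresses the intent without masking errors. A return code where 0 means "found" is also easy to misread at the call sites; a boolean is clearer. Finally, note that a configuration file left behind by a removed package still counts as "installed" here: the check proves that configuration exists, not that the NSS module is present.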
[Freeipa-devel] [PATCH] ipa-client-install with --no-sssd option should check for nss_ldap
https://fedorahosted.org/freeipa/ticket/2063 In order to check presence of nss_ldap when installing client with '--no-sssd' option code was added into ipa-client-install. Check is based on existence of nss_ldap configuration files. This configuration could be in 'etc/ldap.conf', '/etc/nss_ldap.conf' or '/etc/libnss_ldap.conf'. Presence of any of these files is considered as success otherwise failure. -- Regards, Ondrej Hamada FreeIPA team jabber: oh...@jabbim.cz IRC: ohamada From 741e6da0531986ed32f4e3ef0fbb53e5fbd5ee44 Mon Sep 17 00:00:00 2001 From: Ondrej Hamada oham...@redhat.com Date: Fri, 11 Nov 2011 14:03:30 +0100 Subject: [PATCH] Client install checks for nss_ldap In order to check presence of nss_ldap when installing client with '--no-sssd' option code was added into ipa-client-install. Check is based on existence of nss_ldap configuration files. This configuration could be in 'etc/ldap.conf', '/etc/nss_ldap.conf' or '/etc/libnss_ldap.conf'. Presence of any of these files is considered as success otherwise failure and installation is aborted with proper error message. https://fedorahosted.org/freeipa/ticket/2063 --- ipa-client/ipa-install/ipa-client-install | 11 +++ 1 files changed, 11 insertions(+), 0 deletions(-) diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index cdea6dbe6fbbdca608ad8e858cf9fa042f7de9d1..362f167307189fab746478b2362dfe685241a4ee 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install
@@ -870,6 +870,17 @@ def install(options, env, fstore, statestore): print 'Invalid hostname \'%s\', must be lower-case.' % hostname return CLIENT_INSTALL_ERROR +# When --no-sssd option set, there must be nss_ldap module installed. +if not options.sssd: +nss_ldap = False +for filename in ['/etc/ldap.conf', '/etc/nss_ldap.conf', '/etc/libnss-ldap.conf']: +if file_exists(filename): +nss_ldap = True +break +if not nss_ldap: +print sys.stderr, 'nss_ldap' not installed +return CLIENT_INSTALL_ERROR + # Create the discovery instance ds = ipadiscovery.IPADiscovery() -- 1.7.6.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
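Review bot: as it appears in the hunk, `print sys.stderr, 'nss_ldap' not installed` writes the stream object and the message to stdout rather than to stderr; the Python 2 form is `print >> sys.stderr, "'nss_ldap' not installed"`, and the message should list the files that were looked for so the admin knows how to satisfy the check. The file list also uses '/etc/libnss-ldap.conf' while the commit message says '/etc/libnss_ldap.conf'; they should agree. The missing nslcd.conf case is already raised by Rob and Alexander elsewhere in this thread.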
Re: [Freeipa-devel] [PATCH] ipa-client-install with --no-sssd option should check for nss_ldap
On 11/11/2011 03:25 PM, Alexander Bokovoy wrote: On Fri, 11 Nov 2011, Rob Crittenden wrote: Ondrej Hamada wrote: https://fedorahosted.org/freeipa/ticket/2063 In order to check presence of nss_ldap when installing client with '--no-sssd' option code was added into ipa-client-install. Check is based on existence of nss_ldap configuration files. This configuration could be in 'etc/ldap.conf', '/etc/nss_ldap.conf' or '/etc/libnss_ldap.conf'. Presence of any of these files is considered as success otherwise failure.

I think we should check for nslcd.conf as well and report that neither nss-ldap nor nss-pam-ldapd are installed.

We have already code in configure_ldap_config() and configure_nslcd_conf that checks all these different files and after configuration reports what was configured. I would rather do a commonalization of detection instead of duplicating the code. We can re-use result of detecting what exists later in configure_{ldap,nslcd}_config().

I'll do it, but I have a question: configure_ldap_config() also checks whether file 'pam_ldap.conf' exists. Is installed pam_ldap package without nss_ldap enough to allow ipa-client installation with --no-sssd option? -- Regards, Ondrej Hamada FreeIPA team jabber: oh...@jabbim.cz IRC: ohamada
Re: [Freeipa-devel] [PATCH] the 'Keytab:' field in ipa user-show output is misleading
On 11/10/2011 10:30 AM, Martin Kosek wrote: On Tue, 2011-11-08 at 20:41 +0100, Ondrej Hamada wrote: https://fedorahosted.org/freeipa/ticket/1961 The 'Keytab' field in output of all 'user-*' commands was changed to 'Kerberos keys available'. In order to do this change for 'user-*' commands only, the flag 'has_keytab' had to be removed from common output parameters in ipalib/baseldap.py. This change also affected the host.py and service.py, where the 'has_keytab' flag was added to their local output params. Both host.py and service.py hold the old field caption - 'Keytab' - because of compatibility with older clients.

Ondra, thanks for the patch. It looks OK, everything behaves as expected. I am still concerned about your patch formatting:

1) Patch naming does not follow FreeIPA conventions. You can check other patch file names - mine, Rob's or Alexander's for example. The patch file name should be freeipa-ohamada-2-description.patch. The patch number should also be in your mail subject - it helps when searching mails etc.

2) Patch title is wrong - you don't need to include [PATCH] in git commit's title. This then makes it here twice.

3) Patch description is insufficient. I miss a link to the ticket and some description. You only added it to the mail. When I am traversing FreeIPA git logs, I must be able to quickly read what this patch does.

You would have seen all these conventions I wrote you about if you had read some patches in freeipa-devel or had read some in FreeIPA git log. Martin

Shame on me. Sorry for that. Corrected patch attached. -- Regards, Ondrej Hamada FreeIPA team jabber: oh...@jabbim.cz IRC: ohamada From 3e5f5da083779866ab3d92d8d1cd789d417def26 Mon Sep 17 00:00:00 2001
From: Ondrej Hamada oham...@redhat.com Date: Thu, 10 Nov 2011 13:46:16 +0100 Subject: [PATCH] Misleading Keytab field The 'Keytab' field in output of all 'user-*' commands was changed to 'Kerberos keys available'. In order to do this change for 'user-*' commands only, the flag 'has_keytab' had to be removed from common output parametrs in ipalib/baseldap.py. This change also affected the host.py and service.py, where the 'has_keytab' flag was added to their local output params. Both host.py and service.py holds the old field caption - 'Keytab' - because of compatibility with older clients. https://fedorahosted.org/freeipa/ticket/1961 --- ipalib/plugins/baseldap.py |3 --- ipalib/plugins/host.py |3 +++ ipalib/plugins/service.py |5 + ipalib/plugins/user.py | 14 ++ 4 files changed, 22 insertions(+), 3 deletions(-) diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py index 88f312998d27ecd8311eb4204c95e1ca212afeb2..4fd5fe4a1e7ff2d8fac7d3a65379b4ae0c5eb554 100644 --- a/ipalib/plugins/baseldap.py +++ b/ipalib/plugins/baseldap.py @@ -36,9 +36,6 @@ from ipalib.util import json_serialize from ipalib.dn import * global_output_params = ( -Flag('has_keytab', -label=_('Keytab'), -), Flag('has_password', label=_('Password'), ), diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py index 0f3f91565cedb699726421ec00cb8f7a93b821bb..6557880aa82598857251f3d8b80e6d3b326fbca6 100644 --- a/ipalib/plugins/host.py +++ b/ipalib/plugins/host.py @@ -162,6 +162,9 @@ def remove_fwd_ptr(ipaddr, host, domain, recordtype): pass host_output_params = ( +Flag('has_keytab', +label=_('Keytab'), +), Str('managedby_host', label='Managed by', ), diff --git a/ipalib/plugins/service.py b/ipalib/plugins/service.py index 048a6b4f04b761131108874fbd09962be33e8a80..dad3ded434d241ae55e1352889c577ba1a08d8c4 100644 --- a/ipalib/plugins/service.py +++ b/ipalib/plugins/service.py 
@@ -84,6 +84,9 @@ EXAMPLES: ) output_params = ( +Flag('has_keytab', +label=_('Keytab'), +), Str('managedby_host', label='Managed by', ), @@ -358,6 +361,7 @@ class service_find(LDAPSearch): member_attributes = ['managedby'] takes_options = LDAPSearch.takes_options has_output_params = LDAPSearch.has_output_params + output_params + def pre_callback(self, ldap, filter, attrs_list, base_dn, scope, *args, **options): # lisp style! custom_filter = '((objectclass=ipaService)' \ @@ -392,6 +396,7 @@ class service_show(LDAPRetrieve): doc=_('file to store certificate in'), ), ) +has_output_params = LDAPRetrieve.has_output_params + output_params def post_callback(self, ldap, dn, entry_attrs, *keys, **options): self.obj.get_password_attributes(ldap, dn, entry_attrs) diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py index 273c68fb2457da7493227ae820c263ebf7598327..d3e63ef9a7bcf98d0bd34396b144134be38c17c3 100644 --- a/ipalib/plugins/user.py +++ b/ipalib/plugins/user.py @@ -68,6 +68,12 @@ EXAMPLES: NO_UPG_MAGIC = '__no_upg__' +user_output_params = ( +Flag('has_keytab', +label=_('Kerberos keys available
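Review bot: removing `Flag('has_keytab', ...)` from `global_output_params` in the baseldap.py hunk (@@ -36,9 +36,6 @@) changes the output of every LDAP-based plugin, not only the three that get the flag back; the diffstat touches host, service and user, so please confirm no other plugin emitted has_keytab. Since the field name itself is unchanged and only the user label moves to 'Kerberos keys available', clients keyed on the name keep working, which is worth stating in the commit message.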
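Review bot: the service_find hunk (@@ -358,6 +361,7 @@) only inserts a blank line before `pre_callback`; whitespace-only changes unrelated to the fix should be dropped from the patch so the history stays attributable to real changes.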
[Freeipa-devel] [PATCH] the 'Keytab:' field in ipa user-show output is misleading
https://fedorahosted.org/freeipa/ticket/1961 The 'Keytab' filed in output of all 'user-*' commands was changed to 'Kerberos keys available'. In order to do this change for 'user-*' commands only, the flag 'has_keytab' had to be removed from common output parametrs in ipalib/baseldap.py. This change also affected the host.py and service.py, where the 'has_keytab' flag was added to their local output params. Both host.py and service.py holds the old field caption - 'Keytab' - because of compatibility with older clients. -- Regards, Ondrej Hamada FreeIPA team jabber:oh...@jabbim.cz IRC: ohamada From 77d719d184126e85c27b20db1a3735e7d14b83f2 Mon Sep 17 00:00:00 2001 From: Ondrej Hamada oham...@redhat.com Date: Tue, 8 Nov 2011 19:12:48 +0100 Subject: [PATCH] [PATCH] the 'Keytab:' field in ipa user-show output is misleading --- ipalib/plugins/baseldap.py |3 --- ipalib/plugins/host.py |3 +++ ipalib/plugins/service.py |5 + ipalib/plugins/user.py | 14 ++ 4 files changed, 22 insertions(+), 3 deletions(-) diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py index 88f312998d27ecd8311eb4204c95e1ca212afeb2..4fd5fe4a1e7ff2d8fac7d3a65379b4ae0c5eb554 100644 --- a/ipalib/plugins/baseldap.py +++ b/ipalib/plugins/baseldap.py @@ -36,9 +36,6 @@ from ipalib.util import json_serialize from ipalib.dn import * global_output_params = ( -Flag('has_keytab', -label=_('Keytab'), -), Flag('has_password', label=_('Password'), ), diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py index 0f3f91565cedb699726421ec00cb8f7a93b821bb..6557880aa82598857251f3d8b80e6d3b326fbca6 100644 --- a/ipalib/plugins/host.py +++ b/ipalib/plugins/host.py @@ -162,6 +162,9 @@ def remove_fwd_ptr(ipaddr, host, domain, recordtype): pass host_output_params = ( +Flag('has_keytab', +label=_('Keytab'), +), Str('managedby_host', label='Managed by', ), 
diff --git a/ipalib/plugins/service.py b/ipalib/plugins/service.py index 048a6b4f04b761131108874fbd09962be33e8a80..dad3ded434d241ae55e1352889c577ba1a08d8c4 100644 --- a/ipalib/plugins/service.py +++ b/ipalib/plugins/service.py @@ -84,6 +84,9 @@ EXAMPLES: ) output_params = ( +Flag('has_keytab', +label=_('Keytab'), +), Str('managedby_host', label='Managed by', ), @@ -358,6 +361,7 @@ class service_find(LDAPSearch): member_attributes = ['managedby'] takes_options = LDAPSearch.takes_options has_output_params = LDAPSearch.has_output_params + output_params + def pre_callback(self, ldap, filter, attrs_list, base_dn, scope, *args, **options): # lisp style! custom_filter = '((objectclass=ipaService)' \ @@ -392,6 +396,7 @@ class service_show(LDAPRetrieve): doc=_('file to store certificate in'), ), ) +has_output_params = LDAPRetrieve.has_output_params + output_params def post_callback(self, ldap, dn, entry_attrs, *keys, **options): self.obj.get_password_attributes(ldap, dn, entry_attrs) diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py index 273c68fb2457da7493227ae820c263ebf7598327..d3e63ef9a7bcf98d0bd34396b144134be38c17c3 100644 --- a/ipalib/plugins/user.py +++ b/ipalib/plugins/user.py @@ -68,6 +68,12 @@ EXAMPLES: NO_UPG_MAGIC = '__no_upg__' +user_output_params = ( +Flag('has_keytab', +label=_('Kerberos keys available'), +), + ) + def validate_nsaccountlock(entry_attrs): if 'nsaccountlock' in entry_attrs: nsaccountlock = entry_attrs['nsaccountlock'] @@ -352,6 +358,8 @@ class user_add(LDAPCreate): msg_summary = _('Added user %(value)s') +has_output_params = LDAPCreate.has_output_params + user_output_params + takes_options = LDAPCreate.takes_options + ( Flag('noprivate', cli_name='noprivate', 
@@ -477,6 +485,8 @@ class user_mod(LDAPUpdate): msg_summary = _('Modified user %(value)s') +has_output_params = LDAPUpdate.has_output_params + user_output_params + def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): if 'mail' in entry_attrs: entry_attrs['mail'] = self.obj._normalize_email(entry_attrs['mail']) @@ -498,6 +508,7 @@ class user_find(LDAPSearch): __doc__ = _('Search for users.') member_attributes = ['memberof'] +has_output_params = LDAPSearch.has_output_params + user_output_params takes_options = LDAPSearch.takes_options + ( Flag('whoami', @@ -532,6 +543,8 @@ api.register(user_find) class user_show(LDAPRetrieve): __doc__ = _('Display information about a user.') +has_output_params = LDAPRetrieve.has_output_params + user_output_params + def post_callback(self, ldap, dn, entry_attrs, *keys, **options): convert_nsaccountlock(entry_attrs) self.obj._convert_manager(entry_attrs, **options) @@ -566,6 +579,7 @@ class user_enable(LDAPQuery
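Review bot: in the user_find hunk (@@ -498,6 +508,7 @@) the new `has_output_params = LDAPSearch.has_output_params + user_output_params` is wedged directly after `member_attributes` with no blank line, unlike the user_add, user_mod and user_show hunks that set it off with blank lines; keep the spacing consistent across the four classes.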
[Freeipa-devel] [PATCH] 1 Do lazy initialization ipalib
https://fedorahosted.org/freeipa/ticket/1336 Lazy initialization of ipalib plugins is used under all contexts, not only when context = cli. Every loaded plugin is pre-finalized - a flag is set, which means, that the plugin needs to be finalized. Then every call of plugin's __gettattr__ checks the flag and finalizes the plugin if necessary. The code was implemented by jcholast. Time reduction of commands execution is quite markable: patch [s] | normal [s]| command --- 1.468 | 2.287 | ipa user-add jsmith --firt=john --last=smith 1.658 | 2.235 | ipa user-del jsmith 1.624 | 2.204 | ipa dnsrecord-find example.com -- Regards, Ondrej Hamada FreeIPA team jabber: oh...@jabbim.cz IRC: ohamada diff --git a/ipalib/plugable.py b/ipalib/plugable.py index b0e4156..2aed1cd 100644 --- a/ipalib/plugable.py +++ b/ipalib/plugable.py @@ -173,6 +173,7 @@ class Plugin(ReadOnly): label = None +__try_finalize = False def __init__(self): self.__api = None @@ -208,6 +209,16 @@ class Plugin(ReadOnly): ) ) +def __getattribute__(self, name): +if name.startswith('_Plugin__') or name.startswith('_ReadOnly__'): +return object.__getattribute__(self, name) +if self.__try_finalize: +self.__try_finalize = False +self.finalize() +if not is_production_mode(self.__api): +assert islocked(self) is True +return object.__getattribute__(self, name) + def __get_api(self): Return `API` instance passed to `finalize()`. @@ -217,6 +228,9 @@ class Plugin(ReadOnly): return self.__api api = property(__get_api) +def prefinalize(self): +self.__try_finalize = True + def finalize(self): 
@@ -638,9 +652,7 @@ class API(DictProxy): assert p.instance.api is self for p in plugins.itervalues(): -p.instance.finalize() -if not production_mode: -assert islocked(p.instance) is True +p.instance.prefinalize() object.__setattr__(self, '_API__finalized', True) tuple(PluginInfo(p) for p in plugins.itervalues()) object.__setattr__(self, 'plugins', ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
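Review bot: the `__getattribute__` hunk (@@ -208,6 +209,16 @@) clears `__try_finalize` before calling `self.finalize()`; if finalize() raises, the plugin is left half-initialised and, with the flag already False, no later access will retry, so the failure shows up later as an unrelated AttributeError. Clear the flag only after finalize() returns. Also, since the description says this now applies under all contexts and not only cli, the check-then-finalize sequence is not atomic: in a multi-threaded server two requests hitting the same unfinalized plugin can race, the second seeing the cleared flag and reading attributes before finalize() has completed; a lock around the finalize step, or eager finalization in the server context, avoids that.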
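Review bot: the API hunk (@@ -638,9 +652,7 @@) drops the `islocked(p.instance)` assertion from load time and the `__getattribute__` hunk re-adds it on first access only; that is consistent with the intent, but it means a plugin that is never touched is never checked for being locked, which the commit message should say. The timing table in the mail (1.468 s vs 2.287 s for user-add and similar) belongs in the commit message too.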
Re: [Freeipa-devel] [PATCH] 1 Do lazy initialization ipalib
On 10/25/2011 04:01 PM, Martin Kosek wrote: On Tue, 2011-10-25 at 15:29 +0200, Ondrej Hamada wrote: https://fedorahosted.org/freeipa/ticket/1336 Lazy initialization of ipalib plugins is used under all contexts, not only when context = cli. Every loaded plugin is pre-finalized - a flag is set, which means, that the plugin needs to be finalized. Then every call of plugin's __gettattr__ checks the flag and finalizes the plugin if necessary. The code was implemented by jcholast. Time reduction of commands execution is quite markable: patch [s] | normal [s]| command --- 1.468 | 2.287 | ipa user-add jsmith --firt=john --last=smith 1.658 | 2.235 | ipa user-del jsmith 1.624 | 2.204 | ipa dnsrecord-find example.com Thanks for submitting the patch. Ondra, just please provide the patch in proper format (exported via command `git format-patch -M -C --patience --full-index -1' which I sent you earlier). Martin Sorry, correct version attached -- Regards, Ondrej Hamada FreeIPA team jabber: oh...@jabbim.cz IRC: ohamada From 798d8f8a624f8350974e54c328c1c58c06944b26 Mon Sep 17 00:00:00 2001 From: Ondrej Hamada oham...@redhat.com Date: Tue, 25 Oct 2011 16:20:44 +0200 Subject: [PATCH] lazy initialization patch --- ipalib/plugable.py | 18 +++--- 1 files changed, 15 insertions(+), 3 deletions(-) diff --git a/ipalib/plugable.py b/ipalib/plugable.py index b0e415656e0428eb164c35a2862fcfbf50883381..2aed1cdcda18840728558ed53435ab10ae28e802 100644 --- a/ipalib/plugable.py +++ b/ipalib/plugable.py @@ -173,6 +173,7 @@ class Plugin(ReadOnly): label = None +__try_finalize = False def __init__(self): self.__api = None 
@@ -208,6 +209,16 @@ class Plugin(ReadOnly): ) ) +def __getattribute__(self, name): +if name.startswith('_Plugin__') or name.startswith('_ReadOnly__'): +return object.__getattribute__(self, name) +if self.__try_finalize: +self.__try_finalize = False +self.finalize() +if not is_production_mode(self.__api): +assert islocked(self) is True +return object.__getattribute__(self, name) + def __get_api(self): Return `API` instance passed to `finalize()`. @@ -217,6 +228,9 @@ class Plugin(ReadOnly): return self.__api api = property(__get_api) +def prefinalize(self): +self.__try_finalize = True + def finalize(self): @@ -638,9 +652,7 @@ class API(DictProxy): assert p.instance.api is self for p in plugins.itervalues(): -p.instance.finalize() -if not production_mode: -assert islocked(p.instance) is True +p.instance.prefinalize() object.__setattr__(self, '_API__finalized', True) tuple(PluginInfo(p) for p in plugins.itervalues()) object.__setattr__(self, 'plugins', -- 1.7.6.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
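The lazy-finalization mechanism this thread describes (a flag set by prefinalize() at load time, checked on every attribute access and acted on once), as an added Python 3 example that is not FreeIPA's code. Plugin, API, user_add and broken are constructed stand-ins; the block keeps the patch's name-mangling early return and adds two things the patch does not have, a lock around the finalize step and clearing the flag only after finalize() succeeds.

```python
import threading
import time

class Plugin(object):
    """Plugin base: finalize() runs lazily on the first attribute access."""

    # class-level defaults; name-mangled to _Plugin__try_finalize etc.
    __try_finalize = False
    __finalizing = False
    __finalized = False
    __finalize_calls = 0

    def __init__(self):
        # RLock: reads made by finalize() itself re-enter __getattribute__
        self.__lock = threading.RLock()

    def __getattribute__(self, name):
        # mangled private names bypass the check, which is what stops the
        # flag tests below from recursing back into this method
        if name.startswith('_Plugin__'):
            return object.__getattribute__(self, name)
        if self.__try_finalize:
            with self.__lock:
                # re-check under the lock: another thread may have finished
                # while we waited; __finalizing covers finalize()'s own reads
                if self.__try_finalize and not self.__finalizing:
                    self.__finalizing = True
                    try:
                        self.finalize()
                        # cleared only on success, so a failed finalize()
                        # is retried on the next access, not silently skipped
                        self.__try_finalize = False
                    finally:
                        self.__finalizing = False
        return object.__getattribute__(self, name)

    def prefinalize(self):
        """Called by API at load time in place of finalize()."""
        self.__try_finalize = True

    def finalize(self):
        self.__finalize_calls += 1
        self._do_finalize()
        self.__finalized = True

def is_finalized(plugin):
    # read via object.__getattribute__ so the check itself does not finalize
    return object.__getattribute__(plugin, '_Plugin__finalized')

def finalize_calls(plugin):
    return object.__getattribute__(plugin, '_Plugin__finalize_calls')

class user_add(Plugin):
    """Constructed stand-in; the sleep models costly option/param setup."""
    def _do_finalize(self):
        time.sleep(0.02)
        self.options = ('uid', 'givenname', 'sn')

class broken(Plugin):
    def _do_finalize(self):
        raise RuntimeError('constructed finalize failure')

class API(object):
    """Loads plugins and only pre-finalizes them, as the patched API does."""
    def __init__(self, plugins):
        self.plugins = dict((type(p).__name__, p) for p in plugins)
        for p in plugins:
            p.prefinalize()

def finalized_names(api):
    return sorted(n for n, p in api.plugins.items() if is_finalized(p))

def finalize_failure_is_retried(api):
    """Touch the broken plugin twice; returns how often finalize() raised."""
    errors = 0
    for _ in range(2):
        try:
            api.plugins['broken'].options
        except RuntimeError:
            errors += 1
    return errors

def concurrent_first_access(plugin, nthreads=8):
    """Many threads hit an unfinalized plugin at once; finalize() must run once."""
    barrier = threading.Barrier(nthreads)

    def worker():
        barrier.wait()
        plugin.options

    threads = [threading.Thread(target=worker) for _ in range(nthreads)]
    for t in threads: t.start()
    for t in threads: t.join()
    return finalize_calls(plugin)
```

Only the plugin a command actually touches gets finalized, which is where the time saving in the thread comes from; with the patch's original ordering the second access to `broken` would raise AttributeError instead of repeating the real error.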