Re: [Freeipa-devel] More types of replicas in FreeIPA

2013-02-13 Thread Ondrej Hamada

On 13.2.2013 14:36, Simo Sorce wrote:

On Tue, 2013-02-12 at 19:30 -0500, Dmitri Pal wrote:


It looks like things are starting to boil down to building a Kerberos proxy.
Is this something that fits within your thesis agenda Ondra?

I guess that's for Ondrej to say, if it is too much we can simply start
working on the LDAP/replication side with rekeying and what not, and
deal with the KDC part at a later time.

Simo.

Working on the LDAP/repl side fits the thesis agenda better, so I would 
like to go that way.


Rekeying - do you mean some sort of plugin for transporting the krb keys 
from masters to consumers?


Besides securing transport of keys what else should be done in ldap? 
I only have partial replication in mind - I mean replication of entries 
selected by some kind of LDAP filters.


___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


[Freeipa-devel] More types of replicas in FreeIPA

2013-01-31 Thread Ondrej Hamada

Hello,
I'm starting to work on my thesis about 'More types of replicas in 
FreeIPA' again. One of the main problems is how the read-only replicas 
should deal with the KDC, because they are not supposed to possess 
the Kerberos (krb) master key. The task was to investigate how this is 
solved in Active Directory and its Read Only Domain Controllers.


I found out that the basics of RODC behaviour are described on the TechNet 
page 
(http://technet.microsoft.com/en-us/library/cc754218%28v=ws.10%29.aspx).


Login situation:
RODC by default forwards the KRB requests to the DC. RODC then forwards 
the response back to the client and also requests the password to be 
replicated to RODC. Both the user and his host must be members of the 
'Allowed RODC Password Replication' group in order to let the user's 
password be replicated to RODCs.


Request services that the RODC doesn't have credentials for:
Client sends TGS-REQ to RODC. RODC can read the TGT in the request, but 
doesn't have credentials for the service. So the request is forwarded to 
the DC. DC can decrypt the TGT that was created by RODC and sends back 
the TGS-RES that is forwarded to the client. (but it does not trust the 
RODC so it recalculates the privilege attribute certificate). RODC does 
not cache the credentials for the service.


During my experiments the credentials got replicated to the RODC on the 
first logon of the user. The user's KRB requests were first forwarded 
to the DC. When the user got the krbtgt and TGS for host, ldap and cifs, his 
TGT was revoked by the RODC. He ran through the auth process again, but 
this time the requests were served by the RODC only - no forwarding - and 
no TGS for host was requested.


Unfortunately I still cannot recognize how the keys are processed. 
There's barely any RPC communication - only one DCERPC packet exchange 
between the RODC and the DC that takes place when the user sends his first TGS 
request (this exchange also happens for clients with replication 
disabled).


It looks to me like the DC knows all the RODC keys. According to 
Technet, the MS implementation of Kerberos is able to recognize the key 
owner from the Key Version Number value.


I think I can't get more info from the network traffic examination. Do 
you have any ideas or hints on further investigation of the problem?
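A small Python model of the forwarding and caching behaviour described in this post, added here as an illustration; it is not Microsoft's or FreeIPA's code and reduces Kerberos keys to plain strings, but it encodes the stated rules: the RODC forwards whatever it holds no key for, a forwarded logon triggers a replication request that the DC grants only when both the user and the host are in the allowed group, and service keys are never cached. Names such as alice, ws01 and cifs/fs01 are constructed sample data.

```python
from dataclasses import dataclass, field


@dataclass
class WritableDC:
    """Full (writable) DC: holds every principal's key and the replication policy."""
    keys: dict                  # principal -> secret; constructed sample data
    allowed_replication: set    # members of 'Allowed RODC Password Replication'

    def answer(self, user, service):
        """Serve a forwarded AS/TGS request. The DC can decrypt any TGT, including
        one the RODC issued, so it simply issues the ticket (PAC rebuilt here)."""
        return "%s ticket for %s issued by DC" % (service, user)

    def replicate(self, user, host):
        """Release the user's key to the RODC only if both the user and the host
        the user logged on from are allowed to have their secrets cached."""
        if user in self.allowed_replication and host in self.allowed_replication:
            return self.keys[user]
        return None


@dataclass
class ReadOnlyDC:
    """RODC: has no master key and only the secrets the DC has released to it."""
    dc: WritableDC
    cache: dict = field(default_factory=dict)      # principal -> replicated secret
    forwarded: list = field(default_factory=list)  # audit trail of forwarded requests

    def handle(self, user, host, service="krbtgt"):
        """Return who actually served the request: 'RODC' or 'DC'.

        For a logon (service == 'krbtgt') the RODC needs the user's key; for a
        service ticket it needs the service's key. Anything it lacks is forwarded.
        """
        needed = user if service == "krbtgt" else service
        if needed in self.cache:
            return "RODC"
        self.forwarded.append((user, service))
        self.dc.answer(user, service)  # the reply is relayed back to the client
        if service == "krbtgt":
            # After a forwarded logon the RODC asks for the user's key; the DC
            # decides according to the replication policy.
            key = self.dc.replicate(user, host)
            if key is not None:
                self.cache[user] = key
        # Service keys are never cached after a forwarded TGS-REQ.
        return "DC"


def simulate():
    """Scripted sequence mirroring the observations in the post; returns the
    server that answered each request, in order."""
    dc = WritableDC(
        keys={"alice": "k-alice", "bob": "k-bob", "carol": "k-carol",
              "cifs/fs01": "k-cifs"},
        allowed_replication={"alice", "carol", "ws01"},   # ws02 is not allowed
    )
    rodc = ReadOnlyDC(dc)
    return [
        rodc.handle("alice", "ws01"),                 # first logon: forwarded, key then cached
        rodc.handle("alice", "ws01"),                 # second logon: served locally
        rodc.handle("alice", "ws01", "cifs/fs01"),    # service ticket: forwarded, not cached
        rodc.handle("alice", "ws01", "cifs/fs01"),    # still forwarded
        rodc.handle("bob", "ws01"),                   # user not allowed: always forwarded
        rodc.handle("bob", "ws01"),
        rodc.handle("carol", "ws02"),                 # host not allowed: always forwarded
        rodc.handle("carol", "ws02"),
    ]


if __name__ == "__main__":
    print(simulate())
```

The `forwarded` list is the part a defender would keep: on a real RODC the volume of forwarded requests for a principal that should already be cached is the signal that replication is being denied or that the cached secret was revoked.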




Re: [Freeipa-devel] [PATCH] 26 Fix '--random' param behaviour for host plugin

2012-06-26 Thread Ondrej Hamada

On 06/25/2012 04:59 PM, Petr Viktorin wrote:

On 06/20/2012 05:43 PM, Ondrej Hamada wrote:

On 06/15/2012 07:36 AM, Martin Kosek wrote:

On Thu, 2012-06-14 at 16:35 -0400, Rob Crittenden wrote:

Ondrej Hamada wrote:

Improved options checking so that host-mod operation is not changing
password for enrolled host when '--random' option is used.

https://fedorahosted.org/freeipa/ticket/2799

Updated set of characters that is used for generating random passwords
for ipa hosts. Following characters were removed from the set: '`\$


https://fedorahosted.org/freeipa/ticket/2800

This works ok but it would be nice to have a test for both setting a
password and random on an enrolled host to prevent regressions. We have
some ipa-getkeytab tests already and these can be extended to test this
I think.

Might be nice to mention in the inline comment the set of characters
excluded and why.

rob


I've added a new test class into test_host_plugin.py that takes care of
that. There is just one problem: the ipa-join command always fails on
'adding key into keytab'. But the attributes necessary for testing are
set correctly, so the testing can continue.

We already generate passwords for users with this character set:
user_pwdchars = string.digits + string.ascii_letters + '_,.@+-='

Why would we want to generate passwords for host enrolling with a
different set? Additionally, I think the set of characters you chose is
too wide, try entering a password with ' ', !, (, ), , or ; without
careful escaping or quoting...

Martin


Ok, I've used the same set of characters as for the user passwords.


Should this set just be used for generated passwords by default? 
Possibly with slightly longer passwords so they aren't suddenly weaker.


I prefer to generate strong passwords by default and if anyone needs an 
easier one, then he must adjust it. Especially in this case when we use 
one generator in different places.




Anyway, the patch works great here. I just have a few style issues:



freeipa-ohamada-26-2-Change-random-passwords-behaviour.patch


 From bc19f44023643ff726e6e36634fbcbcbd0859583 Mon Sep 17 00:00:00 2001
From: Ondrej Hamadaoham...@redhat.com
Date: Mon, 18 Jun 2012 15:25:05 +0200
Subject: [PATCH] Change random passwords behaviour

Improved options checking so that host-mod operation is not changing
password for enrolled host when '--random' option is used.

Unit tests added.

https://fedorahosted.org/freeipa/ticket/2799

Updated set of characters that is used for generating random passwords
for ipa hosts. All characters that might need escaping were removed.

https://fedorahosted.org/freeipa/ticket/2800
---
  ipalib/plugins/host.py|   11 -
  tests/test_xmlrpc/test_host_plugin.py |   75 
-

  2 files changed, 82 insertions(+), 4 deletions(-)

diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py
index 
96b73cc5594335ad02dd43f87e7e011ab84157a1..9680d7c024ea8976f92a71bf576d6712c44a2bcf 
100644

--- a/ipalib/plugins/host.py
+++ b/ipalib/plugins/host.py
@@ -24,6 +24,7 @@ import sys
  from nss.error import NSPRError
  import nss.nss as nss
  import netaddr
+import string

  from ipalib import api, errors, util
  from ipalib import Str, Flag, Bytes
@@ -99,6 +100,10 @@ EXAMPLES:
 ipa host-add-managedby --hosts=test2 test
  )

+# Characters to be used by random password generator
+# The set was chosen to avoid the need for escaping the characters 
by user

+host_pwd_chars=string.digits + string.ascii_letters + '_,.@+-='
+
  def remove_fwd_ptr(ipaddr, host, domain, recordtype):
  api.log.debug('deleting ipaddr %s' % ipaddr)
  try:
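Review bot: style in the `host_pwd_chars` hunk: PEP 8 spacing (`host_pwd_chars = string.digits + ...`) and a comment that names what was dropped and why, as Rob asked for. The first version of this patch listed the removed characters as '`\$; repeating them in the comment ("excluded because they need escaping on a command line") answers that request without the reader having to diff the two sets.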
@@ -404,7 +409,7 @@ class host_add(LDAPCreate):
  if 'krbprincipal' in entry_attrs['objectclass']:
entry_attrs['objectclass'].remove('krbprincipal')
  if options.get('random'):
-entry_attrs['userpassword'] = ipa_generate_password()
+entry_attrs['userpassword'] = 
ipa_generate_password(characters=host_pwd_chars)
  # save the password so it can be displayed in 
post_callback
  setattr(context, 'randompassword', 
entry_attrs['userpassword'])

  cert = options.get('usercertificate')
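Review bot: `host_add` here and `host_mod` further down now each carry the identical `ipa_generate_password(characters=host_pwd_chars)` call plus the `context.randompassword` bookkeeping; a small shared helper in the host plugin would keep the character policy in one place and make a later change of alphabet or length a one-line edit.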
@@ -596,7 +601,7 @@ class host_mod(LDAPUpdate):
  def pre_callback(self, ldap, dn, entry_attrs, attrs_list, 
*keys, **options):
  # Allow an existing OTP to be reset but don't allow a OTP 
to be

  # added to an enrolled host.
-if 'userpassword' in options:
+if options.get('userpassword') or options.get('random'):
  entry = {}
  self.obj.get_password_attributes(ldap, dn, entry)
  if not entry['has_password'] and entry['has_keytab']:
@@ -649,7 +654,7 @@ class host_mod(LDAPUpdate):
  entry_attrs['usercertificate'] = cert

  if options.get('random'):
-entry_attrs['userpassword'] = ipa_generate_password()
+entry_attrs['userpassword'] = 
ipa_generate_password

Re: [Freeipa-devel] [PATCH] 26 Fix '--random' param behaviour for host plugin

2012-06-20 Thread Ondrej Hamada

On 06/15/2012 07:36 AM, Martin Kosek wrote:

On Thu, 2012-06-14 at 16:35 -0400, Rob Crittenden wrote:

Ondrej Hamada wrote:

Improved options checking so that host-mod operation is not changing
password for enrolled host when '--random' option is used.

https://fedorahosted.org/freeipa/ticket/2799

Updated set of characters that is used for generating random passwords
for ipa hosts. Following characters were removed from the set: '`\$

https://fedorahosted.org/freeipa/ticket/2800

This works ok but it would be nice to have a test for both setting a
password and random on an enrolled host to prevent regressions. We have
some ipa-getkeytab tests already and these can be extended to test this
I think.

Might be nice to mention in the inline comment the set of characters
excluded and why.

rob

I've added a new test class into test_host_plugin.py that takes care of 
that. There is just one problem: the ipa-join command always fails on 
'adding key into keytab'. But the attributes necessary for testing are 
set correctly, so the testing can continue.

We already generate passwords for users with this character set:
user_pwdchars = string.digits + string.ascii_letters + '_,.@+-='

Why would we want to generate passwords for host enrolling with a
different set? Additionally, I think the set of characters you chose is
too wide, try entering a password with ' ', !, (, ), , or ; without
careful escaping or quoting...

Martin


Ok, I've used the same set of characters as for the user passwords.

--
Regards,

Ondrej Hamada
FreeIPA team
jabber: oh...@jabbim.cz
IRC: ohamada

From bc19f44023643ff726e6e36634fbcbcbd0859583 Mon Sep 17 00:00:00 2001
From: Ondrej Hamada oham...@redhat.com
Date: Mon, 18 Jun 2012 15:25:05 +0200
Subject: [PATCH] Change random passwords behaviour

Improved options checking so that host-mod operation is not changing
password for enrolled host when '--random' option is used.

Unit tests added.

https://fedorahosted.org/freeipa/ticket/2799

Updated set of characters that is used for generating random passwords
for ipa hosts. All characters that might need escaping were removed.

https://fedorahosted.org/freeipa/ticket/2800
---
 ipalib/plugins/host.py|   11 -
 tests/test_xmlrpc/test_host_plugin.py |   75 -
 2 files changed, 82 insertions(+), 4 deletions(-)

diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py
index 96b73cc5594335ad02dd43f87e7e011ab84157a1..9680d7c024ea8976f92a71bf576d6712c44a2bcf 100644
--- a/ipalib/plugins/host.py
+++ b/ipalib/plugins/host.py
@@ -24,6 +24,7 @@ import sys
 from nss.error import NSPRError
 import nss.nss as nss
 import netaddr
+import string
 
 from ipalib import api, errors, util
 from ipalib import Str, Flag, Bytes
@@ -99,6 +100,10 @@ EXAMPLES:
ipa host-add-managedby --hosts=test2 test
 )
 
+# Characters to be used by random password generator
+# The set was chosen to avoid the need for escaping the characters by user
+host_pwd_chars=string.digits + string.ascii_letters + '_,.@+-='
+
 def remove_fwd_ptr(ipaddr, host, domain, recordtype):
 api.log.debug('deleting ipaddr %s' % ipaddr)
 try:
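Review bot: `host_pwd_chars` is now byte-for-byte the same alphabet as the `user_pwdchars` Martin quoted earlier in the thread; defining it once in a shared place (next to `ipa_generate_password`) instead of in host.py avoids the two sets drifting apart later. Petr's question about making generated passwords slightly longer to compensate for the narrower alphabet is also not addressed here: the call sites only pass `characters`, the generated length is unchanged.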
@@ -404,7 +409,7 @@ class host_add(LDAPCreate):
 if 'krbprincipal' in entry_attrs['objectclass']:
 entry_attrs['objectclass'].remove('krbprincipal')
 if options.get('random'):
-entry_attrs['userpassword'] = ipa_generate_password()
+entry_attrs['userpassword'] = ipa_generate_password(characters=host_pwd_chars)
 # save the password so it can be displayed in post_callback
 setattr(context, 'randompassword', entry_attrs['userpassword'])
 cert = options.get('usercertificate')
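Review bot: the new keyword argument `characters=host_pwd_chars` assumes `ipa_generate_password` accepts `characters`; its definition is not part of this diff, so confirm the signature in ipalib/util before merging rather than relying on the call site.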
@@ -596,7 +601,7 @@ class host_mod(LDAPUpdate):
 def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
 # Allow an existing OTP to be reset but don't allow a OTP to be
 # added to an enrolled host.
-if 'userpassword' in options:
+if options.get('userpassword') or options.get('random'):
 entry = {}
 self.obj.get_password_attributes(ldap, dn, entry)
 if not entry['has_password'] and entry['has_keytab']:
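Review bot: the condition changed from key presence (`'userpassword' in options`) to truthiness (`options.get('userpassword') or options.get('random')`), so an explicitly empty password value no longer reaches the enrolled-host check. If the framework normalises empty strings to None this is harmless; otherwise `'userpassword' in options or options.get('random')` keeps the old behaviour for the password branch while still covering `--random`, which is what the ticket asks for.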
@@ -649,7 +654,7 @@ class host_mod(LDAPUpdate):
 entry_attrs['usercertificate'] = cert
 
 if options.get('random'):
-entry_attrs['userpassword'] = ipa_generate_password()
+entry_attrs['userpassword'] = ipa_generate_password(characters=host_pwd_chars)
 setattr(context, 'randompassword', entry_attrs['userpassword'])
 if 'macaddress' in entry_attrs:
 if 'objectclass' in entry_attrs:
diff --git a/tests/test_xmlrpc/test_host_plugin.py b/tests/test_xmlrpc/test_host_plugin.py
index 8798168afa71653b64870c77d11a7fa81ec4c952..fa1f2906f556af388499eac316c4b7c05c66ad85 100644
--- a/tests/test_xmlrpc/test_host_plugin.py
+++ b/tests/test_xmlrpc/test_host_plugin.py
@@ -22,9 +22,13 @@
 Test
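The thread's two questions about the host password alphabet (Martin: which characters force the operator to quote or escape; Petr: whether a narrower alphabet needs a longer password) can be answered with a few lines of Python. This is an added example, not FreeIPA's ipa_generate_password; the two character sets are copied from the patches above, while the shell-special list and the default length of 22 are assumptions.

```python
import math
import secrets
import string

# The two candidate sets from this thread (copied from the patches above).
WIDE_HOST_CHARS = string.digits + string.ascii_letters + '~!@#%^*()-_=+{}[]:;|,.?/ '
USER_PWD_CHARS = string.digits + string.ascii_letters + '_,.@+-='

# Characters with special meaning to a POSIX shell outside quotes (constructed
# list; '%' only matters in prompts/job control and is left out on purpose).
SHELL_SPECIAL = set(' !"#$&\'()*;<>?[\\]^`{|}~')


def chars_needing_quoting(characters):
    """Members of a password alphabet an operator would have to escape."""
    return sorted(set(characters) & SHELL_SPECIAL)


def entropy_bits(characters, pwd_len):
    """Entropy of a uniformly generated password of pwd_len symbols."""
    return pwd_len * math.log2(len(set(characters)))


def length_for_equal_strength(new_characters, old_characters, old_len):
    """Smallest length over new_characters that is at least as strong as
    old_len symbols over old_characters (Petr's 'slightly longer' question)."""
    target = entropy_bits(old_characters, old_len)
    return math.ceil(target / math.log2(len(set(new_characters))))


def generate_password(characters=USER_PWD_CHARS, pwd_len=22):
    """Uniform random password from the OS CSPRNG (secrets), never random.choice."""
    return ''.join(secrets.choice(characters) for _ in range(pwd_len))


if __name__ == "__main__":
    print("wide set needs quoting for:", chars_needing_quoting(WIDE_HOST_CHARS))
    print("user set needs quoting for:", chars_needing_quoting(USER_PWD_CHARS))
    print("12 wide chars ~ %.1f bits" % entropy_bits(WIDE_HOST_CHARS, 12))
    print("equivalent length over user set:",
          length_for_equal_strength(USER_PWD_CHARS, WIDE_HOST_CHARS, 12))
    print("sample:", generate_password())
```

The numbers make the trade-off concrete: dropping from 87 to 69 symbols costs about 0.33 bits per character, so one extra character recovers what a 12-character password loses, and the narrower set contains nothing a shell treats specially.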

[Freeipa-devel] [PATCH] 26 Fix '--random' param behaviour for host plugin

2012-06-14 Thread Ondrej Hamada

Improved options checking so that host-mod operation is not changing
password for enrolled host when '--random' option is used.

https://fedorahosted.org/freeipa/ticket/2799

Updated set of characters that is used for generating random passwords
for ipa hosts. Following characters were removed from the set: '`\$

https://fedorahosted.org/freeipa/ticket/2800


--
Regards,

Ondrej Hamada
FreeIPA team
jabber: oh...@jabbim.cz
IRC: ohamada

From a6e41564225b9b9efe7fd2ae3e21ae90288680b2 Mon Sep 17 00:00:00 2001
From: Ondrej Hamada oham...@redhat.com
Date: Wed, 13 Jun 2012 16:27:51 +0200
Subject: [PATCH] Change random passwords behaviour

Improved options checking so that host-mod operation is not changing
password for enrolled host when '--random' option is used.

https://fedorahosted.org/freeipa/ticket/2799

Updated set of characters that is used for generating random passwords
for ipa hosts. Following characters were removed from the set: '`\$

https://fedorahosted.org/freeipa/ticket/2800
---
 ipalib/plugins/host.py |   10 +++---
 1 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py
index 96b73cc5594335ad02dd43f87e7e011ab84157a1..4a3330f5ae4214a65aa56983c983e86cc4423b48 100644
--- a/ipalib/plugins/host.py
+++ b/ipalib/plugins/host.py
@@ -24,6 +24,7 @@ import sys
 from nss.error import NSPRError
 import nss.nss as nss
 import netaddr
+import string
 
 from ipalib import api, errors, util
 from ipalib import Str, Flag, Bytes
@@ -99,6 +100,9 @@ EXAMPLES:
ipa host-add-managedby --hosts=test2 test
 )
 
+# characters to be used by random password generator
+host_pwd_chars=string.digits + string.ascii_letters + '~!@#%^*()-_=+{}[]:;|,.?/ '
+
 def remove_fwd_ptr(ipaddr, host, domain, recordtype):
 api.log.debug('deleting ipaddr %s' % ipaddr)
 try:
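Review bot: the alphabet in `host_pwd_chars` includes space, `!`, `;`, `|`, `(`, `)`, `{`, `}`, `[`, `]`, `*`, `?`, `#`, `^` and `~`, all of which have to be quoted when the one-time password is passed on a shell command line (for example to ipa-client-install), and a leading or trailing space is invisible to the operator copying it. Restricting the set to the one already used for user passwords (`string.digits + string.ascii_letters + '_,.@+-='`) and saying so in the comment avoids a class of enrolment failures that look like wrong passwords.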
@@ -404,7 +408,7 @@ class host_add(LDAPCreate):
 if 'krbprincipal' in entry_attrs['objectclass']:
 entry_attrs['objectclass'].remove('krbprincipal')
 if options.get('random'):
-entry_attrs['userpassword'] = ipa_generate_password()
+entry_attrs['userpassword'] = ipa_generate_password(characters=host_pwd_chars)
 # save the password so it can be displayed in post_callback
 setattr(context, 'randompassword', entry_attrs['userpassword'])
 cert = options.get('usercertificate')
@@ -596,7 +600,7 @@ class host_mod(LDAPUpdate):
 def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
 # Allow an existing OTP to be reset but don't allow a OTP to be
 # added to an enrolled host.
-if 'userpassword' in options:
+if options.get('userpassword') or options.get('random'):
 entry = {}
 self.obj.get_password_attributes(ldap, dn, entry)
 if not entry['has_password'] and entry['has_keytab']:
@@ -649,7 +653,7 @@ class host_mod(LDAPUpdate):
 entry_attrs['usercertificate'] = cert
 
 if options.get('random'):
-entry_attrs['userpassword'] = ipa_generate_password()
+entry_attrs['userpassword'] = ipa_generate_password(characters=host_pwd_chars)
 setattr(context, 'randompassword', entry_attrs['userpassword'])
 if 'macaddress' in entry_attrs:
 if 'objectclass' in entry_attrs:
-- 
1.7.6.5


Re: [Freeipa-devel] [PATCH] 269 permission-find missed some results with --pkey-only option

2012-05-31 Thread Ondrej Hamada

On 05/31/2012 12:42 PM, Martin Kosek wrote:

On Wed, 2012-05-30 at 14:43 +0200, Ondrej Hamada wrote:

On 05/30/2012 07:45 AM, Martin Kosek wrote:

When permission-find post callback detected a --pkey-only option,
it just terminated. However, this way the results that could have
been added from aci_find matches were not included.

Fix the post callback to go through the entire matching process.
Also make sure that DNS permissions have a correct objectclass
(ipapermission), otherwise such objects are not matched by the
permission LDAP search.

https://fedorahosted.org/freeipa/ticket/2658




Patch needs rebase

It does not apply because of changes made to
ipalib/plugins/permission.py (by Rob's patch #1018)


Rebased version attached.

Martin

ACK

--
Regards,

Ondrej Hamada
FreeIPA team
jabber: oh...@jabbim.cz
IRC: ohamada



[Freeipa-devel] [PATCH] 25 ipa-server-install: s/calculated/determined/

2012-05-22 Thread Ondrej Hamada

https://fedorahosted.org/freeipa/ticket/2704

Output message of the 'read_domain_name' function in ipa-server-install
was reworded.

--
Regards,

Ondrej Hamada
FreeIPA team
jabber: oh...@jabbim.cz
IRC: ohamada

From 4a7eda9b2a97b10ee0767696406fda09c1a9de86 Mon Sep 17 00:00:00 2001
From: Ondrej Hamada oham...@redhat.com
Date: Tue, 22 May 2012 12:19:53 +0200
Subject: [PATCH] ipa-server-install reword message

Output message of the 'read_domain_name' function in ipa-server-install
was reworded.

https://fedorahosted.org/freeipa/ticket/2704
---
 install/tools/ipa-server-install |2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index d3327a6803d10012f412fbb8365b80e39e9124c3..2f06a9e879902eb1c2ac340757fcd1762959fe30 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -386,7 +386,7 @@ def read_host_name(host_default,no_host_dns=False):
 return host_name
 
 def read_domain_name(domain_name, unattended):
-print The domain name has been calculated based on the host name.
+print The domain name has been determined based on the host name.
 print 
 if not unattended:
 domain_name = user_input(Please confirm the domain name, domain_name)
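Review bot: message-only change and correct as far as it goes; if the wording is still open, "The domain name has been derived from the host name." says the same thing more directly than "determined based on".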
-- 
1.7.6.5


Re: [Freeipa-devel] [PATCH] 0044 Validate externalhost (when added by --addattr/--setattr)

2012-05-10 Thread Ondrej Hamada

On 05/10/2012 01:40 PM, Petr Viktorin wrote:

On 05/10/2012 12:05 PM, Ondrej Hamada wrote:

On 05/09/2012 04:49 PM, Petr Viktorin wrote:

On 05/04/2012 01:25 PM, Ondrej Hamada wrote:

On 04/30/2012 02:13 PM, Petr Viktorin wrote:


Change the externalhost attribute of hbacrule, netgroup
and sudorule into a full-fledged Parameter, and attach
a validator to it.

RFC 1123 specifies that only [-a-z0-9] are allowed, but apparently
Windows and some phones also use underscores in hostnames.
So the new validator allows the underscore.


https://fedorahosted.org/freeipa/ticket/2649



1) Current validation of external hostnames does not require them to be
fully qualified, but you do. It's inconsistent.

2) one test case failed:
FAIL: Test adding an invalid external host to Sudo rule using
--
Traceback (most recent call last):
File /usr/lib/python2.7/site-packages/nose/case.py, line 197, in
runTest
self.test(*self.arg)
File /home/ohamada/2649/tests/test_xmlrpc/test_sudorule_plugin.py,
line 500, in test_a_sudorule_mod_externalhost_invalid_addattr
character)
AssertionError



Thanks. Attaching updated patch.





Suggestion: you can use ipalib.utils.validate_hostname function with
check_fqdn param set to False. Sorry for not mentioning it before.

Otherwise ACK



Attached patch uses your suggestion. Thanks.





ACK

--
Regards,

Ondrej Hamada
FreeIPA team
jabber: oh...@jabbim.cz
IRC: ohamada


Re: [Freeipa-devel] [PATCH] 257 Fix python Requires in Fedora 17 build

2012-05-09 Thread Ondrej Hamada

On 05/04/2012 05:45 PM, Martin Kosek wrote:

This one actually took me some time to track it down (details are in a
patch description). To check the result, simply build freeipa on Fedora
17 with make rpms, install rpms on the machine and check Requires of
freeipa-admintools package:

$ rpm -qR freeipa-admintools

Before the patch, there was a requirement for /bin/python which
effectively blocked an update of python package until freeipa packages
were removed.

With this patch, there should be a correct requirement for
/usr/bin/python and python updates will work again - yay.

Our newest freeipa package on F-17 (2.2.0-1) is not affected, koji F-17
build root may have a different $PATH which translates python to
/usr/bin/python and not /bin/python.

Martin



works as proposed, ACK

--
Regards,

Ondrej Hamada
FreeIPA team
jabber: oh...@jabbim.cz
IRC: ohamada


Re: [Freeipa-devel] [PATCH] 23 Allow one letter net/hostgroups names

2012-05-04 Thread Ondrej Hamada

On 05/03/2012 05:44 PM, Martin Kosek wrote:

On Thu, 2012-05-03 at 17:08 +0200, Ondrej Hamada wrote:

On 05/02/2012 05:49 PM, Ondrej Hamada wrote:

https://fedorahosted.org/freeipa/ticket/2671

Changed regex validating net/hostgroup names to allow single letter
names. Unit-tests added.

But the current validation allows weird (host|net)group names like:
.,  .-, ...
I'm just not sure, do we really want to allow stuff like this?

Patch also fixes one of netgroup and host unit-tests. The error
message in hostname validation function has changed (in ticket
#1966).



NACK.

1) This breaks the hostgroup tests as you overwrite dn1 variable:

+hostgroup_single = u'a'
+dn1 = DN(('cn',hostgroup_single),('cn','hostgroups'),('cn','accounts'),
+ api.env.basedn)
+


2) The extra comment in netgroup tests is redundant:

+result=dict(
+#dn=u'ipauniqueid=%s,cn=ng,cn=alt,%s' %
(fuzzy_uuid, api.env.basedn),
+dn=fuzzy_netgroupdn,

3) I don't think that we need to bump IPA_API_VERSION_MINOR since we
just changed the validating pattern and thus this really does not change
the API itself.

Martin


corrected patch attached

--
Regards,

Ondrej Hamada
FreeIPA team
jabber: oh...@jabbim.cz
IRC: ohamada

From 4876c05c5a843a9653765c5fc6ddccd8151d061c Mon Sep 17 00:00:00 2001
From: Ondrej Hamada oham...@redhat.com
Date: Fri, 4 May 2012 10:25:42 +0200
Subject: [PATCH] Allow one letter net/hostgroups names

Changed regex validating net/hostgroup names to allow single letter
names. Unit-tests added.

https://fedorahosted.org/freeipa/ticket/2671
---
 API.txt|   34 +-
 ipalib/plugins/netgroup.py |2 +-
 tests/test_xmlrpc/test_hostgroup_plugin.py |   37 
 tests/test_xmlrpc/test_netgroup_plugin.py  |   32 
 4 files changed, 87 insertions(+), 18 deletions(-)

diff --git a/API.txt b/API.txt
index 71241b4cc40e14c600127d1087092abf098eb40c..1d32913c0356bfa03574bfc4ef08d46fb408cd57 100644
--- a/API.txt
+++ b/API.txt
@@ -1758,7 +1758,7 @@ output: Entry('result', type 'dict', Gettext('A dictionary representing an LDA
 output: Output('value', type 'unicode', None)
 command: hostgroup_add
 args: 1,6,3
-arg: Str('cn', attribute=True, cli_name='hostgroup_name', multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]+$', primary_key=True, required=True)
+arg: Str('cn', attribute=True, cli_name='hostgroup_name', multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]*$', primary_key=True, required=True)
 option: Str('description', attribute=True, cli_name='desc', multivalue=False, required=True)
 option: Str('setattr*', cli_name='setattr', exclude='webui')
 option: Str('addattr*', cli_name='addattr', exclude='webui')
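Review bot: the loosened pattern `^[a-zA-Z0-9_.][a-zA-Z0-9_.-]*$` admits single-character names as intended, but because `.` and `_` are allowed as the first character it also accepts `.`, `..` and `._-`, which is exactly the concern raised earlier in this thread. A pattern that requires at least one alphanumeric, e.g. `^[a-zA-Z0-9_.]*[a-zA-Z0-9][a-zA-Z0-9_.-]*$`, keeps one-letter names while rejecting punctuation-only ones. The diffstat lists only ipalib/plugins/netgroup.py as the plugin change, so the hostgroup entries in API.txt must be picking the pattern up from there; worth confirming with makeapi that API.txt and the plugins agree before this is pushed.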
@@ -1770,7 +1770,7 @@ output: Entry('result', type 'dict', Gettext('A dictionary representing an LDA
 output: Output('value', type 'unicode', None)
 command: hostgroup_add_member
 args: 1,5,3
-arg: Str('cn', attribute=True, cli_name='hostgroup_name', multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=True)
+arg: Str('cn', attribute=True, cli_name='hostgroup_name', multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]*$', primary_key=True, query=True, required=True)
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
 option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
 option: Str('version?', exclude='webui')
@@ -1781,7 +1781,7 @@ output: Output('failed', type 'dict', None)
 output: Output('completed', type 'int', None)
 command: hostgroup_del
 args: 1,1,3
-arg: Str('cn', attribute=True, cli_name='hostgroup_name', multivalue=True, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=True)
+arg: Str('cn', attribute=True, cli_name='hostgroup_name', multivalue=True, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]*$', primary_key=True, query=True, required=True)
 option: Flag('continue', autofill=True, cli_name='continue', default=False)
 output: Output('summary', (type 'unicode', type 'NoneType'), None)
 output: Output('result', type 'dict', None)
@@ -1789,7 +1789,7 @@ output: Output('value', type 'unicode', None)
 command: hostgroup_find
 args: 1,20,4
 arg: Str('criteria?', noextrawhitespace=False)
-option: Str('cn', attribute=True, autofill=False, cli_name='hostgroup_name', multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=False)
+option: Str('cn', attribute=True, autofill=False, cli_name='hostgroup_name', multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]*$', primary_key=True, query=True, required=False)
 option: Str('description', attribute=True, autofill=False, cli_name='desc', multivalue=False, query=True, required=False)
 option: Int('timelimit?', autofill=False, minvalue=0)
 option: Int('sizelimit?', autofill=False, minvalue=0)
@@ -1815,7 +1815,7 @@ output
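Both validation discussions on this page (external hostnames with underscores and an optional FQDN requirement; one-letter net/hostgroup names and the '.', '.-' oddities) come down to a regular expression and its edge cases. The following is an added example, not the ipalib.util validate_hostname implementation or the netgroup plugin's pattern code: validate_hostname here is a stand-in with the same check_fqdn parameter, and the three group-name patterns are the before/after patterns from the API.txt diff plus a stricter alternative that is my own suggestion.

```python
import re

# RFC 1123 host label: letters, digits, hyphen; no leading or trailing hyphen.
LABEL_RE = re.compile(r'^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$', re.IGNORECASE)
# Same, with underscore tolerated (Windows hosts and some phones use it).
LABEL_UNDERSCORE_RE = re.compile(r'^[a-z0-9_](?:[a-z0-9_-]*[a-z0-9_])?$', re.IGNORECASE)

# Net/hostgroup name patterns before and after the patch, plus a stricter
# alternative (assumption, not from the patch) that keeps one-letter names but
# rejects names made of punctuation only.
GROUP_NAME_BEFORE = re.compile(r'^[a-zA-Z0-9_.][a-zA-Z0-9_.-]+$')
GROUP_NAME_AFTER = re.compile(r'^[a-zA-Z0-9_.][a-zA-Z0-9_.-]*$')
GROUP_NAME_STRICT = re.compile(r'^[a-zA-Z0-9_.]*[a-zA-Z0-9][a-zA-Z0-9_.-]*$')


def validate_hostname(hostname, check_fqdn=True, allow_underscore=True):
    """Return None when the name is acceptable, otherwise the reason it is not."""
    if not hostname or len(hostname) > 253:
        return 'empty or longer than 253 characters'
    labels = hostname.split('.')
    if check_fqdn and len(labels) < 2:
        return 'not fully qualified'
    label_re = LABEL_UNDERSCORE_RE if allow_underscore else LABEL_RE
    for label in labels:
        if not label:
            return 'empty label'
        if len(label) > 63:
            return 'label longer than 63 characters'
        if not label_re.match(label):
            return 'invalid character or hyphen position in label %r' % label
    return None


def group_name_verdicts(name):
    """Whether one candidate group name passes each of the three patterns."""
    return {
        'before': bool(GROUP_NAME_BEFORE.match(name)),
        'after': bool(GROUP_NAME_AFTER.match(name)),
        'strict': bool(GROUP_NAME_STRICT.match(name)),
    }


if __name__ == "__main__":
    for name in ('host_1.example.com', 'host1', '-bad.example.com'):
        print(name, '->', validate_hostname(name))
    for name in ('a', '.', '.-', 'web-servers'):
        print(name, '->', group_name_verdicts(name))
```

Running it shows the asymmetry the thread is worried about: the old pattern already accepted `.-`, the new one additionally accepts a bare `.`, and only a pattern that insists on one alphanumeric somewhere rejects both while still allowing `a`.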

Re: [Freeipa-devel] [PATCH] 0044 Validate externalhost (when added by --addattr/--setattr)

2012-05-04 Thread Ondrej Hamada

On 04/30/2012 02:13 PM, Petr Viktorin wrote:


Change the externalhost attribute of hbacrule, netgroup
and sudorule into a full-fledged Parameter, and attach
a validator to it.

RFC 1123 specifies that only [-a-z0-9] are allowed, but apparently 
Windows and some phones also use underscores in hostnames.

So the new validator allows the underscore.


https://fedorahosted.org/freeipa/ticket/2649



1) Current validation of external hostnames does not require them to be 
fully qualified, but you do. It's inconsistent.


2) one test case failed:
FAIL: Test adding an invalid external host to Sudo rule using
 --
 Traceback (most recent call last):
   File /usr/lib/python2.7/site-packages/nose/case.py, line 197, in 
runTest

 self.test(*self.arg)
   File /home/ohamada/2649/tests/test_xmlrpc/test_sudorule_plugin.py, 
line 500, in test_a_sudorule_mod_externalhost_invalid_addattr

 character)
 AssertionError

--
Regards,

Ondrej Hamada
FreeIPA team
jabber: oh...@jabbim.cz
IRC: ohamada


Re: [Freeipa-devel] [PATCH] 23 Allow one letter net/hostgroups names

2012-05-03 Thread Ondrej Hamada

On 05/02/2012 05:49 PM, Ondrej Hamada wrote:

https://fedorahosted.org/freeipa/ticket/2671

Changed regex validating net/hostgroup names to allow single letter
names. Unit-tests added.

But the current validation allows weird (host|net)group names like: 
.,  .-, ...

I'm just not sure, do we really want to allow stuff like this?

Patch also fixes one of netgroup and host unit-tests. The error
message in hostname validation function has changed (in ticket #1966).




The unit-test for #1966 were corrected by Petr³. Rebased patch attached.

--
Regards,

Ondrej Hamada
FreeIPA team
jabber: oh...@jabbim.cz
IRC: ohamada

From fdf8ccd6992feb031b5c350471e659bfd42928f3 Mon Sep 17 00:00:00 2001
From: Ondrej Hamada oham...@redhat.com
Date: Thu, 3 May 2012 16:56:51 +0200
Subject: [PATCH] Allow one letter net/hostgroups names

Changed regex validating net/hostgroup names to allow single letter
names. Unit-tests added.

https://fedorahosted.org/freeipa/ticket/2671
---
 API.txt|   34 +-
 VERSION|2 +-
 ipalib/plugins/netgroup.py |2 +-
 tests/test_xmlrpc/test_hostgroup_plugin.py |   37 
 tests/test_xmlrpc/test_netgroup_plugin.py  |   33 +
 5 files changed, 89 insertions(+), 19 deletions(-)

diff --git a/API.txt b/API.txt
index 71241b4cc40e14c600127d1087092abf098eb40c..1d32913c0356bfa03574bfc4ef08d46fb408cd57 100644
--- a/API.txt
+++ b/API.txt
@@ -1758,7 +1758,7 @@ output: Entry('result', type 'dict', Gettext('A dictionary representing an LDA
 output: Output('value', type 'unicode', None)
 command: hostgroup_add
 args: 1,6,3
-arg: Str('cn', attribute=True, cli_name='hostgroup_name', multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]+$', primary_key=True, required=True)
+arg: Str('cn', attribute=True, cli_name='hostgroup_name', multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]*$', primary_key=True, required=True)
 option: Str('description', attribute=True, cli_name='desc', multivalue=False, required=True)
 option: Str('setattr*', cli_name='setattr', exclude='webui')
 option: Str('addattr*', cli_name='addattr', exclude='webui')
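Review bot: the diffstat shows VERSION changed alongside API.txt, but this patch only relaxes a validation pattern; no command, argument or option is added, removed or renamed, so the API version does not need bumping (Martin's NACK quoted earlier on this page makes the same point). Drop the VERSION hunk and keep the API.txt changes, which are required for makeapi to match the new pattern.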
@@ -1770,7 +1770,7 @@ output: Entry('result', type 'dict', Gettext('A dictionary representing an LDA
 output: Output('value', type 'unicode', None)
 command: hostgroup_add_member
 args: 1,5,3
-arg: Str('cn', attribute=True, cli_name='hostgroup_name', multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=True)
+arg: Str('cn', attribute=True, cli_name='hostgroup_name', multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]*$', primary_key=True, query=True, required=True)
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
 option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
 option: Str('version?', exclude='webui')
@@ -1781,7 +1781,7 @@ output: Output('failed', type 'dict', None)
 output: Output('completed', type 'int', None)
 command: hostgroup_del
 args: 1,1,3
-arg: Str('cn', attribute=True, cli_name='hostgroup_name', multivalue=True, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=True)
+arg: Str('cn', attribute=True, cli_name='hostgroup_name', multivalue=True, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]*$', primary_key=True, query=True, required=True)
 option: Flag('continue', autofill=True, cli_name='continue', default=False)
 output: Output('summary', (type 'unicode', type 'NoneType'), None)
 output: Output('result', type 'dict', None)
@@ -1789,7 +1789,7 @@ output: Output('value', type 'unicode', None)
 command: hostgroup_find
 args: 1,20,4
 arg: Str('criteria?', noextrawhitespace=False)
-option: Str('cn', attribute=True, autofill=False, cli_name='hostgroup_name', multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=False)
+option: Str('cn', attribute=True, autofill=False, cli_name='hostgroup_name', multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]*$', primary_key=True, query=True, required=False)
 option: Str('description', attribute=True, autofill=False, cli_name='desc', multivalue=False, query=True, required=False)
 option: Int('timelimit?', autofill=False, minvalue=0)
 option: Int('sizelimit?', autofill=False, minvalue=0)
@@ -1815,7 +1815,7 @@ output: Output('count', type 'int', None)
 output: Output('truncated', type 'bool', None)
 command: hostgroup_mod
 args: 1,8,3
-arg: Str('cn', attribute=True, cli_name='hostgroup_name', multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=True)
+arg: Str('cn', attribute=True, cli_name='hostgroup_name', multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]*$', primary_key=True, query=True

Re: [Freeipa-devel] More types of replica in FreeIPA

2012-05-03 Thread Ondrej Hamada

On 04/24/2012 10:47 AM, Ondrej Hamada wrote:

On 04/23/2012 07:58 PM, Simo Sorce wrote:

On Mon, 2012-04-23 at 13:50 -0400, Dmitri Pal wrote:

Ah OK. Another semantic difference. Doing it in phases is one thing and
delivering is another. Let us say we identified 10 things that need to
be implemented. The problem is so huge that Ondrej would likely be able
to tackle only a couple of items from the list. So what should we do with
the rest if it is not possible to deliver until all 10 items are completed?

Ok, so most of the work here is in the KDC, so I think we should first
go to MIT, present the problem and see what they think about the
solution we have in mind. I will try to have a preliminary discussion
with Tom and Greg about the general idea this week to see what they
think.

Once that is done we can slice the implementation how we want in a
private branch until it is fully baked. MIT wouldn't, rightly so,
accept a half baked solution I would guess, but we also do not need to
try to rush patches in. Once cleanup work in the KDC has been done as
part of the 1.11 work I think these interfaces will change little so
there shouldn't be a risk of wasting too much time to follow upstream
while we work on one of these problems at a time.

IMO the work can be started and deferred till someone else can come back
and continue what Ondrej has started and bring it to the shape when we
are comfortable releasing it.

Absolutely, esp. if we can start after the changes MIT plans to make in
1.11 or at least if we plan together so we know which internal
interfaces are going to be destabilized so we can plan ahead.

Ondra, it is time for you to sit down, read this thread thoroughly and craft
a design out of it. Then you would be able to focus on a reasonable
subset of what is possible to complete in the remaining time frame.
Ok, will do. I would like to start with the login server scenario. It 
will be possible to use it later as a 'training field' for the 
fractional replication and help deciding what entries should and 
shouldn't be replicated.

Ok.
Simo.




As I said before, I'm going to start with an authentication-only server.
That will be the first iteration. (I also want to present it in my
thesis as the implementation part.)


Both the Hub and Consumer will be read-only. In case of the Hub, the machine
should contain only a directory server that will be configured to behave
as a hub. Consumers should behave the same way as Dmitri described a few posts
above - meaning they will use LDAP with pam-proxy to SSSD. The SSSD will
be authenticating the user against the master server. It might use caching
to enable some users to authenticate when the master is unreachable. The
consumer should be using chaining and trying to contact the master
directly.


Replicas will replicate all data, just the confidential attributes such 
as passwords will be excluded from replication.


Main enhancements will be made in the ipa-tools, mainly
ipa-replica-install and ipa-replica-manage. Also ipa-client-install
will be updated, as the client in such an environment won't use Kerberos. I
think that at this stage those changes should be stored separately - I
mean not pushing them into upstream.


Can you agree on that?

The second iteration should be focusing on development of plugins for
handling the account locking situation and similar situations that need
to write some data to the replica. It might also focus on fractional
replication if it is available in the directory server. I suppose that
there won't be any more iterations necessary for the authentication server.


Besides working on the second iteration we can also start with the eSSO 
part. I assume that the account locks and fractional replication will 
definitely have something in common.


--
Regards,

Ondrej Hamada
FreeIPA team
jabber: oh...@jabbim.cz
IRC: ohamada

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


[Freeipa-devel] [PATCH] 23 Allow one letter net/hostgroups names

2012-05-02 Thread Ondrej Hamada

https://fedorahosted.org/freeipa/ticket/2671

Changed regex validating net/hostgroup names to allow single letter
names. Unit-tests added.

But the current validation allows weird (host|net)group names like: 
.,  .-, ...

I'm just not sure, do we really want to allow stuff like this?

Patch also fixes one of netgroup and host unit-tests. The error
message in hostname validation function has changed (in ticket #1966).

--
Regards,

Ondrej Hamada
FreeIPA team
jabber: oh...@jabbim.cz
IRC: ohamada

From 62043ae72e77978c3315070eb09bb9939aa5b99e Mon Sep 17 00:00:00 2001
From: Ondrej Hamada oham...@redhat.com
Date: Wed, 2 May 2012 15:25:41 +0200
Subject: [PATCH] Allow one letter net/hostgroups names

Changed regex validating net/hostgroup names to allow single letter
names. Unit-tests added.

https://fedorahosted.org/freeipa/ticket/2671

Patch also fixes one of netgroup and host unit-tests. The error
message in hostname validation function has changed (in ticket 1966).
---
 API.txt|   34 +-
 VERSION|2 +-
 ipalib/plugins/netgroup.py |2 +-
 tests/test_xmlrpc/test_host_plugin.py  |2 +-
 tests/test_xmlrpc/test_hostgroup_plugin.py |   37 
 tests/test_xmlrpc/test_netgroup_plugin.py  |   35 +-
 6 files changed, 91 insertions(+), 21 deletions(-)

diff --git a/API.txt b/API.txt
index 71241b4cc40e14c600127d1087092abf098eb40c..1d32913c0356bfa03574bfc4ef08d46fb408cd57 100644
--- a/API.txt
+++ b/API.txt
@@ -1758,7 +1758,7 @@ output: Entry('result', type 'dict', Gettext('A dictionary representing an LDA
 output: Output('value', type 'unicode', None)
 command: hostgroup_add
 args: 1,6,3
-arg: Str('cn', attribute=True, cli_name='hostgroup_name', multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]+$', primary_key=True, required=True)
+arg: Str('cn', attribute=True, cli_name='hostgroup_name', multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]*$', primary_key=True, required=True)
 option: Str('description', attribute=True, cli_name='desc', multivalue=False, required=True)
 option: Str('setattr*', cli_name='setattr', exclude='webui')
 option: Str('addattr*', cli_name='addattr', exclude='webui')
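Review bot: the relaxed pattern `^[a-zA-Z0-9_.][a-zA-Z0-9_.-]*$` still accepts names that contain no letter or digit at all, such as `.` or `.-`, which the cover letter itself flags; if those are not wanted, require at least one alphanumeric character, e.g. `^(?=.*[a-zA-Z0-9])[a-zA-Z0-9_.][a-zA-Z0-9_.-]*$`, and since ipalib compiles this with Python's re module, note that `$` also accepts a single trailing newline where `\Z` would not. The same pattern string is repeated in every hostgroup_* hunk below and in netgroup.py, so whatever is chosen should be defined once and reused rather than edited in each place.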
@@ -1770,7 +1770,7 @@ output: Entry('result', type 'dict', Gettext('A dictionary representing an LDA
 output: Output('value', type 'unicode', None)
 command: hostgroup_add_member
 args: 1,5,3
-arg: Str('cn', attribute=True, cli_name='hostgroup_name', multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=True)
+arg: Str('cn', attribute=True, cli_name='hostgroup_name', multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]*$', primary_key=True, query=True, required=True)
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
 option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
 option: Str('version?', exclude='webui')
@@ -1781,7 +1781,7 @@ output: Output('failed', type 'dict', None)
 output: Output('completed', type 'int', None)
 command: hostgroup_del
 args: 1,1,3
-arg: Str('cn', attribute=True, cli_name='hostgroup_name', multivalue=True, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=True)
+arg: Str('cn', attribute=True, cli_name='hostgroup_name', multivalue=True, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]*$', primary_key=True, query=True, required=True)
 option: Flag('continue', autofill=True, cli_name='continue', default=False)
 output: Output('summary', (type 'unicode', type 'NoneType'), None)
 output: Output('result', type 'dict', None)
@@ -1789,7 +1789,7 @@ output: Output('value', type 'unicode', None)
 command: hostgroup_find
 args: 1,20,4
 arg: Str('criteria?', noextrawhitespace=False)
-option: Str('cn', attribute=True, autofill=False, cli_name='hostgroup_name', multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=False)
+option: Str('cn', attribute=True, autofill=False, cli_name='hostgroup_name', multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]*$', primary_key=True, query=True, required=False)
 option: Str('description', attribute=True, autofill=False, cli_name='desc', multivalue=False, query=True, required=False)
 option: Int('timelimit?', autofill=False, minvalue=0)
 option: Int('sizelimit?', autofill=False, minvalue=0)
@@ -1815,7 +1815,7 @@ output: Output('count', type 'int', None)
 output: Output('truncated', type 'bool', None)
 command: hostgroup_mod
 args: 1,8,3
-arg: Str('cn', attribute=True, cli_name='hostgroup_name', multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=True)
+arg: Str('cn', attribute=True, cli_name='hostgroup_name', multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]*$', primary_key=True, query=True, required=True)
 option: Str('description', attribute=True, autofill=False, cli_name='desc
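To see concretely what the old and the patched pattern accept, here is an added example (not FreeIPA code, not part of the patch) that runs both patterns, plus a stricter variant of my own, over a few constructed names including the `.` and `.-` cases the cover letter worries about. `STRICT_PATTERN` and the function names are hypothetical; only the two pattern strings are taken from the hunks above.

```python
"""Exercise the hostgroup/netgroup name patterns from the patch above against
constructed names.  Added example, not FreeIPA code; STRICT_PATTERN is my own
suggestion, not something the patch proposes."""
import re

# Pattern before and after the patch, copied from the API.txt hunks.
OLD_PATTERN = re.compile(r'^[a-zA-Z0-9_.][a-zA-Z0-9_.-]+$')
NEW_PATTERN = re.compile(r'^[a-zA-Z0-9_.][a-zA-Z0-9_.-]*$')
# Hypothetical stricter variant: same alphabet, but at least one letter or
# digit somewhere, and \Z instead of $ so a trailing newline is not accepted.
STRICT_PATTERN = re.compile(r'^(?=.*[a-zA-Z0-9])[a-zA-Z0-9_.][a-zA-Z0-9_.-]*\Z')


def is_valid(name, pattern=NEW_PATTERN):
    """True if the pattern accepts the name (ipalib compiles its patterns
    with Python's re module and matches from the start of the value)."""
    return pattern.match(name) is not None


def compare(names):
    """Map each name to (old_ok, new_ok, strict_ok)."""
    return {n: (is_valid(n, OLD_PATTERN),
                is_valid(n, NEW_PATTERN),
                is_valid(n, STRICT_PATTERN)) for n in names}


def degenerate_names(names):
    """Names the patched pattern accepts although they contain no letter or digit."""
    return [n for n in names
            if is_valid(n, NEW_PATTERN) and not re.search(r'[a-zA-Z0-9]', n)]


# Constructed sample names: valid single-letter and normal names, the
# degenerate ones from the cover letter, a bad leading dash, a name with a
# trailing newline (which $ tolerates), and the empty string.
SAMPLE_NAMES = ['a', 'webservers', 'db-01', '.', '.-', '...', '-leading', 'a\n', '']

if __name__ == '__main__':
    for name, verdict in compare(SAMPLE_NAMES).items():
        print('%-12r old=%-5s new=%-5s strict=%s' % ((name,) + verdict))
    print('degenerate but accepted:', degenerate_names(SAMPLE_NAMES))
```

The interesting rows are `.`, `.-` and `...` (accepted by the patched pattern, rejected by the strict one) and `a\n`, which the patched pattern accepts only because `$` matches before a trailing newline.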

Re: [Freeipa-devel] Ticket #2293 - permission attribute check

2012-04-27 Thread Ondrej Hamada

On 04/27/2012 02:36 PM, Martin Kosek wrote:

I revisited ticket #2293 after it failed QE check. After some
considerations, I think we should revert this type of check for
permissions. Here is my reasoning:

1) This check fails when the target type does not have all its possible
objectclasses defined in the LDAPObject, like when users or hosts miss
kerberos or samba auxiliary classes as they are just classes that the
object may potentially have:

# ipa permission-mod Change a user password
--attrs=userpassword,krbprincipalkey,sambalmpassword,passwordhistory
ipa: ERROR: attribute(s) sambalmpassword,passwordhistory not allowed

To fix this point, we would need to add all possible object classes to
our user, host, ... objectclasses.


2) It severely limits permission flexibility for custom user
objectclasses. They would need to extend our plugins to make them work.
Observe this inconsistency:

Setting custom OC+attribute works (replace sudocmd with some
meaningful object class):

# ipa user-mod fbar --addattr=objectclass=ipasudocmd --setattr=sudocmd=fbar

Modified user fbar

   User login: fbar
   First name: Foo
   Last name: Bar
   Home directory: /home/fbar
   Login shell: /bin/sh
   UID: 61400016
   GID: 61400016
   Account disabled: False
   Password: True
   Member of groups: ipausers
   Kerberos keys available: True

# ipa user-show --all fbar
   dn: uid=fbar,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
   User login: fbar
   First name: Foo
   Last name: Bar
...
   mepmanagedentry: 
cn=fbar,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
   objectclass: top, person, organizationalperson, inetorgperson, inetuser, 
posixaccount,
krbprincipalaux, krbticketpolicyaux, ipaobject, ipasshuser, 
ipaSshGroupOfPubKeys,
mepOriginEntry, ipasudocmd
   sudocmd: fbar


But adding a custom permission to control this attribute fails:
# ipa permission-add Can manage user sudocmd --type=user --permissions=write 
--attrs=sudocmd
ipa: ERROR: attribute(s) sudocmd not allowed


Bottom line is that I would remove this check at all and just check that
the attribute is right - as we already do for permission without
--type specified:

# ipa permission-add Can write barbar
--filter=(objectclass=posixuser) --permissions=write --attrs=barbar
ipa: ERROR: targetattr barbar does not exist in schema. Please add
attributeTypes barbar to schema if necessary. ACL Syntax
Error(-5):(targetattr = \22barbar\22)(targetfilter =
\22(objectclass=posixuser)\22)(version 3.0;acl \22permission:foo
\22;allow (write) groupdn =
\22ldap:///cn=foo,cn=permissions,cn=pbac,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com\22;):
 Invalid syntax.

Martin

What about simply letting the command succeed and printing out a warning like:
'Attribute passwordhistory is not a default one for the specified object
type. The permission might not be properly evaluated.'


--
Regards,

Ondrej Hamada
FreeIPA team
jabber: oh...@jabbim.cz
IRC: ohamada

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
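Ondrej's suggestion above (warn rather than fail when an attribute is outside the object type's default object classes, while still failing hard for attributes the schema does not know at all, as Martin's `--filter` example does) next to the current strict behaviour, as an added example that is not FreeIPA code. The miniature schema, the type-to-objectclass table and the function names are constructed for the example; the two password attributes and `sudocmd` are the ones from the thread.

```python
"""Two-tier check of permission --attrs: hard error for attributes unknown to
the schema, warning (not error) for attributes outside the object type's
default object classes.  Added example, not FreeIPA code."""

# Constructed miniature schema: objectclass -> attributes it allows.  FreeIPA
# would read this from the directory server's subschema instead.
SCHEMA = {
    'inetorgperson':   {'uid', 'cn', 'sn', 'givenname', 'mail', 'userpassword'},
    'posixaccount':    {'uidnumber', 'gidnumber', 'homedirectory', 'loginshell'},
    'krbprincipalaux': {'krbprincipalname', 'krbprincipalkey'},
    'sambasamaccount': {'sambalmpassword', 'sambantpassword'},
    'pwdhistoryaux':   {'passwordhistory'},      # constructed class name
    'ipasudocmd':      {'sudocmd'},
}

# Object classes each --type guarantees on its entries (constructed; the samba
# and password-history classes are deliberately absent from 'user', mirroring
# the situation Martin describes).
TYPE_CLASSES = {
    'user': {'inetorgperson', 'posixaccount', 'krbprincipalaux'},
}


def schema_attrs():
    """Every attribute any object class in the schema allows."""
    return set().union(*SCHEMA.values())


def type_attrs(obj_type):
    """Attributes the object type's default classes allow."""
    if obj_type not in TYPE_CLASSES:
        raise ValueError('unknown object type %r' % obj_type)
    return set().union(*(SCHEMA[oc] for oc in TYPE_CLASSES[obj_type]))


def check_permission_attrs(attrs, obj_type=None):
    """Classify requested --attrs into allowed / warnings / errors.

    Unknown-to-schema attributes are errors (the ACI would be rejected by the
    directory server anyway).  Attributes known to the schema but not part of
    the type's default classes only produce a warning."""
    known = schema_attrs()
    default = type_attrs(obj_type) if obj_type else known
    result = {'allowed': [], 'warnings': [], 'errors': []}
    for attr in attrs:
        a = attr.lower()
        if a not in known:
            result['errors'].append('targetattr %s does not exist in schema' % attr)
        elif a not in default:
            result['warnings'].append(
                'Attribute %s is not a default one for object type %s. '
                'The permission might not be properly evaluated.' % (attr, obj_type))
            result['allowed'].append(a)
        else:
            result['allowed'].append(a)
    return result


def strict_check(attrs, obj_type=None):
    """Current behaviour under discussion: any warning is a hard failure."""
    r = check_permission_attrs(attrs, obj_type)
    return not r['errors'] and not r['warnings']


def lenient_check(attrs, obj_type=None):
    """Ondrej's proposal: only schema errors fail, warnings are reported."""
    r = check_permission_attrs(attrs, obj_type)
    return not r['errors']


if __name__ == '__main__':
    for args in (['userpassword', 'krbprincipalkey', 'sambalmpassword',
                  'passwordhistory'], ['sudocmd']):
        print(args, check_permission_attrs(args, 'user'))
    print(['barbar'], check_permission_attrs(['barbar']))
```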


Re: [Freeipa-devel] More types of replica in FreeIPA

2012-04-24 Thread Ondrej Hamada

On 04/23/2012 07:58 PM, Simo Sorce wrote:

On Mon, 2012-04-23 at 13:50 -0400, Dmitri Pal wrote:

Ah OK. Another semantic difference. Doing it in phases is one thing and
delivering is another. Let us say we identified 10 things that need to
be implemented. The problem is so huge that Ondrej would likely be able
to tackle only a couple of items from the list. So what should we do with the
rest if it is not possible to deliver until all 10 items are completed?

Ok, so most of the work here is in the KDC, so I think we should first
go to MIT, present the problem and see what they think about the
solution we have in mind. I will try to have a preliminary discussion
with Tom and Greg about the general idea this week to see what they
think.

Once that is done we can slice the implementation how we want in a
private branch until it is fully baked. MIT wouldn't, rightly so,
accept a half baked solution I would guess, but we also do not need to
try to rush patches in. Once cleanup work in the KDC has been done as
part of the 1.11 work I think these interfaces will change little so
there shouldn't be a risk of wasting too much time to follow upstream
while we work on one of these problems at a time.


IMO the work can be started and deferred till someone else can come back
and continue what Ondrej has started and bring it to the shape when we
are comfortable releasing it.

Absolutely, esp. if we can start after the changes MIT plans to make in
1.11 or at least if we plan together so we know which internal
interfaces are going to be destabilized so we can plan ahead.


Ondra, it is time for you to sit down, read this thread thoroughly and craft
a design out of it. Then you would be able to focus on a reasonable
subset of what is possible to complete in the remaining time frame.
Ok, will do. I would like to start with the login server scenario. It 
will be possible to use it later as a 'training field' for the 
fractional replication and help deciding what entries should and 
shouldn't be replicated.

Ok.
Simo.




--
Regards,

Ondrej Hamada
FreeIPA team
jabber: oh...@jabbim.cz
IRC: ohamada

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] More types of replica in FreeIPA

2012-04-19 Thread Ondrej Hamada

On 04/18/2012 08:30 PM, Rich Megginson wrote:

On 04/17/2012 06:42 AM, Simo Sorce wrote:

On Tue, 2012-04-17 at 01:13 +0200, Ondrej Hamada wrote:

Sorry for inactivity, I was struggling with a lot of school stuff.

I've summed up the main goals, do you agree on them or should I
add/remove any?


GOALS
===
Create Hub and Consumer types of replica with following features:

* Hub is read-only

* Hub interconnects Masters with Consumers or Masters with Hubs
 or Hubs with other Hubs

* Hub is hidden in the network topology

* Consumer is read-only

* Consumer interconnects Masters/Hubs with clients

* Write operations should be forwarded to Master

* Consumer should be able to log users into system without
 communication with master

We need to define how this can be done, it will almost certainly mean
part of the consumer is writable, plus it also means you need additional
access control and policies, on what the Consumer should be allowed to
see.


* Consumer should cache user's credentials

Ok what credentials ? As I explained earlier Kerberos creds cannot
really be cached. Either they are transferred with replication or the
KDC needs to be changed to do chaining. Neither do I consider 'caching'.

A password obtained through an LDAP bind could be cached, but I am not
sure it is worth it.


* Caching of credentials should be configurable

See above.


* CA server should not be allowed on Hubs and Consumers

Missing points:
- Masters should not transfer KRB keys to HUBs/Consumers by default.

- We need selective replication if you want to allow distributing a
partial set of Kerberos credentials to consumers. With Hubs it becomes
complicated to decide what to replicate about credentials.

Simo.


Can you please have a look at this draft and comment on it?


Design document draft: More types of replicas in FreeIPA

GOALS
=

Create Hub and Consumer types of replica with following features:

* Hub is read-only

* Hub interconnects Masters with Consumers or Masters with Hubs
or Hubs with other Hubs

* Hub is hidden in the network topology

* Consumer is read-only

* Consumer interconnects Masters/Hubs with clients

* Write operations should be forwarded to Master

Do we need to specify how this is done ? Referrals vs Chain-on-update ?

Both options are in game.



* Consumer should be able to log users into system without
communication with master

* Consumer should be able to store user's credentials

Can you expand on this ? Do you mean user keys ?
Yes, the consumer should be able to store all data necessary for the user
to be authenticated.



* Storing of credentials should be configurable and disabled by default

* Credentials expiration on replica should be configurable

What does this mean ?
We should store credentials for a subset of users only. As this subset
might change over time, we should flush the credentials for users that
haven't shown up for a while (even though the credentials have not
expired yet).



* CA server should not be allowed on Hubs and Consumers

ISSUES
=

- SSSD is currently supposed to cooperate with one LDAP server only

Is this a problem in having an LDAP server that doesn't also have a KDC
on the same host ? Or something else ?


- OpenLDAP client and its support for referrals

Should we avoid referrals and use chain-on-update ?
Maybe. I've come across several mentions that the referrals support in 
openldap client is not working properly.

What does it mean for access control ?
How do consumers authenticate to masters ?
Should we use s4u2proxy ?


- 389-DS allows replication of whole suffix only

What kind of filters do we think we need ? We can already exclude
specific attributes from replication.


fractional replication had originally planned to support search 
filters in addition to attribute lists - I think Ondrej wants to 
include or exclude certain entries from being replicated


Yes, my point is that the Consumer should store credentials only for
users that are authenticating against it, so we need to exclude some
attributes, but just for a specific subset of users.




- Storing credentials and allowing authentication against Consumer 
server



POSSIBLE SOLUTIONS
=

389-DS allows replication of whole suffix only:

* Rich said that they are planning to allow the fractional replication
in DS to use LDAP filters. It will allow us to do selective replication,
which is mainly important for replication of user's credentials.

I guess we want to do this to selectively prevent replication of only
some kerberos keys ? Based on groups ? Would filtes allow that using
memberof ?


Using filters with fractional replication would allow you to include 
or exclude anything that can be expressed as an LDAP search filter

Re: [Freeipa-devel] More types of replica in FreeIPA

2012-04-19 Thread Ondrej Hamada

On 04/19/2012 04:10 PM, Dmitri Pal wrote:

On 04/19/2012 09:03 AM, Simo Sorce wrote:

On Thu, 2012-04-19 at 14:18 +0200, Ondrej Hamada wrote:

On 04/18/2012 08:30 PM, Rich Megginson wrote:

* Credentials expiration on replica should be configurable

What does this mean ?

We should store credentials for a subset of users only. As this subset
might change over time, we should flush the credentials for users that
haven't shown up for a while (even though the credentials have not
expired yet).

This should be determined through group membership or similar mechanism,
talking about 'expiration' seem wrong and confusing, perhaps just a
language problem ?

Right, thanks for correction.



fractional replication had originally planned to support search
filters in addition to attribute lists - I think Ondrej wants to
include or exclude certain entries from being replicated

Yes, my point is that the Consumer should store credentials only for
users that are authenticating against it, so we need to exclude some
attributes, but just for a specific subset of users.

I am not sure we can achieve this, with just a fractional replication
filter, not easily anyway. A search filter singles out entire entries.
In order to have different sets of attributes replicated we need an
additional, per-filter attribute exclusion list.


  3) find master dynamically - Consumers and Hubs will be in fact master
 servers (from 389-DS point of view), this means that every consumer or hub
 knows his direct suppliers and they know their suppliers ...

Not clear what this means, can you elaborate ?

Replication agreements possess the information about suppliers. It means
we can dynamically discover where the masters are by going through all
nodes and asking who their supplier is. Thinking about it again, it will
probably be very slow and less reliable. The lookup of DNS records in
LDAP would be better.

Neither, we have the list of masters in LDAP in the cn=etc subtree for
these uses, it's a simple search, and it is the authoritative list.
Remember we may not always control the DNS, so relying on a manually
maintained DNS would be bad.

Good point, I forgot about the master entries.

* SSSD must be improved to allow cooperation with more than one LDAP
server

Can you elaborate what you think is missing in SSSD ? Is it about the
need to fix referrals handling ? Or something else ?

I'm afraid of the situation when a user authenticates and the information
is not present on the Consumer. If we use referrals and the
authentication has to be done against the master, would SSSD be
able to handle it?

Currently SSSD can handle referrals, although it does so poorly due to
issues with the openldap libraries. Stephen tells me there are plans to
handle referrals in the SSSD code directly instead of deferring to
openldap libs. When that is done we should have no more issues.
However, for authentication purposes I am not sure referrals are the way
to go.
For the Kerberos case referrals won't work, because we will not let a
consumer have read access to keys in a master (besides the consumer will
not have the same master key so will not be able to decrypt them), so we
will need to handle the Krb case differently.
For ldap binds, we might do referrals, or we could chain binds and avoid
that issue entirely. If we chain binds we can also temporarily cache
credentials in the same way we do in SSSD so that if the server get cut
off the network it can keep serving requests. I am not thrilled about
caching users passwords this way and should probably not enabled by
default, but we'd have the option.


* authentication policies, every user must authenticate against master
server by default

If users always contact the master, what are the consumers for ?
Need to elaborate on this and explain.

As was mentioned earlier in the discussion, there are two scenarios - in
the first one the consumer serves only as a source of
information(dns,ntp,accounts...), the second one allows distribution of
credentials and thus enables the authentication against the consumer
locally. The first one is more secure since the creds are not stored on
consumers that might be more easily corrupted.

Ok, makes sense, but I would handle this transparently to the clients,
as noted above. Trying to build knowledge in clients or rely on
referrals is going to work poorly with a lot of clients, making the
solution not really useful in real deployments where a mix of machines
that do not use SSSD is present.


 - The policy must also specify the credentials expiration time. If
user tries to authenticate with expired credential, he will be refused and
redirected to Master server for authentication.

How is this different from current status ? All accounts already have
password expiration times and account expiration times. What am I
missing ?

Sorry, I wrote it unclear. I meant that the credentials, we store on
Consumer should be there available only

Re: [Freeipa-devel] More types of replica in FreeIPA

2012-04-16 Thread Ondrej Hamada
 to
authenticate with expired credential, he will be refused and redirected to Master
server for authentication.

ISSUE: How to deal with creds. expiration in replication? The replication of
credential to the Consumer could be stopped by removing the user from the
Consumer specific user group (mentioned above). The easiest way would be to
delete him when he tries to auth. with expired credentials or do a regular
check (intervals specified in policy) and delete all expired creds. Because
of the removal of expired creds. we will have to grant the Consumer the
permission to delete users from the Consumer specific user group (but only
deleting, adding users will be possible on Masters only).

Offline authentication:

* Consumer (and Hub) must allow write operations just for a small set of
  attributes: last login date and time, count of unsuccessful logins and the
  lockup of account

  - to be able to do that, both Consumers and Hubs must be Masters (from
  389-DS point of view). When the Master-Consumer connection is broken, the
  lockup information is saved only locally and will be pushed to Master
  on connection restoration. I suppose that only the lockup information should
  be replicated. In case of lockup the user will have to authenticate against
  Master server only.

Transfer of Krb keys:

* Consumer server will have to have realm krbtgt. This means that we will have
  to distribute every Consumer's krbtgt to the Master servers. The Masters will
  need to have a logic for using those keys instead of the normal krbtgt to
  perform operations when user's krbtgt are presented to a different server.



--
Regards,

Ondrej Hamada
FreeIPA team
jabber: oh...@jabbim.cz
IRC: ohamada

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
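Two points in the messages above call for the same model: Simo's remark in the 2012-04-19 reply that a fractional-replication search filter singles out entire entries, so replicating credentials for only some users needs an additional per-filter attribute exclusion list, and the 2012-04-16 draft's idea of a Consumer specific user group whose members are the only ones whose credentials reach that consumer, with removal from the group stopping (and having to revoke) that replication. The following added example, not 389-DS or FreeIPA code, models such a policy: every entry is replicated, the credential attributes are stripped unless the entry matches the consumer's filter, and the attributes a consumer must purge after a user leaves the group are computed. The entries, group DN, class and function names are constructed; `agreement_attribute_list` emits the documented `nsDS5ReplicatedAttributeList` value syntax only to show that the existing agreement-wide exclusion cannot express the per-entry part.

```python
"""Model of a consumer replication policy: every entry is replicated, but the
credential attributes travel only for entries matching the consumer's filter
(e.g. membership in a consumer-specific group).  Added example, not 389-DS or
FreeIPA code; entries, DNs and names are constructed."""

CREDENTIAL_ATTRS = {'userpassword', 'krbprincipalkey', 'passwordhistory'}


def parse_filter(filt):
    """Parse a minimal RFC 4515 filter: equality plus &, | and ! (no
    wildcards or escapes).  Returns a nested tuple tree."""
    filt = filt.strip()
    if not (filt.startswith('(') and filt.endswith(')')):
        raise ValueError('filter must be parenthesised: %r' % filt)
    body = filt[1:-1]
    if body and body[0] in '&|!':
        parts, depth, start = [], 0, 1
        for i, ch in enumerate(body[1:], 1):
            if ch == '(':
                if depth == 0:
                    start = i
                depth += 1
            elif ch == ')':
                depth -= 1
                if depth == 0:
                    parts.append(parse_filter(body[start:i + 1]))
        if depth != 0 or not parts:
            raise ValueError('unbalanced or empty filter: %r' % filt)
        return (body[0], parts)
    attr, sep, value = body.partition('=')   # split at the first '=' only
    if not sep:
        raise ValueError('unsupported filter item: %r' % filt)
    return ('=', attr.lower(), value)


def matches(node, entry):
    """Evaluate a parsed filter against an entry (attr -> list of values)."""
    op = node[0]
    if op == '=':
        return node[2] in entry.get(node[1], [])
    if op == '&':
        return all(matches(p, entry) for p in node[1])
    if op == '|':
        return any(matches(p, entry) for p in node[1])
    return not matches(node[1][0], entry)    # '!'


class ConsumerPolicy:
    """Filter selecting entries whose credentials this consumer may hold,
    plus the attribute list withheld from every other entry."""

    def __init__(self, name, allowed_filter, excluded_attrs=CREDENTIAL_ATTRS):
        self.name = name
        self.allowed = parse_filter(allowed_filter)
        self.excluded = {a.lower() for a in excluded_attrs}

    def replicate(self, entry):
        """The entry as this consumer is allowed to receive it."""
        if matches(self.allowed, entry):
            return dict(entry)
        return {k: v for k, v in entry.items() if k not in self.excluded}

    def revoked_credentials(self, before, after):
        """Credential attributes the consumer must purge when an entry
        (e.g. a user removed from the group) leaves the allowed set."""
        return (set(self.replicate(before)) & self.excluded) - set(self.replicate(after))

    def agreement_attribute_list(self):
        """Value for 389-DS nsDS5ReplicatedAttributeList: agreement-wide, so it
        can express the attribute exclusion but not the per-entry filter."""
        return '(objectclass=*) $ EXCLUDE ' + ' '.join(sorted(self.excluded))


def replicate_all(policy, entries):
    """Consumer's view of the whole tree: {dn: filtered entry}."""
    return {dn: policy.replicate(e) for dn, e in entries.items()}


# Constructed sample data: alice is in consumer1's group, bob is not.
GROUP_DN = 'cn=consumer1-users,cn=groups,cn=accounts,dc=example,dc=com'
ALICE_DN = 'uid=alice,cn=users,cn=accounts,dc=example,dc=com'
BOB_DN = 'uid=bob,cn=users,cn=accounts,dc=example,dc=com'
SAMPLE_ENTRIES = {
    ALICE_DN: {'objectclass': ['inetorgperson', 'posixaccount'], 'uid': ['alice'],
               'memberof': [GROUP_DN], 'userpassword': ['{SSHA}constructed'],
               'krbprincipalkey': ['<binary-key-blob>']},
    BOB_DN: {'objectclass': ['inetorgperson', 'posixaccount'], 'uid': ['bob'],
             'userpassword': ['{SSHA}constructed'],
             'krbprincipalkey': ['<binary-key-blob>']},
}
CONSUMER1 = ConsumerPolicy(
    'consumer1', '(&(objectclass=posixaccount)(memberof=%s))' % GROUP_DN)

if __name__ == '__main__':
    for dn, entry in replicate_all(CONSUMER1, SAMPLE_ENTRIES).items():
        print(dn, sorted(entry))
    print(CONSUMER1.agreement_attribute_list())
```

Running it shows bob's entry arriving without `userpassword` and `krbprincipalkey` while alice's arrives complete, and `revoked_credentials` gives the two attributes the consumer has to delete locally once alice's `memberof` disappears; the supplier-side purge is exactly the piece a plain filter or a plain attribute list cannot express on its own.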


[Freeipa-devel] [PATCH] 22 Always set ipa_hostname for sssd.conf

2012-04-12 Thread Ondrej Hamada

https://fedorahosted.org/freeipa/ticket/2527

ipa-client-install will always set ipa_hostname for sssd.conf in order
to prevent the client from getting into weird state.

--
Regards,

Ondrej Hamada
FreeIPA team
jabber: oh...@jabbim.cz
IRC: ohamada

From 4f471211d6e0ab33e17bc1cda5d7c89045e2b3d5 Mon Sep 17 00:00:00 2001
From: Ondrej Hamada oham...@redhat.com
Date: Thu, 12 Apr 2012 14:19:15 +0200
Subject: [PATCH] Always set ipa_hostname for sssd.conf

ipa-client-install will always set ipa_hostname for sssd.conf in order
to prevent the client from getting into weird state.

https://fedorahosted.org/freeipa/ticket/2527
---
 ipa-client/ipa-install/ipa-client-install |7 +++
 1 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 75c60653c6882a73d20a4d40fcb9713799aeea41..828dbd8fb5d41fb6e61c1abccd83cbbe8c3a838f 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -695,7 +695,7 @@ def configure_certmonger(fstore, subject_base, cli_realm, hostname, options):
 except:
 print %s request for host certificate failed % (cmonger.service_name)
 
-def configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server, options, client_domain):
+def configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server, options, client_domain, client_hostname):
 try:
 sssdconfig = SSSDConfig.SSSDConfig()
 sssdconfig.import_config()
@@ -758,8 +758,7 @@ def configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server, options, clie
 # the master should only use itself for Kerberos
 domain.set_option('ipa_server', cli_server)
 domain.set_option('ipa_domain', cli_domain)
-if options.hostname:
-domain.set_option('ipa_hostname', options.hostname)
+domain.set_option('ipa_hostname', client_hostname)
 if cli_domain.lower() != cli_realm.lower():
 domain.set_option('krb5_realm', cli_realm)
 
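Review bot: unconditionally writing `ipa_hostname` from `client_hostname` is the right direction, but the value must be the fully qualified name the host principal and keytab were created with, since SSSD's IPA provider derives the host principal from `ipa_hostname`; the new parameter should therefore receive the validated FQDN rather than a raw `--hostname` string, and a check here that it contains a dot (or a comment stating that the caller guarantees this) would make the assumption explicit.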
@@ -1352,7 +1351,7 @@ def install(options, env, fstore, statestore):
 # Always back up sssd.conf. It gets updated by authconfig --enablekrb5.
 fstore.backup_file(/etc/sssd/sssd.conf)
 if options.sssd:
-if configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server, options, client_domain):
+if configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server, options, client_domain, hostname):
 return CLIENT_INSTALL_ERROR
 print Configured /etc/sssd/sssd.conf
 
-- 
1.7.6.5

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 21 Unable to rename permission object

2012-04-11 Thread Ondrej Hamada

On 04/10/2012 09:35 PM, Rob Crittenden wrote:

Ondrej Hamada wrote:

https://fedorahosted.org/freeipa/ticket/2571

The update was failing because of the case insensitivity of permission
object DN.


Can you wrap the error in _() and add a couple of test cases for this, 
say one for the case insensitivity and one for empty rename attempt?


rob

fixed patch attached

--
Regards,

Ondrej Hamada
FreeIPA team
jabber: oh...@jabbim.cz
IRC: ohamada

From 2e27cc3517fced8f48f7fa89963b72479f2c8bee Mon Sep 17 00:00:00 2001
From: Ondrej Hamada oham...@redhat.com
Date: Wed, 11 Apr 2012 09:37:15 +0200
Subject: [PATCH] Unable to rename permission object

The update was failing because of the case insensitivity of permission
object DN. Unit-tests added.

https://fedorahosted.org/freeipa/ticket/2571
---
 ipalib/plugins/permission.py|   19 ++-
 tests/test_xmlrpc/test_permission_plugin.py |   45 --
 2 files changed, 52 insertions(+), 12 deletions(-)

diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py
index 9b669d9f57e81e885bd080703ba6c405395f6608..92203f17403d7c99dcc41525a771cf01ec31ce32 100644
--- a/ipalib/plugins/permission.py
+++ b/ipalib/plugins/permission.py
@@ -335,14 +335,17 @@ class permission_mod(LDAPUpdate):
 # when renaming permission, check if the target permission does not
 # exists already. Then, make changes to underlying ACI
 if 'rename' in options:
-try:
-new_dn = dn.replace(keys[-1], options['rename'], 1)
-(new_dn, attrs) = ldap.get_entry(
-new_dn, attrs_list, normalize=self.obj.normalize_dn
-)
-raise errors.DuplicateEntry()
-except errors.NotFound:
-pass# permission may be renamed, continue
+if options['rename']:
+try:
+new_dn = dn.replace(keys[-1].lower(), options['rename'], 1)
+(new_dn, attrs) = ldap.get_entry(
+new_dn, attrs_list, normalize=self.obj.normalize_dn
+)
+raise errors.DuplicateEntry()
+except errors.NotFound:
+pass# permission may be renamed, continue
+else:
+raise errors.ValidationError(name='rename',error=_('New name can not be empty'))
 
 opts = copy.copy(options)
 for o in ['all', 'raw', 'rights', 'rename']:
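Review bot: the target DN is still produced by text substitution, `new_dn = dn.replace(keys[-1].lower(), options['rename'], 1)`, which only works because `dn` was already normalized to lower case and replaces the first occurrence of the name anywhere in the DN string, not the RDN value specifically; rebuilding the candidate DN from its RDN components, as the tests do with `DN(('cn', ...), api.env.container_permission, api.env.basedn)`, removes both assumptions. Minor: 'can not' in the new message reads better as 'cannot', and a space is missing after the comma in `name='rename',error=`.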
diff --git a/tests/test_xmlrpc/test_permission_plugin.py b/tests/test_xmlrpc/test_permission_plugin.py
index ab28588609caf080911a29c6e76e7c81e8f296ef..d4551c9525748c3710c4dc66ea15f3fa08f08ea4 100644
--- a/tests/test_xmlrpc/test_permission_plugin.py
+++ b/tests/test_xmlrpc/test_permission_plugin.py
@@ -36,6 +36,10 @@ permission1_renamed = u'testperm1_rn'
 permission1_renamed_dn = DN(('cn',permission1_renamed),
 api.env.container_permission,api.env.basedn)
 
+permission1_renamed_ucase = u'Testperm_RN'
+permission1_renamed_ucase_dn = DN(('cn',permission1_renamed_ucase.lower()),
+api.env.container_permission,api.env.basedn)
+
 
 permission2 = u'testperm2'
 permission2_dn = DN(('cn',permission2),
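Review bot: `permission1_renamed_ucase_dn` lower-cases the cn while `permission1_renamed_ucase` keeps the mixed case the user types; a one-line comment saying that the DN (and, per the later assertion, the stored cn) is expected normalized would spare the next reader from wondering why the constant is not used as typed. The hunk also leaves two blank lines before `permission2`, one more than the surrounding block uses.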
@@ -463,6 +467,17 @@ class test_permission(Declarative):
 
 
 dict(
+desc='Try to rename %r to empty name' % (permission1),
+command=(
+'permission_mod', [permission1], dict(rename=u'',
+  permissions=u'all',)
+),
+expected=errors.ValidationError(name=u'rename',
+error=u'New name can not be empty'),
+),
+
+
+dict(
 desc='Check integrity of original permission %r' % permission1,
 command=('permission_show', [permission1], {}),
 expected=dict(
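Review bot: the empty-rename case sends `permissions=u'all'` alongside `rename=u''`, so the assertion cannot tell a rejection of the empty name from a failure on the permissions change; add a variant with only `rename=u''`. The expected error text is compared verbatim, so it has to track the string in permission.py exactly.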
@@ -503,12 +518,34 @@ class test_permission(Declarative):
 
 
 dict(
-desc='Delete %r' % permission1_renamed,
-command=('permission_del', [permission1_renamed], {}),
+desc='Rename %r to permission %r' % (permission1_renamed,
+ permission1_renamed_ucase),
+command=(
+'permission_mod', [permission1_renamed], dict(rename=permission1_renamed_ucase,
+  permissions= u'write',)
+),
 expected=dict(
-result=dict(failed=u''),
 value=permission1_renamed,
-summary=u'Deleted permission %s' % permission1_renamed,
+summary=u'Modified permission %s' % permission1_renamed,
+result={
+'dn': lambda x: DN(x) == permission1_renamed_ucase_dn,
+'cn': [permission1_renamed_ucase.lower()],
+'member_privilege': [privilege1],
+'type': u'user
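Review bot: this hunk turns the existing 'Delete %r' step into the upper-case rename instead of inserting the rename before it, so the suite now needs a deletion of the permission under its final name to leave the directory clean; the hunk is cut off here, so that cannot be checked from the patch as shown. Style: `permissions= u'write'` has a stray space after `=`.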
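The case-insensitive DN problem this patch fixes, modelled as an added Python example (not FreeIPA code): an in-memory directory that normalizes DNs to lower case, the pre-patch substitution check, the patched check with its empty-name guard, and a variant that rebuilds the DN from its RDN; CONTAINER, the entry names and the fake directory are constructed here.

```python
"""Model of the case-insensitive DN rename check from ticket 2571.

Added example, not FreeIPA code: an in-memory directory whose DNs are
normalized to lower case (the page says the permission DN is
case-insensitive), the 'before' check that substituted the raw key into
that normalized DN, and the patched check (lower-cased key plus the
empty-name guard). CONTAINER and the entry names are constructed.
"""


class NotFound(Exception):
    pass


class DuplicateEntry(Exception):
    pass


class ValidationError(Exception):
    def __init__(self, name, error):
        super().__init__("invalid '%s': %s" % (name, error))
        self.name = name
        self.error = error


CONTAINER = "cn=permissions,cn=pbac,dc=example,dc=com"  # constructed


def normalize_dn(dn):
    """Case-insensitive DN handling modelled as lower-casing the text."""
    return dn.lower()


def permission_dn(name):
    return normalize_dn("cn=%s,%s" % (name, CONTAINER))


class FakeDirectory:
    """Looks entries up by normalized DN, like ldap.get_entry(..., normalize=...)."""

    def __init__(self, names):
        self.entries = {permission_dn(n): {"cn": [n.lower()]} for n in names}

    def get_entry(self, dn):
        dn = normalize_dn(dn)
        if dn not in self.entries:
            raise NotFound(dn)
        return dn, self.entries[dn]


def _check_free(ldap, new_dn):
    try:
        ldap.get_entry(new_dn)
    except NotFound:
        return new_dn  # target does not exist: the rename may proceed
    raise DuplicateEntry(new_dn)


def rename_check_before(ldap, key, new_name):
    """Pre-patch logic: a key typed with capitals never matches inside the
    lower-cased DN, so new_dn == dn and the lookup finds the entry being
    renamed, i.e. a spurious DuplicateEntry."""
    dn = permission_dn(key)
    return _check_free(ldap, dn.replace(key, new_name, 1))


def rename_check_patched(ldap, key, new_name):
    """Logic from the patch: lower-case the key, reject an empty new name."""
    if not new_name:
        raise ValidationError(name="rename", error="New name can not be empty")
    dn = permission_dn(key)
    return _check_free(ldap, dn.replace(key.lower(), new_name, 1))


def rename_check_by_rdn(ldap, key, new_name):
    """Stricter variant: rebuild the DN from its RDN instead of substituting
    text, which also survives a name that occurs earlier in the DN string."""
    if not new_name:
        raise ValidationError(name="rename", error="New name can not be empty")
    ldap.get_entry(permission_dn(key))  # the entry being renamed must exist
    return _check_free(ldap, "cn=%s,%s" % (new_name, CONTAINER))
```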

[Freeipa-devel] [PATCH] 21 Unable to rename permission object

2012-04-10 Thread Ondrej Hamada

https://fedorahosted.org/freeipa/ticket/2571

The update was failing because of the case insensitivity of permission
object DN.

--
Regards,

Ondrej Hamada
FreeIPA team
jabber: oh...@jabbim.cz
IRC: ohamada

From 75772d91024d961fc4193654a8ca128664b2d4d5 Mon Sep 17 00:00:00 2001
From: Ondrej Hamada oham...@redhat.com
Date: Tue, 10 Apr 2012 16:21:07 +0200
Subject: [PATCH] Unable to rename permission object

The update was failing because of the case insensitivity of permission
object DN.

https://fedorahosted.org/freeipa/ticket/2571
---
 ipalib/plugins/permission.py |   19 +++
 1 files changed, 11 insertions(+), 8 deletions(-)

diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py
index ce2536d9921ede73d2c26468f5d99609552e1881..05bd9901da82eea393a67255ff3d091b6fb02fd0 100644
--- a/ipalib/plugins/permission.py
+++ b/ipalib/plugins/permission.py
@@ -331,14 +331,17 @@ class permission_mod(LDAPUpdate):
 # when renaming permission, check if the target permission does not
 # exists already. Then, make changes to underlying ACI
 if 'rename' in options:
-try:
-new_dn = dn.replace(keys[-1], options['rename'], 1)
-(new_dn, attrs) = ldap.get_entry(
-new_dn, attrs_list, normalize=self.obj.normalize_dn
-)
-raise errors.DuplicateEntry()
-except errors.NotFound:
-pass# permission may be renamed, continue
+if options['rename']:
+try:
+new_dn = dn.replace(keys[-1].lower(), options['rename'], 1)
+(new_dn, attrs) = ldap.get_entry(
+new_dn, attrs_list, normalize=self.obj.normalize_dn
+)
+raise errors.DuplicateEntry()
+except errors.NotFound:
+pass# permission may be renamed, continue
+else:
+raise errors.ValidationError(name='rename',error='New name can not be empty')
 
 opts = copy.copy(options)
 for o in ['all', 'raw', 'rights', 'rename']:
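Review bot: the new message in `raise errors.ValidationError(name='rename',error='New name can not be empty')` is not wrapped in _() as the plugin's other user-facing strings are, so it cannot be translated, and no test exercises either behaviour the hunk changes (lower-casing keys[-1] before the substitution, rejecting an empty rename). Also add a space after the comma between the keyword arguments.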
-- 
1.7.6.5


Re: [Freeipa-devel] More types of replica in FreeIPA

2012-04-06 Thread Ondrej Hamada

On 04/04/2012 06:16 PM, Ondrej Hamada wrote:

On 04/04/2012 03:02 PM, Simo Sorce wrote:

On Tue, 2012-04-03 at 18:45 +0200, Ondrej Hamada wrote:

On 03/13/2012 01:13 AM, Dmitri Pal wrote:

On 03/12/2012 06:10 PM, Simo Sorce wrote:

On Mon, 2012-03-12 at 17:40 -0400, Dmitri Pal wrote:

On 03/12/2012 04:16 PM, Simo Sorce wrote:

On Mon, 2012-03-12 at 20:38 +0100, Ondrej Hamada wrote:

USER'S operations when connection is OK:
---
read data - local
write data - forwarding to master
authentication:
-credentials cached -- authenticate against credentials in local cache
  -on failure: log failure locally, update data about failures only on lock-down of account
-credentials not cached -- forward request to master, on success cache the credentials


This scheme doesn't work with Kerberos.
Either you have a copy of the user's keys locally or you don't, there is
nothing you can really cache if you don't.

Simo.


Yes this is what we are talking about here - the cache would have to
contain user Kerberos key but there should be some expiration on the
cache so that fetched and stored keys periodically cleaned following the
policy an admin has defined.

We would need a mechanism to transfer Kerberos keys, but that would not
be sufficient, you'd have to give read-only servers also the realm
krbtgt in order to be able to do anything with those keys.

The way MS solves this (I think) is by giving a special RODC krbtgt to
each RODC, and then replicating all RODC krbtgt's with full domain
controllers. Full domain controllers have logic to use RODC's krbtgt
keys instead of the normal krbtgt to perform operations when user's
krbtgt are presented to a different server. This is a lot of work and
changes in the KDC, not something we can implement easily.

As a first implementation I would restrict read-only replicas to not do
Kerberos at all, only LDAP for all the lookup stuff necessary. To add a
RO KDC we will need to plan a lot of changes in the KDC.

We will also need intelligent partial replication where the rules about
which object (and which attributes in the object) need/can be replicated
are established based on some grouping+filter mechanism. This also is a
pretty important change to 389ds.

Simo.

I agree. I am just trying to structure the discussion a bit so that all
what you are saying can be captured in the design document and then we
can pick a subset of what Ondrej will actually implement. So let us
capture all the complexity and then do a POC for just LDAP part.


Sorry for inactivity, I was struggling with a lot of school stuff.

I've summed up the main goals, do you agree on them or should I
add/remove any?


GOALS
===
Create Hub and Consumer types of replica with following features:

* Hub is read-only

* Hub interconnects Masters with Consumers or Masters with Hubs
or Hubs with other Hubs

* Hub is hidden in the network topology

* Consumer is read-only

* Consumer interconnects Masters/Hubs with clients

* Write operations should be forwarded to Master

* Consumer should be able to log users into system without
communication with master

We need to define how this can be done, it will almost certainly mean
part of the consumer is writable, plus it also means you need additional
access control and policies, on what the Consumer should be allowed to
see.
Right, in such case the Consumers and Hubs will have to be masters 
(from 389-DS's point of view).



* Consumer should cache user's credentials

Ok what credentials ? As I explained earlier Kerberos creds cannot
really be cached. Either they are transferred with replication or the
KDC needs to be change to do chaining. Neither I consider as 'caching'.
A password obtained through an LDAP bind could be cached, but I am not
sure it is worth it.


* Caching of credentials should be configurable

See above.


* CA server should not be allowed on Hubs and Consumers

Missing points:
- Masters should not transfer KRB keys to HUBs/Consumers by default.

Add point:
- storing of the Krb creds must be configurable and disabled by 
default

- We need selective replication if you want to allow distributing a
partial set of Kerberos credentials to consumers. With Hubs it becomes
complicated to decide what to replicate about credentials.

Simo.

Rich mentioned that they are planning support for LDAP filters in 
fractional replication in the future, but currently it is not supported.



Regarding distribution of user's Krb creds:
When the user logs on any Consumer for a first time, he has to
authenticate against master. If he succeeds, he will be added to a specific
user group. Each consumer will have one of these groups. These groups
will be used by LDAP filters in fractional replication to distribute the
Krb creds to the chosen Consumers only.


This will be more complicated because of the HUBs (as Simo already
said). The easiest

Re: [Freeipa-devel] [PATCH] 15 Confusing default user groups

2012-04-05 Thread Ondrej Hamada

On 03/27/2012 12:39 PM, Petr Vobornik wrote:

On 03/26/2012 10:27 PM, Rob Crittenden wrote:

Ondrej Hamada wrote:

On 03/19/2012 05:25 PM, Martin Kosek wrote:

On Tue, 2012-03-06 at 19:07 +0100, Ondrej Hamada wrote:

https://fedorahosted.org/freeipa/ticket/2354

The '(fallback)' string was added to the automember plugin labels
referring to automember default groups, to point out that the users are
already members of the default group specified in IPA config; thus the
default group specified in automember will be an additional one - a
fallback group.

Hm, looks ok. Though I would also like a second opinion for this
change. I think naming it simply Fallback Group would be better, but
we cannot change the API at this stage and rename the parameter. So this
change is a good compromise so far, IMO.

I found a few issues though:

1) The label of default group parameter in automember has not been
updated, i.e. the following command still shows the old name:

# ipa automember-default-group-show --type=group
Default Group:
cn=editors,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com

2) I think we could fix a few issues in docstrings since we touch these
strings anyway:

a) Typo in doc

- label=_('Default Group'),
- doc=_('Default group for entires to land'),
+ label=_('Default (fallback) Group'),
+ doc=_('Default (fallback) group for entires to land'),

b) Non-translatable strings:

- entry_attrs['automemberdefaultgroup'] = u'No default group
set'
+ entry_attrs['automemberdefaultgroup'] = u'No default
(fallback) group set'


- entry_attrs['automemberdefaultgroup'] = u'No default group
set'
+ entry_attrs['automemberdefaultgroup'] = u'No default
(fallback) group set'

Martin


fixed

Ondra


Petr, related to handling in the UI, do you look for the string 'No
default group set' or just look for a string that isn't a dn?

rob


We are checking if the string looks like dn - if it contains 'cn='. If 
not, we consider it as an error message.



Fixed issues with json serialization

--
Regards,

Ondrej Hamada
FreeIPA team
jabber: oh...@jabbim.cz
IRC: ohamada

From 89f28563ce57dd3e068fd2651b12df393399f402 Mon Sep 17 00:00:00 2001
From: Ondrej Hamada oham...@redhat.com
Date: Thu, 5 Apr 2012 17:42:41 +0200
Subject: [PATCH] Confusing default user groups

Added 'fallback' into the labels for default automember group and
hostgroup.

https://fedorahosted.org/freeipa/ticket/2354
---
 ipalib/plugins/automember.py|   35 +++---
 tests/test_xmlrpc/test_automember_plugin.py |6 ++--
 2 files changed, 23 insertions(+), 18 deletions(-)

diff --git a/ipalib/plugins/automember.py b/ipalib/plugins/automember.py
index fabc9bb35a3803475ee1647aea264e29ea8a6f20..bf4cb355ced9760399bf05ceb3ef5d045570c0de 100644
--- a/ipalib/plugins/automember.py
+++ b/ipalib/plugins/automember.py
@@ -33,12 +33,17 @@ or exclusive regex paterns, you can automatically assign a new entries into
 a group or hostgroup based upon attribute information.
 
 A rule is directly associated with a group by name, so you cannot create
-a rule without an accompanying group or hostgroup
+a rule without an accompanying group or hostgroup.
 
 A condition is a regular expression used by 389-ds to match a new incoming
 entry with an automember rule. If it matches an inclusive rule then the
 entry is added to the appropriate group or hostgroup.
 
+A default group or hostgroup could be specified for entries that do not
+match any rule. In case of user entries this group will be a fallback group
+because all users are by default members of group specified in IPA config.
+
+
 EXAMPLES:
 
  Add the initial group or hostgroup:
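Review bot: in the added paragraph, 'could be specified' reads as a hypothetical where 'can be specified' is meant, and 'members of group specified in IPA config' wants 'the group'. The hunk also adds two blank lines before EXAMPLES where the rest of the docstring separates sections with one.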
@@ -80,15 +85,15 @@ EXAMPLES:
  Modify the automember rule:
 ipa automember-mod
 
- Set the default target group:
+ Set the default (fallback) target group:
 ipa automember-default-group-set --default-group=webservers --type=hostgroup
 ipa automember-default-group-set --default-group=ipausers --type=group
 
- Remove the default target group:
+ Remove the default (fallback) target group:
 ipa automember-default-group-remove --type=hostgroup
 ipa automember-default-group-remove --type=group
 
- Show the default target group:
+ Show the default (fallback) target group:
 ipa automember-default-group-show --type=hostgroup
 ipa automember-default-group-show --type=group
 
@@ -173,7 +178,7 @@ class automember(LDAPObject):
 ),
 Str('automemberdefaultgroup?',
 cli_name='default_group',
-label=_('Default Group'),
+label=_('Default (fallback) Group'),
 doc=_('Default group for entries to land'),
 flags=['no_create', 'no_update', 'no_search']
 ),
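Review bot: the label becomes 'Default (fallback) Group' while the unchanged `doc=_('Default group for entries to land')` on the following line keeps the old wording, so the CLI help text and the label now disagree; apply the same '(fallback)' change to the doc string.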
@@ -500,18 +505,18 @@ api.register(automember_show)
 
 class automember_default_group_set(LDAPUpdate):
 __doc__ = _(
-Set default group for all unmatched entries.
+Set default (fallback) group for all unmatched entries.
 )
 
 takes_options = (
 Str

Re: [Freeipa-devel] More types of replica in FreeIPA

2012-04-04 Thread Ondrej Hamada

On 04/04/2012 03:02 PM, Simo Sorce wrote:

On Tue, 2012-04-03 at 18:45 +0200, Ondrej Hamada wrote:

On 03/13/2012 01:13 AM, Dmitri Pal wrote:

On 03/12/2012 06:10 PM, Simo Sorce wrote:

On Mon, 2012-03-12 at 17:40 -0400, Dmitri Pal wrote:

On 03/12/2012 04:16 PM, Simo Sorce wrote:

On Mon, 2012-03-12 at 20:38 +0100, Ondrej Hamada wrote:

USER'S operations when connection is OK:
---
read data - local
write data - forwarding to master
authentication:
-credentials cached -- authenticate against credentials in local cache
  -on failure: log failure locally, update data about failures only on lock-down of account
-credentials not cached -- forward request to master, on success cache the credentials


This scheme doesn't work with Kerberos.
Either you have a copy of the user's keys locally or you don't, there is
nothing you can really cache if you don't.

Simo.


Yes this is what we are talking about here - the cache would have to
contain user Kerberos key but there should be some expiration on the
cache so that fetched and stored keys periodically cleaned following the
policy an admin has defined.

We would need a mechanism to transfer Kerberos keys, but that would not
be sufficient, you'd have to give read-only servers also the realm
krbtgt in order to be able to do anything with those keys.

The way MS solves this (I think) is by giving a special RODC krbtgt to
each RODC, and then replicating all RODC krbtgt's with full domain
controllers. Full domain controllers have logic to use RODC's krbtgt
keys instead of the normal krbtgt to perform operations when user's
krbtgt are presented to a different server. This is a lot of work and
changes in the KDC, not something we can implement easily.

As a first implementation I would restrict read-only replicas to not do
Kerberos at all, only LDAP for all the lookup stuff necessary. To add a
RO KDC we will need to plan a lot of changes in the KDC.

We will also need intelligent partial replication where the rules about
which object (and which attributes in the object) need/can be replicated
are established based on some grouping+filter mechanism. This also is a
pretty important change to 389ds.

Simo.


I agree. I am just trying to structure the discussion a bit so that all
what you are saying can be captured in the design document and then we
can pick a subset of what Ondrej will actually implement. So let us
capture all the complexity and then do a POC for just LDAP part.


Sorry for inactivity, I was struggling with a lot of school stuff.

I've summed up the main goals, do you agree on them or should I
add/remove any?


GOALS
===
Create Hub and Consumer types of replica with following features:

* Hub is read-only

* Hub interconnects Masters with Consumers or Masters with Hubs
or Hubs with other Hubs

* Hub is hidden in the network topology

* Consumer is read-only

* Consumer interconnects Masters/Hubs with clients

* Write operations should be forwarded to Master

* Consumer should be able to log users into system without
communication with master

We need to define how this can be done, it will almost certainly mean
part of the consumer is writable, plus it also means you need additional
access control and policies, on what the Consumer should be allowed to
see.
Right, in such case the Consumers and Hubs will have to be masters (from 
389-DS's point of view).



* Consumer should cache user's credentials

Ok what credentials ? As I explained earlier Kerberos creds cannot
really be cached. Either they are transferred with replication or the
KDC needs to be change to do chaining. Neither I consider as 'caching'.
A password obtained through an LDAP bind could be cached, but I am not
sure it is worth it.


* Caching of credentials should be configurable

See above.


* CA server should not be allowed on Hubs and Consumers

Missing points:
- Masters should not transfer KRB keys to HUBs/Consumers by default.

Add point:
- storing of the Krb creds must be configurable and disabled by default

- We need selective replication if you want to allow distributing a
partial set of Kerberos credentials to consumers. With Hubs it becomes
complicated to decide what to replicate about credentials.

Simo.

Rich mentioned that they are planning support for LDAP filters in 
fractional replication in the future, but currently it is not supported.



--
Regards,

Ondrej Hamada
FreeIPA team
jabber:oh...@jabbim.cz
IRC: ohamada



[Freeipa-devel] [PATCH] 20 Fix empty external member processing

2012-04-03 Thread Ondrej Hamada

https://fedorahosted.org/freeipa/ticket/2447

Validation of external member was failing for empty strings because of
wrong condition.

--
Regards,

Ondrej Hamada
FreeIPA team
jabber: oh...@jabbim.cz
IRC: ohamada

From 137c676c6c182f839cbcd9332f9d0f6d8d18b3f0 Mon Sep 17 00:00:00 2001
From: Ondrej Hamada oham...@redhat.com
Date: Tue, 3 Apr 2012 12:07:04 +0200
Subject: [PATCH] Fix empty external member processing

Validation of external member was failing for empty strings because of
wrong condition.

https://fedorahosted.org/freeipa/ticket/2447
---
 ipalib/plugins/baseldap.py |2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py
index 38f369a779adc53454837994bd2bec5b74d3bbd4..1c893018c6452b5979c2c721e325005cb0d676a9 100644
--- a/ipalib/plugins/baseldap.py
+++ b/ipalib/plugins/baseldap.py
@@ -326,7 +326,7 @@ def add_external_pre_callback(membertype, ldap, dn, keys, options):
 def validate_host(hostname):
 validate_hostname(hostname, check_fqdn=False, allow_underscore=True)
 
-if membertype in options:
+if membertype in options and options[membertype]:
 if membertype == 'host':
 validator = validate_host
 else:
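Review bot: `if membertype in options and options[membertype]:` is the long form of `if options.get(membertype):`; the shorter form states the intent (skip validation when the option is absent or empty) directly. Since an empty value now falls through without validation, a test that passes an empty external member and checks the result would document that this is deliberate.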
-- 
1.7.6.5


Re: [Freeipa-devel] [PATCH] 20 Fix empty external member processing

2012-04-03 Thread Ondrej Hamada

On 04/03/2012 12:22 PM, Ondrej Hamada wrote:

https://fedorahosted.org/freeipa/ticket/2447

Validation of external member was failing for empty strings because of
wrong condition.





Used clearer solution. Thanks to Rob for advice.

--
Regards,

Ondrej Hamada
FreeIPA team
jabber: oh...@jabbim.cz
IRC: ohamada

From 837734d515b72fd10b5284b13acfdcba94deeec1 Mon Sep 17 00:00:00 2001
From: Ondrej Hamada oham...@redhat.com
Date: Tue, 3 Apr 2012 15:16:58 +0200
Subject: [PATCH] Fix empty external member processing

Validation of external member was failing for empty strings because of
wrong condition.

https://fedorahosted.org/freeipa/ticket/2447
---
 ipalib/plugins/baseldap.py |2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py
index 38f369a779adc53454837994bd2bec5b74d3bbd4..11ec16fe10a7ebaf1cd00214f8c6c264952d81d4 100644
--- a/ipalib/plugins/baseldap.py
+++ b/ipalib/plugins/baseldap.py
@@ -326,7 +326,7 @@ def add_external_pre_callback(membertype, ldap, dn, keys, options):
 def validate_host(hostname):
 validate_hostname(hostname, check_fqdn=False, allow_underscore=True)
 
-if membertype in options:
+if options.get(membertype,False):
 if membertype == 'host':
 validator = validate_host
 else:
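Review bot: the `False` default in `options.get(membertype,False)` is redundant, since get() already returns None (falsy) for a missing key, and PEP 8 wants a space after the comma; `if options.get(membertype):` says the same thing.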
-- 
1.7.6.5


Re: [Freeipa-devel] More types of replica in FreeIPA

2012-04-03 Thread Ondrej Hamada

On 03/13/2012 01:13 AM, Dmitri Pal wrote:

On 03/12/2012 06:10 PM, Simo Sorce wrote:

On Mon, 2012-03-12 at 17:40 -0400, Dmitri Pal wrote:

On 03/12/2012 04:16 PM, Simo Sorce wrote:

On Mon, 2012-03-12 at 20:38 +0100, Ondrej Hamada wrote:

USER'S operations when connection is OK:
---
read data - local
write data - forwarding to master
authentication:
-credentials cached -- authenticate against credentials in local cache
  -on failure: log failure locally, update data about failures only on lock-down of account
-credentials not cached -- forward request to master, on success cache the credentials


This scheme doesn't work with Kerberos.
Either you have a copy of the user's keys locally or you don't, there is
nothing you can really cache if you don't.

Simo.


Yes this is what we are talking about here - the cache would have to
contain user Kerberos key but there should be some expiration on the
cache so that fetched and stored keys periodically cleaned following the
policy an admin has defined.

We would need a mechanism to transfer Kerberos keys, but that would not
be sufficient, you'd have to give read-only servers also the realm
krbtgt in order to be able to do anything with those keys.

The way MS solves this (I think) is by giving a special RODC krbtgt to
each RODC, and then replicating all RODC krbtgt's with full domain
controllers. Full domain controllers have logic to use RODC's krbtgt
keys instead of the normal krbtgt to perform operations when user's
krbtgt are presented to a different server. This is a lot of work and
changes in the KDC, not something we can implement easily.

As a first implementation I would restrict read-only replicas to not do
Kerberos at all, only LDAP for all the lookup stuff necessary. To add a
RO KDC we will need to plan a lot of changes in the KDC.

We will also need intelligent partial replication where the rules about
which object (and which attributes in the object) need/can be replicated
are established based on some grouping+filter mechanism. This also is a
pretty important change to 389ds.

Simo.


I agree. I am just trying to structure the discussion a bit so that all
what you are saying can be captured in the design document and then we
can pick a subset of what Ondrej will actually implement. So let us
capture all the complexity and then do a POC for just LDAP part.


Sorry for inactivity, I was struggling with a lot of school stuff.

I've summed up the main goals, do you agree on them or should I 
add/remove any?



GOALS
===
Create Hub and Consumer types of replica with following features:

* Hub is read-only

* Hub interconnects Masters with Consumers or Masters with Hubs
  or Hubs with other Hubs

* Hub is hidden in the network topology

* Consumer is read-only

* Consumer interconnects Masters/Hubs with clients

* Write operations should be forwarded to Master

* Consumer should be able to log users into system without
  communication with master

* Consumer should cache user's credentials

* Caching of credentials should be configurable

* CA server should not be allowed on Hubs and Consumers

--
Regards,

Ondrej Hamada
FreeIPA team
jabber: oh...@jabbim.cz
IRC: ohamada



Re: [Freeipa-devel] [PATCH] 0030 Allow multi-line CSV parameters

2012-03-29 Thread Ondrej Hamada

On 03/22/2012 09:40 AM, Petr Viktorin wrote:
Feed individual lines of input into the CSV parser, and include all 
lines in the output.


https://fedorahosted.org/freeipa/ticket/2402




ACK

--
Regards,

Ondrej Hamada
FreeIPA team
jabber: oh...@jabbim.cz
IRC: ohamada


Re: [Freeipa-devel] [PATCH] 16 Netgroup nisdomain and hosts validation

2012-03-27 Thread Ondrej Hamada

On 03/27/2012 01:57 PM, Martin Kosek wrote:

On Fri, 2012-03-23 at 23:10 +0100, Ondrej Hamada wrote:

On 03/15/2012 08:13 AM, Martin Kosek wrote:

On Wed, 2012-03-14 at 16:54 +0100, Ondrej Hamada wrote:

On 03/09/2012 04:34 PM, Martin Kosek wrote:

On Thu, 2012-03-08 at 14:52 +0100, Ondrej Hamada wrote:

Netgroup nisdomain and hosts validation

nisdomain validation:
Added pattern to the 'nisdomain' parameter to validate the specified
nisdomain name. According to most common use cases the same pattern as
for netgroup should fit. Unit-tests added.

https://fedorahosted.org/freeipa/ticket/2447

hosts validation:
Added precallback to netgroup_add_member. It validates the specified
hostnames and raises ValidationError exception for invalid hostnames.
Unit-test added.

https://fedorahosted.org/freeipa/ticket/2448

I checked the host validation part and it could be improved. Issue
described in #2447 (you have switched the ticket IDs) affects all
objects that allow external hosts, users, ..., i.e. those who call
add_external_post_callback in their post_callback.

Should we fix all of these when we deal with this issue? Otherwise user
could do something like this:
# ipa sudorule-add-user foo --users=a+b
 Rule name: foo
 Enabled: TRUE
 External User: a+b

We could create a similar function called add_external_pre_callback()
and pass it attribute name and validating function (which would be
common with the linked object). It would then do the validation for all
these affected objects consistently and without redundant code.

I didn't like the implemented pre_callback much anyway

+def pre_callback(self, ldap, dn, found, not_found, *keys,
**options):
+# validate entered hostnames
+if 'host' in options:
+invalid_hostnames=[]
+for hostname in options['host']:
+try:
+validate_hostname(hostname, False)
+except ValueError:
+invalid_hostnames.append(hostname)
+if invalid_hostnames:
+raise errors.ValidationError(name='host',
error='hostnames:\%s\ contain invalid characters' %
','.join(invalid_hostnames))
+return dn

I would rather raise the ValidationError with the first invalid hostname
and tell what's wrong (function validate_hostname tells it to you). If
you go with the proposed approach, you wouldn't have to deal with
formatting error messages, you would just raise the one returned by the
validator shared with the linked LDAP object (hostname, user, ...).

Martin

external_pre_callback function seems like a good idea, but there is a
problem with how to get the validators for various LDAP objects. For the
hostname we already have one in ipalib.utils, but for the uid or group
name we use only patterns specified in the parameter objects.

Below I propose a solution for how to use the already defined parameter
objects for validation (the only problem is that I have to assume that
it is always the first parameter in takes_params). Do you think this is
a good approach?

I think the approach is OK, it can just be much improved in order to get
rid of the hardcoded parts. See comments below.


def add_external_pre_callback(memberattr, membertype, externalattr,
                              ldap, dn, found, not_found, *keys, **options):
    """
    Pre callback to validate external members.
    """
    if membertype in options:
        validator = api.Object[membertype].takes_params[0]

You can use api.Object[membertype].params[memberattr]


        for value in options[membertype]:
            try:
                validator(value)
            except errors.ValidationError as e:
                error_msg = e[(e.find(':')+1):]

You don't have to parse error message, you can just use e.name or
e.error right from the caught ValidationError.


                raise errors.ValidationError(name=membertype,
                                             error=e[e.find(':')+1:])
    return dn


nisdomain validation:
Added pattern to the 'nisdomain' parameter to validate the specified
nisdomain name. According to most common use cases the same pattern as
for netgroup should fit. Unit-tests added.

https://fedorahosted.org/freeipa/ticket/2448

'add_external_pre_callback' function was created to allow validation of
all external members. Validation is based on usage of the object's primary
key parameter. The 'add_external_pre_callback' function has to be called
directly from the 'pre_callback' function. This change affects
netgroup, hbacrule and sudorule commands.

Special validator is used only for hostname, the validator requires fully
qualified domain name and enables the hostnames to contain underscores.

Unit-tests added.

https://fedorahosted.org/freeipa/ticket/2447


This is better, but I still see a few issues:

1) You copied hostname validator instead of extending validate_hostname
function in ipalib.util with allow_underscore parameter which is already
available in validate_dns_label. Having duplicate functions like this is
just
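The validation approach discussed in this thread (a shared pre-callback that takes the validator from the member object's own parameter, re-raises with e.error instead of slicing the message, and skips a missing or empty option), as an added Python example rather than FreeIPA's code; the PARAMS registry, validate_hostname and the regex patterns are constructed stand-ins for api.Object[...].params and ipalib.util.

```python
"""Model of the external-member validation discussed in this thread.

Added example, not FreeIPA code. PARAMS stands in for
api.Object[membertype].params[memberattr]; validate_hostname and the
patterns are constructed here, not FreeIPA's real ones. It shows the
three review points: take the validator from the object's own parameter
instead of hard-coding takes_params[0], re-raise with e.error instead of
slicing the message text, and treat a missing or empty option the same
way (options.get()).
"""
import re


class ValidationError(Exception):
    """Carries the structured fields the review suggests using (e.name, e.error)."""

    def __init__(self, name, error):
        super().__init__("invalid '%s': %s" % (name, error))
        self.name = name
        self.error = error


class Param:
    """Minimal stand-in for an IPA parameter: a name plus a regex and its message."""

    def __init__(self, name, pattern, pattern_errmsg):
        self.name = name
        self.regex = re.compile(pattern, re.IGNORECASE)
        self.pattern_errmsg = pattern_errmsg

    def __call__(self, value):
        if not self.regex.match(value):
            raise ValidationError(name=self.name, error=self.pattern_errmsg)
        return value


# Constructed patterns keyed by object type (hypothetical, not FreeIPA's).
PARAMS = {
    "user": Param("uid", r"^[a-z0-9_.][a-z0-9_.-]*$",
                  "may only include letters, numbers, _, -, ."),
    "group": Param("cn", r"^[a-z0-9_.][a-z0-9_.-]*$",
                   "may only include letters, numbers, _, -, ."),
}


def validate_hostname(hostname, check_fqdn=True, allow_underscore=False):
    """Constructed hostname check with the two switches the patch passes."""
    allowed = re.compile(r"^[a-z0-9_-]+$" if allow_underscore else r"^[a-z0-9-]+$",
                         re.IGNORECASE)
    labels = hostname.split(".")
    if check_fqdn and len(labels) < 2:
        raise ValidationError(name="hostname", error="not fully qualified")
    for label in labels:
        if not label or label[0] == "-" or label[-1] == "-":
            raise ValidationError(name="hostname",
                                  error="empty label or leading/trailing '-'")
        if not allowed.match(label):
            raise ValidationError(name="hostname",
                                  error="invalid characters in label '%s'" % label)
    return hostname


def validate_host(hostname):
    # Same switches as the patch: no FQDN required, underscores allowed.
    return validate_hostname(hostname, check_fqdn=False, allow_underscore=True)


def add_external_pre_callback(membertype, options):
    """Validate every external member of `membertype` given in `options`.

    Returns the list of accepted values; raises ValidationError carrying
    the option name (user/group/host) and the validator's own message.
    """
    members = options.get(membertype)
    if not members:  # missing key and empty value both mean nothing to validate
        return []
    validator = validate_host if membertype == "host" else PARAMS[membertype]
    for value in members:
        try:
            validator(value)
        except ValidationError as e:
            # Use the structured field rather than slicing the message text.
            raise ValidationError(name=membertype, error=e.error)
    return list(members)
```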

Re: [Freeipa-devel] [PATCH] 996 fix unit tests

2012-03-23 Thread Ondrej Hamada

On 03/23/2012 08:12 PM, Rob Crittenden wrote:
A few unit tests were failing due to new type enforcement and comman 
support.


Unit tests are passing 100% for me with this.

rob



You were faster. Works for me.

ACK

--
Regards,

Ondrej Hamada
FreeIPA team
jabber: oh...@jabbim.cz
IRC: ohamada


Re: [Freeipa-devel] [PATCH] 16 Netgroup nisdomain and hosts validation

2012-03-23 Thread Ondrej Hamada

On 03/15/2012 08:13 AM, Martin Kosek wrote:

On Wed, 2012-03-14 at 16:54 +0100, Ondrej Hamada wrote:

On 03/09/2012 04:34 PM, Martin Kosek wrote:

On Thu, 2012-03-08 at 14:52 +0100, Ondrej Hamada wrote:

Netgroup nisdomain and hosts validation

nisdomain validation:
Added pattern to the 'nisdomain' parameter to validate the specified
nisdomain name. According to most common use cases the same pattern as
for netgroup should fit. Unit-tests added.

https://fedorahosted.org/freeipa/ticket/2447

hosts validation:
Added precallback to netgroup_add_member. It validates the specified
hostnames and raises ValidationError exception for invalid hostnames.
Unit-test added.

https://fedorahosted.org/freeipa/ticket/2448

I checked the host validation part and it could be improved. Issue
described in #2447 (you have switched the ticket IDs) affects all
objects that allow external hosts, users, ..., i.e. those who call
add_external_post_callback in their post_callback.

Should we fix all of these when we deal with this issue? Otherwise a user
could do something like this:
# ipa sudorule-add-user foo --users=a+b
Rule name: foo
Enabled: TRUE
External User: a+b

We could create a similar function called add_external_pre_callback()
and pass it attribute name and validating function (which would be
common with the linked object). It would then do the validation for all
these affected objects consistently and without redundant code.

I didn't like the implemented pre_callback much anyway

+def pre_callback(self, ldap, dn, found, not_found, *keys,
**options):
+# validate entered hostnames
+if 'host' in options:
+invalid_hostnames=[]
+for hostname in options['host']:
+try:
+validate_hostname(hostname, False)
+except ValueError:
+invalid_hostnames.append(hostname)
+if invalid_hostnames:
+raise errors.ValidationError(name='host',
error='hostnames:\%s\ contain invalid characters' %
','.join(invalid_hostnames))
+return dn

I would rather raise the ValidationError with the first invalid hostname
and tell what's wrong (function validate_hostname tells it to you). If
you go with the proposed approach, you wouldn't have to deal with
formatting error messages, you would just raise the one returned by the
validator shared with the linked LDAP object (hostname, user, ...).

Martin

The external_pre_callback function seems like a good idea, but there is a
problem with how to get the validators for various LDAP objects. For the
hostname we already have one in ipalib.utils, but for the uid or group
name we use only patterns specified in the parameter objects.

Below I propose a solution for how to use the already defined parameter
objects for validation (the only problem is that I have to assume that
it is always the first parameter in takes_params). Do you think this is
a good approach?

I think the approach is OK, it can just be much improved in order to get
rid of the hardcoded parts. See comments below.


def add_external_pre_callback(memberattr, membertype, externalattr,
                              ldap, dn, found, not_found, *keys, **options):
    """
    Pre callback to validate external members.
    """
    if membertype in options:
        validator = api.Object[membertype].takes_params[0]

You can use api.Object[membertype].params[memberattr]


        for value in options[membertype]:
            try:
                validator(value)
            except errors.ValidationError as e:
                error_msg = e[(e.find(':')+1):]

You don't have to parse error message, you can just use e.name or
e.error right from the caught ValidationError.


                raise errors.ValidationError(name=membertype,
                                             error=e[e.find(':')+1:])
    return dn





nisdomain validation:
Added pattern to the 'nisdomain' parameter to validate the specified
nisdomain name. According to most common use cases the same pattern as
for netgroup should fit. Unit-tests added.

https://fedorahosted.org/freeipa/ticket/2448

'add_external_pre_callback' function was created to allow validation of
all external members. Validation is based on usage of the object's primary
key parameter. The 'add_external_pre_callback' function has to be called
directly from the 'pre_callback' function. This change affects
netgroup, hbacrule and sudorule commands.

A special validator is used only for hostnames; the validator requires a
fully qualified domain name and enables the hostnames to contain underscores.

Unit-tests added.

https://fedorahosted.org/freeipa/ticket/2447

--
Regards,

Ondrej Hamada
FreeIPA team
jabber: oh...@jabbim.cz
IRC: ohamada

From eaf9300a5c4236835932743447c53ea430d5194d Mon Sep 17 00:00:00 2001
From: Ondrej Hamada oham...@redhat.com
Date: Fri, 23 Mar 2012 13:16:36 +0100
Subject: [PATCH] Netgroup nisdomain and hosts validation

nisdomain validation:
Added pattern to the 'nisdomain' parameter to validate the specified
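The shared pre-callback discussed in this thread, written out as an added example (it is not the FreeIPA code from the patch, nor Martin's): the linked object's own parameter is looked up by attribute name (`params[memberattr]`) and the caught error is re-raised with `e.error` instead of slicing the message, the two changes suggested in the review. The `ValidationError`, `Str`, `Object` and `api_objects` stand-ins, the `validate_hostname`/`validate_dns_label` functions and the use of the netgroup `cn` pattern for `uid` and group `cn` are assumptions made for this example; only the pattern and message text for netgroup come from the thread.

```python
import re

# Constructed stand-ins for ipalib's errors.ValidationError, Str parameter and
# api.Object registry; they are not FreeIPA's own classes.

class ValidationError(Exception):
    """Carries the parameter name and the reason, like ipalib's ValidationError."""
    def __init__(self, name, error):
        super().__init__("invalid '%s': %s" % (name, error))
        self.name = name
        self.error = error


def validate_dns_label(label, allow_underscore=False):
    """Accept one DNS label: 1-63 chars of letters, digits and '-' (plus '_' when
    allowed), never starting or ending with '-'. Raises ValueError with the reason."""
    chars = 'a-z0-9_' if allow_underscore else 'a-z0-9'
    pattern = re.compile(r'^[%s]([%s-]*[%s])?$' % (chars, chars, chars), re.IGNORECASE)
    if not 1 <= len(label) <= 63:
        raise ValueError('DNS label must be 1 to 63 characters long')
    if not pattern.match(label):
        raise ValueError("DNS label '%s' may only include letters, numbers%s and '-' "
                         "(not as the first or last character)"
                         % (label, ", '_'" if allow_underscore else ''))


def validate_hostname(hostname, check_fqdn=True, allow_underscore=False):
    """Hostname check modelled on the thread's special validator: a fully
    qualified name (at least one dot) whose labels may contain underscores."""
    if check_fqdn and '.' not in hostname:
        raise ValueError("hostname '%s' is not fully qualified" % hostname)
    for label in hostname.split('.'):
        validate_dns_label(label, allow_underscore)


class Str:
    """Parameter with an optional regex, the way ipalib Str params carry
    pattern/pattern_errmsg. Calling it validates one value."""
    def __init__(self, name, pattern=None, pattern_errmsg=None):
        self.name = name
        self.pattern = re.compile(pattern) if pattern else None
        self.pattern_errmsg = pattern_errmsg

    def __call__(self, value):
        if self.pattern and not self.pattern.match(value):
            raise ValidationError(name=self.name, error=self.pattern_errmsg)
        return value


class HostnameStr(Str):
    """Primary key of the host object: FQDN with underscores allowed."""
    def __call__(self, value):
        try:
            validate_hostname(value, check_fqdn=True, allow_underscore=True)
        except ValueError as e:
            raise ValidationError(name=self.name, error=str(e))
        return value


class Object:
    def __init__(self, *params):
        self.params = {p.name: p for p in params}


# Pattern and message quoted from the netgroup 'cn' parameter in the thread;
# reusing them for uid and group cn is an assumption of this example.
NAME_PATTERN = r'^[a-zA-Z0-9_.][a-zA-Z0-9_.-]+$'
NAME_ERRMSG = 'may only include letters, numbers, _, -, and .'

api_objects = {
    'user': Object(Str('uid', NAME_PATTERN, NAME_ERRMSG)),
    'group': Object(Str('cn', NAME_PATTERN, NAME_ERRMSG)),
    'host': Object(HostnameStr('fqdn')),
    'netgroup': Object(Str('cn', NAME_PATTERN, NAME_ERRMSG)),
}


def add_external_pre_callback(memberattr, membertype, externalattr,
                              ldap, dn, found, not_found, *keys, **options):
    """Validate external members with the linked object's own parameter:
    look it up by memberattr and re-raise with e.error, so the first invalid
    value is reported with the validator's own message, no parsing needed."""
    if membertype in options:
        validator = api_objects[membertype].params[memberattr]
        for value in options[membertype]:
            try:
                validator(value)
            except ValidationError as e:
                raise ValidationError(name=membertype, error=e.error)
    return dn


def check_external(membertype, memberattr, values):
    """Run the pre callback as a *-add-member command would; return the
    ValidationError, or None when every value passes."""
    try:
        add_external_pre_callback(memberattr, membertype, 'external' + membertype,
                                  None, 'cn=rule,dc=example,dc=test', [], [],
                                  **{membertype: values})
    except ValidationError as e:
        return e
    return None
```

With this shape the `a+b` external user from Martin's example is rejected by the user object's `uid` pattern with that pattern's own `pattern_errmsg`, and a hostname such as `web_1.example.test` passes while `web1` (not fully qualified) and `bad-.example.test` (label ending in '-') are refused with the hostname validator's message.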

Re: [Freeipa-devel] [PATCH] 15 Confusing default user groups

2012-03-22 Thread Ondrej Hamada

On 03/19/2012 05:25 PM, Martin Kosek wrote:

On Tue, 2012-03-06 at 19:07 +0100, Ondrej Hamada wrote:

https://fedorahosted.org/freeipa/ticket/2354

A '(fallback)' string was added to the automember plugin labels
referring to automember default groups, to point out that the users are
already members of the default group specified in IPA config, thus the
default group specified in automember will be an additional one - a
fallback group.

Hm, looks ok. Though I would also like some second opinion for this
change. I think naming it simply Fallback Group would be better, but
we cannot change the API at this stage and rename the parameter. So this
change is a good compromise so far, IMO.

I found a few issues though:

1) The label of default group parameter in automember has not been
updated, i.e. the following command still shows the old name:

# ipa automember-default-group-show --type=group
   Default Group: cn=editors,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com

2) I think we could fix a few issues in docstrings since we touch these
strings anyway:

a) Typo in doc

-label=_('Default Group'),
-doc=_('Default group for entires to land'),
+label=_('Default (fallback) Group'),
+doc=_('Default (fallback) group for entires to land'),

b) Non-translatable strings:

-entry_attrs['automemberdefaultgroup'] = u'No default group
set'
+entry_attrs['automemberdefaultgroup'] = u'No default
(fallback) group set'


-entry_attrs['automemberdefaultgroup'] = u'No default group
set'
+entry_attrs['automemberdefaultgroup'] = u'No default
(fallback) group set'

Martin


fixed

Ondra

--
Regards,

Ondrej Hamada
FreeIPA team
jabber: oh...@jabbim.cz
IRC: ohamada

From 1a112e5d7ea5bbfd3ffae675352c83099ff1b1fe Mon Sep 17 00:00:00 2001
From: Ondrej Hamada oham...@redhat.com
Date: Thu, 22 Mar 2012 16:32:53 +0100
Subject: [PATCH] Confusing default user groups

Added 'fallback' into the labels for default automember group and
hostgroup.

https://fedorahosted.org/freeipa/ticket/2354
---
 ipalib/plugins/automember.py|   35 +++---
 tests/test_xmlrpc/test_automember_plugin.py |6 ++--
 2 files changed, 23 insertions(+), 18 deletions(-)

diff --git a/ipalib/plugins/automember.py b/ipalib/plugins/automember.py
index fabc9bb35a3803475ee1647aea264e29ea8a6f20..9aac94ab7aeaab0a19d8e8bca2cc040454a14af1 100644
--- a/ipalib/plugins/automember.py
+++ b/ipalib/plugins/automember.py
@@ -33,12 +33,17 @@ or exclusive regex paterns, you can automatically assign a new entries into
 a group or hostgroup based upon attribute information.
 
 A rule is directly associated with a group by name, so you cannot create
-a rule without an accompanying group or hostgroup
+a rule without an accompanying group or hostgroup.
 
 A condition is a regular expression used by 389-ds to match a new incoming
 entry with an automember rule. If it matches an inclusive rule then the
 entry is added to the appropriate group or hostgroup.
 
+A default group or hostgroup could be specified for entries that do not
+match any rule. In case of user entries this group will be a fallback group
+because all users are by default members of group specified in IPA config.
+
+
 EXAMPLES:
 
  Add the initial group or hostgroup:
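Review bot: the added docstring paragraph starting `+A default group or hostgroup could be specified` reads awkwardly; suggest "A default group or hostgroup can be specified for entries that do not match any rule. For user entries this group is a fallback group, because all users are by default members of the group specified in IPA config." The hunk also inserts two blank lines before `EXAMPLES:` where one matches the rest of the docstring, and the `paterns` typo visible in the hunk header context could be fixed while this docstring is being touched.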
@@ -80,15 +85,15 @@ EXAMPLES:
  Modify the automember rule:
 ipa automember-mod
 
- Set the default target group:
+ Set the default (fallback) target group:
 ipa automember-default-group-set --default-group=webservers --type=hostgroup
 ipa automember-default-group-set --default-group=ipausers --type=group
 
- Remove the default target group:
+ Remove the default (fallback) target group:
 ipa automember-default-group-remove --type=hostgroup
 ipa automember-default-group-remove --type=group
 
- Show the default target group:
+ Show the default (fallback) target group:
 ipa automember-default-group-show --type=hostgroup
 ipa automember-default-group-show --type=group
 
@@ -173,7 +178,7 @@ class automember(LDAPObject):
 ),
 Str('automemberdefaultgroup?',
 cli_name='default_group',
-label=_('Default Group'),
+label=_('Default (fallback) Group'),
 doc=_('Default group for entries to land'),
 flags=['no_create', 'no_update', 'no_search']
 ),
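Review bot: the `automember` object's parameter label is changed to `Default (fallback) Group`, but its `doc=_('Default group for entries to land')` on the very next line is left unchanged, while the same parameter in `automember_default_group_set` further down gets `Default (fallback) group for entries to land`; update this doc string too so the object definition and the command option agree.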
@@ -500,18 +505,18 @@ api.register(automember_show)
 
 class automember_default_group_set(LDAPUpdate):
 __doc__ = _(
-Set default group for all unmatched entries.
+Set default (fallback) group for all unmatched entries.
 )
 
 takes_options = (
 Str('automemberdefaultgroup',
 cli_name='default_group',
-label=_('Default Group'),
-doc=_('Default group for entires to land'),
+label=_('Default (fallback) Group'),
+doc=_('Default (fallback) group for entries to land'),
 flags=['no_create', 'no_update']
 ),
 ) + group_type

[Freeipa-devel] [PATCH] 19 Search allowed attributes in superior objectclasses

2012-03-21 Thread Ondrej Hamada

https://fedorahosted.org/freeipa/ticket/2293

This patch fixes a regression caused by the patch for ticket #2293. The 
function get_allowed_attributes was searching only through the specified 
objectclasses but not through their superior objectclasses. This patch 
adds such behaviour by a recursive call of get_allowed_attributes on the 
superior objectclasses.


A test case that revealed the regression was added to the unit tests.

--
Regards,

Ondrej Hamada
FreeIPA team
jabber: oh...@jabbim.cz
IRC: ohamada

From 5399a72edd69c5f59ba1308e03a17531557faf11 Mon Sep 17 00:00:00 2001
From: Ondrej Hamada oham...@redhat.com
Date: Wed, 21 Mar 2012 13:30:42 +0100
Subject: [PATCH] Search allowed attributes in superior objectclasses

The get_allowed_attributes function was improved to look for allowed
attributes also in the superior objectclasses of the specified objectclass.

This fixes the regression caused by the patch for ticket #2293. A test case
for the unit tests was also created.

https://fedorahosted.org/freeipa/ticket/2293
---
 ipaserver/plugins/ldap2.py  |3 ++
 tests/test_xmlrpc/test_permission_plugin.py |   35 +++
 2 files changed, 38 insertions(+), 0 deletions(-)

diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py
index dd5756735405d5a5a9c76d4fa0d82459007a2233..178386c67001a5851e25f1640b301ae504ccab69 100644
--- a/ipaserver/plugins/ldap2.py
+++ b/ipaserver/plugins/ldap2.py
@@ -401,6 +401,9 @@ class ldap2(CrudBackend, Encoder):
 obj = self.schema.get_obj(_ldap.schema.ObjectClass, oc)
 if obj is not None:
 allowed_attributes += obj.must + obj.may
+# look for allowed attributes in the superior objectclasses
+if obj.sup:
+allowed_attributes += self.get_allowed_attributes(obj.sup,raise_on_unknown)
 elif raise_on_unknown:
 raise errors.NotFound(reason=_('objectclass %s not found') % oc)
 return [unicode(a).lower() for a in list(set(allowed_attributes))]
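Review bot: the recursive call `self.get_allowed_attributes(obj.sup,raise_on_unknown)` has no guard against a cyclic `sup` chain, so a schema in which two objectclasses name each other as superior would recurse until RecursionError; a visited set passed down the recursion (or an explicit depth bound) closes that, and a space after the comma would match the surrounding style. Passing `obj.sup` directly works because it is the tuple of superior names and the function iterates its first argument, and the `set()` at the return already absorbs the attributes that `top` contributes on every path.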
diff --git a/tests/test_xmlrpc/test_permission_plugin.py b/tests/test_xmlrpc/test_permission_plugin.py
index 68a3cebf97943b330926fcf9837e9815e142d086..2ce1bdf31e1bb3022059088d84acb4267f8423a3 100644
--- a/tests/test_xmlrpc/test_permission_plugin.py
+++ b/tests/test_xmlrpc/test_permission_plugin.py
@@ -657,6 +657,41 @@ class test_permission(Declarative):
 
 
 dict(
+desc='Create permission %r with attributes from superior objectclass' % permission1,
+command=(
+'permission_add', [permission1], dict(
+ type=u'hostgroup',
+ permissions=u'add,delete,write',
+ attrs=u'businessCategory,owner,description',
+)
+),
+expected=dict(
+value=permission1,
+summary=u'Added permission %s' % permission1,
+result=dict(
+dn=lambda x: DN(x) == permission1_dn,
+cn=[permission1],
+objectclass=objectclasses.permission,
+type=u'hostgroup',
+permissions=[u'add',u'delete',u'write'],
+attrs=[u'businesscategory',u'owner',u'description'],
+),
+),
+),
+
+
+dict(
+desc='Delete %r' % permission1,
+command=('permission_del', [permission1], {}),
+expected=dict(
+result=dict(failed=u''),
+value=permission1,
+summary=u'Deleted permission %s' % permission1,
+),
+),
+
+
+dict(
 desc='Create targetgroup permission %r' % permission1,
 command=(
 'permission_add', [permission1], dict(
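Review bot: the new test case only exercises the positive direction, i.e. that `businessCategory,owner,description` inherited through the hostgroup's superior objectclass are accepted and returned lower-cased. A companion case asserting that an attribute present in none of the hostgroup objectclasses or their superiors is still rejected would guard the other half of `get_allowed_attributes`, which is the part the `raise_on_unknown` path and the permission check depend on.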
-- 
1.7.6.5
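The lookup the patch above adds, written out as an added example that is not the FreeIPA `ldap2.get_allowed_attributes` code: must and may attributes are collected from each objectclass and, recursively, from its superiors, lower-cased and deduplicated. It goes one step past the patch by carrying a visited set so that a cyclic `sup` chain terminates, and it returns a sorted list for stable comparison. The `ObjectClass` and `NotFound` stand-ins and the toy `SCHEMA` (including the `exampleHostGroup` class and the deliberate `loopA`/`loopB` cycle) are constructed for this example and are not IPA's real schema.

```python
class ObjectClass:
    """Stand-in for the python-ldap schema ObjectClass the patch reads:
    must/may attribute type names and the names of superior classes (sup)."""
    def __init__(self, name, must=(), may=(), sup=()):
        self.name = name
        self.must = tuple(must)
        self.may = tuple(may)
        self.sup = tuple(sup)


class NotFound(Exception):
    """Stand-in for ipalib's errors.NotFound."""


# Constructed toy schema keyed by lower-cased name; it is NOT IPA's real
# schema. 'loopA'/'loopB' form a cyclic sup chain to exercise the guard.
SCHEMA = {}
for _oc in (
    ObjectClass('top', must=('objectClass',)),
    ObjectClass('groupOfNames', must=('cn',),
                may=('businessCategory', 'owner', 'description'), sup=('top',)),
    ObjectClass('exampleHostGroup', may=('memberHost',), sup=('groupOfNames',)),
    ObjectClass('loopA', may=('a',), sup=('loopB',)),
    ObjectClass('loopB', may=('b',), sup=('loopA',)),
):
    SCHEMA[_oc.name.lower()] = _oc


def get_allowed_attributes(objectclasses, raise_on_unknown=False, _seen=None):
    """Return the lower-cased, deduplicated must+may attributes of the given
    objectclasses and, recursively, of their superiors (what the patch adds).
    _seen stops a cyclic sup chain, which the patch as posted does not handle.
    The result is sorted so callers get stable output."""
    seen = set() if _seen is None else _seen
    allowed = []
    for oc in objectclasses:
        key = oc.lower()
        if key in seen:          # already expanded on another path, or a cycle
            continue
        seen.add(key)
        obj = SCHEMA.get(key)
        if obj is not None:
            allowed += obj.must + obj.may
            if obj.sup:
                # look for allowed attributes in the superior objectclasses
                allowed += get_allowed_attributes(obj.sup, raise_on_unknown, seen)
        elif raise_on_unknown:
            raise NotFound('objectclass %s not found' % oc)
    return sorted(set(a.lower() for a in allowed))


def disallowed_attrs(objectclasses, attrs):
    """The check a permission-add makes: which requested attrs are not allowed
    by the target's objectclasses (case-insensitive, superiors included)."""
    allowed = set(get_allowed_attributes(objectclasses, raise_on_unknown=True))
    return [a for a in attrs if a.lower() not in allowed]
```

`disallowed_attrs(['exampleHostGroup'], ['businessCategory', 'owner', 'description'])` is empty because those attributes come from `groupOfNames`, the superior, which is exactly the case the regression test in the patch covers; `['owner', 'uid']` reports `['uid']`.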


[Freeipa-devel] [PATCH] 18 Typos in FreeIPA messages

2012-03-14 Thread Ondrej Hamada

https://fedorahosted.org/freeipa/ticket/2526

Rebased patch sent by Yuri Chornoivan (yurc...@ukr.net). Fixes 'occured'
and 'commond' typos in FreeIPA messages.

The Longtitude/Longitude typo was already corrected in the patch for ticket 
#2382 https://fedorahosted.org/freeipa/ticket/2382.


--
Regards,

Ondrej Hamada
FreeIPA team
jabber: oh...@jabbim.cz
IRC: ohamada

From 8cdd8d2000167a1db924f3eb73d50555ffc32768 Mon Sep 17 00:00:00 2001
From: Ondrej Hamada oham...@redhat.com
Date: Wed, 14 Mar 2012 13:16:29 +0100
Subject: [PATCH] Typos in FreeIPA messages

Rebased patch sent by Yuri Chornoivan (yurc...@ukr.net). Fixes 'occured'
and 'commond' typos in FreeIPA messages.

https://fedorahosted.org/freeipa/ticket/2526
---
 install/ui/test/data/ipa_init.json |4 ++--
 ipalib/plugins/internal.py |2 +-
 ipalib/plugins/selinuxusermap.py   |2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/install/ui/test/data/ipa_init.json b/install/ui/test/data/ipa_init.json
index 0182aab733a5541d3149ea582bd975faf04db10a..1010cbfd68d99b81ebcf452f0a95bb8affc134cc 100644
--- a/install/ui/test/data/ipa_init.json
+++ b/install/ui/test/data/ipa_init.json
@@ -208,7 +208,7 @@
 ptr_redir_zone: Zone found: ${zone},
 ptr_redir_zone_err: Target reverse zone not found.,
 ptr_redir_zones: Fetching DNS zones.,
-ptr_redir_zones_err: An error occurd while fetching dns zones.,
+ptr_redir_zones_err: An error occurred while fetching dns zones.,
 redirection_dnszone: You will be redirected to DNS Zone.,
 standard: Standard Record Types,
 title: Records for DNS Zone,
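Review bot: while `occurd` is being fixed, the message `An error occurred while fetching dns zones.` could also capitalize `DNS` to match `DNS Zone` two lines below; the same string is duplicated in `ipalib/plugins/internal.py` (next hunk), so whatever wording is chosen should be applied to both copies.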
@@ -608,4 +608,4 @@
 }
 ]
 }
-}
\ No newline at end of file
+}
diff --git a/ipalib/plugins/internal.py b/ipalib/plugins/internal.py
index deff866eee1c073f3f786686fd2e74f9261ba6b4..bad75aeac32f2f6409ba36fe5ffe83a53f8b2b72 100644
--- a/ipalib/plugins/internal.py
+++ b/ipalib/plugins/internal.py
@@ -345,7 +345,7 @@ class i18n_messages(Command):
 ptr_redir_zone: _(Zone found: ${zone}),
 ptr_redir_zone_err: _(Target reverse zone not found.),
 ptr_redir_zones: _(Fetching DNS zones.),
-ptr_redir_zones_err: _(An error occurd while fetching dns zones.),
+ptr_redir_zones_err: _(An error occurred while fetching dns zones.),
 redirection_dnszone: _(You will be redirected to DNS Zone.),
 standard: _(Standard Record Types),
 title: _(Records for DNS Zone),
diff --git a/ipalib/plugins/selinuxusermap.py b/ipalib/plugins/selinuxusermap.py
index ee9a8133f8bd8f164cab3337714a7dec8d3aa05f..e33e1016192d62312aa5f4f0dcdbafea23327216 100644
--- a/ipalib/plugins/selinuxusermap.py
+++ b/ipalib/plugins/selinuxusermap.py
@@ -65,7 +65,7 @@ EXAMPLES:
 SEEALSO:
 
  The list controlling the order in which the SELinux user map is applied
- and the default SELinux user are available in the config-show commond.
+ and the default SELinux user are available in the config-show command.
 )
 
 notboth_err = _('HBAC rule and local members cannot both be set')
-- 
1.7.6.5


Re: [Freeipa-devel] [PATCH] 16 Netgroup nisdomain and hosts validation

2012-03-14 Thread Ondrej Hamada

On 03/09/2012 04:34 PM, Martin Kosek wrote:

On Thu, 2012-03-08 at 14:52 +0100, Ondrej Hamada wrote:

Netgroup nisdomain and hosts validation

nisdomain validation:
Added pattern to the 'nisdomain' parameter to validate the specified
nisdomain name. According to most common use cases the same pattern as
for netgroup should fit. Unit-tests added.

https://fedorahosted.org/freeipa/ticket/2447

hosts validation:
Added precallback to netgroup_add_member. It validates the specified
hostnames and raises ValidationError exception for invalid hostnames.
Unit-test added.

https://fedorahosted.org/freeipa/ticket/2448


I checked the host validation part and it could be improved. Issue
described in #2447 (you have switched the ticket IDs) affects all
objects that allow external hosts, users, ..., i.e. those who call
add_external_post_callback in their post_callback.

Should we fix all of these when we deal with this issue? Otherwise a user
could do something like this:
# ipa sudorule-add-user foo --users=a+b
   Rule name: foo
   Enabled: TRUE
   External User: a+b

We could create a similar function called add_external_pre_callback()
and pass it attribute name and validating function (which would be
common with the linked object). It would then do the validation for all
these affected objects consistently and without redundant code.

I didn't like the implemented pre_callback much anyway

+def pre_callback(self, ldap, dn, found, not_found, *keys,
**options):
+# validate entered hostnames
+if 'host' in options:
+invalid_hostnames=[]
+for hostname in options['host']:
+try:
+validate_hostname(hostname, False)
+except ValueError:
+invalid_hostnames.append(hostname)
+if invalid_hostnames:
+raise errors.ValidationError(name='host',
error='hostnames:\%s\ contain invalid characters' %
','.join(invalid_hostnames))
+return dn

I would rather raise the ValidationError with the first invalid hostname
and tell what's wrong (function validate_hostname tells it to you). If
you go with the proposed approach, you wouldn't have to deal with
formatting error messages, you would just raise the one returned by the
validator shared with the linked LDAP object (hostname, user, ...).

Martin


The external_pre_callback function seems like a good idea, but there is a 
problem with how to get the validators for various LDAP objects. For the 
hostname we already have one in ipalib.utils, but for the uid or group 
name we use only patterns specified in the parameter objects.


Below I propose a solution for how to use the already defined parameter 
objects for validation (the only problem is that I have to assume that 
it is always the first parameter in takes_params). Do you think this is 
a good approach?


def add_external_pre_callback(memberattr, membertype, externalattr,
                              ldap, dn, found, not_found, *keys, **options):
    """
    Pre callback to validate external members.
    """
    if membertype in options:
        validator = api.Object[membertype].takes_params[0]
        for value in options[membertype]:
            try:
                validator(value)
            except errors.ValidationError as e:
                error_msg = e[(e.find(':')+1):]
                raise errors.ValidationError(name=membertype,
                                             error=e[e.find(':')+1:])

    return dn

--
Regards,

Ondrej Hamada
FreeIPA team
jabber: oh...@jabbim.cz
IRC: ohamada



Re: [Freeipa-devel] More types of replica in FreeIPA

2012-03-12 Thread Ondrej Hamada

On 03/08/2012 04:54 PM, Dmitri Pal wrote:

On 03/06/2012 01:30 PM, Ondrej Hamada wrote:

On 03/06/2012 05:47 PM, Dmitri Pal wrote:

On 03/06/2012 10:59 AM, Simo Sorce wrote:

On Tue, 2012-03-06 at 10:56 -0500, Dmitri Pal wrote:

[...]

For a read-only KDC we need to investigate what's the better

solution.

There are many ways we can handle the issue, one of the simplest is
probably to allow the RO KDC to use a special LDAP Extended

operation

against a full R/W server to get the user keys to sign,

authenticating

with a special R/O KDC principal. We can also investigate how MS

does

internal forwarding and do something similar as I suspect that's
something samba4-RODC will want to implement too, so we could share

some

of the development burden there.

Simo.


I do not think it is a good idea for the remote RO KDC to go back to
the main datacenter on every authentication without some sort of
caching. This is why I think that some kind of SSSD integration might
be due. If RO KDC would just pass the authentication to SSSD in some
way and SSSD would do the caching in case the office gets offline. I
understand that authhub as is will not work as the client sends time
stamp encrypted with password and SSSD needs plain text password as
credential. I do not know if there is a way to solve this without
actually sending the password in the tunnel. IMO it is more important
to make sure that remote office can have uninterrupted operation than
to worry about the password being sent inside the encrypted tunnel. It
is something that deployment should decide and weigh risks against
convenience.

This is why MS does partial replication, ie allows the RODC to have
data
about the office users. It's complex and there are many ways to handle
it. We need to look at various options and see how they would work
against use cases we want to support.
Simo.


Then maybe Ondrej should start with formulating use cases and
requirements based on this discussion.


I see three possible use cases here, but only two should be considered
when speaking about a consumer node:

1) The office that should rely on that replica is quite a big one
(hundreds of employees), or many different users are authenticating
against its replica, or admins who need to do a lot of write operations
are located there. --  In this case I suppose the best solution is
to deploy a master replica there.


2) Office that doesn't fulfil the conditions in 1) - not a desperate
need for write operations on the ipa-server, but the priority is to allow
(some) clients to authenticate and use available services even when
the network is down. --  We need a consumer with credential caching;
authentication requests for non-cached users or write operations must
be forwarded to the master.

3) Office that doesn't fulfil the conditions in 1), but the priority
is security, so that the consumer is not allowed to store or cache any
confidential data. --  We need a consumer; authentications and write
operations must be forwarded to the master.

If we choose the second use case, both the caching and request
forwarding must be implemented. I suppose there shouldn't be a big
problem with deciding during the installation to turn the caching off by
some option like '-no-caching', so that the consumer could be used for
the third use case as well.


Can you please now create a set of usage scenarios for 2) and 3).
User logs in and he is in cache, he is not in cache, he is redirected
and data is cached, he failed and account lockout data is updated
locally or on the other server? Admin tries to perform an IPA command
or ldapmodify command - what happens?

Can those work flows be spelled out in detail for the caching and
non-caching use cases?




I'll start with the usage scenario for 3), it's shorter:
All write operations and authentication requests are forwarded to the master.

Operations when connection is OK:
--
read - local
write - forwarding to master
authentication - forwarding to master

Operations when connection is BROKEN:
-
read - local (only until ticket expires)
write - not available
authentication - not available


Usage scenario for 2):

USER'S operations when connection is OK:
---
read data - local
write data - forwarding to master
authentication:
  - credentials cached -- authenticate against credentials in local cache
      - on failure: log failure locally, update data about failures only
        on lock-down of account
  - credentials not cached -- forward request to master, on success cache
    the credentials


USER'S operations when connection is BROKEN:
--
read data - local
write data - not available
authentication:
  - credentials cached -- authenticate against credentials in local cache
      - on failure: log failure locally, on lock-down lock account locally
        and update
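The decision matrix Ondrej sketches for scenarios 2) and 3), turned into an added executable model so the cached / not-cached / offline / lockout branches can be checked against each other. This is not FreeIPA code and not the design as it was later implemented: `Master`, `Consumer`, the `caching` flag standing in for the proposed '-no-caching' install option, the lockout threshold and the use of a bare hash as the cached verifier are all assumptions of this example (a real consumer would hold Kerberos key material, not a password hash).

```python
import hashlib
from dataclasses import dataclass, field

LOCAL, CACHE, FORWARD, UNAVAILABLE = 'local', 'local-cache', 'forward-to-master', 'unavailable'


def _verifier(secret):
    """Stand-in for the key material a real consumer would cache; a bare hash
    is used only to keep this model short."""
    return hashlib.sha256(secret.encode()).hexdigest()


class Master:
    """Constructed R/W master: knows every user and records lockouts."""
    def __init__(self, users):
        self.users = {u: _verifier(s) for u, s in users.items()}
        self.locked = set()

    def authenticate(self, user, secret):
        return user not in self.locked and self.users.get(user) == _verifier(secret)

    def lock(self, user):
        self.locked.add(user)


@dataclass
class Consumer:
    caching: bool = True        # False models the proposed '-no-caching' option (scenario 3)
    online: bool = True         # link to the master up (OK) or down (BROKEN)
    lockout_threshold: int = 3  # assumed policy value
    cache: dict = field(default_factory=dict)      # user -> cached verifier
    failures: dict = field(default_factory=dict)   # user -> local failure count
    locked: set = field(default_factory=set)

    def read(self):
        return LOCAL                                  # reads are always local

    def write(self):
        return FORWARD if self.online else UNAVAILABLE

    def authenticate(self, user, secret, master):
        """Returns (outcome, route) following the matrix in the thread."""
        if user in self.locked:
            return 'denied', LOCAL
        if self.caching and user in self.cache:
            if self.cache[user] == _verifier(secret):
                self.failures.pop(user, None)
                return 'ok', CACHE
            self._record_failure(user, master)
            return 'denied', CACHE
        if not self.online:
            # not cached (or a non-caching consumer) and no master to forward to
            return 'unavailable', UNAVAILABLE
        if master.authenticate(user, secret):
            if self.caching:
                self.cache[user] = _verifier(secret)  # cache on success only
            return 'ok', FORWARD
        return 'denied', FORWARD

    def _record_failure(self, user, master):
        """Failures are logged locally; the master is told only on lock-down,
        and only when reachable, otherwise the lock stays local."""
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.lockout_threshold:
            self.locked.add(user)
            if self.online:
                master.lock(user)
```

Running the offline branch shows the trade-off the thread is about: with caching on, a user who authenticated once while the link was up keeps working after it breaks, an uncached user gets `unavailable`, and a lockout reached offline is enforced locally and is not yet known to the master; with caching off every authentication is forwarded and nothing works offline.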

[Freeipa-devel] [PATCH] 17 More exception handlers in ipa-client-install

2012-03-09 Thread Ondrej Hamada

https://fedorahosted.org/freeipa/ticket/2415
https://fedorahosted.org/freeipa/ticket/1995

Added an exception handler to the certutil operation of adding the CA to the
default NSS database. If the operation fails, the installation is aborted and
changes are rolled back. #2415

If obtaining the host TGT fails, the installation is aborted and changes are
rolled back. #1995

--
Regards,

Ondrej Hamada
FreeIPA team
jabber: oh...@jabbim.cz
IRC: ohamada

From e3e556d68f4f04df5ca948341d6b8c0384df47b6 Mon Sep 17 00:00:00 2001
From: Ondrej Hamada oham...@redhat.com
Date: Fri, 9 Mar 2012 13:04:23 +0100
Subject: [PATCH] More exception handlers in ipa-client-install

Added an exception handler to the certutil operation of adding the CA to the
default NSS database. If the operation fails, the installation is aborted and
changes are rolled back.

https://fedorahosted.org/freeipa/ticket/2415

If obtaining the host TGT fails, the installation is aborted and changes are
rolled back.

https://fedorahosted.org/freeipa/ticket/1995
---
 ipa-client/ipa-install/ipa-client-install |9 -
 1 files changed, 8 insertions(+), 1 deletions(-)

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 22c6a925672b1e5e769bf09eaf49e48988bbea41..604283ae4da3ac2e668d9475a77f7053d5bc0ab2 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -1337,7 +1337,11 @@ def install(options, env, fstore, statestore):
 print Configured /etc/sssd/sssd.conf
 
 # Add the CA to the default NSS database and trust it
-run([/usr/bin/certutil, -A, -d, /etc/pki/nssdb, -n, IPA CA, -t, CT,C,C, -a, -i, /etc/ipa/ca.crt])
+try:
+run([/usr/bin/certutil, -A, -d, /etc/pki/nssdb, -n, IPA CA, -t, CT,C,C, -a, -i, /etc/ipa/ca.crt])
+except CalledProcessError, e:
+print sys.stderr, Failed to add CA to the default NSS database.
+return CLIENT_INSTALL_ERROR
 
 # If on master assume kerberos is already configured properly.
 if not options.on_master:
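Review bot: in the new `except CalledProcessError, e:` branch the bound `e` is never used, so the message written to stderr says only `Failed to add CA to the default NSS database.`; include the detail from `e` (at least the return code) so an admin can tell a missing `/etc/pki/nssdb` from an unreadable `/etc/ipa/ca.crt`. The hunk itself only returns `CLIENT_INSTALL_ERROR`; the rollback the commit message promises must therefore happen in the caller for this return value, which is worth confirming.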
@@ -1354,6 +1358,9 @@ def install(options, env, fstore, statestore):
 api.Backend.xmlclient.connect()
 except CalledProcessError, e:
 print sys.stderr, Failed to obtain host TGT.
+# fail to obtain ticket makes it impossible to login and bind from sssd to LDAP,
+# abort installation and rollback changes
+return CLIENT_INSTALL_ERROR
 
 if not options.on_master:
 client_dns(cli_server, hostname, options.dns_updates)
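Review bot: the added comment `fail to obtain ticket makes it impossible to login and bind from sssd to LDAP` should read "Failing to obtain the ticket makes it impossible to log in and for SSSD to bind to LDAP". Also, the `try` block here contains `api.Backend.xmlclient.connect()` but only `CalledProcessError` is caught, so a failure raised by `connect()` itself would still escape and leave the installation half-done without the new abort-and-return path.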
-- 
1.7.6.5


[Freeipa-devel] [PATCH] 16 Netgroup nisdomain and hosts validation

2012-03-08 Thread Ondrej Hamada

Netgroup nisdomain and hosts validation

nisdomain validation:
Added pattern to the 'nisdomain' parameter to validate the specified
nisdomain name. According to most common use cases the same pattern as
for netgroup should fit. Unit-tests added.

https://fedorahosted.org/freeipa/ticket/2447

hosts validation:
Added precallback to netgroup_add_member. It validates the specified
hostnames and raises ValidationError exception for invalid hostnames.
Unit-test added.

https://fedorahosted.org/freeipa/ticket/2448

--
Regards,

Ondrej Hamada
FreeIPA team
jabber: oh...@jabbim.cz
IRC: ohamada

From a796dbb1eea83ecbc1442f5f062f54183b8bbdf3 Mon Sep 17 00:00:00 2001
From: Ondrej Hamada oham...@redhat.com
Date: Thu, 8 Mar 2012 14:50:14 +0100
Subject: [PATCH] Netgroup nisdomain and hosts validation

nisdomain validation:
Added pattern to the 'nisdomain' parameter to validate the specified
nisdomain name. According to most common use cases the same pattern as
for netgroup should fit. Unit-tests added.

https://fedorahosted.org/freeipa/ticket/2447

hosts validation:
Added precallback to netgroup_add_member. It validates the specified
hostnames and raises ValidationError exception for invalid hostnames.
Unit-test added.

https://fedorahosted.org/freeipa/ticket/2448
---
 API.txt   |6 ++--
 VERSION   |2 +-
 ipalib/plugins/netgroup.py|   22 
 tests/test_xmlrpc/test_netgroup_plugin.py |   39 +
 4 files changed, 65 insertions(+), 4 deletions(-)

diff --git a/API.txt b/API.txt
index f21dce7a81079a5f214ecb6a8e451eca4237af2e..d0e04ef754d86a62aa1c3be818c29c381c4bc3ea 100644
--- a/API.txt
+++ b/API.txt
@@ -1920,7 +1920,7 @@ command: netgroup_add
 args: 1,9,3
 arg: Str('cn', attribute=True, cli_name='name', multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]+$', pattern_errmsg='may only include letters, numbers, _, -, and .', primary_key=True, required=True)
 option: Str('description', attribute=True, cli_name='desc', multivalue=False, required=True)
-option: Str('nisdomainname', attribute=True, cli_name='nisdomain', multivalue=False, required=False)
+option: Str('nisdomainname', attribute=True, cli_name='nisdomain', multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]+$', pattern_errmsg='may only include letters, numbers, _, -, and .', required=False)
 option: StrEnum('usercategory', attribute=True, cli_name='usercat', multivalue=False, required=False, values=(u'all',))
 option: StrEnum('hostcategory', attribute=True, cli_name='hostcat', multivalue=False, required=False, values=(u'all',))
 option: Str('setattr*', cli_name='setattr', exclude='webui')
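Review bot: the pattern `^[a-zA-Z0-9_.][a-zA-Z0-9_.-]+$` now attached to `nisdomainname` requires at least two characters (the `+` after the first class), so a one-character NIS domain name is rejected with a `pattern_errmsg` that does not say so; if that minimum is intended, state it in the message, otherwise use `*`. The pattern also accepts a leading `.` and runs such as `..`, so consider whether a DNS-label style check is the better fit for a NIS domain name.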
@@ -1957,7 +1957,7 @@ args: 1,26,4
 arg: Str('criteria?', noextrawhitespace=False)
 option: Str('cn', attribute=True, autofill=False, cli_name='name', multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]+$', pattern_errmsg='may only include letters, numbers, _, -, and .', primary_key=True, query=True, required=False)
 option: Str('description', attribute=True, autofill=False, cli_name='desc', multivalue=False, query=True, required=False)
-option: Str('nisdomainname', attribute=True, autofill=False, cli_name='nisdomain', multivalue=False, query=True, required=False)
+option: Str('nisdomainname', attribute=True, autofill=False, cli_name='nisdomain', multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]+$', pattern_errmsg='may only include letters, numbers, _, -, and .', query=True, required=False)
 option: Str('ipauniqueid', attribute=True, autofill=False, cli_name='uuid', multivalue=False, query=True, required=False)
 option: StrEnum('usercategory', attribute=True, autofill=False, cli_name='usercat', multivalue=False, query=True, required=False, values=(u'all',))
 option: StrEnum('hostcategory', attribute=True, autofill=False, cli_name='hostcat', multivalue=False, query=True, required=False, values=(u'all',))
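Review bot: the same pattern and `pattern_errmsg` are now repeated verbatim for the `nisdomainname` option of `netgroup_add`, `netgroup_find` and `netgroup_mod` (and already for `cn`); since this file reflects the definitions in `ipalib/plugins/netgroup.py` listed in the diffstat, define the regex and message once there as module-level constants so the copies cannot drift apart.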
@@ -1989,7 +1989,7 @@ command: netgroup_mod
 args: 1,11,3
 arg: Str('cn', attribute=True, cli_name='name', multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]+$', pattern_errmsg='may only include letters, numbers, _, -, and .', primary_key=True, query=True, required=True)
 option: Str('description', attribute=True, autofill=False, cli_name='desc', multivalue=False, required=False)
-option: Str('nisdomainname', attribute=True, autofill=False, cli_name='nisdomain', multivalue=False, required=False)
+option: Str('nisdomainname', attribute=True, autofill=False, cli_name='nisdomain', multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]+$', pattern_errmsg='may only include letters, numbers, _, -, and .', required=False)
 option: StrEnum('usercategory', attribute=True, autofill=False, cli_name='usercat', multivalue=False, required=False, values=(u'all',))
 option: StrEnum('hostcategory', attribute=True, autofill=False, cli_name='hostcat', multivalue=False, required=False, values=(u'all',))
 option: Str('setattr*', cli_name='setattr', exclude

[Freeipa-devel] [PATCH] 15 Confusing default user groups

2012-03-06 Thread Ondrej Hamada

https://fedorahosted.org/freeipa/ticket/2354

A '(fallback)' string was added to the automember plugin labels 
referring to automember default groups, to point out that the users are 
already members of the default group specified in IPA config, thus the 
default group specified in automember will be an additional one - a 
fallback group.


--
Regards,

Ondrej Hamada
FreeIPA team
jabber:oh...@jabbim.cz
IRC: ohamada

From d0cb34a172b23806e6047f85d668e478ae96c4f2 Mon Sep 17 00:00:00 2001
From: Ondrej Hamada oham...@redhat.com
Date: Tue, 6 Mar 2012 12:00:34 +0100
Subject: [PATCH] Confusing default user groups

Added 'fallback' into the labels for default automember group and
hostgroup.

https://fedorahosted.org/freeipa/ticket/2354
---
 ipalib/plugins/automember.py|   33 +++---
 tests/test_xmlrpc/test_automember_plugin.py |6 ++--
 2 files changed, 22 insertions(+), 17 deletions(-)

diff --git a/ipalib/plugins/automember.py b/ipalib/plugins/automember.py
index fabc9bb35a3803475ee1647aea264e29ea8a6f20..216351a07fc317b2876e360fe0cb3cda9527623f 100644
--- a/ipalib/plugins/automember.py
+++ b/ipalib/plugins/automember.py
@@ -33,12 +33,17 @@ or exclusive regex paterns, you can automatically assign a new entries into
 a group or hostgroup based upon attribute information.
 
 A rule is directly associated with a group by name, so you cannot create
-a rule without an accompanying group or hostgroup
+a rule without an accompanying group or hostgroup.
 
 A condition is a regular expression used by 389-ds to match a new incoming
 entry with an automember rule. If it matches an inclusive rule then the
 entry is added to the appropriate group or hostgroup.
 
+A default group or hostgroup could be specified for entries that do not
+match any rule. In case of user entries this group will be a fallback group
+because all users are by default members of group specified in IPA config.
+
+
 EXAMPLES:
 
  Add the initial group or hostgroup:
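Review bot: in the new docstring paragraph, 'could be specified' should be 'can be specified' and 'members of group specified in IPA config' needs 'the group'; the two added blank lines before EXAMPLES leave a double gap where one is enough. Since this docstring is being edited, the context line above still reads 'regex paterns' and 'assign a new entries'; worth fixing in the same patch.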
@@ -80,15 +85,15 @@ EXAMPLES:
  Modify the automember rule:
 ipa automember-mod
 
- Set the default target group:
+ Set the default (fallback) target group:
 ipa automember-default-group-set --default-group=webservers --type=hostgroup
 ipa automember-default-group-set --default-group=ipausers --type=group
 
- Remove the default target group:
+ Remove the default (fallback) target group:
 ipa automember-default-group-remove --type=hostgroup
 ipa automember-default-group-remove --type=group
 
- Show the default target group:
+ Show the default (fallback) target group:
 ipa automember-default-group-show --type=hostgroup
 ipa automember-default-group-show --type=group
 
@@ -500,18 +505,18 @@ api.register(automember_show)
 
 class automember_default_group_set(LDAPUpdate):
 __doc__ = _(
-Set default group for all unmatched entries.
+Set default (fallback) group for all unmatched entries.
 )
 
 takes_options = (
 Str('automemberdefaultgroup',
 cli_name='default_group',
-label=_('Default Group'),
-doc=_('Default group for entires to land'),
+label=_('Default (fallback) Group'),
+doc=_('Default (fallback) group for entires to land'),
 flags=['no_create', 'no_update']
 ),
 ) + group_type
-msg_summary = _('Set default group for automember %(value)s')
+msg_summary = _('Set default (fallback) group for automember %(value)s')
 
 def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
 dn = DN(('cn', options['type']), api.env.container_automember)
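Review bot: the rewritten doc string for the automemberdefaultgroup option carries over the typo 'entires' ('Default (fallback) group for entires to land'); as the line is touched anyway, change it to 'entries'.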
@@ -529,11 +534,11 @@ api.register(automember_default_group_set)
 
 class automember_default_group_remove(LDAPUpdate):
 __doc__ = _(
-Remove default group for all unmatched entries.
+Remove default (fallback) group for all unmatched entries.
 )
 
 takes_options = group_type
-msg_summary = _('Removed default group for automember %(value)s')
+msg_summary = _('Removed default (fallback) group for automember %(value)s')
 
 def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
 dn = DN(('cn', options['type']), api.env.container_automember)
@@ -545,14 +550,14 @@ class automember_default_group_remove(LDAPUpdate):
 )
 
 if attr not in entry_attrs_:
-raise errors.NotFound(reason=_(u'No default group set'))
+raise errors.NotFound(reason=_(u'No default (fallback) group set'))
 else:
 entry_attrs[attr] = []
 return dn
 
 def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
 if 'automemberdefaultgroup' not in entry_attrs:
-entry_attrs['automemberdefaultgroup'] = u'No default group set'
+entry_attrs['automemberdefaultgroup'] = u'No default (fallback) group set'
 return dn
 
 def execute(self, *keys, **options):
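Review bot: the NotFound reason and the 'No default (fallback) group set' placeholder in post_callback apply '(fallback)' to both types, but the docstring added earlier in this patch explains the fallback meaning only for user entries (all users are already members of the group from IPA config); for hostgroups there is no such implicit membership. Either word these messages by type or state in the docstring that the label is used for both.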
@@ -565,7 +570,7 @@ api.register(automember_default_group_remove)
 
 class

Re: [Freeipa-devel] More types of replica in FreeIPA

2012-03-06 Thread Ondrej Hamada

On 03/06/2012 05:47 PM, Dmitri Pal wrote:

On 03/06/2012 10:59 AM, Simo Sorce wrote:

On Tue, 2012-03-06 at 10:56 -0500, Dmitri Pal wrote:

[...]

For a read-only KDC we need to investigate what's the better

solution.

There are many ways we can handle the issue, one of the simplest is
probably to allow the RO KDC to use a special LDAP Extended

operation

against a full R/W server to get the user keys to sign,

authenticating

with a special R/O KDC principal. We can also investigate how MS

does

internal forwarding and do something similar as I suspect that's
something samba4-RODC will want to implement too, so we could share

some

of the development burden there.

Simo.


I do not think it is a good idea for the remote RO KDC to go back to
the main datacenter on every authentication without some sort of
caching. This is why I think that some kind of SSSD integration might
be due. If RO KDC would just pass the authentication to SSSD in some
way and SSSD would do the caching in case the office gets offline. I
understand that authhub as is will not work as the client sends time
stamp encrypted with password and SSSD needs plain text password as
credential. I do not know if there is a way to solve this without
actually sending the password in the tunnel. IMO it is more important
to make sure that remote office can have uninterrupted operation than
to worry about the password being sent inside the encrypted tunnel. It
is something that deployment should decide and weigh risks against
convenience.

This is why MS does partial replication, ie allows the RODC to have data
about the office users. It's complex and there are many ways to handle
it. We need to look at various options and see how they would work
against use cases we want to support.
Simo.


Then may be Ondrej should start with formulating use cases and
requirements based on this discussion.

I see three possible use cases here, but only two should be considered 
when speaking about a consumer node:

1) The office that should rely on that replica is quite a big one 
(hundreds of employees), or many different users are authenticating 
against its replica, or admins who need to do a lot of write operations 
are located there. -- In this case I suppose the best solution is to 
deploy a master replica there.

2) Office that doesn't fulfil the conditions in 1) - no desperate 
need for write operations on the ipa-server, but the priority is to allow 
(some) clients to authenticate and use available services even when the 
network is down. -- We need a consumer with credentials caching; 
authentication requests for non-cached users or write operations must be 
forwarded to the master.

3) Office that doesn't fulfil the conditions in 1), but the priority is 
security, so that the consumer is not allowed to store or cache any 
confidential data. -- We need a consumer; authentications and write 
operations must be forwarded to the master.

If we choose the second use case, both the caching and request 
forwarding must be implemented. I suppose that there shouldn't be a big 
problem to decide during the installation to turn the caching off by 
some option like '-no-caching' so that the consumer could be used for 
the third use case as well.


--
Regards,

Ondrej Hamada
FreeIPA team
jabber: oh...@jabbim.cz
IRC: ohamada

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH] 14 ipa permission-add does not fail if using invalid attribute

2012-02-29 Thread Ondrej Hamada

On 02/28/2012 09:57 PM, Rob Crittenden wrote:

Ondrej Hamada wrote:

On 02/27/2012 03:22 PM, Rob Crittenden wrote:

Ondrej Hamada wrote:

When adding or modifying permission with both type and attributes
specified, check whether the attributes are allowed for specified 
type.

In case of disallowed attributes the InvalidSyntax error is raised.

New tests were also added to the unit-tests.

https://fedorahosted.org/freeipa/ticket/2293



NACK. You should use obj.object_class_config to determine if the
default list of objectclasses comes from LDAP.

I think that may be it, otherwise the patch reads ok.

I'm very glad to see unit tests!

rob

Corrected



Sorry, found a couple more things I should have found in the first 
review.


Please use the dn module to construct dn_ipaconfig. Or you can also 
get the DN on-the-fly from the config object using get_dn().


Probably just as safe to call: if obj.object_class_config: ... rather 
than hasattr. I suppose it's just a style thing.

Done.


I wonder if ObjectclassViolation is a better exception. SyntaxError 
means the data type is wrong, not that it isn't allowed.

I agree that it makes more sense and I've updated the patch that way, 
but the documentation says: permission operation fails with schema 
syntax errors - maybe we should also update the documentation.


rob





--
Regards,

Ondrej Hamada
FreeIPA team
jabber: oh...@jabbim.cz
IRC: ohamada

From 1f98c50a64cfa5f564ac77f60796d952f2d44edf Mon Sep 17 00:00:00 2001
From: Ondrej Hamada oham...@redhat.com
Date: Wed, 29 Feb 2012 11:40:31 +0100
Subject: [PATCH] Validate attributes in permission-add

When adding or modifying permission with both type and attributes
specified, check whether the attributes are allowed for specified type.
In case of disallowed attributes raises the ObjectclassViolation
exception.

New tests were also added to the unit-tests.

https://fedorahosted.org/freeipa/ticket/2293
---
 ipalib/plugins/permission.py|   55 ++
 tests/test_xmlrpc/test_permission_plugin.py |   65 +++
 2 files changed, 120 insertions(+), 0 deletions(-)

diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py
index 08781ce2ef3df30d10565a071a338edf77c52d23..c9fd5649f338b5c92b86e471fb817b9d964084d3 100644
--- a/ipalib/plugins/permission.py
+++ b/ipalib/plugins/permission.py
@@ -23,6 +23,7 @@ from ipalib import api, _, ngettext
 from ipalib import Flag, Str, StrEnum
 from ipalib.request import context
 from ipalib import errors
+from ipalib.dn import DN
 
 __doc__ = _(
 Permissions
@@ -89,6 +90,43 @@ output_params = (
 ),
 )
 
+dn_ipaconfig = str(DN('cn=ipaconfig,cn=etc,%s' % api.env.basedn))
+
+def check_attrs(attrs, type):
+# Trying to delete attributes - no need for validation
+if attrs is None:
+return True
+allowed_objcls=[]
+disallowed_objcls=[]
+obj=api.Object[type]
+
+if obj.object_class_config:
+(dn,objcls)=api.Backend.ldap2.get_entry(
+dn_ipaconfig,[obj.object_class_config]
+)
+allowed_objcls=objcls[obj.object_class_config]
+else:
+allowed_objcls=obj.object_class
+if obj.possible_objectclasses:
+allowed_objcls+=obj.possible_objectclasses
+if obj.disallow_object_classes:
+disallowed_objcls=obj.disallow_object_classes
+
+allowed_attrs=[]
+disallowed_attrs=[]
+if allowed_objcls:
+allowed_attrs=api.Backend.ldap2.get_allowed_attributes(allowed_objcls)
+if disallowed_objcls:
+disallowed_attrs=api.Backend.ldap2.get_allowed_attributes(disallowed_objcls)
+failed_attrs=[]
+for attr in attrs:
+if (attr not in allowed_attrs) or (attr in disallowed_attrs):
+failed_attrs.append(attr)
+if failed_attrs:
+raise errors.ObjectclassViolation(info='attribute(s) \%s\ not allowed' % ','.join(failed_attrs))
+return True
+
+
 class permission(LDAPObject):
 
 Permission object.
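Review bot: `allowed_objcls=obj.object_class` followed by `allowed_objcls+=obj.possible_objectclasses` extends the object's own object_class list in place (`+=` on a list is an in-place extend), so every call of check_attrs through the else branch grows api.Object[type].object_class; build a fresh list instead, e.g. `allowed_objcls = list(obj.object_class) + list(obj.possible_objectclasses)`. In the config branch, `objcls[obj.object_class_config]` raises KeyError if the ipaconfig entry does not carry that attribute, with no fallback to obj.object_class. The parameter named `type` also shadows the builtin.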
@@ -192,6 +230,8 @@ class permission_add(LDAPCreate):
 opts['permission'] = keys[-1]
 opts['aciprefix'] = ACI_PREFIX
 try:
+if 'type' in entry_attrs and 'attrs' in entry_attrs:
+check_attrs(entry_attrs['attrs'],entry_attrs['type'])
 self.api.Command.aci_add(keys[-1], **opts)
 except Exception, e:
 raise e
@@ -273,6 +313,21 @@ class permission_mod(LDAPUpdate):
 except errors.NotFound:
 self.obj.handle_not_found(*keys)
 
+# check the correctness of attributes only when the type is specified
+type=None
+attrs_to_check=[]
+current_values=self.api.Command.permission_show(attrs['cn'][0])['result']
+if 'type' in entry_attrs:
+type = entry_attrs['type']
+elif 'type' in current_values:
+type = current_values['type']
+if 'attrs' in entry_attrs
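Review bot: `type=None` (and the later assignments to it) shadow the builtin inside pre_callback; `obj_type` reads better. The extra round trip through permission_show is only needed when entry_attrs lacks 'type' or 'attrs' (they live in the ACI rather than in the entry just fetched), so guard the call on that condition instead of issuing it on every modify.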

Re: [Freeipa-devel] [PATCH] 12 When migrating warn user if compat is enabled

2012-02-29 Thread Ondrej Hamada

On 02/28/2012 10:52 PM, Rob Crittenden wrote:

Ondrej Hamada wrote:

On 02/27/2012 09:47 PM, Rob Crittenden wrote:

Ondrej Hamada wrote:

On 02/21/2012 02:32 PM, Ondrej Hamada wrote:

On 02/20/2012 06:53 PM, Rob Crittenden wrote:

Ondrej Hamada wrote:

https://fedorahosted.org/freeipa/ticket/2274

Added check into migration plugin to warn user when compat is
enabled.
If compat is enabled, the migration fails and user is warned 
that he

must turn the compat off or run the script with (the newly
introduced)
option '--compat'.

'--compat' is just a flag, by default set to false. If it is 
set, the

compat check is skipped.



Interesting approach. I think this is probably good, preventing
migration when the compat plugin is enabled unless you specifically
decide to.

I think the option may need another name, maybe --with-compat or
something.

I think in the message we should use enabled instead of on. That
is the language of ipa-compat-manage.

The migration help should have a discussion of why this is a problem
too, and what compat really is (provides a different view of the 
data

to be compatible with non RFC2307bis systems).

rob

corrected

Ondra




I forgot to update the commit message about the change of flag name.
Corrected patch attached.



This works ok it just seems to be making an assumption on the client
when to print this. I think a similar value like enabled needs to be
created to explicitly say why we are returning.

rob

sorry for that, value created

Ondra



I think you need to define better what compat means in the output, it 
could be very confusing. You can return a value for it without testing 
whether it is actually a problem or not.


I think what compat is supposed to mean is Am I failing because of 
compat and not an indication of whether compat is enabled or not.


Some documentation at a minimum should be added.

It otherwise seems to work ok.

rob
You could return a value for compat here without
I've updated the description of 'compat' value in output and also 
changed the condition when this value is set to False. Now it is set to 
False only when the migration fails because of compatibility plugin.


--
Regards,

Ondrej Hamada
FreeIPA team
jabber: oh...@jabbim.cz
IRC: ohamada

From f88df9859c1ea7a04a63b3c9d18d561c8aeee75d Mon Sep 17 00:00:00 2001
From: Ondrej Hamada oham...@redhat.com
Date: Wed, 29 Feb 2012 15:21:24 +0100
Subject: [PATCH] Migration warning when compat enabled

Added check into migration plugin to warn user when compat is enabled.
If compat is enabled, the migration fails and user is warned that he
must turn the compat off or run the script with (the newly introduced)
option '--with-compat'.

'--with-compat' is new flag. If it is set, the compat status is ignored.

https://fedorahosted.org/freeipa/ticket/2274
---
 API.txt |4 +++-
 VERSION |2 +-
 ipalib/plugins/migration.py |   34 --
 3 files changed, 36 insertions(+), 4 deletions(-)

diff --git a/API.txt b/API.txt
index 548fc93d48128aab5cebd60dda7fd304b569785b..a44e391e2ab79cb566455def3299ed25714e 100644
--- a/API.txt
+++ b/API.txt
@@ -1893,7 +1893,7 @@ output: Output('summary', (type 'unicode', type 'NoneType'), None)
 output: Entry('result', type 'dict', Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
 output: Output('value', type 'unicode', None)
 command: migrate_ds
-args: 2,14,3
+args: 2,15,4
 arg: Str('ldapuri', cli_name='ldap_uri')
 arg: Password('bindpw', cli_name='password', confirm=False)
 option: Str('binddn?', autofill=True, cli_name='bind_dn', default=u'cn=directory manager')
@@ -1908,11 +1908,13 @@ option: Str('groupignoreattribute*', autofill=True, cli_name='group_ignore_attri
 option: Flag('groupoverwritegid', autofill=True, cli_name='group_overwrite_gid', default=False)
 option: StrEnum('schema?', autofill=True, cli_name='schema', default=u'RFC2307bis', values=(u'RFC2307bis', u'RFC2307'))
 option: Flag('continue?', autofill=True, default=False)
+option: Flag('compat?', autofill=True, cli_name='with_compat', default=False)
 option: Str('exclude_groups*', autofill=True, cli_name='exclude_groups', csv=True, default=())
 option: Str('exclude_users*', autofill=True, cli_name='exclude_users', csv=True, default=())
 output: Output('result', type 'dict', None)
 output: Output('failed', type 'dict', None)
 output: Output('enabled', type 'bool', None)
+output: Output('compat', type 'bool', None)
 command: netgroup_add
 args: 1,9,3
 arg: Str('cn', attribute=True, cli_name='name', multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]+$', pattern_errmsg='may only include letters, numbers, _, -, and .', primary_key=True, required=True)
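Review bot: the new Output('compat', type 'bool', None) is named as if it reported whether the compat plugin is enabled, but per the discussion it is meant to say 'the migration was refused because of the compat plugin'; its third argument, the doc, is None here, so at minimum give it a doc string (or a name such as compat_failure, hypothetical) so clients do not misread it. The option is 'compat?' in the API but --with-compat on the CLI; the help text should mention both names.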
diff --git a/VERSION b/VERSION
index 523bde4a8ecdcac4c3a451c0e09ef75b156d7831

[Freeipa-devel] More types of replica in FreeIPA

2012-02-29 Thread Ondrej Hamada

Hi everyone,
I'm currently working on my thesis. Its objective is $SUBJ and we 
already have a ticket for that: #194 
https://fedorahosted.org/freeipa/ticket/194. The task is to create two 
more replica types - the HUB and Consumer. In 389-DS both the HUB and 
Consumer are read-only. Additionally the HUB can push the data to the 
Consumers.

In case of FreeIPA the server is not only providing data, but also 
services like CA, NTP, DNS, Kerberos. Therefore I'm kindly asking you 
for advice and opinions on that:

1. What should be the position of HUB?
I mean should it be used as an interconnection between Masters and 
Consumers only, so that it will be 'hidden' in the topology and only 
forwards the updates, or should the HUB be also used as a regular 
Consumer which has the additional ability to push the updates further to 
Consumers/HUBs?

2. Which services should be available on HUB and Consumer?
I think the priority of these replicas would be to answer data 
requests by ipa whatever-(find|show) commands or to provide some LDAP 
data for email addressing etc. Also it shouldn't cause much trouble to 
run NTP on a Consumer, but what about Kerberos or CA? Is it a good 
solution to let users authenticate against these replicas? Is it correct 
to leave classified data like passwords on these replicas?

Thanks in advance for your reactions

Ondra

--
Regards,

Ondrej Hamada
FreeIPA team
jabber:oh...@jabbim.cz
IRC: ohamada


Re: [Freeipa-devel] [PATCH] 12 When migrating warn user if compat is enabled

2012-02-28 Thread Ondrej Hamada

On 02/27/2012 09:47 PM, Rob Crittenden wrote:

Ondrej Hamada wrote:

On 02/21/2012 02:32 PM, Ondrej Hamada wrote:

On 02/20/2012 06:53 PM, Rob Crittenden wrote:

Ondrej Hamada wrote:

https://fedorahosted.org/freeipa/ticket/2274

Added check into migration plugin to warn user when compat is 
enabled.

If compat is enabled, the migration fails and user is warned that he
must turn the compat off or run the script with (the newly 
introduced)

option '--compat'.

'--compat' is just a flag, by default set to false. If it is set, the
compat check is skipped.



Interesting approach. I think this is probably good, preventing
migration when the compat plugin is enabled unless you specifically
decide to.

I think the option may need another name, maybe --with-compat or
something.

I think in the message we should use enabled instead of on. That
is the language of ipa-compat-manage.

The migration help should have a discussion of why this is a problem
too, and what compat really is (provides a different view of the data
to be compatible with non RFC2307bis systems).

rob

corrected

Ondra




I forgot to update the commit message about the change of flag name.
Corrected patch attached.



This works ok it just seems to be making an assumption on the client 
when to print this. I think a similar value like enabled needs to be 
created to explicitly say why we are returning.


rob

sorry for that, value created

Ondra

--
Regards,

Ondrej Hamada
FreeIPA team
jabber: oh...@jabbim.cz
IRC: ohamada

From 06688d4f9f1950d0e83f85240acf0ff09df73175 Mon Sep 17 00:00:00 2001
From: Ondrej Hamada oham...@redhat.com
Date: Tue, 28 Feb 2012 13:41:36 +0100
Subject: [PATCH] Migration warning when compat enabled

Added check into migration plugin to warn user when compat is enabled.
If compat is enabled, the migration fails and user is warned that he
must turn the compat off or run the script with (the newly introduced)
option '--with-compat'.

'--with-compat' is new flag. If it is set, the compat status is ignored.

https://fedorahosted.org/freeipa/ticket/2274
---
 API.txt |4 +++-
 VERSION |2 +-
 ipalib/plugins/migration.py |   34 --
 3 files changed, 36 insertions(+), 4 deletions(-)

diff --git a/API.txt b/API.txt
index 548fc93d48128aab5cebd60dda7fd304b569785b..a44e391e2ab79cb566455def3299ed25714e 100644
--- a/API.txt
+++ b/API.txt
@@ -1893,7 +1893,7 @@ output: Output('summary', (type 'unicode', type 'NoneType'), None)
 output: Entry('result', type 'dict', Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
 output: Output('value', type 'unicode', None)
 command: migrate_ds
-args: 2,14,3
+args: 2,15,4
 arg: Str('ldapuri', cli_name='ldap_uri')
 arg: Password('bindpw', cli_name='password', confirm=False)
 option: Str('binddn?', autofill=True, cli_name='bind_dn', default=u'cn=directory manager')
@@ -1908,11 +1908,13 @@ option: Str('groupignoreattribute*', autofill=True, cli_name='group_ignore_attri
 option: Flag('groupoverwritegid', autofill=True, cli_name='group_overwrite_gid', default=False)
 option: StrEnum('schema?', autofill=True, cli_name='schema', default=u'RFC2307bis', values=(u'RFC2307bis', u'RFC2307'))
 option: Flag('continue?', autofill=True, default=False)
+option: Flag('compat?', autofill=True, cli_name='with_compat', default=False)
 option: Str('exclude_groups*', autofill=True, cli_name='exclude_groups', csv=True, default=())
 option: Str('exclude_users*', autofill=True, cli_name='exclude_users', csv=True, default=())
 output: Output('result', type 'dict', None)
 output: Output('failed', type 'dict', None)
 output: Output('enabled', type 'bool', None)
+output: Output('compat', type 'bool', None)
 command: netgroup_add
 args: 1,9,3
 arg: Str('cn', attribute=True, cli_name='name', multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]+$', pattern_errmsg='may only include letters, numbers, _, -, and .', primary_key=True, required=True)
diff --git a/VERSION b/VERSION
index 523bde4a8ecdcac4c3a451c0e09ef75b156d7831..381e3088c0bcb0e64304a2ed1ad12bfe6be95c51 100644
--- a/VERSION
+++ b/VERSION
@@ -79,4 +79,4 @@ IPA_DATA_VERSION=2010061412
 #  #
 
 IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=27
+IPA_API_VERSION_MINOR=28
diff --git a/ipalib/plugins/migration.py b/ipalib/plugins/migration.py
index 688265fd3ea7f62bb22bf78abbc7f26e64f7470b..ab4e523e5b505577f83be4f95724bd9a9a50f8b6 100644
--- a/ipalib/plugins/migration.py
+++ b/ipalib/plugins/migration.py
@@ -52,6 +52,11 @@ Two LDAP schemas define how group members are stored: RFC2307 and
 RFC2307bis. RFC2307bis uses member and uniquemember to specify group
 members, RFC2307 uses memberUid. The default

Re: [Freeipa-devel] [PATCH] 14 ipa permission-add does not fail if using invalid attribute

2012-02-27 Thread Ondrej Hamada

On 02/27/2012 03:22 PM, Rob Crittenden wrote:

Ondrej Hamada wrote:

When adding or modifying permission with both type and attributes
specified, check whether the attributes are allowed for specified type.
In case of disallowed attributes the InvalidSyntax error is raised.

New tests were also added to the unit-tests.

https://fedorahosted.org/freeipa/ticket/2293



NACK. You should use obj.object_class_config to determine if the 
default list of objectclasses comes from LDAP.


I think that may be it, otherwise the patch reads ok.

I'm very glad to see unit tests!

rob

Corrected

--
Regards,

Ondrej Hamada
FreeIPA team
jabber: oh...@jabbim.cz
IRC: ohamada

From f17224cf0d95cc1aefbbf78ebc79d43252100301 Mon Sep 17 00:00:00 2001
From: Ondrej Hamada oham...@redhat.com
Date: Mon, 27 Feb 2012 17:52:51 +0100
Subject: [PATCH] Validate attributes in permission-add

When adding or modifying permission with both type and attributes
specified, check whether the attributes are allowed for specified type.
In case of disallowed attributes raise the InvalidSyntax exception.

New tests were also added to the unit-tests.

https://fedorahosted.org/freeipa/ticket/2293
---
 ipalib/plugins/permission.py|   54 ++
 tests/test_xmlrpc/test_permission_plugin.py |   65 +++
 2 files changed, 119 insertions(+), 0 deletions(-)

diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py
index 08781ce2ef3df30d10565a071a338edf77c52d23..9a32cc3d5b382a078a13b998ff9401b260302f89 100644
--- a/ipalib/plugins/permission.py
+++ b/ipalib/plugins/permission.py
@@ -89,6 +89,43 @@ output_params = (
 ),
 )
 
+dn_ipaconfig='cn=ipaconfig,cn=etc,'+api.env.basedn
+
+def check_attrs(attrs, type):
+# Trying to delete attributes - no need for validation
+if attrs is None:
+return True
+allowed_objcls=[]
+disallowed_objcls=[]
+obj=api.Object[type]
+
+if hasattr(obj,'object_class_config'):
+(dn,objcls)=api.Backend.ldap2.get_entry(
+dn_ipaconfig,[obj.object_class_config]
+)
+allowed_objcls=objcls[obj.object_class_config]
+else:
+allowed_objcls=obj.object_class
+if hasattr(obj,'possible_objectclasses'):
+allowed_objcls+=obj.possible_objectclasses
+if hasattr(obj,'disallow_object_classes'):
+disallowed_objcls=obj.disallow_object_classes
+
+allowed_attrs=[]
+disallowed_attrs=[]
+if allowed_objcls:
+allowed_attrs=api.Backend.ldap2.get_allowed_attributes(allowed_objcls)
+if disallowed_objcls:
+disallowed_attrs=api.Backend.ldap2.get_allowed_attributes(disallowed_objcls)
+failed_attrs=[]
+for attr in attrs:
+if (attr not in allowed_attrs) or (attr in disallowed_attrs):
+failed_attrs.append(attr)
+if failed_attrs:
+raise errors.InvalidSyntax(attr=','.join(failed_attrs))
+return True
+
+
 class permission(LDAPObject):
 
 Permission object.
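Review bot: `hasattr(obj,'object_class_config')` only tells whether the attribute exists, not whether it is set; an object that inherits a None or empty default satisfies it, and get_entry would then be asked for `[None]`. Testing the value (`if obj.object_class_config:`) covers both cases, and the same applies to the hasattr checks on possible_objectclasses and disallow_object_classes, which can simply be truth-tested since empty sequences are already skipped by the later `if allowed_objcls:` / `if disallowed_objcls:`.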
@@ -192,6 +229,8 @@ class permission_add(LDAPCreate):
 opts['permission'] = keys[-1]
 opts['aciprefix'] = ACI_PREFIX
 try:
+if 'type' in entry_attrs and 'attrs' in entry_attrs:
+check_attrs(entry_attrs['attrs'],entry_attrs['type'])
 self.api.Command.aci_add(keys[-1], **opts)
 except Exception, e:
 raise e
@@ -273,6 +312,21 @@ class permission_mod(LDAPUpdate):
 except errors.NotFound:
 self.obj.handle_not_found(*keys)
 
+# check the correctness of attributes only when the type is specified
+type=None
+attrs_to_check=[]
+current_values=self.api.Command.permission_show(attrs['cn'][0])['result']
+if 'type' in entry_attrs:
+type = entry_attrs['type']
+elif 'type' in current_values:
+type = current_values['type']
+if 'attrs' in entry_attrs:
+attrs_to_check = entry_attrs['attrs']
+elif 'attrs' in current_values:
+attrs_to_check = current_values['attrs']
+if attrs_to_check and type is not None:
+check_attrs(attrs_to_check,type)
+
 # when renaming permission, check if the target permission does not
 # exists already. Then, make changes to underlying ACI
 if 'rename' in options:
diff --git a/tests/test_xmlrpc/test_permission_plugin.py b/tests/test_xmlrpc/test_permission_plugin.py
index e8e6bebcd387307f30e4a7bc4d266092b7e41424..15e12e5c5868d7fbc21ce3f5797089150bf6c5e6 100644
--- a/tests/test_xmlrpc/test_permission_plugin.py
+++ b/tests/test_xmlrpc/test_permission_plugin.py
@@ -124,6 +124,71 @@ class test_permission(Declarative):
 
 
 dict(
+desc='Try to create %r with invalid attribute \'ipaclientversion\'' % permission2,
+command=(
+'permission_add', [permission2], dict(
+ type=u'user

Re: [Freeipa-devel] [PATCH] 13 ipa-client-install not calling authconfig

2012-02-25 Thread Ondrej Hamada

On 02/25/2012 08:30 PM, Alexander Bokovoy wrote:

On Thu, 23 Feb 2012, Ondrej Hamada wrote:


Option '--noac' was added. If set, the ipa-client-install will not call
authconfig for setting nsswitch.conf and PAM configuration. In
fact no configuration of nsswitch.conf or PAM would be done at
all.

https://fedorahosted.org/freeipa/ticket/2369

NACK.

According to the original request, authconfig will do
nsswitch/PAM configuration *after* ipa-client-install run so the
following check in ipa-client-install will fail with --noac:


+#Check that nss is working properly
+if not options.on_master:
+n = 0
+found = False
+# Loop for up to 10 seconds to see if nss is working properly.
+# It can sometimes take a few seconds to connect to the remote 
provider.
+# Particulary, SSSD might take longer than 6-8 seconds.
+while n  10 and not found:
+try:
+ipautil.run([getent, passwd, admin])
+found = True
+except Exception, e:
+time.sleep(1)
+n = n + 1
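Review bot: the retry loop around `ipautil.run([getent, passwd, admin])` catches every Exception and only sleeps, so a missing getent binary or a bad argument is retried ten times and then treated the same as 'nss not ready'; nothing in the visible lines acts on `found` still being False when the loop ends. Catch the specific failure ipautil.run raises on a non-zero exit and log a warning when the ten attempts are exhausted, so a --noac run that skips this block and a run where nss really is broken can be told apart in the client log.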


This check never happens with --noac. I've rechecked the indentation (I 
admit it's badly visible in the patch file) and it's ok.


--
Regards,

Ondrej Hamada
FreeIPA team
jabber: oh...@jabbim.cz
IRC: ohamada



[Freeipa-devel] [PATCH] 14 ipa permission-add does not fail if using invalid attribute

2012-02-25 Thread Ondrej Hamada

When adding or modifying permission with both type and attributes
specified, check whether the attributes are allowed for specified type.
In case of disallowed attributes the InvalidSyntax error is raised.

New tests were also added to the unit-tests.

https://fedorahosted.org/freeipa/ticket/2293

--
Regards,

Ondrej Hamada
FreeIPA team
jabber: oh...@jabbim.cz
IRC: ohamada

From 80326444a08076f6e8a1f62296ea33413b526a9b Mon Sep 17 00:00:00 2001
From: Ondrej Hamada oham...@redhat.com
Date: Sun, 26 Feb 2012 03:38:08 +0100
Subject: [PATCH] Validate attributes in permission-add

When adding or modifying permission with both type and attributes
specified, check whether the attributes are allowed for specified type.
In case of disallowed attributes raise the InvalidSyntax exception.

New tests were also added to the unit-tests.

https://fedorahosted.org/freeipa/ticket/2293
---
 ipalib/plugins/permission.py|   54 ++
 tests/test_xmlrpc/test_permission_plugin.py |   65 +++
 2 files changed, 119 insertions(+), 0 deletions(-)

diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py
index 08781ce2ef3df30d10565a071a338edf77c52d23..ca10424532f65a13a62c88fa861945b63eade959 100644
--- a/ipalib/plugins/permission.py
+++ b/ipalib/plugins/permission.py
@@ -89,6 +89,43 @@ output_params = (
 ),
 )
 
+dn_ipaconfig='cn=ipaconfig,cn=etc,'+api.env.basedn
+
+def check_attrs(attrs, type):
+# Trying to delete attributes - no need for validation
+if attrs is None:
+return True
+allowed_objcls=[]
+disallowed_objcls=[]
+obj=api.Object[type]
+
+if type in ['user','group']:
+(dn,objcls)=api.Backend.ldap2.get_entry(
+dn_ipaconfig,[obj.object_class_config]
+)
+allowed_objcls=objcls[obj.object_class_config]
+else:
+allowed_objcls=obj.object_class
+if hasattr(obj,'possible_objectclasses'):
+allowed_objcls+=obj.possible_objectclasses
+if hasattr(obj,'disallow_object_classes'):
+disallowed_objcls=obj.disallow_object_classes
+
+allowed_attrs=[]
+disallowed_attrs=[]
+if allowed_objcls:
+allowed_attrs=api.Backend.ldap2.get_allowed_attributes(allowed_objcls)
+if disallowed_objcls:
+disallowed_attrs=api.Backend.ldap2.get_allowed_attributes(disallowed_objcls)
+failed_attrs=[]
+for attr in attrs:
+if (attr not in allowed_attrs) or (attr in disallowed_attrs):
+failed_attrs.append(attr)
+if failed_attrs:
+raise errors.InvalidSyntax(attr=','.join(failed_attrs))
+return True
+
+
 class permission(LDAPObject):
 
 Permission object.
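Review bot: `if type in ['user','group']:` hardcodes which objects keep their object class list in ipaconfig; that fact is already expressed by the object's object_class_config attribute, so use it and the list does not go stale when another plugin gains a config-driven list. `dn_ipaconfig='cn=ipaconfig,cn=etc,'+api.env.basedn` builds the DN by string concatenation; use the DN class so escaping and comparison behave consistently with the rest of the plugin.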
@@ -192,6 +229,8 @@ class permission_add(LDAPCreate):
 opts['permission'] = keys[-1]
 opts['aciprefix'] = ACI_PREFIX
 try:
+if 'type' in entry_attrs and 'attrs' in entry_attrs:
+check_attrs(entry_attrs['attrs'],entry_attrs['type'])
 self.api.Command.aci_add(keys[-1], **opts)
 except Exception, e:
 raise e
@@ -273,6 +312,21 @@ class permission_mod(LDAPUpdate):
 except errors.NotFound:
 self.obj.handle_not_found(*keys)
 
+# check the correctness of attributes only when the type is specified
+type=None
+attrs_to_check=[]
+current_values=self.api.Command.permission_show(attrs['cn'][0])['result']
+if 'type' in entry_attrs:
+type = entry_attrs['type']
+elif 'type' in current_values:
+type = current_values['type']
+if 'attrs' in entry_attrs:
+attrs_to_check = entry_attrs['attrs']
+elif 'attrs' in current_values:
+attrs_to_check = current_values['attrs']
+if attrs_to_check and type is not None:
+check_attrs(attrs_to_check,type)
+
 # when renaming permission, check if the target permission does not
 # exists already. Then, make changes to underlying ACI
 if 'rename' in options:
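
Review bot: `self.api.Command.permission_show(attrs['cn'][0])` can take `keys[-1]`, the permission name the caller passed and the value the rename check right below already works with, instead of indexing into the fetched entry. A one-line comment saying why permission_show is used rather than the entry in `attrs` (the `type` and `attrs` values live in the ACI that permission_add hands to aci_add, not on the permission entry) would stop a later reader from turning this into a plain attribute read. Minor: `type=None` shadows the builtin.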
diff --git a/tests/test_xmlrpc/test_permission_plugin.py b/tests/test_xmlrpc/test_permission_plugin.py
index e8e6bebcd387307f30e4a7bc4d266092b7e41424..15e12e5c5868d7fbc21ce3f5797089150bf6c5e6 100644
--- a/tests/test_xmlrpc/test_permission_plugin.py
+++ b/tests/test_xmlrpc/test_permission_plugin.py
@@ -124,6 +124,71 @@ class test_permission(Declarative):
 
 
 dict(
+desc='Try to create %r with invalid attribute \'ipaclientversion\'' % permission2,
+command=(
+'permission_add', [permission2], dict(
+ type=u'user',
+ permissions=u'write',
+ attrs=u'ipaclientversion',
+),
+),
+expected=errors.InvalidSyntax(attr=u'ipaclientversion'),
+),
+
+
+dict(
+desc='Add allowed attribute \'cn\' to %r' % permission1,
+command=(
+'permission_mod
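
Review bot: the permission_add negative case uses a single attribute, so the comma-joined `attr` value of the InvalidSyntax error is never asserted with more than one rejected name; add a case with two disallowed attributes. The hunk is cut off after the permission_mod case begins; make sure the mod tests cover both branches of the new pre_callback logic, a changed `type` checked against the stored `attrs` and changed `attrs` checked against the stored `type`.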

Re: [Freeipa-devel] [PATCH] 930 add conflicts on mod_ssl

2012-02-23 Thread Ondrej Hamada

On 01/20/2012 05:10 PM, Rob Crittenden wrote:
We again need to prevent mod_ssl from being installed since we proxy 
for dogtag now. mod_proxy provides a single API for doing SSL proxying 
and if mod_ssl is merely loaded in Apache it grabs the interface for 
doing this from mod_nss.


rob


___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

ACK, but needs rebase - there's a problem in the changelog part

--
Regards,

Ondrej Hamada
FreeIPA team
jabber: oh...@jabbim.cz
IRC: ohamada


[Freeipa-devel] [PATCH] 13 ipa-client-install not calling authconfig

2012-02-23 Thread Ondrej Hamada

Option '--noac' was added. If set, the ipa-client-install will not call
authconfig for setting nsswitch.conf and PAM configuration. In
fact no configuration of nsswitch.conf or PAM would be done at
all.

https://fedorahosted.org/freeipa/ticket/2369

--
Regards,

Ondrej Hamada
FreeIPA team
jabber: oh...@jabbim.cz
IRC: ohamada

From 10bf87ef215642d5899da50f7b74f11b791e6a23 Mon Sep 17 00:00:00 2001
From: Ondrej Hamada oham...@redhat.com
Date: Thu, 23 Feb 2012 17:24:46 +0100
Subject: [PATCH] ipa-client-install not calling authconfig

Option '--noac' was added. If set, the ipa-client-install will not call
authconfig for setting nsswitch.conf and PAM configuration.

https://fedorahosted.org/freeipa/ticket/2369
---
 ipa-client/ipa-install/ipa-client-install |  126 +++--
 1 files changed, 65 insertions(+), 61 deletions(-)

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index f5c1efe0686020ce7cad79edfe19908ee3a55a30..36493e0b42de8230e6e8604f292284364885affd 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -90,6 +90,8 @@ def parse_options():
   help=do not configure OpenSSH server)
 basic_group.add_option(--no-dns-sshfp, dest=create_sshfp, default=True, action=store_false,
   help=do not automatically create DNS SSHFP records)
+basic_group.add_option(--noac, dest=no_ac, default=False, action=store_true,
+  help=do not use Authconfig to modify the nsswitch.conf and PAM configuration)
 basic_group.add_option(-f, --force, dest=force, action=store_true,
   default=False, help=force setting of LDAP/Kerberos conf)
 basic_group.add_option(-d, --debug, dest=debug, action=store_true,
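
Review bot: the option name `--noac` does not say what it skips; `--no-authconfig` (dest `no_authconfig`) would read like the neighbouring `--no-dns-sshfp` and match its own help text, which also capitalises "Authconfig" although the tool is `authconfig`. The diffstat lists only ipa-client-install, so the ipa-client-install.1 man page still needs the new option documented.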
@@ -1368,75 +1370,77 @@ def install(options, env, fstore, statestore):
 root_logger.info(%s daemon is not installed, skip configuration % (nscd.service_name))
 
 retcode, conf, filename = (0, None, None)
-# Modify nsswitch/pam stack
-auth_config = ipaservices.authconfig()
-if options.sssd:
-statestore.backup_state('authconfig', 'sssd', True)
-statestore.backup_state('authconfig', 'sssdauth', True)
-auth_config.enable(sssd).\
-enable(sssdauth)
-message = SSSD enabled
-conf = 'SSSD'
-else:
-statestore.backup_state('authconfig', 'ldap', True)
-auth_config.enable(ldap).\
-enable(forcelegacy)
-message = LDAP enabled
 
-if options.mkhomedir:
-statestore.backup_state('authconfig', 'mkhomedir', True)
-auth_config.enable(mkhomedir)
+if not options.no_ac:
+# Modify nsswitch/pam stack
+auth_config = ipaservices.authconfig()
+if options.sssd:
+statestore.backup_state('authconfig', 'sssd', True)
+statestore.backup_state('authconfig', 'sssdauth', True)
+auth_config.enable(sssd).\
+enable(sssdauth)
+message = SSSD enabled
+conf = 'SSSD'
+else:
+statestore.backup_state('authconfig', 'ldap', True)
+auth_config.enable(ldap).\
+enable(forcelegacy)
+message = LDAP enabled
 
-auth_config.add_option(update)
-auth_config.execute()
-print message
+if options.mkhomedir:
+statestore.backup_state('authconfig', 'mkhomedir', True)
+auth_config.enable(mkhomedir)
 
-if not options.sssd:
-#Modify pam to add pam_krb5 only when sssd is not in use
-auth_config.reset()
-statestore.backup_state('authconfig', 'krb5', True)
-auth_config.enable(krb5).\
-add_option(update).\
-add_option(nostart)
+auth_config.add_option(update)
 auth_config.execute()
-print Kerberos 5 enabled
+print message
 
-# Update non-SSSD LDAP configuration after authconfig calls as it would
-# change its configuration otherways
-if not options.sssd:
-for configurer in [configure_ldap_conf, configure_nslcd_conf]:
-(retcode, conf, filename) = configurer(fstore, cli_basedn, cli_realm, cli_domain, cli_server, dnsok, options, nosssd_files[configurer.__name__])
-if retcode:
-return CLIENT_INSTALL_ERROR
-if conf:
-print %s configured using configuration file(s) %s % (conf, filename)
+if not options.sssd:
+#Modify pam to add pam_krb5 only when sssd is not in use
+auth_config.reset()
+statestore.backup_state('authconfig', 'krb5', True)
+auth_config.enable(krb5).\
+add_option(update).\
+add_option(nostart)
+auth_config.execute()
+print Kerberos 5 enabled
 
-#Check that nss is working properly
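
Review bot: the `if not options.sssd:` loop over `configure_ldap_conf` and `configure_nslcd_conf` is deleted in this hunk and the hunk is cut off before the point where it is re-added; the option is described as skipping only the nsswitch/PAM changes made by authconfig, so ldap.conf and nslcd.conf should still be written with --noac, i.e. the loop belongs outside the `if not options.no_ac:` block, not inside it. With --noac nothing tells the user that nsswitch.conf and PAM were left untouched; a root_logger.info line in an `else:` branch would make the skipped step visible in the install log.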

Re: [Freeipa-devel] [PATCH] 12 When migrating warn user if compat is enabled

2012-02-22 Thread Ondrej Hamada

On 02/21/2012 02:32 PM, Ondrej Hamada wrote:

On 02/20/2012 06:53 PM, Rob Crittenden wrote:

Ondrej Hamada wrote:

https://fedorahosted.org/freeipa/ticket/2274

Added check into migration plugin to warn user when compat is enabled.
If compat is enabled, the migration fails and user is warned that he
must turn the compat off or run the script with (the newly introduced)
option '--compat'.

'--compat' is just a flag, by default set to false. If it is set, the
compat check is skipped.



Interesting approach. I think this is probably good, preventing 
migration when the compat plugin is enabled unless you specifically 
decide to.


I think the option may need another name, maybe --with-compat or 
something.


I think in the message we should use "enabled" instead of "on". That 
is the language of ipa-compat-manage.


The migration help should have a discussion of why this is a problem 
too, and what compat really is (provides a different view of the data 
to be compatible with non RFC2703bis systems).


rob

corrected

Ondra



I forgot to update the commit message about the change of the flag name. 
Corrected patch attached.


--
Regards,

Ondrej Hamada
FreeIPA team
jabber: oh...@jabbim.cz
IRC: ohamada

From 8b068e25208d2724c714c95f666f24e699061f1d Mon Sep 17 00:00:00 2001
From: Ondrej Hamada oham...@redhat.com
Date: Wed, 22 Feb 2012 12:11:55 +0100
Subject: [PATCH] Migration warning when compat enabled

Added check into migration plugin to warn user when compat is enabled.
If compat is enabled, the migration fails and user is warned that he
must turn the compat off or run the script with (the newly introduced)
option '--with-compat'.

'--with-compat' is new flag. If it is set, the compat status is ignored.

https://fedorahosted.org/freeipa/ticket/2274
---
 API.txt |3 ++-
 VERSION |2 +-
 ipalib/plugins/migration.py |   26 ++
 3 files changed, 29 insertions(+), 2 deletions(-)

diff --git a/API.txt b/API.txt
index 66713317c9b11057f12676c2afc7bc36d0ca3969..9eec33d4597cb96af870088eb827e39973d66fb6 100644
--- a/API.txt
+++ b/API.txt
@@ -1925,7 +1925,7 @@ output: Output('summary', (type 'unicode', type 'NoneType'), None)
 output: Entry('result', type 'dict', Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
 output: Output('value', type 'unicode', None)
 command: migrate_ds
-args: 2,14,3
+args: 2,15,3
 arg: Str('ldapuri', cli_name='ldap_uri')
 arg: Password('bindpw', cli_name='password', confirm=False)
 option: Str('binddn?', autofill=True, cli_name='bind_dn', default=u'cn=directory manager')
@@ -1940,6 +1940,7 @@ option: Str('groupignoreattribute*', autofill=True, cli_name='group_ignore_attri
 option: Flag('groupoverwritegid', autofill=True, cli_name='group_overwrite_gid', default=False)
 option: StrEnum('schema?', autofill=True, cli_name='schema', default=u'RFC2307bis', values=(u'RFC2307bis', u'RFC2307'))
 option: Flag('continue?', autofill=True, default=False)
+option: Flag('compat?', autofill=True, cli_name='with_compat', default=False)
 option: Str('exclude_groups*', autofill=True, cli_name='exclude_groups', csv=True, default=())
 option: Str('exclude_users*', autofill=True, cli_name='exclude_users', csv=True, default=())
 output: Output('result', type 'dict', None)
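
Review bot: `Flag('compat?', cli_name='with_compat')` leaves the XML-RPC parameter named `compat` while the CLI option is `--with-compat`; naming the parameter `with_compat` as well keeps the API and the CLI consistent, so a reader of API.txt does not have to guess which one the "--with-compat" in the help text refers to.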
diff --git a/VERSION b/VERSION
index eba6b75cdd57e8ee4024b4e6aa2960022007bd0e..523bde4a8ecdcac4c3a451c0e09ef75b156d7831 100644
--- a/VERSION
+++ b/VERSION
@@ -79,4 +79,4 @@ IPA_DATA_VERSION=2010061412
 #  #
 
 IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=26
+IPA_API_VERSION_MINOR=27
diff --git a/ipalib/plugins/migration.py b/ipalib/plugins/migration.py
index 688265fd3ea7f62bb22bf78abbc7f26e64f7470b..a31fff8597d856cbf67825f6ed990cb9f16725a6 100644
--- a/ipalib/plugins/migration.py
+++ b/ipalib/plugins/migration.py
@@ -52,6 +52,11 @@ Two LDAP schemas define how group members are stored: RFC2307 and
 RFC2307bis. RFC2307bis uses member and uniquemember to specify group
 members, RFC2307 uses memberUid. The default schema is RFC2307bis.
 
+In order to use other schema than RFC2307bis the compatibility plug-in
+must be enabled. Migration with enabled compatibility plug-in causes
+a lot of overhead. Because of that it is disabled by default but it can
+be overridden by the '--with-compat' option.
+
 Migrated users do not have Kerberos credentials, they have only their
 LDAP password. To complete the migration process, users need to go
 to http://ipa.example.com/ipa/migration and authenticate using their
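
Review bot: the first added sentence, "In order to use other schema than RFC2307bis the compatibility plug-in must be enabled", does not explain what the plug-in does, and "it is disabled by default" is ambiguous (the plug-in? the migration?) when the thing the new option controls is the compat check in migrate-ds. Say what the review asked for: the compat plug-in presents a different view of the directory data for clients that do not support RFC2307bis; migrating while it is enabled causes a lot of overhead, so migrate-ds refuses to run while it is enabled unless --with-compat is given. The source schema itself is selected by the --schema option shown in the API.txt hunk.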
@@ -67,6 +72,10 @@ EXAMPLES:
  The simplest migration, accepting all defaults:
ipa migrate-ds ldap://ds.example.com:389
 
+ The simplest migration, accepting all defaults and ignoring

Re: [Freeipa-devel] [PATCH] 12 When migrating warn user if compat is enabled

2012-02-21 Thread Ondrej Hamada

On 02/20/2012 06:53 PM, Rob Crittenden wrote:

Ondrej Hamada wrote:

https://fedorahosted.org/freeipa/ticket/2274

Added check into migration plugin to warn user when compat is enabled.
If compat is enabled, the migration fails and user is warned that he
must turn the compat off or run the script with (the newly introduced)
option '--compat'.

'--compat' is just a flag, by default set to false. If it is set, the
compat check is skipped.



Interesting approach. I think this is probably good, preventing 
migration when the compat plugin is enabled unless you specifically 
decide to.


I think the option may need another name, maybe --with-compat or 
something.


I think in the message we should use "enabled" instead of "on". That 
is the language of ipa-compat-manage.


The migration help should have a discussion of why this is a problem 
too, and what compat really is (provides a different view of the data 
to be compatible with non RFC2703bis systems).


rob

corrected

Ondra

--
Regards,

Ondrej Hamada
FreeIPA team
jabber: oh...@jabbim.cz
IRC: ohamada

From b4c368fc1c404c4a520c814f10d522b5b8e909aa Mon Sep 17 00:00:00 2001
From: Ondrej Hamada oham...@redhat.com
Date: Tue, 21 Feb 2012 11:13:38 +0100
Subject: [PATCH] Migration warning when compat enabled

Added check into migration plugin to warn user when compat is enabled.
If compat is enabled, the migration fails and user is warned that he
must turn the compat off or run the script with (the newly introduced)
option '--compat'.

'--compat' is new flag. If it is set, the compat status is ignored.

https://fedorahosted.org/freeipa/ticket/2274
---
 API.txt |3 ++-
 VERSION |2 +-
 ipalib/plugins/migration.py |   26 ++
 3 files changed, 29 insertions(+), 2 deletions(-)

diff --git a/API.txt b/API.txt
index 66713317c9b11057f12676c2afc7bc36d0ca3969..9eec33d4597cb96af870088eb827e39973d66fb6 100644
--- a/API.txt
+++ b/API.txt
@@ -1925,7 +1925,7 @@ output: Output('summary', (type 'unicode', type 'NoneType'), None)
 output: Entry('result', type 'dict', Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
 output: Output('value', type 'unicode', None)
 command: migrate_ds
-args: 2,14,3
+args: 2,15,3
 arg: Str('ldapuri', cli_name='ldap_uri')
 arg: Password('bindpw', cli_name='password', confirm=False)
 option: Str('binddn?', autofill=True, cli_name='bind_dn', default=u'cn=directory manager')
@@ -1940,6 +1940,7 @@ option: Str('groupignoreattribute*', autofill=True, cli_name='group_ignore_attri
 option: Flag('groupoverwritegid', autofill=True, cli_name='group_overwrite_gid', default=False)
 option: StrEnum('schema?', autofill=True, cli_name='schema', default=u'RFC2307bis', values=(u'RFC2307bis', u'RFC2307'))
 option: Flag('continue?', autofill=True, default=False)
+option: Flag('compat?', autofill=True, cli_name='with_compat', default=False)
 option: Str('exclude_groups*', autofill=True, cli_name='exclude_groups', csv=True, default=())
 option: Str('exclude_users*', autofill=True, cli_name='exclude_users', csv=True, default=())
 output: Output('result', type 'dict', None)
diff --git a/VERSION b/VERSION
index eba6b75cdd57e8ee4024b4e6aa2960022007bd0e..523bde4a8ecdcac4c3a451c0e09ef75b156d7831 100644
--- a/VERSION
+++ b/VERSION
@@ -79,4 +79,4 @@ IPA_DATA_VERSION=2010061412
 #  #
 
 IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=26
+IPA_API_VERSION_MINOR=27
diff --git a/ipalib/plugins/migration.py b/ipalib/plugins/migration.py
index 688265fd3ea7f62bb22bf78abbc7f26e64f7470b..a31fff8597d856cbf67825f6ed990cb9f16725a6 100644
--- a/ipalib/plugins/migration.py
+++ b/ipalib/plugins/migration.py
@@ -52,6 +52,11 @@ Two LDAP schemas define how group members are stored: RFC2307 and
 RFC2307bis. RFC2307bis uses member and uniquemember to specify group
 members, RFC2307 uses memberUid. The default schema is RFC2307bis.
 
+In order to use other schema than RFC2307bis the compatibility plug-in
+must be enabled. Migration with enabled compatibility plug-in causes
+a lot of overhead. Because of that it is disabled by default but it can
+be overridden by the '--with-compat' option.
+
 Migrated users do not have Kerberos credentials, they have only their
 LDAP password. To complete the migration process, users need to go
 to http://ipa.example.com/ipa/migration and authenticate using their
@@ -67,6 +72,10 @@ EXAMPLES:
  The simplest migration, accepting all defaults:
ipa migrate-ds ldap://ds.example.com:389
 
+ The simplest migration, accepting all defaults and ignoring the status
+ of compatibility plug-in:
+   ipa migrate-ds --with-compat ldap://ds.example.com:389
+
  Specify the user and group container. This can be used to migrate user
  and group data from an IPA v1 server:
ipa migrate-ds --user-container='cn=users,cn=accounts' \\
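
Review bot: the example text "ignoring the status of compatibility plug-in" does not say what happens without the flag; one clause such as "migration is refused while the compat plug-in is enabled unless --with-compat is given" ties the example to the check it bypasses.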
@@ -94,6 +103,8 @@ EXAMPLES:
ldap

[Freeipa-devel] [PATCH] 12 When migrating warn user if compat is enabled

2012-02-16 Thread Ondrej Hamada

https://fedorahosted.org/freeipa/ticket/2274

Added check into migration plugin to warn user when compat is enabled.
If compat is enabled, the migration fails and user is warned that he
must turn the compat off or run the script with (the newly introduced)
option '--compat'.

'--compat' is just a flag, by default set to false. If it is set, the 
compat check is skipped.


--
Regards,

Ondrej Hamada
FreeIPA team
jabber: oh...@jabbim.cz
IRC: ohamada

From 2b146dc28bdf35b5840cd193f59ff32db226548a Mon Sep 17 00:00:00 2001
From: Ondrej Hamada oham...@redhat.com
Date: Wed, 15 Feb 2012 14:56:39 +0100
Subject: [PATCH] Migration warning when compat enabled

Added check into migration plugin to warn user when compat is enabled.
If compat is enabled, the migration fails and user is warned that he
must turn the compat off or run the script with (the newly introduced)
option '--compat'.

'--compat' is new flag. If it is set, the compat status is ignored.

https://fedorahosted.org/freeipa/ticket/2274
---
 API.txt |3 ++-
 ipalib/plugins/migration.py |   16 
 2 files changed, 18 insertions(+), 1 deletions(-)

diff --git a/API.txt b/API.txt
index 66713317c9b11057f12676c2afc7bc36d0ca3969..54573ca1ca514d048e62802667956d6bda0d3199 100644
--- a/API.txt
+++ b/API.txt
@@ -1925,7 +1925,7 @@ output: Output('summary', (type 'unicode', type 'NoneType'), None)
 output: Entry('result', type 'dict', Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
 output: Output('value', type 'unicode', None)
 command: migrate_ds
-args: 2,14,3
+args: 2,15,3
 arg: Str('ldapuri', cli_name='ldap_uri')
 arg: Password('bindpw', cli_name='password', confirm=False)
 option: Str('binddn?', autofill=True, cli_name='bind_dn', default=u'cn=directory manager')
@@ -1940,6 +1940,7 @@ option: Str('groupignoreattribute*', autofill=True, cli_name='group_ignore_attri
 option: Flag('groupoverwritegid', autofill=True, cli_name='group_overwrite_gid', default=False)
 option: StrEnum('schema?', autofill=True, cli_name='schema', default=u'RFC2307bis', values=(u'RFC2307bis', u'RFC2307'))
 option: Flag('continue?', autofill=True, default=False)
+option: Flag('compat?', autofill=True, default=False)
 option: Str('exclude_groups*', autofill=True, cli_name='exclude_groups', csv=True, default=())
 option: Str('exclude_users*', autofill=True, cli_name='exclude_users', csv=True, default=())
 output: Output('result', type 'dict', None)
diff --git a/ipalib/plugins/migration.py b/ipalib/plugins/migration.py
index 688265fd3ea7f62bb22bf78abbc7f26e64f7470b..50254d8f34e9a1ada9b3b4bd45c2949079ccedf5 100644
--- a/ipalib/plugins/migration.py
+++ b/ipalib/plugins/migration.py
@@ -94,6 +94,8 @@ EXAMPLES:
ldap://ds.example.com:389
 )
 
+compat_dn = cn=Schema Compatibility,cn=plugins,cn=config
+
 # USER MIGRATION CALLBACKS AND VARS
 
 _krb_err_msg = _('Kerberos principal %s already exists. Use \'ipa user-mod\' to set it manually.')
@@ -431,6 +433,11 @@ class migrate_ds(Command):
 doc=_('Continuous operation mode. Errors are reported but the process continues'),
 default=False,
 ),
+Flag('compat?',
+label=_('Ignore compat plugin'),
+doc=_('Allows migration despite the usage of compat plugin'),
+default=False,
+),
 )
 
 has_output = (
@@ -635,6 +642,12 @@ can use their Kerberos accounts.''')
 ds_ldap = ldap2(shared_instance=False, ldap_uri=ldapuri, base_dn='')
 ds_ldap.connect(bind_dn=options['binddn'], bind_pw=bindpw)
 
+#check whether the compat plugin is enabled
+if not options.get('compat'):
+(dn,check_compat) = ds_ldap.get_entry(compat_dn, normalize=False)
+if check_compat is not None and check_compat.get('nsslapd-pluginenabled', [''])[0].lower() == 'on':
+return dict(result={},failed={},enabled=True)
+
 # retrieve DS base DN
 (entries, truncated) = ds_ldap.find_entries(
 '', ['namingcontexts'], '', ds_ldap.SCOPE_BASE,
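
Review bot: `ds_ldap` is the connection opened two lines above to the remote `ldapuri` with the migration bind DN, so `ds_ldap.get_entry(compat_dn, ...)` inspects the plug-in state of the directory being migrated from, not of the IPA server whose Schema Compatibility plug-in causes the overhead; do this lookup through the IPA server's own backend (api.Backend.ldap2). Also, ldap2.get_entry raises errors.NotFound for a missing entry instead of returning None (compare the `except errors.NotFound:` handler after the get_entry call in the permission_mod hunk earlier on this page), so the `check_compat is not None` branch never triggers and a server without that entry aborts with NotFound; wrap the lookup in try/except errors.NotFound. Finally, `return dict(result={},failed={},enabled=True)` signals the compat condition only by leaving both dicts empty; add an explicit `compat` output key so the CLI output code does not have to infer it.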
@@ -657,6 +670,9 @@ can use their Kerberos accounts.''')
 if not result['enabled']:
 textui.print_plain(self.migration_disabled_msg)
 return 1
+if not result['result'] and not result['failed']:
+textui.print_plain(Compat plugin is on. This might cause troubles during migration. Disable the compat plugin or run this script with \'--compat\' option.)
+return 1
 textui.print_plain('Migrated:')
 textui.print_entry1(
 result['result'], attr_order=self.migrate_order,
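
Review bot: `if not result['result'] and not result['failed']:` treats any run that migrated nothing and failed nothing as "compat plug-in is on", so a migration from an empty source container prints the compat warning and returns 1. Test an explicit result key (e.g. `result['compat']`) set by execute() when the check trips. The message should also use the "enabled" wording of ipa-compat-manage rather than "on".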
-- 
1.7.6.5


Re: [Freeipa-devel] [PATCH] 11 Checking and modifying of memberof attribute

2012-02-07 Thread Ondrej Hamada

On 02/06/2012 05:03 PM, Martin Kosek wrote:

On Mon, 2012-02-06 at 12:14 +0100, Ondrej Hamada wrote:

https://fedorahosted.org/freeipa/ticket/2255
https://fedorahosted.org/freeipa/ticket/2286
https://fedorahosted.org/freeipa/ticket/2305

Added checking of existence of groups that are specified in permission
and delegation module. Also the permission plugin now allows to unset
memberof value. Additional unit tests for checking new behaviour were
created.

NACK

I think there are few things that could be improved:

1) I don't think that _make_aci function should have any side-effects to
kw like deleting some keys from it:

@@ -265,8 +265,15 @@ def _make_aci(ldap, current, aciname, kw):
...
+else:
+del kw['memberof']

IMO, this may break expectations when _make_aci is called and introduce
some issues in the future.

I think that entire _make_aci should be fixed to ignore attributes set
to None just like with other plugins. We just need to validate if the kw
combination is OK.

This would mean that the ACI validation should be updated as well:
...
 t1 = 'type' in kw   # What if kw['type'] is None?
 t2 = 'filter' in kw
 t3 = 'subtree' in kw
 t4 = 'targetgroup' in kw
 t5 = 'attrs' in kw
 t6 = 'memberof' in kw
...

There are already some related fixes in aci_find.

2) This is a good opportunity to fix also other ACI attributes, like
--type. Now, it throws Internal Error:

# ipa permission-mod test --type=
ipa: ERROR: an internal error has occurred

Martin

The ACI validation was updated to validate all six of the mentioned 
attributes, and it is now possible to unset them.


--
Regards,

Ondrej Hamada
FreeIPA team
jabber: oh...@jabbim.cz
IRC: ohamada

From 4313a381e44986cdc26c88194297d6a0a4cfd112 Mon Sep 17 00:00:00 2001
From: Ondrej Hamada oham...@redhat.com
Date: Tue, 7 Feb 2012 13:07:09 +0100
Subject: [PATCH] Memberof attribute control and update

Checking of parameters used by the _make_aci function was rewritten.
Additional attributes of ACI (type, attribute, memberof, targetgroup,
subtree, filter) can be unset.

Permission plugin now allows to unset memberof value.
https://fedorahosted.org/freeipa/ticket/2255

Added checking of existence of groups that are specified in permission
and delegation module.

https://fedorahosted.org/freeipa/ticket/2286
https://fedorahosted.org/freeipa/ticket/2305
---
 ipalib/plugins/aci.py   |   36 ++---
 tests/test_xmlrpc/test_delegation_plugin.py |   12 ++
 tests/test_xmlrpc/test_permission_plugin.py |   57 +++
 3 files changed, 90 insertions(+), 15 deletions(-)

diff --git a/ipalib/plugins/aci.py b/ipalib/plugins/aci.py
index e87ac9bff09fc87fec6987ae40b0cf1dd353dd3b..f0b81f48af1f9fbf8ab267a3d4b113c328ab1170 100644
--- a/ipalib/plugins/aci.py
+++ b/ipalib/plugins/aci.py
@@ -208,22 +208,24 @@ def _make_aci(ldap, current, aciname, kw):
 Given a name and a set of keywords construct an ACI.
 
 # Do some quick and dirty validation.
-t1 = 'type' in kw
-t2 = 'filter' in kw
-t3 = 'subtree' in kw
-t4 = 'targetgroup' in kw
-t5 = 'attrs' in kw
-t6 = 'memberof' in kw
-if t1 + t2 + t3 + t4  1:
+checked_args=['type','filter','subtree','targetgroup','attrs','memberof']
+valid={}
+for arg in checked_args:
+if arg in kw:
+valid[arg]=kw[arg] is not None
+else:
+valid[arg]=False
+
+if valid['type'] + valid['filter'] + valid['subtree'] + valid['targetgroup']  1:
 raise errors.ValidationError(name='target', error=_('type, filter, subtree and targetgroup are mutually exclusive'))
 
 if 'aciprefix' not in kw:
 raise errors.ValidationError(name='aciprefix', error=_('ACI prefix is required'))
 
-if t1 + t2 + t3 + t4 + t5 + t6 == 0:
+if sum(valid.itervalues()) == 0:
 raise errors.ValidationError(name='target', error=_('at least one of: type, filter, subtree, targetgroup, attrs or memberof are required'))
 
-if t2 + t6  1:
+if valid['filter'] + valid['memberof']  1:
 raise errors.ValidationError(name='target', error=_('filter and memberof are mutually exclusive'))
 
 group = 'group' in kw
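
Review bot: the context line `group = 'group' in kw` keeps the old membership test, so `group=None` passed to unset it is still treated as a group being set, which is inconsistent with the new `valid` handling of the six other keywords; route `group` through the same `is not None` test. Separately, `valid[arg] = kw[arg] is not None` counts an empty value (an empty tuple or string, if the parameter layer lets one through) as present in the mutually-exclusive and at-least-one checks; if that is unwanted, test truthiness as well.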
@@ -262,12 +264,16 @@ def _make_aci(ldap, current, aciname, kw):
 else:
 dn = entry_attrs['dn']
 a.set_bindrule('groupdn = ldap:///%s;' % dn)
-if 'attrs' in kw:
+if valid['attrs']:
 a.set_target_attr(kw['attrs'])
-if 'memberof' in kw:
+if valid['memberof']:
+try:
+api.Command['group_show'](kw['memberof'])
+except errors.NotFound:
+api.Object['group'].handle_not_found(kw['memberof'])
 groupdn = _group_from_memberof(kw['memberof'])
 a.set_target_filter('memberOf=%s' % groupdn)
-if 'filter' in kw:
+if valid['filter']:
 # Test the filter by performing a simple search

[Freeipa-devel] [PATCH] 11 Checking and modifying of memberof attribute

2012-02-06 Thread Ondrej Hamada

https://fedorahosted.org/freeipa/ticket/2255
https://fedorahosted.org/freeipa/ticket/2286
https://fedorahosted.org/freeipa/ticket/2305

Added checking of existence of groups that are specified in permission
and delegation module. Also the permission plugin now allows to unset
memberof value. Additional unit tests for checking new behaviour were
created.

--
Regards,

Ondrej Hamada
FreeIPA team
jabber: oh...@jabbim.cz
IRC: ohamada

From e26c980cffc5703845aeca4dba28dcca0364ab3a Mon Sep 17 00:00:00 2001
From: Ondrej Hamada oham...@redhat.com
Date: Mon, 6 Feb 2012 11:04:15 +0100
Subject: [PATCH] Memberof attribute control and update

Added checking of existence of groups that are specified in permission
and delegation module.

https://fedorahosted.org/freeipa/ticket/2286
https://fedorahosted.org/freeipa/ticket/2305

Permission plugin now allows to unset memberof value.
https://fedorahosted.org/freeipa/ticket/2255
---
 ipalib/plugins/aci.py   |   11 -
 tests/test_xmlrpc/test_delegation_plugin.py |   12 ++
 tests/test_xmlrpc/test_permission_plugin.py |   57 +++
 3 files changed, 78 insertions(+), 2 deletions(-)

diff --git a/ipalib/plugins/aci.py b/ipalib/plugins/aci.py
index e87ac9bff09fc87fec6987ae40b0cf1dd353dd3b..83d43cab8c20ac04b4a546653a682b7860c7d1b4 100644
--- a/ipalib/plugins/aci.py
+++ b/ipalib/plugins/aci.py
@@ -265,8 +265,15 @@ def _make_aci(ldap, current, aciname, kw):
 if 'attrs' in kw:
 a.set_target_attr(kw['attrs'])
 if 'memberof' in kw:
-groupdn = _group_from_memberof(kw['memberof'])
-a.set_target_filter('memberOf=%s' % groupdn)
+if kw['memberof'] is not None:
+try:
+api.Command['group_show'](kw['memberof'])
+except errors.NotFound:
+api.Object['group'].handle_not_found(kw['memberof'])
+groupdn = _group_from_memberof(kw['memberof'])
+a.set_target_filter('memberOf=%s' % groupdn)
+else:
+del kw['memberof']
 if 'filter' in kw:
 # Test the filter by performing a simple search on it. The
 # filter is considered valid if either it returns some entries
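
Review bot: besides the side effect on `kw` already raised in the thread, the None handling here is specific to memberof while the surrounding `if 'attrs' in kw:` and `if 'filter' in kw:` keep the plain membership test, so unsetting those (`--attrs=`, `--filter=`) still passes None into set_target_attr and the filter search; handle None uniformly for all target keywords rather than special-casing one.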
diff --git a/tests/test_xmlrpc/test_delegation_plugin.py b/tests/test_xmlrpc/test_delegation_plugin.py
index 1a9c36743d305cc382350db8e866ace21331fc5c..db5f7186527d2e0c6567dd5a727e878144bd3020 100644
--- a/tests/test_xmlrpc/test_delegation_plugin.py
+++ b/tests/test_xmlrpc/test_delegation_plugin.py
@@ -68,6 +68,18 @@ class test_delegation(Declarative):
 ),
 ),
 
+dict(
+desc='Try to create %r for non-existing member group' % delegation1,
+command=(
+'delegation_add', [delegation1], dict(
+ attrs=u'street,c,l,st,postalCode',
+ permissions=u'write',
+ group=u'editors',
+ memberof=u'nonexisting',
+),
+),
+expected=errors.NotFound(reason='group not found'),
+),
 
 # Note that we add postalCode but expect postalcode. This tests
 # the attrs normalizer.
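
Review bot: the negative case is placed before the positive create of delegation1, so it runs while the delegation does not exist yet, which is the right order; it asserts only on NotFound, though, so a following `delegation_show` expecting NotFound would confirm that the failed add left no partial ACI behind.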
diff --git a/tests/test_xmlrpc/test_permission_plugin.py b/tests/test_xmlrpc/test_permission_plugin.py
index 50d368197cbc080f40fecf2038ae14337ed78b7c..e8e6bebcd387307f30e4a7bc4d266092b7e41424 100644
--- a/tests/test_xmlrpc/test_permission_plugin.py
+++ b/tests/test_xmlrpc/test_permission_plugin.py
@@ -500,6 +500,16 @@ class test_permission(Declarative):
 )
 ),
 
+dict(
+desc='Try to create permission %r with non-existing memberof' % permission1,
+command=(
+'permission_add', [permission1], dict(
+ memberof=u'nonexisting',
+ permissions=u'write',
+)
+),
+expected=errors.NotFound(reason='group not found'),
+),
 
 dict(
 desc='Create memberof permission %r' % permission1,
@@ -507,6 +517,7 @@ class test_permission(Declarative):
 'permission_add', [permission1], dict(
  memberof=u'editors',
  permissions=u'write',
+ type=u'user',
 )
 ),
 expected=dict(
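
Review bot: the reason for adding `type=u'user'` to the existing "Create memberof permission" case is not stated in the commit message; if memberof alone was previously sufficient, say why the input changed, or add the typed variant as a separate case so the memberof-only path stays covered.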
@@ -518,6 +529,52 @@ class test_permission(Declarative):
 objectclass=objectclasses.permission,
 memberof=u'editors',
 permissions=[u'write'],
+type=u'user',
+),
+),
+),
+
+dict(
+desc='Try to update non-existent memberof of %r' % permission1,
+command=('permission_mod', [permission1], dict(memberof=u'nonexisting')),
+expected=errors.NotFound(reason='group not found'),
+),
+
+dict(
+desc='Update memberof

Re: [Freeipa-devel] [PATCH] 10 --no-reverse option in ipa-replica-install is not honoured

2012-01-31 Thread Ondrej Hamada

On 01/26/2012 09:24 AM, Jan Cholasta wrote:

Dne 25.1.2012 17:50, Ondrej Hamada napsal(a):

https://fedorahosted.org/freeipa/ticket/2161

The option '--no-reverse' was not honoured in replica-install because of
wrongly placed condition checking.



NACK

The --no-reverse option means "do not create a new reverse zone if 
there is no existing suitable reverse zone". Your patch changes the 
semantics of the option to "do not use any reverse zone".


One problem I see is that the name of the option is misleading. It 
should probably be changed to --no-new-reverse.


Anyway, the ticket should IMO be closed as invalid. It is a case of 
people not reading documentation and then being surprised why things 
don't work the way they assumed.


Honza

According to discussion with jgalipea and rcrit: the option will stay as 
it is, just the manpages and documentation will be updated.


This patch patches the option descriptions in code and in manpages. For 
the documentation update a new ticket was created: 
https://fedorahosted.org/freeipa/ticket/2330


--
Regards,

Ondrej Hamada
FreeIPA team
jabber: oh...@jabbim.cz
IRC: ohamada

From 372aa7fd3a656f4092cd27a0cf7bd611f87f0e35 Mon Sep 17 00:00:00 2001
From: Ondrej Hamada oham...@redhat.com
Date: Tue, 31 Jan 2012 15:16:56 +0100
Subject: [PATCH] Fix 'no-reverse' option description

The description of 'no-reverse' option was fixed in both code and
manpages of ipa-replica-install and ipa-dns-install.

https://fedorahosted.org/freeipa/ticket/2161
---
 install/tools/ipa-dns-install   |2 +-
 install/tools/ipa-replica-install   |2 +-
 install/tools/man/ipa-dns-install.1 |2 +-
 install/tools/man/ipa-replica-install.1 |2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/install/tools/ipa-dns-install b/install/tools/ipa-dns-install
index 98929bdc35dbd4cfde657e7711ed3eee98e1598f..70cc00d33df981a6f57dab56c7598cd35f562fbc 100755
--- a/install/tools/ipa-dns-install
+++ b/install/tools/ipa-dns-install
@@ -48,7 +48,7 @@ def parse_options():
   default=False, help=Do not add any DNS forwarders, use root servers instead)
 parser.add_option(--reverse-zone, dest=reverse_zone, help=The reverse DNS zone to use)
 parser.add_option(--no-reverse, dest=no_reverse, action=store_true,
-  default=False, help=Do not create reverse DNS zone)
+  default=False, help=Do not create new reverse DNS zone)
 parser.add_option(--zonemgr, action=callback, callback=bindinstance.zonemgr_callback,
   type=string,
   help=DNS zone manager e-mail address. Defaults to root)
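Review bot: the help string on the `+` line, 'Do not create new reverse DNS zone', still does not say what happens when a suitable reverse zone already exists, which is exactly the misunderstanding behind ticket 2161; align it with the man page wording added later in this patch, e.g. 'Do not create a new reverse DNS zone; an existing reverse zone for the subnet is used'. The same applies to the identical ipa-replica-install help string in the next hunk.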
diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index c1474ecbffc6ac5ccc22b91098dbdb1aa4613f0f..4af0358d86787f177a77b95743afff157a16726e 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -85,7 +85,7 @@ def parse_options():
   default=False, help=Do not add any DNS forwarders, use root servers instead)
 dns_group.add_option(--reverse-zone, dest=reverse_zone, help=The reverse DNS zone to use)
 dns_group.add_option(--no-reverse, dest=no_reverse, action=store_true,
-  default=False, help=Do not create reverse DNS zone)
+  default=False, help=Do not create new reverse DNS zone)
 dns_group.add_option(--no-host-dns, dest=no_host_dns, action=store_true,
   default=False,
   help=Do not use DNS for hostname lookup during installation)
diff --git a/install/tools/man/ipa-dns-install.1 b/install/tools/man/ipa-dns-install.1
index adcab95e0dca9711cb6f3a8f45f62b3bdc26b58c..c9dfbb560355d67404540acddd8c6c3450b6f540 100644
--- a/install/tools/man/ipa-dns-install.1
+++ b/install/tools/man/ipa-dns-install.1
@@ -44,7 +44,7 @@ Do not add any DNS forwarders, send non\-resolvable addresses to the DNS root se
 The reverse DNS zone to use
 .TP
 \fB\-\-no\-reverse\fR
-Do not create reverse DNS zone
+Do not create new reverse DNS zone. If used on a replica and a reverse DNS zone already exists for the subnet, it will be used.
 .TP
 \fB\-\-zonemgr\fR
 The e\-mail address of the DNS zone manager. Defaults too root@host.domain
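Review bot: the added sentence in ipa-dns-install.1 says 'If used on a replica and a reverse DNS zone already exists for the subnet', but this page documents ipa-dns-install, not ipa-replica-install; either drop 'on a replica' or describe what ipa-dns-install itself does with an existing zone. The unchanged context line below it also carries a typo, 'Defaults too root@host.domain', worth fixing while the file is touched.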
diff --git a/install/tools/man/ipa-replica-install.1 b/install/tools/man/ipa-replica-install.1
index f8fa148d076b2e4a53682b1d48e08e57380892d7..074162f0c74207643d3f83e39e15534666899b27 100644
--- a/install/tools/man/ipa-replica-install.1
+++ b/install/tools/man/ipa-replica-install.1
@@ -80,7 +80,7 @@ Do not add any DNS forwarders. Root DNS servers will be used instead.
 The reverse DNS zone to use
 .TP
 \fB\-\-no\-reverse\fR
-Do not create reverse DNS zone
+Do not create new reverse DNS zone. If a reverse DNS zone already exists for the subnet, it will be used.
 .TP
 \fB\-\-no\-host\-dns\fR
 Do not use DNS for hostname lookup during installation
-- 
1.7.6.5


[Freeipa-devel] [PATCH] 10 --no-reverse option in ipa-replica-install is not honoured

2012-01-25 Thread Ondrej Hamada

https://fedorahosted.org/freeipa/ticket/2161

The option '--no-reverse' was not honoured in replica-install because of
wrongly placed condition checking.

--
Regards,

Ondrej Hamada
FreeIPA team
jabber: oh...@jabbim.cz
IRC: ohamada

From 5aa9a2238ee5c32aeebf3c2cabc6aa5c31794822 Mon Sep 17 00:00:00 2001
From: Ondrej Hamada oham...@redhat.com
Date: Wed, 25 Jan 2012 16:53:01 +0100
Subject: [PATCH] Honor no-reverse option on replica

The option '--no-reverse' was not honored in replica-install because of
wrongly placed condition checking.

https://fedorahosted.org/freeipa/ticket/2161
---
 install/tools/ipa-replica-install |   13 -
 1 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index c1474ecbffc6ac5ccc22b91098dbdb1aa4613f0f..4df7b5c0152e2462fae8667e7108cce891f33ef2 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -206,11 +206,14 @@ def install_bind(config, options):
 sys.exit(1)
 reverse_zone = bindinstance.normalize_zone(options.reverse_zone)
 else:
-reverse_zone = bindinstance.find_reverse_zone(config.ip)
-if reverse_zone is None and not options.no_reverse:
-reverse_zone = bindinstance.get_reverse_zone_default(config.ip)
-if not options.unattended and bindinstance.create_reverse():
-reverse_zone = bindinstance.read_reverse_zone(reverse_zone, config.ip)
+if not options.no_reverse:
+reverse_zone = bindinstance.find_reverse_zone(config.ip)
+if reverse_zone is None:
+reverse_zone = bindinstance.get_reverse_zone_default(config.ip)
+if not options.unattended and bindinstance.create_reverse():
+reverse_zone = bindinstance.read_reverse_zone(reverse_zone, config.ip)
+else:
+reverse_zone = None
 
 if reverse_zone is not None:
 print Using reverse zone %s % reverse_zone
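Review bot: the rewritten branch changes what --no-reverse means: with the option set, find_reverse_zone(config.ip) is no longer called at all and reverse_zone is forced to None, so an existing suitable reverse zone is ignored, whereas the removed lines already honoured the option as 'do not create a new zone' by guarding only the get_reverse_zone_default()/create_reverse() path with `not options.no_reverse`. Unless the documented semantics are meant to change, keep the unconditional find_reverse_zone() call and leave the guard where it was; the original placement of the condition looks correct.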
-- 
1.7.6.5
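To make the two readings of --no-reverse from the NACK above concrete, here is an added example (not FreeIPA code) that models both selection rules over a constructed list of existing reverse zones. The helper names mirror the ones in the hunk but are my own implementations, the /24 default zone and IPv4-only handling are assumptions, and the interactive create_reverse() prompt of the unattended path is left out.

```python
import ipaddress

# Constructed list of reverse zones that already exist in the directory
# (not taken from any real deployment).
EXISTING_ZONES = ['5.0.10.in-addr.arpa.']


def reverse_zone_default(ip):
    """Name of the /24 reverse zone that would be created for ip (IPv4 assumed)."""
    labels = ipaddress.ip_address(ip).reverse_pointer.split('.')
    return '.'.join(labels[1:]) + '.'


def find_reverse_zone(ip, existing_zones):
    """Most specific existing zone that contains ip's PTR record, or None."""
    ptr = ipaddress.ip_address(ip).reverse_pointer + '.'
    matches = [z for z in existing_zones if ptr.endswith('.' + z)]
    return max(matches, key=len) if matches else None


def select_zone_no_new(ip, existing_zones, no_reverse):
    """Documented semantics: --no-reverse only suppresses creating a new zone.

    Returns (zone, would_create). An existing zone is always reused.
    """
    zone = find_reverse_zone(ip, existing_zones)
    if zone is not None:
        return zone, False
    if no_reverse:
        return None, False
    return reverse_zone_default(ip), True


def select_zone_no_any(ip, existing_zones, no_reverse):
    """Semantics the NACKed patch introduces: --no-reverse skips reverse DNS
    entirely, so an existing suitable zone is never looked up."""
    if no_reverse:
        return None, False
    zone = find_reverse_zone(ip, existing_zones)
    if zone is not None:
        return zone, False
    return reverse_zone_default(ip), True


if __name__ == '__main__':
    # The interesting row is 10.0.5.7 with no_reverse=True: the zone exists,
    # the first rule reuses it, the second one drops reverse DNS altogether.
    for ip in ('10.0.5.7', '192.168.1.4'):
        for no_reverse in (False, True):
            print(ip, 'no_reverse=%s' % no_reverse,
                  'no-new ->', select_zone_no_new(ip, EXISTING_ZONES, no_reverse),
                  'no-any ->', select_zone_no_any(ip, EXISTING_ZONES, no_reverse))
```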


[Freeipa-devel] [PATCH] 9 Don't set nsds5replicaupdateschedule in replication agreements

2012-01-23 Thread Ondrej Hamada

https://fedorahosted.org/freeipa/ticket/1482

The nsDS5ReplicaUpdateSchedule parameter is omitted, which results in
replication being run all the time. The parameter is still used for
forcing replica update, but after that action it is always deleted.

--
Regards,

Ondrej Hamada
FreeIPA team
jabber: oh...@jabbim.cz
IRC: ohamada

From f0c0cd98c30c8557a6b8168cab7b5f50e31e9c9a Mon Sep 17 00:00:00 2001
From: Ondrej Hamada oham...@redhat.com
Date: Mon, 23 Jan 2012 17:28:37 +0100
Subject: [PATCH] Leave nsds5replicaupdateschedule parameter unset

The nsDS5ReplicaUpdateSchedule parameter is omitted, which results in
replication being run all the time. The parameter is still used for
forcing replica update, but after that action it is always deleted.

https://fedorahosted.org/freeipa/ticket/1482
---
 ipaserver/install/replication.py |   19 ---
 1 files changed, 8 insertions(+), 11 deletions(-)

diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py
index 3ac99e6bd75f2990be346c14fce424927c6550fa..052f183468e0f65e410174ba3529c53d69fcdbeb 100644
--- a/ipaserver/install/replication.py
+++ b/ipaserver/install/replication.py
@@ -460,7 +460,6 @@ class ReplicationManager(object):
 entry.setValues('nsds5replicatimeout', str(TIMEOUT))
 entry.setValues('nsds5replicaroot', self.suffix)
 if master is None:
-entry.setValues('nsds5replicaupdateschedule', '-2359 0123456')
 entry.setValues('nsDS5ReplicatedAttributeList',
 '(objectclass=*) $ EXCLUDE %s' %  .join(excludes))
 entry.setValues('description', me to %s % b_hostname)
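Review bot: dropping the explicit '-2359 0123456' value for new agreements changes whether the attribute is present at all, not just its value; agreements created by earlier versions still carry the old schedule and only lose it the next time force_sync touches them (second hunk), so consider an update step that clears nsds5replicaupdateschedule on existing agreements, otherwise old and new agreements behave differently until someone forces a sync.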
@@ -853,22 +852,20 @@ class ReplicationManager(object):
 
 dn = entry[0].dn
 schedule = entry[0].nsds5replicaupdateschedule
-if schedule is None:
-schedule = '-2359 0123456'
 
 # On the remote chance of a match. We force a synch to happen right
-# now by changing the schedule to something else and quickly changing
-# it back.
-if newschedule == schedule:
-newschedule = '2358-2359 1'
-root_logger.info(Changing agreement %s schedule to %s to force synch %
+# now by setting the schedule to something and quickly removing it.
+if schedule is not None:
+if newschedule == schedule:
+newschedule = '2358-2359 1'
+root_logger.info(Setting agreement %s schedule to %s to force synch %
  (dn, newschedule))
 mod = [(ldap.MOD_REPLACE, 'nsDS5ReplicaUpdateSchedule', [ newschedule ])]
 conn.modify_s(dn, mod)
 time.sleep(1)
-root_logger.info(Changing agreement %s to restore original schedule %s %
- (dn, schedule))
-mod = [(ldap.MOD_REPLACE, 'nsDS5ReplicaUpdateSchedule', [ schedule ])]
+root_logger.info(Deleting schedule %s from agreement %s %
+ (newschedule, dn))
+mod = [(ldap.MOD_DELETE, 'nsDS5ReplicaUpdateSchedule', None)]
 conn.modify_s(dn, mod)
 
 def get_agreement_type(self, hostname):
-- 
1.7.6.5


[Freeipa-devel] [PATCH] 8 localhost.localdomain clients refused to join ipa domain

2012-01-16 Thread Ondrej Hamada

https://fedorahosted.org/freeipa/ticket/2112

Machines with the hostname 'localhost.localdomain' are refused from joining
the IPA domain and a proper error message is shown.

--
Regards,

Ondrej Hamada
FreeIPA team
jabber: oh...@jabbim.cz
IRC: ohamada

From 0d91a4ba654ba47759cdecdd60bc7d938d11313b Mon Sep 17 00:00:00 2001
From: Ondrej Hamada oham...@redhat.com
Date: Mon, 16 Jan 2012 12:30:29 +0100
Subject: [PATCH] localhost.localdomain clients refused to join

Machines with the hostname 'localhost.localdomain' are refused from joining
the IPA domain and a proper error message is shown.

https://fedorahosted.org/freeipa/ticket/2112
---
 ipa-client/ipa-join.c |6 ++
 1 files changed, 6 insertions(+), 0 deletions(-)

diff --git a/ipa-client/ipa-join.c b/ipa-client/ipa-join.c
index c174e2c157d0878dedf0d302e547ff176deb9e98..95195535b4611f022df90d1e0e10f7e83b4c6c80 100644
--- a/ipa-client/ipa-join.c
+++ b/ipa-client/ipa-join.c
@@ -937,6 +937,12 @@ join(const char *server, const char *hostname, const char *bindpw, const char *b
 goto cleanup;
 }
 
+if (!strcmp(host, localhost.localdomain)) {
+fprintf(stderr, _(The hostname must not be: %s\n), host);
+rval = 16;
+goto cleanup;
+}
+
 if (bindpw)
 rval = join_ldap(ipaserver, host, hostdn, bindpw, basedn, princ, subject, quiet);
 else {
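Review bot: the new check uses strcmp(), which is case-sensitive, while host names are case-insensitive, so 'LOCALHOST.localdomain' or any mixed-case spelling slips past it; use strcasecmp() here, and consider rejecting plain 'localhost' too, since that is the other name a freshly installed machine commonly carries. The exit value 16 is a bare magic number; a comment or a named constant next to the other rval codes in ipa-join.c would make the failure reason discoverable.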
-- 
1.7.6.5


Re: [Freeipa-devel] [PATCH] 7 Ignore srchost option in hbactest

2012-01-07 Thread Ondrej Hamada

On 01/05/2012 05:40 PM, Alexander Bokovoy wrote:

On Thu, 05 Jan 2012, Ondrej Hamada wrote:

https://fedorahosted.org/freeipa/ticket/2085

New version of SSSD begins ignoring sourcehost value of HBAC rules by
default. In order to match this behaviour the sourcehost option in
hbactest is optional now, but the value of sourcehost is ignored in all
rules. Every rule's sourcehost value is set to 'ALL', which turns sourcehost
value comparison off. For every such rule a warning is displayed to
inform the user about changes.

Also the unit tests for hbactest plugin were updated. Every test was
doubled. The second ones test the plugin without sourcehost option. They
are supposed to have the same result.

Looks OK for me. One possibility to enhance the tests is to verify
that sourcehost-based version also checks warning being set to
something other than None.

ACK
Done. I've also made one modification - warnings appear only when the 
srchost option is used and the unit tests check whether they've appeared. 
I've also updated the text in the docstring to mention the srchost option 
as optional only.


--
Regards,

Ondrej Hamada
FreeIPA team
jabber: oh...@jabbim.cz
IRC: ohamada

From 65afccdfc3f4a663f541d26d39963e98e8139093 Mon Sep 17 00:00:00 2001
From: Ondrej Hamada oham...@redhat.com
Date: Sat, 7 Jan 2012 20:17:25 +0100
Subject: [PATCH] HBAC test optional sourcehost option

New version of SSSD begins ignoring sourcehost value of HBAC rules by
default. In order to match this behaviour the sourcehost option in
hbactest is optional now, but the value of sourcehost is ignored in all
rules. Every rule's sourcehost value is set to 'ALL', which turns sourcehost
value comparison off. If the srchost option is used, a warning is displayed to
inform the user about changes. Text of plugin help was also updated.

Also the unit tests for hbactest plugin were updated. Every test was
doubled. The second ones test the plugin without sourcehost option. They
are supposed to have the same result.

https://fedorahosted.org/freeipa/ticket/2085
---
 API.txt   |5 +-
 VERSION   |2 +-
 ipalib/plugins/hbactest.py|   66 ---
 tests/test_xmlrpc/test_hbactest_plugin.py |   71 +
 4 files changed, 115 insertions(+), 29 deletions(-)

diff --git a/API.txt b/API.txt
index aba3d8aa0250113d137878c97903922ff14ee664..493d5a3ff235e2a6f2599896114365af54086d16 100644
--- a/API.txt
+++ b/API.txt
@@ -1455,9 +1455,9 @@ output: Output('summary', (type 'unicode', type 'NoneType'), None)
 output: Entry('result', type 'dict', Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
 output: Output('value', type 'unicode', None)
 command: hbactest
-args: 0,8,5
+args: 0,8,6
 option: Str('user', cli_name='user', primary_key=True)
-option: Str('sourcehost', cli_name='srchost')
+option: Str('sourcehost?', cli_name='srchost')
 option: Str('targethost', cli_name='host')
 option: Str('service', cli_name='service')
 option: Str('rules*', cli_name='rules', csv=True)
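Review bot: the new Output('warning', ...) line is inserted before 'matched', so has_output in ipalib/plugins/hbactest.py must declare it in the same position (the earlier version of this patch in the thread does), otherwise the generated API.txt will not match and the API check fails; 'args: 0,8,6' correctly reflects the extra output, and making 'sourcehost?' optional leaves the option count at 8.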
@@ -1465,6 +1465,7 @@ option: Flag('nodetail?', autofill=True, cli_name='nodetail', default=False)
 option: Flag('enabled?', autofill=True, cli_name='enabled', default=False)
 option: Flag('disabled?', autofill=True, cli_name='disabled', default=False)
 output: Output('summary', (type 'unicode', type 'NoneType'), None)
+output: Output('warning', (type 'list', type 'tuple', type 'NoneType'), None)
 output: Output('matched', (type 'list', type 'tuple', type 'NoneType'), None)
 output: Output('notmatched', (type 'list', type 'tuple', type 'NoneType'), None)
 output: Output('error', (type 'list', type 'tuple', type 'NoneType'), None)
diff --git a/VERSION b/VERSION
index 081643745c47e78e7739f2b1092be762acd14e5f..b6ef09fc5119d04cc54e031762fa3e21987d2867 100644
--- a/VERSION
+++ b/VERSION
@@ -79,4 +79,4 @@ IPA_DATA_VERSION=2010061412
 #  #
 
 IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=18
+IPA_API_VERSION_MINOR=19
diff --git a/ipalib/plugins/hbactest.py b/ipalib/plugins/hbactest.py
index fbc3dbb2e15076665bf712ce94821d46bf52f6df..f1b608d21a69bbd57577455157d8e78e11a54733 100644
--- a/ipalib/plugins/hbactest.py
+++ b/ipalib/plugins/hbactest.py
@@ -28,20 +28,21 @@ __doc__ = _(
 Simulate use of Host-based access controls
 
 HBAC rules control who can access what services on what hosts and from where.
-You can use HBAC to control which users or groups on a source host can
-access a service, or group of services, on a target host.
+You can use HBAC to control which users or groups can access a service,
+or group of services, on a target host.
 
 Since applying HBAC rules implies use of a production environment,
 this plugin aims to provide simulation of HBAC rules evaluation without
 having access to the production environment.
 
- Test user coming from source host
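Review bot: the docstring change removes 'on a source host' from the description, but the example heading in the trailing context, 'Test user coming from source host', still presents the source host as the primary example; the examples should show --srchost as optional and say that any value given is ignored with a warning, as the commit message promises.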

[Freeipa-devel] [PATCH] 7 Ignore srchost option in hbactest

2012-01-05 Thread Ondrej Hamada

https://fedorahosted.org/freeipa/ticket/2085

New version of SSSD begins ignoring sourcehost value of HBAC rules by
default. In order to match this behaviour the sourcehost option in
hbactest is optional now, but the value of sourcehost is ignored in all
rules. Every rule's sourcehost value is set to 'ALL', which turns sourcehost
value comparison off. For every such rule a warning is displayed to
inform the user about changes.

Also the unit tests for hbactest plugin were updated. Every test was
doubled. The second ones test the plugin without sourcehost option. They
are supposed to have the same result.

--
Regards,

Ondrej Hamada
FreeIPA team
jabber: oh...@jabbim.cz
IRC: ohamada

From fd585c817c57596cba1caaee86f41d8b115040e6 Mon Sep 17 00:00:00 2001
From: Ondrej Hamada oham...@redhat.com
Date: Thu, 5 Jan 2012 17:03:53 +0100
Subject: [PATCH] HBAC test optional sourcehost option

New version of SSSD begins ignoring sourcehost value of HBAC rules by
default. In order to match this behaviour the sourcehost option in
hbactest is optional now, but the value of sourcehost is ignored in all
rules. Every rule's sourcehost value is set to 'ALL', which turns sourcehost
value comparison off. For every such rule a warning is displayed to
inform the user about changes.

Also the unit tests for hbactest plugin were updated. Every test was
doubled. The second ones test the plugin without sourcehost option. They
are supposed to have the same result.

https://fedorahosted.org/freeipa/ticket/2085
---
 API.txt   |5 +-
 VERSION   |2 +-
 ipalib/plugins/hbactest.py|   35 ++---
 tests/test_xmlrpc/test_hbactest_plugin.py |   60 +
 4 files changed, 85 insertions(+), 17 deletions(-)

diff --git a/API.txt b/API.txt
index aba3d8aa0250113d137878c97903922ff14ee664..493d5a3ff235e2a6f2599896114365af54086d16 100644
--- a/API.txt
+++ b/API.txt
@@ -1455,9 +1455,9 @@ output: Output('summary', (type 'unicode', type 'NoneType'), None)
 output: Entry('result', type 'dict', Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
 output: Output('value', type 'unicode', None)
 command: hbactest
-args: 0,8,5
+args: 0,8,6
 option: Str('user', cli_name='user', primary_key=True)
-option: Str('sourcehost', cli_name='srchost')
+option: Str('sourcehost?', cli_name='srchost')
 option: Str('targethost', cli_name='host')
 option: Str('service', cli_name='service')
 option: Str('rules*', cli_name='rules', csv=True)
@@ -1465,6 +1465,7 @@ option: Flag('nodetail?', autofill=True, cli_name='nodetail', default=False)
 option: Flag('enabled?', autofill=True, cli_name='enabled', default=False)
 option: Flag('disabled?', autofill=True, cli_name='disabled', default=False)
 output: Output('summary', (type 'unicode', type 'NoneType'), None)
+output: Output('warning', (type 'list', type 'tuple', type 'NoneType'), None)
 output: Output('matched', (type 'list', type 'tuple', type 'NoneType'), None)
 output: Output('notmatched', (type 'list', type 'tuple', type 'NoneType'), None)
 output: Output('error', (type 'list', type 'tuple', type 'NoneType'), None)
diff --git a/VERSION b/VERSION
index 081643745c47e78e7739f2b1092be762acd14e5f..b6ef09fc5119d04cc54e031762fa3e21987d2867 100644
--- a/VERSION
+++ b/VERSION
@@ -79,4 +79,4 @@ IPA_DATA_VERSION=2010061412
 #  #
 
 IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=18
+IPA_API_VERSION_MINOR=19
diff --git a/ipalib/plugins/hbactest.py b/ipalib/plugins/hbactest.py
index fbc3dbb2e15076665bf712ce94821d46bf52f6df..4152507f3ca3fa0a2ccebe0272010839ecd3a56c 100644
--- a/ipalib/plugins/hbactest.py
+++ b/ipalib/plugins/hbactest.py
@@ -139,8 +139,9 @@ def convert_to_ipa_rule(rule):
 )
 for element in structure:
 category = '%scategory' % (element[0])
-if category in rule and rule[category][0] == u'all':
+if (category in rule and rule[category][0] == u'all') or (element[0] == 'sourcehost'):
 # rule applies to all elements
+# sourcehost is always set to 'all'
 element[4].category = set([pyhbac.HBAC_CATEGORY_ALL])
 else:
 # rule is about specific entities
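Review bot: forcing `element[4].category` to HBAC_CATEGORY_ALL whenever `element[0] == 'sourcehost'` silently widens every rule that listed specific source hosts, and nothing in this hunk records that a rule was widened, so the per-rule warning the commit message promises has to be reconstructed elsewhere; raise it here, where the rule's original sourcehost members are still at hand, and only for rules that actually carried a sourcehost restriction, otherwise users get a warning for every rule. The combined `or` condition also reads clearer as a separate `if element[0] == 'sourcehost'` branch carrying the 'sourcehost is always set to all' comment.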
@@ -162,6 +163,7 @@ class hbactest(Command):
 
 has_output = (
 output.summary,
+output.Output('warning', (list, tuple, NoneType),   _('Warning')),
 output.Output('matched', (list, tuple, NoneType),   _('Matched rules')),
 output.Output('notmatched', (list, tuple, NoneType), _('Not matched rules')),
 output.Output('error', (list, tuple, NoneType), _('Non-existent or invalid rules')),
@@ -174,7 +176,7 @@ class hbactest(Command):
 label=_('User name'),
 primary_key=True,
 ),
-Str('sourcehost',
+Str('sourcehost?',
 cli_name='srchost

Re: [Freeipa-devel] [PATCH] 5 User-add random password support

2011-12-09 Thread Ondrej Hamada

On 11/29/2011 10:31 AM, Martin Kosek wrote:

On Thu, 2011-11-24 at 17:51 +0100, Ondrej Hamada wrote:

On 11/24/2011 03:54 PM, Ondrej Hamada wrote:

https://fedorahosted.org/freeipa/ticket/1979

I've used code from ipalib/plugins/host.py to add support for
random
password generation. The '--random' option is now available in
user-add and user-mod commands. If both the 'password' and 'random'
options are used the 'random' option will be ignored.



Functionally, it works OK. I would just like to propose few
improvements:

1) Minor API version in VERSION file should be bumped since you add a
new option
2) We should add some tests exercising this new functionality so that we
can detect regressions early
3) (optional) I am thinking if the passwords we generate are not very
user friendly. I would love to see user's face when he is told that his
new password is 5QU;8l2%]y? .

While this may be OK for hosts bulk passwords which are only
manipulated by admins, we may want to develop more user friendly
passwords in the user plugin.

Martin


https://fedorahosted.org/freeipa/ticket/1979

I've used code from ipalib/plugins/host.py to add
support for random password generation. The
'--random' option is now available in user-add and
user-mod commands. If both the 'password' and 'random'
options are used the 'random' option will be ignored.

Two test cases were added to unit test's module
test_user_plugin.py - they test creating and modifying
user with random password. Two fuzzy tests were added:
test for password (string that doesn't start or end with
whitespace and doesn't contain other whitespace than
' ') and for whatever string (because of krbextradata).

I've slightly modified ipa_generate_password in order
to make passwords for users more user-friendly (reduce
number of non-letters). It has two optional parameters
now - first one is string of characters that should be
used for generating the passwd and second one is length
of password. If no parameter is set, default values will
be used so there's no need to modify other plugins that
use the random password generator.

--
Regards,

Ondrej Hamada
FreeIPA team
jabber: oh...@jabbim.cz
IRC: ohamada

From 19ca0f9e64861a10f940492bd2824f7885348a72 Mon Sep 17 00:00:00 2001
From: Ondrej Hamada oham...@redhat.com
Date: Fri, 9 Dec 2011 15:41:41 +0100
Subject: [PATCH] User-add random password support

I've used code from ipalib/plugins/host.py to add
support for random password generation. The
'--random' option is now available in user-add and
user-mod commands. If both the 'password' and 'random'
options are used the 'random' option will be ignored.

Two test cases were added to unit test's module
test_user_plugin.py - they test creating and modifying
user with random password. Two fuzzy tests were added:
test for password (string that doesn't start or end with
whitespace and doesn't contain other whitespace than
' ') and for whatever string (because of krbextradata).

I've slightly modified ipa_generate_password in order
to make passwords for users more user-friendly (reduce
number of non-letters). It has two optional parameters
now - first one is string of characters that should be
used for generating the passwd and second one is length
of password. If no parameter is set, default values will
be used so there's no need to modify other plugins that
use the random password generator.

https://fedorahosted.org/freeipa/ticket/1979
---
 API.txt   |6 +-
 VERSION   |2 +-
 ipalib/plugins/user.py|   35 +
 ipapython/ipautil.py  |   32 ++--
 tests/test_xmlrpc/test_user_plugin.py |  128 -
 tests/test_xmlrpc/xmlrpc_test.py  |7 ++
 6 files changed, 198 insertions(+), 12 deletions(-)

diff --git a/API.txt b/API.txt
index ed8b5553d25fbf242d49fbb338401dfd27491091..befb484eddd9316b221010c941cbb07d3b9ec3ce 100644
--- a/API.txt
+++ b/API.txt
@@ -2766,7 +2766,7 @@ output: Output('summary', (type 'unicode', type 'NoneType'), None)
 output: Entry('result', type 'dict', Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
 output: Output('value', type 'unicode', None)
 command: user_add
-args: 1,31,3
+args: 1,32,3
 arg: Str('uid', attribute=True, cli_name='login', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', pattern_errmsg='may only include letters, numbers, _, -, . and $', primary_key=True, required=True)
 option: Str('givenname', attribute=True, cli_name='first', multivalue=False, required=True)
 option: Str('sn', attribute=True, cli_name='last', multivalue=False, required=True)
@@ -2779,6 +2779,7 @@ option: Str('loginshell', attribute=True, cli_name='shell', default=u'/bin/sh',
 option: Str('krbprincipalname', attribute=True, autofill=True, cli_name='principal', multivalue=False, required=False)
 option: Str('mail', attribute=True, cli_name='email', multivalue=True

Re: [Freeipa-devel] [PATCH] 6 Sort password policy by priority

2011-12-02 Thread Ondrej Hamada

On 11/29/2011 08:43 PM, Rob Crittenden wrote:

Ondrej Hamada wrote:

On 11/29/2011 03:46 PM, Ondrej Hamada wrote:

https://fedorahosted.org/freeipa/ticket/2045

'ipa pwpolicy-find' output is now sorted by priority of the policies.
Lower position means lower priority. Global policy is then at the bottom.

The changes have also affected the LDAPSearch class in baseldap.py:
LDAPSearch class sorts the search results by primary key by default
(which is usually 'cn'). Therefore a function pointer entries_sortfn
was added. If no sorting function exists, default sorting by primary key
is used.

Sorting function had to be introduced due to the fact that pwpolicy's
primary key is also its 'cn' and global policy is not allowed to have any
priority.


forget to attach the patch, sorry :-[




Doesn't work with the lite-server due to changing a ReadOnly value. I 
think you have the right idea you just need to assign the sorting 
statically instead of dynamically (it won't change after finalization).


$ ./ipa pwpolicy-add editors --minlife=2 --priority=9

ipa: DEBUG: Created connection context.ldap2
ipa: DEBUG: raw: pwpolicy_add(u'editors', krbminpwdlife=2, 
cospriority=9, all=False, raw=False, version=u'2.15')
ipa: DEBUG: pwpolicy_add(u'editors', krbminpwdlife=2, cospriority=9, 
all=False, raw=False, version=u'2.15')
ipa: DEBUG: raw: cosentry_add(u'editors', 
krbpwdpolicyreference=u'cn=editors,cn=GREYOAK.COM,cn=kerberos,dc=greyoak,dc=com', 
cospriority=9)
ipa: DEBUG: cosentry_add(u'editors', 
krbpwdpolicyreference=u'cn=editors,cn=GREYOAK.COM,cn=kerberos,dc=greyoak,dc=com', 
cospriority=9, all=False, raw=False)

ipa: DEBUG: raw: group_show(u'editors', all=True)
ipa: DEBUG: group_show(u'editors', rights=False, all=True, raw=False)
ipa: DEBUG: raw: cosentry_find(None, cospriority=9)
ipa: DEBUG: cosentry_find(None, cospriority=9, all=False, raw=False, 
pkey_only=False)
ipa: ERROR: non-public: AttributeError: locked: cannot set 
cosentry_find.entries_sortfn to function lambda at 0x7f7abc33ec80

Traceback (most recent call last):
  File /home/rcrit/redhat/freeipa-review/ipaserver/rpcserver.py, 
line 223, in wsgi_execute

result = self.Command[name](*args, **options)
  File /home/rcrit/redhat/freeipa-review/ipalib/frontend.py, line 
438, in __call__

ret = self.run(*args, **options)
  File /home/rcrit/redhat/freeipa-review/ipalib/frontend.py, line 
756, in run

return self.execute(*args, **options)
  File /home/rcrit/redhat/freeipa-review/ipalib/plugins/baseldap.py, 
line 700, in execute

ldap, dn, entry_attrs, attrs_list, *keys, **options
  File /home/rcrit/redhat/freeipa-review/ipalib/plugins/pwpolicy.py, 
line 346, in pre_callback

cospriority=options.get('cospriority')
  File /home/rcrit/redhat/freeipa-review/ipalib/frontend.py, line 
438, in __call__

ret = self.run(*args, **options)
  File /home/rcrit/redhat/freeipa-review/ipalib/frontend.py, line 
756, in run

return self.execute(*args, **options)
  File /home/rcrit/redhat/freeipa-review/ipalib/plugins/baseldap.py, 
line 700, in execute

ldap, dn, entry_attrs, attrs_list, *keys, **options
  File /home/rcrit/redhat/freeipa-review/ipalib/plugins/pwpolicy.py, 
line 127, in pre_callback

self.obj.check_priority_uniqueness(*keys, **options)
  File /home/rcrit/redhat/freeipa-review/ipalib/plugins/pwpolicy.py, 
line 101, in check_priority_uniqueness

cospriority=options['cospriority']
  File /home/rcrit/redhat/freeipa-review/ipalib/frontend.py, line 
438, in __call__

ret = self.run(*args, **options)
  File /home/rcrit/redhat/freeipa-review/ipalib/frontend.py, line 
756, in run

return self.execute(*args, **options)
  File /home/rcrit/redhat/freeipa-review/ipalib/plugins/baseldap.py, 
line 1620, in execute
self.entries_sortfn=lambda x,y: 
cmp(x[1][self.obj.primary_key.name][0].lower(), 
y[1][self.obj.primary_key.name][0].lower())
  File /home/rcrit/redhat/freeipa-review/ipalib/base.py, line 131, 
in __setattr__

SET_ERROR % (self.__class__.__name__, name, value)
AttributeError: locked: cannot set cosentry_find.entries_sortfn to 
function lambda at 0x7f7abc33ec80
ipa: INFO: ad...@greyoak.com: pwpolicy_add(u'editors', 
krbminpwdlife=2, cospriority=9, all=False, raw=False, 
version=u'2.15'): AttributeError

ipa: DEBUG: response: InternalError: an internal error has occurred
ipa: DEBUG: Destroyed connection context.ldap2


corrected, patch attached

--
Regards,

Ondrej Hamada
FreeIPA team
jabber: oh...@jabbim.cz
IRC: ohamada

From 826826626e2c816dda8fa9039157e895e7bc740c Mon Sep 17 00:00:00 2001
From: Ondrej Hamada oham...@redhat.com
Date: Fri, 2 Dec 2011 13:51:35 +0100
Subject: [PATCH] Sort password policy by priority

'ipa pwpolicy-find' output is now sorted by priority of the policies.
Lower position means lower priority. Global policy is then at the bottom.

The changes have also affected the LDAPSearch class in baseldap.py:
LDAPSearch class sorts the search results by primary key by default
(which is usually 'cn

Re: [Freeipa-devel] [PATCH] ipa-client-install with --no-sssd option should check for nss_ldap

2011-12-01 Thread Ondrej Hamada

On 11/29/2011 10:33 PM, Rob Crittenden wrote:

Ondrej Hamada wrote:

On 11/11/2011 02:55 PM, Ondrej Hamada wrote:

https://fedorahosted.org/freeipa/ticket/2063

In order to check presence of nss_ldap when installing client with
'--no-sssd' option there was added code into ipa-client-install. Check
is based on existence of nss_ldap configuration files. This
configuration could be in 'etc/ldap.conf', '/etc/nss_ldap.conf' or
'/etc/libnss_ldap.conf'. Presence of any of these files is considered
as success, otherwise failure.




I've rewritten it. Additionally it checks for existence of nss-pam-ldapd
and makes the results reusable by configure_{ldap|nslcd}_conf() 
functions.


https://fedorahosted.org/freeipa/ticket/2063

In order to check presence of nss_ldap or nss-pam-ldapd when installing
client with '--no-sssd' option there was added code into ipa-client-install.
Checking is based on existence of nss_ldap configuration files. This
configuration could be in 'etc/ldap.conf', '/etc/nss_ldap.conf' or
'/etc/libnss_ldap.conf'. Optionally the nss_ldap could cooperate with
pam_ldap module and hence the presence of it is checked by looking for
'pam_ldap.conf' file. Existence of nss-pam-ldapd is checked against
existence of 'nslcd.conf' file. All this checking is done by function
nssldap_exists(). Because both main modules are maintained by two
different functions, the function returns tuple containing return code
and dictionary structure - its key is name of target function and value
is list of existing configuration files. Files to check are specified
inside the nssldap_exists() function.

In order to fit the returned values, the functions
configure_{ldap|nslcd}_conf() were slightly modified. They accept one
more parameter which is list of existing files. They are not checking
existence of above mentioned files anymore.


The patch looks good, just a couple of issues.

1. In the nslcd configurator you add ''.join(files). Did you mean 
','.join(files)?


2. The commit message lines wrap making it difficult to read. Can you 
limit the lines to ~70 chars per line?


3. I think the message printed when neither package is available can 
be simplified to:


One of these packages must be installed: nss_ldap or nss-pam-ldapd

It needs a rebase too.

rob

corrected, corrected, changed, rebased



In order to check presence of nss_ldap or nss-pam-ldapd when
installing client with '--no-sssd' option there was added
code into ipa-client-install. Checking is based on existence
of one of nss_ldap configuration files. This configuration
could be in 'etc/ldap.conf', '/etc/nss_ldap.conf' or
'/etc/libnss_ldap.conf'. Optionally the nss_ldap could
cooperate with pam_ldap module and hence the presence of it
is checked by looking for 'pam_ldap.conf' file. Existence
of nss-pam-ldapd is checked against existence of
'nslcd.conf' file. All this checking is done by function
nssldap_exists(). Because both modules are maintained by
two different functions, the function returns tuple
containing return code and dictionary structure - its
key is name of target function and value is list of
existing configuration files. Files to check are specified
inside the nssldap_exists() function.

In order to fit the returned values, the functions
configure_{ldap|nslcd}_conf() were slightly modified. They
accept one more parameter which is list of existing files.
They are not checking existence of above mentioned
files anymore.

https://fedorahosted.org/freeipa/ticket/2063

--
Regards,

Ondrej Hamada
FreeIPA team
jabber: oh...@jabbim.cz
IRC: ohamada

From e855cf4a544ba9b3fd69df3d5d5837dab005ee12 Mon Sep 17 00:00:00 2001
From: Ondrej Hamada oham...@redhat.com
Date: Thu, 1 Dec 2011 13:03:34 +0100
Subject: [PATCH] Client install checks for nss_ldap

In order to check presence of nss_ldap or nss-pam-ldapd when
installing client with '--no-sssd' option, code was added
to ipa-client-install. Checking is based on existence of
one of nss_ldap configuration files. This configuration
could be in 'etc/ldap.conf', '/etc/nss_ldap.conf' or
'/etc/libnss_ldap.conf'. Optionally nss_ldap can
cooperate with the pam_ldap module, and hence its presence
is checked by looking for the 'pam_ldap.conf' file. Existence
of nss-pam-ldapd is checked against existence of the
'nslcd.conf' file. All this checking is done by function
nssldap_exists(). Because both modules are maintained by
two different functions, the function returns a tuple
containing a return code and a dictionary structure; its
key is the name of the target function and its value is the
list of existing configuration files. Files to check are
specified inside the nssldap_exists() function.

In order to fit the returned values, the functions
configure_{ldap|nslcd}_conf() were slightly modified. They
accept one more parameter, which is the list of existing files.
They are not checking existence

[Freeipa-devel] [PATCH] 6 Sort password policy by priority

2011-11-29 Thread Ondrej Hamada

https://fedorahosted.org/freeipa/ticket/2045

'ipa pwpolicy-find' output is now sorted by priority of the policies.
Lower position means lower priority. Global policy is then at the bottom.

The changes have also affected the LDAPSearch class in baseldap.py:
LDAPSearch sorts the search results by primary key by default
(which is usually 'cn'). Therefore a function pointer entries_sortfn
was added. If no sorting function exists, default sorting by primary key
is used.

Sorting function had to be introduced due to the fact that pwpolicy's
primary key is also its 'cn' and global policy is not allowed to have
any priority.

--
Regards,

Ondrej Hamada
FreeIPA team
jabber: oh...@jabbim.cz
IRC: ohamada

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH] 6 Sort password policy by priority

2011-11-29 Thread Ondrej Hamada

On 11/29/2011 03:46 PM, Ondrej Hamada wrote:

https://fedorahosted.org/freeipa/ticket/2045

'ipa pwpolicy-find' output is now sorted by priority of the policies.
Lower position means lower priority. Global policy is then at the bottom.

The changes have also affected the LDAPSearch class in baseldap.py:
LDAPSearch sorts the search results by primary key by default
(which is usually 'cn'). Therefore a function pointer entries_sortfn
was added. If no sorting function exists, default sorting by primary key
is used.

Sorting function had to be introduced due to the fact that pwpolicy's
primary key is also its 'cn' and global policy is not allowed to have
any priority.



Forgot to attach the patch, sorry :-[

--
Regards,

Ondrej Hamada
FreeIPA team
jabber: oh...@jabbim.cz
IRC: ohamada

From 8078a025aaa68fb55482bfe7b3c410773d0583d4 Mon Sep 17 00:00:00 2001
From: Ondrej Hamada oham...@redhat.com
Date: Tue, 29 Nov 2011 15:18:48 +0100
Subject: [PATCH] Sort password policy by priority

'ipa pwpolicy-find' output is now sorted by priority of the policies.
Lower position means lower priority. Global policy is then at the bottom.

The changes have also affected the LDAPSearch class in baseldap.py:
LDAPSearch sorts the search results by primary key by default
(which is usually 'cn'). Therefore a function pointer entries_sortfn
was added. If no sorting function exists, default sorting by primary key
is used.

Sorting function had to be introduced due to the fact that pwpolicy's primary
key is also its 'cn' and global policy is not allowed to have any priority.

https://fedorahosted.org/freeipa/ticket/2045
---
 ipalib/plugins/baseldap.py |   12 +---
 ipalib/plugins/pwpolicy.py |   13 +
 2 files changed, 22 insertions(+), 3 deletions(-)

diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py
index 4fd5fe4a1e7ff2d8fac7d3a65379b4ae0c5eb554..f35412f0abef6c1a6ca6881e0b475ee2e54e8d28 100644
--- a/ipalib/plugins/baseldap.py
+++ b/ipalib/plugins/baseldap.py
@@ -1434,6 +1434,9 @@ class LDAPSearch(CallbackInterface, crud.Search):
 member_param_incl_doc = _('Search for %s with these %s %s.')
 member_param_excl_doc = _('Search for %s without these %s %s.')
 
+# if True, self.execute function won't sort the entries by 'cn' value
+entries_sortfn = None
+
 takes_options = (
 Int('timelimit?',
 label=_('Time Limit'),
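Review bot: the comment on the new `entries_sortfn` attribute ("if True, self.execute function won't sort the entries by 'cn' value") does not describe what it holds: it is a comparison function or None, and when a plugin sets it execute() still sorts, just with that function instead of the primary-key default. Suggest `# comparison function for sorting search results; None means sort by primary key`.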
@@ -1612,9 +1615,12 @@ class LDAPSearch(CallbackInterface, crud.Search):
 else:
 callback(self, ldap, entries, truncated, *args, **options)
 
-if self.obj.primary_key:
-sortfn=lambda x,y: cmp(x[1][self.obj.primary_key.name][0].lower(), y[1][self.obj.primary_key.name][0].lower())
-entries.sort(sortfn)
+if not self.entries_sortfn:
+if self.obj.primary_key:
+self.entries_sortfn=lambda x,y: cmp(x[1][self.obj.primary_key.name][0].lower(), y[1][self.obj.primary_key.name][0].lower())
+entries.sort(self.entries_sortfn)
+else:
+entries.sort(self.entries_sortfn)
 
 if not options.get('raw', False):
 for e in entries:
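Review bot: the `if not self.entries_sortfn:` branch stores the default comparator into `self.entries_sortfn`, so the first execute() call mutates the plugin instance (the class attribute is shadowed by an instance attribute as a side effect of running a search), and both branches then end in the identical `entries.sort(self.entries_sortfn)` call. Keep the default local instead: `sortfn = self.entries_sortfn`, then `if sortfn is None and self.obj.primary_key: sortfn = lambda x, y: cmp(...)`, then a single `if sortfn: entries.sort(sortfn)`. Behaviour is unchanged (no primary key and no custom function still means no sort) without the hidden state change.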
diff --git a/ipalib/plugins/pwpolicy.py b/ipalib/plugins/pwpolicy.py
index db42bca0424da34bc17b7df376d529bd60f55751..0f9175eb9691470ba94f4fcbbc2e4b76e5c0a199 100644
--- a/ipalib/plugins/pwpolicy.py
+++ b/ipalib/plugins/pwpolicy.py
@@ -455,7 +455,20 @@ api.register(pwpolicy_show)
 class pwpolicy_find(LDAPSearch):
 __doc__ = _('Search for group password policies.')
 
+def sort_priority(self,x,y):
+# global policy will be always last in the output
+if x[1]['cn'][0] == global_policy_name:
+return 1
+elif y[1]['cn'][0] == global_policy_name:
+return -1
+else:
+# policies with higher priority will be at the beginning of the list
+return cmp(int(x[1]['cospriority'][0]), int(y[1]['cospriority'][0]))
+
+entries_sortfn = sort_priority
+
 def post_callback(self, ldap, entries, truncated, *args, **options):
+
 if options.get('pkey_only', False):
 return False
 for e in entries:
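Review bot: `sort_priority` indexes `x[1]['cospriority'][0]` unconditionally, so a non-global policy entry that lacks a cospriority attribute raises KeyError from inside entries.sort() and the whole pwpolicy-find call fails; read it with `.get('cospriority', ...)` and give such entries a defined position. The comparison against `global_policy_name` is an exact string match on the cn value, so the global policy only gets its special placement if the stored cn matches in case, even though cn is case-insensitive in LDAP. The blank line added at the top of post_callback is unrelated whitespace and should be dropped.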
-- 
1.7.6.4

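The priority ordering that the patch above implements with a cmp() callback, as an added example that is not FreeIPA's own code: a Python 3 key function over (dn, attrs) tuples of the same shape the patch indexes, which also gives a policy with no cospriority attribute a defined position instead of raising KeyError. The sample entries and the global policy name "global_policy" are constructed assumptions.

```python
# Added example (not FreeIPA code): order password-policy entries the way the
# pwpolicy_find patch describes, with a key function instead of cmp().
# Entries are (dn, attrs) tuples, the shape the patch indexes as x[1]['cn'][0].

GLOBAL_POLICY_NAME = "global_policy"   # assumed cn of the global policy


def priority_key(entry):
    """Sort key: policies by ascending cospriority (a lower number is a higher
    priority, so it comes first), then policies with no cospriority, then the
    global policy last.  A missing cospriority therefore gets a defined place
    instead of the KeyError the cmp() version would raise inside sort()."""
    _dn, attrs = entry
    cn = attrs.get("cn", [""])[0]
    if cn.lower() == GLOBAL_POLICY_NAME:   # cn is case-insensitive in LDAP
        return (2, 0, cn)
    prio = attrs.get("cospriority")
    if not prio:
        return (1, 0, cn)
    return (0, int(prio[0]), cn)


def sort_policies(entries):
    return sorted(entries, key=priority_key)


# Constructed sample search result, attribute values as lists of strings.
SAMPLE_ENTRIES = [
    ("cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com",
     {"cn": ["global_policy"], "krbminpwdlife": ["1"]}),
    ("cn=admins,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com",
     {"cn": ["admins"], "cospriority": ["10"]}),
    ("cn=staff,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com",
     {"cn": ["staff"], "cospriority": ["5"]}),
    ("cn=legacy,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com",
     {"cn": ["legacy"]}),   # no cospriority attribute at all
]


def sorted_names(entries=SAMPLE_ENTRIES):
    """The cn values in output order."""
    return [attrs["cn"][0] for _dn, attrs in sort_policies(entries)]


if __name__ == "__main__":
    print(sorted_names())   # ['staff', 'admins', 'legacy', 'global_policy']
```

The tuple key sorts by a rank first (0 for prioritised policies, 1 for unprioritised, 2 for the global policy) and only then by the numeric priority, which is what keeps the global policy at the bottom without a special-cased comparator.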

[Freeipa-devel] [PATCH] 5 User-add random password support

2011-11-24 Thread Ondrej Hamada

https://fedorahosted.org/freeipa/ticket/1979

I've used code from ipalib/plugins/host.py to add support for random
password generation. The '--random' option is now available in
user-add and user-mod commands. If both the 'password' and 'random'
options are used the 'random' option will be ignored.

--
Regards,

Ondrej Hamada
FreeIPA team
jabber: oh...@jabbim.cz
IRC: ohamada

From 5787f847de123f1426080830db138ac88bc83751 Mon Sep 17 00:00:00 2001
From: Ondrej Hamada oham...@redhat.com
Date: Thu, 24 Nov 2011 15:39:22 +0100
Subject: [PATCH] User-add random password support

I've used code from ipalib/plugins/host.py to add support for random
password generation. The '--random' option is now available in
user-add and user-mod commands. If both the 'password' and 'random'
options are used - the 'random' option will be ignored.

https://fedorahosted.org/freeipa/ticket/1979
---
 API.txt|6 --
 ipalib/plugins/user.py |   29 +
 2 files changed, 33 insertions(+), 2 deletions(-)

diff --git a/API.txt b/API.txt
index 135b07908f08e20fba3391bbd8ad13252ea55b47..ffed0c2452fa01d6daeeafd74212cd2b0af4ad83 100644
--- a/API.txt
+++ b/API.txt
@@ -2741,7 +2741,7 @@ output: Output('summary', (type 'unicode', type 'NoneType'), None)
 output: Entry('result', type 'dict', Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
 output: Output('value', type 'unicode', None)
 command: user_add
-args: 1,31,3
+args: 1,32,3
 arg: Str('uid', attribute=True, cli_name='login', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', pattern_errmsg='may only include letters, numbers, _, -, . and $', primary_key=True, required=True)
 option: Str('givenname', attribute=True, cli_name='first', multivalue=False, required=True)
 option: Str('sn', attribute=True, cli_name='last', multivalue=False, required=True)
@@ -2754,6 +2754,7 @@ option: Str('loginshell', attribute=True, cli_name='shell', default=u'/bin/sh',
 option: Str('krbprincipalname', attribute=True, autofill=True, cli_name='principal', multivalue=False, required=False)
 option: Str('mail', attribute=True, cli_name='email', multivalue=True, required=False)
 option: Password('userpassword', attribute=True, cli_name='password', exclude='webui', multivalue=False, required=False)
+option: Flag('random', attribute=False, autofill=True, cli_name='random', default=False, multivalue=False, required=False)
 option: Int('uidnumber', attribute=True, autofill=True, cli_name='uid', default=999, minvalue=1, multivalue=False, required=False)
 option: Int('gidnumber', attribute=True, cli_name='gidnumber', multivalue=False, required=False)
 option: Str('street', attribute=True, cli_name='street', multivalue=False, required=False)
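Review bot: the new `Flag('random', ...)` for user_add carries no `doc=`, so `ipa user-add --help` will not tell the user what the commit message says: that `--random` is silently ignored when `--password` is also given. Put that precedence in the option help, or better, reject the combination with a validation error instead of dropping one option without notice.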
@@ -2847,7 +2848,7 @@ output: ListOfEntries('result', (type 'list', type 'tuple'), Gettext('A list
 output: Output('count', type 'int', None)
 output: Output('truncated', type 'bool', None)
 command: user_mod
-args: 1,31,3
+args: 1,32,3
 arg: Str('uid', attribute=True, cli_name='login', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', pattern_errmsg='may only include letters, numbers, _, -, . and $', primary_key=True, query=True, required=True)
 option: Str('givenname', attribute=True, autofill=False, cli_name='first', multivalue=False, required=False)
 option: Str('sn', attribute=True, autofill=False, cli_name='last', multivalue=False, required=False)
@@ -2859,6 +2860,7 @@ option: Str('gecos', attribute=True, autofill=False, cli_name='gecos', multivalu
 option: Str('loginshell', attribute=True, autofill=False, cli_name='shell', default=u'/bin/sh', multivalue=False, required=False)
 option: Str('mail', attribute=True, autofill=False, cli_name='email', multivalue=True, required=False)
 option: Password('userpassword', attribute=True, autofill=False, cli_name='password', exclude='webui', multivalue=False, required=False)
+option: Flag('random', attribute=False, autofill=True, cli_name='random', default=False, multivalue=False, required=False)
 option: Int('uidnumber', attribute=True, autofill=False, cli_name='uid', default=999, minvalue=1, multivalue=False, required=False)
 option: Int('gidnumber', attribute=True, autofill=False, cli_name='gidnumber', multivalue=False, required=False)
 option: Str('street', attribute=True, autofill=False, cli_name='street', multivalue=False, required=False)
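Review bot: for user_mod this hunk adds the `random` option, but none of the API.txt hunks in the patch add an output entry for the generated value, so where the caller receives the new password is not visible here. If the host.py code this was copied from returns its generated password in an output param, user_add and user_mod need the same and API.txt must list it; otherwise --random sets a password nobody can read back.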
diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py
index d3e63ef9a7bcf98d0bd34396b144134be38c17c3..f719efed1bba4dbb98a7a6289c6039bf21ef4e07 100644
--- a/ipalib/plugins/user.py
+++ b/ipalib/plugins/user.py
@@ -25,6 +25,7 @@ from ipalib.request import context
 from time import gmtime, strftime
 import copy
 from ipalib import _, ngettext
+from ipapython.ipautil import ipa_generate_password
 
 __doc__ = _(
 Users
@@ -237,6 +238,15 @@ class user(LDAPObject):
 # bomb out via the webUI.
 exclude='webui
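An added example, not FreeIPA's ipa_generate_password from ipapython.ipautil, of the two things the patch combines: drawing an initial password from the OS CSPRNG with the standard-library secrets module, and the precedence rule the commit message states (an explicit password wins, --random is ignored). The alphabet, the length and the resolve_password() option dict are assumptions.

```python
# Added example (not FreeIPA code): CSPRNG-backed random initial passwords plus
# the 'userpassword' beats 'random' precedence described in the patch.
import math
import secrets
import string

# Alphabet for generated passwords: letters, digits and a set of punctuation
# that survives most shells and LDAP clients unquoted; 90 symbols in total.
ALPHABET = string.ascii_letters + string.digits + "!#$%&()*+,-./:;<=>?@[]^_{|}~"


def generate_password(length=22, alphabet=ALPHABET):
    """Draw every character from the OS CSPRNG (secrets), never from random.*"""
    if length < 12:
        raise ValueError("refusing to generate a password shorter than 12 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def password_entropy_bits(length=22, alphabet=ALPHABET):
    """Entropy of a uniformly drawn password: length * log2(|alphabet|)."""
    return length * math.log2(len(alphabet))


def resolve_password(options):
    """Apply the precedence the patch describes: an explicit 'userpassword'
    wins and 'random' is ignored; 'random' alone generates one; neither means
    no password is set.  Returns (password_or_None, was_generated)."""
    explicit = options.get("userpassword")
    if explicit:
        return explicit, False
    if options.get("random"):
        return generate_password(), True
    return None, False


if __name__ == "__main__":
    # Constructed option dicts, as a CLI front end would hand them over.
    print(resolve_password({"userpassword": "Secret123", "random": True}))
    print(resolve_password({"random": True}))
    print(round(password_entropy_bits(), 1), "bits for the default length")
```

With 90 symbols and 22 characters the default comes to roughly 143 bits of entropy, comfortably above what a password that is meant to be changed at first login needs; the value returned to the operator is the only copy, so the caller has to surface it in the command output.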

[Freeipa-devel] [PATCH] 4 ipa-client-install fails when not run as root

2011-11-18 Thread Ondrej Hamada

https://fedorahosted.org/freeipa/ticket/2123

ipa-client-install was failing and returning a traceback when it
wasn't run by root. It was caused by logging initialization that
was taking place before the root privileges check. To correct it,
the privileges check was moved before the logging initialization.

--
Regards,

Ondrej Hamada
FreeIPA team
jabber: oh...@jabbim.cz
IRC: ohamada

From f7a53fa52cd2e757a183015d17b6d5c4d8dae08d Mon Sep 17 00:00:00 2001
From: Ondrej Hamada oham...@redhat.com
Date: Fri, 18 Nov 2011 13:55:16 +0100
Subject: [PATCH] Client install root privileges check

ipa-client-install was failing and returning a traceback when it
wasn't run by root. It was caused by logging initialization that
was taking place before the root privileges check. To correct it,
the check was moved before the logging initialization.

https://fedorahosted.org/freeipa/ticket/2123
---
 ipa-client/ipa-install/ipa-client-install |4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index cdea6dbe6fbbdca608ad8e858cf9fa042f7de9d1..9f7d3fd33bab5e9cc7748ffc0601d6e2f88bc24b 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -1250,11 +1250,11 @@ def install(options, env, fstore, statestore):
 def main():
 safe_options, options = parse_options()
 
+if not os.getegid() == 0:
+sys.exit(\nYou must be root to run ipa-client-install.\n)
 logging_setup(options)
 logging.debug('%s was invoked with options: %s' % (sys.argv[0], safe_options))
 logging.debug(missing options might be asked for interactively later\n)
-if not os.getegid() == 0:
-sys.exit(\nYou must be root to run ipa-client-install.\n)
 
 env={PATH:/bin:/sbin:/usr/kerberos/bin:/usr/kerberos/sbin:/usr/bin:/usr/sbin}
 
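Review bot: the check moved ahead of logging_setup() tests `os.getegid() == 0`, the effective group id, not the user id; a non-root process whose effective group is gid 0 would pass, and root running under another effective gid would be told it is not root. Since the line is being moved anyway, change it to `os.geteuid() == 0`, which is what "You must be root" actually means.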
-- 
1.7.6.4


Re: [Freeipa-devel] [PATCH] ipa-client-install with --no-sssd option should check for nss_ldap

2011-11-14 Thread Ondrej Hamada

On 11/11/2011 02:55 PM, Ondrej Hamada wrote:

https://fedorahosted.org/freeipa/ticket/2063

In order to check presence of nss_ldap when installing client with
'--no-sssd' option, code was added into ipa-client-install. The check
is based on existence of nss_ldap configuration files. This
configuration could be in 'etc/ldap.conf', '/etc/nss_ldap.conf' or
'/etc/libnss_ldap.conf'. Presence of any of these files is considered
a success, otherwise a failure.




I've rewritten it. Additionally it checks for existence of nss-pam-ldapd 
and makes the results reusable by configure_{ldap|nslcd}_conf() functions.


https://fedorahosted.org/freeipa/ticket/2063

In order to check presence of nss_ldap or nss-pam-ldapd when installing
client with '--no-sssd' option, code was added into ipa-client-install.
Checking is based on existence of nss_ldap configuration files. This
configuration could be in 'etc/ldap.conf', '/etc/nss_ldap.conf' or
'/etc/libnss_ldap.conf'. Optionally nss_ldap can cooperate with the
pam_ldap module, and hence its presence is checked by looking for the
'pam_ldap.conf' file. Existence of nss-pam-ldapd is checked against
existence of the 'nslcd.conf' file.

All this checking is done by function nssldap_exists(). Because both
main modules are maintained by two different functions, the function
returns a tuple containing a return code and a dictionary; its key is
the name of the target function and its value is the list of existing
configuration files. Files to check are specified inside the
nssldap_exists() function.

In order to fit the returned values, the functions
configure_{ldap|nslcd}_conf() were slightly modified. They accept one
more parameter, which is the list of existing files. They no longer
check for the existence of the files mentioned above.

--
Regards,

Ondrej Hamada
FreeIPA team
jabber: oh...@jabbim.cz
IRC: ohamada

From 82483a006bd99ce4d021b7b93ab7e828cb788c7a Mon Sep 17 00:00:00 2001
From: Ondrej Hamada oham...@redhat.com
Date: Mon, 14 Nov 2011 16:45:36 +0100
Subject: [PATCH] Client install checks for nss_ldap

In order to check presence of nss_ldap or nss-pam-ldapd when installing client
with '--no-sssd' option, code was added into ipa-client-install.
Checking is based on existence of nss_ldap configuration files. This
configuration could be in 'etc/ldap.conf', '/etc/nss_ldap.conf' or
'/etc/libnss_ldap.conf'. Optionally nss_ldap can cooperate with the pam_ldap
module, and hence its presence is checked by looking for the 'pam_ldap.conf' file.
Existence of nss-pam-ldapd is checked against existence of the 'nslcd.conf' file.
All this checking is done by function nssldap_exists().
Because both main modules are maintained by two different functions, the function
returns a tuple containing a return code and a dictionary; its key is the name
of the target function and its value is the list of existing configuration files.
Files to check are specified inside the nssldap_exists() function.

In order to fit the returned values, the functions configure_{ldap|nslcd}_conf()
were slightly modified. They accept one more parameter, which is the list of existing files.
They no longer check for the existence of the files mentioned above.

https://fedorahosted.org/freeipa/ticket/2063
---
 ipa-client/ipa-install/ipa-client-install |   60 -
 1 files changed, 42 insertions(+), 18 deletions(-)

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index cdea6dbe6fbbdca608ad8e858cf9fa042f7de9d1..65537da21890365e29370f9af76edf93317b5154 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -402,6 +402,26 @@ def uninstall(options, env, quiet=False):
 
 return 0
 
+def nssldap_exists():
+files_to_check = [{'function':'configure_ldap_conf', 'mandatory':['/etc/ldap.conf','/etc/nss_ldap.conf','/etc/libnss-ldap.conf'], 'optional':['/etc/pam_ldap.conf']},
+  {'function':'configure_nslcd_conf', 'mandatory':['/etc/nslcd.conf']}]
+files_found = {}
+retval = 1
+
+for function in files_to_check:
+files_found[function['function']]=[]
+for file_type in ['mandatory','optional']:
+try:
+for filename in function[file_type]:
+if file_exists(filename):
+files_found[function['function']].append(filename)
+if file_type == 'mandatory':
+retval = 0
+except KeyError:
+pass
+
+return (retval, files_found)
+
 def configure_ipa_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server):
 ipaconf = ipaclient.ipachangeconf.IPAChangeConf(IPA Installer)
 ipaconf.setOptionAssignment( = )
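Review bot: `nssldap_exists()` checks for '/etc/libnss-ldap.conf' while the commit message says '/etc/libnss_ldap.conf'; whichever spelling the packages actually install, the two have to agree or that file is never matched. The `try/except KeyError` around the optional list is a roundabout `function.get(file_type, [])`, and a shell-style `retval` (0 means found) returned next to the dict invites `if retval:` being read backwards at the call site; returning just `files_found` (empty dict = nothing installed) or an explicit bool would be clearer. Note also that `files_found` collects optional files (pam_ldap.conf) even when no mandatory file exists, so a caller must not treat a non-empty list as "module present".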
@@ -428,7 +448,7 @@ def configure_ipa_conf(fstore, cli_basedn, cli_realm
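The detection that the patch's nssldap_exists() performs, as an added example that is not the patch's code: the same file lists, but the result is a plain dict keyed by the configure_* function name (empty when neither backend is installed) instead of a shell-style return code, optional files never qualify a backend on their own, and the check can be pointed at a constructed directory tree so it runs without touching the real /etc. The function names and the sample trees are assumptions.

```python
# Added example (not FreeIPA code): detect which NSS LDAP backend is configured
# from its configuration files, with an explicit result instead of (retval, dict).
import os
import tempfile

# Files that identify each backend; paths follow the patch above.  The commit
# message spells the third one '/etc/libnss_ldap.conf', so a real deployment
# should settle on the spelling the packages actually ship.
NSS_BACKENDS = {
    "configure_ldap_conf": {
        "mandatory": ["/etc/ldap.conf", "/etc/nss_ldap.conf",
                      "/etc/libnss-ldap.conf"],
        "optional": ["/etc/pam_ldap.conf"],
    },
    "configure_nslcd_conf": {
        "mandatory": ["/etc/nslcd.conf"],
    },
}


def _under(root, path):
    """Re-root an absolute path so the check can run on a constructed tree."""
    return os.path.join(root, path.lstrip("/"))


def nss_backends_present(root="/"):
    """Return {configure_function: [existing config files]} for every backend
    that has at least one mandatory file.  Optional files (pam_ldap.conf) are
    reported only alongside a mandatory one, so they never qualify a backend
    on their own.  An empty dict means neither nss_ldap nor nss-pam-ldapd is
    installed, which is the --no-sssd failure case."""
    found = {}
    for func, spec in NSS_BACKENDS.items():
        mandatory = [p for p in spec["mandatory"]
                     if os.path.isfile(_under(root, p))]
        if not mandatory:
            continue
        optional = [p for p in spec.get("optional", [])
                    if os.path.isfile(_under(root, p))]
        found[func] = mandatory + optional
    return found


def detect_on_constructed_tree(existing_files):
    """Build a throw-away directory tree containing the given absolute paths
    (constructed input) and run the detection against it."""
    with tempfile.TemporaryDirectory() as root:
        for path in existing_files:
            full = _under(root, path)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write("# constructed sample config\n")
        return nss_backends_present(root)


if __name__ == "__main__":
    print(detect_on_constructed_tree(["/etc/pam_ldap.conf"]))   # {}: optional only
    print(detect_on_constructed_tree(["/etc/nslcd.conf"]))
    print(detect_on_constructed_tree(["/etc/ldap.conf", "/etc/pam_ldap.conf"]))
```

On a real client the call is simply `nss_backends_present()`; an installer would abort with the "one of these packages must be installed" message when the dict is empty and otherwise hand each backend's file list to the matching configure_* function.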

[Freeipa-devel] [PATCH] ipa-client-install with --no-sssd option should check for nss_ldap

2011-11-11 Thread Ondrej Hamada

https://fedorahosted.org/freeipa/ticket/2063

In order to check presence of nss_ldap when installing client with
'--no-sssd' option, code was added into ipa-client-install. The check
is based on existence of nss_ldap configuration files. This configuration
could be in 'etc/ldap.conf', '/etc/nss_ldap.conf' or
'/etc/libnss_ldap.conf'. Presence of any of these files is considered a
success, otherwise a failure.


--
Regards,

Ondrej Hamada
FreeIPA team
jabber: oh...@jabbim.cz
IRC: ohamada

From 741e6da0531986ed32f4e3ef0fbb53e5fbd5ee44 Mon Sep 17 00:00:00 2001
From: Ondrej Hamada oham...@redhat.com
Date: Fri, 11 Nov 2011 14:03:30 +0100
Subject: [PATCH] Client install checks for nss_ldap

In order to check presence of nss_ldap when installing client
with '--no-sssd' option, code was added into ipa-client-install.
The check is based on existence of nss_ldap configuration files. This
configuration could be in 'etc/ldap.conf', '/etc/nss_ldap.conf' or
'/etc/libnss_ldap.conf'. Presence of any of these files is considered
a success, otherwise a failure and installation is aborted with a proper
error message.

https://fedorahosted.org/freeipa/ticket/2063
---
 ipa-client/ipa-install/ipa-client-install |   11 +++
 1 files changed, 11 insertions(+), 0 deletions(-)

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index cdea6dbe6fbbdca608ad8e858cf9fa042f7de9d1..362f167307189fab746478b2362dfe685241a4ee 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -870,6 +870,17 @@ def install(options, env, fstore, statestore):
 print 'Invalid hostname \'%s\', must be lower-case.' % hostname
 return CLIENT_INSTALL_ERROR
 
+# When --no-sssd option set, there must be nss_ldap module installed.
+if not options.sssd:
+nss_ldap = False
+for filename in ['/etc/ldap.conf', '/etc/nss_ldap.conf', '/etc/libnss-ldap.conf']:
+if file_exists(filename):
+nss_ldap = True
+break
+if not nss_ldap:
+print sys.stderr, 'nss_ldap' not installed
+return CLIENT_INSTALL_ERROR
+
 # Create the discovery instance
 ds = ipadiscovery.IPADiscovery()
 
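Review bot: the check only knows nss_ldap; a host using nss-pam-ldapd ('/etc/nslcd.conf'), which the installer already supports through configure_nslcd_conf, is rejected with "nss_ldap not installed". The file list also says '/etc/libnss-ldap.conf' while the commit message says '/etc/libnss_ldap.conf'. And as the line appears here, `print sys.stderr, 'nss_ldap' not installed` would print the repr of sys.stderr to stdout rather than write to stderr; it needs the Python 2 redirection form `print >>sys.stderr, "..."` with the message quoted, unless the `>>` and quotes were lost in the mail.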
-- 
1.7.6.4


Re: [Freeipa-devel] [PATCH] ipa-client-install with --no-sssd option should check for nss_ldap

2011-11-11 Thread Ondrej Hamada

On 11/11/2011 03:25 PM, Alexander Bokovoy wrote:

On Fri, 11 Nov 2011, Rob Crittenden wrote:

Ondrej Hamada wrote:

https://fedorahosted.org/freeipa/ticket/2063

In order to check presence of nss_ldap when installing client with
'--no-sssd' option, code was added into ipa-client-install. The check
is based on existence of nss_ldap configuration files. This configuration
could be in 'etc/ldap.conf', '/etc/nss_ldap.conf' or
'/etc/libnss_ldap.conf'. Presence of any of these files is considered a
success, otherwise a failure.

I think we should check for nslcd.conf as well and report that
neither nss-ldap nor nss-pam-ldapd are installed.

We already have code in configure_ldap_config() and
configure_nslcd_conf that checks all these different files and after
configuration reports what was configured.

I would rather do a commonalization of detection instead of
duplicating the code. We can re-use the result of detecting what exists
later in configure_{ldap,nslcd}_config().


I'll do it, but I have question:
configure_ldap_config() also checks whether file 'pam_ldap.conf' exists. 
Is installed pam_ldap package without nss_ldap enough to allow 
ipa-client installation with --no-sssd option?


--
Regards,

Ondrej Hamada
FreeIPA team
jabber: oh...@jabbim.cz
IRC: ohamada



Re: [Freeipa-devel] [PATCH] the 'Keytab:' field in ipa user-show output is misleading

2011-11-10 Thread Ondrej Hamada

On 11/10/2011 10:30 AM, Martin Kosek wrote:

On Tue, 2011-11-08 at 20:41 +0100, Ondrej Hamada wrote:

https://fedorahosted.org/freeipa/ticket/1961

The 'Keytab' field in the output of all 'user-*' commands was changed to
'Kerberos keys available'. In order to do this change for 'user-*'
commands only, the flag 'has_keytab' had to be removed from the common
output parameters in ipalib/baseldap.py. This change also affected
host.py and service.py, where the 'has_keytab' flag was added to their
local output params. Both host.py and service.py hold the old field
caption - 'Keytab' - for compatibility with older clients.


Ondra, thanks for the patch. It looks OK, everything behaves as
expected.

I am still concerned about your patch formatting:
1) Patch naming does not follow FreeIPA conventions. You can check
other patch file names - mine, Rob's or Alexander's for example. The
patch file name should be freeipa-ohamada-2-description.patch. The
patch number should also be in your mail subject - it helps when
searching mails etc.

2) Patch title is wrong - you don't need to include [PATCH] in the git
commit's title. This then makes it appear here twice.

3) Patch description is insufficient. I miss a link to the ticket and some
description. You only added it to the mail. When I am traversing FreeIPA
git logs, I must be able to quickly read what this patch does.

You would have seen all these conventions I wrote you about if you had
read some patches in freeipa-devel or had read some in the FreeIPA git log.

Martin



Shame on me. Sorry for that.

Corrected patch attached.

--
Regards,

Ondrej Hamada
FreeIPA team
jabber: oh...@jabbim.cz
IRC: ohamada

From 3e5f5da083779866ab3d92d8d1cd789d417def26 Mon Sep 17 00:00:00 2001
From: Ondrej Hamada oham...@redhat.com
Date: Thu, 10 Nov 2011 13:46:16 +0100
Subject: [PATCH] Misleading Keytab field

The 'Keytab' field in the output of all 'user-*' commands was changed
to 'Kerberos keys available'. In order to do this change for 'user-*'
commands only, the flag 'has_keytab' had to be removed from the common
output parameters in ipalib/baseldap.py. This change also affected
host.py and service.py, where the 'has_keytab' flag was added to their
local output params. Both host.py and service.py hold the old field
caption - 'Keytab' - for compatibility with older clients.

https://fedorahosted.org/freeipa/ticket/1961
---
 ipalib/plugins/baseldap.py |3 ---
 ipalib/plugins/host.py |3 +++
 ipalib/plugins/service.py  |5 +
 ipalib/plugins/user.py |   14 ++
 4 files changed, 22 insertions(+), 3 deletions(-)

diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py
index 88f312998d27ecd8311eb4204c95e1ca212afeb2..4fd5fe4a1e7ff2d8fac7d3a65379b4ae0c5eb554 100644
--- a/ipalib/plugins/baseldap.py
+++ b/ipalib/plugins/baseldap.py
@@ -36,9 +36,6 @@ from ipalib.util import json_serialize
 from ipalib.dn import *
 
 global_output_params = (
-Flag('has_keytab',
-label=_('Keytab'),
-),
 Flag('has_password',
 label=_('Password'),
 ),
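Review bot: removing `has_keytab` from `global_output_params` drops the field from every plugin that relied on it, not just user, host and service; the diff re-adds it to host and service and relabels it for user, but any other LDAPObject plugin whose commands call get_password_attributes() loses the flag silently. Please confirm none do, and state in the commit message that this is a deliberate change to the global output params.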
diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py
index 0f3f91565cedb699726421ec00cb8f7a93b821bb..6557880aa82598857251f3d8b80e6d3b326fbca6 100644
--- a/ipalib/plugins/host.py
+++ b/ipalib/plugins/host.py
@@ -162,6 +162,9 @@ def remove_fwd_ptr(ipaddr, host, domain, recordtype):
 pass
 
 host_output_params = (
+Flag('has_keytab',
+label=_('Keytab'),
+),
 Str('managedby_host',
 label='Managed by',
 ),
diff --git a/ipalib/plugins/service.py b/ipalib/plugins/service.py
index 048a6b4f04b761131108874fbd09962be33e8a80..dad3ded434d241ae55e1352889c577ba1a08d8c4 100644
--- a/ipalib/plugins/service.py
+++ b/ipalib/plugins/service.py
@@ -84,6 +84,9 @@ EXAMPLES:
 )
 
 output_params = (
+Flag('has_keytab',
+label=_('Keytab'),
+),
 Str('managedby_host',
 label='Managed by',
 ),
@@ -358,6 +361,7 @@ class service_find(LDAPSearch):
 member_attributes = ['managedby']
 takes_options = LDAPSearch.takes_options
 has_output_params = LDAPSearch.has_output_params + output_params
+
 def pre_callback(self, ldap, filter, attrs_list, base_dn, scope, *args, **options):
 # lisp style!
 custom_filter = '((objectclass=ipaService)' \
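Review bot: the only change in this service_find hunk is a blank line inserted before pre_callback; that is unrelated whitespace noise and should be left out of the patch.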
@@ -392,6 +396,7 @@ class service_show(LDAPRetrieve):
 doc=_('file to store certificate in'),
 ),
 )
+has_output_params = LDAPRetrieve.has_output_params + output_params
 
 def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
 self.obj.get_password_attributes(ldap, dn, entry_attrs)
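Review bot: service_show gains `has_output_params = LDAPRetrieve.has_output_params + output_params` and service_find already had it, but per the diffstat those are the only service commands touched; if service_add or service_mod also render the entry's keytab state they have just lost the 'Keytab' field. Check every service command that calls get_password_attributes().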
diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py
index 273c68fb2457da7493227ae820c263ebf7598327..d3e63ef9a7bcf98d0bd34396b144134be38c17c3 100644
--- a/ipalib/plugins/user.py
+++ b/ipalib/plugins/user.py
@@ -68,6 +68,12 @@ EXAMPLES:
 
 NO_UPG_MAGIC = '__no_upg__'
 
+user_output_params = (
+Flag('has_keytab',
+label=_('Kerberos keys available

[Freeipa-devel] [PATCH] the 'Keytab:' field in ipa user-show output is misleading

2011-11-08 Thread Ondrej Hamada

https://fedorahosted.org/freeipa/ticket/1961

The 'Keytab' field in the output of all 'user-*' commands was changed to
'Kerberos keys available'. In order to do this change for 'user-*'
commands only, the flag 'has_keytab' had to be removed from the common
output parameters in ipalib/baseldap.py. This change also affected
host.py and service.py, where the 'has_keytab' flag was added to their
local output params. Both host.py and service.py hold the old field
caption - 'Keytab' - for compatibility with older clients.


--
Regards,

Ondrej Hamada
FreeIPA team
jabber: oh...@jabbim.cz
IRC: ohamada

From 77d719d184126e85c27b20db1a3735e7d14b83f2 Mon Sep 17 00:00:00 2001
From: Ondrej Hamada oham...@redhat.com
Date: Tue, 8 Nov 2011 19:12:48 +0100
Subject: [PATCH] [PATCH] the 'Keytab:' field in ipa user-show output is
 misleading

---
 ipalib/plugins/baseldap.py |3 ---
 ipalib/plugins/host.py |3 +++
 ipalib/plugins/service.py  |5 +
 ipalib/plugins/user.py |   14 ++
 4 files changed, 22 insertions(+), 3 deletions(-)

diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py
index 88f312998d27ecd8311eb4204c95e1ca212afeb2..4fd5fe4a1e7ff2d8fac7d3a65379b4ae0c5eb554 100644
--- a/ipalib/plugins/baseldap.py
+++ b/ipalib/plugins/baseldap.py
@@ -36,9 +36,6 @@ from ipalib.util import json_serialize
 from ipalib.dn import *
 
 global_output_params = (
-Flag('has_keytab',
-label=_('Keytab'),
-),
 Flag('has_password',
 label=_('Password'),
 ),
diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py
index 0f3f91565cedb699726421ec00cb8f7a93b821bb..6557880aa82598857251f3d8b80e6d3b326fbca6 100644
--- a/ipalib/plugins/host.py
+++ b/ipalib/plugins/host.py
@@ -162,6 +162,9 @@ def remove_fwd_ptr(ipaddr, host, domain, recordtype):
 pass
 
 host_output_params = (
+Flag('has_keytab',
+label=_('Keytab'),
+),
 Str('managedby_host',
 label='Managed by',
 ),
diff --git a/ipalib/plugins/service.py b/ipalib/plugins/service.py
index 048a6b4f04b761131108874fbd09962be33e8a80..dad3ded434d241ae55e1352889c577ba1a08d8c4 100644
--- a/ipalib/plugins/service.py
+++ b/ipalib/plugins/service.py
@@ -84,6 +84,9 @@ EXAMPLES:
 )
 
 output_params = (
+Flag('has_keytab',
+label=_('Keytab'),
+),
 Str('managedby_host',
 label='Managed by',
 ),
@@ -358,6 +361,7 @@ class service_find(LDAPSearch):
 member_attributes = ['managedby']
 takes_options = LDAPSearch.takes_options
 has_output_params = LDAPSearch.has_output_params + output_params
+
 def pre_callback(self, ldap, filter, attrs_list, base_dn, scope, *args, **options):
 # lisp style!
 custom_filter = '((objectclass=ipaService)' \
@@ -392,6 +396,7 @@ class service_show(LDAPRetrieve):
 doc=_('file to store certificate in'),
 ),
 )
+has_output_params = LDAPRetrieve.has_output_params + output_params
 
 def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
 self.obj.get_password_attributes(ldap, dn, entry_attrs)
diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py
index 273c68fb2457da7493227ae820c263ebf7598327..d3e63ef9a7bcf98d0bd34396b144134be38c17c3 100644
--- a/ipalib/plugins/user.py
+++ b/ipalib/plugins/user.py
@@ -68,6 +68,12 @@ EXAMPLES:
 
 NO_UPG_MAGIC = '__no_upg__'
 
+user_output_params = (
+Flag('has_keytab',
+label=_('Kerberos keys available'),
+),
+   )
+
 def validate_nsaccountlock(entry_attrs):
 if 'nsaccountlock' in entry_attrs:
 nsaccountlock = entry_attrs['nsaccountlock']
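Review bot: the closing parenthesis of `user_output_params` is indented (`+   )`) while the surrounding tuples in this patch (host_output_params, output_params) close at column zero; align it. This first version also changes the label to 'Kerberos keys available' for user-* only with a commit message that is just the mail subject, so the reason (compatibility of the 'Keytab' caption for host and service with older clients) is invisible in git log; the resend should carry the description from the mail body.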
@@ -352,6 +358,8 @@ class user_add(LDAPCreate):
 
 msg_summary = _('Added user %(value)s')
 
+has_output_params = LDAPCreate.has_output_params + user_output_params
+
 takes_options = LDAPCreate.takes_options + (
 Flag('noprivate',
 cli_name='noprivate',
@@ -477,6 +485,8 @@ class user_mod(LDAPUpdate):
 
 msg_summary = _('Modified user %(value)s')
 
+has_output_params = LDAPUpdate.has_output_params + user_output_params
+
 def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
 if 'mail' in entry_attrs:
 entry_attrs['mail'] = self.obj._normalize_email(entry_attrs['mail'])
@@ -498,6 +508,7 @@ class user_find(LDAPSearch):
 __doc__ = _('Search for users.')
 
 member_attributes = ['memberof']
+has_output_params = LDAPSearch.has_output_params + user_output_params
 
 takes_options = LDAPSearch.takes_options + (
 Flag('whoami',
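Review bot: `has_output_params` lands in a different spot in each command: on its own paragraph after msg_summary in user_add and user_mod, squeezed between member_attributes and takes_options in user_find, and before post_callback in user_show. Pick one placement (right after the docstring/msg_summary block) so the four commands read the same.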
@@ -532,6 +543,8 @@ api.register(user_find)
 class user_show(LDAPRetrieve):
 __doc__ = _('Display information about a user.')
 
+has_output_params = LDAPRetrieve.has_output_params + user_output_params
+
 def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
 convert_nsaccountlock(entry_attrs)
 self.obj._convert_manager(entry_attrs, **options)
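Review bot: user_show now declares `has_keytab` as an output param, but the post_callback visible here only calls `convert_nsaccountlock(entry_attrs)` and `self.obj._convert_manager(entry_attrs, **options)`; unlike service_show's post_callback, which calls `self.obj.get_password_attributes(ldap, dn, entry_attrs)`, nothing in this hunk sets `entry_attrs['has_keytab']`. Either the value is produced elsewhere (worth a comment saying where) or the same call belongs here, otherwise the flag is declared but never shown. The same question applies to the user_add, user_mod and user_find hunks above, which only add the declaration.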
@@ -566,6 +579,7 @@ class user_enable(LDAPQuery

[Freeipa-devel] [PATCH] 1 Do lazy initialization ipalib

2011-10-25 Thread Ondrej Hamada

https://fedorahosted.org/freeipa/ticket/1336

Lazy initialization of ipalib plugins is used under all contexts, not 
only when context = cli. Every loaded plugin is pre-finalized: a flag 
is set, which means that the plugin needs to be finalized. Then every 
call of the plugin's __getattribute__ checks the flag and finalizes the 
plugin if necessary. The code was implemented by jcholast. The time 
reduction in command execution is quite remarkable:


patch [s] | normal [s] | command
----------+------------+----------------------------------------------
1.468     | 2.287      | ipa user-add jsmith --first=john --last=smith
1.658     | 2.235      | ipa user-del jsmith
1.624     | 2.204      | ipa dnsrecord-find example.com

--
Regards,

Ondrej Hamada
FreeIPA team
jabber: oh...@jabbim.cz
IRC: ohamada

diff --git a/ipalib/plugable.py b/ipalib/plugable.py
index b0e4156..2aed1cd 100644
--- a/ipalib/plugable.py
+++ b/ipalib/plugable.py
@@ -173,6 +173,7 @@ class Plugin(ReadOnly):
 
 
 label = None
+__try_finalize = False
 
 def __init__(self):
 self.__api = None
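Review bot: `__try_finalize` is a double-underscore name and is therefore mangled to `_Plugin__try_finalize`; that mangling is the only reason the `name.startswith('_Plugin__')` guard in `__getattribute__` below stops the flag check from recursing into itself, and a one-line comment next to the declaration would save the next reader from rediscovering it. Because the default lives on the class, every instance shares `False` until `prefinalize()` writes its own copy, which also means a subclass cannot override the flag under the same name.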
@@ -208,6 +209,16 @@ class Plugin(ReadOnly):
 )
 )
 
+def __getattribute__(self, name):
+if name.startswith('_Plugin__') or name.startswith('_ReadOnly__'):
+return object.__getattribute__(self, name)
+if self.__try_finalize:
+self.__try_finalize = False
+self.finalize()
+if not is_production_mode(self.__api):
+assert islocked(self) is True
+return object.__getattribute__(self, name)
+
 def __get_api(self):
 
 Return `API` instance passed to `finalize()`.
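Review bot: `is_production_mode(self.__api)` replaces the `production_mode` local that the removed lines in `API.finalize` relied on; this hunk does not import or define that name in plugable.py, and if it is missing the NameError only surfaces on the first attribute access of a plugin in non-production mode, so please confirm it is available. The ordering `self.__try_finalize = False` then `self.finalize()` is required, since finalize()'s own attribute reads would otherwise re-enter this block, but it opens a window: if plugin instances are shared between threads, a second thread arriving between the two statements sees `False` and reads the not-yet-finalized, unlocked object. A lock around the block, or finalizing on a single thread before instances are shared, closes it. Finally, every attribute read on every plugin now passes through this Python-level method; that is the price of the roughly 0.6 s saving quoted in the mail and deserves a sentence in the docstring.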
@@ -217,6 +228,9 @@ class Plugin(ReadOnly):
 return self.__api
 api = property(__get_api)
 
+def prefinalize(self):
+self.__try_finalize = True
+
 def finalize(self):
 
 
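Review bot: `prefinalize()` has no docstring while the neighbouring `__get_api` and `finalize` do; a short one stating that it only arms the flag and that `finalize()` then runs from `__getattribute__` on the first subsequent attribute access documents the new contract for plugin authors. It also writes to `self`, so it has to be called before the instance is locked, which `API.finalize` does, but the docstring should say so.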
@@ -638,9 +652,7 @@ class API(DictProxy):
 assert p.instance.api is self
 
 for p in plugins.itervalues():
-p.instance.finalize()
-if not production_mode:
-assert islocked(p.instance) is True
+p.instance.prefinalize()
 object.__setattr__(self, '_API__finalized', True)
 tuple(PluginInfo(p) for p in plugins.itervalues())
 object.__setattr__(self, 'plugins',
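Review bot: with the eager loop reduced to `p.instance.prefinalize()`, the `islocked` assertion and the `production_mode` local that the removed lines used are gone from this method; if `production_mode` is no longer referenced elsewhere in `API.finalize` it is now dead and should be dropped in the same patch. Also check the line right after the loop, `tuple(PluginInfo(p) for p in plugins.itervalues())`: if `PluginInfo` reads any attribute of `p.instance`, it triggers `__getattribute__` on every plugin immediately and the laziness is lost before `api.finalize()` returns.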
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
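The mechanism the mail describes (flag armed in `API.finalize()`, `finalize()` run from `Plugin.__getattribute__` on the first real attribute access, instance locked afterwards), reproduced as an added stand-alone example. This is not FreeIPA's code: `ReadOnly`, `islocked()`, the production-mode check and the plugin classes are simplified stand-ins assumed for the demo. It goes one step beyond the mail by also showing what a second thread sees if it touches a prefinalized plugin while `finalize()` is still running; whether ipalib plugin instances are ever shared between threads is an assumption the mail does not settle.

```python
"""Lazy plugin finalization through __getattribute__, as in the patch above.
Added example, not FreeIPA code: ReadOnly, islocked() and the plugin classes
are simplified stand-ins that mirror the shape of the patch."""
import threading


class ReadOnly(object):
    """Stand-in for ipalib's ReadOnly: once locked, attribute writes fail."""
    __locked = False                      # mangled to _ReadOnly__locked

    def __lock__(self):
        object.__setattr__(self, '_ReadOnly__locked', True)

    def __setattr__(self, name, value):
        if self.__locked:
            raise AttributeError('%s is locked, cannot set %r'
                                 % (type(self).__name__, name))
        object.__setattr__(self, name, value)


def islocked(obj):
    return obj._ReadOnly__locked


class Plugin(ReadOnly):
    label = None
    finalize_calls = 0                    # demo counter, not in the patch
    __try_finalize = False                # mangled to _Plugin__try_finalize

    def __getattribute__(self, name):
        # Private names of Plugin/ReadOnly skip the lazy check; the flag is
        # itself such a name, which is what keeps this from recursing.
        if name.startswith('_Plugin__') or name.startswith('_ReadOnly__'):
            return object.__getattribute__(self, name)
        if self.__try_finalize:
            # Cleared before finalize() so finalize()'s own attribute reads
            # do not re-enter; a thread arriving in between sees False and
            # reads the still-unlocked object (see race_demo).
            self.__try_finalize = False
            self.finalize()
            assert islocked(self) is True
        return object.__getattribute__(self, name)

    def prefinalize(self):
        """Arm the flag; finalize() runs on the next real attribute access."""
        self.__try_finalize = True

    def finalize(self):
        """Expensive setup, then lock the instance against further writes."""
        self.finalize_calls += 1
        self.label = 'finalized:' + type(self).__name__
        self.__lock__()


class SlowPlugin(Plugin):
    """finalize() blocks on an Event so the race can be reproduced."""

    def __init__(self, entered, gate):
        self.entered = entered            # set once finalize() has started
        self.gate = gate                  # finalize() waits here before locking

    def finalize(self):
        self.entered.set()
        self.gate.wait()
        Plugin.finalize(self)


def calls(plugin):
    # Read the counter without going through the lazy check.
    return object.__getattribute__(plugin, 'finalize_calls')


def lazy_finalize_demo():
    """(calls before, after 1st access, after 2nd access, label, write refused)."""
    p = Plugin()
    p.prefinalize()
    before = calls(p)
    label = p.label                       # first real access: finalize() once
    first = calls(p)
    p.label                               # already finalized: no second run
    second = calls(p)
    try:
        p.label = 'tampered'              # locked now: must raise
        refused = False
    except AttributeError:
        refused = True
    return before, first, second, label, refused


def race_demo():
    """Two threads touch one prefinalized plugin; the second reads it raw."""
    entered, gate = threading.Event(), threading.Event()
    p = SlowPlugin(entered, gate)
    p.prefinalize()
    seen = {}
    t = threading.Thread(target=lambda: seen.update(first=p.label))
    t.start()
    entered.wait()                        # flag cleared, lock not yet taken
    seen['second'] = p.label              # no finalize(): class default None
    gate.set()
    t.join()
    return seen['first'], seen['second']
```

`lazy_finalize_demo()` shows the happy path: `finalize()` runs exactly once, on the first ordinary attribute read, and the instance is then locked so a later write raises. `race_demo()` shows the edge case: the second reader gets the class default `None` instead of the finalized label, because the flag is cleared before `finalize()` has taken the lock. The clear-first ordering cannot simply be swapped (finalize()'s own attribute reads would re-enter the block), so a real fix would be a lock around the block or finalizing before instances are shared.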

Re: [Freeipa-devel] [PATCH] 1 Do lazy initialization ipalib

2011-10-25 Thread Ondrej Hamada

On 10/25/2011 04:01 PM, Martin Kosek wrote:

On Tue, 2011-10-25 at 15:29 +0200, Ondrej Hamada wrote:

https://fedorahosted.org/freeipa/ticket/1336

Lazy initialization of ipalib plugins is used under all contexts, not
only when context = cli. Every loaded plugin is pre-finalized: a flag
is set, which means that the plugin needs to be finalized. Then every
call of the plugin's __getattribute__ checks the flag and finalizes the
plugin if necessary. The code was implemented by jcholast. The time
reduction in command execution is quite remarkable:

patch [s] | normal [s] | command
----------+------------+----------------------------------------------
1.468     | 2.287      | ipa user-add jsmith --first=john --last=smith
1.658     | 2.235      | ipa user-del jsmith
1.624     | 2.204      | ipa dnsrecord-find example.com


Thanks for submitting the patch. Ondra, just please provide the patch in
proper format (exported via command `git format-patch -M -C --patience
--full-index -1' which I sent you earlier).

Martin



Sorry, correct version attached

--
Regards,

Ondrej Hamada
FreeIPA team
jabber: oh...@jabbim.cz
IRC: ohamada

From 798d8f8a624f8350974e54c328c1c58c06944b26 Mon Sep 17 00:00:00 2001
From: Ondrej Hamada oham...@redhat.com
Date: Tue, 25 Oct 2011 16:20:44 +0200
Subject: [PATCH] lazy initialization patch

---
 ipalib/plugable.py |   18 +++---
 1 files changed, 15 insertions(+), 3 deletions(-)
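Review bot: the commit subject `lazy initialization patch` with an empty body tells a `git log` reader neither what changed nor why; the message should name the ticket (https://fedorahosted.org/freeipa/ticket/1336) and carry the explanation from the mail, that `API.finalize` now only arms a flag via `prefinalize()` and `Plugin.__getattribute__` runs `finalize()` on the first attribute access in every context, not only cli, together with the measured timings, since the mail body will not be in the repository history.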

diff --git a/ipalib/plugable.py b/ipalib/plugable.py
index b0e415656e0428eb164c35a2862fcfbf50883381..2aed1cdcda18840728558ed53435ab10ae28e802 100644
--- a/ipalib/plugable.py
+++ b/ipalib/plugable.py
@@ -173,6 +173,7 @@ class Plugin(ReadOnly):
 
 
 label = None
+__try_finalize = False
 
 def __init__(self):
 self.__api = None
@@ -208,6 +209,16 @@ class Plugin(ReadOnly):
 )
 )
 
+def __getattribute__(self, name):
+if name.startswith('_Plugin__') or name.startswith('_ReadOnly__'):
+return object.__getattribute__(self, name)
+if self.__try_finalize:
+self.__try_finalize = False
+self.finalize()
+if not is_production_mode(self.__api):
+assert islocked(self) is True
+return object.__getattribute__(self, name)
+
 def __get_api(self):
 
 Return `API` instance passed to `finalize()`.
@@ -217,6 +228,9 @@ class Plugin(ReadOnly):
 return self.__api
 api = property(__get_api)
 
+def prefinalize(self):
+self.__try_finalize = True
+
 def finalize(self):
 
 
@@ -638,9 +652,7 @@ class API(DictProxy):
 assert p.instance.api is self
 
 for p in plugins.itervalues():
-p.instance.finalize()
-if not production_mode:
-assert islocked(p.instance) is True
+p.instance.prefinalize()
 object.__setattr__(self, '_API__finalized', True)
 tuple(PluginInfo(p) for p in plugins.itervalues())
 object.__setattr__(self, 'plugins',
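Review bot: the `index` line carries the same blob hashes (b0e415656e...2aed1cdcda...) as the first submission, so this resend changes only the patch format, not the content; the points raised on the earlier copy (availability of `is_production_mode` in plugable.py, the flag-clear/finalize ordering under concurrent access, the missing `prefinalize()` docstring, and whether `PluginInfo(p)` right after the loop triggers finalization anyway) still need answers before this can be acked.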
-- 
1.7.6.4
