Re: [Freeipa-devel] [PATCH] Add a new user-add flag param to disable the creation of UPG.
On 2011-03-28 23:05, Rob Crittenden wrote:

Pavel Zůna wrote:

This patch handles the issue in a kind of stupid way, but I couldn't think of anything better. It adds a new flag parameter to user-add (--noprivate). With this flag, the command marks the private group about to be created for deletion and it is deleted after the user is created. The only exception is when there is a group, that is named the same way as the user, but isn't a private group - then the group is left there.

Private groups are created automatically by the managed entry DS plugin and I didn't find a way to disable its creation for a specific user.

Ticket #1131

Pavel

I wonder if you can modify the originFilter entry in the Managed Entry plugin and set something special so the user gets created w/o a group. The trick would be getting the filter right. Currently it is:

originFilter: objectclass=posixAccount

I wonder if we could stuff something else in there that would cause it to evaluate false when we don't want a managed group.

rob

I thought about it, but changing the filter temporarily isn't an option since more user-add operations can be running at the same time and this entry is global.

Maybe adding a special object class or temporary attribute to mark users to be created without UPG. Or creating the user without the posixAccount object class and attributes and adding them later using user-mod. This might be a bit faster than deleting the UPG.

Pavel

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] Add a new user-add flag param to disable the creation of UPG.
This patch handles the issue in a kind of stupid way, but I couldn't think of anything better. It adds a new flag parameter to user-add (--noprivate). With this flag, the command marks the private group about to be created for deletion and is deleted after the user is created. The only exception is when there is a group, that is named the same way as the user, but isn't a private group - then the group is left there. Private groups are created automatically by the managed entry DS plugin and I didn't find a way to disable its creation for a specific user. Ticket #1131 Pavel >From 28d6663b67894f1697e900f7d9518c2f7c168371 Mon Sep 17 00:00:00 2001 From: Pavel Zuna Date: Mon, 28 Mar 2011 15:10:57 -0400 Subject: [PATCH] Add a new user-add flag param to disable the creation of UPG. Ticket #1131 --- ipalib/plugins/user.py | 21 ++--- 1 files changed, 18 insertions(+), 3 deletions(-) diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py index c3bcddd..66ca8d8 100644 --- a/ipalib/plugins/user.py +++ b/ipalib/plugins/user.py @@ -250,10 +250,17 @@ class user_add(LDAPCreate): """ Add a new user. """ - msg_summary = _('Added user "%(value)s"') +takes_options = LDAPCreate.takes_args + ( +Flag('noprivate', +cli_name='noprivate', +doc=_('don\'t create user private group'), +), +) + def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): +setattr(context, 'delupg', options.get('noprivate', False)) try: # The Managed Entries plugin will allow a user to be created # even if a group has a duplicate name. This would leave a user @@ -263,7 +270,9 @@ class user_add(LDAPCreate): self.api.Command['user_show'](keys[-1]) raise errors.DuplicateEntry() except errors.NotFound: -raise errors.ManagedGroupExistsError(group=keys[-1]) +if not options.get('noprivate', False): +raise errors.ManagedGroupExistsError(group=keys[-1]) +setattr(context, 'delupg', False) except errors.NotFound: pass validate_nsaccountlock(entry_attrs) 
@@ -291,7 +300,7 @@ class user_add(LDAPCreate): if 'gidnumber' not in entry_attrs: # gidNumber wasn't specified explicity, find out what it should be -if ldap.has_upg(): +if not options.get('noprivate', False) and ldap.has_upg(): # User Private Groups - uidNumber == gidNumber entry_attrs['gidnumber'] = entry_attrs['uidnumber'] else: @@ -317,6 +326,12 @@ class user_add(LDAPCreate): def_primary_group = config.get('ipadefaultprimarygroup') group_dn = self.api.Object['group'].get_dn(def_primary_group) ldap.add_entry_to_group(dn, group_dn) +if getattr(context, 'delupg', False): +try: +self.api.Command['group_detach'](keys[-1]) +self.api.Command['group_del'](keys[-1]) +except errors.NotFound: +pass return dn api.register(user_add) -- 1.7.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
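Review bot: in the first hunk, `takes_options = LDAPCreate.takes_args + (Flag('noprivate', ...),)` builds the options tuple from the parent's takes_args rather than its takes_options, so the positional user login argument gets re-declared as an option and whatever options LDAPCreate already defines are dropped; this should read `takes_options = LDAPCreate.takes_options + (`. The same hunk stores the flag on the thread-local `context` with `setattr(context, 'delupg', options.get('noprivate', False))` although pre_callback already receives `**options`; if post_callback takes the same `**options`, reading `options.get('noprivate', False)` there as well would avoid per-request state living on a shared object, which is the same concern Pavel raises about the global originFilter in this thread.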
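Review bot: in the last hunk the private group is removed only after the user entry exists and has been added to the default primary group, so there is a window in which the UPG is visible to concurrent operations, and the cleanup `group_detach` / `group_del` is guarded only by `except errors.NotFound: pass`; any other failure in either call makes user-add report an error after the user has already been written, leaving a user with the private group the flag promised not to create. The Flag's doc string `don't create user private group` should say the group is created and then deleted, and `context.delupg` should be reset after use so it cannot leak into a later command on the same thread.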
Re: [Freeipa-devel] [PATCH] 78 Use ldapi: instead of unsecured ldap: in ipa core tools.
On 2011-02-25 18:12, JR Aquino wrote:

On 2/25/11 5:58 AM, "Pavel Zuna" wrote:

On 02/23/2011 11:53 PM, Simo Sorce wrote:

On Wed, 23 Feb 2011 23:41:33 +0100 Pavel Zůna wrote:

On 2011-02-15 16:36, JR Aquino wrote:

On 2/15/11 6:52 AM, "Simo Sorce" wrote:

On Tue, 15 Feb 2011 15:19:50 +0100 Pavel Zuna wrote:

I can't reproduce this. :-/ For me it goes fine:

[root@ipadev tools]# ./ipa-nis-manage enable
Directory Manager password:
Enabling plugin
This setting will not take effect until you restart Directory Server.
The rpcbind service may need to be started.

Pavel,
Jr has set the minimum ssf to a non default value to test a configuration in which all communications are required to be encrypted. That's why you can't reproduce with the vanilla configuration.

We want to support that mode although it won't be the default, so we need to fix any issue that causes that configuration to break (ie all non-encrypted/non-ldapi connections).

Simo.

--
Simo Sorce * Red Hat, Inc * New York

The best way to do this is:
-=-
service ipa stop

Edit /etc/dirsrv/slapd-DOMAIN/dse.ldif

Change:
nsslapd-minssf: 0
To:
nsslapd-minssf: 56   <- 56 is chosen because SASL communicates a 56bit handshake even though we utilize a much stronger cipher... (It is a known bug/feature)

service ipa start

I tried to use the LDAPUpdate class (ipaserver/install/ldapupdate.py) with ldapi=True, but it raises a NotFound exception when trying to call IPAdmin.do_external_bind() (ipaserver/ipaldap.py).

This exception originates in IPAdmin.__lateinit() when trying to retrieve this entry:

cn=config,cn=ldbm database,cn=plugins,cn=config

For some reason it looks like this entry is inaccessible when doing a SASL EXTERNAL bind as root.

I can retrieve the entry as "cn=directory manager":

[root@vm-090 freeipa]# ldapsearch -D "cn=directory manager" -W -H ldapi://%2fvar%2frun%2fslapd-IDM-LAB-BOS-REDHAT-COM.socket -b "cn=config,cn=ldbm database,cn=plugins,cn=config" -s one
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base with scope oneLevel
# filter: (objectclass=*)
# requesting: ALL
#

# default indexes, config, ldbm database, plugins, config
dn: cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: default indexes

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

but not as root:

[root@vm-090 freeipa]# ldapsearch -Y EXTERNAL -H ldapi://%2fvar%2frun%2fslapd-IDM-LAB-BOS-REDHAT-COM.socket -b "cn=config"
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# SNMP, config
dn: cn=SNMP,cn=config
objectClass: top
objectClass: nsSNMP
cn: SNMP
nsSNMPEnabled: on

# 2.16.840.1.113730.3.4.9, features, config
dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
objectClass: top
objectClass: directoryServerFeature
oid: 2.16.840.1.113730.3.4.9
cn: VLV Request Control

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2

I'm not sure what the problem is, I tried setting different SASL security properties, but nothing helped. :(

Next step is to analyze DS logs, but before I do that, I wanted to ask if anyone has any tips on what the solution might be.

We have very strict ACIs when using EXTERNAL SASL as root.
Is there any reason you need to operate as root ?
you can also authenticate with SIMPLE (Dir MGr credentials), or SASL/GSSAPI if you have credentials.

If you need to run unattended as root then we may need to make root+SASL/EXTERNAL more powerful but I'd like to understand exactly why you need that and can't use regular authentication with DirMgr or GSSAPI credentials.

Simo.

Thanks for advice! New version of the patch attached.

Sorry Pavel, I have to NACK again:

It looks like some comment info got left in the patch perhaps.

[root@auth2 ~]# ipa-compat-manage status
File "/usr/sbin/ipa-compat-manage", line 169
<<<<<<< HEAD

[root@auth2 ~]# ipa-host-net-manage status
File "/usr/sbin/ipa-host-net-manage", line 195
<<<<<<< HEAD

^ That's cool, I just wonder how it got there. :)

Fixed version attached.

Pavel

Attachment: freeipa-pzuna-78-5-toolsldapi.patch (application/mbox)
Re: [Freeipa-devel] Localization patches.
On 2011-02-23 20:26, Rob Crittenden wrote:

Pavel Zůna wrote:

Rebased patch 81 and 83 (pygettext). Created a new patch to fix these latest test failures - it was easier than doing a complex rebase.

All latest versions of localization patches are attached to this email for review. I tried to apply them on a clean master clone, build RPMs, installed and run all unit tests. So hopefully, we're finally going to get this in. :)

Pavel

I don't understand some of these (and past changes):

- Updated patch 83-2 just changes the commit message slightly

I rebased everything, generated new patches and did a diff to see if anything has changed. This patch had differences in line numbers, so I decided to make a new one, just to make sure it applies cleanly on master.

- Patch 84 comments out several lines in the tests. There isn't any explanation what these changes do and why they are needed. It seems to be disabling a confirmation that changing locale works.

It comments out parts that test the deprecated code removed by patch 69. I probably should have removed the lines completely, but wanted to keep them for reference - guess there's no point really.

We no longer set up languages in the code, but rather get them from what is passed from the terminal OR from what is requested over XML-RPC. All localization code that uses the context thread local variable doesn't work anyway - that's why the tests were failing.

- Patch 82 drops a bunch of the old ugettext code which is fine, but I think one of the purposes was to make sure that translation was occurring.

- Patch 82 in test_text.py changing the languages is removed. Are we really exercising this code?

Same deal as 84.

rob

Pavel
Re: [Freeipa-devel] [PATCH] 78 Use ldapi: instead of unsecured ldap: in ipa core tools.
On 2011-02-15 16:36, JR Aquino wrote:

On 2/15/11 6:52 AM, "Simo Sorce" wrote:

On Tue, 15 Feb 2011 15:19:50 +0100 Pavel Zuna wrote:

I can't reproduce this. :-/ For me it goes fine:

[root@ipadev tools]# ./ipa-nis-manage enable
Directory Manager password:
Enabling plugin
This setting will not take effect until you restart Directory Server.
The rpcbind service may need to be started.

Pavel,
Jr has set the minimum ssf to a non default value to test a configuration in which all communications are required to be encrypted. That's why you can't reproduce with the vanilla configuration.

We want to support that mode although it won't be the default, so we need to fix any issue that causes that configuration to break (ie all non-encrypted/non-ldapi connections).

Simo.

--
Simo Sorce * Red Hat, Inc * New York

The best way to do this is:
-=-
service ipa stop

Edit /etc/dirsrv/slapd-DOMAIN/dse.ldif

Change:
nsslapd-minssf: 0
To:
nsslapd-minssf: 56   <- 56 is chosen because SASL communicates a 56bit handshake even though we utilize a much stronger cipher... (It is a known bug/feature)

service ipa start

I tried to use the LDAPUpdate class (ipaserver/install/ldapupdate.py) with ldapi=True, but it raises a NotFound exception when trying to call IPAdmin.do_external_bind() (ipaserver/ipaldap.py).

This exception originates in IPAdmin.__lateinit() when trying to retrieve this entry:

cn=config,cn=ldbm database,cn=plugins,cn=config

For some reason it looks like this entry is inaccessible when doing a SASL EXTERNAL bind as root.

I can retrieve the entry as "cn=directory manager":

[root@vm-090 freeipa]# ldapsearch -D "cn=directory manager" -W -H ldapi://%2fvar%2frun%2fslapd-IDM-LAB-BOS-REDHAT-COM.socket -b "cn=config,cn=ldbm database,cn=plugins,cn=config" -s one
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base with scope oneLevel
# filter: (objectclass=*)
# requesting: ALL
#

# default indexes, config, ldbm database, plugins, config
dn: cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: default indexes

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

but not as root:

[root@vm-090 freeipa]# ldapsearch -Y EXTERNAL -H ldapi://%2fvar%2frun%2fslapd-IDM-LAB-BOS-REDHAT-COM.socket -b "cn=config"
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# SNMP, config
dn: cn=SNMP,cn=config
objectClass: top
objectClass: nsSNMP
cn: SNMP
nsSNMPEnabled: on

# 2.16.840.1.113730.3.4.9, features, config
dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
objectClass: top
objectClass: directoryServerFeature
oid: 2.16.840.1.113730.3.4.9
cn: VLV Request Control

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2

I'm not sure what the problem is, I tried setting different SASL security properties, but nothing helped. :(

Next step is to analyze DS logs, but before I do that, I wanted to ask if anyone has any tips on what the solution might be.

Pavel
[Freeipa-devel] [PATCH] Use pygettext to generate translatable strings from plugin files.
This goes on top of my other localization patches!

This patch replaces xgettext with a custom pygettext to generate translatable strings from plugin files in ipalib/plugins. pygettext was modified to handle plural forms (credit goes to Jan Hendrik Goellner) and had some bugs fixed by myself. We only use it for plugins, because it's the only place where we need to extract docstrings for the built-in help system.

I also had to make some changes to the way the built-in documentation system gets docstrings from modules for this to work.

How to test?

1) First, apply all of the localization patches found in thread "Localization patches" on freeipa-devel. Then apply this patch.

2) Regenerate your install/po/Makefile:
   - delete install/po/Makefile
   - run `./configure` in install

3) Regenerate the pot and po files:
   - run `make update-pot` in install/po
   - run `make update-po` in install/po

4) Make a change to one of the translations:
   - example: add translation to the ACI docstring
     * find docstring for ACI in install/po/es.po
     * change the corresponding msgstr "" to msgstr "\nBuenos dias, amigos!\n"
   Note: if the translatable string begins with \n, the translation also needs to begin with \n. Same goes for ending.

5) Install the modified translations:
   - run `make install` in install/po
   Note: I had some problems with this and had to make rpms and install IPA from beginning for it to work. Looks like doing `make install` manually updates /usr/local/share/locale instead of /usr/share/locale, but maybe I just did something wrong.

6) Set language to Spanish or whatever translation you modified:
   - example:
     * # LANG="es_ES.utf8"
       # export LANG

7) Display the translated documentation:
   - example:
     * # ipa help aci
       Buenos dias, amigos!

Pavel

Attachment: freeipa-pzuna-83-pygettext.patch (application/mbox)
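The note in step 4 (a translation must begin and end with \n exactly when the original string does) is the mismatch that msgfmt -c refuses when the catalog is compiled. The checker below is an added example, not part of this post or of FreeIPA's install/po tooling: it parses a constructed .po fragment (the entries are made up for the example, not taken from es.po), applies that one rule, and reports the offending msgids. The function names are assumptions; plural entries (msgid_plural / msgstr[n]) are not handled.

```python
# Added example (not FreeIPA code): check that each msgstr in a .po fragment
# agrees with its msgid about a leading and a trailing newline, the rule the
# post's step 4 warns about. msgfmt -c reports the same mismatch.
import re

# Constructed sample .po content for the example (not the real install/po/es.po).
SAMPLE_PO = r'''
msgid ""
msgstr ""
"Content-Type: text/plain; charset=UTF-8\n"

#: ipalib/plugins/aci.py:21
msgid "\nDirectory Server Access Control Instructions (ACIs)\n"
msgstr "\nBuenos dias, amigos!\n"

#: ipalib/plugins/user.py:10
msgid "\nUsers\n"
msgstr "Usuarios"

#: ipalib/plugins/group.py:5
msgid "Groups"
msgstr "Grupos\n"

#: ipalib/plugins/host.py:7
msgid "Hosts"
msgstr ""
'''

_ESCAPES = {'n': '\n', 't': '\t', '"': '"', '\\': '\\'}


def _unquote(value):
    """Join the quoted fragments of one msgid/msgstr value and resolve the
    backslash escapes, so that a real leading/trailing newline can be seen."""
    parts = re.findall(r'"((?:[^"\\]|\\.)*)"', value)
    return re.sub(r'\\(.)', lambda m: _ESCAPES.get(m.group(1), m.group(1)),
                  ''.join(parts))


def parse_po(text):
    """Return a list of (msgid, msgstr) pairs from a .po file body. A value
    continued on following lines (one quoted fragment per line) is
    concatenated, as gettext does; comments and blank lines are skipped."""
    entries = []
    current, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        if line.startswith('msgid '):
            if current:
                entries.append(current)
            current, key = {'msgid': line[len('msgid '):]}, 'msgid'
        elif line.startswith('msgstr '):
            current['msgstr'] = line[len('msgstr '):]
            key = 'msgstr'
        elif line.startswith('"') and key is not None:
            current[key] += line
    if current:
        entries.append(current)
    return [(_unquote(e['msgid']), _unquote(e.get('msgstr', '""')))
            for e in entries]


def newline_mismatches(text):
    """Return the msgids whose translation disagrees with them about a
    leading or trailing newline. The header entry (empty msgid) and
    untranslated entries (empty msgstr) are skipped, as msgfmt skips them."""
    bad = []
    for msgid, msgstr in parse_po(text):
        if msgid == '' or msgstr == '':
            continue
        if (msgid.startswith('\n') != msgstr.startswith('\n')
                or msgid.endswith('\n') != msgstr.endswith('\n')):
            bad.append(msgid)
    return bad


if __name__ == '__main__':
    for msgid in newline_mismatches(SAMPLE_PO):
        print('newline mismatch for msgid %r' % msgid)
```

Run against the sample, the ACI entry from step 4 passes (both strings are wrapped in \n) while the Users and Groups entries are reported; in a real workflow the same check is `msgfmt -c es.po`, which the `make install` in step 5 runs anyway.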
Re: [Freeipa-devel] Localization patches.
On 2011-02-17 22:52, Rob Crittenden wrote:

Pavel Zůna wrote:

On 2011-02-17 05:09, Rob Crittenden wrote:

Pavel Zůna wrote:

My efforts in fixing localization all around the framework and preparing it for localizing docstrings have resulted in a lot of patches. Because I understand they have become a bit hard to track, I decided to post them all together in this thread to make review easier.

After this is committed, there will be one more patch that switches xgettext for pygettext. Then hopefully, we'll be pretty much set when it comes to i18n.

Pavel

Patch 81 isn't applying for me.

Help is not working for me either, this is due to patch 80.

$ ipa help user
ipa: ERROR: NameError: global name '_' is not defined
Traceback (most recent call last):
  File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 1087, in run
    api.finalize()
  File "/home/rcrit/redhat/freeipa-version/ipalib/plugable.py", line 619, in finalize
    plugin_iter(base, (magic[k] for k in magic))
  File "/home/rcrit/redhat/freeipa-version/ipalib/base.py", line 397, in __init__
    sorted(members, key=lambda m: getattr(m, name_attr))
  File "/home/rcrit/redhat/freeipa-version/ipalib/plugable.py", line 608, in plugin_iter
    plugins[klass] = PluginInstance(klass)
  File "/home/rcrit/redhat/freeipa-version/ipalib/plugable.py", line 585, in __init__
    self.instance = klass()
  File "/home/rcrit/redhat/freeipa-version/ipalib/plugable.py", line 184, in __init__
    self.doc = _(inspect.getdoc(cls))
NameError: global name '_' is not defined
ipa: ERROR: an internal error has occurred

Patches 69, 71 and 73 are still working fine.

What is switching from xgettext to pygettext going to do?

This was answered by John Dennis: xgettext doesn't parse python docstrings.

rob

Rebased version of 81 attached. It should also fix the traceback you're getting.

Pavel

Something is still not working.

I'm having a hard time reproducing how I got this but with LANG=es_US.UTF-8 for a while I was getting this with every ipa user-* request:

ipa: ERROR: UnicodeEncodeError: 'ascii' codec can't encode character u'\xf1' in position 20: ordinal not in range(128)
Traceback (most recent call last):
  File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 1090, in run
    sys.exit(api.Backend.cli.run(argv))
  File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 917, in run
    rv = cmd.output_for_cli(self.api.Backend.textui, result, *args, **options)
  File "/home/rcrit/redhat/freeipa-version/ipalib/frontend.py", line 953, in output_for_cli
    textui.print_entries(result, order, labels, flags, print_all)
  File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 346, in print_entries
    self.print_entry(entry, order, labels, flags, print_all, format, indent)
  File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 378, in print_entry
    label, value, format, indent, one_value_per_line
  File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 309, in print_attribute
    self.print_indented(format % (attr, text[0]), indent)
  File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 232, in print_indented
    print (CLI_TAB * indent + text)
UnicodeEncodeError: 'ascii' codec can't encode character u'\xf1' in position 20: ordinal not in range(128)
ipa: ERROR: ha ocurrido un error interno

I think it is blowing up on this user:

User login: jose
First name: Jose
Last name: contraseñas
Home directory: /home/jose
Login shell: /bin/sh
Account disabled: TRUE
Member of groups: ipausers

Then all of a sudden things started working fine, so I'm not sure what's going on.

Is this traceback meaningful to you?

rob

This looks like a bug in the textui backend.

You get this error when you do something like this:

>>> a = u'\xf1'
>>> a.decode('utf-8')
Traceback (most recent call last):
  File "", line 1, in
  File "/usr/lib/python2.6/encodings/utf_8.py", line 16, in decode
    return codecs.utf_8_decode(input, errors, True)
UnicodeEncodeError: 'ascii' codec can't encode character u'\xf1' in position 0: ordinal not in range(128)

It means we're not handling encoding/decoding from/to the CLI right somewhere. The character \xf1 corresponds to the small N with tilde in Jose's last name.

I'm going to look into it, but I don't think it's related to the localization patches.

Pavel
Re: [Freeipa-devel] Localization patches.
On 2011-02-17 05:09, Rob Crittenden wrote:

Pavel Zůna wrote:

My efforts in fixing localization all around the framework and preparing it for localizing docstrings have resulted in a lot of patches. Because I understand they have become a bit hard to track, I decided to post them all together in this thread to make review easier.

After this is committed, there will be one more patch that switches xgettext for pygettext. Then hopefully, we'll be pretty much set when it comes to i18n.

Pavel

Patch 81 isn't applying for me.

Help is not working for me either, this is due to patch 80.

$ ipa help user
ipa: ERROR: NameError: global name '_' is not defined
Traceback (most recent call last):
  File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 1087, in run
    api.finalize()
  File "/home/rcrit/redhat/freeipa-version/ipalib/plugable.py", line 619, in finalize
    plugin_iter(base, (magic[k] for k in magic))
  File "/home/rcrit/redhat/freeipa-version/ipalib/base.py", line 397, in __init__
    sorted(members, key=lambda m: getattr(m, name_attr))
  File "/home/rcrit/redhat/freeipa-version/ipalib/plugable.py", line 608, in plugin_iter
    plugins[klass] = PluginInstance(klass)
  File "/home/rcrit/redhat/freeipa-version/ipalib/plugable.py", line 585, in __init__
    self.instance = klass()
  File "/home/rcrit/redhat/freeipa-version/ipalib/plugable.py", line 184, in __init__
    self.doc = _(inspect.getdoc(cls))
NameError: global name '_' is not defined
ipa: ERROR: an internal error has occurred

Patches 69, 71 and 73 are still working fine.

What is switching from xgettext to pygettext going to do?

This was answered by John Dennis: xgettext doesn't parse python docstrings.

rob

Rebased version of 81 attached. It should also fix the traceback you're getting.

Pavel

Attachment: freeipa-pzuna-81-2-fixlocstrings.patch (application/mbox)
Re: [Freeipa-devel] [PATCH] Fix translatable strings in ipalib plugins.
On 2011-02-16 16:25, Pavel Zůna wrote:

Some translatable strings were in a wrong format and there were some more related issues. This patch tries to fix all of them. Needed for xgettext/pygettext processing.

Pavel

Rebased version attached.

Pavel

Attachment: freeipa-pzuna-81-2-fixlocstrings.patch (application/mbox)
[Freeipa-devel] [PATCH] Fix i18n related failures in unit tests.
Fixes unit test failures caused by the changes introduced in my other localization related patches.

Pavel

Attachment: freeipa-pzuna-82-fixlocutests.patch (application/mbox)
[Freeipa-devel] [PATCH] Fix translatable strings in ipalib plugins.
Some translatable strings were in a wrong format and there were some more related issues. This patch tries to fix all of them. Needed for xgettext/pygettext processing.

Pavel

Attachment: freeipa-pzuna-81-fixlocstrings.patch (application/mbox)
[Freeipa-devel] [PATCH] Translate docstrings.
This patch prepares the built-in help system for localized docstrings.

Pavel

Attachment: freeipa-pzuna-80-docstringloc.patch (application/mbox)
Re: [Freeipa-devel] [PATCH] Send Accept-Language header over XML-RPC and translate on server.
On 2011-02-04 18:35, Pavel Zůna wrote:

On 2011-02-04 16:23, Rob Crittenden wrote:

Pavel Zuna wrote:

This patch makes the ipa client send the Accept-Language header, so that the server can translate things like exceptions, that cannot be translated on the client.

It also fixes the language recognition for the webUI. The values in Accept-Language header are a bit different than what is accepted by the LANG variable as a valid locale - some additional parsing was needed.

For example:
>>> Accept-Language: es-es;q=1
needs to translate to
>>> es_ES
otherwise it won't be recognized by gettext

Fix #904
Fix #917

Pavel

nack.

ast is imported but not used

Leftover. Removed in the attached updated version.

Why are you calling locale.setlocale() instead of locale.getlocale()?

Because that's how it should be done. setlocale() with an empty string as second argument gets the current environment settings. getlocale() without a previous call to setlocale returns (None, None).

If extra_headers is passed in as a string this will drop it:

That's never going to happen. I checked the underlying implementation in xmlrpclib and it can either be a list or dict. In this case, LanguageAwareTransport is calling Transport.get_host_info() which always returns extra_headers as a list or None if empty. The original implementation (before this patch) always dropped the whole thing and used a new list instead.

+ if not isinstance(extra_headers, list):
+ extra_headers = []

Multiple Authorization is actually legal though it may be a good idea to remove any others found, so I'll let this part go. I don't know that it is really needed though.

Because the underlying Transport class can fill Authorization with 'Basic ' and the original implementation was dropping it as well.

Some formatting is changed to make it less readable IMHO:

- else:
- scheme = "http"
+ else: scheme = "http"

That's unintentional, sorry.

The code to break HTTP_ACCEPT_LANGUAGE into language and region is broken. Passing in en-gb returns en_EN. (I think you want [1] not [0]).

Nice catch. I was probably thinking that since I'm using rsplit(), the indexes will be the other way around. :) Fixed in attached version.

Ideally we would loop through all acceptable languages until we find one that we actually provide. So if we are passed in da, en-gb;q=0.8, en;q=0.7 we would first look for Danish but fall back to British English or any other English (preferring British English).

That's a good idea! However I would keep it simple for now and do this in a separate patch.

rob

Pavel

Rebased version attached.

Pavel

Attachment: freeipa-pzuna-71-3-acceptlang.patch (application/mbox)
Re: [Freeipa-devel] [PATCH] Send Accept-Language header over XML-RPC and translate on server.
On 2011-02-04 16:23, Rob Crittenden wrote:

Pavel Zuna wrote:

This patch makes the ipa client send the Accept-Language header, so that the server can translate things like exceptions, that cannot be translated on the client.

It also fixes the language recognition for the webUI. The values in Accept-Language header are a bit different than what is accepted by the LANG variable as a valid locale - some additional parsing was needed.

For example:
>>> Accept-Language: es-es;q=1
needs to translate to
>>> es_ES
otherwise it won't be recognized by gettext

Fix #904
Fix #917

Pavel

nack.

ast is imported but not used

Leftover. Removed in the attached updated version.

Why are you calling locale.setlocale() instead of locale.getlocale()?

Because that's how it should be done. setlocale() with an empty string as second argument gets the current environment settings. getlocale() without a previous call to setlocale returns (None, None).

If extra_headers is passed in as a string this will drop it:

That's never going to happen. I checked the underlying implementation in xmlrpclib and it can either be a list or dict. In this case, LanguageAwareTransport is calling Transport.get_host_info() which always returns extra_headers as a list or None if empty. The original implementation (before this patch) always dropped the whole thing and used a new list instead.

+ if not isinstance(extra_headers, list):
+ extra_headers = []

Multiple Authorization is actually legal though it may be a good idea to remove any others found, so I'll let this part go. I don't know that it is really needed though.

Because the underlying Transport class can fill Authorization with 'Basic ' and the original implementation was dropping it as well.

Some formatting is changed to make it less readable IMHO:

- else:
- scheme = "http"
+ else: scheme = "http"

That's unintentional, sorry.

The code to break HTTP_ACCEPT_LANGUAGE into language and region is broken. Passing in en-gb returns en_EN. (I think you want [1] not [0]).

Nice catch. I was probably thinking that since I'm using rsplit(), the indexes will be the other way around. :) Fixed in attached version.

Ideally we would loop through all acceptable languages until we find one that we actually provide. So if we are passed in da, en-gb;q=0.8, en;q=0.7 we would first look for Danish but fall back to British English or any other English (preferring British English).

That's a good idea! However I would keep it simple for now and do this in a separate patch.

rob

Pavel

Attachment: freeipa-pzuna-71-2-acceptlang.patch (application/mbox)
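The two Accept-Language messages above (the es-es;q=1 to es_ES mapping, the [0]/[1] slip on en-gb, and Rob's suggestion to walk all offered languages by q-value) can be shown in one place. The code below is an added example, not the patch under review and not FreeIPA's server code: the set of translations it pretends to ship, the default locale and the function names are assumptions. It goes a little beyond the patch in that it implements the full loop with q-value ordering and a language-only fallback, which Pavel deferred to a separate patch.

```python
# Added example (not FreeIPA code): turn an Accept-Language header into the
# gettext locale names the server would look for, in preference order.
import re

# Constructed list of translations we pretend to provide (assumption).
AVAILABLE_LOCALES = ('es_ES', 'en_GB', 'en_US', 'de_DE')

# language tag, optionally followed by one region subtag ("es", "es-es", "en-GB")
_TAG_RE = re.compile(r'^([A-Za-z]{1,8})(?:-([A-Za-z0-9]{1,8}))?$')


def to_gettext_locale(tag):
    """Map one language tag to a gettext locale name: "es-es" -> "es_ES",
    "en-GB" -> "en_GB", "de" -> "de". Returns None for "*" or anything that
    does not fit the language[-region] shape (e.g. three-part tags)."""
    m = _TAG_RE.match(tag.strip())
    if not m:
        return None
    lang, region = m.group(1).lower(), m.group(2)
    if region is None:
        return lang
    # The region is the part AFTER the hyphen (group 2); using the language
    # part twice is what produced "en_EN" for "en-gb" in the reviewed patch.
    return '%s_%s' % (lang, region.upper())


def parse_accept_language(header):
    """Return locale names from an Accept-Language value, sorted by descending
    q-value (RFC 7231 section 5.3.5). A missing q means 1; q=0 (and unparsable
    q) excludes the entry; equal q keeps the header's own order."""
    ranked = []
    for pos, item in enumerate(header.split(',')):
        item = item.strip()
        if not item:
            continue
        parts = [p.strip() for p in item.split(';')]
        tag, q = parts[0], 1.0
        for param in parts[1:]:
            if param.lower().startswith('q='):
                try:
                    q = float(param[2:])
                except ValueError:
                    q = 0.0
        locale = to_gettext_locale(tag)
        if locale is not None and q > 0:
            ranked.append((-q, pos, locale))
    return [loc for _, _, loc in sorted(ranked)]


def choose_locale(header, available=AVAILABLE_LOCALES, default='en_US'):
    """Pick the first acceptable locale we actually provide. Exact matches
    ("en_GB") are tried first across the whole list; only then does a bare
    language ("en") or an unavailable region ("en-AU") fall back to the first
    available locale for that language; otherwise `default` is returned."""
    candidates = parse_accept_language(header)
    for loc in candidates:
        if loc in available:
            return loc
    for loc in candidates:
        lang = loc.split('_')[0]
        for avail in available:
            if avail.split('_')[0] == lang:
                return avail
    return default


if __name__ == '__main__':
    for hdr in ('es-es;q=1', 'en-gb', 'da, en-gb;q=0.8, en;q=0.7', 'fr'):
        print('%-28s -> %s' % (hdr, choose_locale(hdr)))
```

With Rob's header `da, en-gb;q=0.8, en;q=0.7` the candidates come out as `da`, `en_GB`, `en`; Danish is not provided, so `en_GB` wins, and a header offering only `en` or `en-au` falls back to the first English translation available. The exact-match pass runs over the whole list before any fallback so that a lower-ranked exact match is not beaten by a fallback for a higher-ranked language.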
Re: [Freeipa-devel] [PATCH] Remove deprecated i18n code from ipalib.request and all references to it.
On 2011-02-04 16:24, Rob Crittenden wrote:

Pavel Zuna wrote:

On 02/04/2011 04:03 PM, Rob Crittenden wrote:

Pavel Zuna wrote:

On 02/02/2011 09:36 PM, Rob Crittenden wrote:

Pavel Zuna wrote:

This ticket effectively fixes the translation of exception messages.

Ticket #903

Pavel

On hold for now, see also patch 'Translate exception messages on the client side.'

rob

This should get pushed for the translation in exceptions to work. It only removes the defunct code and replaces it with something functional.

Pavel

If the server locale is not en_US.UTF-8 then messages are translated.

rob

I know, but it's not the purpose of this patch to do the right translation for the client. Its purpose is to fix the code to actually perform the translation. There's another patch (71) to do the right thing and it depends on this one.

Pavel

Right but 71 fails if there are keywords to translate. I'd prefer to hold off on both of these until we come to a more complete solution.

rob

No, that's 70 failing. :) 71 is the Accept-Language patch I posted today.

Pavel
[Freeipa-devel] [PATCH] Fix crash when displaying values composed of white chars only in CLI.
Fix #825 Pavel >From 8a7e6119399aa974457eda41b998cb765186d4eb Mon Sep 17 00:00:00 2001 From: Pavel Zuna Date: Fri, 21 Jan 2011 09:30:23 -0500 Subject: [PATCH] Fix crash when displaying values composed of white-space chars only in CLI. Ticket #825 --- ipalib/cli.py |2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) diff --git a/ipalib/cli.py b/ipalib/cli.py index 54ab1c4..a30375f 100644 --- a/ipalib/cli.py +++ b/ipalib/cli.py @@ -302,6 +302,8 @@ class textui(backend.Backend): text = textwrap.wrap( text, line_len, break_long_words=False ) +if len(text) == 0: +text = [u''] else: text = [text] self.print_indented(format % (attr, text[0]), indent) -- 1.7.1.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
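Review bot: the added branch is the right fix (textwrap.wrap returns an empty list when the input is whitespace only, so the following `self.print_indented(format % (attr, text[0]), indent)` raised IndexError), but `if len(text) == 0:` is better written `if not text:`, and a one-line comment saying why an empty wrap result is turned into `[u'']` would save the next reader a trip to ticket #825.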
Re: [Freeipa-devel] [PATCH] admiyo-0127-add-missing-files-in-rpm
On 2011-01-05 20:57, Adam Young wrote: Had to move some files around, and added to both Makefile.am and ipa.spec ACK. Pavel ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] Disable action panel links when the selected entry is deleted.
Fix #685 Pavel >From 2dd2304d8f10272d3e376090cbe2565e21ff627d Mon Sep 17 00:00:00 2001 From: Pavel Zuna Date: Thu, 30 Dec 2010 16:41:50 -0500 Subject: [PATCH] Disable action panel links when the selected entry is deleted. Fix #685 --- install/static/search.js |6 +- 1 files changed, 5 insertions(+), 1 deletions(-) diff --git a/install/static/search.js b/install/static/search.js index 061824c..a111e0c 100644 --- a/install/static/search.js +++ b/install/static/search.js @@ -206,6 +206,11 @@ function ipa_search_widget(spec) { function on_success(data, text_status, xhr) { +var action_panel = that.facet.get_action_panel(); +$('li.entity-facet', action_panel). +addClass('entity-facet-disabled'); +$('input', action_panel).val(null); + that.tbody.empty(); var result = data.result.result; @@ -215,7 +220,6 @@ function ipa_search_widget(spec) { } var summary = $('span[name=summary]', that.tfoot); - if (data.result.truncated) { summary.text( 'Query returned results than configured size limit will show.' + -- 1.7.1.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
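Review bot: the disabling in on_success is unconditional, so the action panel links get 'entity-facet-disabled' and its inputs are cleared on every successful search, not only after the selected entry was deleted; if that is intended (nothing is selected after a refresh), the commit message should say so. Also `$('input', action_panel).val(null)` clears every input inside the panel, so confirm no field the user may still be editing lives there. The second hunk only removes a blank line and can be left out of the commit.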
Re: [Freeipa-devel] [PATCH] Translate IA5Str parameters to the editable text fields in the webUI.
On 2010-12-30 10:29, Pavel Zůna wrote: Fix #684 Pavel Left some debugging output in the original patch. Fixed version attached. Pavel >From 508a68cc41f812683cbf62640c3dc2de02dd2981 Mon Sep 17 00:00:00 2001 From: Pavel Zuna Date: Thu, 30 Dec 2010 09:11:58 -0500 Subject: [PATCH] Translate IA5Str paramaters the editable text fields in the webUI. Fix #684 --- install/static/details.js |1 + 1 files changed, 1 insertions(+), 0 deletions(-) diff --git a/install/static/details.js b/install/static/details.js index 1aeffb1..77dc88f 100644 --- a/install/static/details.js +++ b/install/static/details.js @@ -724,6 +724,7 @@ function ipa_insert_dd(jobj, content, dd_class){ /* mapping of parameter types to handlers used to create inputs */ var _ipa_param_type_2_handler_map = { 'Str': _ipa_create_text_input, +'IA5Str': _ipa_create_text_input, 'Int': _ipa_create_text_input, 'Bool': _ipa_create_text_input, 'List': _ipa_create_text_input -- 1.7.1.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
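Review bot: the one-line 'IA5Str' mapping is the right fix and uses the same handler as 'Str'; make sure this resubmitted version is the one that gets pushed, not the earlier version of the same patch (also on this list) that still carries the two alert() debugging calls in ipa_details_field.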
[Freeipa-devel] [PATCH] Fix 'ipa help permissions'; add 'dns' in allowed types.
Pavel >From 08534b8e0fe9ab9713599de166a5bfb4232c1776 Mon Sep 17 00:00:00 2001 From: Pavel Zuna Date: Thu, 30 Dec 2010 09:12:35 -0500 Subject: [PATCH 4/4] Fix 'ipa help permissions'; add 'dns' in allowed types. --- ipalib/plugins/permission.py |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py index 1a707c4..43bb263 100644 --- a/ipalib/plugins/permission.py +++ b/ipalib/plugins/permission.py @@ -120,7 +120,7 @@ class permission(LDAPObject): StrEnum('type?', cli_name='type', label=_('Type'), -doc=_('Type of IPA object (user, group, host, hostgroup, service, netgroup)'), +doc=_('Type of IPA object (user, group, host, hostgroup, service, netgroup, dns)'), values=(u'user', u'group', u'host', u'service', u'hostgroup', u'netgroup', u'dns',), ), Str('memberof?', -- 1.7.1.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
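Review bot: the doc string now lists 'dns', which matches the values tuple; listing the types in the doc in the same order as the values tuple (user, group, host, service, hostgroup, netgroup, dns) would keep the two easy to compare when the next type is added.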
[Freeipa-devel] [PATCH] Translate IA5Str parameters to the editable text fields in the webUI.
Fix #684 Pavel >From ea2cd3c1c97c11c216c0c2baff07615d2f14298e Mon Sep 17 00:00:00 2001 From: Pavel Zuna Date: Thu, 30 Dec 2010 09:11:58 -0500 Subject: [PATCH 3/4] Translate IA5Str paramaters the editable text fields in the webUI. Fix #684 --- install/static/details.js |3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) diff --git a/install/static/details.js b/install/static/details.js index 1aeffb1..6afe743 100644 --- a/install/static/details.js +++ b/install/static/details.js @@ -75,7 +75,9 @@ function ipa_details_field(spec) { var rights = 'rsc'; if (that.record.attributelevelrights){ +alert(this.name); rights = that.record.attributelevelrights[this.name] || rights ; +alert(rights); } if (that.values) { @@ -724,6 +726,7 @@ function ipa_insert_dd(jobj, content, dd_class){ /* mapping of parameter types to handlers used to create inputs */ var _ipa_param_type_2_handler_map = { 'Str': _ipa_create_text_input, +'IA5Str': _ipa_create_text_input, 'Int': _ipa_create_text_input, 'Bool': _ipa_create_text_input, 'List': _ipa_create_text_input -- 1.7.1.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
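Review bot: the first hunk adds two alert() calls (alert(this.name) and alert(rights)) inside ipa_details_field that are debugging output, not part of the fix, and would pop up dialogs for every field rendered; drop that hunk entirely. Only the 'IA5Str' entry in the second hunk belongs in the commit, as the resubmitted version of this patch confirms.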
[Freeipa-devel] [PATCH] Enable custom list of attributes to retrieve effective rights.
LDAPObject sub-classes can define a custom list of attributes for effective rights retrieval. Fix #677 Pavel >From 98b7456f1c4d872e265ea4e8c26ab42e206375e8 Mon Sep 17 00:00:00 2001 From: Pavel Zuna Date: Thu, 30 Dec 2010 08:48:12 -0500 Subject: [PATCH 2/4] Enable custom list of attributes to retrieve effective rights. Fix #677 --- ipalib/plugins/baseldap.py | 38 -- ipalib/plugins/config.py |4 2 files changed, 24 insertions(+), 18 deletions(-) diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py index 259d02b..1cd181c 100644 --- a/ipalib/plugins/baseldap.py +++ b/ipalib/plugins/baseldap.py @@ -162,20 +162,6 @@ def get_attributes(attrs): return attrlist -def get_effective_rights(ldap, dn, attrs=None): -if attrs is None: -attrs = ['*', 'nsaccountlock', 'cospriority'] -rights = ldap.get_effective_rights(dn, attrs) -rdict = {} -if 'attributelevelrights' in rights[1]: -rights = rights[1]['attributelevelrights'] -rights = rights[0].split(', ') -for r in rights: -(k,v) = r.split(':') -rdict[k.strip().lower()] = v - -return rdict - def wait_for_memberof(keys, entry_start, completed, show_command, adding=True): """ When adding or removing reverse members we are faking an update to @@ -240,6 +226,7 @@ class LDAPObject(Object): search_attributes_config = None default_attributes = [] hidden_attributes = ['objectclass', 'aci'] +rights_attributes = ['*', 'nsaccountlock', 'cospriority'] # set rdn_attribute only if RDN attribute differs from primary key! rdn_attribute = '' uuid_attribute = '' 
@@ -288,6 +275,19 @@ class LDAPObject(Object): pass return dn[len(self.primary_key.name) + 1:dn.find(',')] +def get_effective_rights(self, dn, attrs=None): +rdict = {} +if attrs is None: +attrs = self.rights_attributes +rights = self.backend.get_effective_rights(dn, attrs) +if 'attributelevelrights' in rights[1]: +rights = rights[1]['attributelevelrights'] +rights = rights[0].split(', ') +for r in rights: +(k, v) = r.split(':') +rdict[k.strip().lower()] = v +return rdict + def get_ancestor_primary_keys(self): if self.parent_object: parent_obj = self.api.Object[self.parent_object] @@ -674,8 +674,9 @@ class LDAPRetrieve(LDAPQuery): except errors.NotFound: self.obj.handle_not_found(*keys) -if options.get('rights', False) and options.get('all', False): -entry_attrs['attributelevelrights'] = get_effective_rights(ldap, dn) +if options.get('rights', False): +rights = self.obj.get_effective_rights(dn) +entry_attrs['attributelevelrights'] = rights for callback in self.POST_CALLBACKS: if hasattr(callback, 'im_self'): @@ -830,8 +831,9 @@ class LDAPUpdate(LDAPQuery, crud.Update): format=_('the entry was deleted while being modified') ) -if options.get('rights', False) and options.get('all', False): -entry_attrs['attributelevelrights'] = get_effective_rights(ldap, dn) +if options.get('rights', False): +rights = self.obj.get_effective_rights(dn) +entry_attrs['attributelevelrights'] = rights for callback in self.POST_CALLBACKS: if hasattr(callback, 'im_self'): diff --git a/ipalib/plugins/config.py b/ipalib/plugins/config.py index cabfd76..7c9f458 100644 --- a/ipalib/plugins/config.py +++ b/ipalib/plugins/config.py @@ -81,6 +81,9 @@ class config(LDAPObject): 'ipasearchrecordslimit', 'ipausersearchfields', 'ipagroupsearchfields', 'ipamigrationenabled', 'ipacertificatesubjectbase', ] +rights_attributes = LDAPObject.rights_attributes + [ +'ipahomesrootdir', 'ipagroupsearchfields', +] label = _('Configuration') 
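Review bot: the LDAPRetrieve and LDAPUpdate hunks drop the `and options.get('all', False)` part of the condition, so --rights now takes effect without --all; that is a behaviour change the commit message ("Enable custom list of attributes to retrieve effective rights") does not mention, so either document it or keep the condition. In the new get_effective_rights method, `(k, v) = r.split(':')` raises ValueError if an entry contains more or fewer than one colon; `r.split(':', 1)` with a length check fails more gracefully. The method also returns {} silently when 'attributelevelrights' is missing from the result, and the callers then store that empty dict as the entry's rights without any indication that nothing was retrieved.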
@@ -200,3 +203,4 @@ class config_show(LDAPRetrieve): """ api.register(config_show) + -- 1.7.1.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
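Review bot: this last hunk in config.py only appends a blank line after `api.register(config_show)`; drop it from the commit so the diff stays limited to the rights_attributes change.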
[Freeipa-devel] [PATCH] Fix search filter generator in ldap2 for NOT operator.
Search filters generated from attributes with multiple values were incorrect when the NOT operator was used (ldap.MATCH_NONE). Pavel >From 332fe9fc4d1c10fd20107afdb9328faea7d5c97c Mon Sep 17 00:00:00 2001 From: Pavel Zuna Date: Tue, 30 Nov 2010 21:53:28 -0500 Subject: [PATCH 1/2] Fix search filter generator in ldap2 for NOT operator. Search filters generated from attributes with multiple values were incorrect when the NOT operator was used (ldap.MATCH_NONE). --- ipaserver/plugins/ldap2.py |6 ++ 1 files changed, 6 insertions(+), 0 deletions(-) diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py index cbb8ddb..8f75dc0 100644 --- a/ipaserver/plugins/ldap2.py +++ b/ipaserver/plugins/ldap2.py @@ -450,6 +450,12 @@ class ldap2(CrudBackend, Encoder): """ if isinstance(value, (list, tuple)): flts = [] +if rules == self.MATCH_NONE: +for v in value: +flts.append( +self.make_filter_from_attr(attr, v, exact=exact) +) +return '(!%s)' % self.combine_filters(flts) for v in value: flts.append(self.make_filter_from_attr(attr, v, rules, exact)) return self.combine_filters(flts, rules) -- 1.7.1.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
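Review bot: in the new MATCH_NONE branch, `self.combine_filters(flts)` relies on the default rules argument to produce the disjunction that is then negated; pass the rules explicitly (`self.combine_filters(flts, self.MATCH_ANY)`) so the intended (!(|...)) shape is visible to the reader and does not silently change if the default does. The commit message should also state what the old code generated for a multi-valued NOT, since nothing in the hunk shows the previous (wrong) output.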
Re: [Freeipa-devel] [PATCH] Enable filtering search results by member attributes.
On 2010-11-30 04:06, Rob Crittenden wrote:

Pavel Zůna wrote:

LDAPSearch base class has now the ability to generate additional options for objects with member attributes. These options are used to filter search results - search only for objects without the specified members. Any class that extends LDAPSearch can benefit from this functionality. This patch enables it for the following objects: group, netgroup, rolegroup, hostgroup, taskgroup

Example: ipa group-find --no-users=admin

Only direct members are taken into account, but if we need indirect members as well - it's not a problem. Ticket #288 Pavel

This works as advertised but I wonder what would happen if a huge list of members was passed in to ignore. Is there a limit on the search filter size (remember that the member will be translated into a full dn so will quickly grow in size). Should we impose a configurable limit on the # of members to be excluded? Is there a max search filter size and should we check that we haven't exceeded that before doing a search? rob

I tried it out with more than 1000 users and was getting an unwilling to perform error (search filter nested too deep). After a little bit of investigation, I figured the filter was being generated like this: (&(&(!(a=v))(!(a2=v2 We were going deeper with each additional DN! I updated the patch to generate the filter like this instead: (!(|(a=v)(a2=v2))) Tried it again with more than 1000 users (~55Kb) - it worked and wasn't even slow. Updated patch attached. I also had to fix a bug in ldap2 filter generator, as a result this patch depends on my patch number 43. Pavel

>From b8c6fa683715d0221b1be33dde6b8065283125d3 Mon Sep 17 00:00:00 2001
From: Pavel Zuna Date: Mon, 29 Nov 2010 06:44:09 -0500 Subject: [PATCH 2/2] Enable filtering search results by member attributes. LDAPSearch base class has now the ability to generate additional options for objects with member attributes. These options are used to filter search results - search only for objects without the specified members. Example: ipa group-find --no-users=admin Only direct members are taken into account. Ticket #288 --- ipalib/plugins/baseldap.py | 34 +- ipalib/plugins/group.py |2 ++ ipalib/plugins/hostgroup.py |2 +- ipalib/plugins/netgroup.py |1 + ipalib/plugins/rolegroup.py |2 +- ipalib/plugins/taskgroup.py |2 +- 6 files changed, 39 insertions(+), 4 deletions(-) diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py index a67b84d..ea5454b 100644 --- a/ipalib/plugins/baseldap.py +++ b/ipalib/plugins/baseldap.py @@ -1091,6 +1091,9 @@ class LDAPSearch(CallbackInterface, crud.Search): """ Retrieve all LDAP entries matching the given criteria. """ +member_attributes = [] +member_param_doc = 'exclude %s with member %s (comma-separated list)' + takes_options = ( Int('timelimit?', label=_('Time Limit'), 
@@ -1118,6 +1121,33 @@ class LDAPSearch(CallbackInterface, crud.Search): def get_options(self): for option in super(LDAPSearch, self).get_options(): yield option +for attr in self.member_attributes: +for ldap_obj_name in self.obj.attribute_members[attr]: +ldap_obj = self.api.Object[ldap_obj_name] +name = to_cli(ldap_obj_name) +doc = self.member_param_doc % ( +self.obj.object_name_plural, ldap_obj.object_name_plural +) +yield List('no_%s?' % name, cli_name='no_%ss' % name, doc=doc, + label=ldap_obj.object_name) + +def get_member_filter(self, ldap, **options): +filter = '' +for attr in self.member_attributes: +for ldap_obj_name in self.obj.attribute_members[attr]: +param_name = 'no_%s' % to_cli(ldap_obj_name) +if param_name in options: +dns = [] +ldap_obj = self.api.Object[ldap_obj_name] +for pkey in options[param_name]: +dns.append(ldap_obj.get_dn(pkey)) +flt = ldap.make_filter_from_attr( +attr, dns, ldap.MATCH_NONE +) +filter = ldap.combine_filters( +(filter, flt), ldap.MATCH_ALL +) +return filter has_output_params = global_output_params @@ -1159,8 +1189,10 @@ class LDAPSearch(CallbackInterface, crud.Search): search_kw[a] = term term_filter = ldap.make_filter(search_kw, exact=False) +member_filter = self.get_member_filter(ldap, **options) + filter = ldap.combine_filters( -(term_filter, attr_filter), rules=ldap.MATCH_ALL +
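Review bot: in get_member_filter, `filter` starts as '' and is handed to ldap.combine_filters with MATCH_ALL on the first iteration, so the result depends on combine_filters discarding empty filters; skipping the combine while the accumulator is empty makes that explicit (and renaming the variable avoids shadowing the builtin). `member_param_doc` is a plain string while the other param docs in these plugins are wrapped in `_()`, so the generated --no-* options will not be translated. The DNs built with ldap_obj.get_dn(pkey) come straight from user input and are embedded into the search filter; confirm that make_filter_from_attr escapes filter metacharacters in them rather than assuming get_dn output is safe.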
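As an added example covering both the MATCH_NONE fix in patch 1/2 and the "search filter nested too deep" problem discussed in this thread, the filter builder below (not FreeIPA's ldap2 code; the MATCH_* names, make_filter_from_attr and combine_filters mirror the methods discussed but are reimplemented here, and escape_filter_value is an added helper) shows why the flat (!(|...)) form keeps the nesting depth constant while the AND-of-negations form grows by one level per excluded member.

```python
"""Added example, not FreeIPA's ldap2 code. Builds the flat NOT filter the
thread settled on and contrasts it with the nested form that hit the server's
nesting limit. Function names mirror the ldap2 methods discussed on the list
(make_filter_from_attr, combine_filters) but are reimplemented here."""

MATCH_ANY = '|'
MATCH_ALL = '&'
MATCH_NONE = '!'


def escape_filter_value(value):
    """RFC 4515 escaping: a user-supplied value (a pkey, or a DN built from
    one) must not be able to close or extend the filter expression."""
    out = []
    for ch in value:
        if ch in '*()\\\x00':
            out.append('\\%02x' % ord(ch))
        else:
            out.append(ch)
    return ''.join(out)


def combine_filters(filters, rules=MATCH_ANY):
    """Join filters with one operator. Empty filters are dropped, so an
    absent member filter ('') never produces a one-child (&...) wrapper."""
    filters = [f for f in filters if f]
    if not filters:
        return ''
    if len(filters) == 1:
        return filters[0]
    return '(%s%s)' % (rules, ''.join(filters))


def make_filter_from_attr(attr, value, rules=MATCH_ANY, exact=True):
    """Filter for one attribute; a list of values becomes a combined filter.
    For MATCH_NONE a list is emitted flat as (!(|(a=v1)(a=v2)...))."""
    if isinstance(value, (list, tuple)):
        if rules == MATCH_NONE:
            flts = [make_filter_from_attr(attr, v, exact=exact) for v in value]
            return '(!%s)' % combine_filters(flts, MATCH_ANY)
        flts = [make_filter_from_attr(attr, v, rules, exact) for v in value]
        return combine_filters(flts, rules)
    value = escape_filter_value(value)
    if not exact:
        value = '*%s*' % value  # substring match, as for --all-style searches
    if rules == MATCH_NONE:
        return '(!(%s=%s))' % (attr, value)
    return '(%s=%s)' % (attr, value)


def nested_not_filter(attr, values):
    """The pre-fix shape: AND-ing one negation at a time nests one level
    deeper for every additional value."""
    flt = ''
    for v in values:
        flt = combine_filters(
            (flt, make_filter_from_attr(attr, v, MATCH_NONE)), MATCH_ALL
        )
    return flt


def nesting_depth(flt):
    """Maximum parenthesis depth, which is what the server's limit counts."""
    depth = best = 0
    for ch in flt:
        if ch == '(':
            depth += 1
            best = max(best, depth)
        elif ch == ')':
            depth -= 1
    return best


def member_exclusion_filter(term_filter, attr, member_dns):
    """What `group-find --no-users=...` needs: entries matching the search
    term that have none of the given DNs in `attr`."""
    if member_dns:
        member_filter = make_filter_from_attr(attr, member_dns, MATCH_NONE)
    else:
        member_filter = ''
    return combine_filters((term_filter, member_filter), MATCH_ALL)


if __name__ == '__main__':
    # constructed sample DNs, roughly the size of the 1000-user test above
    dns = ['uid=user%d,cn=users,cn=accounts,dc=example,dc=com' % i
           for i in range(1000)]
    print(nesting_depth(nested_not_filter('member', dns)))           # 1001
    print(nesting_depth(make_filter_from_attr('member', dns, MATCH_NONE)))  # 3
    print(member_exclusion_filter('(cn=*admin*)', 'member', dns[:2]))
```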
[Freeipa-devel] [PATCH] Enable filtering search results by member attributes.
LDAPSearch base class has now the ability to generate additional options for objects with member attributes. These options are used to filter search results - search only for objects without the specified members. Any class that extends LDAPSearch can benefit from this functionality. This patch enables it for the following objects: group, netgroup, rolegroup, hostgroup, taskgroup Example: ipa group-find --no-users=admin Only direct members are taken into account, but if we need indirect members as well - it's not a problem. Ticket #288 Pavel pzuna-freeipa-0042-filterenroll.patch Description: application/mbox ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] Add new version of DNS plugin: complete rework with baseldap + unit tests.
On 2010-11-24 16:21, Adam Young wrote:

On 11/24/2010 03:46 AM, Pavel Zuna wrote:

On 11/24/2010 03:26 AM, Adam Young wrote:

On 11/23/2010 09:37 AM, Pavel Zuna wrote:

Finally managed to rewrite the DNS plugin again. Sorry, it took so long, we had training in the office and I also had a nasty bug in baseldap.py I couldn't find. Anyway, this version has it all:
- changes we agreed on meeting, the "resource" abstraction is gone and we now only have zones and records = adding new record automatically updates an existing entry or creates it if it wasn't there and deleting the last record deletes the whole entry - all of it transparent to the user
- unit tests
- ipa help documentation

Fixes tickets: #36 #450

I also closed bug #654412. It has a new patch sequence number, because it depends on another patch with a higher number and didn't want to create forward dependencies. Depends on my patches number: 35 (will repost if needed) 38 (posted a while ago on freeipa-devel) Pavel

___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel

I keep getting an error when doing simple things like install and ipa help:

[ayo...@ipa freeipa]$ ./ipa help dns2 ipa: ERROR: AttributeError: cannot override NameSpace.idnsname value Str('idnsname', cli_name='name', doc=Gettext('Zone name (FQDN)', domain='ipa', localedir=None), label=Gettext('Zone name', domain='ipa', localedir=None), multivalue=False, normalizer=, primary_key=True, query=True, required=True) with Str('idnsname', attribute=True, cli_name='name', doc=Gettext('Record name', domain='ipa', localedir=None), label=Gettext('Record name', domain='ipa', localedir=None), multivalue=False, primary_key=True, query=True, required=True) Traceback (most recent call last): File "/home/ayoung/devel/freeipa/ipalib/cli.py", line 962, in run api.finalize() File "/home/ayoung/devel/freeipa/ipalib/plugable.py", line 615, in finalize p.instance.finalize() File "/home/ayoung/devel/freeipa/ipalib/frontend.py", line 724, in finalize self._create_param_namespace('args') File "/home/ayoung/devel/freeipa/ipalib/frontend.py", line 350, in _create_param_namespace sort=False File "/home/ayoung/devel/freeipa/ipalib/base.py", line 407, in __init__ (self.__class__.__name__, name, self.__map[name], member) AttributeError: cannot override NameSpace.idnsname value Str('idnsname', cli_name='name', doc=Gettext('Zone name (FQDN)', domain='ipa', localedir=None), label=Gettext('Zone name', domain='ipa', localedir=None), multivalue=False, normalizer=, primary_key=True, query=True, required=True) with Str('idnsname', attribute=True, cli_name='name', doc=Gettext('Record name', domain='ipa', localedir=None), label=Gettext('Record name', domain='ipa', localedir=None), multivalue=False, primary_key=True, query=True, required=True) ipa: ERROR: an internal error has occurred

That's because you need my patch number 35 for it to work... Pavel

OK, with that change, the patch applies and works. I've tested:
- creating a zone
- Creating an a record
- Adding an a record entry to an existing entry (calling ipa dnsrecord-add a second time with just a different ip address)
- Adding an record.
- Deleting one and multiple records

One thing that is a little counter intuitive is that you have to specify which records to delete: just running ipa dnsrecord-del ayoung.test.ipa.redhat.com hiphop doesn't delete all records with the A name of hiphop. I think this is the right behavior, but it should be better documented.

Ok, I'm going to add a few lines about it in the docstring (ipa help). Maybe we should have an option to delete all records associated with a resource name. For example when someone is deleting a host from DNS and wants all of its records gone.

Have to hold off on pushing it due to F14: python-netaddr Isn't in F14, so we are adding a new python package with this plugin, too.

Pavel ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] Add new version of DNS plugin: complete rework with baseldap + unit tests.
On 2010-11-09 05:07, Pavel Zůna wrote:

Finally, there it is. :) I redesigned the whole thing to fit the baseldap model. Here's some example on how it's used:

# create zone 'example.com'
# ipa dnszone-add example.com --name=ns.example.com --admin=ad...@example.com
# create a resource in zone 'example.com' named 'machine1'
# (machine1.example.com) with A record 10.10.0.1
# ipa dnsres-add example.com machine1 --a-rec=10.10.0.1
# Add another A record to 'machine1' in 'example.com'
# ipa dnsres-add-record example.com machine1 --a-rec=10.10.0.2
# Remove one of the A records from 'machine1' in 'example.com'
# ipa dnsres-remove-record example.com machine1 --a-rec=10.10.0.1

The plugin is pretty complex and requires my patch number 35 to work. There is a bunch of unit tests, so hopefully it won't be too much pain to review. You can use both dns and dns2 at the same time. When dns2 is tested enough, it should replace the original dns plugin. docstring (ipa help dns2) documentation will follow soon in a separate patch. Pavel

Forgot to mention that this solves: Ticket #36 Ticket #450 Pavel

___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] Replace 'Locking' in `ipa help user` with 'Disabling'.
Ticket #452 Pavel >From e03d082523a677b1d57e829ba10c31fd7f8d87b5 Mon Sep 17 00:00:00 2001 From: Pavel Zuna Date: Mon, 8 Nov 2010 22:45:27 -0500 Subject: [PATCH] Replace 'Locking' in `ipa help user` with 'Disabling'. Ticket #452 --- ipalib/plugins/user.py |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py index 536848b..726177c 100644 --- a/ipalib/plugins/user.py +++ b/ipalib/plugins/user.py @@ -22,7 +22,7 @@ Users Manage user entries. All users are POSIX users. -Locking a user account prevents that user from obtaining new Kerberos +Disabling a user account prevents that user from obtaining new Kerberos credentials. It does not invalidate any credentials that have already been issued. -- 1.7.1.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] Add new version of DNS plugin: complete rework with baseldap + unit tests.
Finally, there it is. :) I redesigned the whole thing to fit the baseldap model. Here's some example on how it's used:

# create zone 'example.com'
# ipa dnszone-add example.com --name=ns.example.com --admin=ad...@example.com
# create a resource in zone 'example.com' named 'machine1'
# (machine1.example.com) with A record 10.10.0.1
# ipa dnsres-add example.com machine1 --a-rec=10.10.0.1
# Add another A record to 'machine1' in 'example.com'
# ipa dnsres-add-record example.com machine1 --a-rec=10.10.0.2
# Remove one of the A records from 'machine1' in 'example.com'
# ipa dnsres-remove-record example.com machine1 --a-rec=10.10.0.1

The plugin is pretty complex and requires my patch number 35 to work. There is a bunch of unit tests, so hopefully it won't be too much pain to review. You can use both dns and dns2 at the same time. When dns2 is tested enough, it should replace the original dns plugin. docstring (ipa help dns2) documentation will follow soon in a separate patch. Pavel

>From defad70e665a5c126e56032bfc5ed698363eef9f Mon Sep 17 00:00:00 2001 From: Pavel Zuna Date: Mon, 8 Nov 2010 22:34:14 -0500 Subject: [PATCH] Add new version of DNS plugin: complete rework with baseldap + unit tests. --- ipalib/plugins/dns2.py | 504 ++ tests/test_xmlrpc/test_dns_plugin.py | 360 2 files changed, 864 insertions(+), 0 deletions(-) create mode 100644 ipalib/plugins/dns2.py create mode 100644 tests/test_xmlrpc/test_dns_plugin.py diff --git a/ipalib/plugins/dns2.py b/ipalib/plugins/dns2.py new file mode 100644 index 000..5b36d37 --- /dev/null +++ b/ipalib/plugins/dns2.py
@@ -0,0 +1,504 @@ +# Authors: +# Pavel Zuna +# +# Copyright (C) 2010 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation; version 2 only +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + +import time + +from ipalib import api, errors, output +from ipalib import Command +from ipalib import Flag, Int, List, Str, StrEnum +from ipalib.plugins.baseldap import * +from ipalib import _, ngettext + +# supported resource record types +_record_types = ( +u'A', u'', u'A6', u'AFSDB', u'CERT', u'CNAME', u'DNAME', +u'DS', u'HINFO', u'KEY', u'KX', u'LOC', u'MD', u'MINFO', u'MX', +u'NAPTR', u'NS', u'NSEC', u'NXT', u'PTR', u'RRSIG', u'SSHFP', +u'SRV', u'TXT', +) + +# attributes derived from record types +_record_attributes = [str('%srecord' % t.lower()) for t in _record_types] + +# supported DNS classes, IN = internet, rest is almost never used +_record_classes = (u'IN', u'CS', u'CH', u'HS') + +# normalizer for admin email +def _rname_normalizer(value): +value = value.replace('@', '.') +if not value.endswith('.'): +value += '.' +return value + +def _create_zone_serial(**kwargs): +"""Generate serial number for zones.""" +return int('%s01' % time.strftime('%Y%d%m')) + + +class dnszone(LDAPObject): +""" +DNS Zone, container for resource records. 
+""" +container_dn = api.env.container_dns +object_name = 'DNS zone' +object_name_plural = 'DNS zones' +object_class = ['top', 'idnsrecord', 'idnszone'] +default_attributes = [ +'idnsname', 'idnszoneactive', 'idnssoamname', 'idnssoarname', +'idnssoaserial', 'idnssoarefresh', 'idnssoaretry', 'idnssoaexpire', +'idnssoaminimum' +] + _record_attributes +label = _('DNS zone') + +takes_params = ( +Str('idnsname', +cli_name='name', +label=_('Zone name'), +doc=_('Zone name (FQDN)'), +normalizer=lambda value: value.lower(), +primary_key=True, +), +Str('idnssoamname', +cli_name='name_server', +label=_('Authoritative name server'), +doc=_('Authoritative name server'), +), +Str('idnssoarname', +cli_name='admin_email', +label=_('Administrator e-mail address'), +doc=_('Administrator e-mail address'), +default_from=lambda idnsname: 'root.%s' % idnsname, +normalizer=_rname_normalizer, +), +Int('idnssoaserial?', +cli_name='serial', +label=_('SOA serial'), +doc=_('SOA record serial number'), +create_default=_create_zone_serial, +autofill=True, +), +Int('idnssoa
[Freeipa-devel] [PATCH] Rename parent LDAPObject pkeys in child LDAPObject methods.
If the parent and child entries have the same attribute as primary key (such as in the DNS schema), we need to rename the parent key to prevent a param name conflict. It has no side effects, because the primary key name is always taken from the LDAPObject params, never from the method params. Pavel >From 88e1399e5a1271d95bafef3f83206181b6b7b88b Mon Sep 17 00:00:00 2001 From: Pavel Zuna Date: Mon, 8 Nov 2010 22:36:04 -0500 Subject: [PATCH] Rename parent LDAPObject pkeys in child LDAPObject methods. If the parent and child entries have the same attribute as primary key (such as in the DNS schema), we need to rename the parent key to prevent a param name conflict. It has no side effects, because the primary key name is always taken from the LDAPObject params, never from the method params. --- ipalib/plugins/baseldap.py |6 +- 1 files changed, 5 insertions(+), 1 deletions(-) diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py index 6bf9b3b..ff5dba9 100644 --- a/ipalib/plugins/baseldap.py +++ b/ipalib/plugins/baseldap.py @@ -232,7 +232,11 @@ class LDAPObject(Object): for key in parent_obj.get_ancestor_primary_keys(): yield key if parent_obj.primary_key: -yield parent_obj.primary_key.clone(query=True) +pkey = parent_obj.primary_key +yield pkey.__class__( +parent_obj.name + pkey.name, required=True, query=True, +cli_name=parent_obj.name, label=pkey.label +) def convert_attribute_members(self, entry_attrs, *keys, **options): if options.get('raw', False): -- 1.7.1.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
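Review bot: replacing `parent_obj.primary_key.clone(query=True)` with a freshly constructed `pkey.__class__(...)` keeps only the label, required, query and cli_name, so everything else set on the parent's primary key is lost in the child's methods, for example its doc (the option ends up with no help text) and any normalizer, such as the lower-casing one the dns2 patch on this list defines for the zone's idnsname. Cloning the existing param under the new name, so that the remaining attributes are carried over as clone() does, would avoid that; at minimum pass `doc=pkey.doc` through.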
Re: [Freeipa-devel] [PATCH] Check if attribute is single-value before trying to add values to it.
On 2010-10-14 19:20, Rob Crittenden wrote: Pavel Zuna wrote: On 10/14/2010 12:01 AM, Rob Crittenden wrote: Pavel Zuna wrote: This patch adds a check in ldap2 for single-value attributes. DS doesn't seem to care much about attributes being defined as SINGLE-VALUE except for things like uidNumber and gidNumber (I suspect this is handled by the DNA plugin). Ticket #246 Pavel This is similar to ticket 220 which I have a pending patch for (patch 552). I think both patches are valid but we should test them together to be sure. Can you do that? rob I had to NACK your patch number 552, because the check was in the wrong place. Both patches overlap in functionality, so I decided to merge them into a new version of my original patch. I split the single-value check into two parts: First part is in baseldap classes (LDAPCreate, LDAPUpdate) and it checks if we're not trying to add more values to a Param defined attribute, that is not flagged as multivalue. Second part is in the ldap2 backend. It checks if we're not trying to add more values to an attribute, that is defined as SINGLE-VALUE in the schema. Unfortunately, it seems that python-ldap isn't capable of reporting the SINGLE-VALUE flag reliably and DS doesn't enforce it at all. In other words, this check is a bit weak, but still better than nothing. I hope you don't mind I merged both patches, but it seemed simpler and we can knock out 2 tickets in one commit. :) Ticket #230 Ticket #246 Pavel Ack if you fix 2 things: 1. Change the error message of the exception to match the exception name, 'only one value allowed' instead of 'attribute is single-value' Ok. 2. You added a space between desc and info in the DatabaseError exception. The example fails because there is no space after the colon (at least for me, since my editor wipes out trailing white space automatically). Can we either drop the space or add something for info to the example? 
I choose to add something for info, because other exceptions make use of a space after colon in their formats. rob Version 3 attached. Pavel >From dc610f88397d9e88a0376ef91702dfbae8a87e89 Mon Sep 17 00:00:00 2001 From: Pavel Zuna Date: Thu, 14 Oct 2010 13:05:43 -0400 Subject: [PATCH] Disallow RDN change and single-value bypass using setattr/addattr. Merge of my original patch number 32 and Rob's patch number 552. Ticket #230 Ticket #246 --- ipalib/errors.py | 37 ++--- ipalib/frontend.py |2 +- ipalib/plugins/baseldap.py | 14 +- ipaserver/plugins/ldap2.py | 44 +++- 4 files changed, 79 insertions(+), 18 deletions(-) diff --git a/ipalib/errors.py b/ipalib/errors.py index 42d43ce..697ae06 100644 --- a/ipalib/errors.py +++ b/ipalib/errors.py @@ -1155,14 +1155,14 @@ class DatabaseError(ExecutionError): For example: ->>> raise DatabaseError(desc="Can't contact LDAP server", info='') +>>> raise DatabaseError(desc="Can't contact LDAP server", info='Info goes here') Traceback (most recent call last): ... -DatabaseError: Can't contact LDAP server: +DatabaseError: Can't contact LDAP server: Info goes here """ errno = 4203 -format = _('%(desc)s:%(info)s') +format = _('%(desc)s: %(info)s') class LimitsExceeded(ExecutionError): 
@@ -1195,6 +1195,37 @@ class ObjectclassViolation(ExecutionError): errno = 4205 format = _('%(info)s') +class NotAllowedOnRDN(ExecutionError): +""" +**4206** Raised when an RDN value is modified. + +For example: + +>>> raise NotAllowedOnRDN() +Traceback (most recent call last): + ... +NotAllowedOnRDN: modifying primary key is not allowed +""" + +errno = 4206 +format = _('modifying primary key is not allowed') + + +class OnlyOneValueAllowed(ExecutionError): +""" +**4207** Raised when trying to set more than one value to single-value attributes + +For example: + +>> raise OnlyOneValueAllowed(attr='ipasearchtimelimit') +Traceback (most recent call last): + ... +OnlyOneValueAllowed: ipasearchtimelimit: attribute is single-value +""" + +errno = 4207 +format = _('%(attr)s: Only one value allowed.') + class CertificateError(ExecutionError): """ diff --git a/ipalib/frontend.py b/ipalib/frontend.py index 5486a19..473e233 100644 --- a/ipalib/frontend.py +++ b/ipalib/frontend.py @@ -504,7 +504,7 @@ class Command(HasParam): a dictionary. The incoming attribute may be a string or a list. -Any attribute found that is also a param is silently dropped. +Any attribute found that is also a param is validated. append controls whether this returns a list of values or a single value. diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py index 2335a7a..caa616a 100644 --- a/ipalib/plugins/baseldap.py +++ b/ipalib/plugins/baseldap.py @@ -157,6 +157,14 @@ _attr_opt
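Review bot: the OnlyOneValueAllowed docstring example uses `>>` instead of `>>>`, so doctest never runs it, and its expected output ('ipasearchtimelimit: attribute is single-value') no longer matches the format string ('%(attr)s: Only one value allowed.') after the message rename Rob asked for; change it to `>>> raise OnlyOneValueAllowed(attr='ipasearchtimelimit')` with the expected line `OnlyOneValueAllowed: ipasearchtimelimit: Only one value allowed.`. The DatabaseError example fix (adding 'Info goes here' to both the call and the expected output) is consistent with the new '%(desc)s: %(info)s' format.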
Re: [Freeipa-devel] Proposed Javascript coding standards
On 2010-09-13 23:46, Simo Sorce wrote: On Mon, 13 Sep 2010 17:02:19 -0400 Adam Young wrote:

There is a really nasty bug that the "same line" policy avoids. Javascript often attempts to guess where you meant to put semicolons, and puts them in for you, without telling you.

    return
    {
        status: true;
    };

actually returns undefined. I fully acknowledge that this is brain dead. There are some really brain-dead "features" in JavaScript. It is easier to be consistent here, hence the rule "always put it on the opening statement line."

Ok, in that case please note the rationale in the coding style. Also though in that case I think function() { (with the space) is better than function(){, unless the space is what causes javascript to put in the automatic ';'. If that's the case I hate it :)

For functions I also prefer:

    func()
    {
    }

but only use it for file scope (thus global) functions in Javascript. For nested functions and every other compound statement:

    func() {
    }

I wouldn't mind switching to the second variant for everything for consistency.

We also banned C++ style comments in C code, /* */ is preferred and should never be added on the same line of code but only on the previous line.

I'm OK with that rule. C++ style comments are only to be used for commenting out code, which probably shouldn't get checked in anyway.

Given space matters in javascript I say that the git history is where you put unused code, not in comments :)

Simo.

I don't like the 'spec' object to be used instead of naming each variable separately for parameter lists of functions. I think it's very artificial. I do agree that being able to do this:

    function some_func(spec) {
        return (spec.param1 + spec.param2);
    }

    var some_var = some_func({'param1': 'value1', 'param2': 'value2'})

is nice, but it makes the code less readable. You can't tell directly what parameters the function takes.

The rest is almost 100% compatible with my coding style, so naturally I agree. :D

Pavel
Re: [Freeipa-devel] [PATCH] admiyo-freeipa-0016-sampledata.patch
On 2010-08-30 16:01, Adam Young wrote: This patch uses the protocol part of the URL to decide whether or not to use sample data. Thus, file: -> use sample data; http:, https: -> don't. This will prevent the use of sample data in the lite-server. It also reduces by one the number of page requests back to the server upon page load.

ACK for now, but read comment below. I would rather see the useSampleData assignment outside of ipa.js. Same argument as I used with DetailsForm in details.js on IRC last week. It's a project specific thing and files that implement interfaces starting with "ipa_" are meant to be independent of everything except the core library (ipalib). I'm going to start a new discussion on the list about this. Acking for now, because we can always move the code later, and I don't want to slow things down.

Pavel
Re: [Freeipa-devel] [PATCH] 517 updated command documentation
On 2010-08-25 05:52, Rob Crittenden wrote: David O'Brien reviewed all the per-command documentation last month and provided a ton of great feedback. I've applied all his changes. rob ACK. Pavel ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] Add 'hint' kwarg to Param. Used for context help in webUI.
On 2010-08-25 15:52, Rob Crittenden wrote: Pavel Zůna wrote: Used like this:

    Str('someparam',
        cli_name='sp',
        label='Some Param',
        hint='Use at own risk!',
    ),

After the following patch (pzuna-freeipa-0021-details), it will show up in the webUI as (details page):

    Some Param: [ ]
    Hint: Use at own risk!

How will hint vary from the doc attribute we already have in a Param? rob

Hint is what is displayed in the webUI as context help; it should give the user a basic idea about HOW to enter values. Doc, on the other hand, is more general and should say WHAT the attribute represents.

Pavel
Re: [Freeipa-devel] [PATCH] Make changes to details.js. See commit message.
On 2010-08-25 13:54, Pavel Zůna wrote: First off: I know I promised this patch yesterday, but I just didn't make it - I fell asleep on the keyboard and there were still some things to fix. :)

This patch has some of the most important things that we discussed on Tuesday last week, namely:
- Add/Remove links are now only available for multivalue attributes (Param.multivalue = true) and attributes with param types that are multivalue by definition (as of now only List). Single-value attributes with no value are displayed as empty input elements.
- When updating an attribute, leading and trailing spaces are stripped.
- Context help is available in the form of hints that are extracted from Param.hint.

I know there was more, but the rest of it is related to specific attributes (it doesn't affect details pages for all objects) and will be in another patch.

Most of this won't show at the moment, because meta-data is still missing for a lot of attributes that we display in the webUI. For testing on the user page, you can add the title attribute to takes_params in the user class, e.g.:

    takes_params = (
        Str('title',
            cli_name='title',
            label=_('Title'),
            hint=_('Enter job or academic title.'),
            multivalue=True,  # just to test the multivalue functionality
        ),
        # ...
    )

For testing using the lite-server, I suggest you modify install/static/sampledata/metadata.js.

By the way, the patch modifies details.js and ipa.css, so it should go smoothly with Adam's patch n.0015.

Pavel

One more thing I forgot to mention: The patch is a bit inflated, because it fixes quite a lot of places where tabs and spaces got mixed together.

Pavel
[Freeipa-devel] [PATCH] Add 'hint' kwarg to Param. Used for context help in webUI.
Used like this:

    Str('someparam',
        cli_name='sp',
        label='Some Param',
        hint='Use at own risk!',
    ),

After the following patch (pzuna-freeipa-0021-details), it will show up in the webUI as (details page):

    Some Param: [ ]
    Hint: Use at own risk!

Pavel

pzuna-freeipa-0020-hint.patch
[Freeipa-devel] [PATCH] Make changes to details.js. See commit message.
First off: I know I promised this patch yesterday, but I just didn't make it - I fell asleep on the keyboard and there were still some things to fix. :)

This patch has some of the most important things that we discussed on Tuesday last week, namely:
- Add/Remove links are now only available for multivalue attributes (Param.multivalue = true) and attributes with param types that are multivalue by definition (as of now only List). Single-value attributes with no value are displayed as empty input elements.
- When updating an attribute, leading and trailing spaces are stripped.
- Context help is available in the form of hints that are extracted from Param.hint.

I know there was more, but the rest of it is related to specific attributes (it doesn't affect details pages for all objects) and will be in another patch.

Most of this won't show at the moment, because meta-data is still missing for a lot of attributes that we display in the webUI. For testing on the user page, you can add the title attribute to takes_params in the user class, e.g.:

    takes_params = (
        Str('title',
            cli_name='title',
            label=_('Title'),
            hint=_('Enter job or academic title.'),
            multivalue=True,  # just to test the multivalue functionality
        ),
        # ...
    )

For testing using the lite-server, I suggest you modify install/static/sampledata/metadata.js.

By the way, the patch modifies details.js and ipa.css, so it should go smoothly with Adam's patch n.0015.

Pavel

pzuna-freeipa-0021-details.patch
Re: [Freeipa-devel] [PATCH] admiyo-freeipa-0015 hashchange
On 2010-08-24 23:57, Adam Young wrote: This is a fairly substantial patch that makes use of the hashchange event to drive the site. It affects just about all places where click events are triggered.

Just started reviewing the patch a few moments ago. Just 2 notes in advance: 1) It doesn't apply after the
Re: [Freeipa-devel] [PATCH] Fix script tags in index.xhtml. End tag is required.
On 2010-08-20 02:26, Adam Young wrote: On 08/19/2010 06:51 PM, Pavel Zůna wrote: On 2010-08-20 00:48, Pavel Zůna wrote: The paste server had some issues with it and end tags are required by the standard anyway. Pavel

I forgot to mention that this applies after Adam's 0009 patch (updated Hash Params). Pavel

Is this only a problem on the javascript tags, or are we going to see a problem on all of the xhtml that doesn't use closing tags? Either way, it should be filed as an upstream bug.

I think it's just the script tags. From wiki (http://en.wikipedia.org/wiki/XHTML): The format , rather than the more concise , is required for HTML compatibility when served as MIME type text/html.

I know we were using application/xhtml+json at some point in the old UI. text/html seems to have better support though.

Pavel
Re: [Freeipa-devel] BA-BBQ
On 2010-08-23 16:41, Adam Young wrote: On 08/23/2010 07:51 AM, Pavel Zuna wrote: On 08/23/2010 04:12 AM, Adam Young wrote: Pavel, Thoughts of jquery.ba-bbq have been marinating in the back of my brain. I know that the Back button doesn't work so well with hashparams, and that BBQ purports to fix this, but I had some sort of mental shift I had to make. I think I have it now.

BBQ, and in fact the whole AJAX approach, works off of client side code, which means the whole hash params approach. What I didn't get was that the best approach to dealing with this was to drive the site off of the event that happens when the url hash changes. We need to do this. Basically, navigation.js registers:

    $(window).bind( 'hashchange', function(e) { ... }

This function gets called each time the URL hash changes, which happens on either a tab click or on a back button (let's start with those two, there will be more). So basically, this function is our dispatch. Instead of having to register the onclick functions for each of the tabs, we know that they will all end up in this function, and then we let it parse the params for us.

BBQ has the concept of a stack, where we can push and pop state. This might be useful for pushing a query, going to the details page, and then popping the query afterwards. I'm still mulling this over.

Note, we will want to replace the custom hash param working we are doing with JQuery.deparam and JQuery.param calls, as they are much more mature, and it is less code we have to debug.

Sure, from what I've read in jQuery docs, it looks more powerful than what we currently have.

The thing I have to figure out now is what this will do to navigation on the details, add and groups pages.

I don't think it will be a problem. Functional links (such as Reset, Update, Add, Remove) are only used to run javascript functions - the URL, query string or hash doesn't change. Most of these actions are also "one way" only. We don't want the user to be able to go Back after he updated an entry. (Going back in this case should probably bring him back to the search page.) Pavel

I notice he uses JQuery.ui Tabs for his demo. I wonder if we want to move to that as well? http://benalman.com/code/projects/jquery-bbq/examples/fragment-jquery-ui-tabs/

You mean this example, right? It looks good and if it can simplify our code, why not. I'll take a look at the API and maybe play around with it a little.

Pavel
Re: [Freeipa-devel] [PATCH] Fix script tags in index.xhtml. End tag is required.
On 2010-08-20 00:48, Pavel Zůna wrote: The paste server had some issues with it and end tags are required by the standard anyway. Pavel I forgot to mention that this applies after Adam's 0009 patch (updated Hash Params). Pavel ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] Hash Params Redux
On 2010-08-18 22:59, Adam Young wrote: The patch replaces the earlier Hash Params patch. It fixes the build issues, and fixes the group details page as well. Git still reports white space errors, but that's hardly a show stopper.

ACK. Pavel
Re: [Freeipa-devel] [PATCH] Change the behaviour of addattr/setattr parameters
On 2010-08-12 14:38, Rob Crittenden wrote: Pavel Zůna wrote: On 2010-08-12 04:46, Rob Crittenden wrote: Pavel Zůna wrote: setattr and addattr can now be used both to set all values of ANY attribute. The last setattr always resets the attribute to the specified value and all addattr append to it. Examples:

    user-mod testuser --setattr=title=msc
    title: msc
    user-mod testuser --setattr=title=msb
    title: msb
    user-mod testuser --addattr=title=msc
    title: msb, msc
    user-mod testuser --setattr=title=
    title:
    user-mod testuser --setattr=title=msc --addattr=msb
    title: msc, msb
    user-mod testuser --setattr=title=ing --addattr=bc
    title: ing, bc
    user-mod testuser --setattr=title=doc
    title: doc

It's not very user friendly, but it's going to be used very very rarely in special conditions in the CLI and we can use it to save lots of JSON-RPC roundtrips in the webUI. Pavel

It was my intention when I added addattr and setattr that one couldn't set already-defined params this way. They were silently ignored. So you couldn't do:

    user-mod testuser --setattr=givenname=Jeff

This would be possible with this patch. Was that intentional? BTW I have the start of a test suite for this functionality. rob

Yes, it is intentional. I forgot to mention it in the description. I'm using setattr/addattr for everything in the webUI - it makes the code a lot simpler.

Doesn't that invalidate all the validators we have in the plugins? This is why I disallowed it. rob

It does, but I see these options as something only experienced users, who need to set something we don't support directly, will use. Sometimes they might want to disable the validators, if they know what they're doing. We could also make the setattr/addattr handler in frontend.py detect if there's a validator available and use it.

Validators in the webUI are still something we need to figure out. Adam was proposing having validators in the form of regex strings, which is not a bad idea as it's easy to implement on any platform/language. On the other hand, I don't know if it's good enough for all parameters we have. Hmm. There's a lot to think about here actually. I'll make it my homework for the weekend. :)

Pavel
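The --setattr/--addattr semantics from the user-mod examples in this thread (and in the original patch description further down), together with the validator question Rob raises, as an added Python model that is not FreeIPA's code: apply_attr_options() replays the title sequence from the thread, and bypass_is_caught() contrasts the unchecked path with one that runs a matching param's validator, single-value limit and primary-key (RDN) check, the checks the 'Disallow RDN change and single-value bypass' patch earlier on this page adds. Param, ValidationError, mail_validator and USER_PARAMS are constructed for this example.

```python
import re

class ValidationError(Exception):
    """Raised when an attribute change is rejected (constructed for this example)."""

class Param(object):
    """Stand-in for an ipalib Param (constructed for this example)."""
    def __init__(self, name, multivalue=False, validator=None, primary_key=False):
        self.name = name
        self.multivalue = multivalue
        self.validator = validator      # callable(value) -> error string or None
        self.primary_key = primary_key  # True for the entry's RDN attribute

def convert_2_dict(attrs, append):
    """Turn 'name=value' strings into {name: [values]}: append=False models --setattr
    (the last value given for a name wins), append=True models --addattr (all values
    kept, in order). An empty value ("title=") means "delete this attribute" -> None."""
    newdict = {}
    for item in attrs:
        name, sep, value = item.partition('=')
        if not sep:
            raise ValidationError('%s: expected name=value' % item)
        name, value = name.strip().lower(), value.strip()
        if value == '':
            value = None
        if append and name in newdict:
            newdict[name].append(value)
        else:
            newdict[name] = [value]
    return newdict

def apply_attr_options(entry, setattr=(), addattr=(), params=None, validate=True):
    """Return the entry's attributes after applying --setattr/--addattr.
    A setattr replaces all stored values of its attribute; an addattr appends to the
    stored values, or to the setattr values when both name the same attribute. With
    validate=True a touched attribute that is also a Param is checked (primary key,
    single-value limit, validator); validate=False is the silent bypass from the thread."""
    params = params or {}
    setd = convert_2_dict(setattr, append=False)
    addd = convert_2_dict(addattr, append=True)
    new_entry = dict((k, list(v)) for k, v in entry.items())
    for name, values in setd.items():
        new_entry[name] = [v for v in values if v is not None]
    for name, values in addd.items():
        new_entry.setdefault(name, []).extend(v for v in values if v is not None)
    if validate:
        for name in sorted(set(setd) | set(addd)):
            param = params.get(name)
            if param is None:
                continue  # not a Param of this object: nothing to validate against
            if param.primary_key:
                raise ValidationError('modifying primary key is not allowed')
            values = new_entry[name]
            if not param.multivalue and len(values) > 1:
                raise ValidationError('%s: Only one value allowed.' % name)
            for value in values:
                error = param.validator(value) if param.validator else None
                if error:
                    raise ValidationError('%s: %s' % (name, error))
    # an attribute whose value list became empty ("title=") is deleted
    return dict((k, v) for k, v in new_entry.items() if v)

def thread_examples():
    """Replay the user-mod sequence from the thread; return the title values seen."""
    steps = [dict(setattr=['title=msc']), dict(setattr=['title=msb']),
             dict(addattr=['title=msc']), dict(setattr=['title=']),
             dict(setattr=['title=msc'], addattr=['title=msb']),
             dict(setattr=['title=ing'], addattr=['title=bc']),
             dict(setattr=['title=doc'])]
    entry, seen = {'uid': ['testuser']}, []  # constructed starting entry
    for step in steps:
        entry = apply_attr_options(entry, **step)
        seen.append(entry.get('title', []))
    return seen

def mail_validator(value):
    """Constructed validator in the style of an ipalib param rule."""
    return None if re.match(r'^[^@\s]+@[^@\s]+$', value) else 'invalid e-mail address'

# Constructed user params: uid is the RDN, mail is validated, timelimit is single-value.
USER_PARAMS = {
    'uid': Param('uid', primary_key=True),
    'mail': Param('mail', multivalue=True, validator=mail_validator),
    'ipasearchtimelimit': Param('ipasearchtimelimit'),
}

def bypass_is_caught(entry, **options):
    """True if validation rejects options that the validate=False path accepts."""
    apply_attr_options(entry, validate=False, **options)  # the bypass: never raises
    try:
        apply_attr_options(entry, params=USER_PARAMS, **options)
    except ValidationError:
        return True
    return False
```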
Re: [Freeipa-devel] [PATCH] Change the behaviour of addattr/setattr parameters
On 2010-08-12 04:46, Rob Crittenden wrote: Pavel Zůna wrote: setattr and addattr can now be used both to set all values of ANY attribute. The last setattr always resets the attribute to the specified value and all addattr append to it. Examples:

    user-mod testuser --setattr=title=msc
    title: msc
    user-mod testuser --setattr=title=msb
    title: msb
    user-mod testuser --addattr=title=msc
    title: msb, msc
    user-mod testuser --setattr=title=
    title:
    user-mod testuser --setattr=title=msc --addattr=msb
    title: msc, msb
    user-mod testuser --setattr=title=ing --addattr=bc
    title: ing, bc
    user-mod testuser --setattr=title=doc
    title: doc

It's not very user friendly, but it's going to be used very very rarely in special conditions in the CLI and we can use it to save lots of JSON-RPC roundtrips in the webUI. Pavel

It was my intention when I added addattr and setattr that one couldn't set already-defined params this way. They were silently ignored. So you couldn't do:

    user-mod testuser --setattr=givenname=Jeff

This would be possible with this patch. Was that intentional? BTW I have the start of a test suite for this functionality. rob

Yes, it is intentional. I forgot to mention it in the description. I'm using setattr/addattr for everything in the webUI - it makes the code a lot simpler.

Pavel
Re: [Freeipa-devel] [PATCH] Improve serialization to JSON.
On 2010-08-11 22:55, Rob Crittenden wrote: Pavel Zůna wrote: On 2010-08-10 21:45, Rob Crittenden wrote: Pavel Zuna wrote: - Make it recursive. - Make Param classes serializable. - Take python native data types into account. Pavel Oops, sorry, commented on wrong patch. This looks ok but you have a serious whitespace issue in the def __json__ method. ack if you fix that before pushing. rob Version with fixed whitespace attached. Pavel This isn't applying. I'm assuming there is some other patch I haven't pushed but I wasn't able to find it. rob It depends on: [PATCH] Make LDAPObject classes JSON serializable (posted 2010-08-09) (pzuna-freeipa-0006-json.patch) Pavel ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 509 add BuildRequries for authconfig
On 2010-08-10 22:41, Rob Crittenden wrote: In ipapython/dnsclient.py we import acutil which is provided by authconfig. This can get invoked by setup.py so we need to have it at build time. rob ack. Pavel ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] Add a new INTERNAL plugin that exports plugin meta-data into JSON.
On 2010-08-10 21:47, Rob Crittenden wrote: Pavel Zuna wrote: This is required for the webUI, since we're dropping Genshi. *ehm* :) You can't use this command on the CLI. It takes one optional argument: the name of an IPA object. If not specified, meta-data for all objects are returned. Note: If you want to try it out on the CLI, just comment out the INTERNAL = True line. Pavel The code looks ok but export.py doesn't seem like it matches the functions the plugin provides (and is rather generic in nature). Can we rename this json.py or something? rob I thought that we might use the file for other plugins that export data, but there probably won't be any for a while. Renamed it to internal.py as I'm sure we'll see more internal commands as we progress with the webUI. Patch attached. Pavel From c0c862db3b8fad97902d3cec378d06bfa1e03e7c Mon Sep 17 00:00:00 2001 From: Pavel Zuna Date: Tue, 10 Aug 2010 16:41:28 -0400 Subject: [PATCH 2/6] Add a new INTERNAL plugin that exports plugin meta-data into JSON. This is required for the webUI, since we're dropping Genshi. *ehm* :) You can't use this command on the CLI. It takes one optional argument: the name of an IPA object. If not specified, meta-data for all objects are returned. --- ipalib/plugins/internal.py | 65 1 files changed, 65 insertions(+), 0 deletions(-) create mode 100644 ipalib/plugins/internal.py diff --git a/ipalib/plugins/internal.py b/ipalib/plugins/internal.py new file mode 100644 index 000..6f0c2cf --- /dev/null +++ b/ipalib/plugins/internal.py 
@@ -0,0 +1,65 @@ +# Authors: +# Pavel Zuna +# +# Copyright (c) 2010 Red Hat +# See file 'copying' for use and warranty information +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the gnu general public license as +# published by the free software foundation; version 2 only +# +# This program is distributed in the hope that it will be useful, +# but without any warranty; without even the implied warranty of +# merchantability or fitness for a particular purpose. See the +# gnu general public license for more details. +# +# You should have received a copy of the gnu general public license +# along with this program; if not, write to the Free Software +# Foundation, inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +""" +Plugins not accessible directly through the CLI, commands used internally +""" + +import json + +from ipalib import api, errors +from ipalib import Command +from ipalib import Str +from ipalib.output import Output +from ipalib.text import _ +from ipalib.util import json_serialize + +class json_metadata(Command): +""" +Export plugin meta-data for the webUI. +""" +INTERNAL = True + +takes_args = ( +Str('objname?', +doc=_('Name of object to export'), +), +) + +has_output = ( +Output('result', dict, doc=_('Dict of JSON encoded IPA Objects')), +) + +def execute(self, objname): +if objname and objname in self.api.Object: +return dict( +result=dict( +((objname, json_serialize(self.api.Object[objname])), ) +) +) +return dict( +result=dict( +(o.name, json_serialize(o)) for o in self.api.Object() +) +) + +def output_for_cli(self, textui, result, *args, **options): +print json.dumps(result, default=json_serialize) + +api.register(json_metadata) + -- 1.7.1.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
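Review bot: in execute(), the condition `if objname and objname in self.api.Object` sends a caller who passes an unknown object name straight to the second return, so a typo in objname silently yields metadata for every object instead of an error; when objname is given but not found, raise errors.NotFound (errors is already imported in this file and otherwise unused) or return an empty result so the web UI can tell the two cases apart.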
Re: [Freeipa-devel] [PATCH] Improve serialization to JSON.
On 2010-08-10 21:45, Rob Crittenden wrote: Pavel Zuna wrote: - Make it recursive. - Make Param classes serializable. - Take python native data types into account. Pavel Oops, sorry, commented on wrong patch. This looks ok but you have a serious whitespace issue in the def __json__ method. ack if you fix that before pushing. rob Version with fixed whitespace attached. Pavel From 654dea5b85815951a6ff90933f827b26c23a94fd Mon Sep 17 00:00:00 2001 From: Pavel Zuna Date: Tue, 10 Aug 2010 16:40:00 -0400 Subject: [PATCH 1/6] Improve serialization to JSON. - Make it recursive. - Make Param classes serializable. - Take python native data types into account. --- ipalib/parameters.py | 14 ++ ipalib/plugins/baseldap.py |3 ++- ipalib/util.py | 12 +++- 3 files changed, 27 insertions(+), 2 deletions(-) diff --git a/ipalib/parameters.py b/ipalib/parameters.py index c86db75..7d89f4e 100644 --- a/ipalib/parameters.py +++ b/ipalib/parameters.py @@ -852,6 +852,20 @@ class Param(ReadOnly): pass return self.default +def __json__(self): +json_dict = {} +for (a, k, d) in self.kwargs: +if k in (callable, DefaultFrom): +continue +elif isinstance(getattr(self, a), frozenset): +json_dict[a] = [k for k in getattr(self, a, [])] +else: +json_dict[a] = getattr(self, a, '') +json_dict['class'] = self.__class__.__name__ +json_dict['name'] = self.name +json_dict['type'] = self.type.__name__ +return json_dict + class Bool(Param): """ diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py index 7e2fd4f..f3e5b0f 100644 --- a/ipalib/plugins/baseldap.py +++ b/ipalib/plugins/baseldap.py @@ -137,7 +137,8 @@ class LDAPObject(Object): json_dict = dict( (a, getattr(self, a)) for a in self.json_friendly_attributes ) -json_dict['primary_key'] = self.primary_key.name +if self.primary_key: +json_dict['primary_key'] = self.primary_key.name json_dict['methods'] = [m for m in self.methods] return json_dict diff --git a/ipalib/util.py b/ipalib/util.py index ba111d4..4aff88f 100644 --- a/ipalib/util.py 
+++ b/ipalib/util.py @@ -27,15 +27,25 @@ import logging import time import krbV import socket +from types import NoneType + from ipalib import errors from ipapython import dnsclient def json_serialize(obj): +if isinstance(obj, (list, tuple)): +return [json_serialize(o) for o in obj] +if isinstance(obj, dict): +return dict((k, json_serialize(v)) for (k, v) in obj.iteritems()) +if isinstance(obj, (bool, float, int, unicode, NoneType)): +return obj +if isinstance(obj, str): +return obj.decode('utf-8') if not callable(getattr(obj, '__json__', None)): # raise TypeError('%r is not JSON serializable') return '' -return obj.__json__() +return json_serialize(obj.__json__()) def get_current_principal(): try: -- 1.7.1.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
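Review bot: in the ipalib/parameters.py hunk, the list comprehension `[k for k in getattr(self, a, [])]` reuses `k`, the loop variable of `for (a, k, d) in self.kwargs`; in Python 2 a list comprehension leaks its variable into the enclosing scope, so `k` is clobbered for the rest of that iteration. Nothing reads `k` after the comprehension today, but `list(getattr(self, a, []))` says the same thing without the trap.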
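Review bot: in the ipalib/util.py hunk, json_serialize() still returns '' for any object without a callable __json__ (the `raise TypeError` stays commented out), so an unexpected type disappears from the exported metadata as an empty string rather than failing loudly; now that lists, dicts and the native scalar types are handled explicitly, consider re-enabling the error with the object actually interpolated, `raise TypeError('%r is not JSON serializable' % (obj,))`.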
Re: [Freeipa-devel] [PATCH] Fix bug: not found exc. handler was failing for singleton objects
On 2010-08-09 23:00, Rob Crittenden wrote: Pavel Zůna wrote: Very minor bug, that would probably never happen in production anyway, but why not fix it. Can you describe the situation this could occur in? How useful would the error be if the key isn't available? rob

Well, I caught the bug thanks to a bad config file. The basedn was set to dc=example,dc=com and all searches were failing. The key isn't available for singleton objects such as config, example:

    # ipa config-show
    ipa: ERROR: : configuration options not found

Pavel
Re: [Freeipa-devel] [Patch] Changes to the python infrastructure-supporting-the-web ui
On 2010-08-06 17:57, Adam Young wrote: On 08/06/2010 11:51 AM, Rob Crittenden wrote: Adam Young wrote: This code contains the changes to the python code necessary to support the new web ui. It handles the changes to the baseldap code necessary to expose the meta data to the front end, as well as the installation support.

nack. About 75 tests are failing with this patch. I didn't investigate them in detail but it looks like memberof isn't being removed after a member attribute is converted. wsgi.py has a ton of imports added that aren't being used. There is an indention change in ipalib/frontend.py that doesn't seem necessary. The timelimit patch is going to conflict with a timelimit patch I had submitted previously (patch titled 'use time and search limit values from cn=ipaconfig'). Not even in terms of code but in forcing a default that does not tie into the global config. I think I'd rather have this as an optional argument do no default and autofill is needed. rob

I'm going to fob this work off on pzuna, as these are his changes that I just merged in.

I split the baseldap.py changes into 4 patches and posted them on the list a few minutes ago.

Pavel
[Freeipa-devel] [PATCH] Add new parameters to LDAPSearch: timelimit and sizelimit.
Doesn't include Robs loading of default values from cn=ipaConfig. Pavel From a81e2b42d16473b0102969246dcf81820b1930f0 Mon Sep 17 00:00:00 2001 From: Pavel Zuna Date: Mon, 9 Aug 2010 19:56:14 -0400 Subject: [PATCH 4/4] Add new parameters to LDAPSearch: timelimit and sizelimit. --- ipalib/plugins/baseldap.py | 25 +++-- 1 files changed, 23 insertions(+), 2 deletions(-) diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py index abc1180..7e2fd4f 100644 --- a/ipalib/plugins/baseldap.py +++ b/ipalib/plugins/baseldap.py @@ -25,7 +25,7 @@ import json from ipalib import crud, errors, uuid from ipalib import Method, Object -from ipalib import Flag, List, Str +from ipalib import Flag, Int, List, Str from ipalib.base import NameSpace from ipalib.cli import to_cli, from_cli from ipalib import output @@ -827,6 +827,25 @@ class LDAPSearch(CallbackInterface, crud.Search): """ Retrieve all LDAP entries matching the given criteria. """ +takes_options = ( +Int('timelimit', +label=_('Time Limit'), +doc=_('Time limit of search in seconds (default 1)'), +flags=['no_dispaly'], +minvalue=0, +default=1, +autofill=True, +), +Int('sizelimit', +label=_('Size Limit'), +doc=_('Maximum number of entries returned (default 3000)'), +flags=['no_dispaly'], +minvalue=0, +default=3000, +autofill=True, +), +) + def get_args(self): for key in self.obj.get_ancestor_primary_keys(): yield key @@ -890,7 +909,9 @@ class LDAPSearch(CallbackInterface, crud.Search): try: (entries, truncated) = ldap.find_entries( -filter, attrs_list, base_dn, scope=ldap.SCOPE_ONELEVEL +filter, attrs_list, base_dn, scope=ldap.SCOPE_ONELEVEL, +time_limit=options.get('timelimit', 1), +size_limit=options.get('sizelimit', 3000) ) except errors.ExecutionError, e: try: -- 1.7.1.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
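Review bot: both new Int options in the LDAPSearch hunk carry `flags=['no_dispaly']`; the flag name is misspelled (presumably 'no_display' was meant), so whatever checks for that flag will never match and both options will be displayed after all. Separately, the hard-coded `default=1` for timelimit cuts every search off after one second unless the caller overrides it, which is the default-versus-global-config concern Rob raised on the combined patch in the 'infrastructure-supporting-the-web ui' thread above.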
[Freeipa-devel] [PATCH] Fix bug: not found exc. handler was failing for singleton objects
Very minor bug, that would probably never happen in production anyway, but why not fix it. Pavel From 1492f14a59f0e0a1a818b6b920c77ede3f5e2a36 Mon Sep 17 00:00:00 2001 From: Pavel Zuna Date: Mon, 9 Aug 2010 19:50:15 -0400 Subject: [PATCH 3/4] Fix bug: not found exc. handler was failing for singleton objects --- ipalib/plugins/baseldap.py |5 - 1 files changed, 4 insertions(+), 1 deletions(-) diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py index c995a61..abc1180 100644 --- a/ipalib/plugins/baseldap.py +++ b/ipalib/plugins/baseldap.py @@ -117,9 +117,12 @@ class LDAPObject(Object): del entry_attrs[attr] def handle_not_found(self, *keys): +pkey = '' +if self.primary_key: +pkey = keys[-1] raise errors.NotFound( reason=self.object_not_found_msg % { -'pkey': keys[-1], 'oname': self.object_name, +'pkey': pkey, 'oname': self.object_name, } ) -- 1.7.1.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
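Review bot: the fallback `pkey = ''` leaves the '%(pkey)s' placeholder and its separator in object_not_found_msg, so for objects without a primary key the message still reads with an empty key, as the `ipa: ERROR: : configuration options not found` output quoted in the reply to this patch shows; consider a second message (or a format without the key) for the singleton case instead of substituting an empty string.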
[Freeipa-devel] [PATCH] Change the behaviour of addattr/setattr parameters
setattr and addattr can now be used both to set all values of ANY attribute. The last setattr always resets the attribute to the specified value and all addattr append to it. Examples:

    user-mod testuser --setattr=title=msc
    title: msc
    user-mod testuser --setattr=title=msb
    title: msb
    user-mod testuser --addattr=title=msc
    title: msb, msc
    user-mod testuser --setattr=title=
    title:
    user-mod testuser --setattr=title=msc --addattr=msb
    title: msc, msb
    user-mod testuser --setattr=title=ing --addattr=bc
    title: ing, bc
    user-mod testuser --setattr=title=doc
    title: doc

It's not very user friendly, but it's going to be used very very rarely in special conditions in the CLI and we can use it to save lots of JSON-RPC roundtrips in the webUI.

Pavel

From 5467a93dc7e4e24e82ba3559b333ac5e55814127 Mon Sep 17 00:00:00 2001
From: Pavel Zuna
Date: Mon, 9 Aug 2010 19:43:00 -0400
Subject: [PATCH 2/4] Change the behaviour of addattr/setattr parameters.

setattr and addattr can now be used both to set all values of ANY attribute. The last setattr always resets the attribute to the specified value and all addattr append to it. Examples:

    user-mod testuser --setattr=title=msc
    title: msc
    user-mod testuser --setattr=title=msb
    title: msb
    user-mod testuser --addattr=title=msc
    title: msb, msc
    user-mod testuser --setattr=title=
    title:
    user-mod testuser --setattr=title=msc --addattr=msb
    title: msc, msb
    user-mod testuser --setattr=title=ing --addattr=bc
    title: ing, bc
    user-mod testuser --setattr=title=doc
    title: doc

It's not very user friendly, but it's going to be used very very rarely in special conditions in the CLI and we can use it to save lots of JSON-RPC roundtrips in the webUI.
---
 ipalib/frontend.py | 15 +++
 ipalib/plugins/baseldap.py | 58 ++--
 2 files changed, 38 insertions(+), 35 deletions(-)

diff --git a/ipalib/frontend.py b/ipalib/frontend.py
index d320f02..950fa7b 100644
--- a/ipalib/frontend.py
+++ b/ipalib/frontend.py
@@ -519,11 +519,10 @@ class Command(HasParam): if len(value) == 0: # None means "delete this attribute" value = None -if attr not in self.params: -if append and attr in newdict: -newdict[attr].append(value) -else: -newdict[attr] = [value] +if append and attr in newdict: +newdict[attr].append(value) +else: +newdict[attr] = [value] return newdict def __attributes_2_entry(self, kw): @@ -540,7 +539,11 @@ class Command(HasParam): adddict = self.__convert_2_dict(kw['setattr'], append=False) if kw.get('addattr'): -adddict.update(self.__convert_2_dict(kw['addattr'])) +for (k, v) in self.__convert_2_dict(kw['addattr']).iteritems(): +if k in adddict: +adddict[k] += v +else: +adddict[k] = v for name in adddict: value = adddict[name] diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py index 52f32e3..c995a61 100644 --- a/ipalib/plugins/baseldap.py +++ b/ipalib/plugins/baseldap.py 
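Review bot: dropping the `if attr not in self.params:` guard in the first frontend.py hunk means --setattr/--addattr now write attributes that are also declared params, so their validators and single-value restrictions are skipped entirely (the concern raised in the review discussion of this patch); before accepting such an attribute, look it up in self.params and run that param's validation on the value, or reject it with a clear error, rather than letting it into newdict unchecked.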
@@ -415,6 +415,35 @@ class LDAPUpdate(LDAPQuery, crud.Update): entry_attrs = self.args_options_2_entry(**options) +""" +Some special handling is needed because we need to update the +values here rather than letting ldap.update_entry() do the work. We +have to do the work of adding new values to an existing attribute +because if we pass just what is addded only the new values get +set. +""" +if 'addattr' in options: +setset = set(get_attributes(options.get('setattr', []))) +addset = set(get_attributes(options.get('addattr', []))) +difflist = list(addset.difference(setset)) +if difflist: +try: +(dn, old_entry) = ldap.get_entry( +dn, difflist, normalize=self.obj.normalize_dn +) +except errors.ExecutionError, e: +try: +(dn, old_entry) = self._call_exc_callbacks( +keys, options, e, ldap.get_entry, dn, attrs_list, +normalize=self.obj.normalize_dn +) +except errors.NotFound: +self.obj.handle_not_found(*keys) +for a in old_entry: +if not isinstance(entry_attrs[a], (list, tuple)): +entry_attrs[a] = [entry_attrs[a]] +entry_attrs[a] += old_entry[a] + if options.get('all', False): attrs_list = ['*'] else: @@ -432,35 +461,6 @@ class LDAPUpdate(LDAPQuery, crud.Update): self, ldap, dn, entry_attrs, attr
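Review bot: the first frontend.py hunk (@@ -519) drops the `if attr not in self.params` guard, so --setattr/--addattr now reach attributes that also have a dedicated option, and how a conflict (a --title value together with --setattr=title=...) is resolved is not visible anywhere in the patch; either document the precedence in the parameter docs or reject the combination with a ValidationError. The same hunk turns an empty value into None but still stores it as `newdict[attr] = [value]`, i.e. `[None]`, which the merge in the next hunk then appends to.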
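Review bot: in the second frontend.py hunk (@@ -540) `adddict[k] += v` appends the addattr values to whatever setattr left behind, so `--setattr=title=` (stored as `[None]`) combined with `--addattr=title=x` yields `[None, u'x']`; drop the None when an addattr follows a delete, or reject that combination explicitly.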
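Review bot: in the baseldap.py hunk (@@ -415) the retry inside the `except errors.ExecutionError` branch passes `attrs_list` to `ldap.get_entry`, but the first call used `difflist` and `attrs_list` is only assigned further down (`if options.get('all', False): attrs_list = ['*']`), so the fallback raises NameError instead of re-fetching the entry; pass `difflist` in both calls. The explanatory text is also a bare triple-quoted string inside the function body rather than a `#` comment, and `entry_attrs[a] += old_entry[a]` produces duplicate values when an addattr value is already present on the entry; de-duplicate before handing the list to update_entry.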
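The merge rules Pavel describes above (the last --setattr wins, every --addattr appends, an empty --setattr deletes the attribute), as an added stand-alone model written for this page in Python 3; it is not code from the patch or from FreeIPA. It assumes that the `--addattr=msb` and `--addattr=bc` lines in the examples mean `title=msb` and `title=bc`, and it works on a constructed dict instead of a directory entry.

```python
# Added example (not part of the patch or of FreeIPA): a stand-alone model of the
# --setattr/--addattr merge rules described in the message. Entries and option
# values are constructed here; the real code lives in ipalib/frontend.py and
# ipalib/plugins/baseldap.py.


def parse_attr_options(values):
    """Turn ['title=msc', 'title='] into [('title', 'msc'), ('title', None)].

    An empty value means "delete this attribute" and is represented as None,
    mirroring the None used in the frontend.py hunk.
    """
    pairs = []
    for item in values:
        if '=' not in item:
            raise ValueError('expected attr=value, got %r' % (item,))
        attr, value = item.split('=', 1)
        pairs.append((attr.strip().lower(), value if value != '' else None))
    return pairs


def apply_attr_options(entry, to_set=(), to_add=()):
    """Return a copy of ``entry`` with the setattr/addattr rules applied.

    - the last --setattr for an attribute replaces all of its values
    - --setattr=attr= (empty value) deletes the attribute
    - every --addattr appends to the values the attribute has at that point
      (its stored values, or the values a --setattr in the same call left)
    """
    new = {attr: list(vals) for attr, vals in entry.items()}
    for attr, value in parse_attr_options(to_set):
        if value is None:
            new.pop(attr, None)
        else:
            new[attr] = [value]          # a later --setattr overrides an earlier one
    for attr, value in parse_attr_options(to_add):
        if value is None:
            continue                     # --addattr=attr= has nothing to append
        new.setdefault(attr, []).append(value)
    # drop attributes that ended up empty so that "title:" prints blank
    return {attr: vals for attr, vals in new.items() if vals}


def replay_thread_examples():
    """Run the sequence of user-mod calls from the message against a constructed
    'testuser' entry and return the title values after each step."""
    steps = [
        (['title=msc'], []),
        (['title=msb'], []),
        ([], ['title=msc']),
        (['title='], []),
        (['title=msc'], ['title=msb']),   # the message writes --addattr=msb; title is assumed
        (['title=ing'], ['title=bc']),    # same assumption for --addattr=bc
        (['title=doc'], []),
    ]
    entry = {'uid': ['testuser']}        # constructed starting entry, no title yet
    seen = []
    for to_set, to_add in steps:
        entry = apply_attr_options(entry, to_set=to_set, to_add=to_add)
        seen.append(entry.get('title', []))
    return seen


if __name__ == '__main__':
    for titles in replay_thread_examples():
        print('title: ' + ', '.join(titles))
```

The replay reproduces the seven outputs from the message in order; the order of values inside an attribute is kept here only so the output reads like the examples, a directory server does not guarantee it.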
[Freeipa-devel] [PATCH] Make LDAPObject classes JSON serializable
Allow LDAPObject classes (and sub-classes) to be serialized into a JSON string using: json.dumps(obj, default=ipalib.util.json_serialize) Pavel From 209162028b58ba8cc59e8c90409082eb8478a0dd Mon Sep 17 00:00:00 2001 From: Pavel Zuna Date: Mon, 9 Aug 2010 16:45:26 -0400 Subject: [PATCH 1/4] Make LDAPObject classes JSON serializable. --- ipalib/plugins/baseldap.py | 17 + ipalib/util.py |6 ++ 2 files changed, 23 insertions(+), 0 deletions(-) diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py index 11fd18e..52f32e3 100644 --- a/ipalib/plugins/baseldap.py +++ b/ipalib/plugins/baseldap.py @@ -21,6 +21,7 @@ Base classes for LDAP plugins. """ import re +import json from ipalib import crud, errors, uuid from ipalib import Method, Object @@ -29,6 +30,7 @@ from ipalib.base import NameSpace from ipalib.cli import to_cli, from_cli from ipalib import output from ipalib.text import _ +from ipalib.util import json_serialize def validate_add_attribute(ugettext, attr): @@ -121,6 +123,21 @@ class LDAPObject(Object): } ) +# list of attributes we want exported to JSON +json_friendly_attributes = ( +'parent_object', 'container_dn', 'object_name', 'object_name_plural', +'object_class', 'object_class_config', 'default_attributes', 'label', +'hidden_attributes', 'uuid_attribute', 'attribute_members', 'name', +'takes_params', +) +def __json__(self): +json_dict = dict( +(a, getattr(self, a)) for a in self.json_friendly_attributes +) +json_dict['primary_key'] = self.primary_key.name +json_dict['methods'] = [m for m in self.methods] +return json_dict + # Options used by create and update. _attr_options = ( diff --git a/ipalib/util.py b/ipalib/util.py index 570d66e..ba111d4 100644 --- a/ipalib/util.py +++ b/ipalib/util.py 
@@ -31,6 +31,12 @@ from ipalib import errors from ipapython import dnsclient +def json_serialize(obj): +if not callable(getattr(obj, '__json__', None)): +# raise TypeError('%r is not JSON serializable') +return '' +return obj.__json__() + def get_current_principal(): try: return unicode(krbV.default_context().default_ccache().principal().name) -- 1.7.1.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
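Review bot: the baseldap.py hunks add `import json`, but nothing in them uses the module (the serializer comes from `ipalib.util.json_serialize`), so the import should go. `__json__` also exports `takes_params`, a tuple of Param instances; unless Param implements `__json__`, each of them goes through the `default=` hook, which in the util.py hunk turns it into '' rather than a description of the parameter.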
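Review bot: `json_serialize` in the util.py hunk returns '' for any object without a callable `__json__` and leaves the `raise TypeError(...)` commented out, so an unsupported object is silently replaced by an empty string and the webUI cannot tell a missing value from an unserializable type; raise TypeError as the `default=` contract of json.dumps expects, and if '' is really wanted for some types, handle those explicitly. The commented message also lacks the `% obj` formatting argument.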
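An added illustration of the `__json__` / `default=` hook pattern the patch introduces, with the lenient serializer as posted beside a strict variant; this is example code written for this page in Python 3, not FreeIPA's, and `LDAPObjectLike` and `Param` are constructed stand-ins for the real ipalib classes.

```python
# Added example (not FreeIPA code): the __json__ protocol used by the patch,
# serialised through json.dumps(default=...), with the hook as posted and a
# variant that refuses unsupported objects instead of emitting ''.
import json


class Param(object):
    """Constructed stand-in for an ipalib Param: it has no __json__."""

    def __init__(self, name):
        self.name = name


class LDAPObjectLike(object):
    """Constructed stand-in for ipalib's LDAPObject: a whitelist of attributes
    is exported through __json__, plus the primary key name and method names."""
    json_friendly_attributes = ('object_name', 'container_dn', 'default_attributes')

    def __init__(self):
        self.object_name = 'user'
        self.container_dn = 'cn=users,cn=accounts'
        self.default_attributes = ['uid', 'cn', 'mail']
        self.primary_key = Param('uid')
        self.methods = {'user_add': None, 'user_show': None}   # name -> method
        self.takes_params = (Param('uid'), Param('cn'))

    def __json__(self):
        json_dict = dict((a, getattr(self, a)) for a in self.json_friendly_attributes)
        json_dict['primary_key'] = self.primary_key.name
        json_dict['methods'] = sorted(self.methods)
        return json_dict


def json_serialize_lenient(obj):
    """The hook as posted: anything without __json__ silently becomes ''."""
    if not callable(getattr(obj, '__json__', None)):
        return ''
    return obj.__json__()


def json_serialize_strict(obj):
    """Variant that honours the json.dumps ``default`` contract: raise TypeError
    so an unsupported object cannot be mistaken for an empty value."""
    if not callable(getattr(obj, '__json__', None)):
        raise TypeError('%r is not JSON serializable' % (obj,))
    return obj.__json__()


def dumps(obj, strict=True):
    """json.dumps with one of the two hooks plugged in as ``default``."""
    hook = json_serialize_strict if strict else json_serialize_lenient
    return json.dumps(obj, default=hook, sort_keys=True)


def roundtrip(obj, strict=True):
    """Serialise and parse back, so the result can be inspected as plain data."""
    return json.loads(dumps(obj, strict=strict))


def strict_rejects(obj):
    """True when the strict hook refuses ``obj`` (the lenient one never does)."""
    try:
        dumps(obj, strict=True)
    except TypeError:
        return True
    return False


if __name__ == '__main__':
    print(dumps(LDAPObjectLike()))
    # the Param tuple is exactly the kind of value the lenient hook hides:
    print(dumps({'params': LDAPObjectLike().takes_params}, strict=False))
```

Both hooks serialise the object itself identically; they differ only on values inside it that have no `__json__`, which is where the lenient hook silently produces `["", ""]` and the strict one raises.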
Re: [Freeipa-devel] [PATCH] 502 hosts can fetch keytabs
On 2010-08-06 04:50, Rob Crittenden wrote:

Enable a host to retrieve a keytab for all its services.

Using the host service principal one should be able to retrieve a keytab for other services for the host using ipa-getkeytab.

This required a number of changes:
- allow hosts in the service's managedby to write krbPrincipalKey
- automatically add the host to managedby when a service is created
- fix ipa-getkeytab to return the entire principal and not just the first data element. It was returning "host" from the service tgt and not host/ipa.example.com
- fix the display of the managedby attribute in the service plugin

This led to a number of changes in the service unit tests. I took the opportunity to switch to the Declarative scheme and tripled the number of tests we were doing. This shed some light on a few bugs in the plugin:
- if a service had a bad usercertificate it was impossible to delete the service. I made it a bit more flexible.
- I added a summary for the mod and find commands
- has_keytab wasn't being set in the find output

This is for ticket 68

rob

ack.

Pavel
Re: [Freeipa-devel] [Patch] Simple-plugin-for-reflecting-user-principal
On 2010-08-04 01:49, Adam Young wrote:

This is a required patch for the UI code. Basically, the Kerberos authentication method does not provide any way for the web ui to know who logged in. With this patch, we can do the equivalent of 'ipa whoami' that returns the user principal in the summary field.

There are some unnecessary imports, but that's a very minor remark, so ACK.

Pavel
Re: [Freeipa-devel] [PATCH] 451 fix i18n test
On 2010-06-02 21:01, Rob Crittenden wrote:

Pavel Zuna wrote:

On 05/21/2010 11:35 PM, Rob Crittenden wrote:

Fix this test to work from source tree root

It would work if you ran the test from its location in tests/test_ipalib but this isn't the most common method.

If you want to run it individually you can do:

$ ./make-test tests/test_ipalib/test_text.py

rob

Maybe I'm doing something wrong, but I'm still getting this one error:

==
ERROR: Test gettext translation
--
Traceback (most recent call last):
  File "/usr/lib/python2.6/site-packages/nose/case.py", line 183, in runTest
    self.test(*self.arg)
  File "/root/freeipa/tests/test_ipalib/test_text.py", line 89, in test_gettext
    msgid = get_msgid(test_file)
  File "/root/freeipa/tests/test_ipalib/test_text.py", line 43, in get_msgid
    f = open(po_file)
IOError: [Errno 2] No such file or directory: 'install/po/test.po'

Pavel

I finally got around to figuring this out. The problem is that your test language hasn't been built yet. Try this:

$ make -C install/po test_lang
$ ./make-test tests/test_ipalib/test_text.py

Normally one executes this via 'make test' which will ensure that this dependency exists, I was using the 'run one test' option to demonstrate that it works.

rob

ack.

Pavel
Re: [Freeipa-devel] [PATCH] 439 spec file cleanups
On 2010-05-10 20:11, Rob Crittenden wrote:

Remove references to Fedora < 10 and add some tests for RHEL 6.

rob

ack.

Pavel
Re: [Freeipa-devel] [PATCH] Correctly handle EmptyModlist exception in pwpolicy2-mod.
On 2010-05-10 15:44, Pavel Zuna wrote:

EmptyModlist exception was generated by pwpolicy2-mod when modifying policy priority only. It was because the priority attribute is stored outside of the policy entry (in a CoS entry) and there was nothing left to be changed in the policy entry.

This patch uses the new exception callbacks in baseldap.py classes (introduced in my recent patch no. 0004) to catch the EmptyModlist exception and checks if there was really nothing to be modified before reraising the exception.

Pavel

Improved version attached:
- there was a bug that Rob pointed out in another thread - exceptions other than EmptyModlist were suppressed unintentionally
- the GLOBAL password policy was always displayed in searches using pwpolicy2-find, now it's only displayed if searching without criteria

Pavel

From 57b217e508846a633a66dcfab60c7d322c2722fc Mon Sep 17 00:00:00 2001 From: Pavel Zuna Date: Mon, 10 May 2010 14:48:48 +0200 Subject: [PATCH 2/2] Correctly handle EmptyModlist exception in pwpolicy2-mod. EmptyModlist exception was generated by pwpolicy2-mod when modifying policy priority only. It was because the priority attribute is stored outside of the policy entry (in a CoS entry) and there was nothing left to be changed in the policy entry. This patch uses the new exception callbacks in baseldap.py classes to catch the EmptyModlist exception and checks if there was really nothing to be modified before reraising the exception. --- ipalib/plugins/pwpolicy2.py | 22 +++--- 1 files changed, 15 insertions(+), 7 deletions(-) diff --git a/ipalib/plugins/pwpolicy2.py b/ipalib/plugins/pwpolicy2.py index 797c081..d672292 100644 --- a/ipalib/plugins/pwpolicy2.py +++ b/ipalib/plugins/pwpolicy2.py
@@ -276,12 +276,19 @@ class pwpolicy2_mod(LDAPUpdate): def post_callback(self, ldap, dn, entry_attrs, *keys, **options): if not options.get('raw', False): if options.get('cospriority') is not None: -entry_attrs['cospriority'] = [unicode(options['copriority'])] +entry_attrs['cospriority'] = [unicode(options['cospriority'])] if keys[-1] is None: entry_attrs['cn'] = GLOBAL_POLICY_NAME self.obj.convert_time_for_output(entry_attrs, **options) return dn +def exc_callback(self, keys, options, exc, call_func, *call_args, **call_kwargs): +if isinstance(exc, errors.EmptyModlist): +entry_attrs = call_args[1] +if not entry_attrs and 'cospriority' in options: +return +raise exc + api.register(pwpolicy2_mod) @@ -340,12 +347,13 @@ class pwpolicy2_find(LDAPSearch): except errors.NotFound: pass self.obj.convert_time_for_output(e[1], **options) -global_entry = self.api.Command.pwpolicy2_show( -all=options.get('all', False), raw=options.get('raw', False) -)['result'] -dn = global_entry['dn'] -del global_entry['dn'] -entries.insert(0, (dn, global_entry)) +if not args[-1]: +global_entry = self.api.Command.pwpolicy2_show( +all=options.get('all', False), raw=options.get('raw', False) +)['result'] +dn = global_entry['dn'] +del global_entry['dn'] +entries.insert(0, (dn, global_entry)) api.register(pwpolicy2_find) -- 1.6.6.1
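Review bot: in the pwpolicy2_mod hunk (@@ -276) `exc_callback` reads `entry_attrs = call_args[1]`, which couples the handler to the positional signature of the `ldap.update_entry(dn, entry_attrs, ...)` call; if that call is ever made with keyword arguments the handler gets an IndexError or the wrong object instead of performing its check. Fall back to `call_kwargs.get('entry_attrs')` or pass the attributes to the callback explicitly. The `options['copriority']` typo fix at the top of the hunk is correct.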
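Review bot: in the pwpolicy2_find hunk (@@ -340) the global policy is prepended only when `not args[-1]`, so a search whose criteria happen to match the global policy's own name no longer returns it; that is a deliberate behaviour change per the cover message, but it deserves a comment at the `if` and a test so it does not get "fixed" later.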
Re: [Freeipa-devel] [PATCH] Add exception callback (exc_callback) to baseldap.py classes.
On 2010-05-10 20:38, Rob Crittenden wrote:

Pavel Zuna wrote:

The new callback enables plugin authors to supply their own handler for ExecutionError exceptions generated by calls to ldap2 made from the execute method of baseldap.py classes that extend CallbackInterface.

Pavel

I don't see any reference to EXC_CALLBACKS other than in registration. It looks like this provides a registration system then just calls the top exc_callback call.

My mistake, fixed patch attached.

I see the default exc_callback() is just a raise. I think this should always be called last to raise the exception if things get that far. This way the plugin author doesn't have to remember to raise themselves if whatever condition they're looking for isn't met (which your second patch doesn't do).

We can't always call the default callback last, because all registered callbacks are called in a row and therefore the exception would always be raised. We want to be able to suppress exceptions.

Just to make things a little more clear: The default callbacks (the {pre,post,exc}_callback methods) are there to be overridden by plugin authors. Registering new callbacks is a way to extend existing plugins.

I also modified the way we call exception callbacks in this version of the patch, so that we can simulate that nothing went wrong even for ldap2 calls that return values. Also if a callback raises an ExecutionError, the callbacks called next have a chance to handle it.

I like where this is going, just needs a little more work.

rob

Pavel

From 3ff35b30be65f50e32e6373f76a038b0483efa28 Mon Sep 17 00:00:00 2001
From: Pavel Zuna Date: Mon, 10 May 2010 14:26:51 +0200 Subject: [PATCH 1/2] Add exception callback (exc_callback) to baseldap.py classes. It enables plugin authors to supply their own handlers for ExecutionError exceptions generated by calls to ldap2 made from the execute method of baseldap.py classes that extend CallbackInterface. --- ipalib/plugins/baseldap.py | 177 +++ 1 files changed, 144 insertions(+), 33 deletions(-) diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py index e484137..19390e9 100644 --- a/ipalib/plugins/baseldap.py +++ b/ipalib/plugins/baseldap.py @@ -144,10 +144,14 @@ class CallbackInterface(Method): self.__class__.PRE_CALLBACKS = [] if not hasattr(self.__class__, 'POST_CALLBACKS'): self.__class__.POST_CALLBACKS = [] +if not hasattr(self.__class__, 'EXC_CALLBACKS'): +self.__class__.EXC_CALLBACKS = [] if hasattr(self, 'pre_callback'): self.register_pre_callback(self.pre_callback, True) if hasattr(self, 'post_callback'): self.register_post_callback(self.post_callback, True) +if hasattr(self, 'exc_callback'): +self.register_exc_callback(self.exc_callback, True) super(Method, self).__init__() @classmethod @@ -170,6 +174,31 @@ class CallbackInterface(Method): else: klass.POST_CALLBACKS.append(callback) +@classmethod +def register_exc_callback(klass, callback, first=False): +assert callable(callback) +if not hasattr(klass, 'EXC_CALLBACKS'): +klass.EXC_CALLBACKS = [] +if first: +klass.EXC_CALLBACKS.insert(0, callback) +else: +klass.EXC_CALLBACKS.append(callback) + +def _call_exc_callbacks(self, *args, **kwargs): +rv = None +for i in xrange(len(getattr(self, 'EXC_CALLBACKS', []))): +callback = self.EXC_CALLBACKS[i] +try: +if hasattr(callback, 'im_self'): +rv = callback(*args, **kwargs) +else: +rv = callback(self, *args, **kwargs) +except errors.ExecutionError, e: +if (i + 1) < len(self.EXC_CALLBACKS): +continue +raise e +return rv + class LDAPCreate(CallbackInterface, crud.Create): """ 
@@ -219,27 +248,39 @@ class LDAPCreate(CallbackInterface, crud.Create): try: ldap.add_entry(dn, entry_attrs, normalize=self.obj.normalize_dn) -except errors.NotFound: -parent = self.obj.parent_object -if parent: +except errors.ExecutionError, e: +try: +self._call_exc_callbacks( +keys, options, e, ldap.add_entry, dn, entry_attrs, +normalize=self.obj.normalize_dn +) +except errors.NotFound: +parent = self.obj.parent_object +if parent: +raise errors.NotFound( +reason=self.obj.parent_not_found_msg % { +'parent': keys[-2], +'oname': self.api.Object[parent].object_name, +} +) raise errors.NotFound( -
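Review bot: in the CallbackInterface hunk (@@ -170) `_call_exc_callbacks` lets a callback that returns normally (i.e. chooses to suppress the error) fall through to the next callback, which still receives `exc` and may re-raise it, and `rv` is overwritten by every subsequent callback; whether an exception is suppressed therefore depends on registration order, which the caller cannot see. Let a handler signal that it has dealt with the exception (return a sentinel, or stop iterating after the first callback that returns without raising) and re-raise only when none did. Note also that with an empty EXC_CALLBACKS list the method returns None, silently swallowing the error.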
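Review bot: in the LDAPCreate hunk (@@ -219) the value returned by `self._call_exc_callbacks(...)` is discarded, so when a callback suppresses the error execution continues as if `ldap.add_entry` had succeeded and the code below will look up an entry that was never written. Either use the returned value or make a suppressed add failure an explicit outcome. Wrapping everything in `except errors.ExecutionError, e` and then catching `errors.NotFound` from the callback chain works, but keeping the original NotFound branch first and routing only the remaining ExecutionErrors through the chain would read more clearly.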
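The callback-chain semantics discussed in this thread (callbacks run in a row, a raise is handed to the next callback, a return suppresses the error) together with the pwpolicy2-mod handler from the EmptyModlist patch above, as one added stand-alone model written for this page in Python 3. It is not code from either patch or from FreeIPA; the error classes, the in-memory directory and the DN are constructed here.

```python
# Added example (not FreeIPA code): a stand-alone model of the exception-callback
# chain from the baseldap.py patch and of the pwpolicy2-mod handler built on it.
# Error classes, the in-memory "ldap" and the DN below are constructed stand-ins.

GLOBAL_DN = 'cn=global_policy,cn=accounts,dc=example,dc=test'   # constructed


class ExecutionError(Exception):
    """Stand-in for ipalib.errors.ExecutionError."""


class EmptyModlist(ExecutionError):
    """Stand-in for ipalib.errors.EmptyModlist."""


class NotFound(ExecutionError):
    """Stand-in for ipalib.errors.NotFound."""


class FakeLDAP(object):
    """In-memory directory standing in for the ldap2 backend."""

    def __init__(self, entries):
        self.entries = entries

    def update_entry(self, dn, entry_attrs):
        if dn not in self.entries:
            raise NotFound('no such entry: %s' % dn)
        if not entry_attrs:
            raise EmptyModlist('nothing to modify in %s' % dn)
        self.entries[dn].update(entry_attrs)
        return dn


class CallbackInterfaceLike(object):
    """Exception callbacks with the semantics described in the thread: they run in
    registration order, a callback that raises hands the error to the next one,
    and only a raise from the last callback reaches the caller."""

    def __init__(self):
        self.exc_callbacks = []

    def register_exc_callback(self, callback, first=False):
        assert callable(callback)
        if first:
            self.exc_callbacks.insert(0, callback)
        else:
            self.exc_callbacks.append(callback)

    def call_exc_callbacks(self, keys, options, exc, call_func, *args, **kwargs):
        rv = None
        for i, callback in enumerate(self.exc_callbacks):
            try:
                rv = callback(keys, options, exc, call_func, *args, **kwargs)
            except ExecutionError:
                if i + 1 < len(self.exc_callbacks):
                    continue          # a later callback may still handle it
                raise
        return rv

    def update(self, ldap, keys, options, dn, entry_attrs):
        """The execute() pattern of the patch: call ldap2 and route failures
        through the chain; a handler that returns makes the failure look fine."""
        try:
            return ldap.update_entry(dn, entry_attrs)
        except ExecutionError as e:
            return self.call_exc_callbacks(keys, options, e, ldap.update_entry,
                                           dn, entry_attrs)


def default_exc_callback(keys, options, exc, call_func, *call_args, **call_kwargs):
    """What a plugin gets without overriding exc_callback: just re-raise."""
    raise exc


def pwpolicy_exc_callback(keys, options, exc, call_func, *call_args, **call_kwargs):
    """Handler in the spirit of the pwpolicy2-mod patch: the priority lives in the
    CoS entry, so an EmptyModlist on the policy entry is expected when only
    --cospriority was given. Everything else is re-raised unchanged."""
    if isinstance(exc, EmptyModlist):
        entry_attrs = call_args[1] if len(call_args) > 1 else call_kwargs.get('entry_attrs')
        if not entry_attrs and 'cospriority' in options:
            return None
    raise exc


def outcome(callbacks, options, dn=GLOBAL_DN, entry_attrs=None):
    """Run one update through a chain built from ``callbacks`` and report what the
    caller observes: 'ok', 'suppressed', or the name of the exception that escaped."""
    chain = CallbackInterfaceLike()
    for callback in callbacks:
        chain.register_exc_callback(callback)
    ldap = FakeLDAP({GLOBAL_DN: {'krbmaxpwdlife': ['90']}})
    try:
        rv = chain.update(ldap, (None,), options, dn, entry_attrs or {})
    except ExecutionError as e:
        return type(e).__name__
    return 'ok' if rv is not None else 'suppressed'


if __name__ == '__main__':
    print(outcome([pwpolicy_exc_callback], {'cospriority': 10}))                       # suppressed
    print(outcome([pwpolicy_exc_callback], {}))                                        # EmptyModlist
    print(outcome([pwpolicy_exc_callback, default_exc_callback], {'cospriority': 10}))  # EmptyModlist
```

The last two calls in the `__main__` block show the ordering point Rob raises: the same handler suppresses the error when it is the last callback and is overruled when a re-raising callback follows it. The `outcome([], {})` case in the checks shows the other edge, an empty chain returns None and the error is swallowed.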
Re: [Freeipa-devel] [PATCH] 433 improve hbac output
On 2010-05-04 21:31, Rob Crittenden wrote:

This patch adds more attributes to the default output and fixes up some labels.

rob

ack.

Pavel
Re: [Freeipa-devel] [PATCH] 432 add default open HBAC on install
On 2010-05-04 21:30, Rob Crittenden wrote:

Create an HBAC that allows all users to access all hosts from any host. This should make initial installation and testing easier. It is expected that this rule (allow_all) will be removed before deployment.

In case you know you don't want this you can pass --no_hbac_allow to ipa-server-install and the rule won't be added.

rob

ack.

Pavel
[Freeipa-devel] [PATCH] Add file with example plugins/tutorial.
Note that this is still work in progress and will be finished in another patch. Specifically, it currently doesn't cover baseldap.py classes. Pavel From b0e269d1616cc5283866b9d830f76d20c223e94b Mon Sep 17 00:00:00 2001 From: Pavel Zuna Date: Tue, 20 Apr 2010 18:32:11 +0200 Subject: [PATCH] Add file with example plugins/tutorial. Note that this is still work in progress and will be finished in another patch. Specifically, it currently doesn't cover baseldap.py classes. --- ipalib/plugins/examples.py | 437 1 files changed, 437 insertions(+), 0 deletions(-) create mode 100644 ipalib/plugins/examples.py diff --git a/ipalib/plugins/examples.py b/ipalib/plugins/examples.py new file mode 100644 index 000..1ac1163 --- /dev/null +++ b/ipalib/plugins/examples.py 
@@ -0,0 +1,437 @@ +# Authors: +# Pavel Zuna +# +# Copyright (C) 2010 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation; version 2 only +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +""" +Example plugins +""" + +# Hey guys, so you're interested in writing plugins for IPA? Great! +# We compiled this small file with examples on how to extend IPA to suit +# your needs. We'll be going from very simple to pretty complex plugins +# hopefully covering most of what our framework has to offer. + +# First, let's import some stuff. + +# api is an object containing references to all plugins and useful classes. +# errors is a module containing all IPA specific exceptions. +from ipalib import api, errors +# Command is the base class for command plugin. +from ipalib import Command +# Str is a subclass of Param, it is used to define string parameters for +# command. We'll go through all other subclasses of Param supported by IPA +# later in this file +from ipalib import Str +# output is a module containing the most common output patterns. +# Command plugin do output validation based on these patterns. +# You can define your own as we're going to show you later. +from ipalib import output + + +# We're going to create an example command plugin, that takes a name as its +# only argument. Commands in IPA support input validation by defining +# functions we're going to call 'validators'. 
This is an example of such +# function: +def validate_name(ugettext, name): +""" +Validate names for the exhelloworld command. Names starting with 'Y' +(picked at random) are considered invalid. +""" +if name.startswith('Y'): +raise errors.ValidationError( +name='name', +error='Names starting with \'Y\' are invalid!' +) +# If the validator doesn't return anything (i.e. it returns None), +# the parameter passes validation. + + +class exhelloworld(Command): +""" +Example commnad: Hello world! +""" +# takes_args is an attribute of Command. It's a tuple containing +# instances of Param (or its subclasses such as Str) that define +# what position arguments are accepted by the command. +takes_args = ( +# The first argument of Param constructor is the name that will be +# used to identify this parameter. It can be followed by validator +# functions. The constructor can also take a bunch of keyword +# arguments. Here we use default, to set the parameters default value +# and autofill, that fills the default value if the parameter isn't +# present. +# Note the ? at the end of the parameter name. It makes the parameter +# optional. +Str('name?', validate_name, +default=u'anonymous coward', +autofill=True, +), +) + +# has_output is an attribute of Command, it is a tuple containing +# output.Output instances that define its output pattern. +# Commands in IPA return dicts with keys corresponding to items +# in the has_output tuple. +has_output = ( +# output.summary is one of the basic patterns. +# It's a string that should be filled with a user-friendly +# decription of the action performed by the command. +output.summary, +) + +# Every command needs to override the execute method. +# This is where the command functionality should go. +# It is always executed on the server-side, so don't rely +# on client-side stuff in here! +def execute(self, name): +return dict(summary='
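Review bot: in the examples.py hunk `validate_name` raises `errors.ValidationError` with an untranslated `error='Names starting with ...'` string while the framework elsewhere wraps user-visible text in `_()`; since this file is meant as the tutorial, it should show the translated form. The `exhelloworld` docstring and the has_output comment carry typos ('commnad', 'decription'), and 'what position arguments' in the takes_args comment should read 'positional'.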
[Freeipa-devel] [PATCH] Add new pwpolicy plugin based on baseldap classes
Don't mind the numbering. This is a completely independent patch.

It adds a new pwpolicy plugin based on baseldap.py classes. It has the same functionality as the current pwpolicy plugin, but a cleaner and more consistent interface, fine grained search capabilities, etc.

This is actually an updated version of a patch I released some time ago, but it never got fully reviewed.

Pavel

0002-Add-new-pwpolicy-plugin-based-on-baseldap-classes.patch
Description: application/mbox
Re: [Freeipa-devel] [PATCH] Use escapes in DNs instead of quoting.
On 4/16/2010 5:09 PM, Rob Crittenden wrote:

Pavel Zuna wrote:

This patch effectively removes all LDAPv2 style quoted DNs and makes sure we don't use them anymore. KDC doesn't seem to have any problems with LDAPv3 style DNs, but I kept the option to disable DN normalization for now.

I also had to add a new dollar variable for LDIF files: $ESCAPED_SUFFIX. We need it to create entries that contain the DN of another entry in their own, like the account activated/inactivated CoS entries.

What I tested:
- playing around with password policies and CoS entries using both pwpolicy and pwpolicy2
- changing user passwords to see if the policies apply
- re-installing IPA to see if the activated/inactivated CoS entries were OK
- user-lock/user-unlock

The patch depends on the pwpolicy2 plugin. Well, it doesn't depend on it, but won't apply without. I didn't realize before committing and couldn't get it back by re-basing, so...

Pavel

This fails to apply because the pwpolicy2 plugin hasn't been committed yet. You had suggested that this patch shouldn't be applied yet. Should I remove the pwpolicy2 part of this patch and push, rebase it, or what?

rob

I rebased the patch - attached. It no longer depends on pwpolicy2. I'm going to release an updated pwpolicy2 patch with quoting gone along with this one.

Pavel

0001-Use-escapes-in-DNs-instead-of-quoting.patch
Description: application/mbox
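Added example, not part of the patch or of FreeIPA: RFC 4514 escaping of DN values (the LDAPv3 form the patch switches to) next to the LDAPv2-style quoting it removes, and a splitter that shows why a DN embedded as another entry's RDN value, the $ESCAPED_SUFFIX case, has to be escaped. The policy name, container names and suffix used below are constructed, and the hex-pair decoder handles single bytes only.

```python
# Added example (not FreeIPA code): RFC 4514 escaping for values placed in a DN,
# the older quoting style for comparison, and a splitter that relies on the
# escaping to keep an embedded DN in one piece.

_SPECIAL = '"+,;<>\\'    # characters that must be backslash-escaped anywhere


def escape_dn_value(value):
    """Escape an attribute value for use in an RDN (RFC 4514 section 2.4):
    specials and NUL everywhere, a space at either end, a '#' at the start."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == '\x00':
            out.append('\\00')
        elif ch in _SPECIAL:
            out.append('\\' + ch)
        elif ch == ' ' and (i == 0 or i == last):
            out.append('\\ ')
        elif ch == '#' and i == 0:
            out.append('\\#')
        else:
            out.append(ch)
    return ''.join(out)


def quote_dn_value_legacy(value):
    """The older LDAPv2 (RFC 1779) style the patch removes: wrap the value in
    double quotes and escape only '"' and '\\' inside. Kept for comparison."""
    return '"' + value.replace('\\', '\\\\').replace('"', '\\"') + '"'


def build_dn(rdns):
    """Join (attribute, raw value) pairs into a DN with every value escaped."""
    return ','.join('%s=%s' % (attr, escape_dn_value(val)) for attr, val in rdns)


def split_dn(dn):
    """Split a DN on unescaped commas and unescape each value: the inverse of
    build_dn. Hex pairs such as \\2C are decoded as single bytes (multi-byte
    UTF-8 sequences are out of scope for this example)."""
    rdns, attr, buf, i = [], None, [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == '\\' and i + 1 < len(dn):
            hexpair = dn[i + 1:i + 3]
            if len(hexpair) == 2 and all(c in '0123456789abcdefABCDEF' for c in hexpair):
                buf.append(chr(int(hexpair, 16)))
                i += 3
            else:
                buf.append(dn[i + 1])   # escaped special, space or '#'
                i += 2
            continue
        if ch == '=' and attr is None:
            attr, buf = ''.join(buf), []
        elif ch == ',':
            rdns.append((attr, ''.join(buf)))
            attr, buf = None, []
        else:
            buf.append(ch)
        i += 1
    rdns.append((attr, ''.join(buf)))
    return rdns


def escaped_suffix(suffix):
    """What a $ESCAPED_SUFFIX substitution has to produce: the suffix DN made safe
    for use as a single RDN value inside another DN."""
    return escape_dn_value(suffix)


if __name__ == '__main__':
    suffix = 'dc=example,dc=test'                       # constructed
    policy_dn = 'cn=global_policy,cn=accounts,' + suffix
    # an entry whose RDN value is another entry's DN, as in the CoS LDIF case
    template_dn = build_dn([('cn', policy_dn), ('cn', 'templates')]) + ',' + suffix
    print(template_dn)
    print(split_dn(template_dn))
    print(escaped_suffix(suffix))
    print(quote_dn_value_legacy(policy_dn))
```

Without escaping, the embedded policy DN would contribute three extra RDNs to the template entry's DN, which is exactly the ambiguity the commas-and-quotes LDAPv2 form and the escaped LDAPv3 form resolve differently.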
Re: [Freeipa-devel] Use ldap2 instead of legacy LDAP code from v1 in installer scripts.
On 4/15/2010 8:18 PM, Rob Crittenden wrote:

Pavel Zůna wrote:

On 4/14/2010 4:35 PM, Rob Crittenden wrote:

Pavel Zuna wrote:

On 03/30/2010 10:27 PM, Rob Crittenden wrote:

Pavel Zuna wrote:

On 03/23/2010 09:40 PM, Rob Crittenden wrote:

Pavel Zuna wrote:

This is the first in a series of patches, that replace all the legacy code from v1 related to LDAP. I did some limited testing of the installer after this patch and nothing seems to break, but I didn't do replicas etc...

Pavel

nack. This breaks at least ipa-replica-manage, ipa-replica-prepare, ipa-server-certinstall and ipa-replica-install.

rob

Fixed patch attached.

Pavel

I'm not sure if you attached the wrong patch or not (it's dated 3/24) but things are still not working:

# ipa-replica-install replica-info-tiger.example.com.gpg
Directory Manager (existing master) password:
creation of replica failed: 'Env' object has no attribute 'basedn'
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

rob

Sorry for a late reply. Here's a patch that should finally work. I did a lot more testing and setting up a replica went smoothly every time.

Pavel

Lots better. I was able to create and manage replicas but ipa-dns-install isn't working:

# ipa-dns-install
The log file for this installation can be found in /var/log/ipaserver-install.log
==
This program will setup DNS for the FreeIPA Server.
This includes:
  * Configure DNS (bind)
To accept the default shown in brackets, press the Enter key.
Existing BIND configuration detected, overwrite? [no]: y
Do you wish to configure DNS forwarders? [no]:
No DNS forwarders configured
Directory Manager password:
Unexpected error - see ipaserver-install.log for details:
'API' object has no attribute 'env_host'

Ouch, sorry about that. New patch attached.

Pavel

Still not working:

root : CRITICAL Could not modify principal's krbprincipalname=DNS/lion.greyoak@greyoak.com,cn=services,cn=accounts,dc=greyoak,dc=com entry
Unexpected error - see ipaserver-install.log for details:
The backtrace is:
  File "/usr/sbin/ipa-dns-install", line 172, in
    sys.exit(main())
  File "/usr/sbin/ipa-dns-install", line 158, in main
    bind.create_instance()
  File "/usr/lib/python2.6/site-packages/ipaserver/install/bindinstance.py", line 195, in create_instance
    self.start_creation("Configuring named:")
  File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line 237, in start_creation
    method()
  File "/usr/lib/python2.6/site-packages/ipaserver/install/bindinstance.py", line 293, in __setup_principal
    raise e
('expected a string in the list', u'k')

rob

This is fixed in the ipa-dns-install patch I posted yesterday. I thought this wasn't caused by the changes made by the "Use ldap2..." patch. The problem here is that we call python-ldap with a unicode string. The string is generated from api.env constants that have become unicode a month or two ago. Anyway, I can always move the fix to this problem from the ipa-dns-install patch into this one. However I need to talk to Martin about the bindinstance.py file - I'll make sure to resolve this by the end of today.

Pavel
[Freeipa-devel] [PATCH] Fix ipa-dns-install. It was failing when DNS was reinstalling.
I noticed a few bugs when DNS was reinstalling:
- Service.move_service returned None, because the service entry was already in the right place - BindInstance didn't expect that.
- We were passing a unicode string to python-ldap although we know it hates that.
- We were catching all exceptions alike when modifying the "dnsserver" role group. It's no longer an error if the DNS principal is already present.

I think Martin has some work in progress on the bindinstance.py file, so please don't push until he acks it. He might want to include these changes in his own patch. I had to fix these to test my own code in the installer and posted the patch to point out the bugs.

Pavel

From 2deba7ac45bb8dc2c52afb9fa7ecedb1d867fcbf Mon Sep 17 00:00:00 2001 From: Pavel Zuna Date: Wed, 14 Apr 2010 18:52:12 +0200 Subject: [PATCH] Fix ipa-dns-install. It was failing when DNS was reinstalling. --- ipaserver/install/bindinstance.py | 11 +-- 1 files changed, 9 insertions(+), 2 deletions(-) diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py index 105cf4e..ff1e4e4 100644 --- a/ipaserver/install/bindinstance.py +++ b/ipaserver/install/bindinstance.py @@ -263,7 +263,12 @@ class BindInstance(service.Service): # Store the keytab on disk self.fstore.backup_file("/etc/named.keytab") installutils.create_keytab("/etc/named.keytab", dns_principal) -dns_principal = self.move_service(dns_principal) +p = self.move_service(dns_principal) +if p is None: +# the service has already been moved, perhaps we're doing a DNS reinstall +dns_principal = "krbprincipalname=%s,cn=services,cn=accounts,%s" % (dns_principal, self.suffix) +else: +dns_principal = p # Make sure access is strictly reserved to the named user pent = pwd.getpwnam(self.named_user)
@@ -284,10 +289,12 @@ class BindInstance(service.Service): raise e dns_group = "cn=dnsserver,cn=rolegroups,cn=accounts,%s" % self.suffix -mod = [(ldap.MOD_ADD, 'member', dns_principal)] +mod = [(ldap.MOD_ADD, 'member', str(dns_principal))] try: conn.modify_s(dns_group, mod) +except ldap.TYPE_OR_VALUE_EXISTS: +pass except Exception, e: logging.critical("Could not modify principal's %s entry" % dns_principal) raise e -- 1.6.6
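Review bot: the first bindinstance.py hunk (@@ -263) rebuilds the service DN by hand when `move_service` returns None, duplicating the knowledge of where services live (`krbprincipalname=%s,cn=services,cn=accounts,%s`) that `move_service` already has; having `move_service` return the DN in both cases would remove the branch and the risk of the two drifting apart. The principal is also interpolated into the DN without RDN escaping, which is fine for a principal derived from the local host name but deserves a comment so nobody reuses the pattern for user-supplied values.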
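Review bot: in the second bindinstance.py hunk (@@ -284) `str(dns_principal)` converts the unicode DN with the default codec and raises UnicodeEncodeError on a non-ASCII suffix; `dns_principal.encode('utf-8')` is what python-ldap expects. Catching `ldap.TYPE_OR_VALUE_EXISTS` before the generic `except Exception` is correct and is what makes the reinstall idempotent.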
Re: [Freeipa-devel] Use ldap2 instead of legacy LDAP code from v1 in installer scripts.
On 4/14/2010 4:35 PM, Rob Crittenden wrote:

Pavel Zuna wrote:

On 03/30/2010 10:27 PM, Rob Crittenden wrote:

Pavel Zuna wrote:

On 03/23/2010 09:40 PM, Rob Crittenden wrote:

Pavel Zuna wrote:

This is the first in a series of patches, that replace all the legacy code from v1 related to LDAP. I did some limited testing of the installer after this patch and nothing seems to break, but I didn't do replicas etc...

Pavel

nack. This breaks at least ipa-replica-manage, ipa-replica-prepare, ipa-server-certinstall and ipa-replica-install.

rob

Fixed patch attached.

Pavel

I'm not sure if you attached the wrong patch or not (it's dated 3/24) but things are still not working:

# ipa-replica-install replica-info-tiger.example.com.gpg
Directory Manager (existing master) password:
creation of replica failed: 'Env' object has no attribute 'basedn'
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

rob

Sorry for a late reply. Here's a patch that should finally work. I did a lot more testing and setting up a replica went smoothly every time.

Pavel

Lots better. I was able to create and manage replicas but ipa-dns-install isn't working:

# ipa-dns-install
The log file for this installation can be found in /var/log/ipaserver-install.log
==
This program will setup DNS for the FreeIPA Server.
This includes:
  * Configure DNS (bind)
To accept the default shown in brackets, press the Enter key.
Existing BIND configuration detected, overwrite? [no]: y
Do you wish to configure DNS forwarders? [no]:
No DNS forwarders configured
Directory Manager password:
Unexpected error - see ipaserver-install.log for details:
'API' object has no attribute 'env_host'

Ouch, sorry about that. New patch attached.

Pavel

From 6f1e71d1ad926b827d43c4dbcab768ecaa675389 Mon Sep 17 00:00:00 2001
From: Pavel Zuna Date: Wed, 24 Mar 2010 15:51:31 +0100 Subject: [PATCH] Use ldap2 instead of legacy LDAP code from v1 in installer scripts. --- install/tools/ipa-compat-manage | 38 ++-- install/tools/ipa-dns-install| 18 +- install/tools/ipa-fix-CVE-2008-3274 | 63 +++-- install/tools/ipa-ldap-updater |2 - install/tools/ipa-nis-manage | 44 +++ install/tools/ipa-replica-install| 22 ++-- install/tools/ipa-replica-manage |8 ++-- install/tools/ipa-replica-prepare| 33 - install/tools/ipa-server-certinstall | 18 - install/tools/ipa-server-install | 24 ++--- ipaserver/plugins/ldap2.py | 22 +--- 11 files changed, 144 insertions(+), 148 deletions(-) diff --git a/install/tools/ipa-compat-manage b/install/tools/ipa-compat-manage index 09a06ca..b22ce77 100755 --- a/install/tools/ipa-compat-manage +++ b/install/tools/ipa-compat-manage @@ -22,12 +22,11 @@ import sys try: from optparse import OptionParser -from ipaserver import ipaldap from ipapython import entity, ipautil, config from ipaserver.install import installutils from ipaserver.install.ldapupdate import LDAPUpdate, BadSyntax, UPDATES_DIR +from ipaserver.plugins.ldap2 import ldap2 from ipalib import errors -import ldap import logging import re import krbV 
@@ -95,26 +94,29 @@ def main(): else: dirman_password = get_dirman_password() +conn = None try: +ldapuri = 'ldap://%s' % installutils.get_fqdn() try: -conn = ipaldap.IPAdmin(installutils.get_fqdn()) -conn.do_simple_bind(bindpw=dirman_password) -except ldap.LDAPError, e: +conn = ldap2(shared_instance=False, ldap_uri=ldapuri, base_dn='') +conn.connect( +bind_dn='cn=directory manager', bind_pw=dirman_password +) +except errors.LDAPError, e: print "An error occurred while connecting to the server." -print "%s" % e[0]['desc'] +print e return 1 if args[0] == "enable": try: -conn.getEntry("cn=Schema Compatibility,cn=plugins,cn=config", - ldap.SCOPE_BASE, "(objectclass=*)") +conn.get_entry('cn=Schema Compatibility,cn=plugins,cn=config') print "Plugin already Enabled" retval = 2 except errors.NotFound: print "Enabling plugin" -except ldap.LDAPError, e: +except errors.LDAPError, e: print "An error occurred while talking to the server." -print "%s" % e[0]['desc'] +print e retval = 1 if retval == 0: @@ -127,17 +129,15 @@ def main(): # Make a quick hack foir now, directly delete the entries by name, # In future we should add
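Review bot: in the ipa-compat-manage hunk (@@ -95) the connection is built as `ldapuri = 'ldap://%s' % installutils.get_fqdn()` followed by a simple bind as `cn=directory manager`; unless `ldap2.connect` upgrades that connection with STARTTLS, the Directory Manager password leaves the process in clear, so either confirm that it does or use an `ldapi://` URI for this local tool. `conn = None` is initialised before the `try`, but nothing in the hunk disconnects it on the error paths that `return 1`; add a `finally` that disconnects when `conn` is set. Replacing `e[0]['desc']` with `print e` also changes the message users see, which is fine but belongs in the commit message.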
Re: [Freeipa-devel] [PATCH] Fix DNS plugin: proper output definitions, --all, dns-add-rr overwriting
On 4/14/2010 5:36 PM, Rob Crittenden wrote:

Pavel Zůna wrote:

On 4/13/2010 10:51 PM, Rob Crittenden wrote:

Pavel Zuna wrote:

The DNS plugin is getting old, tired and already looking forward to his pension in the Caribbean. It will be replaced soon by a younger, faster, safer, shorter (in terms of code) and more maintainable version. Until that happens, here's some medicine for the old guy:

- proper output definitions: the DNS plugin was created before we had the has_output attribute in place
- --all: this is related to the output definitions, as Command.get_options() adds the --all and --raw options automatically if has_output contains entries
- dns-add-rr overwriting: a missing .lower() caused records to be overwritten every time a new one was added from the CLI

Pavel

This looks ok but I wonder why you are defining your own Output definition instead of using the standard? The only difference seems to be that your custom one doesn't have a summary.

rob

Because the standard output definitions with entries make Command plugins automatically add the --all and --raw options. dns-*-rr commands aren't comfortable with it.

Can you be more specific? What doesn't work?

rob

There were conflicts with --all being defined explicitly by some of the commands. Also, dns-del-rr didn't expect any options and raised an exception when it received the automatically added --all/--raw. Anyway, I fixed those issues, so that we can use the standard definitions from ipalib/output.py. I guess I got lazy before or just wasn't thinking about it too much. :)

Modified patch attached.

Pavel

From 6073a12c78c4702916c7de4c5115a7ea1c62cdca Mon Sep 17 00:00:00 2001
From: Pavel Zuna Date: Tue, 30 Mar 2010 18:56:02 +0200 Subject: [PATCH] Fix DNS plugin: proper output definitions, --all, dns-add-rr overwritting The DNS plugin is getting old, tired and already looking forward to his pension in the Carribean. It will be replaced soon by a younger, faster, safer, shorter (in terms of code) and more maintainable version. Until that happens, here's some medicine for the old guy: - proper output definitions: the DNS plugin was created before we had the has_output attribute in place - --all: this is related to the output definitions as Command.get_options() adds the --all and --raw options automatically if has_output contains entries - dns-add-rr overwritting: missing .lower() caused records to be overwritten everytime a new one was added from the CLI --- ipalib/plugins/dns.py | 29 +++-- 1 files changed, 15 insertions(+), 14 deletions(-) diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py index 5f6949a..4c81a8e 100644 --- a/ipalib/plugins/dns.py +++ b/ipalib/plugins/dns.py @@ -67,6 +67,7 @@ from ipalib import api, crud, errors, output from ipalib import Object, Command from ipalib import Flag, Int, Str, StrEnum from ipalib import _, ngettext +from ipalib.output import Output, standard_entry, standard_list_of_entries # parent DN _zone_container_dn = api.env.container_dns @@ -310,7 +311,7 @@ class dns_find(crud.Search): filter = ldap.make_filter_from_attr('idnsname', term, exact=False) # select attributes we want to retrieve -if options['all']: +if options.get('all', False): attrs_list = ['*'] else: attrs_list = _zone_default_attributes @@ -362,7 +363,7 @@ class dns_show(crud.Retrieve): dn = _get_zone_dn(ldap, idnsname) # select attributes we want to retrieve -if options['all']: +if options.get('all', False): attrs_list = ['*'] else: attrs_list = _zone_default_attributes 
@@ -492,11 +493,11 @@ class dns_add_rr(Command): ), ) -has_output = output.standard_entry +has_output = standard_entry def execute(self, zone, idnsname, type, data, **options): ldap = self.api.Backend.ldap2 -attr = '%srecord' % type +attr = ('%srecord' % type).lower() # build entry DN dn = _get_record_dn(ldap, zone, idnsname) @@ -593,11 +594,11 @@ class dns_del_rr(Command): ), ) -has_output = output.standard_entry +has_output = standard_entry -def execute(self, zone, idnsname, type, data): +def execute(self, zone, idnsname, type, data, **options): ldap = self.api.Backend.ldap2 -attr = '%srecord' % type +attr = ('%srecord' % type).lower() # build entry DN dn = _get_record_dn(ldap, zone, idnsname) @@ -635,9 +636,9 @@ class dns_del_rr(Command): (dn, entry_attrs) = ldap.get_entry(dn, ['idnsname', attr]) entry_attrs['dn'] = dn -return dict(result=result, value=idnsname) +return dict(result=entry_attrs, value=idnsna
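Review bot: the import hunk in ipalib/plugins/dns.py adds `from ipalib.output import Output, standard_entry, standard_list_of_entries`, but the visible hunks only use `standard_entry`, and the module already has `output` via `from ipalib import api, crud, errors, output`; the `-` lines were already using `output.standard_entry`, so the `has_output = standard_entry` rewrites in dns_add_rr and dns_del_rr are churn. Drop the new import (or trim it to the names actually used) and keep `output.standard_entry`. The `options['all']` to `options.get('all', False)` change in dns_find and dns_show is right, since `--all` only exists once `has_output` contains entries.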
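Review bot: in the dns_add_rr and dns_del_rr hunks, `attr = ('%srecord' % type).lower()` is the actual fix for the overwrite, but the expression is now copied into two commands; a single helper such as `_rr_attr(rrtype)` keeps them from drifting apart again. `type` also shadows the builtin in both `execute` signatures; `rrtype` would read better. Adding `**options` to `dns_del_rr.execute` is needed now that the standard output definition makes the framework pass `--all`/`--raw`, so that part should stay.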
Re: [Freeipa-devel] [PATCH] Fix DNS plugin: proper output definitions, --all, dns-add-rr overwriting
On 4/13/2010 10:51 PM, Rob Crittenden wrote:

Pavel Zuna wrote:

The DNS plugin is getting old, tired and already looking forward to his pension in the Caribbean. It will be replaced soon by a younger, faster, safer, shorter (in terms of code) and more maintainable version. Until that happens, here's some medicine for the old guy:

- proper output definitions: the DNS plugin was created before we had the has_output attribute in place
- --all: this is related to the output definitions, as Command.get_options() adds the --all and --raw options automatically if has_output contains entries
- dns-add-rr overwriting: a missing .lower() caused records to be overwritten every time a new one was added from the CLI

Pavel

This looks ok but I wonder why you are defining your own Output definition instead of using the standard? The only difference seems to be that your custom one doesn't have a summary.

rob

Because the standard output definitions with entries make Command plugins automatically add the --all and --raw options. dns-*-rr commands aren't comfortable with it.

Pavel
Re: [Freeipa-devel] [PATCH] Fix output of commands, that do not return entries.
Rob Crittenden wrote:

Pavel Zůna wrote:

Pavel Zůna wrote:

This patch fixes Command.output_for_cli for the env plugin. Before, we assumed that a list/tuple is always a list of entries and a dict is always an entry. Still, this solution isn't perfect. I think that in the future we should allow Output subclasses to control the way we output values instead of doing type-based output in Command.output_for_cli.

Pavel

Before anyone asks... :) I also changed the default value of the print_all argument in textui.print_entry from False to True. I think it makes more sense this way, because:

1) if order is None, it will still print something
2) if order is not None, it will print what's in order first and then the rest
3) commands that care about the print_all argument have to set it in any case; those that don't care usually want to print everything

Why not set the default for print_all in print_entries() to True as well?

That's just a mistake I made. Fixed.

Seems like this reasoning should be documented in the function as well. Particularly how print_all gets handled when one returns Entries or a ListOfEntries vs just returning a dict/tuple (where --all controls whether everything is printed in the former and defaults to everything in the latter, assuming print_entries also ends up defaulting to True).

Added docstring for Command.output_for_cli and also updated the docstring for Command.get_options with info about --all/--raw.

rob

New patch attached.

Pavel

0001-Fix-output-for-commands-that-do-not-return-entries.patch
Description: application/mbox
[Freeipa-devel] [PATCH] Fix output of env plugin. It displayed more than it should.
Some outputs were missing the 'no_display' flag.

Pavel

0001-Fix-output-of-env-plugin.-It-displayed-more-than-it-.patch
Description: application/mbox
Re: [Freeipa-devel] [PATCH] Fix output of commands, that do not return entries.
Pavel Zůna wrote:

This patch fixes Command.output_for_cli for the env plugin. Before, we assumed that a list/tuple is always a list of entries and a dict is always an entry. Still, this solution isn't perfect. I think that in the future we should allow Output subclasses to control the way we output values instead of doing type-based output in Command.output_for_cli.

Pavel

Before anyone asks... :) I also changed the default value of the print_all argument in textui.print_entry from False to True. I think it makes more sense this way, because:

1) if order is None, it will still print something
2) if order is not None, it will print what's in order first and then the rest
3) commands that care about the print_all argument have to set it in any case; those that don't care usually want to print everything

Pavel
[Freeipa-devel] [PATCH] Fix output of commands, that do not return entries.
This patch fixes Command.output_for_cli for the env plugin. Before, we assumed that a list/tuple is always a list of entries and a dict is always an entry. Still, this solution isn't perfect. I think that in the future we should allow Output subclasses to control the way we output values instead of doing type-based output in Command.output_for_cli.

Pavel

0001-Fix-output-for-commands-that-do-not-return-entries.patch
Description: application/mbox
[Freeipa-devel] about DNs
Hi,

I didn't want to quote the already over-quoted e-mail about DNs from Rich, so I'm "starting a new thread". :)

Anyway, if I understand correctly, we should stop using quoted strings in DNs and use escapes instead, so:

This:

    cn="dc=example,dc=com",dc=example,dc=com

Becomes this:

    cn=dc\=example\,dc\=com,dc=example,dc=com

ldap2 was designed to produce DNs like this, but we still use the old LDAPv2 style in a lot of places, so we made it possible to disable DN normalization and stopped escaping characters in quoted attribute values. This introduced the recent problems with python-ldap functions blowing up in our faces when a plugin author didn't check his DNs manually.

With your approval, I would like to make sure we switch to the new LDAPv3 style DNs everywhere, because:

1) it's going to prevent future problems if strict DN syntax checking is turned on (Rich was talking about this)
2) we'll be able to use ldap2 methods to build DNs everywhere, preventing python-ldap calls from blowing up
3) we'll be able to remove the ability to disable DN normalization as it won't be needed anymore, thus simplifying our LDAP API

When this is done, we should encourage plugin authors to use our framework to build DNs instead of doing it manually, because it's fail-safe and will work even if the location where the entries are stored changes.

Example: building DNs for CoS entries of password policies:

    group = 'some_group_name'
    # container for the CoS templates under the accounts subtree
    container_costemplates = 'cn=cosTemplates,%s' % api.env.container_accounts
    # the group DN becomes the *value* of the cn attribute, so it must be escaped
    group_dn = api.Object.group.get_dn(group)
    cos_dn = ldap2.make_dn_from_attr('cn', group_dn, container_costemplates)

Pavel
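The escaping rule from the message, carried through as an added example for this page (it is not ldap2's code and not FreeIPA's; `make_dn_from_attr`, `split_rdns` and `cos_template_dn` are assumed helper names, and the container DNs are constructed). It shows why the naive `'cn=%s,%s' % (group_dn, container)` form is wrong: the unescaped commas turn one RDN value into several RDNs, which is exactly the kind of DN that strict syntax checking and python-ldap reject.

```python
# Added example, not FreeIPA code: building LDAPv3 DNs with RFC 4514 escaping
# instead of the LDAPv2 quoted form.  make_dn_from_attr, split_rdns and
# cos_template_dn are assumed names modelled on the message, not the ldap2 API.

# Characters that must be escaped inside an attribute value (RFC 4514 s.2.4).
# '=' is not required by the RFC but is escaped here to match the message.
_SPECIALS = set(',+"\\<>;=')


def escape_dn_value(value):
    """Escape one attribute value so it can be embedded in an RDN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIALS:
            out.append('\\' + ch)
        elif ch == '#' and i == 0:              # leading '#' would start a hex string
            out.append('\\#')
        elif ch == ' ' and i in (0, last):      # leading/trailing space is significant
            out.append('\\ ')
        elif ch == '\x00':
            out.append('\\00')
        else:
            out.append(ch)
    return ''.join(out)


def unescape_dn_value(escaped):
    """Inverse of escape_dn_value; used to check that nothing is lost."""
    out = []
    i = 0
    while i < len(escaped):
        ch = escaped[i]
        if ch != '\\':
            out.append(ch)
            i += 1
        elif escaped[i + 1] in _SPECIALS or escaped[i + 1] in '# ':
            out.append(escaped[i + 1])          # '\,' -> ','
            i += 2
        else:
            out.append(chr(int(escaped[i + 1:i + 3], 16)))  # '\00' -> NUL
            i += 3
    return ''.join(out)


def make_dn_from_attr(attr, value, parent_dn=''):
    """Build 'attr=<escaped value>,<parent_dn>' (assumed helper name)."""
    rdn = '%s=%s' % (attr, escape_dn_value(value))
    return '%s,%s' % (rdn, parent_dn) if parent_dn else rdn


def split_rdns(dn):
    """Split a DN into its RDN strings at unescaped commas only."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == '\\':                       # keep escape pairs together
            cur.append(dn[i:i + 2])
            i += 2
        elif dn[i] == ',':
            rdns.append(''.join(cur))
            cur = []
            i += 1
        else:
            cur.append(dn[i])
            i += 1
    rdns.append(''.join(cur))
    return rdns


def cos_template_dn(group, accounts_container):
    """The pwpolicy CoS case from the message: a whole group DN as a cn value."""
    group_dn = make_dn_from_attr('cn', group, 'cn=groups,' + accounts_container)
    container_costemplates = 'cn=cosTemplates,' + accounts_container
    return make_dn_from_attr('cn', group_dn, container_costemplates)


if __name__ == '__main__':
    base = 'dc=example,dc=com'
    naive = 'cn=%s,%s' % (base, base)          # the failure mode: 4 RDNs, not 3
    safe = make_dn_from_attr('cn', base, base)
    print('%s -> %d RDNs' % (naive, len(split_rdns(naive))))
    print('%s -> %d RDNs' % (safe, len(split_rdns(safe))))
    print(cos_template_dn('some_group_name', 'cn=accounts,dc=example,dc=com'))
```

In real code the same escaping is available as `ldap.dn.escape_dn_chars()` in python-ldap; the point of the hand-written version is that the only place a raw value may enter a DN is through the escaper, never through string formatting.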
Re: [Freeipa-devel] [PATCH] 404 ensure priority is unique
Rob Crittenden wrote:

Pavel Zuna wrote:

Jason Gerard DeRose wrote:

On Fri, 2010-03-12 at 18:01 -0500, Rob Crittenden wrote:

Ensure that the group policy priority is unique. We use CoS to determine the order in which group policy is applied. The behavior in CoS is undefined for multiple entries with the same cospriority. This likely relies on some other outstanding pwpolicy patches.

rob

ack. pushed to master.

The patch works, but I find the way it checks for priority uniqueness highly ineffective. It pulls out all policies and then retrieves their CoS entries one by one to do the checking. Instead it should just make a search for a CoS entry with the given priority.

Pavel

Well, we may need to store the group policy entries in a subtree then. All CoS policies are currently dumped into the same place, making this impossible.

Not necessarily. It's just a matter of tweaking the search filter. We can search only for CoS entries that have the krbContainer object class and whose krbPwdReference attribute contains a group DN.

rob

Pavel
Re: [Freeipa-devel] [PATCH] Enable LDAPObject subclasses to disable DN normalization in their methods.
Rob Crittenden wrote:

Pavel Zuna wrote:

New attribute in LDAPObject: normalize_dn

Defaults to True. If False, LDAP* methods won't normalize DNs before passing them to python-ldap.

Pavel

This also makes entries returned by LDAPSearch a list instead of a tuple. What is the purpose of that?

It enables *-find plugins to easily add/remove entries in post_callback.

rob

Pavel
Re: [Freeipa-devel] [PATCH] Add interface for baseldap plugins to register additional callbacks.
Rob Crittenden wrote:

Pavel Zůna wrote:

This is somewhat of a tech-preview patch. It works, but the whole concept might need some more work/thinking done. It adds another way to extend plugins without resorting to the versioning system.

Until now, every baseldap command had two callbacks: the pre-callback called before data was passed to python-ldap and the post-callback called after. This patch introduces class methods that enable the registration of new pre/post callbacks. It supports top level functions as well, so you don't have to touch the original class at all. It works like this:

    from ipalib.plugins.user import user_show

    def test_callback(inst, ldap, dn, attrs_list, *keys, **options):
        inst.log.info('hello callback world!')
        # only retrieve the user name; the list has to be changed in place,
        # rebinding the name attrs_list would not reach the caller
        attrs_list[:] = ['uid']
        return dn

    user_show.register_pre_callback(test_callback)

The original callbacks defined in the class are always called first.

Pavel

I think I'd like another registration argument, sort of a hint on where you'd like this plugin registered: first or last (defaulting to last). We wouldn't necessarily guarantee where the plugin would get registered but we could easily handle prepending or appending the new registration.

The argument is already there, but as you said, it doesn't guarantee a specific order. The "in-class" callback is added when the plugin instance is created and is inserted at the beginning of the list. More callbacks could theoretically be added later before this one, but that probably won't happen.

Not sure how complicated we want this to be but we could also add a dependency system, so that if some other callback is registered, then this one comes first (or registration fails), etc.

A priority system might be better and easier to implement in this case. I'm also thinking of making the callback signature common for all commands (even though they have different "needs") and adding a context variable callbacks could use to pass data to each other.
rob

By the way, the approach with class methods and class attributes I'm using is 100% compatible with the versioning system I proposed before. You can do this, for example:

    class user_show(...):
        VERSION = (1, 0)
        ...

    user_show.register_pre_callback(some_callback)
    user_show.register_pre_callback(some_other_callback)

    class user_show(user_show):
        VERSION = (1, 1)
        ...

And the new user_show class will have all the callbacks for the previous version. Isn't that cool? Man, I love python. It's the hacker's holy grail. :D

Pavel
[Freeipa-devel] [PATCH] Add interface for baseldap plugins to register additional callbacks.
This is somewhat of a tech-preview patch. It works, but the whole concept might need some more work/thinking done. It adds another way to extend plugins without resorting to the versioning system.

Until now, every baseldap command had two callbacks: the pre-callback called before data was passed to python-ldap and the post-callback called after. This patch introduces class methods that enable the registration of new pre/post callbacks. It supports top level functions as well, so you don't have to touch the original class at all. It works like this:

    from ipalib.plugins.user import user_show

    def test_callback(inst, ldap, dn, attrs_list, *keys, **options):
        inst.log.info('hello callback world!')
        # only retrieve the user name; the list has to be changed in place,
        # rebinding the name attrs_list would not reach the caller
        attrs_list[:] = ['uid']
        return dn

    user_show.register_pre_callback(test_callback)

The original callbacks defined in the class are always called first.

Pavel

0001-Add-interface-for-baseldap-plugins-to-register-addit.patch
Description: application/mbox
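A small registry that does what this thread (the original post and the reply above it) asks for, written as an added example for this page rather than taken from FreeIPA's baseldap: the in-class callback always runs first, outside functions are attached with a priority instead of a first/last hint, a subclass such as a newer plugin version inherits everything registered on its parent, and a shared context dict lets callbacks pass data along. `LDAPRetrieve`, `run_pre_callbacks`, `run_demo` and the sample DN are assumptions; the `attrs_list[:] = ['uid']` line is the in-place change the posted example needs.

```python
# Added example, not FreeIPA's baseldap code: a pre-callback registry in the
# spirit of the patch above.  The in-class callback always runs first, extra
# callbacks are attached from outside the class with a priority, subclasses
# (newer plugin versions) inherit everything, and a shared context dict lets
# callbacks pass data to each other.  All names here are assumptions.


class LDAPRetrieve(object):
    """Stand-in for a baseldap *-show command class."""

    @classmethod
    def register_pre_callback(cls, func, priority=50):
        """Attach func to this class; lower priority runs earlier."""
        callbacks = cls.__dict__.get('_pre_callbacks')
        if callbacks is None:                 # own list per class, never shared by reference
            callbacks = []
            setattr(cls, '_pre_callbacks', callbacks)
        callbacks.append((priority, func))

    @classmethod
    def _extra_pre_callbacks(cls):
        """Callbacks of this class and every base class, ordered by priority."""
        chain = []
        for klass in reversed(cls.__mro__):   # base classes first for equal priorities
            chain.extend(klass.__dict__.get('_pre_callbacks', ()))
        return [func for _, func in sorted(chain, key=lambda item: item[0])]

    def pre_callback(self, ldap, dn, attrs_list, context, *keys, **options):
        """The in-class callback; subclasses override it as before."""
        return dn

    def run_pre_callbacks(self, ldap, dn, attrs_list, context, *keys, **options):
        """What the command would call right before talking to python-ldap."""
        dn = self.pre_callback(ldap, dn, attrs_list, context, *keys, **options)
        for func in self._extra_pre_callbacks():
            dn = func(self, ldap, dn, attrs_list, context, *keys, **options)
        return dn


class user_show(LDAPRetrieve):
    def pre_callback(self, ldap, dn, attrs_list, context, *keys, **options):
        context['order'] = ['in-class']
        return dn


def only_uid(inst, ldap, dn, attrs_list, context, *keys, **options):
    # Change the list in place; rebinding attrs_list would not reach the caller.
    attrs_list[:] = ['uid']
    context['order'].append('only_uid')
    return dn


def audit(inst, ldap, dn, attrs_list, context, *keys, **options):
    context['order'].append('audit')
    context['audit_dn'] = dn                  # data left for a later callback
    return dn


user_show.register_pre_callback(only_uid, priority=20)
user_show.register_pre_callback(audit, priority=10)   # runs before only_uid


class user_show(user_show):
    """Newer version of the command: inherits every callback registered above."""
    VERSION = (1, 1)


def run_demo(command_class):
    """Run the chain once; return (callback order, attrs_list, context)."""
    context, attrs_list = {}, ['*']
    dn = 'uid=admin,cn=users,cn=accounts,dc=example,dc=com'   # constructed sample
    command_class().run_pre_callbacks(None, dn, attrs_list, context, 'admin')
    return context['order'], attrs_list, context


if __name__ == '__main__':
    print(run_demo(user_show))
```

Keeping the list in each class's own `__dict__` and walking the MRO at call time is what makes the versioning trick from the thread work without copying anything: a callback registered on the old `user_show` after the new one was defined still shows up, and one registered on the subclass never leaks back to its parent.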
Re: [Freeipa-devel] [PATCH] Add plugin versioning and dependency checking
Rob Crittenden wrote:

Pavel Zůna wrote:

Since there weren't any comments on my proposal about plugin versioning and dependencies, I decided to make a first implementation that shows what I had in mind.

Sorry, I had looked at it and never responded. Seeing an implementation does help though :-)

This patch adds two class variables to plugable.Plugin: VERSION and DEPENDENCIES. VERSION is supposed to be a tuple with 2 ints specifying the plugin major and minor version number. DEPENDENCIES is supposed to be a tuple of tuples. The inner tuples will contain the plugin class name (as a string) and a major version number.

The plugable.Registrar class has changed a bit. I decided to remove the 'override' keyword argument. It wasn't used anywhere. Overriding is now automatic based on the plugin class VERSION. Higher version overrides lower. This way, we can have several versions of the same plugin living in IPA directory (not in API!) at the same time. It allows higher versions to easily build on top (extend) older ones.

So to override a plugin you need to have a higher version? What if you want two separate plugins to extend a plugin, there can be only one? For example, you have one extension that adds some Samba attributes to a user and another that adds some Solaris-specific attributes. Not everyone would want both of these but some might, I think this would throw a DuplicateError.

Overriding only applies to plugins with exactly the same name. If users want to have two different plugins available, they can't have the same name anyway. If they want two plugins in the tree, but only one active at the same time - then I would suggest using the SkipPluginModule exception based on configuration as we do with cert plugins.

rob

Pavel
[Freeipa-devel] [PATCH] Add plugin versioning and dependency checking
Since there weren't any comments on my proposal about plugin versioning and dependencies, I decided to make a first implementation that shows what I had in mind.

This patch adds two class variables to plugable.Plugin: VERSION and DEPENDENCIES. VERSION is supposed to be a tuple with 2 ints specifying the plugin major and minor version number. DEPENDENCIES is supposed to be a tuple of tuples. The inner tuples will contain the plugin class name (as a string) and a major version number.

The plugable.Registrar class has changed a bit. I decided to remove the 'override' keyword argument. It wasn't used anywhere. Overriding is now automatic based on the plugin class VERSION. Higher version overrides lower. This way, we can have several versions of the same plugin living in the IPA directory (not in API!) at the same time. It allows higher versions to easily build on top of (extend) older ones.

There's also a new exception:

    PluginMissingDependencyError: Plugin 'service' is missing dependency plugin 'host' (version 1)

Plugin dependencies are checked when all plugins have been loaded, that is when API is finalizing.

An example of what we can do with this approach: Let's say a customer needs to extend users and groups by storing some additional computed information in the entries.

identity_ex.py:

    from ipalib import api
    from ipalib.plugins.user import user, user_add
    from ipalib.plugins.group import group, group_add

    class user(user):
        VERSION = (2, 0)
        DEPENDENCIES = (('group', 2), )
        takes_params = user.takes_params + (
            # some new params here
        )

    api.register(user)

    class user_add(user_add):
        VERSION = (2, 0)

        def pre_callback(  # I don't feel like writing all the args :)
            dn = super(user_add, self).pre_callback(  # and again
            # do some new stuff here
            return dn

    api.register(user_add)

    # same analogous thing for groups comes here...
Pavel

0001-Add-plugin-versioning-and-dependency-checking.patch
Description: application/mbox
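The registrar behaviour the post describes (higher VERSION overrides a same-named plugin, dependencies checked once everything is loaded), written out as an added example for this page; it is not FreeIPA's plugable.py. `Registrar`, `build_registry` and the sample plugin tree are assumptions, and one choice the post leaves open is made explicit here: a dependency `(name, major)` is taken to be satisfied only by the same major version, on the assumption that a major bump means an incompatible change. The example also covers two cases the description implies but does not spell out: registering the same version twice, and registering a lower version after a higher one.

```python
# Added example, not FreeIPA's plugable.py: a registrar in which a higher
# VERSION of a same-named plugin replaces a lower one, registering the same
# version twice is an error, and DEPENDENCIES (name, major) are verified once
# all plugins are loaded.  A dependency is taken to be satisfied only by the
# same major version (assumption: a major bump means an incompatible change).
# Class and exception names are assumptions modelled on the message above.


class DuplicateError(Exception):
    pass


class PluginMissingDependencyError(Exception):
    pass


class Plugin(object):
    VERSION = (1, 0)          # (major, minor)
    DEPENDENCIES = ()         # ((plugin name, required major), ...)


class Registrar(object):
    def __init__(self):
        self._plugins = {}    # plugin name -> winning class

    def register(self, klass):
        """Keep the highest VERSION seen for klass.__name__; return the winner."""
        name = klass.__name__
        current = self._plugins.get(name)
        if current is not None:
            if current.VERSION == klass.VERSION:
                raise DuplicateError('%s %s registered twice' % (name, klass.VERSION))
            if current.VERSION > klass.VERSION:
                return current                      # older version loses
        self._plugins[name] = klass
        return klass

    def finalize(self):
        """Check every dependency once loading is complete; return name -> class."""
        for name in sorted(self._plugins):
            for dep_name, dep_major in self._plugins[name].DEPENDENCIES:
                dep = self._plugins.get(dep_name)
                if dep is None or dep.VERSION[0] != dep_major:
                    raise PluginMissingDependencyError(
                        "Plugin '%s' is missing dependency plugin '%s' (version %d)"
                        % (name, dep_name, dep_major))
        return dict(self._plugins)


def build_registry(with_group=True):
    """Constructed sample tree: host, service and two versions of user."""
    reg = Registrar()

    class host(Plugin):
        VERSION = (1, 0)

    class service(Plugin):
        VERSION = (1, 0)
        DEPENDENCIES = (('host', 1),)

    class user(Plugin):
        VERSION = (1, 0)

    for klass in (host, service, user):
        reg.register(klass)

    class user(user):                               # same name, extends v1
        VERSION = (2, 0)
        DEPENDENCIES = (('group', 2),)

    reg.register(user)                              # (2, 0) replaces (1, 0)

    if with_group:
        class group(Plugin):
            VERSION = (2, 1)                        # major 2 satisfies ('group', 2)
        reg.register(group)

    return reg


if __name__ == '__main__':
    print(sorted(build_registry().finalize()))
    try:
        build_registry(with_group=False).finalize()
    except PluginMissingDependencyError as exc:
        print(exc)
```

Checking dependencies in `finalize()` rather than in `register()` is what allows modules to be loaded in any order; the price is that a missing dependency is only reported after every module has been imported, so the error should name both sides, as the message format above does.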
[Freeipa-devel] [DOC] about netgroups
I was asked to complete the documentation of IPA commands on the internal wiki. Unfortunately, I currently don't have access to it and have decided to put some of the information I've been gathering here on freeipa-devel. It's not a secret after all and is easier to review by other team members. I'm going to put this on the wiki as soon as I can.

So, in the first (and possibly last) issue of CommandDocs(tm), we're going to look at netgroups and commands related to them.

What are netgroups?
===================

Netgroups are a concept introduced in the directory service NIS. They are supposed to contain users, hosts (machines) and other netgroups. Here are a few examples of why such groups can be useful:

http://directory.fedoraproject.org/wiki/Howto:Netgroups#What_are_NIS_netgroups_good_for.3F

Don't continue reading after the "What are NIS netgroups good for?" part. Netgroup entries are different in IPA.

Some more info about netgroups (optional reading; I'll explain most of the important stuff):

http://www.softpanorama.org/Net/Application_layer/NIS/nis_netgroups.shtml

How do we store netgroups in the IPA backend (LDAP)?
====================================================

NIS groups traditionally contain a so called netgroup triple of the format:

    (machine, user, domain)

    machine - machine name, a host name
    user    - user name
    domain  - NIS domain of the machine and user

Note that there is no necessary relationship between the machine and the user. Only one of those fields is usually used at a time to avoid confusion.

In IPA, we don't use the triple anymore. It's ugly and unclear. Instead we use the membership relationship between LDAP entries. You simply add users, hosts and even their groups as members of a netgroup. The domain field is constant for each netgroup and defaults to the current IPA domain.
Example of a netgroup displayed using the IPA CLI:

    # ipa netgroup-show net1
      Netgroup name: net1
      Description: test netgroup
      NIS domain name: pzuna
      Member User: admin
      Member Host: testbox.pzuna

What commands are available in IPA for handling netgroups?
==========================================================

The management plugin for netgroups in IPA conforms to the CRUD command naming conventions used in all other plugins that come with the default IPA installation.

Creating new netgroups
----------------------

    ipa netgroup-add NAME [--desc=DESCRIPTION] [--nisdomain=NISDOMAIN]

NAME is the name of the netgroup (can be anything, but must be unique)
DESCRIPTION is the netgroup description (required)
NISDOMAIN is the NIS domain name, defaults to the current IPA domain

Deleting netgroups
------------------

    ipa netgroup-del NAME

Displaying netgroups
--------------------

    ipa netgroup-show NAME

Modifying netgroups
-------------------

    ipa netgroup-mod NAME [--desc=DESCRIPTION] [--nisdomain=NISDOMAIN]

Same as `ipa netgroup-add`, except modifying description is required and NISDOMAIN doesn't default to anything.

Searching for netgroups
-----------------------

    ipa netgroup-find [CRITERIA] [--name=NAME] [--desc=DESCRIPTION] [--nisdomain=NISDOMAIN] [--uuid=UUID]

CRITERIA is an optional substring that has to appear in either the name, the description or the NIS domain of the groups you're looking for.

Other options are the same as for `ipa netgroup-add`, except nothing is required and nothing defaults to anything. There's a new UUID option that allows searching netgroups by ipaUniqueID. If one of these options is set, the command returns only exact matches of this option.

Adding users and hosts to netgroups
-----------------------------------

    ipa netgroup-add-member NAME [--users=USERS] [--groups=GROUPS] [--hosts=HOSTS] [--hostgroups=HOSTGROUPS] [--netgroups=NETGROUPS]

USERS, GROUPS, HOSTS, HOSTGROUPS, NETGROUPS are comma-separated lists of names of the appropriate objects.
Removing users and hosts from netgroups
---------------------------------------

    ipa netgroup-remove-member NAME [--users=USERS] [--groups=GROUPS] [--hosts=HOSTS] [--hostgroups=HOSTGROUPS] [--netgroups=NETGROUPS]

Same as `netgroup-add-member`.

Examples
========

    # ipa netgroup-add net0 --desc="test netgroup"
      Netgroup name: net0
      Description: test netgroup
      NIS domain name: pzuna
      IPA unique ID: 9e6e089c-2089-11df-b677-5452004c033a

    # ipa netgroup-mod net0 --desc="description change"
      Netgroup name: net0
      Description: description change
      NIS domain name: pzuna

    # ipa netgroup-add-member net0 --users=admin --hosts=testbox.pzuna
      Netgroup name: net0
      Description: description change
      NIS domain name: pzuna
      Member User: admin
      Member Host: testbox.pzuna
    -------------------------
    Number of members added 2
    -------------------------

    # ipa netgroup-remove-member net0 --users=admin
      Netgroup name: net0
[Freeipa-devel] [PATCH] Make the --all option work in Add/Remove Member commands.
Add/Remove Member commands didn't work with the --all option. They do now.

Pavel

0001-Make-the-all-option-work-in-Add-Remove-Member-comman.patch
Description: application/mbox
[Freeipa-devel] [PATCH] Complete netgroup attributes.
Add missing attributes to the netgroup plugin. The plugin will now correctly display membership information and allow searching for netgroups by UUID.

Pavel

0003-Complete-netgroup-attributes.patch
Description: application/mbox
[Freeipa-devel] [PATCH] Replace incorrect use of str.index with str.find in host plugin.
index was used as if it was find in the validation function.

Pavel

0002-Replace-incorrect-use-of-str.index-with-str.find-in-.patch
Description: application/mbox
[Freeipa-devel] [PATCH] Fix bug where parameter cloning didn't clone validating rules.
I thought we had validation fixed, but this little bit was still missing.

Pavel

0001-Fix-bug-where-parameter-cloning-didn-t-clone-validat.patch
Description: application/mbox
Re: [Freeipa-devel] [PATCH] 387 fix test failures
Rob Crittenden wrote:

This fixes the failures in the Env due to switching to unicode internally. Now that --all works this also adds the dn to the output in the XML-RPC tests.

rob

ack.

Pavel
Re: [Freeipa-devel] [PATCHES] Bring back old outputting functionality
Jason Gerard DeRose wrote:

On Wed, 2010-02-10 at 10:30 -0500, Rob Crittenden wrote:

Pavel Zuna wrote:

What I'm saying is that the Env object stores all strings as str and the env command uses the same output_for_cli as LDAP commands, that only use str for binary. So, we either need to override output_for_cli or switch to unicode in Env.

Not exactly sure what to do here though using unicode seems like the best route.

Yes, we should store the env as `unicode`... this is something I've been meaning to do. I originally left them as `str` because I was having problems using `unicode` somewhere (maybe it was python-ldap), but we should just fix this special case in the appropriate place.

That's possible, python-ldap seems to hate everything except str and list.

As I wrote the latest Env version (using Martin's work as a starting point), I can make this change.

Actually, if you didn't start on it yet, I would take this task onto myself as I already did some experiments to see if it would work and I should be able to have a patch by tomorrow. Should this be post-alpha?

Pavel
Re: [Freeipa-devel] [PATCHES] Bring back old outputting functionality
Rob Crittenden wrote:

Pavel Zuna wrote:

Rob Crittenden wrote:

Pavel Zuna wrote:

I compiled 3 patches that effectively bring back all the functionality we had before Jason's big patch (i.e. before introducing output validation and the common output interface).

- --all and --raw are back, but this time as global options
- replacing DNs with primary keys is back
- clever attribute printing (word-wrapping etc.) is back too

To implement --all and --raw as global options, we had to find a way to propagate additional information (apart from command name and parameters) from client to server. We extended the XML-RPC signature from:

    (arg0, arg1, ..., options)

to:

    (args, options, extras)

The extras dict is currently only filled with the 'print_all_attrs' and 'print_raw_attrs' settings when forwarding a call. The server saves the extras dict into the thread specific context variable.

I also replaced the decoding table in Encoder, because it didn't really work as expected in special cases. It now uses a dont-decode function. In the case of ldap2, this function checks attribute type OIDs and returns False for binary types.

This patch introduces a little problem with the env command, because it fixes a bug/feature that made it work before. Before outputting an attribute, we check if it isn't of type str. If it is, we assume it is binary and decode it. All values in Env are str. I propose we either write a specific output_for_cli for the env command or think about switching from str to unicode. I tried the latter and it didn't cause any problems so far.
How it's supposed to work:

    # ./ipa user-show admin
      User login: admin
      Last name: Administrator
      Home directory: /home/admin
      Login shell: /bin/bash

    # ./ipa --all user-show admin
      dn: uid=admin,cn=users,cn=accounts,dc=pzuna
      User login: admin
      Last name: Administrator
      Full name: Administrator
      Home directory: /home/admin
      GECOS field: Administrator
      Login shell: /bin/bash
      Kerberos principal: ad...@pzuna
      UID: 1083719807
      GID: 1083719807
      Last password change date: 20100208132706Z
      Password expiration date: 20100509132706Z
      Member of groups: admins
      objectclass: top, person, posixaccount, krbprincipalaux, krbticketpolicyaux, inetuser

    # ./ipa --raw user-show admin
      uid: admin
      sn: Administrator
      homedirectory: /home/admin
      loginshell: /bin/bash

    # ./ipa --all --raw user-show admin
      dn: uid=admin,cn=users,cn=accounts,dc=pzuna
      uid: admin
      sn: Administrator
      cn: Administrator
      homedirectory: /home/admin
      gecos: Administrator
      loginshell: /bin/bash
      krbprincipalname: ad...@pzuna
      uidnumber: 1083719807
      gidnumber: 1083719807
      krblastpwdchange: 20100208132706Z
      krbpasswordexpiration: 20100509132706Z
      memberof: cn=admins,cn=groups,cn=accounts,dc=pzuna
      objectclass: top
      objectclass: person
      objectclass: posixaccount
      objectclass: krbprincipalaux
      objectclass: krbticketpolicyaux
      objectclass: inetuser

Pavel

Generally looks ok, have some questions though:

- We currently rely on the fact that binary objects are encoded as python str, it's how we determine what to base64-encode. What mechanism will we have to do that now?

I didn't (and I'm not planning to) make any changes in this matter.

My point is that for binary objects we were explicitly setting their type to str. We don't seem to be doing that any more, so are we relying on python-ldap to default to the str type? It's ok if we do, I'd just like to see a comment to that effect in case something changes in the future.

Yeah, we do rely on python-ldap in this case. It returns everything as str.
I didn't realize you were referring to the changes in the Encoder class. Some background information about Encoder: When I started working on the ldap2 backend, I realized that around every call to python-ldap, we had to encode/decode both compound and scalar values. With scalar values, it wasn't a problem to just choose what to encode/decode and what not. With compound values likes entries, it was more difficult, because all attributes are returned as str, but have different types. I implemented a feature in the Encoder class, that enabled its consumers to define a decoding table for dicts and a function of the dict key, that would return a key in the decoding table. The decoding table was supposed to contain callables (mostly python types), that would be used to decode the dict value. If the returned key was not in the table, default decoding (to unicode) would take place. The idea was, that we would convert boolean strings to bool, integer values to int and leave binary values as str. Unfortunatly, there were some difficulties with boolean types, then Simo chimed in about integers in LDAP not having the same range as int in python and you can't argue with Simo. Plus I didn't really feel like doing anything about the booleans, so the decoding table in ldap2 was just used to leave binary attributes as str. With the latest Encoder pat
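The "dont-decode function" keyed on attribute syntax OIDs that the patch description and the Encoder background above both talk about, as an added Python 3 example that is not FreeIPA's Encoder or ldap2 code. The attribute-to-syntax map, the sample entry and the DER placeholder are constructed for the example; a real implementation would build the map from the server's subschema entry.

```python
import base64

# Constructed subset of schema: attribute type -> syntax OID (RFC 4517).
# In a real deployment this map is built from the server's subschema entry.
SYNTAX_DIRECTORY_STRING = '1.3.6.1.4.1.1466.115.121.1.15'
SYNTAX_GENERALIZED_TIME = '1.3.6.1.4.1.1466.115.121.1.24'
SYNTAX_OCTET_STRING = '1.3.6.1.4.1.1466.115.121.1.40'
SYNTAX_CERTIFICATE = '1.3.6.1.4.1.1466.115.121.1.8'
SYNTAX_JPEG = '1.3.6.1.4.1.1466.115.121.1.28'
BINARY_SYNTAXES = frozenset({SYNTAX_OCTET_STRING, SYNTAX_CERTIFICATE, SYNTAX_JPEG})
ATTR_SYNTAX = {
    'uid': SYNTAX_DIRECTORY_STRING,
    'cn': SYNTAX_DIRECTORY_STRING,
    'krblastpwdchange': SYNTAX_GENERALIZED_TIME,
    'usercertificate': SYNTAX_CERTIFICATE,
    'jpegphoto': SYNTAX_JPEG,
}

def dont_decode(attr):
    """The dont-decode function: True when values of attr must stay bytes.
    Attribute descriptions may carry options (userCertificate;binary);
    the ';binary' option alone is enough to keep the value raw."""
    name, *options = attr.lower().split(';')
    if 'binary' in options:
        return True
    # Unknown attributes get the default (text) decoding, like the old table.
    return ATTR_SYNTAX.get(name, SYNTAX_DIRECTORY_STRING) in BINARY_SYNTAXES

def decode_entry(entry):
    """Decode one python-ldap result dict {attr: [bytes, ...]}: text values
    become str, binary values stay bytes so their type still marks them.
    A non-UTF-8 value in a text attribute raises rather than being hidden."""
    return {attr: (list(values) if dont_decode(attr)
                   else [v.decode('utf-8') for v in values])
            for attr, values in entry.items()}

def for_output(decoded):
    """Anything still bytes after decoding is binary: base64 it for the CLI
    or XML-RPC, which is the type-based test the thread relies on."""
    return {attr: [base64.b64encode(v).decode('ascii') if isinstance(v, bytes) else v
                   for v in values]
            for attr, values in decoded.items()}

# Constructed entry shaped like the user-show output above (python-ldap hands
# values back as bytes on Python 3, str on Python 2); the cert is a placeholder.
SAMPLE_ENTRY = {
    'uid': [b'admin'],
    'cn': [b'Administrator'],
    'krbLastPwdChange': [b'20100208132706Z'],
    'userCertificate;binary': [b'\x30\x82\x01'],
}

if __name__ == '__main__':
    print(for_output(decode_entry(SAMPLE_ENTRY)))
```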
Re: [Freeipa-devel] [PATCH] jderose 034 Enable WebUI CRUDS using wehjit 0.2.0
Jason Gerard DeRose wrote:
> This patch enables webUI Create-Retrieve-Updated-Delete-Search operations for all api.Object plugins that:
>
> 1. implement all the required CRUDS methods
> 2. have a primary_key
>
> Last night I realized that the upgrade to wehjit 0.2.0 broke the installer, so I hurried this patch a bit, left out some niceties that still need a bit more testing and tweaking.

Just what I needed - had to switch all my test VMs to F12, because of dependencies and was about to bug someone about the broken installer. :)

Looks fine and fixes the installer, so ACK from me.

Pavel
Re: [Freeipa-devel] [PATCH] 354 removing bogus code
Rob Crittenden wrote:
> Somehow the same block of code got added twice to ipa-rmkeytab causing, not surprisingly, a double-free. This resolves it.
>
> rob

ack

Pavel
[Freeipa-devel] Re: [PATCHES] Migration wrap-up.
Pavel Zůna wrote:
> Oops, I forgot to change the spec file. Patch attached.
>
> Pavel

There was a missing * to handle .pyc/.pyo files. Updated patch attached.

Pavel

Attachment: 0001-Add-password-migration-page-files-to-the-spec-file.patch
[Freeipa-devel] Re: [PATCHES] Migration wrap-up.
Pavel Zůna wrote:
> Okay, I think my migration patches are ready for submission. What's new?
>
> - No more forced password change after migration, unless the password doesn't meet IPA password policy. Expiration time sets correctly (hooray!).
> - Migration mode (adding entries with pre-hashed passwords) can now be turned ON/OFF using the ipaMigrationEnabled attribute in ipaConfig entry.
> - New fancy password migration page using HTML form based authentication. (CSS and looks in general will probably have to change to visually go with the rest of the webUI.)
> - Better error/log messages and some general code clean up.
>
> I didn't change the migration plugin to use IPA commands. Believe me, I tried. There's just too much overhead and additional work:
>
> - We need to sanitize data from DS before we feed it to the IPA commands and it's not just converting them to unicode.
> - There are attributes our commands do not accept as parameters and setattr/addattr doesn't really help that much there. It's going to be even worse when custom schemas kick in. Our commands also make some assumptions about attributes - like givenName/sn being required etc. It's just too hard to do it properly in a generic way.
> - Using IPA commands generates at least 4 times more LDAP requests.
> - The code is also longer.
>
> The migration plugin might still need some work and I'm thinking of ways to make it better, more readable and maintainable, but if the other patches pass and there's no big problems with it, I say we should push it, so that QE can do some testing.
>
> I'm currently writing a wiki page with step by step migration guide, but I left it open at the office and I'm sick at home at the moment, so I'm going to resume when back. I will also setup a testing environment on the blades for DS to IPA migration.
>
> Pavel

Oops, I forgot to change the spec file. Patch attached.

Pavel

Attachment: 0001-Add-password-migration-page-files-to-the-spec-file.patch
Re: [Freeipa-devel] [PATCH] jderose 027 Extensible return values
Rob Crittenden wrote:
> Jason Gerard DeRose wrote:
>> On Wed, 2009-11-25 at 12:05 -0500, Rob Crittenden wrote:
>>> This is purely from reading the patch, I haven't applied and tested it yet.
>>>
>>> ipalib/output.py:
>>>
>>> +primary_key = Output('primary_key', unicode,
>>> +'The primary key of the deleted entry'
>>> +)
>>>
>>> This isn't only for deleted entries, right?
>>
>> Ah, yeah, that should be made more generic. This doc message is only used by developers, though.
>>
>>> This import doesn't seem to be used:
>>>
>>> from inspect import getdoc
>>>
>>> What is dont_output_for_cli()? Is this an effort to make things work while we're in transition?
>>
>> Yeah, I just renamed some methods so we can reference how they were implemented. Temporary.
>>
>>> You seem to have disabled the raw option in LDAPSearch, was that intentional?
>>
>> Originally I got the impression we weren't going to keep both --raw and --all, but this can be changed.
>>
>>> Is cli_name being dropped for label? I'm ok with that but should we remove it from all the plugins?
>>
>> No, here is how they work:
>>
>> `cli_name` is used for the optparse names and defaults to Param.name, like:
>>
>>   --first
>>
>> `label` is a human readable, translatable string. It's used in the webUI, and to prompt show entries on cli, like:
>>
>>   First name: John Doe
>>
>> `doc` is human readable help passed to optparse.make_option(help=doc). It defaults to the value of the label. It's used like this:
>>
>>   --uid=INTUID  (use this option to set it manually)
>>
>> In the above case the `label` is "UID" (not shown) but the `doc` is this longer string.
>>
>> The user plugins provide good examples of how I think these should be used. I'll submit a patch later documenting these different string uses.
>>
>>> rob
>
> We'll also need to determine what we'll do about all the plugins. The cert plugin, for example, isn't ported to this new return value system and blows up in many places. There are also some labels missing, such as for fqdn in the host plugin. These are both quite easy to fix, I think we just need to coordinate things.
>
> Perhaps if Pavel and I split up the plugins and fix anything that needs fixing and commit all the patches at one time to avoid any period of breakage.
>
> rob

Just did a fast forward through the big patch. It looks mostly OK, but as Rob said - it breaks a few things. I don't mind fixing all the plugins - it shouldn't be too hard, because at this point most of them are just extensions of baseldap.py classes. I'm going to apply the patch on my tree and see what I can do in the second half of this week.

One thing I noticed:

+return dict(
+result=entry_attrs,
+primary_key=keys[0],
+)

This will work on most plugins, but you should use keys[-1], because keys might contain parent object keys as well. The last key is always the primary key of the object in question.

Pavel
Re: [Freeipa-devel] [PATCH] Change object_class of group object.
Rob Crittenden wrote:
> Pavel Zuna wrote:
>> Some groups created by default don't have ipaUserGroup and won't show up in searches.
>>
>> Pavel
>
> nack, isn't the better approach to fix up the groups that are created by default without the ipaUserGroup objectclass?

It is. Fixed patch attached.

> rob

Pavel

Attachment: 0014-Add-ipaUserGroup-objectClass-to-default-groups-where.patch
Re: [Freeipa-devel] [PATCH] Add {user, host, sourcehost}Category to HBAC and make accessTime multivalue.
Rob Crittenden wrote:
> Pavel Zuna wrote:
>> Rob Crittenden wrote:
>>> Pavel Zuna wrote:
>>>> Due to the format of accessTime (it has commas and spaces in it), we can't use the List parameter type. I made it so that accessTime values have to be entered one by one using new commands.
>>>>
>>>> We also agreed, that we're going to rename GeneralizedTime parameter to AccessTime to prevent confusion with RFC 4517 standard. I attached a separate patch for clarity.
>>>>
>>>> Pavel
>>>
>>> A couple of questions:
>>>
>>> - Would it make sense to leave time in as an option that takes a singular value? If someone wants multiple times they can use the new add interface, right?
>>
>> It would and I think it's a good idea, updated patch attached.
>>
>>> - What are these new enums for? If there is only one choice do you really have a choice?
>>
>> Well for now, we only have the 'all' in categories, but the list is expected to grow. At first I didn't include categories in the plugin, because of this, but Sumit wanted it to be complete.
>>
>>> - We still need some tests for GeneralizedTime/AccessTime.
>>
>> Ok, added to my TODO list.
>
> The patch isn't applying for me:
>
> $ patch -p1 --dry-run < 0003-Fix-takes_options-in-automount-plugin.patch
> patching file ipalib/plugins/hbac.py
> patching file tests/test_xmlrpc/test_hbac_plugin.py
> Hunk #1 FAILED at 52.
> Hunk #2 FAILED at 84.
> 2 out of 3 hunks FAILED -- saving rejects to file tests/test_xmlrpc/test_hbac_plugin.py.rej
>
> Since you have to mess with this anyway, can you:
>
> - add another test to also test adding the access time on the add. You added back the capability but the tests are still removed AFAICT.
> - add a FUTURE or FIXME comment indicating that the enumerators are future-proofing things by making them a 1-option enumerator for now?
>
> rob

Fixed patch attached.

Pavel

Attachment: 0001-Add-user-host-sourcehost-Category-to-HBAC-and-make.patch
Attachment: 0002-Rename-GeneralizedTime-to-AccessTime.patch
Re: [Freeipa-devel] [PATCH] 285 CRL publishing
Rob Crittenden wrote:
> This enables CRL publishing by dogtag to a place where Apache can get the files.
>
> I have to do a couple of tricks here because dogtag is an optional component. This is why in the installer I first see if the dogtag SELinux policy is installed and if not add it. Similarly the installer will remove it upon uninstall.
>
> The policy itself just lets dogtag write to some Apache-labeled directories. dogtag uses symlinks to mark the latest CRL hence the permissions for links.
>
> rob

The patch looks fine, except that it doesn't apply on the current tree.

Pavel
Re: [Freeipa-devel] [PATCH] Change checks in List.normalize to filter out illegal values.
Pavel Zůna wrote:
> As we started converting NULL values to None a while back, List.normalize blows up if we set an empty tuple default value.
>
> Pavel

nack! This actually introduces a bigger problem than it solves, my mistake. Fixed version attached.

To demonstrate the bug this (was) is supposed to solve, try this before applying the patch:

ipa group-add-member ipausers --users=""

Pavel

Attachment: 0001-Change-checks-in-List.normalize-to-filter-out-illega.patch
[Freeipa-devel] [PATCH] Change checks in List.normalize to filter out illegal values.
As we started converting NULL values to None a while back, List.normalize blows up if we set an empty tuple default value.

Pavel

Attachment: 0001-Change-checks-in-List.normalize-to-filter-out-illega.patch