Re: [Freeipa-devel] [PATCH 0064] Do not check userPassword with 7-bit plugin
On 06/03/2013 03:07 PM, Tomas Babej wrote: > On 06/03/2013 01:10 PM, Tomas Babej wrote: >> Hi, >> >> Default list of attributes that are checked with 7-bit plugin >> for being 7-bit clean includes userPassword. Consecutively, one >> is unable to set passwords that contain non-ascii characters. >> >> https://fedorahosted.org/freeipa/ticket/3640 >> >> Tomas > > Proper explanation and missing newline added. > > Updated patch attached. > > Tomas > Works for me. ACK, pushed to master, ipa-3-2. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0064] Do not check userPassword with 7-bit plugin
On 06/03/2013 01:10 PM, Tomas Babej wrote: Hi, Default list of attributes that are checked with 7-bit plugin for being 7-bit clean includes userPassword. Consecutively, one is unable to set passwords that contain non-ascii characters. https://fedorahosted.org/freeipa/ticket/3640 Tomas Proper explanation and missing newline added. Updated patch attached. Tomas From 11ae96664836427010d62c89e83a89480f02cca3 Mon Sep 17 00:00:00 2001 From: Tomas Babej Date: Mon, 3 Jun 2013 09:56:08 +0200 Subject: [PATCH] Do not check userPassword with 7-bit plugin Default list of attributes that are checked with 7-bit plugin for being 7-bit clean includes userPassword. Consecutively, one is unable to set passwords that contain non-ascii characters. https://fedorahosted.org/freeipa/ticket/3640 --- install/updates/50-7_bit_check.update | 6 ++ install/updates/Makefile.am | 1 + 2 files changed, 7 insertions(+) create mode 100644 install/updates/50-7_bit_check.update diff --git a/install/updates/50-7_bit_check.update b/install/updates/50-7_bit_check.update new file mode 100644 index ..b9ea8a97d570e37b6337284358d40c05e32196b6 --- /dev/null +++ b/install/updates/50-7_bit_check.update @@ -0,0 +1,6 @@ +# Remove userPassword from the list of attributes checked by 7-bit plugin +# Replace argument value 'userPassword' with 'mail' to avoid the need to +# shift the whole argument array. Attribute 'mail' is already listed +# in pluginarg1, so it is conveniently used as valid value placeholder. +dn: cn=7-bit check,cn=plugins,cn=config +replace:nsslapd-pluginarg2:userpassword::mail diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am index 787a51cfcc574b8d4e0a11b749c1c8aee76e7977..5336f62ed97aba125ca8f1ae7c3e3505bb7ff3ea 100644 --- a/install/updates/Makefile.am +++ b/install/updates/Makefile.am @@ -35,6 +35,7 @@ app_DATA =\ 40-automember.update \ 40-otp.update \ 45-roles.update \ + 50-7_bit_check.update \ 50-lockout-policy.update \ 50-groupuuid.update \ 50-hbacservice.update \ -- 1.8.1.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0064] Do not check userPassword with 7-bit plugin
On 3.6.2013 14:55, Martin Kosek wrote: On 06/03/2013 01:32 PM, Jan Cholasta wrote: Hi, On 3.6.2013 13:10, Tomas Babej wrote: Hi, Default list of attributes that are checked with 7-bit plugin for being 7-bit clean includes userPassword. Consecutively, one is unable to set passwords that contain non-ascii characters. https://fedorahosted.org/freeipa/ticket/3640 Tomas what is the idea behind this: +replace:nsslapd-pluginarg2:userpassword::mail why not use remove instead of replace? Because of https://fedorahosted.org/389/ticket/47370, I found - DS would crash. In this update, I would like to operate only with this one attribute to avoid shifting the whole nsslapd-pluginargX array if we chose to remove nsslapd-pluginarg2. I thought that the safest approach would be to simply replace nsslapd-pluginarg2 with an already checked value, thus creating a safe NOOP. But I am open to other values leading to not checking userPassword attribute + changing nsslapd-pluginarg2 only. Martin I see. Anyway, I think there should be a comment in the update file explaining why replace is necessary. -- Jan Cholasta ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0064] Do not check userPassword with 7-bit plugin
On 06/03/2013 01:32 PM, Jan Cholasta wrote: > Hi, > > On 3.6.2013 13:10, Tomas Babej wrote: >> Hi, >> >> Default list of attributes that are checked with 7-bit plugin >> for being 7-bit clean includes userPassword. Consecutively, one >> is unable to set passwords that contain non-ascii characters. >> >> https://fedorahosted.org/freeipa/ticket/3640 >> >> Tomas >> > > what is the idea behind this: > > +replace:nsslapd-pluginarg2:userpassword::mail > > why not use remove instead of replace? Because of https://fedorahosted.org/389/ticket/47370, I found - DS would crash. In this update, I would like to operate only with this one attribute to avoid shifting the whole nsslapd-pluginargX array if we chose to remove nsslapd-pluginarg2. I thought that the safest approach would be to simply replace nsslapd-pluginarg2 with an already checked value, thus creating a safe NOOP. But I am open to other values leading to not checking userPassword attribute + changing nsslapd-pluginarg2 only. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0064] Do not check userPassword with 7-bit plugin
Hi, On 3.6.2013 13:10, Tomas Babej wrote: Hi, Default list of attributes that are checked with 7-bit plugin for being 7-bit clean includes userPassword. Consecutively, one is unable to set passwords that contain non-ascii characters. https://fedorahosted.org/freeipa/ticket/3640 Tomas what is the idea behind this: +replace:nsslapd-pluginarg2:userpassword::mail why not use remove instead of replace? Also please add the missing newline at the end of the update file. Honza -- Jan Cholasta ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH 0064] Do not check userPassword with 7-bit plugin
Hi, Default list of attributes that are checked with 7-bit plugin for being 7-bit clean includes userPassword. Consecutively, one is unable to set passwords that contain non-ascii characters. https://fedorahosted.org/freeipa/ticket/3640 Tomas From 0ad7f3ee2c20f668bc64a2856ce444d31df65c3f Mon Sep 17 00:00:00 2001 From: Tomas Babej Date: Mon, 3 Jun 2013 09:56:08 +0200 Subject: [PATCH] Do not check userPassword with 7-bit plugin Default list of attributes that are checked with 7-bit plugin for being 7-bit clean includes userPassword. Consecutively, one is unable to set passwords that contain non-ascii characters. https://fedorahosted.org/freeipa/ticket/3640 --- install/updates/50-7_bit_check.update | 3 +++ install/updates/Makefile.am | 1 + 2 files changed, 4 insertions(+) create mode 100644 install/updates/50-7_bit_check.update diff --git a/install/updates/50-7_bit_check.update b/install/updates/50-7_bit_check.update new file mode 100644 index ..cef3159b6ac2586bbac42112d3e86b073b8faa3d --- /dev/null +++ b/install/updates/50-7_bit_check.update @@ -0,0 +1,3 @@ +# Remove userPassword from the list of attributes checked by 7-bit plugin +dn: cn=7-bit check,cn=plugins,cn=config +replace:nsslapd-pluginarg2:userpassword::mail \ No newline at end of file diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am index 787a51cfcc574b8d4e0a11b749c1c8aee76e7977..5336f62ed97aba125ca8f1ae7c3e3505bb7ff3ea 100644 --- a/install/updates/Makefile.am +++ b/install/updates/Makefile.am @@ -35,6 +35,7 @@ app_DATA =\ 40-automember.update \ 40-otp.update \ 45-roles.update \ + 50-7_bit_check.update \ 50-lockout-policy.update \ 50-groupuuid.update \ 50-hbacservice.update \ -- 1.8.1.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
