Re: [Freeipa-users] AD permissions needed for setting up AD trusts

2013-01-11 Thread David Juran
On fre, 2013-01-04 at 19:04 +0100, Ana Krivokapic wrote:
> On 01/03/2013 12:28 PM, Petr Spacek wrote:
> > On 12/21/2012 01:19 PM, Sumit Bose wrote:
> >> On Fri, Dec 21, 2012 at 12:30:33PM +0100, James Findley wrote:
> >>> Hi
> >>>
> >>> What permission level is needed for the AD user when creating an AD 
> >>> trust?  Can a regular domain user account do it, or is a domain 
> >>> admin needed?
> >>
> >> The account used here must be a member of the Domain Admins group.
> >>
> >>>
> >>> If write access to the AD server is needed, then could someone 
> >>> please tell me what the command will actually change in the AD server?
> >>>
> >>
> >> 'ipa trust-add' will only use LSA calls on the AD server. The most
> >> important one is CreateTrustedDomainEx2
> >> (http://msdn.microsoft.com/en-us/library/cc234380.aspx) to create the
> >> trust between the two domains. Additionally QueryTrustedDomainInfoByName
> >> (http://msdn.microsoft.com/en-us/library/cc234376.aspx) to check if the
> >> trust is already added and SetInformationTrustedDomain
> >> (http://msdn.microsoft.com/en-us/library/cc234385.aspx) to tell the AD
> >> server that the IPA server can handle AES encryption are used.
> >
> > Should we add this information to AD trusts documentation?
> >
> >>> The windows team at my place of work will want to know exactly what 
> >>> the tool will do before they grant permission.
> >
> I have added this information to the AD trusts wiki page:
> http://www.freeipa.org/page/IPAv3_AD_trust_setup#Add_trust_with_AD_domain

That link only gets me to an empty wiki page...


-- 
David Juran
Sr. Consultant
Red Hat
+46-725-345801


___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] AD permissions needed for setting up AD trusts

2013-01-11 Thread Alexander Bokovoy

On Fri, 11 Jan 2013, David Juran wrote:

On fre, 2013-01-04 at 19:04 +0100, Ana Krivokapic wrote:

On 01/03/2013 12:28 PM, Petr Spacek wrote:
> On 12/21/2012 01:19 PM, Sumit Bose wrote:
>> On Fri, Dec 21, 2012 at 12:30:33PM +0100, James Findley wrote:
>>> Hi
>>>
>>> What permission level is needed for the AD user when creating an AD
>>> trust?  Can a regular domain user account do it, or is a domain
>>> admin needed?
>>
>> The account used here must be a member of the Domain Admins group.
>>
>>>
>>> If write access to the AD server is needed, then could someone
>>> please tell me what the command will actually change in the AD server?
>>>
>>
>> 'ipa trust-add' will only use LSA calls on the AD server. The most
>> important one is CreateTrustedDomainEx2
>> (http://msdn.microsoft.com/en-us/library/cc234380.aspx) to create the
>> trust between the two domains. Additionally QueryTrustedDomainInfoByName
>> (http://msdn.microsoft.com/en-us/library/cc234376.aspx) to check if the
>> trust is already added and SetInformationTrustedDomain
>> (http://msdn.microsoft.com/en-us/library/cc234385.aspx) to tell the AD
>> server that the IPA server can handle AES encryption are used.
>
> Should we add this information to AD trusts documentation?
>
>>> The windows team at my place of work will want to know exactly what
>>> the tool will do before they grant permission.
>
I have added this information to the AD trusts wiki page:
http://www.freeipa.org/page/IPAv3_AD_trust_setup#Add_trust_with_AD_domain


That link only gets me to an empty wiki page...

It is moved to HOWTOs:
http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Add_trust_with_AD_domain

--
/ Alexander Bokovoy



Re: [Freeipa-users] AD permissions needed for setting up AD trusts

2013-01-11 Thread Petr Spacek

On 11.1.2013 10:19, Alexander Bokovoy wrote:

On Fri, 11 Jan 2013, David Juran wrote:

On fre, 2013-01-04 at 19:04 +0100, Ana Krivokapic wrote:

On 01/03/2013 12:28 PM, Petr Spacek wrote:
> On 12/21/2012 01:19 PM, Sumit Bose wrote:
>> On Fri, Dec 21, 2012 at 12:30:33PM +0100, James Findley wrote:
>>> Hi
>>>
>>> What permission level is needed for the AD user when creating an AD
>>> trust?  Can a regular domain user account do it, or is a domain
>>> admin needed?
>>
>> The account used here must be a member of the Domain Admins group.
>>
>>>
>>> If write access to the AD server is needed, then could someone
>>> please tell me what the command will actually change in the AD server?
>>>
>>
>> 'ipa trust-add' will only use LSA calls on the AD server. The most
>> important one is CreateTrustedDomainEx2
>> (http://msdn.microsoft.com/en-us/library/cc234380.aspx) to create the
>> trust between the two domains. Additionally QueryTrustedDomainInfoByName
>> (http://msdn.microsoft.com/en-us/library/cc234376.aspx) to check if the
>> trust is already added and SetInformationTrustedDomain
>> (http://msdn.microsoft.com/en-us/library/cc234385.aspx) to tell the AD
>> server that the IPA server can handle AES encryption are used.
>
> Should we add this information to AD trusts documentation?
>
>>> The windows team at my place of work will want to know exactly what
>>> the tool will do before they grant permission.
>
I have added this information to the AD trusts wiki page:
http://www.freeipa.org/page/IPAv3_AD_trust_setup#Add_trust_with_AD_domain


That link only gets me to an empty wiki page...

It is moved to HOWTOs:
http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Add_trust_with_AD_domain


Should we create a redirection? At least for users digging in archives?

--
Petr^2 Spacek



Re: [Freeipa-users] AD permissions needed for setting up AD trusts

2013-01-11 Thread Alexander Bokovoy

On Fri, 11 Jan 2013, Petr Spacek wrote:

On 11.1.2013 10:19, Alexander Bokovoy wrote:

On Fri, 11 Jan 2013, David Juran wrote:

On fre, 2013-01-04 at 19:04 +0100, Ana Krivokapic wrote:

On 01/03/2013 12:28 PM, Petr Spacek wrote:

On 12/21/2012 01:19 PM, Sumit Bose wrote:

On Fri, Dec 21, 2012 at 12:30:33PM +0100, James Findley wrote:

Hi

What permission level is needed for the AD user when creating an AD
trust?  Can a regular domain user account do it, or is a domain
admin needed?


The account used here must be a member of the Domain Admins group.



If write access to the AD server is needed, then could someone
please tell me what the command will actually change in the AD server?



'ipa trust-add' will only use LSA calls on the AD server. The most
important one is CreateTrustedDomainEx2
(http://msdn.microsoft.com/en-us/library/cc234380.aspx) to create the
trust between the two domains. Additionally QueryTrustedDomainInfoByName
(http://msdn.microsoft.com/en-us/library/cc234376.aspx) to check if the
trust is already added and SetInformationTrustedDomain
(http://msdn.microsoft.com/en-us/library/cc234385.aspx) to tell the AD
server that the IPA server can handle AES encryption are used.


Should we add this information to AD trusts documentation?


The windows team at my place of work will want to know exactly what
the tool will do before they grant permission.



I have added this information to the AD trusts wiki page:
http://www.freeipa.org/page/IPAv3_AD_trust_setup#Add_trust_with_AD_domain


That link only gets me to an empty wiki page...

It is moved to HOWTOs:
http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Add_trust_with_AD_domain


Should we create a redirection? At least for users digging in archives?

Yes, please do that.

--
/ Alexander Bokovoy



Re: [Freeipa-users] AD permissions needed for setting up AD trusts

2013-01-11 Thread Simo Sorce
On Fri, 2013-01-11 at 10:52 +0100, Petr Spacek wrote:
> On 11.1.2013 10:19, Alexander Bokovoy wrote:
> > On Fri, 11 Jan 2013, David Juran wrote:
> >> On fre, 2013-01-04 at 19:04 +0100, Ana Krivokapic wrote:
> >>> On 01/03/2013 12:28 PM, Petr Spacek wrote:
> >>> > On 12/21/2012 01:19 PM, Sumit Bose wrote:
> >>> >> On Fri, Dec 21, 2012 at 12:30:33PM +0100, James Findley wrote:
> >>> >>> Hi
> >>> >>>
> >>> >>> What permission level is needed for the AD user when creating an AD
> >>> >>> trust?  Can a regular domain user account do it, or is a domain
> >>> >>> admin needed?
> >>> >>
> >>> >> The account used here must be a member of the Domain Admins group.
> >>> >>
> >>> >>>
> >>> >>> If write access to the AD server is needed, then could someone
> >>> >>> please tell me what the command will actually change in the AD server?
> >>> >>>
> >>> >>
> >>> >> 'ipa trust-add' will only use LSA calls on the AD server. The most
> >>> >> important one is CreateTrustedDomainEx2
> >>> >> (http://msdn.microsoft.com/en-us/library/cc234380.aspx) to create the
> >>> >> trust between the two domains. Additionally 
> >>> >> QueryTrustedDomainInfoByName
> >>> >> (http://msdn.microsoft.com/en-us/library/cc234376.aspx) to check if the
> >>> >> trust is already added and SetInformationTrustedDomain
> >>> >> (http://msdn.microsoft.com/en-us/library/cc234385.aspx) to tell the AD
> >>> >> server that the IPA server can handle AES encryption are used.
> >>> >
> >>> > Should we add this information to AD trusts documentation?
> >>> >
> >>> >>> The windows team at my place of work will want to know exactly what
> >>> >>> the tool will do before they grant permission.
> >>> >
> >>> I have added this information to the AD trusts wiki page:
> >>> http://www.freeipa.org/page/IPAv3_AD_trust_setup#Add_trust_with_AD_domain
> >>
> >> That link only gets me to an empty wiki page...
> > It is moved to HOWTOs:
> > http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Add_trust_with_AD_domain
> 
> Should we create a redirection? At least for users digging in archives?

I actually explicitly removed it to avoid clutter in the root :)

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] error adding replica

2013-01-11 Thread Natxo Asenjo
On Fri, Dec 14, 2012 at 1:36 AM, Dmitri Pal  wrote:
> On 12/13/2012 03:48 AM, Natxo Asenjo wrote:
>> hi,
>>
>> On Thu, Dec 13, 2012 at 1:46 AM, Dmitri Pal  wrote:
>>> The holidays are coming. It is unlikely that we would be able to look
>>> into it till Jan.
>> that is no problem at all, we have the same issues ;-)
>>
>> Do you want me to keep the vm's around for troubleshooting the issue
>> when there is time?
>>
> Would be great if you would be able to start this thread over after the
> holidays to draw our attention.
> So at that time every detail would be handy.

hi,

I just tried again to create a replica and had exactly the same error
as on the thread's first post.

In ipareplica-install.log I get the "The pkcs12 file is not correct." error.

-- 
groet,
natxo



Re: [Freeipa-users] error adding replica

2013-01-11 Thread Rob Crittenden

Natxo Asenjo wrote:

On Fri, Dec 14, 2012 at 1:36 AM, Dmitri Pal  wrote:

On 12/13/2012 03:48 AM, Natxo Asenjo wrote:

hi,

On Thu, Dec 13, 2012 at 1:46 AM, Dmitri Pal  wrote:

The holidays are coming. It is unlikely that we would be able to look
into it till Jan.

that is no problem at all, we have the same issues ;-)

Do you want me to keep the vm's around for troubleshooting the issue
when there is time?


Would be great if you would be able to start this thread over after the
holidays to draw our attention.
So at that time every detail would be handy.


hi,

I just tried again to create a replica and had exactly the same error
as on the thread's first post.

In ipareplica-install.log I get the "The pkcs12 file is not correct." error.



Can you send me the log file /var/log/pki-ca/debug out-of-band? I'll
pass that along to the dogtag guys who can hopefully tell us what is
going on. I'd need the log from both the IPA Master that you are
installing and the one that generated the replica file.

The files can be big, gzipping is appreciated :-)

thanks

rob



[Freeipa-users] openldap to ipa

2013-01-11 Thread Johnathan Phan
Hi There,

This is driving me up the wall.

I have two servers. One is a live OpenLDAP/Kerberos AAA server running on
RHEL6. The LDAP service has SSL/TLS support. The second server is a test
environment running on Fedora and has 3.1 IPA installed.

As a last step of my POC I need to migrate the users and passwords from the
LDAP server to IPA server.

I ran this command perfectly fine.

ipa config-mod --enable-migration=TRUE

However the next step was where my issues began.

In the end after a lot of IRC communication and troubleshooting I now run
the following command.

ipa migrate-ds --bind-dn="cn=admin,dc=example,dc=com" \
  --user-container="ou=users,ou=live,dc=example,dc=com" \
  --group-container="ou=groups,ou=live,dc=example,dc=com" \
  ldaps://ldap1.live.example.com

I get the following error.

ipa: DEBUG: Caught fault 4203 from server
http://fedoraipaserver.test.example.com/ipa/xml: Can't contact LDAP server:
TLS error -8179:Peer's Certificate issuer is not recognized.
ipa: DEBUG: Destroyed connection context.xmlclient
ipa: ERROR: Can't contact LDAP server: TLS error -8179:Peer's Certificate
issuer is not recognized.

I have summarized that the IPA server does not trust the cert served by the
openldap or the other way around. Does anyone know how to get around this?
Or allow me to finish the migration of user data.

Regards

John

-- 
Johnathan Phan

T: +44 (0)784 118 7080

Re: [Freeipa-users] how do i apply patch?

2013-01-11 Thread Umarzuki Mochlis
2013/1/10 Martin Kosek :

> If you want to do a custom build, you can either use a fedpkg and create a
> scratch build of IPA with the patches applied or do a custom build from git
> tree. Using the fedpkg tool + build in koji may be the safest way to build
> such rpm that contain only the official build + chosen patches.
>
> Martin

Hi, what I want to do is simply patch FreeIPA with that patch from
ipa-server 2.2.0 on my CentOS 6.

Is there any method that would retain the current configuration?

-- 
Regards,

Umarzuki Mochlis
http://debmal.my



Re: [Freeipa-users] how do i apply patch?

2013-01-11 Thread John Dennis

On 01/11/2013 11:25 AM, Umarzuki Mochlis wrote:

2013/1/10 Martin Kosek :


If you want to do a custom build, you can either use a fedpkg and create a
scratch build of IPA with the patches applied or do a custom build from git
tree. Using the fedpkg tool + build in koji may be the safest way to build
such rpm that contain only the official build + chosen patches.

Martin


Hi, what I want to do is simply patch FreeIPA with that patch from
ipa-server 2.2.0 on my CentOS 6.

Is there any method that would retain the current configuration?



You can do one of two things.

1) Download the source RPM matching the version you have installed, add
the patch, rebuild the RPM locally, and install the locally built RPM.


2) Apply the patch to the installed code. This is manual; there are
opportunities to mess up a running system unless you're careful, and it's
not reproducible. But it can be faster and more expedient; most IPA devs
do this all the time to try out potential fixes because it's so easy to
edit installed Python code. However, if the patch in question depends on a
post-install update run by the RPM install, this won't (easily) work. The
safest thing is option 1, build a patched RPM.


--
John Dennis 

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



Re: [Freeipa-users] openldap to ipa

2013-01-11 Thread JR Aquino
Try editing /etc/openldap/ldap.conf:

TLS_CACERT  /etc/ipa/ca.crt
TLS_REQCERT allow


See if that helps

"Keeping your head in the cloud"
~
Jr Aquino | Sr. Information Security Specialist
GIAC Exploit Researcher and Advanced Penetration Tester |
GIAC Certified Incident Handler | GIAC WebApp Penetration Tester
Citrix Online | 7408 Hollister Avenue | Goleta, CA 
93117
T:  +1 805.690.3478
C: +1 805.717.0365
jr.aqu...@citrix.com
http://www.citrixonline.com

On Jan 11, 2013, at 8:05 AM, Johnathan Phan <j...@ox-consulting.com> wrote:

Hi There,

This is driving me up the wall.

I have two servers. One is a live OpenLDAP/Kerberos AAA server running on RHEL6.
The LDAP service has SSL/TLS support. The second server is a test environment
running on Fedora and has 3.1 IPA installed.

As a last step of my POC I need to migrate the users and passwords from the 
LDAP server to IPA server.

I ran this command perfectly fine.

ipa config-mod --enable-migration=TRUE

However the next step was where my issues began.

In the end after a lot of IRC communication and troubleshooting I now run the 
following command.

ipa migrate-ds --bind-dn="cn=admin,dc=example,dc=com" \
  --user-container="ou=users,ou=live,dc=example,dc=com" \
  --group-container="ou=groups,ou=live,dc=example,dc=com" \
  ldaps://ldap1.live.example.com

I get the following error.

ipa: DEBUG: Caught fault 4203 from server 
http://fedoraipaserver.test.example.com/ipa/xml: Can't contact LDAP server: TLS 
error -8179:Peer's Certificate issuer is not recognized.
ipa: DEBUG: Destroyed connection context.xmlclient
ipa: ERROR: Can't contact LDAP server: TLS error -8179:Peer's Certificate 
issuer is not recognized.

I have summarized that the IPA server does not trust the cert served by the 
openldap or the other way around. Does anyone know how to get around this? Or 
allow me to finish the migration of user data.

Regards

John

--
Johnathan Phan

T: +44 (0)784 118 7080






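Added example, not from the thread and not FreeIPA code: a check for which CA actually issued the OpenLDAP server certificate, so that TLS_CACERT can name that CA file and TLS_REQCERT can stay at demand (full verification) instead of allow. It builds two throwaway CAs with openssl in a temp dir; the names ldap-ca (stand-in for the OpenLDAP server's issuer) and ipa-ca (stand-in for /etc/ipa/ca.crt), the server CN and all file paths are assumptions.

```shell
# Added example (not from the thread). Two throwaway CAs: "ldap-ca" stands
# in for whatever issued the OpenLDAP server cert, "ipa-ca" for
# /etc/ipa/ca.crt. A server cert is issued from ldap-ca, then each CA file
# is tried with "openssl verify"; the one that verifies is the file
# TLS_CACERT should point at, with TLS_REQCERT left at "demand".

make_ca() {  # $1 = CA name; writes $1.key and a self-signed $1.crt with CA:TRUE
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1 || return 1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$1.ext"
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 1 \
        -extfile "$1.ext" -out "$1.crt" >/dev/null 2>&1
}

issue_server_cert() {  # $1 = issuing CA name, $2 = server CN; writes server.crt
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout server.key -out server.csr >/dev/null 2>&1 || return 1
    openssl x509 -req -in server.csr -CA "$1.crt" -CAkey "$1.key" \
        -CAcreateserial -days 1 -out server.crt >/dev/null 2>&1
}

# Issuer DN of a certificate, as openssl prints it.
cert_issuer() {
    openssl x509 -in "$1" -noout -issuer
}

# Print the first CA file (arguments after the server cert) that verifies
# the server certificate; print nothing and return 1 if none does.
find_issuer_ca() {
    server=$1; shift
    for ca in "$@"; do
        if openssl verify -CAfile "$ca" "$server" >/dev/null 2>&1; then
            echo "$ca"
            return 0
        fi
    done
    return 1
}

# ldap.conf lines for a CA file that does verify the server certificate.
ldap_conf_for() {
    printf 'TLS_CACERT  %s\nTLS_REQCERT demand\n' "$1"
}

demo() {
    dir=$(mktemp -d) && cd "$dir" || return 1
    make_ca ldap-ca && make_ca ipa-ca || return 1
    issue_server_cert ldap-ca ldap1.live.example.com || return 1
    echo "server cert: $(cert_issuer server.crt)"
    # ipa-ca.crt is tried first and fails, as /etc/ipa/ca.crt would for a
    # server cert it never issued; ldap-ca.crt verifies it.
    if ca=$(find_issuer_ca server.crt ipa-ca.crt ldap-ca.crt); then
        echo "verified by $ca; ldap.conf lines:"
        ldap_conf_for "$dir/$ca"
    else
        echo "no candidate CA verifies server.crt"
        return 1
    fi
}

demo
```

On a real system the candidate files are the CA certificate bundles already on the IPA host; the same `openssl verify` call against the certificate the OpenLDAP server presents tells you which one to name in TLS_CACERT.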

Re: [Freeipa-users] CSV support in IPA administration tools - to be, or not to be?

2013-01-11 Thread Dmitri Pal
On 01/10/2013 11:00 AM, John Dennis wrote:
> On 01/10/2013 08:15 AM, Petr Spacek wrote:
>> Hello,
>>
>> is there any user of CSV support built-in to IPA administration tools
>> ("ipa"
>> command)? Do you consider it sane or even useful? Please reply.
>
> I've always disliked our use of CSV values on both the command line
> and internally. They're just weird, nothing else in Unix works like
> this and as you point out below there are easier better alternatives.
> Plus with the use of CSV's there is a lot of awkward quoting in a
> variety of places.
>
> On the command line I always thought multiple values should be
> specified multiple times and internally they should be encapsulated in
> lists rather than parsing a CSV string (if it's logically a list then
> why isn't it a list?)
>
> However at this juncture I'm not sure we can make such a change, we
> have a published API that we would be violating. But perhaps we're not
> so far down the road we can't make such a change and we're better off
> doing it now while there is even a chance. It's not clear to me how
> much the command line is being used and specifically with CSV values.
>
> Do I think CSV's are sane and useful? No. Can we change that? That's a
> whole other story.
>
>
>> I wanted to add single TXT record with double quotation marks (")
>> inside the
>> TXT data.
>>
>> I spent some time figuring out how it is supposed to work ... and
>> with help of
>> Petr^3 I managed to write the command.
>>
>> The resulting command (for BASH) is absolutely crazy:
>> ipa dnsrecord-add example.test. newrec --txt-rec='"""created on
>> 13:01:23"""'
>>
>> Do we really need support for this piece of insanity? Shells can do
>> the same
>> thing with much less pain :-)
>>
>> IPA with CSV support can add multiple attributes at once, e.g.
>> ipa dnsrecord-add example.test. newrec --txt-rec=1,2,3,4,5,6,7,8,9
>> will add TXT records with value 1, 2, 3 etc.
>>
>> BASH can do the same thing (without the escaping hell):
>> ipa dnsrecord-add example.test. newrec --txt-rec={1,2,3,4,5,6,7,8,9}
>> and
>> ipa dnsrecord-add example.test. newrec --txt-rec={1..9}
>> BASH would expand to
>> ipa dnsrecord-add example.test. newrec --txt-rec=1 --txt-rec=2
>> --txt-rec=3
>> --txt-rec=4 --txt-rec=5 --txt-rec=6 --txt-rec=7 --txt-rec=8 --txt-rec=9
>>
>
>
Do we already have CSV support?
Where is it used?
It is not clear to me if BASH example above requires the CSV support or
it does expansion on its own. Please explain.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/





Re: [Freeipa-users] CSV support in IPA administration tools - to be, or not to be?

2013-01-11 Thread John Dennis

On 01/11/2013 03:10 PM, Dmitri Pal wrote:

On 01/10/2013 11:00 AM, John Dennis wrote:

On 01/10/2013 08:15 AM, Petr Spacek wrote:

Hello,

is there any user of CSV support built-in to IPA administration tools
("ipa"
command)? Do you consider it sane or even useful? Please reply.


I've always disliked our use of CSV values on both the command line
and internally. They're just weird, nothing else in Unix works like
this and as you point out below there are easier better alternatives.
Plus with the use of CSV's there is a lot of awkward quoting in a
variety of places.

On the command line I always thought multiple values should be
specified multiple times and internally they should be encapsulated in
lists rather than parsing a CSV string (if it's logically a list then
why isn't it a list?)

However at this juncture I'm not sure we can make such a change, we
have a published API that we would be violating. But perhaps we're not
so far down the road we can't make such a change and we're better off
doing it now while there is even a chance. It's not clear to me how
much the command line is being used and specifically with CSV values.

Do I think CSV's are sane and useful? No. Can we change that? That's a
whole other story.



I wanted to add single TXT record with double quotation marks (")
inside the
TXT data.

I spent some time figuring out how it is supposed to work ... and
with help of
Petr^3 I managed to write the command.

The resulting command (for BASH) is absolutely crazy:
ipa dnsrecord-add example.test. newrec --txt-rec='"""created on
13:01:23"""'

Do we really need support for this piece of insanity? Shells can do
the same
thing with much less pain :-)

IPA with CSV support can add multiple attributes at once, e.g.
ipa dnsrecord-add example.test. newrec --txt-rec=1,2,3,4,5,6,7,8,9
will add TXT records with value 1, 2, 3 etc.

BASH can do the same thing (without the escaping hell):
ipa dnsrecord-add example.test. newrec --txt-rec={1,2,3,4,5,6,7,8,9}
and
ipa dnsrecord-add example.test. newrec --txt-rec={1..9}
BASH would expand to
ipa dnsrecord-add example.test. newrec --txt-rec=1 --txt-rec=2
--txt-rec=3
--txt-rec=4 --txt-rec=5 --txt-rec=6 --txt-rec=7 --txt-rec=8 --txt-rec=9





Do we already have CSV support?
Where is it used?
It is not clear to me if BASH example above requires the CSV support or
it does expansion on its own. Please explain.



We already have CSV support. It's a mechanism that allows multiple 
values to be passed for one command line argument. The alternate 
approach is rather than having one command line arg that takes multiple 
values is to allow multiple command line args, each one taking a single 
value. This is the UNIX methodology. I believe the original thinking was 
who would want to type out multiple command line args, it's too verbose. 
However the shell expansion illustrated above shows how with simple 
shell syntax one can have succinct args and allow the shell to expand
them into the preferred verbose form.


--
John Dennis 

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



Re: [Freeipa-users] CSV support in IPA administration tools - to be, or not to be?

2013-01-11 Thread Dmitri Pal
On 01/11/2013 03:27 PM, John Dennis wrote:
> On 01/11/2013 03:10 PM, Dmitri Pal wrote:
>> On 01/10/2013 11:00 AM, John Dennis wrote:
>>> On 01/10/2013 08:15 AM, Petr Spacek wrote:
 Hello,

 is there any user of CSV support built-in to IPA administration tools
 ("ipa"
 command)? Do you consider it sane or even useful? Please reply.
>>>
>>> I've always disliked our use of CSV values on both the command line
>>> and internally. They're just weird, nothing else in Unix works like
>>> this and as you point out below there are easier better alternatives.
>>> Plus with the use of CSV's there is a lot of awkward quoting in a
>>> variety of places.
>>>
>>> On the command line I always thought multiple values should be
>>> specified multiple times and internally they should be encapsulated in
>>> lists rather than parsing a CSV string (if it's logically a list then
>>> why isn't it a list?)
>>>
>>> However at this juncture I'm not sure we can make such a change, we
>>> have a published API that we would be violating. But perhaps we're not
>>> so far down the road we can't make such a change and we're better off
>>> doing it now while there is even a chance. It's not clear to me how
>>> much the command line is being used and specifically with CSV values.
>>>
>>> Do I think CSV's are sane and useful? No. Can we change that? That's a
>>> whole other story.
>>>
>>>
 I wanted to add single TXT record with double quotation marks (")
 inside the
 TXT data.

 I spent some time figuring out how it is supposed to work ... and
 with help of
 Petr^3 I managed to write the command.

 The resulting command (for BASH) is absolutely crazy:
 ipa dnsrecord-add example.test. newrec --txt-rec='"""created on
 13:01:23"""'

 Do we really need support for this piece of insanity? Shells can do
 the same
 thing with much less pain :-)

 IPA with CSV support can add multiple attributes at once, e.g.
 ipa dnsrecord-add example.test. newrec --txt-rec=1,2,3,4,5,6,7,8,9
 will add TXT records with value 1, 2, 3 etc.

 BASH can do the same thing (without the escaping hell):
 ipa dnsrecord-add example.test. newrec --txt-rec={1,2,3,4,5,6,7,8,9}
 and
 ipa dnsrecord-add example.test. newrec --txt-rec={1..9}
 BASH would expand to
 ipa dnsrecord-add example.test. newrec --txt-rec=1 --txt-rec=2
 --txt-rec=3
 --txt-rec=4 --txt-rec=5 --txt-rec=6 --txt-rec=7 --txt-rec=8
 --txt-rec=9

>>>
>>>
>> Do we already have CSV support?
>> Where is it used?
>> It is not clear to me if BASH example above requires the CSV support or
>> it does expansion on its own. Please explain.
>>
>
> We already have CSV support. It's a mechanism that allows multiple
> values to be passed for one command line argument. The alternate
> approach is rather than having one command line arg that takes
> multiple values is to allow multiple command line args, each one
> taking a single value. This is the UNIX methodology. I believe the
> original thinking was who would want to type out multiple command line
> args, it's too verbose. However the shell expansion illustrated above
> shows how with simple shell syntax one can have succinct args and
> allow the shell to expand them into the preferred verbose form.
>

So both are already supported and we want to stop using CSV and
deprecate it over time?
This makes sense if there are good examples of how to use bash expansion.
I suggest we create a page and describe preferred method of dealing with
the lists and document it.
Also do the same with the manual, i.e. review it to make sure we do not
show CSV syntax in the docs, same with the man pages.
On the project page we will say that CSV will not be added to the new
and existing commands and will be deprecated over time (probably by IPA
version 4).
Do I get it right?

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/





Re: [Freeipa-users] CSV support in IPA administration tools - to be, or not to be?

2013-01-11 Thread John Dennis

On 01/11/2013 03:52 PM, Dmitri Pal wrote:

On 01/11/2013 03:27 PM, John Dennis wrote:

On 01/11/2013 03:10 PM, Dmitri Pal wrote:

On 01/10/2013 11:00 AM, John Dennis wrote:

On 01/10/2013 08:15 AM, Petr Spacek wrote:

Hello,

is there any user of CSV support built-in to IPA administration tools
("ipa"
command)? Do you consider it sane or even useful? Please reply.


I've always disliked our use of CSV values on both the command line
and internally. They're just weird, nothing else in Unix works like
this and as you point out below there are easier better alternatives.
Plus with the use of CSV's there is a lot of awkward quoting in a
variety of places.

On the command line I always thought multiple values should be
specified multiple times and internally they should be encapsulated in
lists rather than parsing a CSV string (if it's logically a list then
why isn't it a list?)

However at this juncture I'm not sure we can make such a change, we
have a published API that we would be violating. But perhaps we're not
so far down the road we can't make such a change and we're better off
doing it now while there is even a chance. It's not clear to me how
much the command line is being used and specifically with CSV values.

Do I think CSV's are sane and useful? No. Can we change that? That's a
whole other story.



I wanted to add single TXT record with double quotation marks (")
inside the
TXT data.

I spent some time figuring out how it is supposed to work ... and
with help of
Petr^3 I managed to write the command.

The resulting command (for BASH) is absolutely crazy:
ipa dnsrecord-add example.test. newrec --txt-rec='"""created on
13:01:23"""'

Do we really need support for this piece of insanity? Shells can do
the same
thing with much less pain :-)

IPA with CSV support can add multiple attributes at once, e.g.
ipa dnsrecord-add example.test. newrec --txt-rec=1,2,3,4,5,6,7,8,9
will add TXT records with value 1, 2, 3 etc.

BASH can do the same thing (without the escaping hell):
ipa dnsrecord-add example.test. newrec --txt-rec={1,2,3,4,5,6,7,8,9}
and
ipa dnsrecord-add example.test. newrec --txt-rec={1..9}
BASH would expand to
ipa dnsrecord-add example.test. newrec --txt-rec=1 --txt-rec=2
--txt-rec=3
--txt-rec=4 --txt-rec=5 --txt-rec=6 --txt-rec=7 --txt-rec=8
--txt-rec=9





Do we already have CSV support?
Where is it used?
It is not clear to me if BASH example above requires the CSV support or
it does expansion on its own. Please explain.



We already have CSV support. It's a mechanism that allows multiple
values to be passed for one command line argument. The alternate
approach is rather than having one command line arg that takes
multiple values is to allow multiple command line args, each one
taking a single value. This is the UNIX methodology. I believe the
original thinking was who would want to type out multiple command line
args, it's too verbose. However the shell expansion illustrated above
shows how with simple shell syntax one can have succinct args and
allow the shell to expand them into the preferred verbose form.



So both are already supported and we want to stop using CSV and
deprecate it over time?
This makes sense if there are good examples of how to use bash expansion.
I suggest we create a page and describe preferred method of dealing with
the lists and document it.
Also do the same with the manual, i.e. review it to make sure we do not
show CSV syntax in the docs, same with the man pages.
On the project page we will say that CSV will not be added to the new
and existing commands and will be deprecated over time (probably by IPA
version 4).
Do I get it right?



I'm not sure both are currently supported. I'm not sure we permit 
multiple args with the same name and aggregate them, I thought that was 
part of the proposal.


--
John Dennis 

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

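Added example, not from the thread and not FreeIPA code: a shell demonstration of the two quoting layers behind the --txt-rec commands quoted above. The shell decides how many --txt-rec arguments the command receives; CSV handling then splits one argument into values. count_txt_args is a stand-in for a command that takes repeated --txt-rec options, and csv_fields applies the ordinary CSV rules (comma separates fields, a field wrapped in double quotes may contain commas, an embedded double quote is written twice); that ipa's CSV handling follows those rules is an assumption the triple-quoted TXT record suggests but the thread does not spell out.

```shell
# Added example (not from the thread). Layer 1: the shell, which decides how
# many --txt-rec arguments arrive. Layer 2: CSV splitting of one argument,
# assumed here to follow the ordinary CSV quoting rules.

# Stand-in for a command that accepts repeated --txt-rec options: reports
# how many separate --txt-rec=... arguments reached it.
count_txt_args() {
    n=0
    for arg in "$@"; do
        case $arg in
            --txt-rec=*) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Split one CSV string into fields, one per line. A field wrapped in double
# quotes may contain commas, and a double quote inside it is written twice.
# (awk -v applies backslash escapes to its value; the inputs here have none.)
csv_fields() {
    awk -v s="$1" 'BEGIN {
        while (length(s) > 0) {
            if (substr(s, 1, 1) == "\"") {          # quoted field
                field = ""; i = 2
                while (i <= length(s)) {
                    c = substr(s, i, 1)
                    if (c == "\"") {
                        if (substr(s, i + 1, 1) == "\"") {   # "" -> "
                            field = field "\""; i += 2; continue
                        }
                        break                                # closing quote
                    }
                    field = field c; i++
                }
                print field
                s = substr(s, i + 2)                # skip closing quote and comma
            } else {                                # bare field: up to next comma
                p = index(s, ",")
                if (p == 0) { print s; s = "" } else { print substr(s, 1, p - 1); s = substr(s, p + 1) }
            }
        }
    }'
}

# Number of values one CSV argument would produce.
csv_field_count() {
    csv_fields "$1" | awk 'END { print NR }'
}

# Petr's bash form: bash expands {1..9} into nine separate options before
# the command runs, so no CSV parsing is involved. POSIX sh has no brace
# expansion and passes "--txt-rec={1..9}" through as one literal argument.
bash_expansion_count() {
    count_txt_args --txt-rec={1..9}
}

# The CSV form: one argument on the command line, nine values after splitting.
csv_form_count() {
    csv_field_count '1,2,3,4,5,6,7,8,9'
}

# The "crazy" TXT record: the shell's single quotes pass the six double quotes
# through untouched; CSV then yields one value, "created on 13:01:23", whose
# own double quotes survive because each was written twice inside the field.
txt_record_value() {
    csv_fields '"""created on 13:01:23"""'
}

echo "brace expansion -> $(bash_expansion_count) argument(s)"
echo "CSV form        -> $(csv_form_count) value(s) from one argument"
echo "TXT record      -> $(txt_record_value)"
```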