Re: [Freeipa-devel] bind-dyndb-ldap: [PATCH] Handle termination of SyncRepl watcher thread

2016-12-19 Thread thierry bordaz
Hi Tomas, The patch looks good to me. Just a minor remark. ldap_inst->exiting=TRUE and signaling the watcher thread is the same action. Ideally the signal handler would set 'existing=TRUE', but there is no nice way for the signal handler to retrieve/set the 'existing' flag. Do you think we cou

Re: [Freeipa-devel] GetEffectiveRights and add ACIs

2017-01-13 Thread thierry bordaz
Hi Fraser, I failed to reproduce your test case, I mean the aci granted the add right to a group member to ADD an entry with the filtered attribute. Now I have a doubt to test attribute value on an entry that does not yet exist. Would you run /usr/lib64/mozldap/ldapsearch -D "cn=directory m

Re: [Freeipa-devel] GetEffectiveRights and add ACIs

2017-01-13 Thread thierry bordaz
ke you can provide GER a bit of information eg objectclass of the new entry, so that the existing aci would be selected. Maybe can_add can be extended. Ludwig On 01/13/2017 09:12 AM, thierry bordaz wrote: Hi Fraser, I failed to reproduce your test case, I mean the aci granted the add right

[Freeipa-devel] Asking for help to add new options

2014-05-14 Thread thierry bordaz
Hello, Quite beginner in freeipa land, I am trying to add options to 'user-add' sub-command but desperately failing to make it work. I did the following modification: diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py index 9b21200..0c36e35 100644 --- a/ip

Re: [Freeipa-devel] Asking for help to add new options

2014-05-14 Thread thierry bordaz
On 05/14/2014 12:01 PM, Petr Viktorin wrote: On 05/14/2014 11:21 AM, thierry bordaz wrote: Hello, Quite beginner in freeipa land, I am trying to add options to 'user-add' sub-command but desperately failing to make it work. I did the following modification: di

Re: [Freeipa-devel] Asking for help to add new options

2014-05-14 Thread thierry bordaz
On 05/14/2014 12:32 PM, Petr Viktorin wrote: On 05/14/2014 12:27 PM, thierry bordaz wrote: On 05/14/2014 12:01 PM, Petr Viktorin wrote: On 05/14/2014 11:21 AM, thierry bordaz wrote: Hello, Quite beginner in freeipa land, I am trying to add options to 'user-add' sub-c

Re: [Freeipa-devel] Status/Question about User life cycle

2014-05-19 Thread thierry bordaz
rtin Kosek wrote: On 05/19/2014 08:24 AM, Martin Kosek wrote: On 05/16/2014 04:48 PM, thierry bordaz wrote: Hello Martin, I am getting familiar with the freeipa CLI code and started implementing '--to-stage' and '--from-stage'. This is really an impressive set of

Re: [Freeipa-devel] Status/Question about User life cycle

2014-05-19 Thread thierry bordaz
On 05/19/2014 04:22 PM, Jan Cholasta wrote: On 19.5.2014 16:03, thierry bordaz wrote: On 05/19/2014 03:54 PM, Jan Cholasta wrote: On 19.5.2014 15:19, Petr Viktorin wrote: Hello list, Here's a conversation that started internally. I'm making it public. On 05/19/2014 01:00 PM, Ma

Re: [Freeipa-devel] Status/Question about User life cycle

2014-05-19 Thread thierry bordaz
On 05/19/2014 04:44 PM, Jan Cholasta wrote: On 19.5.2014 16:34, thierry bordaz wrote: On 05/19/2014 04:22 PM, Jan Cholasta wrote: On 19.5.2014 16:03, thierry bordaz wrote: On 05/19/2014 03:54 PM, Jan Cholasta wrote: On 19.5.2014 15:19, Petr Viktorin wrote: Hello list, Here's a convers

Re: [Freeipa-devel] User life cycle: question regarding the design

2014-05-21 Thread thierry bordaz
On 05/20/2014 10:30 PM, Martin Kosek wrote: I am sharing the question below with the list as I think the information is useful and relevant for everyone interested in this feature. See answers in the text. On 05/20/2014 06:26 PM, thierry bordaz wrote: Hello Martin, Petr, I implemented

Re: [Freeipa-devel] User life cycle: question regarding the design

2014-05-22 Thread thierry bordaz
On 05/21/2014 09:06 PM, Martin Kosek wrote: On 05/21/2014 08:14 PM, Simo Sorce wrote: On Wed, 2014-05-21 at 16:01 +0200, thierry bordaz wrote: Hello, Thanks for all these detailed descriptions. Just to be sure to be on the same page, here is my understanding of the

[Freeipa-devel] User life cycle: plugins scope for staged users

2014-05-22 Thread thierry bordaz
Hello, In order to provision staged users (account inactivated) with their initial values: /usr/bin/ipa user-add tb20 --to-stage --first=tb20 --last=tb20 - Added user "tb20" - User login: tb20 First name: tb20

Re: [Freeipa-devel] Status/Question about User life cycle

2014-05-22 Thread thierry bordaz
On 05/22/2014 04:38 PM, Martin Kosek wrote: On 05/22/2014 10:47 AM, Petr Viktorin wrote: On 05/21/2014 10:00 PM, Dmitri Pal wrote: On 05/19/2014 10:45 AM, thierry bordaz wrote: On 05/19/2014 04:44 PM, Jan Cholasta wrote: On 19.5.2014 16:34, thierry bordaz wrote: On 05/19/2014 04:22 PM, Jan

Re: [Freeipa-devel] Status/Question about User life cycle

2014-05-23 Thread thierry bordaz
On 05/23/2014 08:29 AM, Martin Kosek wrote: On 05/22/2014 05:52 PM, thierry bordaz wrote: On 05/22/2014 04:38 PM, Martin Kosek wrote: On 05/22/2014 10:47 AM, Petr Viktorin wrote: On 05/21/2014 10:00 PM, Dmitri Pal wrote: On 05/19/2014 10:45 AM, thierry bordaz wrote: On 05/19/2014 04:44 PM

Re: [Freeipa-devel] Status/Question about User life cycle

2014-05-23 Thread thierry bordaz
On 05/22/2014 07:21 PM, Simo Sorce wrote: On Thu, 2014-05-22 at 17:52 +0200, thierry bordaz wrote: On 05/22/2014 04:38 PM, Martin Kosek wrote: On 05/22/2014 10:47 AM, Petr Viktorin wrote: On 05/21/2014 10:00 PM, Dmitri Pal wrote: On 05/19/2014 10:45 AM, thierry bordaz wrote: On 05/19/2014

Re: [Freeipa-devel] Status/Question about User life cycle

2014-05-23 Thread thierry bordaz
On 05/23/2014 10:04 AM, Martin Kosek wrote: On 05/23/2014 09:34 AM, thierry bordaz wrote: On 05/23/2014 08:29 AM, Martin Kosek wrote: On 05/22/2014 05:52 PM, thierry bordaz wrote: On 05/22/2014 04:38 PM, Martin Kosek wrote: On 05/22/2014 10:47 AM, Petr Viktorin wrote: On 05/21/2014 10:00 PM

Re: [Freeipa-devel] Status/Question about User life cycle

2014-05-23 Thread thierry bordaz
On 05/23/2014 10:55 AM, Martin Kosek wrote: On 05/23/2014 10:22 AM, thierry bordaz wrote: On 05/23/2014 10:04 AM, Martin Kosek wrote: On 05/23/2014 09:34 AM, thierry bordaz wrote: ... 3) inactivate the user (active to inactive) ipa user-inactivate# (after the command

Re: [Freeipa-devel] Status/Question about User life cycle

2014-05-23 Thread thierry bordaz
On 05/23/2014 05:03 PM, Simo Sorce wrote: On Fri, 2014-05-23 at 10:07 +0200, thierry bordaz wrote: On 05/22/2014 07:21 PM, Simo Sorce wrote: On Thu, 2014-05-22 at 17:52 +0200, thierry bordaz wrote: On 05/22/2014 04:38 PM, Martin Kosek wrote: On 05/22/2014 10:47 AM, Petr Viktorin wrote: On

Re: [Freeipa-devel] User life cycle: question regarding the design

2014-05-23 Thread thierry bordaz
, Martin Kosek wrote: On 05/21/2014 08:14 PM, Simo Sorce wrote: On Wed, 2014-05-21 at 16:01 +0200, thierry bordaz wrote: Hello, Thanks for all these detailed descriptions. Just to be sure to be on the same page, here is my understanding of the provisioning templates and

Re: [Freeipa-devel] User life cycle: question regarding the design

2014-05-26 Thread thierry bordaz
On 05/26/2014 07:49 AM, Martin Kosek wrote: On 05/23/2014 04:55 PM, Simo Sorce wrote: On Fri, 2014-05-23 at 10:13 -0400, Rob Crittenden wrote: This, I believe, has already been covered, but I'm concerned with the (over)use of active/inactive in this discussion. I think use of "inactive" and "a

Re: [Freeipa-devel] User life cycle: question regarding the design

2014-05-26 Thread thierry bordaz
On 05/26/2014 10:18 AM, Martin Kosek wrote: On 05/26/2014 09:33 AM, Jan Cholasta wrote: On 26.5.2014 07:49, Martin Kosek wrote: ... > 5) modifying > (in active) ipa user-mod tuser ... Ok. > (in stage)ipa user-mod tuser --staged ... Simo did not like this command, I would persona

[Freeipa-devel] Supported Staged entries

2014-05-27 Thread thierry bordaz
Hello, Me again !!! Thanks to all your inputs, the discussion about User_life_cycle clarified a lot workflow/command verbs. Now I have a doubt about what would be an entry in staging (objectclass/attribute). Also I wonder if ipa CLI (ipa user-add --stage), would be the only su

Re: [Freeipa-devel] Supported Staged entries

2014-05-27 Thread thierry bordaz
11:14, thierry bordaz wrote: Hello, Me again !!! Thanks to all your inputs, the discussion about User_life_cycle clarified a lot workflow/command verbs. Now I have a doubt about what would be an entry in staging (objectclass/attribute). Also I wonder if ipa CLI (ipa

Re: [Freeipa-devel] Supported Staged entries

2014-05-27 Thread thierry bordaz
On 05/27/2014 02:19 PM, Martin Kosek wrote: On 05/27/2014 02:16 PM, Simo Sorce wrote: On Tue, 2014-05-27 at 13:01 +0200, Martin Kosek wrote: On 05/27/2014 11:53 AM, Jan Cholasta wrote: On 27.5.2014 11:14, thierry bordaz wrote: Hello, Me again !!! Thanks to all your inputs, the

Re: [Freeipa-devel] Supported Staged entries

2014-05-27 Thread thierry bordaz
On 05/27/2014 03:10 PM, Simo Sorce wrote: On Tue, 2014-05-27 at 14:59 +0200, thierry bordaz wrote: Now if an entry was not created by FreeIPA CLI ('ipa user-add --stage') it could be impossible to update/unstage the entry with FreeIPA CLI . For example with those two entries.

Re: [Freeipa-devel] Supported Staged entries

2014-05-27 Thread thierry bordaz
On 05/27/2014 03:08 PM, Simo Sorce wrote: On Tue, 2014-05-27 at 14:40 +0200, thierry bordaz wrote: On 05/27/2014 02:32 PM, Jan Cholasta wrote: On 27.5.2014 14:22, Simo Sorce wrote: On Tue, 2014-05-27 at 14:19 +0200, Martin Kosek wrote: On 05/27/2014 02:16 PM, Simo Sorce wrote: On Tue, 2014

Re: [Freeipa-devel] Supported Staged entries

2014-05-27 Thread thierry bordaz
On 05/27/2014 04:35 PM, Martin Kosek wrote: On 05/27/2014 04:27 PM, Simo Sorce wrote: On Tue, 2014-05-27 at 15:21 +0200, Martin Kosek wrote: This topic was already discussed in the past, see following part of the design: http://www.freeipa.org/page/V4/User_Life-Cycle_Management#Renaming_vs._Mo

Re: [Freeipa-devel] Supported Staged entries

2014-05-27 Thread thierry bordaz
On 05/27/2014 06:06 PM, Simo Sorce wrote: On Tue, 2014-05-27 at 17:55 +0200, thierry bordaz wrote: On 05/27/2014 04:35 PM, Martin Kosek wrote: On 05/27/2014 04:27 PM, Simo Sorce wrote: On Tue, 2014-05-27 at 15:21 +0200, Martin Kosek wrote: This topic was already discussed in the past, see

Re: [Freeipa-devel] Supported Staged entries

2014-05-27 Thread thierry bordaz
On 05/27/2014 06:56 PM, Simo Sorce wrote: On Tue, 2014-05-27 at 18:39 +0200, thierry bordaz wrote: On 05/27/2014 06:06 PM, Simo Sorce wrote: We just need to care about the 'uid' attribute in the staged entry, and pick that to generate the RDN of the user in the active tree. If

Re: [Freeipa-devel] Supported Staged entries

2014-05-28 Thread thierry bordaz
On 05/28/2014 08:22 AM, Martin Kosek wrote: On 05/27/2014 08:18 PM, Simo Sorce wrote: On Tue, 2014-05-27 at 21:14 +0300, Alexander Bokovoy wrote: On Tue, 27 May 2014, Simo Sorce wrote: On Tue, 2014-05-27 at 19:59 +0200, thierry bordaz wrote: On 05/27/2014 06:56 PM, Simo Sorce wrote: On Tue

Re: [Freeipa-devel] Supported Staged entries

2014-05-28 Thread thierry bordaz
On 05/28/2014 02:55 PM, Rob Crittenden wrote: Simo Sorce wrote: On Wed, 2014-05-28 at 09:38 +0200, thierry bordaz wrote: On 05/28/2014 08:22 AM, Martin Kosek wrote: On 05/27/2014 08:18 PM, Simo Sorce wrote: On Tue, 2014-05-27 at 21:14 +0300, Alexander Bokovoy wrote: On Tue, 27 May 2014

Re: [Freeipa-devel] User life cycle: plugins scope for staged users

2014-06-02 Thread thierry bordaz
On 05/29/2014 08:17 AM, Martin Kosek wrote: On 05/29/2014 04:09 AM, Dmitri Pal wrote: On 05/22/2014 10:33 AM, thierry bordaz wrote: Hello, In order to provision staged users (account inactivated) with their initial values: /usr/bin/ipa user-add tb20 --to-stage --first=tb20

Re: [Freeipa-devel] User life cycle: question regarding the design

2014-06-02 Thread thierry bordaz
On 05/30/2014 03:32 PM, Jan Cholasta wrote: On 30.5.2014 15:24, Petr Viktorin wrote: On 05/30/2014 08:37 AM, Martin Kosek wrote: On 05/29/2014 08:14 PM, Dmitri Pal wrote: On 05/29/2014 08:39 AM, Simo Sorce wrote: On Thu, 2014-05-29 at 09:43 +0200, Martin Kosek wrote: On 05/29/2014 05:31 AM,

Re: [Freeipa-devel] Move replication topology to the shared tree

2014-06-02 Thread thierry bordaz
On 06/02/2014 10:46 AM, Ludwig Krispenz wrote: Ticket 4302 is a request for an enhancement: Move replication topology to the shared tree There has been some discussion in comments in the ticket, but I'd like to open the discussion to a wider audience to get an agreement on what should be imp

Re: [Freeipa-devel] Move replication topology to the shared tree

2014-06-04 Thread thierry bordaz
On 06/02/2014 10:46 AM, Ludwig Krispenz wrote: Ticket 4302 is a request for an enhancement: Move replication topology to the shared tree There has been some discussion in comments in the ticket, but I'd like to open the discussion to a wider audience to get an agreement on what should be imp

[Freeipa-devel] User life Cycle: referential integrity

2014-06-04 Thread thierry bordaz
Hello, I am looking at the appropriate way to configure DS referential integrity and I am hitting some issues about its scoping and which attributes need to be preserved. User A and B are both Active. User A refers user B for example 'owner: '. If entry A is deleted (user-de

Re: [Freeipa-devel] Move replication topology to the shared tree

2014-06-04 Thread thierry bordaz
On 06/04/2014 05:41 PM, Simo Sorce wrote: On Wed, 2014-06-04 at 13:46 +0200, Ludwig Krispenz wrote: On 06/04/2014 10:43 AM, thierry bordaz wrote: So my proposal would contain the following components 1] Store replication configuration in the shared tree in a combination of server and

Re: [Freeipa-devel] User life Cycle: referential integrity

2014-06-04 Thread thierry bordaz
On 06/04/2014 06:02 PM, Simo Sorce wrote: On Wed, 2014-06-04 at 17:46 +0200, thierry bordaz wrote: Hello, I am looking at the appropriate way to configure DS referential integrity and I am hitting some issues about its scoping and which attributes need to be

Re: [Freeipa-devel] User life Cycle: referential integrity

2014-06-05 Thread thierry bordaz
On 06/04/2014 07:04 PM, Simo Sorce wrote: On Wed, 2014-06-04 at 18:46 +0200, thierry bordaz wrote: On 06/04/2014 06:02 PM, Simo Sorce wrote: On Wed, 2014-06-04 at 17:46 +0200, thierry bordaz wrote: Hello, I am looking at the appropriate way to configure DS referential

[Freeipa-devel] [PATCH] 0001 - User Life Cycle (stageuser workflow)

2014-06-11 Thread thierry bordaz
001 From: "Thierry bordaz (tbordaz)" Date: Wed, 11 Jun 2014 17:19:18 +0200 Subject: [PATCH] Ticket 3813 - User Life Cycle: introduction of stageuser plugin Bug Description: User Life Cycle is designed http://www.freeipa.org/page/V4/User_Life-Cycle_Management It manages 3 containers (St

[Freeipa-devel] User Life Cycle: enforce ipaUniqueID generation by the server

2014-06-16 Thread thierry bordaz
Hello, When a stage user is activated (ipa stageuse-activate), UUID plugin (DS) checks that the ipaUniqueID value of the new active user is 'autogenerate'. This is useful to prevent a provisioning systems to create Active user with invalid ipaUniqueID. Now one of the workflow st

Re: [Freeipa-devel] User Life Cycle: enforce ipaUniqueID generation by the server

2014-06-17 Thread thierry bordaz
On 06/16/2014 03:04 PM, Rob Crittenden wrote: thierry bordaz wrote: Hello, When a stage user is activated (ipa stageuse-activate), UUID plugin (DS) checks that the ipaUniqueID value of the new active user is 'autogenerate'. This is useful to prevent a provisioni

Re: [Freeipa-devel] User Life Cycle: enforce ipaUniqueID generation by the server

2014-06-17 Thread thierry bordaz
On 06/17/2014 07:35 PM, Rob Crittenden wrote: thierry bordaz wrote: On 06/16/2014 03:04 PM, Rob Crittenden wrote: thierry bordaz wrote: Hello, When a stage user is activated (ipa stageuse-activate), UUID plugin (DS) checks that the ipaUniqueID value of the new active user is

Re: [Freeipa-devel] User Life Cycle: enforce ipaUniqueID generation by the server

2014-06-17 Thread thierry bordaz
On 06/17/2014 08:39 PM, Simo Sorce wrote: On Tue, 2014-06-17 at 17:59 +0200, thierry bordaz wrote: * ipa stageuser-add --from-delete It moves a deleted entry to staging container where uidNumber: gidNumber

Re: [Freeipa-devel] User Life Cycle: enforce ipaUniqueID generation by the server

2014-06-17 Thread thierry bordaz
On 06/17/2014 09:29 PM, Simo Sorce wrote: On Tue, 2014-06-17 at 15:23 -0400, Rob Crittenden wrote: Simo Sorce wrote: On Tue, 2014-06-17 at 17:59 +0200, thierry bordaz wrote: * ipa stageuser-add --from-delete It moves a deleted entry to staging container where

Re: [Freeipa-devel] User Life Cycle: enforce ipaUniqueID generation by the server

2014-06-18 Thread thierry bordaz
On 06/17/2014 09:42 PM, Simo Sorce wrote: On Tue, 2014-06-17 at 21:36 +0200, thierry bordaz wrote: On 06/17/2014 09:29 PM, Simo Sorce wrote: On Tue, 2014-06-17 at 15:23 -0400, Rob Crittenden wrote: Simo Sorce wrote: On Tue, 2014-06-17 at 17:59 +0200, thierry bordaz wrote: * ipa

Re: [Freeipa-devel] User life-cycle: nsAccountLock

2014-06-18 Thread thierry bordaz
On 06/18/2014 12:47 PM, Martin Kosek wrote: On 06/17/2014 05:59 PM, thierry bordaz wrote: On 06/16/2014 03:04 PM, Rob Crittenden wrote: ... Thanks for your precise feedback and sorry for my late answer. So if I try to consolidate my understandings, the workflow would be: 1

Re: [Freeipa-devel] User life-cycle: nsAccountLock

2014-06-18 Thread thierry bordaz
On 06/18/2014 03:40 PM, Simo Sorce wrote: On Wed, 2014-06-18 at 15:22 +0200, thierry bordaz wrote: On 06/18/2014 12:47 PM, Martin Kosek wrote: On 06/17/2014 05:59 PM, thierry bordaz wrote: On 06/16/2014 03:04 PM, Rob Crittenden wrote: ... Thanks for your precise feedback and sorry for

Re: [Freeipa-devel] User life-cycle: nsAccountLock

2014-06-18 Thread thierry bordaz
On 06/18/2014 03:31 PM, Simo Sorce wrote: On Wed, 2014-06-18 at 12:47 +0200, Martin Kosek wrote: On 06/17/2014 05:59 PM, thierry bordaz wrote: On 06/16/2014 03:04 PM, Rob Crittenden wrote: ... Thanks for your precise feedback and sorry for my late answer. So if I try to consolidate

Re: [Freeipa-devel] User life-cycle: nsAccountLock

2014-06-18 Thread thierry bordaz
On 06/18/2014 04:45 PM, Simo Sorce wrote: On Wed, 2014-06-18 at 16:20 +0200, thierry bordaz wrote: On 06/18/2014 03:31 PM, Simo Sorce wrote: On Wed, 2014-06-18 at 12:47 +0200, Martin Kosek wrote: On 06/17/2014 05:59 PM, thierry bordaz wrote: On 06/16/2014 03:04 PM, Rob Crittenden wrote

Re: [Freeipa-devel] User life-cycle: nsAccountLock

2014-06-19 Thread thierry bordaz
On 06/19/2014 09:06 AM, Martin Kosek wrote: On 06/18/2014 06:09 PM, Simo Sorce wrote: On Wed, 2014-06-18 at 17:49 +0200, thierry bordaz wrote: On 06/18/2014 04:45 PM, Simo Sorce wrote: On Wed, 2014-06-18 at 16:20 +0200, thierry bordaz wrote: On 06/18/2014 03:31 PM, Simo Sorce wrote: On Wed

Re: [Freeipa-devel] User life-cycle: nsAccountLock

2014-06-19 Thread thierry bordaz
On 06/19/2014 02:33 PM, Simo Sorce wrote: On Thu, 2014-06-19 at 09:06 +0200, Martin Kosek wrote: On 06/18/2014 06:09 PM, Simo Sorce wrote: On Wed, 2014-06-18 at 17:49 +0200, thierry bordaz wrote: On 06/18/2014 04:45 PM, Simo Sorce wrote: On Wed, 2014-06-18 at 16:20 +0200, thierry bordaz

[Freeipa-devel] User life cycle: authentication and preserved attributes

2014-06-19 Thread thierry bordaz
Hello, Thanks for all your feedback and help about which attributes to preserve and how to limit authentication (simple and krb) to Active accounts, here are my understandings: 1. Staging (container: cn=staged users,cn=accounts,cn=provisioning,SUFFIX) plugins scoping

Re: [Freeipa-devel] User life cycle: authentication and preserved attributes

2014-06-19 Thread thierry bordaz
On 06/19/2014 03:41 PM, Simo Sorce wrote: On Thu, 2014-06-19 at 15:32 +0200, thierry bordaz wrote: (those values must be active DN entries) userPassword/krb keys: copied from source entry if they exists Uhmm this may actually fail, as we

Re: [Freeipa-devel] [PATCH 0019] Clarify LDAPClient docstrings about get_entry, get_entries and find_entrie

2014-06-20 Thread thierry bordaz
On 06/20/2014 11:06 AM, Martin Basti wrote: On Wed, 2014-06-18 at 17:36 +0200, Petr Spacek wrote: Hello, Clarify LDAPClient docstrings about get_entry, get_entries and find_entries. BTW what is the purpose of size_limit in LDAPClient.get_entry()? def get_entry(self, dn, attrs_list=None, time

[Freeipa-devel] User Life Cycle: scoping of referential integrity, memberof, IPA UUID plugins

2014-06-24 Thread thierry bordaz
Hello, User life cycle "assigns" a status to user entries depending where they are in the DIT. 'Active' user will be under 'cn=accounts,SUFFIX' while 'Stage' and 'Delete' users are somewhere under 'cn=provisioning,SUFFIX'. Only 'Active' users have valid membership attributes: A St

Re: [Freeipa-devel] User Life Cycle: scoping of referential integrity, memberof, IPA UUID plugins

2014-06-25 Thread thierry bordaz
On 06/25/2014 10:52 AM, Martin Kosek wrote: On 06/24/2014 06:31 PM, thierry bordaz wrote: Hello, User life cycle "assigns" a status to user entries depending where they are in the DIT. 'Active' user will be under 'cn=accounts,SUFFIX' while 

[Freeipa-devel] [PATCH] 0002 - User Life Cycle (create containers and scoping DS plugins)

2014-06-29 Thread thierry bordaz
all backends with https://fedorahosted.org/389/ticket/47823 * ipa UUID will exclude Stage/Delete container with a change in ipa-uuid (patch 0003) Thanks thierry From 63241abc1dbb291745ad18c73ae5da415661d022 Mon Sep 17 00:00:00 2001 From: "Thierry bordaz (tbordaz)"

[Freeipa-devel] [PATCH] 0003 - User Life Cycle (prevent ipaUniqueID generation in provisioning)

2014-06-30 Thread thierry bordaz
This fix is to prevent IPA UUID DS plugin to generate a ipaUniqueID for users in provisioning container (Stage/Delete). thanks thierry From c06af590b11a3692dcd1afc4a52e724aab59173d Mon Sep 17 00:00:00 2001 From: "Thierry bordaz (tbordaz)" Date: Wed, 25 Jun 2014 12:49:45 +0200 Su

[Freeipa-devel] [PATCH] 0001 User Life Cycle: create containers and scoping DS plugins

2014-08-08 Thread thierry bordaz
e 'Stage'/'Delete' Thanks thierry From 61673280bcd96be638e1ceb86aa93d1b568bea02 Mon Sep 17 00:00:00 2001 From: "Thierry bordaz (tbordaz)" Date: Thu, 7 Aug 2014 16:29:02 +0200 Subject: [PATCH] User Life Cycle: create containers and scoping DS plugins Bug Description: User Life Cycle is

[Freeipa-devel] [PATCH] 0002 User Life Cycle: Exclude subtree for ipaUniqueID generation

2014-08-08 Thread thierry bordaz
UID_plugin) Thanks thierry From 1a93acc98fdd584514d65751a7058b6395d58494 Mon Sep 17 00:00:00 2001 From: "Thierry bordaz (tbordaz)" Date: Fri, 8 Aug 2014 09:37:23 +0200 Subject: [PATCH] User Life Cycle: Exclude subtree for ipaUniqueID generation Bug Description: IPA UUID should not generate

[Freeipa-devel] [PATCH] 0003 User life cycle: new stageuser plugin with add verb

2014-08-08 Thread thierry bordaz
e, cli_name='command', multivalue=False, primary_key=True, required=True) diff --git a/ipalib/constants.py b/ipalib/constants.py index 8ae545526f3533253791ae629db469a002ea9ef0..52bb543063b8d65f3b30e340fa80d5c3cb246ee7 100644 --- a/ipalib/constants.py +++ b/ipalib/constants.py @@ -78,6 +78,

Re: [Freeipa-devel] [PATCH] 0001 User Life Cycle: create containers and scoping DS plugins

2014-08-13 Thread thierry bordaz
On 08/13/2014 04:48 PM, Petr Viktorin wrote: On 08/08/2014 09:24 AM, thierry bordaz wrote: Hi, The attached patch is a first patch related to 'User Life Cycle' (https://fedorahosted.org/freeipa/ticket/3813) It creates 'Stage' and 'Delete' containers and con

[Freeipa-devel] [Patch] 0001-2 User Life Cycle: create containers and scoping DS plugins

2014-08-14 Thread thierry bordaz
Hello, Following Petr's remarks from the previous review, I modified the original fix to move it only in '.update' files. Thanks thierry From d45e78dfeb7761348c464b3bb3956656bb115ce0 Mon Sep 17 00:00:00 2001 From: "Thierry bordaz (tbordaz)" Date: Thu, 7 Aug

Re: [Freeipa-devel] [Patch] 0001-2 User Life Cycle: create containers and scoping DS plugins

2014-08-18 Thread thierry bordaz
On 08/18/2014 04:06 PM, Petr Viktorin wrote: On 08/14/2014 07:18 PM, thierry bordaz wrote: Hello, Following Petr's remarks from the previous review, I modified the original fix to move it only in '.update' files. Thanks thierry Looks better, thanks! I've tes

Re: [Freeipa-devel] [Patch] 0001-2 User Life Cycle: create containers and scoping DS plugins

2014-08-18 Thread thierry bordaz
On 08/18/2014 05:10 PM, Petr Viktorin wrote: On 08/18/2014 05:03 PM, thierry bordaz wrote: On 08/18/2014 04:06 PM, Petr Viktorin wrote: On 08/14/2014 07:18 PM, thierry bordaz wrote: Hello, Following Petr's remarks from the previous review, I modified the original fix to move it only in

Re: [Freeipa-devel] [Patch] 0001-2 User Life Cycle: create containers and scoping DS plugins

2014-08-19 Thread thierry bordaz
On 08/19/2014 09:38 AM, Martin Kosek wrote: On 08/18/2014 05:17 PM, thierry bordaz wrote: On 08/18/2014 05:10 PM, Petr Viktorin wrote: On 08/18/2014 05:03 PM, thierry bordaz wrote: ... Simply reply to this mail with the revised patch attached. As for attaching patches to the tickets, I

Re: [Freeipa-devel] [PATCH 0061] Ensure ipaUserAuthTypeClass when needed on user creation

2014-08-20 Thread thierry bordaz
On 08/19/2014 10:46 PM, Nathaniel McCallum wrote: Also, remove the attempt to load the objectClasses when absent. This never makes sense during an add operation. https://fedorahosted.org/freeipa/ticket/4455 ___ Freeipa-devel mailing list Freeipa-deve

Re: [Freeipa-devel] [PATCH 0061] Ensure ipaUserAuthTypeClass when needed on user creation

2014-08-20 Thread thierry bordaz
On 08/20/2014 03:48 PM, Nathaniel McCallum wrote: On Wed, 2014-08-20 at 14:35 +0200, thierry bordaz wrote: On 08/19/2014 10:46 PM, Nathaniel McCallum wrote: Also, remove the attempt to load the objectClasses when absent. This never makes sense during an add operation. https

Re: [Freeipa-devel] [Patch] 0001-2 User Life Cycle: create containers and scoping DS plugins

2014-08-28 Thread thierry bordaz
On 08/28/2014 06:51 PM, Sumit Bose wrote: On Thu, Aug 14, 2014 at 07:18:40PM +0200, thierry bordaz wrote: Hello, Following Petr's remarks from the previous review, I modified the original fix to move it only in '.update' files. Thanks thie

Re: [Freeipa-devel] [Patch] 0001-2 User Life Cycle: create containers and scoping DS plugins

2014-08-28 Thread thierry bordaz
On 08/28/2014 08:30 PM, Sumit Bose wrote: On Thu, Aug 28, 2014 at 07:26:51PM +0200, thierry bordaz wrote: On 08/28/2014 06:51 PM, Sumit Bose wrote: On Thu, Aug 14, 2014 at 07:18:40PM +0200, thierry bordaz wrote: Hello, Following Petr's remarks from the previous review, I modified the

Re: [Freeipa-devel] [Patch] 0001-2 User Life Cycle: create containers and scoping DS plugins

2014-08-29 Thread thierry bordaz
On 08/28/2014 08:58 PM, Sumit Bose wrote: On Thu, Aug 28, 2014 at 08:41:57PM +0200, thierry bordaz wrote: On 08/28/2014 08:30 PM, Sumit Bose wrote: On Thu, Aug 28, 2014 at 07:26:51PM +0200, thierry bordaz wrote: On 08/28/2014 06:51 PM, Sumit Bose wrote: On Thu, Aug 14, 2014 at 07:18:40PM

Re: [Freeipa-devel] [Patch] 0001-2 User Life Cycle: create containers and scoping DS plugins

2014-08-29 Thread thierry bordaz
hanks Sumit for this catch. The new patch reverts the change in dna update. thierry On 08/28/2014 08:58 PM, Sumit Bose wrote: On Thu, Aug 28, 2014 at 08:41:57PM +0200, thierry bordaz wrote: On 08/28/2014 08:30 PM, Sumit Bose wrote: On Thu, Aug 28, 2014 at 07:26:51PM +0200, thierry bordaz wrot

Re: [Freeipa-devel] [PATCH] 0003 User life cycle: new stageuser plugin with add verb

2014-09-02 Thread thierry bordaz
On 09/01/2014 01:08 PM, Petr Viktorin wrote: On 08/08/2014 03:54 PM, thierry bordaz wrote: Hi, The attached patch is related to 'User Life Cycle' (https://fedorahosted.org/freeipa/ticket/3813) It creates a stageuser plugin with a first function stageuser-add. Stage user e

Re: [Freeipa-devel] FreeIPA 4.0.3?

2014-09-11 Thread thierry bordaz
On 09/11/2014 04:46 PM, Martin Kosek wrote: On 09/11/2014 04:43 PM, Nathaniel McCallum wrote: On Thu, 2014-09-11 at 16:39 +0200, Petr Viktorin wrote: On 09/11/2014 04:38 PM, Ludwig Krispenz wrote: On 09/11/2014 04:31 PM, Petr Viktorin wrote: On 09/11/2014 04:26 PM, Martin Kosek wrote: ... A

Re: [Freeipa-devel] #4534: SSSD deref processing fail when entryusn can be read and objectclass doesn't

2014-09-12 Thread thierry bordaz
On 09/11/2014 10:24 PM, Martin Kosek wrote: On 09/11/2014 08:49 PM, Simo Sorce wrote: On Thu, 2014-09-11 at 20:28 +0200, Martin Kosek wrote: On 09/11/2014 05:37 PM, Simo Sorce wrote: On Thu, 2014-09-11 at 17:03 +0200, Martin Kosek wrote: Hello, We have another important issue to resolve. Cur

Re: [Freeipa-devel] [PATCH 0064] Create ipa-otp-decrement 389DS plugin

2014-09-16 Thread thierry bordaz
On 09/15/2014 09:05 PM, Nathaniel McCallum wrote: This plugin ensures that all counter/watermark operations are atomic and never decrement. Also, deletion is not permitted. https://fedorahosted.org/freeipa/ticket/4494 ___ Freeipa-devel mailing list F

Re: [Freeipa-devel] [PATCH 0064] Create ipa-otp-decrement 389DS plugin

2014-09-16 Thread thierry bordaz
On 09/16/2014 07:25 PM, Nathaniel McCallum wrote: On Tue, 2014-09-16 at 19:24 +0200, thierry bordaz wrote: On 09/15/2014 09:05 PM, Nathaniel McCallum wrote: This plugin ensures that all counter/watermark operations are atomic and never decrement. Also, deletion is not permitted. https

Re: [Freeipa-devel] [PATCH] 0003-2 User life cycle: new stageuser plugin with add verb

2014-09-17 Thread thierry bordaz
On 09/01/2014 01:08 PM, Petr Viktorin wrote: On 08/08/2014 03:54 PM, thierry bordaz wrote: Hi, The attached patch is related to 'User Life Cycle' (https://fedorahosted.org/freeipa/ticket/3813) It creates a stageuser plugin with a first function stageuser-add. Stage user e

Re: [Freeipa-devel] [PATCH 0064] Create ipa-otp-decrement 389DS plugin

2014-09-17 Thread thierry bordaz
On 09/15/2014 09:05 PM, Nathaniel McCallum wrote: This plugin ensures that all counter/watermark operations are atomic and never decrement. Also, deletion is not permitted. https://fedorahosted.org/freeipa/ticket/4494 ___ Freeipa-devel mailing list F

Re: [Freeipa-devel] [PATCH 0064] Create ipa-otp-decrement 389DS plugin

2014-09-19 Thread thierry bordaz
all of these issues. It should also be more performant and use less memory. Nathaniel On Wed, 2014-09-17 at 15:33 +0200, thierry bordaz wrote: On 09/15/2014 09:05 PM, Nathaniel McCallum wrote: This plugin ensures that all counter/watermark operations are atomic and never decrement. Also

Re: [Freeipa-devel] [PATCH 0069] Adds 389DS plugin to enforce UUID token IDs

2014-09-22 Thread thierry bordaz
Hello Nathaniel, Just a remark, in is_token if the entry is objectclass=ipaToken it returns without freeing the 'objectclass' char array. thanks thierry On 09/21/2014 09:07 PM, Nathaniel McCallum wrote: Users that can rename the token (such as admins) can also create non-UUID token

Re: [Freeipa-devel] [PATCH 0064] Create ipa-otp-decrement 389DS plugin

2014-09-22 Thread thierry bordaz
On 09/20/2014 09:39 PM, Nathaniel McCallum wrote: On Sat, 2014-09-20 at 00:25 +0200, thierry bordaz wrote: Hello Nathaniel, sanitize_input translates MOD/REPLACE into MOD/DEL+MOD/ADD. It looks good but difficult to think to all possible cases. I think to the

Re: [Freeipa-devel] [PATCH 0064] Create ipa-otp-decrement 389DS plugin

2014-09-22 Thread thierry bordaz
these issues. It should also be more performant and use less memory. Nathaniel On Wed, 2014-09-17 at 15:33 +0200, thierry bordaz wrote: On 09/15/2014 09:05 PM, Nathaniel McCallum wrote: This plugin ensures that all counter/watermark operations are atomic and never decrement. Also, deletion

Re: [Freeipa-devel] [PATCH 0065] Don't allow users to create tokens with a specified ID

2014-09-22 Thread thierry bordaz
On 09/22/2014 05:37 PM, Martin Kosek wrote: On 09/20/2014 10:22 PM, Nathaniel McCallum wrote: On Wed, 2014-09-17 at 12:31 +0200, Martin Kosek wrote: On 09/17/2014 08:51 AM, Jan Cholasta wrote: Hi, On 16.9.2014 at 19:32, Nathaniel McCallum wrote: We perform this enforcement at the API leve

Re: [Freeipa-devel] [PATCH 0069] Adds 389DS plugin to enforce UUID token IDs

2014-09-23 Thread thierry bordaz
Martin Kosek wrote: On 09/22/2014 09:33 AM, thierry bordaz wrote: Hello Nathaniel, Just a remark, in is_token if the entry is objectclass=ipaToken it returns without freeing the 'objectclass' char array. thanks thierry On 09/21/2014 09:07 PM, Nathaniel McCallum wro

Re: [Freeipa-devel] [PATCHES] 0633-0634 Move setting SELinux booleans to platform code; Set SELinux booleans when restoring

2014-09-24 Thread thierry bordaz
On 08/15/2014 10:40 PM, Petr Viktorin wrote: A fix for https://fedorahosted.org/freeipa/ticket/4157 This depends on my patches 0631-0632 (for backup/restore integration tests). Our setsebool code was repeated a few times. Instead of adding another copy, I refactored what we have into a plat

Re: [Freeipa-devel] [PATCHES] 0633-0634 Move setting SELinux booleans to platform code; Set SELinux booleans when restoring

2014-09-25 Thread thierry bordaz
On 09/25/2014 10:58 AM, Petr Viktorin wrote: On 09/24/2014 06:02 PM, thierry bordaz wrote: On 08/15/2014 10:40 PM, Petr Viktorin wrote: A fix for https://fedorahosted.org/freeipa/ticket/4157 This depends on my patches 0631-0632 (for backup/restore integration tests). Our setsebool code was

Re: [Freeipa-devel] [PATCH 0067] Use stack allocation when writing values during otp auth

2014-09-25 Thread thierry bordaz
On 09/19/2014 07:49 PM, Nathaniel McCallum wrote: This is an optimization from patch 0062 (rescinded) which I think is worth keeping. There is no ticket for this.

Re: [Freeipa-devel] [PATCH 0068] Move OTP synchronization step to after counter writeback

2014-09-25 Thread thierry bordaz
On 09/19/2014 07:53 PM, Nathaniel McCallum wrote: This prevents synchronization when an authentication collision occurs. https://fedorahosted.org/freeipa/ticket/4493 NOTE: this patch is related to the above ticket, but does not solve it. For the solution, please see patch 0064. This behavior fi

Re: [Freeipa-devel] [PATCHES] 0633-0634 Move setting SELinux booleans to platform code; Set SELinux booleans when restoring

2014-09-26 Thread thierry bordaz
On 09/26/2014 11:23 AM, Martin Kosek wrote: On 09/25/2014 11:34 AM, thierry bordaz wrote: On 09/25/2014 10:58 AM, Petr Viktorin wrote: On 09/24/2014 06:02 PM, thierry bordaz wrote: On 08/15/2014 10:40 PM, Petr Viktorin wrote: A fix for https://fedorahosted.org/freeipa/ticket/4157 This

Re: [Freeipa-devel] [PATCH] 0001 Refactor selinuxenabled check

2014-09-26 Thread thierry bordaz
On 09/26/2014 03:35 PM, Francesco Marella wrote: ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel Hello, I think that if we want to keep the same previous behaviour, then if 'self.c

Re: [Freeipa-devel] [PATCH] 0001 Refactor selinuxenabled check

2014-09-26 Thread thierry bordaz
Hello, When called from set_selinux_booleans, if not selinux_enabled, you may want to 'return False' rather than 'return'. Now it looks like callers of set_selinux_booleans do not check the returned value :-) thanks thierry On 09/26/2014 05:26 PM, Francesco Marella wrote: Thi

Re: [Freeipa-devel] [PATCH] 0001 Refactor selinuxenabled check

2014-09-26 Thread thierry bordaz
On 09/26/2014 05:53 PM, Francesco Marella wrote: On 26/09/2014 17:43, thierry bordaz wrote: Hello, When called from set_selinux_booleans, if not selinux_enabled, you may want to 'return False' rather than 'return'. Now it looks like callers of set_selinux_b

Re: [Freeipa-devel] [PATCH 0067] Use stack allocation when writing values during otp auth

2014-09-29 Thread thierry bordaz
On 09/29/2014 05:45 PM, Nathaniel McCallum wrote: On Thu, 2014-09-25 at 13:45 +0200, thierry bordaz wrote: On 09/19/2014 07:49 PM, Nathaniel McCallum wrote: This is an optimization from patch 0062 (rescinded) which I think is worth keeping. There is no ticket for this

Re: [Freeipa-devel] [PATCH 0068] Move OTP synchronization step to after counter writeback

2014-09-30 Thread thierry bordaz
On 09/29/2014 08:38 PM, Nathaniel McCallum wrote: On Thu, 2014-09-25 at 15:15 +0200, thierry bordaz wrote: On 09/19/2014 07:53 PM, Nathaniel McCallum wrote: This prevents synchronization when an authentication collision occurs. https://fedorahosted.org/freeipa/ticket/4493 NOTE: this patch

Re: [Freeipa-devel] [PATCH 0068] Move OTP synchronization step to after counter writeback

2014-09-30 Thread thierry bordaz
On 09/30/2014 02:41 PM, Nathaniel McCallum wrote: On Tue, 2014-09-30 at 13:42 +0200, thierry bordaz wrote: On 09/29/2014 08:38 PM, Nathaniel McCallum wrote: On Thu, 2014-09-25 at 15:15 +0200, thierry bordaz wrote: On 09/19/2014 07:53 PM, Nathaniel McCallum wrote: This prevents

Re: [Freeipa-devel] [PATCH 0064] Create ipa-otp-decrement 389DS plugin

2014-09-30 Thread thierry bordaz
On 09/29/2014 08:30 PM, Nathaniel McCallum wrote: On Mon, 2014-09-22 at 09:32 -0400, Simo Sorce wrote: On Sun, 21 Sep 2014 22:33:47 -0400 Nathaniel McCallum wrote: Comments inline. + +#define ch_malloc(type) \ +(type*) slapi_ch_malloc(sizeof(type)) +#define ch_calloc(count, type) \ +

Re: [Freeipa-devel] [PATCH 0064] Create ipa-otp-decrement 389DS plugin

2014-10-01 Thread thierry bordaz
On 09/30/2014 10:49 PM, Nathaniel McCallum wrote: On Tue, 2014-09-30 at 18:30 +0200, thierry bordaz wrote: On 09/29/2014 08:30 PM, Nathaniel McCallum wrote: On Mon, 2014-09-22 at 09:32 -0400, Simo Sorce wrote: On Sun, 21 Sep 2014 22:33:47 -0400 Nathaniel McCallum wrote: Comments inline

Re: [Freeipa-devel] [PATCH 0064] Create ipa-otp-decrement 389DS plugin

2014-10-03 Thread thierry bordaz
Hello Nathaniel, An additional comment about the patch. When the new value is detected to be invalid, it is fixed by a repair operation (trigger_replication). I did test it and it is fine to update, with an internal operation, the same entry that is currently updated. Now if y
