[Freeipa-devel] [PATCH] Minor fix in ipa-adtrust-install
If not set, it causes the script to fail with traceback on some machines (for example when resolve_host() couple lines below threw an exception). Jan From b312e4210866a11266d12b56e2be4ca08dc94379 Mon Sep 17 00:00:00 2001 From: Jan Zeleny jzel...@redhat.com Date: Wed, 22 Feb 2012 16:01:37 +0100 Subject: [PATCH] Initialize IP when installing AD trust in case some error occurs --- install/tools/ipa-adtrust-install |1 + 1 files changed, 1 insertions(+), 0 deletions(-) diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install index 248ea35eaa86dd59ebbc871b86df780cfd71ccf6..0f3e473f839a0e8e0b387108fc4a6b87b36ba2c1 100755 --- a/install/tools/ipa-adtrust-install +++ b/install/tools/ipa-adtrust-install @@ -131,6 +131,7 @@ def main(): break # Check we have a public IP that is associated with the hostname +ip = None try: if options.ip_address: ip = ipautil.CheckedIPAddress(options.ip_address, match_local=True) -- 1.7.6.5 signature.asc Description: This is a digitally signed message part. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
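Review bot: `ip = None` before the `try` removes the NameError on the failure path, but it only moves the problem to whatever reads `ip` after the block, and that code is not in the hunk. Confirm that the code following the `try` handles `ip is None` explicitly and exits with a clear message (the cover note says resolve_host() raising is what leaves it unset) rather than handing None on to the rest of the trust setup; a one-line comment above `ip = None` saying why it is there would also spare the next reader a trip through the list archive.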
[Freeipa-devel] OpenSSH integration - known_hosts
Hello everyone,

there is a new effort in the IPA and SSSD teams and that is SSH key integration in both parts of the SSSD-IPA infrastructure. We've put together some basic plans and now we would like to know your opinion. Note that this is just a shortened version to make it easier to read. It doesn't contain every bit of information about the design. For the full version see https://fedorahosted.org/freeipa/wiki/SSH-FreeIPA-Integration

Problems:
=========
* the known_hosts file becomes outdated as machines get new host keys (e.g. re-installed systems in a virtualized environment)
* the user accepts any host key of the remote host without validating its authenticity

Solution:
=========
Instead of checking a stale known_hosts file, provide a dynamic mechanism to look up and deliver the public ssh key of the remote host to the client and use it for validation of the remote host identity. The dynamic mechanism would imply that no action is needed from the user because the source of the retrieved key is trusted.

Limitations:
============
It is out of scope of this work to solve the problem in general. We propose a solution for the following use case:

The client host is a managed host, meaning that it has SSSD installed and it has joined an IPA domain. It also has OpenSSH patched to interact with SSSD to get the information about the remote host. Other UNIX machines or Windows machines as SSH clients are out of the scope of the current project. For the client hosts that can not be managed but can access IPA via the standard LDAP tools we will provide documentation on how to construct the content of the known_hosts file by querying the LDAP server and saving the results.

The remote host can be a managed (joined the IPA domain via SSSD) or an unmanaged host. The IPA server needs to provide a way to create entries for any managed and unmanaged hosts and store public keys for those hosts in those entries.

What would change in IPA:
=========================
* external hosts would have entries with the possibility of storing their public keys
* new mechanism to work with keys through UI and CLI
* host key fingerprints would be stored in SSHFP DNS records for each host joined in the IPA domain

What would change on the client:
================================
* SSSD would fetch and cache host public keys from IPA
* joining the IPA domain would upload the host public key
* the ssh client would communicate with SSSD, probably through ssh-agent, to check if the remote host is known

It is still a question whether the solution is sufficient to address the needs and pains of real deployments or whether other technologies outside the proposed ones should be used later (or instead).

-- 
Thank you

Jan Zeleny
Red Hat Software Engineer
Brno, Czech Republic
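The host-key side of this proposal in working code, as an added example that is not part of the proposal, FreeIPA or SSSD: parse an OpenSSH public key line as it would be stored in a host entry, derive the SSHFP rdata the design wants published in DNS, write the known_hosts line an unmanaged client would construct from an LDAP lookup, and check a key offered by a remote host against the SSHFP set. The host name and the ed25519 key bytes are constructed, and the DNSSEC flag is an explicit input because an SSHFP answer that was not validated cannot stand in for the user's manual check.

```python
import base64
import hashlib
import hmac
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479) keyed by OpenSSH key type.
SSHFP_ALGORITHM = {
    "ssh-rsa": 1, "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3, "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# SSHFP fingerprint types: 1 = SHA-1, 2 = SHA-256, taken over the RFC 4253 key blob.
SSHFP_FPTYPE = {1: hashlib.sha1, 2: hashlib.sha256}


def _ssh_string(data):
    """Encode bytes as an SSH wire string: big-endian uint32 length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def _read_ssh_string(blob, offset=0):
    """Decode one SSH wire string at offset; a truncated blob is rejected, not padded."""
    if len(blob) < offset + 4:
        raise ValueError("key blob too short")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated SSH string in key blob")
    return blob[offset + 4:end], end


def parse_pubkey_line(line):
    """Parse 'keytype base64 [comment]' (known_hosts, authorized_keys or an LDAP
    attribute value). The declared type must equal the type embedded in the blob;
    a mismatch means a corrupted or hand-edited record."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected 'keytype base64 [comment]'")
    keytype, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    if keytype not in SSHFP_ALGORITHM:
        raise ValueError("unsupported key type %r" % keytype)
    blob = base64.b64decode(b64, validate=True)
    embedded, _ = _read_ssh_string(blob)
    if embedded != keytype.encode("ascii"):
        raise ValueError("declared type %s does not match the key blob" % keytype)
    return keytype, blob, comment


def sshfp_records(pubkey_line):
    """(algorithm, fptype, hex fingerprint) tuples for the key, one per fingerprint
    type: the rdata 'ssh-keygen -r' would emit for publishing in DNS."""
    keytype, blob, _ = parse_pubkey_line(pubkey_line)
    alg = SSHFP_ALGORITHM[keytype]
    return [(alg, fptype, digest(blob).hexdigest())
            for fptype, digest in sorted(SSHFP_FPTYPE.items())]


def known_hosts_line(hostname, pubkey_line):
    """known_hosts entry an unmanaged client would write after fetching the host's
    key from LDAP; the key is re-encoded from the parsed blob, so only a record
    that passed validation is written out."""
    keytype, blob, _ = parse_pubkey_line(pubkey_line)
    return "%s %s %s" % (hostname, keytype, base64.b64encode(blob).decode("ascii"))


def host_key_matches_sshfp(presented_line, records, dnssec_validated):
    """Check the key a remote host offered against its SSHFP records. As with
    OpenSSH's VerifyHostKeyDNS, an answer that was not DNSSEC-validated cannot
    vouch for the key, so it counts as no match. Unknown fptypes are skipped."""
    if not dnssec_validated:
        return False
    keytype, blob, _ = parse_pubkey_line(presented_line)
    alg = SSHFP_ALGORITHM[keytype]
    for rec_alg, fptype, hexfp in records:
        if rec_alg != alg or fptype not in SSHFP_FPTYPE:
            continue
        computed = SSHFP_FPTYPE[fptype](blob).hexdigest()
        if hmac.compare_digest(computed, hexfp.lower()):
            return True
    return False


def _ed25519_line(raw32, comment):
    """Build an ssh-ed25519 public key line from 32 raw key bytes (sample data only)."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw32)
    return "ssh-ed25519 %s %s" % (base64.b64encode(blob).decode("ascii"), comment)


# Constructed sample data: the host name and key bytes are made up, not real keys.
HOST = "web01.example.com"
HOST_KEY_LINE = _ed25519_line(bytes(range(32)), "root@" + HOST)
ROGUE_KEY_LINE = _ed25519_line(bytes(range(32, 64)), "root@" + HOST)

if __name__ == "__main__":
    for alg, fptype, fp in sshfp_records(HOST_KEY_LINE):
        print("%s. IN SSHFP %d %d %s" % (HOST, alg, fptype, fp))
    print(known_hosts_line(HOST, HOST_KEY_LINE))
```

Running it prints the two SSHFP records and the known_hosts line for the sample host. The fingerprint is computed over the decoded RFC 4253 key blob, not over the base64 text, which is why the blob is decoded and its embedded type checked before anything is hashed or written.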
[Freeipa-devel] OpenSSH integration - authorized_keys
Hello everyone,

this is a follow-up on the email on OpenSSH integration - known_hosts. It describes another scenario we want to address in the process of integrating OpenSSH into the SSSD-IPA infrastructure - user public keys and their central management. As in the previous email, we would also like to know your opinion. Note that this is just a shortened version to make it easier to read. It doesn't contain every bit of information about the design. For the full version see https://fedorahosted.org/freeipa/wiki/SSH-FreeIPA-Integration

Problems:
=========
* how to distribute keys for new users / regenerated keys through the domain. The authorized_keys file is probably not an option; we also want to cover the use case when home directories are remote and not mounted on the server.
* a user may want to log on to the remote server using a different account. We need to determine if he is allowed to impersonate that account.

Solution:
=========
Similarly to openssh-lpk, the solution is to centrally manage and store user public keys in the IPA server and deliver them to the host for validation when the user accesses that host. In the central server provide a way to define which account can do impersonation of which other accounts. Optionally add a way to represent special service accounts that are not full user accounts but can be logged in as via ssh (stretch goal).

What would change on IPA:
=========================
* the user entry will have an additional multi-valued attribute for storing public keys. Unlike in openssh-lpk, this attribute will store what keys the user has, not who can impersonate him.
* the user entry would also have a multi-valued attribute containing DNs of users he can impersonate
* new mechanisms to work with account public keys and impersonation via UI and CLI
* HBAC rules would be extended to cover impersonation
* provide an LDAP control to get a list of ssh keys that correspond to accounts that can impersonate a particular account in one operation.

On the client side:
===================
* SSSD would fetch (and cache?) user public keys from IPA
* a new SSSD client would fetch user public keys from SSSD
* use the SSH agent feature to get the user public key from the output of the SSSD client

-- 
Thank you

Jan Zeleny
Red Hat Software Engineer
Brno, Czech Republic
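An added example, not FreeIPA or SSSD code, of the authorized_keys resolution this proposal implies, in the shape an AuthorizedKeysCommand would take: for a login as a given account on a given host, return that account's own keys plus the keys of accounts permitted to impersonate it, with the impersonation attribute gated by an HBAC-style rule and disabled accounts excluded. The directory snapshot, the attribute name memberImpersonate and the rules are all constructed for illustration, and the key blobs are placeholders rather than real keys.

```python
# Constructed directory snapshot standing in for the IPA user entries the
# proposal describes: ipaSshPubKey holds the account's own keys, nsaccountlock
# marks a disabled account, and memberImpersonate (an assumed attribute name)
# lists the DNs this account may log in as. The key blobs are placeholders.
BASE = "cn=users,cn=accounts,dc=example,dc=com"
DIRECTORY = {
    "uid=deploy,%s" % BASE: {
        "uid": "deploy", "nsaccountlock": False,
        "ipaSshPubKey": ["ssh-ed25519 AAAAC3deployKEY deploy@ci"],
        "memberImpersonate": [],
    },
    "uid=alice,%s" % BASE: {
        "uid": "alice", "nsaccountlock": False,
        "ipaSshPubKey": ["ssh-ed25519 AAAAC3aliceKEY1 alice@laptop",
                         "ssh-rsa AAAAB3aliceKEY2 alice@desktop"],
        "memberImpersonate": ["uid=deploy,%s" % BASE],
    },
    "uid=bob,%s" % BASE: {
        "uid": "bob", "nsaccountlock": True,  # disabled: keys must never be accepted
        "ipaSshPubKey": ["ssh-ed25519 AAAAC3bobKEY bob@old"],
        "memberImpersonate": ["uid=deploy,%s" % BASE],
    },
    "uid=carol,%s" % BASE: {
        "uid": "carol", "nsaccountlock": False,
        "ipaSshPubKey": ["ssh-ed25519 AAAAC3carolKEY carol@laptop"],
        "memberImpersonate": ["uid=deploy,%s" % BASE],  # listed, but no HBAC rule
    },
}

# HBAC-style impersonation rules (constructed): who may act as whom, on which hosts.
# Deny by default: the impersonation attribute alone never grants access.
IMPERSONATION_RULES = [
    {"actor": "alice", "target": "deploy", "hosts": {"web01.example.com"}},
    {"actor": "bob", "target": "deploy", "hosts": "*"},
]


def dn_for_uid(uid, directory):
    for dn, entry in directory.items():
        if entry["uid"] == uid:
            return dn
    return None


def impersonators_of(target_dn, directory):
    """Entries whose impersonation attribute names target_dn: the join the proposed
    LDAP control would perform server-side in one operation."""
    return [dn for dn, e in directory.items() if target_dn in e["memberImpersonate"]]


def hbac_allows(rules, actor, target, host):
    return any(r["actor"] == actor and r["target"] == target
               and (r["hosts"] == "*" or host in r["hosts"]) for r in rules)


def _with_comment(pubkey, comment):
    """Replace the key's comment so the generated file records whose key it is."""
    keytype, b64 = pubkey.split()[:2]
    return "%s %s %s" % (keytype, b64, comment)


def authorized_keys(target_uid, host, directory, rules):
    """authorized_keys lines sshd on `host` should accept for a login as target_uid:
    the target's own keys plus the keys of enabled accounts that the rules allow
    to impersonate it. Returns [] for unknown or disabled targets."""
    target_dn = dn_for_uid(target_uid, directory)
    if target_dn is None or directory[target_dn]["nsaccountlock"]:
        return []
    lines = [_with_comment(k, "owner=" + target_uid)
             for k in directory[target_dn]["ipaSshPubKey"]]
    for dn in impersonators_of(target_dn, directory):
        actor = directory[dn]
        if actor["nsaccountlock"]:
            continue  # a disabled account must not get in through impersonation
        if not hbac_allows(rules, actor["uid"], target_uid, host):
            continue
        lines.extend(_with_comment(k, "impersonator=" + actor["uid"])
                     for k in actor["ipaSshPubKey"])
    return lines


if __name__ == "__main__":
    # What an AuthorizedKeysCommand would print to stdout for sshd on web01.
    for line in authorized_keys("deploy", "web01.example.com",
                                DIRECTORY, IMPERSONATION_RULES):
        print(line)
```

For a login as deploy on web01 the output is deploy's own key and alice's two keys; bob is skipped because his account is locked even though a rule exists, and carol is skipped because no rule covers her even though she is listed in the impersonation attribute. The comment on each line names the real key owner, so the generated file itself shows which principal a key belongs to.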
Re: [Freeipa-devel] [PATCH] Don't load the LDAP schema during startup
Jan Zeleny jzel...@redhat.com wrote: Jan Zelený jzel...@redhat.com wrote: Jan Zelený jzel...@redhat.com wrote: Rob Crittenden rcrit...@redhat.com wrote: Jan Zelený wrote: Rob Crittendenrcrit...@redhat.com wrote: Jan Zelený wrote: Loading of the schema is now performed in the first request that requires it. https://fedorahosted.org/freeipa/ticket/583 Jan We still need to enforce that we get the schema, some low-level functions depend on it. Also, if the UI doesn't get its aciattrs (which are derived from the schema) then nothing will be editable. I'm getting this backtrace if I force no schema by disabling get_schema: Ok, I'm sending new version, it should handle these exceptions better and the operation should fail if it needs the schema and the schema is not available for some reason. This breaks the XML-RPC server. I fixed one problem: --- a/ipaserver/plugins/ldap2.py +++ b/ipaserver/plugins/ldap2.py 
@@ -253,9 +253,10 @@ class ldap2(CrudBackend, Encoder): def get_syntax(self, attr, value): if not self.schema: -self.schema = get_schema(self.ldap_uri, self.conn) -if not self.schema: +schema = get_schema(self.ldap_uri, self.conn) +if not schema: return None +object.__setattr__(self, 'schema', schema) obj = self.schema.get_obj(_ldap.schema.AttributeType, attr) if obj is not None: return obj.syntax But simply things like get_entry() return an InternalError now. I'm not sure where you were going by adding this. rob Ok, no problem. It's possible that I simply did a mistake thinking I can do something in Python what is not really possible. About that InternalError: I think raising InternalError when we cannot load the schema to do the decoding is the right thing to do. Do you have a better solution? I thought about returning empty result, but that would mean we have to check the result in every funtction that is calling them and raising InternalError there. I'm sending updated patch. I modified the get_syntax() as you suggested and I slightly modified raising that InternalError - currently it isn't raised when results from get_entry() are not required by calling method. Currently I'm running some tests, preliminary results looked ok. self-nack I discovered some issues discovered by internal test suite, I'm working on them Jan Ok, everything is solved, I'm sending final version of the patch in the attachment. But I still think this should go to 2.1, since it's quite extensive patch in the core of IPA server and it has potential to break many things. Jan From 8ce877994e9122d89f842e358f38005eb980b632 Mon Sep 17 00:00:00 2001 
From: Jan Zeleny jzel...@redhat.com Date: Tue, 15 Feb 2011 09:37:58 +0100 Subject: [PATCH] Don't load the LDAP schema during startup https://fedorahosted.org/freeipa/ticket/583 --- ipalib/encoder.py | 12 +++-- ipalib/plugins/baseldap.py | 21 - ipalib/plugins/dns.py |2 +- ipalib/plugins/host.py |2 +- ipalib/plugins/permission.py|4 +- ipalib/plugins/sudocmd.py |2 +- ipaserver/install/dsinstance.py |2 +- ipaserver/plugins/ldap2.py | 92 +++--- 8 files changed, 97 insertions(+), 40 deletions(-) diff --git a/ipalib/encoder.py b/ipalib/encoder.py index f23e5659e848d37db1072ff59aa7e11796b0836c..762be9c096a4b7cbea03ecfcc82d03789951c0b5 100644 --- a/ipalib/encoder.py +++ b/ipalib/encoder.py @@ -56,9 +56,10 @@ class Encoder(object): self.encoder_settings = EncoderSettings() def _decode_dict_val(self, key, val): -f = self.encoder_settings.decode_dict_vals_table.get( -self.encoder_settings.decode_dict_vals_table_keygen(key, val) -) +k = self.encoder_settings.decode_dict_vals_table_keygen(key, val) +if k is False: +return False +f = self.encoder_settings.decode_dict_vals_table.get(k) if f: return val return self.decode(val) @@ -154,7 +155,10 @@ class Encoder(object): tmp = self.encoder_settings.decode_postprocessor self.encoder_settings.decode_postprocessor = lambda x: x for (k, v) in dct.iteritems(): -dct[k] = self._decode_dict_val(k, v) +decoded_val = self._decode_dict_val(k, v) +if decoded_val is False: +return False +dct[k] = decoded_val if not self.encoder_settings.decode_dict_vals_postprocess: self.encoder_settings.decode_postprocessor = tmp return dct
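Review bot: in the get_syntax() hunk the cached schema is stored with `object.__setattr__(self, 'schema', schema)` and no comment; that is the idiom for writing past a class that overrides `__setattr__`, so whatever that override is here, the reason for bypassing it belongs in a comment, and the lazy load would be better kept in one method that every reader of `self.schema` goes through, so the workaround lives in one place instead of beside each use.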
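Review bot: in the encoder.py hunk `False` doubles as the "no schema" signal in `_decode_dict_val` and in the dict loop (`if decoded_val is False: return False`), so an attribute whose decoded value is legitimately False aborts decoding of the whole entry and the caller gets False instead of a dict. A private sentinel (`_NO_SCHEMA = object()`) or raising the InternalError at this level would be unambiguous. Also worth a line in the commit message: this version keeps `if f: return val` (a table hit means "leave the value undecoded"), whereas the two earlier revisions changed it to `return f(val)`; the reversal looks deliberate but is easy to miss.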
Re: [Freeipa-devel] [PATCH] Don't load the LDAP schema during startup
Jan Zelený jzel...@redhat.com wrote: Rob Crittenden rcrit...@redhat.com wrote: Jan Zelený wrote: Rob Crittendenrcrit...@redhat.com wrote: Jan Zelený wrote: Loading of the schema is now performed in the first request that requires it. https://fedorahosted.org/freeipa/ticket/583 Jan We still need to enforce that we get the schema, some low-level functions depend on it. Also, if the UI doesn't get its aciattrs (which are derived from the schema) then nothing will be editable. I'm getting this backtrace if I force no schema by disabling get_schema: Ok, I'm sending new version, it should handle these exceptions better and the operation should fail if it needs the schema and the schema is not available for some reason. This breaks the XML-RPC server. I fixed one problem: --- a/ipaserver/plugins/ldap2.py +++ b/ipaserver/plugins/ldap2.py 
@@ -253,9 +253,10 @@ class ldap2(CrudBackend, Encoder): def get_syntax(self, attr, value): if not self.schema: -self.schema = get_schema(self.ldap_uri, self.conn) -if not self.schema: +schema = get_schema(self.ldap_uri, self.conn) +if not schema: return None +object.__setattr__(self, 'schema', schema) obj = self.schema.get_obj(_ldap.schema.AttributeType, attr) if obj is not None: return obj.syntax But simply things like get_entry() return an InternalError now. I'm not sure where you were going by adding this. rob Ok, no problem. It's possible that I simply did a mistake thinking I can do something in Python what is not really possible. About that InternalError: I think raising InternalError when we cannot load the schema to do the decoding is the right thing to do. Do you have a better solution? I thought about returning empty result, but that would mean we have to check the result in every funtction that is calling them and raising InternalError there. I'm sending updated patch. I modified the get_syntax() as you suggested and I slightly modified raising that InternalError - currently it isn't raised when results from get_entry() are not required by calling method. Currently I'm running some tests, preliminary results looked ok. -- Thank you Jan Zeleny Red Hat Software Engineer Brno, Czech Republic From bdab2d3b9b8a7397e13acdad9d2809ae355cd5a7 Mon Sep 17 00:00:00 2001 From: Jan Zeleny jzel...@redhat.com Date: Tue, 15 Feb 2011 09:37:58 +0100 Subject: [PATCH] Don't load the LDAP schema during startup https://fedorahosted.org/freeipa/ticket/583 --- ipalib/encoder.py | 11 +++-- ipalib/plugins/baseldap.py | 21 - ipalib/plugins/dns.py |2 +- ipalib/plugins/host.py |2 +- ipalib/plugins/permission.py|4 +- ipalib/plugins/sudocmd.py |2 +- ipaserver/install/dsinstance.py |2 +- ipaserver/plugins/ldap2.py | 90 --- 8 files changed, 96 insertions(+), 38 deletions(-) 
diff --git a/ipalib/encoder.py b/ipalib/encoder.py index f23e5659e848d37db1072ff59aa7e11796b0836c..fbcae1739ee6541bdb989d6d01f8a4c9fb614b62 100644 --- a/ipalib/encoder.py +++ b/ipalib/encoder.py @@ -56,11 +56,12 @@ class Encoder(object): self.encoder_settings = EncoderSettings() def _decode_dict_val(self, key, val): -f = self.encoder_settings.decode_dict_vals_table.get( -self.encoder_settings.decode_dict_vals_table_keygen(key, val) -) +k = self.encoder_settings.decode_dict_vals_table_keygen(key, val) +if k is False: +return False +f = self.encoder_settings.decode_dict_vals_table.get(key) if f: -return val +return f(val) return self.decode(val) def encode(self, var): @@ -155,6 +156,8 @@ class Encoder(object): self.encoder_settings.decode_postprocessor = lambda x: x for (k, v) in dct.iteritems(): dct[k] = self._decode_dict_val(k, v) +if dct[k] is False: +return False if not self.encoder_settings.decode_dict_vals_postprocess: self.encoder_settings.decode_postprocessor = tmp return dct diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py index 3cb72d7b09cc8c8a77bd4e594660ee376d668013..adc19fec8ff96eef2750ad08715e9324c1c536c6 100644 --- a/ipalib/plugins/baseldap.py +++ b/ipalib/plugins/baseldap.py @@ -189,6 +189,9 @@ def get_effective_rights(ldap, dn, attrs=None): if attrs is None: attrs = ['*', 'nsaccountlock', 'cospriority'] rights = ldap.get_effective_rights(dn, attrs) +if rights[1] in None: +return None + rdict = {} if 'attributelevelrights' in rights[1]: rights = rights[1
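Review bot: in `_decode_dict_val` the keygen result `k` is only used for the `is False` test, and the lookup then uses the raw `key` (`decode_dict_vals_table.get(key)`); the code being replaced looked up the keygen result, so this silently changes which attributes hit the table, and `.get(k)` looks intended. Two more things in the same hunk: `return f(val)` replaces `return val`, a behaviour change for every table entry that the commit message does not mention, and in the dict loop `dct[k] = self._decode_dict_val(k, v)` writes the False into the caller's dict before `return False`, so the entry is left half-decoded.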
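Review bot: `if rights[1] in None:` in the baseldap.py hunk is a TypeError in Python (`None` is not iterable), not a None check; it needs `is None`. And since this patch makes the decoder return False when the schema is missing, `rights` itself can be False here, in which case `rights[1]` fails before the check runs; test `rights` before indexing into it.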
Re: [Freeipa-devel] [PATCH] 737 move BuildRequires
Jakub Hrozek jhro...@redhat.com wrote:
On Tue, Feb 22, 2011 at 11:21:41AM +0100, Jakub Hrozek wrote:
Note the %else.

Sorry, %endif. That separates BRs for !ONLY_CLIENT from those that are needed in both cases.

Yes I noticed that and I understand that part. I meant the part after the %endif - there is no need to move those dependencies. On the other hand it's definitely not a patch-blocker or something, so I give this patch ACK.

Jan
Re: [Freeipa-devel] [PATCH] 728 default roles
Rob Crittenden rcrit...@redhat.com wrote:
Jakub Hrozek wrote:
On Mon, Feb 21, 2011 at 10:11:38AM -0500, Rob Crittenden wrote:
Rob Crittenden wrote:
Jakub Hrozek wrote:
On 02/17/2011 04:35 AM, Rob Crittenden wrote:
Add default roles and permissions for HBAC, SUDO and pw policy

Created some default roles as examples. In doing so I realized that we were completely missing default rules for HBAC, SUDO and password policy so I added those as well.

I ran into a problem when the updater has a default record and an add at the same time, it should handle it better now.

ticket 585

rob

I'm not sure about the HBAC rules ACIs. They are specified as: 'target = ldap:///cn=*,cn=hbac,$SUFFIX;' while HBAC rules' DN is: 'ipauniqueid=*,cn=hbac,$SUFFIX'. But HBAC rules do have a cn: attribute, so maybe the ACIs would work?

No, you're right, this is wrong. I'll fix it up and resubmit.

The patch also needs rebasing on top of recent changes to install/updates/Makefile.am

Other than that, looks OK to me.

btw when I was reviewing this patch, I noticed we add a DNS Administrators privilege in dns.ldif. Would it make sense to add DNS administration to Security Architect (replication management) and IT Specialist (hosts management)?

The DNS stuff is added only if DNS is enabled on the server so I can't add them by default.

rob

Updated patch.

rob

Interdiff looks fine, but I'm not able to apply the patch (not even 3-way merge), can you rebase?

done

The patch now applies ok (just one whitespace warning), ack

Jan
Re: [Freeipa-devel] [PATCH] Don't load the LDAP schema during startup
Rob Crittenden rcrit...@redhat.com wrote: Jan Zelený wrote: Loading of the schema is now performed in the first request that requires it. https://fedorahosted.org/freeipa/ticket/583 Jan We still need to enforce that we get the schema, some low-level functions depend on it. Also, if the UI doesn't get its aciattrs (which are derived from the schema) then nothing will be editable. I'm getting this backtrace if I force no schema by disabling get_schema: Ok, I'm sending new version, it should handle these exceptions better and the operation should fail if it needs the schema and the schema is not available for some reason. -- Thank you Jan Zeleny Red Hat Software Engineer Brno, Czech Republic From 5ef34748ad1b2d055c86e6674f060d78ad2f8f5f Mon Sep 17 00:00:00 2001 From: Jan Zeleny jzel...@redhat.com Date: Tue, 15 Feb 2011 09:37:58 +0100 Subject: [PATCH] Don't load the LDAP schema during startup https://fedorahosted.org/freeipa/ticket/583 --- ipalib/encoder.py | 11 +++-- ipalib/plugins/baseldap.py |6 ++- ipaserver/install/dsinstance.py |2 +- ipaserver/plugins/ldap2.py | 79 ++ 4 files changed, 67 insertions(+), 31 deletions(-) diff --git a/ipalib/encoder.py b/ipalib/encoder.py index f23e5659e848d37db1072ff59aa7e11796b0836c..1874d903aa0dc2a8c9ee1497164b9d418457c82a 100644 --- a/ipalib/encoder.py +++ b/ipalib/encoder.py @@ -56,11 +56,12 @@ class Encoder(object): self.encoder_settings = EncoderSettings() def _decode_dict_val(self, key, val): -f = self.encoder_settings.decode_dict_vals_table.get( -self.encoder_settings.decode_dict_vals_table_keygen(key, val) -) +key = self.encoder_settings.decode_dict_vals_table_keygen(key, val) +if key is None: +return None +f = self.encoder_settings.decode_dict_vals_table.get(key) if f: -return val +return f(val) return self.decode(val) def encode(self, var): 
@@ -155,6 +156,8 @@ class Encoder(object): self.encoder_settings.decode_postprocessor = lambda x: x for (k, v) in dct.iteritems(): dct[k] = self._decode_dict_val(k, v) +if dct[k] is None: +return None if not self.encoder_settings.decode_dict_vals_postprocess: self.encoder_settings.decode_postprocessor = tmp return dct diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py index 3cb72d7b09cc8c8a77bd4e594660ee376d668013..8866c2f6f1c84b9b5b785562db34b82481a52fb9 100644 --- a/ipalib/plugins/baseldap.py +++ b/ipalib/plugins/baseldap.py @@ -394,7 +394,11 @@ class LDAPObject(Object): objectclasses += self.possible_objectclasses # Get list of available attributes for this object for use # in the ACI UI. -attrs = self.api.Backend.ldap2.schema.attribute_types(objectclasses) +schema = self.api.Backend.ldap2.get_schema() +if not schema: +attrs = [] +else: +attrs = schema.attribute_types(objectclasses) attrlist = [] # Go through the MUST first for (oid, attr) in attrs[0].iteritems(): diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index 2544e167bdff28c13201c5371070ab729ca84b67..c2081700bb7348f4db7e3467f64d040effd07cbe 100644 --- a/ipaserver/install/dsinstance.py +++ b/ipaserver/install/dsinstance.py @@ -133,7 +133,7 @@ def has_managed_entries(host_name, dm_password): conn = ldap2(shared_instance=False, ldap_uri=ldapuri, base_dn='cn=config') conn.connect(bind_dn='cn=Directory Manager', bind_pw=dm_password) (dn, attrs) = conn.get_entry('cn=Managed Entries,cn=plugins', - ['*'], time_limit=2, size_limit=3000) + ['*'], time_limit=2, size_limit=3000, override=True) return True except errors.NotFound: return False diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py index d1e31f5e6eff20cd162c0a11eb4e4404b43ae4b2..3ef076a3dd0c92422bea8fdd29b01e8e311be8ae 100644 --- a/ipaserver/plugins/ldap2.py +++ b/ipaserver/plugins/ldap2.py 
@@ -184,12 +184,6 @@ def get_schema(url, conn=None): return _ldap.schema.SubSchema(schema_entry[1]) -# cache schema when importing module -try: -_schema = get_schema(api.env.ldap_uri) -except AttributeError: -_schema = None - # The UPG setting will be cached the first time a module checks it _upg = None @@ -229,7 +223,6 @@ class ldap2(CrudBackend, Encoder): def __init__(self, shared_instance=True, ldap_uri=None, base_dn=None, schema=None): -global _schema CrudBackend.__init__(self, shared_instance=shared_instance) Encoder.__init__(self) self.encoder_settings.encode_dict_keys = True @@ -249,7 +242,7
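Review bot: in the encoder.py hunk None as the "schema not loaded" signal collides with attributes that legitimately decode to None, and `dct[k] = self._decode_dict_val(k, v)` stores that None into the caller's dict before `return None`, so the entry is left half-decoded. Also, `key = ...keygen(key, val)` reuses the parameter name, and `return f(val)` replaces `return val`, a behaviour change for everything in decode_dict_vals_table that the commit message does not mention.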
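Review bot: in the baseldap.py hunk, when get_schema() returns nothing the code sets `attrs = []` and then falls straight into `for (oid, attr) in attrs[0].iteritems()`, which raises IndexError on the empty list; the fallback has to return before that loop (leaving `attrlist` empty), and it should log why the ACI attribute list is empty rather than failing silently.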
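Review bot: has_managed_entries() in dsinstance.py now passes `override=True` to get_entry(), but the visible part of the ldap2.py hunk (it is cut off after the `__init__` changes) does not show get_entry() gaining that parameter; if it is not added this is a TypeError during installation, and the new keyword wants a docstring line saying what it overrides. Removing the import-time `_schema = get_schema(api.env.ldap_uri)` block also removes the `except AttributeError` that covered a missing api.env.ldap_uri, so check that the lazy path reports that case instead of quietly decoding nothing.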
[Freeipa-devel] [PATCH] 48 Document the --rights output format
https://fedorahosted.org/freeipa/ticket/563 https://fedorahosted.org/freeipa/ticket/588 Jan From 5d23b3fad0dd8bc9633e5a69d069d9346f52 Mon Sep 17 00:00:00 2001 From: Jan Zeleny jzel...@redhat.com Date: Thu, 17 Feb 2011 03:55:14 -0500 Subject: [PATCH] Document the --rights output format https://fedorahosted.org/freeipa/ticket/563 https://fedorahosted.org/freeipa/ticket/588 --- ipa.1 | 15 ++- ipalib/plugins/baseldap.py |6 +++--- 2 files changed, 17 insertions(+), 4 deletions(-) diff --git a/ipa.1 b/ipa.1 index eb8fe8cd085f8ab7c76fbee6a8357965e279d5e6..a322d246f1f74d2bd31796663c1dea1e1d895880 100644 --- a/ipa.1 +++ b/ipa.1 
@@ -106,13 +106,26 @@ The above types of commands take the objects primary key as their only positiona For some types of objects, these commands might need to take more than one primary key. This applies to IPA objects organized in hierarchies where the parent object needs to be identified first. Parent primary keys are always aligned to the left (higher in the hierarchy = more to the left). For example the automount IPA plugin enables users to manage automount maps per location, as a result all automount commands take an automountlocation primary key as their first positional argument. -All commands that display objects have two special options for controlling output: +All commands that display objects have three special options for controlling output: .TP \fB\-\-all\fR Dispaly all attributes. Without this option only the most relevant attributes are displayed. .TP \fB\-\-raw\fR Display objects as they are stored in the backing store. Disables formatting and attribute labels. +.TP +\fB\-\-rights\fR +Display effective rights on all attributes of the entry. You also have to specify \fB\-\-all\fR for this to work. User rights are returned as Python dictionary where index is the name of an attribute and value is a string composed of following letters: + +.ad l +r - read\p +s - search\p +w - write\p +o - obliterate (delete)\p +c - compare\p +W - self-write\p +O - self-obliterate + .SH EXAMPLES .TP \fBipa help commands\fR diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py index f403990ff86f33140b2a91405f8f0cde2d079644..43183c264884b4db2b9f2f50733d0fe1182082d9 100644 --- a/ipalib/plugins/baseldap.py +++ b/ipalib/plugins/baseldap.py @@ -180,7 +180,7 @@ def get_effective_rights(ldap, dn, attrs=None): rights = rights[0].split(', ') for r in rights: (k,v) = r.split(':') -rdict[k.strip().lower()] = v +rdict[k.strip().lower()] = str(v) return rdict 
@@ -666,7 +666,7 @@ class LDAPRetrieve(LDAPQuery): takes_options = ( Flag('rights', label=_('Rights'), -doc=_('Display the access rights to modify this entry (requires --all)'), +doc=_('Display the access rights of this entry (requires --all). See ipa man page for details.'), ), ) @@ -732,7 +732,7 @@ class LDAPUpdate(LDAPQuery, crud.Update): takes_options = _attr_options + ( Flag('rights', label=_('Rights'), -doc=_('Display the access rights to modify this entry (requires --all)'), +doc=_('Display the access rights of this entry (requires --all). See ipa man page for details.'), ), ) -- 1.7.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
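Review bot: the ipa.1 hunk says what the letters mean but not why the option exists or who consumes it; a sentence that this is the effective-rights data the server computes for the bound user, used to decide in advance which fields are editable, would make the section self-contained. While touching this paragraph, fix "Dispaly all attributes" in the context line just above `--raw`.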
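Review bot: `rdict[k.strip().lower()] = str(v)` in the baseldap.py hunk turns the rights value into a byte string while every other value in the returned entry stays unicode; if the aim is to lose the u'' prefix in CLI output, that belongs in the output formatter, and on a non-ASCII value `str()` raises UnicodeEncodeError. In the same function the context line `(k,v) = r.split(':')` breaks on a value containing a second colon; `r.partition(':')` is safer.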
Re: [Freeipa-devel] [PATCH] 059 Use unicode parameters in the host plugin
Jakub Hrozek jhro...@redhat.com wrote:
While reviewing Rob's latest patch I found out that we didn't convert to unicode in a couple of places in the host plugin.

ack

Jan
Re: [Freeipa-devel] [PATCH] 18 Use TLS for ipadiscovery during ipa client install
JR Aquino jr.aqu...@citrix.com wrote:
This patch addresses the need to utilize TLS when using the ipa-client-install tool. It addresses ticket: https://fedorahosted.org/freeipa/ticket/974

Nack, running ipa-client-install returned this error:

# ipa-client-install
Retrieving CA from None failed.
Command '/usr/bin/wget -O /etc/ipa/ca.crt http://None/ipa/config/ca.crt' returned non-zero exit status 4

One more question - shouldn't you use ldaps directly to connect to the server?

Jan
Re: [Freeipa-devel] [PATCH] 059 Use unicode parameters in the host plugin
Jan Zelený jzel...@redhat.com wrote:
Jakub Hrozek jhro...@redhat.com wrote:
While reviewing Rob's latest patch I found out that we didn't convert to unicode in a couple of places in the host plugin.

ack

On second thoughts - maybe the _get_unicode_reverse_zone isn't necessary at all - is it possible to do this change directly in get_reverse_zone?

Jan
Re: [Freeipa-devel] [PATCH] 059 Use unicode parameters in the host plugin
Jakub Hrozek jhro...@redhat.com wrote:
On Thu, Feb 17, 2011 at 11:06:35AM +0100, Jan Zelený wrote:
Jan Zelený jzel...@redhat.com wrote:
Jakub Hrozek jhro...@redhat.com wrote:
While reviewing Rob's latest patch I found out that we didn't convert to unicode in a couple of places in the host plugin.

ack

On second thoughts - maybe the _get_unicode_reverse_zone isn't necessary at all - is it possible to do this change directly in get_reverse_zone?

Jan

attached. also removed a line of dead code.

Better, thanks. I'd also like to change the code which is using this function, so the conversion doesn't take place twice. On the other hand that would be a rather big change, which IMO shouldn't occur in the RC. I think filing a cleanup ticket for this is the best option.

Ack

Jan
[Freeipa-devel] [PATCH] 49 Fixed user-add help
https://fedorahosted.org/freeipa/ticket/735 Jan From 52fa78ffe70d581125f54ca9138e8afba06aacc8 Mon Sep 17 00:00:00 2001 From: Jan Zeleny jzel...@redhat.com Date: Thu, 17 Feb 2011 07:25:57 -0500 Subject: [PATCH] Fixed user-add help https://fedorahosted.org/freeipa/ticket/735 --- ipalib/plugins/user.py |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py index 2c9ec1fa99788422e6e3a7e881abb31e886022bf..053c7f36d284f6e0508773b3708121872a78205c 100644 --- a/ipalib/plugins/user.py +++ b/ipalib/plugins/user.py @@ -38,7 +38,7 @@ about this topic please see: ipa help passwd EXAMPLES: Add a new user: - ipa user-add --first=Tim --last=User --passwd tuser1 + ipa user-add --first=Tim --last=User --password Find all users whose entries include the string Tim: ipa user-find Tim -- 1.7.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
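Review bot: the new example `ipa user-add --first=Tim --last=User --password` drops the login name that the old one passed as `tuser1`; the ipa(1) text elsewhere in this thread says these commands take the object's primary key as their positional argument, so either keep the login in the example or add a clause saying what happens when it is omitted, otherwise readers will expect the command to fail. That `--password` prompts interactively rather than taking a value is worth a note in the same place.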
Re: [Freeipa-devel] [PATCH] 48 Document the --rights output format
Rob Crittenden rcrit...@redhat.com wrote: Jan Zelený wrote: https://fedorahosted.org/freeipa/ticket/563 https://fedorahosted.org/freeipa/ticket/588 Jan This is a good start, I think we need to include some guidance on why this exists and why it exists where it does. It exists so a user interface can know in advance what the current user's rights are for a given entry so that the user experience is better (currently used by the Web UI to disable attributes that are not writable). It appears in the add and mod commands to avoid having to do a show after an entry is added or updated. rob I updated the patch with a note that it is primarily used for internal purposes of CLI and WebUI, I think this should be sufficient description. I also deleted the line converting unicode strings to str because it broke JSON-RPC communication. Jan From ac16208ca8cc25b02b9d17f40b4124d4c084c566 Mon Sep 17 00:00:00 2001 From: Jan Zeleny jzel...@redhat.com Date: Thu, 17 Feb 2011 03:55:14 -0500 Subject: [PATCH] Document the --rights output format https://fedorahosted.org/freeipa/ticket/563 https://fedorahosted.org/freeipa/ticket/588 --- ipa.1 | 15 ++- ipalib/plugins/baseldap.py |4 ++-- 2 files changed, 16 insertions(+), 3 deletions(-) diff --git a/ipa.1 b/ipa.1 index eb8fe8cd085f8ab7c76fbee6a8357965e279d5e6..e346853877317b19a4904fbbde6baa90aefd028c 100644 --- a/ipa.1 +++ b/ipa.1 
@@ -106,13 +106,26 @@ The above types of commands take the objects primary key as their only positiona For some types of objects, these commands might need to take more than one primary key. This applies to IPA objects organized in hierarchies where the parent object needs to be identified first. Parent primary keys are always aligned to the left (higher in the hierarchy = more to the left). For example the automount IPA plugin enables users to manage automount maps per location, as a result all automount commands take an automountlocation primary key as their first positional argument. -All commands that display objects have two special options for controlling output: +All commands that display objects have three special options for controlling output: .TP \fB\-\-all\fR Dispaly all attributes. Without this option only the most relevant attributes are displayed. .TP \fB\-\-raw\fR Display objects as they are stored in the backing store. Disables formatting and attribute labels. +.TP +\fB\-\-rights\fR +Display effective rights on all attributes of the entry. You also have to specify \fB\-\-all\fR for this to work. User rights are returned as Python dictionary where index is the name of an attribute and value is a unicode string composed (hence the u'' format) of letters specified below. Note that user rights are primarily used for internal purposes of CLI and WebUI. + +.ad l +r - read\p +s - search\p +w - write\p +o - obliterate (delete)\p +c - compare\p +W - self-write\p +O - self-obliterate + .SH EXAMPLES .TP \fBipa help commands\fR diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py index f403990ff86f33140b2a91405f8f0cde2d079644..2d25219daa2e4a464d650705665aaa6ff33f1a16 100644 --- a/ipalib/plugins/baseldap.py +++ b/ipalib/plugins/baseldap.py 
@@ -666,7 +666,7 @@ class LDAPRetrieve(LDAPQuery): takes_options = ( Flag('rights', label=_('Rights'), -doc=_('Display the access rights to modify this entry (requires --all)'), +doc=_('Display the access rights of this entry (requires --all). See ipa man page for details.'), ), ) @@ -732,7 +732,7 @@ class LDAPUpdate(LDAPQuery, crud.Update): takes_options = _attr_options + ( Flag('rights', label=_('Rights'), -doc=_('Display the access rights to modify this entry (requires --all)'), +doc=_('Display the access rights of this entry (requires --all). See ipa man page for details.'), ), ) -- 1.7.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
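Review bot: in the ipa.1 hunk "unicode string composed (hence the u'' format) of letters specified below" puts the parenthetical in the middle of the phrase; "composed of the letters listed below (hence the u'' prefix in the output)" reads better. The "Dispaly all attributes" typo in the context line just above `--raw` is still there and can be fixed in the same hunk.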
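Review bot: `See ipa man page for details.` in the two Flag docs of the baseldap.py hunk would be clearer as `See the ipa(1) man page for details.`; the identical string appears twice, so a module-level constant keeps the two from drifting apart on the next edit.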
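The format the man page text documents, handled in code as an added example that is not FreeIPA code: parse the per-attribute rights string the server returns into the mapping the page describes, reject letters outside the documented set, and derive from it what a UI needs, namely the attributes the user can edit, the ones to render disabled, and the ones whose current value cannot be read at all. The sample rights value is constructed.

```python
# Letters the ipa(1) text above assigns to attribute-level rights.
RIGHT_LETTERS = {"r": "read", "s": "search", "w": "write", "o": "obliterate",
                 "c": "compare", "W": "self-write", "O": "self-obliterate"}


def parse_attribute_rights(value):
    """Parse 'attr:letters, attr:letters' (the format the page's get_effective_rights
    splits up) into {attr_lowercase: letters}. Unknown letters or an item without a
    colon raise ValueError instead of being silently mapped."""
    rights = {}
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        attr, sep, letters = item.partition(":")
        if not sep:
            raise ValueError("malformed rights item %r" % item)
        letters = letters.strip()
        unknown = set(letters) - set(RIGHT_LETTERS)
        if unknown:
            raise ValueError("unknown right(s) %s for %s"
                             % ("".join(sorted(unknown)), attr))
        rights[attr.strip().lower()] = letters
    return rights


def has_right(rights, attr, letter):
    """Deny by default: an attribute absent from the mapping has no rights."""
    if letter not in RIGHT_LETTERS:
        raise ValueError("unknown right %r" % letter)
    return letter in rights.get(attr.lower(), "")


def writable_attributes(rights):
    return sorted(a for a, l in rights.items() if "w" in l)


def read_only_attributes(rights):
    """Readable but not writable: what the Web UI renders as disabled fields."""
    return sorted(a for a, l in rights.items() if "r" in l and "w" not in l)


def unreadable_attributes(rights):
    """No read right at all (e.g. write-only password attributes): the UI must not
    try to display a current value for these."""
    return sorted(a for a, l in rights.items() if "r" not in l)


def describe(rights, attr):
    """Human-readable names for the rights on one attribute."""
    return [RIGHT_LETTERS[l] for l in rights.get(attr.lower(), "")]


# Constructed sample value in the server's attributelevelrights format.
SAMPLE = "uid:rscwo, givenName:rsc, userPassword:wo, krbPrincipalKey:"

if __name__ == "__main__":
    r = parse_attribute_rights(SAMPLE)
    print(r)
    print("editable:", writable_attributes(r))
    print("disabled:", read_only_attributes(r))
    print("not shown:", unreadable_attributes(r))
```

`partition` rather than `split(':')` keeps a value that happens to contain a second colon from breaking the parse, and keys are lower-cased on the way in because the server's attribute names are case-insensitive while Python dict keys are not.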
[Freeipa-devel] [PATCH] Reword help for the user module
The first part of the ticket has already been solved, hence it is not a part of this patch. https://fedorahosted.org/freeipa/ticket/351 Jan From 0d649884896d67759187a605526fefc31b4ad81c Mon Sep 17 00:00:00 2001 From: Jan Zeleny jzel...@redhat.com Date: Wed, 16 Feb 2011 03:10:14 -0500 Subject: [PATCH] Reword help for the user module https://fedorahosted.org/freeipa/ticket/351 --- ipalib/plugins/user.py |3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py index e74b8bed25979ffdd6c29d383e3420ad8c3350a8..343f6883c20bab85e0c00a9863299d50d3952edb 100644 --- a/ipalib/plugins/user.py +++ b/ipalib/plugins/user.py @@ -32,6 +32,9 @@ Disabling a user account prevents that user from obtaining new Kerberos credentials. It does not invalidate any credentials that have already been issued. +The password management is not a part of this modules. For more information +about this topic please see 'ipa help passwd'. + EXAMPLES: Add a new user: -- 1.7.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
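Review bot: the added docstring lines read `The password management is not a part of this modules.`; this should be `Password management is not a part of this module.` (singular, and the leading article is unidiomatic). The commit body is only the ticket URL; one sentence noting that the user help now points to `ipa help passwd` would make the log entry self-explanatory.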
[Freeipa-devel] [PATCH] Fixed in ipa-server-install help and man page
https://fedorahosted.org/freeipa/ticket/831 Jan From 4fc3a69901c893f7e3403378ddf2d3bfa435132f Mon Sep 17 00:00:00 2001 From: Jan Zeleny jzel...@redhat.com Date: Wed, 16 Feb 2011 03:20:00 -0500 Subject: [PATCH] Fixed in ipa-server-install help and man page https://fedorahosted.org/freeipa/ticket/831 --- install/tools/ipa-server-install |2 +- install/tools/man/ipa-server-install.1 |5 - 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index 9e7853eb45085f3322cfaa01200964549549f9d1..6ae02d89398baf7795a55424474407b08b128a1d 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install @@ -128,7 +128,7 @@ def parse_options(): parser.add_option(--idstart, dest=idstart, default=namespace, type=int, help=The starting value for the IDs range (default random)) parser.add_option(--idmax, dest=idmax, default=0, type=int, - help=The max value value for the IDs range (default random)) + help=The max value value for the IDs range (default: idstart+19)) parser.add_option(--subject, dest=subject, help=The certificate subject base (default O=realm-name)) parser.add_option(--no_hbac_allow, dest=hbac_allow, default=False, diff --git a/install/tools/man/ipa-server-install.1 b/install/tools/man/ipa-server-install.1 index f67587a49c62742f3f4898536381ae57efe6e544..b25990cf6ecf6b0889eca73330f8bc024a97b53c 100644 --- a/install/tools/man/ipa-server-install.1 +++ b/install/tools/man/ipa-server-install.1 @@ -72,7 +72,7 @@ the \fB\-\-no\-forwarders\fR option is specified. Do not add any DNS forwarders. Root DNS servers will be used instead. .TP \fB\-\-zonemgr\fR -The e\-mail address of the DNS zone manager. Defaults too root@host.domain +The e\-mail address of the DNS zone manager. Defaults to root@host.domain .TP \fB\-\-no\-host\-dns\fR Do not use DNS for hostname lookup during installation 
@@ -98,6 +98,9 @@ The password of the Apache Server PKCS#12 file \fB\-\-idstart\fR=\fIIDSTART\fR The starting user and group id number (default random) .TP +\fB\-\-idmax\fR=\fIIDMAX\fR +The maximal user and group id number (default: idstart+19). If set to zero, the default value will be used. +.TP \fB\-\-subject\fR=\fISUBJECT\fR The certificate subject base (default O=REALM.NAME) .TP -- 1.7.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
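Review bot: the rewritten `--idmax` help in ipa-server-install still carries the pre-existing duplicated word in `The max value value for the IDs range`; since the line is touched anyway, make it `The max value for the IDs range (default: idstart+19)`. The computed default is now hard-coded as prose both here and in the man page, so a later change to the installer's arithmetic leaves two stale copies; either derive the string from the same constant or phrase it as "derived from --idstart".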
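Review bot: in the new `\fB\-\-idmax\fR` man page entry, `The maximal user and group id number` should read `The maximum user and group id number`, and `If set to zero, the default value will be used.` documents a zero sentinel that the neighbouring `\-\-idstart` entry does not mention for its own "default random" case; align the wording of the two entries so the reader can tell which defaults are random and which are computed. The `Defaults too` to `Defaults to` fix in the zonemgr hunk is correct.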
Re: [Freeipa-devel] [PATCH] 057 Validate MX records
Jakub Hrozek jhro...@redhat.com wrote:
https://fedorahosted.org/freeipa/ticket/967
I'm wondering whether to extend the patch - if the mail server name does not end with a dot, BIND treats it as relative to the zone. So if you do:
ipa dnsrecord-add example.com @ --mx-rec=10 mail.example.com
dig would then return mail.example.com.example.com
The correct way of adding it is (note the trailing dot):
ipa dnsrecord-add example.com @ --mx-rec=10 mail.example.com.
This is in line with how nsupdate works, so should we just document it? A smarter way might be to check if the hostname ends with the zone name and append a dot, but I'm not sure if that is perhaps /too/ smart..

Just nitpicking here, but shouldn't the second arg of the function be called mx or something like that?
Jan

Re: [Freeipa-devel] [PATCH] Reword help for the user module
Martin Kosek mko...@redhat.com wrote: On Wed, 2011-02-16 at 09:13 +0100, Jan Zelený wrote: The first part of the ticket has already been solved, hence it is not a part of this patch. https://fedorahosted.org/freeipa/ticket/351 Jan NACK Just a minor issue - s/this modules/this module/ Thanks, the second version is in attachment. Jan From 0d649884896d67759187a605526fefc31b4ad81c Mon Sep 17 00:00:00 2001 From: Jan Zeleny jzel...@redhat.com Date: Wed, 16 Feb 2011 03:10:14 -0500 Subject: [PATCH] Reword help for the user module https://fedorahosted.org/freeipa/ticket/351 --- ipalib/plugins/user.py |3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py index e74b8bed25979ffdd6c29d383e3420ad8c3350a8..343f6883c20bab85e0c00a9863299d50d3952edb 100644 --- a/ipalib/plugins/user.py +++ b/ipalib/plugins/user.py @@ -32,6 +32,9 @@ Disabling a user account prevents that user from obtaining new Kerberos credentials. It does not invalidate any credentials that have already been issued. +The password management is not a part of this module. For more information +about this topic please see 'ipa help passwd'. + EXAMPLES: Add a new user: -- 1.7.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
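Review bot: the singular requested in review is now in (`this module`); remaining nits in the same hunk are `The password management`, which reads more naturally as `Password management`, and `please see 'ipa help passwd'`, where `please` does not match the terse style of the surrounding plugin docstrings. The `From 0d649884896d67759187a605526fefc31b4ad81c` header is identical to the v1 patch although the content differs, so this was edited by hand rather than regenerated; re-export with git format-patch so the id matches the commit being proposed.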
[Freeipa-devel] [PATCH] 47 Validate that the reverse DNS record is correct
This patch ensures that PTR records added by FreeIPA are compliant with RFC. https://fedorahosted.org/freeipa/ticket/839 Jan From 4d2b3200920c90884ddf5a2d5ae784bbe35b41d1 Mon Sep 17 00:00:00 2001 From: Jan Zeleny jzel...@redhat.com Date: Wed, 16 Feb 2011 04:47:36 -0500 Subject: [PATCH] Validate that the reverse DNS record is correct This patch ensures that PTR records added by FreeIPA are compliant with RFC. https://fedorahosted.org/freeipa/ticket/839 --- ipalib/plugins/dns.py | 10 ++ 1 files changed, 10 insertions(+), 0 deletions(-) diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py index 592945f78c59877fada5fa6c40eee3b1acb564b2..e764d6f558a6ecb0d7b732a1e51b1755beb4f7f4 100644 --- a/ipalib/plugins/dns.py +++ b/ipalib/plugins/dns.py @@ -619,6 +619,16 @@ class dnsrecord_add(LDAPCreate, dnsrecord_cmd_w_record_options): is_ns_rec_resolvable(ns) return dn +def _ptrrecord_pre_callback(self, ldap, dn, entry_attrs, *keys, **options): +components = dn.split(',',2) +addr = components[0].split('=')[1] +zone = components[1].split('=')[1].replace('.in-addr.arpa.','') + +if len(addr.split('.'))+len(zone.split('.')) != 4: +raise errors.ValidationError(name='idnsname', error=u'reversed IP address must have exactly four components') + +return dn + def pre_callback(self, ldap, dn, entry_attrs, *keys, **options): for rtype in options: rtype_cb = '_%s_pre_callback' % rtype -- 1.7.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
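Review bot: `_ptrrecord_pre_callback` parses the DN with `dn.split(',',2)` and `split('=')[1]`, which misparses DNs containing escaped commas or equals signs; use a real DN parser (python-ldap's `ldap.dn.str2dn`) instead of string splitting. `replace('.in-addr.arpa.','')` only strips the suffix when the zone is stored with a trailing dot, so an `in-addr.arpa` zone without it keeps the suffix, inflates the component count and makes the check reject a valid record. The hard-coded `!= 4` also rejects every PTR record in an `ip6.arpa` zone (32 nibble labels) with the misleading message `reversed IP address must have exactly four components`; either skip the check for zones that are not under in-addr.arpa or handle both reverse trees. Finally, the ValidationError is raised with `name='idnsname'` even when the zone, not the record name, is what makes the count wrong; include the zone in the message so the user can see which part to fix.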
[Freeipa-devel] [PATCH] 42 Add group members to default output of sudorule-show
https://fedorahosted.org/freeipa/ticket/915 Jan From d624fa6db9c652565ce2555abc0f5e915e7fac97 Mon Sep 17 00:00:00 2001 From: Jan Zeleny jzel...@redhat.com Date: Tue, 15 Feb 2011 05:03:41 -0500 Subject: [PATCH] Add group members to default output of sudorule-show https://fedorahosted.org/freeipa/ticket/915 --- ipalib/plugins/sudorule.py |4 1 files changed, 4 insertions(+), 0 deletions(-) diff --git a/ipalib/plugins/sudorule.py b/ipalib/plugins/sudorule.py index 3361ff5d0d7d07894f9d04f66acb7db6bdc88f66..a4eacd1d56b6307782034a65e9b2e7d5b341ed27 100644 --- a/ipalib/plugins/sudorule.py +++ b/ipalib/plugins/sudorule.py @@ -102,6 +102,10 @@ class sudorule(LDAPObject): label=_('Users'), flags=['no_create', 'no_update', 'no_search'], ), +Str('memberuser_group?', +label=_('Groups'), +flags=['no_create', 'no_update', 'no_search'], +), Str('memberhost_host?', label=_('Hosts'), flags=['no_create', 'no_update', 'no_search'], -- 1.7.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
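Review bot: the new `memberuser_group?` entry sits between `memberuser_user` and `memberhost_host` in the context; check whether the host-group counterpart (`memberhost_hostgroup`) needs the same treatment, since a rule whose hosts are expressed only as host groups would otherwise still show no hosts in the default output. The commit body is only the ticket URL; state that `sudorule-show` now emits an additional attribute, because anything parsing that output will see the change.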
[Freeipa-devel] [PATCH] Fix a typo in ipa-client-install man page
https://fedorahosted.org/freeipa/ticket/782 Jan From 14581a1507d846d9147799809aad2d8075eb1cb8 Mon Sep 17 00:00:00 2001 From: Jan Zeleny jzel...@redhat.com Date: Tue, 15 Feb 2011 05:56:10 -0500 Subject: [PATCH] Fix a typo in ipa-client-install man page https://fedorahosted.org/freeipa/ticket/782 --- ipa-client/man/ipa-client-install.1 |1 - 1 files changed, 0 insertions(+), 1 deletions(-) diff --git a/ipa-client/man/ipa-client-install.1 b/ipa-client/man/ipa-client-install.1 index b708496805dcb795e93e8c6d4b34168a315f4adb..3ac567845559c14a2274f79290d53c3bef028e3f 100644 --- a/ipa-client/man/ipa-client-install.1 +++ b/ipa-client/man/ipa-client-install.1 @@ -57,7 +57,6 @@ Do not configure or enable NTP. .TP \fB\-\-ntp\-server\fR=\fINTP_SERVER\fR Configure ntpd to use this NTP server. -Do not configure or enable NTP. .TP \fB\-S\fR, \fB\-\-no\-sssd\fR Do not configure the client to use SSSD for authentication, use nss_ldap instead. -- 1.7.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
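Review bot: the hunk removes the sentence `Do not configure or enable NTP.` that had been duplicated into the `\-\-ntp\-server` description; the subject calls this a typo, but "Remove duplicated line from the --ntp-server description" describes the change more accurately in the log. No issues with the hunk itself.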
[Freeipa-devel] [PATCH] Don't load the LDAP schema during startup
Loading of the schema is now performed in the first request that requires it. https://fedorahosted.org/freeipa/ticket/583 Jan From 0b1368442254cb738a95e766539fa030fe2504c8 Mon Sep 17 00:00:00 2001 From: Jan Zeleny jzel...@redhat.com Date: Tue, 15 Feb 2011 09:37:58 +0100 Subject: [PATCH] Don't load the LDAP schema during startup https://fedorahosted.org/freeipa/ticket/583 --- ipalib/plugins/baseldap.py |6 - ipaserver/plugins/ldap2.py | 49 --- 2 files changed, 32 insertions(+), 23 deletions(-) diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py index 6817af413c9c4e4ebf951e933e66449343a7d50a..a3e341172a4cf9c1e861b96b26c2151bcfe93ac0 100644 --- a/ipalib/plugins/baseldap.py +++ b/ipalib/plugins/baseldap.py @@ -379,7 +379,11 @@ class LDAPObject(Object): objectclasses += self.possible_objectclasses # Get list of available attributes for this object for use # in the ACI UI. -attrs = self.api.Backend.ldap2.schema.attribute_types(objectclasses) +schema = self.api.Backend.ldap2.get_schema() +if not schema: +attrs = [] +else: +attrs = schema.attribute_types(objectclasses) attrlist = [] # Go through the MUST first for (oid, attr) in attrs[0].iteritems(): diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py index b03c8def7416780a6dedf2a0d48358ec09ef9da3..9c689633b879072824dbb4729a89dbc5da3575cb 100644 --- a/ipaserver/plugins/ldap2.py +++ b/ipaserver/plugins/ldap2.py @@ -183,12 +183,6 @@ def get_schema(url, conn=None): return _ldap.schema.SubSchema(schema_entry[1]) -# cache schema when importing module -try: -_schema = get_schema(api.env.ldap_uri) -except AttributeError: -_schema = None - # The UPG setting will be cached the first time a module checks it _upg = None @@ -228,7 +222,6 @@ class ldap2(CrudBackend, Encoder): def __init__(self, shared_instance=True, ldap_uri=None, base_dn=None, schema=None): -global _schema CrudBackend.__init__(self, shared_instance=shared_instance) Encoder.__init__(self) self.encoder_settings.encode_dict_keys = True 
@@ -248,7 +241,7 @@ class ldap2(CrudBackend, Encoder): self.base_dn = api.env.basedn except AttributeError: self.base_dn = '' -self.schema = schema or _schema +self.schema = schema def __del__(self): if self.isconnected(): @@ -259,7 +252,9 @@ class ldap2(CrudBackend, Encoder): def get_syntax(self, attr, value): if not self.schema: -return None +self.schema = get_schema(self.ldap_uri, self.conn) +if not self.schema: +return None obj = self.schema.get_obj(_ldap.schema.AttributeType, attr) if obj is not None: return obj.syntax @@ -268,7 +263,9 @@ class ldap2(CrudBackend, Encoder): def get_allowed_attributes(self, objectclasses): if not self.schema: -return [] +self.schema = get_schema(self.ldap_uri, self.conn) +if not self.schema: +return [] allowed_attributes = [] for oc in objectclasses: obj = self.schema.get_obj(_ldap.schema.ObjectClass, oc) @@ -285,10 +282,13 @@ class ldap2(CrudBackend, Encoder): If there is a problem loading the schema or the attribute is not in the schema return None -if self.schema: -obj = self.schema.get_obj(_ldap.schema.AttributeType, attr) -return obj and obj.single_value -return None +if not self.schema: +self.schema = get_schema(self.ldap_uri, self.conn) +if not self.schema: +return None + +obj = self.schema.get_obj(_ldap.schema.AttributeType, attr) +return obj and obj.single_value @encode_args(2, 3, 'bind_dn', 'bind_pw') def create_connection(self, ccache=None, bind_dn='', bind_pw='', @@ -309,7 +309,6 @@ class ldap2(CrudBackend, Encoder): Extends backend.Connectible.create_connection. -global _schema if tls_cacertfile is not None: _ldap.set_option(_ldap.OPT_X_TLS_CACERTFILE, tls_cacertfile) if tls_certfile is not None: 
@@ -334,10 +333,10 @@ class ldap2(CrudBackend, Encoder): except _ldap.LDAPError, e: _handle_errors(e, **{}) -if self.schema is None and _schema is None: -# explicitly use setattr here so the schema can be set after -# the object is finalized. -object.__setattr__(self, 'schema', get_schema(self.ldap_uri, conn)) +# For now let's say the schema is None (will be loaded later) +# - explicitly use setattr here so the schema can be set after +# the object is finalized. +object.__setattr__(self, 'schema',
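Review bot: the baseldap.py hunk calls `self.api.Backend.ldap2.get_schema()` with no arguments, but the only `get_schema` visible in this patch is the module-level `def get_schema(url, conn=None)` in ipaserver/plugins/ldap2.py, not a method of the `ldap2` class; unless the class exposes a method of that name elsewhere, this raises AttributeError and the `if not schema` fallback never runs. The fallback itself assigns `attrs = []`, yet the unchanged `for (oid, attr) in attrs[0].iteritems():` two lines below indexes `attrs[0]`, so an empty list produces IndexError; the fallback has to return the same shape the loop expects (for example a pair of empty dicts).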
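Review bot: the lazy-load sequence `if not self.schema:` / `self.schema = get_schema(self.ldap_uri, self.conn)` / `if not self.schema: return ...` is repeated verbatim in `get_syntax`, `get_allowed_attributes` and `get_single_value`; factor it into one helper so the three stay in sync and so any LDAPError from the subschema fetch, and the case where `self.conn` does not exist yet because `create_connection` has not run, are handled in one place. Removing the module-level `_schema` also means every `ldap2` instance now fetches the subschema once per instance rather than once per process; if instances are created per request that is an extra LDAP round-trip each time, so consider keeping a process-wide cache that is filled lazily on first use instead of at import time. The final hunk is cut off in the archive after `object.__setattr__(self, 'schema',`, so the replacement of the conditional load cannot be reviewed here.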
[Freeipa-devel] [PATCH] 44 Fixes in ipa-join man page
https://fedorahosted.org/freeipa/ticket/784 https://fedorahosted.org/freeipa/ticket/786 https://fedorahosted.org/freeipa/ticket/787 Jan From d9fed7217b7cb599089f5d3e1d16820c080b2cd6 Mon Sep 17 00:00:00 2001 From: Jan Zeleny jzel...@redhat.com Date: Tue, 15 Feb 2011 08:22:13 -0500 Subject: [PATCH] Fixes in ipa-join man page https://fedorahosted.org/freeipa/ticket/784 https://fedorahosted.org/freeipa/ticket/786 https://fedorahosted.org/freeipa/ticket/787 --- ipa-client/ipa-join.c | 14 +++--- ipa-client/man/ipa-join.1 |8 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/ipa-client/ipa-join.c b/ipa-client/ipa-join.c index 86b1bd122064ebe4832225cfa2bc65f80a69da00..1fb544cd21634e6e39c429637d0d7a7eb0b21c3c 100644 --- a/ipa-client/ipa-join.c +++ b/ipa-client/ipa-join.c 
@@ -1035,19 +1035,19 @@ main(int argc, const char **argv) { int unenroll = 0; struct poptOption options[] = { { debug, 'd', POPT_ARG_NONE, debug, 0, - _(Print the raw XML-RPC output), _(XML-RPC debugging Output) }, + _(Print the raw XML-RPC output in GSSAPI mode), NULL }, { quiet, 'q', POPT_ARG_NONE, quiet, 0, - _(Print as little as possible), _(Output only on errors) }, + _(Quiet mode. Only errors are displayed.), NULL }, { unenroll, 'u', POPT_ARG_NONE, unenroll, 0, - _(Unenroll this host), _(Unenroll this host from IPA server) }, + _(Unenroll this host from IPA server), NULL }, { hostname, 'h', POPT_ARG_STRING, hostname, 0, - _(Use this hostname instead of the node name), _(Host Name) }, + _(Hostname of this server), _(hostname) }, { server, 's', POPT_ARG_STRING, server, 0, - _(IPA Server to use), _(IPA Server Name) }, + _(IPA Server to use), _(hostame) }, { keytab, 'k', POPT_ARG_STRING, keytab, 0, - _(File were to store the keytab information), _(Keytab File Name) }, + _(File were to store the keytab information), _(filename) }, { bindpw, 'w', POPT_ARG_STRING, bindpw, 0, - _(LDAP password), _(password to use if not using kerberos) }, + _(LDAP password (if not using Kerberos)), _(password) }, POPT_AUTOHELP POPT_TABLEEND }; diff --git a/ipa-client/man/ipa-join.1 b/ipa-client/man/ipa-join.1 index 47d5966db48b1e07d2a09fd98d20b553aeaf687f..201a80085a3edcf7ef290850bf2fd1a713b23618 100644 --- a/ipa-client/man/ipa-join.1 +++ b/ipa-client/man/ipa-join.1 
@@ -20,7 +20,7 @@ .SH NAME ipa\-join \- Join a machine to an IPA realm and get a keytab for the host service principal .SH SYNOPSIS -ipa\-join [ \fB\-h\fR hostname ] [ \fB\-k\fR keytab\-file ] [ \fB\-s\fR server ] [ \fB\-w\fR bulk\-bind\-password ] [\fB\-u\fR] [ \fB\-d\fR ] [ \fB\-q\fR ] +ipa\-join [\fB\-d\fR|\fB\-\-debug\fR] [\fB\-q\fR|\fB\-\-quiet\fR] [\fB\-u\fR|\fB\-\-unenroll\fR] [\fB\-h\fR|\fB\-\-hostname\fR hostname] [\fB\-s\fR|\fB\-\-server\fR hostame] [\fB\-k\fR|\fB\-\-keytab\fR filename] [\fB\-w\fR|\fB\-\-bindpw\fR password] [\fB\-?\fR|\fB\-\-help\fR] [\fB\-\-usage\fR] .SH DESCRIPTION Joins a host to an IPA realm and retrieves a kerberos \fIkeytab\fR for the host service principal, or unenrolls an enrolled host from an IPA server. @@ -48,13 +48,13 @@ The reverse is unenrollment. Unenrolling a host removes the Kerberos key on the The hostname of this server (FQDN). By default of nodename from uname(2) is used. .TP \fB\-s,\-\-server server\fR -The hostname of this server (FQDN). By default of nodename from uname(2) is used. +The hostname of IPA server (FQDN). By default it is read from /etc/ipa/default.conf. .TP \fB\-k,\-\-keytab keytab\-file\fR The keytab file where to append the new key (will be created if it does not exist). Default: /etc/krb5.keytab .TP \fB\-w,\-\-bindpw password\fR -The password to use if not using kerberos to authenticate +The password to use if not using kerberos to authenticate. Use a password of this particular host (one time password created on IPA server) .TP \fB\-u,\-\-unenroll\fR Unenroll this host from the IPA server @@ -63,7 +63,7 @@ Unenroll this host from the IPA server Quiet mode. Only errors are displayed. .TP \fB\-d,\-\-debug\fR -Debug mode. +Print the raw XML-RPC output in GSSAPI mode. .SH EXAMPLES Join IPA domain and retrieve a keytab with kerberos credentials. -- 1.7.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
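Review bot: two typos in the new strings of the ipa-join.c hunk: the argument placeholder for `--server` reads `_(hostame)` and should be `_(hostname)`, and `File were to store the keytab information` should be `where`. The `--debug` description now says `in GSSAPI mode`; if raw XML-RPC output is only produced on the GSSAPI path, spell that out, otherwise the qualifier just raises a question the reader cannot answer.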
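Review bot: the SYNOPSIS line in the ipa-join.1 hunk carries the same `hostame` typo after `\fB\-\-server\fR`; fix it together with the .c string. The new `\-s` text `By default it is read from /etc/ipa/default.conf.` only holds on a host that already has that file, which is exactly what an unenrolled host lacks, so say under which condition the default applies. The unchanged `\-h` context line `By default of nodename from uname(2) is used.` has a stray `of` worth fixing while the neighbouring lines are edited.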
Re: [Freeipa-devel] [PATCH] 44 Fixes in ipa-join man page
David O'Brien dav...@redhat.com wrote: Jan Zelený wrote: https://fedorahosted.org/freeipa/ticket/784 https://fedorahosted.org/freeipa/ticket/786 https://fedorahosted.org/freeipa/ticket/787 Jan nack A few typos and style issues: - _(File were to store the keytab information), _(Keytab File Name) }, + _(File were to store the keytab information), _(filename) }, s/were/where I would actually reword it: Specifies where to store keytab information. s/kerberos/Kerberos/g (unless lowercase is required for some reason.) +The hostname of IPA server (FQDN). The hostname of the IPA server (FQDN). Join IPA domain and retrieve a keytab with kerberos credentials. Join an IPA domain and retrieve a keytab using Kerberos credentials. Ok, here is the second version of the patch. David, not all changes you proposed are in the patch, I believe they are out of its scope. If we go this way, I think a review should be done for all man pages, so we don't fix just a couple of mistakes in this page and leave the same mistakes in other man pages. Jan From d9fed7217b7cb599089f5d3e1d16820c080b2cd6 Mon Sep 17 00:00:00 2001 From: Jan Zeleny jzel...@redhat.com Date: Tue, 15 Feb 2011 08:22:13 -0500 Subject: [PATCH] Fixes in ipa-join man page https://fedorahosted.org/freeipa/ticket/784 https://fedorahosted.org/freeipa/ticket/786 https://fedorahosted.org/freeipa/ticket/787 --- ipa-client/ipa-join.c | 14 +++--- ipa-client/man/ipa-join.1 |8 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/ipa-client/ipa-join.c b/ipa-client/ipa-join.c index 86b1bd122064ebe4832225cfa2bc65f80a69da00..1fb544cd21634e6e39c429637d0d7a7eb0b21c3c 100644 --- a/ipa-client/ipa-join.c +++ b/ipa-client/ipa-join.c 
@@ -1035,19 +1035,19 @@ main(int argc, const char **argv) { int unenroll = 0; struct poptOption options[] = { { debug, 'd', POPT_ARG_NONE, debug, 0, - _(Print the raw XML-RPC output), _(XML-RPC debugging Output) }, + _(Print the raw XML-RPC output in GSSAPI mode), NULL }, { quiet, 'q', POPT_ARG_NONE, quiet, 0, - _(Print as little as possible), _(Output only on errors) }, + _(Quiet mode. Only errors are displayed.), NULL }, { unenroll, 'u', POPT_ARG_NONE, unenroll, 0, - _(Unenroll this host), _(Unenroll this host from IPA server) }, + _(Unenroll this host from IPA server), NULL }, { hostname, 'h', POPT_ARG_STRING, hostname, 0, - _(Use this hostname instead of the node name), _(Host Name) }, + _(Hostname of this server), _(hostname) }, { server, 's', POPT_ARG_STRING, server, 0, - _(IPA Server to use), _(IPA Server Name) }, + _(IPA Server to use), _(hostname) }, { keytab, 'k', POPT_ARG_STRING, keytab, 0, - _(File were to store the keytab information), _(Keytab File Name) }, + _(Specifies where to store keytab information.), _(filename) }, { bindpw, 'w', POPT_ARG_STRING, bindpw, 0, - _(LDAP password), _(password to use if not using kerberos) }, + _(LDAP password (if not using Kerberos)), _(password) }, POPT_AUTOHELP POPT_TABLEEND }; diff --git a/ipa-client/man/ipa-join.1 b/ipa-client/man/ipa-join.1 index 47d5966db48b1e07d2a09fd98d20b553aeaf687f..201a80085a3edcf7ef290850bf2fd1a713b23618 100644 --- a/ipa-client/man/ipa-join.1 +++ b/ipa-client/man/ipa-join.1 
@@ -20,7 +20,7 @@ .SH NAME ipa\-join \- Join a machine to an IPA realm and get a keytab for the host service principal .SH SYNOPSIS -ipa\-join [ \fB\-h\fR hostname ] [ \fB\-k\fR keytab\-file ] [ \fB\-s\fR server ] [ \fB\-w\fR bulk\-bind\-password ] [\fB\-u\fR] [ \fB\-d\fR ] [ \fB\-q\fR ] +ipa\-join [\fB\-d\fR|\fB\-\-debug\fR] [\fB\-q\fR|\fB\-\-quiet\fR] [\fB\-u\fR|\fB\-\-unenroll\fR] [\fB\-h\fR|\fB\-\-hostname\fR hostname] [\fB\-s\fR|\fB\-\-server\fR hostame] [\fB\-k\fR|\fB\-\-keytab\fR filename] [\fB\-w\fR|\fB\-\-bindpw\fR password] [\fB\-?\fR|\fB\-\-help\fR] [\fB\-\-usage\fR] .SH DESCRIPTION Joins a host to an IPA realm and retrieves a kerberos \fIkeytab\fR for the host service principal, or unenrolls an enrolled host from an IPA server. @@ -48,13 +48,13 @@ The reverse is unenrollment. Unenrolling a host removes the Kerberos key on the The hostname of this server (FQDN). By default of nodename from uname(2) is used. .TP \fB\-s,\-\-server server\fR -The hostname of this server (FQDN). By default of nodename from uname(2) is used. +The hostname of the IPA server (FQDN). Note that by default there is no /etc/ipa/default.conf, in most cases it needs to be supplied. .TP \fB\-k,\-\-keytab keytab\-file\fR The keytab file where to append the new key (will be created if it does not exist). Default: /etc/krb5.keytab .TP \fB\-w,\-\-bindpw password\fR -The password to use if not using kerberos to authenticate +The password to use if not using Kerberos to authenticate. Use a password of this particular
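Review bot: the `hostame` typo survives in the ipa-join.1 SYNOPSIS hunk (`\fB\-\-server\fR hostame`) even though the .c hunk now reads `_(hostname)`. In the `\-s` description, `Note that by default there is no /etc/ipa/default.conf, in most cases it needs to be supplied.` is a comma splice; `..., so in most cases it needs to be supplied.` Combining v1 and v2 ("read from /etc/ipa/default.conf if present; an unenrolled host has no such file, so it usually must be given") states both facts without contradiction. The `From d9fed7217b7cb599089f5d3e1d16820c080b2cd6` header is identical to v1 although the content differs, so regenerate the patch with git format-patch rather than editing it by hand. The text is cut off in the archive after `Use a password of this particular`, so the rest of the hunk cannot be reviewed.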
Re: [Freeipa-devel] [PATCH] Updated default Kerberos password policy
Jan Zeleny jzel...@redhat.com wrote:
Rob Crittenden rcrit...@redhat.com wrote:
Jan Zelený wrote:
https://fedorahosted.org/freeipa/ticket/930
I put there a value Dmitri suggested. Feel free to change it before pushing if you think there should be the originally suggested 10 login attempts.
We want to increase krbPwdLockoutDuration too, to 600.
rob
Sorry, I didn't realize it was in seconds. I just saw 10 and figured it's ok, it's already there. Anyway, I'm sending the updated patch.

Just a reminder that this patch needs to be re-reviewed.
Thanks
Jan
Re: [Freeipa-devel] [PATCH] 713 handle failed passwords in tools
Rob Crittenden rcrit...@redhat.com wrote:
Handle bad DM password in ipa-host-net-manage and ipa-compat-manage. This was resulting in a traceback because while conn was not None it wasn't connected either.
ticket 920
rob

ack
jan
[Freeipa-devel] [PATCH] Code cleanup
Hi, I'd like to propose this cleanup patch. I just noticed that the code in these two files is most likely not used any more (at least I didn't find a place where it is used). What do you think? Is it safe to throw it out? Or are there some places which are still using it? I'd be more than happy to move parts that are used somewhere else and delete the rest. -- Thank you Jan Zeleny Red Hat Software Engineer Brno, Czech Republic From 3c243e529694b5b9c959cbba798fe3121ebb9237 Mon Sep 17 00:00:00 2001 From: Jan Zeleny jzel...@redhat.com Date: Mon, 14 Feb 2011 07:17:10 -0500 Subject: [PATCH] Code cleanup This patch removes two files which seem to be long obsoleted and not used any more. --- ipaserver/plugins/ldapapi.py | 445 - ipaserver/servercore.py | 448 -- 2 files changed, 0 insertions(+), 893 deletions(-) delete mode 100644 ipaserver/plugins/ldapapi.py delete mode 100644 ipaserver/servercore.py diff --git a/ipaserver/plugins/ldapapi.py b/ipaserver/plugins/ldapapi.py deleted file mode 100644 index 1ef84579cd5a5d896f8a259e5c531931339ec3e9.. --- a/ipaserver/plugins/ldapapi.py +++ /dev/null 
@@ -1,445 +0,0 @@ -# Authors: -# Rob Crittenden rcrit...@redhat.com -# Jason Gerard DeRose jder...@redhat.com -# -# Copyright (C) 2008 Red Hat -# see file 'COPYING' for use and warranty information -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see http://www.gnu.org/licenses/. - - -Backend plugin for LDAP. - -This wraps the python-ldap bindings. - - -import ldap as _ldap -from ipalib import api -from ipalib import errors -from ipalib.crud import CrudBackend -from ipaserver import servercore, ipaldap -import krbV - - -class ldap(CrudBackend): - -LDAP backend plugin. - - -def __init__(self): -self.dn = _ldap.dn -super(ldap, self).__init__() - -def create_connection(self, ccache): -if ccache is None: -raise errors.CCacheError() -conn = ipaldap.IPAdmin(self.env.ldap_host, self.env.ldap_port) -principal = krbV.CCache( -name=ccache, context=krbV.default_context() -).principal().name -conn.set_krbccache(ccache, principal) -return conn - -def destroy_connection(self): -self.conn.unbind_s() - -def make_user_dn(self, uid): - -Construct user dn from uid. - -return 'uid=%s,%s,%s' % ( -self.dn.escape_dn_chars(uid), -self.api.env.container_user, -self.api.env.basedn, -) - -def make_group_dn(self, cn): - -Construct group dn from cn. - -return 'cn=%s,%s,%s' % ( -self.dn.escape_dn_chars(cn), -self.api.env.container_group, -self.api.env.basedn, -) - -def make_hostgroup_dn(self, cn): - -Construct group of hosts dn from cn. 
- -return 'cn=%s,%s,%s' % ( -self.dn.escape_dn_chars(cn), -self.api.env.container_hostgroup, -self.api.env.basedn, -) - -def make_taskgroup_dn(self, cn): - -Construct group of tasks dn from cn. - -return 'cn=%s,%s,%s' % ( -self.dn.escape_dn_chars(cn), -self.api.env.container_taskgroup, -self.api.env.basedn, -) - -def make_service_dn(self, principal): - -Construct service principal dn from principal name - -return 'krbprincipalname=%s,%s,%s' % ( -self.dn.escape_dn_chars(principal), -self.api.env.container_service, -self.api.env.basedn, -) - -def make_host_dn(self, hostname): - -Construct host dn from hostname - -return 'fqdn=%s,%s,%s' % ( -self.dn.escape_dn_chars(hostname), -self.api.env.container_host, -self.api.env.basedn, -) - -def make_application_dn(self, appname): - -Construct application dn from cn. - -return 'cn=%s,%s,%s' % ( -self.dn.escape_dn_chars(appname), -self.api.env.container_applications, -self.api.env.basedn, -) - -def make_policytemplate_dn(self, appname, uuid): - -Construct policytemplate dn from appname - -
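Review bot: the deleted ipaserver/plugins/ldapapi.py imports `servercore` and `ipaldap` from `ipaserver`, and `servercore.py` goes in the same patch, so the two removals are self-consistent; but the commit message (`seem to be long obsoleted and not used any more`) is hedged. Record in the message how unused status was established (no remaining importers of `ldapapi` or `servercore` in the tree, and a passing test run), so the removal can be justified from the log alone. The diff is truncated in the archive in the middle of `make_policytemplate_dn`, so the remaining deletions are not visible here.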
Re: [Freeipa-devel] [PATCH] 715 ensure required variables are required
Rob Crittenden rcrit...@redhat.com wrote:
Yi found a tricky way to remove required attributes that aren't required in the schema. The problem was we weren't enforcing parameter.required in mods (because it was enforcing that every variable with required be provided). I added a new check routine that is executed after setattr/addattr does its work and verifies that no required parameters get skipped.
ticket 852
rob

Looks fine, works as expected. ACK
I'm just not sure whether it is necessary to call the function twice - once on self.params and once on self.obj.params (I get the latter one, but I'm not sure whether the former one is necessary).
Jan
Re: [Freeipa-devel] [PATCH] 715 ensure required variables are required
Jan Zelený jzel...@redhat.com wrote:
Rob Crittenden rcrit...@redhat.com wrote:
Yi found a tricky way to remove required attributes that aren't required in the schema. The problem was we weren't enforcing parameter.required in mods (because it was enforcing that every variable with required be provided). I added a new check routine that is executed after setattr/addattr does its work and verifies that no required parameters get skipped.
ticket 852
rob
Looks fine, works as expected. ACK
I'm just not sure whether it is necessary to call the function twice - once on self.params and once on self.obj.params (I get the latter one, but I'm not sure whether the former one is necessary).
Jan

One more thing - I'm not sure whether it is necessary to add the check to LDAPCreate - I tried to create a role with empty description and it failed as expected.
Jan
Re: [Freeipa-devel] [PATCH] 051 Remove obsolete record types from DNS
Jakub Hrozek jhro...@redhat.com wrote:
https://fedorahosted.org/freeipa/ticket/923

Patch looks good. I'm running some tests. Unless they fail, ACK
Jan
Re: [Freeipa-devel] [PATCH] 718 move files in packages
Rob Crittenden rcrit...@redhat.com wrote:
Move a bunch of utilities that really only make sense to be run on the server from the admintools package to the server package.
ticket 947
rob

ack
Jan
Re: [Freeipa-devel] [PATCH] 719 permission for cn=ipaconfig
Rob Crittenden rcrit...@redhat.com wrote:
Add permission and privilege for updating the IPA configuration in cn=ipaconfig.
ticket 950
rob

I'm not quite sure how the patch works. In particular, I wonder about these two blocks:
+dn: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX
+default:objectClass: top
+default:objectClass: groupofnames
+default:objectClass: nestedgroup
+default:cn: Write IPA Configuration
+
+dn: cn=Write IPA Configuration,cn=permissions,cn=pbac,$SUFFIX
+default:objectClass: top
+default:objectClass: groupofnames
+default:objectClass: ipapermission
+default:cn: Write IPA Configuration
+default:member: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX
Can't they be specified in one block like:
+dn: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX
+default:objectClass: top
+default:objectClass: groupofnames
+default:objectClass: nestedgroup
+default:objectClass: ipapermission
+default:cn: Write IPA Configuration
+default:member: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX
Thanks in advance

Otherwise the patch looks good, so if this is not an issue, I give it ACK.
Jan
Re: [Freeipa-devel] [PATCH] 716 ignore case when removing members
Rob Crittenden rcrit...@redhat.com wrote: Ignore case when removing members from a group. ticket 944 rob ack Jan
Re: [Freeipa-devel] [PATCH] 719 permission for cn=ipaconfig
Martin Kosek mko...@redhat.com wrote: On Mon, 2011-02-14 at 14:37 +0100, Jan Zelený wrote: Rob Crittenden rcrit...@redhat.com wrote: Add permission and privilege for updating the IPA configuration in cn=ipaconfig. ticket 950 rob I'm not quite sure how the patch works. In particular, I wonder about these two blocks: +dn: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX +default:objectClass: top +default:objectClass: groupofnames +default:objectClass: nestedgroup +default:cn: Write IPA Configuration + +dn: cn=Write IPA Configuration,cn=permissions,cn=pbac,$SUFFIX +default:objectClass: top +default:objectClass: groupofnames +default:objectClass: ipapermission +default:cn: Write IPA Configuration +default:member: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX Can't they be specified in one block like: +dn: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX +default:objectClass: top +default:objectClass: groupofnames +default:objectClass: nestedgroup +default:objectClass: ipapermission +default:cn: Write IPA Configuration +default:member: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX Thanks in advance Otherwise the patch looks good, so if this is not an issue, I give it ACK. Jan I think this is OK. We are adding 2 objects - one permission called Write IPA Configuration (with an underlying ACI) and one privilege also called Write IPA Configuration. Therefore they cannot be merged to one LDAP object. Oh, sorry, I didn't see that one object is a privilege and the other one is a permission. Jan
Re: [Freeipa-devel] [PATCH] 75 Display error messages for failed manageby in service-add/remove-host.
Pavel Zuna pz...@redhat.com wrote: Fix #830 Pavel ack Jan
Re: [Freeipa-devel] [PATCH] 76 Fallback to default locale (en_US) if env. setting is corrupt.
Pavel Zuna pz...@redhat.com wrote: This is a follow-up to my patches 69 and 71 (70 is garbage). It prevents a crash when a user misconfigures his locale settings. Pavel ack Jan
Re: [Freeipa-devel] [PATCH] 78 Use ldapi: instead of unsecured ldap: in ipa core tools.
Pavel Zuna pz...@redhat.com wrote: On 02/08/2011 01:06 PM, Pavel Zuna wrote: The patch also corrects exception handling in some of the tools. Fix #874 Pavel Updated patch attached. Forgot to rename an identifier in exception handling. Pavel ack Jan
[Freeipa-devel] [PATCH] Updated default Kerberos password policy
https://fedorahosted.org/freeipa/ticket/930 I put in the value Dmitri suggested. Feel free to change it before pushing if you think there should be the originally suggested 10 login attempts. -- Thank you Jan Zeleny Red Hat Software Engineer Brno, Czech Republic From bc08a4bc646ca7947fad4b91762af98f19cc259f Mon Sep 17 00:00:00 2001 From: Jan Zeleny jzel...@redhat.com Date: Thu, 10 Feb 2011 08:02:27 -0500 Subject: [PATCH] Updated default Kerberos password policy https://fedorahosted.org/freeipa/ticket/930 --- install/share/default-pwpolicy.ldif |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/install/share/default-pwpolicy.ldif b/install/share/default-pwpolicy.ldif index 9d3d8a755f38ee2db9ad0eb6df32dff3dea187db..8c4f8199c0a770b84b4133da5a0d71be2ffebe55 100644 --- a/install/share/default-pwpolicy.ldif +++ b/install/share/default-pwpolicy.ldif @@ -8,7 +8,7 @@ krbPwdMinDiffChars: 0 krbPwdMinLength: 8 krbPwdHistoryLength: 0 krbMaxPwdLife: 7776000 -krbPwdMaxFailure: 3 +krbPwdMaxFailure: 6 krbPwdFailureCountInterval: 60 krbPwdLockoutDuration: 10 -- 1.7.4
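Review bot: the hunk raises krbPwdMaxFailure from 3 to 6 but leaves krbPwdFailureCountInterval: 60 and krbPwdLockoutDuration: 10 as they are, and neither the commit message nor the cover note says why 6 was picked over the 10 that was originally suggested; with a 10-second lockout the threshold directly sets how many guesses per lockout period a remote guesser gets, so the rationale belongs in the commit message. Also, since the only file touched is install/share/default-pwpolicy.ldif, state whether existing installations are expected to keep the old value or receive it through an update.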
Re: [Freeipa-devel] [PATCH] 049 Make nsslib IPv6 aware
Jakub Hrozek jhro...@redhat.com wrote: On Thu, Feb 03, 2011 at 02:23:11PM +0100, Jan Zelený wrote: Jakub Hrozek jhro...@redhat.com wrote: Hi, attached is a patch to nsslib.py that changes its semantics so it is able to work with different address families. It is the last piece of IPv6 support. Aside from the hunks in the patch, I still need to set Requires: in the patch (don't know the exact version yet). Also, the attached patch always tries IPv4 first and only falls back to IPv6. I think there should be a config option that tells IPA to prefer one of the address families or use it exclusively for performance reasons. Please note that the patch requires the latest changes to python-nss in order to work correctly. Since John is still working on python-nss packages, this patch should be treated as a preview and not pushed even if it is deemed OK. At this stage, I'd like to get at least the general approach and code reviewed so I can fix it tomorrow. Thank you, Jakub The patch looks ok, all my questions answered off-list. Also tested with IPv4 (latest python-nss installed) and IPv6, both work fine. ACK Jan Thanks for the review. But attached is a new version of the patch that changes the semantics a little based on what's recommended by the new version of python-nss: don't construct the NetworkAddress object manually, but rather resolve the hostname using the AddrInfo object and then try connecting to the list of NetworkAddress objects manually. Changes consulted off-list, the patch looks good. Will do some more testing on RHEL6. Unless I find some issues, this patch is ACKed. Jan
Re: [Freeipa-devel] [PATCH] 026 HBAC plugin inconsistent output
Martin Kosek mko...@redhat.com wrote: On Mon, 2011-02-07 at 10:38 +0100, Jan Zelený wrote: Martin Kosek mko...@redhat.com wrote: This patch adds a proper summary text to HBAC command which is then printed out in CLI. Now, HBAC plugin output is consistent with other plugins. https://fedorahosted.org/freeipa/ticket/596 I believe API.txt should be updated (you change hbacrule_enable and hbacrule_disable return values), so NACK for now. Jan Patch has been rebased, API.txt updated along with some minor changes to achieve consistency between HBAC plugins. All tests pass. Martin Looks good now, ack Jan
Re: [Freeipa-devel] [PATCH] 74 Fix crash in DNS installer.
Pavel Zuna pz...@redhat.com wrote: Fix #927 Pavel Ack Jan
Re: [Freeipa-devel] [PATCH] 705 make main selfservice aci visible
Rob Crittenden rcrit...@redhat.com wrote: The main aci that grants users the ability to manage themselves wasn't visible to the selfservice plugin. Move the location of the aci and fix the description. ticket 934 rob ack Jan
Re: [Freeipa-devel] [PATCH] 702 add entitlement API
Rob Crittenden rcrit...@redhat.com wrote: The entitlement plugin was being skipped completely if the python-rhsm package wasn't installed. We want to let it limp through if the package isn't installed but we're doing API validation. ticket 919 rob Patch looks and applies ok, installation and subsequent behavior works as expected (both with and without python-rhsm package), validation as well. ACK Jan
Re: [Freeipa-devel] [PATCH] 026 HBAC plugin inconsistent output
Martin Kosek mko...@redhat.com wrote: This patch adds a proper summary text to HBAC command which is then printed out in CLI. Now, HBAC plugin output is consistent with other plugins. https://fedorahosted.org/freeipa/ticket/596 I believe API.txt should be updated (you change hbacrule_enable and hbacrule_disable return values), so NACK for now. Jan
Re: [Freeipa-devel] [PATCH] Fixed command delegation-show
Jakub Hrozek jhro...@redhat.com wrote: On Fri, Feb 04, 2011 at 06:40:54PM +0100, Jan Zeleny wrote: Recent changes in permission prefixes also influenced delegations. The plugin has been updated accordingly, but this one line has been forgotten. Jan I think it is not needed, the only command preceding return from the function is is_delegation() that has the value of aciprefix hardcoded. Jakub Sorry, withdrawing the patch. I originally made it because delegation-show didn't work for me, but it was probably only a typo on the command line or something. The code is indeed ok. Thanks for catching that. Jan
Re: [Freeipa-devel] [PATCH] 022 Inconsistent error message for ipa group-detach
Martin Kosek mko...@redhat.com wrote: When attempting to detach a private group that doesn't exist, the error message returned is not consistent with the error returned by the other topic commands. This patch adds a standard message. https://fedorahosted.org/freeipa/ticket/291 ack Jan
Re: [Freeipa-devel] [PATCH] 700 update some minimum versions
Rob Crittenden rcrit...@redhat.com wrote: Update min version of 389-ds-base, mod_nss and selinux-policy. As of this writing the selinux-policy update hasn't actually gone out to updates-testing so I'm going to hold onto this even if I get an ack. The selinux-policy update is needed to fix slapi-nis working as an nis responder. rob Seems good, build and installation on F14 works. ACK Jan
Re: [Freeipa-devel] [PATCH] 049 Make nsslib IPv6 aware
Jakub Hrozek jhro...@redhat.com wrote: Hi, attached is a patch to nsslib.py that changes its semantics so it is able to work with different address families. It is the last piece of IPv6 support. Aside from the hunks in the patch, I still need to set Requires: in the patch (don't know the exact version yet). Also, the attached patch always tries IPv4 first and only falls back to IPv6. I think there should be a config option that tells IPA to prefer one of the address families or use it exclusively for performance reasons. Please note that the patch requires the latest changes to python-nss in order to work correctly. Since John is still working on python-nss packages, this patch should be treated as a preview and not pushed even if it is deemed OK. At this stage, I'd like to get at least the general approach and code reviewed so I can fix it tomorrow. Thank you, Jakub The patch looks ok, all my questions answered off-list. Also tested with IPv4 (latest python-nss installed) and IPv6, both work fine. ACK Jan
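The two nsslib messages above describe the connection strategy (resolve the host to all of its addresses first, then walk the list, with a possible option to prefer one family or use it exclusively). The following is an added illustration of that strategy, not FreeIPA's nsslib.py or python-nss code: it uses the standard socket module, the names connect_any, order_by_family, fake_resolver and v6_only_connector are this example's own, and FAKE_ADDRINFO holds constructed documentation-range addresses so the block runs offline.

```python
"""Resolve-then-try connection helper (added example, not project code).

Mirrors the approach discussed for nsslib.py: ask the resolver for every
address of the host, optionally move one address family to the front or
restrict to it, then try each address in turn and report all failures if
none accepts the connection."""
import socket
from typing import Callable, List, Optional, Tuple

AddrInfo = Tuple[int, int, int, str, tuple]   # shape of a getaddrinfo() entry


def order_by_family(infos: List[AddrInfo], prefer: Optional[int]) -> List[AddrInfo]:
    """Addresses of the preferred family first, the rest kept as fallbacks in
    resolver order.  prefer=None leaves the resolver's order untouched."""
    if prefer is None:
        return list(infos)
    return sorted(infos, key=lambda ai: ai[0] != prefer)   # stable: False sorts first


def _tcp_connect(family: int, sockaddr: tuple, timeout: float):
    """Open one TCP connection; close the socket on failure so a failed IPv4
    attempt does not leak a descriptor while we move on to IPv6 (or vice versa)."""
    sock = socket.socket(family, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect(sockaddr)
    except OSError:
        sock.close()
        raise
    return sock


def connect_any(host: str, port: int, prefer: Optional[int] = None,
                only: bool = False, timeout: float = 10.0,
                resolver: Callable = socket.getaddrinfo,
                connector: Optional[Callable] = None):
    """Return (connection, family, sockaddr) for the first address that
    accepts a connection.  only=True uses the preferred family exclusively.
    Raises OSError listing every per-address failure when nothing works."""
    if connector is None:
        connector = lambda fam, addr: _tcp_connect(fam, addr, timeout)
    candidates = order_by_family(resolver(host, port, 0, socket.SOCK_STREAM), prefer)
    if only and prefer is not None:
        candidates = [ai for ai in candidates if ai[0] == prefer]
    if not candidates:
        raise OSError("no usable address for %s" % host)
    failures = []
    for family, _socktype, _proto, _canon, sockaddr in candidates:
        try:
            return connector(family, sockaddr), family, sockaddr
        except OSError as exc:
            failures.append("%s: %s" % (sockaddr[0], exc))
    raise OSError("could not connect to %s: %s" % (host, "; ".join(failures)))


# --- constructed sample data so the example runs offline ---------------------
FAKE_ADDRINFO: List[AddrInfo] = [
    (socket.AF_INET, socket.SOCK_STREAM, socket.IPPROTO_TCP, "", ("192.0.2.10", 389)),
    (socket.AF_INET6, socket.SOCK_STREAM, socket.IPPROTO_TCP, "", ("2001:db8::10", 389, 0, 0)),
]


def fake_resolver(host, port, family=0, socktype=0, proto=0, flags=0):
    """Stand-in for socket.getaddrinfo returning the constructed records."""
    return list(FAKE_ADDRINFO)


def v6_only_connector(family, sockaddr):
    """Stand-in for a network where only the IPv6 address is reachable."""
    if family != socket.AF_INET6:
        raise OSError("network unreachable")
    return "connected"


if __name__ == "__main__":
    _, _, addr = connect_any("ipa.example.test", 389,
                             resolver=fake_resolver, connector=v6_only_connector)
    print("IPv4 failed, fell back to", addr[0])
    _, _, addr = connect_any("ipa.example.test", 389, prefer=socket.AF_INET6,
                             resolver=fake_resolver, connector=v6_only_connector)
    print("preferred family tried first:", addr[0])
```

Against a real host, drop the resolver and connector arguments and connect_any uses socket.getaddrinfo and a plain TCP connect; the prefer/only pair is the config option the thread asks for.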
Re: [Freeipa-devel] [PATCH] Fix crash in ipa help for NO_CLI plugins.
Pavel Zuna pz...@redhat.com wrote: Fix #854 Pavel ack Jan
Re: [Freeipa-devel] [PATCH] Fix minor bug in host-add logic.
Pavel Zuna pz...@redhat.com wrote: Fix #798 Pavel ack Jan
Re: [Freeipa-devel] [PATCH] Changed dns permission types
Rob Crittenden rcrit...@redhat.com wrote: Jan Zelený wrote: Jan Zelený jzel...@redhat.com wrote: Rob Crittenden rcrit...@redhat.com wrote: Jan Zelený wrote: Rob Crittenden rcrit...@redhat.com wrote: Jan Zelený wrote: Recent change of DNS module to version caused that dns object type was replaced by dnszone and dnsrecord. This patch corrects dns types in permissions class. https://fedorahosted.org/freeipa/ticket/646 Nack. These values need to be added as valid types to the aci plugin and the _type_map needs to be updated. rob I'm sending an updated patch. Jan Since dnszone and dnsrecord point to the same kind of entry what is the point of having two separate names for them? When we read the entry we aren't going to be able to differentiate between the two. I didn't take a look at how the type thing works, so I'm kinda guessing here (please ignore the comment if it is wrong): Sure, an object with the idnszone class is always also in the dnsrecord class, but that's not the case backwards (an idnsrecord object isn't always idnszone) - so I think it is possible to set different ACIs for these two types. Can the type be made more specific? If the mapping doesn't distinguish object classes and it can, maybe that's the answer. Will investigate further. But if not, I still think this is the way to go considering the underlying issue which we tried to solve by this change. From what I found I think that making the changes necessary to distinguish dnsrecord and dnszone is not worth it, especially since a user can use a filter for that purpose. Since having both of them doesn't have any additional value, I'm sending a new version of the patch, which is only adding the dnsrecord type. Jan Ack but this patch needs a rebase. rob Rebased patch attached Jan From 0b7c6ddbc5e40e802357c01fb4d568965b77165e Mon Sep 17 00:00:00 2001 
From: Jan Zeleny jzel...@redhat.com Date: Thu, 13 Jan 2011 17:32:57 +0100 Subject: [PATCH] Changed dns permission types Recent change of DNS module to version caused that dns object type was replaced by dnszone and dnsrecord. This patch corrects dns types in permissions class. https://fedorahosted.org/freeipa/ticket/646 --- ipalib/plugins/aci.py|5 +++-- ipalib/plugins/permission.py |2 +- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/ipalib/plugins/aci.py b/ipalib/plugins/aci.py index 939fe535ab01bec9be0caa1952b4a36123bcc2db..d7765488fa1c48d618030564d652a90143bd0123 100644 --- a/ipalib/plugins/aci.py +++ b/ipalib/plugins/aci.py @@ -135,7 +135,7 @@ _type_map = { 'hostgroup': 'ldap:///cn=*,%s,%s' % (api.env.container_hostgroup, api.env.basedn), 'service': 'ldap:///krbprincipalname=*,%s,%s' % (api.env.container_service, api.env.basedn), 'netgroup': 'ldap:///ipauniqueid=*,%s,%s' % (api.env.container_netgroup, api.env.basedn), -'dns': 'ldap:///idnsname=*,%s,%s' % (api.env.container_dns, api.env.basedn), +'dnsrecord': 'ldap:///idnsname=*,%s,%s' % (api.env.container_dns, api.env.basedn), } _valid_permissions_values = [ @@ -382,7 +382,7 @@ class aci(Object): cli_name='type', label=_('Type'), doc=_('type of IPA object (user, group, host, hostgroup, service, netgroup)'), -values=(u'user', u'group', u'host', u'service', u'hostgroup', u'netgroup', u'dns',), +values=(u'user', u'group', u'host', u'service', u'hostgroup', u'netgroup', u'dnsrecord'), ), Str('memberof?', cli_name='memberof', diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py index 43bb2634d34cab8d2bb8ecbce883df8008c34645..182a02cc389c970962e93c4e1653cbbfeee3f30b 100644 --- a/ipalib/plugins/permission.py +++ b/ipalib/plugins/permission.py 
@@ -128,7 +128,7 @@ class permission(LDAPObject): cli_name='type', label=_('Type'), doc=_('Type of IPA object (user, group, host, hostgroup, service, netgroup, dns)'), -values=(u'user', u'group', u'host', u'service', u'hostgroup', u'netgroup', u'dns',), +values=(u'user', u'group', u'host', u'service', u'hostgroup', u'netgroup', u'dnsrecord',), flags=('ask_create', 'ask_update'), ), Str('memberof?', -- 1.7.3.4
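Review bot: the commit message still says the dns type "was replaced by dnszone and dnsrecord", but the _type_map hunk in aci.py only renames the 'dns' key to 'dnsrecord' and adds no 'dnszone' entry, which is what the thread settled on; reword the message to match the final patch so the history does not advertise a dnszone type that does not exist.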
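Review bot: in the second aci.py hunk (around line 382) the values tuple gains u'dnsrecord', but the doc string two lines above it, doc=_('type of IPA object (user, group, host, hostgroup, service, netgroup)'), still does not list it, so the help text will not advertise the new type; add dnsrecord there in the same patch.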
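Review bot: the permission.py hunk switches values to u'dnsrecord' while the doc string directly above it, _('Type of IPA object (user, group, host, hostgroup, service, netgroup, dns)'), still says dns, so the help now names a value the validator rejects; update the doc string. And because a Param's values changed in both plugins, API.txt should be regenerated in the same patch, but the diffstat lists only aci.py and permission.py.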
Re: [Freeipa-devel] [PATCH] Provide a way to display CLI-LDAP attribute relation
Ok, I'm sending an updated patch in attachment. Should I change it in class help then? That's where I copied this from. I think so. Ok, I'll send another patch, so we don't mix it together with this patch. I'll do a review of the code in cli.py, maybe the same issue is elsewhere as well. This will blow up as expected in the FIXME if an unknown command is passed in. Fixed, thanks. Not to be pedantic but I think it should return a non-zero error code too on error. Yep, replaced this with an exception. ipa show-mappings user-show returns just 'rights' If it was acting correctly, it shouldn't be displayed at all, because it is not LDAP based (and user-show doesn't take any other LDAP-based arguments/options). I'm just not sure how to do this with minimal changes. One option is to create a new flag denoting whether a parameter is LDAP based or not and for each parameter set it appropriately, but that is just too much effort for something that is not that important. That's why I use the 'webui' flag to filter things at least a little bit. You should have the object Params list available, right? Can you use that to show at least some attributes? I already thought of that, but that would add only the primary key, since Params is a concatenation of Options and Args - in args there are usually only mandatory arguments (i.e. primary keys, uid in case of user-show) and options are already iterated over and printed out. I think adding this is too much effort. For one thing user-show takes no other options than --rights (and the purpose of the patch is to show the mapping between CLI options and LDAP attributes) and a user can always see the real LDAP attributes of a user object by using --raw. Jan From 5abec649ec6d9bfc82bc29290961cbcf9e8c94cb Mon Sep 17 00:00:00 2001 
From: Jan Zeleny jzel...@redhat.com Date: Wed, 26 Jan 2011 13:09:26 +0100 Subject: [PATCH] Provide a way to display CLI-LDAP relation Since some LDAP attributes have their cli_name value defined, so they can be more user friendly, it can be difficult for user to find out which attributes do the parameteres given to CLI really represent. This patch provides new command, which will take another IPA command as and argument and display attributes which given command takes and what LDAP attributes are they mapped to. https://fedorahosted.org/freeipa/ticket/447 --- ipalib/cli.py | 23 ++- 1 files changed, 22 insertions(+), 1 deletions(-) diff --git a/ipalib/cli.py b/ipalib/cli.py index 5543301c0c9039dc67b159c06526a0bdb3581c88..fa8d36d356076103c3310b7a30f5834ec23350bd 100644 --- a/ipalib/cli.py +++ b/ipalib/cli.py @@ -47,7 +47,7 @@ import plugable import util from errors import PublicError, CommandError, HelpError, InternalError, NoSuchNamespaceError, ValidationError, NotFound, NotConfiguredError from constants import CLI_TAB -from parameters import Password, Bytes, File +from parameters import Password, Bytes, File, Str from text import _ from ipapython.version import API_VERSION @@ -779,6 +779,26 @@ class help(frontend.Local): print ' %s %s' % (to_cli(c.name).ljust(mcl), c.summary) print \n +class show_mappings(frontend.Command): +takes_args = (Str('command_name'),) +has_output = tuple() + +def run(self, command_name): +command_name = from_cli(command_name) +if command_name not in self.Command: +raise CommandError(name=command_name) +params = self.Command[command_name].options +out = [('Parameter','LDAP attribute'), + ('=','==')] +mcl = len(out[0][0]) +for param in params(): +if param.exclude and 'webui' in param.exclude: +continue +out.append((param.cli_name, param.param_spec)) +mcl = max(mcl,len(param.cli_name)) +for item in out: +print to_cli(item[0]).ljust(mcl)+' : '+item[1] + class console(frontend.Command): Start the IPA interactive Python console. 
@@ -1047,6 +1067,7 @@ cli_plugins = ( textui, console, help, +show_mappings, ) -- 1.7.3.4
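Review bot: the new show_mappings class in the cli.py hunk has no docstring, unlike help and console right next to it, so ipa help will list the command with an empty summary; add a one-line description and a usage example such as ipa show-mappings user-add. Also, help is declared as frontend.Local while show_mappings subclasses frontend.Command; since run() only inspects self.Command and prints, frontend.Local is the more accurate base and keeps it clearly client-side.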
[Freeipa-devel] [PATCH] Fixed type of argument in class help
At Rob's suggestion I changed the argument type in class help, this is only a one-liner, I think it can be pushed directly. Jan From f7ca20a79bf06832c20262582f5ca83ec48ff056 Mon Sep 17 00:00:00 2001 From: Jan Zeleny jzel...@redhat.com Date: Wed, 2 Feb 2011 02:49:57 -0500 Subject: [PATCH] Fixed type of argument in class help --- ipalib/cli.py |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/ipalib/cli.py b/ipalib/cli.py index fa8d36d356076103c3310b7a30f5834ec23350bd..1e61f667913472e26dd138d885cea113919cd04e 100644 --- a/ipalib/cli.py +++ b/ipalib/cli.py @@ -609,7 +609,7 @@ class help(frontend.Local): Display help for a command or topic. -takes_args = (Bytes('command?'),) +takes_args = (Str('command?'),) has_output = tuple() -- 1.7.3.4
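Review bot: the Bytes to Str change in the help hunk is fine on its own; check whether Bytes is still used anywhere else in cli.py after it, because the import line in the show_mappings patch keeps from parameters import Password, Bytes, File, Str and an unused import would be left behind.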
Re: [Freeipa-devel] [PATCH] Provide a way to display CLI-LDAP attribute relation
Rob Crittenden rcrit...@redhat.com wrote: Jan Zelený wrote: Since some LDAP attributes have their cli_name value defined, so they can be more user friendly, it can be difficult for a user to find out which attributes the parameters given to the CLI really represent. This patch provides a new command, which will take another IPA command as an argument and display the attributes which the given command takes and what LDAP attributes they are mapped to. https://fedorahosted.org/freeipa/ticket/447 When reviewing, please pay attention to line 39 of the patch (detection of the 'webui' in param.excludes). I think this is the right approach, but I'm not 100% sure. Thanks Jan nack. I'm sending an updated patch. A few comments: The argument should be a Str, not Bytes. Should I change it in class help then? That's where I copied this from. This will blow up as expected in the FIXME if an unknown command is passed in. Fixed, thanks. ipa show-mappings user-show returns just 'rights' If it was acting correctly, it shouldn't be displayed at all, because it is not LDAP based (and user-show doesn't take any other LDAP-based arguments/options). I'm just not sure how to do this with minimal changes. One option is to create a new flag denoting whether a parameter is LDAP based or not and for each parameter set it appropriately, but that is just too much effort for something that is not that important. That's why I use the 'webui' flag to filter things at least a little bit. Should it take a second arg or an option to lookup a specific attribute/option pair? Frankly I don't see any real benefit. I thought about it when Dmitri suggested it, but commands don't take that many options - IMO it's not a problem to find one in a list of ten. Jan From 2db9043eb65006890b7e500502647a5a4d8e3fb5 Mon Sep 17 00:00:00 2001 
From: Jan Zeleny jzel...@redhat.com Date: Wed, 26 Jan 2011 13:09:26 +0100 Subject: [PATCH] Provide a way to display CLI-LDAP relation Since some LDAP attributes have their cli_name value defined, so they can be more user friendly, it can be difficult for user to find out which attributes do the parameteres given to CLI really represent. This patch provides new command, which will take another IPA command as and argument and display attributes which given command takes and what LDAP attributes are they mapped to. https://fedorahosted.org/freeipa/ticket/447 --- ipalib/cli.py | 24 +++- 1 files changed, 23 insertions(+), 1 deletions(-) diff --git a/ipalib/cli.py b/ipalib/cli.py index 5543301c0c9039dc67b159c06526a0bdb3581c88..411abc6ba6792da1791b0d9450f709ce6cedfd4d 100644 --- a/ipalib/cli.py +++ b/ipalib/cli.py @@ -47,7 +47,7 @@ import plugable import util from errors import PublicError, CommandError, HelpError, InternalError, NoSuchNamespaceError, ValidationError, NotFound, NotConfiguredError from constants import CLI_TAB -from parameters import Password, Bytes, File +from parameters import Password, Bytes, File, Str from text import _ from ipapython.version import API_VERSION 
@@ -779,6 +779,27 @@ class help(frontend.Local): print ' %s %s' % (to_cli(c.name).ljust(mcl), c.summary) print \n +class show_mappings(frontend.Command): +takes_args = (Str('command_name'),) +has_output = tuple() + +def run(self, command_name): +command_name = from_cli(command_name) +if command_name not in self.Command: +print 'ERROR: unknown command \''+command_name+'\'' +return +params = self.Command[command_name].options +out = [('Parameter','LDAP attribute'), + ('=','==')] +mcl = len(out[0][0]) +for param in params(): +if param.exclude and 'webui' in param.exclude: +continue +out.append((param.cli_name, param.param_spec)) +mcl = max(mcl,len(param.cli_name)) +for item in out: +print to_cli(item[0]).ljust(mcl)+' : '+item[1] + class console(frontend.Command): Start the IPA interactive Python console. @@ -1047,6 +1068,7 @@ cli_plugins = ( textui, console, help, +show_mappings, ) -- 1.7.3.4
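Review bot: in this version of the show_mappings hunk, an unknown command makes run() print 'ERROR: unknown command ...' and return None, so the process exits 0 and a script cannot tell the failure from success; raise CommandError (already imported from errors on the import line) instead of print-and-return, as the later revision of the patch does.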
[Freeipa-devel] [PATCH] Allow pkinit functionality to be hidden in production version
This patch adds python config file ipaconfig.py, which can contain various configuration directives for ipalib and other python code. These directives can be detected at build time. The first config directive in use is enable_pkinit, which can be set by running (in 'install' subdirectory) ./configure --enable-pkinit or ./configure --disable-pkinit When pkinit is disabled, classes in pkinit plugin are not registered to API and the whole functionality is hidden in installation scripts. https://fedorahosted.org/freeipa/ticket/616 I'm primarily interested in the concept. This is the best one I came up with. If you have any suggestion on how to do this differently, let me know. -- Thank you Jan Zeleny Red Hat Software Engineer Brno, Czech Republic From fb8a3ffc2fe9cf1c2e6da3861001ac8e959465a4 Mon Sep 17 00:00:00 2001 From: Jan Zeleny jzel...@redhat.com Date: Mon, 31 Jan 2011 03:02:28 -0500 Subject: [PATCH] Allow pkinit functionality to be hidden in production version This patch adds python config file ipaconfig.py, which can contain various configuration directives for ipalib and other python code. These directives can be detected at build time. The first config directive in use is enable_pkinit, which can be set by running (in 'install' subdirectory) ./configure --enable-pkinit or ./configure --disable-pkinit When pkinit is disabled, classes in pkinit plugin are not registered to API and the whole functionality is hidden in installation scripts. https://fedorahosted.org/freeipa/ticket/616 --- freeipa.spec.in |3 ++- install/conf/Makefile.am |2 ++ install/conf/ipaconfig.py.in |3 +++ install/configure.ac | 13 + install/tools/ipa-replica-install | 11 +-- install/tools/ipa-replica-prepare | 21 +++-- install/tools/ipa-server-install | 21 +++-- ipalib/plugins/pkinit.py | 12 ++-- ipaserver/install/krbinstance.py | 10 -- 9 files changed, 77 insertions(+), 19 deletions(-) create mode 100644 install/conf/ipaconfig.py.in 
diff --git a/freeipa.spec.in b/freeipa.spec.in index e35f3370bca7936a96d87eab9049b10e01904e1e..949c67ca1b08555ced400d521d41621ec1d69673 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -202,7 +202,7 @@ make version-update cd ipa-client; ../autogen.sh --prefix=%{_usr} --sysconfdir=%{_sysconfdir} --localstatedir=%{_localstatedir} --libdir=%{_libdir} --mandir=%{_mandir}; cd .. %if ! %{ONLY_CLIENT} cd daemons; ../autogen.sh --prefix=%{_usr} --sysconfdir=%{_sysconfdir} --localstatedir=%{_localstatedir} --libdir=%{_libdir} --mandir=%{_mandir} --with-openldap; cd .. -cd install; ../autogen.sh --prefix=%{_usr} --sysconfdir=%{_sysconfdir} --localstatedir=%{_localstatedir} --libdir=%{_libdir} --mandir=%{_mandir}; cd .. +cd install; ../autogen.sh --prefix=%{_usr} --sysconfdir=%{_sysconfdir} --localstatedir=%{_localstatedir} --libdir=%{_libdir} --mandir=%{_mandir} --disable-pkinit; cd .. %endif %if ! %{ONLY_CLIENT} @@ -463,6 +463,7 @@ fi %{python_sitelib}/ipapython/*.py* %dir %{python_sitelib}/ipalib %{python_sitelib}/ipalib/* +%{python_sitelib}/ipaconfig.py* %{python_sitearch}/default_encoding_utf8.so %if 0%{?fedora} = 12 || 0%{?rhel} = 6 %{python_sitelib}/ipapython-*.egg-info diff --git a/install/conf/Makefile.am b/install/conf/Makefile.am index e00ad618f47b704d3fb6451545fe3fbfaa1b31a9..33e1fd94aab7e35c52efcd90710a090662793a3a 100644 --- a/install/conf/Makefile.am +++ b/install/conf/Makefile.am @@ -1,5 +1,7 @@ NULL = +python_PYTHON = ipaconfig.py + appdir = $(IPA_DATA_DIR) app_DATA = \ ipa.conf \ diff --git a/install/conf/ipaconfig.py.in b/install/conf/ipaconfig.py.in new file mode 100644 index ..3a20c4734d942a4658af41a67c5866c153bfcc1b --- /dev/null +++ b/install/conf/ipaconfig.py.in @@ -0,0 +1,3 @@ +#!/usr/bin/python + +enable_pkinit=@IPA_ENABLE_PKINIT@ diff --git a/install/configure.ac b/install/configure.ac index 88bf9f805f71e62d0f98bef97a7ea4fc2ddec114..6f653df0169e492f4ffe5efee2a3401d94d8ac9e 100644 --- a/install/configure.ac +++ b/install/configure.ac 
@@ -6,8 +6,10 @@ AC_INIT([ipa-server], #AC_CONFIG_SRCDIR([ipaserver/ipaldap.py]) AC_CONFIG_HEADERS([config.h]) +AC_CONFIG_FILES([conf/ipaconfig.py]) AM_INIT_AUTOMAKE([foreign]) +AM_PATH_PYTHON([2.7]) AM_MAINTAINER_MODE #AC_PROG_CC @@ -48,6 +50,16 @@ if test x$MSGCMP = xno; then AC_MSG_ERROR([msgcmp not found, install gettext]) fi +AC_ARG_ENABLE([pkinit], + [AS_HELP_STRING([--enable-pkinit], +[enable pkinit features])], + [if test x$enableval = xyes ; then + enable_pkinit=True + else + enable_pkinit=False + fi], + [enable_pkinit=True]) + AC_ARG_WITH([gettext_domain], [AS_HELP_STRING([--with-gettext-domain=name], [set the name of the i18n message catalog])], @@ -63,6 +75,7 @@ IPA_DATA_DIR=$datadir/ipa IPA_SYSCONF_DIR=$sysconfdir/ipa
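Review bot: the first freeipa.spec.in hunk hardwires --disable-pkinit into the install/ autogen.sh call, so every package built from the spec silently drops pkinit and the configure switch the commit message describes can only be flipped by editing the spec; if that is intended for production builds, say so in a comment next to the line, or expose it as a build conditional so a test build can turn it back on.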
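Review bot: the %files hunk ships %{python_sitelib}/ipaconfig.py* at the top level of site-packages, i.e. as a global Python module named ipaconfig; that name is generic enough to collide with another package, and it sits outside both ipalib and ipapython, which are the directories the spec already owns. Placing the generated file under one of those (and importing it from there in the plugins and installers) avoids the collision.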
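Review bot: conf/ipaconfig.py.in starts with #!/usr/bin/python although the file is only ever imported, never executed; drop the shebang, and put a comment next to enable_pkinit=@IPA_ENABLE_PKINIT@ saying the value is filled in by configure, so nobody edits the generated ipaconfig.py by hand and loses the change on the next build.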
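Review bot: AM_PATH_PYTHON([2.7]) in the configure.ac hunk makes the build fail on any Python older than 2.7, yet the spec hunk above still carries the fedora = 12 || rhel = 6 branch, and RHEL 6 ships Python 2.6; either lower the minimum or drop the RHEL 6 support from the spec. In the same hunk, enable_pkinit is set to True/False by AC_ARG_ENABLE, but the AC_SUBST that exports it as @IPA_ENABLE_PKINIT@ for conf/ipaconfig.py.in is not in the part of the patch shown here; please make sure it is present, since AC_CONFIG_FILES([conf/ipaconfig.py]) alone substitutes nothing.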
Re: [Freeipa-devel] [PATCH] Fixed permission lookup
Rob Crittenden rcrit...@redhat.com wrote: Jan Zelený wrote: Martin Kosek mko...@redhat.com wrote: On Fri, 2011-01-28 at 09:21 +0100, Martin Kosek wrote: On Thu, 2011-01-27 at 15:41 +0100, Jan Zelený wrote: Rob Crittenden rcrit...@redhat.com wrote: Jan Zelený wrote: Martin Kosek mko...@redhat.com wrote: On Thu, 2011-01-27 at 11:15 +0100, Jan Zelený wrote: Lookup based on --filter wasn't implemented at all. It didn't show until now, because of a bug sitting on top of it which was resulting in an internal error. This patch fixes the bug and adds the filtering functionality. https://fedorahosted.org/freeipa/ticket/818 NACK Did you build this patch on current master? Because in your patch, you removed changes in permission-find from my previous patch 017 ACI plugin supports prefixes. After your patch, permission-find fails: $ ipa permission-find ipa: ERROR: 'aciprefix' is required Martin Sorry, I accidentally mixed the code with a part of the older one. Sending corrected patch. Jan I think the more stuff in baseldap.py:LDAPSearch() was there because adding entries in a post_callback wasn't working. It only let you reduce the number or modify what was already there IIRC. From what I know, lists should allow you to expand them without any problems (not sure what the concept is called in Python, Pavel told me about it). Also I didn't encounter any problems with this approach (and the post callback actually adds some entries), that's why I changed it the way I did. Jan ACK I think the concept of adding new items to list 'entries' is right. Martin Second-thought-NACK After some thoughts about permissions and ACIs I think the ACI filtering should be moved to ACI plugin - aci_find command. So that it is available to other commands built over ACI plugin that would need searching by filter. A good place to move the filtering by 'filter' would be instead of the following comment in aci.py: # TODO: searching by: filter, subtree Martin Good catch. 
I'm sending another version of the patch in attachment.
Jan

This only does filter exact matches, is that adequate or should we return any filter that has the query as a substring?
rob

I thought about that as well. If you think it is more appropriate, I'll update the patch. But IMO this behavior is what users will expect.
Jan
___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] Add support for account unlocking
Rob Crittenden rcrit...@redhat.com wrote: Jan Zelený wrote: Jan Zelenyjzel...@redhat.com wrote: This patch adds command ipa user-unlock and some LDAP modifications which are required by Kerberos for unlocking to work. Ticket: https://fedorahosted.org/freeipa/ticket/344 Jan Just a reminder that this patch needs a review. Thanks Jan This doesn't apply against master due to some changes to delegations. Can you rebase and set the aci name to 'permission:Unlock user accounts. I did manage to test this and it works as expected, I just don't want to mangle the rebase. rob The patch is rebased, I also added the change to API.txt Jan From 3844e0d8fba330948e150e5938b72758ee252207 Mon Sep 17 00:00:00 2001 From: Jan Zeleny jzel...@redhat.com Date: Fri, 21 Jan 2011 03:07:53 -0500 Subject: [PATCH] Add support for account unlocking This patch adds command ipa user-unlock and some LDAP modifications which are required by Kerberos for unlocking to work. Ticket: https://fedorahosted.org/freeipa/ticket/344 --- API.txt|6 ++ install/share/60kerberos.ldif |4 +++- install/share/default-aci.ldif |2 +- install/share/delegation.ldif | 10 ++ ipalib/plugins/user.py | 24 5 files changed, 44 insertions(+), 2 deletions(-) diff --git a/API.txt b/API.txt index 42ba61f48dad4bdcaaa8e28c84e62c2607017ed6..703978f576986eed868e4eb4b3956938cd58b470 100644 --- a/API.txt +++ b/API.txt 
@@ -2614,3 +2614,9 @@ option: Str('version?', exclude='webui', flags=['no_option', 'no_output']) output: Output('summary', (type 'unicode', type 'NoneType'), 'User-friendly description of action performed') output: Entry('result', type 'dict', Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) output: Output('value', type 'unicode', The primary_key value of the entry, e.g. 'jdoe' for a user) +command: user_unlock +args: 1,0,3 +arg: Str('uid', attribute=True, cli_name='login', default_from=DefaultFrom(lambda, 'givenname', 'sn'), label=Gettext('User login', domain='ipa', localedir=None), maxlength=255, multivalue=False, normalizer=lambda, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', pattern_errmsg='may only include letters, numbers, _, -, . and $', primary_key=True, query=True, required=True) +output: Output('summary', (type 'unicode', type 'NoneType'), 'User-friendly description of action performed') +output: Output('result', type 'bool', 'True means the operation was successful') +output: Output('value', type 'unicode', The primary_key value of the entry, e.g. 'jdoe' for a user) diff --git a/install/share/60kerberos.ldif b/install/share/60kerberos.ldif index f08329c48cbcd00ce9641582a13e8c6c118dac7c..72800d2426b776f2db119159187cad688eb9 100644 --- a/install/share/60kerberos.ldif +++ b/install/share/60kerberos.ldif @@ -254,6 +254,8 @@ attributetypes: ( 2.16.840.1.113719.1.301.4.52.1 NAME 'krbObjectReferences' EQUA # the additional principal objects and stand alone principal # objects (krbPrincipal) can be created. attributetypes: ( 2.16.840.1.113719.1.301.4.53.1 NAME 'krbPrincContainerRef' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12) +# The time at which administrator unlocked the account +attributetypes: ( 1.3.6.1.4.1.5322.21.2.5 NAME 'krbLastAdminUnlock' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE) # Object Class Definitions # 
@@ -282,7 +284,7 @@ objectClasses: ( 2.16.840.1.113719.1.301.6.4.1 NAME 'krbKdcService' SUP ( krbSer objectClasses: ( 2.16.840.1.113719.1.301.6.5.1 NAME 'krbPwdService' SUP ( krbService ) ) ## The principal data auxiliary class. Holds principal information ## and is used to store principal information for Person, Service objects. -objectClasses: ( 2.16.840.1.113719.1.301.6.8.1 NAME 'krbPrincipalAux' AUXILIARY MAY ( krbPrincipalName $ krbCanonicalName $ krbUPEnabled $ krbPrincipalKey $ krbTicketPolicyReference $ krbPrincipalExpiration $ krbPasswordExpiration $ krbPwdPolicyReference $ krbPrincipalType $ krbPwdHistory $ krbLastPwdChange $ krbPrincipalAliases $ krbLastSuccessfulAuth $ krbLastFailedAuth $ krbLoginFailedCount $ krbExtraData ) ) +objectClasses: ( 2.16.840.1.113719.1.301.6.8.1 NAME 'krbPrincipalAux' AUXILIARY MAY ( krbPrincipalName $ krbCanonicalName $ krbUPEnabled $ krbPrincipalKey $ krbTicketPolicyReference $ krbPrincipalExpiration $ krbPasswordExpiration $ krbPwdPolicyReference $ krbPrincipalType $ krbPwdHistory $ krbLastPwdChange $ krbPrincipalAliases $ krbLastSuccessfulAuth $ krbLastFailedAuth $ krbLoginFailedCount $ krbExtraData $ krbLastAdminUnlock ) ) ## This class is used to create additional principals and stand alone principals. objectClasses
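Review bot: the new krbLastAdminUnlock attribute in the 60kerberos.ldif hunk is given OID 1.3.6.1.4.1.5322.21.2.5, a different arc from the 2.16.840.1.113719.1.301.4.* OIDs of the attributes around it, and the comment above it does not say where the definition comes from; add that, because the unlock only works if this is the exact attribute (name and OID) the KDC's LDAP backend reads, otherwise user-unlock writes a timestamp nothing consumes. The delegation.ldif, default-aci.ldif and ipalib/plugins/user.py hunks listed in the diffstat are cut off in this copy, so the 'permission:Unlock user accounts' ACI name asked for in the thread cannot be checked here.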
Re: [Freeipa-devel] [PATCH] Fixed permission lookup
Martin Kosek mko...@redhat.com wrote:
On Fri, 2011-01-28 at 09:21 +0100, Martin Kosek wrote:
On Thu, 2011-01-27 at 15:41 +0100, Jan Zelený wrote:
Rob Crittenden rcrit...@redhat.com wrote:
Jan Zelený wrote:
Martin Kosek mko...@redhat.com wrote:
On Thu, 2011-01-27 at 11:15 +0100, Jan Zelený wrote:
Lookup based on --filter wasn't implemented at all. It didn't show until now, because of a bug sitting on top of it which was resulting in an internal error. This patch fixes the bug and adds the filtering functionality. https://fedorahosted.org/freeipa/ticket/818

NACK. Did you build this patch on current master? Because in your patch, you removed changes in permission-find from my previous patch 017 "ACI plugin supports prefixes". After your patch, permission-find fails:
$ ipa permission-find
ipa: ERROR: 'aciprefix' is required
Martin

Sorry, I accidentally mixed the code with a part of the older one. Sending corrected patch.
Jan

I think the more stuff in baseldap.py:LDAPSearch() was there because adding entries in a post_callback wasn't working. It only let you reduce the number or modify what was already there IIRC.

From what I know, lists should allow you to expand them without any problems (not sure how the concept is called in Python, Pavel told me about it). Also I didn't encounter any problems with this approach (and the post callback actually adds some entries), that's why I changed it the way I did.
Jan

ACK. I think the concept of adding new items to list 'entries' is right.
Martin

Second-thought-NACK. After some thoughts about permissions and ACIs I think the ACI filtering should be moved to the ACI plugin - aci_find command. So that it is available to other commands built over the ACI plugin that would need searching by filter. A good place to move the filtering by 'filter' would be instead of the following comment in aci.py:
# TODO: searching by: filter, subtree
Martin

Good catch. I'm sending another version of the patch in attachment.
Jan
From 1c4af3408b15fc933370de95940300920cad0260 Mon Sep 17 00:00:00 2001 From: Jan Zeleny jzel...@redhat.com Date: Thu, 27 Jan 2011 05:11:28 -0500 Subject: [PATCH] Fixed permission lookup Lookup based on --filter wasn't implemented at all. It did't show until now, because of bug sitting on top of it which was resulting in internal error. This patch fixes the bug and adds the filtering functionality. https://fedorahosted.org/freeipa/ticket/818 --- ipalib/plugins/aci.py| 11 ++- ipalib/plugins/baseldap.py | 12 +--- ipalib/plugins/permission.py |5 + 3 files changed, 16 insertions(+), 12 deletions(-) diff --git a/ipalib/plugins/aci.py b/ipalib/plugins/aci.py index 648f5111fcfd23975fe317d6b89b6163508a15a3..4ddaf98ab8f4ca3cb9235021912afbd7987fed13 100644 --- a/ipalib/plugins/aci.py +++ b/ipalib/plugins/aci.py @@ -780,7 +780,16 @@ class aci_find(crud.Search): except ValueError: pass -# TODO: searching by: filter, subtree +if 'filter' in kw: +if not kw['filter'].startswith('('): +kw['filter'] = unicode('('+kw['filter']+')') +for a in acis: +if 'targetfilter' not in a.target or\ +not a.target['targetfilter']['expression'] or\ +a.target['targetfilter']['expression'] != kw['filter']: +results.remove(a) + +# TODO: searching by: subtree acis = [] for result in results: diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py index b20d96012e0dc7f91209a3623d8ad90cd023e006..d25deb5270ee2b79c2229e9265fa11c3ccca8b17 100644 --- a/ipalib/plugins/baseldap.py +++ b/ipalib/plugins/baseldap.py @@ -1372,11 +1372,9 @@ class LDAPSearch(CallbackInterface, crud.Search): for callback in self.POST_CALLBACKS: if hasattr(callback, 'im_self'): -more = callback(ldap, entries, truncated, *args, **options) +callback(ldap, entries, truncated, *args, **options) else: -more = callback(self, ldap, entries, truncated, *args, **options) -if more: -entries = entries + more +callback(self, ldap, entries, truncated, *args, **options) if not options.get('raw', False): for e in entries: 
@@ -1392,11 +1390,11 @@ class LDAPSearch(CallbackInterface, crud.Search): truncated=truncated, ) -def pre_callback(self, ldap, filter, attrs_list, base_dn, scope, *args, **options): -return (filter, base_dn, scope) +def pre_callback(self, ldap, filters, attrs_list, base_dn, scope, *args, **options): +return (filters, base_dn, scope) def post_callback(self, ldap
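Review bot: the new filter test in the aci.py hunk compares `a.target['targetfilter']['expression']` with `kw['filter']` as raw strings after only wrapping the query in parentheses, so a stored `(objectClass=idnszone)` does not match a query of `objectclass=idnszone` even though LDAP attribute names are case-insensitive, and any difference in whitespace also defeats the match; canonicalize both sides before comparing, or implement the substring match raised in the thread, and state in the option's doc which of the two it is. Writing the wrapped value back into `kw['filter']` also mutates the caller's options dict; keep it in a local.

Review bot: the baseldap.py hunk drops the `more` return value of POST_CALLBACKS, so any post_callback elsewhere that still returns a list of extra entries (the base stub returned `[]` before this patch) now has its result silently discarded; grep the plugins for post_callback implementations that return entries and convert them to `entries.append(...)` in the same patch, and mention the interface change in the commit message.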
[Freeipa-devel] [PATCH] Fixed permission lookup
Lookup based on --filter wasn't implemented at all. It did't show until now, because of bug sitting on top of it which was resulting in internal error. This patch fixes the bug and adds the filtering functionality. https://fedorahosted.org/freeipa/ticket/818 -- Thank you Jan Zeleny Red Hat Software Engineer Brno, Czech Republic From 4e5cea38d40d75dea0042701a28d235ec60c878b Mon Sep 17 00:00:00 2001 From: Jan Zeleny jzel...@redhat.com Date: Thu, 27 Jan 2011 05:11:28 -0500 Subject: [PATCH] Fixed permission lookup Lookup based on --filter wasn't implemented at all. It did't show until now, because of bug sitting on top of it which was resulting in internal error. This patch fixes the bug and adds the filtering functionality. https://fedorahosted.org/freeipa/ticket/818 --- ipalib/plugins/baseldap.py | 10 -- ipalib/plugins/permission.py | 22 ++ 2 files changed, 14 insertions(+), 18 deletions(-) diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py index b20d96012e0dc7f91209a3623d8ad90cd023e006..6d58eb97742a29a584d97913fc26c4ccf5d4c349 100644 --- a/ipalib/plugins/baseldap.py +++ b/ipalib/plugins/baseldap.py @@ -1372,11 +1372,9 @@ class LDAPSearch(CallbackInterface, crud.Search): for callback in self.POST_CALLBACKS: if hasattr(callback, 'im_self'): -more = callback(ldap, entries, truncated, *args, **options) +callback(ldap, entries, truncated, *args, **options) else: -more = callback(self, ldap, entries, truncated, *args, **options) -if more: -entries = entries + more +callback(self, ldap, entries, truncated, *args, **options) if not options.get('raw', False): for e in entries: 
@@ -1392,8 +1390,8 @@ class LDAPSearch(CallbackInterface, crud.Search): truncated=truncated, ) -def pre_callback(self, ldap, filter, attrs_list, base_dn, scope, *args, **options): -return (filter, base_dn, scope) +def pre_callback(self, ldap, filters, attrs_list, base_dn, scope, *args, **options): +return (filters, base_dn, scope) def post_callback(self, ldap, entries, truncated, *args, **options): return [] diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py index 0c2855ff5c181a56455bb9b180b6f22472ce8fa4..1cbdd449763d8fafee0c5bd94669f5a7bb11f3bb 100644 --- a/ipalib/plugins/permission.py +++ b/ipalib/plugins/permission.py 
@@ -319,33 +319,33 @@ class permission_find(LDAPSearch): ) def post_callback(self, ldap, entries, truncated, *args, **options): -newentries = [] for entry in entries: (dn, attrs) = entry try: -aci = self.api.Command.aci_show(attrs['cn'][0], aciprefix=ACI_PREFIX)['result'] - -# copy information from respective ACI to permission entry +aci = self.api.Command.aci_show(attrs['description'][0])['result'] for attr in self.obj.aci_attributes: if attr in aci: attrs[attr] = aci[attr] except errors.NotFound: -self.debug('ACI not found for %s' % attrs['cn'][0]) +self.debug('ACI not found for %s' % attrs['description'][0]) # Now find all the ACIs that match. Once we find them, add any that # aren't already in the list along with their permission info. -options['aciprefix'] = ACI_PREFIX - aciresults = self.api.Command.aci_find(*args, **options) truncated = truncated or aciresults['truncated'] results = aciresults['result'] - +if 'filter' in options and not options['filter'].startswith('('): +options['filter'] = unicode('('+options['filter']+')') for aci in results: +if 'filter' in options: +if 'filter' not in aci or not aci['filter'] or\ +aci['filter'] != options['filter']: +continue found = False if 'permission' in aci: for entry in entries: (dn, attrs) = entry -if aci['permission'] == attrs['cn'][0]: +if aci['permission'] == attrs['cn']: found = True break if not found: @@ -357,9 +357,7 @@ class permission_find(LDAPSearch): dn = attrs['dn'] del attrs['dn'] if (dn, attrs) not in entries: -newentries.append((dn, attrs)) - -return newentries +entries.append((dn, attrs)) api.register(permission_find) -- 1.7.3.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
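Review bot: `if aci['permission'] == attrs['cn']:` in the permission.py hunk compares a unicode value with the attribute's value list, so it never matches and every ACI that carries a permission is appended as a second entry; keep `attrs['cn'][0]`. Going back to `aci_show(attrs['description'][0])` and dropping `options['aciprefix'] = ACI_PREFIX` reverts patch 017 and is what produces the `'aciprefix' is required` error reported in this thread; `attrs['description'][0]` also raises KeyError for permission entries that have no description.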
Re: [Freeipa-devel] [PATCH] 0074 Add requires
Simo Sorce sso...@redhat.com wrote:
First part of ticket #855. Add the requires we will need on F15, tested against jdennis ipa-devel repo, works as expected.
Simo.

The patch is obviously ok, so ack from this point of view. But I would just like to know if it is necessary. I just inspected the F15 pki-ca package from the nightly repo - it does Require pki-ca-theme = 9.0.0 (which is provided by dogtag-pki-ca-theme) and we will be requiring pki-ca. I suspect a similar situation will be for dogtag-pki-common-theme. So I don't see why we should explicitly Require both packages ourselves.

Thanks in advance for an explanation
Jan
Re: [Freeipa-devel] [PATCH] 0075 handle weird values in nolog
Simo Sorce sso...@redhat.com wrote:
When using ipa-replica-manage re-initialize with GSSAPI credentials it turns out that the DN password may be set to None and this can end up in the nolog list. Add a check to skip any non-string object in the log substitution list, so that the code doesn't freak out on None objects. Ticket #856
Simo.

Ack, but only a code inspection performed, since I'm not sure how to test it exactly.
Jan
Re: [Freeipa-devel] [PATCH] Changed dns permission types
Jan Zelený jzel...@redhat.com wrote:
Jan Zelený jzel...@redhat.com wrote:
Rob Crittenden rcrit...@redhat.com wrote:
Jan Zelený wrote:
Rob Crittenden rcrit...@redhat.com wrote:
Jan Zelený wrote:
Recent change of DNS module to version caused that dns object type was replaced by dnszone and dnsrecord. This patch corrects dns types in permissions class. https://fedorahosted.org/freeipa/ticket/646

Nack. These values need to be added as valid types to the aci plugin and the _type_map needs to be updated.
rob

I'm sending an updated patch.
Jan

Since dnszone and dnsrecord point to the same kind of entry what is the point of having two separate names for them? When we read the entry we aren't going to be able to differentiate between the two.

I didn't take a look at how the type thing works, so I'm kinda guessing here (please ignore the comment if it is wrong): Sure, an object with the idnszone class is always also in the dnsrecord class, but that's not the case backwards (an idnsrecord object isn't always idnszone) - so I think it is possible to set different ACIs for these two types.

Can the type be made more specific? If the mapping doesn't distinguish object classes and it can, maybe that's the answer.

Will investigate further. But if not, I still think this is the way to go considering the underlying issue which we tried to solve by this change.

From what I found I think that making the changes necessary to distinguish dnsrecord and dnszone is not worth it, especially since the user can use a filter for that purpose. Since having both of them doesn't have any additional value, I'm sending a new version of the patch, which is only adding the dnsrecord type.
Jan

Just a small reminder that this patch is ready to be re-reviewed.
Thanks
Jan
Re: [Freeipa-devel] [PATCH] Fixed permission lookup
Martin Kosek mko...@redhat.com wrote: On Thu, 2011-01-27 at 11:15 +0100, Jan Zelený wrote: Lookup based on --filter wasn't implemented at all. It did't show until now, because of bug sitting on top of it which was resulting in internal error. This patch fixes the bug and adds the filtering functionality. https://fedorahosted.org/freeipa/ticket/818 NACK Did you build this patch on current master? Because in your patch, you removed changes in permission-find from my previous patch 017 ACI plugin supports prefixes. After your patch, permission-find fails: $ ipa permission-find ipa: ERROR: 'aciprefix' is required Martin Sorry, I accidentaly mixed the code with a part of the older one. Sending corrected patch. Jan From 717e995250193667cc98b5f16d347dbbeff2802c Mon Sep 17 00:00:00 2001 From: Jan Zeleny jzel...@redhat.com Date: Thu, 27 Jan 2011 05:11:28 -0500 Subject: [PATCH] Fixed permission lookup Lookup based on --filter wasn't implemented at all. It did't show until now, because of bug sitting on top of it which was resulting in internal error. This patch fixes the bug and adds the filtering functionality. https://fedorahosted.org/freeipa/ticket/818 --- ipalib/plugins/baseldap.py | 12 +--- ipalib/plugins/permission.py | 11 +++ 2 files changed, 12 insertions(+), 11 deletions(-) diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py index b20d96012e0dc7f91209a3623d8ad90cd023e006..d25deb5270ee2b79c2229e9265fa11c3ccca8b17 100644 --- a/ipalib/plugins/baseldap.py +++ b/ipalib/plugins/baseldap.py 
@@ -1372,11 +1372,9 @@ class LDAPSearch(CallbackInterface, crud.Search): for callback in self.POST_CALLBACKS: if hasattr(callback, 'im_self'): -more = callback(ldap, entries, truncated, *args, **options) +callback(ldap, entries, truncated, *args, **options) else: -more = callback(self, ldap, entries, truncated, *args, **options) -if more: -entries = entries + more +callback(self, ldap, entries, truncated, *args, **options) if not options.get('raw', False): for e in entries: @@ -1392,11 +1390,11 @@ class LDAPSearch(CallbackInterface, crud.Search): truncated=truncated, ) -def pre_callback(self, ldap, filter, attrs_list, base_dn, scope, *args, **options): -return (filter, base_dn, scope) +def pre_callback(self, ldap, filters, attrs_list, base_dn, scope, *args, **options): +return (filters, base_dn, scope) def post_callback(self, ldap, entries, truncated, *args, **options): -return [] +pass def exc_callback(self, args, options, exc, call_func, *call_args, **call_kwargs): raise exc diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py index 0c2855ff5c181a56455bb9b180b6f22472ce8fa4..212a0469b55d19d76030f6384458943d5b8a19a6 100644 --- a/ipalib/plugins/permission.py +++ b/ipalib/plugins/permission.py @@ -319,7 +319,6 @@ class permission_find(LDAPSearch): ) def post_callback(self, ldap, entries, truncated, *args, **options): -newentries = [] for entry in entries: (dn, attrs) = entry try: @@ -340,7 +339,13 @@ class permission_find(LDAPSearch): truncated = truncated or aciresults['truncated'] results = aciresults['result'] +if 'filter' in options and not options['filter'].startswith('('): +options['filter'] = unicode('('+options['filter']+')') for aci in results: +if 'filter' in options: +if 'filter' not in aci or not aci['filter'] or\ +aci['filter'] != options['filter']: +continue found = False if 'permission' in aci: for entry in entries: 
@@ -357,9 +362,7 @@ class permission_find(LDAPSearch): dn = attrs['dn'] del attrs['dn'] if (dn, attrs) not in entries: -newentries.append((dn, attrs)) - -return newentries +entries.append((dn, attrs)) api.register(permission_find) -- 1.7.3.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
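Review bot: in the permission.py hunk the --filter comparison runs only after `aci_find(*args, **options)` has returned, so aci_find still does an unfiltered ACI search and the exact-match pruning is bolted on over its results here; moving the test into aci_find (where the `# TODO: searching by: filter, subtree` comment is) keeps the parenthesis-wrapping logic in one place and makes --filter usable by other callers, which is the direction the thread settles on. `options['filter'] = unicode('('+options['filter']+')')` also changes the caller's options dict in place; use a local.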
Re: [Freeipa-devel] [PATCH] Fixed permission lookup
Rob Crittenden rcrit...@redhat.com wrote:
Jan Zelený wrote:
Martin Kosek mko...@redhat.com wrote:
On Thu, 2011-01-27 at 11:15 +0100, Jan Zelený wrote:
Lookup based on --filter wasn't implemented at all. It didn't show until now, because of a bug sitting on top of it which was resulting in an internal error. This patch fixes the bug and adds the filtering functionality. https://fedorahosted.org/freeipa/ticket/818

NACK. Did you build this patch on current master? Because in your patch, you removed changes in permission-find from my previous patch 017 "ACI plugin supports prefixes". After your patch, permission-find fails:
$ ipa permission-find
ipa: ERROR: 'aciprefix' is required
Martin

Sorry, I accidentally mixed the code with a part of the older one. Sending corrected patch.
Jan

I think the more stuff in baseldap.py:LDAPSearch() was there because adding entries in a post_callback wasn't working. It only let you reduce the number or modify what was already there IIRC.

From what I know, lists should allow you to expand them without any problems (not sure how the concept is called in Python, Pavel told me about it). Also I didn't encounter any problems with this approach (and the post callback actually adds some entries), that's why I changed it the way I did.
Jan
Re: [Freeipa-devel] [PATCH] 0074 Add requires
Dmitri Pal d...@redhat.com wrote:
On 01/27/2011 05:27 AM, Jan Zelený wrote:
Simo Sorce sso...@redhat.com wrote:
First part of ticket #855. Add the requires we will need on F15, tested against jdennis ipa-devel repo, works as expected.
Simo.

The patch is obviously ok, so ack from this point of view. But I would just like to know if it is necessary. I just inspected the F15 pki-ca package from the nightly repo - it does Require pki-ca-theme= 9.0.0 (which is provided by dogtag-pki-ca-theme) and we will be requiring pki-ca. I suspect a similar situation will be for dogtag-pki-common-theme. So I don't see why we should explicitly Require both packages ourselves.

Have you seen the explanation that Matthew Harmsen put together about all the theme packages? I do not know if this would make things cleaner. I will send it off list.

Yes, I've read it and I understand now. Thanks for the info.
Jan
Re: [Freeipa-devel] [PATCH] Raise ValidationError when adding unallowed attribute to search fields.
Pavel Zuna pz...@redhat.com wrote:
Depends on my previous patch number 64 (posted on the list 2 minutes ago). Ticket #845
Pavel

ack
Jan
Re: [Freeipa-devel] [PATCH] Add ldap2 method to retrieve allowed attributes for specified objectClasses.
Pavel Zuna pz...@redhat.com wrote:
ldap2.get_allowed_attributes(['posixuser']) returns a list of unicode all lower case attribute names allowed for the object class 'posixuser'. You can enter as many object classes as you want.
Pavel

ack
Jan
Re: [Freeipa-devel] [PATCH] Add support for account unlocking
Jan Zeleny jzel...@redhat.com wrote:
This patch adds command ipa user-unlock and some LDAP modifications which are required by Kerberos for unlocking to work. Ticket: https://fedorahosted.org/freeipa/ticket/344
Jan

Just a reminder that this patch needs a review.
Thanks
Jan
[Freeipa-devel] [PATCH] Provide a way to display CLI-LDAP attribute relation
Since some LDAP attributes have their cli_name value defined, so they can be more user friendly, it can be difficult for the user to find out which attributes the parameters given to the CLI really represent. This patch provides a new command, which will take another IPA command as an argument and display the attributes which the given command takes and what LDAP attributes they are mapped to. https://fedorahosted.org/freeipa/ticket/447

When reviewing, please pay attention to line 39 of the patch (detection of the 'webui' in param.excludes). I think this is the right approach, but I'm not 100% sure.
Thanks
Jan

From 6021801d788893ae467facd79379a8dfcf5842f7 Mon Sep 17 00:00:00 2001
From: Jan Zeleny jzel...@redhat.com
Date: Wed, 26 Jan 2011 13:09:26 +0100
Subject: [PATCH] Provide a way to display CLI-LDAP relation

Since some LDAP attributes have their cli_name value defined, so they can be more user friendly, it can be difficult for the user to find out which attributes the parameters given to the CLI really represent. This patch provides a new command, which will take another IPA command as an argument and display the attributes which the given command takes and what LDAP attributes they are mapped to. https://fedorahosted.org/freeipa/ticket/447
---
 ipalib/cli.py | 21 +
 1 files changed, 21 insertions(+), 0 deletions(-)

diff --git a/ipalib/cli.py b/ipalib/cli.py
index 2d219b71bd1a17b0dc2977b3b7048d8318203c63..c2e8bdcf646d7f2c1a06de5053c1c82ee61695af 100644
--- a/ipalib/cli.py
+++ b/ipalib/cli.py
@@ -786,6 +786,26 @@ class help(frontend.Local): print ' %s %s' % (to_cli(c.name).ljust(mcl), c.summary) print \n +class show_mappings(frontend.Command): +takes_args = (Bytes('command_name'),) +has_output = tuple() + +def run(self, command_name): +command_name = from_cli(command_name) +if command_name not in self.Command: +print 'error: TODO fill in the text' +params = self.Command[command_name].options +out = [('Parameter','LDAP attribute'), + ('=','==')] +mcl = len(out[0][0]) +for param in params(): +if param.exclude and 'webui' in param.exclude: +continue +out.append((param.cli_name, param.param_spec)) +mcl = max(mcl,len(param.cli_name)) +for item in out: +print to_cli(item[0]).ljust(mcl)+' : '+item[1] + class console(frontend.Command): Start the IPA interactive Python console. @@ -1054,6 +1074,7 @@ cli_plugins = ( textui, console, help, +show_mappings, ) -- 1.7.3.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
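Review bot: in the show_mappings hunk the unknown-command branch prints the placeholder 'error: TODO fill in the text' and then falls through to `self.Command[command_name]`, which raises KeyError; raise the same error the help command raises for an unknown command and drop the placeholder before this goes in. `param.param_spec` is the parameter spec string including the optionality suffix (a trailing `?` or `*`, as in `Str('version?', ...)` in the API.txt lines elsewhere on this page), not the LDAP attribute name, and not every option is backed by an attribute, so print `param.name` and skip params whose `attribute` flag is unset; that is also a more direct test than the `'webui' in param.exclude` check asked about in the message, which keys on where a param is shown rather than on whether it maps to an LDAP attribute.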
Re: [Freeipa-devel] [PATCH] 041 Add example of DNS SRV record and a simple validator
Jakub Hrozek jhro...@redhat.com wrote:
On 01/26/2011 03:38 PM, Jakub Hrozek wrote:
https://fedorahosted.org/freeipa/ticket/846

This version contains a better example (consistent zone name).

ack
Jan
Re: [Freeipa-devel] [PATCH] 041 Add example of DNS SRV record and a simple validator
Rob Crittenden rcrit...@redhat.com wrote:
Jakub Hrozek wrote:
On 01/26/2011 03:38 PM, Jakub Hrozek wrote:
https://fedorahosted.org/freeipa/ticket/846

This version contains a better example (consistent zone name).

This requires a change to API.txt too, otherwise the patch looks good.

Sorry for not catching that. I have problems with API.txt on a regular basis, so I call makeapi before each compilation. I'm not sure why I have these problems, happens on a clean master. I recall seeing some information about it somewhere, but I don't know exactly what it was.
Jan
Re: [Freeipa-devel] [PATCH] Changed dns permission types
Rob Crittenden rcrit...@redhat.com wrote:
Jan Zelený wrote:
Rob Crittenden rcrit...@redhat.com wrote:
Jan Zelený wrote:
Recent change of DNS module to version caused that dns object type was replaced by dnszone and dnsrecord. This patch corrects dns types in permissions class. https://fedorahosted.org/freeipa/ticket/646

Nack. These values need to be added as valid types to the aci plugin and the _type_map needs to be updated.
rob

I'm sending an updated patch.
Jan

Since dnszone and dnsrecord point to the same kind of entry what is the point of having two separate names for them? When we read the entry we aren't going to be able to differentiate between the two.

I didn't take a look at how the type thing works, so I'm kinda guessing here (please ignore the comment if it is wrong): Sure, an object with the idnszone class is always also in the dnsrecord class, but that's not the case backwards (an idnsrecord object isn't always idnszone) - so I think it is possible to set different ACIs for these two types.

Can the type be made more specific? If the mapping doesn't distinguish object classes and it can, maybe that's the answer.

Will investigate further. But if not, I still think this is the way to go considering the underlying issue which we tried to solve by this change.
Jan
Re: [Freeipa-devel] [PATCH] Changed dns permission types
Jan Zelený jzel...@redhat.com wrote:
Rob Crittenden rcrit...@redhat.com wrote:
Jan Zelený wrote:
Rob Crittenden rcrit...@redhat.com wrote:
Jan Zelený wrote:
Recent change of DNS module to version caused that dns object type was replaced by dnszone and dnsrecord. This patch corrects dns types in permissions class. https://fedorahosted.org/freeipa/ticket/646

Nack. These values need to be added as valid types to the aci plugin and the _type_map needs to be updated.
rob

I'm sending an updated patch.
Jan

Since dnszone and dnsrecord point to the same kind of entry what is the point of having two separate names for them? When we read the entry we aren't going to be able to differentiate between the two.

I didn't take a look at how the type thing works, so I'm kinda guessing here (please ignore the comment if it is wrong): Sure, an object with the idnszone class is always also in the dnsrecord class, but that's not the case backwards (an idnsrecord object isn't always idnszone) - so I think it is possible to set different ACIs for these two types.

Can the type be made more specific? If the mapping doesn't distinguish object classes and it can, maybe that's the answer.

Will investigate further. But if not, I still think this is the way to go considering the underlying issue which we tried to solve by this change.

From what I found I think that making the changes necessary to distinguish dnsrecord and dnszone is not worth it, especially since the user can use a filter for that purpose. Since having both of them doesn't have any additional value, I'm sending a new version of the patch, which is only adding the dnsrecord type.
Jan

From 0b7c6ddbc5e40e802357c01fb4d568965b77165e Mon Sep 17 00:00:00 2001
From: Jan Zeleny jzel...@redhat.com Date: Thu, 13 Jan 2011 17:32:57 +0100 Subject: [PATCH] Changed dns permission types Recent change of DNS module to version caused that dns object type was replaced by dnszone and dnsrecord. This patch corrects dns types in permissions class. https://fedorahosted.org/freeipa/ticket/646 --- ipalib/plugins/aci.py|5 +++-- ipalib/plugins/permission.py |2 +- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/ipalib/plugins/aci.py b/ipalib/plugins/aci.py index 939fe535ab01bec9be0caa1952b4a36123bcc2db..d7765488fa1c48d618030564d652a90143bd0123 100644 --- a/ipalib/plugins/aci.py +++ b/ipalib/plugins/aci.py @@ -135,7 +135,7 @@ _type_map = { 'hostgroup': 'ldap:///cn=*,%s,%s' % (api.env.container_hostgroup, api.env.basedn), 'service': 'ldap:///krbprincipalname=*,%s,%s' % (api.env.container_service, api.env.basedn), 'netgroup': 'ldap:///ipauniqueid=*,%s,%s' % (api.env.container_netgroup, api.env.basedn), -'dns': 'ldap:///idnsname=*,%s,%s' % (api.env.container_dns, api.env.basedn), +'dnsrecord': 'ldap:///idnsname=*,%s,%s' % (api.env.container_dns, api.env.basedn), } _valid_permissions_values = [ @@ -382,7 +382,7 @@ class aci(Object): cli_name='type', label=_('Type'), doc=_('type of IPA object (user, group, host, hostgroup, service, netgroup)'), -values=(u'user', u'group', u'host', u'service', u'hostgroup', u'netgroup', u'dns',), +values=(u'user', u'group', u'host', u'service', u'hostgroup', u'netgroup', u'dnsrecord'), ), Str('memberof?', cli_name='memberof', diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py index 43bb2634d34cab8d2bb8ecbce883df8008c34645..182a02cc389c970962e93c4e1653cbbfeee3f30b 100644 --- a/ipalib/plugins/permission.py +++ b/ipalib/plugins/permission.py 
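Review bot: the doc string in the second aci.py hunk still reads '(user, group, host, hostgroup, service, netgroup)' while `values` now accepts dnsrecord; update it. The `values` tuple is part of the command signature, so API.txt needs regenerating with this change (it is not in the diffstat). Note that the _type_map hunk keeps the same `ldap:///idnsname=*,...` target as before, so the rename changes only the label: a type-based permission still covers zone and record entries alike, which is the point made in the thread, and anyone who wants zone-only ACIs must add a targetfilter on objectclass, which is worth saying in the option's doc.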
@@ -121,7 +121,7 @@ class permission(LDAPObject): cli_name='type', label=_('Type'), doc=_('Type of IPA object (user, group, host, hostgroup, service, netgroup, dns)'), -values=(u'user', u'group', u'host', u'service', u'hostgroup', u'netgroup', u'dns',), +values=(u'user', u'group', u'host', u'service', u'hostgroup', u'netgroup', u'dnsrecord',), ), Str('memberof?', cli_name='memberof', -- 1.7.3.4
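Review bot: in the aci.py _type_map hunk the key 'dns' is renamed to 'dnsrecord' while its ldap:///idnsname=*,%s,%s target string is unchanged, so ACIs that were created with type 'dns' will read back as 'dnsrecord' (the type is recovered from the target), but any caller still passing type='dns' is now rejected by the updated StrEnum; that behaviour change deserves a sentence in the commit message.

Review bot: in the second aci.py hunk the values tuple gains u'dnsrecord', but the doc string two lines above it, doc=_('type of IPA object (user, group, host, hostgroup, service, netgroup)'), still lists no DNS type at all; add dnsrecord to it in the same patch. The trailing comma kept in the permission.py tuple was dropped here, a harmless but needless inconsistency.

Review bot: in the permission.py hunk doc=_('Type of IPA object (user, group, host, hostgroup, service, netgroup, dns)') still says dns while the values tuple directly below it now says dnsrecord; update the doc so the help text matches the accepted values.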
Re: [Freeipa-devel] [PATCH] 690 add brackets around optional prompts
Rob Crittenden rcrit...@redhat.com wrote:

When prompting for arguments in the cli there is no way to tell what is optional and what is required. This sticks brackets around optional arguments.

Ticket 832

rob

Ack

Jan
[Freeipa-devel] [PATCH] Add flags to enforce asking for object attribute
So far the only way to enforce asking for parameter in interactive mode was the alwaysask attribute, which is not sufficient any more. This patch adds the ability to control during which actions the attribute shall be asked for.

Jan

From 96a8b94e877f6f6bc2d5cbd274d46aa66df85b88 Mon Sep 17 00:00:00 2001 From: Jan Zeleny jzel...@redhat.com Date: Tue, 25 Jan 2011 09:06:19 -0500 Subject: [PATCH] Add flags to enforce asking for object attribute So far the only flag to enforce asking in interactive mode was the alwaysask attribute, which is not sufficient any more. This patch adds the ability to control for which actions the attribute shall be asked for. --- ipalib/crud.py | 23 --- ipalib/plugins/permission.py | 12 ++-- 2 files changed, 26 insertions(+), 9 deletions(-) diff --git a/ipalib/crud.py b/ipalib/crud.py index 76d57daef68128bafab923ce00c7afe0e290966d..b7a665361804b853da4f00de5ab2b2030c9de86c 100644 --- a/ipalib/crud.py +++ b/ipalib/crud.py @@ -141,7 +141,13 @@ class Create(Method): for option in self.obj.params_minus(self.args): if 'no_create' in option.flags: continue -yield option.clone(attribute=True) +if 'ask_create' in option.flags: +yield option.clone( +attribute=True, query=True, required=False, +autofill=False, alwaysask=True +) +else: +yield option.clone(attribute=True) if not self.extra_options_first: for option in super(Create, self).get_options(): yield option @@ -179,7 +185,13 @@ class Update(PKQuery): for option in self.obj.params_minus_pk(): if 'no_update' in option.flags: continue -yield option.clone(attribute=True, required=False, autofill=False) +if 'ask_update' in option.flags: +yield option.clone( +attribute=True, query=True, required=False, +autofill=False, alwaysask=True +) +else: +yield option.clone(attribute=True, required=False, autofill=False) if not self.extra_options_first: for option in super(Update, self).get_options(): yield option
@@ -210,7 +222,12 @@ class Search(Method): for option in self.obj.params_minus(self.args): if 'no_search' in option.flags: continue -if isinstance(option, parameters.Flag): +if 'ask_search' in option.flags: +yield option.clone( +attribute=True, query=True, required=False, +autofill=False, alwaysask=True +) +elif isinstance(option, parameters.Flag): yield option.clone_retype( option.name, parameters.Bool, attribute=True, query=True, required=False, autofill=False diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py index e97174abfaa855a36552dcfdc55049c58cb5c312..14d7b96569cc9e228bebaac37d67d6709039e164 100644 --- a/ipalib/plugins/permission.py +++ b/ipalib/plugins/permission.py @@ -116,38 +116,38 @@ class permission(LDAPObject): label=_('Attributes'), doc=_('Comma-separated list of attributes'), normalizer=lambda value: value.lower(), -alwaysask=True, +flags=('ask_create', 'ask_update'), ), StrEnum('type?', cli_name='type', label=_('Type'), doc=_('Type of IPA object (user, group, host, hostgroup, service, netgroup, dns)'), values=(u'user', u'group', u'host', u'service', u'hostgroup', u'netgroup', u'dns',), -alwaysask=True, +flags=('ask_create', 'ask_update'), ), Str('memberof?', cli_name='memberof', label=_('Member of group'), # FIXME: Does this label make sense? doc=_('Target members of a group'), -alwaysask=True, +flags=('ask_create', 'ask_update'), ), Str('filter?', cli_name='filter', label=_('Filter'), doc=_('Legal LDAP filter (e.g. ou=Engineering)'), -alwaysask=True, +flags=('ask_create', 'ask_update'), ), Str('subtree?', cli_name='subtree', label=_('Subtree'), doc=_('Subtree to apply permissions to'), -alwaysask=True, +flags=('ask_create', 'ask_update'), ), Str('targetgroup?', cli_name='targetgroup', label=_('Target group'), doc=_('User group to apply permissions to'), -alwaysask=True, +flags=('ask_create', 'ask_update'), ), ) -- 1.7.3.4
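Review bot: in the Create hunk the ask_create branch clones the option with query=True, which the plain branch (yield option.clone(attribute=True)) does not set; for a value that is about to be written by a create (and likewise by Update, whose non-ask branch also omits it) the query flag looks out of place and should be either justified in the commit message or dropped. The same five-keyword clone() call is repeated verbatim in Create, Update and Search; computing those kwargs once in a small helper would keep the three code paths from drifting apart.

Review bot: in the Search hunk the new `if 'ask_search' in option.flags:` test is placed before `elif isinstance(option, parameters.Flag):`, so a Flag parameter carrying ask_search keeps its Flag type instead of being retyped to parameters.Bool as every other Flag is for search options; if that is not intended, test the Flag case first and apply the ask_search keywords inside both branches.

Review bot: the permission.py hunk replaces alwaysask=True with flags=('ask_create', 'ask_update') on all six parameters, but the unchanged context for 'type' still carries u'dns' in its values and doc; this patch will need to be rebased against the dnsrecord rename that is also under review on this list, since both touch the same lines.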
Re: [Freeipa-devel] [PATCH] Add flags to enforce asking for object attribute
Rob Crittenden rcrit...@redhat.com wrote:
Jan Zelený wrote:

So far the only way to enforce asking for parameter in interactive mode was the alwaysask attribute, which is not sufficient any more. This patch adds the ability to control during which actions the attribute shall be asked for.

Jan

nack, this doesn't address the interactive part in ipalib/cli.py.

rob

I'm afraid I don't know what you mean. Can you please give me quick guidance on what you are referring to?

Thanks
Jan
[Freeipa-devel] [PATCH] Disable renaming to empty string
So far it was possible to rename any object using LDAPUpdate to a name with empty primary key. Since this can cause nasty problems, this patch disables empty string in --rename argument.
https://fedorahosted.org/freeipa/ticket/827

Jan

From 5d2eb85af1df7c20049e7fdc05e6a529a2b2839b Mon Sep 17 00:00:00 2001 From: Jan Zeleny jzel...@redhat.com Date: Mon, 24 Jan 2011 03:24:05 -0500 Subject: [PATCH] Disable renaming to empty string So far it was possible to rename any object using LDAPUpdate to a name with empty primary key. Since this can cause nasty problems, this patch disables empty string in --rename argument. https://fedorahosted.org/freeipa/ticket/827 --- ipalib/plugins/baseldap.py |2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py index e7ccb7724ff39a115c8931c7829d4352c3e0c691..1ef1af56947c5d0f90088b9ba2be98b8acb0278c 100644 --- a/ipalib/plugins/baseldap.py +++ b/ipalib/plugins/baseldap.py @@ -799,6 +799,8 @@ class LDAPUpdate(LDAPQuery, crud.Update): rdnupdate = False try: if self.obj.rdnattr and 'rename' in options: +if not options['rename']: +raise errors.ValidationError(name='rename', error=u'can\'t be empty') entry_attrs[self.obj.rdnattr] = options['rename'] if self.obj.rdnattr and self.obj.rdnattr in entry_attrs: -- 1.7.3.4
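Review bot: the new error text u'can\'t be empty' in the LDAPUpdate hunk is a plain unicode literal while the other user-visible strings in these plugins go through _() (e.g. doc=_('Type') in permission.py), so this message will never be translated; use error=_('can\'t be empty'). Also note that `if not options['rename']:` rejects only the empty string and None; a whitespace-only rename still reaches entry_attrs[self.obj.rdnattr] = options['rename'] and produces the same broken RDN, so consider stripping or validating the value in the same check.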
Re: [Freeipa-devel] [PATCH] Make ipa permission-add ask for optional attributes
Rob Crittenden rcrit...@redhat.com wrote:
Jan Zeleny wrote:

Either one of type, filter, subtree, targetgroup, attrs or memberof is required.
https://fedorahosted.org/freeipa/ticket/819

Jan

Do you think the prompt should be annotated somehow to indicate that the optional attributes are optional? I've been wondering about this since I added alwaysask for managing permissions, it isn't very clear that you don't have to enter something. I'm not sure how we would do it, a *, or some other indicator?

rob

That's definitely a good idea, but if we use *, I think it should be present for required arguments, otherwise it might be confusing - on the web * usually marks required fields. From this point of view square brackets are used to indicate something is optional, so what about something like [Subtree]:?

Jan
Re: [Freeipa-devel] [PATCH] 680 ldap lockout
Rob Crittenden rcrit...@redhat.com wrote:
Rob Crittenden wrote:
Jan Zelený wrote:
Rob Crittenden rcrit...@redhat.com wrote:

Update kerberos password policy values on LDAP binds. This is so locked-out accounts in kerberos don't try things using LDAP instead. On a failed bind this will update krbLoginFailedCount and krbLastFailedAuth and will potentially fail the bind altogether. On a successful bind it will zero krbLoginFailedCount and set krbLastSuccessfulAuth. This will also enforce locked-out accounts. See http://k5wiki.kerberos.org/wiki/Projects/Lockout for details on kerberos lockout.

ticket 343

Ack, good job

Jan

Simo and Nathan pointed out that the update model I'm using is vulnerable to multi-threaded attack and suggested that rather than using REPLACE I do a DELETE/ADD to be sure that I'm updating the counter appropriately. I've got the basics done, need to re-run through valgrind. Will submit another patch shortly.

rob

Updated patch attached. Be more careful when updating the failed count.

rob

The patch looks good and it works fine, if Simo doesn't have any more security comments: ACK.

Jan
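The lost-update problem Simo and Nathan raised, as an added illustration that is not part of this thread or of the FreeIPA plugin: a constructed in-memory model of an LDAP entry compares a REPLACE-based increment of krbLoginFailedCount with a single DELETE(old)/ADD(new) modify, for the case where two failed binds have both read the same count before either writes. The Entry class and its two modify methods are stand-ins for server-side LDAP semantics, not a real directory client.

```python
class NoSuchAttribute(Exception):
    """Models LDAP noSuchAttribute: the value named in DELETE is not present."""


class Entry:
    """Constructed stand-in for an LDAP entry holding krbLoginFailedCount."""

    def __init__(self, failed=0):
        # A set models LDAP's multi-valued storage; the counter holds one value.
        self.attrs = {"krbLoginFailedCount": {str(failed)}}

    def read(self):
        return int(next(iter(self.attrs["krbLoginFailedCount"])))

    def modify_replace(self, value):
        # REPLACE overwrites whatever is stored, regardless of what the writer
        # read earlier: a writer holding a stale count silently discards newer ones.
        self.attrs["krbLoginFailedCount"] = {str(value)}

    def modify_delete_add(self, old, new):
        # One modify carrying DELETE(old) + ADD(new) is applied atomically by the
        # server: if `old` is no longer the stored value the DELETE fails with
        # noSuchAttribute and the whole modify is rejected, leaving the entry as is.
        values = self.attrs["krbLoginFailedCount"]
        if str(old) not in values:
            raise NoSuchAttribute("%s not present, entry holds %s" % (old, values))
        self.attrs["krbLoginFailedCount"] = (values - {str(old)}) | {str(new)}


def increment_with_replace(entry, snapshots):
    """Each snapshot is the count one failed bind read before it writes back."""
    for old in snapshots:
        entry.modify_replace(old + 1)
    return entry.read()


def increment_with_delete_add(entry, snapshots):
    """Same interleaving; a writer with a stale count is rejected and retries."""
    for old in snapshots:
        while True:
            try:
                entry.modify_delete_add(old, old + 1)
                break
            except NoSuchAttribute:
                old = entry.read()  # re-read the current count and try again
    return entry.read()
```

With two binds that both read 0, the REPLACE model ends at 1 (one failure is lost) while the DELETE/ADD model ends at 2, which is what a lockout counter must record.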
[Freeipa-devel] Mapping of CLI attributes to LDAP attributes
Hi,

I've been thinking about the concept of mapping CLI attributes to LDAP attributes (ticket #447) and I'd like to get a second opinion.

The simplest solution would be to add this functionality to the existing help. For the sake of lucidity, it should be hidden by default. To achieve this a new parameter (e.g. --fullhelp) would be created. The question now is if this approach is suitable for WebUI and whether it is even needed for WebUI.

Another approach might be to create a new command, e.g. mapping-show, which would take one argument - either the name of the LDAP object for which we want to show all mappings or (better) directly a command. Here are examples of how it could be invoked:

ipa mapping-show user / ipa mapping-show user-add
ipa mapping-show hbacrule / ipa mapping-show hbacrule-add

So these are my ideas. Some questions? Comments? Other ideas? I welcome any input.

--
Thank you
Jan Zeleny

Red Hat Software Engineer
Brno, Czech Republic