Re: [Freeipa-devel] [PATCH] Fix script tags in index.xhtml. End tag is required.
On 08/19/2010 08:26 PM, Adam Young wrote: On 08/19/2010 06:51 PM, Pavel Zůna wrote: On 2010-08-20 00:48, Pavel Zůna wrote: The paste server had some issues with it and end tags are required by the standard anyway. Pavel I forgot to mention that this applies after Adam's 0009 patch (updated Hash Params). Pavel ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel Is this only a problem on the javascript tags, or are we going to see a problem on all of the xhtml that doesn't use closing tags? Either way, it should be filed as an upstream bug. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel ACK. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] Hash Params Redux
On 08/19/2010 06:41 PM, Pavel Zůna wrote: On 2010-08-18 22:59, Adam Young wrote: The patch replaces the earlier Hash Params patch. It fixs the build issues, and fixes the group details page as well. Git still reports white space errors, but that's hardly a show stopper. ACK. Pavel Removed white space errors and pushed to master ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] admiyo 0012 ldap_initialize
On 08/19/2010 08:31 PM, Adam Young wrote:
On 08/19/2010 05:45 PM, Rob Crittenden wrote:
Adam Young wrote:
Gets rid of the last of our compiler warnings by removing a deprecated
function call :ldap_init should be replaced with ldap_initialize.
https://fedorahosted.org/freeipa/attachment/ticket/151/admiyo-freeipa-0012-ldap_initialize.patch
I think the scheme should be ldaps and not ldap in the port 636 case.
I'm not sure you need/want to set errno either.
rob
I think you are right on "ldaps". I'm guesiing we don't havea test
case for that/ As for errno, malloc will set it to ENOMEM, so we
should probably leave it.
I'll post an updated patch.
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
ldaps.
Not setting errno
>From f1ba1a7071bd32aa84e494e7c61f0e124967fb07 Mon Sep 17 00:00:00 2001
From: Adam Young
Date: Thu, 19 Aug 2010 16:49:50 -0400
Subject: [PATCH] ldap_initialize
the code was calling ldap_init, which is a deprecated function, and getting a compilation warning. This version uses the recommended function ldap_initilaize.
---
ipa-client/ipa-getkeytab.c | 27 ---
1 files changed, 24 insertions(+), 3 deletions(-)
diff --git a/ipa-client/ipa-getkeytab.c b/ipa-client/ipa-getkeytab.c
index 4bbbf1c..b8701c5 100644
--- a/ipa-client/ipa-getkeytab.c
+++ b/ipa-client/ipa-getkeytab.c
@@ -481,6 +481,23 @@ int filter_keys(krb5_context krbctx, struct keys_container *keys,
return n;
}
+static int ipa_ldap_init(LDAP ** ld, const char * scheme, const char * servername, const int port)
+{
+ char* url = NULL;
+ int url_len = snprintf(url,0,"%s://%s:%d",scheme,servername,port) +1;
+
+ url = (char *)malloc (url_len);
+ if (!url){
+ fprintf(stderr, "Out of memory \n");
+ return LDAP_NO_MEMORY;
+ }
+ sprintf(url,"%s://%s:%d",scheme,servername,port);
+ int rc = ldap_initialize(ld, url);
+
+ free(url);
+ return rc;
+}
+
static int ldap_set_keytab(krb5_context krbctx,
const char *servername,
const char *principal_name,
@@ -526,13 +543,17 @@ static int ldap_set_keytab(krb5_context krbctx,
if (ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, "/etc/ipa/ca.crt") != LDAP_OPT_SUCCESS) {
goto error_out;
}
-
- ld = ldap_init(servername, 636);
+
+ if ( ipa_ldap_init(&ld, "ldaps",servername, 636) != LDAP_SUCCESS){
+ goto error_out;
+ }
if (ldap_set_option(ld, LDAP_OPT_X_TLS, &ssl) != LDAP_OPT_SUCCESS) {
goto error_out;
}
} else {
- ld = ldap_init(servername, 389);
+ if (ipa_ldap_init(&ld, "ldap",servername, 389) != LDAP_SUCCESS){
+ goto error_out;
+ }
}
if(ld == NULL) {
--
1.7.1
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] admiyo 0012 ldap_initialize
On 08/19/2010 05:45 PM, Rob Crittenden wrote: Adam Young wrote: Gets rid of the last of our compiler warnings by removing a deprecated function call :ldap_init should be replaced with ldap_initialize. https://fedorahosted.org/freeipa/attachment/ticket/151/admiyo-freeipa-0012-ldap_initialize.patch I think the scheme should be ldaps and not ldap in the port 636 case. I'm not sure you need/want to set errno either. rob I think you are right on "ldaps". I'm guesiing we don't havea test case for that/ As for errno, malloc will set it to ENOMEM, so we should probably leave it. I'll post an updated patch. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] Fix script tags in index.xhtml. End tag is required.
On 08/19/2010 06:51 PM, Pavel Zůna wrote: On 2010-08-20 00:48, Pavel Zůna wrote: The paste server had some issues with it and end tags are required by the standard anyway. Pavel I forgot to mention that this applies after Adam's 0009 patch (updated Hash Params). Pavel ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel Is this only a problem on the javascript tags, or are we going to see a problem on all of the xhtml that doesn't use closing tags? Either way, it should be filed as an upstream bug. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] Sample Metadata
On 08/19/2010 05:48 PM, Rob Crittenden wrote: Adam Young wrote: This is a trivial patch (despite its length) which is a snapshot of the output of the metadata plugin. This is required to do serverless development, but does not impact the deployed code. ACK I removed a slew of trailing whitespace and pushed this to master rob Git white space errors are propbably worth ignoring for stuff like this. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] Fix script tags in index.xhtml. End tag is required.
On 2010-08-20 00:48, Pavel Zůna wrote: The paste server had some issues with it and end tags are required by the standard anyway. Pavel I forgot to mention that this applies after Adam's 0009 patch (updated Hash Params). Pavel ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] Hash Params Redux
On 2010-08-18 22:59, Adam Young wrote: The patch replaces the earlier Hash Params patch. It fixs the build issues, and fixes the group details page as well. Git still reports white space errors, but that's hardly a show stopper. ACK. Pavel ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] Sample Metadata
Adam Young wrote: This is a trivial patch (despite its length) which is a snapshot of the output of the metadata plugin. This is required to do serverless development, but does not impact the deployed code. ACK I removed a slew of trailing whitespace and pushed this to master rob ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] admiyo 0012 ldap_initialize
Adam Young wrote: Gets rid of the last of our compiler warnings by removing a deprecated function call :ldap_init should be replaced with ldap_initialize. https://fedorahosted.org/freeipa/attachment/ticket/151/admiyo-freeipa-0012-ldap_initialize.patch I think the scheme should be ldaps and not ldap in the port 636 case. I'm not sure you need/want to set errno either. rob ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] admiyo 0012 ldap_initialize
Gets rid of the last of our compiler warnings by removing a deprecated
function call :ldap_init should be replaced with ldap_initialize.
https://fedorahosted.org/freeipa/attachment/ticket/151/admiyo-freeipa-0012-ldap_initialize.patch
>From 348947c5bd240395f5e9295fe5c8d4d4d097fde1 Mon Sep 17 00:00:00 2001
From: Adam Young
Date: Thu, 19 Aug 2010 16:49:50 -0400
Subject: [PATCH] ldap_initialize
the code was calling ldap_init, which is a deprecated function, and getting a compilation warning. This version uses the recommended function ldap_initilaize.
---
ipa-client/ipa-getkeytab.c | 26 --
1 files changed, 24 insertions(+), 2 deletions(-)
diff --git a/ipa-client/ipa-getkeytab.c b/ipa-client/ipa-getkeytab.c
index 4bbbf1c..90b7bbc 100644
--- a/ipa-client/ipa-getkeytab.c
+++ b/ipa-client/ipa-getkeytab.c
@@ -481,6 +481,24 @@ int filter_keys(krb5_context krbctx, struct keys_container *keys,
return n;
}
+static int ipa_ldap_init(LDAP ** ld, const char * scheme, const char * servername, const int port)
+{
+ char* url = NULL;
+ int url_len = snprintf(url,0,"%s://%s:%d",scheme,servername,port) +1;
+
+ url = (char *)malloc (url_len);
+ if (!url){
+ fprintf(stderr, "Out of memory \n");
+ errno = LDAP_NO_MEMORY;
+ return LDAP_NO_MEMORY;
+ }
+ sprintf(url,"%s://%s:%d",scheme,servername,port);
+ int rc = ldap_initialize(ld, url);
+
+ free(url);
+ return rc;
+}
+
static int ldap_set_keytab(krb5_context krbctx,
const char *servername,
const char *principal_name,
@@ -527,12 +545,16 @@ static int ldap_set_keytab(krb5_context krbctx,
goto error_out;
}
- ld = ldap_init(servername, 636);
+ if ( ipa_ldap_init(&ld, "ldap",servername, 636) != LDAP_SUCCESS){
+ goto error_out;
+ }
if (ldap_set_option(ld, LDAP_OPT_X_TLS, &ssl) != LDAP_OPT_SUCCESS) {
goto error_out;
}
} else {
- ld = ldap_init(servername, 389);
+ if (ipa_ldap_init(&ld, "ldap",servername, 389) != LDAP_SUCCESS){
+ goto error_out;
+ }
}
if(ld == NULL) {
--
1.7.1
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] Sudoers schema
On Thu, Aug 19, 2010 at 02:47:33PM -0400, Rob Crittenden wrote: > Dmitri Pal wrote: > >Hello, > > > >It occurred to me that we can have a compromise. We can have two ways > >and let the admins to decide which model to follow. > >So the schema will look like this: > >The sudo rule entry will have a string attribute to put a command > >verbatim as it is designed now and an attribute that contains a DN of a > >group of the commands (or points to commands individually). > > > >It seems though that instead of having separate objects for a command > >with just one attribute (the command itself) and then have an group of > >commands object with pointer to individual commands we can have just a > >command group object with a multi value attribute for commands entered > >verbatim. > >This way we probably even do not need to have two attributes as I > >proposed above. > > A creative solution but I'd almost rather go with the complex way > than this. If you wanted to change a command-line you'd have to > manually go through all the groups and change them one at a time. > > I'm not 100% opposed to the command and group-of-commands interface > I just wonder if in the typical case it isn't overkill. For those > with thousands of sudo rules it may make a lot of sense. My initial > objection was it seemed to be over-engineered, a Bentley when a > Pinto would do :-) > > > > >Sorry for designing on the fly. > >So options are: > >1) Leave as designed - does not provide a good role management (Nack) > >2) Revert to original - too complex and limiting (Nack) > >3) Have a hybrid of 1)& 2) represented by two attributes > >4) Make the rule reference an object named command group. The command > >group object will have a mv attribute with the commands > > > >IMO the last one is the simple compromise that addresses both concerns. > > Let me tell you how this would work on the command line. We'd likely > have 3 plugins (I'm not married to these names, they are just > illustrative): > > - sudo_cmds: CRUD for managing the individual commands > - sudo_group: CRUD for grouping sudo_cmds into groups of commands > - sudo_rules: CRUD for managing the rules themselves, the core of > which assigning sudo_groups and/or sudo_cmds to it. +1 if we want to have groups we should use this design, because this is the way other objects like hosts or services are handled in IPA. > > I gather that a sudo command would use the memberOf plugin to be a > member of a sudo group, right? Could that be skipped? It does help > us know what groups use a given command but we can run a query to > find that if necessary. That might alleviate Simo's concern that > memberOf isn't free. As Jakub mentioned earlier sudo creates search filters based on the user and his group memberships. So I think the memberOf plugin is not needed. bye, Sumit > > The other problem with multi-value commands is we don't yet have a > nice way on the command-line to manage them. You'd want to be able > to do things like "delete the 3rd of these 5" or "modify the 7th one > to this", etc. > > rob > > ___ > Freeipa-devel mailing list > Freeipa-devel@redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] Sudoers schema
Dmitri Pal wrote: Hello, It occurred to me that we can have a compromise. We can have two ways and let the admins to decide which model to follow. So the schema will look like this: The sudo rule entry will have a string attribute to put a command verbatim as it is designed now and an attribute that contains a DN of a group of the commands (or points to commands individually). It seems though that instead of having separate objects for a command with just one attribute (the command itself) and then have an group of commands object with pointer to individual commands we can have just a command group object with a multi value attribute for commands entered verbatim. This way we probably even do not need to have two attributes as I proposed above. A creative solution but I'd almost rather go with the complex way than this. If you wanted to change a command-line you'd have to manually go through all the groups and change them one at a time. I'm not 100% opposed to the command and group-of-commands interface I just wonder if in the typical case it isn't overkill. For those with thousands of sudo rules it may make a lot of sense. My initial objection was it seemed to be over-engineered, a Bentley when a Pinto would do :-) Sorry for designing on the fly. So options are: 1) Leave as designed - does not provide a good role management (Nack) 2) Revert to original - too complex and limiting (Nack) 3) Have a hybrid of 1)& 2) represented by two attributes 4) Make the rule reference an object named command group. The command group object will have a mv attribute with the commands IMO the last one is the simple compromise that addresses both concerns. Let me tell you how this would work on the command line. We'd likely have 3 plugins (I'm not married to these names, they are just illustrative): - sudo_cmds: CRUD for managing the individual commands - sudo_group: CRUD for grouping sudo_cmds into groups of commands - sudo_rules: CRUD for managing the rules themselves, the core of which assigning sudo_groups and/or sudo_cmds to it. I gather that a sudo command would use the memberOf plugin to be a member of a sudo group, right? Could that be skipped? It does help us know what groups use a given command but we can run a query to find that if necessary. That might alleviate Simo's concern that memberOf isn't free. The other problem with multi-value commands is we don't yet have a nice way on the command-line to manage them. You'd want to be able to do things like "delete the 3rd of these 5" or "modify the 7th one to this", etc. rob ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] admiyo-freeipa-0011 const correctness in ipa-client
https://fedorahosted.org/freeipa/attachment/ticket/148/admiyo-freeipa-0011-const-correctness.patch
made the data type for server consistent and correct across its usage.
>From 30d494247a84b96f78183225c6fdd67be0d2827d Mon Sep 17 00:00:00 2001
From: Adam Young
Date: Thu, 19 Aug 2010 08:01:09 -0400
Subject: [PATCH] const correctness
made the data type for server consistant and correct across its usage
---
ipa-client/ipa-join.c |6 +++---
1 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/ipa-client/ipa-join.c b/ipa-client/ipa-join.c
index 217ebce..d18461f 100644
--- a/ipa-client/ipa-join.c
+++ b/ipa-client/ipa-join.c
@@ -265,7 +265,7 @@ done:
}
static int
-get_subject(const char *ipaserver, char *ldap_base, char **subject)
+get_subject(const char *ipaserver, char *ldap_base, const char **subject)
{
LDAP *ld = NULL;
char *attrs[] = {"ipaCertificateSubjectBase", NULL};
@@ -358,7 +358,7 @@ join_ldap(const char *ipaserver, const char *hostname, const char ** binddn, con
goto done;
}
-if (get_subject(ipaserver, ldap_base, &subject) != 0) {
+if (get_subject(ipaserver, ldap_base, subject) != 0) {
fprintf(stderr, "Unable to determine certificate subject of %s\n", ipaserver);
/* Not a critical failure */
}
@@ -441,7 +441,7 @@ ldap_done:
free(filter);
free(search_base);
free(ldap_base);
-free(subject);
+free((void *)*subject);
if (ld != NULL) {
ldap_unbind_ext(ld, NULL, NULL);
}
--
1.7.1
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 505 make logging more configurable
Adam Young wrote: On 08/10/2010 10:03 AM, Rob Crittenden wrote: Make the server log level more configurable, not defaulting to debug. This disables debug output in the Apache log by default. If you want increased output create /etc/ipa/server.conf and set it to: [global] debug=True If this is too much output you can select verbose output instead: [global] debug=False verbose=True ticket 60 rob ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel ACK pushed to master ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 513 global size and time limit patch
Adam Young wrote: On 08/18/2010 02:18 PM, Rob Crittenden wrote: Use the global time and size limits on searches if not user-provided. This removes the default settings for searching but the option is still there. I also added a test to ensure that the limit is properly enforced and the truncated flag is set. rob ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel ACK pushed to master ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 507 add support for ldap:///self bind rules in the aci plugin
Adam Young wrote: On 08/10/2010 01:24 PM, Rob Crittenden wrote: Add support for ldap:///self bind rules This is added mainly so the self service rules can be updated without resorting to ldapmodify. ticket 80 rob ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel ACK. pushed to master ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] Fwd: [Freeipa-users] [PATCH] 511 improve dogtag install feedback and add arg to pkisilent
Adam Young wrote: On 08/16/2010 05:56 PM, Rob Crittenden wrote: Rob Crittenden wrote: Ok, this time forward the e-mail with the patch. Updated patch. There was a merge failure in ipa.spec.in. rob ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel ACK pushed to master ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
