Re: [Freeipa-devel] [PATCH] 596 remove ipa-fix-CVE-2008-3274
On 11/03/2010 06:52 PM, Rob Crittenden wrote:
> This tool was designed to fix CVE-2008-3274. This configuration is default now in V2 so this isn't needed now.
>
> https://fedorahosted.org/freeipa/ticket/331
>
> rob

Ack

___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 595 add additional hbac services
On 11/03/2010 04:52 PM, Rob Crittenden wrote:
> Add gdm, gdm-password and kdm as default hbac services.
>
> ticket https://fedorahosted.org/freeipa/ticket/307
>
> rob

Ack
Re: [Freeipa-devel] [PATCH] freeipa-admiyo-freeipa-0073-Clear-fields-after-add.patch
On 11/05/2010 05:25 PM, Endi Sukma Dewata wrote:
> On 11/3/2010 12:03 PM, Endi Sukma Dewata wrote:
>> On 11/3/2010 8:55 AM, Adam Young wrote:
>>> I suspect then that the service add dialog is wrong. This behaviour has been spec'ed and working for a long time. What does it break?
>>
>> The field.setup(dialog, IPA_ADD_UPDATE) should be called before the add operation to allow constructing krbprincipalname from service name and hostname. It wouldn't make any sense to call this function after the add operation is successfully completed.
>
> Do you have an update for this patch? The problem I mentioned above is still valid. You can test it by adding a new service on a live server. Thanks.

I now see what I broke: I had mismatched the brackets.

From 5d803399af4e2fd01b288741657f2893c020ac2b Mon Sep 17 00:00:00 2001
From: Adam Young ayo...@redhat.com
Date: Mon, 1 Nov 2010 13:42:28 -0400
Subject: [PATCH] Clear fields after add

This version corrects an error in the original patch caused by matching the wrong opening brace
--- install/static/add.js | 11 +++ 1 files changed, 7 insertions(+), 4 deletions(-) diff --git a/install/static/add.js b/install/static/add.js index fbf9031..671d11f 100644 --- a/install/static/add.js +++ b/install/static/add.js @@ -131,22 +131,25 @@ function ipa_add_dialog(spec) { state[that.entity_name + '-facet'] = 'details'; state[that.entity_name + '-pkey'] = pkey[0]; $.bbq.pushState(state); +}else{ +dialog.find('input').each( function () { +$(this).val(''); +}); } } - for (var i = 0; i that.fields.length; ++i) { var field = that.fields[i]; if (field.setup) { var value = field.setup(dialog, IPA_ADD_UPDATE); if (value != null) { -if (field.name == pkey_name) +if (field.name == pkey_name){ pkey = [value]; -else +} else { options[field.name] = value; +} } } } - dialog.find('input').each(function () { var jobj = $(this); var attr = jobj.attr('name'); -- 1.7.1
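Review bot: the new `else` branch resets the dialog with `dialog.find('input').each(function () { $(this).val(''); })`, which blanks every `input` in the dialog regardless of type; `.val('')` on a checkbox or hidden input rewrites its value attribute rather than resetting it, so narrow the selector (`input[type=text]`) or reset through each entry in `that.fields`, which is also the list the loop that follows reads back via `field.setup`.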
[Freeipa-devel] [PATCH] 605 use diff user for dogtag DS instance
Use a different user for the dogtag DS instance. This prevents an error during uninstall of trying to remove the dirsrv user when the dogtag DS instance is removed.

I also added an ipactl stop to the beginning of the uninstall process. We will try to stop each service individually during uninstall but stopping them all first is cleaner. It's how I've been uninstalling anything for months now (ipactl stop && ipa-server-install --uninstall -U).

ticket https://fedorahosted.org/freeipa/ticket/349

rob

From a0a63a231f44570f2f7de09e69c0edd5b2f339d6 Mon Sep 17 00:00:00 2001
From: Rob Crittenden rcrit...@redhat.com
Date: Mon, 8 Nov 2010 11:05:37 -0500
Subject: [PATCH] Use a different user for dogtag DS instance

Also shut down all services before starting uninstall.

ticket 349
--- install/tools/ipa-server-install |9 - 1 files changed, 8 insertions(+), 1 deletions(-) diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index af96dde..282d17a 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install @@ -380,6 +380,13 @@ def check_dirsrv(unattended): def uninstall(): +print Shutting down all IPA services +try: +(stdout, stderr, rc) = run([/usr/sbin/ipactl, stop], raiseonerr=False) +except Exception, e: +pass + +print Removing IPA client configuration try: (stdout, stderr, rc) = run([/usr/sbin/ipa-client-install, --on-master, --unattended, --uninstall], raiseonerr=False) if rc not in [0,2]: @@ -678,7 +685,7 @@ def main(): if options.external_cert_file is None: cs = cainstance.CADSInstance() -cs.create_instance(ds_user, realm_name, host_name, domain_name, dm_password) +cs.create_instance(pkisrv, realm_name, host_name, domain_name, dm_password) ca = cainstance.CAInstance() if external == 0: ca.configure_instance(pkiuser, host_name, dm_password, dm_password, subject_base=options.subject) -- 1.7.2.1
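Review bot: in the new `uninstall()` block, `except Exception, e: pass` hides every failure of `run([/usr/sbin/ipactl, stop], raiseonerr=False)`, including the binary being missing, and `e` is never used; `raiseonerr=False` already covers a non-zero exit, so either drop the try/except or log `e` and the returned `rc`, otherwise a half-stopped dirsrv or krb5kdc is invisible in the uninstall log before the instance removal that follows.

Review bot: in the `main()` hunk `cs.create_instance(pkisrv, ...)` replaces the `ds_user` argument with a name that differs from the `pkiuser` passed to `ca.configure_instance` two lines below; state in the commit message whether the dogtag DS instance and the CA are meant to run as two different accounts, and confirm `pkisrv` is created before this call and handled by `uninstall()`, since the stated reason for the change is that removing the shared dirsrv user failed.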
Re: [Freeipa-devel] [PATCH] freeipa-admiyo-freeipa-0073-Clear-fields-after-add.patch
On 11/8/2010 9:13 AM, Adam Young wrote:
> On 11/05/2010 05:25 PM, Endi Sukma Dewata wrote:
>> On 11/3/2010 12:03 PM, Endi Sukma Dewata wrote:
>>> On 11/3/2010 8:55 AM, Adam Young wrote:
>>>> I suspect then that the service add dialog is wrong. This behaviour has been spec'ed and working for a long time. What does it break?
>>>
>>> The field.setup(dialog, IPA_ADD_UPDATE) should be called before the add operation to allow constructing krbprincipalname from service name and hostname. It wouldn't make any sense to call this function after the add operation is successfully completed.
>>
>> Do you have an update for this patch? The problem I mentioned above is still valid. You can test it by adding a new service on a live server. Thanks.
>
> I now see what I broke: I had mismatched the brackets.

ACKed and pushed to master.

-- 
Endi S. Dewata
[Freeipa-devel] Fields in the tickets
Hi,

Please do not forget to check the "Affects CLI" and newly added "Affects DOC" checkboxes when closing tickets, when the work done changes the signature or output of the CLI or needs to be documented.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
[Freeipa-devel] [PATCH] admiyo-0077-Disable-Enable-user
From 321c0afc7d0998ce120c9c68bb20e4f3672c0c68 Mon Sep 17 00:00:00 2001 From: Adam Young ayo...@redhat.com Date: Mon, 8 Nov 2010 12:57:16 -0500 Subject: [PATCH] Disable Enable user UI updated to use the enable and disable methods, and to correctly report them Implementation has a few shortcomings: 1. Status is displayed in Browser alert dialog, not JQueryUI themed 2. Upon completion of RPC, navigate back to the Search page. Still, this is much less broken than before. --- install/static/test/data/user_disable.json |9 ++ install/static/test/data/user_enable.json |9 ++ install/static/user.js | 121 ++-- 3 files changed, 61 insertions(+), 78 deletions(-) create mode 100644 install/static/test/data/user_disable.json create mode 100644 install/static/test/data/user_enable.json diff --git a/install/static/test/data/user_disable.json b/install/static/test/data/user_disable.json new file mode 100644 index ..99562db521ce165858fe2a35234c9d9f947c6260 --- /dev/null +++ b/install/static/test/data/user_disable.json @@ -0,0 +1,9 @@ +{ +error: null, +id: 6, +result: { +result: true, +summary: Disabled user account \rfrank\, +value: rfrank +} +} \ No newline at end of file diff --git a/install/static/test/data/user_enable.json b/install/static/test/data/user_enable.json new file mode 100644 index ..c4f9298e5db26c61074c414eb376dd26cf49f5b1 --- /dev/null +++ b/install/static/test/data/user_enable.json @@ -0,0 +1,9 @@ +{ +error: null, +id: 6, +result: { +result: true, +summary: Enabled user account \rfrank\, +value: rfrank +} +} \ No newline at end of file diff --git a/install/static/user.js b/install/static/user.js index 1b6054d7e29b55d810b72a595ebcf5061291aed7..f7cb83db733975d9df7cb4ea33e5855327b91629 100644 --- a/install/static/user.js +++ b/install/static/user.js 
@@ -48,7 +48,8 @@ ipa_entity_set_details_definition('user', [ input({name:'displayname', label:'Dispaly Name'}). input({name:'initials', label:'Initials'}), ipa_stanza({name:'account', label:'Account Details'}). -input({name:'status', label:'Account Status', load:user_status_load}). +input({name:'nsaccountlock', label:'Account Status', + load:user_status_load}). input({name:'uid', label:'Login'}). input({name:'userpassword', label:'Password', 
@@ -81,96 +82,60 @@ ipa_entity_set_association_definition('user', { 'taskgroup': { associator: 'serial' } }); -/* Account status Toggle button */ -function toggle_on_click(obj) -{ -var jobj = $(obj); -var val = jobj.attr('title'); -if (val == 'Active') { -ipa_cmd( -'lock', [qs['pkey']], {}, on_lock_win, on_fail, -IPA.metadata['user']['name'] -); -} else { -ipa_cmd( -'unlock', [qs['pkey']], {}, on_lock_win, on_fail, -IPA.metadata['user']['name'] -); -} -return (false); -} -function on_lock_win(data, textStatus, xhr) -{ -if (data['error']) { -alert(data['error']['message']); -return; -} -var jobj = $('a[title=Active]'); -if (jobj.length) { -if (ipa_details_cache) { -var memberof = ipa_details_cache['memberof']; -if (memberof) { -memberof.push( -'cn=inactivated,cn=account inactivation' -); -} else { -memberof = ['cn=inactivated,cn=account inactivation']; -} -ipa_details_cache['memberof'] = memberof; -a_status(jobj.parent().prev(), ipa_details_cache); -jobj.parent().remove() -} -return; -} - -var jobj = $('a[title=Inactive]'); -if (jobj.length) { -if (ipa_details_cache) { -var memberof = ipa_details_cache['memberof']; -if (memberof) { -for (var i = 0; i memberof.length; ++i) { -if (memberof[i].indexOf('cn=inactivated,cn=account inactivation') != -1) { -memberof.splice(i, 1); -break; -} -} -} else { -memberof = []; -} -ipa_details_cache['memberof'] = memberof; -a_status(jobj.parent().prev(), ipa_details_cache); -jobj.parent().remove(); -} -return; -} -} /* ATTRIBUTE CALLBACKS */ -var toggle_temp = 'S a href=jslink onclick=return (toggle_on_click(this)) title=SToggle/a'; + function user_status_load(container, result) { +var lock_field = 'nsaccountlock'; + var dt = $('dt[title='+this.name+']', container); if (!dt.length) return; -var memberof = result['memberof']; -var dd; +var locked = result[lock_field]
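Review bot: in the hunk at @@ -48 the Account Status field is rebound to `nsaccountlock` with `load:user_status_load`, but the unchanged context line just above it still reads `label:'Dispaly Name'` for displayname; fix the label while this definition is being edited.

Review bot: in the hunk at @@ -81 the rewrite of `user_status_load` is cut off at `var locked = result[lock_field]`; the server hands nsaccountlock back as a string, and per the review in this thread in mixed case (`true` / `False`), so a bare truthiness test on that value treats the string "False" as locked; compare `String(result[lock_field]).toLowerCase() === 'true'`. The deleted `on_lock_win` also kept `cn=inactivated,cn=account inactivation` in `ipa_details_cache['memberof']` in step with each toggle; with that gone, check that no other view still derives the lock state from memberof.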
Re: [Freeipa-devel] [PATCH] 599 add usercat and hostcat to netgroups
Jakub Hrozek wrote:
> On 11/04/2010 08:21 PM, Rob Crittenden wrote:
>> The netgroup plugin was missing the usercategory and hostcategory associations. This adds them and fixes displaying membership in netgroup_show.
>>
>> rob
>
> The code looks OK and works, but why use enum when there's only one allowed value? A bool switch would be more intuitive, I think..

So we don't have to change the type later. It is expected that at some point these will have additional values.

rob
[Freeipa-devel] [PATCH] 606 IPA v1.2.2 binary location fix
Fix for IPA v1.2.2 bug https://bugzilla.redhat.com/show_bug.cgi?id=650725

The problem is that in Fedora 14 the kerberos binaries were moved, so our tools all fail. This makes the run() call more generic by using PATH to find binaries.

rob

From 5c26c970f01d9fa5e1f0783d6b3326578c46eb94 Mon Sep 17 00:00:00 2001
From: Rob Crittenden rcrit...@redhat.com
Date: Mon, 8 Nov 2010 14:09:04 -0500
Subject: [PATCH] Use PATH in env when running commands to find binaries.

Fedora 14 moved the kerberos binaries from /usr/kerberos/[s]bin to /usr/[s]bin. Pass PATH to the environment in ipautil.run() so we can work universally across distributions.

Bug 650725
--- ipa-admintools/ipa-change-master-key|6 +++--- ipa-python/ipautil.py |9 ++--- ipa-radius-server/plugins/radiusinstance.py |2 +- ipa-server/ipa-fix-CVE-2008-3274|6 +++--- ipa-server/ipaserver/installutils.py|2 +- ipa-server/ipaserver/krbinstance.py |2 +- 6 files changed, 15 insertions(+), 12 deletions(-) diff --git a/ipa-admintools/ipa-change-master-key b/ipa-admintools/ipa-change-master-key index a4e9439..0c669cc 100644 --- a/ipa-admintools/ipa-change-master-key +++ b/ipa-admintools/ipa-change-master-key @@ -223,7 +223,7 @@ def main(): os.environ['KRB5_CONFIG'] = ourkrb5conf #Backup the kerberos key material for recovery if needed -args = [/usr/kerberos/sbin/kdb5_util, dump, -verbose, backupfile] +args = [kdb5_util, dump, -verbose, backupfile] print Performing safety backup of the key material try: output = ipa.ipautil.run(args) @@ -239,7 +239,7 @@ def main(): print #Convert the kerberos keys to the new master key -args = [/usr/kerberos/sbin/kdb5_util, dump, -verbose, -new_mkey_file, newstashfile, convertfile] +args = [kdb5_util, dump, -verbose, -new_mkey_file, newstashfile, convertfile] print Converting key material to new master key try: output = ipa.ipautil.run(args)
@@ -302,7 +302,7 @@ def main(): print A backup copy of the old stash file should be saved in +bkpstashfile #Finally upload the converted principals -args = [/usr/kerberos/sbin/kdb5_util, load, -verbose, -update, convertfile] +args = [kdb5_util, load, -verbose, -update, convertfile] print Uploading converted key material try: output = ipa.ipautil.run(args) diff --git a/ipa-python/ipautil.py b/ipa-python/ipautil.py index d604225..7682d99 100644 --- a/ipa-python/ipautil.py +++ b/ipa-python/ipautil.py @@ -82,12 +82,15 @@ def write_tmp_file(txt): return fd -def run(args, stdin=None): +def run(args, stdin=None, env=None): +if env is None: +env={PATH: /bin:/sbin:/usr/kerberos/bin:/usr/kerberos/sbin:/usr/bin:/usr/sbin} + if stdin: -p = subprocess.Popen(args, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE, close_fds=True) +p = subprocess.Popen(args, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE, close_fds=True, env=env) stdout,stderr = p.communicate(stdin) else: -p = subprocess.Popen(args, stdout=subprocess.PIPE, stderr=subprocess.PIPE, close_fds=True) +p = subprocess.Popen(args, stdout=subprocess.PIPE, stderr=subprocess.PIPE, close_fds=True, env=env) stdout,stderr = p.communicate() logging.info(stdout) diff --git a/ipa-radius-server/plugins/radiusinstance.py b/ipa-radius-server/plugins/radiusinstance.py index 1dd5e66..385f65f 100644 --- a/ipa-radius-server/plugins/radiusinstance.py +++ b/ipa-radius-server/plugins/radiusinstance.py @@ -125,7 +125,7 @@ class RadiusInstance(service.Service): except os.error: logging.error(Failed to remove %s, radius_util.RADIUS_IPA_KEYTAB_FILEPATH) -(kwrite, kread, kerr) = os.popen3(/usr/kerberos/sbin/kadmin.local) +(kwrite, kread, kerr) = os.popen3(kadmin.local) kwrite.write(addprinc -randkey %s\n % (self.principal)) kwrite.flush() kwrite.write(ktadd -k %s %s\n % (radius_util.RADIUS_IPA_KEYTAB_FILEPATH, self.principal)) 
diff --git a/ipa-server/ipa-fix-CVE-2008-3274 b/ipa-server/ipa-fix-CVE-2008-3274 index 41d3abc..ce8c5e1 100644 --- a/ipa-server/ipa-fix-CVE-2008-3274 +++ b/ipa-server/ipa-fix-CVE-2008-3274 @@ -236,7 +236,7 @@ def change_mkey(password = None, quiet = False): os.environ['KRB5_CONFIG'] = ourkrb5conf #Backup the kerberos key material for recovery if needed -args = [/usr/kerberos/sbin/kdb5_util, dump, -verbose, backupfile] +args = [kdb5_util, dump, -verbose, backupfile] print Performing safety backup of the key material try: output = ipa.ipautil.run(args) @@ -252,7 +252,7 @@ def change_mkey(password = None, quiet = False): print #Convert the kerberos keys to the new master key -args = [/usr/kerberos/sbin/kdb5_util, dump, -verbose, -new_mkey_file, newstashfile, convertfile] +args =
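Review bot: in the three `ipa-change-master-key` hunks, each rewritten `args = [kdb5_util, ...]` is executed through `ipa.ipautil.run(args)` a few lines after `os.environ['KRB5_CONFIG'] = ourkrb5conf`; with this patch `run()` passes `env={PATH: ...}` whenever the caller gives none, and `subprocess.Popen(..., env=env)` replaces the child's whole environment, so kdb5_util no longer sees KRB5_CONFIG and reads the system krb5.conf instead of the temporary one. The same pattern is visible in `change_mkey` in ipa-fix-CVE-2008-3274. Either have these callers pass `env` explicitly with KRB5_CONFIG in it, or build the default in `run()` from an allow-list of the current environment rather than a PATH-only dict.

Review bot: in the `ipautil.run` hunk the fixed PATH is the right choice (the caller's PATH is never consulted), but the new `env` parameter is undocumented and the commit message does not say that a supplied or defaulted `env` replaces the environment instead of augmenting it; a one-line docstring on `run()` stating that would have flagged the KRB5_CONFIG case above.

Review bot: in the `radiusinstance.py` hunk `os.popen3(kadmin.local)` does not go through `run()`, so it still resolves the binary against whatever PATH the installer inherited rather than the fixed list this patch introduces; route it through `run()` with `stdin` (the hunk already writes the kadmin commands to `kwrite`) so both tools are located the same way.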
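The patch above resolves bare command names against a fixed directory list, but `env={PATH: ...}` also replaces the child's whole environment. The following is an added example, not FreeIPA's ipautil.run(): a wrapper that keeps a fixed, trusted search path and additionally passes an explicit allow-list of variables (KRB5_CONFIG among them) through to the child. The directory order mirrors the patch; TRUSTED_PATH, PASSTHROUGH_VARS, resolve_command, build_env and run are names chosen for this illustration.

```python
"""Run helper binaries from a fixed, trusted PATH with an allow-listed environment.

Added example; not FreeIPA code. The trusted directory list mirrors the one in
the patch above; the variable allow-list and all function names are assumptions
made for this illustration.
"""
import os
import subprocess

# Fixed search order: the caller's $PATH is deliberately ignored.
TRUSTED_PATH = ("/bin", "/sbin", "/usr/kerberos/bin", "/usr/kerberos/sbin",
                "/usr/bin", "/usr/sbin")

# Variables the helper tools legitimately need; everything else is dropped,
# so LD_PRELOAD, PYTHONPATH or a caller-controlled PATH never reach the child.
PASSTHROUGH_VARS = ("KRB5_CONFIG", "KRB5CCNAME", "LANG", "LC_ALL", "TZ")


def resolve_command(name, path_dirs=TRUSTED_PATH):
    """Return the absolute path of `name` found on the trusted PATH.

    Absolute paths are used as given. Relative paths ("./kdb5_util", "../sh")
    are refused so that an attacker-writable working directory cannot win.
    """
    if os.path.isabs(name):
        return name
    if os.sep in name:
        raise ValueError("relative command path not allowed: %r" % name)
    for directory in path_dirs:
        candidate = os.path.join(directory, name)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    raise OSError("%s not found on trusted PATH %s" % (name, ":".join(path_dirs)))


def build_env(source_env, extra=None, path_dirs=TRUSTED_PATH):
    """Build the child's environment: trusted PATH plus allow-listed variables.

    `source_env` is usually os.environ; `extra` lets a caller add or override
    a variable (e.g. a temporary KRB5_CONFIG) without touching os.environ.
    """
    env = {"PATH": ":".join(path_dirs)}
    for key in PASSTHROUGH_VARS:
        if key in source_env:
            env[key] = source_env[key]
    if extra:
        env.update(extra)
    return env


def run(args, stdin=None, extra_env=None, path_dirs=TRUSTED_PATH):
    """Execute args[0] resolved from the trusted PATH.

    Returns (stdout, stderr, returncode). No shell is involved: args is passed
    as an argv list, so arguments are never re-parsed.
    """
    argv = [resolve_command(args[0], path_dirs)] + list(args[1:])
    env = build_env(os.environ, extra_env, path_dirs)
    proc = subprocess.Popen(argv,
                            stdin=subprocess.PIPE if stdin is not None else None,
                            stdout=subprocess.PIPE, stderr=subprocess.PIPE,
                            close_fds=True, env=env)
    data = stdin.encode() if isinstance(stdin, str) else stdin
    out, err = proc.communicate(data)
    return out.decode(errors="replace"), err.decode(errors="replace"), proc.returncode


if __name__ == "__main__":
    # Shows that KRB5_CONFIG reaches the child while PATH stays fixed.
    print(run(["sh", "-c", "echo PATH=$PATH KRB5_CONFIG=$KRB5_CONFIG"],
              extra_env={"KRB5_CONFIG": "/tmp/krb5.conf.example"}))
```

A caller such as the master-key conversion would pass `extra_env={"KRB5_CONFIG": ourkrb5conf}` instead of mutating os.environ, which keeps the temporary config scoped to that one child process.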
Re: [Freeipa-devel] [PATCH] 596 remove ipa-fix-CVE-2008-3274
Jakub Hrozek wrote:
> On 11/03/2010 06:52 PM, Rob Crittenden wrote:
>> This tool was designed to fix CVE-2008-3274. This configuration is default now in V2 so this isn't needed now.
>>
>> https://fedorahosted.org/freeipa/ticket/331
>>
>> rob
>
> Ack

pushed to master
Re: [Freeipa-devel] [PATCH] 595 add additional hbac services
Jakub Hrozek wrote:
> On 11/03/2010 04:52 PM, Rob Crittenden wrote:
>> Add gdm, gdm-password and kdm as default hbac services.
>>
>> ticket https://fedorahosted.org/freeipa/ticket/307
>>
>> rob
>
> Ack

pushed to master
Re: [Freeipa-devel] [PATCH] 004 Log script options to logfile
Jakub Hrozek wrote:
> Uses a new subclass IPAOptionParser in scripts instead of OptionParser from the standard python library. IPAOptionParser uses its own IPAOption class to store options, which adds a new 'sensitive' attribute.
>
> https://fedorahosted.org/freeipa/ticket/393

This is a good start and does what I requested, I just wasn't clear enough in the request. I think we should log the interactive data as well.

This patch is fine as-is so I'll give you a choice:

1. You can update this patch and log those things that will be queried if not provided on the CLI.
2. I can ACK and push this and we can open a new ticket for additional enhancements.

rob
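The 'sensitive' option attribute described above, together with Rob's request to also log values that are prompted for, as an added example. This is not the IPAOptionParser patch under review; SensitiveOption, LoggingOptionParser, prompt_missing and the option names are this example's own.

```python
"""Log installer options with sensitive values redacted, including prompted ones.

Added example, not the IPAOptionParser patch from this thread: it shows the same
idea (an optparse Option subclass carrying a 'sensitive' attribute) plus the
follow-up request, logging values that are asked for interactively when they
were not given on the command line. SensitiveOption, LoggingOptionParser and
prompt_missing are names chosen for this illustration.
"""
import logging
import optparse

REDACTED = "XXXXXXXX"
log = logging.getLogger("ipa-install-example")


class SensitiveOption(optparse.Option):
    """optparse.Option with an extra 'sensitive' attribute (default False)."""
    ATTRS = optparse.Option.ATTRS + ["sensitive"]

    def __init__(self, *opts, **attrs):
        optparse.Option.__init__(self, *opts, **attrs)
        if self.sensitive is None:
            self.sensitive = False


class LoggingOptionParser(optparse.OptionParser):
    """OptionParser that knows which destinations must never reach the logfile."""

    def __init__(self, **kwargs):
        kwargs.setdefault("option_class", SensitiveOption)
        optparse.OptionParser.__init__(self, **kwargs)

    def sensitive_dests(self):
        return set(opt.dest for opt in self._get_all_options()
                   if opt.dest and getattr(opt, "sensitive", False))

    def redacted_values(self, values):
        """Return {dest: value} with sensitive, non-empty values replaced."""
        secret = self.sensitive_dests()
        out = {}
        for dest, value in vars(values).items():
            out[dest] = REDACTED if (dest in secret and value is not None) else value
        return out

    def log_options(self, values):
        redacted = self.redacted_values(values)
        for dest in sorted(redacted):
            log.info("option %s = %r", dest, redacted[dest])


def prompt_missing(parser, values, dest, prompt, ask=input):
    """Fill `dest` interactively if absent and log it with the same redaction."""
    if getattr(values, dest, None) is None:
        setattr(values, dest, ask(prompt))
        log.info("interactive %s = %r", dest, parser.redacted_values(values)[dest])
    return getattr(values, dest)


def example_parser():
    # Option names are illustrative, not FreeIPA's actual installer options.
    parser = LoggingOptionParser()
    parser.add_option("--hostname", dest="hostname")
    parser.add_option("-p", "--ds-password", dest="dm_password", sensitive=True)
    parser.add_option("-a", "--admin-password", dest="admin_password", sensitive=True)
    return parser


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    p = example_parser()
    opts, _ = p.parse_args()
    p.log_options(opts)
    prompt_missing(p, opts, "dm_password", "Directory Manager password: ")
```

Because redaction is keyed on the option's `dest`, a value obtained later by prompting is masked by the same rule as one given with `-p`, which is the gap in the CLI-only version that the thread points out.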
Re: [Freeipa-devel] [PATCH] 004 Log script options to logfile
On 11/08/2010 09:00 PM, Rob Crittenden wrote:
> Jakub Hrozek wrote:
>> Uses a new subclass IPAOptionParser in scripts instead of OptionParser from the standard python library. IPAOptionParser uses its own IPAOption class to store options, which adds a new 'sensitive' attribute.
>>
>> https://fedorahosted.org/freeipa/ticket/393
>
> This is a good start and does what I requested, I just wasn't clear enough in the request. I think we should log the interactive data as well.

Oh, right..

> This patch is fine as-is so I'll give you a choice:
>
> 1. You can update this patch and log those things that will be queried if not provided on the CLI.

I'd prefer this option. The patch really is incomplete.
Re: [Freeipa-devel] [PATCH] 599 add usercat and hostcat to netgroups
On 11/08/2010 07:52 PM, Rob Crittenden wrote:
> So we don't have to change the type later. It is expected that at some point these will have additional values.
>
> rob

OK, that's what I thought, but I wanted to have this confirmed before giving an ack.. Ack now. Thanks for the explanation.
Re: [Freeipa-devel] [PATCH] 0002 Rewrite the migration page using WSGI
> Jakub Hrozek wrote:
>> (resending to the list, I accidentally replied to Rob only before..)
>>
>> On 11/02/2010 04:24 AM, Rob Crittenden wrote:
>>> Jakub Hrozek wrote:
>>>> https://fedorahosted.org/freeipa/ticket/154
>>>>
>>>> The second patch removes the /ipatest section that has been commented out in ipa.conf anyway..plus, we don't ship /usr/share/ipatest anymore :-)
>>>
>>> Migration doesn't seem to be working. The migration page itself comes up fine and prompts for data but when I enter the password of a migrated user I don't seem to be getting valid kerberos keys. kinit doesn't work in any case. It could also be that I'm tired. Does a migrated account work for you?
>>
>> It does for me -- or at least I think it's working. This is how I tested:
>>
>> 1) migrate users from LDAP using the migrate-ds plugin.
>> 2) try kinit - preauth will fail
>> 3) go to the migration page, enter username/password
>>    This redirects me to the ui page if the credentials are correct.
>> 4) kinit for the user works now
>>
>> This is on the current master + the two patches under review, on a F13 host migrating from 389 DS on another F13 machine.
>
> I still can't get this to work on my F12 machine. The LDAP password is ok, I confirmed that with ldapsearch. My process is as yours. I get redirected to the UI page which fails because I haven't done a kinit yet. I go do the kinit and that fails.
>
> The KDC is logging:
>
> Nov 08 15:48:48 panther.example.com krb5kdc[23964](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.166.34: NEEDED_PREAUTH: tus...@example.com for krbtgt/example@example.com, Additional pre-authentication required
> Nov 08 15:48:50 panther.example.com krb5kdc[23964](info): preauth (timestamp) verify failure: Decrypt integrity check failed
> Nov 08 15:48:50 panther.example.com krb5kdc[23964](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.166.34: PREAUTH_FAILED: tus...@example.com for krbtgt/example@example.com, Decrypt integrity check failed
>
> I think the timestamp part is bogus, I think this just means the password is bad.
>
> I noticed that krbPrincipalKey is getting migrated as well. If I delete this before trying the migration the password works.
>
> I find it unlikely that this is related to your mod_wsgi conversion so I'm going to open a separate ticket on that and ack your changes.
>
> ACK
>
> rob

This could be related to redoing the 389-ds password plugin as I did all previous testing before we did the file split.

>> I also have two questions:
>>
>> 1) how should exceptions be handled? In the patch, I only explicitly handle exceptions that could happen very easily (like, password being wrong, or the LDAP server down..). Anything else would just trigger 500 Server Error..
>
> I think that's ok as long as we provide enough logging to point the admin in the right direction.
>
>> 2) When playing with the migration command line plugin, I noticed that it can only handle RFC2307bis groups (member: dn) and has the objectclass for groups hardcoded to (|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)). I think it would be worthwhile (and easy, too!) to modify the plugin to accept also RFC2307 schema and allow specifying a different objectclass (posixGroup might come handy..). Thoughts?
>
> Yes, that sounds like a good enhancement. Great idea.

OK: https://fedorahosted.org/freeipa/ticket/429 (taken, since I was already poking at the plugin anyway)
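The KDC lines Rob quotes above are the kind of evidence a security operator needs to pull out of krb5kdc.log systematically. The following is an added example of that detection logic, not part of this thread or of FreeIPA: it parses AS_REQ outcome lines, counts pre-authentication failures per client principal, and notes clients that still offer single-DES or RC4 enctypes. The sample log is constructed in the format of the quoted output; the principals and addresses in it are invented.

```python
"""Parse krb5kdc AS_REQ log lines and flag pre-authentication failures.

Added example (detection logic), not part of this thread or of FreeIPA. The
sample lines are constructed in the format of the KDC output quoted above; the
client principals and addresses are invented.
"""
import re
from collections import defaultdict

AS_REQ_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<kdc>\S+) krb5kdc\[\d+\]\(info\): "
    r"AS_REQ \((?P<netypes>\d+) etypes \{(?P<etypes>[^}]*)\}\) "
    r"(?P<client_addr>[^:]+): (?P<status>[A-Z_]+): (?P<rest>.*)$")
# "client for server[, reason]" tail shared by ISSUE/NEEDED_PREAUTH/PREAUTH_FAILED lines
PRINC_RE = re.compile(r"^(?P<client>\S+) for (?P<server>\S+)(?:, (?P<reason>.*))?$")

# enctype numbers that are single-DES (1, 2, 3) or RC4 (23)
WEAK_ETYPES = {1, 2, 3, 23}

# Constructed sample in the format quoted in the thread (principals invented).
SAMPLE_LOG = """\
Nov 08 15:48:48 panther.example.com krb5kdc[23964](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.166.34: NEEDED_PREAUTH: migrated1@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Nov 08 15:48:50 panther.example.com krb5kdc[23964](info): preauth (timestamp) verify failure: Decrypt integrity check failed
Nov 08 15:48:50 panther.example.com krb5kdc[23964](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.166.34: PREAUTH_FAILED: migrated1@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Decrypt integrity check failed
Nov 08 15:48:55 panther.example.com krb5kdc[23964](info): preauth (timestamp) verify failure: Decrypt integrity check failed
Nov 08 15:48:55 panther.example.com krb5kdc[23964](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.166.34: PREAUTH_FAILED: migrated1@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Decrypt integrity check failed
Nov 08 15:49:01 panther.example.com krb5kdc[23964](info): preauth (timestamp) verify failure: Decrypt integrity check failed
Nov 08 15:49:01 panther.example.com krb5kdc[23964](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.166.34: PREAUTH_FAILED: migrated1@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Decrypt integrity check failed
Nov 08 15:49:10 panther.example.com krb5kdc[23964](info): AS_REQ (2 etypes {18 17}) 192.168.166.40: ISSUE: authtime 1289249350, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
"""


def parse_as_req(line):
    """Return a dict for an AS_REQ line, or None for other KDC messages."""
    m = AS_REQ_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    tail = rec.pop("rest")
    if rec["status"] == "ISSUE":
        # ISSUE lines prefix the principals with "authtime N, etypes {...}, "
        tail = tail.split(", ", 2)[-1]
    pm = PRINC_RE.match(tail)
    if not pm:
        return None
    rec.update(pm.groupdict())
    rec["netypes"] = int(rec["netypes"])
    rec["etypes"] = [int(e) for e in rec["etypes"].split()]
    return rec


def summarize(lines, fail_threshold=3):
    """Aggregate AS_REQ outcomes per client principal.

    Returns (counts, weak_offerers, alerts): counts[client][status] -> n,
    the set of client addresses that offered single-DES/RC4 enctypes, and a
    list of (client, status, n, reasons) for principals at or above
    fail_threshold pre-authentication failures.
    """
    counts = defaultdict(lambda: defaultdict(int))
    reasons = defaultdict(set)
    weak_offerers = set()
    for line in lines:
        rec = parse_as_req(line)
        if rec is None:
            continue
        counts[rec["client"]][rec["status"]] += 1
        if rec["status"] not in ("ISSUE", "NEEDED_PREAUTH") and rec["reason"]:
            reasons[rec["client"]].add(rec["reason"])
        if WEAK_ETYPES.intersection(rec["etypes"]):
            weak_offerers.add(rec["client_addr"])
    alerts = []
    for client in sorted(counts):
        failed = counts[client]["PREAUTH_FAILED"]
        if failed >= fail_threshold:
            alerts.append((client, "PREAUTH_FAILED", failed, sorted(reasons[client])))
    return counts, weak_offerers, alerts


if __name__ == "__main__":
    counts, weak, alerts = summarize(SAMPLE_LOG.splitlines())
    for client, status, n, why in alerts:
        print("%s: %d x %s (%s)" % (client, n, status, "; ".join(why)))
    print("clients offering weak enctypes:", sorted(weak))
```

"Decrypt integrity check failed" on a PREAUTH_FAILED line only says the timestamp could not be decrypted with the stored key; it does not distinguish a wrong password from a stale long-term key. A burst of them for freshly migrated principals right after a migration run, as in the thread, points at the key material carried over rather than at guessing, so correlate the alert window with the migration time before treating it as an attack.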
[Freeipa-devel] [PATCH] Use strongest enctype for master key
This patch configures IPA to use the currently strongest available enctype for the master key.

Fixes #456

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From c46dd2d57ee59248152f0ab7ef07645fe36af83d Mon Sep 17 00:00:00 2001
From: Simo Sorce sso...@redhat.com
Date: Mon, 1 Nov 2010 09:33:14 -0400
Subject: [PATCH] Use strongest keytype for master key
--- install/share/kdc.conf.template |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/install/share/kdc.conf.template b/install/share/kdc.conf.template index 0a5747831671ab2546f4ee0230c7f309b0c3d5be..4a2cca412c7a5a1b8a45f6d114ec844aa02822ea 100644 --- a/install/share/kdc.conf.template +++ b/install/share/kdc.conf.template @@ -4,7 +4,7 @@ [realms] $REALM = { - master_key_type = des3-hmac-sha1 + master_key_type = aes256-cts supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3 max_life = 7d max_renewable_life = 14d -- 1.7.3.2
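Review bot: this only touches kdc.conf.template, so realms already installed with `master_key_type = des3-hmac-sha1` keep their DES3 master key; those need a master-key rollover with `kdb5_util` (the dump / `-new_mkey_file` / load sequence in the ipa-change-master-key tool posted earlier in this digest), and the commit message should say the change applies to new installs only. The unchanged `supported_enctypes` line right below still lists `arcfour-hmac` and the single-DES entries down to `des-cbc-crc:v4` and `des-cbc-crc:afs3`, so principal keys are still generated in those types by default; an AES master key does not strengthen those keys, trimming that list does.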
Re: [Freeipa-devel] [PATCH] admiyo-0077-Disable-Enable-user
On 11/8/2010 12:01 PM, Adam Young wrote:

The functionality works, but there are some issues:

1. The JSON files contain some trailing whitespaces.

2. The server seems to be using "true" and "False" for nsaccountlock value. So it might be safer to use case-insensitive comparison or normalize the value using toLowerCase().

3. The title and text variables are declared twice:

    var title = "Active";
    var text = "Active: Click to Deactivate";
    if (locked) {
        var title = "Inactive";                 // remove var
        var text = "Inactive: Click to Activate"; // remove var
    }

4. As you described on IRC, after enabling/disabling the user the browser goes back to the search page immediately because of several reasons: the update and enable/disable operations aren't likely to be used together, and the server doesn't return the new account status in JSON response. I don't have any objection to this, but the behavior might be unexpected by users. I'd like to see how others think about this.

-- 
Endi S. Dewata
[Freeipa-devel] [PATCHES] add (initial) anonymous pkinit support
This set of patches implements the first part of ticket #55.

The patchset only adds the ability to install pkinit with the selfsigned CA (or with externally provided certs). If you need to use/test dogtag you can pass the --no-pkinit option for the time being, as setting up pkinit is performed by default.

Patch 0003: change the install tools to use a subject base based on the realm name and not O=IPA for all installs.

Patch 0004: Add basic certificate creation for selfsigned CA and KDC configuration. openssl had to be used because the NSS tools cannot deal with the special subjectAltName needed for the KDC certificate.

Patch 0005: Always set pkinit_anchors so that all clients are preconfigured to do anonymous pkinit, including master. Even if the client does not support pkinit, adding the option does not cause any harm, so it is a safe default.

Patch 0006: Add the wellknown principal needed to perform anonymous pkinit AS requests. This principal is *DISABLED* by default.

Patch 0007: Add a new plugin that allows to enable the wellknown account, effectively allowing to get pkinit anonymous tickets. (as a bonus implements disable too :)

Patch 0008: Add support for configuring pkinit certs on replicas too.

What is still missing is dogtag integration and certmonger tracking. Couldn't work on the dogtag part yet because it won't work on f14, which is the only fedora version that has a kerberos version recent enough to support asking for anonymous pkinit tickets. Certmonger will need some thinking too as the KDC ticket requires a different code path to be renewed (different commands in selfsign CA and different profile with dogtag).

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From 9787b05a29eb7f0c80b60bf47d8d5acf213ceb8b Mon Sep 17 00:00:00 2001
From: Simo Sorce sso...@redhat.com Date: Mon, 1 Nov 2010 13:51:14 -0400 Subject: [PATCH 1/6] Use Realm as certs subject base name Also use the realm name as nickname for the CA certificate --- install/tools/ipa-replica-install |2 +- install/tools/ipa-replica-prepare |6 +++--- install/tools/ipa-server-certinstall |2 +- install/tools/ipa-server-install | 14 -- install/tools/man/ipa-server-install.1|2 +- ipa-client/ipa-install/ipa-client-install |4 ++-- ipapython/certdb.py |4 +++- ipaserver/install/cainstance.py | 16 ++-- ipaserver/install/certs.py| 15 ++- ipaserver/install/dsinstance.py |8 ipaserver/install/httpinstance.py | 14 +++--- ipaserver/plugins/selfsign.py |5 +++-- 12 files changed, 53 insertions(+), 39 deletions(-) diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install index e54101202553395fab2515a4c67e1e5f0424b0ab..8cf8d84597588f86110958bc95ff4ad9015709da 100755 --- a/install/tools/ipa-replica-install +++ b/install/tools/ipa-replica-install @@ -47,7 +47,7 @@ class ReplicaConfig: self.host_name = self.repl_password = self.dir = -self.subject_base = O=IPA +self.subject_base = def parse_options(): from optparse import OptionParser diff --git a/install/tools/ipa-replica-prepare b/install/tools/ipa-replica-prepare index 6e9d649ae6146c850ce6780efa7cccbe1f6100f4..059b011f9f60128ceba171cf5129e8c769e1eaf3 100755 --- a/install/tools/ipa-replica-prepare +++ b/install/tools/ipa-replica-prepare 
@@ -103,14 +103,14 @@ def export_certdb(realm_name, ds_dir, dir, passwd_fname, fname, hostname, subjec try: self_signed = certs.ipa_self_signed() -db = certs.CertDB(dir, subject_base=subject_base) +db = certs.CertDB(dir, realm_name, subject_base=subject_base) db.create_passwd_file() #if self_signed: #ca_db = certs.CertDB(dsinstance.config_dirname(dsinstance.realm_to_serverid(realm_name))) #db.create_from_cacert(ca_db.cacert_fname) #else: #ca_db = certs.CertDB(httpinstance.NSS_DIR, host_name=api.env.host) -ca_db = certs.CertDB(httpinstance.NSS_DIR, host_name=api.env.host, subject_base=subject_base) +ca_db = certs.CertDB(httpinstance.NSS_DIR, realm_name, host_name=api.env.host, subject_base=subject_base) db.create_from_cacert(ca_db.cacert_fname) db.create_server_cert(Server-Cert, hostname, ca_db) except Exception, e: @@ -148,7 +148,7 @@ def export_ra_pkcs12(dir, dm_password): try: try: -db = certs.CertDB(httpinstance.NSS_DIR, host_name=api.env.host) +db = certs.CertDB(httpinstance.NSS_DIR, api.env.realm, host_name=api.env.host) if db.has_nickname(ipaCert): pkcs12_fname = %s/ra.p12 % dir diff --git a/install/tools/ipa-server-certinstall b/install/tools/ipa-server-certinstall index d853f71889e42d5f9570d153c2b978ef9965..9d69853e51308234cb3330b18e9d5665de62f5ca 100755 ---
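Review bot: in the `ipa-replica-install` hunk `self.subject_base = ` now defaults to an empty value instead of `O=IPA`; any path that forgets to fill it from the realm before certificates are built then silently issues certs with an empty subject base rather than failing. Default it to None and check for it where `certs.CertDB` is constructed.

Review bot: in the `ipa-replica-prepare` hunk `export_certdb` now calls `certs.CertDB(dir, realm_name, subject_base=subject_base)`, but the commented-out block above the live `ca_db = certs.CertDB(httpinstance.NSS_DIR, realm_name, ...)` call still carries the old call shape; delete that dead block rather than leaving a stale signature next to the new one. Also, `export_ra_pkcs12` takes the realm from `api.env.realm` while `export_certdb` receives `realm_name` as a parameter; pick one source so the two databases cannot be created for different realms.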
Re: [Freeipa-devel] [PATCH] HBAC Access Time
On 11/08/2010 05:01 PM, Endi Sukma Dewata wrote:
> On 11/7/2010 7:13 PM, Adam Young wrote:
>> The Time Dialog needs a format. I couldn't guess a value that it would accept. The retry/cancel message is really confusing, too. Tried 1200, 12:00 and 1200-1300.
>>
>> 1. Put in text showing the format.
>> 2. Validate using a regex
>> 3. Don't use the standard error handling, show the error inside the dialog box that has the time in it.
>>
>> The rest of the patch looks good. I think we can get away with just a comment on the time format for this, get it checked in, and do the follow on work in another patch.
>
> Please take a look at the updated patch. I've added the same example provided by the CLI for now. We will eventually replace this dialog with a custom widget. Thanks!

ACK and pushed to master.
Re: [Freeipa-devel] [PATCH] admiyo-0077-Disable-Enable-user
On 11/08/2010 06:44 PM, Endi Sukma Dewata wrote:
> On 11/8/2010 12:01 PM, Adam Young wrote:
>
> The functionality works, but there are some issues:
>
> 1. The JSON files contain some trailing whitespaces.
>
> 2. The server seems to be using "true" and "False" for ns
accountlock value. So it might be safer to use case-insensitive comparison or normalize the value using toLowerCase().
>
> 3. The title and text variables are declared twice:
>
>     var title = "Active";
>     var text = "Active: Click to Deactivate";
>     if (locked) {
>         var title = "Inactive";                 // remove var
>         var text = "Inactive: Click to Activate"; // remove var
>     }
>
> 4. As you described on IRC, after enabling/disabling the user the browser goes back to the search page immediately because of several reasons: the update and enable/disable operations aren't likely to be used together, and the server doesn't return the new account status in JSON response. I don't have any objection to this, but the behavior might be unexpected by users. I'd like to see how others think about this.

Fixed issues 1-3.

From 3c9fc345c1560c7520cf15621441643f434abd51 Mon Sep 17 00:00:00 2001
From: Adam Young ayo...@redhat.com
Date: Mon, 8 Nov 2010 12:57:16 -0500
Subject: [PATCH] Disable Enable user

UI updated to use the enable and disable methods, and to correctly report them

Implementation has a few shortcomings:
1. Status is displayed in Browser alert dialog, not JQueryUI themed
2. Upon completion of RPC, navigate back to the Search page.

Still, this is much less broken than before.

With whitespace cleanup, using toLowerCase for testing true and removed dual declaration of variables
--- install/static/test/data/user_disable.json |9 ++ install/static/test/data/user_enable.json |9 ++ install/static/user.js | 124 ++-- 3 files changed, 63 insertions(+), 79 deletions(-) create mode 100644 install/static/test/data/user_disable.json create mode 100644 install/static/test/data/user_enable.json
diff --git a/install/static/test/data/user_disable.json b/install/static/test/data/user_disable.json new file mode 100644 index 000..75a71fd --- /dev/null +++ b/install/static/test/data/user_disable.json @@ -0,0 +1,9 @@ +{ +error: null, +id: 6, +result: { +result: true, +summary: Disabled user account \rfrank\, +value: rfrank +} +} \ No newline at end of file diff --git a/install/static/test/data/user_enable.json b/install/static/test/data/user_enable.json new file mode 100644 index 000..c596c81 --- /dev/null +++ b/install/static/test/data/user_enable.json @@ -0,0 +1,9 @@ +{ +error: null, +id: 6, +result: { +result: true, +summary: Enabled user account \rfrank\, +value: rfrank +} +} \ No newline at end of file diff --git a/install/static/user.js b/install/static/user.js index 1b6054d..7846239 100644 --- a/install/static/user.js +++ b/install/static/user.js @@ -48,7 +48,8 @@ ipa_entity_set_details_definition('user', [ input({name:'displayname', label:'Dispaly Name'}). input({name:'initials', label:'Initials'}), ipa_stanza({name:'account', label:'Account Details'}). -input({name:'status', label:'Account Status', load:user_status_load}). +input({name:'nsaccountlock', label:'Account Status', + load:user_status_load}). input({name:'uid', label:'Login'}). input({name:'userpassword', label:'Password', 
@@ -81,96 +82,61 @@ ipa_entity_set_association_definition('user', { 'taskgroup': { associator: 'serial' } }); -/* Account status Toggle button */ - -function toggle_on_click(obj) -{ -var jobj = $(obj); -var val = jobj.attr('title'); -if (val == 'Active') { -ipa_cmd( -'lock', [qs['pkey']], {}, on_lock_win, on_fail, -IPA.metadata['user']['name'] -); -} else { -ipa_cmd( -'unlock', [qs['pkey']], {}, on_lock_win, on_fail, -IPA.metadata['user']['name'] -); -} -return (false); -} -function on_lock_win(data, textStatus, xhr) -{ -if (data['error']) { -alert(data['error']['message']); -return; -} -var jobj = $('a[title=Active]'); -if (jobj.length) { -if (ipa_details_cache) { -var memberof = ipa_details_cache['memberof']; -if (memberof) { -memberof.push( -'cn=inactivated,cn=account inactivation' -); -} else { -memberof = ['cn=inactivated,cn=account inactivation']; -} -ipa_details_cache['memberof'] = memberof; -a_status(jobj.parent().prev(), ipa_details_cache); -jobj.parent().remove() -} -return; -} -var jobj = $('a[title=Inactive]'); -if (jobj.length) { -if (ipa_details_cache) { -var memberof =
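Review bot: both new fixtures (user_disable.json and user_enable.json) end with `\ No newline at end of file`; add the trailing newline, since the commit message says whitespace was cleaned up and a missing final newline is the same class of nit. The more important observation for the UI is that the mocked responses carry only `result: true`, a `summary` and the `value` (the uid), not the new `nsaccountlock` state, which is exactly why the details page cannot refresh the status in place and falls back to navigating to the search page (issue 4 in the review). If the fixtures are meant to mirror the live server, keep them as they are; the follow-up then has to either re-read the entry after the call or get the server to echo the new status.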
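Review bot: in the details-definition hunk the field now reads `nsaccountlock` straight from the entry, and the review reports the server returning both `true` and `False` for it, so `user_status_load` (not in the visible part of this diff) must compare the value after `toLowerCase()` rather than against one literal; the commit message says it does, so please make sure the fixtures exercise both spellings. Unrelated to this change but in the context line right above it, `label:'Dispaly Name'` is a typo for `Display Name` and is a good one-liner fix.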
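Review bot: the removed `on_lock_win` derived the account state from the DOM (`$('a[title=Active]')`) and then hand-edited `ipa_details_cache['memberof']` to add `cn=inactivated,cn=account inactivation`, i.e. the client guessed the server-side outcome instead of reading it; the replacement should take the state from the `nsaccountlock` attribute the details stanza now loads, never from a title attribute or a synthesized memberof value. The removed code also still issued `ipa_cmd('lock', ...)` / `ipa_cmd('unlock', ...)`, whereas this commit moves to the enable/disable methods whose "Disabled user account" / "Enabled user account" summaries appear in the new fixtures. The diff is cut off on this page right after `var memberof =`, so the replacement code itself cannot be reviewed here.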
Re: [Freeipa-devel] [PATCH] admiyo-0077-Disable-Enable-user
On 11/8/2010 5:44 PM, Endi Sukma Dewata wrote:
> The functionality works, but there are some issues:
> 1. The JSON files contain some trailing whitespaces.
> 2. The server seems to be using "true" and "False" for the nsaccountlock value. So it might be safer to use a case-insensitive comparison or normalize the value using toLowerCase().
> 3. The title and text variables are declared twice:
>     var title = "Active";
>     var text = "Active: Click to Deactivate";
>     if (locked) {
>         var title = "Inactive";                   // remove var
>         var text = "Inactive: Click to Activate"; // remove var
>     }
> 4. As you described on IRC, after enabling/disabling the user the browser goes back to the search page immediately because of several reasons: the update and enable/disable operations aren't likely to be used together, and the server doesn't return the new account status in the JSON response. I don't have any objection to this, but the behavior might be unexpected by users. I'd like to see how others think about this.
As discussed over IRC, we'll ACK this now and address the issues in follow up as they are not blocking anything.
-- 
Endi S. Dewata
Re: [Freeipa-devel] [PATCH] admiyo-0077-Disable-Enable-user
On 11/08/2010 09:04 PM, Endi Sukma Dewata wrote:
> On 11/8/2010 5:44 PM, Endi Sukma Dewata wrote:
>> The functionality works, but there are some issues:
>> 1. The JSON files contain some trailing whitespaces.
>> 2. The server seems to be using "true" and "False" for the nsaccountlock value. So it might be safer to use a case-insensitive comparison or normalize the value using toLowerCase().
>> 3. The title and text variables are declared twice:
>>     var title = "Active";
>>     var text = "Active: Click to Deactivate";
>>     if (locked) {
>>         var title = "Inactive";                   // remove var
>>         var text = "Inactive: Click to Activate"; // remove var
>>     }
>> 4. As you described on IRC, after enabling/disabling the user the browser goes back to the search page immediately because of several reasons: the update and enable/disable operations aren't likely to be used together, and the server doesn't return the new account status in the JSON response. I don't have any objection to this, but the behavior might be unexpected by users. I'd like to see how others think about this.
> As discussed over IRC, we'll ACK this now and address the issues in follow up as they are not blocking anything.
Pushed to master
Re: [Freeipa-devel] [PATCH] admiyo-0078-link-indications
On 11/8/2010 12:30 PM, Adam Young wrote:
ACK and pushed to master.
-- 
Endi S. Dewata
Re: [Freeipa-devel] [PATCH] admiyo-0079-delete-to-remove
On 11/8/2010 7:41 PM, Adam Young wrote:
ACK and pushed to master. I also fixed 2 issues and pushed them using the 1-liner rule.
1. Renamed button.deletes to button.remove in widget.js.
2. Renamed button.delete to button.remove in json_metadata.json.
-- 
Endi S. Dewata
[Freeipa-devel] [PATCH] Rename parent LDAPObject pkeys in child LDAPObject methods.
If the parent and child entries have the same attribute as primary key (such as in the DNS schema), we need to rename the parent key to prevent a param name conflict. It has no side effects, because the primary key name is always taken from the LDAPObject params, never from the method params. Pavel From 88e1399e5a1271d95bafef3f83206181b6b7b88b Mon Sep 17 00:00:00 2001 From: Pavel Zuna pz...@redhat.com Date: Mon, 8 Nov 2010 22:36:04 -0500 Subject: [PATCH] Rename parent LDAPObject pkeys in child LDAPObject methods. If the parent and child entries have the same attribute as primary key (such as in the DNS schema), we need to rename the parent key to prevent a param name conflict. It has no side effects, because the primary key name is always taken from the LDAPObject params, never from the method params. --- ipalib/plugins/baseldap.py |6 +- 1 files changed, 5 insertions(+), 1 deletions(-) diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py index 6bf9b3b..ff5dba9 100644 --- a/ipalib/plugins/baseldap.py +++ b/ipalib/plugins/baseldap.py @@ -232,7 +232,11 @@ class LDAPObject(Object): for key in parent_obj.get_ancestor_primary_keys(): yield key if parent_obj.primary_key: -yield parent_obj.primary_key.clone(query=True) +pkey = parent_obj.primary_key +yield pkey.__class__( +parent_obj.name + pkey.name, required=True, query=True, +cli_name=parent_obj.name, label=pkey.label +) def convert_attribute_members(self, entry_attrs, *keys, **options): if options.get('raw', False): -- 1.7.1.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
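Review bot: the replaced line used `parent_obj.primary_key.clone(query=True)`, which carried every other setting of the parent key along; the new code builds a fresh `pkey.__class__(...)` with only `required`, `query`, `cli_name` and `label`, so anything else the parent key defines is dropped from the child's methods. For the DNS case that motivates this patch that includes the `normalizer=lambda value: value.lower()` on `dnszone.idnsname` (see the dns2 patch further down this page), so the zone name typed on a `dnsres-*` command line would no longer be lowercased before use while `dnszone-add` stores it lowercased. Consider passing the original key's settings through (a rename-capable clone, or re-supplying `normalizer` and friends) rather than constructing from scratch; the rename itself, `parent_obj.name + pkey.name`, is fine and, as the commit message says, cannot collide with the object's own primary key.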
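The param-name conflict Pavel describes above, as an added example that is not FreeIPA code: a small stand-in for ipalib's Param/LDAPObject in which the names `Param`, `LDAPObject`, `method_params`, `bind_args`, `names_collide` and the `mode` argument are this example's own, as are the lower-casing normalizers on both objects (the dns2 plugin on this page shows one only for `dnszone.idnsname`). It binds the two positional keys of a `dnsres` method three ways: the pre-patch `clone(query=True)`, which collides; the patch's from-scratch construction, which renames but drops the parent's normalizer; and a rename that keeps the parent key's settings.

```python
# Added example, not FreeIPA code: a minimal model of how a child
# LDAPObject collects its ancestors' primary keys.

class Param:
    """Stand-in for ipalib's Param: a name plus keyword settings."""

    def __init__(self, name, **settings):
        self.name = name
        self.settings = settings

    def clone(self, **overrides):
        """Same name, same settings, selected settings overridden."""
        return Param(self.name, **dict(self.settings, **overrides))

    def clone_rename(self, name, **overrides):
        """New name, but every other setting (normalizer, label...) kept."""
        return Param(name, **dict(self.settings, **overrides))

    def normalize(self, value):
        normalizer = self.settings.get('normalizer')
        return normalizer(value) if normalizer else value


class LDAPObject:
    name = None            # object name, e.g. 'dnszone'
    parent = None          # parent LDAPObject instance (ipalib uses a name)
    takes_params = ()

    @property
    def primary_key(self):
        for param in self.takes_params:
            if param.settings.get('primary_key'):
                return param
        return None

    def get_ancestor_primary_keys(self, mode):
        """Yield parent pkeys outermost first; `mode` picks the strategy
        (the argument exists only in this example)."""
        if self.parent is None:
            return
        for key in self.parent.get_ancestor_primary_keys(mode):
            yield key
        pkey = self.parent.primary_key
        if pkey is None:
            return
        if mode == 'clone':            # before the patch: name collides
            yield pkey.clone(query=True)
        elif mode == 'rebuild':        # the patch: new Param from scratch
            yield Param(self.parent.name + pkey.name, required=True,
                        query=True, cli_name=self.parent.name,
                        label=pkey.settings.get('label'))
        elif mode == 'rename':         # suggested: rename, keep settings
            yield pkey.clone_rename(self.parent.name + pkey.name,
                                    required=True, query=True,
                                    cli_name=self.parent.name)
        else:
            raise ValueError(mode)


def method_params(obj, mode):
    """Positional params of a child method: ancestor pkeys, then own pkey."""
    params = list(obj.get_ancestor_primary_keys(mode))
    params.append(obj.primary_key.clone(required=True))
    return params


def names_collide(obj, mode):
    """True when two params of the method would share one name."""
    names = [p.name for p in method_params(obj, mode)]
    return len(names) != len(set(names))


def bind_args(obj, mode, *args):
    """Map CLI positionals onto params, normalizing each value."""
    bound = {}
    for param, value in zip(method_params(obj, mode), args):
        if param.name in bound:
            raise ValueError('param name conflict: %s' % param.name)
        bound[param.name] = param.normalize(value)
    return bound


# Both objects use idnsname as primary key, like dnszone/dnsres in dns2;
# the normalizer on dnsres is assumed for the example.
class dnszone(LDAPObject):
    name = 'dnszone'
    takes_params = (Param('idnsname', primary_key=True, label='Zone name',
                          normalizer=lambda v: v.lower()),)


class dnsres(LDAPObject):
    name = 'dnsres'
    parent = dnszone()
    takes_params = (Param('idnsname', primary_key=True, label='Record name',
                          normalizer=lambda v: v.lower()),)


if __name__ == '__main__':
    res = dnsres()
    try:
        bind_args(res, 'clone', 'Example.COM', 'Machine1')
    except ValueError as e:
        print('before the patch: %s' % e)
    print('patch:     %r' % bind_args(res, 'rebuild', 'Example.COM', 'Machine1'))
    print('suggested: %r' % bind_args(res, 'rename', 'Example.COM', 'Machine1'))
```

Run as a script, the 'clone' strategy raises on the duplicated `idnsname`, the 'rebuild' strategy returns the zone name exactly as typed (`Example.COM`) because the rebuilt key has no normalizer, and the 'rename' strategy returns it lowercased while keeping the `dnszoneidnsname` name the patch introduces.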
[Freeipa-devel] [PATCH] Add new version of DNS plugin: complete rework with baseldap + unit tests.
Finally, there it is. :) I redesigned the whole thing to fit the baseldap model. Here's an example of how it's used:

# create zone 'example.com'
# ipa dnszone-add example.com --name=ns.example.com --admin=ad...@example.com

# create a resource in zone 'example.com' named 'machine1'
# (machine1.example.com) with A record 10.10.0.1
# ipa dnsres-add example.com machine1 --a-rec=10.10.0.1

# Add another A record to 'machine1' in 'example.com'
# ipa dnsres-add-record example.com machine1 --a-rec=10.10.0.2

# Remove one of the A records from 'machine1' in 'example.com'
# ipa dnsres-remove-record example.com machine1 --a-rec=10.10.0.1

The plugin is pretty complex and requires my patch number 35 to work. There is a bunch of unit tests, so hopefully it won't be too much pain to review. You can use both dns and dns2 at the same time. When dns2 is tested enough, it should replace the original dns plugin. docstring (ipa help dns2) documentation will follow soon in a separate patch.

Pavel

From defad70e665a5c126e56032bfc5ed698363eef9f Mon Sep 17 00:00:00 2001
From: Pavel Zuna pz...@redhat.com
Date: Mon, 8 Nov 2010 22:34:14 -0500
Subject: [PATCH] Add new version of DNS plugin: complete rework with baseldap + unit tests.

---
 ipalib/plugins/dns2.py               |  504 ++
 tests/test_xmlrpc/test_dns_plugin.py |  360 
 2 files changed, 864 insertions(+), 0 deletions(-)
 create mode 100644 ipalib/plugins/dns2.py
 create mode 100644 tests/test_xmlrpc/test_dns_plugin.py

diff --git a/ipalib/plugins/dns2.py b/ipalib/plugins/dns2.py
new file mode 100644
index 000..5b36d37
--- /dev/null
+++ b/ipalib/plugins/dns2.py
@@ -0,0 +1,504 @@ +# Authors: +# Pavel Zuna pz...@redhat.com +# +# Copyright (C) 2010 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation; version 2 only +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + +import time + +from ipalib import api, errors, output +from ipalib import Command +from ipalib import Flag, Int, List, Str, StrEnum +from ipalib.plugins.baseldap import * +from ipalib import _, ngettext + +# supported resource record types +_record_types = ( +u'A', u'', u'A6', u'AFSDB', u'CERT', u'CNAME', u'DNAME', +u'DS', u'HINFO', u'KEY', u'KX', u'LOC', u'MD', u'MINFO', u'MX', +u'NAPTR', u'NS', u'NSEC', u'NXT', u'PTR', u'RRSIG', u'SSHFP', +u'SRV', u'TXT', +) + +# attributes derived from record types +_record_attributes = [str('%srecord' % t.lower()) for t in _record_types] + +# supported DNS classes, IN = internet, rest is almost never used +_record_classes = (u'IN', u'CS', u'CH', u'HS') + +# normalizer for admin email +def _rname_normalizer(value): +value = value.replace('@', '.') +if not value.endswith('.'): +value += '.' +return value + +def _create_zone_serial(**kwargs): +Generate serial number for zones. +return int('%s01' % time.strftime('%Y%d%m')) + + +class dnszone(LDAPObject): + +DNS Zone, container for resource records. 
+ +container_dn = api.env.container_dns +object_name = 'DNS zone' +object_name_plural = 'DNS zones' +object_class = ['top', 'idnsrecord', 'idnszone'] +default_attributes = [ +'idnsname', 'idnszoneactive', 'idnssoamname', 'idnssoarname', +'idnssoaserial', 'idnssoarefresh', 'idnssoaretry', 'idnssoaexpire', +'idnssoaminimum' +] + _record_attributes +label = _('DNS zone') + +takes_params = ( +Str('idnsname', +cli_name='name', +label=_('Zone name'), +doc=_('Zone name (FQDN)'), +normalizer=lambda value: value.lower(), +primary_key=True, +), +Str('idnssoamname', +cli_name='name_server', +label=_('Authoritative name server'), +doc=_('Authoritative name server'), +), +Str('idnssoarname', +cli_name='admin_email', +label=_('Administrator e-mail address'), +doc=_('Administrator e-mail address'), +default_from=lambda idnsname: 'root.%s' % idnsname, +normalizer=_rname_normalizer, +), +Int('idnssoaserial?', +cli_name='serial', +label=_('SOA serial'), +doc=_('SOA record serial number'), +create_default=_create_zone_serial, +autofill=True, +), +
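Review bot: `_create_zone_serial` formats the date as `'%Y%d%m'`, day before month, so the generated serial is not monotonic across a month boundary: a zone created on 30 Nov 2010 gets 2010301101 and one created on 1 Dec 2010 gets 2010011201, which is lower. For zone creation alone this is mostly cosmetic, but secondaries decide whether to transfer by comparing serials (RFC 1982), so if the same helper is ever reused for updates they will silently keep the old zone; use `'%Y%m%d'` (the usual YYYYMMDDnn convention). Also in this hunk, `_rname_normalizer` only swaps '@' for '.', so an administrator address with a dot in the local part (first.last@example.com) becomes `first.last.example.com.`, which resolvers read as mailbox `first` at `last.example.com`; RFC 1035 expects the dot in the mailbox part to be escaped (`first\.last.example.com.`). The rest of the file is cut off on this page, so the record-handling code could not be looked at here.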
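Two helpers from the dns2 hunk above, the SOA serial generator and the RNAME normalizer, reworked as an added example; this is not the plugin's code, and `zone_serial`, `serial_gt`, `next_serial`, `rname_normalizer` and the constructed sample dates `NOV30`/`DEC1` are this example's own names. It shows why `%Y%d%m` breaks across a month boundary under the RFC 1982 serial comparison secondaries use, how to issue a serial that is always newer than the current one, and how a dot in the mailbox part of the administrator address must be escaped.

```python
# Added example, not part of the dns2 plugin: SOA serial handling that
# stays monotonic, plus an RNAME normalizer that escapes dots in the
# mailbox part. Dates are passed in explicitly so the functions are
# deterministic and testable.
import datetime

SERIAL_MAX = 1 << 32          # SOA serial is a 32-bit unsigned integer
SERIAL_HALF = 1 << 31         # RFC 1982 comparison window

# Constructed sample dates on either side of a month boundary.
NOV30 = datetime.date(2010, 11, 30)
DEC1 = datetime.date(2010, 12, 1)


def zone_serial_as_posted(day):
    """The posted generator with the date injected: '%Y%d%m' + '01'."""
    return int('%s01' % day.strftime('%Y%d%m'))


def zone_serial(day, n=1):
    """YYYYMMDDnn: year, month, day, then a two-digit change counter."""
    if not 0 <= n <= 99:
        raise ValueError('change counter must fit in two digits')
    return int('%s%02d' % (day.strftime('%Y%m%d'), n))


def serial_gt(a, b):
    """RFC 1982 'a is newer than b' for 32-bit serial numbers."""
    a %= SERIAL_MAX
    b %= SERIAL_MAX
    if a == b:
        return False
    return (a < b and b - a > SERIAL_HALF) or (a > b and a - b < SERIAL_HALF)


def next_serial(current, today):
    """Serial for a zone change made on `today`, always newer than `current`.

    Secondaries only transfer the zone when the new serial compares
    greater under RFC 1982, so never hand back a value that does not.
    """
    candidate = zone_serial(today, 1)
    if serial_gt(candidate, current):
        return candidate
    # Already changed today (or the clock went backwards): bump by one,
    # wrapping modulo 2**32, which RFC 1982 still treats as newer.
    return (current + 1) % SERIAL_MAX


def rname_normalizer(value):
    """Turn an e-mail address into an SOA RNAME.

    The posted normalizer replaces '@' with '.'; dots inside the local
    part additionally need a backslash (RFC 1035 section 3.3.13), or
    'first.last@example.com' would be read as mailbox 'first' at
    'last.example.com'. A value without '@' (like the 'root.<zone>'
    default) is only given its trailing dot.
    """
    if '@' in value:
        local, domain = value.split('@', 1)
        value = local.replace('.', r'\.') + '.' + domain
    if not value.endswith('.'):
        value += '.'
    return value


if __name__ == '__main__':
    posted_nov, posted_dec = zone_serial_as_posted(NOV30), zone_serial_as_posted(DEC1)
    print('posted  : %d -> %d, Dec newer? %s'
          % (posted_nov, posted_dec, serial_gt(posted_dec, posted_nov)))
    print('YYYYMMDD: %d -> %d, Dec newer? %s'
          % (zone_serial(NOV30), zone_serial(DEC1),
             serial_gt(zone_serial(DEC1), zone_serial(NOV30))))
    print('next    : %d' % next_serial(zone_serial(DEC1), DEC1))
    print('rname   : %s' % rname_normalizer('first.last@example.com'))
```

With the posted format the December serial (2010011201) compares older than the November one (2010301101), so a secondary holding the November copy would never pull the December zone; with YYYYMMDDnn the order is right, and `next_serial` falls back to incrementing when a day's serial is already in use.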
[Freeipa-devel] [PATCH] Replace 'Locking' in `ipa help user` with 'Disabling'.
Ticket #452 Pavel From e03d082523a677b1d57e829ba10c31fd7f8d87b5 Mon Sep 17 00:00:00 2001 From: Pavel Zuna pz...@redhat.com Date: Mon, 8 Nov 2010 22:45:27 -0500 Subject: [PATCH] Replace 'Locking' in `ipa help user` with 'Disabling'. Ticket #452 --- ipalib/plugins/user.py |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py index 536848b..726177c 100644 --- a/ipalib/plugins/user.py +++ b/ipalib/plugins/user.py @@ -22,7 +22,7 @@ Users Manage user entries. All users are POSIX users. -Locking a user account prevents that user from obtaining new Kerberos +Disabling a user account prevents that user from obtaining new Kerberos credentials. It does not invalidate any credentials that have already been issued. -- 1.7.1.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] Add new version of DNS plugin: complete rework with baseldap + unit tests.
On 2010-11-09 05:07, Pavel Zůna wrote:
> Finally, there it is. :) I redesigned the whole thing to fit the baseldap model. Here's an example of how it's used:
>
> # create zone 'example.com'
> # ipa dnszone-add example.com --name=ns.example.com --admin=ad...@example.com
>
> # create a resource in zone 'example.com' named 'machine1'
> # (machine1.example.com) with A record 10.10.0.1
> # ipa dnsres-add example.com machine1 --a-rec=10.10.0.1
>
> # Add another A record to 'machine1' in 'example.com'
> # ipa dnsres-add-record example.com machine1 --a-rec=10.10.0.2
>
> # Remove one of the A records from 'machine1' in 'example.com'
> # ipa dnsres-remove-record example.com machine1 --a-rec=10.10.0.1
>
> The plugin is pretty complex and requires my patch number 35 to work. There is a bunch of unit tests, so hopefully it won't be too much pain to review. You can use both dns and dns2 at the same time. When dns2 is tested enough, it should replace the original dns plugin. docstring (ipa help dns2) documentation will follow soon in a separate patch.
>
> Pavel
Forgot to mention that this solves:
Ticket #36
Ticket #450

Pavel