Re: [Freeipa-devel] [PATCH] 0024 - Better random ranges
On 12/06/2010 06:51 PM, Simo Sorce wrote:
> This patch reduced the size of the default range (from 1 million to 200.000) and also changes the way the range is selected. Instead of starting at a completely random number, it selects 1 out of 1 random 200k ranges so that the range starts at multiples of 200k. This makes it so that 2 different installs either do not overlap at all or overlap completely (once in 10k times) instead of potentially partially overlapping.

Instead of using a random number here, why don't we do something more predictable (so installing FreeIPA on the same machine will hit the same range). Something we used to do at my old job was base it on the IPv4 address of the primary network adapter in the machine. Basically, we could take the integer representation of the IP address, take the modulus 1 of it, and choose the range from that.

This would also provide a guarantee that replicas on the same network would get unique ranges (instead of a 1 in 10,000 chance of doubling up).

These are just suggestions. The patch as it exists right now looks fine to me (though I haven't tested it).

-- 
Stephen Gallagher
RHCE 804006346421761
Delivering value year after year. Red Hat ranks #1 in value among software vendors. http://www.redhat.com/promo/vendor/

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 020 Fix kwargs usage in automount plugin
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 https://fedorahosted.org/freeipa/ticket/580 To test, simply run: ipa automountlocation-add baltimore ipa automountmap-add baltimore auto.share ipa automountkey-add baltimore auto.master /share --info=auto.share ipa automountkey-add baltimore auto.share man - --info=-ro,soft,rsize=8192,wsize=8192 ipa.example.com:/shared/man ipa automountlocation-tofiles baltimore Also the -import command was fixed: ipa automountlocation-add testimport ipa automountlocation-import testimport /etc/auto.master Without this patch, the -tofiles or -import calls would blow up with something like ipa: ERROR: 'automountlocation' is required -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAkz+McwACgkQHsardTLnvCWD7gCfd9Xlplv52VTqr2qaO0YM3CPb Ov8An2OdWukIunZh3nK1jmOE4irXvq9o =hO0Y -END PGP SIGNATURE- From eaaa45eff8684e7f51654227ad80ce04b1a7fa4d Mon Sep 17 00:00:00 2001 From: Jakub Hrozek jhro...@redhat.com Date: Tue, 7 Dec 2010 08:02:42 -0500 Subject: [PATCH] Fix kwargs usage in automount plugin https://fedorahosted.org/freeipa/ticket/580 --- ipalib/plugins/automount.py | 27 --- 1 files changed, 12 insertions(+), 15 deletions(-) diff --git a/ipalib/plugins/automount.py b/ipalib/plugins/automount.py index df9b341..c3e7f94 100644 --- a/ipalib/plugins/automount.py +++ b/ipalib/plugins/automount.py @@ -247,9 +247,7 @@ class automountlocation_tofiles(LDAPQuery): location = self.api.Command['automountlocation_show'](args[0]) maps = [] -result = self.api.Command['automountkey_find']( -cn=args[0], automountmapname=u'auto.master' -) +result = self.api.Command['automountkey_find'](args[0], u'auto.master') truncated = result['truncated'] maps = result['result'] 
@@ -261,9 +259,7 @@ class automountlocation_tofiles(LDAPQuery): for m in maps: info = m['automountinformation'][0] key = info.split(None) -result = self.api.Command['automountkey_find']( -cn=args[0], automountmapname=key[0] -) +result = self.api.Command['automountkey_find'](args[0], key[0]) truncated = result['truncated'] keys[info] = result['result'] # TODO: handle truncated results, same as above @@ -363,7 +359,7 @@ class automountlocation_import(LDAPQuery): # Add a new key to the auto.master map for the new map file try: -api.Command['automountkey_add'](cn=args[0], automountmapname=u'auto.master', automountkey=unicode(am[0]), automountinformation=unicode(' '.join(am[1:]))) +api.Command['automountkey_add'](args[0], u'auto.master', unicode(am[0]), automountinformation=unicode(' '.join(am[1:]))) result['keys'].append([am[0], u'auto.master']) except errors.DuplicateEntry, e: if options.get('continue', False): @@ -374,7 +370,7 @@ class automountlocation_import(LDAPQuery): # Add the new map if not am[1].startswith('-'): try: -api.Command['automountmap_add'](cn=args[0], automountmapname=unicode(am[1])) +api.Command['automountmap_add'](args[0], unicode(am[1])) result['maps'].append(am[1]) except errors.DuplicateEntry, e: if options.get('continue', False): @@ -411,7 +407,7 @@ class automountlocation_import(LDAPQuery): am = x.split(None) key = unicode(am[0].replace('','')) try: -api.Command['automountkey_add'](cn=args[0], automountmapname=unicode(m), automountkey=key, automountinformation=unicode(' '.join(am[1:]))) +api.Command['automountkey_add'](args[0], unicode(m), key, automountinformation=unicode(' '.join(am[1:]))) result['keys'].append([key,m]) except errors.DuplicateEntry, e: if options.get('continue', False): 
@@ -445,13 +441,14 @@ class automountlocation_import(LDAPQuery): ) textui.print_plain('') -textui.print_plain('Ignored keys:') -for k in keys: -textui.print_plain( -'Ignored %s to %s' % ( -k[0], k[1] +if len(skipped) 0: +textui.print_plain('Ignored keys:') +for k in skipped: +textui.print_plain( +'Ignored %s to %s' % ( +k[0], k[1] +) ) -) if options.get('continue', False) and len(duplicatemaps) 0: -- 1.7.3.2 freeipa-jhrozek-020-Fix-kwargs-usage-in-automount-plugin.patch.sig Description: PGP signature ___ Freeipa-devel mailing
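Review bot: in both automountlocation_tofiles hunks (@@ -247 and @@ -261) the `truncated` flag returned by automountkey_find is assigned and then ignored, and the `# TODO: handle truncated results, same as above` comment survives the change, so a location whose auto.master or submap holds more keys than the search limit is written out as an incomplete file with no indication; at minimum emit a warning when `truncated` is true before the file is printed.

Review bot: the last hunk (@@ -445) switches the "Ignored keys" report from iterating `keys` to iterating a `skipped` list that is not defined or appended to in any hunk of this patch; please confirm `skipped` is populated in the DuplicateEntry branches of the import loop (the `if options.get('continue', False):` paths visible above), otherwise the report will either raise NameError or always be empty.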
[Freeipa-devel] [PATCH] Fix default attributes in config plugin (ipadefaultemaildomain).
Fixes an attribute name mismatch in the config plugin. Ticket #573 Pavel From d98843a980331e9b8173a6eba228fa393b04e350 Mon Sep 17 00:00:00 2001 From: Pavel Zuna pz...@redhat.com Date: Sun, 5 Dec 2010 03:26:52 -0500 Subject: [PATCH] Fix default attributes in config plugin (ipadefaultemaildomain). Ticket #573 --- ipalib/plugins/config.py |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/ipalib/plugins/config.py b/ipalib/plugins/config.py index 79db77e..a56b667 100644 --- a/ipalib/plugins/config.py +++ b/ipalib/plugins/config.py @@ -66,7 +66,7 @@ class config(LDAPObject): object_name = 'configuration options' default_attributes = [ 'ipamaxusernamelength', 'ipahomesrootdir', 'ipadefaultloginshell', -'ipadefaultprimarygroup', 'ipadefaultdomain', 'ipasearchtimelimit', +'ipadefaultprimarygroup', 'ipadefaultemaildomain', 'ipasearchtimelimit', 'ipasearchrecordslimit', 'ipausersearchfields', 'ipagroupsearchfields', 'ipamigrationenabled', 'ipacertificatesubjectbase', ] -- 1.7.1.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
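Review bot: the change is the single rename of 'ipadefaultdomain' to 'ipadefaultemaildomain' in default_attributes; the commit message should say what symptom ticket #573 describes so the one-liner is reviewable on its own, and it is worth grepping the rest of config.py for the old name so that config-show and config-mod agree on the attribute.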
Re: [Freeipa-devel] [PATCH] 0024 - Better random ranges
On Tue, 07 Dec 2010 07:40:36 -0500 Stephen Gallagher sgall...@redhat.com wrote:
> On 12/06/2010 06:51 PM, Simo Sorce wrote:
>> This patch reduced the size of the default range (from 1 million to 200.000) and also changes the way the range is selected. Instead of starting at a completely random number, it selects 1 out of 1 random 200k ranges so that the range starts at multiples of 200k. This makes it so that 2 different installs either do not overlap at all or overlap completely (once in 10k times) instead of potentially partially overlapping.
>
> Instead of using a random number here, why don't we do something more predictable (so installing FreeIPA on the same machine will hit the same range). Something we used to do at my old job was base it on the IPv4 address of the primary network adapter in the machine. Basically, we could take the integer representation of the IP address, take the modulus 1 of it, and choose the range from that.

That's not needed, if you want to force a specific range you can simply pass an option to the installer.

> This would also provide a guarantee that replicas on the same network would get unique ranges (instead of a 1 in 10,000 chance of doubling up).

Replicas take a cut of the range from the first master, sharing the assigned initial range between them (see the DNA plugin[1] Shared config to understand how it works)

> These are just suggestions. The patch as it exists right now looks fine to me (though I haven't tested it).

I have tested it :)

Simo.

[1] http://directory.fedoraproject.org/wiki/DNA_Plugin

-- 
Simo Sorce * Red Hat, Inc * New York
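The aligned-range property Simo describes above (two installs either share a whole range or none of it, never part of one) worked through as an added example; this is not code from the thread or from the FreeIPA installer. It assumes 10000 candidate slots (the "once in 10k times" figure), the 200k range size and the 2G ceiling quoted in the thread, and models the pre-patch random-start behaviour with a constructed picker.

```python
import random

RANGE_SIZE = 200_000          # default range size after the patch (200k)
NUM_RANGES = 10_000           # assumed: "once in 10k times" implies 10k candidate slots
MAXINT_32BIT = 2_147_483_648  # the 2G ceiling the installer guards (signed 32-bit)


def aligned_range(slot, size=RANGE_SIZE):
    """Return the inclusive (idstart, idmax) pair for slot number `slot`.

    Every range starts at a multiple of `size`, so two ranges are either
    identical (same slot) or disjoint; partial overlap is impossible.
    """
    if not 1 <= slot <= NUM_RANGES:
        raise ValueError("slot must be in 1..%d" % NUM_RANGES)
    start = slot * size
    end = start + size - 1
    if end >= MAXINT_32BIT:
        raise ValueError("range would cross the 2G ceiling")
    return start, end


def pick_aligned_range(rng=random):
    """Post-patch behaviour: choose one of NUM_RANGES aligned slots at random."""
    return aligned_range(rng.randint(1, NUM_RANGES))


def pick_unaligned_range(rng=random, size=RANGE_SIZE):
    """Pre-patch behaviour (assumed): a random start anywhere below the ceiling."""
    start = rng.randint(size, MAXINT_32BIT - size)
    return start, start + size - 1


def overlap_kind(a, b):
    """Classify two inclusive ranges as 'none', 'full' (identical) or 'partial'."""
    a0, a1 = a
    b0, b1 = b
    if a1 < b0 or b1 < a0:
        return "none"
    if a == b:
        return "full"
    return "partial"


def classify_installs(ranges):
    """Count overlap kinds over every pair of installs in `ranges`."""
    counts = {"none": 0, "partial": 0, "full": 0}
    for i in range(len(ranges)):
        for j in range(i + 1, len(ranges)):
            counts[overlap_kind(ranges[i], ranges[j])] += 1
    return counts


def simulate(n_installs, trials, picker, seed=0):
    """Repeatedly install n_installs servers with `picker` and total the pair outcomes.

    A deterministic seed keeps the demonstration reproducible.
    """
    rng = random.Random(seed)
    total = {"none": 0, "partial": 0, "full": 0}
    for _ in range(trials):
        picks = [picker(rng) for _ in range(n_installs)]
        for kind, count in classify_installs(picks).items():
            total[kind] += count
    return total


if __name__ == "__main__":
    print("aligned  :", simulate(3, 2000, pick_aligned_range))
    print("unaligned:", simulate(3, 2000, pick_unaligned_range))
```

With the aligned picker the "partial" counter stays at zero however many trials run, which is exactly the conflict-handling argument made in the thread; the unaligned picker can still produce partial overlaps, just rarely.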
Re: [Freeipa-devel] [PATCH] 0024 - Better random ranges
On Tue, 7 Dec 2010 13:53:53 +0100 Jan Zelený jzel...@redhat.com wrote:
> Simo Sorce sso...@redhat.com wrote:
>> This patch reduced the size of the default range (from 1 million to 200.000) and also changes the way the range is selected. Instead of starting at a completely random number, it selects 1 out of 1 random 200k ranges so that the range starts at multiples of 200k. This makes it so that 2 different installs either do not overlap at all or overlap completely (once in 10k times) instead of potentially partially overlapping.
>>
>> Simo.
>
> Do I understand correctly that this change is just to make IDs more readable? I don't get why two installs need to have either complete overlapping or no overlapping at all.

So that normally 2 installations have completely separate IDs, and a third at most overlaps with one of them but not partially with both. Makes it easier to deal with conflicts IMO. It also makes it somewhat easier to build tests that look at specific patterns and aid the admin understanding the id numbers at first.

> Also, you have a typo in Rob's name ;-)

Ouch! Sorry Rob.

Attached corrected version.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From 0d4ae2790f1913e32ae45ef8227110ecf1e17fc2 Mon Sep 17 00:00:00 2001
From: Simo Sorce sso...@redhat.com
Date: Mon, 6 Dec 2010 16:16:49 -0500
Subject: [PATCH] Give back smaller and more readable ranges by default.

Instead of allocating a completely random start between 1M and 2G and a range of 1M values, give 1 possible 200k ranges. They all start at a 200k boundary so they generate more readable IDs, at least until there aren't too many users/replicas involved.
---
 install/tools/ipa-server-install | 11 ++-
 1 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 020fc8ff8aa7b627ba9cb7366635c6ed4f864a79..bed9add9cbfc1634cce333d810a5dfa6d1df26c9 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -1,7 +1,9 @@ #! /usr/bin/python -E # Authors: Karl MacMillan kmacmil...@mentalrootkit.com +# Simo Sorce sso...@redhat.com +# Rob Crittenden rcrit...@redhat.com # -# Copyright (C) 2007 Red Hat +# Copyright (C) 2007-2010 Red Hat # see file 'COPYING' for use and warranty information # # This program is free software; you can redistribute it and/or @@ -60,11 +62,10 @@ from ipapython.config import IPAOptionParser pw_name = None uninstalling = False -# Used to determine the the highest possible uid/gid -MAXINT_32BIT = 2147483648 def parse_options(): -namespace = random.randint(100, (MAXINT_32BIT - 100)) +# Guaranteed to give a random 200k range below the 2G mark (uint32_t limit) +namespace = random.randint(1, 1) * 20 parser = IPAOptionParser(version=version.VERSION) parser.add_option(-u, --user, dest=ds_user, help=ds user) @@ -177,7 +178,7 @@ def parse_options(): parser.error(--external-cert-file must use an absolute path) if options.idmax == 0: -options.idmax = int(options.idstart) + 100 - 1 +options.idmax = int(options.idstart) + 20 - 1 if options.idmax options.idstart: parse.error(idmax (%u) cannot be smaller than idstart (%u) % -- 1.7.3.2 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
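Review bot: the new comment in the @@ -60 hunk calls the 2G mark the "uint32_t limit", but 2G (2147483648, the MAXINT_32BIT constant the same hunk deletes) is the signed 32-bit ceiling, not the unsigned one; say "int32_t / signed 32-bit" so that a later reader does not "correct" the bound up to 4G and hand out IDs that break consumers treating uid/gid as signed.

Review bot: the unchanged context in the @@ -177 hunk calls `parse.error(idmax (%u) cannot be smaller than idstart (%u) % ...)` while the line above uses `parser.error(...)`; `parse` is not defined anywhere in the visible code, so a user passing an idmax below idstart gets a NameError traceback instead of the intended usage error. Not introduced by this patch, but since the hunk already touches the surrounding lines, changing it to `parser.error(...)` here is cheap.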
Re: [Freeipa-devel] [PATCH] 0024 - Better random ranges
On 12/07/2010 08:13 AM, Simo Sorce wrote:
> On Tue, 07 Dec 2010 07:40:36 -0500 Stephen Gallagher sgall...@redhat.com wrote:
>> On 12/06/2010 06:51 PM, Simo Sorce wrote:
>>> This patch reduced the size of the default range (from 1 million to 200.000) and also changes the way the range is selected. Instead of starting at a completely random number, it selects 1 out of 1 random 200k ranges so that the range starts at multiples of 200k. This makes it so that 2 different installs either do not overlap at all or overlap completely (once in 10k times) instead of potentially partially overlapping.
>>
>> Instead of using a random number here, why don't we do something more predictable (so installing FreeIPA on the same machine will hit the same range). Something we used to do at my old job was base it on the IPv4 address of the primary network adapter in the machine. Basically, we could take the integer representation of the IP address, take the modulus 1 of it, and choose the range from that.
>
> That's not needed, if you want to force a specific range you can simply pass an option to the installer.
>
>> This would also provide a guarantee that replicas on the same network would get unique ranges (instead of a 1 in 10,000 chance of doubling up).
>
> Replicas take a cut of the range from the first master, sharing the assigned initial range between them (see the DNA plugin[1] Shared config to understand how it works)
>
>> These are just suggestions. The patch as it exists right now looks fine to me (though I haven't tested it).
>
> I have tested it :)
>
> Simo.
>
> [1] http://directory.fedoraproject.org/wiki/DNA_Plugin

In that case: ack.

-- 
Stephen Gallagher
RHCE 804006346421761
Delivering value year after year. Red Hat ranks #1 in value among software vendors. http://www.redhat.com/promo/vendor/
Re: [Freeipa-devel] [PATCH] Fix default attributes in config plugin (ipadefaultemaildomain).
On 12/07/2010 02:08 PM, Pavel Zuna wrote:
> Fixes an attribute name mismatch in the config plugin. Ticket #573
>
> Pavel

Ack
Re: [Freeipa-devel] [PATCH] 0024 - Better random ranges
On Tue, 07 Dec 2010 08:21:20 -0500 Stephen Gallagher sgall...@redhat.com wrote:
>>> Something we used to do at my old job was base it on the IPv4 address of the primary network adapter in the machine. Basically, we could take the integer representation of the IP address, take the modulus 1 of it, and choose the range from that.
>>
>> That's not needed, if you want to force a specific range you can simply pass an option to the installer.
>>
>>> This would also provide a guarantee that replicas on the same network would get unique ranges (instead of a 1 in 10,000 chance of doubling up).
>>
>> Replicas take a cut of the range from the first master, sharing the assigned initial range between them (see the DNA plugin[1] Shared config to understand how it works)
>>
>>> These are just suggestions. The patch as it exists right now looks fine to me (though I haven't tested it).
>>
>> I have tested it :)
>>
>> Simo.
>>
>> [1] http://directory.fedoraproject.org/wiki/DNA_Plugin
>
> In that case: ack.

Pushed to master.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-devel] [PATCH] Make the migration plugin more configurable
Jakub Hrozek wrote:
> On Wed, Nov 24, 2010 at 04:54:19PM -0500, Rob Crittenden wrote:
>> Jakub Hrozek wrote:
>>> On 11/22/2010 04:21 PM, Jakub Hrozek wrote:
>>>> On 11/22/2010 04:16 PM, Jakub Hrozek wrote:
>>>>> The code handles it (I just ran a quick test with --schema=RFC2307bis). It just iterates through all members of a group -- be it user member or group member, it's just a DN for the plugin.
>>>>>
>>>>> Jakub
>>>>
>>>> Sorry, I found another bug in the plugin. I'll send a new patch shortly, so please don't waste time reviewing this one.
>>>
>>> New patch is attached. It fixes two more bugs of the original plugin - determines whether a group member is a user or a nested group by checking the DN, not just the RDN attribute name and does not hardcode primary keys.
>>
>> Will this blow up in convert_members_rfc2307bis() if a member isn't contained in the users and groups containers? Should there be a failsafe to skip over things that don't match (along with appropriate reporting)?
>
> It wouldn't blow up but add the original DN into the member attribute which is probably worse. Thanks for catching this. I modified the patch to log all migrated users and groups with info() and skip those that don't match any of the containers while logging these entries with error().
>
>> Or if one of users or groups search bases isn't provided?
>
> If one of them isn't provided, a default would be used.
>
>> It definitely doesn't like this:
>>
>> # ipa migrate-ds --user-container='' --group-container='cn=groups,cn=accounts' ldap://ds.example.com:389
>>
>> When passed the right set of options it does seem to do the right thing.
>
> Sorry, but I don't quite understand the --user-container='' switch. Does it mean the users are rooted at the Base DN? Can you post the error or relevant log info? Please note that the default objectclass is person.

The empty user-container isn't related to this patch so ACK, pushed to master.

The error I'm seeing in the Apache error log is:

[Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32] Traceback (most recent call last):
[Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32] File /usr/share/ipa/wsgi.py, line 27, in application
[Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32] return api.Backend.session(environ, start_response)
[Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32] File /usr/lib/python2.6/site-packages/ipaserver/rpcserver.py, line 142, in __call__
[Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32] return self.route(environ, start_response)
[Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32] File /usr/lib/python2.6/site-packages/ipaserver/rpcserver.py, line 154, in route
[Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32] return app(environ, start_response)
[Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32] File /usr/lib/python2.6/site-packages/ipaserver/rpcserver.py, line 234, in __call__
[Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32] response = self.wsgi_execute(environ)
[Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32] File /usr/lib/python2.6/site-packages/ipaserver/rpcserver.py, line 211, in wsgi_execute
[Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32] result = self.Command[name](*args, **options)
[Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32] File /usr/lib/python2.6/site-packages/ipalib/frontend.py, line 417, in __call__
[Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32] ret = self.run(*args, **options)
[Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32] File /usr/lib/python2.6/site-packages/ipalib/frontend.py, line 690, in run
[Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32] return self.execute(*args, **options)
[Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32] File /usr/lib/python2.6/site-packages/ipalib/plugins/migration.py, line 380, in execute
[Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32] ldap, config, ds_ldap, ds_base_dn, options
[Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32] File /usr/lib/python2.6/site-packages/ipalib/plugins/migration.py, line 300, in migrate
[Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32] search_filter, ['*'], search_base, ds_ldap.SCOPE_ONELEVEL#,
[Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32] File /usr/lib/python2.6/site-packages/ipalib/encoder.py, line 188, in new_f
[Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32] return f(*new_args, **kwargs)
[Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32] File /usr/lib/python2.6/site-packages/ipalib/encoder.py, line 199, in new_f
[Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32] return args[0].decode(f(*args, **kwargs))
[Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32] File /usr/lib/python2.6/site-packages/ipaserver/plugins/ldap2.py, line 516, in find_entries
[Tue Dec 07 10:38:10 2010] [error]
Re: [Freeipa-devel] [PATCH] 019 Do not migrate krbPrincipalKey
Jakub Hrozek wrote:
> https://fedorahosted.org/freeipa/ticket/455
>
> This patch depends on my patch 015 (in thread Make the migration plugin more configurable)

ack, pushed to master
[Freeipa-devel] [PATCH] 0025 Restructure startup code for IPA servers
With this patch we stop relying on the system to init single ipa components and instead introduce an ipa init script that takes care of properly starting/stopping all relevant components.

Components are listed with a generic label in LDAP, per server. At startup the ipa init script will always start dirsrv, then use the local socket to query it anonymously[*] and get the list of services to start with an ordering parameter. It will then proceed to start each single service. On failure it will shut them all down. On stopping it shuts them down in inverse order.

Only the ipa service is enabled with chkconfig, all other handled services are off in chkconfig and started by the ipa service instead.

[*] We can create an account if we think this is not good enough, but I would ask to have a separate ticket and handle this change as an additional patch if we feel the need to do that.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From e8cefac3044bfa7351cef44fc37943bffb077125 Mon Sep 17 00:00:00 2001
From: Simo Sorce sso...@redhat.com
Date: Sat, 4 Dec 2010 15:42:14 -0500
Subject: [PATCH] Introduce ipa control script that reads configuration off ldap

This replaces the former ipactl script, as well as the current way ipa components are started. Instead of enabling each service in the system init scripts, enable only the ipa script, and then let it start all components based on the configuration read from the LDAP tree.

resolves: https://fedorahosted.org/freeipa/ticket/294
---
 install/tools/ipa-server-install  |   4 +
 install/tools/ipactl              | 314 -
 ipa.init                          |  45 ++
 ipa.spec.in                       |  14 ++-
 ipaserver/install/bindinstance.py |   5 +-
 ipaserver/install/cainstance.py   |  14 +-
 ipaserver/install/dsinstance.py   |   5 +-
 ipaserver/install/httpinstance.py |   5 +-
 ipaserver/install/krbinstance.py  |  10 +-
 ipaserver/install/service.py      |  51 ++-
 10 files changed, 338 insertions(+), 129 deletions(-)
 create mode 100755 ipa.init
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index bed9add9cbfc1634cce333d810a5dfa6d1df26c9..2c7ae0d888d3e92a4b9e267c674db493c607431d 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install @@ -841,6 +841,10 @@ def main(): except Exception, e: sys.exit(Configuration of client side components failed!\nipa-client-install returned: + str(e)) + +#Everything installed properly, activate ipa service. +service.chkconfig_on('ipa') + print == print Setup complete print diff --git a/install/tools/ipactl b/install/tools/ipactl index 596f07ff4ccc2586c8e16fae4a4f48ed0a34a8cf..6c4db9bf45e3101a4a9dd2835609adb0620e4cdc 100755 --- a/install/tools/ipactl +++ b/install/tools/ipactl @@ -1,6 +1,7 @@ -#!/bin/sh +#!/usr/bin/env python +# Authors: Simo Sorce sso...@redhat.com # -# Copyright (C) 2008 Red Hat +# Copyright (C) 2008-2010 Red Hat # see file 'COPYING' for use and warranty information # # This program is free software; you can redistribute it and/or 
@@ -16,108 +17,207 @@ # along with this program; if not, write to the Free Software # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # -# -# IPA control to start/stop the various services required for IPA in the -# proper order -# - -# Set IFS so we can do space-embedded lists of services -IFS=; - -# start and stop are basically a reverse of each other -services_stop=ipa_kpasswd;httpd;krb5kdc;dirsrv;ntpd;named;pki-cad pki-ca -services_start=dirsrv;ntpd;krb5kdc;named;ipa_kpasswd;httpd;pki-cad pki-ca - -function is_running() { -# $1 = service to check on -# $2 = optional instance to check on, for dirsrv and pki-cad - -# Returns -# 0 - running -# 1 - pid but dead service -# 2 - dead but locked subsys -# 3 - stopped -# 4 - no such service -if [ $# = 2 ] ; then -/sbin/service $1 status $2 /dev/null 21 -else -out=`/sbin/service $1 status 21` -fi -case $? in -0) -return 0;; -1) -x=`echo $out | grep -c exists` -if [ $x -eq 1 ] ; then -return 1 -else -return 4 -fi -;; -2) -return 2;; -3) -return 3;; -esac -} - -function start() { -for service in $services_start ; do -is_running $service -case $? in -0) # running -;; -4) # no such service -;; -*) # otherwise not running -/sbin/service $service start -;; -esac -done -} - -function stop() { -for service in $services_stop ; do -is_running $service -case $? in -0) # running -
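Review bot: `service.chkconfig_on('ipa')` in the @@ -841 hunk of ipa-server-install is reached only after the ipa-client-install step succeeded (the `sys.exit(...)` above it aborts otherwise), and with this patch the individual components are no longer enabled on their own; the commit message should spell out that an aborted install leaves nothing enabled for the next boot, so an admin re-running the installer knows what state to expect. Minor nit in the same hunk: `#Everything installed properly` should be `# Everything installed properly`.

Review bot: the shell `start()` loop removed in the @@ -16 hunk of ipactl deliberately skipped services whose `is_running` returned 4 (no such service), which is how optional components such as named and pki-cad were tolerated on hosts where they are not installed; the Python replacement is cut off on this page, so please confirm it keeps an equivalent "not installed" path instead of treating a missing init script as a start failure that unwinds everything that was already started.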
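The start/unwind ordering Simo describes for the new ipa init script (dirsrv first, the rest by their ordering parameter, everything stopped in reverse on a failure), as an added Python model that is not the ipactl code from the patch: the LDAP lookup is stood in for by a callable returning constructed (order, name) pairs, and FakeSystem replaces /sbin/service so the rollback order can be checked offline.

```python
class ServiceError(Exception):
    """Raised by the start/stop backend when a service's init script fails."""


class FakeSystem:
    """Stand-in for /sbin/service (constructed for this demo): records every
    start/stop call and fails to start the names listed in `fail_on`."""

    def __init__(self, fail_on=()):
        self.fail_on = set(fail_on)
        self.log = []

    def start(self, name):
        self.log.append(("start", name))
        if name in self.fail_on:
            raise ServiceError("%s failed to start" % name)

    def stop(self, name):
        self.log.append(("stop", name))


def ordered_names(entries):
    """`entries` are (order, name) pairs as they would come back from the
    per-server list in LDAP; ties are broken by name so the order is stable."""
    return [name for order, name in sorted(entries, key=lambda e: (e[0], e[1]))]


def ipactl_start(lookup, system):
    """Start dirsrv, read the ordered service list through it, then start the
    remaining services in order. Any failure stops everything already started,
    in reverse order, and raises with the original failure message."""
    started = []
    try:
        system.start("dirsrv")          # always first: the list lives in LDAP
        started.append("dirsrv")
        for name in ordered_names(lookup()):
            system.start(name)
            started.append(name)
    except ServiceError as err:
        for name in reversed(started):
            try:
                system.stop(name)
            except ServiceError:
                pass                    # keep unwinding; report the first failure
        raise RuntimeError("ipa start aborted: %s" % err)
    return started


def ipactl_stop(lookup, system):
    """Stop in the inverse of the start order; dirsrv goes last because the
    service list has to be read from it before it is shut down."""
    names = ordered_names(lookup())
    for name in reversed(names):
        system.stop(name)
    system.stop("dirsrv")
    return list(reversed(names)) + ["dirsrv"]


def start_with_failure(entries, fail_on):
    """Drive ipactl_start against a FakeSystem failing on `fail_on`;
    return (error text or None, the recorded call log)."""
    system = FakeSystem(fail_on)
    try:
        ipactl_start(lambda: entries, system)
    except RuntimeError as err:
        return str(err), system.log
    return None, system.log


if __name__ == "__main__":
    # Constructed sample of what the per-server LDAP list might hold.
    entries = [(30, "httpd"), (10, "krb5kdc"), (20, "named"), (20, "ipa_kpasswd")]
    print(ipactl_start(lambda: entries, FakeSystem()))
    print(start_with_failure(entries, {"named"}))
    print(ipactl_stop(lambda: entries, FakeSystem()))
```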
Re: [Freeipa-devel] [PATCH] admiyo-0113-nested-entity-navigation
On 12/7/2010 1:01 PM, Adam Young wrote:

ACK and pushed to master.

-- 
Endi S. Dewata
[Freeipa-devel] Updated SUDO spec
Changes were made to the command section of the details screen.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
[Freeipa-devel] [PATCH] 633 add selfservice aci plugin
Add plugin to manage self-service ACIs

This is just a thin wrapper around the aci plugin, controlling what types of ACIs can be added. Right now only ACIs in the basedn can be managed with this plugin.

I've got an e-mail into the UI folks to see if we can enhance this and ask the type of object we're creating a selfservice entry for. This way we can put the aci into the proper container. Otherwise I'm going to need to follow up to this and move a couple of self-service ACIs that are now in containers into the basedn.

ticket 531

rob

From b497133a497f2feaf81dd8e70efe3ca0ff7d947b Mon Sep 17 00:00:00 2001
From: Rob Crittenden rcrit...@redhat.com
Date: Tue, 7 Dec 2010 16:30:37 -0500
Subject: [PATCH] Add plugin to manage self-service ACIs

This is just a thin wrapper around the aci plugin, controlling what types of ACIs can be added. Right now only ACIs in the basedn can be managed with this plugin.

ticket 531
---
 ipalib/plugins/aci.py                        |  37 +++-
 ipalib/plugins/selfservice.py                | 192 ++
 tests/test_xmlrpc/test_selfservice_plugin.py | 183
 3 files changed, 398 insertions(+), 14 deletions(-)
 create mode 100644 ipalib/plugins/selfservice.py
 create mode 100644 tests/test_xmlrpc/test_selfservice_plugin.py

diff --git a/ipalib/plugins/aci.py b/ipalib/plugins/aci.py
index 3636ddd..d5f7d99 100644
--- a/ipalib/plugins/aci.py
+++ b/ipalib/plugins/aci.py
@@ -656,21 +656,30 @@ class aci_find(crud.Search): # acis = list(results) for a in acis: -if 'target' in a.target: -target = a.target['target']['expression'] -else: -results.remove(a) -continue -found = False -for k in _type_map.keys(): -if _type_map[k] == target and 'type' in kw and kw['type'] == k: -found = True -break; -if not found: -try: +if 'type' in kw: +if 'target' in a.target: +target = a.target['target']['expression'] +else: results.remove(a) -except ValueError: -pass +continue +found = False +for k in _type_map.keys(): +if _type_map[k] == target and kw['type'] == k: +found = True +break; +if not found: +try: +results.remove(a) +except ValueError: +pass + +if 'selfaci' in kw and kw['selfaci'] == True: +for a in acis: +if a.bindrule['expression'] != u'ldap:///self': +try: +results.remove(a) +except ValueError: +pass # TODO: searching by: filter, subtree diff --git a/ipalib/plugins/selfservice.py b/ipalib/plugins/selfservice.py new file mode 100644 index 000..aee07ab --- /dev/null +++ b/ipalib/plugins/selfservice.py 
@@ -0,0 +1,192 @@ +# Authors: +# Rob Crittenden rcrit...@redhat.com +# +# Copyright (C) 2010 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation; version 2 only +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + +Self-Service Permissions + +A permission enables fine-grained delegation of permissions. Access Control +Rules, or instructions (ACIs), grant permission to permissions to perform +given tasks such as adding a user, modifying a group, etc. + +A Self-Service permission defines what an object can change in its own entry. + + +EXAMPLES: + + Add a self-service rule to allow users to manage their address: + ipa selfservice-add --permissions=write --attrs=street,postalCode,l,c,st User's manage their own address + + When managing the list of attributes you need to include all attributes + in the list, including existing ones. Add telephoneNumber to the list: + ipa selfservice-mod --attrs=street,postalCode,l,c,st,telephoneNumber User's manage their own address + + Display our updated rule: + ipa selfservice-show User's manage their own address + + Delete a rule: + ipa selfservice-del User's manage their own address + + +import copy +from ipalib import api, _,
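Review bot: the selfaci branch added in the @@ -656 hunk of aci.py recognises a self-service rule only by the exact comparison `a.bindrule['expression'] != u'ldap:///self'`, so an ACI whose userdn was written with different case or surrounding whitespace is silently reported as a non-self rule and escapes the selfservice plugin's view; normalise the expression (strip, lower-case) before comparing. Two smaller points in the same hunk: `kw['selfaci'] == True` reads better as `kw.get('selfaci')`, and `break;` carries a stray semicolon.

Review bot: the module docstring in the new selfservice.py reads "Access Control Rules, or instructions (ACIs), grant permission to permissions to perform given tasks"; ACI stands for Access Control Instruction and the sentence is garbled, so suggest "Access Control Instructions (ACIs) grant permission to perform given tasks such as adding a user or modifying a group." The example rule names also misuse an apostrophe: "User's manage their own address" should be "Users manage their own address" throughout the EXAMPLES block.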
Re: [Freeipa-devel] [PATCH] Fix default attributes in config plugin (ipadefaultemaildomain).
Jakub Hrozek wrote:
> On 12/07/2010 02:08 PM, Pavel Zuna wrote:
>> Fixes an attribute name mismatch in the config plugin. Ticket #573
>>
>> Pavel
>
> Ack

pushed to master
Re: [Freeipa-devel] [PATCH] 020 Fix kwargs usage in automount plugin
Jakub Hrozek wrote:
> ipa automountlocation-add baltimore
> ipa automountmap-add baltimore auto.share
> ipa automountkey-add baltimore auto.master /share --info=auto.share
> ipa automountkey-add baltimore auto.share man --info=-ro,soft,rsize=8192,wsize=8192 ipa.example.com:/shared/man
> ipa automountlocation-tofiles baltimore

Ack, pushed to master.

Note that the tests are pretty badly broken for automount. I'll have a patch out to fix them shortly.

rob
[Freeipa-devel] [PATCH] 634 fix automount tests
While testing Jakub's patch I discovered that the automount tests were pretty badly broken (not related to his changes). This should fix things. rob From d24569e45cd51d70f704e5e9c911b82d7d8c9a01 Mon Sep 17 00:00:00 2001 From: Rob Crittenden rcrit...@redhat.com Date: Tue, 7 Dec 2010 17:18:04 -0500 Subject: [PATCH] Fix automount tests --- tests/test_xmlrpc/test_automount_plugin.py | 51 +-- 1 files changed, 25 insertions(+), 26 deletions(-) diff --git a/tests/test_xmlrpc/test_automount_plugin.py b/tests/test_xmlrpc/test_automount_plugin.py index 355f9f8..138a03b 100644 --- a/tests/test_xmlrpc/test_automount_plugin.py +++ b/tests/test_xmlrpc/test_automount_plugin.py @@ -37,10 +37,9 @@ class test_automount(XMLRPC_test): keyname2 = u'testkey2' description = u'description of map' info = u'ro' -loc_kw = {'cn': locname} -map_kw = {'cn': locname, 'automountmapname': mapname, 'description': description, 'raw': True} -key_kw = {'cn': locname, 'automountmapname': mapname, 'automountkey': keyname, 'automountinformation': info, 'raw': True} -key_kw2 = {'cn': locname, 'automountmapname': mapname, 'automountkey': keyname2, 'automountinformation': info, 'raw': True} +map_kw = {'automountmapname': mapname, 'description': description, 'raw': True} +key_kw = {'automountkey': keyname, 'automountinformation': info, 'raw': True} +key_kw2 = {'automountkey': keyname2, 'automountinformation': info, 'raw': True} def test_0_automountlocation_add(self): @@ -56,7 +55,7 @@ class test_automount(XMLRPC_test): Test adding a map `xmlrpc.automountmap_add` method. -res = api.Command['automountmap_add'](**self.map_kw)['result'] +res = api.Command['automountmap_add'](self.locname, **self.map_kw)['result'] assert res assert_attr_equal(res, 'automountmapname', self.mapname) 
@@ -64,7 +63,7 @@ class test_automount(XMLRPC_test): Test adding a key using `xmlrpc.automountkey_add` method. -res = api.Command['automountkey_add'](**self.key_kw2)['result'] +res = api.Command['automountkey_add'](self.locname, self.mapname, **self.key_kw2)['result'] assert res assert_attr_equal(res, 'automountkey', self.keyname2) @@ -72,7 +71,7 @@ class test_automount(XMLRPC_test): Test adding a key using `xmlrpc.automountkey_add` method. -res = api.Command['automountkey_add'](**self.key_kw)['result'] +res = api.Command['automountkey_add'](self.locname, self.mapname, **self.key_kw)['result'] assert res assert_attr_equal(res, 'automountkey', self.keyname) @@ -81,7 +80,7 @@ class test_automount(XMLRPC_test): Test adding a duplicate key using `xmlrpc.automountkey_add` method. try: -api.Command['automountkey_add'](**self.key_kw) +api.Command['automountkey_add'](self.locname, self.mapname, **self.key_kw) except errors.DuplicateEntry: pass else: @@ -106,8 +105,8 @@ class test_automount(XMLRPC_test): Test the `xmlrpc.automountkey_show` method. -showkey_kw={'cn': self.locname, 'automountmapname': self.mapname, 'automountkey': self.keyname, 'raw': True} -res = api.Command['automountkey_show'](**showkey_kw)['result'] +showkey_kw={'automountkey': self.keyname, 'raw': True} +res = api.Command['automountkey_show'](self.locname, self.mapname, **showkey_kw)['result'] assert res assert_attr_equal(res, 'automountkey', self.keyname) assert_attr_equal(res, 'automountinformation', self.info) @@ -128,7 +127,7 @@ class test_automount(XMLRPC_test): self.key_kw['automountinformation'] = u'rw' self.key_kw['description'] = u'new description' -res = api.Command['automountkey_mod'](**self.key_kw)['result'] +res = api.Command['automountkey_mod'](self.locname, self.mapname, **self.key_kw)['result'] assert res assert_attr_equal(res, 'automountinformation', 'rw') assert_attr_equal(res, 'description', 'new description') 
@@ -137,8 +136,8 @@ class test_automount(XMLRPC_test): Test the `xmlrpc.automountmap_mod` method. -self.map_kw['description'] = u'new description' -res = api.Command['automountmap_mod'](**self.map_kw)['result'] +mod_kw = {'description': u'new description'} +res = api.Command['automountmap_mod'](self.locname, self.mapname, **mod_kw)['result'] assert res assert_attr_equal(res, 'description', 'new description') @@ -146,13 +145,13 @@ class test_automount(XMLRPC_test): Test the `xmlrpc.automountkey_del` method. -delkey_kw={'cn': self.locname, 'automountmapname': self.mapname, 'automountkey': self.keyname, 'raw': True} -res =
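Review bot: In the first hunk (@@ -37,10 +37,9 @@) `loc_kw` is deleted from the class attributes, but the body of `test_0_automountlocation_add` that presumably consumed it is not in the patch; please confirm that test no longer references `self.loc_kw`, otherwise it fails with AttributeError before any of the later tests run. While there, note that `key_kw`, `key_kw2` and `map_kw` stay class-level dicts shared by every test method, so any in-place mutation leaks between tests.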
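Review bot: The automountkey_mod hunk (@@ -128,7 +127,7 @@) still mutates the shared class dict in place (`self.key_kw['automountinformation'] = u'rw'` and `self.key_kw['description'] = u'new description'`) before calling `api.Command['automountkey_mod'](self.locname, self.mapname, **self.key_kw)`, so every later test that reuses `key_kw` sees the modified values. The automountmap_mod hunk right after it already switched to a fresh `mod_kw = {'description': u'new description'}`; do the same here, e.g. `mod_kw = dict(self.key_kw, automountinformation=u'rw', description=u'new description')`, so `automountkey` and `raw` are still passed without touching the shared dict.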
[Freeipa-devel] [PATCH 2] Adding user/host category and ipaenabledflag
This patch is for ticket: https://fedorahosted.org/freeipa/ticket/570

This patch addresses items:
1. The UI needs a rule status with values active/inactive. The CLI doesn't have this attribute. HBAC has ipaenabledflag attribute which can be managed using hbac-enable/disable operations.
2. The UI needs a user category for the Who section. The CLI doesn't have this attribute. HBAC has usercategory attribute which can be managed using hbac-add/mod operations.
3. The UI needs a host category for the Access this host section. The CLI doesn't have this attribute. HBAC has hostcategory attribute which can be managed using hbac-add/mod operations.

Please review.
-Jr

Attachment: 0002-Adding-user-host-category-and-ipaenabledflag.patch
[Freeipa-devel] [PATCH] 0026 Split replica installation in dsinstance
This patch allows patch 0025 to work properly for replica installation so it is a prereq for it now.

It splits installation so that certain steps can be done after the tree has been replicated without having them wiped out, like the creation of the replica master entry under cn=masters,cn=ipa,cn=etc

It also introduces a dependency on the replica file having the ca.crt in it, and installs it by default under /etc/ipa/ca.crt (the httpinstance later on also stores it under /usr/share/ipa/html/ca.crt).

This patch also makes sure the memberof fixup task is run *after* initial replication, just to make sure. Technically the memberof plugin is already activated so memberof entries should be properly created while replication goes through. But better be thorough.

Replication is now started within dsinstance.py, as one of the dsinstance creation steps, and not after ds is set up.

Initial testing gave no issues to me.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-devel] [PATCH] 633 add selfservice aci plugin
Adam Young wrote:
On 12/07/2010 04:33 PM, Rob Crittenden wrote:
Add plugin for manage self-service ACIs

This is just a thin wrapper around the aci plugin, controlling what types of ACIs can be added.

Right now only ACIs in the basedn can be managed with this plugin. I've got an e-mail into the UI folks to see if we can enhance this and ask the type of object we're creating a selfservice entry for. This way we can put the aci into the proper container. Otherwise I'm going to need to follow up to this and move a couple of self-service ACI's that are now in containers into the basedn.

ticket 531

rob

Probably related to the failure above, after that, doing ipa permission-find gave an error with the following in the log:

[Sun Dec 05 20:09:51 2010] [error] ipa: ERROR: non-public: TypeError: tuple indices must be integers, not str
[Sun Dec 05 20:09:51 2010] [error] Traceback (most recent call last):
[Sun Dec 05 20:09:51 2010] [error]   File "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 211, in wsgi_execute
[Sun Dec 05 20:09:51 2010] [error]     result = self.Command[name](*args, **options)
[Sun Dec 05 20:09:51 2010] [error]   File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 417, in __call__
[Sun Dec 05 20:09:51 2010] [error]     ret = self.run(*args, **options)
[Sun Dec 05 20:09:51 2010] [error]   File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 690, in run
[Sun Dec 05 20:09:51 2010] [error]     return self.execute(*args, **options)
[Sun Dec 05 20:09:51 2010] [error]   File "/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py", line 1228, in execute
[Sun Dec 05 20:09:51 2010] [error]     more = callback(ldap, entries, truncated, *args, **options)
[Sun Dec 05 20:09:51 2010] [error]   File "/usr/lib/python2.6/site-packages/ipalib/plugins/permission.py", line 313, in post_callback
[Sun Dec 05 20:09:51 2010] [error]     if aci['permission'] == entry['cn']:
[Sun Dec 05 20:09:51 2010] [error] TypeError: tuple indices must be integers, not str

This would be a separate problem, can you file a ticket on it?

rob