[Freeipa-devel] [PATCH] import NSPRError in host.py

2010-12-20 Thread Jakub Hrozek

The host plugin references NSPRError in a couple of places but never
imports it.
From d578f9cd964fb147c4394ca3f2e122f9baebbaf1 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek jhro...@redhat.com
Date: Sun, 19 Dec 2010 23:18:29 +0100
Subject: [PATCH] import NSPRError in host.py

---
 ipalib/plugins/host.py |1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py
index 91aa651..161eddb 100644
--- a/ipalib/plugins/host.py
+++ b/ipalib/plugins/host.py
@@ -73,6 +73,7 @@ EXAMPLES:
 import platform
 import os
 import sys
+from nss.error import NSPRError
 
 from ipalib import api, errors, util
 from ipalib import Str, Flag, Bytes
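Review bot: the commit message should state the failure mode the cover letter implies. Because NSPRError is referenced but never imported, the name is only resolved when the referencing code runs, so the defect does not show up at module import time but as a NameError at the point where an NSPR error is being handled, hiding the original error. A static check such as pyflakes reports undefined names without having to exercise those code paths, and is a cheap gate for this class of bug.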
-- 
1.7.3.3



___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] Modified ipa help behavior

2010-12-20 Thread Jakub Hrozek

On 12/09/2010 09:54 AM, Jan Zelený wrote:
 Jan Zelený jzel...@redhat.com wrote:
 Jan Zelený jzel...@redhat.com wrote:
 Now each plugin can define its topic as a 2-tuple, where the first
 item is the name of topic it belongs to and the second item is
 a description of such topic. Topic descriptions must be the same
 for all modules belonging to the topic.

 By using these topics, it is possible to group plugins as we see fit.
 When asking for help for a particular topic, help for all modules
 in the given topic is written.

 ipa help - show all topics (until now it showed all plugins)
 ipa help topic - show details for a given topic

 https://fedorahosted.org/freeipa/ticket/410

 So here it is: I'm sending a couple of patches which resolve the ticket and
 implement grouping the way we previously discussed. Please feel free to
 send me any recommendations if anything should be modified.
 
 Here's an updated version of 0014 (changed type detection from type(var) is
 type({}) to type(var) is dict)
 
 Jan

The first patch in the series does not apply cleanly anymore, can you
rebase?

Also, ipa help gives me a traceback now:

ipa: ERROR: UnboundLocalError: local variable 'mod_name' referenced
before assignment
Traceback (most recent call last):
  File /usr/lib/python2.7/site-packages/ipalib/cli.py, line 1049, in run
api.finalize()
  File /usr/lib/python2.7/site-packages/ipalib/plugable.py, line 615,
in finalize
p.instance.finalize()
  File /usr/lib/python2.7/site-packages/ipalib/cli.py, line 662, in
finalize
self._count_topic_mcl(topic_name, mod_name)
UnboundLocalError: local variable 'mod_name' referenced before assignment
ipa: ERROR: an internal error has occurred



Re: [Freeipa-devel] [PATCH] Added option --no-reverse to add-host

2010-12-20 Thread Jakub Hrozek

On 12/14/2010 07:05 PM, Jan Zelený wrote:
 When adding a host with a specific IP address, the operation would fail in
 case we don't own the reverse DNS. This new option overrides the
 check for the reverse DNS zone and falls back to a different IP address
 existence check.
 
 https://fedorahosted.org/freeipa/ticket/417
 
 I was considering deleting the reverse zone detection entirely and checking the
 IP address directly by querying for A records containing it, but I think this
 way it is more efficient.
 

Ack



[Freeipa-devel] [PATCH] Allow renaming of object that have a parent

2010-12-20 Thread Jakub Hrozek

When performing an RDN change, we would construct the new DN from the
RDN attribute only. This doesn't work when the object has a parent.

There's currently no testcase; I hit that when working on automount, so
this patch will be testable with the automount patch and is also a
dependency for it. But I think the code is pretty clear.

From d6520b9d391a1541d18b73bd00a5a05a304f667e Mon Sep 17 00:00:00 2001
From: Jakub Hrozek jhro...@redhat.com
Date: Wed, 15 Dec 2010 10:07:46 +0100
Subject: [PATCH] Allow renaming of object that have a parent

Allow renaming of object that have a parent
---
 ipalib/plugins/baseldap.py |3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py
index 9ef5f37..69682dc 100644
--- a/ipalib/plugins/baseldap.py
+++ b/ipalib/plugins/baseldap.py
@@ -772,7 +772,8 @@ class LDAPUpdate(LDAPQuery, crud.Update):
 # RDN change
 ldap.update_entry_rdn(dn, unicode('%s=%s' % (self.obj.rdnattr,
 entry_attrs[self.obj.rdnattr])))
-dn = self.obj.get_dn(entry_attrs[self.obj.rdnattr])
+rdnkeys = keys[:-1] + (entry_attrs[self.obj.rdnattr], )
+dn = self.obj.get_dn(*rdnkeys)
 del entry_attrs[self.obj.rdnattr]
 options['rdnupdate'] = True
 rdnupdate = True
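Review bot: the commit body just repeats the subject line; it should carry the explanation from the cover letter, namely that `get_dn` was previously handed only the new RDN value, so every parent key was dropped from the rebuilt DN. Also, `keys[:-1] + (entry_attrs[self.obj.rdnattr], )` assumes `keys` is a tuple: if a caller ever passes a list, list + tuple raises TypeError, so `tuple(keys[:-1]) + (entry_attrs[self.obj.rdnattr], )` is the safer spelling.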
-- 
1.7.3.3




[Freeipa-devel] [PATCH] Make pkey always iterable when deleting

2010-12-20 Thread Jakub Hrozek

When deleting multiple objects, the code tries to enforce that the
primary key is always iterable by doing:

keys = keys[:-1] + (keys[-1], )

But this doesn't work: the line only concatenates two tuples, effectively
returning the original one. See the attached patch for a fix.

From 0438ac08fbfbc6e06cded529b6021f3c5b5255fe Mon Sep 17 00:00:00 2001
From: Jakub Hrozek jhro...@redhat.com
Date: Tue, 14 Dec 2010 18:02:41 +0100
Subject: [PATCH] Make pkey always iterable when deleting

---
 ipalib/plugins/baseldap.py |8 +---
 1 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py
index 69682dc..3adf351 100644
--- a/ipalib/plugins/baseldap.py
+++ b/ipalib/plugins/baseldap.py
@@ -889,12 +889,14 @@ class LDAPDelete(LDAPMultiQuery):
 return result
 
 if not self.obj.primary_key or not isinstance(keys[-1], (list, tuple)):
-keys = keys[:-1] + (keys[-1], )
+pkeyiter = (keys[-1], )
+else:
+pkeyiter = keys[-1]
 
 deleted = []
 failed = []
 result = True
-for pkey in keys[-1]:
+for pkey in pkeyiter:
 try:
 if not delete_entry(pkey):
 result = False
@@ -905,7 +907,7 @@ class LDAPDelete(LDAPMultiQuery):
 else:
 deleted.append(pkey)
 
-if self.obj.primary_key and keys[-1] is not None:
+if self.obj.primary_key and pkeyiter is not None:
 return dict(result=result, value=u','.join(deleted))
 return dict(result=result, value=u'')
 
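Review bot: `pkeyiter is not None` is always true here. `pkeyiter` is either the one-tuple built in the previous hunk or the list/tuple taken from `keys[-1]`, so the original `keys[-1] is not None` test has been lost and the `value=u''` branch is now only reachable when `self.obj.primary_key` is unset. Either test the wrapped value (`pkeyiter[0] is not None` for the scalar case) or decide the result from `deleted` being non-empty after the loop.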
-- 
1.7.3.3
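To make the tuple no-op concrete, here is a stand-alone Python 3 example (added here; it is not FreeIPA code) that reproduces the original normalisation line, the patched `pkeyiter` construction, and a delete loop in the shape of the `LDAPDelete` code quoted above. `delete_entries` and its `delete_entry` callback are hypothetical stand-ins for the real LDAP calls; the example goes beyond the patch by handling an empty key list and a `None` key, which is where the later `pkeyiter[0] is not None` test in the thread gets awkward.

```python
"""Added example (not FreeIPA code): why ``keys[:-1] + (keys[-1], )`` is a
no-op, and a normaliser that always yields an iterable of primary keys."""


def original_normalize(keys):
    """The line from the original code.

    Concatenating keys[:-1] with a one-tuple of keys[-1] rebuilds exactly the
    same tuple, so a scalar last element stays a scalar and the later
    ``for pkey in keys[-1]`` iterates over its characters (or raises).
    """
    return keys[:-1] + (keys[-1], )


def pkey_iterable(keys, has_primary_key=True):
    """Return the last positional argument as something iterable.

    Mirrors the patched logic: a scalar (or any last key when the object has
    no primary key) is wrapped in a one-tuple; a list/tuple is returned as is.
    """
    if not has_primary_key or not isinstance(keys[-1], (list, tuple)):
        return (keys[-1], )
    return keys[-1]


def delete_entries(keys, delete_entry, has_primary_key=True):
    """Delete every primary key named by ``keys[-1]``.

    ``delete_entry(pkey)`` is a hypothetical callback returning True on
    success and False on failure.  The returned dict has the same shape as
    the ``dict(result=..., value=...)`` in the patch.
    """
    pkeyiter = pkey_iterable(keys, has_primary_key)
    deleted = []
    result = True
    for pkey in pkeyiter:
        if pkey is None:          # nothing to delete for a missing key
            continue
        if delete_entry(pkey):
            deleted.append(pkey)
        else:
            result = False
    # Deciding on ``deleted`` instead of ``pkeyiter[0] is not None`` avoids
    # an IndexError on an empty list and covers a None first element.
    if has_primary_key and deleted:
        return dict(result=result, value=u','.join(deleted))
    return dict(result=result, value=u'')
```

The behaviour worth remembering is the first function: tuple slicing plus a one-tuple of the sliced-off element is an identity, so the "wrap a scalar" intent needs an explicit `isinstance` branch as in the patch.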




[Freeipa-devel] [PATCH] 029 Enforce uniqueness on (key, info) pairs in automount keys

2010-12-20 Thread Jakub Hrozek

Attached is a patch that changes the uniqueness constraint of automount
keys from (key) to (key,info) pairs. The patch is not really standard
baseldap style. The reason is that during development, I found that
baseldap is really dependent on having a single primary key and also
during many operations accessing it as keys[-1].

Please note that the ipa automountkey-* commands used to have three
args; now it's two args and two required options (that compose the tuple
that is the primary key). I know next to nothing about UI, but I assume this
has consequences as the JSON marshalled call needs to be different now.
Can someone point me to the place in the code that I need to fix now?

Fixes:
https://fedorahosted.org/freeipa/ticket/293
From 4cfcbbd2e28a6e4a4b4d272136c6b3d92f34b3ac Mon Sep 17 00:00:00 2001
From: Jakub Hrozek jhro...@redhat.com
Date: Sun, 19 Dec 2010 21:23:16 +0100
Subject: [PATCH] Enforce uniqueness on (key,info) pairs in automount keys

https://fedorahosted.org/freeipa/ticket/293
---
 install/share/bootstrap-template.ldif  |3 +-
 ipalib/plugins/automount.py|  179 ++--
 tests/test_xmlrpc/test_automount_plugin.py |   82 ++---
 3 files changed, 236 insertions(+), 28 deletions(-)

diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif
index 69dbe3d..cfa8ec2 100644
--- a/install/share/bootstrap-template.ldif
+++ b/install/share/bootstrap-template.ldif
@@ -64,11 +64,12 @@ changetype: add
 objectClass: automountMap
 automountMapName: auto.direct
 
-dn: automountkey=/-,automountmapname=auto.master,cn=default,cn=automount,$SUFFIX
+dn: description=/- auto.direct,automountmapname=auto.master,cn=default,cn=automount,$SUFFIX
 changetype: add
 objectClass: automount
 automountKey: /-
 automountInformation: auto.direct
+description: /- auto.direct
 
 dn: cn=hbacservices,cn=accounts,$SUFFIX
 changetype: add
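Review bot: the new RDN `description=/- auto.direct` is the key and the information joined by a space, so both user-supplied values now take part in DN syntax. A key or information string containing `,`, `+`, `"`, `\`, `<`, `>`, `;` or a leading `#` or leading/trailing space has to be escaped per RFC 4514 wherever the plugin composes this RDN, otherwise the entry cannot be addressed (or a crafted value splits the DN into extra RDNs). The template line itself is fine since neither value here carries such characters, but the automount.py side that builds the same RDN needs the escaping, or a validator rejecting those characters.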
diff --git a/ipalib/plugins/automount.py b/ipalib/plugins/automount.py
index 39605d4..d2df07b 100644
--- a/ipalib/plugins/automount.py
+++ b/ipalib/plugins/automount.py
@@ -88,16 +88,19 @@ Keys:
 
   Create a new key for the auto.share map in location baltimore. This ties
   the map we previously created to auto.master:
-  ipa automountkey-add baltimore auto.master /share --info=auto.share
+ipa automountkey-add baltimore auto.master --key=/share --info=auto.share
 
   Create a new key for our auto.share map, an NFS mount for man pages:
-ipa automountkey-add baltimore auto.share man --info=-ro,soft,rsize=8192,wsize=8192 ipa.example.com:/shared/man
+ipa automountkey-add baltimore auto.share --key=man --info=-ro,soft,rsize=8192,wsize=8192 ipa.example.com:/shared/man
 
   Find all keys for the auto.share map:
-ipa automountkey-find baltimore auto.share
+ipa automountkey-find baltimore --info=auto.share
+
+  Find all direct automount keys:
+ipa automountkey-find baltimore --key=/-
 
   Remove the man key from the auto.share map:
-ipa automountkey-del baltimore auto.share man
+ipa automountkey-del baltimore auto.share --key=man
 
 
 
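Review bot: the `--info=-ro,soft,rsize=8192,wsize=8192 ipa.example.com:/shared/man` example (in both the removed and the added line) contains an unquoted space, so a shell splits it into two arguments and `ipa.example.com:/shared/man` is dropped from the option; quote the value, e.g. `--info="-ro,soft,rsize=8192,wsize=8192 ipa.example.com:/shared/man"`. Also, the two `automountkey-find` examples omit the map argument that `automountkey-add` and `automountkey-del` still take; if the map stays a required positional for find, both examples fail as written.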
@@ -362,7 +365,11 @@ class automountlocation_import(LDAPQuery):
 
 # Add a new key to the auto.master map for the new map file
 try:
-api.Command['automountkey_add'](args[0], u'auto.master', unicode(am[0]), automountinformation=unicode(' '.join(am[1:])))
+api.Command['automountkey_add'](
+args[0],
+u'auto.master',
+automountkey=unicode(am[0]),
+automountinformation=unicode(' '.join(am[1:])))
 result['keys'].append([am[0], u'auto.master'])
 except errors.DuplicateEntry, e:
 if options.get('continue', False):
@@ -410,7 +417,11 @@ class automountlocation_import(LDAPQuery):
 am = x.split(None)
 key = unicode(am[0].replace('',''))
 try:
-api.Command['automountkey_add'](args[0], unicode(m), key, automountinformation=unicode(' '.join(am[1:])))
+api.Command['automountkey_add'](
+args[0],
+unicode(m),
+automountkey=key,
+automountinformation=unicode(' '.join(am[1:])))
 result['keys'].append([key,m])
 except errors.DuplicateEntry, e:
 if options.get('continue', False):
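Review bot: with the (key, info) pair now forming the primary key, the `errors.DuplicateEntry` handled here (and in the preceding hunk for auto.master) fires only when the identical pair already exists; an imported map line that reuses a key with different information is now added as a second entry instead of being reported as a duplicate. If that is intended it deserves a comment at this call site; otherwise the import should look the key up first and treat a same-key/different-info hit as a conflict.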
@@ -566,25 +577,88 @@ class automountkey(LDAPObject):
 default_attributes = [
 'automountkey', 'automountinformation', 'description'
 ]
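The "rename with parent" patch earlier on this page rebuilds a DN from `keys[:-1]` plus the new RDN value, and patch 029 above names automount keys by a description attribute of the form `<key> <info>`. The following stand-alone Python 3 example (added here; not FreeIPA's `get_dn` or any project code) shows both: a DN built from an ordered list of parent keys, the rename as a replacement of the last key only, and RFC 4514 escaping of every RDN value, which neither quoted patch performs. `make_dn`, `rename_dn` and `automount_key_rdn_value` are hypothetical helpers; the base DN and attribute names are constructed sample values.

```python
"""Added example (not FreeIPA code): DN construction from parent keys plus a
new RDN value, with RFC 4514 escaping of the RDN values."""

# Characters that must be backslash-escaped inside an RDN attribute value
# (RFC 4514 section 2.4).
_DN_SPECIAL = ',+"\\<>;='


def escape_rdn_value(value):
    """Escape one RDN attribute value for inclusion in a DN string."""
    out = []
    for ch in value:
        if ch in _DN_SPECIAL:
            out.append('\\' + ch)
        elif ch == '\x00':
            out.append('\\00')
        else:
            out.append(ch)
    s = ''.join(out)
    # A leading '#' or space and a trailing space also need escaping.
    if s.startswith('#') or s.startswith(' '):
        s = '\\' + s
    if s.endswith(' ') and not s.endswith('\\ '):
        s = s[:-1] + '\\ '
    return s


def make_dn(rdn_attrs, keys, base_dn):
    """Return ``attr_n=key_n,...,attr_1=key_1,<base_dn>``.

    ``rdn_attrs[i]`` names the attribute for ``keys[i]``; the first key is
    the outermost container and the last one the entry being named, the
    same order the ``keys`` tuple has in the patched LDAPUpdate code.
    """
    if len(rdn_attrs) != len(keys):
        raise ValueError('one attribute per key is required')
    parts = ['%s=%s' % (attr, escape_rdn_value(val))
             for attr, val in zip(rdn_attrs, keys)]
    return ','.join(list(reversed(parts)) + [base_dn])


def rename_dn(rdn_attrs, keys, new_rdn_value, base_dn):
    """DN after an RDN change: keep the parent keys, replace only the last.

    This is the ``keys[:-1] + (entry_attrs[rdnattr], )`` construction from
    the rename patch; passing only ``new_rdn_value`` would drop the parents.
    """
    return make_dn(rdn_attrs, keys[:-1] + (new_rdn_value, ), base_dn)


def automount_key_rdn_value(key, info):
    """The RDN value patch 029 uses: key and info joined by a single space."""
    return '%s %s' % (key, info)
```

Run against the bootstrap LDIF values from patch 029 (`default`, `auto.master`, `/- auto.direct`) this reproduces the `description=/- auto.direct,automountmapname=auto.master,cn=default,...` DN from the hunk; a key or information value carrying a comma, on the other hand, comes out escaped instead of splitting the DN into an extra RDN.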

Re: [Freeipa-devel] [PATCH] Make pkey always iterable when deleting

2010-12-20 Thread Jakub Hrozek

On 12/20/2010 03:07 PM, Jan Zelený wrote:
 Jakub Hrozek jhro...@redhat.com wrote:
 When deleting multiple objects, the code tries to enforce that the
 primary key is always iterable by doing:

 keys = keys[:-1] + (keys[-1], )

 But this doesn't work: the line only concatenates two tuples, effectively
 returning the original one. See the attached patch for a fix.
 
 nack: you have the condition in chunk #2 wrong - pkeyiter will never be None
 
 Jan
 

Thanks, attached is a new patch.
From f187c602390f369c290bddb99ba74df491335701 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek jhro...@redhat.com
Date: Tue, 14 Dec 2010 18:02:41 +0100
Subject: [PATCH] Make pkey always iterable when deleting

---
 ipalib/plugins/baseldap.py |8 +---
 1 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py
index 69682dc..ea974f9 100644
--- a/ipalib/plugins/baseldap.py
+++ b/ipalib/plugins/baseldap.py
@@ -889,12 +889,14 @@ class LDAPDelete(LDAPMultiQuery):
 return result
 
 if not self.obj.primary_key or not isinstance(keys[-1], (list, tuple)):
-keys = keys[:-1] + (keys[-1], )
+pkeyiter = (keys[-1], )
+else:
+pkeyiter = keys[-1]
 
 deleted = []
 failed = []
 result = True
-for pkey in keys[-1]:
+for pkey in pkeyiter:
 try:
 if not delete_entry(pkey):
 result = False
@@ -905,7 +907,7 @@ class LDAPDelete(LDAPMultiQuery):
 else:
 deleted.append(pkey)
 
-if self.obj.primary_key and keys[-1] is not None:
+if self.obj.primary_key and pkeyiter[0] is not None:
 return dict(result=result, value=u','.join(deleted))
 return dict(result=result, value=u'')
 
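Review bot: `pkeyiter[0] is not None` restores the scalar case but inspects only the first element. When `keys[-1]` is an empty list or tuple (passed through unchanged by the `else:` branch) the index raises IndexError, and a list whose first entry is None but whose later entries are real keys returns the empty value even though entries were deleted. Deciding on `deleted` being non-empty after the loop covers all of these cases and removes the indexing.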
-- 
1.7.3.3




Re: [Freeipa-devel] [PATCH] 029 Enforce uniqueness on (key, info) pairs in automount keys

2010-12-20 Thread Jakub Hrozek

On 12/20/2010 02:49 PM, Jakub Hrozek wrote:
 Attached is a patch that changes the uniqueness constraint of automount
 keys from (key) to (key,info) pairs. The patch is not really standard
 baseldap style. The reason is that during development, I found that
 baseldap is really dependent on having a single primary key and also
 during many operations accessing it as keys[-1].
 
 Please note that the ipa automountkey-* commands used to have three
 args; now it's two args and two required options (that compose the tuple
 that is the primary key). I know next to nothing about UI, but I assume this
 has consequences as the JSON marshalled call needs to be different now.
 Can someone point me to the place in the code that I need to fix now?
 
 Fixes:
 https://fedorahosted.org/freeipa/ticket/293

Sorry, I left some debugging statements in. Attached is a new patch.
From 03b1b94e4cec479a139e1d20640f8900337c0419 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek jhro...@redhat.com
Date: Sun, 19 Dec 2010 21:23:16 +0100
Subject: [PATCH] Enforce uniqueness on (key,info) pairs in automount keys

https://fedorahosted.org/freeipa/ticket/293
---
 install/share/bootstrap-template.ldif  |3 +-
 ipalib/plugins/automount.py|  177 ++--
 tests/test_xmlrpc/test_automount_plugin.py |   82 ++---
 3 files changed, 234 insertions(+), 28 deletions(-)

diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif
index 69dbe3d..cfa8ec2 100644
--- a/install/share/bootstrap-template.ldif
+++ b/install/share/bootstrap-template.ldif
@@ -64,11 +64,12 @@ changetype: add
 objectClass: automountMap
 automountMapName: auto.direct
 
-dn: automountkey=/-,automountmapname=auto.master,cn=default,cn=automount,$SUFFIX
+dn: description=/- auto.direct,automountmapname=auto.master,cn=default,cn=automount,$SUFFIX
 changetype: add
 objectClass: automount
 automountKey: /-
 automountInformation: auto.direct
+description: /- auto.direct
 
 dn: cn=hbacservices,cn=accounts,$SUFFIX
 changetype: add
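Review bot: making `description` the naming attribute turns a free-form attribute into a structural one. Changing an automount key's description is now an RDN change (modrdn) rather than a plain modify, and any code path or user that sets description independently of automountKey/automountInformation will leave the RDN out of sync with the attributes it is supposed to mirror. A dedicated naming attribute, or treating description as read-only in the plugin and deriving it from key and information, would avoid that.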
diff --git a/ipalib/plugins/automount.py b/ipalib/plugins/automount.py
index 39605d4..a568908 100644
--- a/ipalib/plugins/automount.py
+++ b/ipalib/plugins/automount.py
@@ -88,16 +88,19 @@ Keys:
 
   Create a new key for the auto.share map in location baltimore. This ties
   the map we previously created to auto.master:
-  ipa automountkey-add baltimore auto.master /share --info=auto.share
+ipa automountkey-add baltimore auto.master --key=/share --info=auto.share
 
   Create a new key for our auto.share map, an NFS mount for man pages:
-ipa automountkey-add baltimore auto.share man --info=-ro,soft,rsize=8192,wsize=8192 ipa.example.com:/shared/man
+ipa automountkey-add baltimore auto.share --key=man --info=-ro,soft,rsize=8192,wsize=8192 ipa.example.com:/shared/man
 
   Find all keys for the auto.share map:
-ipa automountkey-find baltimore auto.share
+ipa automountkey-find baltimore --info=auto.share
+
+  Find all direct automount keys:
+ipa automountkey-find baltimore --key=/-
 
   Remove the man key from the auto.share map:
-ipa automountkey-del baltimore auto.share man
+ipa automountkey-del baltimore auto.share --key=man
 
 
 
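Review bot: the caption "Find all keys for the auto.share map" is now illustrated by `ipa automountkey-find baltimore --info=auto.share`, which matches keys whose information is auto.share (that is, the auto.master entry pointing at the map), not the keys inside the auto.share map. Either reword the caption to what the search does or keep the map in the example.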
@@ -362,7 +365,11 @@ class automountlocation_import(LDAPQuery):
 
 # Add a new key to the auto.master map for the new map file
 try:
-api.Command['automountkey_add'](args[0], u'auto.master', unicode(am[0]), automountinformation=unicode(' '.join(am[1:])))
+api.Command['automountkey_add'](
+args[0],
+u'auto.master',
+automountkey=unicode(am[0]),
+automountinformation=unicode(' '.join(am[1:])))
 result['keys'].append([am[0], u'auto.master'])
 except errors.DuplicateEntry, e:
 if options.get('continue', False):
@@ -410,7 +417,11 @@ class automountlocation_import(LDAPQuery):
 am = x.split(None)
 key = unicode(am[0].replace('',''))
 try:
-api.Command['automountkey_add'](args[0], unicode(m), key, automountinformation=unicode(' '.join(am[1:])))
+api.Command['automountkey_add'](
+args[0],
+unicode(m),
+automountkey=key,
+automountinformation=unicode(' '.join(am[1:])))
 result['keys'].append([key,m])
 except errors.DuplicateEntry, e:
 if options.get('continue', False):
@@ -566,25 +577,86 @@ 

[Freeipa-devel] [PATCH] 030 Fix delegation.ldif

2010-12-20 Thread Jakub Hrozek

There was a typo in the delegation LDIF file that caused the LDIF to
fail to load during installation.
From dff2a30dc88cce7fe287ceba175a49650e68674b Mon Sep 17 00:00:00 2001
From: Jakub Hrozek jhro...@redhat.com
Date: Mon, 20 Dec 2010 15:44:21 +0100
Subject: [PATCH] Fix delegation.ldif typo

---
 install/share/delegation.ldif |2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/install/share/delegation.ldif b/install/share/delegation.ldif
index 235f59b..abd2aae 100644
--- a/install/share/delegation.ldif
+++ b/install/share/delegation.ldif
@@ -581,7 +581,7 @@ aci: (targetattr = krbprincipalkey || krblastpwdchange)(target = ldap:///fqdn
 dn: $SUFFIX
 changetype: modify
 add: aci
-aci: (targetattr = krblrincipalkey || krblastpwdchange)(target = ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX;)(version 3.0;acl Manage service keytab;allow (write) groupdn = ldap:///cn=manage_service_keytab,cn=permissions,cn=accounts,$SUFFIX;;)
+aci: (targetattr = krbprincipalkey || krblastpwdchange)(target = ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX;)(version 3.0;acl Manage service keytab;allow (write) groupdn = ldap:///cn=manage_service_keytab,cn=permissions,cn=accounts,$SUFFIX;;)
 
 # Add the ACI needed to do host enrollment. When this occurs we
 # set the krbPrincipalName, add krbPrincipalAux to objectClass and
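Review bot: the one-character fix is right, but the commit message should say what the typo meant beyond breaking the load: `krblrincipalkey` is not a schema attribute, so had the LDIF been accepted the "Manage service keytab" ACI would have named a non-existent attribute and the manage_service_keytab permission would not actually have covered krbprincipalkey. A test that checks every `targetattr` in delegation.ldif against the installed schema would catch this class of typo before an installation run does.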
-- 
1.7.3.3




Re: [Freeipa-devel] [PATCH] 030 Fix delegation.ldif

2010-12-20 Thread Rob Crittenden

Jakub Hrozek wrote:


There was a typo in the delegation LDIF file that caused the LDIF to
fail to load during installation.


ack, pushed to master

rob



Re: [Freeipa-devel] [PATCH] 030 Fix delegation.ldif

2010-12-20 Thread Simo Sorce
On Mon, 20 Dec 2010 15:52:36 +0100
Jakub Hrozek jhro...@redhat.com wrote:

 There was a typo in the delegation LDIF file that caused the LDIF to
 fail to load during installation.

Obviously correct,
ACK and pushed to master.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-devel] [PATCH] Make pkey always iterable when deleting

2010-12-20 Thread Rob Crittenden

Jakub Hrozek wrote:


On 12/20/2010 03:07 PM, Jan Zelený wrote:

Jakub Hrozek jhro...@redhat.com wrote:

When deleting multiple objects, the code tries to enforce that the
primary key is always iterable by doing:

keys = keys[:-1] + (keys[-1], )

But this doesn't work: the line only concatenates two tuples, effectively
returning the original one. See the attached patch for a fix.


nack: you have the condition in chunk #2 wrong - pkeyiter will never be None

Jan



Thanks, attached is a new patch.


pushed to master



Re: [Freeipa-devel] [PATCH] Allow renaming of object that have a parent

2010-12-20 Thread Rob Crittenden

Jan Zelený wrote:

Jakub Hrozek jhro...@redhat.com wrote:

When performing an RDN change, we would construct the new DN from the
RDN attribute only. This doesn't work when the object has a parent.

There's currently no testcase; I hit that when working on automount, so
this patch will be testable with the automount patch and is also a
dependency for it. But I think the code is pretty clear.


ack


pushed to master



Re: [Freeipa-devel] [PATCH] Added option --no-reverse to add-host

2010-12-20 Thread Rob Crittenden

Jakub Hrozek wrote:


On 12/14/2010 07:05 PM, Jan Zelený wrote:

When adding a host with a specific IP address, the operation would fail in
case we don't own the reverse DNS. This new option overrides the
check for the reverse DNS zone and falls back to a different IP address
existence check.

https://fedorahosted.org/freeipa/ticket/417

I was considering deleting the reverse zone detection entirely and checking the
IP address directly by querying for A records containing it, but I think this
way it is more efficient.



Ack


pushed to master



Re: [Freeipa-devel] [PATCH] import NSPRError in host.py

2010-12-20 Thread Rob Crittenden

Jan Zelený wrote:

Jakub Hrozek jhro...@redhat.com wrote:

The host plugin references NSPRError in a couple of places but never
imports it.


Obviously ack


pushed to master



Re: [Freeipa-devel] [PATCH] Fixed typos in man page of ipa-getkeytab.

2010-12-20 Thread Rob Crittenden

David O'Brien wrote:

Gowrishankar Rajaiyan wrote:


Hi All,

Fixed typos in the man page of ipa-getkeytab and corrected my name in
Contributors.txt.

Regards
/Shanks



ACK



pushed to master



Re: [Freeipa-devel] [PATCH] 023 Clarify ipa-replica-install error message

2010-12-20 Thread Rob Crittenden

Jan Zelený wrote:

Jakub Hrozek jhro...@redhat.com wrote:

Just a cosmetic fix to the replica installation error message, there's
no ticket for this.


ack

Jan


pushed to master



Re: [Freeipa-devel] [PATCH] 025 Allow RDN changes from CLI

2010-12-20 Thread Rob Crittenden

Jan Zelený wrote:

Jakub Hrozek jhro...@redhat.com wrote:

Adds a new parameter 'rename' to all objects with 'rdnattr' attribute.
This parameter is a clone of the rdnattr attribute, except for name and
docs, so normalizer, default_from and also the type are the same as the
original attribute.

https://fedorahosted.org/freeipa/ticket/397


ack

Jan


pushed to master



Re: [Freeipa-devel] [PATCH] 022 Check the number of fields when importing automount maps

2010-12-20 Thread Rob Crittenden

Jan Zelený wrote:

Jakub Hrozek jhro...@redhat.com wrote:

https://fedorahosted.org/freeipa/ticket/359

Sending this separately from the other automount changes since those are
more intrusive and may be under review for a while.


ack

Jan


pushed to master



Re: [Freeipa-devel] [PATCH] 0032 Cleanup when deleting a replica

2010-12-20 Thread Jakub Hrozek
On Wed, Dec 15, 2010 at 08:01:10PM -0500, Simo Sorce wrote:
 
 Clean up records related to the master being deleted in the shared tree.
 
 This also avoids issues later on if you want to rejoin the server as a
 master. It is also needed in order to give back valid information for
 patch 0035
 
 Simo.
 
 -- 
 Simo Sorce * Red Hat, Inc * New York

  def del_master(replman, hostname, force=False):
 +has_repl_agreement = True
  try:
  t = replman.get_agreement_type(hostname)
  except ldap.NO_SUCH_OBJECT:
  print No replication agreement found for '%s' % hostname
 -return
 +if force:
 +has_repl_agreement = False
 +else:
 +return
  except errors.NotFound:
  print No replication agreement found for '%s' % hostname
 -return
 +if force:
 +has_repl_agreement = False
 +else:
 +return

This is just a nitpick but the above except: blocks are exactly the
same. One could remove the redundancy by just using:
  
  except (errors.NotFound, ldap.NO_SUCH_OBJECT):

 +
 +def replica_cleanup(self, replica, realm, force=False):
 +
 +err = None
 +
 +if replica == self.hostname:
 +raise RuntimeError(Can't cleanup self)
 +
 +if not self.suffix or self.suffix == :
 +self.suffix = util.realm_to_suffix(realm)
 +self.suffix = ipaldap.IPAdmin.normalizeDN(self.suffix)

This looks suspicious. Should one of these be in else: perhaps?


The rest of the code looks OK, but I'm currently not able to test as the
deletion fails with Insufficient access. In my setup, vm-061 is the
master and vm-038 is the replica:

[r...@vm-061 ~]# ipa-replica-manage list vm-061.idm.lab.bos.redhat.com
vm-038.idm.lab.bos.redhat.com
[r...@vm-061 ~]# ipa-replica-manage del vm-038.idm.lab.bos.redhat.com
Unable to remove agreement on vm-038.idm.lab.bos.redhat.com:
Insufficient access: 



Re: [Freeipa-devel] [PATCH] Enable filtering search results by member attributes.

2010-12-20 Thread Adam Young

On 12/20/2010 11:20 AM, Jan Zelený wrote:

Pavel Zuna pz...@redhat.com wrote:
   

On 12/08/2010 08:30 PM, Rob Crittenden wrote:
 

Pavel Zůna wrote:
   

On 2010-11-30 04:06, Rob Crittenden wrote:
 

Pavel Zůna wrote:
   

LDAPSearch base class has now the ability to generate additional
options for objects with member attributes. These options are
used to filter search results - search only for objects without
the specified members.

Any class that extends LDAPSearch can benefit from this functionality.
This patch enables it for the following objects:
group, netgroup, rolegroup, hostgroup, taskgroup

Example:
ipa group-find --no-users=admin

Only direct members are taken into account, but if we need indirect
members as well - it's not a problem.

Ticket #288

Pavel
 

This works as advertised but I wonder what would happen if a huge list
of members was passed in to ignore. Is there a limit on the search
filter size (remember that the member will be translated into a full dn
so will quickly grow in size).

Should we impose a configurable limit on the # of members to be
excluded?

Is there a max search filter size and should we check that we haven't
exceeded that before doing a search?

rob
   

I tried it out with more than 1000 users and was getting an unwilling
to perform error (search filter nested too deep).

After a little bit of investigation, I figured the filter was being
generated like this:

(((!(a=v))(!(a2=v2

We were going deeper with each additional DN!

I updated the patch to generate the filter like this instead:

(!(|(a=v)(a2=v2)))

Tried it again with more than 1000 users (~55Kb) - it worked and wasn't
even slow.

Updated patch attached.

I also had to fix a bug in ldap2 filter generator, as a result this
patch depends on my patch number 43.

Pavel
 

You'll need to rebase this against master but otherwise ACK.

It might be a small optimization to de-dupe the no-users list but it
isn't a priority.

rob
   

Re-based patch attached.

Pavel
 


This hasn't been pushed yet and the patch still applies against master.
Can someone push it so the ticket can be closed?

Jan



ACK, pushed to master
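The filter shapes Pavel describes (one extra nesting level per excluded DN versus a single `(!(|(a=v)(a2=v2)...))`) and Rob's de-duplication suggestion are easy to check outside the directory server. The following stand-alone Python 3 example is added here and is not the plugin's LDAPSearch code or ldap2 filter generator; `member_dn` is a hypothetical name-to-DN mapping with a constructed base DN. It also does something the thread does not mention: every value is escaped per RFC 4515 before it is spliced into the filter, so a user name such as `x)(uid=*` cannot change the filter's structure.

```python
"""Added example (not FreeIPA code): build a flat "exclude these members"
search filter, de-duplicate the list, escape values per RFC 4515 and
measure the nesting depth that the server's limit is about."""

# RFC 4515 section 3: characters that must appear as \XX inside a filter value.
_FILTER_ESCAPES = {
    '\\': '\\5c',
    '*': '\\2a',
    '(': '\\28',
    ')': '\\29',
    '\x00': '\\00',
}


def escape_filter_value(value):
    """Escape one assertion value for use inside an LDAP search filter."""
    return ''.join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def member_dn(name, base_dn='cn=users,cn=accounts,dc=example,dc=com'):
    """Hypothetical: map a user name to its entry DN.

    DN-level escaping of the name is deliberately out of scope here; the
    filter escaping below still keeps the filter well-formed whatever the
    name contains.
    """
    return 'uid=%s,%s' % (name, base_dn)


def exclude_members_filter(attr, values, to_dn=member_dn):
    """Return a filter matching entries whose ``attr`` has none of ``values``.

    Flat form: (!(|(attr=dn1)(attr=dn2)...)), depth 3 however many values.
    Returns None when there is nothing to exclude, so the caller can skip
    AND-ing an empty clause.
    """
    seen = set()
    dns = []
    for v in values:
        dn = to_dn(v)
        if dn not in seen:          # de-dupe, as suggested in the review
            seen.add(dn)
            dns.append(dn)
    if not dns:
        return None
    clauses = ''.join('(%s=%s)' % (attr, escape_filter_value(dn))
                      for dn in dns)
    if len(dns) == 1:
        return '(!%s)' % clauses
    return '(!(|%s))' % clauses


def nested_exclude_filter(attr, values, to_dn=member_dn):
    """A nesting-per-value construction, built here to illustrate the growth
    the thread describes: each value wraps the previous filter in another
    (&(...)(!(...))) level, so the depth is one more than the value count."""
    filt = None
    for v in values:
        clause = '(!(%s=%s))' % (attr, escape_filter_value(to_dn(v)))
        filt = clause if filt is None else '(&%s%s)' % (filt, clause)
    return filt


def nesting_depth(filt):
    """Maximum parenthesis nesting depth of a filter string (what a
    'search filter nested too deep' limit measures).  Escaped parentheses
    are \\28 / \\29 and therefore do not count."""
    depth = best = 0
    for ch in filt:
        if ch == '(':
            depth += 1
            best = max(best, depth)
        elif ch == ')':
            depth -= 1
    return best
```

With a thousand names the flat filter stays at depth 3 while the nested construction reaches depth 1001, which is the difference between the "unwilling to perform" error and a working search; the escaping is what keeps the `--no-users` value a data value rather than filter syntax.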


Re: [Freeipa-devel] [PATCH] Added option --no-reverse to add-host

2010-12-20 Thread Adam Young

On 12/20/2010 10:45 AM, Rob Crittenden wrote:

Jakub Hrozek wrote:


On 12/14/2010 07:05 PM, Jan Zelený wrote:
When adding a host with a specific IP address, the operation would fail in
case we don't own the reverse DNS. This new option overrides the
check for the reverse DNS zone and falls back to a different IP address
existence check.

https://fedorahosted.org/freeipa/ticket/417

I was considering deleting the reverse zone detection entirely and checking the
IP address directly by querying for A records containing it, but I think this
way it is more efficient.



Ack


pushed to master



I think that this is going to make the CLI capable of doing something 
that the CLI can't.  Do we need a UI field to add in this flag?




Re: [Freeipa-devel] [PATCH] Bugfixes for bind-dyndb-ldap

2010-12-20 Thread Simo Sorce
On Wed, 15 Dec 2010 12:29:01 -0500
Simo Sorce sso...@redhat.com wrote:

 On Wed, 15 Dec 2010 18:21:20 +0100
 Adam Tkac at...@redhat.com wrote:
 
  Hello,
  
  those four patches for bind-dyndb-ldap fix following issues:
  
  0001-Bugfix-Improve-LDAP-schema-to-be-loadable-by-OpenLDA.patch:
  - Current schema is not loadable by OpenLDAP
  - https://bugzilla.redhat.com/show_bug.cgi?id=622604
  
  0002-Change-bug-reporting-address-to-freeipa-devel-redhat.patch
  - fix bug reporting address
  
  0003-Fail-and-emit-error-when-BIND9-or-OpenLDAP-devel-fil.patch
  - ./configure should fail if bind-devel or openldap-devel is not installed
  
  0004-Bugfix-Fix-loading-of-child-zones-from-LDAP.patch
  - child zones aren't currently loaded well
  - https://bugzilla.redhat.com/show_bug.cgi?id=622617
  
  If no one has objections I will push the patches before the end of the week.
 
 ACK to all four.

These have been pushed.

Simo.


-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-devel] [PATCH] 0032 Cleanup when deleting a replica

2010-12-20 Thread Simo Sorce
On Mon, 20 Dec 2010 18:02:02 +0100
Jakub Hrozek jhro...@redhat.com wrote:

 On Wed, Dec 15, 2010 at 08:01:10PM -0500, Simo Sorce wrote:
  
  Clean up records related to the master being deleted in the shared
  tree.
  
  This also avoids issues later on if you want to rejoin the server as
  a master. It is also needed in order to give back valid information
  for patch 0035
  
  Simo.
  
  -- 
  Simo Sorce * Red Hat, Inc * New York
 
   def del_master(replman, hostname, force=False):
  +has_repl_agreement = True
   try:
   t = replman.get_agreement_type(hostname)
   except ldap.NO_SUCH_OBJECT:
   print No replication agreement found for '%s' % hostname
  -return
  +if force:
  +has_repl_agreement = False
  +else:
  +return
   except errors.NotFound:
   print No replication agreement found for '%s' % hostname
  -return
  +if force:
  +has_repl_agreement = False
  +else:
  +return
 
 This is just a nitpick but the above except: blocks are exactly the
 same. One could remove the redundancy by just using:
   
   except (errors.NotFound, ldap.NO_SUCH_OBJECT):
 
  +
  +def replica_cleanup(self, replica, realm, force=False):
  +
  +err = None
  +
  +if replica == self.hostname:
  +raise RuntimeError(Can't cleanup self)
  +
  +if not self.suffix or self.suffix == :
  +self.suffix = util.realm_to_suffix(realm)
  +self.suffix = ipaldap.IPAdmin.normalizeDN(self.suffix)
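Review bot: the `self.suffix == ''` half of the condition at the top of replica_cleanup is redundant, since an empty string is already caught by `not self.suffix`; dropping it leaves the check clearer. Reusing self.suffix as the temporary for the un-normalized DN on the next two lines works, but a local (`suffix = util.realm_to_suffix(realm)` followed by `self.suffix = ipaldap.IPAdmin.normalizeDN(suffix)`) would avoid the double assignment that prompted the question below.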
 
 This looks suspicious. Should one of these be in else: perhaps?

No, I just reused the same var to keep a temporary value, instead of
having a long line. Not pretty but it is correct.
I can use a temp var if you think it makes for more readable code
though.

 The rest of the code looks OK, but I'm currently not able to test as
 the deletion fails with Insufficient access. In my setup, vm-061 is
 the master and vm-038 is the replica:
 
 [r...@vm-061 ~]# ipa-replica-manage list vm-061.idm.lab.bos.redhat.com
 vm-038.idm.lab.bos.redhat.com
 [r...@vm-061 ~]# ipa-replica-manage del vm-038.idm.lab.bos.redhat.com
 Unable to remove agreement on vm-038.idm.lab.bos.redhat.com:
 Insufficient access: 

Do you have a ticket as admin when you try this ?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-devel] [PATCH] 0033 Add disconnect command to change topology

2010-12-20 Thread Simo Sorce
On Mon, 20 Dec 2010 18:22:48 +0100
Jakub Hrozek jhro...@redhat.com wrote:

 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1
 
 On 12/16/2010 02:02 AM, Simo Sorce wrote:
  
  This command will delete a replication agreement unless it is the
  last one on either server. It is used to change replication
  topology without actually removing any single master for the domain
  (the del command must be used if that is the intent).
  
  Simo.
  
 
 Please document the new action in the manpage. As the actions are not
 printed when one specifies --help, there's no way to discover it short
 of reading the code.

I have a separate ticket to add all the changes to the man page.
It requires some deep review and I preferred to split it from the rest
of the changes.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



[Freeipa-devel] [PATCH] Remove referrals to removed replicas/links

2010-12-20 Thread Simo Sorce
When a replication agreement is removed also make sure to remove
referrals to the replicas to avoid dangling referrals.

This patch also fixes acis related to replica as the fix is also
required to be able to change the referrals attributes.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
From 7a7436a36b618f4364f7220f3d532fa901ce660a Mon Sep 17 00:00:00 2001
From: Simo Sorce sso...@redhat.com
Date: Mon, 20 Dec 2010 10:05:17 -0500
Subject: [PATCH] Remove referrals when removing agreements

Part of this fix requires also giving proper permission to change the
replication agreements root.
While there also fix replica-related permissions to have the classic
add/modify/remove triplet of permissions.

Fixes: https://fedorahosted.org/freeipa/ticket/630
---
 install/share/delegation.ldif|   20 ++--
 install/share/replica-acis.ldif  |9 +++--
 install/tools/ipa-replica-manage |2 ++
 ipaserver/install/replication.py |   13 +
 4 files changed, 36 insertions(+), 8 deletions(-)

diff --git a/install/share/delegation.ldif b/install/share/delegation.ldif
index 7a634821cd43558f3846649862a5a5c1b81d9f5b..79533fda7c245cbbcec0eb2fb08fb6b4b853ea34 100644
--- a/install/share/delegation.ldif
+++ b/install/share/delegation.ldif
@@ -441,20 +441,28 @@ member: cn=enrollhost,cn=privileges,cn=accounts,$SUFFIX
 
 # Replica administration
 
-dn: cn=managereplica,cn=permissions,cn=accounts,$SUFFIX
+dn: cn=addreplica,cn=permissions,cn=accounts,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
-cn: managereplica
-description: Manage Replication Agreements
+cn: addreplica
+description: Add Replication Agreements
 member: cn=replicaadmin,cn=privileges,cn=accounts,$SUFFIX
 
-dn: cn=deletereplica,cn=permissions,cn=accounts,$SUFFIX
+dn: cn=modifyreplica,cn=permissions,cn=accounts,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
-cn: deletereplica
-description: Delete Replication Agreements
+cn: modifyreplica
+description: Modify Replication Agreements
+member: cn=replicaadmin,cn=privileges,cn=accounts,$SUFFIX
+
+dn: cn=removereplica,cn=permissions,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: removereplica
+description: Remove Replication Agreements
 member: cn=replicaadmin,cn=privileges,cn=accounts,$SUFFIX
 
 # Entitlement management
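Review bot: this hunk only changes the fresh-install LDIF (every entry is changetype: add), so an existing deployment keeps cn=managereplica and cn=deletereplica under cn=permissions while the new ACIs in replica-acis.ldif point at cn=addreplica, cn=modifyreplica and cn=removereplica; without an update step that renames or recreates those permission groups, replicaadmin members on upgraded servers lose the rights the new ACIs grant. An update LDIF, or at least a note in the commit message that the permission groups must be migrated, would close that gap.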
diff --git a/install/share/replica-acis.ldif b/install/share/replica-acis.ldif
index 931163cfe8b5cf9ba5250bdfaa33097b1fc79590..feda1d9b74962447f2d909923097d6d69dcae88f 100644
--- a/install/share/replica-acis.ldif
+++ b/install/share/replica-acis.ldif
@@ -3,10 +3,15 @@
 dn: cn=$SUFFIX,cn=mapping tree,cn=config
 changetype: modify
 add: aci
-aci: (targetattr=*)(targetfilter=(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)))(version 3.0; acl Manage Replication Agreements; allow (read, write, search) groupdn = ldap:///cn=managereplica,cn=permissions,cn=accounts,$SUFFIX;;)
+aci: (targetattr=*)(targetfilter=(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)))(version 3.0;acl Add Replication Agreements;allow (add) groupdn = ldap:///cn=addreplica,cn=permissions,cn=accounts,$SUFFIX;;)
 
 dn: cn=$SUFFIX,cn=mapping tree,cn=config
 changetype: modify
 add: aci
-aci: (targetattr=*)(targetfilter=(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)))(version 3.0;acl Delete Replication Agreements;allow (delete) groupdn = ldap:///cn=deletereplica,cn=permissions,cn=accounts,$SUFFIX;;)
+aci: (targetattr=*)(targetfilter=(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree)))(version 3.0; acl Modify Replication Agreements; allow (read, write, search) groupdn = ldap:///cn=modifyreplica,cn=permissions,cn=accounts,$SUFFIX;;)
+
+dn: cn=$SUFFIX,cn=mapping tree,cn=config
+changetype: modify
+add: aci
+aci: (targetattr=*)(targetfilter=(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)))(version 3.0;acl Remove Replication Agreements;allow (delete) groupdn = ldap:///cn=removereplica,cn=permissions,cn=accounts,$SUFFIX;;)
 
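Review bot: the Modify Replication Agreements ACI grants (read, write, search) with targetattr=* on nsds5Replica, agreement and nsMappingTree entries, which is wider than the referral change needs; scoping targetattr to the attributes actually written (the referral attribute on the mapping tree entry plus the agreement attributes) would keep modifyreplica closer to least privilege. The same upgrade caveat as in delegation.ldif applies here: these are `add: aci` operations, so the old Manage Replication Agreements ACI granting managereplica remains on existing installs unless a matching delete is shipped.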
diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage
index cbb2cad1db4692e3f861bc0762798a8d3e372d5e..17089e614454f712a17a6275209ce37df53ee1a0 100755
--- a/install/tools/ipa-replica-manage
+++ b/install/tools/ipa-replica-manage
@@ -219,6 +219,7 @@ def del_link(replica1, replica2, dirman_passwd, force=False):
 failed = False
 try:
 repl2.delete_agreement(replica1)
+repl2.delete_referral(replica1)
 except ldap.LDAPError, e:
 desc = e.args[0]['desc'].strip()
 info = e.args[0].get('info', '').strip()
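Review bot: repl2.delete_referral(replica1) sits in the same try block as repl2.delete_agreement(replica1), so a failure to remove the referral after the agreement has already been deleted is reported through the same `except ldap.LDAPError, e:` path as a failed agreement removal, and a retry then finds no agreement to delete; handling the referral in its own try (tolerating a not-found result when there is no referral to remove) keeps the two failure modes distinct and the force path at the end of the function meaningful.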
@@ -238,6 +239,7 @@ def del_link(replica1, replica2, dirman_passwd, force=False):
 print Forcing removal on '%s' % replica1
 
 

Re: [Freeipa-devel] [PATCH] 655 translation delegation group dns to names

2010-12-20 Thread Adam Young

On 12/20/2010 02:06 PM, Rob Crittenden wrote:

Translate the membergroup dn into a group name.

Drop filter from the output, it is superfluous.

ticket 634



ACK.  Pushed to master

[Freeipa-devel] [PATCH] 656 move permissions and privileges

2010-12-20 Thread Rob Crittenden
Move permissions and privileges to their own container. They don't 
really belong in cn=accounts any more. This leaves just roles there.


ticket 638

rob
From fd0716e92fa90f726f226e1c705d4f22b3742923 Mon Sep 17 00:00:00 2001
From: Rob Crittenden rcrit...@redhat.com
Date: Mon, 20 Dec 2010 15:54:00 -0500
Subject: [PATCH] Move permissions and privileges to their own container, cn=pbac,$SUFFIX

ticket 638
---
 install/share/delegation.ldif  |  317 
 install/share/dns.ldif |   28 ++--
 install/static/test/data/ipa_init.json |   10 +-
 ipalib/constants.py|4 +-
 ipaserver/install/bindinstance.py  |2 +-
 5 files changed, 184 insertions(+), 177 deletions(-)

diff --git a/install/share/delegation.ldif b/install/share/delegation.ldif
index abd2aae..94b0fd3 100644
--- a/install/share/delegation.ldif
+++ b/install/share/delegation.ldif
@@ -7,13 +7,20 @@ objectClass: top
 objectClass: nsContainer
 cn: roles
 
-dn: cn=privileges,cn=accounts,$SUFFIX
+# Permissions-based Access Control
+dn: cn=pbac,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: nsContainer
+cn: pbac
+
+dn: cn=privileges,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: nsContainer
 cn: privileges
 
-dn: cn=permissions,cn=accounts,$SUFFIX
+dn: cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: nsContainer
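Review bot: introducing cn=pbac,$SUFFIX via changetype: add covers fresh installs only; existing servers still have cn=privileges,cn=accounts and cn=permissions,cn=accounts, and every ACI whose groupdn points at cn=...,cn=permissions,cn=accounts,$SUFFIX needs both the entries moved (modrdn) and the ACI rewritten, otherwise the container lookup changed in ipalib/constants.py in this patch finds nothing on an upgraded server. A companion update file for the move is worth adding alongside this hunk.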
@@ -33,7 +40,7 @@ description: Helpdesk
 
 # Add the default privileges
 
-dn: cn=useradmin,cn=privileges,cn=accounts,$SUFFIX
+dn: cn=useradmin,cn=privileges,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
@@ -41,7 +48,7 @@ objectClass: nestedgroup
 cn: useradmin
 description: User Administrators
 
-dn: cn=groupadmin,cn=privileges,cn=accounts,$SUFFIX
+dn: cn=groupadmin,cn=privileges,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
@@ -49,7 +56,7 @@ objectClass: nestedgroup
 cn: groupadmin
 description: Group Administrators
 
-dn: cn=hostadmin,cn=privileges,cn=accounts,$SUFFIX
+dn: cn=hostadmin,cn=privileges,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
@@ -57,7 +64,7 @@ objectClass: nestedgroup
 cn: hostadmin
 description: Host Administrators
 
-dn: cn=hostgroupadmin,cn=privileges,cn=accounts,$SUFFIX
+dn: cn=hostgroupadmin,cn=privileges,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
@@ -65,7 +72,7 @@ objectClass: nestedgroup
 cn: hostgroupadmin
 description: Host Group Administrators
 
-dn: cn=delegationadmin,cn=privileges,cn=accounts,$SUFFIX
+dn: cn=delegationadmin,cn=privileges,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
@@ -73,7 +80,7 @@ objectClass: nestedgroup
 cn: delegationadmin
 description: Role administration
 
-dn: cn=serviceadmin,cn=privileges,cn=accounts,$SUFFIX
+dn: cn=serviceadmin,cn=privileges,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
@@ -81,7 +88,7 @@ objectClass: nestedgroup
 cn: serviceadmin
 description: Service Administrators
 
-dn: cn=automountadmin,cn=privileges,cn=accounts,$SUFFIX
+dn: cn=automountadmin,cn=privileges,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
@@ -89,7 +96,7 @@ objectClass: nestedgroup
 cn: automountadmin
 description: Automount Administrators
 
-dn: cn=netgroupadmin,cn=privileges,cn=accounts,$SUFFIX
+dn: cn=netgroupadmin,cn=privileges,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
@@ -97,7 +104,7 @@ objectClass: nestedgroup
 cn: netgroupadmin
 description: Netgroups Administrators
 
-dn: cn=certadmin,cn=privileges,cn=accounts,$SUFFIX
+dn: cn=certadmin,cn=privileges,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
@@ -105,7 +112,7 @@ objectClass: nestedgroup
 cn: certadmin
 description: Certificate Administrators
 
-dn: cn=replicaadmin,cn=privileges,cn=accounts,$SUFFIX
+dn: cn=replicaadmin,cn=privileges,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
@@ -114,7 +121,7 @@ cn: replicaadmin
 description: Replication Administrators
 member: cn=admins,cn=groups,cn=accounts,$SUFFIX
 
-dn: cn=enrollhost,cn=privileges,cn=accounts,$SUFFIX
+dn: cn=enrollhost,cn=privileges,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
@@ -122,7 +129,7 @@ objectClass: nestedgroup
 cn: enrollhost
 description: Host Enrollment
 
-dn: cn=entitlementadmin,cn=privileges,cn=accounts,$SUFFIX
+dn: cn=entitlementadmin,cn=privileges,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
@@ -136,352 +143,352 @@ description: Entitlement Administrators
 
 # User administration
 
-dn: cn=addusers,cn=permissions,cn=accounts,$SUFFIX
+dn: cn=addusers,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
 cn: addusers
 description: 

Re: [Freeipa-devel] [PATCH] Added option --no-reverse to add-host

2010-12-20 Thread Rob Crittenden

Adam Young wrote:

On 12/20/2010 10:45 AM, Rob Crittenden wrote:

Jakub Hrozek wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 12/14/2010 07:05 PM, Jan Zelený wrote:

When adding a host with a specific IP address, the operation would fail in
case we don't own the reverse DNS. This new option overrides the
check for the reverse DNS zone and falls back to a different IP address
existence check.

https://fedorahosted.org/freeipa/ticket/417

I was considering deleting the reverse zone detection entirely and checking the
IP address directly by querying for A records containing it, but I think this
way it is more efficient.



Ack


pushed to master



I think that this is going to make the CLI capable of doing something
that the CLI can't. Do we need a UI field to add in this flag?


Yes, I think we'd need a check-box or equivalent for it.

rob



Re: [Freeipa-devel] [PATCH] 0032 Cleanup when deleting a replica

2010-12-20 Thread Jakub Hrozek

On 12/20/2010 09:02 PM, Simo Sorce wrote:

On Mon, 20 Dec 2010 18:02:02 +0100
Jakub Hrozek jhro...@redhat.com wrote:


On Wed, Dec 15, 2010 at 08:01:10PM -0500, Simo Sorce wrote:


Clean up records related to the master being deleted in the shared
tree.

This also avoids issues later on if you want to rejoin the server as
a master. It is also needed in order to give back valid information
for patch 0035

Simo.

--
Simo Sorce * Red Hat, Inc * New York



  def del_master(replman, hostname, force=False):
+has_repl_agreement = True
  try:
  t = replman.get_agreement_type(hostname)
  except ldap.NO_SUCH_OBJECT:
  print No replication agreement found for '%s' % hostname
-return
+if force:
+has_repl_agreement = False
+else:
+return
  except errors.NotFound:
  print No replication agreement found for '%s' % hostname
-return
+if force:
+has_repl_agreement = False
+else:
+return


This is just a nitpick but the above except: blocks are exactly the
same. One could remove the redundancy by just using:

   except (errors.NotFound, ldap.NO_SUCH_OBJECT):


+
+def replica_cleanup(self, replica, realm, force=False):
+
+err = None
+
+if replica == self.hostname:
+raise RuntimeError(Can't cleanup self)
+
+if not self.suffix or self.suffix == :
+self.suffix = util.realm_to_suffix(realm)
+self.suffix = ipaldap.IPAdmin.normalizeDN(self.suffix)


This looks suspicious. Should one of these be in else: perhaps?


No, I just reused the same var to keep a temporary value, instead of
having a long line. not pretty but it is correct.
I can use a temp var if you think it makes for more readable code
though.



Oh, that's OK, I was just too lazy to read the methods before. It makes 
sense now, thanks.



The rest of the code looks OK, but I'm currently not able to test as
the deletion fails with Insufficient access. In my setup, vm-061 is
the master and vm-038 is the replica:

[r...@vm-061 ~]# ipa-replica-manage list vm-061.idm.lab.bos.redhat.com
vm-038.idm.lab.bos.redhat.com
[r...@vm-061 ~]# ipa-replica-manage del vm-038.idm.lab.bos.redhat.com
Unable to remove agreement on vm-038.idm.lab.bos.redhat.com:
Insufficient access:


Do you have a ticket as admin when you try this ?

Simo.



I do. The traceback looks like this (I inserted an extra
traceback.print_exc() call to get it):



Traceback (most recent call last):
  File /usr/sbin/ipa-replica-manage, line 269, in del_master
    other_replman.delete_agreement(replman.conn.host)
  File /usr/lib/python2.7/site-packages/ipaserver/install/replication.py, line 408, in delete_agreement
    return self.conn.deleteEntry(dn)
  File /usr/lib/python2.7/site-packages/ipaserver/ipaldap.py, line 563, in deleteEntry
    self.__handle_errors(e, **kw)
  File /usr/lib/python2.7/site-packages/ipaserver/ipaldap.py, line 316, in __handle_errors
    raise errors.ACIError(info=info)
ACIError: Insufficient access:


So this seems to be an ACI problem. I have your 4 patches applied on top 
of the current origin/master and was calling ipa-replica-manage del 
slave-fqdn.




[Freeipa-devel] [PATCH]admiyo-0119-cusor-pointer-for-undo-link

2010-12-20 Thread Adam Young


From 14cefe3790baa167dba2b4fa6342bcb680abdea0 Mon Sep 17 00:00:00 2001
From: Adam Young ayo...@redhat.com
Date: Mon, 20 Dec 2010 16:56:14 -0500
Subject: [PATCH] cusor pointer for undo link

---
 install/static/details.js |2 +-
 install/static/ipa.css|4 
 2 files changed, 5 insertions(+), 1 deletions(-)

diff --git a/install/static/details.js b/install/static/details.js
index 013f4c9eeb0732c724d7ba0481db048fd9d14002..3f5f95e31ee9c435d0fc4d39d7f8d2ee3dbac114 100644
--- a/install/static/details.js
+++ b/install/static/details.js
@@ -835,7 +835,7 @@ function _ipa_create_text_input(value, param_info, rights, index)
 
 span.append($(a/,{
 html:undo,
-class:ui-state-highlight ui-corner-all,
+class:ui-state-highlight ui-corner-all undo,
 style:display:none,
 click: function(){
 var previous_value = that.values || '';
diff --git a/install/static/ipa.css b/install/static/ipa.css
index 82019ff5421f83bd3dd35aded6d1128fa629b599..f5c4ee742e18bdb3672f30e66c005b757f33f5f1 100644
--- a/install/static/ipa.css
+++ b/install/static/ipa.css
@@ -170,6 +170,10 @@ hr {
 padding-right: 18px;
 }
 
+.undo {
+cursor:pointer;
+}
+
 dl.entryattrs {
 clear: both;
 margin-left: 15px;
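Review bot: the new .undo rule writes `cursor:pointer;` without the space after the colon that the surrounding rules use (`padding-right: 18px;`, `clear: both;`, `margin-left: 15px;`); matching the file's existing `property: value` style keeps the stylesheet consistent.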
-- 
1.7.2.3


Re: [Freeipa-devel] [PATCH]admiyo-0119-cusor-pointer-for-undo-link

2010-12-20 Thread Adam Young

On 12/20/2010 04:57 PM, Adam Young wrote:





Graphical diff is here:

https://fedorahosted.org/freeipa/attachment/ticket/489/freeipa-admiyo-0119-cusor-pointer-for-undo-link.patch

Re: [Freeipa-devel] [PATCH] 024 Change FreeIPA license to GPLv3+

2010-12-20 Thread Rob Crittenden

Jakub Hrozek wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hi,
attached is a patch that replaces all GPLv2 license blobs with GPLv3+
blobs. The new blobs also tell users to see a website for the complete
license text (the old ones advised to write to a snail mail address..).

The SLAPI plugins use a different wording as they need the GPL exception.

When this patch is pushed, I think we should send a note at least to
freeipa-devel but probably even -users and -interest. Also, I'll keep an
eye on all patches that people are sending..those that add some new
files will need to include the new blobs.

The patch is compressed, as the original had 480 kB..



double-ack from me and Simo.

pushed to master



Re: [Freeipa-devel] [PATCH]admiyo-0119-cusor-pointer-for-undo-link

2010-12-20 Thread Simo Sorce
On Mon, 20 Dec 2010 16:58:49 -0500
Adam Young ayo...@redhat.com wrote:

 On 12/20/2010 04:57 PM, Adam Young wrote:
 
 
 
 Graphical diff is here:
 
 https://fedorahosted.org/freeipa/attachment/ticket/489/freeipa-admiyo-0119-cusor-pointer-for-undo-link.patch

ACK
Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



[Freeipa-devel] [PATCH] 0037 Fix race condition in install

2010-12-20 Thread Simo Sorce

This seems to fix a long-standing bug that was mitigated by a
workaround, but was still present after all.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
From 04777b8938d929e0464d3953cbfce76f243e04c8 Mon Sep 17 00:00:00 2001
From: Simo Sorce sso...@redhat.com
Date: Mon, 20 Dec 2010 21:19:36 -0500
Subject: [PATCH] Fix race condition in installation due to use of asynchronous search.

Fixes: https://fedorahosted.org/freeipa/ticket/640
---
 ipaserver/install/krbinstance.py |   31 ---
 1 files changed, 12 insertions(+), 19 deletions(-)

diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index c1e5a3f0a10596d8a28774dd791a3bf4f44aaa8c..63903ef48e273b880670c2bbb9fa510705a0e7a1 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -268,28 +268,21 @@ class KrbInstance(service.Service):
 
 def __configure_sasl_mappings(self):
 # we need to remove any existing SASL mappings in the directory as otherwise they
-# they may conflict. There is no way to define the order they are used in atm.
+# they may conflict.
 
-# FIXME: for some reason IPAdmin dies here, so we switch
-# it out for a regular ldapobject.
-conn = self.conn
-self.conn = ldapobject.SimpleLDAPObject(ldap://127.0.0.1/;)
-self.conn.bind(cn=directory manager, self.admin_password)
 try:
-msgid = self.conn.search(cn=mapping,cn=sasl,cn=config, ldap.SCOPE_ONELEVEL, (objectclass=nsSaslMapping))
-res = self.conn.result(msgid)
-for r in res[1]:
-self.conn.delete_s(r[0])
-#except LDAPError, e:
-#logging.critical(Error during SASL mapping removal: %s % str(e))
-except Exception, e:
-logging.critical(Could not connect to the Directory Server on %s % self.fqdn)
+res = self.conn.search_s(cn=mapping,cn=sasl,cn=config,
+ ldap.SCOPE_ONELEVEL,
+ (objectclass=nsSaslMapping))
+for r in res:
+try:
+self.conn.delete_s(r.dn)
+except LDAPError, e:
+logging.critical(Error during SASL mapping removal: %s % str(e))
+raise e
+except LDAPError, e:
+logging.critical(Error while enumerating SASL mappings %s % str(e))
 raise e
-print type(e)
-print dir(e)
-raise e
-
-self.conn = conn
 
 entry = ipaldap.Entry(cn=Full Principal,cn=mapping,cn=sasl,cn=config)
 entry.setValues(objectclass, top, nsSaslMapping)
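Review bot: the inner `except LDAPError, e:` logs the failed delete and then does `raise e`, which the enclosing `except LDAPError, e:` immediately catches and logs again as Error while enumerating SASL mappings, so one failed delete produces two log lines and the second one is misleading; narrowing the outer try to the search_s call (with the delete loop after it) logs each failure once, and a bare `raise` instead of `raise e` keeps the original traceback. The loop also changes from `r[0]` on a raw SimpleLDAPObject result to `r.dn`, which is only correct if self.conn.search_s returns ipaldap Entry objects rather than python-ldap (dn, attrs) tuples; a comment there would help, given the removed FIXME said IPAdmin used to fail at this point.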
-- 
1.7.3.3


Re: [Freeipa-devel] [PATCH]admiyo-0119-cusor-pointer-for-undo-link

2010-12-20 Thread Adam Young

On 12/20/2010 08:47 PM, Simo Sorce wrote:

On Mon, 20 Dec 2010 16:58:49 -0500
Adam Young ayo...@redhat.com wrote:

   

On 12/20/2010 04:57 PM, Adam Young wrote:
 


   

Graphical diff is here:

https://fedorahosted.org/freeipa/attachment/ticket/489/freeipa-admiyo-0119-cusor-pointer-for-undo-link.patch
 

ACK
Simo.

   

pushed to master



Re: [Freeipa-devel] [PATCH] admiyo-0118-aci-ui

2010-12-20 Thread Rob Crittenden

Adam Young wrote:






ack.

Adam, I'm going to let you push this. There were a couple of trivial 
merge errors but I figure you're best to work them out.


I will have a follow-on patch shortly to fix a few problems on my end I 
discovered while poking around with this.


rob



Re: [Freeipa-devel] [PATCH] 0037 Fix race condition in install

2010-12-20 Thread Adam Young

On 12/20/2010 09:23 PM, Simo Sorce wrote:

This seems to fix a long-standing bug that was mitigated by a
workaround, but was still present after all.

Simo.

   




Applied and ran the install successfully.
ACK

[Freeipa-devel] [PATCH] 657 fix a few ACI problems found

2010-12-20 Thread Rob Crittenden

This depends on Adam's patch 0118.

In meta data make ACI attributes lower-case, sorted. Add possible 
attributes.


The metadata contains a list of possible attributes that an ACI for that 
object might need. Add a new variable to hold possible objectclasses for 
optional elements (like posixGroup for groups).


To make the list easier to handle sort it and make it all lower-case.

Fix a couple of missed camel-case attributes in the default ACI list.

ticket 641

rob
From 5e38eed733b1e45c9d1819a9c746c1008df98686 Mon Sep 17 00:00:00 2001
From: Rob Crittenden rcrit...@redhat.com
Date: Mon, 20 Dec 2010 23:28:33 -0500
Subject: [PATCH] In meta data make ACI attributes lower-case, sorted. Add possible attributes.

The metadata contains a list of possible attributes that an ACI for that
object might need. Add a new variable to hold possible objectclasses for
optional elements (like posixGroup for groups).

To make the list easier to handle sort it and make it all lower-case.

Fix a couple of missed camel-case attributes in the default ACI list.

ticket 641
---
 install/share/delegation.ldif |4 ++--
 ipalib/plugins/baseldap.py|9 +++--
 ipalib/plugins/group.py   |1 +
 ipalib/plugins/user.py|1 +
 4 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/install/share/delegation.ldif b/install/share/delegation.ldif
index abd2aae..69050df 100644
--- a/install/share/delegation.ldif
+++ b/install/share/delegation.ldif
@@ -496,7 +496,7 @@ aci: (target = ldap:///uid=*,cn=users,cn=accounts,$SUFFIX;)(version 3.0;acl Ad
 aci: (target = ldap:///uid=*,cn=users,cn=accounts,$SUFFIX;)(targetattr = userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory)(version 3.0;acl Change a user password;allow (write) groupdn = ldap:///cn=change_password,cn=permissions,cn=accounts,$SUFFIX;;)
 aci: (targetattr = member)(target = ldap:///cn=ipausers,cn=groups,cn=accounts,$SUFFIX;)(version 3.0;acl Add user to default group;allow (write) groupdn = ldap:///cn=add_user_to_default_group,cn=permissions,cn=accounts,$SUFFIX;;)
 aci: (target = ldap:///uid=*,cn=users,cn=accounts,$SUFFIX;)(version 3.0;acl Remove Users;allow (delete) groupdn = ldap:///cn=removeusers,cn=permissions,cn=accounts,$SUFFIX;;)
-aci: (targetattr = givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedEntry || objectclass)(target = ldap:///uid=*,cn=users,cn=accounts,$SUFFIX;)(version 3.0;acl Modify Users;allow (write) groupdn = ldap:///cn=modifyusers,cn=permissions,cn=accounts,$SUFFIX;;)
+aci: (targetattr = givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass)(target = ldap:///uid=*,cn=users,cn=accounts,$SUFFIX;)(version 3.0;acl Modify Users;allow (write) groupdn = ldap:///cn=modifyusers,cn=permissions,cn=accounts,$SUFFIX;;)
 
 # Group administration
 
@@ -508,7 +508,7 @@ aci: (targetattr = member)(target = ldap:///cn=*,cn=groups,cn=accounts,$SUFFI
 aci: (target = ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX;)(version 3.0;acl Remove Groups;allow (delete) groupdn = ldap:///cn=removegroups,cn=permissions,cn=accounts,$SUFFIX;;)
 # We need objectclass and gidnumber in modify so a non-posix group can be
 # promoted. We need mqpManagedBy and ipaUniqueId so a group can be detached.
-aci: (targetattr = cn || description || gidnumber || objectclass || mepmanagedby || ipaUniqueId)(target = ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX;)(version 3.0;acl Modify Groups;allow (write) groupdn = ldap:///cn=modifygroups,cn=permissions,cn=accounts,$SUFFIX;;)
+aci: (targetattr = cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid)(target = ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX;)(version 3.0;acl Modify Groups;allow (write) groupdn = ldap:///cn=modifygroups,cn=permissions,cn=accounts,$SUFFIX;;)
 
 # Host administration
 
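Review bot: the context comment above the changed Modify Groups ACI still reads mqpManagedBy while the attribute in the targetattr list is mepmanagedby; since this hunk already touches that ACI, fixing the typo in the comment here would be cheap.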
diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py
index f8e5445..1a8f10a 100644
--- a/ipalib/plugins/baseldap.py
+++ b/ipalib/plugins/baseldap.py
@@ -233,6 +233,9 @@ class LDAPObject(Object):
 object_name_plural = 'entries'
 object_class = []
 object_class_config = None
+# If an objectclass is possible but not default in an entry. Needed for
+# collecting attributes for ACI UI.
+possible_objectclasses = []
 search_attributes = []
 search_attributes_config = None
 default_attributes = []
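Review bot: the comment on possible_objectclasses = [] only says it is "needed for collecting attributes for ACI UI", which does not tell a plugin author what belongs in it. Spell out that it lists objectclasses an entry may carry but that object_class does not add by default (a non-posix group later promoted to a posix one is the case the Modify Groups aci above exists for), and that any class left out will have its attributes missing from the UI's targetattr picker, so ACIs built there silently cannot cover them. Also worth noting the class-level list is shared across instances like object_class, so callers must never append to it in place.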
@@ -356,17 +359,19 

Re: [Freeipa-devel] [PATCH] admiyo-0118-aci-ui

2010-12-20 Thread Adam Young

On 12/20/2010 11:23 PM, Rob Crittenden wrote:

Adam Young wrote:

ack.

Adam, I'm going to let you push this. There were a couple of trivial 
merge errors but I figure you're best to work them out.


I will have a follow-on patch shortly to fix a few problems on my end 
I discovered while poking around with this.


rob

rebased and pushed to master.

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


[Freeipa-devel] Issues with ACI UI

2010-12-20 Thread Adam Young
1. Can't add an ACI. Before, I was able to get away with a blank filter, but that doesn't seem to work anymore.
2. Delegation-add: the group-find for the combo boxes isn't getting executed.
3. Some edits are broken for Permissions: for certain, 'update dns entries'.
4. Adding a self service permission: attrs is required, even if the user just wants to do an 'add' permission.
5. Modifying the self service permission just added gives an internal error. I removed the 'delete' and 'write' permissions (which I did not set in the add dialog) as well as the 'audio' permission. Log is below:
[Tue Dec 21 00:18:03 2010] [error]   File "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 211, in wsgi_execute
[Tue Dec 21 00:18:03 2010] [error]     result = self.Command[name](*args, **options)
[Tue Dec 21 00:18:03 2010] [error]   File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 417, in __call__
[Tue Dec 21 00:18:03 2010] [error]     ret = self.run(*args, **options)
[Tue Dec 21 00:18:03 2010] [error]   File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 696, in run
[Tue Dec 21 00:18:03 2010] [error]     return self.execute(*args, **options)
[Tue Dec 21 00:18:03 2010] [error]   File "/usr/lib/python2.6/site-packages/ipalib/plugins/selfservice.py", line 160, in execute
[Tue Dec 21 00:18:03 2010] [error]     result = api.Command['aci_mod'](aciname, **kw)['result']
[Tue Dec 21 00:18:03 2010] [error]   File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 417, in __call__
[Tue Dec 21 00:18:03 2010] [error]     ret = self.run(*args, **options)
[Tue Dec 21 00:18:03 2010] [error]   File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 696, in run
[Tue Dec 21 00:18:03 2010] [error]     return self.execute(*args, **options)
[Tue Dec 21 00:18:03 2010] [error]   File "/usr/lib/python2.6/site-packages/ipalib/plugins/aci.py", line 550, in execute
[Tue Dec 21 00:18:03 2010] [error]     result = self.api.Command['aci_add'](aciname, **newkw)['result']
[Tue Dec 21 00:18:03 2010] [error]   File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 417, in __call__
[Tue Dec 21 00:18:03 2010] [error]     ret = self.run(*args, **options)
[Tue Dec 21 00:18:03 2010] [error]   File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 696, in run
[Tue Dec 21 00:18:03 2010] [error]     return self.execute(*args, **options)
[Tue Dec 21 00:18:03 2010] [error]   File "/usr/lib/python2.6/site-packages/ipalib/plugins/aci.py", line 450, in execute
[Tue Dec 21 00:18:03 2010] [error]     newaci_str = unicode(newaci)
[Tue Dec 21 00:18:03 2010] [error]   File "/usr/lib/python2.6/site-packages/ipalib/aci.py", line 68, in __repr__
[Tue Dec 21 00:18:03 2010] [error]     return self.export_to_string()
[Tue Dec 21 00:18:03 2010] [error]   File "/usr/lib/python2.6/site-packages/ipalib/aci.py", line 79, in export_to_string
[Tue Dec 21 00:18:03 2010] [error]     target = target + l + " || "
[Tue Dec 21 00:18:03 2010] [error] TypeError: cannot concatenate 'str' and 'NoneType' objects



Some of these are on the UI side, and some are on the server side.  
We'll need to sort out which is which.


___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
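The TypeError in item 5 comes from export_to_string concatenating a None attribute name into the targetattr list, and the aci hunks earlier on this page lowercase attribute names because the ACI UI compares them as strings. As an added example (not FreeIPA's code and not ipalib/aci.py), here is a small standalone parser and serializer for the ACI shape those ldif lines use: it validates the attribute list before serializing, so a bad list raises a clear ACIError instead of a TypeError, and it compares targetattr lists case-insensitively, which is how LDAP treats attribute type names. The sample ACI is the "Modify Groups" rule from the patch with $SUFFIX replaced by dc=example,dc=com and the double quotes (stripped by the list archive) restored; parse_aci, aci_to_string, grants and the regexes are this example's own names and assumptions, not the project's API.

```python
import re
from typing import Dict, List, Optional, Sequence


class ACIError(ValueError):
    """Raised when an ACI string cannot be parsed or an ACI dict cannot be serialized."""


# The subset of 389-DS ACI syntax the FreeIPA ldif lines above use (quotes restored):
#   (targetattr = "a || b")(target = "ldap:///...")(version 3.0;acl "Name";allow (perm,...) groupdn = "ldap:///...";)
# Keywords are matched case-insensitively, as the server does.
_TARGETATTR_RE = re.compile(r'\(targetattr\s*=\s*"([^"]*)"\)', re.IGNORECASE)
_TARGET_RE = re.compile(r'\(target\s*=\s*"([^"]*)"\)', re.IGNORECASE)
_ACL_RE = re.compile(
    r'\(version\s+3\.0\s*;\s*acl\s+"([^"]*)"\s*;\s*'
    r'allow\s*\(([^)]*)\)\s*groupdn\s*=\s*"([^"]*)"\s*;\s*\)',
    re.IGNORECASE,
)


def parse_aci(text: str) -> Dict[str, object]:
    """Split one ACI string into its parts. Attribute names are kept exactly as written."""
    acl = _ACL_RE.search(text)
    if acl is None:
        raise ACIError("missing version 3.0/acl/allow/groupdn clause in %r" % text)
    m_attr = _TARGETATTR_RE.search(text)
    m_target = _TARGET_RE.search(text)
    attrs = [a.strip() for a in m_attr.group(1).split("||")] if m_attr else []
    if any(not a for a in attrs):
        raise ACIError("empty attribute name in targetattr of %r" % text)
    return {
        "name": acl.group(1),
        "permissions": [p.strip().lower() for p in acl.group(2).split(",") if p.strip()],
        "groupdn": acl.group(3),
        "target": m_target.group(1) if m_target else None,
        "targetattr": attrs,
    }


def normalize_attrs(attrs: Sequence[str]) -> List[str]:
    """LDAP attribute types are case-insensitive: canonicalize to a lowercased, de-duplicated, sorted list."""
    return sorted({a.strip().lower() for a in attrs})


def same_targetattr(aci_a: Dict[str, object], aci_b: Dict[str, object]) -> bool:
    """True if two ACIs cover the same attributes, ignoring case and order."""
    return normalize_attrs(aci_a["targetattr"]) == normalize_attrs(aci_b["targetattr"])


def grants(aci: Dict[str, object], permission: str, attr: Optional[str] = None) -> bool:
    """True if the ACI allows `permission` and, when `attr` is given, lists it in targetattr
    (case-insensitively). This helper only knows explicitly listed attributes; it does not
    model the server's default for an ACI without a targetattr clause."""
    if permission.lower() not in aci["permissions"]:
        return False
    if attr is None:
        return True
    return attr.lower() in normalize_attrs(aci["targetattr"])


def aci_to_string(aci: Dict[str, object]) -> str:
    """Inverse of parse_aci. Every attribute name is validated first, so a None or empty
    entry fails with ACIError instead of the TypeError ('str' + None) in the traceback above."""
    attrs = aci.get("targetattr") or []
    bad = [a for a in attrs if not isinstance(a, str) or not a.strip()]
    if bad:
        raise ACIError("targetattr contains invalid attribute names: %r" % bad)
    perms = aci.get("permissions") or []
    if not perms:
        raise ACIError("ACI %r has no permissions" % aci.get("name"))
    for key in ("name", "groupdn"):
        if not aci.get(key):
            raise ACIError("ACI is missing %s" % key)
    parts = []
    if attrs:
        parts.append('(targetattr = "%s")' % " || ".join(attrs))
    if aci.get("target"):
        parts.append('(target = "%s")' % aci["target"])
    parts.append('(version 3.0;acl "%s";allow (%s) groupdn = "%s";)'
                 % (aci["name"], ",".join(perms), aci["groupdn"]))
    return "".join(parts)


# Constructed sample: the "Modify Groups" aci from the patch above, before and after the
# ipaUniqueId -> ipauniqueid change, with $SUFFIX replaced by an example suffix.
OLD_MODIFY_GROUPS = (
    '(targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipaUniqueId")'
    '(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=example,dc=com")'
    '(version 3.0;acl "Modify Groups";allow (write) '
    'groupdn = "ldap:///cn=modifygroups,cn=permissions,cn=accounts,dc=example,dc=com";)'
)
NEW_MODIFY_GROUPS = OLD_MODIFY_GROUPS.replace("ipaUniqueId", "ipauniqueid")


if __name__ == "__main__":
    old, new = parse_aci(OLD_MODIFY_GROUPS), parse_aci(NEW_MODIFY_GROUPS)
    print("string-equal targetattr:", old["targetattr"] == new["targetattr"])
    print("case-insensitive equal: ", same_targetattr(old, new))
    try:
        aci_to_string(dict(new, targetattr=["cn", None]))
    except ACIError as e:
        print("rejected:", e)
```

Run stand-alone it prints False, True and the rejection message; the point is that the two aci lines in the patch are the same rule to the server and only differ to code that compares the raw strings, and that validating the attribute list before building the string turns the internal error into an input error the UI can show.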


Re: [Freeipa-devel] [PATCH] 0037 Fix race condition in install

2010-12-20 Thread Adam Young

On 12/20/2010 11:31 PM, Adam Young wrote:

On 12/20/2010 09:23 PM, Simo Sorce wrote:

This seems to fix a long-standing bug that was mitigated by a
workaround, but was still present after all.

Simo.

Applied and ran the install successfully.
ACK


Pushed to master
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

[Freeipa-devel] [PATCH] 0038 Rework init and sync commands of ipa-replica-prepare

2010-12-20 Thread Simo Sorce

These commands had a very confusing syntax as well as issues (init was
running the memberof task on the wrong server).

The commands have been renamed to make it clearer what they do:
init - re-initialize
synch - force-sync

Both commands now require a --from hostname naming the server they get
their data from, and can only be run on the replica that needs to be
re-initialized or re-synced. This is because it was confusing to
understand which server was being used; now the server you are operating on
is the one you are sitting on.

As a bonus the whole thing now works with just admin credentials (or
any kerb credentials of a user with the managereplica permission).

The init command also does not return until the re-initialization is
done (giving out the status once a second) and properly runs the
memberof task only once all the entries have been received.

The only thing that I am a bit uncomfortable with is the new aci on the
cn=tasks,cn=config object. I tried to add the task on the cn=memberof
task,cn=tasks,cn=config object to restrict power only to that task, but
DS refused to allow me to set an aci on that entry for some reason.

Fixes: #626

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
From b40bb7f36b2f119300f1abf5bc91da9413fec71d Mon Sep 17 00:00:00 2001
From: Simo Sorce sso...@redhat.com
Date: Mon, 20 Dec 2010 23:34:00 -0500
Subject: [PATCH] Rework old init and synch commands and use better names.

These commands can now be run exclusively on the replica that needs to be
resynced or reinitialized and the --from command must be used to tell from
which other replica it will pull data.

Fixes: https://fedorahosted.org/freeipa/ticket/626
---
 install/share/replica-acis.ldif  |5 +++
 install/tools/ipa-replica-manage |   70 +
 ipaserver/install/service.py |   21 +++
 3 files changed, 66 insertions(+), 30 deletions(-)

diff --git a/install/share/replica-acis.ldif b/install/share/replica-acis.ldif
index feda1d9b74962447f2d909923097d6d69dcae88f..df91b5a5a86ae6880c9924dd39708d7b413aac9e 100644
--- a/install/share/replica-acis.ldif
+++ b/install/share/replica-acis.ldif
@@ -15,3 +15,8 @@ changetype: modify
 add: aci
 aci: (targetattr=*)(targetfilter=(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)))(version 3.0;acl Remove Replication Agreements;allow (delete) groupdn = ldap:///cn=removereplica,cn=permissions,cn=accounts,$SUFFIX;;)
 
+dn: cn=tasks,cn=config
+changetype: modify
+add: aci
+aci: (targetattr=*)(version 3.0; acl Run tasks after replica re-initialization; allow (add) groupdn = ldap:///cn=modifyreplica,cn=permissions,cn=accounts,$SUFFIX;;)
+
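Review bot: the new aci grants (add) with targetattr=* on cn=tasks,cn=config as a whole, so any member of cn=modifyreplica can create any task entry under it, not only the memberof fixup that the re-initialize command needs (389-DS keeps its export, import, backup and other task containers under the same parent). The mail says an aci placed directly on cn=memberof task,cn=tasks,cn=config was refused; the usual way round that is to keep the aci on cn=tasks,cn=config but scope it with a target clause, e.g. (target = "ldap:///cn=*,cn=memberof task,cn=tasks,cn=config"), or a targetfilter on the task's objectclass, and to name that task in the acl string. Failing that, a comment in the ldif recording why the broader grant was accepted is needed so it is not copied as a pattern.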
diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage
index 2ff1f11f2a8cf4d610bb9a15bef01ef219f3588e..0e1f37a00553fc82879c7769a0f2777d3ac81557 100755
--- a/install/tools/ipa-replica-manage
+++ b/install/tools/ipa-replica-manage
@@ -39,10 +39,8 @@ commands = {
 must provide the name of the server to disconnect),
 del:(1, 1, master fqdn,
 must provide hostname of master to delete),
-init:(1, 1, master fqdn,
-hostname of master to initialize is required),
-synch:(1, 1, master fqdn,
-must provide hostname of supplier to synchronize with)
+re-initialize:(0, 0, , ),
+force-sync:(0, 0, , )
 }
 
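Review bot: re-initialize and force-sync are registered with empty usage and error strings ("", ""), so the generated command help no longer tells the user that --from is mandatory for them, whereas the removed init and synch entries at least named their argument. Fill in the two strings, e.g. "must provide --from hostname of the master to pull data from", so the requirement shows up in the usage output instead of only in the later sys.exit(1) inside re_initialize.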
 def parse_options():
@@ -69,6 +67,7 @@ def parse_options():
   help=DN of Windows subtree containing the users you want to sync (default cn=Users,domain suffix))
 parser.add_option(--passsync, dest=passsync,
   help=Password for the Windows PassSync user)
+parser.add_option(--from, dest=fromhost, help=Host to get data from)
 
 options, args = parser.parse_args()
 
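Review bot: the --from help text "Host to get data from" does not say that the option applies only to re-initialize and force-sync, nor that it must name another IPA master; because it is a global option it will be accepted and silently ignored by connect, del and the other commands in the table above. Extend the help string with the two commands it belongs to and have parse_options reject --from for the commands that do not take it.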
@@ -340,27 +339,50 @@ def add_link(replica1, replica2, dirman_passwd, options):
 repl1.setup_replication(replica2, get_realm_name(), **other_args)
 print Connected '%s' to '%s' % (replica1, replica2)
 
-def init_master(replman, dirman_passwd, hostname):
-filter = ((nsDS5ReplicaHost=%s)(|(objectclass=nsDSWindowsReplicationAgreement)(objectclass=nsds5ReplicationAgreement))) % hostname
-entry = replman.conn.search_s(cn=config, ldap.SCOPE_SUBTREE, filter)
+def re_initialize(options):
+
+if not options.fromhost:
+print re-initialize requires the option --from host name
+sys.exit(1)
+
+repl = replication.ReplicationManager(options.fromhost, options.dirman_passwd)
+repl.suffix = get_suffix()
+
+thishost = installutils.get_fqdn()
+
+filter = ((nsDS5ReplicaHost=%s)(|(objectclass=nsDSWindowsReplicationAgreement)(objectclass=nsds5ReplicationAgreement))) % thishost
+entry = repl.conn.search_s(cn=config, ldap.SCOPE_SUBTREE, filter)
 if len(entry) == 0:
-logging.error(Unable to find replication agreement for %s % hostname)
+logging.error(Unable to find %s - %s replication agreement %
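Review bot: re_initialize only checks that --from was given, not that it names a host other than this one; thishost = installutils.get_fqdn() is then used in the nsDS5ReplicaHost filter, so --from pointing at the local replica connects to itself and looks for an agreement with itself, failing with the confusing "Unable to find ... replication agreement" error instead of a usage message. Add a check right after computing thishost, e.g. if options.fromhost == thishost: print a clear message and sys.exit(1). Two smaller points on the same lines: filter shadows the builtin (the old init_master had the same problem), and the hostname is interpolated into the LDAP filter unescaped; the value comes from get_fqdn() today, but wrapping it in ldap.filter.escape_filter_chars costs nothing and keeps the pattern safe if it is ever taken from the command line.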