Re: [Freeipa-devel] [PATCH 21/21] fixes CA install problem in trac ticket 682
On Mon, 2011-01-03 at 12:23 -0500, Dmitri Pal wrote:
Rob Crittenden wrote:
Simo Sorce wrote:
- Original Message -
Do not call status after pkisilent, it will return non-zero. Instead restart the server after pkisilent so configuration changes take effect, then check the status.
Ack. Simo.
My question is: will this still work on F-13 (I don't think it will) and does it matter?
I think we need to drop F13 since:
* Kerberos 1.9 will not be ported back to F13.
* Dogtag relies on tomcat6.
* The entitlements library is only in F14 AFAIU.
All components seem to align cleanly on F14. I doubt we would be able to do the same on F13 without a significant effort.
I agree, besides F13 will be obsoleted as soon as F15 is out, so we would make a significant effort for less than a couple of months' worth.
Simo.
___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 659 drop CoS for activation
On Mon, 2011-01-03 at 15:07 -0500, Rob Crittenden wrote:
Drop using a Class of Service for account activation. It added a lot of unnecessary complexity. Instead just update the nsaccountlock attribute directly. ticket 568
ACK, glad to see this one go, although we spent a lot of time getting it right...
Simo.
Re: [Freeipa-devel] [PATCH] 662 start messagebus service
On Mon, 2011-01-03 at 16:43 -0500, Rob Crittenden wrote:
Always start the messagebus service so that certmonger will work properly. There have been reports from some very minimal installs that this service isn't started. ticket 528
ACK!
Simo.
[Freeipa-devel] [PATCH] 0042 Fix dns install on replicas
DNS installation on replicas was broken. This patch fixes both the --setup-dns switch of ipa-replica-install as well as running ipa-dns-install on an existing replica.
Simo.
Re: [Freeipa-devel] [Freeipa-users] [Freeipa-interest] Announcing FreeIPA v2 Server Beta 1 Release
We return to this discussion once in a while... Samba 4 tries to do it and still struggles after many years of development. We definitely would look at Samba 4 again when we see it sufficiently ready but this is not a priority for 2011.
Maybe this is the reason why FreeIPA has so few users and nearly no echo in the Linux community.
Samba 4 is intended to be a duplicate of AD; this is how it is designed and implemented.
The problem here is that Samba 4 is still alpha.
I would like to be able to use Linux as the IT backbone without having to resort to Microsoft.
This is also our most implemented scenario. Only in the last year we migrated half a dozen companies away from Microsoft and AD (on the server side). This year a lot of companies are already planned for migration. Especially with the knowledge in mind that (based on the change of Microsoft's licensing model for hosters) around 1000 companies in Switzerland alone will switch their Abacus (www.abacus.ch, large ERP for Switzerland) platform to Linux, so it's REALLY, REALLY (I cannot write how much I would like to accentuate this) important to have a network-wide authentication and identity management software to build up large Linux server environments with Windows frontends. So, having Windows clients in the network is the reality; we cannot close our eyes to this only because it's a challenge to implement it.
Linux is lacking a complete solution that acts as a central authentication and identity management platform
I think also this is the only huge area in Linux which is really missing. Just think about the huge potential of users and implementations if FreeIPA acts also as an authentication instance for Windows environments. Just we alone (as a small company with 8 persons) would have the possibility for around 20 migrations this year.
It just wage to dream a bit but from my point of view the authentication lack is the only remaining one which prevents the rest of the world (or even Europe and Switzerland) from massively migrating to Linux and open source (at least on the server side).
Regards Roland
- Original Message -
From: Dmitri Pal d...@redhat.com
To: Benjamin Vogt benjamin.v...@serv24.biz
CC: Roland Kaeser roland.kae...@intersoft-networks.ch, freeipa-devel@redhat.com, freeipa-us...@redhat.com
Sent: Monday, 3 January 2011 22:42:59
Subject: Re: [Freeipa-devel] [Freeipa-users] [Freeipa-interest] Announcing FreeIPA v2 Server Beta 1 Release
Benjamin Vogt wrote:
I have to agree with Roland. Linux is lacking a complete solution that acts as a central authentication and identity management platform. I would like to be able to use Linux as the IT backbone without having to resort to Microsoft. The reality is that Windows clients are too widespread in most enterprises. So far, I don't see the benefits in upgrading from FreeIPA 1.2. As for reimplementing AD, is there any reason we could not use Samba 4 as a backend? There are other interesting projects that build on it, such as openchange which could be a viable Exchange replacement.
We return to this discussion once in a while... Samba 4 is intended to be a duplicate of AD; this is how it is designed and implemented. It is not nice to UNIX/Linux in the same way as AD is not. This was one of the reasons we decided not to use Samba 4 as our back end though we did a lot of research and analysis. You can search archives from 2007/2008 for more details. What you are asking for is a very appealing goal but unfortunately not something that can be easily accomplished. Serving Windows clients by a non-Windows server is a challenge. Samba 4 tries to do it and still struggles after many years of development. We definitely would look at Samba 4 again when we see it sufficiently ready but this is not a priority for 2011.
Thanks Dmitri
Regards, - Ben
-Original Message-
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Roland Kaeser
Sent: Monday, January 03, 2011 19:38
To: freeipa-devel@redhat.com; freeipa-us...@redhat.com
Subject: Re: [Freeipa-users] [Freeipa-devel] [Freeipa-interest] Announcing FreeIPA v2 Server Beta 1 Release
Strange, even in the v2 outline (http://www.freeipa.org/page/V2Outline) it is explicitly written that AD integration and Samba 3 support will be one of the features of v2. If not, it's completely unusable to me, and verisimilar also to most other potential users. It's sad, but in most cases sysadmins have to deal with Windows machines in their network. So at the moment they have only the choice between an AD and a Samba domain (with LDAP). FreeIPA would have so much potential if it acts as a central authentication and identity management platform which connects all the different network systems together. Especially in a RHEV environment with VDI infrastructures it could be the central point for authentication, authorization and auditing. But if
[Freeipa-devel] [PATCH] Improve filtering of enrollments search results.
This is required for effective filtering of enrollments search results in the webUI and also gives an edge to the CLI. After this patch, each LDAPObject can define its relationships to other LDAPObjects. For now, this is used only for filtering search results by enrollments, but there are probably more benefits to come. You can do this for example:
# search for all users not enrolled in group admins
ipa user-find --not-in-groups=admins
# search for all groups not enrolled in group global with user Pavel
ipa group-find --users=Pavel --not-in-groups=global
# more examples:
ipa group-find --users=Pavel,Jakub --no-users=Honza
ipa hostgroup-find --hosts=webui.pzuna
Pavel
From 19975e5e2ceb3a3f9fd18be0f3fafe8f42aa626c Mon Sep 17 00:00:00 2001
From: Pavel Zuna pz...@redhat.com
Date: Tue, 4 Jan 2011 15:15:54 -0500
Subject: [PATCH 1/2] Improve filtering of enrollments search results.
This is required for effective filtering of enrollments search results in the webUI and also gives an edge to the CLI. After this patch, each LDAPObject can define its relationships to other LDAPObjects. For now, this is used only for filtering search results by enrollments, but there are probably more benefits to come. You can do this for example:
# search for all users not enrolled in group admins
ipa user-find --not-in-groups=admins
# search for all groups not enrolled in group global with user Pavel
ipa group-find --users=Pavel --not-in-groups=global
# more examples:
ipa group-find --users=Pavel,Jakub --no-users=Honza
ipa hostgroup-find --hosts=webui.pzuna
---
 ipalib/plugins/baseldap.py | 57 ---
 ipalib/plugins/group.py | 2 +-
 ipalib/plugins/host.py | 7 -
 ipalib/plugins/hostgroup.py | 2 +-
 ipalib/plugins/netgroup.py | 11 +++-
 ipalib/plugins/user.py | 2 +
 6 files changed, 68 insertions(+), 13 deletions(-)
diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py
index 1cd181c..d38da89 100644
--- a/ipalib/plugins/baseldap.py
+++ b/ipalib/plugins/baseldap.py
@@ -234,6 +234,15 @@ class LDAPObject(Object): rdnattr = None # Can bind as this entry (has userPassword or krbPrincipalKey) bindable = False +relationships = { +# attribute: (label, inclusive param prefix, exclusive param prefix) +'member': ('Member', '', 'no_'), +'memberof': ('Parent', 'in_', 'not_in_'), +'memberindirect': ( +'Indirect Member', None, 'no_indirect_' +), +} +label = _('Entry') container_not_found_msg = _('container entry (%(container)s) not found') parent_not_found_msg = _('%(parent)s: %(oname)s not found') @@ -343,7 +352,7 @@ class LDAPObject(Object): 'parent_object', 'container_dn', 'object_name', 'object_name_plural', 'object_class', 'object_class_config', 'default_attributes', 'label', 'hidden_attributes', 'uuid_attribute', 'attribute_members', 'name', -'takes_params', 'rdn_attribute', 'bindable', +'takes_params', 'rdn_attribute', 'bindable', 'relationships', ) def __json__(self): @@ -1195,7 +1204,8 @@ class LDAPSearch(CallbackInterface, crud.Search): Retrieve all LDAP entries matching the given criteria. member_attributes = [] -member_param_doc = 'exclude %s with member %s (comma-separated list)' +member_param_incl_doc = 'only %s with %s %s' +member_param_excl_doc = 'only %s with no %s %s' takes_options = ( Int('timelimit?', 
@@ -1227,21 +1237,50 @@ class LDAPSearch(CallbackInterface, crud.Search): for attr in self.member_attributes: for ldap_obj_name in self.obj.attribute_members[attr]: ldap_obj = self.api.Object[ldap_obj_name] -name = to_cli(ldap_obj_name) -doc = self.member_param_doc % ( -self.obj.object_name_plural, ldap_obj.object_name_plural +relationship = self.obj.relationships.get( +attr, ['member', '', 'no_'] +) +doc = self.member_param_incl_doc % ( +self.obj.object_name_plural, relationship[0].lower(), +ldap_obj.object_name_plural +) +name = '%s%s' % (relationship[1], to_cli(ldap_obj_name)) +yield List( +'%s?' % name, cli_name='%ss' % name, doc=doc, +label=ldap_obj.object_name +) +doc = self.member_param_excl_doc % ( +self.obj.object_name_plural, relationship[0].lower(), +ldap_obj.object_name_plural +) +name = '%s%s' % (relationship[2], to_cli(ldap_obj_name)) +yield List( +'%s?' % name, cli_name='%ss' % name, doc=doc, +label=ldap_obj.object_name ) -yield List('no_%s?' % name,
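Review bot: the inclusive option name in the LDAPSearch hunk is built as `name = '%s%s' % (relationship[1], to_cli(ldap_obj_name))`, but the 'memberindirect' entry added to LDAPObject.relationships sets its inclusive prefix to None, so any search whose member_attributes includes 'memberindirect' would yield an option literally named `Nonegroup`; skip the inclusive List when relationship[1] is None (and the exclusive one when relationship[2] is None) rather than formatting both unconditionally. Minor: the fallback `['member', '', 'no_']` passed to `.get()` is a list while every entry in the dict is a tuple; use a tuple so the two shapes match.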
[Freeipa-devel] [PATCH] Improvements to enrollments in the webUI.
The patch is a bit bigger and more complex, so I expect this to be the first shot at it. There are some places where we need to handle localization better and be more generic when it comes to non-standard relationships like 'enrolledby' etc., but that can be done later. (I put a few TODOs in the code.) Anyway, here's the changelog for this patch: - Enrollement links in the action panel are now sorted by relationships. - You can only enroll members. (The webUI made the impression you can enroll parents as well, but it was broken.) - When enrolling new members, you can choose not to display already enrolled ones. (On by default.) - Couple cosmetic changes. IT DEPENDS ON MY PATCH NUMBER 54 (Improve filtering of enrollments search results.) Pavel From 830c2c5f2780b461f62509ae044c82da76607dc3 Mon Sep 17 00:00:00 2001 From: Pavel Zuna pz...@redhat.com Date: Tue, 4 Jan 2011 15:21:18 -0500 Subject: [PATCH 2/2] Improvements to enrollments in the webUI. TAKE 1 - Enrollement links in the action panel are now sorted by relationships. - You can only enroll members. (The webUI made the impression you can enroll parents as well, but it was broken.) - When enrolling new members, you can choose not to display already enrolled ones. (On by default.) - Couple cosmetic changes. --- install/static/associate.js | 72 +++ install/static/entity.js| 45 -- install/static/group.js |9 +- install/static/ipa.css | 10 +- install/static/widget.js| 21 5 files changed, 124 insertions(+), 33 deletions(-) diff --git a/install/static/associate.js b/install/static/associate.js index 66db171..6517cca 100644 --- a/install/static/associate.js +++ b/install/static/associate.js @@ -140,6 +140,7 @@ function ipa_association_adder_dialog(spec) { that.entity_name = spec.entity_name; that.pkey = spec.pkey; that.other_entity = spec.other_entity; +that.attribute_member = spec.attribute_member; that.init = function() { if (!that.columns.length) { 
@@ -152,6 +153,9 @@ function ipa_association_adder_dialog(spec) { }); } +/* FIXME: event not firing? */ +$('input[name=hidememb]', that.container).click(that.search); + that.adder_dialog_init(); }; @@ -166,7 +170,31 @@ function ipa_association_adder_dialog(spec) { } } -ipa_cmd('find', [that.get_filter()], {'all': true}, on_success, null, that.other_entity); +var hide_checkbox = $('input[name=hidememb]', that.container); + +var options = {'all': true}; +if (hide_checkbox.attr('checked')) { +var relationships = IPA.metadata[that.other_entity].relationships; + +/* TODO: better generic handling of different relationships! */ +var other_attribute_member = ''; +if (that.attribute_member == 'member') +other_attribute_member = 'memberof'; +else if (that.attribute_member == 'memberuser') +other_attribute_member = 'memberof'; +else if (that.attribute_member == 'memberhost') +other_attribute_member = 'memberof'; +else if (that.attribute_member == 'memberof') +other_attribute_member = 'member'; + +var relationship = relationships[other_attribute_member]; +if (relationship) { +var param_name = relationship[2] + that.entity_name; +options[param_name] = that.pkey; +} +} + +ipa_cmd('find', [that.get_filter()], options, on_success, null, that.other_entity); }; that.association_adder_dialog_init = that.init; @@ -234,6 +262,7 @@ function ipa_association_table_widget(spec) { var that = ipa_table_widget(spec); that.other_entity = spec.other_entity; +that.attribute_member = spec.attribute_member; that.associator = spec.associator || bulk_associator; that.add_method = spec.add_method || 'add_member'; @@ -398,7 +427,8 @@ function ipa_association_table_widget(spec) { 'title': title, 'entity_name': that.entity_name, 'pkey': pkey, -'other_entity': that.other_entity +'other_entity': that.other_entity, +'attribute_member': that.attribute_member, }); }; 
@@ -513,6 +543,8 @@ function ipa_association_facet(spec) { var that = ipa_facet(spec); that.other_entity = spec.other_entity; +that.facet_group = spec.facet_group; +that.attribute_member = spec.attribute_member; that.associator = spec.associator || bulk_associator; that.add_method = spec.add_method || 'add_member'; @@ -636,9 +668,20 @@ function ipa_association_facet(spec) { that.pkey = $.bbq.getState(that.entity_name + '-pkey', true) || ''; -//TODO I18N -var header_message =
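Review bot: the `/* FIXME: event not firing? */` line binds `$('input[name=hidememb]', that.container).click(that.search)` before `that.adder_dialog_init()` is called, so if that init is what renders the checkbox into the container the selector matches nothing and no handler is attached, which would explain the FIXME; bind after the dialog is built. In the same function the `if / else if` chain maps three attribute_member values to 'memberof' and one to 'member'; a lookup object keyed by attribute name removes the repetition and gives the TODO about non-standard relationships a single place to extend. Also, the object literal ending in `'attribute_member': that.attribute_member,` now has a trailing comma, which IE 8 and earlier reject with a syntax error.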
Re: [Freeipa-devel] [Freeipa-users] [Freeipa-interest] Announcing FreeIPA v2 Server Beta 1 Release
On 1/4/11 1:04 AM, Roland Kaeser roland.kae...@intersoft-networks.ch wrote:
We return to this discussion once in a while... Samba 4 tries to do it and still struggles after many years of development. We definitely would look at Samba 4 again when we see it sufficiently ready but this is not a priority for 2011.
Maybe this is the reason why FreeIPA has so few users and nearly no echo in the Linux community.
I disagree Roland. The Linux community at large is generally living in the dark ages of authorization management. There are no comparative comprehensive Linux solutions in the community thus far which actually address scalable authentication and authorization for Linux systems by a Linux solution. My observation is that the quiet in the community is due to the lack of solutions out there. /etc/access.conf, pam_ldap, Centrify, hosts.allow are very primitive means to control access to a Linux client. Regardless of how complex you make your authentication database, to this day, you are still limited to: pam_ldap, access.conf, Centrify, hosts.allow... These are very primitive means to control access to a Linux client. With FreeIPA and SSSD, the first means of providing real RBAC/HBAC is available to the Open Source community. We cannot and should not attempt to explain the quiet with answers of disinterest or lack of Microsoft support. The fact is, there has not yet been a competent Linux solution and as a result the utilization of pure Linux environments has been stunted, with people settling for things like /etc/passwd, /etc/access.conf, pam_ldap, and NIS... What you are describing is the reinventing of the wheel. Which has previously been answered: if the goal is to provide an alternative Linux authentication/authorization method for Microsoft Windows, then there are already existing solutions out there: Samba4, Novell eDirectory + Directory Services for Windows...
FreeIPA serves to facilitate some of the most basic authentication/authorization interactions that other OSes have taken for granted for years.
Samba 4 is intended to be a duplicate of AD; this is how it is designed and implemented.
The problem here is that Samba 4 is still alpha.
I would like to be able to use Linux as the IT backbone without having to resort to Microsoft.
This is also our most implemented scenario. Only in the last year we migrated half a dozen companies away from Microsoft and AD (on the server side). This year a lot of companies are already planned for migration. Especially with the knowledge in mind that (based on the change of Microsoft's licensing model for hosters) around 1000 companies in Switzerland alone will switch their Abacus (www.abacus.ch, large ERP for Switzerland) platform to Linux, so it's REALLY, REALLY (I cannot write how much I would like to accentuate this) important to have a network-wide authentication and identity management software to build up large Linux server environments with Windows frontends. So, having Windows clients in the network is the reality; we cannot close our eyes to this only because it's a challenge to implement it.
Microsoft has designed a complete ecosystem to surround its client, server, email, and productivity solutions. It's not just a challenge to implement a successful means of replacing the backend, it is directly opposed to the goals of its creator: Microsoft. The various components within Microsoft's (and most commercial) solutions are designed at their core to be proprietary with the effort of drawing in consumers to more pieces of their puzzle. It is entirely likely that it will be necessary to have both solutions in place and working together, rather than attempting to circumvent Microsoft's solution.
Linux is lacking a complete solution that acts as a central authentication and identity management platform
I think also this is the only huge area in Linux which is really missing. Just think about the huge potential of users and implementations if FreeIPA acts also as an authentication instance for Windows environments. Just we alone (as a small company with 8 persons) would have the possibility for around 20 migrations this year. It just wage to dream a bit but from my point of view the authentication lack is the only remaining one which prevents the rest of the world (or even Europe and Switzerland) from massively migrating to Linux and open source (at least on the server side).
While I agree that a truly unified solution which answers all clients' authentication needs is a worthwhile concept, in practice, throughout my entire career, I've learned that the commercial design of this ecosystem conflicts with this ambitious ideal. I have had a great deal of experience in highly dense and distributed (world wide) native Linux installations which service Windows clients. All tools are best used by their intended design. If the only tool you have is a hammer, you may approach all of your problems as if they are nails.
~~ Jr Aquino Information
Re: [Freeipa-devel] [PATCH] Improvements to enrollments in the webUI.
On 01/04/2011 10:34 AM, Pavel Zuna wrote:
The patch is a bit bigger and more complex, so I expect this to be the first shot at it. There are some places where we need to handle localization better and be more generic when it comes to non-standard relationships like 'enrolledby' etc., but that can be done later. (I put a few TODOs in the code.) Anyway, here's the changelog for this patch:
- Enrollment links in the action panel are now sorted by relationships.
- You can only enroll members. (The webUI made the impression you can enroll parents as well, but it was broken.)
- When enrolling new members, you can choose not to display already enrolled ones. (On by default.)
- Couple of cosmetic changes.
IT DEPENDS ON MY PATCH NUMBER 54 (Improve filtering of enrollments search results.)
Pavel
Nack, make sure you filter out the object itself, so you can't enroll, for example, a group in itself. For verbiage, use Members for objects enrolled in this object, and Member of: in place of parent. Other than that, it looks good.
[Freeipa-devel] [PATCH] 663 better keytab detection
Make sure the file we're operating on is really a keytab in ipa-rmkeytab. Do this by creating a cursor into the keytab. The krb lib will return a failure if this can't be done. ticket 654 rob From f43e584b8c2667a608912b4f83b515be62d78d55 Mon Sep 17 00:00:00 2001 From: Rob Crittenden rcrit...@redhat.com Date: Tue, 4 Jan 2011 14:54:41 -0500 Subject: [PATCH] Better detection when not working with a real keytab in ipa-rmkeytab. Resolving the keytab isn't enough, this just creates a name. Try to create a cursor into the keytab to see if it is a valid keytab. ticket 654 --- ipa-client/ipa-rmkeytab.c | 12 +++- 1 files changed, 11 insertions(+), 1 deletions(-) diff --git a/ipa-client/ipa-rmkeytab.c b/ipa-client/ipa-rmkeytab.c index 833d025..0320045 100644 --- a/ipa-client/ipa-rmkeytab.c +++ b/ipa-client/ipa-rmkeytab.c @@ -147,6 +147,7 @@ main(int argc, const char **argv) krb5_context context; krb5_error_code krberr; krb5_keytab ktid; +krb5_kt_cursor cursor; char * ktname; char * atrealm; poptContext pc; @@ -212,10 +213,19 @@ main(int argc, const char **argv) krberr = krb5_kt_resolve(context, ktname, ktid); if (krberr) { -fprintf(stderr, _(Failed to open keytab '%s'\n), keytab); +fprintf(stderr, _(Failed to open keytab '%s': %s\n), keytab, +error_message(krberr)); rval = 3; goto cleanup; } +krberr = krb5_kt_start_seq_get(context, ktid, cursor); +if (krberr) { +fprintf(stderr, _(Failed to open keytab '%s': %s\n), keytab, +error_message(krberr)); +rval = 3; +goto cleanup; +} +krb5_kt_end_seq_get(context, ktid, cursor); if (principal) rval = remove_principal(context, ktid, principal, debug); -- 1.7.3.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
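Review bot: both failure branches in the second hunk print the same `Failed to open keytab '%s': %s` text and set rval = 3, so a caller cannot tell a file that does not exist from one that resolves but is not a keytab, which is exactly the case this patch sets out to detect; give the krb5_kt_start_seq_get failure its own message (and ideally its own exit code). The new goto runs after krb5_kt_resolve has succeeded, so make sure the cleanup label closes ktid with krb5_kt_close on that path; the cleanup code is not visible in this hunk. Ignoring the return value of krb5_kt_end_seq_get is fine here, since the cursor is only a validity probe and is never read.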
Re: [Freeipa-devel] [PATCH] Improve filtering of enrollments search results.
On 01/04/2011 12:41 PM, Adam Young wrote:
On 01/04/2011 10:30 AM, Pavel Zuna wrote:
This is required for effective filtering of enrollments search results in the webUI and also gives an edge to the CLI. After this patch, each LDAPObject can define its relationships to other LDAPObjects. For now, this is used only for filtering search results by enrollments, but there are probably more benefits to come. You can do this for example:
# search for all users not enrolled in group admins
ipa user-find --not-in-groups=admins
# search for all groups not enrolled in group global with user Pavel
ipa group-find --users=Pavel --not-in-groups=global
# more examples:
ipa group-find --users=Pavel,Jakub --no-users=Honza
ipa hostgroup-find --hosts=webui.pzuna
Pavel
Nack, as is we lose all of the associations for users. I suspect the changes to baseldap are safe, but can you explain why that is the case? Haven't noticed any other shortcomings.
OK, looks like this patch is not responsible for the missing associations. So ACK
[Freeipa-devel] [PATCHES] [bind-dyndb-ldap] Two patches for minor Coverity issues
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Patch 0001: Fix missing varargs cleanup The CHECK() macro may cause execution to skip down to the cleanup tag. If this happens, it would mean that we never called va_end() on backup. This patch reorganizes the code slightly to ensure that va_end() is always called. Patch 0002: Fix potential out-of-bounds write If there are exactly LD_MAX_SPLITS entries resulting from this split, the mandatory trailing NULL entry will be written to one entry past the end of the static arrayof LD_MAX_SPLITS size. - -- Stephen Gallagher RHCE 804006346421761 Delivering value year after year. Red Hat ranks #1 in value among software vendors. http://www.redhat.com/promo/vendor/ -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk0jhegACgkQeiVVYja6o6PGlwCgnO1jSmW1VhO3kJh3C818655M DaEAoK5b0f4VLiRkkKgMaJnGrjRoHv9+ =XJeu -END PGP SIGNATURE- From 4cc3a923c1e26ac4c286afd47df1d823920ef56b Mon Sep 17 00:00:00 2001 From: Stephen Gallagher sgall...@redhat.com Date: Tue, 4 Jan 2011 15:28:46 -0500 Subject: [PATCH 1/2] Fix missing varargs cleanup The CHECK() macro may cause execution to skip down to the cleanup tag. If this happens, it would mean that we never called va_end() on backup. This patch reorganizes the code slightly to ensure that va_end() is always called. --- src/str.c |4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/str.c b/src/str.c index b975aac7ba8c1028a71ac499dfe39530aba4e61f..611ae2028ec06d2e8e9e270eb6a6e0eaa37adcae 100644 --- a/src/str.c +++ b/src/str.c @@ -431,16 +431,16 @@ str_vsprintf(ld_string_t *dest, const char *format, va_list ap) CHECK(str_alloc(dest, len)); len = vsnprintf(dest-data, dest-allocated, format, backup); } - va_end(backup); if (len 0) { result = ISC_R_FAILURE; goto cleanup; } - return ISC_R_SUCCESS; + result = ISC_R_SUCCESS; cleanup: + va_end(backup); return result; } -- 1.7.3.4 
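Review bot: moving va_end(backup) under the cleanup label is only correct if va_copy(backup, ap) has already run on every path that can reach the label; if a CHECK() earlier in str_vsprintf can jump to cleanup before the copy is made, va_end would now be called on an uninitialised va_list, which is undefined behaviour, so please confirm the copy precedes the first CHECK (that part of the function is not in this hunk). Separately, the retry loop in the context passes `backup` to vsnprintf on each pass; a va_list that vsnprintf has consumed must not be reused, so each retry needs its own va_copy/va_end pair rather than one copy for the whole loop.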
From 93d709e47444ba38c314b4cece980a829c4f23b9 Mon Sep 17 00:00:00 2001 From: Stephen Gallagher sgall...@redhat.com Date: Tue, 4 Jan 2011 15:33:02 -0500 Subject: [PATCH 2/2] Fix potential out-of-bounds write If there are exactly LD_MAX_SPLITS entries resulting from this split, the mandatory trailing NULL entry will be written to one entry past the end of the static arrayof LD_MAX_SPLITS size. --- src/str.c |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/src/str.c b/src/str.c index 611ae2028ec06d2e8e9e270eb6a6e0eaa37adcae..56faa12dce3c7c7bde59d947b69907b9f63d315d 100644 --- a/src/str.c +++ b/src/str.c @@ -570,7 +570,7 @@ str_split(const ld_string_t *src, const char delimiter, ld_split_t *split) current_pos = 0; save = 1; for (unsigned int i = 0; - i split-allocated current_pos LD_MAX_SPLITS; + i split-allocated current_pos LD_MAX_SPLITS - 1; i++) { if (save split-data[i] != '\0') { split-splits[current_pos] = split-data + i; -- 1.7.3.4 0001-Fix-missing-varargs-cleanup.patch.sig Description: PGP signature 0002-Fix-potential-out-of-bounds-write.patch.sig Description: PGP signature ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
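Review bot: the new bound `current_pos < LD_MAX_SPLITS - 1` correctly reserves the last slot for the terminating NULL, but an input with more than LD_MAX_SPLITS - 1 fields now stops the loop early, leaving the remainder of the string unsplit in the last entry with no indication to the caller; consider returning an error (or at least documenting the truncation), since silently dropping fields can mask a malformed value rather than reject it. A one-line comment on the `- 1` saying it exists because of the terminator would keep a future change to LD_MAX_SPLITS from reintroducing the overflow.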
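The two str.c fixes above (a va_end that runs on every exit path, and a split loop that keeps the last array slot free for the NULL terminator), written out as an added stand-alone illustration that is not bind-dyndb-ldap's own code: the function names, the split_t layout and the MAX_SPLITS value are assumptions.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Small fixed bound standing in for LD_MAX_SPLITS (value assumed). */
#define MAX_SPLITS 4

/* Assumed layout: a NUL-separated heap copy of the input plus an array of
 * pointers into it that must always end with a NULL entry. */
typedef struct {
    char *data;               /* heap copy of the source string */
    size_t allocated;         /* bytes in data, including the final NUL */
    char *splits[MAX_SPLITS]; /* fields, NULL-terminated */
    size_t count;             /* number of non-NULL fields */
} split_t;

/* Split src on delimiter into at most MAX_SPLITS - 1 fields so that the NULL
 * terminator always lands inside the array. Returns 0 on success, -1 on
 * allocation failure and 1 when fields had to be dropped; the last field then
 * keeps the unsplit remainder, which is what the patched loop also does. */
int split_string(const char *src, char delimiter, split_t *split)
{
    size_t i, current_pos = 0;
    int save = 1, truncated = 0;

    memset(split, 0, sizeof(*split));
    split->allocated = strlen(src) + 1;
    split->data = malloc(split->allocated);
    if (split->data == NULL)
        return -1;
    memcpy(split->data, src, split->allocated);

    /* MAX_SPLITS - 1 is the one-token fix from the patch: slot MAX_SPLITS - 1
     * is reserved for the terminator, so the write below can never overflow. */
    for (i = 0; i < split->allocated && current_pos < MAX_SPLITS - 1; i++) {
        if (save && split->data[i] != '\0') {
            split->splits[current_pos++] = split->data + i;
            save = 0;
        }
        if (split->data[i] == delimiter) {
            split->data[i] = '\0';
            save = 1;
        }
    }
    /* Report, rather than hide, that the input had more fields than fit. */
    if (i < split->allocated && strchr(split->data + i, delimiter) != NULL)
        truncated = 1;

    split->splits[current_pos] = NULL; /* current_pos <= MAX_SPLITS - 1 */
    split->count = current_pos;
    return truncated;
}

void split_free(split_t *split)
{
    free(split->data);
    split->data = NULL;
}

/* Format into a heap buffer, retrying with a larger one until vsnprintf fits.
 * Each attempt takes a fresh va_copy, and the single cleanup label makes sure
 * va_end(ap) runs on every exit path, which is what the varargs patch restores.
 * Returns the buffer (caller frees it) or NULL on failure. */
char *format_alloc(const char *format, ...)
{
    va_list ap, backup;
    char *buf = NULL, *tmp, *result = NULL;
    size_t allocated = 16;
    int len;

    va_start(ap, format);
    for (;;) {
        tmp = realloc(buf, allocated);
        if (tmp == NULL)
            goto cleanup;
        buf = tmp;
        va_copy(backup, ap); /* a va_list consumed by vsnprintf cannot be reused */
        len = vsnprintf(buf, allocated, format, backup);
        va_end(backup);      /* always paired with the copy above */
        if (len < 0)
            goto cleanup;
        if ((size_t)len < allocated) {
            result = buf; /* success: hand the buffer to the caller */
            buf = NULL;
            break;
        }
        allocated = (size_t)len + 1; /* exact size for the retry */
    }
cleanup:
    free(buf);  /* NULL on success, the partial buffer on failure */
    va_end(ap); /* reached from every path, like the patched str_vsprintf */
    return result;
}
```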
Re: [Freeipa-devel] [PATCH] 660 set minimum uidnumber to 1
Adam Young wrote:
On 01/03/2011 03:13 PM, Rob Crittenden wrote:
Don't allow a user's uid (uidnumber) to be set to 0. The set/addattr routines call the validator rules so this is sufficient to cover both:
ipa user-add --first=tim --last=user --uid=0 tuser1
and
ipa user-mod --setattr uidnumber=0 tuser1
ticket 578
ACK.
pushed to master
Re: [Freeipa-devel] [PATCH] 662 start messagebus service
Simo Sorce wrote:
On Mon, 2011-01-03 at 16:43 -0500, Rob Crittenden wrote:
Always start the messagebus service so that certmonger will work properly. There have been reports from some very minimal installs that this service isn't started. ticket 528
ACK!
Simo.
pushed to master
Re: [Freeipa-devel] [PATCH] 659 drop CoS for activation
Simo Sorce wrote:
On Mon, 2011-01-03 at 15:07 -0500, Rob Crittenden wrote:
Drop using a Class of Service for account activation. It added a lot of unnecessary complexity. Instead just update the nsaccountlock attribute directly. ticket 568
ACK, glad to see this one go, although we spent a lot of time getting it right...
Simo.
pushed to master
Re: [Freeipa-devel] [PATCH] Improvements to enrollments in the webUI.
On 01/04/2011 12:45 PM, Adam Young wrote:
On 01/04/2011 10:34 AM, Pavel Zuna wrote:
The patch is a bit bigger and more complex, so I expect this to be the first shot at it. There are some places where we need to handle localization better and be more generic when it comes to non-standard relationships like 'enrolledby' etc., but that can be done later. (I put a few TODOs in the code.) Anyway, here's the changelog for this patch:
- Enrollment links in the action panel are now sorted by relationships.
- You can only enroll members. (The webUI made the impression you can enroll parents as well, but it was broken.)
- When enrolling new members, you can choose not to display already enrolled ones. (On by default.)
- Couple of cosmetic changes.
IT DEPENDS ON MY PATCH NUMBER 54 (Improve filtering of enrollments search results.)
Pavel
Nack, make sure you filter out the object itself, so you can't enroll, for example, a group in itself. For verbiage, use Members for objects enrolled in this object, and Member of: in place of parent. Other than that, it looks good.
pushed to master
Re: [Freeipa-devel] [PATCH] Improvements to enrollments in the webUI.
On 01/04/2011 12:45 PM, Adam Young wrote:
On 01/04/2011 10:34 AM, Pavel Zuna wrote:
The patch is a bit bigger and more complex, so I expect this to be the first shot at it. There are some places where we need to handle localization better and be more generic when it comes to non-standard relationships like 'enrolledby' etc., but that can be done later. (I put a few TODOs in the code.) Anyway, here's the changelog for this patch:
- Enrollment links in the action panel are now sorted by relationships.
- You can only enroll members. (The webUI made the impression you can enroll parents as well, but it was broken.)
- When enrolling new members, you can choose not to display already enrolled ones. (On by default.)
- Couple of cosmetic changes.
IT DEPENDS ON MY PATCH NUMBER 54 (Improve filtering of enrollments search results.)
Pavel
Nack, make sure you filter out the object itself, so you can't enroll, for example, a group in itself. For verbiage, use Members for objects enrolled in this object, and Member of: in place of parent. Other than that, it looks good.
Actually, we can do those as follow-on work. I think this should be pushed, as it is a significant improvement over what we have now.
Re: [Freeipa-devel] [PATCH] Improve filtering of enrollments search results.
On 01/04/2011 03:24 PM, Adam Young wrote:
On 01/04/2011 12:41 PM, Adam Young wrote:
On 01/04/2011 10:30 AM, Pavel Zuna wrote:
This is required for effective filtering of enrollments search results in the webUI and also gives an edge to the CLI. After this patch, each LDAPObject can define its relationships to other LDAPObjects. For now, this is used only for filtering search results by enrollments, but there are probably more benefits to come. You can do this for example:
# search for all users not enrolled in group admins
ipa user-find --not-in-groups=admins
# search for all groups not enrolled in group global with user Pavel
ipa group-find --users=Pavel --not-in-groups=global
# more examples:
ipa group-find --users=Pavel,Jakub --no-users=Honza
ipa hostgroup-find --hosts=webui.pzuna
Pavel
Nack, as is we lose all of the associations for users. I suspect the changes to baseldap are safe, but can you explain why that is the case? Haven't noticed any other shortcomings.
OK, looks like this patch is not responsible for the missing associations. So ACK
Pushed to master
[Freeipa-devel] [PATCH] one liner to re-add in user associations
commit 3390319f4c79564ab579bfbc1e341defb5299e50 Author: Adam Young ayo...@redhat.com Date: Tue Jan 4 22:58:27 2011 -0500 user associations user associations had been removed. This adds them back in. diff --git a/install/static/user.js b/install/static/user.js index 1a2ab44..c0e6fae 100644 --- a/install/static/user.js +++ b/install/static/user.js @@ -69,7 +69,7 @@ function ipa_user(){ entity.create_association_facets(); but we are currently defining the associator using the global function after the registration of the entity */ - + that.create_association_facets(); that.entity_init(); }; ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
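Review bot: the comment block directly above the added `that.create_association_facets();` still says the association facets are defined via the global function after the entity is registered and refers to `entity.create_association_facets()`, while the code now calls `that.create_association_facets()` from inside the entity's own init; update or drop that comment so it does not contradict the call it sits on top of. The commit message says the associations "had been removed" but not by which change, so please name the commit that dropped the call to make the regression traceable.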