[Freeipa-devel] [PATCH] Add support for account unlocking
This patch adds command ipa user-unlock and some LDAP modifications which are required by Kerberos for unlocking to work. Ticket: https://fedorahosted.org/freeipa/ticket/344 Jan From 930409cc86c7ae9d15b03396d3a3078ff1255859 Mon Sep 17 00:00:00 2001 From: Jan Zeleny jzel...@redhat.com Date: Fri, 21 Jan 2011 03:07:53 -0500 Subject: [PATCH] Add support for account unlocking This patch adds command ipa user-unlock and some LDAP modifications which are required by Kerberos for unlocking to work. Ticket: https://fedorahosted.org/freeipa/ticket/344 --- install/share/60kerberos.ldif |4 +++- install/share/default-aci.ldif |2 +- install/share/delegation.ldif | 10 ++ ipalib/plugins/user.py | 24 4 files changed, 38 insertions(+), 2 deletions(-) diff --git a/install/share/60kerberos.ldif b/install/share/60kerberos.ldif index f08329c48cbcd00ce9641582a13e8c6c118dac7c..72800d2426b776f2db119159187cad688eb9 100644 --- a/install/share/60kerberos.ldif +++ b/install/share/60kerberos.ldif @@ -254,6 +254,8 @@ attributetypes: ( 2.16.840.1.113719.1.301.4.52.1 NAME 'krbObjectReferences' EQUA # the additional principal objects and stand alone principal # objects (krbPrincipal) can be created. attributetypes: ( 2.16.840.1.113719.1.301.4.53.1 NAME 'krbPrincContainerRef' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12) +# The time at which administrator unlocked the account +attributetypes: ( 1.3.6.1.4.1.5322.21.2.5 NAME 'krbLastAdminUnlock' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE) # Object Class Definitions # @@ -282,7 +284,7 @@ objectClasses: ( 2.16.840.1.113719.1.301.6.4.1 NAME 'krbKdcService' SUP ( krbSer objectClasses: ( 2.16.840.1.113719.1.301.6.5.1 NAME 'krbPwdService' SUP ( krbService ) ) ## The principal data auxiliary class. Holds principal information ## and is used to store principal information for Person, Service objects. -objectClasses: ( 2.16.840.1.113719.1.301.6.8.1 NAME 'krbPrincipalAux' AUXILIARY MAY ( krbPrincipalName $ krbCanonicalName $ krbUPEnabled $ krbPrincipalKey $ krbTicketPolicyReference $ krbPrincipalExpiration $ krbPasswordExpiration $ krbPwdPolicyReference $ krbPrincipalType $ krbPwdHistory $ krbLastPwdChange $ krbPrincipalAliases $ krbLastSuccessfulAuth $ krbLastFailedAuth $ krbLoginFailedCount $ krbExtraData ) ) +objectClasses: ( 2.16.840.1.113719.1.301.6.8.1 NAME 'krbPrincipalAux' AUXILIARY MAY ( krbPrincipalName $ krbCanonicalName $ krbUPEnabled $ krbPrincipalKey $ krbTicketPolicyReference $ krbPrincipalExpiration $ krbPasswordExpiration $ krbPwdPolicyReference $ krbPrincipalType $ krbPwdHistory $ krbLastPwdChange $ krbPrincipalAliases $ krbLastSuccessfulAuth $ krbLastFailedAuth $ krbLoginFailedCount $ krbExtraData $ krbLastAdminUnlock ) ) ## This class is used to create additional principals and stand alone principals. objectClasses: ( 2.16.840.1.113719.1.301.6.9.1 NAME 'krbPrincipal' SUP ( top ) MUST ( krbPrincipalName ) MAY ( krbObjectReferences ) ) ## The principal references auxiliary class. Holds all principals referred diff --git a/install/share/default-aci.ldif b/install/share/default-aci.ldif index ff0e5aec0af551a34f53e46c85c95bb97a509dc2..35665154fbc29f9f60874adf45f3052010659bba 100644 --- a/install/share/default-aci.ldif +++ b/install/share/default-aci.ldif @@ -9,7 +9,7 @@ aci: (targetattr = userpassword || krbprincipalkey || sambalmpassword || samban aci: (targetattr = userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory)(version 3.0; acl Admins can write passwords; allow (add,delete,write) groupdn=ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX;;) aci: (targetattr = userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory)(version 3.0; acl Password change service can read/write passwords; allow (read, write) userdn=ldap:///krbprincipalname=kadmin/changepw@$REALM,cn=$REALM,cn=kerberos,$SUFFIX;;) aci: (targetattr = userPassword || krbPrincipalKey || krbPasswordExpiration || sambaLMPassword || sambaNTPassword || passwordHistory || krbExtraData)(version 3.0; acl KDC System Account can access passwords; allow (all) userdn=ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX;;) -aci: (targetattr = krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount)(version 3.0; acl KDC System Account can update some fields; allow (write) userdn=ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX;;) +aci: (targetattr = krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || krbLastAdminUnlock)(version 3.0; acl KDC System Account can update some fields; allow (read,write) userdn=ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX;;) aci: (targetattr = krbPrincipalName || krbCanonicalName ||
[Freeipa-devel] [PATCH] Fix crash when displaying values composed of white chars only in CLI.
Fix #825 Pavel From 8a7e6119399aa974457eda41b998cb765186d4eb Mon Sep 17 00:00:00 2001 From: Pavel Zuna pz...@redhat.com Date: Fri, 21 Jan 2011 09:30:23 -0500 Subject: [PATCH] Fix crash when displaying values composed of white-space chars only in CLI. Ticket #825 --- ipalib/cli.py |2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) diff --git a/ipalib/cli.py b/ipalib/cli.py index 54ab1c4..a30375f 100644 --- a/ipalib/cli.py +++ b/ipalib/cli.py @@ -302,6 +302,8 @@ class textui(backend.Backend): text = textwrap.wrap( text, line_len, break_long_words=False ) +if len(text) == 0: +text = [u''] else: text = [text] self.print_indented(format % (attr, text[0]), indent) -- 1.7.1.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 040 Assorted bugs found by pylint
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 https://fedorahosted.org/freeipa/ticket/358 Another part of this effort is running pylint during build. I have started on this, but because we use python's dynamic features quite a lot, pylint produces a big number of false positives. I wrote a small pylint plugin that helps (so it allowed me to review the pylint results sanely), but it's still not complete - I'd like to resume that work during the 2.0.1 bug fixing as there are more pressing issues right now, I think. -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk05YzYACgkQHsardTLnvCWB/wCeJ6iGxvPFf723ZkvIwklgTD00 47kAoJGxQdAVDdU2ezPC28pnd8+xVLlo =DnHR -END PGP SIGNATURE- From f514849ff08c2f7c8ab4823546703bf5793ef912 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek jhro...@redhat.com Date: Thu, 20 Jan 2011 18:25:20 +0100 Subject: [PATCH] Assorted bugs found by pylint https://fedorahosted.org/freeipa/ticket/358 --- ipalib/cli.py | 11 --- ipalib/frontend.py|2 +- ipalib/parameters.py |7 +++ ipalib/pkcs10.py |2 -- ipalib/plugins/dns.py |2 +- ipalib/plugins/group.py |2 +- ipalib/plugins/host.py|1 - ipapython/ipautil.py |4 +--- ipaserver/install/certs.py|2 +- ipaserver/install/installutils.py |4 ++-- ipaserver/install/replication.py |5 ++--- ipaserver/ipaldap.py |2 -- ipaserver/plugins/dogtag.py |4 +--- ipaserver/plugins/ldap2.py|2 +- ipaserver/plugins/ldapapi.py |6 -- ipaserver/servercore.py |8 16 files changed, 18 insertions(+), 46 deletions(-) diff --git a/ipalib/cli.py b/ipalib/cli.py index c634d49..1c1ef07 100644 --- a/ipalib/cli.py +++ b/ipalib/cli.py @@ -618,17 +618,6 @@ class help(frontend.Local): if module == __name__: return return module.split('.')[-1] -# get representation in the form of 'base_module.bare_module.command()' -r = repr(cmd_plugin_proxy) -# skip base module part and the following dot -start = r.find(self._PLUGIN_BASE_MODULE) -if start == -1: -# command module isn't a plugin module, it's a builtin -return None -start += len(self._PLUGIN_BASE_MODULE) + 1 -# parse bare module name -end = r.find('.', start) -return r[start:end] def _get_module_topic(self, module_name): if not sys.modules[module_name]: diff --git a/ipalib/frontend.py b/ipalib/frontend.py index eeed398..96f268b 100644 --- a/ipalib/frontend.py +++ b/ipalib/frontend.py @@ -693,13 +693,13 @@ class Command(HasParam): If the client minor version is less than or equal to the server then let the request proceed. +server_ver = version.LooseVersion(API_VERSION) ver = version.LooseVersion(client_version) if len(ver.version) 2: raise VersionError(cver=ver.version, sver=server_ver.version, server= self.env.xmlrpc_uri) client_major = ver.version[0] client_minor = ver.version[1] -server_ver = version.LooseVersion(API_VERSION) server_major = server_ver.version[0] server_minor = server_ver.version[1] diff --git a/ipalib/parameters.py b/ipalib/parameters.py index 0d6c690..22b0321 100644 --- a/ipalib/parameters.py +++ b/ipalib/parameters.py @@ -1532,6 +1532,13 @@ class AccessTime(Str): if value 1 or value 52: raise ValueError('week of the year out of range') +def _check_doty(self, t): +if not t.isnumeric(): +raise ValueError('day of the year non-numeric') +value = int(t) +if value 1 or value 365: +raise ValueError('day of the year out of range') + def _check_month_num(self, t): if not t.isnumeric(): raise ValueError('month number non-numeric') diff --git a/ipalib/pkcs10.py b/ipalib/pkcs10.py index 2565827..29f9b35 100644 --- a/ipalib/pkcs10.py +++ b/ipalib/pkcs10.py @@ -83,8 +83,6 @@ if __name__ == '__main__': # Read PEM request from stdin and print out its components csrlines = sys.stdin.readlines() -csrlines = fp.readlines() -fp.close() csr = ''.join(csrlines) csr = load_certificate_request(csr) diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py index 6d21097..5b7eb55 100644 --- a/ipalib/plugins/dns.py +++ b/ipalib/plugins/dns.py @@ -369,7 +369,7 @@ class dnsrecord(LDAPObject): ), ) -def is_pkey_zone_record(*keys): +def is_pkey_zone_record(self, *keys): idnsname = keys[-1] if idnsname == '@' or idnsname == ('%s.' % keys[-2]): return True diff --git a/ipalib/plugins/group.py b/ipalib/plugins/group.py index ecf5453..078d535 100644
Re: [Freeipa-devel] [PATCH] 039 Delete the whole DNS record with no parameters
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 01/20/2011 11:53 PM, Simo Sorce wrote: On Thu, 20 Jan 2011 17:27:37 -0500 Dmitri Pal d...@redhat.com wrote: Michael Gregg wrote: Jakub Hrozek wrote: Hi, as discussed in https://bugzilla.redhat.com/show_bug.cgi?id=671019 to delete a DNS RR one has to remove its record types one by one. This patch modifies the behaviour so that if the user runs dnsrecord-del zone record-name with no other parameters, the whole record is removed. Alternative solutions might be to expose the internal command that is able to delete the record (although I think it is counterintuitive to have one command to remove record types and one for the whole record) or have a special flag (--del-all?) to remove the whole record. The patch also fixes the unit tests as they didn't reflect all the recent changes. Going with this patch sounds good, but to make sure, I polled several people here, and they all seemed to think that having to add a --del-all or --del-record flag at the end would be better as it would be less prone to failure where admins would accidentally delete a entire record because they didn't specify anything after the zone record So, maybe we do need a --del-all or --del-record operator. Agree. +1 Someone may simply push enter accidentally while checking what to write after the command. It would be rather unfortunate. Simo. Attached is a new version of the patch that implements --del-all. It also reports failure when deleting a nonexistent RR (new ticket 829). -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk05oPgACgkQHsardTLnvCUqNwCfQ1BOTgx7L2lVcG5a7a6oP8lW sX4AoIDw5xVidcKblzWueO5OwlzkZ6kZ =YkBR -END PGP SIGNATURE- From b34a673c3015dd562a96d7f30973fa10a91b7d8d Mon Sep 17 00:00:00 2001 From: Jakub Hrozek jhro...@redhat.com Date: Thu, 20 Jan 2011 07:54:14 -0500 Subject: [PATCH] Delete the whole DNS record with no parameters Error out when deleting a nonexistent DNS record Also fixes the DNS unit tests. https://fedorahosted.org/freeipa/ticket/816 https://fedorahosted.org/freeipa/ticket/829 --- ipalib/plugins/dns.py| 22 +- tests/test_xmlrpc/test_dns_plugin.py | 32 ++-- 2 files changed, 39 insertions(+), 15 deletions(-) diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py index 5b7eb55..900db0e 100644 --- a/ipalib/plugins/dns.py +++ b/ipalib/plugins/dns.py @@ -380,6 +380,13 @@ class dnsrecord(LDAPObject): return self.api.Object[self.parent_object].get_dn(*keys[:-1], **options) return super(dnsrecord, self).get_dn(*keys, **options) +def attr_to_cli(self, attr): +try: +cliname = attr[:-len('record')].upper() +except IndexError: +cliname = attr +return cliname + api.register(dnsrecord) @@ -518,6 +525,18 @@ class dnsrecord_del(dnsrecord_mod_record): Delete DNS resource record. +takes_options = ( +Flag('del_all', +default=False, +label=_('Delete all associated records'), +), +) + +def execute(self, *keys, **options): +if options.get('del_all', False): +return self.obj.methods.delentry(*keys) +return super(dnsrecord_del, self).execute(*keys, **options) + def update_old_entry_callback(self, entry_attrs, old_entry_attrs): for (a, v) in entry_attrs.iteritems(): if not isinstance(v, (list, tuple)): @@ -526,7 +545,8 @@ class dnsrecord_del(dnsrecord_mod_record): try: old_entry_attrs[a].remove(val) except (KeyError, ValueError): -pass +raise errors.NotFound(reason='%s record with value %s not found' % + (self.obj.attr_to_cli(a), val)) def post_callback(self, keys, entry_attrs): if not self.obj.is_pkey_zone_record(*keys): diff --git a/tests/test_xmlrpc/test_dns_plugin.py b/tests/test_xmlrpc/test_dns_plugin.py index 5fb08fd..6282e95 100644 --- a/tests/test_xmlrpc/test_dns_plugin.py +++ b/tests/test_xmlrpc/test_dns_plugin.py @@ -86,7 +86,8 @@ class test_dns(Declarative): 'dn': u'idnsname=%s,cn=dns,%s' % (dnszone1, api.env.basedn), 'idnsname': [dnszone1], 'idnszoneactive': [u'TRUE'], -'idnssoamname': [u'ns1.%s' % dnszone1], +'idnssoamname': [u'ns1.%s.' % dnszone1], +'nsrecord': [u'ns1.%s.' % dnszone1], 'idnssoarname': [u'root.%s.' % dnszone1], 'idnssoaserial': [fuzzy_digits], 'idnssoarefresh': [fuzzy_digits], @@ -122,7 +123,8 @@ class test_dns(Declarative): 'dn': u'idnsname=%s,cn=dns,%s' %
Re: [Freeipa-devel] [PATCH] 684 rename INTERNAL to NO_CLI
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 01/20/2011 09:10 PM, Rob Crittenden wrote: If we don't want a command to be available on the command-line we need to set a flag in the command. The original was INTERNAL but this was a bit misleading because the command is still available to the XML-RPC listener. Rename it to NO_CLI instead. Also make i18n_messages and json_metadata NO_CLI. ticket 821 rob There's still dns_is_enabled() marked as INTERNAL. Other that that, the patch is fine, so feel free to push after fixing that one place. Jakub -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk05o7IACgkQHsardTLnvCUn9wCghjAPjl2fCpX9CV/Q9ROtETbq vDgAoLYKvYTiAdYJg6qRIn0Izk2v4c3Q =90sl -END PGP SIGNATURE- ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] Fix crash when displaying values composed of white chars only in CLI.
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 01/21/2011 10:35 AM, Pavel Zůna wrote: Fix #825 Pavel Ack -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk05pDIACgkQHsardTLnvCUnmgCdEXblfAXHIj99KZByEhyRGzwC tuIAoIzn7eAWQyrCy6dZkmJGDTFuN8Vb =lGQ+ -END PGP SIGNATURE- ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 685 basic filter tests for acis
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 01/20/2011 10:53 PM, Rob Crittenden wrote: An aci can take a filter as a target. This adds some bare minimum validation to it. It disallows empty filters and executes a search with the filter to see if it is at least well-formed (doesn't mean it will do what the user expects). Note that some odd looking things are actually valid search filters such as 'cn' and 'cn='. ticket 808 rob Ack -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk05pr8ACgkQHsardTLnvCWIiwCfY2UJ6Q9Qudu7RE/t5sZwft9j Cq8An167bXK2oPQ8D+BgcHlz63mYgpKW =L1U5 -END PGP SIGNATURE- ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 686 ipa-client-install output
When running ipa-client-install in unattended mode there were some cases where there was no or not very helpful output describing what is missing. ticket 828 rob From 84ee8b5ffd4a4c909769b94160e3b5a3c890c444 Mon Sep 17 00:00:00 2001 From: Rob Crittenden rcrit...@redhat.com Date: Fri, 21 Jan 2011 10:40:09 -0500 Subject: [PATCH] Improve output when options are not found in non-interactive client install We should still give some feedback when things go wrong when in non-interactive mode. ticket 828 --- ipa-client/ipa-install/ipa-client-install |4 +++- 1 files changed, 3 insertions(+), 1 deletions(-) diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index c95b828..b233097 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -542,6 +542,7 @@ def main(): if options.domain: cli_domain = options.domain elif options.unattended: +print sys.stderr, Unable to discover domain, not provided on command line return ret else: print DNS discovery failed to determine your DNS domain @@ -561,6 +562,7 @@ def main(): if options.server: cli_server = options.server elif options.unattended: +print sys.stderr, Unable to find IPA Server to join return ret else: print DNS discovery failed to find the IPA Server @@ -654,7 +656,7 @@ def main(): sys.stdout.flush() else: if sys.stdin.isatty(): -sys.exit(Password must be provided in non-interactive mode) +sys.exit(Password must be provided in non-interactive mode.\nThis can be done via echo password | ipa-client-install ... or\nwith the -w option.) else: stdin = sys.stdin.readline() -- 1.7.3.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 685 basic filter tests for acis
Jakub Hrozek wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 01/20/2011 10:53 PM, Rob Crittenden wrote: An aci can take a filter as a target. This adds some bare minimum validation to it. It disallows empty filters and executes a search with the filter to see if it is at least well-formed (doesn't mean it will do what the user expects). Note that some odd looking things are actually valid search filters such as 'cn' and 'cn='. ticket 808 rob Ack pushed to master ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] Make command syntax less confusing in help
Jan Zeleny wrote: The patch adds [options] to the syntax line of ipa helpcommand https://fedorahosted.org/freeipa/ticket/733 Jan ack, pushed to master ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 039 Delete the whole DNS record with no parameters
Jakub Hrozek wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 01/20/2011 11:53 PM, Simo Sorce wrote: On Thu, 20 Jan 2011 17:27:37 -0500 Dmitri Pald...@redhat.com wrote: Michael Gregg wrote: Jakub Hrozek wrote: Hi, as discussed in https://bugzilla.redhat.com/show_bug.cgi?id=671019 to delete a DNS RR one has to remove its record types one by one. This patch modifies the behaviour so that if the user runs dnsrecord-delzone record-name with no other parameters, the whole record is removed. Alternative solutions might be to expose the internal command that is able to delete the record (although I think it is counterintuitive to have one command to remove record types and one for the whole record) or have a special flag (--del-all?) to remove the whole record. The patch also fixes the unit tests as they didn't reflect all the recent changes. Going with this patch sounds good, but to make sure, I polled several people here, and they all seemed to think that having to add a --del-all or --del-record flag at the end would be better as it would be less prone to failure where admins would accidentally delete a entire record because they didn't specify anything after the zone record So, maybe we do need a --del-all or --del-record operator. Agree. +1 Someone may simply push enter accidentally while checking what to write after the command. It would be rather unfortunate. Simo. Attached is a new version of the patch that implements --del-all. It also reports failure when deleting a nonexistent RR (new ticket 829). nack, this isn't working properly for me. Here is how I tested: - add a new zone, newzone1 - ipa dnsrecord-add newzone1 as --a-rec 3.4.5.6 - ipa dnsrecord-add newzone1 as Record name: as A record: 3.4.5.6 - ipa dnsrecord-show newzone1 as Record name: as A record: 3.4.5.6 - ipa dnsrecord-del newzone1 as --del-all [ no output ] - ipa dnsrecord-show newzone1 as ipa: ERROR: as: DNS resource record not found So a couple of problems: 1. An error should have been thrown when I tried a delete without a specific record type. 2. Some output should be displayed when I delete all records, at least a summary. rob ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 686 ipa-client-install output
On Fri, 21 Jan 2011 10:42:52 -0500 Rob Crittenden rcrit...@redhat.com wrote: When running ipa-client-install in unattended mode there were some cases where there was no or not very helpful output describing what is missing. ticket 828 rob ACK Simo. -- Simo Sorce * Red Hat, Inc * New York ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 684 rename INTERNAL to NO_CLI
Jakub Hrozek wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 01/20/2011 09:10 PM, Rob Crittenden wrote: If we don't want a command to be available on the command-line we need to set a flag in the command. The original was INTERNAL but this was a bit misleading because the command is still available to the XML-RPC listener. Rename it to NO_CLI instead. Also make i18n_messages and json_metadata NO_CLI. ticket 821 rob There's still dns_is_enabled() marked as INTERNAL. Other that that, the patch is fine, so feel free to push after fixing that one place. Jakub re-based and pushed to master rob ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 680 ldap lockout
Simo Sorce wrote: On Wed, 19 Jan 2011 14:15:05 +0100 Jan Zelenýjzel...@redhat.com wrote: Rob Crittendenrcrit...@redhat.com wrote: Rob Crittenden wrote: Jan Zeleny wrote: Rob Crittendenrcrit...@redhat.com wrote: Update kerberos password policy values on LDAP binds. This is so locked-out accounts in kerberos don't try things using LDAP instead. On a failed bind this will update krbLoginFailedCount and krbLastFailedAuth and will potentially fail the bind altogether. On a successful bind it will zero krbLoginFailedCount and set krbLastSuccessfulAuth. This will also enforce locked-out accounts. See http://k5wiki.kerberos.org/wiki/Projects/Lockout for details on kerberos lockout. ticket 343 Ack, good job Jan Simo and Nathan pointed out that the update model I'm using is vulnerable to multi-threaded attack and suggested that rather than using REPLACE I do a DELETE/ADD to be sure that I'm updating the counter appropriately. I've got the basics done, need to re-run through valgrind. Will submit another patch shortly. rob Updated patch attached. Be more careful when updating the failed count. rob The patch looks good and it works fine, if Simo doesn't have any more security comments: ACK. Patch looks good to me. I only wonder if it would make sense to try to cache the entry between the pre-op and the post-op, but given it is just fetched I guess DS caches it in memory anyways, so probably not a big deal in any case. Simo. pushed to master ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] Fix crash when displaying values composed of white chars only in CLI.
Pavel Zůna wrote: Fix #825 Pavel Should we instead prevent storing white space instead? On the cli someone would have to go through the trouble of quoting the space but in the UI I think it would be pretty easy to accidentally hit a space on a field and save it. rob ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] Fix crash when displaying values composed of white chars only in CLI.
On Fri, 21 Jan 2011 14:31:11 -0500 Rob Crittenden rcrit...@redhat.com wrote: Pavel Zůna wrote: Fix #825 Pavel Should we instead prevent storing white space instead? On the cli someone would have to go through the trouble of quoting the space but in the UI I think it would be pretty easy to accidentally hit a space on a field and save it. Someone may want to store a space on purpose, or have some other program do it underneath the UI. So fixing the crash is necessary. Whether we also want to prevent storing whitespace is a separate question IMHO. Simo. -- Simo Sorce * Red Hat, Inc * New York ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] fix API.txt
A couple of recent patches missed changes to API.txt. I pushed the attached under the 1-liner rule. rob From 5d27ba4f637e45320c46f7c9112aa88d450b8215 Mon Sep 17 00:00:00 2001 From: Rob Crittenden rcrit...@redhat.com Date: Fri, 21 Jan 2011 15:12:34 -0500 Subject: [PATCH] Add new option to dns_del and always ask permission options --- API.txt | 39 --- 1 files changed, 20 insertions(+), 19 deletions(-) diff --git a/API.txt b/API.txt index 650c47a..b9e4636 100644 --- a/API.txt +++ b/API.txt @@ -579,9 +579,10 @@ output: Output('summary', (type 'unicode', type 'NoneType'), 'User-friendly output: Entry('result', type 'dict', Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) output: Output('value', type 'unicode', The primary_key value of the entry, e.g. 'jdoe' for a user) command: dnsrecord_del -args: 2,41,3 +args: 2,42,3 arg: Str('dnszoneidnsname', cli_name='dnszone', label=Gettext('Zone name', domain='ipa', localedir=None), query=True, required=True) arg: Str('idnsname', attribute=True, cli_name='name', label=Gettext('Record name', domain='ipa', localedir=None), multivalue=False, primary_key=True, query=True, required=True) +option: Flag('del_all', autofill=True, default=False, label=Gettext('Delete all associated records', domain='ipa', localedir=None)) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui', flags=['no_output']) option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui', flags=['no_output']) option: Str('version?', exclude='webui', flags=['no_option', 'no_output']) @@ -1580,12 +1581,12 @@ args: 1,13,3 arg: Str('cn', attribute=True, cli_name='name', label=Gettext('Permission name', domain='ipa', localedir=None), multivalue=False, normalizer=lambda, primary_key=True, required=True) option: Str('description', attribute=True, cli_name='desc', label=Gettext('Description', domain='ipa', localedir=None), multivalue=False, required=True) option: List('permissions', attribute=True, cli_name='permissions', label=Gettext('Permissions', domain='ipa', localedir=None), multivalue=True, required=True) -option: List('attrs', attribute=True, cli_name='attrs', label=Gettext('Attributes', domain='ipa', localedir=None), multivalue=True, normalizer=lambda, required=False) -option: StrEnum('type', attribute=True, cli_name='type', label=Gettext('Type', domain='ipa', localedir=None), multivalue=False, required=False, values=(u'user', u'group', u'host', u'service', u'hostgroup', u'netgroup', u'dns')) -option: Str('memberof', attribute=True, cli_name='memberof', label=Gettext('Member of group', domain='ipa', localedir=None), multivalue=False, required=False) -option: Str('filter', attribute=True, cli_name='filter', label=Gettext('Filter', domain='ipa', localedir=None), multivalue=False, required=False) -option: Str('subtree', attribute=True, cli_name='subtree', label=Gettext('Subtree', domain='ipa', localedir=None), multivalue=False, required=False) -option: Str('targetgroup', attribute=True, cli_name='targetgroup', label=Gettext('Target group', domain='ipa', localedir=None), multivalue=False, required=False) +option: List('attrs', alwaysask=True, attribute=True, cli_name='attrs', label=Gettext('Attributes', domain='ipa', localedir=None), multivalue=True, normalizer=lambda, required=False) +option: StrEnum('type', alwaysask=True, attribute=True, cli_name='type', label=Gettext('Type', domain='ipa', localedir=None), multivalue=False, required=False, values=(u'user', u'group', u'host', u'service', u'hostgroup', u'netgroup', u'dns')) +option: Str('memberof', alwaysask=True, attribute=True, cli_name='memberof', label=Gettext('Member of group', domain='ipa', localedir=None), multivalue=False, required=False) +option: Str('filter', alwaysask=True, attribute=True, cli_name='filter', label=Gettext('Filter', domain='ipa', localedir=None), multivalue=False, required=False) +option: Str('subtree', alwaysask=True, attribute=True, cli_name='subtree', label=Gettext('Subtree', domain='ipa', localedir=None), multivalue=False, required=False) +option: Str('targetgroup', alwaysask=True, attribute=True, cli_name='targetgroup', label=Gettext('Target group', domain='ipa', localedir=None), multivalue=False, required=False) option: Str('addattr*', validate_add_attribute, cli_name='addattr', exclude='webui') option: Str('setattr*', validate_set_attribute, cli_name='setattr', exclude='webui') option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui', flags=['no_output']) @@ -1617,12 +1618,12 @@ arg: Str('criteria?') option: Str('cn', attribute=True, autofill=False, cli_name='name', label=Gettext('Permission name', domain='ipa', localedir=None), multivalue=False, normalizer=lambda, primary_key=True, query=True, required=False) option: Str('description', attribute=True, autofill=False, cli_name='desc', label=Gettext('Description', domain='ipa', localedir=None), multivalue=False,
Re: [Freeipa-devel] [PATCH] fix API.txt
On Fri, 21 Jan 2011 15:14:52 -0500 Rob Crittenden rcrit...@redhat.com wrote: A couple of recent patches missed changes to API.txt. I pushed the attached under the 1-liner rule. rob This begs the question: how were they tested? why both the submitter and the reviewer didn't see the build failing ? Simo. -- Simo Sorce * Red Hat, Inc * New York ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] fix API.txt
On 01/21/2011 09:14 PM, Rob Crittenden wrote: +option: Flag('del_all', autofill=True, default=False, label=Gettext('Delete all associated records', domain='ipa', localedir=None)) I think you accidentally generated API.txt while still having my Nacked DNS patch in tree. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] fix API.txt
On 01/21/2011 09:48 PM, Simo Sorce wrote: On Fri, 21 Jan 2011 15:14:52 -0500 Rob Crittendenrcrit...@redhat.com wrote: A couple of recent patches missed changes to API.txt. I pushed the attached under the 1-liner rule. rob This begs the question: how were they tested? why both the submitter and the reviewer didn't see the build failing ? Simo. This is weird - my recent DNS plugin patch should have broken the API (it adds a new parameter --del-all) but I'm able to run make rpms just fine even without Rob's API additions. Also running ./makeapi --validate is OK. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 039 Delete the whole DNS record with no parameters
On 01/21/2011 11:54 AM, Rob Crittenden wrote: Jakub Hrozek wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 01/20/2011 11:53 PM, Simo Sorce wrote: On Thu, 20 Jan 2011 17:27:37 -0500 Dmitri Pald...@redhat.com wrote: Michael Gregg wrote: Jakub Hrozek wrote: Hi, as discussed in https://bugzilla.redhat.com/show_bug.cgi?id=671019 to delete a DNS RR one has to remove its record types one by one. This patch modifies the behaviour so that if the user runs dnsrecord-delzone record-name with no other parameters, the whole record is removed. Alternative solutions might be to expose the internal command that is able to delete the record (although I think it is counterintuitive to have one command to remove record types and one for the whole record) or have a special flag (--del-all?) to remove the whole record. The patch also fixes the unit tests as they didn't reflect all the recent changes. Going with this patch sounds good, but to make sure, I polled several people here, and they all seemed to think that having to add a --del-all or --del-record flag at the end would be better as it would be less prone to failure where admins would accidentally delete a entire record because they didn't specify anything after the zone record So, maybe we do need a --del-all or --del-record operator. Agree. +1 Someone may simply push enter accidentally while checking what to write after the command. It would be rather unfortunate. Simo. Attached is a new version of the patch that implements --del-all. It also reports failure when deleting a nonexistent RR (new ticket 829). Does any of this imply that we shopuld change the WebUI handling of Zone or Record deletes? nack, this isn't working properly for me. Here is how I tested: - add a new zone, newzone1 - ipa dnsrecord-add newzone1 as --a-rec 3.4.5.6 - ipa dnsrecord-add newzone1 as Record name: as A record: 3.4.5.6 - ipa dnsrecord-show newzone1 as Record name: as A record: 3.4.5.6 - ipa dnsrecord-del newzone1 as --del-all [ no output ] - ipa dnsrecord-show newzone1 as ipa: ERROR: as: DNS resource record not found So a couple of problems: 1. An error should have been thrown when I tried a delete without a specific record type. 2. Some output should be displayed when I delete all records, at least a summary. rob ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel