Re: [Freeipa-devel] [PATCH] 713 handle failed passwords in tools
Rob Crittenden rcrit...@redhat.com wrote: Handle bad DM password in ipa-host-net-manage and ipa-compat-manage. This was resulting in a traceback because while conn was not None it wasn't connected either. ticket 920 rob ack jan ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] Code cleanup
Hi, I'd like to propose this cleanup patch. I just noticed that the code in these two files is most likely not used any more (at least I didn't find a place where it is used). What do you think? Is it safe to throw it out? Or are there some places which are still using it? I'd be more than happy to move parts that are used somewhere else and delete the rest. -- Thank you Jan Zeleny Red Hat Software Engineer Brno, Czech Republic From 3c243e529694b5b9c959cbba798fe3121ebb9237 Mon Sep 17 00:00:00 2001 From: Jan Zeleny jzel...@redhat.com Date: Mon, 14 Feb 2011 07:17:10 -0500 Subject: [PATCH] Code cleanup This patch removes two files which seem to be long obsoleted and not used any more. --- ipaserver/plugins/ldapapi.py | 445 - ipaserver/servercore.py | 448 -- 2 files changed, 0 insertions(+), 893 deletions(-) delete mode 100644 ipaserver/plugins/ldapapi.py delete mode 100644 ipaserver/servercore.py diff --git a/ipaserver/plugins/ldapapi.py b/ipaserver/plugins/ldapapi.py deleted file mode 100644 index 1ef84579cd5a5d896f8a259e5c531931339ec3e9.. --- a/ipaserver/plugins/ldapapi.py +++ /dev/null 
@@ -1,445 +0,0 @@ -# Authors: -# Rob Crittenden rcrit...@redhat.com -# Jason Gerard DeRose jder...@redhat.com -# -# Copyright (C) 2008 Red Hat -# see file 'COPYING' for use and warranty information -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see http://www.gnu.org/licenses/. - - -Backend plugin for LDAP. - -This wraps the python-ldap bindings. - - -import ldap as _ldap -from ipalib import api -from ipalib import errors -from ipalib.crud import CrudBackend -from ipaserver import servercore, ipaldap -import krbV - - -class ldap(CrudBackend): - -LDAP backend plugin. - - -def __init__(self): -self.dn = _ldap.dn -super(ldap, self).__init__() - -def create_connection(self, ccache): -if ccache is None: -raise errors.CCacheError() -conn = ipaldap.IPAdmin(self.env.ldap_host, self.env.ldap_port) -principal = krbV.CCache( -name=ccache, context=krbV.default_context() -).principal().name -conn.set_krbccache(ccache, principal) -return conn - -def destroy_connection(self): -self.conn.unbind_s() - -def make_user_dn(self, uid): - -Construct user dn from uid. - -return 'uid=%s,%s,%s' % ( -self.dn.escape_dn_chars(uid), -self.api.env.container_user, -self.api.env.basedn, -) - -def make_group_dn(self, cn): - -Construct group dn from cn. - -return 'cn=%s,%s,%s' % ( -self.dn.escape_dn_chars(cn), -self.api.env.container_group, -self.api.env.basedn, -) - -def make_hostgroup_dn(self, cn): - -Construct group of hosts dn from cn. 
- -return 'cn=%s,%s,%s' % ( -self.dn.escape_dn_chars(cn), -self.api.env.container_hostgroup, -self.api.env.basedn, -) - -def make_taskgroup_dn(self, cn): - -Construct group of tasks dn from cn. - -return 'cn=%s,%s,%s' % ( -self.dn.escape_dn_chars(cn), -self.api.env.container_taskgroup, -self.api.env.basedn, -) - -def make_service_dn(self, principal): - -Construct service principal dn from principal name - -return 'krbprincipalname=%s,%s,%s' % ( -self.dn.escape_dn_chars(principal), -self.api.env.container_service, -self.api.env.basedn, -) - -def make_host_dn(self, hostname): - -Construct host dn from hostname - -return 'fqdn=%s,%s,%s' % ( -self.dn.escape_dn_chars(hostname), -self.api.env.container_host, -self.api.env.basedn, -) - -def make_application_dn(self, appname): - -Construct application dn from cn. - -return 'cn=%s,%s,%s' % ( -self.dn.escape_dn_chars(appname), -self.api.env.container_applications, -self.api.env.basedn, -) - -def make_policytemplate_dn(self, appname, uuid): - -Construct policytemplate dn from appname - -
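Review bot: the commit message says the two files only "seem to be" unused, and the deleted ipaserver/plugins/ldapapi.py itself does `from ipaserver import servercore, ipaldap`, so the two deleted files reference each other and the diff alone does not show that nothing else references them. Please record in the commit message how non-use was checked (for example a tree-wide search for imports of `servercore` and of `ipaserver.plugins.ldapapi`), since a remaining importer would only fail when it is imported.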
Re: [Freeipa-devel] [PATCH] 715 ensure required variables are required
Rob Crittenden rcrit...@redhat.com wrote: Yi found a tricky way to remove required attributes that aren't required in the schema. The problem was we weren't enforcing parameter.required in mods (because it was enforcing that every variable with required be provided). I added a new check routine that is executed after setattr/addattr does its work and verifies that no required parameters get skipped. ticket 852 rob Looks fine, works as expected. ACK I'm just not sure whether it is necessary to call the function twice - once on self.params and once on self.obj.params (I get the latter one, but I'm not sure whether the former one is necessary). Jan
Re: [Freeipa-devel] [PATCH] 715 ensure required variables are required
Jan Zelený jzel...@redhat.com wrote: Rob Crittenden rcrit...@redhat.com wrote: Yi found a tricky way to remove required attributes that aren't required in the schema. The problem was we weren't enforcing parameter.required in mods (because it was enforcing that every variable with required be provided). I added a new check routine that is executed after setattr/addattr does its work and verifies that no required parameters get skipped. ticket 852 rob Looks fine, works as expected. ACK I'm just not sure whether it is necessary to call the function twice - once on self.params and once on self.obj.params (I get the latter one, but I'm not sure whether the former one is necessary). Jan One more thing - I'm not sure whether it is necessary to add the check to LDAPCreate - I tried to create role with empty description and it failed as expected. Jan
Re: [Freeipa-devel] [PATCH] 051 Remove obsolete record types from DNS
Jakub Hrozek jhro...@redhat.com wrote: https://fedorahosted.org/freeipa/ticket/923 Patch looks good. I'm running some tests. Unless they fail, ACK Jan
Re: [Freeipa-devel] [PATCH] 718 move files in packages
Rob Crittenden rcrit...@redhat.com wrote: Move a bunch of utilities that really only make sense to be run on the server from the admintools package to the server package. ticket 947 rob ack Jan
Re: [Freeipa-devel] [PATCH] 719 permission for cn=ipaconfig
Rob Crittenden rcrit...@redhat.com wrote: Add permission and privilege for updating the IPA configuration in cn=ipaconfig. ticket 950 rob I'm not quite sure how the patch works. In particular, I wonder about these two blocks: +dn: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX +default:objectClass: top +default:objectClass: groupofnames +default:objectClass: nestedgroup +default:cn: Write IPA Configuration + +dn: cn=Write IPA Configuration,cn=permissions,cn=pbac,$SUFFIX +default:objectClass: top +default:objectClass: groupofnames +default:objectClass: ipapermission +default:cn: Write IPA Configuration +default:member: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX Can't they be specified in one block like: +dn: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX +default:objectClass: top +default:objectClass: groupofnames +default:objectClass: nestedgroup +default:objectClass: ipapermission +default:cn: Write IPA Configuration +default:member: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX Thanks in advance Otherwise the patch looks good, so if this is not an issue, I give it ACK. Jan
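Review bot: in the quoted hunk the two entries share the cn "Write IPA Configuration" and differ only in container (cn=privileges vs cn=permissions) and in one objectClass (nestedgroup vs ipapermission), which is easy to misread as a single entry split in two. A short comment above each `dn:` line saying which entry is the privilege and which is the permission, and that the permission's `member` value points at the privilege, would make the intent clear to the next reader of the update file.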
Re: [Freeipa-devel] [PATCH] 716 ignore case when removing members
Rob Crittenden rcrit...@redhat.com wrote: Ignore case when removing members from a group. ticket 944 rob ack Jan
Re: [Freeipa-devel] [PATCH] 719 permission for cn=ipaconfig
Martin Kosek mko...@redhat.com wrote: On Mon, 2011-02-14 at 14:37 +0100, Jan Zelený wrote: Rob Crittenden rcrit...@redhat.com wrote: Add permission and privilege for updating the IPA configuration in cn=ipaconfig. ticket 950 rob I'm not quite sure how the patch works. In particular, I wonder about these two blocks: +dn: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX +default:objectClass: top +default:objectClass: groupofnames +default:objectClass: nestedgroup +default:cn: Write IPA Configuration + +dn: cn=Write IPA Configuration,cn=permissions,cn=pbac,$SUFFIX +default:objectClass: top +default:objectClass: groupofnames +default:objectClass: ipapermission +default:cn: Write IPA Configuration +default:member: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX Can't they be specified in one block like: +dn: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX +default:objectClass: top +default:objectClass: groupofnames +default:objectClass: nestedgroup +default:objectClass: ipapermission +default:cn: Write IPA Configuration +default:member: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX Thanks in advance Otherwise the patch looks good, so if this is not an issue, I give it ACK. Jan I think this is OK. We are adding 2 objects - one permission called Write IPA Configuration (with an underlying ACI) and one privilege also called Write IPA Configuration. Therefore they cannot be merged to one LDAP object. Oh, sorry, I didn't see that one object is privilege and another one is permission. Jan
Re: [Freeipa-devel] [PATCH] 712 drop kw from JSON error
Adam Young wrote: On 02/11/2011 10:37 AM, Rob Crittenden wrote: Jakub Hrozek wrote: On Thu, Feb 10, 2011 at 01:39:40PM -0500, Rob Crittenden wrote: The kw could contain another exception which was blowing up the marshalling. It doesn't seem to be used anywhere and contains information we've already saved in error as far as I can tell. ticket 905 rob Ack pushed to master This might have been premature. See ticket https://fedorahosted.org/freeipa/ticket/956 Looks unrelated. Did you actually get the TypeError exception in the UI? That would be a recent improvement if you did. This looks like a bug in the dns plugin at first glance to me. rob
Re: [Freeipa-devel] [PATCH] 719 permission for cn=ipaconfig
Jan Zelený wrote: Rob Crittenden rcrit...@redhat.com wrote: Add permission and privilege for updating the IPA configuration in cn=ipaconfig. ticket 950 rob I'm not quite sure how the patch works. In particular, I wonder about these two blocks: +dn: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX +default:objectClass: top +default:objectClass: groupofnames +default:objectClass: nestedgroup +default:cn: Write IPA Configuration + +dn: cn=Write IPA Configuration,cn=permissions,cn=pbac,$SUFFIX +default:objectClass: top +default:objectClass: groupofnames +default:objectClass: ipapermission +default:cn: Write IPA Configuration +default:member: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX Can't they be specified in one block like: +dn: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX +default:objectClass: top +default:objectClass: groupofnames +default:objectClass: nestedgroup +default:objectClass: ipapermission +default:cn: Write IPA Configuration +default:member: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX Thanks in advance Otherwise the patch looks good, so if this is not an issue, I give it ACK. Jan Yeah, I know it's redundant looking but these need to be 2 separate records. Privileges are for the most part a 1-1 relationship to permissions but not always. We wanted to have this intermediate object to make things easier for the end-user when assigning them to roles. rob
[Freeipa-devel] [PATCH] 16 Bugfix for ipa-client-install echo's password in cleartext to stdout
During the ipa-client-install, when prompted for the principal password, it is possible to start typing and have the password echoed back. This patch corrects this behavior and addresses bug #959 https://fedorahosted.org/freeipa/ticket/959 Attachment: freeipa-jraquino-0016-Bugfix-for-ipa-client-install-echo-s-password-in-cle.patch
Re: [Freeipa-devel] [PATCH] 715 ensure required variables are required
Jan Zelený wrote: Jan Zelený jzel...@redhat.com wrote: Rob Crittenden rcrit...@redhat.com wrote: Yi found a tricky way to remove required attributes that aren't required in the schema. The problem was we weren't enforcing parameter.required in mods (because it was enforcing that every variable with required be provided). I added a new check routine that is executed after setattr/addattr does its work and verifies that no required parameters get skipped. ticket 852 rob Looks fine, works as expected. ACK I'm just not sure whether it is necessary to call the function twice - once on self.params and once on self.obj.params (I get the latter one, but I'm not sure whether the former one is necessary). Hmm, you may be right. I did it in case any of self.params had a requires on it, but since this is a mod operation then I think by definition it can't. Jan One more thing - I'm not sure whether it is necessary to add the check to LDAPCreate - I tried to create role with empty description and it failed as expected. I think you're. I did it to prevent something like this: # ipa group-add --desc='foo' --setattr description='' foo but it is already handled. I'll work up a new patch. rob
Re: [Freeipa-devel] [PATCH] 713 handle failed passwords in tools
Jan Zelený wrote: Rob Crittenden rcrit...@redhat.com wrote: Handle bad DM password in ipa-host-net-manage and ipa-compat-manage. This was resulting in a traceback because while conn was not None it wasn't connected either. ticket 920 rob ack jan pushed to master
Re: [Freeipa-devel] [PATCH] 054 Fix checking for arguments in DNS plugins
On 02/12/2011 03:45 PM, Jakub Hrozek wrote: I couldn't reproduce the traceback, but the code shows where the error most probably is. http://fedorahosted.org/freeipa/ticket/956 ACK, pushed to master
Re: [Freeipa-devel] [PATCH] 715 ensure required variables are required
Rob Crittenden wrote: Jan Zelený wrote: Jan Zelený jzel...@redhat.com wrote: Rob Crittenden rcrit...@redhat.com wrote: Yi found a tricky way to remove required attributes that aren't required in the schema. The problem was we weren't enforcing parameter.required in mods (because it was enforcing that every variable with required be provided). I added a new check routine that is executed after setattr/addattr does its work and verifies that no required parameters get skipped. ticket 852 rob Looks fine, works as expected. ACK I'm just not sure whether it is necessary to call the function twice - once on self.params and once on self.obj.params (I get the latter one, but I'm not sure whether the former one is necessary). Hmm, you may be right. I did it in case any of self.params had a requires on it, but since this is a mod operation then I think by definition it can't. Jan One more thing - I'm not sure whether it is necessary to add the check to LDAPCreate - I tried to create role with empty description and it failed as expected. I think you're. I did it to prevent something like this: # ipa group-add --desc='foo' --setattr description='' foo but it is already handled. I'll work up a new patch. rob Updated patch attached. rob Attachment: freeipa-rcrit-715-2-required.patch
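The check discussed in this thread, as an added sketch that is not FreeIPA's code and not the attached patch: a mod applies --setattr/--addattr first and only afterwards verifies that no parameter marked required was left empty, without forcing the mod to supply every required parameter again. The `Param` class, the function names, the rule that an empty --setattr value removes the attribute, and the sample group entry are all assumptions made for illustration.

```python
"""Model of enforcing `required` on a mod after setattr/addattr are applied."""
from dataclasses import dataclass


class RequirementError(Exception):
    """Raised when a mod would leave a required parameter without a value."""


@dataclass(frozen=True)
class Param:
    name: str
    required: bool = False


# Hypothetical object definition: description is required by the framework
# even though the directory schema would accept an entry without it.
GROUP_PARAMS = (
    Param("cn", required=True),
    Param("description", required=True),
    Param("gidnumber"),
)

# Constructed sample entry (attribute name -> list of values).
SAMPLE_GROUP = {"cn": ["editors"], "description": ["foo"], "gidnumber": ["1234"]}


def _parse(option):
    """Split 'attr=value' into (attr, value); the value may be empty."""
    attr, sep, value = option.partition("=")
    if not sep or not attr.strip():
        raise ValueError("expected attr=value, got %r" % (option,))
    return attr.strip().lower(), value


def apply_attr_options(entry, setattr_opts=(), addattr_opts=()):
    """Return a copy of entry with --setattr and --addattr options applied."""
    result = {name: list(values) for name, values in entry.items()}
    for option in setattr_opts:
        attr, value = _parse(option)
        # Assumption of this model: an empty value removes the attribute.
        result[attr] = [value] if value != "" else []
    for option in addattr_opts:
        attr, value = _parse(option)
        if value != "":
            result.setdefault(attr, []).append(value)
    return result


def check_required_after_mod(params, original, modified):
    """Reject a mod that empties a required parameter.

    Only parameters whose values the mod changed are checked, so a mod that
    touches one attribute is not asked to re-supply all required ones.
    """
    for param in params:
        if not param.required:
            continue
        before = original.get(param.name, [])
        after = modified.get(param.name, [])
        if after == before:
            continue  # this mod did not touch the parameter
        if not any(str(value).strip() for value in after):
            raise RequirementError(param.name)


def group_mod(entry, setattr_opts=(), addattr_opts=()):
    """Apply the raw attribute options, then run the post-check."""
    modified = apply_attr_options(entry, setattr_opts, addattr_opts)
    check_required_after_mod(GROUP_PARAMS, entry, modified)
    return modified


if __name__ == "__main__":
    try:
        group_mod(SAMPLE_GROUP, setattr_opts=["description="])
    except RequirementError as err:
        print("rejected: required parameter emptied:", err)
    print(group_mod(SAMPLE_GROUP, setattr_opts=["gidnumber="]))
```
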
Re: [Freeipa-devel] [PATCH] 716 ignore case when removing members
Jan Zelený wrote: Rob Crittenden rcrit...@redhat.com wrote: Ignore case when removing members from a group. ticket 944 rob ack Jan pushed to master
Re: [Freeipa-devel] [PATCH] 718 move files in packages
Jan Zelený wrote: Rob Crittenden rcrit...@redhat.com wrote: Move a bunch of utilities that really only make sense to be run on the server from the admintools package to the server package. ticket 947 rob ack Jan pushed to master
Re: [Freeipa-devel] [PATCH] 719 permission for cn=ipaconfig
Jan Zelený wrote: Martin Kosek mko...@redhat.com wrote: On Mon, 2011-02-14 at 14:37 +0100, Jan Zelený wrote: Rob Crittenden rcrit...@redhat.com wrote: Add permission and privilege for updating the IPA configuration in cn=ipaconfig. ticket 950 rob I'm not quite sure how the patch works. In particular, I wonder about these two blocks: +dn: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX +default:objectClass: top +default:objectClass: groupofnames +default:objectClass: nestedgroup +default:cn: Write IPA Configuration + +dn: cn=Write IPA Configuration,cn=permissions,cn=pbac,$SUFFIX +default:objectClass: top +default:objectClass: groupofnames +default:objectClass: ipapermission +default:cn: Write IPA Configuration +default:member: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX Can't they be specified in one block like: +dn: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX +default:objectClass: top +default:objectClass: groupofnames +default:objectClass: nestedgroup +default:objectClass: ipapermission +default:cn: Write IPA Configuration +default:member: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX Thanks in advance Otherwise the patch looks good, so if this is not an issue, I give it ACK. Jan I think this is OK. We are adding 2 objects - one permission called Write IPA Configuration (with an underlying ACI) and one privilege also called Write IPA Configuration. Therefore they cannot be merged to one LDAP object. Oh, sorry, I didn't see that one object is privilege and another one is permission. Jan pushed to master
Re: [Freeipa-devel] [PATCH] 720 provide some logging by default
JR Aquino wrote: On 2/11/11 2:26 PM, Rob Crittenden rcrit...@redhat.com wrote: If neither verbose nor debug were set (and they aren't by default) then we logged absolutely nothing about framework requests. This adds a default of who, what, result in the Apache error log. This is a first-step for ticket 873 just to get something logged by default. rob ACK pushed to master
Re: [Freeipa-devel] [PATCH] 027 Support of user default email domain
Jakub Hrozek wrote: On Fri, Feb 04, 2011 at 03:20:55PM +0100, Martin Kosek wrote: This patch fixes the default domain functionality for user email(s). This setting may be configured via: ipa config-mod --emaildomain=example.com Then, when user is added/modified and --mail option is passed, the default domain is appended if the passed attribute does not contain another domain already. https://fedorahosted.org/freeipa/ticket/598 Ack pushed to master
Re: [Freeipa-devel] [PATCH] Fixed type of argument in class help
Jakub Hrozek wrote: On 02/07/2011 10:54 AM, Jan Zelený wrote: Jakub Hrozek jhro...@redhat.com wrote: On Wed, Feb 02, 2011 at 08:54:47AM +0100, Jan Zelený wrote: At Rob's suggestion I changed the argument type in class help, this is only oneliner, I think it can be pushed directly. Jan -takes_args = (Bytes('command?'),) +takes_args = (Str('command?'),) Nack, you also need to import Str from parameters. Sorry, could have given you a heads-up: this patch should be pushed along with my 30-3 patch from last Wednesday which still waits to be re-reviewed. The import is in that patch. Jan OK, in that case ack on top of patch #30 (or simply squash the change into 30-4, there's no separate ticket anyway) Pushed to master
Re: [Freeipa-devel] [PATCH] 026 HBAC plugin inconsistent output
Jan Zelený wrote: Martin Kosek mko...@redhat.com wrote: On Mon, 2011-02-07 at 10:38 +0100, Jan Zelený wrote: Martin Kosek mko...@redhat.com wrote: This patch adds a proper summary text to HBAC command which is then printed out in CLI. Now, HBAC plugin output is consistent with other plugins. https://fedorahosted.org/freeipa/ticket/596 I believe API.txt should be updated (you change hbacrule_enable and hbacrule_disable return values), so NACK for now. Jan Patch has been rebased, API.txt updated along with some minor changes to achieve consistency between HBAC plugins. All tests pass. Martin Looks good now, ack Jan pushed to master
Re: [Freeipa-devel] [PATCH] Append realm name to service principal name.
Endi Sukma Dewata wrote: The realm name is necessary to create the correct service. This was fixed by ticket 941, right?
Re: [Freeipa-devel] [PATCH] 707 fix wrapping prompt
Jakub Hrozek wrote: On Wed, Feb 09, 2011 at 01:53:00PM -0500, Rob Crittenden wrote: At least in my xterm the prompt for Do you want to proceed and configure the system with fixed values with no DNS discovery? wraps around over itself. This patch shortens the message. ticket 940 rob Ack I pushed this to master last week.
Re: [Freeipa-devel] [PATCH] 053 Make sure only root can run ipa-client-install
Jakub Hrozek wrote: https://fedorahosted.org/freeipa/ticket/957 ack, pushed to master
Re: [Freeipa-devel] [PATCH] 706 remove certificate from service-find
Jan Zelený wrote: Rob Crittenden rcrit...@redhat.com wrote: Remove certificate as service a search option. There is no point on searching on binary objects. ticket 912 rob ack Jan I pushed this to master last week.
Re: [Freeipa-devel] [PATCH] 78 Use ldapi: instead of unsecured ldap: in ipa core tools.
Pavel Zuna wrote: On 02/08/2011 01:06 PM, Pavel Zuna wrote: The patch also corrects exception handling in some of the tools. Fix #874 Pavel Updated patch attached. Forgot to rename an identifier in exception handling. Pavel This isn't applying cleanly to master, can you rebase it? rob
Re: [Freeipa-devel] [PATCH] 78 Use ldapi: instead of unsecured ldap: in ipa core tools.
On 2/10/11 2:42 AM, Pavel Zuna pz...@redhat.com wrote: On 02/08/2011 01:06 PM, Pavel Zuna wrote: The patch also corrects exception handling in some of the tools. Fix #874 Pavel Updated patch attached. Forgot to rename an identifier in exception handling. Pavel
NACK It looks like LDAPUpdate calls may want to include ldapi=True?
-=-
# ipa-nis-manage enable
Directory Manager password:
Enabling plugin
Traceback (most recent call last):
  File /usr/sbin/ipa-nis-manage, line 211, in module
    sys.exit(main())
  File /usr/sbin/ipa-nis-manage, line 151, in main
    ld = LDAPUpdate(dm_password=dirman_password, sub_dict={})
  File /usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py, line 101, in __init__
    conn.do_simple_bind(bindpw=self.dm_password)
  File /usr/lib/python2.7/site-packages/ipaserver/ipaldap.py, line 350, in do_simple_bind
    self.simple_bind_s(binddn, bindpw)
  File /usr/lib/python2.7/site-packages/ipaserver/ipaldap.py, line 204, in inner
    return f(*args, **kargs)
  File /usr/lib64/python2.7/site-packages/ldap/ldapobject.py, line 207, in simple_bind_s
    return self.result(msgid,all=1,timeout=self.timeout)
  File /usr/lib/python2.7/site-packages/ipaserver/ipaldap.py, line 181, in inner
    objtype, data = f(*args, **kargs)
  File /usr/lib64/python2.7/site-packages/ldap/ldapobject.py, line 436, in result
    res_type,res_data,res_msgid = self.result2(msgid,all,timeout)
  File /usr/lib/python2.7/site-packages/ipaserver/ipaldap.py, line 204, in inner
    return f(*args, **kargs)
  File /usr/lib64/python2.7/site-packages/ldap/ldapobject.py, line 440, in result2
    res_type, res_data, res_msgid, srv_ctrls = self.result3(msgid,all,timeout)
  File /usr/lib/python2.7/site-packages/ipaserver/ipaldap.py, line 204, in inner
    return f(*args, **kargs)
  File /usr/lib64/python2.7/site-packages/ldap/ldapobject.py, line 446, in result3
    ldap_result = self._ldap_call(self._l.result3,msgid,all,timeout)
  File /usr/lib/python2.7/site-packages/ipaserver/ipaldap.py, line 204, in inner
    return f(*args, **kargs)
  File /usr/lib64/python2.7/site-packages/ldap/ldapobject.py, line 96, in _ldap_call
    result = func(*args,**kwargs)
ldap.UNWILLING_TO_PERFORM: {'info': 'Minimum SSF not met.', 'desc': 'Server is unwilling to perform'}
Re: [Freeipa-devel] [PATCH] 698 Translate exception messages
Pavel Zuna wrote: On 02/01/2011 11:36 PM, Rob Crittenden wrote: Pavel mentioned this morning that translations didn't seem to be working. I remembered that I did some things on the cli so I re-tested. Turned out that exceptions aren't being translated. I'm not at all sure this patch does the right thing, so take it with a grain of salt. What it does is translates the message before stuffing it into the exception. Note that this will also translate messages returned via XML-RPC so I wonder if we need to force LANG to en_US.UTF-8 there. In any case, this seems to fix the client side anyway. I'm open to criticism on this one. To test do something like: $ kinit admin $ export LANG=es_US.UTF-8 $ ipa user-add --first=Kermit --last=Frog kfrog $ ipa user-add --first=Kermit --last=Frog kfrog You should get a DuplicateEntry() response in Spanish. rob nack. While this patch works, it doesn't solve the problem at its root. After some investigation I figured out, that functions initializing translations in ipalib/request.py are not called from anywhere. All the translation code in ipalib/request.py is currently deprecated in favor of ipalib/text.py. I'm preparing a patch, that removes the unused code and replaces references to it. Pavel Patch withdrawn, Pavel is working on a better approach.
Re: [Freeipa-devel] [PATCH] Changed dns permission types
Jan Zelený wrote: Rob Crittenden rcrit...@redhat.com wrote: Jan Zelený wrote: Jan Zelený jzel...@redhat.com wrote: Rob Crittenden rcrit...@redhat.com wrote: Jan Zelený wrote: Rob Crittenden rcrit...@redhat.com wrote: Jan Zelený wrote: Recent change of DNS module to version caused that dns object type was replaced by dnszone and dnsrecord. This patch corrects dns types in permissions class. https://fedorahosted.org/freeipa/ticket/646 Nack. These values need to be added as valid types to the aci plugin and the _type_map needs to be updated. rob I'm sending an updated patch. Jan Since dnszone and dnsrecord point to the same kind of entry what is the point of having two separate names for them? When we read the entry we aren't going to be able to differentiate between the two. I didn't take a look how the type thing works, so I'm kinda guessing here (please ignore the comment if it is wrong): Sure, object with idnszone class is always also in dnsrecord class, but that's not the case backwards (idnsrecord object isn't always idnszone) - so I think it is possible to set different ACIs for these two types. Can the type be made more specific? If the mapping doesn't distinguish object classes and it can, maybe that's the answer. Will investigate further. But if not, I still think this is the way to go considering the underline issue which we tried to solve by this change. From what I found I think that making changes necessary to distinguish dnsrecord and dnszone are not worth it, especially that user can use filter for that purpose. Since having both of them doesn't have any additional value, I'm sending new version of the patch, which is only adding dnsrecord type. Jan Ack but this patch needs a rebase. rob Rebased patch in attachment Jan pushed to master
Re: [Freeipa-devel] [PATCH] drop the group.upg NIS map
Nalin Dahyabhai wrote: The group.upg NIS map was an experiment in providing UPG groups dynamically, and is not one of the maps that I'd ever expect a NIS client to know to search. We should probably just drop it. --- install/share/nis.uldif | 12 1 files changed, 0 insertions(+), 12 deletions(-) diff --git a/install/share/nis.uldif b/install/share/nis.uldif index f23b49e..639c88a 100644 --- a/install/share/nis.uldif +++ b/install/share/nis.uldif @@ -45,18 +45,6 @@ default:nis-map: group.bygid default:nis-base: cn=groups, cn=accounts, $SUFFIX default:nis-secure: no -dn: nis-domain=$DOMAIN+nis-map=group.upg, cn=NIS Server, cn=plugins, cn=config -default:objectclass: top -default:objectclass: extensibleObject -default:nis-domain: $DOMAIN -default:nis-map: group.upg -default:nis-base: cn=users, cn=accounts, $SUFFIX -default:nis-filter: (objectclass=posixAccount) -default:nis-key-format: %{uid} -default:nis-value-format: %{uid}:*:%{gidNumber}:%{uid} -default:nis-secure: no -default:nis-disallowed-chars: :, - dn: nis-domain=$DOMAIN+nis-map=netid.byname, cn=NIS Server, cn=plugins, cn=config default:objectclass: top default:objectclass: extensibleObject ack, pushed to master
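Review bot: the hunk at -45,18 only deletes the `dn: nis-domain=$DOMAIN+nis-map=group.upg` definition from install/share/nis.uldif, and with 0 insertions nothing in the patch removes that entry from a server where it has already been created. If the map is meant to disappear on upgraded servers as well, the commit message should say how that happens, or state that leaving it in place there is intended.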
Re: [Freeipa-devel] [PATCH] 025 Detection of v1 server during ipa-client-install
Martin Kosek wrote: On Fri, 2011-02-04 at 09:05 +0100, Jan Zelený wrote: Martin Kosek mko...@redhat.com wrote:

When v2 IPA client is trying to join an IPA v1 server a strange exception is printed out to the user. This patch detects this by catching an XML-RPC error reported by ipa-join binary called in the process which fails on unexisting IPA server 'join' method. wget call had to be changed so that IPA client may get to the ipa-join step. --no-check-certificate had to be added as V1 server automatically redirects the request to self-signed secure connection. https://fedorahosted.org/freeipa/ticket/553

The patch is ok and applies correctly. My only thought was to download the certificate directly from https:///ca.crt instead of plain http, but there is probably no real benefit. ack Jan

Jan, thanks for the review. And yes, I could not see a benefit too. Since the IPA server certificate is not a confidential information the secure connection is not needed. And since we do not trust the server's certificate in this step of installation and --no-check-certificate is used, a secure connection would be used for server identity validation either. Therefore, I would ask for the patch to be pushed. Martin

I can't duplicate the behavior of it redirecting to the SSL port. The /ipa/config directory is purposely excluded from the SSL redirect for this purpose, even on v1 servers. Can we drop that part of the patch? rob
Re: [Freeipa-devel] [PATCH] 703 389-ds startup with krb config
On Thu, Feb 10, 2011 at 10:27:43PM -0500, Rob Crittenden wrote: Rob Crittenden wrote: Jakub Hrozek wrote: On Tue, Feb 08, 2011 at 10:12:27AM -0500, Rob Crittenden wrote:

If /etc/krb5.conf doesn't exist or contains no default kerberos realm then 389-ds won't start at all. This is a problem during installation because we configure 389 first. This patch will let the server come up, you just won't be able to do any joins or password changes until you configure kerberos. ticket 606 rob

I wasn't able to install with this patch when I had no /etc/krb5.conf at all. Here's what the DS error log said:

---
10/Feb/2011:07:30:35 -0500] ipaenrollment_start - [file ipa_enrollment.c, line 389]: Failed to get default realm?!
[10/Feb/2011:07:30:35 -0500] - Failed to start extendedop plugin ipa_enrollment_extop
[10/Feb/2011:07:30:35 -0500] ipaenrollment_start - [file ipa_enrollment.c, line 389]: Failed to get default realm?!
[10/Feb/2011:07:30:35 -0500] - Failed to start extendedop plugin ipa_enrollment_extop
[10/Feb/2011:07:30:36 -0500] ipaenrollment_start - [file ipa_enrollment.c, line 389]: Failed to get default realm?!
[10/Feb/2011:07:30:36 -0500] - Failed to start extendedop plugin ipa_enrollment_extop
---

Looking at ipaenrollment_start(), it looks like the culprit is that when krb5_get_default_realm() fails, ret is set to an error code and returned. It should be either reset to LDAP_SUCCESS or maybe rc should be used instead.

Also one nitpick. This: -static char *realm; -static const char *ipa_realm_dn; +static char *realm = NULL; +static const char *ipa_realm_dn = NULL; Is not necessary, global variables are initialized to NULL automatically.

Updated patch attached. I was able to do full install with this one. rob

Found another problem, new patch. rob

Ack
Re: [Freeipa-devel] [PATCH] admiyo-0196-DNS-record-search.
On 2/11/2011 8:21 PM, Adam Young wrote: ACK and pushed to master. -- Endi S. Dewata
Re: [Freeipa-devel] [PATCH] 0081 Set KrbExtraData when changing passwords
Simo Sorce wrote: Fixes ticket #937 Simo. ack, pushed to master rob
Re: [Freeipa-devel] [PATCH] 717 Add replace to ipa-ldap-updater
On Fri, Feb 11, 2011 at 01:34:39PM -0500, Rob Crittenden wrote:

Add a replace verb to ipa-ldap-updater so an existing value can be replaced, but only if the value matches the old value in the update. This would be used for us to replace default values that the end-user hasn't already updated. The first one of these would be for the kerberos password policy where our default values are on the low side. We don't want to interfere with anything already set. The update file would look like:

dn: cn=global_policy,cn=$REALM,cn=kerberos,$SUFFIX
replace:krbPwdLockoutDuration: 10: 600

dn: cn=global_policy,cn=$REALM,cn=kerberos,$SUFFIX
replace:krbPwdMaxFailure: 3: 6

This patch would obsolete Jan's patch titled 'Updated default Kerberos password policy'. Simo and I had discussed doing something like this in IRC and hadn't communicated our intentions to the rest of the team, sorry about that. rob

Ack
Re: [Freeipa-devel] [PATCH] 0082 - fix per/post operation with krb password change
Simo Sorce wrote: We weren't setting the kerberos metadata when modifying userPassword for a kerberos enabled record. Fixes #949 Simo. ack, pushed to master
Re: [Freeipa-devel] [PATCH] 717 Add replace to ipa-ldap-updater
Jakub Hrozek wrote: On Fri, Feb 11, 2011 at 01:34:39PM -0500, Rob Crittenden wrote:

Add a replace verb to ipa-ldap-updater so an existing value can be replaced, but only if the value matches the old value in the update. This would be used for us to replace default values that the end-user hasn't already updated. The first one of these would be for the kerberos password policy where our default values are on the low side. We don't want to interfere with anything already set. The update file would look like:

dn: cn=global_policy,cn=$REALM,cn=kerberos,$SUFFIX
replace:krbPwdLockoutDuration: 10: 600

dn: cn=global_policy,cn=$REALM,cn=kerberos,$SUFFIX
replace:krbPwdMaxFailure: 3: 6

This patch would obsolete Jan's patch titled 'Updated default Kerberos password policy'. Simo and I had discussed doing something like this in IRC and hadn't communicated our intentions to the rest of the team, sorry about that. rob

Ack

pushed to master
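The conditional replace described in this thread, sketched as an added example; it is not ipa-ldap-updater's code. The function names, the in-memory directory and the example.test realm are assumptions, and only the update-file syntax is taken from the message above.

```python
from string import Template

# Constructed sample in the format quoted in the message above.
SAMPLE_UPDATE = """\
dn: cn=global_policy,cn=$REALM,cn=kerberos,$SUFFIX
replace:krbPwdLockoutDuration: 10: 600

dn: cn=global_policy,cn=$REALM,cn=kerberos,$SUFFIX
replace:krbPwdMaxFailure: 3: 6
"""


def parse_update(text, variables):
    """Return (dn, attr, old, new) tuples for every replace line."""
    ops, dn = [], None
    for raw in text.splitlines():
        line = Template(raw.strip()).safe_substitute(variables)
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("dn:"):
            dn = line[3:].strip().lower()
        elif line.startswith("replace:"):
            if dn is None:
                raise ValueError("replace line before any dn: %r" % raw)
            # attr, old and new are colon-separated, so a value that itself
            # contains ':' is ambiguous in this format and is rejected.
            parts = [p.strip() for p in line[len("replace:"):].split(":")]
            if len(parts) != 3 or not all(parts):
                raise ValueError("expected 'replace:attr: old: new': %r" % raw)
            ops.append((dn, parts[0], parts[1], parts[2]))
    return ops


def apply_replace(directory, ops):
    """Swap old for new only where old is still present.

    directory maps a lower-cased DN to {attribute: [values]}.
    Returns one (dn, attr, status) tuple per operation.
    """
    results = []
    for dn, attr, old, new in ops:
        values = directory.get(dn, {}).get(attr)
        if values is None:
            status = "missing"       # nothing to replace; do not create it
        elif old in values:
            values[values.index(old)] = new
            status = "replaced"      # still the shipped default
        else:
            status = "kept"          # an administrator already changed it
        results.append((dn, attr, status))
    return results


def demo():
    """Run the sample update against one constructed policy entry."""
    dn = "cn=global_policy,cn=example.test,cn=kerberos,dc=example,dc=test"
    directory = {dn: {"krbPwdLockoutDuration": ["10"],   # untouched default
                      "krbPwdMaxFailure": ["5"]}}        # site-specific value
    ops = parse_update(SAMPLE_UPDATE, {"REALM": "EXAMPLE.TEST",
                                       "SUFFIX": "dc=example,dc=test"})
    return apply_replace(directory, ops), directory[dn]


if __name__ == "__main__":
    print(demo())
```

In the sample the lockout duration still holds the old default and is raised, while the failure count was changed locally and is left alone, which is the guarantee the message asks for.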
Re: [Freeipa-devel] [PATCH] 703 389-ds startup with krb config
Jakub Hrozek wrote: On Thu, Feb 10, 2011 at 10:27:43PM -0500, Rob Crittenden wrote: Rob Crittenden wrote: Jakub Hrozek wrote: On Tue, Feb 08, 2011 at 10:12:27AM -0500, Rob Crittenden wrote:

If /etc/krb5.conf doesn't exist or contains no default kerberos realm then 389-ds won't start at all. This is a problem during installation because we configure 389 first. This patch will let the server come up, you just won't be able to do any joins or password changes until you configure kerberos. ticket 606 rob

I wasn't able to install with this patch when I had no /etc/krb5.conf at all. Here's what the DS error log said:

---
10/Feb/2011:07:30:35 -0500] ipaenrollment_start - [file ipa_enrollment.c, line 389]: Failed to get default realm?!
[10/Feb/2011:07:30:35 -0500] - Failed to start extendedop plugin ipa_enrollment_extop
[10/Feb/2011:07:30:35 -0500] ipaenrollment_start - [file ipa_enrollment.c, line 389]: Failed to get default realm?!
[10/Feb/2011:07:30:35 -0500] - Failed to start extendedop plugin ipa_enrollment_extop
[10/Feb/2011:07:30:36 -0500] ipaenrollment_start - [file ipa_enrollment.c, line 389]: Failed to get default realm?!
[10/Feb/2011:07:30:36 -0500] - Failed to start extendedop plugin ipa_enrollment_extop
---

Looking at ipaenrollment_start(), it looks like the culprit is that when krb5_get_default_realm() fails, ret is set to an error code and returned. It should be either reset to LDAP_SUCCESS or maybe rc should be used instead.

Also one nitpick. This: -static char *realm; -static const char *ipa_realm_dn; +static char *realm = NULL; +static const char *ipa_realm_dn = NULL; Is not necessary, global variables are initialized to NULL automatically.

Updated patch attached. I was able to do full install with this one. rob

Found another problem, new patch. rob

Ack

pushed to master
Re: [Freeipa-devel] [PATCH] 025 Detection of v1 server during ipa-client-install
On Mon, 2011-02-14 at 12:00 -0500, Rob Crittenden wrote: Martin Kosek wrote: On Fri, 2011-02-04 at 09:05 +0100, Jan Zelený wrote: Martin Kosek mko...@redhat.com wrote:

When v2 IPA client is trying to join an IPA v1 server a strange exception is printed out to the user. This patch detects this by catching an XML-RPC error reported by ipa-join binary called in the process which fails on unexisting IPA server 'join' method. wget call had to be changed so that IPA client may get to the ipa-join step. --no-check-certificate had to be added as V1 server automatically redirects the request to self-signed secure connection. https://fedorahosted.org/freeipa/ticket/553

The patch is ok and applies correctly. My only thought was to download the certificate directly from https:///ca.crt instead of plain http, but there is probably no real benefit. ack Jan

Jan, thanks for the review. And yes, I could not see a benefit too. Since the IPA server certificate is not a confidential information the secure connection is not needed. And since we do not trust the server's certificate in this step of installation and --no-check-certificate is used, a secure connection would be used for server identity validation either. Therefore, I would ask for the patch to be pushed. Martin

I can't duplicate the behavior of it redirecting to the SSL port. The /ipa/config directory is purposely excluded from the SSL redirect for this purpose, even on v1 servers. Can we drop that part of the patch? rob

I experience this behavior on IPA v1 running on RHEL 5.5 with the following IPA version:

$ rpm -q ipa-server
ipa-server-1.0.0-15.el5ipa

It may have been changed in higher IPA v1 version, like 1.2x. In this case you may drop this part of the patch. Martin
Re: [Freeipa-devel] [PATCH] 052 Fine tuning DNS options
Jakub Hrozek wrote: Simo did a nice writeup of the changes in https://fedorahosted.org/freeipa/ticket/931 ack. Simo also acked this in irc. pushed to master
Re: [Freeipa-devel] [PATCH] 715 ensure required variables are required
Jan Zeleny wrote: Rob Crittenden rcrit...@redhat.com wrote: Rob Crittenden wrote: Jan Zelený wrote: Jan Zelený jzel...@redhat.com wrote: Rob Crittenden rcrit...@redhat.com wrote:

Yi found a tricky way to remove required attributes that aren't required in the schema. The problem was we weren't enforcing parameter.required in mods (because it was enforcing that every variable with required be provided). I added a new check routine that is executed after setattr/addattr does its work and verifies that no required parameters get skipped. ticket 852 rob

Looks fine, works as expected. ACK I'm just not sure whether it is necessary to call the function twice - once on self.params and once on self.obj.params (I get the latter one, but I'm not sure whether the former one is necessary).

Hmm, you may be right. I did it in case any of self.params had a requires on it, but since this is a mod operation then I think by definition it can't. Jan

One more thing - I'm not sure whether it is necessary to add the check to LDAPCreate - I tried to create role with empty description and it failed as expected.

I think you're. I did it to prevent something like this:

# ipa group-add --desc='foo' --setattr description='' foo

but it is already handled. I'll work up a new patch. rob

Updated patch attached. rob

ack Jan

pushed to master
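The check discussed in this thread, run after the setattr/addattr options have been applied, sketched as an added example; it is not the FreeIPA implementation. The Param class, the function names and the group entry are constructed for illustration.

```python
class Param:
    """Minimal stand-in for a plugin parameter definition (hypothetical)."""

    def __init__(self, name, required=False):
        self.name = name
        self.required = required


def apply_attr_options(entry, setattr_opts=(), addattr_opts=()):
    """Apply 'name=value' options to a copy of entry.

    Returns (new_entry, touched), where touched is the set of attribute
    names the options changed. An empty setattr value clears the attribute.
    """
    updated = {name: list(values) for name, values in entry.items()}
    touched = set()
    for opt in setattr_opts:
        name, sep, value = opt.partition("=")
        if not sep:
            raise ValueError("expected name=value, got %r" % opt)
        updated[name.lower()] = [value] if value.strip() else []
        touched.add(name.lower())
    for opt in addattr_opts:
        name, sep, value = opt.partition("=")
        if not sep:
            raise ValueError("expected name=value, got %r" % opt)
        if value.strip():
            updated.setdefault(name.lower(), []).append(value)
        touched.add(name.lower())
    return updated, touched


def check_required(params, entry, touched):
    """Required parameter names that the options left without a value.

    Only touched attributes are checked: a modify request does not have to
    supply every required parameter, it just must not empty one.
    """
    return sorted(p.name for p in params
                  if p.required and p.name in touched and not entry.get(p.name))


def modify(params, entry, setattr_opts=(), addattr_opts=()):
    """Apply the options, then refuse the result if a required value is gone."""
    updated, touched = apply_attr_options(entry, setattr_opts, addattr_opts)
    missing = check_required(params, updated, touched)
    if missing:
        raise ValueError("required attribute(s) left empty: " + ", ".join(missing))
    return updated


# Constructed sample: a group whose cn and description are required.
GROUP_PARAMS = [Param("cn", required=True), Param("description", required=True),
                Param("gidnumber")]
GROUP_ENTRY = {"cn": ["foo"], "description": ["foo"], "gidnumber": ["1234"]}

if __name__ == "__main__":
    print(modify(GROUP_PARAMS, GROUP_ENTRY, setattr_opts=["description=admins"]))
    try:
        modify(GROUP_PARAMS, GROUP_ENTRY, setattr_opts=["description="])
    except ValueError as err:
        print("rejected:", err)
```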
Re: [Freeipa-devel] [PATCH] 051 Remove obsolete record types from DNS
Jan Zelený wrote: Jakub Hrozek jhro...@redhat.com wrote: https://fedorahosted.org/freeipa/ticket/923

Patch looks good. I'm running some tests. Unless they fail, ACK Jan

pushed to master
Re: [Freeipa-devel] [PATCH] 055 Set ldap_netgroup_search_base for in ipa-client-install
Jakub Hrozek jhro...@redhat.com wrote: https://fedorahosted.org/freeipa/ticket/932 ack Jan
Re: [Freeipa-devel] [PATCH] 025 Detection of v1 server during ipa-client-install
Martin Kosek wrote: On Mon, 2011-02-14 at 12:00 -0500, Rob Crittenden wrote: Martin Kosek wrote: On Fri, 2011-02-04 at 09:05 +0100, Jan Zelený wrote: Martin Kosek mko...@redhat.com wrote:

When v2 IPA client is trying to join an IPA v1 server a strange exception is printed out to the user. This patch detects this by catching an XML-RPC error reported by ipa-join binary called in the process which fails on unexisting IPA server 'join' method. wget call had to be changed so that IPA client may get to the ipa-join step. --no-check-certificate had to be added as V1 server automatically redirects the request to self-signed secure connection. https://fedorahosted.org/freeipa/ticket/553

The patch is ok and applies correctly. My only thought was to download the certificate directly from https:///ca.crt instead of plain http, but there is probably no real benefit. ack Jan

Jan, thanks for the review. And yes, I could not see a benefit too. Since the IPA server certificate is not a confidential information the secure connection is not needed. And since we do not trust the server's certificate in this step of installation and --no-check-certificate is used, a secure connection would be used for server identity validation either. Therefore, I would ask for the patch to be pushed. Martin

I can't duplicate the behavior of it redirecting to the SSL port. The /ipa/config directory is purposely excluded from the SSL redirect for this purpose, even on v1 servers. Can we drop that part of the patch? rob

I experience this behavior on IPA v1 running on RHEL 5.5 with the following IPA version:

$ rpm -q ipa-server
ipa-server-1.0.0-15.el5ipa

It may have been changed in higher IPA v1 version, like 1.2x. In this case you may drop this part of the patch. Martin

Ok, pushed to master without the wget change. rob
Re: [Freeipa-devel] [PATCH] 16 Bugfix for ipa-client-install echo's password in cleartext to stdout
JR Aquino wrote:

During the ipa-client-install, when prompted for the principal password, it is possible to start typing and have the password echoed back. This patch corrects this behavior and addresses bug #959 https://fedorahosted.org/freeipa/ticket/959

It works well if you provide a password but if you just hit ENTER you end up in no-man's land waiting for something to happen. What is happening under the hood is kinit has also prompted but stdout/stderr is not being displayed. So nack, we should catch that empty password and error out or re-prompt or something. rob
Re: [Freeipa-devel] [PATCH] 16-1 Bugfix for ipa-client-install echo's password in cleartext to stdout
Patch 16-1 submitted to exit if no password is given.

On 2/14/11 12:06 PM, Rob Crittenden rcrit...@redhat.com wrote: JR Aquino wrote:

During the ipa-client-install, when prompted for the principal password, it is possible to start typing and have the password echoed back. This patch corrects this behavior and addresses bug #959 https://fedorahosted.org/freeipa/ticket/959

It works well if you provide a password but if you just hit ENTER you end up in no-man's land waiting for something to happen. What is happening under the hood is kinit has also prompted but stdout/stderr is not being displayed. So nack, we should catch that empty password and error out or re-prompt or something. rob

binjjQXYrvoSS.bin Description: freeipa-jraquino-0016-2-Bugfix-for-ipa-client-install-echo-s-password-in-cle.patch
Re: [Freeipa-devel] [PATCH] 16-1 Bugfix for ipa-client-install echo's password in cleartext to stdout
JR Aquino wrote:

Patch 16-1 submitted to exit if no password is given.

On 2/14/11 12:06 PM, Rob Crittenden rcrit...@redhat.com wrote: JR Aquino wrote:

During the ipa-client-install, when prompted for the principal password, it is possible to start typing and have the password echoed back. This patch corrects this behavior and addresses bug #959 https://fedorahosted.org/freeipa/ticket/959

It works well if you provide a password but if you just hit ENTER you end up in no-man's land waiting for something to happen. What is happening under the hood is kinit has also prompted but stdout/stderr is not being displayed. So nack, we should catch that empty password and error out or re-prompt or something. rob

Pushed to master rob
Re: [Freeipa-devel] [PATCH] 721 fix cert-show
On 02/12/2011 12:13 AM, Rob Crittenden wrote:

The --out option wasn't working at all with cert-show. Also fix some related problems in write_certificate(), handle either a DER or base64-formatted incoming certificate and don't explode if the filename is None. ticket 954 rob

--out now works fine. Ack.
[Freeipa-devel] [PATCH] 722 add missing import to host.py
host.py was missing an import for netaddr. Pushed under the 1-liner rule. ticket 964 rob

freeipa-rcrit-722-netaddr.patch Description: application/mbox
Re: [Freeipa-devel] [PATCH] 721 fix cert-show
Jakub Hrozek wrote: On 02/12/2011 12:13 AM, Rob Crittenden wrote:

The --out option wasn't working at all with cert-show. Also fix some related problems in write_certificate(), handle either a DER or base64-formatted incoming certificate and don't explode if the filename is None. ticket 954 rob

--out now works fine. Ack.

pushed to master
[Freeipa-devel] [PATCH] 723 fix ipa-replica-prepare
Pushed under a liberal view of the 1-liner rule.

ipa-replica-prepare was failing due to a unicode problem creating the DNS entries. This is the first one-liner.

The second related to pre-generating the server certificates for dogtag. It was failing in python-nss when trying to shut down the NSS database. It failed whether we had initialized it or not so I basically am passing on errors right now. I opened ticket 965 for further investigation. rob

freeipa-rcrit-723-replica.patch Description: application/mbox
[Freeipa-devel] Announcing FreeIPA v2 Server Release Candidate 1 Release
To all freeipa-interest, freeipa-users and freeipa-devel list members,

The FreeIPA project team is pleased to announce the availability of the Release Candidate 1 release of freeIPA 2.0 server [1].

* Binaries are available for F-14 and F-15 [2].
* Please do not hesitate to share feedback, criticism or bugs with us on our mailing list: freeipa-us...@redhat.com

Main Highlights of the Release Candidate.

This release consists primarily of bug fixes and polish across all areas of the project. Modifications include but are not limited to:

* Installation fixes.
* DNS improvements.
* WebUI improvements.

Focus of the Release Candidate Testing

* There is a Fedora test day for FreeIPA on Feb 15th [3]. Please join us in testing FreeIPA. The exact instructions will be provided later and will be available off the link on the page.
* The following section outlines the areas that we are mostly interested to test [4].

Significant Changes Since Beta 2

To see all the tickets addressed since the beta 2 release see [6].

Repositories and Installation

* Use the following link to install the beta 2 packages [5].
* On Fedora-14 FreeIPA relies on the latest versions of the packages currently available from the updates-testing repository. Please make sure to enable this repository before you proceed with installation.

Known Issues:

* There are known issues that currently prevent FreeIPA from successfully installing with dogtag on F-15 [2]. We will send a separate message when this issue is resolved. The FreeIPA server is installable with the --selfsign option on F-15, or with dogtag on F-14.
* Server-generated error messages are not translated yet.
* IPv6 support is not complete.
* The 'ipa help' command does not support localization.

We plan to address all the outstanding tickets before the final 2.0 release. For the complete list see [7].

Thank you,
The FreeIPA development team

[1] http://www.freeipa.org/page/Downloads
[2] dogtag is having issues with systemd: https://bugzilla.redhat.com/show_bug.cgi?id=676330
[3] https://fedoraproject.org/wiki/QA/Fedora_15_test_days
[4] https://fedoraproject.org/wiki/Features/FreeIPAv2#How_To_Test
[5] http://freeipa.org/downloads/freeipa-devel.repo
[6] https://fedorahosted.org/freeipa/query?status=closedmilestone=2.0.1+Bug+fixing+(RC)
[7] https://fedorahosted.org/freeipa/milestone/2.0.2%20Bug%20fixing%20%28RC2%29