[Freeipa-devel] [PATCH] 42 Add group members to default output of sudorule-show
https://fedorahosted.org/freeipa/ticket/915 Jan From d624fa6db9c652565ce2555abc0f5e915e7fac97 Mon Sep 17 00:00:00 2001 From: Jan Zeleny jzel...@redhat.com Date: Tue, 15 Feb 2011 05:03:41 -0500 Subject: [PATCH] Add group members to default output of sudorule-show https://fedorahosted.org/freeipa/ticket/915 --- ipalib/plugins/sudorule.py |4 1 files changed, 4 insertions(+), 0 deletions(-) diff --git a/ipalib/plugins/sudorule.py b/ipalib/plugins/sudorule.py index 3361ff5d0d7d07894f9d04f66acb7db6bdc88f66..a4eacd1d56b6307782034a65e9b2e7d5b341ed27 100644 --- a/ipalib/plugins/sudorule.py +++ b/ipalib/plugins/sudorule.py @@ -102,6 +102,10 @@ class sudorule(LDAPObject): label=_('Users'), flags=['no_create', 'no_update', 'no_search'], ), +Str('memberuser_group?', +label=_('Groups'), +flags=['no_create', 'no_update', 'no_search'], +), Str('memberhost_host?', label=_('Hosts'), flags=['no_create', 'no_update', 'no_search'], -- 1.7.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
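Review bot: the label on the added `Str('memberuser_group?', ...)` entry is the bare word 'Groups', which in the default output sits between 'Users' and 'Hosts' and does not say whether it lists user groups or host groups. 'User Groups' would stay unambiguous. The visible context shows only `memberhost_host?` following it, so please confirm whether the host side needs a matching group entry under the same ticket.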
[Freeipa-devel] [PATCH] Fix a typo in ipa-client-install man page
https://fedorahosted.org/freeipa/ticket/782 Jan From 14581a1507d846d9147799809aad2d8075eb1cb8 Mon Sep 17 00:00:00 2001 From: Jan Zeleny jzel...@redhat.com Date: Tue, 15 Feb 2011 05:56:10 -0500 Subject: [PATCH] Fix a typo in ipa-client-install man page https://fedorahosted.org/freeipa/ticket/782 --- ipa-client/man/ipa-client-install.1 |1 - 1 files changed, 0 insertions(+), 1 deletions(-) diff --git a/ipa-client/man/ipa-client-install.1 b/ipa-client/man/ipa-client-install.1 index b708496805dcb795e93e8c6d4b34168a315f4adb..3ac567845559c14a2274f79290d53c3bef028e3f 100644 --- a/ipa-client/man/ipa-client-install.1 +++ b/ipa-client/man/ipa-client-install.1 @@ -57,7 +57,6 @@ Do not configure or enable NTP. .TP \fB\-\-ntp\-server\fR=\fINTP_SERVER\fR Configure ntpd to use this NTP server. -Do not configure or enable NTP. .TP \fB\-S\fR, \fB\-\-no\-sssd\fR Do not configure the client to use SSSD for authentication, use nss_ldap instead. -- 1.7.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
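Review bot: the subject line says "Fix a typo", but the hunk at -57,7 deletes a whole sentence, "Do not configure or enable NTP.", which had been duplicated under `--ntp-server` from the option before it. The removal is right; a subject such as "Remove stray sentence from --ntp-server description" would match what the change does and be easier to find in the log.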
[Freeipa-devel] [PATCH] 056 Note --ip-address parameter of ipa-replica-prepare in man page
https://fedorahosted.org/freeipa/ticket/615 From 9576ac5fb07bc0ec799becf8aadd4e51e4901c49 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek jhro...@redhat.com Date: Sun, 13 Feb 2011 18:30:18 +0100 Subject: [PATCH] Note --ip-address parameter of ipa-replica-prepare in man page https://fedorahosted.org/freeipa/ticket/615 --- install/tools/man/ipa-replica-prepare.1 |2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) diff --git a/install/tools/man/ipa-replica-prepare.1 b/install/tools/man/ipa-replica-prepare.1 index 31e74b6..115c102 100644 --- a/install/tools/man/ipa-replica-prepare.1 +++ b/install/tools/man/ipa-replica-prepare.1 @@ -28,6 +28,8 @@ A replica can only be created on an IPA server installed with ipa\-server\-insta You must provide the fully\-qualified hostname of the machine you want to install the replica on and a host\-specific replica_file will be created. It is host\-specific because SSL server certificates are generated as part of the process and they are specific to a particular hostname. +If IPA manages the DNS for your domain, you should either use the \fB\-\-ip-address\fR option or add the forward and reverse records manually using IPA plugins. + Once the file has been created it will be named replica\-hostname. This file can then be moved across the network to the target machine and a new IPA replica setup by running ipa\-replica\-install replica\-hostname. .SH OPTIONS .TP -- 1.7.4
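Review bot: the added sentence writes the option as `\fB\-\-ip-address\fR`, leaving the hyphen between "ip" and "address" unescaped, while the rest of the page escapes every hyphen (`host\-specific`, `replica\-hostname`). Please make it `\fB\-\-ip\-address\fR` so the option renders with the same hyphen as the others and can be copied from the rendered page.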
[Freeipa-devel] [PATCH] 057 Validate MX records
https://fedorahosted.org/freeipa/ticket/967 I'm wondering whether to extend the patch - if the mail server name does not end with a dot, BIND treats it as relative to the zone. So if you do: ipa dnsrecord-add example.com @ --mx-rec=10 mail.example.com dig would then return mail.example.com.example.com The correct way of adding it is (note the trailing dot): ipa dnsrecord-add example.com @ --mx-rec=10 mail.example.com. This is in line with how nsupdate works, so should we just document it? A smarter way might be to check if the hostname ends with the zone name and append a dot, but I'm not sure if that perhaps /too/ smart.. From 9b76991ba0dae19c84a2cad2b60775f8ffa3cc9a Mon Sep 17 00:00:00 2001 From: Jakub Hrozek jhro...@redhat.com Date: Tue, 15 Feb 2011 10:40:27 +0100 Subject: [PATCH] Validate MX records https://fedorahosted.org/freeipa/ticket/967 --- API.txt |8 ipalib/plugins/dns.py | 17 + 2 files changed, 21 insertions(+), 4 deletions(-) diff --git a/API.txt b/API.txt index fab2241..2ee7fa1 100644 --- a/API.txt +++ b/API.txt 
@@ -514,7 +514,7 @@ option: List('ipseckeyrecord?', attribute=True, cli_name='ipseckey_rec',ist('ips option: List('keyrecord?', attribute=True, cli_name='key_rec',ist('keyrecord?', attribute=True, cli_name='key_rec', doc='comma-separated list of KEY records', label='KEY record', multivalue=True) option: List('kxrecord?', attribute=True, cli_name='kx_rec',ist('kxrecord?', attribute=True, cli_name='kx_rec', doc='comma-separated list of KX records', label='KX record', multivalue=True) option: List('locrecord?', attribute=True, cli_name='loc_rec',ist('locrecord?', attribute=True, cli_name='loc_rec', doc='comma-separated list of LOC records', label='LOC record', multivalue=True) -option: List('mxrecord?', attribute=True, cli_name='mx_rec',ist('mxrecord?', attribute=True, cli_name='mx_rec', doc='comma-separated list of MX records', label='MX record', multivalue=True) +option: List('mxrecord?', _validate_mx, attribute=True, cli_name='mx_rec',ist('mxrecord?', _validate_mx, attribute=True, cli_name='mx_rec', doc='comma-separated list of MX records', label='MX record', multivalue=True) option: List('naptrrecord?', attribute=True, cli_name='naptr_rec',ist('naptrrecord?', attribute=True, cli_name='naptr_rec', doc='comma-separated list of NAPTR records', label='NAPTR record', multivalue=True) option: List('nsrecord?', attribute=True, cli_name='ns_rec',ist('nsrecord?', attribute=True, cli_name='ns_rec', doc='comma-separated list of NS records', label='NS record', multivalue=True) option: List('nsecrecord?', attribute=True, cli_name='nsec_rec',ist('nsecrecord?', attribute=True, cli_name='nsec_rec', doc='comma-separated list of NSEC records', label='NSEC record', multivalue=True) 
@@ -558,7 +558,7 @@ option: List('ipseckeyrecord?', attribute=True, cli_name='ipseckey_rec',ist('ips option: List('keyrecord?', attribute=True, cli_name='key_rec',ist('keyrecord?', attribute=True, cli_name='key_rec', doc='comma-separated list of KEY records', label='KEY record', multivalue=True) option: List('kxrecord?', attribute=True, cli_name='kx_rec',ist('kxrecord?', attribute=True, cli_name='kx_rec', doc='comma-separated list of KX records', label='KX record', multivalue=True) option: List('locrecord?', attribute=True, cli_name='loc_rec',ist('locrecord?', attribute=True, cli_name='loc_rec', doc='comma-separated list of LOC records', label='LOC record', multivalue=True) -option: List('mxrecord?', attribute=True, cli_name='mx_rec',ist('mxrecord?', attribute=True, cli_name='mx_rec', doc='comma-separated list of MX records', label='MX record', multivalue=True) +option: List('mxrecord?', _validate_mx, attribute=True, cli_name='mx_rec',ist('mxrecord?', _validate_mx, attribute=True, cli_name='mx_rec', doc='comma-separated list of MX records', label='MX record', multivalue=True) option: List('naptrrecord?', attribute=True, cli_name='naptr_rec',ist('naptrrecord?', attribute=True, cli_name='naptr_rec', doc='comma-separated list of NAPTR records', label='NAPTR record', multivalue=True) option: List('nsrecord?', attribute=True, cli_name='ns_rec',ist('nsrecord?', attribute=True, cli_name='ns_rec', doc='comma-separated list of NS records', label='NS record', multivalue=True) option: List('nsecrecord?', attribute=True, cli_name='nsec_rec',ist('nsecrecord?', attribute=True, cli_name='nsec_rec', doc='comma-separated list of NSEC records', label='NSEC record', multivalue=True) @@ -603,7 +603,7 @@ option: List('ipseckeyrecord?', attribute=True, cli_name='ipseckey_rec',ist('ips option: List('keyrecord?', attribute=True, cli_name='key_rec',ist('keyrecord?',
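Review bot: in each API.txt hunk the `mxrecord?` option gains `_validate_mx` but keeps `doc='comma-separated list of MX records'`, so a user whose input is now rejected gets no hint of the expected form. Since the cover letter already settles on documenting the trailing-dot rule, put the format (preference, then exchanger, fully qualified with a trailing dot) into that `doc` string in the same change. The `ipalib/plugins/dns.py` part listed in the diffstat is not visible here, so the validator itself cannot be checked from this excerpt.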
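The relative-name behaviour described in the cover letter above, together with the "smarter" check it considers, as an added example that is not part of the posted patch or of FreeIPA: `qualify` and `check_mx` are hypothetical names, and instead of silently appending a dot the check only returns a warning.

```python
import re

# One DNS label as accepted for host names (letters, digits, inner hyphens).
_LABEL = re.compile(r'^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$')


def qualify(name, origin):
    """Expand a name the way BIND reads zone data.

    A name ending in '.' is absolute; anything else is relative and gets
    the zone origin appended.
    """
    origin = origin.rstrip('.') + '.'
    if name.endswith('.'):
        return name
    return name + '.' + origin


def check_mx(value, zone):
    """Validate an MX value of the form 'preference exchanger'.

    Returns (preference, effective_fqdn, warning). warning is None unless
    the exchanger is relative but already ends with the zone name, which
    is the mistake described in the cover letter. Raises ValueError on
    malformed input.
    """
    parts = value.split()
    if len(parts) != 2:
        raise ValueError("expected 'preference exchanger', got %r" % value)
    pref_text, exchanger = parts

    # The preference is an unsigned 16-bit integer.
    if not re.match(r'^[0-9]{1,5}$', pref_text) or int(pref_text) > 65535:
        raise ValueError("preference must be an integer 0-65535")

    if exchanger == '.':
        # Null MX (RFC 7505): the root name, nothing to qualify.
        return int(pref_text), '.', None

    body = exchanger[:-1] if exchanger.endswith('.') else exchanger
    labels = body.split('.')
    if len(body) > 253 or not all(_LABEL.match(label) for label in labels):
        raise ValueError("invalid exchanger host name %r" % exchanger)

    fqdn = qualify(exchanger, zone)
    zone_name = zone.rstrip('.').lower()
    relative = not exchanger.endswith('.')
    inside_zone = (body.lower() == zone_name
                   or body.lower().endswith('.' + zone_name))

    warning = None
    if relative and inside_zone:
        warning = ("%r has no trailing dot and will resolve as %s; "
                   "did you mean %r?" % (exchanger, fqdn, exchanger + '.'))
    return int(pref_text), fqdn, warning


if __name__ == '__main__':
    # Constructed inputs matching the two commands in the cover letter,
    # plus a short relative name that is legitimately relative.
    for sample in ('10 mail.example.com', '10 mail.example.com.', '10 mail'):
        print(sample, '->', check_mx(sample, 'example.com'))
```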
[Freeipa-devel] [PATCH] 031 Remove WebUI identifiers from global namespace
Many WebUI identifiers were defined in a global namespace. This is not a good programming practice and may result in name clashes, for example with other libraries. This patch moves these variables to IPA namespace or its sub-namespaces, if required. https://fedorahosted.org/freeipa/ticket/212 From e22a16fe897bcd61d231091a05c87dd77e8c349d Mon Sep 17 00:00:00 2001 From: Martin Kosek mko...@redhat.com Date: Mon, 14 Feb 2011 16:43:19 +0100 Subject: [PATCH] Remove WebUI identifiers from global namespace Many WebUI identifiers were defined in a global namespace. This is not a good programming practice and may result in name clashes, for example with other libraries. This patch moves these variables to IPA namespace or its sub-namespaces, if required. https://fedorahosted.org/freeipa/ticket/212 --- install/ui/associate.js | 12 ++-- install/ui/certificate.js| 88 +- install/ui/entity.js |6 +-- install/ui/host.js | 10 ++-- install/ui/ipa.js|1 + install/ui/navigation.js | 46 +- install/ui/policy.js |2 +- install/ui/search.js | 18 install/ui/serverconfig.js |2 +- install/ui/service.js| 10 ++-- install/ui/test/association_tests.js |4 +- install/ui/test/certificate_tests.js | 18 install/ui/test/navigation_tests.js | 54 ++-- install/ui/webui.js |6 +- 14 files changed, 137 insertions(+), 140 deletions(-) diff --git a/install/ui/associate.js b/install/ui/associate.js index 2d416f0fd7482bb53ffa80addec5e92c2299cdb8..359c29d7c407c25981d4b85b6325484b19d88fab 100644 --- a/install/ui/associate.js +++ b/install/ui/associate.js @@ -51,7 +51,7 @@ IPA.associator = function (spec) { /** *This associator is built for the case where each association requires a separate rpc */ -function serial_associator(spec) { +IPA.serial_associator = function (spec) { spec = spec || {}; 
@@ -90,7 +90,7 @@ function serial_associator(spec) { *This associator is for the common case where all the asociations can be sent in a single rpc */ -function bulk_associator(spec) { +IPA.bulk_associator = function (spec) { spec = spec || {}; @@ -271,7 +271,7 @@ IPA.association_table_widget = function (spec) { that.other_entity = spec.other_entity; that.attribute_member = spec.attribute_member; -that.associator = spec.associator || bulk_associator; +that.associator = spec.associator || IPA.bulk_associator; that.add_method = spec.add_method || 'add_member'; that.remove_method = spec.remove_method || 'remove_member'; @@ -300,7 +300,7 @@ IPA.association_table_widget = function (spec) { var column; if (association) { if (association.associator) { -that.associator = association.associator == 'serial' ? serial_associator : bulk_associator; +that.associator = association.associator == 'serial' ? IPA.serial_associator : IPA.bulk_associator; } if (association.add_method) that.add_method = association.add_method; @@ -575,7 +575,7 @@ IPA.association_facet = function (spec) { that.facet_group = spec.facet_group; that.attribute_member = spec.attribute_member; -that.associator = spec.associator || bulk_associator; +that.associator = spec.associator || IPA.bulk_associator; that.add_method = spec.add_method || 'add_member'; that.remove_method = spec.remove_method || 'remove_member'; @@ -626,7 +626,7 @@ IPA.association_facet = function (spec) { if (association) { if (association.associator) { -that.associator = association.associator == 'serial' ? serial_associator : bulk_associator; +that.associator = association.associator == 'serial' ? IPA.serial_associator : IPA.bulk_associator; } if (association.add_method) that.add_method = association.add_method; diff --git a/install/ui/certificate.js b/install/ui/certificate.js index 3158d04883af8cb7eb1f9a0f02e936801f0ea358..d01443ce5f88429364c2e59552ac43c750ad24fa 100755 --- a/install/ui/certificate.js +++ b/install/ui/certificate.js 
@@ -20,13 +20,13 @@ * along with this program. If not, see http://www.gnu.org/licenses/. */ -var BEGIN_CERTIFICATE = '-BEGIN CERTIFICATE-'; -var END_CERTIFICATE = '-END CERTIFICATE-'; +IPA.certificates.BEGIN_CERTIFICATE = '-BEGIN CERTIFICATE-'; +IPA.certificates.END_CERTIFICATE = '-END CERTIFICATE-'; -var BEGIN_CERTIFICATE_REQUEST = '-BEGIN CERTIFICATE REQUEST-'; -var END_CERTIFICATE_REQUEST = '-END CERTIFICATE REQUEST-'; +IPA.certificates.BEGIN_CERTIFICATE_REQUEST = '-BEGIN CERTIFICATE REQUEST-'; +IPA.certificates.END_CERTIFICATE_REQUEST = '-END CERTIFICATE
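Review bot: the certificate.js hunk at -20,13 assigns `IPA.certificates.BEGIN_CERTIFICATE = ...` at file scope, which throws at load time unless `IPA.certificates` already exists as an object. The diffstat shows a single added line in install/ui/ipa.js, which is presumably that definition; please confirm it is there and that ipa.js is loaded before certificate.js on every page and in the test pages. In associate.js, `function serial_associator(spec)` becomes the assignment `IPA.serial_associator = function (spec) {`, which is no longer hoisted, so check that nothing references it before associate.js has run and that the closing brace now ends with a semicolon.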
Re: [Freeipa-devel] [PATCH] 78 Use ldapi: instead of unsecured ldap: in ipa core tools.
On 02/14/2011 04:53 PM, Rob Crittenden wrote: Pavel Zuna wrote: On 02/08/2011 01:06 PM, Pavel Zuna wrote: The patch also corrects exception handling in some of the tools. Fix #874 Pavel Updated patch attached. Forgot to rename an identifier in exception handling. Pavel This isn't applying cleanly to master, can you rebase it? rob Rebased patch attached. Pavel freeipa-pzuna-78-3-toolsldapi.patch Description: application/mbox
Re: [Freeipa-devel] [PATCH] 78 Use ldapi: instead of unsecured ldap: in ipa core tools.
On 02/14/2011 04:56 PM, JR Aquino wrote: On 2/10/11 2:42 AM, Pavel Zunapz...@redhat.com wrote: On 02/08/2011 01:06 PM, Pavel Zuna wrote: The patch also corrects exception handling in some of the tools. Fix #874 Pavel Updated patch attached. Forgot to rename an identifier in exception handling. Pavel NACK It looks like LDAPUpdate calls may want to include ldapi=True? -=- # ipa-nis-manage enable Directory Manager password: Enabling plugin Traceback (most recent call last): File /usr/sbin/ipa-nis-manage, line 211, inmodule sys.exit(main()) File /usr/sbin/ipa-nis-manage, line 151, in main ld = LDAPUpdate(dm_password=dirman_password, sub_dict={}) File /usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py, line 101, in __init__ conn.do_simple_bind(bindpw=self.dm_password) File /usr/lib/python2.7/site-packages/ipaserver/ipaldap.py, line 350, in do_simple_bind self.simple_bind_s(binddn, bindpw) File /usr/lib/python2.7/site-packages/ipaserver/ipaldap.py, line 204, in inner return f(*args, **kargs) File /usr/lib64/python2.7/site-packages/ldap/ldapobject.py, line 207, in simple_bind_s return self.result(msgid,all=1,timeout=self.timeout) File /usr/lib/python2.7/site-packages/ipaserver/ipaldap.py, line 181, in inner objtype, data = f(*args, **kargs) File /usr/lib64/python2.7/site-packages/ldap/ldapobject.py, line 436, in result res_type,res_data,res_msgid = self.result2(msgid,all,timeout) File /usr/lib/python2.7/site-packages/ipaserver/ipaldap.py, line 204, in inner return f(*args, **kargs) File /usr/lib64/python2.7/site-packages/ldap/ldapobject.py, line 440, in result2 res_type, res_data, res_msgid, srv_ctrls = self.result3(msgid,all,timeout) File /usr/lib/python2.7/site-packages/ipaserver/ipaldap.py, line 204, in inner return f(*args, **kargs) File /usr/lib64/python2.7/site-packages/ldap/ldapobject.py, line 446, in result3 ldap_result = 
self._ldap_call(self._l.result3,msgid,all,timeout) File /usr/lib/python2.7/site-packages/ipaserver/ipaldap.py, line 204, in inner return f(*args, **kargs) File /usr/lib64/python2.7/site-packages/ldap/ldapobject.py, line 96, in _ldap_call result = func(*args,**kwargs) ldap.UNWILLING_TO_PERFORM: {'info': 'Minimum SSF not met.', 'desc': 'Server is unwilling to perform'} I can't reproduce this. :-/ For me it goes fine: [root@ipadev tools]# ./ipa-nis-manage enable Directory Manager password: Enabling plugin This setting will not take effect until you restart Directory Server. The rpcbind service may need to be started. Pavel
[Freeipa-devel] [PATCH] Don't load the LDAP schema during startup
Loading of the schema is now performed in the first request that requires it. https://fedorahosted.org/freeipa/ticket/583 Jan From 0b1368442254cb738a95e766539fa030fe2504c8 Mon Sep 17 00:00:00 2001 From: Jan Zeleny jzel...@redhat.com Date: Tue, 15 Feb 2011 09:37:58 +0100 Subject: [PATCH] Don't load the LDAP schema during startup https://fedorahosted.org/freeipa/ticket/583 --- ipalib/plugins/baseldap.py |6 - ipaserver/plugins/ldap2.py | 49 --- 2 files changed, 32 insertions(+), 23 deletions(-) diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py index 6817af413c9c4e4ebf951e933e66449343a7d50a..a3e341172a4cf9c1e861b96b26c2151bcfe93ac0 100644 --- a/ipalib/plugins/baseldap.py +++ b/ipalib/plugins/baseldap.py @@ -379,7 +379,11 @@ class LDAPObject(Object): objectclasses += self.possible_objectclasses # Get list of available attributes for this object for use # in the ACI UI. -attrs = self.api.Backend.ldap2.schema.attribute_types(objectclasses) +schema = self.api.Backend.ldap2.get_schema() +if not schema: +attrs = [] +else: +attrs = schema.attribute_types(objectclasses) attrlist = [] # Go through the MUST first for (oid, attr) in attrs[0].iteritems(): diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py index b03c8def7416780a6dedf2a0d48358ec09ef9da3..9c689633b879072824dbb4729a89dbc5da3575cb 100644 --- a/ipaserver/plugins/ldap2.py +++ b/ipaserver/plugins/ldap2.py @@ -183,12 +183,6 @@ def get_schema(url, conn=None): return _ldap.schema.SubSchema(schema_entry[1]) -# cache schema when importing module -try: -_schema = get_schema(api.env.ldap_uri) -except AttributeError: -_schema = None - # The UPG setting will be cached the first time a module checks it _upg = None @@ -228,7 +222,6 @@ class ldap2(CrudBackend, Encoder): def __init__(self, shared_instance=True, ldap_uri=None, base_dn=None, schema=None): -global _schema CrudBackend.__init__(self, shared_instance=shared_instance) Encoder.__init__(self) self.encoder_settings.encode_dict_keys = True 
@@ -248,7 +241,7 @@ class ldap2(CrudBackend, Encoder): self.base_dn = api.env.basedn except AttributeError: self.base_dn = '' -self.schema = schema or _schema +self.schema = schema def __del__(self): if self.isconnected(): @@ -259,7 +252,9 @@ class ldap2(CrudBackend, Encoder): def get_syntax(self, attr, value): if not self.schema: -return None +self.schema = get_schema(self.ldap_uri, self.conn) +if not self.schema: +return None obj = self.schema.get_obj(_ldap.schema.AttributeType, attr) if obj is not None: return obj.syntax @@ -268,7 +263,9 @@ class ldap2(CrudBackend, Encoder): def get_allowed_attributes(self, objectclasses): if not self.schema: -return [] +self.schema = get_schema(self.ldap_uri, self.conn) +if not self.schema: +return [] allowed_attributes = [] for oc in objectclasses: obj = self.schema.get_obj(_ldap.schema.ObjectClass, oc) @@ -285,10 +282,13 @@ class ldap2(CrudBackend, Encoder): If there is a problem loading the schema or the attribute is not in the schema return None -if self.schema: -obj = self.schema.get_obj(_ldap.schema.AttributeType, attr) -return obj and obj.single_value -return None +if not self.schema: +self.schema = get_schema(self.ldap_uri, self.conn) +if not self.schema: +return None + +obj = self.schema.get_obj(_ldap.schema.AttributeType, attr) +return obj and obj.single_value @encode_args(2, 3, 'bind_dn', 'bind_pw') def create_connection(self, ccache=None, bind_dn='', bind_pw='', @@ -309,7 +309,6 @@ class ldap2(CrudBackend, Encoder): Extends backend.Connectible.create_connection. -global _schema if tls_cacertfile is not None: _ldap.set_option(_ldap.OPT_X_TLS_CACERTFILE, tls_cacertfile) if tls_certfile is not None: 
@@ -334,10 +333,10 @@ class ldap2(CrudBackend, Encoder): except _ldap.LDAPError, e: _handle_errors(e, **{}) -if self.schema is None and _schema is None: -# explicitly use setattr here so the schema can be set after -# the object is finalized. -object.__setattr__(self, 'schema', get_schema(self.ldap_uri, conn)) +# For now let's say the schema is None (will be loaded later) +# - explicitly use setattr here so the schema can be set after +# the object is finalized. +object.__setattr__(self, 'schema',
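Review bot: in the baseldap.py hunk at -379,7 the fallback `attrs = []` does not survive the next visible statement, `for (oid, attr) in attrs[0].iteritems():`, which raises IndexError on an empty list. When `get_schema()` returns nothing, either skip the MUST/MAY loops entirely or use a fallback of the same shape the loops expect, for example a pair of empty dicts.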
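Review bot: in ldap2.py the same lazy-load block (`if not self.schema:` / `self.schema = get_schema(self.ldap_uri, self.conn)` / `if not self.schema:`) is pasted into `get_syntax`, `get_allowed_attributes` and the single-value check. baseldap.py already calls `self.api.Backend.ldap2.get_schema()`, so put the load into that one method and have the three callers use it; a failed load is then handled in one place. Also note that `create_connection` uses `object.__setattr__(self, 'schema', ...)` because the object is finalized, while the three new blocks assign `self.schema = ...` directly; please confirm the plain assignment works after finalization.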
Re: [Freeipa-devel] [PATCH] 42 Add group members to default output of sudorule-show
On 2/15/11 2:06 AM, Jan Zelený jzel...@redhat.com wrote: https://fedorahosted.org/freeipa/ticket/915 Jan ACK I don't know how I missed that! Thank you for cleaning that up Jan!
Re: [Freeipa-devel] [PATCH] Fix setattr mail bug in user plugin.
ACK. Martin On Tue, 2011-02-15 at 16:18 +0100, Pavel Zuna wrote: The email normalizer expects a list or tuple, but when using setattr it gets a string and iterates on it as if it was a list/tuple. Before patch: [root@ipadev freeipa]# ./ipa user-mod testuser --setattr mail=testu...@example.com Modified user testuser User login: testuser First name: f Last name: l Home directory: /home/testuser Login shell: /bin/sh Email address: c@pzuna, @, x@pzuna, o@pzuna, .@pzuna, t@pzuna, e@pzuna, s@pzuna, r@pzuna, a@pzuna, m@pzuna, p@pzuna, u@pzuna, l@pzuna Account disabled: False Member of groups: ipausers Pavel
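The failure described in the message above, reproduced as an added example that is not the FreeIPA normalizer or the posted fix: the function names are hypothetical, the address `testuser@example.com` is constructed to match the output shown, and the code targets Python 3. The first function iterates a bare string character by character; the second coerces a scalar to a one-element tuple and refuses results that are not usable addresses.

```python
def normalize_mail_buggy(values, default_domain):
    """Append the default domain to entries without '@'.

    Written for a list or tuple. Handed a plain string, the loop walks it
    one character at a time, which yields the output quoted in the thread.
    """
    out = []
    for value in values:
        if '@' not in value:
            value = '%s@%s' % (value, default_domain)
        if value not in out:
            out.append(value)
    return out


def _check_address(addr):
    """Reject values that cannot be a mail address (e.g. a lone '@')."""
    local, sep, domain = addr.partition('@')
    if not sep or not local or not domain or '@' in domain:
        raise ValueError('not a usable mail address: %r' % (addr,))
    return addr


def normalize_mail_fixed(values, default_domain):
    """Same normalization, safe for both scalar and multi-valued input."""
    if isinstance(values, str):
        # --setattr style input: one value, not a sequence of characters.
        values = (values,)
    elif not isinstance(values, (list, tuple)):
        raise TypeError('mail must be a string, list or tuple')

    out = []
    for value in values:
        if not isinstance(value, str):
            raise TypeError('mail entries must be strings')
        value = value.strip()
        if '@' not in value:
            value = '%s@%s' % (value, default_domain)
        _check_address(value)
        if value not in out:
            out.append(value)
    return out


if __name__ == '__main__':
    addr = 'testuser@example.com'   # constructed sample input
    print(normalize_mail_buggy(addr, 'pzuna'))
    print(normalize_mail_fixed(addr, 'pzuna'))
```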
[Freeipa-devel] [PATCH] 44 Fixes in ipa-join man page
https://fedorahosted.org/freeipa/ticket/784 https://fedorahosted.org/freeipa/ticket/786 https://fedorahosted.org/freeipa/ticket/787 Jan From d9fed7217b7cb599089f5d3e1d16820c080b2cd6 Mon Sep 17 00:00:00 2001 From: Jan Zeleny jzel...@redhat.com Date: Tue, 15 Feb 2011 08:22:13 -0500 Subject: [PATCH] Fixes in ipa-join man page https://fedorahosted.org/freeipa/ticket/784 https://fedorahosted.org/freeipa/ticket/786 https://fedorahosted.org/freeipa/ticket/787 --- ipa-client/ipa-join.c | 14 +++--- ipa-client/man/ipa-join.1 |8 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/ipa-client/ipa-join.c b/ipa-client/ipa-join.c index 86b1bd122064ebe4832225cfa2bc65f80a69da00..1fb544cd21634e6e39c429637d0d7a7eb0b21c3c 100644 --- a/ipa-client/ipa-join.c +++ b/ipa-client/ipa-join.c 
@@ -1035,19 +1035,19 @@ main(int argc, const char **argv) { int unenroll = 0; struct poptOption options[] = { { debug, 'd', POPT_ARG_NONE, debug, 0, - _(Print the raw XML-RPC output), _(XML-RPC debugging Output) }, + _(Print the raw XML-RPC output in GSSAPI mode), NULL }, { quiet, 'q', POPT_ARG_NONE, quiet, 0, - _(Print as little as possible), _(Output only on errors) }, + _(Quiet mode. Only errors are displayed.), NULL }, { unenroll, 'u', POPT_ARG_NONE, unenroll, 0, - _(Unenroll this host), _(Unenroll this host from IPA server) }, + _(Unenroll this host from IPA server), NULL }, { hostname, 'h', POPT_ARG_STRING, hostname, 0, - _(Use this hostname instead of the node name), _(Host Name) }, + _(Hostname of this server), _(hostname) }, { server, 's', POPT_ARG_STRING, server, 0, - _(IPA Server to use), _(IPA Server Name) }, + _(IPA Server to use), _(hostame) }, { keytab, 'k', POPT_ARG_STRING, keytab, 0, - _(File were to store the keytab information), _(Keytab File Name) }, + _(File were to store the keytab information), _(filename) }, { bindpw, 'w', POPT_ARG_STRING, bindpw, 0, - _(LDAP password), _(password to use if not using kerberos) }, + _(LDAP password (if not using Kerberos)), _(password) }, POPT_AUTOHELP POPT_TABLEEND }; diff --git a/ipa-client/man/ipa-join.1 b/ipa-client/man/ipa-join.1 index 47d5966db48b1e07d2a09fd98d20b553aeaf687f..201a80085a3edcf7ef290850bf2fd1a713b23618 100644 --- a/ipa-client/man/ipa-join.1 +++ b/ipa-client/man/ipa-join.1 
@@ -20,7 +20,7 @@ .SH NAME ipa\-join \- Join a machine to an IPA realm and get a keytab for the host service principal .SH SYNOPSIS -ipa\-join [ \fB\-h\fR hostname ] [ \fB\-k\fR keytab\-file ] [ \fB\-s\fR server ] [ \fB\-w\fR bulk\-bind\-password ] [\fB\-u\fR] [ \fB\-d\fR ] [ \fB\-q\fR ] +ipa\-join [\fB\-d\fR|\fB\-\-debug\fR] [\fB\-q\fR|\fB\-\-quiet\fR] [\fB\-u\fR|\fB\-\-unenroll\fR] [\fB\-h\fR|\fB\-\-hostname\fR hostname] [\fB\-s\fR|\fB\-\-server\fR hostame] [\fB\-k\fR|\fB\-\-keytab\fR filename] [\fB\-w\fR|\fB\-\-bindpw\fR password] [\fB\-?\fR|\fB\-\-help\fR] [\fB\-\-usage\fR] .SH DESCRIPTION Joins a host to an IPA realm and retrieves a kerberos \fIkeytab\fR for the host service principal, or unenrolls an enrolled host from an IPA server. @@ -48,13 +48,13 @@ The reverse is unenrollment. Unenrolling a host removes the Kerberos key on the The hostname of this server (FQDN). By default of nodename from uname(2) is used. .TP \fB\-s,\-\-server server\fR -The hostname of this server (FQDN). By default of nodename from uname(2) is used. +The hostname of IPA server (FQDN). By default it is read from /etc/ipa/default.conf. .TP \fB\-k,\-\-keytab keytab\-file\fR The keytab file where to append the new key (will be created if it does not exist). Default: /etc/krb5.keytab .TP \fB\-w,\-\-bindpw password\fR -The password to use if not using kerberos to authenticate +The password to use if not using kerberos to authenticate. Use a password of this particular host (one time password created on IPA server) .TP \fB\-u,\-\-unenroll\fR Unenroll this host from the IPA server @@ -63,7 +63,7 @@ Unenroll this host from the IPA server Quiet mode. Only errors are displayed. .TP \fB\-d,\-\-debug\fR -Debug mode. +Print the raw XML-RPC output in GSSAPI mode. .SH EXAMPLES Join IPA domain and retrieve a keytab with kerberos credentials. -- 1.7.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
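Review bot: the new argument descriptor for `--server` is misspelled as `hostame`, both in the `server` entry of the popt table in ipa-join.c and in the rewritten SYNOPSIS line of ipa-join.1; both should read `hostname`. While that table is being touched, the keytab help string still reads "File were to store the keytab information" and should say "where". The `--hostname` help text "Hostname of this server" also describes the machine being joined, so "this host" would avoid confusion with `--server`.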
[Freeipa-devel] [PATCH] 2 Fix handling of /etc/hosts
Fixes handling of empty lines, erroneous lines and comments in /etc/hosts. https://fedorahosted.org/freeipa/ticket/971 Honza From 1313015b03fb9174a0d911cf81bf4968cb3f693f Mon Sep 17 00:00:00 2001 From: Jan Cholasta jchol...@redhat.com Date: Tue, 15 Feb 2011 17:51:18 +0100 Subject: [PATCH] Fix handling of /etc/hosts ticket 971 --- ipaserver/install/installutils.py | 21 - 1 files changed, 16 insertions(+), 5 deletions(-) diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py index 56b..63e6019 100644 --- a/ipaserver/install/installutils.py +++ b/ipaserver/install/installutils.py @@ -159,13 +159,24 @@ def verify_ip_address(ip): def record_in_hosts(ip, host_name, file=/etc/hosts): hosts = open(file, 'r').readlines() for line in hosts: -hosts_ip = line.split()[0] -if hosts_ip != ip: +if line[-1] == '\n': +line = line[:-1] + +fields = line.partition('#')[0].split() +if len(fields) == 0: continue -names = line.split()[1:] -if host_name in names: -return True +try: +hosts_ip = fields[0] +names = fields[1:] + +if hosts_ip != ip: +continue +if host_name in names: +return True +except IndexError: +print Warning: Erroneous line '{}' in {}.format(line, file) +continue return False -- 1.7.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
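Review bot: the `except IndexError` branch in the rewritten loop can never run. Empty `fields` is skipped by `if len(fields) == 0: continue`, so `fields[0]` always exists, and the slice `fields[1:]` never raises, which means the "Erroneous line" warning is dead code. A line holding an address and no host name is the malformed case; test for it explicitly with `len(fields) < 2` and warn there, then drop the try/except.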
Re: [Freeipa-devel] [PATCH] 2 Fix handling of /etc/hosts
Jan Cholasta wrote: Fixes handling of empty lines, erroneous lines and comments in /etc/hosts. https://fedorahosted.org/freeipa/ticket/971 nack. Would using line.rstrip() be better than the conditional checking explicitly for \n? I don't think we can use format this way, isn't it new to python 2.7? I think you have to use {0} and {1}. We need to support python 2.6 as well. rob
[Freeipa-devel] [PATCH] 724 remove permission as possible member of privilege
A permission can't be a member of a privilege, remove the attribute from metadata. ticket 970 rob freeipa-rcrit-724-privilege.patch Description: application/mbox
[Freeipa-devel] [PATCH] 725 fix service validator
The kerberos service validator wasn't enforcing that the server name be not blank. ticket 961. rob freeipa-rcrit-725-service.patch Description: application/mbox
Re: [Freeipa-devel] [PATCH] 2 Fix handling of /etc/hosts
D'oh! Fixed. Honza On 15.2.2011 18:14, Rob Crittenden wrote: Jan Cholasta wrote: Fixes handling of empty lines, erroneous lines and comments in /etc/hosts. https://fedorahosted.org/freeipa/ticket/971 nack. Would using line.rstrip() be better than the conditional checking explicitly for \n? I don't think we can use format this way, isn't it new to python 2.7? I think you have to use {0} and {1}. We need to support python 2.6 as well. rob From 786079981d60c341de821ab9061eefa6b36333e4 Mon Sep 17 00:00:00 2001 From: Jan Cholasta jchol...@redhat.com Date: Tue, 15 Feb 2011 17:51:18 +0100 Subject: [PATCH] Fix handling of /etc/hosts ticket 971 --- ipaserver/install/installutils.py | 19 ++- 1 files changed, 14 insertions(+), 5 deletions(-) diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py index 56b..21c0d78 100644 --- a/ipaserver/install/installutils.py +++ b/ipaserver/install/installutils.py @@ -159,13 +159,22 @@ def verify_ip_address(ip): def record_in_hosts(ip, host_name, file=/etc/hosts): hosts = open(file, 'r').readlines() for line in hosts: -hosts_ip = line.split()[0] -if hosts_ip != ip: +line = line.rstrip('\n') +fields = line.partition('#')[0].split() +if len(fields) == 0: continue -names = line.split()[1:] -if host_name in names: -return True +try: +hosts_ip = fields[0] +names = fields[1:] + +if hosts_ip != ip: +continue +if host_name in names: +return True +except IndexError: +print Warning: Erroneous line '%s' in %s % (line, file) +continue return False -- 1.7.4
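Review bot: the context line `hosts = open(file, 'r').readlines()` leaves the file handle to be closed by garbage collection, and the parameter name `file` shadows the builtin. Since the body of `record_in_hosts` is being rewritten anyway, open the file in a `with` block (available on Python 2.6) and iterate over it directly, and consider renaming the parameter. The warning is also emitted with a bare `print` from a library helper; the installer's logging would keep it out of stdout for callers that parse output.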
Re: [Freeipa-devel] [PATCH] 031 Remove WebUI identifiers from global namespace
On 02/15/2011 08:25 AM, Martin Kosek wrote: Many WebUI identifiers were defined in a global namespace. This is not a good programming practice and may result in name clashes, for example with other libraries. This patch moves these variables to IPA namespace or its sub-namespaces, if required. https://fedorahosted.org/freeipa/ticket/212 Martin, here is the patch I did for the cert portion. I'll toss it, but you can see what I was thinking as far as how to shorten the names: BTW, you should reverse the names of your patch so that they start with freeipa, and then your user id. From f7f1007a60938f98156ca5ab73a713c315f288a4 Mon Sep 17 00:00:00 2001 From: Adam Young ayo...@redhat.com Date: Mon, 14 Feb 2011 11:17:10 -0500 Subject: [PATCH] certificate into IPA namespace Cleans up the certificate handling code such that all the identifiers fall within the IPA namespace --- install/ui/certificate.js| 725 +- install/ui/host.js |2 +- install/ui/service.js|2 +- install/ui/test/certificate_tests.js | 36 +- 4 files changed, 383 insertions(+), 382 deletions(-) diff --git a/install/ui/certificate.js b/install/ui/certificate.js index 3158d04883af8cb7eb1f9a0f02e936801f0ea358..c286231a8dc1d1adb68fb61e209f257161187cb1 100755 --- a/install/ui/certificate.js +++ b/install/ui/certificate.js 
@@ -20,377 +20,378 @@ * along with this program. If not, see http://www.gnu.org/licenses/. */ -var BEGIN_CERTIFICATE = '-BEGIN CERTIFICATE-'; -var END_CERTIFICATE = '-END CERTIFICATE-'; - -var BEGIN_CERTIFICATE_REQUEST = '-BEGIN CERTIFICATE REQUEST-'; -var END_CERTIFICATE_REQUEST = '-END CERTIFICATE REQUEST-'; - -var CRL_REASON = [ -'Unspecified', -'Key Compromise', -'CA Compromise', -'Affiliation Changed', -'Superseded', -'Cessation of Operation', -'Certificate Hold', -null, -'Remove from CRL', -'Privilege Withdrawn', -'AA Compromise' -]; - -var CERTIFICATE_STATUS_MISSING = 0; -var CERTIFICATE_STATUS_VALID = 1; -var CERTIFICATE_STATUS_REVOKED = 2; - -function certificate_parse_dn(dn) { - -var result = {}; -if (!dn) return result; - -// TODO: Use proper LDAP DN parser -var rdns = dn.split(','); -for (var i=0; irdns.length; i++) { -var rdn = rdns[i]; -if (!rdn) continue; - -var parts = rdn.split('='); -var name = $.trim(parts[0].toLowerCase()); -var value = $.trim(parts[1]); - -var old_value = result[name]; -if (!old_value) { -result[name] = value; -} else if (typeof old_value == string) { -result[name] = [old_value, value]; -} else { -result[name].push(value); -} -} -return result; -} - -function certificate_get_dialog(spec) { -var that = {}; -spec = spec || {}; - -that.title = spec.title || ''; -that.usercertificate = spec.usercertificate || ''; - -var dialog = $('div/', { -'title': that.title -}); - -var textarea = $('textarea/', { -readonly: 'yes', -style: 'width: 100%; height: 275px;' -}).appendTo(dialog); - -textarea.val( -BEGIN_CERTIFICATE+'\n'+ -that.usercertificate+'\n'+ -END_CERTIFICATE ); - -that.open = function() { -dialog.dialog({ -modal: true, -width: 500, -height: 400, -buttons: { -'Close': function() { -dialog.dialog('destroy'); -} +IPA.cert = { +BEGIN_CERTIFICATE : '-BEGIN CERTIFICATE-', +END_CERTIFICATE : '-END CERTIFICATE-', +BEGIN_CERTIFICATE_REQUEST : '-BEGIN CERTIFICATE REQUEST-', +END_CERTIFICATE_REQUEST : '-END CERTIFICATE REQUEST-', 
+CRL_REASON : [ +'Unspecified', +'Key Compromise', +'CA Compromise', +'Affiliation Changed', +'Superseded', +'Cessation of Operation', +'Certificate Hold', +null, +'Remove from CRL', +'Privilege Withdrawn', +'AA Compromise' +], +CERTIFICATE_STATUS_MISSING : 0, +CERTIFICATE_STATUS_VALID : 1, +CERTIFICATE_STATUS_REVOKED : 2, + +parse_dn : function (dn) { + +var result = {}; +if (!dn) return result; + +// TODO: Use proper LDAP DN parser +var rdns = dn.split(','); +for (var i=0; irdns.length; i++) { +var rdn = rdns[i]; +if (!rdn) continue; + +var parts = rdn.split('='); +var name = $.trim(parts[0].toLowerCase()); +var value = $.trim(parts[1]); + +var old_value = result[name]; +if (!old_value) { +result[name]
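Review bot: parse_dn is carried into IPA.cert with its "dn.split(',')" and "rdn.split('=')" logic unchanged, so an RDN value containing an escaped comma or an '=' is still cut in the wrong place, and an RDN with no '=' leaves parts[1] undefined before it is trimmed. Since every caller has to be updated for the rename anyway, this is a good moment either to resolve the "TODO: Use proper LDAP DN parser" or to document the limitation at the new IPA.cert.parse_dn, because the parsed values come from certificate subject and issuer names. The commit message could also say that the old global names are removed outright, so any code outside the four listed files that still uses them will break.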
[Freeipa-devel] [PATCH] 726 require root to run ipactl
Trying to run ipactl as non-root results in a slew of bogus error messages, some of which come because dirsrv can't read certain files as the wrong user, some based on our handling of that fact. ticket 936 rob freeipa-rcrit-726-ipactl.patch Description: application/mbox
Re: [Freeipa-devel] [PATCH] 724 remove permission as possible member of privilege
On 02/15/2011 12:19 PM, Rob Crittenden wrote: A permission can't be a member of a privilege, remove the attribute from metadata. ticket 970 rob ACK. Pushed to master
Re: [Freeipa-devel] [PATCH] 726 require root to run ipactl
On 02/15/2011 02:05 PM, Rob Crittenden wrote: Trying to run ipactl as non-root results in a slew of bogus error messages, some of which come because dirsrv can't read certain files as the wrong user, some based on our handling of that fact. ticket 936 rob ACK. Pushed to master
[Freeipa-devel] [PATCH] 102 Fixed association facets.
The association config has been removed because it incorrectly assumes there is only one association between two entities. Now each association is defined separately using association facets. The service.py has been modified to specify the correct relationships. The API.txt has been updated. https://fedorahosted.org/freeipa/ticket/960 -- Endi S. Dewata From 7e69325296f112b398f0cfb737e91c12ec11c7a4 Mon Sep 17 00:00:00 2001 From: Endi S. Dewata edew...@redhat.com Date: Fri, 11 Feb 2011 18:04:04 -0600 Subject: [PATCH] Fixed association facets. The association config has been removed because it incorrectly assumes there is only one association between two entities. Now each association is defined separately using association facets. The service.py has been modified to specify the correct relationships. The API.txt has been updated. https://fedorahosted.org/freeipa/ticket/960 --- API.txt|4 +- install/ui/aci.js | 71 ++ install/ui/associate.js| 128 install/ui/dialog.js |3 +- install/ui/entity.js | 70 +- install/ui/group.js| 33 +--- install/ui/hbacrule.js |2 +- install/ui/hbacsvcgroup.js |6 -- install/ui/host.js | 35 ++--- install/ui/hostgroup.js| 22 ++ install/ui/netgroup.js | 43 +++ install/ui/search.js |2 +- install/ui/service.js | 16 ++--- install/ui/sudocmdgroup.js |6 -- install/ui/test/association_tests.html |2 + install/ui/test/association_tests.js | 22 ++ install/ui/test/data/ipa_init.json | 21 + install/ui/user.js | 29 +-- ipalib/plugins/service.py |3 + 19 files changed, 281 insertions(+), 237 deletions(-) diff --git a/API.txt b/API.txt index fab224134343f789680050a5d04fea6560d44816..f4f312675e274b33c3763c26a407e459feff8c0e 100644 --- a/API.txt +++ b/API.txt 
@@ -2118,8 +2118,8 @@ option: Int('sizelimit?', autofill=False, flags=['no_display'], label=Gettext('S option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui', flags=['no_output']) option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui', flags=['no_output']) option: Str('version?', exclude='webui', flags=['no_option', 'no_output']) -option: List('host?', cli_name='hosts',ist('host?', cli_name='hosts', doc='only services with member hosts', label='host', multivalue=True) -option: List('no_host?', cli_name='no_hosts',ist('no_host?', cli_name='no_hosts', doc='only services with no member hosts', label='host', multivalue=True) +option: List('man_by_host?', cli_name='man_by_hosts',ist('man_by_host?', cli_name='man_by_hosts', doc='only services with managed by hosts', label='host', multivalue=True) +option: List('not_man_by_host?', cli_name='not_man_by_hosts',ist('not_man_by_host?', cli_name='not_man_by_hosts', doc='only services with no managed by hosts', label='host', multivalue=True) output: Output('summary', (type 'unicode', type 'NoneType'), 'User-friendly description of action performed') output: ListOfEntries('result', (type 'list', type 'tuple'), Gettext('A list of LDAP entries', domain='ipa', localedir=None)) output: Output('count', type 'int', 'Number of entries returned') diff --git a/install/ui/aci.js b/install/ui/aci.js index 89caec040ea28e97406f336832bb4c4f26793b7b..c72037605497212798f68f9bcf3efaa40875a9e7 100644 --- a/install/ui/aci.js +++ b/install/ui/aci.js 
@@ -559,8 +559,13 @@ IPA.entity_factories.permission = function() { IPA.stanza({name:'identity', label:'Identity'}). input({name: 'cn', 'read_only': true})). section(IPA.rights_section()). -section(IPA.target_section({name: 'target', label: 'Target'}))); - +section(IPA.target_section({name: 'target', label: 'Target'}))). +facet( +IPA.association_facet({ +name: 'member_privilege', +attribute_member: 'member', +other_entity: 'privilege'})). +standard_associations(); }; @@ -586,14 +591,25 @@ IPA.entity_factories.privilege = function() { IPA.stanza({name:'identity', label:'Privilege Settings'}). input({name:'cn'}). input({name: 'description'}))). -association({ -name: 'permission', -other_entity: 'privilege', -add_method: 'add_permission', -remove_method: 'remove_permission' -}). +facet( +IPA.association_facet({ +name: 'member_role', +attribute_member: 'member', +other_entity: 'role', +add_method:
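Review bot: The API.txt hunk renames the two options from 'host?' / 'no_host?' (cli_name 'hosts' / 'no_hosts') to 'man_by_host?' / 'not_man_by_host?' (cli_name 'man_by_hosts' / 'not_man_by_hosts'), which changes the command line and RPC option names that existing callers use, yet the commit message only says "The API.txt has been updated". Please state the rename in the commit message, and reword the new doc strings: "only services with managed by hosts" does not read as a sentence, something like "only services managed by these hosts" would. In the aci.js permission hunk the explicit 'member_privilege' facet is followed by standard_associations(); a comment saying whether that call would otherwise create the same facet would help the next reader.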
Re: [Freeipa-devel] [PATCH] Fix setattr mail bug in user plugin.
On 02/15/2011 10:56 AM, Martin Kosek wrote: ACK. Martin On Tue, 2011-02-15 at 16:18 +0100, Pavel Zuna wrote: The email normalizer expects a list or tuple, but when using setattr it gets a string and iterates on it as if it was a list/tuple. Before patch: [root@ipadev freeipa]# ./ipa user-mod testuser --setattr mail=testu...@example.com Modified user testuser User login: testuser First name: f Last name: l Home directory: /home/testuser Login shell: /bin/sh Email address: c@pzuna, @, x@pzuna, o@pzuna, .@pzuna, t@pzuna, e@pzuna, s@pzuna, r@pzuna, a@pzuna, m@pzuna, p@pzuna, u@pzuna, l@pzuna Account disabled: False Member of groups: ipausers Pavel Pushed to master
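The type confusion reported in this thread, as an added example that is not FreeIPA's code: a normalizer written for a list or tuple walks a bare string one character at a time, shown next to a version that accepts only a string or a list/tuple of strings. The function names, the address and the default domain example.test are constructed for illustration, and the code is Python 3.

```python
DEFAULT_DOMAIN = "example.test"  # constructed default mail domain


def normalize_mail_buggy(values, default_domain=DEFAULT_DOMAIN):
    """Written for a list/tuple; a bare str is walked character by character."""
    return tuple(
        v if "@" in v else "%s@%s" % (v, default_domain) for v in values
    )


def normalize_mail(values, default_domain=DEFAULT_DOMAIN):
    """Accept one string or a list/tuple of strings; reject anything else."""
    if isinstance(values, str):
        # The setattr path hands over a single string: wrap it, do not iterate it.
        values = (values,)
    elif not isinstance(values, (list, tuple)):
        raise TypeError("mail must be a string or a list/tuple of strings")
    normalized = []
    for value in values:
        if not isinstance(value, str) or not value.strip():
            raise ValueError("each mail value must be a non-empty string")
        value = value.strip()
        if "@" not in value:
            value = "%s@%s" % (value, default_domain)
        normalized.append(value)
    return tuple(normalized)


if __name__ == "__main__":
    address = "bob@example.com"  # constructed input
    print("buggy :", normalize_mail_buggy(address))
    print("fixed :", normalize_mail(address))
```
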
Re: [Freeipa-devel] [PATCH] 42 Add group members to default output of sudorule-show
On 02/15/2011 09:51 AM, JR Aquino wrote: On 2/15/11 2:06 AM, Jan Zelený jzel...@redhat.com wrote: https://fedorahosted.org/freeipa/ticket/915 Jan ACK I don't know how I missed that! Thank you for cleaning that up Jan! Pushed to master
Re: [Freeipa-devel] [PATCH] 725 fix service validator
On Tue, 2011-02-15 at 12:39 -0500, Rob Crittenden wrote: The kerberos service validator wasn't enforcing that the server name be not blank. ticket 961. rob ACK. All service tests pass. Martin
Re: [Freeipa-devel] [PATCH] 2 Fix handling of /etc/hosts
Jan Cholasta wrote: D'oh! Fixed. Honza On 15.2.2011 18:14, Rob Crittenden wrote: Jan Cholasta wrote: Fixes handling of empty lines, erroneous lines and comments in /etc/hosts. https://fedorahosted.org/freeipa/ticket/971 nack. Would using line.rstrip() be better than the conditional checking explicitly for \n? I don't think we can use format this way, isn't it new to python 2.7? I think you have to use {0} and {1}. We need to support python 2.6 as well. rob ack, pushed to master
Re: [Freeipa-devel] [PATCH] 056 Note --ip-address parameter of ipa-replica-prepare in man page
Jakub Hrozek wrote: https://fedorahosted.org/freeipa/ticket/615 ack, pushed to master
Re: [Freeipa-devel] [PATCH] 057 Validate MX records
Jakub Hrozek wrote: https://fedorahosted.org/freeipa/ticket/967 I'm wondering whether to extend the patch - if the mail server name does not end with a dot, BIND treats it as relative to the zone. So if you do: ipa dnsrecord-add example.com @ --mx-rec=10 mail.example.com dig would then return mail.example.com.example.com The correct way of adding it is (note the trailing dot): ipa dnsrecord-add example.com @ --mx-rec=10 mail.example.com. This is in line with how nsupdate works, so should we just document it? A smarter way might be to check if the hostname ends with the zone name and append a dot, but I'm not sure if that perhaps /too/ smart.. While we're at this should we enforce that prio is = 0 and MAXINT ? You can import MAXINT with: from xmlrpclib import MAXINT rob
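The relative-name behaviour discussed in this thread, as an added example rather than code from the patch: it expands an MX exchanger the way the message describes BIND doing it, and reports, instead of silently fixing, a target that already ends in the zone name but lacks the trailing dot. The function names are hypothetical, and the 0 to 65535 preference range is an assumption based on the 16-bit MX preference field of RFC 1035, not the MAXINT bound mentioned in the reply.

```python
import re

# Assumption: MX preference is an unsigned 16-bit field (RFC 1035).
MX_PREFERENCE_MAX = 65535


def parse_mx(value):
    """Split '<preference> <exchanger>' and validate the preference."""
    parts = value.split()
    if len(parts) != 2:
        raise ValueError("expected '<preference> <exchanger>'")
    pref_text, target = parts
    if not re.fullmatch(r"[0-9]+", pref_text):
        raise ValueError("preference must be a non-negative integer")
    preference = int(pref_text)
    if preference > MX_PREFERENCE_MAX:
        raise ValueError("preference must be at most %d" % MX_PREFERENCE_MAX)
    return preference, target


def absolute_name(target, zone):
    """Name actually served: a target without a trailing dot is zone-relative."""
    origin = zone.rstrip(".").lower() + "."
    target = target.lower()
    if target == "@":
        return origin
    if target.endswith("."):
        return target
    return target + "." + origin


def check_mx(value, zone):
    """Return the parsed record plus warnings for a likely missing dot."""
    preference, target = parse_mx(value)
    bare_zone = zone.rstrip(".").lower()
    name = target.lower()
    warnings = []
    if not name.endswith(".") and (
        name == bare_zone or name.endswith("." + bare_zone)
    ):
        warnings.append(
            "'%s' has no trailing dot and will be served as '%s'"
            % (target, absolute_name(target, zone))
        )
    return {
        "preference": preference,
        "exchanger": absolute_name(target, zone),
        "warnings": warnings,
    }


if __name__ == "__main__":
    # Constructed inputs mirroring the two commands quoted in the thread.
    for value in ("10 mail.example.com", "10 mail.example.com.", "10 mail"):
        print(value, "->", check_mx(value, "example.com"))
```
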
Re: [Freeipa-devel] [PATCH] Code cleanup
Jan Zelený wrote: Hi, I'd like to propose this cleanup patch. I just noticed that the code in these two files is most likely not used any more (at least I didn't find a place where it is used). What do you think? Is it safe to throw it out? Or are there some places which are still using it? I'd be more than happy to move parts that are used somewhere else and delete the rest. I can't find uses of it either, ack, pushed to master. rob
[Freeipa-devel] [PATCH] 727 don't allow host cn to be updated
We are required by LDAP schema to have a cn value in a host record. Don't let a user modify it, it will just cause confusion. tickets 706 and 707 rob freeipa-rcrit-727-host.patch Description: application/mbox
Re: [Freeipa-devel] [PATCH] 44 Fixes in ipa-join man page
Jan Zelený wrote: https://fedorahosted.org/freeipa/ticket/784 https://fedorahosted.org/freeipa/ticket/786 https://fedorahosted.org/freeipa/ticket/787 Jan nack, there are a couple of minor problems. - _(IPA Server to use), _(IPA Server Name) }, + _(IPA Server to use), _(hostame) }, Typo in hostname. -The hostname of this server (FQDN). By default of nodename from uname(2) is used. +The hostname of IPA server (FQDN). By default it is read from /etc/ipa/default.conf. I think this should be: The hostname of the IPA server (FQDN). Note that by default there is no /etc/ipa/default.conf, in most cases it needs to be supplied. rob
Re: [Freeipa-devel] [PATCH] 725 fix service validator
Martin Kosek wrote: On Tue, 2011-02-15 at 12:39 -0500, Rob Crittenden wrote: The kerberos service validator wasn't enforcing that the server name be not blank. ticket 961. rob ACK. All service tests pass. Martin pushed to master
Re: [Freeipa-devel] [PATCH] Fix a typo in ipa-client-install man page
Jan Zelený wrote: https://fedorahosted.org/freeipa/ticket/782 Jan ack, pushed to master
[Freeipa-devel] [PATCH] 17 Managed netgroups should be invisible
This patch provides ipa netgroup-find a default filter which prevents the displaying of mepManageEntry Netgroups by default. It also introduces a --private flag similar to the group.py to allow for displaying them if necessary. freeipa-jraquino-0017-Managed-netgroups-should-be-invisible.patch Description: freeipa-jraquino-0017-Managed-netgroups-should-be-invisible.patch
Re: [Freeipa-devel] [PATCH] 102 Fixed association facets.
On 2/15/2011 1:39 PM, Endi Sukma Dewata wrote: The association config has been removed because it incorrectly assumes there is only one association between two entities. Now each association is defined separately using association facets. The service.py has been modified to specify the correct relationships. The API.txt has been updated. https://fedorahosted.org/freeipa/ticket/960 Attached is an updated patch. Redundant facet definitions have been removed. -- Endi S. Dewata From f1c8da3fa439e78f2ea5fe35445c3bc28d8b04fe Mon Sep 17 00:00:00 2001 From: Endi S. Dewata edew...@redhat.com Date: Fri, 11 Feb 2011 18:04:04 -0600 Subject: [PATCH] Fixed association facets. The association config has been removed because it incorrectly assumes there is only one association between two entities. Now each association is defined separately using association facets. The service.py has been modified to specify the correct relationships. The API.txt has been updated. https://fedorahosted.org/freeipa/ticket/960 --- API.txt|4 +- install/ui/aci.js | 38 ++ install/ui/associate.js| 134 install/ui/dialog.js |3 +- install/ui/entity.js | 93 +++ install/ui/group.js| 31 install/ui/hbacrule.js |2 +- install/ui/hbacsvcgroup.js |6 -- install/ui/host.js | 32 +--- install/ui/hostgroup.js|6 ++ install/ui/netgroup.js |6 ++ install/ui/search.js |2 +- install/ui/service.js | 15 +--- install/ui/sudocmdgroup.js |6 -- install/ui/test/association_tests.html |2 + install/ui/test/association_tests.js | 22 ++ install/ui/test/data/ipa_init.json | 21 + install/ui/user.js | 23 -- ipalib/plugins/service.py |3 + 19 files changed, 188 insertions(+), 261 deletions(-) diff --git a/API.txt b/API.txt index fab224134343f789680050a5d04fea6560d44816..f4f312675e274b33c3763c26a407e459feff8c0e 100644 --- a/API.txt +++ b/API.txt 
@@ -2118,8 +2118,8 @@ option: Int('sizelimit?', autofill=False, flags=['no_display'], label=Gettext('S option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui', flags=['no_output']) option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui', flags=['no_output']) option: Str('version?', exclude='webui', flags=['no_option', 'no_output']) -option: List('host?', cli_name='hosts',ist('host?', cli_name='hosts', doc='only services with member hosts', label='host', multivalue=True) -option: List('no_host?', cli_name='no_hosts',ist('no_host?', cli_name='no_hosts', doc='only services with no member hosts', label='host', multivalue=True) +option: List('man_by_host?', cli_name='man_by_hosts',ist('man_by_host?', cli_name='man_by_hosts', doc='only services with managed by hosts', label='host', multivalue=True) +option: List('not_man_by_host?', cli_name='not_man_by_hosts',ist('not_man_by_host?', cli_name='not_man_by_hosts', doc='only services with no managed by hosts', label='host', multivalue=True) output: Output('summary', (type 'unicode', type 'NoneType'), 'User-friendly description of action performed') output: ListOfEntries('result', (type 'list', type 'tuple'), Gettext('A list of LDAP entries', domain='ipa', localedir=None)) output: Output('count', type 'int', 'Number of entries returned') diff --git a/install/ui/aci.js b/install/ui/aci.js index 89caec040ea28e97406f336832bb4c4f26793b7b..4df65f3ffc345c3a11eccea895bbe9c3715f375c 100644 --- a/install/ui/aci.js +++ b/install/ui/aci.js @@ -559,8 +559,8 @@ IPA.entity_factories.permission = function() { IPA.stanza({name:'identity', label:'Identity'}). input({name: 'cn', 'read_only': true})). section(IPA.rights_section()). -section(IPA.target_section({name: 'target', label: 'Target'}))); - +section(IPA.target_section({name: 'target', label: 'Target'}))). +standard_associations(); }; 
@@ -586,15 +586,21 @@ IPA.entity_factories.privilege = function() { IPA.stanza({name:'identity', label:'Privilege Settings'}). input({name:'cn'}). input({name: 'description'}))). -association({ -name: 'permission', -other_entity: 'privilege', -add_method: 'add_permission', -remove_method: 'remove_permission' -}). - -standard_associations(); +facet( +IPA.association_facet({ +name: 'member_role', +add_method: 'add_privilege', +remove_method: 'remove_privilege', +associator: IPA.serial_associator +})). +
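Review bot: In the IPA.entity_factories.privilege hunk the new association facet is named 'member_role' but sets add_method 'add_privilege' and remove_method 'remove_privilege' with no other_entity or attribute_member, so a reader has to guess that the other entity is derived from the facet name and that the methods are meant to be invoked on that other entity rather than on the privilege. Add a short comment stating that convention, or keep the explicit properties here, so a later rename of the facet does not silently change which entity is modified. In the permission hunk this revision relies on standard_associations() alone; it is worth confirming in association_tests.js that the permission-to-privilege facet still appears.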
[Freeipa-devel] [PATCH] temp fix for init script on f15
This fixes a hangup issue when an init script calls another within systemctl, by preventing calling systemctl on initscripts. Will need to work with fedora folks to find an appropriate long term solution, but this will make things work for now. Simo. -- Simo Sorce * Red Hat, Inc * New York From 4169f768308d89943b8258be2169f8415a962bed Mon Sep 17 00:00:00 2001 From: Simo Sorce sso...@redhat.com Date: Tue, 15 Feb 2011 16:50:27 -0500 Subject: [PATCH] Temporary workaround for systemd brokeness on fedora 15 --- ipa.init |2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) diff --git a/ipa.init b/ipa.init index b5a43c31942596c99ee4ef2d00385536cacb9052..ead7df00864df01481a4d81e82e1d1f1cce1e3a3 100755 --- a/ipa.init +++ b/ipa.init @@ -7,6 +7,8 @@ # configdir: /etc/ipa/ # +export SYSTEMCTL_SKIP_REDIRECT=1 + # Source function library. if [ -f /etc/rc.d/init.d/functions ] ; then . /etc/rc.d/init.d/functions -- 1.7.4
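Review bot: The added "export SYSTEMCTL_SKIP_REDIRECT=1" near the top of ipa.init carries no comment, although the subject line calls it a temporary workaround. Put a comment directly above it saying why the redirect is skipped (the hang when one init script calls another under systemctl) and that it is to be removed once a long-term fix exists, otherwise the line will outlive its reason. Because the variable is exported before the function library is sourced, it is also inherited by every service script ipa.init starts; the comment should say that this is intended.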
Re: [Freeipa-devel] [PATCH] 102 Fixed association facets.
On 02/15/2011 04:23 PM, Endi Sukma Dewata wrote: On 2/15/2011 1:39 PM, Endi Sukma Dewata wrote: The association config has been removed because it incorrectly assumes there is only one association between two entities. Now each association is defined separately using association facets. The service.py has been modified to specify the correct relationships. The API.txt has been updated. https://fedorahosted.org/freeipa/ticket/960 Attached is an updated patch. Redundant facet definitions have been removed. ACK. Pushed to master
Re: [Freeipa-devel] [PATCH] temp fix for init script on f15
Simo Sorce wrote: This fixes a hangup issue when an init script calls another within systemctl, by preventing calling systemctl on initscripts. Will need to work with fedora folks to find an appropriate long term solution, but this will make things work for now. Simo. ack, tested on F-14 and F-15 and works fine. pushed to master rob
Re: [Freeipa-devel] [PATCH] 44 Fixes in ipa-join man page
Jan Zelený wrote: https://fedorahosted.org/freeipa/ticket/784 https://fedorahosted.org/freeipa/ticket/786 https://fedorahosted.org/freeipa/ticket/787 Jan nack A few typos and style issues: - _(File were to store the keytab information), _(Keytab File Name) }, + _(File were to store the keytab information), _(filename) }, s/were/where I would actually reword it: Specifies where to store keytab information. s/kerberos/Kerberos/g (unless lowercase is required for some reason.) +The hostname of IPA server (FQDN). The hostname of the IPA server (FQDN). Join IPA domain and retrieve a keytab with kerberos credentials. Join an IPA domain and retrieve a keytab using Kerberos credentials. -- David O'Brien Red Hat Asia Pacific Pty Ltd +61 7 3514 8189 He who asks is a fool for five minutes, but he who does not ask remains a fool forever. ~ Chinese proverb
Re: [Freeipa-devel] [PATCH] 44 Fixes in ipa-join man page
David O'Brien dav...@redhat.com wrote: Jan Zelený wrote: https://fedorahosted.org/freeipa/ticket/784 https://fedorahosted.org/freeipa/ticket/786 https://fedorahosted.org/freeipa/ticket/787 Jan nack A few typos and style issues: - _(File were to store the keytab information), _(Keytab File Name) }, + _(File were to store the keytab information), _(filename) }, s/were/where I would actually reword it: Specifies where to store keytab information. s/kerberos/Kerberos/g (unless lowercase is required for some reason.) +The hostname of IPA server (FQDN). The hostname of the IPA server (FQDN). Join IPA domain and retrieve a keytab with kerberos credentials. Join an IPA domain and retrieve a keytab using Kerberos credentials. Ok, here is the second version of the patch. David, not all changes you proposed are in the patch, I believe they are out of its scope. If we go this way, I think a review should be done for all man pages, so we don't fix just a couple of mistakes in this page and leave the same mistakes in other man pages. Jan From d9fed7217b7cb599089f5d3e1d16820c080b2cd6 Mon Sep 17 00:00:00 2001 From: Jan Zeleny jzel...@redhat.com Date: Tue, 15 Feb 2011 08:22:13 -0500 Subject: [PATCH] Fixes in ipa-join man page https://fedorahosted.org/freeipa/ticket/784 https://fedorahosted.org/freeipa/ticket/786 https://fedorahosted.org/freeipa/ticket/787 --- ipa-client/ipa-join.c | 14 +++--- ipa-client/man/ipa-join.1 |8 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/ipa-client/ipa-join.c b/ipa-client/ipa-join.c index 86b1bd122064ebe4832225cfa2bc65f80a69da00..1fb544cd21634e6e39c429637d0d7a7eb0b21c3c 100644 --- a/ipa-client/ipa-join.c +++ b/ipa-client/ipa-join.c 
@@ -1035,19 +1035,19 @@ main(int argc, const char **argv) { int unenroll = 0; struct poptOption options[] = { { debug, 'd', POPT_ARG_NONE, debug, 0, - _(Print the raw XML-RPC output), _(XML-RPC debugging Output) }, + _(Print the raw XML-RPC output in GSSAPI mode), NULL }, { quiet, 'q', POPT_ARG_NONE, quiet, 0, - _(Print as little as possible), _(Output only on errors) }, + _(Quiet mode. Only errors are displayed.), NULL }, { unenroll, 'u', POPT_ARG_NONE, unenroll, 0, - _(Unenroll this host), _(Unenroll this host from IPA server) }, + _(Unenroll this host from IPA server), NULL }, { hostname, 'h', POPT_ARG_STRING, hostname, 0, - _(Use this hostname instead of the node name), _(Host Name) }, + _(Hostname of this server), _(hostname) }, { server, 's', POPT_ARG_STRING, server, 0, - _(IPA Server to use), _(IPA Server Name) }, + _(IPA Server to use), _(hostname) }, { keytab, 'k', POPT_ARG_STRING, keytab, 0, - _(File were to store the keytab information), _(Keytab File Name) }, + _(Specifies where to store keytab information.), _(filename) }, { bindpw, 'w', POPT_ARG_STRING, bindpw, 0, - _(LDAP password), _(password to use if not using kerberos) }, + _(LDAP password (if not using Kerberos)), _(password) }, POPT_AUTOHELP POPT_TABLEEND }; diff --git a/ipa-client/man/ipa-join.1 b/ipa-client/man/ipa-join.1 index 47d5966db48b1e07d2a09fd98d20b553aeaf687f..201a80085a3edcf7ef290850bf2fd1a713b23618 100644 --- a/ipa-client/man/ipa-join.1 +++ b/ipa-client/man/ipa-join.1 
@@ -20,7 +20,7 @@ .SH NAME ipa\-join \- Join a machine to an IPA realm and get a keytab for the host service principal .SH SYNOPSIS -ipa\-join [ \fB\-h\fR hostname ] [ \fB\-k\fR keytab\-file ] [ \fB\-s\fR server ] [ \fB\-w\fR bulk\-bind\-password ] [\fB\-u\fR] [ \fB\-d\fR ] [ \fB\-q\fR ] +ipa\-join [\fB\-d\fR|\fB\-\-debug\fR] [\fB\-q\fR|\fB\-\-quiet\fR] [\fB\-u\fR|\fB\-\-unenroll\fR] [\fB\-h\fR|\fB\-\-hostname\fR hostname] [\fB\-s\fR|\fB\-\-server\fR hostame] [\fB\-k\fR|\fB\-\-keytab\fR filename] [\fB\-w\fR|\fB\-\-bindpw\fR password] [\fB\-?\fR|\fB\-\-help\fR] [\fB\-\-usage\fR] .SH DESCRIPTION Joins a host to an IPA realm and retrieves a kerberos \fIkeytab\fR for the host service principal, or unenrolls an enrolled host from an IPA server. @@ -48,13 +48,13 @@ The reverse is unenrollment. Unenrolling a host removes the Kerberos key on the The hostname of this server (FQDN). By default of nodename from uname(2) is used. .TP \fB\-s,\-\-server server\fR -The hostname of this server (FQDN). By default of nodename from uname(2) is used. +The hostname of the IPA server (FQDN). Note that by default there is no /etc/ipa/default.conf, in most cases it needs to be supplied. .TP \fB\-k,\-\-keytab keytab\-file\fR The keytab file where to append the new key (will be created if it does not exist). Default: /etc/krb5.keytab .TP \fB\-w,\-\-bindpw password\fR -The password to use if not using kerberos to authenticate +The password to use if not using Kerberos to authenticate. Use a password of this particular
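Review bot: The rewritten SYNOPSIS line in ipa-join.1 still contains the misspelling "hostame" in "[\fB\-s\fR|\fB\-\-server\fR hostame]", the same typo that was flagged in ipa-join.c and corrected there in this revision. In the \-s description, "Note that by default there is no /etc/ipa/default.conf, in most cases it needs to be supplied" does not say whether "it" is the file or the option, and no longer tells the reader what happens when \-s is omitted; state the default explicitly. In ipa-join.c the \-h help text changes from "Use this hostname instead of the node name" to "Hostname of this server", which drops the information that the option overrides the node name, and the man page entry for \-h keeps the ungrammatical "By default of nodename from uname(2) is used".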
Re: [Freeipa-devel] [PATCH] Updated default Kerberos password policy
Jan Zeleny jzel...@redhat.com wrote: Rob Crittenden rcrit...@redhat.com wrote: Jan Zelený wrote: https://fedorahosted.org/freeipa/ticket/930 I put there a value Dmitri suggested. Feel free to change it before pushing if you think there should be the originally suggested 10 login attempts. We want to increase krbPwdLockoutDuration too, to 600. rob Sorry, I didn't realize it was in seconds. I just saw 10 and figured it's ok it's already there. Anyway, I'm sending the updated patch. Just a reminder that this patch needs to be re-reviewed. Thanks Jan