Re: [Freeipa-devel] [PATCH] Fixed in ipa-server-install help and man page

[David O'Brien]

Jan Zelený wrote:

Rob Crittenden  wrote:

Jan Zelený wrote:

https://fedorahosted.org/freeipa/ticket/831

Jan

I think I'd like David's take on this, but my initial reaction is I'd
prefer the word maximum to maximal.

rob


The second patch is in attachment. Based on David's recommendation you can 
pick and push the right one one.


Jan

Yes, pick "maximum"

--

David O'Brien
Red Hat Asia Pacific Pty Ltd
+61 7 3514 8189


"He who asks is a fool for five minutes, but he who does not ask remains 
a fool forever."

 ~ Chinese proverb

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 44 Fixes in ipa-join man page

[David O'Brien]

Jan Zelený wrote:

"David O'Brien"  wrote:

Jan Zelený wrote:

https://fedorahosted.org/freeipa/ticket/784
https://fedorahosted.org/freeipa/ticket/786
https://fedorahosted.org/freeipa/ticket/787

Jan

nack

A few typos and style issues:

- _("File were to store the keytab information"), _("Keytab File Name") },
+ _("File were to store the keytab information"), _("filename") },

s/were/where
I would actually reword it:
"Specifies where to store keytab information."

s/kerberos/Kerberos/g
(unless lowercase is required for some reason.)

+The hostname of IPA server (FQDN).
"The hostname of the IPA server (FQDN)."

Join IPA domain and retrieve a keytab with kerberos credentials.
"Join an IPA domain and retrieve a keytab using Kerberos credentials."


Ok, here is the second version of the patch. David, not all changes you 
proposed are in the patch, I believe they are out of its scope. If we go this 
way, I think a review should be done for all man pages, so we don't fix just a 
couple of mistakes in this page and leave the same mistakes in other man 
pages.


Jan
Yes, this topic of "global fixes" has come up elsewhere, and resources 
are unavailable for a review of all man pages.


ack

--

David O'Brien
Red Hat Asia Pacific Pty Ltd
+61 7 3514 8189


"He who asks is a fool for five minutes, but he who does not ask remains 
a fool forever."

 ~ Chinese proverb

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] Scripting the SUDO setup for a client

[JR Aquino]

On Feb 17, 2011, at 8:38 PM, "Adam Young"  wrote:

> I tried to follow the steps to setup Sudo on a client here: 
> https://fedoraproject.org/wiki/QA:Testcase_freeipav2_sudo
> 
> Of course, since my serve wasn't example.com, I had to modify the LDAP 
> fitlers.  I got something wrong.
> 
> What would I use to script this in keeping with the ipa server technoliges we 
> use?  I need to modify a bunch of config files.  This seems like a task for 
> something like augeas, and I know we use some library to do it.

I believe authconfig is used to populate ldap.conf and maybe even nsswitch.conf.

Be aware though that Sudo needs to have an unprivileged binddn User and 
password configured in the ldap.conf file...  That's the piece that I've been 
thinking most about.  I'm not sure what to do except prompt the user during the 
install script.

> 
> 
> ___
> Freeipa-devel mailing list
> Freeipa-devel@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

[Freeipa-devel] Scripting the SUDO setup for a client

[Adam Young]

I tried to follow the steps to setup Sudo on a client here: 
https://fedoraproject.org/wiki/QA:Testcase_freeipav2_sudo


Of course, since my serve wasn't example.com, I had to modify the LDAP 
fitlers.  I got something wrong.


What would I use to script this in keeping with the ipa server 
technoliges we use?  I need to modify a bunch of config files.  This 
seems like a task for something like augeas, and I know we use some 
library to do it.



___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

[Freeipa-devel] [PATCH] 732 don't ignore nss_shutdown errors

[Rob Crittenden]

Right before rc1 I discovered a problem in ipa-replica-prepare. It was 
crashign when trying to generate the SSL certificates. The first time it 
failed on nss_shutdown() claiming that NSS wasn't initialized. The 
second time because some object was still in use.


I tracked this down to a change that enables replication. This happens 
using an SSL connection to the server. I'm thinking this is some 
interaction the openldap NSS connection.


The fix is to use an ldapi connection instead.

ticket 965

rob
>From 02c91465d361c88cc901e5f97e0c9ef1f1e4656e Mon Sep 17 00:00:00 2001
From: Rob Crittenden 
Date: Thu, 17 Feb 2011 22:53:53 -0500
Subject: [PATCH] Fix NSS initialization errors during ipa-replica-prepare

When enabling replication we make an SSL connection. I think the way
this goes is python-ldap -> openldap -> NSS. It may be a problem in
the openldap SSL client, maybe it isn't calling NSS_Shutdown(). In any
case if we use ldapi instead the problem goes away.

Back out the temporary code to ignore nss_shutdown errors.

ticket 965
---
 ipapython/nsslib.py  |6 +-
 ipaserver/install/replication.py |2 +-
 2 files changed, 2 insertions(+), 6 deletions(-)

diff --git a/ipapython/nsslib.py b/ipapython/nsslib.py
index fad65a3..129f1a0 100644
--- a/ipapython/nsslib.py
+++ b/ipapython/nsslib.py
@@ -126,11 +126,7 @@ class NSSConnection(httplib.HTTPConnection):
 if nss.nss_is_initialized():
 # close any open NSS database and use the new one
 ssl.clear_session_cache()
-try:
-nss.nss_shutdown()
-except NSPRError, e:
-# FIXME: errors shouldn't be raised here
-logging.debug('nss_shutdown: %s', str(e))
+nss.nss_shutdown()
 nss.nss_init(dbdir)
 ssl.set_domestic_policy()
 nss.set_password_callback(self.password_callback)
diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py
index 0bf0e21..8158197 100644
--- a/ipaserver/install/replication.py
+++ b/ipaserver/install/replication.py
@@ -60,7 +60,7 @@ def enable_replication_version_checking(hostname, realm, dirman_passwd):
 enabled then enable it and restart 389-ds. If it is enabled
 the do nothing.
 """
-conn = ipaldap.IPAdmin(hostname, port=PORT, cacert=CACERT)
+conn = ipaldap.IPAdmin(hostname, realm=realm, ldapi=True)
 if dirman_passwd:
 conn.do_simple_bind(bindpw=dirman_passwd)
 else:
-- 
1.7.3.4

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

[Freeipa-devel] [PATCH] Reset target DN when generated UUID is used as RDN

[Nathan Kinder]

>From 402ab3d26b67066a5230527130740a8a329064e7 Mon Sep 17 00:00:00 2001
From: Nathan Kinder 
Date: Thu, 17 Feb 2011 16:37:39 -0800
Subject: [PATCH] Reset target DN when generated UUID is used as RDN

When the UUID plug-in generates a value that is used in the RDN
of the entry being added, the old DN is free'd and replaced with
the new DN.  The problem is that the operation in the pblock holds
a pointer to the old DN address.  This can cause other plug-ins to
reference garbage, leading to incorrect results or crashes.  This
was causing the attribute uniqueness plug-in to not work correctly,
resulting in duplicate netgroup entries.

The fix is to have the UUID plug-in reset the target DN after
changing the DN of the entry to be added.

ticket 963
---
 daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c |4 
 1 files changed, 4 insertions(+), 0 deletions(-)

diff --git a/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c 
b/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c
index c6353ae..5cd65b3 100644
--- a/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c
+++ b/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c
@@ -1109,6 +1109,10 @@ static int ipauuid_pre_op(Slapi_PBlock *pb, int modtype)
 slapi_ch_free_string(&nrdn);
 slapi_sdn_set_rdn(sdn, rdn);
 slapi_entry_set_sdn(e, sdn);
+
+/* reset the target DN since we've changed it. */
+slapi_pblock_set(pb, SLAPI_ADD_TARGET,
+ 
(char*)slapi_sdn_get_ndn(slapi_entry_get_sdn_const(e)));
 }
 slapi_rdn_free(&rdn);
 slapi_sdn_free(&sdn);
-- 
1.7.4

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 0085 Register client into DNS on install

[Simo Sorce]

On Thu, 17 Feb 2011 18:12:56 -0500
Rob Crittenden  wrote:

> Simo Sorce wrote:
> > On Thu, 17 Feb 2011 11:53:52 -0500
> > Simo Sorce  wrote:
> >
> >> On Thu, 17 Feb 2011 11:34:30 -0500
> >> Simo Sorce  wrote:
> >>
> >>>
> >>> If DNS Updates are available then try to register the ip address
> >>> as determined by connecting to the ipa server.
> >>>
> >>> This allows also the creation of the DNS A record if none was
> >>> available before, which means you can add clients without having
> >>> to pre-register them in the DNS.
> >>>
> >>> Fixes #935
> >>>
> >>> Simo.
> >>>
> >>
> >> Forgot to add rpm dependency on bind-utils for the client package.
> >>
> >> New patch attached.
> >
> > After discussing a bit dns updates with Rob and Stephen on IRC here
> > it is a third patch that adds a --enable-dns-updates option.
> >
> > Dns updates are performed only if this options is enabled or no
> > entry exists in DNS at all for the host.
> >
> > If the option is enabled sssd is also configured to keep updating
> > the DNS during the life of the machine so that IP changes (laptops,
> > dhcp, etc..) are recorded in DNS properly.
> >
> > Simo.
> 
> Ack, works for me.

Thanks,
pushed to master.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 18 Use TLS for ipadiscovery during ipa client install

[JR Aquino]

On 2/17/11 9:46 AM, "Jan Zeleny"  wrote:

>JR Aquino  wrote:
>> Lets try now. Attached is the corrected patch.
>> 
>> There were several spots in ipa-client-install where the server could be
>> defined and it was getting missed.
>> I have omitted any change to ipa-client-install and instead just focused
>> on ipadiscovery.py
>> 
>> ipadiscovery.py now performs its own fetch of the CACert just to be
>>sure.
>> 
>> Regarding TLS vs LDAPS.
>> 
>> LDAP over SSL was common in LDAP Version 2 (LDAPv2) but it was never
>> standardized in any formal specification. This usage has been deprecated
>> along with LDAPv2, which was officially retired in 2003.
>> 
>> LDAPS is still supported, but considered deprecated in favor of TLS as
>> defined in RFC2830.
>> 
>> On 2/17/11 2:01 AM, "Jan Zelený"  wrote:
>> >JR Aquino  wrote:
>> >> This patch addresses the need to utilize TLS when using the
>> >> ipa-client-install tool. It addresses ticket:
>> >> https://fedorahosted.org/freeipa/ticket/974
>> >
>> >Nack, running ipa-client-install returned this error:
>> >
>> ># ipa-client-install
>> >Retrieving CA from None failed.
>> >Command '/usr/bin/wget -O /etc/ipa/ca.crt
>>http://None/ipa/config/ca.crt'
>> >returned non-zero exit status 4
>> >
>> >
>> >One more question - shouldn't you use ldaps directly to connect to the
>> >server?
>> >Jan
>
>
>Sorry, I have to Nack it again, the patch seems incoplete, since it is
>only 
>adding some cacert fetching code to IPADiscovery.
>
>Jan

Please ignore previous patches for #18. Attached is the replacement all
inclusive patch for this ticket.


Per Rob:
ipadiscovery should not attempt to create the /etc/ipa/ca.crt rather, it
should populate a tempdir with the temp cert for the initial discovery
bind.

Attached is the full patch to provide both TLS and the safer wget of the
ca.crt to a temporary directory created by tempfile.mkdtemp()

Please verify that ipa-client-install from a separate machine functions as
expected against a FreeIPA server who is set to "nsslapd-minssf: 56"




binAmi8FXfTBQ.bin
Description: freeipa-jraquino-0018-Use-TLS-for-ipadiscovery-during-ipa-client-install.patch
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 0085 Register client into DNS on install

[Rob Crittenden]

Simo Sorce wrote:

On Thu, 17 Feb 2011 11:53:52 -0500
Simo Sorce  wrote:


On Thu, 17 Feb 2011 11:34:30 -0500
Simo Sorce  wrote:



If DNS Updates are available then try to register the ip address as
determined by connecting to the ipa server.

This allows also the creation of the DNS A record if none was
available before, which means you can add clients without having to
pre-register them in the DNS.

Fixes #935

Simo.



Forgot to add rpm dependency on bind-utils for the client package.

New patch attached.


After discussing a bit dns updates with Rob and Stephen on IRC here it
is a third patch that adds a --enable-dns-updates option.

Dns updates are performed only if this options is enabled or no entry
exists in DNS at all for the host.

If the option is enabled sssd is also configured to keep updating the
DNS during the life of the machine so that IP changes (laptops, dhcp,
etc..) are recorded in DNS properly.

Simo.


Ack, works for me.

rob

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 060 Raise NotImplementedError for selfsigned cert-remove-hold

[Rob Crittenden]

Jakub Hrozek wrote:

To test, try running "ipa cert-remove-hold 11" with a selfsigned install



ack, pushed to master

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 731 configure sssd w/failover

[Rob Crittenden]

Jakub Hrozek wrote:

On Thu, Feb 17, 2011 at 03:23:18PM -0500, Rob Crittenden wrote:

Configure SSSD to look in DNS for the IPA servers first, then fall
back to the server we configured against.

ticket 980

rob


Works fine (tested both service discovery and failover), ack


pushed to master

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 730 managed netgroups immutable

[Rob Crittenden]

JR Aquino wrote:

On 2/17/11 11:02 AM, "Rob Crittenden"  wrote:


Make managed netgroups (those created as a result of creating a
hostgroup) should be immutable. This aci will deny writes to a managed
netgroup.

ticket 962

rob
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


nack
Rebase?
Patch does not apply cleanly.

# git apply freeipa-rcrit-730-netgroup.patch
freeipa-rcrit-730-netgroup.patch:18: new blank line at EOF.
+
error: patch failed: install/updates/Makefile.am:5
error: install/updates/Makefile.am: patch does not apply



Updated patch attached.

rob


freeipa-rcrit-730-2-netgroup.patch
Description: application/mbox
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 729 special handling for nsaccountlock

[Rob Crittenden]

Jakub Hrozek wrote:

On Thu, Feb 17, 2011 at 12:01:05PM -0500, Rob Crittenden wrote:

nsaccountlock doesn't have a visible Param but we want do so some
basic validation to be sure garbage doesn't get in there so do it in
the pre_callback of add and mod.

ticket 968

rob


Ack


pushed to master

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] Localization patches.

[Rob Crittenden]

Pavel Zůna wrote:

On 2011-02-17 05:09, Rob Crittenden wrote:

Pavel Zůna wrote:

My efforts in fixing localization all around the framework and preparing
it for localizing docstrings have resulted in a lot of patches. Because
I understand they have become a bit hard to track, I decided to post
them all together in this thread to make review easier.

After this is committed, there will be one more patch that switches
xgettext for pygettext. Then hopefully, we'll be pretty much set when it
comes to i18n.

Pavel


Patch 81 isn't applying for me.

Help is not working for me either, this is due to patch 80.

$ ipa help user
ipa: ERROR: NameError: global name '_' is not defined
Traceback (most recent call last):
File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 1087, in
run
api.finalize()
File "/home/rcrit/redhat/freeipa-version/ipalib/plugable.py", line 619,
in finalize
plugin_iter(base, (magic[k] for k in magic))
File "/home/rcrit/redhat/freeipa-version/ipalib/base.py", line 397, in
__init__
sorted(members, key=lambda m: getattr(m, name_attr))
File "/home/rcrit/redhat/freeipa-version/ipalib/plugable.py", line 608,
in plugin_iter
plugins[klass] = PluginInstance(klass)
File "/home/rcrit/redhat/freeipa-version/ipalib/plugable.py", line 585,
in __init__
self.instance = klass()
File "/home/rcrit/redhat/freeipa-version/ipalib/plugable.py", line 184,
in __init__
self.doc = _(inspect.getdoc(cls))
NameError: global name '_' is not defined
ipa: ERROR: an internal error has occurred

Patches 69, 71 and 73 are still working fine.

What is switching from xgettext to pygettext going to do?


This was answered by John Dennis: xgettext doesn't parse python docstrings.



rob


Rebased version of 81 attached. It should also fix the traceback you're
getting.

Pavel


Something is still not working. I'm having a hard time reproducing how I 
got this but with LANG=es_US.UTF-8 for a while I was getting this with 
every ipa user-* request:


ipa: ERROR: UnicodeEncodeError: 'ascii' codec can't encode character 
u'\xf1' in position 20: ordinal not in range(128)

Traceback (most recent call last):
  File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 1090, 
in run

sys.exit(api.Backend.cli.run(argv))
  File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 917, in run
rv = cmd.output_for_cli(self.api.Backend.textui, result, *args, 
**options)
  File "/home/rcrit/redhat/freeipa-version/ipalib/frontend.py", line 
953, in output_for_cli

textui.print_entries(result, order, labels, flags, print_all)
  File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 346, in 
print_entries
self.print_entry(entry, order, labels, flags, print_all, format, 
indent)
  File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 378, in 
print_entry

label, value, format, indent, one_value_per_line
  File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 309, in 
print_attribute

self.print_indented(format % (attr, text[0]), indent)
  File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 232, in 
print_indented

print (CLI_TAB * indent + text)
UnicodeEncodeError: 'ascii' codec can't encode character u'\xf1' in 
position 20: ordinal not in range(128)

ipa: ERROR: ha ocurrido un error interno

I think it is blowing up on this user:

  User login: jose
  First name: Jose
  Last name: contraseñas
  Home directory: /home/jose
  Login shell: /bin/sh
  Account disabled: TRUE
  Member of groups: ipausers

Then all of a sudden things started working fine, so I'm not sure what's 
going on.


Is this traceback meaningful to you?

rob

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 47 Validate that the reverse DNS record is correct

[Rob Crittenden]

Adam Tkac wrote:

On Wed, Feb 16, 2011 at 05:26:55PM +0100, Jan Zeleny wrote:

Adam Tkac  wrote:

On Wed, Feb 16, 2011 at 10:53:14AM +0100, Jan Zelený wrote:

This patch ensures that PTR records added by FreeIPA are compliant with
RFC.


Nack.

In my opinion the _ptrrecord_pre_callback should also handle PTR records
for IPv6 addresses.

You can check validity of IPv6 PTR record this way (pseudocode):

zone.replace(.ip6.arpa., '')
if (len(addr.split('.')) + len(zone.split('.')) != 32)
raise_error

Regards, Adam


Thanks for the review, I made the changes you suggested. Second patch is in
attachment.


Thanks for improvement, now it looks fine for me. Ack.

Regards, Adam


 From a01180772ab9ce9409532892e81f03ea7fc2582a Mon Sep 17 00:00:00 2001
From: Jan Zeleny
Date: Wed, 16 Feb 2011 04:47:36 -0500
Subject: [PATCH] Validate that the reverse DNS record is correct

This patch ensures that PTR records added by FreeIPA are compliant with
RFC.

https://fedorahosted.org/freeipa/ticket/839
---
  ipalib/plugins/dns.py |   16 
  1 files changed, 16 insertions(+), 0 deletions(-)

diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py
index 
592945f78c59877fada5fa6c40eee3b1acb564b2..f50dd51f28f0ff59c8d1fe84730de302d9855467
 100644
--- a/ipalib/plugins/dns.py
+++ b/ipalib/plugins/dns.py
@@ -619,6 +619,22 @@ class dnsrecord_add(LDAPCreate, 
dnsrecord_cmd_w_record_options):
  is_ns_rec_resolvable(ns)
  return dn

+def _ptrrecord_pre_callback(self, ldap, dn, entry_attrs, *keys, **options):
+components = dn.split(',',2)
+addr = components[0].split('=')[1]
+zone = components[1].split('=')[1]
+if zone.find('ip6') != -1:
+zone = zone.replace('.ip6.arpa.','')
+zone_len = 32
+else:
+zone = zone.replace('.in-addr.arpa.','')
+zone_len = 4
+
+if len(addr.split('.'))+len(zone.split('.')) != zone_len:
+raise errors.ValidationError(name='cn', error=unicode('IP address 
must have exactly '+str(zone_len)+' components'))
+
+return dn
+
  def pre_callback(self, ldap, dn, entry_attrs, *keys, **options):
  for rtype in options:
  rtype_cb = '_%s_pre_callback' % rtype
--
1.7.4






ack as well

pushed to master

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 48 Document the --rights output format

[Rob Crittenden]

Jan Zelený wrote:

Rob Crittenden  wrote:

Jan Zelený wrote:

https://fedorahosted.org/freeipa/ticket/563
https://fedorahosted.org/freeipa/ticket/588

Jan


This is a good start, I think we need to include some guidance on why
this exists and why it exists where it does.

It exists so a user interface can know in advance what the current
user's rights are for a given entry so that the user experience is
better (currently used by the Web UI to disable attributes that are not
writable).

It appears in the add and mod commands to avoid having to do a show
after an entry is added or updated.

rob


I updated the patch with a note that it is primarily used for internal
purposes of CLI and WebUI, I think this should be sufficient description.

I also deleted the line converting unicode strings to str because it broke
JSON-RPC communication.

Jan


ack, pushed to master

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 731 configure sssd w/failover

[Jakub Hrozek]

On Thu, Feb 17, 2011 at 03:23:18PM -0500, Rob Crittenden wrote:
> Configure SSSD to look in DNS for the IPA servers first, then fall
> back to the server we configured against.
> 
> ticket 980
> 
> rob

Works fine (tested both service discovery and failover), ack

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 0085 Register client into DNS on install

[Simo Sorce]

On Thu, 17 Feb 2011 11:53:52 -0500
Simo Sorce  wrote:

> On Thu, 17 Feb 2011 11:34:30 -0500
> Simo Sorce  wrote:
> 
> > 
> > If DNS Updates are available then try to register the ip address as
> > determined by connecting to the ipa server.
> > 
> > This allows also the creation of the DNS A record if none was
> > available before, which means you can add clients without having to
> > pre-register them in the DNS.
> > 
> > Fixes #935
> > 
> > Simo.
> > 
> 
> Forgot to add rpm dependency on bind-utils for the client package.
> 
> New patch attached.

After discussing a bit dns updates with Rob and Stephen on IRC here it
is a third patch that adds a --enable-dns-updates option.

Dns updates are performed only if this options is enabled or no entry
exists in DNS at all for the host.

If the option is enabled sssd is also configured to keep updating the
DNS during the life of the machine so that IP changes (laptops, dhcp,
etc..) are recorded in DNS properly.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
>From d51f06ccd9e1c6a9d051850dcdac06ba0361d05f Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Thu, 17 Feb 2011 08:30:36 -0500
Subject: [PATCH] Try to register DNS name through a DNS Update on install.

Fixes: https://fedorahosted.org/freeipa/ticket/935
---
 freeipa.spec.in   |1 +
 ipa-client/ipa-install/ipa-client-install |  111 +
 ipaserver/plugins/join.py |2 +-
 3 files changed, 113 insertions(+), 1 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index f301aa26a66eb305369f4a4fe72e5c311ba86606..4def47598ec6fce5a7ce5e1dd80c029c9e46478a 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -138,6 +138,7 @@ Requires: xmlrpc-c
 Requires: sssd >= 1.5.1
 Requires: certmonger >= 0.26
 Requires: nss-tools
+Requires: bind-utils
 
 Obsoletes: ipa-client >= 1.0
 
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 20c327d492c28e0fdf2f5fec98e2d3d5d651e9fc..c4b0458d448a8d2d8dca2bc56b6b5024f192a7ee 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -32,6 +32,8 @@ try:
 import ipaclient.ipachangeconf
 import ipaclient.ntpconf
 from ipapython.ipautil import run, user_input, CalledProcessError, file_exists
+from ipapython import ipautil
+from ipapython import dnsclient
 from ipapython import sysrestore
 from ipapython import version
 from ipapython import certmonger
@@ -83,6 +85,8 @@ def parse_options():
   default=False, help="uninstall an existing installation")
 parser.add_option("", "--hostname", dest="hostname",
   help="The hostname of this server (FQDN). By default of nodename from uname(2) is used.")
+parser.add_option("", "--enable-dns-updates", dest="dns_updates", action="store_true", default=False,
+  help="Configures the machine to attempt dns updates when the ip address changes.")
 
 options, args = parser.parse_args()
 safe_opts = parser.get_safe_opts(options)
@@ -496,6 +500,9 @@ def configure_sssd_conf(fstore, cli_domain, cli_server, options):
 
 domain.set_option('cache_credentials', True)
 
+if options.dns_updates:
+domain.set_option('ipa_dyndns_update', True)
+
 domain.set_active(True)
 
 sssdconfig.save_domain(domain)
@@ -503,6 +510,101 @@ def configure_sssd_conf(fstore, cli_domain, cli_server, options):
 
 return 0
 
+def resolve_ipaddress(server):
+""" Connect to the server's ldap port in order to determine what ip
+address this machine uses as "public" ip (relative to the server).
+"""
+
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM, socket.IPPROTO_TCP)
+s.connect((server, 389))
+addr, port = s.getsockname()
+s.close()
+
+return addr
+
+UPDATE_TEMPLATE_A = """
+zone $ZONE.
+update delete $HOSTNAME. IN A
+send
+update add $HOSTNAME. $TTL IN A $IPADDRESS
+send
+"""
+
+UPDATE_TEMPLATE_ = """
+zone $ZONE.
+update delete $HOSTNAME. IN 
+send
+update add $HOSTNAME. $TTL IN  $IPADDRESS
+send
+"""
+
+UPDATE_FILE = "/etc/ipa/.dns_update.txt"
+CCACHE_FILE = "/etc/ipa/.dns_ccache"
+
+def update_dns(server, hostname):
+
+ip = resolve_ipaddress(server)
+
+sub_dict = dict(HOSTNAME=hostname,
+IPADDRESS=ip,
+TTL=1200,
+ZONE='.'.join(hostname.split('.')[1:])
+)
+
+template = None
+if len(ip.split('.')) == 4:
+template = UPDATE_TEMPLATE_A
+elif len(ip.split(':')) > 1:
+template = UPDATE_TEMPLATE_
+
+if template is None:
+print >>sys.stderr, "Failed to determine machine's ip address."
+print >>sys.stderr, "Failed to update DNS A record."
+return
+
+update_txt = ipautil.template_str(template, sub_dict)
+update_fd = file(UPDATE_FILE, "w")
+update_fd.write(update_txt)
+update_fd.flus

Re: [Freeipa-devel] [PATCH] 729 managed netgroups immutable

[JR Aquino]

On 2/17/11 11:02 AM, "Rob Crittenden"  wrote:

>Make managed netgroups (those created as a result of creating a
>hostgroup) should be immutable. This aci will deny writes to a managed
>netgroup.
>
>ticket 962
>
>rob
>___
>Freeipa-devel mailing list
>Freeipa-devel@redhat.com
>https://www.redhat.com/mailman/listinfo/freeipa-devel

nack
Rebase?
Patch does not apply cleanly.

# git apply freeipa-rcrit-730-netgroup.patch
freeipa-rcrit-730-netgroup.patch:18: new blank line at EOF.
+
error: patch failed: install/updates/Makefile.am:5
error: install/updates/Makefile.am: patch does not apply


___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

[Freeipa-devel] [PATCH] 731 configure sssd w/failover

[Rob Crittenden]

Configure SSSD to look in DNS for the IPA servers first, then fall back 
to the server we configured against.


ticket 980

rob
>From 3b47206b22417dad843bac1934b7cfd4b1ba15e4 Mon Sep 17 00:00:00 2001
From: Rob Crittenden 
Date: Thu, 17 Feb 2011 15:19:24 -0500
Subject: [PATCH] Configure SSSD to use DNS to find the IPA server by default.

Add the server we registered with as a fallback.

ticket 980
---
 ipa-client/ipa-install/ipa-client-install |2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 20c327d..dc49622 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -481,7 +481,7 @@ def configure_sssd_conf(fstore, cli_domain, cli_server, options):
 domain = sssdconfig.new_domain(cli_domain)
 domain.add_provider('ipa', 'id')
 
-domain.set_option('ipa_server', cli_server)
+domain.set_option('ipa_server', '_srv_, %s' % cli_server)
 domain.set_option('ipa_domain', cli_domain)
 
 # Might need this if /bin/hostname doesn't return a FQDN
-- 
1.7.3.4

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 729 special handling for nsaccountlock

[Jakub Hrozek]

On Thu, Feb 17, 2011 at 12:01:05PM -0500, Rob Crittenden wrote:
> nsaccountlock doesn't have a visible Param but we want do so some
> basic validation to be sure garbage doesn't get in there so do it in
> the pre_callback of add and mod.
> 
> ticket 968
> 
> rob

Ack

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

[Freeipa-devel] One liner to fix broken build

[Adam Young]

Removed an image that is no longer used.

Pushed under the one line rule.


diff --git a/install/ui/Makefile.am b/install/ui/Makefile.am
index 327225e..e6ffed1 100644
--- a/install/ui/Makefile.am
+++ b/install/ui/Makefile.am
@@ -52,7 +52,6 @@ app_DATA =  \
Mainnav-background.png  \
Mainnav-offtab.png  \
Mainnav-ontab.png   \
-   modal-background.png\
 outer-bg.png   \
panel-background.png\
Subnav-background.png   \

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] Localization patches.

[Pavel Zůna]

On 2011-02-17 05:09, Rob Crittenden wrote:

Pavel Zůna wrote:

My efforts in fixing localization all around the framework and preparing
it for localizing docstrings have resulted in a lot of patches. Because
I understand they have become a bit hard to track, I decided to post
them all together in this thread to make review easier.

After this is committed, there will be one more patch that switches
xgettext for pygettext. Then hopefully, we'll be pretty much set when it
comes to i18n.

Pavel


Patch 81 isn't applying for me.

Help is not working for me either, this is due to patch 80.

$ ipa help user
ipa: ERROR: NameError: global name '_' is not defined
Traceback (most recent call last):
File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 1087, in run
api.finalize()
File "/home/rcrit/redhat/freeipa-version/ipalib/plugable.py", line 619,
in finalize
plugin_iter(base, (magic[k] for k in magic))
File "/home/rcrit/redhat/freeipa-version/ipalib/base.py", line 397, in
__init__
sorted(members, key=lambda m: getattr(m, name_attr))
File "/home/rcrit/redhat/freeipa-version/ipalib/plugable.py", line 608,
in plugin_iter
plugins[klass] = PluginInstance(klass)
File "/home/rcrit/redhat/freeipa-version/ipalib/plugable.py", line 585,
in __init__
self.instance = klass()
File "/home/rcrit/redhat/freeipa-version/ipalib/plugable.py", line 184,
in __init__
self.doc = _(inspect.getdoc(cls))
NameError: global name '_' is not defined
ipa: ERROR: an internal error has occurred

Patches 69, 71 and 73 are still working fine.

What is switching from xgettext to pygettext going to do?


This was answered by John Dennis: xgettext doesn't parse python docstrings.



rob


Rebased version of 81 attached. It should also fix the traceback you're 
getting.


Pavel


freeipa-pzuna-81-2-fixlocstrings.patch
Description: application/mbox
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] Fix translatable strings in ipalib plugins.

[Pavel Zůna]

On 2011-02-16 16:25, Pavel Zůna wrote:

Some translatable strings were in a wrong format a there were some more
related issues. This patch tries to fix all of them.

Needed for xgettext/pygettext processing.

Pavel


Rebased version attached.

Pavel


freeipa-pzuna-81-2-fixlocstrings.patch
Description: application/mbox
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

[Freeipa-devel] [PATCH] 060 Raise NotImplementedError for selfsigned cert-remove-hold

[Jakub Hrozek]

To test, try running "ipa cert-remove-hold 11" with a selfsigned install
>From f06c082f00d2b6506a796cc6a4317a77ba16f2f4 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek 
Date: Thu, 17 Feb 2011 20:35:50 +0100
Subject: [PATCH] Raise NotImplementedError for selfsigned cert-remove-hold

---
 ipaserver/plugins/rabase.py |2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/ipaserver/plugins/rabase.py b/ipaserver/plugins/rabase.py
index 5f9ec77..369027b 100644
--- a/ipaserver/plugins/rabase.py
+++ b/ipaserver/plugins/rabase.py
@@ -109,5 +109,5 @@ class rabase(Backend):
 
 :param serial_number: Certificate serial number.
 """
-raise errors.NotImplementedError('%s.take_certificate_off_hold' % 
self.name)
+raise errors.NotImplementedError(name='%s.take_certificate_off_hold' % 
self.name)
 
-- 
1.7.4

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

[Freeipa-devel] Fwd: 0013-Under-shadow-on-h1-and-removed-images.patch

[Adam Young]

ACK and pushed to master

 Original Message 
Subject:0013-Under-shadow-on-h1-and-removed-images.patch
Date:   Thu, 17 Feb 2011 13:39:39 -0500 (EST)
From:   Kyle Baker 
To: Adam Young 



From 882750cf20aee245a94d689fcf0f28a464e975e6 Mon Sep 17 00:00:00 2001
From: Kyle Baker 
Date: Thu, 17 Feb 2011 13:37:56 -0500
Subject: [PATCH] Under shadow on h1 and removed images

---
 install/ui/ipa.css  |1 +
 install/ui/modal-background.png |  Bin 642 -> 0 bytes
 2 files changed, 1 insertions(+), 0 deletions(-)
 delete mode 100644 install/ui/modal-background.png

diff --git a/install/ui/ipa.css b/install/ui/ipa.css
index 4a2d837..289f19c 100644
--- a/install/ui/ipa.css
+++ b/install/ui/ipa.css
@@ -167,6 +167,7 @@ h1 {
 font-weight: normal;
 color: #55;
 text-transform: uppercase;
+	text-shadow: 1px 1px 0 #FF;
 }
 
 .entity-container h1{
diff --git a/install/ui/modal-background.png b/install/ui/modal-background.png
deleted file mode 100644
index 605d82207e2b81ea843c83c31a43796fb7293cc3..
GIT binary patch
literal 0
HcmV?d1

literal 642
zcmV-|0)737P)P000>X0ssI2ON$aTPbVXQnQ*UN;
zcVTj606}DLVr3vnZDD6+Qe|Oed2z{QJOBU!BuPX;RCwBKRnc|rFbD(cq23%Fu*-Cj
z{&$92wUNNi?aMj$#)*vpA&9?!{Ihkz%+Jl;0DHOI9P4fF=gI5Zb{?pMym>DE0LjnB
z6VN%aZPq(S_|xct;)N|sxbFijM{3x`qc
z77)&fgxD#_IvI%gU#1t`o2?;Ry;C6P@lM!sj&wkta)a!KC|
zVeuck0u8htQHR!BSK@xFgkh0r`b58C?^1kDWt$(Rh2E{=(j&Ba5dk7@`
z_QW)YQ!+@7<=G0U%H2ePZHM++8Ej8u7b4H@_n6itcl*!f6;;+*xmV|n2>JJy*1RR$
z308X-_eDs?IGoRs4xvWs_*2i0IdNrsR3Q~+Z~DrSIZxa}N&6aP7Yf<5>MFJuHMZj-
zM5tJ2^4z=y4WhNiw>_bhQuYXATM

-- 
1.7.3.2

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 0012-Remove-images-and-replace-with-css-color-in-dialogs.patch

[Adam Young]

On 02/17/2011 12:03 PM, Adam Young wrote:

On 02/17/2011 11:13 AM, Kyle Baker wrote:

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel



If we are going to make this change, please remove (git rm) the icons 
that are no longer used as part of the patch.


___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

DOne in additional patch. ACK and pushed to master

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] Remove-bright-green-from-the-tabs-and-subnav

[Adam Young]

On 02/17/2011 12:09 PM, Adam Young wrote:
Several of the subtab text items are no longer visible:  user, host, 
netgroups on the Identity tab, self service permissions on the Server TAb.



On 02/16/2011 10:33 AM, Kyle Baker wrote:

Ayoung, check it out.


___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel



___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

OK, found the problem, fixed, and pushed:

commit 1ea463eced90e25d353f8ff7c0012d9d0fc510b1
Author: Adam Young 
Date:   Thu Feb 17 14:29:09 2011 -0500

tabs2 color from white

diff --git a/install/ui/ipa.css b/install/ui/ipa.css
index 289f19c..44643f7 100644
--- a/install/ui/ipa.css
+++ b/install/ui/ipa.css
@@ -566,7 +566,7 @@ span.ui-icon-search {
 -moz-border-radius: 2em !important;
-webkit-border-radius: 2em !important;
 border-radius: 2em !important;
-color: white;
+color: #33;
 font-size: 1em;
 font-family: "Liberation Sans", Arial, Sans;
margin: 0 0.3em;

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 049 Make nsslib IPv6 aware

[Jakub Hrozek]

On Thu, Feb 17, 2011 at 08:25:37PM +0100, Jakub Hrozek wrote:
> On Wed, Feb 09, 2011 at 10:23:27AM +0100, Jan Zelený wrote:
> > Jakub Hrozek  wrote:
> > > On Thu, Feb 03, 2011 at 02:23:11PM +0100, Jan Zelený wrote:
> > > > Jakub Hrozek  wrote:
> > > > > Hi,
> > > > > 
> > > > > attached is a patch to nsslib.py that changes its semantics so
> > > > > it is able to work with different address families. It is the last
> > > > > piece of IPv6 support.
> > > > > 
> > > > > Aside from the hunks in the patch, I still need to set Requires: in 
> > > > > the
> > > > > patch (don't know the exact version yet). Also, the attached patch
> > > > > always tries IPv4 first and only falls back to IPv6. I think there
> > > > > should be a config option that tells IPA to prefer one of the address
> > > > > families or use it exclusively for performance reasons.
> > > > > 
> > > > > Please note that the patch requires the latest changes to python-nss
> > > > > in order to work correctly. Since John is still working on python-nss
> > > > > packages, this patch should be treated as a preview and not pushed 
> > > > > even
> > > > > if it is deemed OK. At this stage, I'd like to get at least the 
> > > > > general
> > > > > approach and code reviewed so I can fix it tomorrow.
> > > > > 
> > > > > Thank you,
> > > > > 
> > > > > Jakub
> > > > 
> > > > The patch looks ok, all my questions answered off-list. Also tested with
> > > > IPv4 (latest python-nss installed) and IPv6, both work fine.
> > > > 
> > > > ACK
> > > > 
> > > > Jan
> > > 
> > > Thanks for the review. But attached is a new version of the patch that
> > > changes the semantics a little based on what's recommended by the new
> > > version of python-nss: don't construct the NetworkAddress object
> > > manually, but rather resolve the hostname using the AddrInfo object and
> > > then try connecting to the list of of NetworkAddress object manually.
> > 
> > Changes consulted off-list, the patch looks good. Will do some more testing 
> > on 
> > RHEL6. Unless I find some issues, this patch is ACKed.
> > 
> > Jan
> > 
> 
> One more change - bumped the minimum required version of python-nss to
> 0.11 which is in the nightly devel repo now.
> 

and now with the patch attached.
>From fd089113524c250c502eb2e4028affd29754dd77 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek 
Date: Wed, 2 Feb 2011 13:57:16 +0100
Subject: [PATCH] Make nsslib IPv6 aware

---
 freeipa.spec.in |5 ++-
 ipapython/nsslib.py |  108 +++
 2 files changed, 96 insertions(+), 17 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index f301aa2..0e54caf 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -177,7 +177,7 @@ Requires: python-kerberos >= 1.1-3
 Requires: authconfig
 Requires: gnupg
 Requires: pyOpenSSL
-Requires: python-nss >= 0.9-8
+Requires: python-nss >= 0.11
 Requires: python-lxml
 Requires: python-netaddr
 
@@ -476,6 +476,9 @@ fi
 %ghost %attr(0644,root,apache) %config(noreplace) 
%{_sysconfdir}/ipa/default.conf
 
 %changelog
+* Thu Feb  17 2011 Jakub Hrozek  - 1.99-45
+- Set minimum version of python-nss to 0.11 to make sure IPv6 support is in
+
 * Wed Feb  9 2011 Rob Crittenden  - 1.99-44
 - Set minimum version of sssd to 1.5.1
 
diff --git a/ipapython/nsslib.py b/ipapython/nsslib.py
index fad65a3..8d77863 100644
--- a/ipapython/nsslib.py
+++ b/ipapython/nsslib.py
@@ -21,12 +21,14 @@
 import sys
 import httplib
 import getpass
+import socket
 import logging
 
 from nss.error import NSPRError
 import nss.io as io
 import nss.nss as nss
 import nss.ssl as ssl
+import nss.error as error
 
 def auth_certificate_callback(sock, check_sig, is_server, certdb):
 cert_is_valid = False
@@ -113,11 +115,84 @@ def client_auth_data_callback(ca_names, chosen_nickname, 
password, certdb):
 return False
 return False
 
-class NSSConnection(httplib.HTTPConnection):
+class NSSAddressFamilyFallback(object):
+def __init__(self, family):
+self.sock_family = family
+self.family = self._get_nss_family(self.sock_family)
+
+def _get_nss_family(self, sock_family):
+"""
+Translate a family from python socket module to nss family.
+"""
+if sock_family in [ socket.AF_INET, socket.AF_UNSPEC ]:
+return io.PR_AF_INET
+elif sock_family == socket.AF_INET6:
+return io.PR_AF_INET6
+else:
+raise ValueError('Uknown socket family %d\n', sock_family)
+
+def _get_next_family(self):
+if self.sock_family == socket.AF_UNSPEC and \
+   self.family == io.PR_AF_INET:
+return io.PR_AF_INET6
+
+return None
+
+def _create_socket(self):
+self.sock = io.Socket(family=self.family)
+
+def _connect_socket_family(self, host, port, family):
+logging.debug("connect_socket_family: host=%s port=%s family=%s",
+  host, port, io.addr_family_name(family))
+try:
+

Re: [Freeipa-devel] [PATCH] 049 Make nsslib IPv6 aware

[Jakub Hrozek]

On Wed, Feb 09, 2011 at 10:23:27AM +0100, Jan Zelený wrote:
> Jakub Hrozek  wrote:
> > On Thu, Feb 03, 2011 at 02:23:11PM +0100, Jan Zelený wrote:
> > > Jakub Hrozek  wrote:
> > > > Hi,
> > > > 
> > > > attached is a patch to nsslib.py that changes its semantics so
> > > > it is able to work with different address families. It is the last
> > > > piece of IPv6 support.
> > > > 
> > > > Aside from the hunks in the patch, I still need to set Requires: in the
> > > > patch (don't know the exact version yet). Also, the attached patch
> > > > always tries IPv4 first and only falls back to IPv6. I think there
> > > > should be a config option that tells IPA to prefer one of the address
> > > > families or use it exclusively for performance reasons.
> > > > 
> > > > Please note that the patch requires the latest changes to python-nss
> > > > in order to work correctly. Since John is still working on python-nss
> > > > packages, this patch should be treated as a preview and not pushed even
> > > > if it is deemed OK. At this stage, I'd like to get at least the general
> > > > approach and code reviewed so I can fix it tomorrow.
> > > > 
> > > > Thank you,
> > > > 
> > > > Jakub
> > > 
> > > The patch looks ok, all my questions answered off-list. Also tested with
> > > IPv4 (latest python-nss installed) and IPv6, both work fine.
> > > 
> > > ACK
> > > 
> > > Jan
> > 
> > Thanks for the review. But attached is a new version of the patch that
> > changes the semantics a little based on what's recommended by the new
> > version of python-nss: don't construct the NetworkAddress object
> > manually, but rather resolve the hostname using the AddrInfo object and
> > then try connecting to the list of of NetworkAddress object manually.
> 
> Changes consulted off-list, the patch looks good. Will do some more testing 
> on 
> RHEL6. Unless I find some issues, this patch is ACKed.
> 
> Jan
> 

One more change - bumped the minimum required version of python-nss to
0.11 which is in the nightly devel repo now.

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

[Freeipa-devel] [PATCH] 729 managed netgroups immutable

[Rob Crittenden]

Make managed netgroups (those created as a result of creating a 
hostgroup) should be immutable. This aci will deny writes to a managed 
netgroup.


ticket 962

rob
>From 3032abc7900b619a8dde5219d8b0c53cf667e865 Mon Sep 17 00:00:00 2001
From: Rob Crittenden 
Date: Thu, 17 Feb 2011 13:53:22 -0500
Subject: [PATCH] Add aci to make managed netgroups immutable.

ticket 962
---
 install/updates/20-aci.update |4 
 install/updates/Makefile.am   |3 ++-
 2 files changed, 6 insertions(+), 1 deletions(-)
 create mode 100644 install/updates/20-aci.update

diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update
new file mode 100644
index 000..42f1e9f
--- /dev/null
+++ b/install/updates/20-aci.update
@@ -0,0 +1,4 @@
+# Don't allow managed netgroups to be modified
+dn: cn=ng,cn=alt,$SUFFIX
+add:aci: '(targetfilter = "(objectClass=mepManagedEntry)")(targetattr = "*")(version 3.0; acl "Managed netgroups cannot be modified"; deny (write) userdn = "ldap:///all";;)'
+
diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
index 6dcdc04..8835259 100644
--- a/install/updates/Makefile.am
+++ b/install/updates/Makefile.am
@@ -5,12 +5,13 @@ app_DATA =\
 	10-RFC2307bis.update		\
 	10-RFC4876.update		\
 	20-dna.update			\
+	20-aci.update			\
 	20-indices.update		\
 	20-nss_ldap.update		\
 	20-replication.update		\
 	20-winsync_index.update		\
 	40-delegation.update		\
-	50-lockout-policy.update		\
+	50-lockout-policy.update	\
 	45-roles.update			\
 	$(NULL)
 
-- 
1.7.3.4

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 19 Cleanup for netgroup search

[Jan Zeleny]

JR Aquino  wrote:
> On 2/17/11 3:23 AM, "Jan Zelený"  wrote:
> >JR Aquino  wrote:
> >> This patch fixes the netgroup plugin's behavior of adding duplicate
> >>
> >>entries
> >>
> >> when the managed entry plugin creates a netgroup with a mepManagedEntry
> >> This problem is documented in ticket:
> >> https://fedorahosted.org/freeipa/ticket/963
> >> 
> >> As noted by Endi for issue #3 in the History:
> >> "3. Just out of curiosity, I tried adding a netgroup with the same name
> >>
> >>as
> >>
> >> the hostgroup. I expected it to conflict with the managed netgroup, but
> >>
> >>it
> >>
> >> actually worked. Searching the directory will return 2 netgroups with
> >>
> >>the
> >>
> >> same name:"
> >>
> >> Historically the netgroup plugin had inappropriately defined:
> >>rdn_attribute
> >>
> >> = 'ipauniqueid' This caused the ability of duplication with the creation
> >> of native netgroups using the ipaUniqueId as the DN and as the Managed
> >> Entry netgroups utilizing the cn as the DN.
> >> 
> >> Patch includes adjustments for the netgroup plugin and corresponding
> >> test_netgroup_plugin
> >> 
> >> Please verify that the items requested in #963 are now complete and
> >>
> >>please
> >>
> >> confirm that the corresponding tests all pass.
> >
> >One test fails:
> >FAIL: test_netgroup[30]: netgroup_remove_member: Remove netgroup
> >u'netgroup2'
> >from netgroup u'netgroup1'
> >
> >Command ipa host-show still shows:
> >Member of netgroups: testhostgroup
> >
> >Also a little bit of nitpicking, I think the changed code in chunk 2
> >would
> >better look something like this:
> >
> >search_kw = {}
> >search_kw['objectclass'] = ['mepManagedEntry']
> >
> >if not options['private']:
> >local_filter = ldap.make_filter(search_kw, rules=ldap.MATCH_NONE)
> >
> >else:
> >local_filter = ldap.make_filter(search_kw, rules=ldap.MATCH_ALL)
> >
> >filter = ldap.combine_filters((local_filter, filter),
> >rules=ldap.MATCH_ALL)
> >
> >--
> >Jan
> 
> It was determined that the ipauniqueid is required for the DN on these
> objects.
> It's an ipaAssociation which uses it as the rdn, if we change the problems
> cascade
> 
> This patch has now changed to reflect the optimization in the netgroup
> search instead.
> It provides a cleaner method of performing a netgroup search for native
> netgroups and allows for the --private search to only display the
> mepManagedEntry netgroups, rather than ALL netgroups. Previously --private
> would return ALL netgroups.
> 
> This means there is no need to modify test_netgroup_plugin.
> 
> Please verify that the optimization / bugfix passes the standard
> test_netgroup_plugin.

Ack

Jan

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 19 Cleanup for netgroup search

[JR Aquino]

On 2/17/11 3:23 AM, "Jan Zelený"  wrote:

>JR Aquino  wrote:
>> This patch fixes the netgroup plugin's behavior of adding duplicate
>>entries
>> when the managed entry plugin creates a netgroup with a mepManagedEntry
>> This problem is documented in ticket:
>> https://fedorahosted.org/freeipa/ticket/963
>> 
>> As noted by Endi for issue #3 in the History:
>> "3. Just out of curiosity, I tried adding a netgroup with the same name
>>as
>> the hostgroup. I expected it to conflict with the managed netgroup, but
>>it
>> actually worked. Searching the directory will return 2 netgroups with
>>the
>> same name:"
>> 
>> Historically the netgroup plugin had inappropriately defined:
>>rdn_attribute
>> = 'ipauniqueid' This caused the ability of duplication with the creation
>> of native netgroups using the ipaUniqueId as the DN and as the Managed
>> Entry netgroups utilizing the cn as the DN.
>> 
>> Patch includes adjustments for the netgroup plugin and corresponding
>> test_netgroup_plugin
>> 
>> Please verify that the items requested in #963 are now complete and
>>please
>> confirm that the corresponding tests all pass.
>
>One test fails:
>FAIL: test_netgroup[30]: netgroup_remove_member: Remove netgroup
>u'netgroup2' 
>from netgroup u'netgroup1'
>
>Command ipa host-show still shows:
>Member of netgroups: testhostgroup
>
>Also a little bit of nitpicking, I think the changed code in chunk 2
>would 
>better look something like this:
>
>search_kw = {}
>search_kw['objectclass'] = ['mepManagedEntry']
>if not options['private']:
>local_filter = ldap.make_filter(search_kw, rules=ldap.MATCH_NONE)
>else:
>local_filter = ldap.make_filter(search_kw, rules=ldap.MATCH_ALL)
>filter = ldap.combine_filters((local_filter, filter),
>rules=ldap.MATCH_ALL)
>
>--
>Jan

It was determined that the ipauniqueid is required for the DN on these
objects.
It's an ipaAssociation which uses it as the rdn, if we change the problems
cascade

This patch has now changed to reflect the optimization in the netgroup
search instead.
It provides a cleaner method of performing a netgroup search for native
netgroups and allows for the --private search to only display the
mepManagedEntry netgroups, rather than ALL netgroups. Previously --private
would return ALL netgroups.

This means there is no need to modify test_netgroup_plugin.

Please verify that the optimization / bugfix passes the standard
test_netgroup_plugin.



freeipa-jraquino-0019-Cleanup-for-netgroup-search.patch
Description: freeipa-jraquino-0019-Cleanup-for-netgroup-search.patch
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 18 Use TLS for ipadiscovery during ipa client install

[Jan Zeleny]

JR Aquino  wrote:
> Lets try now. Attached is the corrected patch.
> 
> There were several spots in ipa-client-install where the server could be
> defined and it was getting missed.
> I have omitted any change to ipa-client-install and instead just focused
> on ipadiscovery.py
> 
> ipadiscovery.py now performs its own fetch of the CACert just to be sure.
> 
> Regarding TLS vs LDAPS.
> 
> LDAP over SSL was common in LDAP Version 2 (LDAPv2) but it was never
> standardized in any formal specification. This usage has been deprecated
> along with LDAPv2, which was officially retired in 2003.
> 
> LDAPS is still supported, but considered deprecated in favor of TLS as
> defined in RFC2830.
> 
> On 2/17/11 2:01 AM, "Jan Zelený"  wrote:
> >JR Aquino  wrote:
> >> This patch addresses the need to utilize TLS when using the
> >> ipa-client-install tool. It addresses ticket:
> >> https://fedorahosted.org/freeipa/ticket/974
> >
> >Nack, running ipa-client-install returned this error:
> >
> ># ipa-client-install
> >Retrieving CA from None failed.
> >Command '/usr/bin/wget -O /etc/ipa/ca.crt http://None/ipa/config/ca.crt'
> >returned non-zero exit status 4
> >
> >
> >One more question - shouldn't you use ldaps directly to connect to the
> >server?
> >Jan


Sorry, I have to Nack it again, the patch seems incoplete, since it is only 
adding some cacert fetching code to IPADiscovery.

Jan

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 031 Remove WebUI identifiers from global namespace

[Adam Young]

On 02/17/2011 05:21 AM, Martin Kosek wrote:

On Wed, 2011-02-16 at 10:46 -0500, Adam Young wrote:

Almost there.

I'd like to pull the sudo namespace out of ipa.js and put it into
sudorule.js, then indicate  that the other sudo files depend on sudo
rule.


I guess I should have been clearer:  stuff like facets and widgets
don't need to go into a sub, namespace, just custom code called by
them.  I'm thinking that widgets and facets in the long term should
become a sub-namespace of IPA themselseves:  so IPA.widget.text,
IPA.facet.details, and then the more specific ones.  While I don't
want to do that in this patch, keep that in mind when deciding which
namespace to put something into.  A good rul of thumb is that an
entity name should not be repeated in a function name, so something
like IPA.sudo.sudorule_details_facet should be
IPA.sudorule_details_facet  but any custom functions it calls should
be in IPA.sudo.

I have prepared a next version of patch with the above comments applied.
Facets and widgets are in IPA namespace now. Still, I cannot do much of
a renaming with sub-namespace custom methods that are called by *_widget
or *_facet functions - they would collide. E.g.
IPA.sudo.sudorule_add_dialog cannot be renamed to IPA.sudo.add_dialog
because it would collide with renamed IPA.sudo.sudocmd_add_dialog.


I'm being a bit picky here as this is probably the last major cleanup
we'll get to do before GA, and this is the code that people will look
at.  I want it to be as understandable as possible.


I know that since you have worked on WebUI for a long time, you have a
pretty clear picture what it should look like. I hope this patch version
is consistent with the plan.

Martin


___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Looks good.  Only problem is on braces.  we have a code standard that is 
like this



IPA.something = function () {


not


IPA.something = function ()
{


This is due to Javascript being ambiguous in certain circumstances about 
where it puts an implicit end of statement.



https://fedorahosted.org/freeipa/wiki/Javascript_Coding_Standards


For name shortening,   sudo.sudorule_ should be sudo.rule_


On the patch I sent you as an  example,  I broke the "View Cert" 
button.  I didn't test that here.  Did you make sure that still works?




___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 033 Browser configuration support for Firefox 4

[Adam Young]

On 02/17/2011 11:56 AM, Martin Kosek wrote:

Support of navigator.preferences that is used to access browser
configuration was dropped in Firefox 4. This disables automatic
configuration of user preferences in this browser that is needed
to use Kerberos single sign-on.

This patch detectes a lack of this interface and tries to
configure the browser using new Services module introduced in
Gecko 2 (used in Firefox 4, SeaMonkey 2.1).

https://fedorahosted.org/freeipa/ticket/975



___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

ACK.  Pushed to master
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

[Freeipa-devel] [PATCH] 729 special handling for nsaccountlock

[Rob Crittenden]

nsaccountlock doesn't have a visible Param but we want do so some basic 
validation to be sure garbage doesn't get in there so do it in the 
pre_callback of add and mod.


ticket 968

rob


freeipa-rcrit-729-nsaccountlock.patch
Description: application/mbox
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] Remove-bright-green-from-the-tabs-and-subnav

[Adam Young]

Several of the subtab text items are no longer visible:  user, host, 
netgroups on the Identity tab, self service permissions on the Server TAb.



On 02/16/2011 10:33 AM, Kyle Baker wrote:

Ayoung, check it out.


___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 0012-Remove-images-and-replace-with-css-color-in-dialogs.patch

[Adam Young]

On 02/17/2011 11:13 AM, Kyle Baker wrote:

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel



If we are going to make this change, please remove (git rm) the icons 
that are no longer used as part of the patch.


___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 0085 Register client into DNS on install

[Simo Sorce]

On Thu, 17 Feb 2011 11:34:30 -0500
Simo Sorce  wrote:

> 
> If DNS Updates are available then try to register the ip address as
> determined by connecting to the ipa server.
> 
> This allows also the creation of the DNS A record if none was
> available before, which means you can add clients without having to
> pre-register them in the DNS.
> 
> Fixes #935
> 
> Simo.
> 

Forgot to add rpm dependency on bind-utils for the client package.

New patch attached.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
>From 5d18f15b735f81fb6cbfaced7b492eeae21283ca Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Thu, 17 Feb 2011 08:30:36 -0500
Subject: [PATCH] Try to register DNS name through a DNS Update on install.

Fixes: https://fedorahosted.org/freeipa/ticket/935
---
 freeipa.spec.in   |1 +
 ipa-client/ipa-install/ipa-client-install |   86 +
 ipaserver/plugins/join.py |2 +-
 3 files changed, 88 insertions(+), 1 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index f301aa26a66eb305369f4a4fe72e5c311ba86606..4def47598ec6fce5a7ce5e1dd80c029c9e46478a 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -138,6 +138,7 @@ Requires: xmlrpc-c
 Requires: sssd >= 1.5.1
 Requires: certmonger >= 0.26
 Requires: nss-tools
+Requires: bind-utils
 
 Obsoletes: ipa-client >= 1.0
 
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 20c327d492c28e0fdf2f5fec98e2d3d5d651e9fc..c3b579ac4d27b32d05647a5b503100f4a97f5d0c 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -32,6 +32,7 @@ try:
 import ipaclient.ipachangeconf
 import ipaclient.ntpconf
 from ipapython.ipautil import run, user_input, CalledProcessError, file_exists
+from ipapython import ipautil
 from ipapython import sysrestore
 from ipapython import version
 from ipapython import certmonger
@@ -503,6 +504,82 @@ def configure_sssd_conf(fstore, cli_domain, cli_server, options):
 
 return 0
 
+def resolve_ipaddress(server):
+""" Connect to the server's ldap port in order to determine what ip
+address this machine uses as "public" ip (relative to the server).
+"""
+
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM, socket.IPPROTO_TCP)
+s.connect((server, 389))
+addr, port = s.getsockname()
+s.close()
+
+return addr
+
+UPDATE_TEMPLATE_A = """
+zone $ZONE.
+update delete $HOSTNAME. IN A
+send
+update add $HOSTNAME. $TTL IN A $IPADDRESS
+send
+"""
+
+UPDATE_TEMPLATE_ = """
+zone $ZONE.
+update delete $HOSTNAME. IN 
+send
+update add $HOSTNAME. $TTL IN  $IPADDRESS
+send
+"""
+
+UPDATE_FILE = "/etc/ipa/.dns_update.txt"
+CCACHE_FILE = "/etc/ipa/.dns_ccache"
+
+def update_dns(server, hostname):
+
+ip = resolve_ipaddress(server)
+
+sub_dict = dict(HOSTNAME=hostname,
+IPADDRESS=ip,
+TTL=1200,
+ZONE='.'.join(hostname.split('.')[1:])
+)
+
+template = None
+if len(ip.split('.')) == 4:
+template = UPDATE_TEMPLATE_A
+elif len(ip.split(':')) > 1:
+template = UPDATE_TEMPLATE_
+
+if template is None:
+print >>sys.stderr, "Failed to determine machine's ip address."
+print >>sys.stderr, "Failed to update DNS A record."
+return
+
+update_txt = ipautil.template_str(template, sub_dict)
+update_fd = file(UPDATE_FILE, "w")
+update_fd.write(update_txt)
+update_fd.flush()
+update_fd.close()
+
+try:
+ipautil.run(['/usr/bin/kinit', '-k', '-t', '/etc/krb5.keytab'],
+env={'KRB5CCNAME':CCACHE_FILE})
+except CalledProcessError, e:
+print >>sys.stderr, "Failed to obtain host TGT."
+
+try:
+ipautil.run(['/usr/bin/nsupdate', '-g', "/etc/ipa/.dns_update.txt"],
+env={'KRB5CCNAME':CCACHE_FILE})
+except CalledProcessError, e:
+print >>sys.stderr, "Failed to update DNS A record. (%s)" % str(e)
+
+try:
+os.remove(UPDATE_FILE)
+os.remove(CCACHE_FILE)
+except:
+pass
+
 def main():
 safe_options, options = parse_options()
 logging_setup(options)
@@ -740,6 +817,15 @@ def main():
 
 configure_certmonger(fstore, subject_base, cli_realm, options)
 
+#Try to update the DNS records, failure is not fatal
+if not options.on_master:
+if options.hostname:
+hostname = options.hostname
+else:
+hostname = socket.gethostname()
+
+update_dns(cli_server, hostname)
+
 if options.sssd:
 nscd_action = "stop"
 nscd_status = "off"
diff --git a/ipaserver/plugins/join.py b/ipaserver/plugins/join.py
index 992c6868eab12087f8439f29ab1e3a01ece3106a..81c336b27ae4be6800b97e397238205e30d96534 100644
--- a/ipaserver/plugins/join.py
+++ b/ipaserver/plugins/join.py
@@ -110,7 +110,7 @@ class join(Command):
 

[Freeipa-devel] [PATCH] 0085 Register client into DNS on install

[Simo Sorce]

If DNS Updates are available then try to register the ip address as
determined by connecting to the ipa server.

This allows also the creation of the DNS A record if none was available
before, which means you can add clients without having to pre-register
them in the DNS.

Fixes #935

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

[Freeipa-devel] [PATCH] 0012-Remove-images-and-replace-with-css-color-in-dialogs.patch

[Kyle Baker]

From a1cc75603556cd43f2f9ea465bbea965d6f869ac Mon Sep 17 00:00:00 2001
From: Kyle Baker 
Date: Thu, 17 Feb 2011 11:11:42 -0500
Subject: [PATCH] Remove images and replace with css color in  dialogs

---
 install/ui/ipa.css |   10 +++---
 1 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/install/ui/ipa.css b/install/ui/ipa.css
index 2c0af2e..4a2d837 100644
--- a/install/ui/ipa.css
+++ b/install/ui/ipa.css
@@ -400,6 +400,10 @@ span.attrhint {
 .ui-widget-content {
 }
 
+.ui-dialog .ui-dialog-titlebar {
+	padding: 0.5em 1em;
+	position: relative;
+}
 
 .ui-widget-content a {
 text-decoration: none;
@@ -409,9 +413,9 @@ span.attrhint {
 }
 
 .ui-widget-header {
-background: url("modal-background.png") repeat scroll 50% 50% #1f9123;
-border: 1px solid #244c16;
-color: #EE;
+background: -moz-linear-gradient(center top , #225314, #1c400a) repeat scroll 0 0 transparent;
+background: -webkit-gradient(linear, left top, left bottom, from(#225314), to(#1c400a));
+	border: 1px solid #319016;
 font-weight: bold;
 }
 
-- 
1.7.3.2

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 48 Document the --rights output format

[Jan Zelený]

Rob Crittenden  wrote:
> Jan Zelený wrote:
> > https://fedorahosted.org/freeipa/ticket/563
> > https://fedorahosted.org/freeipa/ticket/588
> > 
> > Jan
> 
> This is a good start, I think we need to include some guidance on why
> this exists and why it exists where it does.
> 
> It exists so a user interface can know in advance what the current
> user's rights are for a given entry so that the user experience is
> better (currently used by the Web UI to disable attributes that are not
> writable).
> 
> It appears in the add and mod commands to avoid having to do a show
> after an entry is added or updated.
> 
> rob

I updated the patch with a note that it is primarily used for internal 
purposes of CLI and WebUI, I think this should be sufficient description.

I also deleted the line converting unicode strings to str because it broke 
JSON-RPC communication.

Jan
From ac16208ca8cc25b02b9d17f40b4124d4c084c566 Mon Sep 17 00:00:00 2001
From: Jan Zeleny 
Date: Thu, 17 Feb 2011 03:55:14 -0500
Subject: [PATCH] Document the --rights output format

https://fedorahosted.org/freeipa/ticket/563
https://fedorahosted.org/freeipa/ticket/588
---
 ipa.1  |   15 ++-
 ipalib/plugins/baseldap.py |4 ++--
 2 files changed, 16 insertions(+), 3 deletions(-)

diff --git a/ipa.1 b/ipa.1
index eb8fe8cd085f8ab7c76fbee6a8357965e279d5e6..e346853877317b19a4904fbbde6baa90aefd028c 100644
--- a/ipa.1
+++ b/ipa.1
@@ -106,13 +106,26 @@ The above types of commands take the objects primary key as their only positiona
 
 For some types of objects, these commands might need to take more than one primary key. This applies to IPA objects organized in hierarchies where the parent object needs to be identified first. Parent primary keys are always aligned to the left (higher in the hierarchy = more to the left). For example the automount IPA plugin enables users to manage automount maps per location, as a result all automount commands take an automountlocation primary key as their first positional argument.
 
-All commands that display objects have two special options for controlling output:
+All commands that display objects have three special options for controlling output:
 .TP
 \fB\-\-all\fR
 Dispaly all attributes. Without this option only the most relevant attributes are displayed.
 .TP
 \fB\-\-raw\fR
 Display objects as they are stored in the backing store. Disables formatting and attribute labels.
+.TP
+\fB\-\-rights\fR
+Display effective rights on all attributes of the entry. You also have to specify \fB\-\-all\fR for this to work. User rights are returned as Python dictionary where index is the name of an attribute and value is a unicode string composed (hence the u'' format) of letters specified below. Note that user rights are primarily used for internal purposes of CLI and WebUI.
+
+.ad l
+r - read\p
+s - search\p
+w - write\p
+o - obliterate (delete)\p
+c - compare\p
+W - self-write\p
+O - self-obliterate
+
 .SH "EXAMPLES"
 .TP
 \fBipa help commands\fR
diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py
index f403990ff86f33140b2a91405f8f0cde2d079644..2d25219daa2e4a464d650705665aaa6ff33f1a16 100644
--- a/ipalib/plugins/baseldap.py
+++ b/ipalib/plugins/baseldap.py
@@ -666,7 +666,7 @@ class LDAPRetrieve(LDAPQuery):
 takes_options = (
 Flag('rights',
 label=_('Rights'),
-doc=_('Display the access rights to modify this entry (requires --all)'),
+doc=_('Display the access rights of this entry (requires --all). See ipa man page for details.'),
 ),
 )
 
@@ -732,7 +732,7 @@ class LDAPUpdate(LDAPQuery, crud.Update):
 takes_options = _attr_options + (
 Flag('rights',
 label=_('Rights'),
-doc=_('Display the access rights to modify this entry (requires --all)'),
+doc=_('Display the access rights of this entry (requires --all). See ipa man page for details.'),
 ),
 )
 
-- 
1.7.4

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 49 Fixed user-add help

[Rob Crittenden]

Martin Kosek wrote:

On Thu, 2011-02-17 at 08:55 -0500, Jan Zeleny wrote:

Sending updated patch

Jan

- Original Message -
From: "Jan Zelený"
To: freeipa-devel@redhat.com
Sent: Thursday, February 17, 2011 1:29:28 PM
Subject: [Freeipa-devel] [PATCH] 49 Fixed user-add help

https://fedorahosted.org/freeipa/ticket/735

Jan


ACK.

So extensive BZ description for such a short patch :-)

Martin


pushed to master

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 18 Use TLS for ipadiscovery during ipa client install

[JR Aquino]

Lets try now. Attached is the corrected patch.

There were several spots in ipa-client-install where the server could be
defined and it was getting missed.
I have omitted any change to ipa-client-install and instead just focused
on ipadiscovery.py

ipadiscovery.py now performs its own fetch of the CACert just to be sure.

Regarding TLS vs LDAPS.

LDAP over SSL was common in LDAP Version 2 (LDAPv2) but it was never
standardized in any formal specification. This usage has been deprecated
along with LDAPv2, which was officially retired in 2003.

LDAPS is still supported, but considered deprecated in favor of TLS as
defined in RFC2830.

On 2/17/11 2:01 AM, "Jan Zelený"  wrote:

>JR Aquino  wrote:
>> This patch addresses the need to utilize TLS when using the
>> ipa-client-install tool. It addresses ticket:
>> https://fedorahosted.org/freeipa/ticket/974
>
>Nack, running ipa-client-install returned this error:
>
># ipa-client-install
>Retrieving CA from None failed.
>Command '/usr/bin/wget -O /etc/ipa/ca.crt http://None/ipa/config/ca.crt'
>returned non-zero exit status 4
>
>
>One more question - shouldn't you use ldaps directly to connect to the
>server?
>Jan



binRzo02LE4jS.bin
Description: freeipa-jraquino-0018-2-Use-TLS-for-ipadiscovery-during-ipa-client-inst.patch
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 49 Fixed user-add help

[Martin Kosek]

On Thu, 2011-02-17 at 08:55 -0500, Jan Zeleny wrote:
> Sending updated patch
> 
> Jan
> 
> - Original Message -
> From: "Jan Zelený" 
> To: freeipa-devel@redhat.com
> Sent: Thursday, February 17, 2011 1:29:28 PM
> Subject: [Freeipa-devel] [PATCH] 49 Fixed user-add help
> 
> https://fedorahosted.org/freeipa/ticket/735
> 
> Jan

ACK.

So extensive BZ description for such a short patch :-)

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 48 Document the --rights output format

[Rob Crittenden]

Jan Zelený wrote:

https://fedorahosted.org/freeipa/ticket/563
https://fedorahosted.org/freeipa/ticket/588

Jan


This is a good start, I think we need to include some guidance on why 
this exists and why it exists where it does.


It exists so a user interface can know in advance what the current 
user's rights are for a given entry so that the user experience is 
better (currently used by the Web UI to disable attributes that are not 
writable).


It appears in the add and mod commands to avoid having to do a show 
after an entry is added or updated.


rob

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 49 Fixed user-add help

[Jan Zeleny]

Sending updated patch

Jan

- Original Message -
From: "Jan Zelený" 
To: freeipa-devel@redhat.com
Sent: Thursday, February 17, 2011 1:29:28 PM
Subject: [Freeipa-devel] [PATCH] 49 Fixed user-add help

https://fedorahosted.org/freeipa/ticket/735

JanFrom 52fa78ffe70d581125f54ca9138e8afba06aacc8 Mon Sep 17 00:00:00 2001
From: Jan Zeleny 
Date: Thu, 17 Feb 2011 07:25:57 -0500
Subject: [PATCH] Fixed user-add help

https://fedorahosted.org/freeipa/ticket/735
---
 ipalib/plugins/user.py |2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py
index 2c9ec1fa99788422e6e3a7e881abb31e886022bf..053c7f36d284f6e0508773b3708121872a78205c 100644
--- a/ipalib/plugins/user.py
+++ b/ipalib/plugins/user.py
@@ -38,7 +38,7 @@ about this topic please see: ipa help passwd
 EXAMPLES:
 
  Add a new user:
-   ipa user-add --first=Tim --last=User --passwd tuser1
+   ipa user-add --first=Tim --last=User --password tuser1
 
  Find all users whose entries include the string "Tim":
ipa user-find Tim
-- 
1.7.4

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] Localization patches.

[John Dennis]

On 02/16/2011 11:09 PM, Rob Crittenden wrote:

What is switching from xgettext to pygettext going to do?


It allows supports extracting Python doc strings in addition to strings 
marked with _(). We use doc strings for our help messages. You can't 
wrap a doc string in _(). Think of pygetext as a smarter version of 
xgettext tailored to Python.

--
John Dennis 

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 0084 Fix duplicate OIDs

[Simo Sorce]

On Wed, 16 Feb 2011 22:30:24 -0500
Rob Crittenden  wrote:

> Simo Sorce wrote:
> >
> > Apparently we forgot to check OID consistency between the schema and
> > the extensions, and we got duplicates.
> >
> > Technically the schema was done later but it is easier to change the
> > extensions OIDs then to change the schema of current beta2/rc1
> > installations.
> >
> > The only side effect is that older ipa-getkeytab and ipa-join
> > binaries will fail. So the admin/client tools must be upgraded as
> > well at the same time as well all the masters (as otherwise some
> > will show/accept the new OID while others won't).
> >
> > Simo.
> >
> 
> ack. Simo, when you push it can you include this description in the
> git commit message, it makes things very clear.
> 
> rob

Ok, added text and pushed to master.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

[Freeipa-devel] [PATCH] 49 Fixed user-add help

[Jan Zelený]

https://fedorahosted.org/freeipa/ticket/735

Jan
From 52fa78ffe70d581125f54ca9138e8afba06aacc8 Mon Sep 17 00:00:00 2001
From: Jan Zeleny 
Date: Thu, 17 Feb 2011 07:25:57 -0500
Subject: [PATCH] Fixed user-add help

https://fedorahosted.org/freeipa/ticket/735
---
 ipalib/plugins/user.py |2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py
index 2c9ec1fa99788422e6e3a7e881abb31e886022bf..053c7f36d284f6e0508773b3708121872a78205c 100644
--- a/ipalib/plugins/user.py
+++ b/ipalib/plugins/user.py
@@ -38,7 +38,7 @@ about this topic please see: ipa help passwd
 EXAMPLES:
 
  Add a new user:
-   ipa user-add --first=Tim --last=User --passwd tuser1
+   ipa user-add --first=Tim --last=User --password
 
  Find all users whose entries include the string "Tim":
ipa user-find Tim
-- 
1.7.4

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 19 prevent duplicate netgroup entries

[Jan Zelený]

JR Aquino  wrote:
> This patch fixes the netgroup plugin's behavior of adding duplicate entries
> when the managed entry plugin creates a netgroup with a mepManagedEntry
> This problem is documented in ticket:
> https://fedorahosted.org/freeipa/ticket/963
> 
> As noted by Endi for issue #3 in the History:
> "3. Just out of curiosity, I tried adding a netgroup with the same name as
> the hostgroup. I expected it to conflict with the managed netgroup, but it
> actually worked. Searching the directory will return 2 netgroups with the
> same name:"
> 
> Historically the netgroup plugin had inappropriately defined: rdn_attribute
> = 'ipauniqueid' This caused the ability of duplication with the creation
> of native netgroups using the ipaUniqueId as the DN and as the Managed
> Entry netgroups utilizing the cn as the DN.
> 
> Patch includes adjustments for the netgroup plugin and corresponding
> test_netgroup_plugin
> 
> Please verify that the items requested in #963 are now complete and please
> confirm that the corresponding tests all pass.

One test fails:
FAIL: test_netgroup[30]: netgroup_remove_member: Remove netgroup u'netgroup2' 
from netgroup u'netgroup1'

Command ipa host-show still shows:
Member of netgroups: testhostgroup

Also a little bit of nitpicking, I think the changed code in chunk 2 would 
better look something like this:

search_kw = {}
search_kw['objectclass'] = ['mepManagedEntry']
if not options['private']:
local_filter = ldap.make_filter(search_kw, rules=ldap.MATCH_NONE)
else:
local_filter = ldap.make_filter(search_kw, rules=ldap.MATCH_ALL)
filter = ldap.combine_filters((local_filter, filter), rules=ldap.MATCH_ALL)

--
Jan

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 059 Use unicode parameters in the host plugin

[Jakub Hrozek]

On Thu, Feb 17, 2011 at 11:30:03AM +0100, Jan Zelený wrote:
> Better, thanks. I'd also like to change the code which is using this function,
> so the conversion doesn't take place twice. 

I think it's safe. The documentation on unicode() says:

---
More precisely, if object is a Unicode string or subclass it
will return that Unicode string without any additional decoding applied.


___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 059 Use unicode parameters in the host plugin

[Jan Zelený]

Jakub Hrozek  wrote:
> On Thu, Feb 17, 2011 at 11:06:35AM +0100, Jan Zelený wrote:
> > Jan Zelený  wrote:
> > > Jakub Hrozek  wrote:
> > > > While reviewing Rob's latest patch I found out that we didn't convert
> > > > to unicode on couple of places in the host plugin.
> > > 
> > > ack
> > 
> > On a second thoughts - maybe the _get_unicode_reverse_zone isn't
> > necessary at all - is it possible to do this change directly at the
> > get_reverse_zone?
> > 
> > Jan
> 
> attached.
> 
> also removed a line of dead code.

Better, thanks. I'd also like to change the code which is using this function, 
so the conversion doesn't take place twice. On the other hand that would be 
rather big change, which IMO shouldn't occur in RC. I think filing a cleanup 
ticket for this is the best option.

Ack

Jan

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 031 Remove WebUI identifiers from global namespace

[Martin Kosek]

On Wed, 2011-02-16 at 10:46 -0500, Adam Young wrote:
> 
> Almost there.
> 
> I'd like to pull the sudo namespace out of ipa.js and put it into
> sudorule.js, then indicate  that the other sudo files depend on sudo
> rule.
> 
> 
> I guess I should have been clearer:  stuff like facets and widgets
> don't need to go into a sub, namespace, just custom code called by
> them.  I'm thinking that widgets and facets in the long term should
> become a sub-namespace of IPA themselseves:  so IPA.widget.text,
> IPA.facet.details, and then the more specific ones.  While I don't
> want to do that in this patch, keep that in mind when deciding which
> namespace to put something into.  A good rul of thumb is that an
> entity name should not be repeated in a function name, so something
> like IPA.sudo.sudorule_details_facet should be
> IPA.sudorule_details_facet  but any custom functions it calls should
> be in IPA.sudo.

I have prepared a next version of patch with the above comments applied.
Facets and widgets are in IPA namespace now. Still, I cannot do much of
a renaming with sub-namespace custom methods that are called by *_widget
or *_facet functions - they would collide. E.g.
IPA.sudo.sudorule_add_dialog cannot be renamed to IPA.sudo.add_dialog
because it would collide with renamed IPA.sudo.sudocmd_add_dialog.

> 
> I'm being a bit picky here as this is probably the last major cleanup
> we'll get to do before GA, and this is the code that people will look
> at.  I want it to be as understandable as possible.
> 

I know that since you have worked on WebUI for a long time, you have a
pretty clear picture what it should look like. I hope this patch version
is consistent with the plan.

Martin
>From 90fbbcbf5d5eeaad317666f2c347b90c21786b54 Mon Sep 17 00:00:00 2001
From: Martin Kosek 
Date: Wed, 16 Feb 2011 14:26:35 +0100
Subject: [PATCH] Remove WebUI identifiers from global namespace

Many WebUI identifiers were defined in a global namespace. This is
not a good programming practice and may result in name clashes,
for example with other libraries.

This patch moves these variables to IPA namespace or its
sub-namespaces, when meaningful.

https://fedorahosted.org/freeipa/ticket/212
---
 install/ui/certificate.js|  726 +-
 install/ui/entity.js |5 +-
 install/ui/host.js   |   14 +-
 install/ui/ipa.js|1 -
 install/ui/navigation.js |  259 ++--
 install/ui/policy.js |   16 +-
 install/ui/search.js |   71 
 install/ui/service.js|   14 +-
 install/ui/sudocmd.js|6 +-
 install/ui/sudocmdgroup.js   |6 +-
 install/ui/sudorule.js   |   22 +-
 install/ui/test/certificate_tests.js |   36 +-
 install/ui/test/navigation_tests.js  |   60 ++--
 install/ui/webui.js  |6 +-
 14 files changed, 592 insertions(+), 650 deletions(-)

diff --git a/install/ui/certificate.js b/install/ui/certificate.js
index 3158d04883af8cb7eb1f9a0f02e936801f0ea358..56995282f29e36c3999535b811abed37225f589f 100755
--- a/install/ui/certificate.js
+++ b/install/ui/certificate.js
@@ -20,377 +20,379 @@
  * along with this program.  If not, see .
  */
 
-var BEGIN_CERTIFICATE = '-BEGIN CERTIFICATE-';
-var END_CERTIFICATE   = '-END CERTIFICATE-';
-
-var BEGIN_CERTIFICATE_REQUEST = '-BEGIN CERTIFICATE REQUEST-';
-var END_CERTIFICATE_REQUEST   = '-END CERTIFICATE REQUEST-';
-
-var CRL_REASON = [
-'Unspecified',
-'Key Compromise',
-'CA Compromise',
-'Affiliation Changed',
-'Superseded',
-'Cessation of Operation',
-'Certificate Hold',
-null,
-'Remove from CRL',
-'Privilege Withdrawn',
-'AA Compromise'
-];
-
-var CERTIFICATE_STATUS_MISSING = 0;
-var CERTIFICATE_STATUS_VALID   = 1;
-var CERTIFICATE_STATUS_REVOKED = 2;
-
-function certificate_parse_dn(dn) {
-
-var result = {};
-if (!dn) return result;
-
-// TODO: Use proper LDAP DN parser
-var rdns = dn.split(',');
-for (var i=0; i', {
-'title': that.title
-});
-
-var textarea = $('', {
-readonly: 'yes',
-style: 'width: 100%; height: 275px;'
-}).appendTo(dialog);
-
-textarea.val(
-BEGIN_CERTIFICATE+'\n'+
-that.usercertificate+'\n'+
-END_CERTIFICATE  );
-
-that.open = function() {
-dialog.dialog({
-modal: true,
-width: 500,
-height: 400,
-buttons: {
-'Close': function() {
-dialog.dialog('destroy');
-}
+IPA.cert = {
+BEGIN_CERTIFICATE : '-BEGIN CERTIFICATE-',
+END_CERTIFICATE   : '-END CERTIFICATE-',
+BEGIN_CERTIFICATE_REQUEST : '-BEGIN CERTIFICATE REQUEST-',
+END_CERTIFICATE_REQUEST   : '-END CERTIFICATE REQUEST-',
+CRL_REASON : [
+'Unspecif

Re: [Freeipa-devel] [PATCH] 059 Use unicode parameters in the host plugin

[Jakub Hrozek]

On Thu, Feb 17, 2011 at 11:06:35AM +0100, Jan Zelený wrote:
> Jan Zelený  wrote:
> > Jakub Hrozek  wrote:
> > > While reviewing Rob's latest patch I found out that we didn't convert to
> > > unicode on couple of places in the host plugin.
> > 
> > ack
> 
> On a second thoughts - maybe the _get_unicode_reverse_zone isn't necessary at 
> all - is it possible to do this change directly at the get_reverse_zone?
> 
> Jan
> 

attached.

also removed a line of dead code.
>From 96b1342c815435d505be246478f22f902cab6250 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek 
Date: Wed, 16 Feb 2011 10:33:24 -0500
Subject: [PATCH] Use unicode parameters in the host plugin

https://fedorahosted.org/freeipa/ticket/977
---
 ipaserver/install/bindinstance.py |4 +---
 1 files changed, 1 insertions(+), 3 deletions(-)

diff --git a/ipaserver/install/bindinstance.py 
b/ipaserver/install/bindinstance.py
index ea9280b..e005653 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -108,7 +108,7 @@ def get_reverse_zone(ip_address_str):
 else:
 raise ValueError('Bad address format?')
 
-return zone, name
+return unicode(zone), unicode(name)
 
 def dns_zone_exists(name):
 try:
@@ -276,8 +276,6 @@ class BindInstance(service.Service):
 else:
 self.zonemgr = 'root.%s.%s' % (self.host, self.domain)
 
-self.reverse_subnet, self.reverse_host = get_reverse_zone(ip_address)
-
 self.__setup_sub_dict()
 
 def create_sample_bind_zone(self):
-- 
1.7.4

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 059 Use unicode parameters in the host plugin

[Jan Zelený]

Jan Zelený  wrote:
> Jakub Hrozek  wrote:
> > While reviewing Rob's latest patch I found out that we didn't convert to
> > unicode on couple of places in the host plugin.
> 
> ack

On a second thoughts - maybe the _get_unicode_reverse_zone isn't necessary at 
all - is it possible to do this change directly at the get_reverse_zone?

Jan

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 18 Use TLS for ipadiscovery during ipa client install

[Jan Zelený]

JR Aquino  wrote:
> This patch addresses the need to utilize TLS when using the
> ipa-client-install tool. It addresses ticket:
> https://fedorahosted.org/freeipa/ticket/974

Nack, running ipa-client-install returned this error:

# ipa-client-install
Retrieving CA from None failed.
Command '/usr/bin/wget -O /etc/ipa/ca.crt http://None/ipa/config/ca.crt' 
returned non-zero exit status 4


One more question - shouldn't you use ldaps directly to connect to the server?
Jan

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 059 Use unicode parameters in the host plugin

[Jan Zelený]

Jakub Hrozek  wrote:
> While reviewing Rob's latest patch I found out that we didn't convert to
> unicode on couple of places in the host plugin.

ack

Jan

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 47 Validate that the reverse DNS record is correct

[Adam Tkac]

On Wed, Feb 16, 2011 at 05:26:55PM +0100, Jan Zeleny wrote:
> Adam Tkac  wrote:
> > On Wed, Feb 16, 2011 at 10:53:14AM +0100, Jan Zelený wrote:
> > > This patch ensures that PTR records added by FreeIPA are compliant with
> > > RFC.
> > 
> > Nack.
> > 
> > In my opinion the _ptrrecord_pre_callback should also handle PTR records
> > for IPv6 addresses.
> > 
> > You can check validity of IPv6 PTR record this way (pseudocode):
> > 
> > zone.replace(.ip6.arpa., '')
> > if (len(addr.split('.')) + len(zone.split('.')) != 32)
> > raise_error
> > 
> > Regards, Adam
> 
> Thanks for the review, I made the changes you suggested. Second patch is in 
> attachment.

Thanks for improvement, now it looks fine for me. Ack.

Regards, Adam

> From a01180772ab9ce9409532892e81f03ea7fc2582a Mon Sep 17 00:00:00 2001
> From: Jan Zeleny 
> Date: Wed, 16 Feb 2011 04:47:36 -0500
> Subject: [PATCH] Validate that the reverse DNS record is correct
> 
> This patch ensures that PTR records added by FreeIPA are compliant with
> RFC.
> 
> https://fedorahosted.org/freeipa/ticket/839
> ---
>  ipalib/plugins/dns.py |   16 
>  1 files changed, 16 insertions(+), 0 deletions(-)
> 
> diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py
> index 
> 592945f78c59877fada5fa6c40eee3b1acb564b2..f50dd51f28f0ff59c8d1fe84730de302d9855467
>  100644
> --- a/ipalib/plugins/dns.py
> +++ b/ipalib/plugins/dns.py
> @@ -619,6 +619,22 @@ class dnsrecord_add(LDAPCreate, 
> dnsrecord_cmd_w_record_options):
>  is_ns_rec_resolvable(ns)
>  return dn
>  
> +def _ptrrecord_pre_callback(self, ldap, dn, entry_attrs, *keys, 
> **options):
> +components = dn.split(',',2)
> +addr = components[0].split('=')[1]
> +zone = components[1].split('=')[1]
> +if zone.find('ip6') != -1:
> +zone = zone.replace('.ip6.arpa.','')
> +zone_len = 32
> +else:
> +zone = zone.replace('.in-addr.arpa.','')
> +zone_len = 4
> +
> +if len(addr.split('.'))+len(zone.split('.')) != zone_len:
> +raise errors.ValidationError(name='cn', error=unicode('IP 
> address must have exactly '+str(zone_len)+' components'))
> +
> +return dn
> +
>  def pre_callback(self, ldap, dn, entry_attrs, *keys, **options):
>  for rtype in options:
>  rtype_cb = '_%s_pre_callback' % rtype
> -- 
> 1.7.4
> 


-- 
Adam Tkac, Red Hat, Inc.

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

[Freeipa-devel] [PATCH] 48 Document the --rights output format

[Jan Zelený]

https://fedorahosted.org/freeipa/ticket/563
https://fedorahosted.org/freeipa/ticket/588

Jan
From 5d23b3fad0dd8bc9633e5a69d069d9346f52 Mon Sep 17 00:00:00 2001
From: Jan Zeleny 
Date: Thu, 17 Feb 2011 03:55:14 -0500
Subject: [PATCH] Document the --rights output format

https://fedorahosted.org/freeipa/ticket/563
https://fedorahosted.org/freeipa/ticket/588
---
 ipa.1  |   15 ++-
 ipalib/plugins/baseldap.py |6 +++---
 2 files changed, 17 insertions(+), 4 deletions(-)

diff --git a/ipa.1 b/ipa.1
index eb8fe8cd085f8ab7c76fbee6a8357965e279d5e6..a322d246f1f74d2bd31796663c1dea1e1d895880 100644
--- a/ipa.1
+++ b/ipa.1
@@ -106,13 +106,26 @@ The above types of commands take the objects primary key as their only positiona
 
 For some types of objects, these commands might need to take more than one primary key. This applies to IPA objects organized in hierarchies where the parent object needs to be identified first. Parent primary keys are always aligned to the left (higher in the hierarchy = more to the left). For example the automount IPA plugin enables users to manage automount maps per location, as a result all automount commands take an automountlocation primary key as their first positional argument.
 
-All commands that display objects have two special options for controlling output:
+All commands that display objects have three special options for controlling output:
 .TP
 \fB\-\-all\fR
 Dispaly all attributes. Without this option only the most relevant attributes are displayed.
 .TP
 \fB\-\-raw\fR
 Display objects as they are stored in the backing store. Disables formatting and attribute labels.
+.TP
+\fB\-\-rights\fR
+Display effective rights on all attributes of the entry. You also have to specify \fB\-\-all\fR for this to work. User rights are returned as Python dictionary where index is the name of an attribute and value is a string composed of following letters:
+
+.ad l
+r - read\p
+s - search\p
+w - write\p
+o - obliterate (delete)\p
+c - compare\p
+W - self-write\p
+O - self-obliterate
+
 .SH "EXAMPLES"
 .TP
 \fBipa help commands\fR
diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py
index f403990ff86f33140b2a91405f8f0cde2d079644..43183c264884b4db2b9f2f50733d0fe1182082d9 100644
--- a/ipalib/plugins/baseldap.py
+++ b/ipalib/plugins/baseldap.py
@@ -180,7 +180,7 @@ def get_effective_rights(ldap, dn, attrs=None):
 rights = rights[0].split(', ')
 for r in rights:
 (k,v) = r.split(':')
-rdict[k.strip().lower()] = v
+rdict[k.strip().lower()] = str(v)
 
 return rdict
 
@@ -666,7 +666,7 @@ class LDAPRetrieve(LDAPQuery):
 takes_options = (
 Flag('rights',
 label=_('Rights'),
-doc=_('Display the access rights to modify this entry (requires --all)'),
+doc=_('Display the access rights of this entry (requires --all). See ipa man page for details.'),
 ),
 )
 
@@ -732,7 +732,7 @@ class LDAPUpdate(LDAPQuery, crud.Update):
 takes_options = _attr_options + (
 Flag('rights',
 label=_('Rights'),
-doc=_('Display the access rights to modify this entry (requires --all)'),
+doc=_('Display the access rights of this entry (requires --all). See ipa man page for details.'),
 ),
 )
 
-- 
1.7.4

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel