Re: [Freeipa-devel] [PATCH] 734 Add handling for indirect memberof other entries.
On Sat, Feb 19, 2011 at 11:47:45PM -0500, Rob Crittenden wrote:
> This creates a new custom attribute, memberofindirect_[plugin]. Using this you can tell the difference between being an actual memberof another entry and being a memberof as the result of inheritance. This is particularly useful when trying to remove members of an entry: you can only remove direct members.
>
> I had to add a couple of short sleep calls to make things work a little better. The memberof plugin runs as a postop and we have no way of knowing when it has done its work. If we don't pause we may show some stale data that memberof hasn't updated yet. .3 seconds is an arbitrary choice.

I don't know the DS plugin architecture well enough, but there's no callback or anything we can hook to? If the machine swaps or something, we might get incorrect data with the sleep anyway.

> The ticket has an excellent test case for this. Similar tests can be done for users/groups and hosts/hostgroups.
>
> ticket 966
>
> rob

The testcase is failing for me:

test_group[13]: hostgroup_add: Create u'testhostgroup1' ... FAIL
test_group[14]: hostgroup_add: Create u'testhostgroup2' ... FAIL

It seems that the objectclasses should be updated:

expected = [u'ipaobject', u'ipahostgroup', u'nestedGroup', u'groupOfNames', u'top']
got = [u'ipaobject', u'ipahostgroup', u'nestedGroup', u'groupOfNames', u'top', u'mepOriginEntry']

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 734 Add handling for indirect memberof other entries.
On Mon, 21 Feb 2011 11:56:39 +0100 Jakub Hrozek jhro...@redhat.com wrote:
> On Sat, Feb 19, 2011 at 11:47:45PM -0500, Rob Crittenden wrote:
>> I had to add a couple of short sleep calls to make things work a little better. The memberof plugin runs as a postop and we have no way of knowing when it has done its work. If we don't pause we may show some stale data that memberof hasn't updated yet. .3 seconds is an arbitrary choice.
>
> I don't know the DS plugin architecture well enough, but there's no callback or anything we can hook to? If the machine swaps or something, we might get incorrect data with the sleep anyway.

Unfortunately the way plugins are done, post-ops are pretty much impossible to catch from the outside. And I really don't like this either.

I would definitely prefer for the reply to the modifying client to wait until the memberof plugin is done, even if this means the operations will be slow. But I don't know if this can be done easily with the current DS architecture ...

The problem is that we cannot even enter a read loop to wait smaller amounts of time until we get back the right answer, because a competing client may change the membership while we are waiting, causing us to loop forever ...

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-devel] [PATCH] 734 Add handling for indirect memberof other entries.
Simo Sorce wrote:
> On Mon, 21 Feb 2011 11:56:39 +0100 Jakub Hrozek jhro...@redhat.com wrote:
>> On Sat, Feb 19, 2011 at 11:47:45PM -0500, Rob Crittenden wrote:
>>> I had to add a couple of short sleep calls to make things work a little better. The memberof plugin runs as a postop and we have no way of knowing when it has done its work. If we don't pause we may show some stale data that memberof hasn't updated yet. .3 seconds is an arbitrary choice.
>>
>> I don't know the DS plugin architecture well enough, but there's no callback or anything we can hook to? If the machine swaps or something, we might get incorrect data with the sleep anyway.
>
> Unfortunately the way plugins are done, post-ops are pretty much impossible to catch from the outside. And I really don't like this either.
>
> I would definitely prefer for the reply to the modifying client to wait until the memberof plugin is done, even if this means the operations will be slow. But I don't know if this can be done easily with the current DS architecture ...
>
> The problem is that we cannot even enter a read loop to wait smaller amounts of time until we get back the right answer, because a competing client may change the membership while we are waiting, causing us to loop forever ...
>
> Simo.

This is the same conclusion I came to, and decided that a brief sleep is the lesser of evils.

rob
Re: [Freeipa-devel] [PATCH] 734 Add handling for indirect memberof other entries.
Jakub Hrozek wrote:
> On Sat, Feb 19, 2011 at 11:47:45PM -0500, Rob Crittenden wrote:
>> This creates a new custom attribute, memberofindirect_[plugin]. Using this you can tell the difference between being an actual memberof another entry and being a memberof as the result of inheritance. This is particularly useful when trying to remove members of an entry: you can only remove direct members.
>>
>> I had to add a couple of short sleep calls to make things work a little better. The memberof plugin runs as a postop and we have no way of knowing when it has done its work. If we don't pause we may show some stale data that memberof hasn't updated yet. .3 seconds is an arbitrary choice.
>
> I don't know the DS plugin architecture well enough, but there's no callback or anything we can hook to? If the machine swaps or something, we might get incorrect data with the sleep anyway.
>
>> The ticket has an excellent test case for this. Similar tests can be done for users/groups and hosts/hostgroups.
>>
>> ticket 966
>>
>> rob
>
> The testcase is failing for me:
>
> test_group[13]: hostgroup_add: Create u'testhostgroup1' ... FAIL
> test_group[14]: hostgroup_add: Create u'testhostgroup2' ... FAIL
>
> It seems that the objectclasses should be updated:
>
> expected = [u'ipaobject', u'ipahostgroup', u'nestedGroup', u'groupOfNames', u'top']
> got = [u'ipaobject', u'ipahostgroup', u'nestedGroup', u'groupOfNames', u'top', u'mepOriginEntry']

Oh, that's because we create the netgroup now. Strange that I didn't see that, I just redid my base install on Thursday. I'll update that and give it another go.

rob
Re: [Freeipa-devel] [PATCH] 734 Add handling for indirect memberof other entries.
On 02/21/2011 08:52 AM, Rob Crittenden wrote:
> Simo Sorce wrote:
>> On Mon, 21 Feb 2011 11:56:39 +0100 Jakub Hrozek jhro...@redhat.com wrote:
>>> On Sat, Feb 19, 2011 at 11:47:45PM -0500, Rob Crittenden wrote:
>>>> I had to add a couple of short sleep calls to make things work a little better. The memberof plugin runs as a postop and we have no way of knowing when it has done its work. If we don't pause we may show some stale data that memberof hasn't updated yet. .3 seconds is an arbitrary choice.
>>>
>>> I don't know the DS plugin architecture well enough, but there's no callback or anything we can hook to? If the machine swaps or something, we might get incorrect data with the sleep anyway.
>>
>> Unfortunately the way plugins are done, post-ops are pretty much impossible to catch from the outside. And I really don't like this either.
>>
>> I would definitely prefer for the reply to the modifying client to wait until the memberof plugin is done, even if this means the operations will be slow. But I don't know if this can be done easily with the current DS architecture ...
>>
>> The problem is that we cannot even enter a read loop to wait smaller amounts of time until we get back the right answer, because a competing client may change the membership while we are waiting, causing us to loop forever ...
>>
>> Simo.
>
> This is the same conclusion I came to, and decided that a brief sleep is the lesser of evils.

Can this be fixed by the memberOf plugin? If the memberOf plugin is modified to also change/set the attribute there should not be a race condition. What is the recommendation from Rich and Nathan?

I am fine with the temp fix, but should we have a ticket to fix it in a better way in 2.1?

> rob

--
Thank you,
Dmitri Pal
Sr. Engineering Manager IPA project, Red Hat Inc.
---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-devel] [PATCH] 0085 Register client into DNS on install
On 02/17/2011 03:46 PM, Simo Sorce wrote:
> On Thu, 17 Feb 2011 11:53:52 -0500 Simo Sorce sso...@redhat.com wrote:
>> On Thu, 17 Feb 2011 11:34:30 -0500 Simo Sorce sso...@redhat.com wrote:
>>> If DNS Updates are available then try to register the ip address as determined by connecting to the ipa server. This also allows the creation of the DNS A record if none was available before, which means you can add clients without having to pre-register them in the DNS.
>>>
>>> Fixes #935
>>>
>>> Simo.
>>
>> Forgot to add rpm dependency on bind-utils for the client package. New patch attached.
>
> After discussing dns updates a bit with Rob and Stephen on IRC, here is a third patch that adds a --enable-dns-updates option. Dns updates are performed only if this option is enabled or no entry exists in DNS at all for the host. If the option is enabled, sssd is also configured to keep updating the DNS during the life of the machine so that IP changes (laptops, dhcp, etc.) are recorded in DNS properly.
>
> Simo.

I do not see a man page updated with the newly added flag. Please open a separate ticket for this effort since the patch has already been pushed.

--
Dmitri Pal
Re: [Freeipa-devel] [PATCH] 734 Add handling for indirect memberof other entries.
Dmitri Pal wrote:
> On 02/21/2011 08:52 AM, Rob Crittenden wrote:
>> Simo Sorce wrote:
>>> On Mon, 21 Feb 2011 11:56:39 +0100 Jakub Hrozek jhro...@redhat.com wrote:
>>>> On Sat, Feb 19, 2011 at 11:47:45PM -0500, Rob Crittenden wrote:
>>>>> I had to add a couple of short sleep calls to make things work a little better. The memberof plugin runs as a postop and we have no way of knowing when it has done its work. If we don't pause we may show some stale data that memberof hasn't updated yet. .3 seconds is an arbitrary choice.
>>>>
>>>> I don't know the DS plugin architecture well enough, but there's no callback or anything we can hook to? If the machine swaps or something, we might get incorrect data with the sleep anyway.
>>>
>>> Unfortunately the way plugins are done, post-ops are pretty much impossible to catch from the outside. And I really don't like this either.
>>>
>>> I would definitely prefer for the reply to the modifying client to wait until the memberof plugin is done, even if this means the operations will be slow. But I don't know if this can be done easily with the current DS architecture ...
>>>
>>> The problem is that we cannot even enter a read loop to wait smaller amounts of time until we get back the right answer, because a competing client may change the membership while we are waiting, causing us to loop forever ...
>>>
>>> Simo.
>>
>> This is the same conclusion I came to, and decided that a brief sleep is the lesser of evils.
>
> Can this be fixed by the memberOf plugin? If the memberOf plugin is modified to also change/set the attribute there should not be a race condition. What is the recommendation from Rich and Nathan?
>
> I am fine with the temp fix, but should we have a ticket to fix it in a better way in 2.1?

This is a race condition only in that we're racing against the memberOf plugin. Take the case of a group and a member user: if you remove the member attribute from the group, then immediately do an ldap search for (member=cn=group,...), you may very well get the user if the memberOf operation isn't completed yet. In this case it makes the user look like an indirect member of the group (because they are no longer in the group's member attribute).

I talked to Nathan about this on Friday. memberOf runs as a postop, so it only runs once the modification results have been sent. So from the IPA perspective the work is complete and we move along. We don't get any sort of ID that we can query on to see if memberOf is done, and at the point of our operation we have no idea what scope of work memberOf has to do; it could be extensive (think about a group of 1000 users and you delete the group: it has to remove memberOf from all those 1000 users).

rob
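The direct-versus-indirect distinction the thread is about, as an added illustration that is not FreeIPA's or 389 DS's own code: a constructed in-memory set of group entries stands in for the directory, the transitive closure of `member` is what the memberOf plugin eventually writes into each entry's `memberOf`, and an entry's `memberOf` is then split into the removable (direct) part and the inherited part. The group names, user DNs and the nesting loop are all constructed sample data.

```python
from collections import defaultdict

# Constructed sample directory, not from any real deployment.
SUFFIX = "dc=example,dc=com"
ADMINS = f"cn=admins,cn=groups,cn=accounts,{SUFFIX}"
OPS = f"cn=ops,cn=groups,cn=accounts,{SUFFIX}"
ONCALL = f"cn=oncall,cn=groups,cn=accounts,{SUFFIX}"
ALICE = f"uid=alice,cn=users,cn=accounts,{SUFFIX}"
BOB = f"uid=bob,cn=users,cn=accounts,{SUFFIX}"
CAROL = f"uid=carol,cn=users,cn=accounts,{SUFFIX}"


def sample_groups():
    """Fresh copy of the group entries: {group_dn: [direct member DNs]}.
    Nesting forms a loop (admins -> ops -> oncall -> admins), which is legal
    in LDAP and must not make the closure computation spin."""
    return {
        ADMINS: [ALICE, OPS],
        OPS: [BOB, ONCALL],
        ONCALL: [CAROL, ADMINS],
    }


def compute_memberof(groups):
    """Transitive closure of 'member': {entry_dn: set of group DNs}.
    This is the end state the memberOf plugin writes into each entry's
    memberOf attribute once it has finished its post-op work."""
    direct_parents = defaultdict(set)
    for group_dn, members in groups.items():
        for member_dn in members:
            direct_parents[member_dn].add(group_dn)
    memberof = {}
    for entry_dn in set(direct_parents) | set(groups):
        seen, stack = set(), list(direct_parents.get(entry_dn, ()))
        while stack:  # iterative DFS; 'seen' terminates cycles
            group_dn = stack.pop()
            if group_dn in seen:
                continue
            seen.add(group_dn)
            stack.extend(direct_parents.get(group_dn, ()))
        memberof[entry_dn] = seen
    return memberof


def split_membership(groups, entry_dn):
    """Return (direct, indirect): direct groups list the entry in their own
    'member' attribute; indirect ones only reach it through nesting. Only a
    direct membership can be removed by modifying that group."""
    direct = {g for g, members in groups.items() if entry_dn in members}
    indirect = compute_memberof(groups).get(entry_dn, set()) - direct
    return direct, indirect


def remove_member(groups, group_dn, entry_dn):
    """Remove entry_dn from group_dn's 'member' attribute if it is a direct
    member. Returns (removed, via): when the membership is only inherited,
    'via' names the direct groups through which it is inherited, so the
    caller can tell the operator where the membership really comes from."""
    direct, indirect = split_membership(groups, entry_dn)
    if group_dn in direct:
        groups[group_dn].remove(entry_dn)
        return True, []
    if group_dn in indirect:
        closure = compute_memberof(groups)
        via = sorted(g for g in direct if group_dn in closure.get(g, set()))
        return False, via
    return False, []


if __name__ == "__main__":
    groups = sample_groups()
    for user in (ALICE, BOB, CAROL):
        direct, indirect = split_membership(groups, user)
        print(user.split(",")[0], "direct:", sorted(direct), "indirect:", sorted(indirect))
    print(remove_member(groups, ADMINS, CAROL))  # inherited via oncall, not removed
    print(remove_member(groups, ONCALL, CAROL))  # direct member, removed
```

Reading `memberOf` back from the server before the plugin has finished gives the stale picture Rob describes: a freshly removed direct member still appears in `memberOf`, so this split would misclassify it as indirect until the post-op completes.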
Re: [Freeipa-devel] [PATCH] 734 Add handling for indirect memberof other entries.
Rob Crittenden wrote:
> Jakub Hrozek wrote:
>> On Sat, Feb 19, 2011 at 11:47:45PM -0500, Rob Crittenden wrote:
>>> This creates a new custom attribute, memberofindirect_[plugin]. Using this you can tell the difference between being an actual memberof another entry and being a memberof as the result of inheritance. This is particularly useful when trying to remove members of an entry: you can only remove direct members.
>>>
>>> I had to add a couple of short sleep calls to make things work a little better. The memberof plugin runs as a postop and we have no way of knowing when it has done its work. If we don't pause we may show some stale data that memberof hasn't updated yet. .3 seconds is an arbitrary choice.
>>
>> I don't know the DS plugin architecture well enough, but there's no callback or anything we can hook to? If the machine swaps or something, we might get incorrect data with the sleep anyway.
>>
>>> The ticket has an excellent test case for this. Similar tests can be done for users/groups and hosts/hostgroups.
>>>
>>> ticket 966
>>>
>>> rob
>>
>> The testcase is failing for me:
>>
>> test_group[13]: hostgroup_add: Create u'testhostgroup1' ... FAIL
>> test_group[14]: hostgroup_add: Create u'testhostgroup2' ... FAIL
>>
>> It seems that the objectclasses should be updated:
>>
>> expected = [u'ipaobject', u'ipahostgroup', u'nestedGroup', u'groupOfNames', u'top']
>> got = [u'ipaobject', u'ipahostgroup', u'nestedGroup', u'groupOfNames', u'top', u'mepOriginEntry']
>
> Oh, that's because we create the netgroup now. Strange that I didn't see that, I just redid my base install on Thursday. I'll update that and give it another go.
>
> rob

Updated patch

rob

Attachment: freeipa-rcrit-734-2-indirect.patch (application/mbox)
Re: [Freeipa-devel] [PATCH] 728 default roles
Rob Crittenden wrote:
> Jakub Hrozek wrote:
>> On 02/17/2011 04:35 AM, Rob Crittenden wrote:
>>> Add default roles and permissions for HBAC, SUDO and pw policy
>>>
>>> Created some default roles as examples. In doing so I realized that we were completely missing default rules for HBAC, SUDO and password policy so I added those as well.
>>>
>>> I ran into a problem when the updater has a default record and an add at the same time, it should handle it better now.
>>>
>>> ticket 585
>>>
>>> rob
>>
>> I'm not sure about the HBAC rules ACIs. They are specified as: 'target = ldap:///cn=*,cn=hbac,$SUFFIX;' while HBAC rules' DN is: 'ipauniqueid=*,cn=hbac,$SUFFIX'. But HBAC rules do have a cn: attribute, so maybe the ACIs would work?
>
> No, you're right, this is wrong. I'll fix it up and resubmit.
>
>> The patch also needs rebasing on top of recent changes to install/updates/Makefile.am
>>
>> Other than that, looks OK to me.
>>
>> btw when I was reviewing this patch, I noticed we add a DNS Administrators privilege in dns.ldif. Would it make sense to add DNS administration to Security Architect (replication management) and IT Specialist (hosts management)?
>
> The DNS stuff is added only if DNS is enabled on the server so I can't add them by default.
>
> rob

Updated patch.

rob

Attachment: freeipa-rcrit-728-2-roles.patch (application/mbox)
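Why the HBAC ACI target Jakub flagged selects nothing, as an added illustration that is not FreeIPA's or 389 DS's own matcher: the target in an ACI is a DN pattern in which `*` stands for a whole RDN value, so the attribute type in each RDN must still agree, and an entry is selected by its DN, not by the attributes it happens to carry (which is why HBAC rules having a `cn` does not help). The matcher models the documented 389 DS behaviour as I understand it (pattern matched against the tail of the entry DN, so the target and its subtree are selected); that modelling, the suffix and the `ipauniqueid` value are assumptions and constructed sample data.

```python
# Constructed suffix; real deployments substitute their own $SUFFIX.
SUFFIX = "dc=example,dc=com"


def split_dn(dn):
    """Split a DN into (type, value) RDN pairs, leftmost first.
    Honours backslash-escaped commas; assumes single-valued RDNs and
    normalises case, which is enough for this illustration."""
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        attr_type, _, value = rdn.strip().partition("=")
        pairs.append((attr_type.strip().lower(), value.strip().lower()))
    return pairs


def aci_target_matches(target, entry_dn):
    """Does an ACI 'target = ldap:///<pattern>' select entry_dn?

    Modelled (an assumption, not the server's code) on the documented
    389 DS behaviour: the pattern is matched RDN by RDN against the tail
    of the entry's DN, so the target entry and everything below it is
    selected; '*' stands for a whole RDN value, never for the type."""
    pattern = target[len("ldap:///"):] if target.startswith("ldap:///") else target
    pat, ent = split_dn(pattern), split_dn(entry_dn)
    if len(ent) < len(pat):
        return False  # entry sits above the target, not at or below it
    for (p_type, p_val), (e_type, e_val) in zip(pat, ent[len(ent) - len(pat):]):
        if p_type != e_type:
            return False  # 'cn=*' can never match 'ipauniqueid=...'
        if p_val != "*" and p_val != e_val:
            return False
    return True


def dead_targets(targets, entry_dns):
    """Targets that select none of the given entries. An ACI with such a
    target grants or denies nothing, which is the HBAC case above; a
    check like this over an LDIF of ACIs and real DNs catches it early."""
    return [t for t in targets
            if not any(aci_target_matches(t, e) for e in entry_dns)]


# Constructed entry in the shape FreeIPA uses for HBAC rules.
HBAC_RULE = f"ipauniqueid=constructed-0001,cn=hbac,{SUFFIX}"
WRONG_TARGET = f"ldap:///cn=*,cn=hbac,{SUFFIX}"           # as in the reviewed patch
FIXED_TARGET = f"ldap:///ipauniqueid=*,cn=hbac,{SUFFIX}"  # matches the real DN shape

if __name__ == "__main__":
    print(WRONG_TARGET, "->", aci_target_matches(WRONG_TARGET, HBAC_RULE))
    print(FIXED_TARGET, "->", aci_target_matches(FIXED_TARGET, HBAC_RULE))
    print("dead targets:", dead_targets([WRONG_TARGET, FIXED_TARGET], [HBAC_RULE]))
```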
Re: [Freeipa-devel] [PATCH] 106 I18n update.
On 02/18/2011 11:48 PM, Endi Sukma Dewata wrote:
> On 2/18/2011 10:35 PM, Adam Young wrote:
>>>>> Hard-coded messages throughout the code have been replaced by i18n messages obtained from json_metadata and i18n_messages.
>>>>>
>>>>> https://fedorahosted.org/freeipa/ticket/899
>>>>
>>>> Needs rebase, due to mkosek's big patch.
>>>
>>> Attached is an updated version. I had to change IPA.cert into an entity because it has to be initialized after IPA.init() finishes loading the metadata messages.
>>>
>>> We might want to introduce a concept of plugin for Web UI (similar to plugin for ipalib). The first step is to rename IPA.entity_factories into IPA.plugins, but most of the work will be splitting the IPA.entity into plugin and real entity.
>>>
>>> Patch #107 can be used without rebase.
>>>
>>> Attached is a new version using the plugin framework. Please see certificate.js.
>>
>> Every function is an Object. There is no reason to create an object, and then have an init method on it.
>
> I haven't got a chance to provide a long explanation for this, but please try to apply all patches that I've submitted (until 109) and see the user.js, group.js and certificate.js. I think they are clearly structured and easy to understand. Try to think of plugins as modules, and init() as start() or main(), or some other terms. Once all entity files are converted to use this framework, it may be possible to remove init() from entity/facet/widget. The init() is not an unnecessary duplication of the constructor, but a callback to indicate that the messages are loaded.

OK, just completed a more in depth review. I stand by my original call. I don't want to make a change like this in the 2.0 timeframe. When we do make the change, it will incorporate some of these ideas, but we are not going to use the deliberate init() call. For now, just make the libraries for cert etc. lazy load accessors like I recommended earlier. It should be a pretty short addition to Patch 106-2.

Hold on to the changes from patches 106-3 on and we will design a more complete refactoring target for the 2.1 release.
Re: [Freeipa-devel] [PATCH] 728 default roles
On Mon, Feb 21, 2011 at 10:11:38AM -0500, Rob Crittenden wrote:
> Rob Crittenden wrote:
>> Jakub Hrozek wrote:
>>> On 02/17/2011 04:35 AM, Rob Crittenden wrote:
>>>> Add default roles and permissions for HBAC, SUDO and pw policy
>>>>
>>>> Created some default roles as examples. In doing so I realized that we were completely missing default rules for HBAC, SUDO and password policy so I added those as well.
>>>>
>>>> I ran into a problem when the updater has a default record and an add at the same time, it should handle it better now.
>>>>
>>>> ticket 585
>>>>
>>>> rob
>>>
>>> I'm not sure about the HBAC rules ACIs. They are specified as: 'target = ldap:///cn=*,cn=hbac,$SUFFIX;' while HBAC rules' DN is: 'ipauniqueid=*,cn=hbac,$SUFFIX'. But HBAC rules do have a cn: attribute, so maybe the ACIs would work?
>>
>> No, you're right, this is wrong. I'll fix it up and resubmit.
>>
>>> The patch also needs rebasing on top of recent changes to install/updates/Makefile.am
>>>
>>> Other than that, looks OK to me.
>>>
>>> btw when I was reviewing this patch, I noticed we add a DNS Administrators privilege in dns.ldif. Would it make sense to add DNS administration to Security Architect (replication management) and IT Specialist (hosts management)?
>>
>> The DNS stuff is added only if DNS is enabled on the server so I can't add them by default.
>>
>> rob
>
> Updated patch.
>
> rob

Interdiff looks fine, but I'm not able to apply the patch (not even with a 3-way merge). Can you rebase?
[Freeipa-devel] [PATCH] Use pygettext to generate translatable strings from plugin files.
This goes on top of my other localization patches!

This patch replaces xgettext with a custom pygettext to generate translatable strings from plugin files in ipalib/plugins. pygettext was modified to handle plural forms (credit goes to Jan Hendrik Goellner) and had some bugs fixed by myself. We only use it for plugins, because it's the only place where we need to extract docstrings for the built-in help system. I also had to make some changes to the way the built-in documentation system gets docstrings from modules for this to work.

How to test?

1) First, apply all of the localization patches found in the thread "Localization patches" on freeipa-devel. Then apply this patch.

2) Regenerate your install/po/Makefile:
   - delete install/po/Makefile
   - run `./configure` in install

3) Regenerate the pot and po files:
   - run `make update-pot` in install/po
   - run `make update-po` in install/po

4) Make a change to one of the translations:
   - example: add a translation to the ACI docstring
     * find the docstring for ACI in install/po/es.po
     * change the corresponding msgstr to msgstr "\nBuenos dias, amigos!\n"
   Note: if the translatable string begins with \n, the translation also needs to begin with \n. The same goes for the ending.

5) Install the modified translations:
   - run `make install` in install/po
   Note: I had some problems with this and had to make rpms and install IPA from the beginning for it to work. It looks like doing `make install` manually updates /usr/local/share/locale instead of /usr/share/locale, but maybe I just did something wrong.

6) Set the language to Spanish or whatever translation you modified:
   - example:
     # LANG=es_ES.utf8
     # export LANG

7) Display the translated documentation:
   - example:
     # ipa help aci
     Buenos dias, amigos!

Pavel

Attachment: freeipa-pzuna-83-pygettext.patch (application/mbox)
[Freeipa-devel] Long overdue review of the UI guide
Hi,

I finally got some time to review the UI spec. I found some minor and major issues. I do not have the latest UI in front of me so please check that nothing is missing or incorrect based on the concerns below.

1) How many results do we display in the facet list (like members of a group)? What if there are many (thousands of group members)? Will we display them all? Or do we provide a filter? But I do not see a filter for the facet lists in the spec, so either the spec is wrong or we have a problem in the UI.

2) Details pages header is the same as any other header, not just list pages.

3) After the modal add dialog was used, the spec says that: "After the entity is added the modal closes returning to the list page." Does the list get refreshed automatically in this case or not? Is the filter preserved or not?

4) Action panel description State 2. See notes section. The first bullet in notes is confusing. The delete button should be grayed when there is no selection, while the link should be enabled only if there is a single selection. If there are multiple selections the links should be grayed.

5) Action Panels in state 3. Table includes reference to Kyle by name :-)

6) The UI in multiple places in the example of the action panel says "Net Groups" but in the text of the document it is correct: "Netgroups". Please make sure that the correct wording is used in the actual UI, i.e. Netgroups - one word.

7) What is the status of the pages: Hosts I Manage, Hosts Managing me, Service I Manage? Are they a part of the UI? Do not remember them. Please double check.

8) Do we have the membership in the Netgroups as a facet for users, groups, host groups, hosts and netgroups? Please double check that in all 5 cases we have the correct facet in UI.

9) Do we have a facet Hosts Managing Me for the services? Do not remember them being there. Please double check.

10) Kyle, Ben, in the action panel for the cases when we have several sub items, as in HBAC for example, the ungrouped facet label (indented) has the same size and style as other (unindented) section labels. This is confusing. I suggest the ungrouped facet label should be of a different style. IMO it is confusing now.

11) I have not seen anything about DNS or automount in the spec. Is it intentional or an omission?

--
Dmitri Pal
[Freeipa-devel] [PATCH] 735 configure krb5_realm in sssd ipa provider
Set krb5_realm in sssd.conf in the ipa provider.

ticket 925

rob

Attachment: freeipa-rcrit-735-sssd.patch (application/mbox)
Re: [Freeipa-devel] [PATCH] 728 default roles
Jakub Hrozek wrote:
> On Mon, Feb 21, 2011 at 10:11:38AM -0500, Rob Crittenden wrote:
>> Rob Crittenden wrote:
>>> Jakub Hrozek wrote:
>>>> On 02/17/2011 04:35 AM, Rob Crittenden wrote:
>>>>> Add default roles and permissions for HBAC, SUDO and pw policy
>>>>>
>>>>> Created some default roles as examples. In doing so I realized that we were completely missing default rules for HBAC, SUDO and password policy so I added those as well.
>>>>>
>>>>> I ran into a problem when the updater has a default record and an add at the same time, it should handle it better now.
>>>>>
>>>>> ticket 585
>>>>>
>>>>> rob
>>>>
>>>> I'm not sure about the HBAC rules ACIs. They are specified as: 'target = ldap:///cn=*,cn=hbac,$SUFFIX;' while HBAC rules' DN is: 'ipauniqueid=*,cn=hbac,$SUFFIX'. But HBAC rules do have a cn: attribute, so maybe the ACIs would work?
>>>
>>> No, you're right, this is wrong. I'll fix it up and resubmit.
>>>
>>>> The patch also needs rebasing on top of recent changes to install/updates/Makefile.am
>>>>
>>>> Other than that, looks OK to me.
>>>>
>>>> btw when I was reviewing this patch, I noticed we add a DNS Administrators privilege in dns.ldif. Would it make sense to add DNS administration to Security Architect (replication management) and IT Specialist (hosts management)?
>>>
>>> The DNS stuff is added only if DNS is enabled on the server so I can't add them by default.
>>>
>>> rob
>>
>> Updated patch.
>>
>> rob
>
> Interdiff looks fine, but I'm not able to apply the patch (not even with a 3-way merge). Can you rebase?

done

Attachment: freeipa-rcrit-728-3-roles.patch (application/mbox)
Re: [Freeipa-devel] [PATCH] 734 Add handling for indirect memberof other entries.
On Mon, Feb 21, 2011 at 09:44:49AM -0500, Rob Crittenden wrote:
> Rob Crittenden wrote:
>> Jakub Hrozek wrote:
>>> On Sat, Feb 19, 2011 at 11:47:45PM -0500, Rob Crittenden wrote:
>>>> This creates a new custom attribute, memberofindirect_[plugin]. Using this you can tell the difference between being an actual memberof another entry and being a memberof as the result of inheritance. This is particularly useful when trying to remove members of an entry: you can only remove direct members.
>>>>
>>>> I had to add a couple of short sleep calls to make things work a little better. The memberof plugin runs as a postop and we have no way of knowing when it has done its work. If we don't pause we may show some stale data that memberof hasn't updated yet. .3 seconds is an arbitrary choice.
>>>
>>> I don't know the DS plugin architecture well enough, but there's no callback or anything we can hook to? If the machine swaps or something, we might get incorrect data with the sleep anyway.
>>>
>>>> The ticket has an excellent test case for this. Similar tests can be done for users/groups and hosts/hostgroups.
>>>>
>>>> ticket 966
>>>>
>>>> rob
>>>
>>> The testcase is failing for me:
>>>
>>> test_group[13]: hostgroup_add: Create u'testhostgroup1' ... FAIL
>>> test_group[14]: hostgroup_add: Create u'testhostgroup2' ... FAIL
>>>
>>> It seems that the objectclasses should be updated:
>>>
>>> expected = [u'ipaobject', u'ipahostgroup', u'nestedGroup', u'groupOfNames', u'top']
>>> got = [u'ipaobject', u'ipahostgroup', u'nestedGroup', u'groupOfNames', u'top', u'mepOriginEntry']
>>
>> Oh, that's because we create the netgroup now. Strange that I didn't see that, I just redid my base install on Thursday. I'll update that and give it another go.
>>
>> rob
>
> Updated patch
>
> rob

Strangely enough, I had to do a slight modification to make the test pass:

hostgroup = [ -u'mepOriginEntry', u'ipaobject', u'ipahostgroup', u'nestedGroup', u'groupOfNames', u'top', +u'mepOriginEntry', ]

I thought that the comparison wouldn't take order into account.

Other than that, ack
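Review bot: the expected objectclass list in this hunk is compared as an ordered list, so moving u'mepOriginEntry' from the first position to the last is what makes the test pass, even though objectClass values carry no defined order and the server may return them differently on another install; the message itself notes the comparison was not expected to be order-sensitive. Comparing the expected and returned objectclass lists as sets, or sorting both sides before comparing, would make the test independent of the order 389 DS returns attribute values in and avoid the next reshuffle of this list.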
Re: [Freeipa-devel] Long overdue review of the UI guide
On 02/21/2011 10:41 AM, Dmitri Pal wrote:
> Hi,
>
> I finally got some time to review the UI spec. I found some minor and major issues. I do not have the latest UI in front of me so please check that nothing is missing or incorrect based on the concerns below.
>
> 1) How many results do we display in the facet list (like members of a group)? What if there are many (thousands of group members)? Will we display them all? Or do we provide a filter? But I do not see a filter for the facet lists in the spec, so either the spec is wrong or we have a problem in the UI.

Problem in the UI. Noticed it late last week myself, when I uploaded a really large dataset to the server. For example, since all users go into the ipausers (unix) group, that facet will only show the first 100. I entered a ticket for this. Needs to get into the spec, too: https://fedorahosted.org/freeipa/ticket/992

> 2) Details pages header is the same as any other header, not just list pages.

Not so in the latest UI. You can see it here: http://admiyo.fedorapeople.org/ipa/ui/

> 3) After the modal add dialog was used, the spec says that: "After the entity is added the modal closes returning to the list page." Does the list get refreshed automatically in this case or not? Is the filter preserved or not?

Filter is preserved, list gets refreshed.

> 4) Action panel description State 2. See notes section. The first bullet in notes is confusing. The delete button should be grayed when there is no selection, while the link should be enabled only if there is a single selection. If there are multiple selections the links should be grayed.

Yeah... haven't figured out a good way to grey out the button, as we are currently using the JQuery UI button for that control. The greying out of links was accomplished a while back.

> 5) Action Panels in state 3. Table includes reference to Kyle by name :-)

Kyle deserves it. Kyle rocks!

> 6) The UI in multiple places in the example of the action panel says "Net Groups" but in the text of the document it is correct: "Netgroups". Please make sure that the correct wording is used in the actual UI, i.e. Netgroups - one word.

We are pretty consistently using "Net Groups" all over the place. We can make the change.

> 7) What is the status of the pages: Hosts I Manage, Hosts Managing me, Service I Manage? Are they a part of the UI? Do not remember them. Please double check.

Managed By is there, but I think we lost Hosts Managing Me. There have been a lot of problems with the associations, and I would not be surprised if the LDAP relationship underneath it matches something that we decided elsewhere we don't want to show. Added a ticket: https://fedorahosted.org/freeipa/ticket/993

> 8) Do we have the membership in the Netgroups as a facet for users,

Check

> groups,

Check

> host groups,

Check

> hosts

check

> and netgroups.

check

> Please double check that in all 5 cases we have the correct facet in UI.
>
> 9) Do we have a facet Hosts Managing Me for the services? Do not remember them being there. Please double check.

Yes. Text is "Managed By".

> 10) Kyle, Ben, in the action panel for the cases when we have several sub items, as in HBAC for example, the ungrouped facet label (indented) has the same size and style as other (unindented) section labels. This is confusing. I suggest the ungrouped facet label should be of a different style. IMO it is confusing now.
>
> 11) I have not seen anything about DNS or automount in the spec. Is it intentional or an omission?

Automount should not be there. DNS would have to be reverse engineered.
Re: [Freeipa-devel] [PATCH] 106 I18n update.
On 02/21/2011 11:05 AM, Endi Sukma Dewata wrote:

On 2/21/2011 9:25 AM, Adam Young wrote:

I haven't got a chance to provide a long explanation for this, but please try to apply all patches that I've submitted (until 109) and see the user.js, group.js and certificate.js. I think they are clearly structured and easy to understand. Try to think of plugins as modules, and init() as start() or main(), or some other terms. Once all entity files are converted to use this framework, it may be possible to remove init() from entity/facet/widget. The init() is not an unnecessary duplication of the constructor, but it's a callback to indicate that the messages are loaded.

OK, just completed a more in depth review. I stand by my original call. I don't want to make a change like this in the 2.0 timeframe. When we do make the change, it will incorporate some of these ideas, but we are not going to use the deliberate init() call. For now, just make the libraries for cert etc. as lazy load accessors like I recommended earlier. It should be a pretty short addition to Patch 106-2. Hold on to the changes from patches 106-3 on and we will design a more complete refactoring target for the 2.1 release.

Attached is an updated patch with the IPA.plugin framework removed. For now I'm just using the same method used for IPA.sudo, using a plain hash table. The IPA.cert.CRL_REASON for now is hard-coded. Let's get this patch and 107 in first because they really should go together with patch 105 which is already pushed. Please submit your registry code as a separate patch, it shouldn't be combined with these i18n fixes. Thanks!

I'm not ready to submit the Registry code either. I promise you that it will get the same scrutiny from you and the team as any other design decision. I'll test 106-4 and 107 together.
Re: [Freeipa-devel] [PATCH] 735 configure krb5_realm in sssd ipa provider
On Mon, Feb 21, 2011 at 10:27:26AM -0500, Rob Crittenden wrote:

Set krb5_realm in sssd.conf in the ipa provider.

ticket 925

rob

This works fine, so Ack. One question, though, why don't we add the realm only if ipa_domain.upper() != krb5_realm? It would make the config file a little more readable for the 99% case where the two are the same.
Re: [Freeipa-devel] [PATCH] 734 Add handling for indirect memberof other entries.
Jakub Hrozek wrote:

On Mon, Feb 21, 2011 at 09:44:49AM -0500, Rob Crittenden wrote:

Rob Crittenden wrote:

Jakub Hrozek wrote:

On Sat, Feb 19, 2011 at 11:47:45PM -0500, Rob Crittenden wrote:

This creates a new custom attribute, memberofindirect_[plugin]. Using this you can tell the difference between being an actual memberof another entry and being a memberof as the result of inheritance. This is particularly useful when trying to remove members of an entry: you can only remove direct members.

I had to add a couple of short sleep calls to make things work a little better. The memberof plugin runs as a postop and we have no way of knowing when it has done its work. If we don't pause we may show some stale data that memberof hasn't updated yet. 0.3 seconds is an arbitrary choice.

I don't know the DS plugin architecture well enough, but there's no callback or anything we can hook to? If the machine swaps or something, we might get incorrect data with the sleep anyway..

The ticket has an excellent test case for this. Similar tests can be done for users/groups and hosts/hostgroups.

ticket 966

rob

The testcase is failing for me:

test_group[13]: hostgroup_add: Create u'testhostgroup1' ... FAIL
test_group[14]: hostgroup_add: Create u'testhostgroup2' ... FAIL

It seems that the objectclasses should be updated:

expected = [u'ipaobject', u'ipahostgroup', u'nestedGroup', u'groupOfNames', u'top']
got = [u'ipaobject', u'ipahostgroup', u'nestedGroup', u'groupOfNames', u'top', u'mepOriginEntry']

Oh, that's because we create the netgroup now. Strange that I didn't see that, I just redid my base install on Thursday. I'll update that and give it another go.

rob

Updated patch

rob

Strangely enough, I had to do a slight modification to make the test pass:

hostgroup = [ -u'mepOriginEntry', u'ipaobject', u'ipahostgroup', u'nestedGroup', u'groupOfNames', u'top', +u'mepOriginEntry', ]

I thought that the comparison wouldn't take order into account..

The list checking does currently assume the same order. Other than that, ack

Ok, re-ordered and pushed.

rob
[Freeipa-devel] [PATCH] 064 Document --enable-dns-updates in ipa-client-install man page
https://fedorahosted.org/freeipa/ticket/991

From b8d1fdcad3a6a23fbcb9aaf7cc7f332698fe5df5 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek jhro...@redhat.com Date: Mon, 21 Feb 2011 17:23:41 +0100 Subject: [PATCH] Document --enable-dns-updates in ipa-client-install man page https://fedorahosted.org/freeipa/ticket/991 --- ipa-client/man/ipa-client-install.1 |3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) diff --git a/ipa-client/man/ipa-client-install.1 b/ipa-client/man/ipa-client-install.1 index 3ac5678..90a4f71 100644 --- a/ipa-client/man/ipa-client-install.1 +++ b/ipa-client/man/ipa-client-install.1 @@ -81,6 +81,9 @@ Configure pam to create a users home directory if it does not exist. .TP \fB\-\-uninstall\fR Remove the IPA client software and restore the configuration to the pre\-IPA state. +.TP +\fB\-\-enable\-dns\-updates\fR +This option tells SSSD to automatically update DNS with the IP address of this client. .SH EXIT STATUS 0 if the installation was successful -- 1.7.4
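Review bot: the new entry's wording ("This option tells SSSD to automatically update DNS ...") breaks with the imperative style of the neighbouring options visible in the hunk ("Configure pam to create ...", "Remove the IPA client software ..."); suggest "Configure SSSD to automatically update DNS with the IP address of this client." so the page reads consistently.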
Re: [Freeipa-devel] [PATCH] 735 configure krb5_realm in sssd ipa provider
Jakub Hrozek wrote:

On Mon, Feb 21, 2011 at 10:27:26AM -0500, Rob Crittenden wrote:

Set krb5_realm in sssd.conf in the ipa provider.

ticket 925

rob

This works fine, so Ack. One question, though, why don't we add the realm only if ipa_domain.upper() != krb5_realm? It would make the config file a little more readable for the 99% case where the two are the same.

Sure. We can't assume that the realm is always upper case so I'll do a case insensitive match (I did lower by reflex).

rob

Attachment: freeipa-rcrit-735-2-sssd.patch (application/mbox)
[Freeipa-devel] [PATCH] 736 hard limit for # of batch requests
Set a hard limit of 256 for the # of commands in a batch request we'll handle.

ticket 984

rob

Attachment: freeipa-rcrit-736-limit.patch (application/mbox)
Re: [Freeipa-devel] [PATCH] 064 Document --enable-dns-updates in ipa-client-install man page
Jakub Hrozek wrote:

https://fedorahosted.org/freeipa/ticket/991

ack, pushed to master
Re: [Freeipa-devel] Long overdue review of the UI guide
On 02/21/2011 11:01 AM, Adam Young wrote:

6) The UI in multiple places in the example of the action panel says "Net Groups" but in the text of the document it is correct: "Netgroups". Please make sure that the correct wording is used in the actual UI, i.e. Netgroups - one word.

We are pretty consistently using "Net Groups" all over the place. We can make the change.

We need to have a ticket for this. Please open. In all other places we use netgroups as one word.

--
Thank you,
Dmitri Pal
Sr. Engineering Manager IPA project, Red Hat Inc.
---
Looking to carve out IT costs? www.redhat.com/carveoutcosts/
[Freeipa-devel] [PATCH] 737 move BuildRequires
Move some BuildRequires so building with ONLY_CLIENT works. I tested with:

    $ mock -r fedora-14-x86_64 --define='ONLY_CLIENT 1' ./dist/srpms/freeipa-2.0.0GIT055a668-0.fc14.src.rpm

rob

Attachment: freeipa-rcrit-737-spec.patch (application/mbox)
Re: [Freeipa-devel] [PATCH] 061 Validate NAPTR records
Jakub Hrozek wrote:

I'm not sure about checking the flags - this might be a little too much validation.

https://fedorahosted.org/freeipa/ticket/840

I think the flags length check needs to change. I would do this instead:

    flags = flags.replace('','')

Otherwise someone might try to pass in the flags 'SAU' and all that would get set is A.

rob
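An added example (not the patch's or FreeIPA's own code) of how a NAPTR RDATA validator can reject a multi-character flags field such as 'SAU' outright instead of silently keeping one character, and also enforce the RFC 3403 rule that the regexp and replacement fields are mutually exclusive. Accepting at most one flag is stricter than the RFC's grammar and is an assumption of this example; the records in the helpers are constructed.

```python
import re
from typing import NamedTuple, Optional, Tuple

# Flags defined by RFC 3403: S, A and U are terminal, P hands off to
# protocol-specific processing, so a record should carry at most one.
NAPTR_FLAGS = frozenset("SAUP")

_TOKEN = re.compile(r'"((?:[^"\\]|\\.)*)"|(\S+)')  # quoted string or bare word
_DOMAIN = re.compile(r'^(?:\.|(?:[A-Za-z0-9_](?:[A-Za-z0-9_-]*[A-Za-z0-9_])?\.?)+)$')
_SERVICE = re.compile(r'^[A-Za-z0-9+:.-]*$')


class NaptrValidationError(ValueError):
    """Raised for RDATA that must not reach the DNS backend."""


class NaptrRecord(NamedTuple):
    order: int
    preference: int
    flags: str
    service: str
    regexp: str
    replacement: str


def validate_flags(flags: str) -> str:
    """Return the normalized (upper-case) flags field, or raise.

    Only an empty field or exactly one of S, A, U, P is accepted; 'SAU' is
    an error rather than being truncated to a single flag.
    """
    flags = flags.strip().upper()
    if len(flags) > 1:
        raise NaptrValidationError("at most one NAPTR flag is allowed, got %r" % flags)
    if flags and flags not in NAPTR_FLAGS:
        raise NaptrValidationError("unknown NAPTR flag %r (expected S, A, U or P)" % flags)
    return flags


def _uint16(value: str, name: str) -> int:
    if not value.isdigit() or int(value) > 65535:
        raise NaptrValidationError("%s must be an integer 0..65535, got %r" % (name, value))
    return int(value)


def parse_regexp(regexp: str) -> Optional[Tuple[str, str, str]]:
    """Split 'delim ere delim repl delim flags' into its parts (None if empty).

    The first character is the delimiter; a backslash escapes the next
    character, so the delimiter may appear inside the expression.
    """
    if not regexp:
        return None
    delim = regexp[0]
    if delim.isalnum() or delim == "\\" or delim.isspace():
        raise NaptrValidationError("invalid regexp delimiter %r" % delim)
    parts, cur, escaped = [], [], False
    for ch in regexp[1:]:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == delim:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))  # whatever follows the last delimiter: the flags
    if escaped or len(parts) != 3:
        raise NaptrValidationError("regexp must look like %sere%srepl%s[i]" % (delim, delim, delim))
    ere, repl, rflags = parts
    if rflags not in ("", "i"):
        raise NaptrValidationError("unsupported regexp flags %r" % rflags)
    try:
        re.compile(ere)  # Python's re accepts POSIX ERE syntax; a cheap sanity check
    except re.error as err:
        raise NaptrValidationError("bad regular expression: %s" % err)
    return ere, repl, rflags


def parse_naptr(rdata: str) -> NaptrRecord:
    """Parse and validate NAPTR RDATA written in zone-file form."""
    tokens = [m.group(1) if m.group(1) is not None else m.group(2)
              for m in _TOKEN.finditer(rdata)]
    if len(tokens) != 6:
        raise NaptrValidationError("expected 6 fields, got %d" % len(tokens))
    order, pref, flags, service, regexp, replacement = tokens
    if not _SERVICE.match(service):
        raise NaptrValidationError("invalid service field %r" % service)
    if not _DOMAIN.match(replacement):
        raise NaptrValidationError("replacement must be a domain name or '.', got %r" % replacement)
    if parse_regexp(regexp) is not None and replacement != ".":
        raise NaptrValidationError("regexp and replacement are mutually exclusive; use '.'")
    return NaptrRecord(_uint16(order, "order"), _uint16(pref, "preference"),
                       validate_flags(flags), service, regexp, replacement)


def is_valid(rdata: str) -> bool:
    """True if the RDATA passes every check above."""
    try:
        parse_naptr(rdata)
        return True
    except NaptrValidationError:
        return False
```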
Re: [Freeipa-devel] [PATCH] 18 Use TLS for ipadiscovery during ipa client install
JR Aquino wrote:

On 2/17/11 9:46 AM, Jan Zeleny jzel...@redhat.com wrote:

JR Aquino jr.aqu...@citrix.com wrote:

Let's try now. Attached is the corrected patch. There were several spots in ipa-client-install where the server could be defined and it was getting missed. I have omitted any change to ipa-client-install and instead just focused on ipadiscovery.py. ipadiscovery.py now performs its own fetch of the CACert just to be sure.

Regarding TLS vs LDAPS. LDAP over SSL was common in LDAP Version 2 (LDAPv2) but it was never standardized in any formal specification. This usage has been deprecated along with LDAPv2, which was officially retired in 2003. LDAPS is still supported, but considered deprecated in favor of TLS as defined in RFC2830.

On 2/17/11 2:01 AM, Jan Zelený jzel...@redhat.com wrote:

JR Aquino jr.aqu...@citrix.com wrote:

This patch addresses the need to utilize TLS when using the ipa-client-install tool. It addresses ticket: https://fedorahosted.org/freeipa/ticket/974

Nack, running ipa-client-install returned this error:

# ipa-client-install
Retrieving CA from None failed. Command '/usr/bin/wget -O /etc/ipa/ca.crt http://None/ipa/config/ca.crt' returned non-zero exit status 4

One more question - shouldn't you use ldaps directly to connect to the server?

Jan

Sorry, I have to Nack it again, the patch seems incomplete, since it is only adding some cacert fetching code to IPADiscovery.

Jan

Please ignore previous patches for #18. Attached is the replacement all inclusive patch for this ticket. Per Rob: ipadiscovery should not attempt to create the /etc/ipa/ca.crt; rather, it should populate a tempdir with the temp cert for the initial discovery bind.

Attached is the full patch to provide both TLS and the safer wget of the ca.crt to a temporary directory created by tempfile.mkdtemp(). Please verify that ipa-client-install from a separate machine functions as expected against a FreeIPA server which is set to nsslapd-minssf: 56

It looks ok except for the try/except around the tempfile. If it fails all heck is gonna break loose. We should raise a RuntimeError in that case.

rob
Re: [Freeipa-devel] [PATCH] 18 Use TLS for ipadiscovery during ipa client install
Rob Crittenden rcrit...@redhat.com wrote:

JR Aquino wrote:

On 2/17/11 9:46 AM, Jan Zeleny jzel...@redhat.com wrote:

JR Aquino jr.aqu...@citrix.com wrote:

Let's try now. Attached is the corrected patch. There were several spots in ipa-client-install where the server could be defined and it was getting missed. I have omitted any change to ipa-client-install and instead just focused on ipadiscovery.py. ipadiscovery.py now performs its own fetch of the CACert just to be sure.

Regarding TLS vs LDAPS. LDAP over SSL was common in LDAP Version 2 (LDAPv2) but it was never standardized in any formal specification. This usage has been deprecated along with LDAPv2, which was officially retired in 2003. LDAPS is still supported, but considered deprecated in favor of TLS as defined in RFC2830.

On 2/17/11 2:01 AM, Jan Zelený jzel...@redhat.com wrote:

JR Aquino jr.aqu...@citrix.com wrote:

This patch addresses the need to utilize TLS when using the ipa-client-install tool. It addresses ticket: https://fedorahosted.org/freeipa/ticket/974

Nack, running ipa-client-install returned this error:

# ipa-client-install
Retrieving CA from None failed. Command '/usr/bin/wget -O /etc/ipa/ca.crt http://None/ipa/config/ca.crt' returned non-zero exit status 4

One more question - shouldn't you use ldaps directly to connect to the server?

Jan

Sorry, I have to Nack it again, the patch seems incomplete, since it is only adding some cacert fetching code to IPADiscovery.

Jan

Please ignore previous patches for #18. Attached is the replacement all inclusive patch for this ticket. Per Rob: ipadiscovery should not attempt to create the /etc/ipa/ca.crt; rather, it should populate a tempdir with the temp cert for the initial discovery bind.

Attached is the full patch to provide both TLS and the safer wget of the ca.crt to a temporary directory created by tempfile.mkdtemp(). Please verify that ipa-client-install from a separate machine functions as expected against a FreeIPA server which is set to nsslapd-minssf: 56

It looks ok except for the try/except around the tempfile. If it fails all heck is gonna break loose. We should raise a RuntimeError in that case.

rob

Agreed, I had more or less the same comment prepared.

Jan
Re: [Freeipa-devel] Long overdue review of the UI guide
On 02/21/2011 12:56 PM, Dmitri Pal wrote:

In all other places we use netgroups as one word.

https://fedorahosted.org/freeipa/ticket/995
Re: [Freeipa-devel] [PATCH] Don't load the LDAP schema during startup
Jan Zelený wrote:

Loading of the schema is now performed in the first request that requires it.

https://fedorahosted.org/freeipa/ticket/583

Jan

We still need to enforce that we get the schema, some low-level functions depend on it. Also, if the UI doesn't get its aciattrs (which are derived from the schema) then nothing will be editable.

I'm getting this backtrace if I force no schema by disabling get_schema:

[Mon Feb 21 13:57:33 2011] [error] ipa: ERROR: non-public: UnicodeDecodeError: 'utf8' codec can't decode byte 0xb3 in position 3: invalid start byte
[Mon Feb 21 13:57:33 2011] [error] Traceback (most recent call last):
[Mon Feb 21 13:57:33 2011] [error] File /usr/lib/python2.7/site-packages/ipaserver/rpcserver.py, line 211, in wsgi_execute
[Mon Feb 21 13:57:33 2011] [error] result = self.Command[name](*args, **options)
[Mon Feb 21 13:57:33 2011] [error] File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 422, in __call__
[Mon Feb 21 13:57:33 2011] [error] ret = self.run(*args, **options)
[Mon Feb 21 13:57:33 2011] [error] File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 728, in run
[Mon Feb 21 13:57:33 2011] [error] return self.execute(*args, **options)
[Mon Feb 21 13:57:33 2011] [error] File /usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py, line 720, in execute
[Mon Feb 21 13:57:33 2011] [error] dn, attrs_list, normalize=self.obj.normalize_dn
[Mon Feb 21 13:57:33 2011] [error] File /usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py, line 629, in get_entry
[Mon Feb 21 13:57:33 2011] [error] size_limit=size_limit, normalize=normalize
[Mon Feb 21 13:57:33 2011] [error] File /usr/lib/python2.7/site-packages/ipalib/encoder.py, line 188, in new_f
[Mon Feb 21 13:57:33 2011] [error] return f(*new_args, **kwargs)
[Mon Feb 21 13:57:33 2011] [error] File /usr/lib/python2.7/site-packages/ipalib/encoder.py, line 199, in new_f
[Mon Feb 21 13:57:33 2011] [error] return args[0].decode(f(*args, **kwargs))
[Mon Feb 21 13:57:33 2011] [error] File /usr/lib/python2.7/site-packages/ipalib/encoder.py, line 139, in decode
[Mon Feb 21 13:57:33 2011] [error] return tuple(self.decode(m) for m in var)
[Mon Feb 21 13:57:33 2011] [error] File /usr/lib/python2.7/site-packages/ipalib/encoder.py, line 139, in genexpr
[Mon Feb 21 13:57:33 2011] [error] return tuple(self.decode(m) for m in var)
[Mon Feb 21 13:57:33 2011] [error] File /usr/lib/python2.7/site-packages/ipalib/encoder.py, line 137, in decode
[Mon Feb 21 13:57:33 2011] [error] return [self.decode(m) for m in var]
[Mon Feb 21 13:57:33 2011] [error] File /usr/lib/python2.7/site-packages/ipalib/encoder.py, line 139, in decode
[Mon Feb 21 13:57:33 2011] [error] return tuple(self.decode(m) for m in var)
[Mon Feb 21 13:57:33 2011] [error] File /usr/lib/python2.7/site-packages/ipalib/encoder.py, line 139, in genexpr
[Mon Feb 21 13:57:33 2011] [error] return tuple(self.decode(m) for m in var)
[Mon Feb 21 13:57:33 2011] [error] File /usr/lib/python2.7/site-packages/ipalib/encoder.py, line 157, in decode
[Mon Feb 21 13:57:33 2011] [error] dct[k] = self._decode_dict_val(k, v)
[Mon Feb 21 13:57:33 2011] [error] File /usr/lib/python2.7/site-packages/ipalib/encoder.py, line 64, in _decode_dict_val
[Mon Feb 21 13:57:33 2011] [error] return self.decode(val)
[Mon Feb 21 13:57:33 2011] [error] File /usr/lib/python2.7/site-packages/ipalib/encoder.py, line 137, in decode
[Mon Feb 21 13:57:33 2011] [error] return [self.decode(m) for m in var]
[Mon Feb 21 13:57:33 2011] [error] File /usr/lib/python2.7/site-packages/ipalib/encoder.py, line 132, in decode
[Mon Feb 21 13:57:33 2011] [error] var.decode(self.encoder_settings.decode_from)
[Mon Feb 21 13:57:33 2011] [error] File /usr/lib64/python2.7/encodings/utf_8.py, line 16, in decode
[Mon Feb 21 13:57:33 2011] [error] return codecs.utf_8_decode(input, errors, True)
[Mon Feb 21 13:57:33 2011] [error] UnicodeDecodeError: 'utf8' codec can't decode byte 0xb3 in position 3: invalid start byte
[Mon Feb 21 13:57:33 2011] [error] ipa: INFO: ad...@greyoak.com: user_show(u'admin', rights=True, all=True, raw=False, version=u'2.0'): UnicodeDecodeError
Re: [Freeipa-devel] [PATCH] 18 Use TLS for ipadiscovery during ipa client install
On 2/21/11 10:46 AM, Jan Zeleny jzel...@redhat.com wrote:

Rob Crittenden rcrit...@redhat.com wrote:

JR Aquino wrote:

On 2/17/11 9:46 AM, Jan Zeleny jzel...@redhat.com wrote:

JR Aquino jr.aqu...@citrix.com wrote:

Let's try now. Attached is the corrected patch. There were several spots in ipa-client-install where the server could be defined and it was getting missed. I have omitted any change to ipa-client-install and instead just focused on ipadiscovery.py. ipadiscovery.py now performs its own fetch of the CACert just to be sure.

Regarding TLS vs LDAPS. LDAP over SSL was common in LDAP Version 2 (LDAPv2) but it was never standardized in any formal specification. This usage has been deprecated along with LDAPv2, which was officially retired in 2003. LDAPS is still supported, but considered deprecated in favor of TLS as defined in RFC2830.

On 2/17/11 2:01 AM, Jan Zelený jzel...@redhat.com wrote:

JR Aquino jr.aqu...@citrix.com wrote:

This patch addresses the need to utilize TLS when using the ipa-client-install tool. It addresses ticket: https://fedorahosted.org/freeipa/ticket/974

Nack, running ipa-client-install returned this error:

# ipa-client-install
Retrieving CA from None failed. Command '/usr/bin/wget -O /etc/ipa/ca.crt http://None/ipa/config/ca.crt' returned non-zero exit status 4

One more question - shouldn't you use ldaps directly to connect to the server?

Jan

Sorry, I have to Nack it again, the patch seems incomplete, since it is only adding some cacert fetching code to IPADiscovery.

Jan

Please ignore previous patches for #18. Attached is the replacement all inclusive patch for this ticket. Per Rob: ipadiscovery should not attempt to create the /etc/ipa/ca.crt; rather, it should populate a tempdir with the temp cert for the initial discovery bind.

Attached is the full patch to provide both TLS and the safer wget of the ca.crt to a temporary directory created by tempfile.mkdtemp(). Please verify that ipa-client-install from a separate machine functions as expected against a FreeIPA server which is set to nsslapd-minssf: 56

It looks ok except for the try/except around the tempfile. If it fails all heck is gonna break loose. We should raise a RuntimeError in that case.

rob

Agreed, I had more or less the same comment prepared.

Correction made, patch attached.

    except OSError, e:
        raise RuntimeError("Creating temporary directory failed: %s" % str(e))

Attachment: freeipa-jraquino-0018-Use-TLS-for-ipadiscovery-during-ipa-client.patch
Re: [Freeipa-devel] [PATCH] 049 Make nsslib IPv6 aware
Jakub Hrozek wrote:

On Thu, Feb 17, 2011 at 08:25:37PM +0100, Jakub Hrozek wrote:

On Wed, Feb 09, 2011 at 10:23:27AM +0100, Jan Zelený wrote:

Jakub Hrozek jhro...@redhat.com wrote:

On Thu, Feb 03, 2011 at 02:23:11PM +0100, Jan Zelený wrote:

Jakub Hrozek jhro...@redhat.com wrote:

Hi, attached is a patch to nsslib.py that changes its semantics so it is able to work with different address families. It is the last piece of IPv6 support. Aside from the hunks in the patch, I still need to set Requires: in the patch (don't know the exact version yet). Also, the attached patch always tries IPv4 first and only falls back to IPv6. I think there should be a config option that tells IPA to prefer one of the address families or use it exclusively for performance reasons. Please note that the patch requires the latest changes to python-nss in order to work correctly. Since John is still working on python-nss packages, this patch should be treated as a preview and not pushed even if it is deemed OK. At this stage, I'd like to get at least the general approach and code reviewed so I can fix it tomorrow.

Thank you, Jakub

The patch looks ok, all my questions answered off-list. Also tested with IPv4 (latest python-nss installed) and IPv6, both work fine. ACK

Jan

Thanks for the review. But attached is a new version of the patch that changes the semantics a little based on what's recommended by the new version of python-nss: don't construct the NetworkAddress object manually, but rather resolve the hostname using the AddrInfo object and then try connecting to the list of NetworkAddress objects manually.

Changes consulted off-list, the patch looks good. Will do some more testing on RHEL6. Unless I find some issues, this patch is ACKed.

Jan

One more change - bumped the minimum required version of python-nss to 0.11 which is in the nightly devel repo now.

and now with the patch attached.

ack, pushed to master
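The resolve-then-try-each-address approach recommended by the new python-nss version, together with the "prefer one family or use it exclusively" option Jakub suggests, written as an added example with the standard socket module rather than python-nss (this is not the patch's code). SAMPLE_INFOS and the "ipv4"/"ipv6" option names are constructed for this example; demo() uses a loopback listener so it runs offline.

```python
import socket
from typing import List, Optional, Tuple

# Config-style family selector: None means "use what the resolver returns";
# "ipv4"/"ipv6" name the family to prefer, or to use exclusively.
_FAMILIES = {"ipv4": socket.AF_INET, "ipv6": socket.AF_INET6}
_NAMES = {socket.AF_INET: "ipv4", socket.AF_INET6: "ipv6"}

# Entries in the shape socket.getaddrinfo() returns:
# (family, type, proto, canonname, sockaddr). Addresses are constructed.
AddrInfo = Tuple
SAMPLE_INFOS: List[AddrInfo] = [
    (socket.AF_INET, socket.SOCK_STREAM, 6, "", ("192.0.2.10", 389)),
    (socket.AF_INET6, socket.SOCK_STREAM, 6, "", ("2001:db8::10", 389, 0, 0)),
    (socket.AF_INET, socket.SOCK_STREAM, 6, "", ("192.0.2.11", 389)),
]


def order_addresses(infos: List[AddrInfo], prefer: Optional[str] = None,
                    only: Optional[str] = None) -> List[AddrInfo]:
    """Return the resolver results in the order they should be tried.

    'only' drops every other family; 'prefer' moves one family to the front
    while keeping the resolver's order within each family (sorted() is
    stable and False sorts before True).
    """
    infos = [ai for ai in infos if ai[0] in _NAMES]
    if only is not None:
        return [ai for ai in infos if ai[0] == _FAMILIES[only]]
    if prefer is None:
        return infos
    wanted = _FAMILIES[prefer]
    return sorted(infos, key=lambda ai: ai[0] != wanted)


def family_names(infos: List[AddrInfo]) -> List[str]:
    """Readable view of an address list: ['ipv6', 'ipv4', ...]."""
    return [_NAMES[ai[0]] for ai in infos]


def connect_any(host: str, port: int, prefer: Optional[str] = None,
                only: Optional[str] = None, timeout: float = 3.0) -> socket.socket:
    """Resolve host once, then try each address until one connects.

    Each failure is kept so the final error names every address tried,
    which is what an admin needs when only one family is reachable.
    """
    infos = socket.getaddrinfo(host, port, socket.AF_UNSPEC, socket.SOCK_STREAM)
    failures = []
    for family, socktype, proto, _canon, sockaddr in order_addresses(infos, prefer, only):
        sock = None
        try:
            sock = socket.socket(family, socktype, proto)
            sock.settimeout(timeout)
            sock.connect(sockaddr)
            return sock
        except OSError as err:  # also covers a family the kernel does not support
            if sock is not None:
                sock.close()
            failures.append("%s: %s" % (sockaddr[0], err))
    raise OSError("could not connect to %s:%d (%s)"
                  % (host, port, "; ".join(failures) or "no usable address"))


def demo() -> str:
    """Listen on IPv4 loopback only, then connect to 'localhost' preferring IPv6.

    If the resolver returns ::1 it is tried first and fails, and the fallback
    to 127.0.0.1 succeeds; the family actually connected is returned.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    try:
        client = connect_any("localhost", listener.getsockname()[1], prefer="ipv6")
        try:
            return _NAMES[client.family]
        finally:
            client.close()
    finally:
        listener.close()
```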
Re: [Freeipa-devel] [PATCH] 106 I18n update.
On 02/21/2011 11:05 AM, Endi Sukma Dewata wrote:

On 2/21/2011 9:25 AM, Adam Young wrote:

I haven't got a chance to provide a long explanation for this, but please try to apply all patches that I've submitted (until 109) and see the user.js, group.js and certificate.js. I think they are clearly structured and easy to understand. Try to think of plugins as modules, and init() as start() or main(), or some other terms. Once all entity files are converted to use this framework, it may be possible to remove init() from entity/facet/widget. The init() is not an unnecessary duplication of the constructor, but it's a callback to indicate that the messages are loaded.

OK, just completed a more in depth review. I stand by my original call. I don't want to make a change like this in the 2.0 timeframe. When we do make the change, it will incorporate some of these ideas, but we are not going to use the deliberate init() call. For now, just make the libraries for cert etc. as lazy load accessors like I recommended earlier. It should be a pretty short addition to Patch 106-2. Hold on to the changes from patches 106-3 on and we will design a more complete refactoring target for the 2.1 release.

Attached is an updated patch with the IPA.plugin framework removed. For now I'm just using the same method used for IPA.sudo, using a plain hash table. The IPA.cert.CRL_REASON for now is hard-coded. Let's get this patch and 107 in first because they really should go together with patch 105 which is already pushed. Please submit your registry code as a separate patch, it shouldn't be combined with these i18n fixes. Thanks!

ACK and pushed to master.
Re: [Freeipa-devel] [PATCH] 107 Updated test data files.
On 02/18/2011 10:31 AM, Adam Young wrote:

On 02/18/2011 03:15 AM, Endi Sukma Dewata wrote:

https://fedorahosted.org/freeipa/ticket/899

If applied without 106 it breaks the unit tests, so hold on this until 106 is rebased

ACK and pushed to master
[Freeipa-devel] [PATCH] 110 Fixed error message for invalid Kerberos ticket.
https://fedorahosted.org/freeipa/ticket/490 -- Endi S. Dewata From f6f733d3cd23fdb79a4ff69e38af945bf0e67f15 Mon Sep 17 00:00:00 2001 From: Endi S. Dewata edew...@redhat.com Date: Fri, 18 Feb 2011 13:34:56 -0600 Subject: [PATCH] Fixed error message for invalid Kerberos ticket. https://fedorahosted.org/freeipa/ticket/490 --- install/ui/test/data/i18n_messages.json |2 +- install/ui/test/data/ipa_init.json |2 +- ipalib/plugins/internal.py | 13 +++-- 3 files changed, 9 insertions(+), 8 deletions(-) diff --git a/install/ui/test/data/i18n_messages.json b/install/ui/test/data/i18n_messages.json index 1cceb8974ea3fb27fbf1711f4a1b6e8ba07635a5..da20f13742d72be2d7c2626b44206a7dede461a8 100644 --- a/install/ui/test/data/i18n_messages.json +++ b/install/ui/test/data/i18n_messages.json @@ -4,7 +4,7 @@ result: { messages: { ajax: { -401: Your kerberos ticket no longer valid.Please run KInit and then click 'retry'If this is your first time running the IPA Web UIa href='/ipa/errors/ssbrowser.html' Follow these directions/a to configure your browser. +401: Your kerberos ticket is no longer valid. Please run kinit and then click 'retry'. If this is your first time running the IPA Web UI a href='/ipa/config/unauthorized.html'follow these directions/a to configure your browser. }, association: { add: Add ${other_entity} into ${entity} ${primary_key}, diff --git a/install/ui/test/data/ipa_init.json b/install/ui/test/data/ipa_init.json index 1428a538a34c8fee694f913d304ce4ed2a8cbdf9..59c4b20b57bbb9487e3f425fc7c2ab9a4a75be9e 100644 --- a/install/ui/test/data/ipa_init.json +++ b/install/ui/test/data/ipa_init.json 
@@ -9467,7 +9467,7 @@ { messages: { ajax: { -401: Your kerberos ticket no longer valid.Please run KInit and then click 'retry'If this is your first time running the IPA Web UIa href='/ipa/errors/ssbrowser.html' Follow these directions/a to configure your browser. +401: Your kerberos ticket is no longer valid. Please run kinit and then click 'retry'. If this is your first time running the IPA Web UI a href='/ipa/config/unauthorized.html'follow these directions/a to configure your browser. }, association: { add: Add ${other_entity} into ${entity} ${primary_key}, diff --git a/ipalib/plugins/internal.py b/ipalib/plugins/internal.py index e8b34a09b41c04b8cdd33b01176f1bed1b1d6b99..89330bab075c321fe0da317a917825b4f222148e 100644 --- a/ipalib/plugins/internal.py +++ b/ipalib/plugins/internal.py @@ -1,6 +1,7 @@ # Authors: # Pavel Zuna pz...@redhat.com -# Adam YOung ayo...@redhat.com +# Adam Young ayo...@redhat.com +# Endi S. Dewata edew...@redhat.com # # Copyright (c) 2010 Red Hat # See file 'copying' for use and warranty information @@ -373,11 +374,11 @@ class i18n_messages(Command): validation_error:_(Text does not match field pattern), }, ajax:{ -401:_(Your kerberos ticket no longer valid.+ -Please run KInit and then click 'retry'+ -If this is your first time running the IPA Web UI+ -a href='/ipa/errors/ssbrowser.html' + -Follow these directions/a to configure your browser.) +401:_(Your kerberos ticket is no longer valid. + +Please run kinit and then click 'retry'. + +If this is your first time running the IPA Web UI + +a href='/ipa/config/unauthorized.html'+ +follow these directions/a to configure your browser.) }, dirty:_(This page has unsaved changes. Please save or revert.), } -- 1.6.6.1
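Review bot: in the i18n_messages.json hunk the link target silently moves from /ipa/errors/ssbrowser.html to /ipa/config/unauthorized.html, which the commit message ("Fixed error message for invalid Kerberos ticket") does not mention; please say so in the commit message and confirm that /ipa/config/unauthorized.html is actually served, since a user with an expired ticket would otherwise follow a dead link at exactly the moment they need the instructions.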
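Review bot: the internal.py hunk for the 401 message shows the same string being hand-maintained in three places (ipalib/plugins/internal.py plus the test data files i18n_messages.json and ipa_init.json), all of which had to be edited in lockstep here; consider regenerating the two test data files from the plugin's output instead of editing them by hand so the copies cannot drift apart on the next wording change.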
Re: [Freeipa-devel] [PATCH] 110 Fixed error message for invalid Kerberos ticket.
On 02/21/2011 03:23 PM, Endi Sukma Dewata wrote:

https://fedorahosted.org/freeipa/ticket/490

ACK
Re: [Freeipa-devel] [PATCH] 18 Use TLS for ipadiscovery during ipa client install
On 2/21/11 11:18 AM, JR Aquino jr.aqu...@citrix.com wrote:

On 2/21/11 10:46 AM, Jan Zeleny jzel...@redhat.com wrote:

Rob Crittenden rcrit...@redhat.com wrote:

JR Aquino wrote:

On 2/17/11 9:46 AM, Jan Zeleny jzel...@redhat.com wrote:

JR Aquino jr.aqu...@citrix.com wrote:

Let's try now. Attached is the corrected patch. There were several spots in ipa-client-install where the server could be defined and it was getting missed. I have omitted any change to ipa-client-install and instead just focused on ipadiscovery.py. ipadiscovery.py now performs its own fetch of the CACert just to be sure.

Regarding TLS vs LDAPS. LDAP over SSL was common in LDAP Version 2 (LDAPv2) but it was never standardized in any formal specification. This usage has been deprecated along with LDAPv2, which was officially retired in 2003. LDAPS is still supported, but considered deprecated in favor of TLS as defined in RFC2830.

On 2/17/11 2:01 AM, Jan Zelený jzel...@redhat.com wrote:

JR Aquino jr.aqu...@citrix.com wrote:

This patch addresses the need to utilize TLS when using the ipa-client-install tool. It addresses ticket: https://fedorahosted.org/freeipa/ticket/974

Nack, running ipa-client-install returned this error:

# ipa-client-install
Retrieving CA from None failed. Command '/usr/bin/wget -O /etc/ipa/ca.crt http://None/ipa/config/ca.crt' returned non-zero exit status 4

One more question - shouldn't you use ldaps directly to connect to the server?

Jan

Sorry, I have to Nack it again, the patch seems incomplete, since it is only adding some cacert fetching code to IPADiscovery.

Jan

Please ignore previous patches for #18. Attached is the replacement all inclusive patch for this ticket. Per Rob: ipadiscovery should not attempt to create the /etc/ipa/ca.crt; rather, it should populate a tempdir with the temp cert for the initial discovery bind.

Attached is the full patch to provide both TLS and the safer wget of the ca.crt to a temporary directory created by tempfile.mkdtemp(). Please verify that ipa-client-install from a separate machine functions as expected against a FreeIPA server which is set to nsslapd-minssf: 56

It looks ok except for the try/except around the tempfile. If it fails all heck is gonna break loose. We should raise a RuntimeError in that case.

rob

Agreed, I had more or less the same comment prepared.

Correction made, patch attached.

    except OSError, e:
        raise RuntimeError("Creating temporary directory failed: %s" % str(e))

In the spirit of consistency, I have corrected a section further down where sys.exit is called instead of raising the exception. I have also broken out the removal of the temp files in a finally clause. Please review, and confirm that it meets with your approval.

Attachment: freeipa-jraquino-0018-Use-TLS-for-ipadiscovery-during-ipa-client.patch
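The pattern this thread converges on (a private temp dir from tempfile.mkdtemp(), RuntimeError when it cannot be created, removal of the temp files in a finally clause, and the fetched CA used only for the initial discovery bind rather than written to /etc/ipa/ca.crt), written out as an added example that is not the patch's own code. The downloader and the StartTLS bind are replaced by constructed stand-ins (fake_fetch, discovery_bind) so it runs offline; the URL and the PEM text are placeholders.

```python
import os
import shutil
import stat
import tempfile
from typing import Callable, Dict, Optional, TypeVar

T = TypeVar("T")
# Downloader signature: fetch(url, destination_path). The real client runs
# wget; a fake that writes a placeholder is injected below.
Fetcher = Callable[[str, str], None]
CA_URL = "http://ipa.example.test/ipa/config/ca.crt"  # placeholder, not a real server


def fetch_ca_to_tempdir(fetch: Fetcher, ca_url: str,
                        base_dir: Optional[str] = None) -> str:
    """Create a private temp dir (mode 0700) and download the CA into it.

    Returns the path of the downloaded file. Failure to create the directory
    becomes a RuntimeError instead of carrying on with a missing path, and a
    failed download removes the directory again so nothing is left behind.
    """
    try:
        temp_dir = tempfile.mkdtemp(prefix="ipa-discovery-", dir=base_dir)
    except OSError as e:
        raise RuntimeError("Creating temporary directory failed: %s" % str(e))
    ca_file = os.path.join(temp_dir, "ca.crt")
    try:
        fetch(ca_url, ca_file)
    except Exception:
        shutil.rmtree(temp_dir, ignore_errors=True)
        raise
    return ca_file


def with_temporary_ca(fetch: Fetcher, ca_url: str, action: Callable[[str], T],
                      base_dir: Optional[str] = None) -> T:
    """Run action(ca_file) with a temporarily downloaded CA, then clean up.

    The cleanup is in a finally clause, so the temp dir disappears whether
    the action returns or raises. The CA came over plain HTTP, so it is only
    used for this one discovery bind and is never installed system-wide here.
    """
    ca_file = fetch_ca_to_tempdir(fetch, ca_url, base_dir)
    try:
        return action(ca_file)
    finally:
        shutil.rmtree(os.path.dirname(ca_file), ignore_errors=True)


# --- constructed stand-ins so the flow can run without a server ---

FAKE_CA_PEM = ("-----BEGIN CERTIFICATE-----\n"
               "constructed placeholder, not a real certificate\n"
               "-----END CERTIFICATE-----\n")


def fake_fetch(url: str, dest: str) -> None:
    """Pretend to wget the CA: writes the placeholder PEM to dest."""
    with open(dest, "w") as fh:
        fh.write(FAKE_CA_PEM)


def discovery_bind(ca_file: str) -> Dict[str, object]:
    """Stand-in for the StartTLS discovery bind.

    Real code would point python-ldap at ca_file via ldap.OPT_X_TLS_CACERTFILE
    and call start_tls_s() before binding; here we only record what the bind
    would see: a file with a certificate inside a directory nobody else can read.
    """
    dir_mode = stat.S_IMODE(os.stat(os.path.dirname(ca_file)).st_mode)
    with open(ca_file) as fh:
        pem = fh.read()
    return {"dir_mode": dir_mode, "has_cert": "BEGIN CERTIFICATE" in pem, "path": ca_file}


def demo() -> Dict[str, object]:
    """Full flow with the fakes, plus whether the temp dir was removed afterwards."""
    result = with_temporary_ca(fake_fetch, CA_URL, discovery_bind)
    result["cleaned_up"] = not os.path.exists(os.path.dirname(str(result["path"])))
    return result


def mkdtemp_failure_is_runtime_error() -> bool:
    """The review point: an unusable temp location must surface as RuntimeError."""
    missing = os.path.join(tempfile.gettempdir(), "ipa-discovery-no-such-base-dir")
    try:
        fetch_ca_to_tempdir(fake_fetch, CA_URL, base_dir=missing)
    except RuntimeError:
        return True
    return False


def failed_bind_still_cleans_up() -> bool:
    """The finally clause removes the temp dir even when the bind raises."""
    seen: Dict[str, str] = {}

    def broken_bind(ca_file: str) -> None:
        seen["dir"] = os.path.dirname(ca_file)
        raise ConnectionError("constructed failure: server refused StartTLS")

    try:
        with_temporary_ca(fake_fetch, CA_URL, broken_bind)
    except ConnectionError:
        return not os.path.exists(seen["dir"])
    return False
```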
Re: [Freeipa-devel] [PATCH] 110 Fixed error message for invalid Kerberos ticket.
On 2/21/2011 2:38 PM, Adam Young wrote:

https://fedorahosted.org/freeipa/ticket/490

ACK

Pushed to master.

--
Endi S. Dewata
[Freeipa-devel] [PATCH] 738 default.conf man page
Add a man page for the IPA configuration file default.conf.

ticket 969

rob

Attachment: freeipa-rcrit-738-man.patch
Re: [Freeipa-devel] [PATCH] 78 Use ldapi: instead of unsecured ldap: in ipa core tools.
On 2/15/11 6:19 AM, Pavel Zuna pz...@redhat.com wrote:

On 02/14/2011 04:56 PM, JR Aquino wrote:

On 2/10/11 2:42 AM, Pavel Zuna pz...@redhat.com wrote:

On 02/08/2011 01:06 PM, Pavel Zuna wrote:

The patch also corrects exception handling in some of the tools. Fix #874

Pavel

Updated patch attached. Forgot to rename an identifier in exception handling.

Pavel

NACK

It looks like LDAPUpdate calls may want to include ldapi=True?

-=-

# ipa-nis-manage enable
Directory Manager password:
Enabling plugin
Traceback (most recent call last):
  File "/usr/sbin/ipa-nis-manage", line 211, in <module>
    sys.exit(main())
  File "/usr/sbin/ipa-nis-manage", line 151, in main
    ld = LDAPUpdate(dm_password=dirman_password, sub_dict={})
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 101, in __init__
    conn.do_simple_bind(bindpw=self.dm_password)
  File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 350, in do_simple_bind
    self.simple_bind_s(binddn, bindpw)
  File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 204, in inner
    return f(*args, **kargs)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 207, in simple_bind_s
    return self.result(msgid,all=1,timeout=self.timeout)
  File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 181, in inner
    objtype, data = f(*args, **kargs)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 436, in result
    res_type,res_data,res_msgid = self.result2(msgid,all,timeout)
  File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 204, in inner
    return f(*args, **kargs)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 440, in result2
    res_type, res_data, res_msgid, srv_ctrls = self.result3(msgid,all,timeout)
  File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 204, in inner
    return f(*args, **kargs)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 446, in result3
    ldap_result = self._ldap_call(self._l.result3,msgid,all,timeout)
  File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 204, in inner
    return f(*args, **kargs)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 96, in _ldap_call
    result = func(*args,**kwargs)
ldap.UNWILLING_TO_PERFORM: {'info': 'Minimum SSF not met.', 'desc': 'Server is unwilling to perform'}

I can't reproduce this. :-/ For me it goes fine:

[root@ipadev tools]# ./ipa-nis-manage enable
Directory Manager password:
Enabling plugin
This setting will not take effect until you restart Directory Server.
The rpcbind service may need to be started.

Pavel

To reproduce this, you must have minssf set in the dse.ldif on the ipa server. The highest number you can put in is: 56 due to some oddities with how SASL communicates bit strength.
[Freeipa-devel] [PATCH] admiyo-0198-search-filter-focus
Not going to complete the whole tab-order aspect, but this covers the most important part, which is hitting enter and also focus for the filter field From bfb42f808cb7928768a40a6393b217c1aa60f9c6 Mon Sep 17 00:00:00 2001 From: Adam Young ayo...@redhat.com Date: Mon, 21 Feb 2011 17:28:06 -0500 Subject: [PATCH] search filter focus afdter a search loads, focus moved to the search filter text box, tyhe most likely thing that the user will want to change on the page. https://fedorahosted.org/freeipa/ticket/983 --- install/ui/details.js |5 - install/ui/search.js | 12 +++- 2 files changed, 15 insertions(+), 2 deletions(-) diff --git a/install/ui/details.js b/install/ui/details.js index f579fb612d4cb21edf582f86a4f7f220bee857f3..a2ad0896188470087981aa763237ba4f4751105d 100644 --- a/install/ui/details.js +++ b/install/ui/details.js @@ -571,7 +571,10 @@ IPA.button = function(spec) { 'class': 'ui-state-default ui-corner-all' }); -if (spec.click) button.click(spec.click); +if (spec.click) { +button.click(spec.click); +} + if (spec['class']) button.addClass(spec['class']); if (spec.icon) { diff --git a/install/ui/search.js b/install/ui/search.js index 11aa4f756fb17a41853ca0ff135ece8e5ecf60aa..101347f980f123f4afe38a3073ee1f606537e1d9 100644 --- a/install/ui/search.js +++ b/install/ui/search.js @@ -88,11 +88,20 @@ IPA.search_widget = function (spec) { var search_filter = $('span[name=search-filter]', that.container); +$('input[type=text]',search_filter).keypress( +function(e) { +/* if the key pressed is the enter key */ +if (e.which == 13) { +that.find(); +} +}); var button = $('input[name=find]', search_filter); that.find_button = IPA.button({ 'label': IPA.messages.buttons.find, 'icon': 'ui-icon-search', -'click': function() { that.find(); } +'click': function() { +that.find(); +} }); button.replaceWith(that.find_button); 
@@ -247,6 +256,7 @@ IPA.search_widget = function (spec) { } else { summary.text(data.result.summary); } +$('.search-filter input[type=text]', that.container).focus(); } function on_error(xhr, text_status, error_thrown) { -- 1.7.3.5 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
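Review bot: the details.js hunk is a style-only change (braces around the one-line `if (spec.click)`), but the context line right below it, `if (spec['class']) button.addClass(spec['class']);`, keeps the brace-less form, so two adjacent statements now follow different styles; brace both or leave both as they were.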
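Review bot: the keypress handler in the first search.js hunk calls `that.find()` on Enter but never stops the event (no `e.preventDefault()` / `return false`), so if the filter input is ever placed inside a form element the browser's default submit would fire as well and reload the page; adding `e.preventDefault();` after `that.find();` closes that gap. Minor: `e.which == 13` should be `e.which === 13` for a strict comparison, and the selector `$('input[type=text]', search_filter)` binds the search to any text input in that span, not just the filter field.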
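Review bot: the second search.js hunk locates the filter field with a class selector, `$('.search-filter input[type=text]', that.container)`, while the first hunk finds the same element through `$('span[name=search-filter]', that.container)`; if the span does not also carry the `search-filter` class, `.focus()` silently matches nothing and the ticket's fix does not take effect. Reuse the `search_filter` variable (or the same name-based selector) in `on_success` so both code paths resolve the same element.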
Re: [Freeipa-devel] [PATCH] admiyo-0198-search-filter-focus
On 2/21/2011 4:32 PM, Adam Young wrote:

Not going to complete the whole tab-order aspect, but this covers the most important part, which is hitting enter and also focus for the filter field

ACK and pushed to master.

--
Endi S. Dewata
Re: [Freeipa-devel] Help define the roles IPA has by default
Dmitri Pal wrote:

On 02/11/2011 10:12 AM, Rob Crittenden wrote:

Dmitri Pal wrote:

On 02/10/2011 07:25 PM, David O'Brien wrote:

Dmitri Pal wrote:

On 02/10/2011 03:05 PM, Jakub Hrozek wrote:

On 02/10/2011 05:12 PM, Rob Crittenden wrote:

But what other roles do we need? The mind boggles and rather than dictating what the initial ones will be I'm looking for some guidance/suggestions.

thanks

rob

I'm actually wondering if we need to define many default roles in the upstream project. I'm thinking that every organization will have different needs and different ways of role delegation anyway, so I would rather make sure this feature is well documented with examples and use cases.

I think that a reasonable set of 3-5 roles and documentation on how to change them should be sufficient.

I agree. On top of what Dmitri has already sent out, this thread is a really good continuation of documenting delegation, permissions, roles, etc., especially because this area is so different from v1. If we look at it from two perspectives, one being "What does IPA need to function?", and the other being "What do customers need?", then we can probably come up with a short list and provide some basic use cases, descriptions, and examples. Dmitri's list of 5 is good, although I would suggest settling on a naming format, by which I mean rather than a combination of person-based and role-based names, use a consistent format. Security Architect, IPA Administrator are people (faiap), while Helpdesk is a department. Anyway, you get the idea. We've already started with Name, Description, Goals; with a few use cases I can put together short sections with links to existing docs on how to use the relevant commands, or write them as needed.

cheers

Sounds like a good idea.

Well, some of these roles don't really match what we are shipping in v2.
There is no place for Application Administrator at all and End User is implicit. So that leaves 3 roles. If we go with these we'll need to add some additional permissions/privileges to support it. If we go with this, here is what we're looking at. Also note that the role IPA Administrator is distinct from the group cn=admins which gives pretty much global access. Those that need additional permissions/privileges are marked with the ticket number.

* Security Architect
  * IPA config (950)
  * Replication
  * Define delegation of roles to other, lower-level administrators
* IPA Administrator
  * Define and create groups (and delete?)
  * Define the relationships between groups (what does this mean?)
  * Define and create roles for users and groups (what does this mean?)
  * Create nested groups (I don't know if we can have an aci for this)
* Help Desk
  * Review what groups are enabled on what hosts (what does this mean, all groups are enabled on all hosts, right?) This means he can read HBAC rules
  * Set up/manage a user's attributes
  * Place a user in a specific group
  * Reset a user password

This is a good start but it completely leaves out the following:

* Users (helpdesk can modify reset password, nobody can add/delete)
* Host management
* Service management
* Hostgroups
* SUDO
* HBAC
* netgroups
* DNS
* Automount

rob

How about this layout

Helpdesk Engineer
* Edit users
* Reset passwords
* Add/remove group membership
* Troubleshoot the HBAC (in future but not modify the HBAC rules themselves)

User administrator - the person who is responsible for creating users and groups. This is instead of IPA administrator above.
* Users - full control
* Groups - full control

IT Specialist
* Hosts full control
* Hostgroups full control
* Services full control
* DNS full control
* Automount

IT Security Specialist - includes all of the above +
* Netgroups
* SUDO
* HBAC

Security Architect
* IPA config
* Password policies
* Kerberos config
* Replication
* Define delegation of roles to other, lower-level administrators

Did I miss anything?

Any updates on this? I'm up to my neck in Access Control doc at the moment and looking for any and all information, especially when it comes to what IPA provides by default. It gives me something to build on.

thanks

--
David O'Brien
Red Hat Asia Pacific Pty Ltd
+61 7 3514 8189
He who asks is a fool for five minutes, but he who does not ask remains a fool forever. ~ Chinese proverb