Re: [Freeipa-devel] [PATCH] 736 hard limit for # of batch requests
On Mon, 2011-02-21 at 11:48 -0500, Rob Crittenden wrote: Set a hard limit of 256 for the # of commands in a batch request we'll handle. ticket 984 rob ACK. Works for me. Tested by custom JSON command via curl. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 737 move BuildRequires
On Tue, Feb 22, 2011 at 10:34:35AM +0100, Jan Zeleny wrote: Rob Crittenden rcrit...@redhat.com wrote: Move some BuildRequires so building with ONLY_CLIENT works. I tested with: $ mock -r fedora-14-x86_64 --define='ONLY_CLIENT 1' ./dist/srpms/freeipa-2.0.0GIT055a668-0.fc14.src.rpm rob I'm a little confused. Some of the lines are only moved a couple lines above their original location (like python-ldap for instance). Does this really have an impact on building? The only three lines I understand are those first three. Note the %else. Koji scratch build of client worked fine: http://koji.fedoraproject.org/koji/taskinfo?taskID=2856864 Ack
Re: [Freeipa-devel] [PATCH] 737 move BuildRequires
On Tue, Feb 22, 2011 at 11:21:41AM +0100, Jakub Hrozek wrote: Note the %else. Sorry, %endif. That separates BRs for !ONLY_CLIENT from those that are needed in both cases.
Re: [Freeipa-devel] [PATCH] 061 Validate NAPTR records
On Mon, Feb 21, 2011 at 01:18:07PM -0500, Rob Crittenden wrote: Jakub Hrozek wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 I'm not sure about checking the flags - this might be a little too much validation. https://fedorahosted.org/freeipa/ticket/840 I think the flags length check needs to change. I would do this instead: flags = flags.replace('','') Otherwise someone might try to pass in the flags 'SAU' and all that would get set is A. rob OK, that's much better. New patch attached. From aaeb347cfa015783606058a29b2009cf6306d578 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek jhro...@redhat.com Date: Fri, 18 Feb 2011 11:00:36 +0100 Subject: [PATCH] Validate NAPTR records https://fedorahosted.org/freeipa/ticket/840 --- API.txt |8 ipalib/plugins/dns.py | 26 ++ 2 files changed, 30 insertions(+), 4 deletions(-) diff --git a/API.txt b/API.txt index b7ea174..56cbb8b 100644 --- a/API.txt +++ b/API.txt 
@@ -515,7 +515,7 @@ option: List('keyrecord?', attribute=True, cli_name='key_rec',ist('keyrecord?', option: List('kxrecord?', attribute=True, cli_name='kx_rec',ist('kxrecord?', attribute=True, cli_name='kx_rec', doc='comma-separated list of KX records', label='KX record', multivalue=True) option: List('locrecord?', attribute=True, cli_name='loc_rec',ist('locrecord?', attribute=True, cli_name='loc_rec', doc='comma-separated list of LOC records', label='LOC record', multivalue=True) option: List('mxrecord?', _validate_mx, attribute=True, cli_name='mx_rec',ist('mxrecord?', _validate_mx, attribute=True, cli_name='mx_rec', doc='comma-separated list of MX records', label='MX record', multivalue=True) -option: List('naptrrecord?', attribute=True, cli_name='naptr_rec',ist('naptrrecord?', attribute=True, cli_name='naptr_rec', doc='comma-separated list of NAPTR records', label='NAPTR record', multivalue=True) +option: List('naptrrecord?', _validate_naptr, attribute=True, cli_name='naptr_rec',ist('naptrrecord?', _validate_naptr, attribute=True, cli_name='naptr_rec', doc='comma-separated list of NAPTR records', label='NAPTR record', multivalue=True) option: List('nsrecord?', attribute=True, cli_name='ns_rec',ist('nsrecord?', attribute=True, cli_name='ns_rec', doc='comma-separated list of NS records', label='NS record', multivalue=True) option: List('nsecrecord?', attribute=True, cli_name='nsec_rec',ist('nsecrecord?', attribute=True, cli_name='nsec_rec', doc='comma-separated list of NSEC records', label='NSEC record', multivalue=True) option: List('nsec3record?', attribute=True, cli_name='nsec3_rec',ist('nsec3record?', attribute=True, cli_name='nsec3_rec', doc='comma-separated list of NSEC3 records', label='NSEC3 record', multivalue=True) 
@@ -559,7 +559,7 @@ option: List('keyrecord?', attribute=True, cli_name='key_rec',ist('keyrecord?', option: List('kxrecord?', attribute=True, cli_name='kx_rec',ist('kxrecord?', attribute=True, cli_name='kx_rec', doc='comma-separated list of KX records', label='KX record', multivalue=True) option: List('locrecord?', attribute=True, cli_name='loc_rec',ist('locrecord?', attribute=True, cli_name='loc_rec', doc='comma-separated list of LOC records', label='LOC record', multivalue=True) option: List('mxrecord?', _validate_mx, attribute=True, cli_name='mx_rec',ist('mxrecord?', _validate_mx, attribute=True, cli_name='mx_rec', doc='comma-separated list of MX records', label='MX record', multivalue=True) -option: List('naptrrecord?', attribute=True, cli_name='naptr_rec',ist('naptrrecord?', attribute=True, cli_name='naptr_rec', doc='comma-separated list of NAPTR records', label='NAPTR record', multivalue=True) +option: List('naptrrecord?', _validate_naptr, attribute=True, cli_name='naptr_rec',ist('naptrrecord?', _validate_naptr, attribute=True, cli_name='naptr_rec', doc='comma-separated list of NAPTR records', label='NAPTR record', multivalue=True) option: List('nsrecord?', attribute=True, cli_name='ns_rec',ist('nsrecord?', attribute=True, cli_name='ns_rec', doc='comma-separated list of NS records', label='NS record', multivalue=True) option: List('nsecrecord?', attribute=True, cli_name='nsec_rec',ist('nsecrecord?', attribute=True, cli_name='nsec_rec', doc='comma-separated list of NSEC records', label='NSEC record', multivalue=True) option: List('nsec3record?', attribute=True, cli_name='nsec3_rec',ist('nsec3record?', attribute=True, cli_name='nsec3_rec', doc='comma-separated list of NSEC3 records', label='NSEC3 record', multivalue=True) 
@@ -604,7 +604,7 @@ option: List('keyrecord?', attribute=True, cli_name='key_rec',ist('keyrecord?', option: List('kxrecord?', attribute=True, cli_name='kx_rec',ist('kxrecord?', attribute=True, cli_name='kx_rec', doc='comma-separated list of KX records', label='KX record', multivalue=True) option: List('locrecord?', attribute=True, cli_name='loc_rec',ist('locrecord?', attribute=True, cli_name='loc_rec', doc='comma-separated
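Review bot: the doc string on the changed naptrrecord lines still reads only 'comma-separated list of NAPTR records' in all three API.txt hunks, so once _validate_naptr starts rejecting input the user has no description of the format it expects. Consider stating the expected fields in the option's doc text, or making sure the validator's error message names the field that failed.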
Re: [Freeipa-devel] [PATCH] 738 default.conf man page
On Mon, Feb 21, 2011 at 04:57:22PM -0500, Rob Crittenden wrote: Add a man page for the IPA configuration file default.conf. ticket 969 rob Looks good to me, Ack. The options that are in constants.py but not documented in the manpage seem to be unused. I guess we can remove them in the future (webui_assets_dir, mount_jsonserver etc..)
Re: [Freeipa-devel] [PATCH] 735 configure krb5_realm in sssd ipa provider
On Mon, Feb 21, 2011 at 11:30:04AM -0500, Rob Crittenden wrote: Jakub Hrozek wrote: On Mon, Feb 21, 2011 at 10:27:26AM -0500, Rob Crittenden wrote: Set krb5_realm in sssd.conf in the ipa provider. ticket 925 rob This works fine, so Ack. One question, though, why don't we add the realm only if ipa_domain.upper() != krb5_realm? It would make the config file a little more readable for the 99% case where the two are the same. Sure. We can't assume that the realm is always upper case so I'll do a case insensitive match (I did lower by reflex). rob My sssd.conf is nice and minimal again, thank you :-) Ack
Re: [Freeipa-devel] [PATCH] 737 move BuildRequires
Jakub Hrozek jhro...@redhat.com wrote: On Tue, Feb 22, 2011 at 11:21:41AM +0100, Jakub Hrozek wrote: Note the %else. Sorry, %endif. That separates BRs for !ONLY_CLIENT from those that are needed in both cases. Yes I noticed that and I understand that part. I meant the part after the %endif - there is no need to move those dependencies. On the other hand it's definitely not a patch-blocker or something, so I give this patch ACK. Jan
Re: [Freeipa-devel] [PATCH] 728 default roles
Rob Crittenden rcrit...@redhat.com wrote: Jakub Hrozek wrote: On Mon, Feb 21, 2011 at 10:11:38AM -0500, Rob Crittenden wrote: Rob Crittenden wrote: Jakub Hrozek wrote: On 02/17/2011 04:35 AM, Rob Crittenden wrote: Add default roles and permissions for HBAC, SUDO and pw policy Created some default roles as examples. In doing so I realized that we were completely missing default rules for HBAC, SUDO and password policy so I added those as well. I ran into a problem when the updater has a default record and an add at the same time, it should handle it better now. ticket 585 rob I'm not sure about the HBAC rules ACIs. They are specified as: 'target = ldap:///cn=*,cn=hbac,$SUFFIX;' while HBAC rules' DN is: 'ipauniqueid=*,cn=hbac,$SUFFIX'. But HBAC rules do have a cn: attribute, so maybe the ACIs would work? No, you're right, this is wrong. I'll fix it up and resubmit. The patch also needs rebasing on top of recent changes to install/updates/Makefile.am Other than that, looks OK to me. btw when I was reviewing this patch, I noticed we add a DNS Administrators privilege in dns.ldif. Would it make sense to add DNS administration to Security Architect (replication management) and IT Specialist (hosts management)? The DNS stuff is added only if DNS is enabled on the server so I can't add them by default. rob Updated patch. rob Interdiff looks fine, but I'm not able to apply the patch (not even 3-way merge), can you rebase? done The patch now applies ok (just one whitespace warning), ack Jan
Re: [Freeipa-devel] [PATCH] 728 default roles
On Tue, 2011-02-22 at 13:14 +0100, Jan Zelený wrote: Rob Crittenden rcrit...@redhat.com wrote: Jakub Hrozek wrote: On Mon, Feb 21, 2011 at 10:11:38AM -0500, Rob Crittenden wrote: Rob Crittenden wrote: Jakub Hrozek wrote: On 02/17/2011 04:35 AM, Rob Crittenden wrote: Add default roles and permissions for HBAC, SUDO and pw policy Created some default roles as examples. In doing so I realized that we were completely missing default rules for HBAC, SUDO and password policy so I added those as well. I ran into a problem when the updater has a default record and an add at the same time, it should handle it better now. ticket 585 rob I'm not sure about the HBAC rules ACIs. They are specified as: 'target = ldap:///cn=*,cn=hbac,$SUFFIX;' while HBAC rules' DN is: 'ipauniqueid=*,cn=hbac,$SUFFIX'. But HBAC rules do have a cn: attribute, so maybe the ACIs would work? No, you're right, this is wrong. I'll fix it up and resubmit. The patch also needs rebasing on top of recent changes to install/updates/Makefile.am Other than that, looks OK to me. btw when I was reviewing this patch, I noticed we add a DNS Administrators privilege in dns.ldif. Would it make sense to add DNS administration to Security Architect (replication management) and IT Specialist (hosts management)? The DNS stuff is added only if DNS is enabled on the server so I can't add them by default. rob Updated patch. rob Interdiff looks fine, but I'm not able to apply the patch (not even 3-way merge), can you rebase? done The patch now applies ok (just one whitespace warning), ack Jan I have to NACK this.
I have found some issues in the new LDAP records:
1) A wrong groupdn for the following ACI in 40-delegation.update: add:aci: '(target = ldap:///cn=*,cn=sudorules,cn=sudo,$SUFFIX;)(version 3.0;acl permission:Add SUDO rule;allow (add) groupdn = ldap:///cn=Add SUDOrule,cn=permissions,cn=pbac,$SUFFIX;)' It should be ldap:///cn=Add SUDO rule,cn=permissions,cn=pbac,$SUFFIX
2) Another wrong target for few ACIs: ldap:///cn=*,cn=sudorules,cn=sudo,$SUFFIX is used instead of ldap:///ipaUniqueID=*,cn=sudorules,cn=sudo,$SUFFIX
3) Missing Description for the following new privileges:
   Write IPA Configuration
   Modify Users and Reset passwords
   Modify Group membership
Remainder looks good. Martin
Re: [Freeipa-devel] [PATCH] 738 default.conf man page
Rob Crittenden wrote: Add a man page for the IPA configuration file default.conf. ticket 969 rob

NACK

A few too many typos and other errors.

Spaces between the equals sign are ignored.
Do you mean, Spaces surrounding equals signs are ignored.?

+Specifies the base DN to use when performan LDAP operations.
performing

+Specfies the secure CA agent port. The defauilt is 9443.
Specifies
default

+Specifies the unsecure CA end user port. The default is 9190.
insecure

For example. if you want to always perform client requests in verbose mode but do not want to have verbose enabled on the server add the verbose option to \fI/etc/ipa/cli.conf\fR.
comma after example, not a period.
add a comma after enabled on the server

+Specifies whether the CA is acting is an RA agent,
as an RA agent

+Specifies the name of the CA backend to use. The current options are \fBselfsign\fR and \fBdogtag\fR. This is a server\-side setting. Changing this value is not recommended as the CA backend is only set up during ininitial installation.
s/backend/back end/
s/selfsign/self-sign/
s/ininitial/initial/

+Specifies the kerberos realm.
Kerberos

...and show the server(s) the client contacts.
s/server(s)/servers/

+user IPA configurationf ile
configuration file

+Optional configuration files used in a particular context are. The value of mode is used to attempt to load these files, if they exist:
I'm not sure what this means

--
David O'Brien
Red Hat Asia Pacific Pty Ltd
+61 7 3514 8189
He who asks is a fool for five minutes, but he who does not ask remains a fool forever. ~ Chinese proverb
Re: [Freeipa-devel] [PATCH] 737 move BuildRequires
Jan Zelený wrote: Jakub Hrozek jhro...@redhat.com wrote: On Tue, Feb 22, 2011 at 11:21:41AM +0100, Jakub Hrozek wrote: Note the %else. Sorry, %endif. That separates BRs for !ONLY_CLIENT from those that are needed in both cases. Yes I noticed that and I understand that part. I meant the part after the %endif - there is no need to move those dependencies. On the other hand it's definitely not a patch-blocker or something, so I give this patch ACK. Jan pushed to master
Re: [Freeipa-devel] [PATCH] 735 configure krb5_realm in sssd ipa provider
Jakub Hrozek wrote: On Mon, Feb 21, 2011 at 11:30:04AM -0500, Rob Crittenden wrote: Jakub Hrozek wrote: On Mon, Feb 21, 2011 at 10:27:26AM -0500, Rob Crittenden wrote: Set krb5_realm in sssd.conf in the ipa provider. ticket 925 rob This works fine, so Ack. One question, though, why don't we add the realm only if ipa_domain.upper() != krb5_realm? It would make the config file a little more readable for the 99% case where the two are the same. Sure. We can't assume that the realm is always upper case so I'll do a case insensitive match (I did lower by reflex). rob My sssd.conf is nice and minimal again, thank you :-) Ack pushed to master
Re: [Freeipa-devel] [PATCH] 737 move BuildRequires
Jan Zeleny wrote: Rob Crittenden rcrit...@redhat.com wrote: Move some BuildRequires so building with ONLY_CLIENT works. I tested with: $ mock -r fedora-14-x86_64 --define='ONLY_CLIENT 1' ./dist/srpms/freeipa-2.0.0GIT055a668-0.fc14.src.rpm rob I'm a little confused. Some of the lines are only moved a couple lines above their original location (like python-ldap for instance). Does this really have an impact on building? The only three lines I understand are those first three. Thanks for explanation Jan I had already done a similar change in another spec I maintain and pull them out one at a time until it built properly, thus I didn't maintain order. What this does is it pulls most of the requires out of the ! ONLY_CLIENT conditional. rob
Re: [Freeipa-devel] [PATCH] 736 hard limit for # of batch requests
Martin Kosek wrote: On Mon, 2011-02-21 at 11:48 -0500, Rob Crittenden wrote: Set a hard limit of 256 for the # of commands in a batch request we'll handle. ticket 984 rob ACK. Works for me. Tested by custom JSON command via curl. Martin pushed to master
Re: [Freeipa-devel] [PATCH] 061 Validate NAPTR records
Jakub Hrozek wrote: On Mon, Feb 21, 2011 at 01:18:07PM -0500, Rob Crittenden wrote: Jakub Hrozek wrote: I'm not sure about checking the flags - this might be a little too much validation. https://fedorahosted.org/freeipa/ticket/840 I think the flags length check needs to change. I would do this instead: flags = flags.replace('','') Otherwise someone might try to pass in the flags 'SAU' and all that would get set is A. rob OK, that's much better. New patch attached. ack, pushed to master
Re: [Freeipa-devel] [PATCH] 738 default.conf man page
David O'Brien wrote: Rob Crittenden wrote: Add a man page for the IPA configuration file default.conf. ticket 969 rob

NACK

A few too many typos and other errors.

Spaces between the equals sign are ignored.
Do you mean, Spaces surrounding equals signs are ignored.?

+Specifies the base DN to use when performan LDAP operations.
performing

+Specfies the secure CA agent port. The defauilt is 9443.
Specifies
default

+Specifies the unsecure CA end user port. The default is 9190.
insecure

For example. if you want to always perform client requests in verbose mode but do not want to have verbose enabled on the server add the verbose option to \fI/etc/ipa/cli.conf\fR.
comma after example, not a period.
add a comma after enabled on the server

+Specifies whether the CA is acting is an RA agent,
as an RA agent

+Specifies the name of the CA backend to use. The current options are \fBselfsign\fR and \fBdogtag\fR. This is a server\-side setting. Changing this value is not recommended as the CA backend is only set up during ininitial installation.
s/backend/back end/
s/selfsign/self-sign/
s/ininitial/initial/

+Specifies the kerberos realm.
Kerberos

...and show the server(s) the client contacts.
s/server(s)/servers/

+user IPA configurationf ile
configuration file

+Optional configuration files used in a particular context are. The value of mode is used to attempt to load these files, if they exist:
I'm not sure what this means

Fixes applied. rob
freeipa-rcrit-738-2-man.patch Description: application/mbox
Re: [Freeipa-devel] [PATCH] 728 default roles
Martin Kosek wrote: On Tue, 2011-02-22 at 13:14 +0100, Jan Zelený wrote: Rob Crittenden rcrit...@redhat.com wrote: Jakub Hrozek wrote: On Mon, Feb 21, 2011 at 10:11:38AM -0500, Rob Crittenden wrote: Rob Crittenden wrote: Jakub Hrozek wrote: On 02/17/2011 04:35 AM, Rob Crittenden wrote: Add default roles and permissions for HBAC, SUDO and pw policy Created some default roles as examples. In doing so I realized that we were completely missing default rules for HBAC, SUDO and password policy so I added those as well. I ran into a problem when the updater has a default record and an add at the same time, it should handle it better now. ticket 585 rob I'm not sure about the HBAC rules ACIs. They are specified as: 'target = ldap:///cn=*,cn=hbac,$SUFFIX;' while HBAC rules' DN is: 'ipauniqueid=*,cn=hbac,$SUFFIX'. But HBAC rules do have a cn: attribute, so maybe the ACIs would work? No, you're right, this is wrong. I'll fix it up and resubmit. The patch also needs rebasing on top of recent changes to install/updates/Makefile.am Other than that, looks OK to me. btw when I was reviewing this patch, I noticed we add a DNS Administrators privilege in dns.ldif. Would it make sense to add DNS administration to Security Architect (replication management) and IT Specialist (hosts management)? The DNS stuff is added only if DNS is enabled on the server so I can't add them by default. rob Updated patch. rob Interdiff looks fine, but I'm not able to apply the patch (not even 3-way merge), can you rebase? done The patch now applies ok (just one whitespace warning), ack Jan I have to NACK this.
I have found some issues in the new LDAP records:
1) A wrong groupdn for the following ACI in 40-delegation.update: add:aci: '(target = ldap:///cn=*,cn=sudorules,cn=sudo,$SUFFIX;)(version 3.0;acl permission:Add SUDO rule;allow (add) groupdn = ldap:///cn=Add SUDOrule,cn=permissions,cn=pbac,$SUFFIX;)' It should be ldap:///cn=Add SUDO rule,cn=permissions,cn=pbac,$SUFFIX
2) Another wrong target for few ACIs: ldap:///cn=*,cn=sudorules,cn=sudo,$SUFFIX is used instead of ldap:///ipaUniqueID=*,cn=sudorules,cn=sudo,$SUFFIX
3) Missing Description for the following new privileges:
   Write IPA Configuration
   Modify Users and Reset passwords
   Modify Group membership
Remainder looks good. Martin
Thanks for the careful review. Updated patch attached. rob
freeipa-rcrit-728-4-roles.patch Description: application/mbox
Re: [Freeipa-devel] [PATCH] 728 default roles
On Tue, 2011-02-22 at 09:22 -0500, Rob Crittenden wrote: Martin Kosek wrote: On Tue, 2011-02-22 at 13:14 +0100, Jan Zelený wrote: Rob Crittenden rcrit...@redhat.com wrote: Jakub Hrozek wrote: On Mon, Feb 21, 2011 at 10:11:38AM -0500, Rob Crittenden wrote: Rob Crittenden wrote: Jakub Hrozek wrote: On 02/17/2011 04:35 AM, Rob Crittenden wrote: Add default roles and permissions for HBAC, SUDO and pw policy Created some default roles as examples. In doing so I realized that we were completely missing default rules for HBAC, SUDO and password policy so I added those as well. I ran into a problem when the updater has a default record and an add at the same time, it should handle it better now. ticket 585 rob I'm not sure about the HBAC rules ACIs. They are specified as: 'target = ldap:///cn=*,cn=hbac,$SUFFIX;' while HBAC rules' DN is: 'ipauniqueid=*,cn=hbac,$SUFFIX'. But HBAC rules do have a cn: attribute, so maybe the ACIs would work? No, you're right, this is wrong. I'll fix it up and resubmit. The patch also needs rebasing on top of recent changes to install/updates/Makefile.am Other than that, looks OK to me. btw when I was reviewing this patch, I noticed we add a DNS Administrators privilege in dns.ldif. Would it make sense to add DNS administration to Security Architect (replication management) and IT Specialist (hosts management)? The DNS stuff is added only if DNS is enabled on the server so I can't add them by default. rob Updated patch. rob Interdiff looks fine, but I'm not able to apply the patch (not even 3-way merge), can you rebase? done The patch now applies ok (just one whitespace warning), ack Jan I have to NACK this.
I have found some issues in the new LDAP records:
1) A wrong groupdn for the following ACI in 40-delegation.update: add:aci: '(target = ldap:///cn=*,cn=sudorules,cn=sudo,$SUFFIX;)(version 3.0;acl permission:Add SUDO rule;allow (add) groupdn = ldap:///cn=Add SUDOrule,cn=permissions,cn=pbac,$SUFFIX;)' It should be ldap:///cn=Add SUDO rule,cn=permissions,cn=pbac,$SUFFIX
2) Another wrong target for few ACIs: ldap:///cn=*,cn=sudorules,cn=sudo,$SUFFIX is used instead of ldap:///ipaUniqueID=*,cn=sudorules,cn=sudo,$SUFFIX
3) Missing Description for the following new privileges:
   Write IPA Configuration
   Modify Users and Reset passwords
   Modify Group membership
Remainder looks good. Martin
Thanks for the careful review. Updated patch attached. rob
Good job! It's OK now. ACK Martin
[Freeipa-devel] [PATCH] 034 Entitlements ACIs not visible to Permission plugin
This patch fixes Entitlements privileges and ACIs. There were missing descriptions or the ACIs could not be processed by Permissino plugin because of missing prefix. https://fedorahosted.org/freeipa/ticket/997 From 2b088549da0b3c8beb4451d09e337b1dfa8ee9ce Mon Sep 17 00:00:00 2001 From: Martin Kosek mko...@redhat.com Date: Tue, 22 Feb 2011 15:25:43 +0100 Subject: [PATCH] Entitlements ACIs not visible to Permission plugin This patch fixes Entitlements privileges and ACIs. There were missing descriptions or the ACIs could not be processed by Permissino plugin because of missing prefix. https://fedorahosted.org/freeipa/ticket/997 --- install/share/delegation.ldif |9 ++--- 1 files changed, 6 insertions(+), 3 deletions(-) diff --git a/install/share/delegation.ldif b/install/share/delegation.ldif index 02dc850af1634483ad289eac261263db92157d11..5d4949ae37a33eabb9646b181e41923c5811275f 100644 --- a/install/share/delegation.ldif +++ b/install/share/delegation.ldif @@ -152,6 +152,7 @@ objectClass: top objectClass: groupofnames objectClass: nestedgroup cn: Register and Write Entitlements +description: Register and Write Entitlements member: cn=Entitlement Management,cn=roles,cn=accounts,$SUFFIX dn: cn=Read Entitlements,cn=privileges,cn=pbac,$SUFFIX @@ -160,6 +161,7 @@ objectClass: top objectClass: groupofnames objectClass: nestedgroup cn: Read Entitlements +description: Read Entitlements member: cn=Entitlement Management,cn=roles,cn=accounts,$SUFFIX member: cn=Entitlement Compliance,cn=roles,cn=accounts,$SUFFIX @@ -518,6 +520,7 @@ changetype: add objectClass: top objectClass: groupofnames objectClass: ipapermission +cn: Register Entitlements member: cn=Register and Write Entitlements,cn=privileges,cn=pbac,$SUFFIX dn: cn=Read Entitlements,cn=permissions,cn=pbac,$SUFFIX 
@@ -656,17 +659,17 @@ aci: (targetattr = enrolledby || objectclass)(target = ldap:///fqdn=*,cn=comp dn: $SUFFIX changetype: modify add: aci -aci: (target = ldap:///ipaentitlementid=*,cn=entitlements,cn=etc,$SUFFIX;)(version 3.0;acl Register Entitlements;allow (add) groupdn = ldap:///cn=Register Entitlements,cn=permissions,cn=pbac,$SUFFIX;) +aci: (target = ldap:///ipaentitlementid=*,cn=entitlements,cn=etc,$SUFFIX;)(version 3.0;acl permission:Register Entitlements;allow (add) groupdn = ldap:///cn=Register Entitlements,cn=permissions,cn=pbac,$SUFFIX;) dn: $SUFFIX changetype: modify add: aci -aci: (targetattr = usercertificate)(target = ldap:///ipaentitlement=*,cn=entitlements,cn=etc,$SUFFIX;)(version 3.0;acl Write Entitlements;allow (write) groupdn = ldap:///cn=Write entitlements,cn=permissions,cn=pbac,$SUFFIX;) +aci: (targetattr = usercertificate)(target = ldap:///ipaentitlement=*,cn=entitlements,cn=etc,$SUFFIX;)(version 3.0;acl permission:Write Entitlements;allow (write) groupdn = ldap:///cn=Write Entitlements,cn=permissions,cn=pbac,$SUFFIX;) dn: $SUFFIX changetype: modify add: aci -aci: (targetattr = userpkcs12)(target = ldap:///ipaentitlementid=*,cn=entitlements,cn=etc,$SUFFIX;)(version 3.0;acl Read Entitlements;allow (read) groupdn = ldap:///cn=Read Entitlements,cn=permissions,cn=pbac,$SUFFIX;) +aci: (targetattr = userpkcs12)(target = ldap:///ipaentitlementid=*,cn=entitlements,cn=etc,$SUFFIX;)(version 3.0;acl permission:Read Entitlements;allow (read) groupdn = ldap:///cn=Read Entitlements,cn=permissions,cn=pbac,$SUFFIX;) # Create virtual operations entry. This is used to control access to # operations that don't rely on LDAP directly. -- 1.7.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
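Review bot: in the last hunk the Write Entitlements ACI keeps its target ldap:///ipaentitlement=*,cn=entitlements,cn=etc,$SUFFIX, while the Register and Read ACIs on either side of it target ipaentitlementid=*. Since this line is being rewritten anyway, confirm which RDN attribute the entitlement entries actually use and make the three targets agree; if the attribute is wrong, the write permission will not apply to the entries it is meant to cover.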
Re: [Freeipa-devel] [PATCH] 034 Entitlements ACIs not visible to Permission plugin
On Tue, 2011-02-22 at 15:46 +0100, Martin Kosek wrote: This patch fixes Entitlements privileges and ACIs. There were missing descriptions or the ACIs could not be processed by Permissino plugin because of missing prefix. https://fedorahosted.org/freeipa/ticket/997 I just want to add that this patch is built on a top of Rob's patch 728 default roles. Attached a patch with fixed typo in commit message. Martin From 6d6acc6f622b473922458bff4c42ab73b0c1d78e Mon Sep 17 00:00:00 2001 From: Martin Kosek mko...@redhat.com Date: Tue, 22 Feb 2011 15:25:43 +0100 Subject: [PATCH] Entitlements ACIs not visible to Permission plugin This patch fixes Entitlements privileges and ACIs. There were missing descriptions or the ACIs could not be processed by Permission plugin because of missing prefix. https://fedorahosted.org/freeipa/ticket/997 --- install/share/delegation.ldif |9 ++--- 1 files changed, 6 insertions(+), 3 deletions(-) diff --git a/install/share/delegation.ldif b/install/share/delegation.ldif index 02dc850af1634483ad289eac261263db92157d11..5d4949ae37a33eabb9646b181e41923c5811275f 100644 --- a/install/share/delegation.ldif +++ b/install/share/delegation.ldif @@ -152,6 +152,7 @@ objectClass: top objectClass: groupofnames objectClass: nestedgroup cn: Register and Write Entitlements +description: Register and Write Entitlements member: cn=Entitlement Management,cn=roles,cn=accounts,$SUFFIX dn: cn=Read Entitlements,cn=privileges,cn=pbac,$SUFFIX @@ -160,6 +161,7 @@ objectClass: top objectClass: groupofnames objectClass: nestedgroup cn: Read Entitlements +description: Read Entitlements member: cn=Entitlement Management,cn=roles,cn=accounts,$SUFFIX member: cn=Entitlement Compliance,cn=roles,cn=accounts,$SUFFIX @@ -518,6 +520,7 @@ changetype: add objectClass: top objectClass: groupofnames objectClass: ipapermission +cn: Register Entitlements member: cn=Register and Write Entitlements,cn=privileges,cn=pbac,$SUFFIX dn: cn=Read Entitlements,cn=permissions,cn=pbac,$SUFFIX 
@@ -656,17 +659,17 @@ aci: (targetattr = enrolledby || objectclass)(target = ldap:///fqdn=*,cn=comp dn: $SUFFIX changetype: modify add: aci -aci: (target = ldap:///ipaentitlementid=*,cn=entitlements,cn=etc,$SUFFIX;)(version 3.0;acl Register Entitlements;allow (add) groupdn = ldap:///cn=Register Entitlements,cn=permissions,cn=pbac,$SUFFIX;) +aci: (target = ldap:///ipaentitlementid=*,cn=entitlements,cn=etc,$SUFFIX;)(version 3.0;acl permission:Register Entitlements;allow (add) groupdn = ldap:///cn=Register Entitlements,cn=permissions,cn=pbac,$SUFFIX;) dn: $SUFFIX changetype: modify add: aci -aci: (targetattr = usercertificate)(target = ldap:///ipaentitlement=*,cn=entitlements,cn=etc,$SUFFIX;)(version 3.0;acl Write Entitlements;allow (write) groupdn = ldap:///cn=Write entitlements,cn=permissions,cn=pbac,$SUFFIX;) +aci: (targetattr = usercertificate)(target = ldap:///ipaentitlement=*,cn=entitlements,cn=etc,$SUFFIX;)(version 3.0;acl permission:Write Entitlements;allow (write) groupdn = ldap:///cn=Write Entitlements,cn=permissions,cn=pbac,$SUFFIX;) dn: $SUFFIX changetype: modify add: aci -aci: (targetattr = userpkcs12)(target = ldap:///ipaentitlementid=*,cn=entitlements,cn=etc,$SUFFIX;)(version 3.0;acl Read Entitlements;allow (read) groupdn = ldap:///cn=Read Entitlements,cn=permissions,cn=pbac,$SUFFIX;) +aci: (targetattr = userpkcs12)(target = ldap:///ipaentitlementid=*,cn=entitlements,cn=etc,$SUFFIX;)(version 3.0;acl permission:Read Entitlements;allow (read) groupdn = ldap:///cn=Read Entitlements,cn=permissions,cn=pbac,$SUFFIX;) # Create virtual operations entry. This is used to control access to # operations that don't rely on LDAP directly. -- 1.7.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
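Review bot: the description values added in the @@ -152 and @@ -160 hunks only repeat the cn ('Register and Write Entitlements', 'Read Entitlements'), which tells an administrator nothing the name does not. A short sentence saying what each privilege allows would make the new attribute worth having.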
Re: [Freeipa-devel] [PATCH] 728 default roles
Martin Kosek wrote: On Tue, 2011-02-22 at 09:22 -0500, Rob Crittenden wrote: Martin Kosek wrote: On Tue, 2011-02-22 at 13:14 +0100, Jan Zelený wrote: Rob Crittenden rcrit...@redhat.com wrote: Jakub Hrozek wrote: On Mon, Feb 21, 2011 at 10:11:38AM -0500, Rob Crittenden wrote: Rob Crittenden wrote: Jakub Hrozek wrote: On 02/17/2011 04:35 AM, Rob Crittenden wrote: Add default roles and permissions for HBAC, SUDO and pw policy Created some default roles as examples. In doing so I realized that we were completely missing default rules for HBAC, SUDO and password policy so I added those as well. I ran into a problem when the updater has a default record and an add at the same time, it should handle it better now. ticket 585 rob I'm not sure about the HBAC rules ACIs. They are specified as: 'target = ldap:///cn=*,cn=hbac,$SUFFIX;' while HBAC rules' DN is: 'ipauniqueid=*,cn=hbac,$SUFFIX'. But HBAC rules do have a cn: attribute, so maybe the ACIs would work? No, you're right, this is wrong. I'll fix it up and resubmit. The patch also needs rebasing on top of recent changes to install/updates/Makefile.am Other than that, looks OK to me. btw when I was reviewing this patch, I noticed we add a DNS Administrators privilege in dns.ldif. Would it make sense to add DNS administration to Security Architect (replication management) and IT Specialist (hosts management)? The DNS stuff is added only if DNS is enabled on the server so I can't add them by default. rob Updated patch. rob Interdiff looks fine, but I'm not able to apply the patch (not even 3-way merge), can you rebase? done The patch now applies ok (just one whitespace warning), ack Jan I have to NACK this.
I have found some issues in the new LDAP records: 1) A wrong groupdn for the following ACI in 40-delegation.update: add:aci: '(target = ldap:///cn=*,cn=sudorules,cn=sudo,$SUFFIX;)(version 3.0;acl permission:Add SUDO rule;allow (add) groupdn = ldap:///cn=Add SUDOrule,cn=permissions,cn=pbac,$SUFFIX;)' It should be ldap:///cn=Add SUDO rule,cn=permissions,cn=pbac,$SUFFIX 2) Another wrong target for few ACIs: ldap:///cn=*,cn=sudorules,cn=sudo,$SUFFIX is used instead of ldap:///ipaUniqueID=*,cn=sudorules,cn=sudo,$SUFFIX 3) Missing Description for the following new privileges: Write IPA Configuration Modify Users and Reset passwords Modify Group membership Remainder looks good. Martin Thanks for the careful review. Updated patch attached. rob Good job! It's OK now. ACK Martin pushed to master
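The ACI problems raised in this review and fixed in patch 034 (ACL name without the permission: prefix, groupdn that does not match the ACL name, cn=* targets in containers whose entries are named by ipaUniqueID) can be checked mechanically before a patch is posted. The following is an added example, not FreeIPA code: the finding names, the container table and the sample text are assumptions built from the ACIs quoted in this thread, plus one constructed non-permission ACI.

```python
import re

PREFIX = "permission:"
PERM_CONTAINER = "cn=permissions,cn=pbac,$suffix"
# Containers whose entries, per the review above, are named by ipaUniqueID.
UNIQUEID_CONTAINERS = {"cn=hbac,$suffix", "cn=sudorules,cn=sudo,$suffix"}

# Quotes are optional so both the quoted form and the form shown in this
# archive (quotes lost) parse. Escaped commas in RDN values are not handled.
ACL_RE = re.compile(r'version 3\.0;\s*acl\s+"?([^;"]+)"?\s*;')
GROUPDN_RE = re.compile(r'groupdn\s*=\s*"?ldap:///([^;"]+)"?\s*;')
TARGET_RE = re.compile(r'\(\s*target\s*=\s*"?ldap:///([^;")]+)"?\s*;?\s*\)')


def split_dn(dn):
    """Return (rdn attribute, rdn value, parent DN) for a simple DN."""
    rdn, _, parent = dn.partition(",")
    attr, _, value = rdn.partition("=")
    return attr.strip(), value.strip(), parent.strip()


def lint_aci(aci):
    """Return (acl name, findings) for a permission ACI, None for any other."""
    acl, group = ACL_RE.search(aci), GROUPDN_RE.search(aci)
    if not acl or not group:
        return None
    _, group_cn, group_parent = split_dn(group.group(1))
    if group_parent.lower() != PERM_CONTAINER:
        return None  # not delegated through a permission group
    name = acl.group(1).strip()
    findings = []
    if name.startswith(PREFIX):
        bare = name[len(PREFIX):]
    else:
        bare = name
        findings.append("missing-prefix")
    if group_cn != bare:
        same = group_cn.lower() == bare.lower()
        findings.append("groupdn-case" if same else "groupdn-mismatch")
    target = TARGET_RE.search(aci)
    if target:
        attr, _, parent = split_dn(target.group(1))
        if parent.lower() in UNIQUEID_CONTAINERS and attr.lower() != "ipauniqueid":
            findings.append("target-rdn")
    return name, findings


def extract_acis(text):
    """Collect aci values from LDIF ('aci: ...') or .update ('add:aci: ...') text."""
    acis, current = [], None
    for line in text.splitlines():
        if current is not None and line.startswith(" "):
            current += line[1:]  # LDIF continuation line
            continue
        if current is not None:
            acis.append(current)
            current = None
        match = re.match(r"(?:add:)?aci:\s*(.*)", line)
        if match:
            current = match.group(1)
    if current is not None:
        acis.append(current)
    return [a.strip().strip("'") for a in acis]


def lint_text(text):
    """Lint every permission ACI in the text; other ACIs are skipped."""
    return [r for r in map(lint_aci, extract_acis(text)) if r is not None]


# Constructed sample: the pre-patch Write Entitlements ACI and the SUDO ACI as
# quoted in the thread, the post-patch Read Entitlements ACI with quotes
# restored, and one constructed ACI that is not tied to a permission.
SAMPLE = """\
dn: $SUFFIX
changetype: modify
add: aci
aci: (targetattr = usercertificate)(target = ldap:///ipaentitlement=*,cn=entitlements,cn=etc,$SUFFIX;)(version 3.0;acl Write Entitlements;allow (write) groupdn = ldap:///cn=Write entitlements,cn=permissions,cn=pbac,$SUFFIX;)
aci: (targetattr = "userpkcs12")(target = "ldap:///ipaentitlementid=*,cn=entitlements,cn=etc,$SUFFIX";)(version 3.0;acl "permission:Read Entitlements";allow (read) groupdn = "ldap:///cn=Read Entitlements,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr = "cn")(version 3.0;acl "constructed self read";allow (read) userdn = "ldap:///self";)
add:aci: '(target = ldap:///cn=*,cn=sudorules,cn=sudo,$SUFFIX;)(version 3.0;acl permission:Add SUDO rule;allow (add) groupdn = ldap:///cn=Add SUDOrule,cn=permissions,cn=pbac,$SUFFIX;)'
"""

if __name__ == "__main__":
    for acl_name, problems in lint_text(SAMPLE):
        print(acl_name, "->", ", ".join(problems) or "ok")
```
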
Re: [Freeipa-devel] [PATCH] 034 Entitlements ACIs not visible to Permission plugin
Martin Kosek wrote: This patch fixes Entitlements privileges and ACIs. There were missing descriptions or the ACIs could not be processed by Permission plugin because of missing prefix. https://fedorahosted.org/freeipa/ticket/997 ack, pushed to master
[Freeipa-devel] [PATCH] admiyo-0199-Net-group-to-Netgroup
From b0cb901f26834ba6e4e32d7d3a3ae10452de04e6 Mon Sep 17 00:00:00 2001 From: Adam Young ayo...@redhat.com Date: Tue, 22 Feb 2011 11:35:25 -0500 Subject: [PATCH 199/203] Net group to Netgroup --- ipalib/plugins/netgroup.py |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/ipalib/plugins/netgroup.py b/ipalib/plugins/netgroup.py index 3e45fcc7c317e5b139fb7092c9fc81ac603c387c..610eb02c398c98b3f11da0463a193bd232275bb4 100644 --- a/ipalib/plugins/netgroup.py +++ b/ipalib/plugins/netgroup.py @@ -95,7 +95,7 @@ class netgroup(LDAPObject): 'memberhost': ('Member', '', 'no_'), } -label = _('Net Groups') +label = _('Netgroups') takes_params = ( Str('cn', -- 1.7.3.5
[Freeipa-devel] [PATCH] admiyo-0200-adder-dialogs-with-external
https://fedorahosted.org/freeipa/ticket/986 From c0af47af158ec9a30924f2571f8a1fef13c414ad Mon Sep 17 00:00:00 2001 From: Adam Young ayo...@redhat.com Date: Tue, 22 Feb 2011 12:58:26 -0500 Subject: [PATCH 200/203] adder dialogs with external made the styles for the internal and external classes match the styles for available. --- install/ui/ipa.css | 13 - 1 files changed, 8 insertions(+), 5 deletions(-) diff --git a/install/ui/ipa.css b/install/ui/ipa.css index 44643f7d47a57225bf59baf2b215d0776f30bea2..a9004c9f34965d077e17b6508f0001c5d6417f38 100644 --- a/install/ui/ipa.css +++ b/install/ui/ipa.css @@ -944,19 +944,22 @@ table.scrollable tbody { } .adder-dialog-internal { -border: 1px solid black; +background-color: #ff; +border: none; position: absolute; top: 0; left: 0; -bottom: 4.5em; -width: 25em; +bottom: 0; +width: 23em; +padding-top: 1em; + } .adder-dialog-external { -border: 1px solid black; +border: none; position: absolute; left: 0; bottom: 0; -width: 25em; +width: 23em; height: 4em; } -- 1.7.3.5
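Review bot: In .adder-dialog-internal the added background-color: #ff; is not a valid hex colour as written (CSS accepts 3, 4, 6 or 8 hex digits), so the declaration would be dropped; spell out the intended value. The same rule gains a blank line before its closing brace, and with bottom going from 4.5em to 0 the internal box now covers the area where .adder-dialog-external sits (left: 0; bottom: 0; height: 4em), which the commit message should explain if it is intended.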
[Freeipa-devel] [PATCH] 739 update permission help text
Based on feedback from David here is a hopefully clearer description of permissions. ticket 996 rob freeipa-rcrit-739-permission.patch Description: application/mbox
Re: [Freeipa-devel] [PATCH] Don't load the LDAP schema during startup
Rob Crittenden rcrit...@redhat.com wrote: Jan Zelený wrote: Loading of the schema is now performed in the first request that requires it. https://fedorahosted.org/freeipa/ticket/583 Jan We still need to enforce that we get the schema, some low-level functions depend on it. Also, if the UI doesn't get its aciattrs (which are derived from the schema) then nothing will be editable. I'm getting this backtrace if I force no schema by disabling get_schema: Ok, I'm sending new version, it should handle these exceptions better and the operation should fail if it needs the schema and the schema is not available for some reason. -- Thank you Jan Zeleny Red Hat Software Engineer Brno, Czech Republic From 5ef34748ad1b2d055c86e6674f060d78ad2f8f5f Mon Sep 17 00:00:00 2001 From: Jan Zeleny jzel...@redhat.com Date: Tue, 15 Feb 2011 09:37:58 +0100 Subject: [PATCH] Don't load the LDAP schema during startup https://fedorahosted.org/freeipa/ticket/583 --- ipalib/encoder.py | 11 +++-- ipalib/plugins/baseldap.py |6 ++- ipaserver/install/dsinstance.py |2 +- ipaserver/plugins/ldap2.py | 79 ++ 4 files changed, 67 insertions(+), 31 deletions(-) diff --git a/ipalib/encoder.py b/ipalib/encoder.py index f23e5659e848d37db1072ff59aa7e11796b0836c..1874d903aa0dc2a8c9ee1497164b9d418457c82a 100644 --- a/ipalib/encoder.py +++ b/ipalib/encoder.py @@ -56,11 +56,12 @@ class Encoder(object): self.encoder_settings = EncoderSettings() def _decode_dict_val(self, key, val): -f = self.encoder_settings.decode_dict_vals_table.get( -self.encoder_settings.decode_dict_vals_table_keygen(key, val) -) +key = self.encoder_settings.decode_dict_vals_table_keygen(key, val) +if key is None: +return None +f = self.encoder_settings.decode_dict_vals_table.get(key) if f: -return val +return f(val) return self.decode(val) def encode(self, var): 
@@ -155,6 +156,8 @@ class Encoder(object): self.encoder_settings.decode_postprocessor = lambda x: x for (k, v) in dct.iteritems(): dct[k] = self._decode_dict_val(k, v) +if dct[k] is None: +return None if not self.encoder_settings.decode_dict_vals_postprocess: self.encoder_settings.decode_postprocessor = tmp return dct diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py index 3cb72d7b09cc8c8a77bd4e594660ee376d668013..8866c2f6f1c84b9b5b785562db34b82481a52fb9 100644 --- a/ipalib/plugins/baseldap.py +++ b/ipalib/plugins/baseldap.py @@ -394,7 +394,11 @@ class LDAPObject(Object): objectclasses += self.possible_objectclasses # Get list of available attributes for this object for use # in the ACI UI. -attrs = self.api.Backend.ldap2.schema.attribute_types(objectclasses) +schema = self.api.Backend.ldap2.get_schema() +if not schema: +attrs = [] +else: +attrs = schema.attribute_types(objectclasses) attrlist = [] # Go through the MUST first for (oid, attr) in attrs[0].iteritems(): diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index 2544e167bdff28c13201c5371070ab729ca84b67..c2081700bb7348f4db7e3467f64d040effd07cbe 100644 --- a/ipaserver/install/dsinstance.py +++ b/ipaserver/install/dsinstance.py @@ -133,7 +133,7 @@ def has_managed_entries(host_name, dm_password): conn = ldap2(shared_instance=False, ldap_uri=ldapuri, base_dn='cn=config') conn.connect(bind_dn='cn=Directory Manager', bind_pw=dm_password) (dn, attrs) = conn.get_entry('cn=Managed Entries,cn=plugins', - ['*'], time_limit=2, size_limit=3000) + ['*'], time_limit=2, size_limit=3000, override=True) return True except errors.NotFound: return False diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py index d1e31f5e6eff20cd162c0a11eb4e4404b43ae4b2..3ef076a3dd0c92422bea8fdd29b01e8e311be8ae 100644 --- a/ipaserver/plugins/ldap2.py +++ b/ipaserver/plugins/ldap2.py 
@@ -184,12 +184,6 @@ def get_schema(url, conn=None): return _ldap.schema.SubSchema(schema_entry[1]) -# cache schema when importing module -try: -_schema = get_schema(api.env.ldap_uri) -except AttributeError: -_schema = None - # The UPG setting will be cached the first time a module checks it _upg = None @@ -229,7 +223,6 @@ class ldap2(CrudBackend, Encoder): def __init__(self, shared_instance=True, ldap_uri=None, base_dn=None, schema=None): -global _schema CrudBackend.__init__(self, shared_instance=shared_instance) Encoder.__init__(self) self.encoder_settings.encode_dict_keys = True @@ -249,7 +242,7 @@
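Review bot: In the first encoder.py hunk, _decode_dict_val now returns f(val) where it previously returned val when a table entry exists, a behaviour change the commit message does not mention; say whether this fixes a latent bug or is needed for lazy schema loading. The new key = ...decode_dict_vals_table_keygen(key, val) also rebinds the key parameter, and a None return now stands for "no key could be computed", which callers cannot tell apart from a decoded value of None; a separate variable name and an exception would keep the two cases distinct.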
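Review bot: In the second encoder.py hunk (@@ -155,6 +156,8 @@), the added return None inside the loop exits before the decode_postprocessor = tmp restore that follows the loop, so after one failed lookup the encoder keeps the identity postprocessor that was set just above. Restore it in a try/finally or raise instead of returning None; note also that dct has already been partly modified in place when the early return happens.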
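Review bot: In the baseldap.py hunk, the attrs = [] fallback for a missing schema is followed in the unchanged context by attrs[0].iteritems(), which raises IndexError on an empty list, so the fallback cannot work as written. Either skip the attribute loops when there is no schema or raise an explicit error here, which would also match the stated intent that an operation needing the schema should fail.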
Re: [Freeipa-devel] [PATCH] 112 I18n update for dialog box buttons.
On 02/22/2011 12:28 PM, Endi Sukma Dewata wrote: https://fedorahosted.org/freeipa/ticket/899 ACK. Pushed to master
Re: [Freeipa-devel] Localization patches.
Pavel Zůna wrote: On 2011-02-17 22:52, Rob Crittenden wrote: Pavel Zůna wrote: On 2011-02-17 05:09, Rob Crittenden wrote: Pavel Zůna wrote: My efforts in fixing localization all around the framework and preparing it for localizing docstrings have resulted in a lot of patches. Because I understand they have become a bit hard to track, I decided to post them all together in this thread to make review easier. After this is committed, there will be one more patch that switches xgettext for pygettext. Then hopefully, we'll be pretty much set when it comes to i18n. Pavel Patch 81 isn't applying for me. Help is not working for me either, this is due to patch 80. $ ipa help user ipa: ERROR: NameError: global name '_' is not defined Traceback (most recent call last): File /home/rcrit/redhat/freeipa-version/ipalib/cli.py, line 1087, in run api.finalize() File /home/rcrit/redhat/freeipa-version/ipalib/plugable.py, line 619, in finalize plugin_iter(base, (magic[k] for k in magic)) File /home/rcrit/redhat/freeipa-version/ipalib/base.py, line 397, in __init__ sorted(members, key=lambda m: getattr(m, name_attr)) File /home/rcrit/redhat/freeipa-version/ipalib/plugable.py, line 608, in plugin_iter plugins[klass] = PluginInstance(klass) File /home/rcrit/redhat/freeipa-version/ipalib/plugable.py, line 585, in __init__ self.instance = klass() File /home/rcrit/redhat/freeipa-version/ipalib/plugable.py, line 184, in __init__ self.doc = _(inspect.getdoc(cls)) NameError: global name '_' is not defined ipa: ERROR: an internal error has occurred Patches 69, 71 and 73 are still working fine. What is switching from xgettext to pygettext going to do? This was answered by John Dennis: xgettext doesn't parse python docstrings. rob Rebased version of 81 attached. It should also fix the traceback you're getting. Pavel Something is still not working. 
I'm having a hard time reproducing how I got this but with LANG=es_US.UTF-8 for a while I was getting this with every ipa user-* request: ipa: ERROR: UnicodeEncodeError: 'ascii' codec can't encode character u'\xf1' in position 20: ordinal not in range(128) Traceback (most recent call last): File /home/rcrit/redhat/freeipa-version/ipalib/cli.py, line 1090, in run sys.exit(api.Backend.cli.run(argv)) File /home/rcrit/redhat/freeipa-version/ipalib/cli.py, line 917, in run rv = cmd.output_for_cli(self.api.Backend.textui, result, *args, **options) File /home/rcrit/redhat/freeipa-version/ipalib/frontend.py, line 953, in output_for_cli textui.print_entries(result, order, labels, flags, print_all) File /home/rcrit/redhat/freeipa-version/ipalib/cli.py, line 346, in print_entries self.print_entry(entry, order, labels, flags, print_all, format, indent) File /home/rcrit/redhat/freeipa-version/ipalib/cli.py, line 378, in print_entry label, value, format, indent, one_value_per_line File /home/rcrit/redhat/freeipa-version/ipalib/cli.py, line 309, in print_attribute self.print_indented(format % (attr, text[0]), indent) File /home/rcrit/redhat/freeipa-version/ipalib/cli.py, line 232, in print_indented print (CLI_TAB * indent + text) UnicodeEncodeError: 'ascii' codec can't encode character u'\xf1' in position 20: ordinal not in range(128) ipa: ERROR: ha ocurrido un error interno I think it is blowing up on this user: User login: jose First name: Jose Last name: contraseñas Home directory: /home/jose Login shell: /bin/sh Account disabled: TRUE Member of groups: ipausers Then all of a sudden things started working fine, so I'm not sure what's going on. Is this traceback meaningful to you? rob This looks like a bug in the textui backend. 
You get this error when you do something like this: a = u'\xf1' a.decode('utf-8') Traceback (most recent call last): File stdin, line 1, in module File /usr/lib/python2.6/encodings/utf_8.py, line 16, in decode return codecs.utf_8_decode(input, errors, True) UnicodeEncodeError: 'ascii' codec can't encode character u'\xf1' in position 0: ordinal not in range(128) It means we're not handling encoding/decoding from/to the CLI right somewhere. The character \xf1 corresponds to the small N with tilde in Jose's last name. I'm going to look into it, but I don't think it's related to the localization patches. Pavel I'm seeing 2 test failures: == FAIL: Test the `ipalib.plugable.Plugin.__init__` method. -- Traceback (most recent call last): File /usr/lib/python2.7/site-packages/nose/case.py, line 186, in runTest self.test(*self.arg) File /home/rcrit/redhat/freeipa-tests/tests/test_ipalib/test_plugable.py, line 237, in test_init assert o.summary == 'Do sub-classy things.' AssertionError == FAIL: Test gettext translation -- Traceback (most recent call last):
Re: [Freeipa-devel] [PATCH] admiyo-0199-Net-group-to-Netgroup
On 2/22/2011 12:20 PM, Adam Young wrote: ACK and pushed to master. -- Endi S. Dewata
Re: [Freeipa-devel] [PATCH] admiyo-0201-reorder-user-search-columns
On 2/22/2011 12:22 PM, Adam Young wrote: ACK and pushed to master. -- Endi S. Dewata
Re: [Freeipa-devel] [PATCH] 739 update permission help text
On Tue, Feb 22, 2011 at 01:38:11PM -0500, Rob Crittenden wrote: Based on feedback from David here is a hopefully clearer description of permissions. ticket 996 rob I think you sent a wrong patch, this is the default.conf manpage one.
Re: [Freeipa-devel] [PATCH] Don't load the LDAP schema during startup
Jan Zelený wrote: Rob Crittenden rcrit...@redhat.com wrote: Jan Zelený wrote: Loading of the schema is now performed in the first request that requires it. https://fedorahosted.org/freeipa/ticket/583 Jan We still need to enforce that we get the schema, some low-level functions depend on it. Also, if the UI doesn't get its aciattrs (which are derived from the schema) then nothing will be editable. I'm getting this backtrace if I force no schema by disabling get_schema: Ok, I'm sending new version, it should handle these exceptions better and the operation should fail if it needs the schema and the schema is not available for some reason. This breaks the XML-RPC server. I fixed one problem: --- a/ipaserver/plugins/ldap2.py +++ b/ipaserver/plugins/ldap2.py @@ -253,9 +253,10 @@ class ldap2(CrudBackend, Encoder): def get_syntax(self, attr, value): if not self.schema: -self.schema = get_schema(self.ldap_uri, self.conn) -if not self.schema: +schema = get_schema(self.ldap_uri, self.conn) +if not schema: return None +object.__setattr__(self, 'schema', schema) obj = self.schema.get_obj(_ldap.schema.AttributeType, attr) if obj is not None: return obj.syntax But simple things like get_entry() return an InternalError now. I'm not sure where you were going by adding this. rob
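Review bot: In get_syntax, object.__setattr__(self, 'schema', schema) replaces the plain self.schema = ... assignment with no comment saying why normal attribute assignment has to be bypassed; add one at that line. The check-then-set on self.schema is also repeated inline here, so if other methods need the schema the lazy load belongs in one helper that either returns a schema or raises, rather than returning None from each caller.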
Re: [Freeipa-devel] [PATCH] 739 update permission help text
Jakub Hrozek wrote: On Tue, Feb 22, 2011 at 01:38:11PM -0500, Rob Crittenden wrote: Based on feedback from David here is a hopefully clearer description of permissions. ticket 996 rob I think you sent a wrong patch, this is the default.conf manpage one. D'oh, here you go. rob freeipa-rcrit-739-permission.patch Description: application/mbox
Re: [Freeipa-devel] [PATCH] 739 update permission help text
On Tue, Feb 22, 2011 at 03:24:01PM -0500, Rob Crittenden wrote: Jakub Hrozek wrote: On Tue, Feb 22, 2011 at 01:38:11PM -0500, Rob Crittenden wrote: Based on feedback from David here is a hopefully clearer description of permissions. ticket 996 rob I think you sent a wrong patch, this is the default.conf manpage one. D'oh, here you go. rob I agree with the changes, but now I realized that davido mentioned privilege not permission. The privilege docstring contains the same errors as permission, can you also copy the changes into ipalib/plugins/privilege.py ?
Re: [Freeipa-devel] Localization patches.
On Tue, Feb 22, 2011 at 02:16:01PM -0500, Rob Crittenden wrote: Pavel Zůna wrote: On 2011-02-17 22:52, Rob Crittenden wrote: Pavel Zůna wrote: On 2011-02-17 05:09, Rob Crittenden wrote: Pavel Zůna wrote: My efforts in fixing localization all around the framework and preparing it for localizing docstrings have resulted in a lot of patches. Because I understand they have become a bit hard to track, I decided to post them all together in this thread to make review easier. After this is committed, there will be one more patch that switches xgettext for pygettext. Then hopefully, we'll be pretty much set when it comes to i18n. Pavel Patch 81 isn't applying for me. Help is not working for me either, this is due to patch 80. $ ipa help user ipa: ERROR: NameError: global name '_' is not defined Traceback (most recent call last): File /home/rcrit/redhat/freeipa-version/ipalib/cli.py, line 1087, in run api.finalize() File /home/rcrit/redhat/freeipa-version/ipalib/plugable.py, line 619, in finalize plugin_iter(base, (magic[k] for k in magic)) File /home/rcrit/redhat/freeipa-version/ipalib/base.py, line 397, in __init__ sorted(members, key=lambda m: getattr(m, name_attr)) File /home/rcrit/redhat/freeipa-version/ipalib/plugable.py, line 608, in plugin_iter plugins[klass] = PluginInstance(klass) File /home/rcrit/redhat/freeipa-version/ipalib/plugable.py, line 585, in __init__ self.instance = klass() File /home/rcrit/redhat/freeipa-version/ipalib/plugable.py, line 184, in __init__ self.doc = _(inspect.getdoc(cls)) NameError: global name '_' is not defined ipa: ERROR: an internal error has occurred Patches 69, 71 and 73 are still working fine. What is switching from xgettext to pygettext going to do? This was answered by John Dennis: xgettext doesn't parse python docstrings. rob Rebased version of 81 attached. It should also fix the traceback you're getting. Pavel Something is still not working. 
I'm having a hard time reproducing how I got this but with LANG=es_US.UTF-8 for a while I was getting this with every ipa user-* request: ipa: ERROR: UnicodeEncodeError: 'ascii' codec can't encode character u'\xf1' in position 20: ordinal not in range(128) Traceback (most recent call last): File /home/rcrit/redhat/freeipa-version/ipalib/cli.py, line 1090, in run sys.exit(api.Backend.cli.run(argv)) File /home/rcrit/redhat/freeipa-version/ipalib/cli.py, line 917, in run rv = cmd.output_for_cli(self.api.Backend.textui, result, *args, **options) File /home/rcrit/redhat/freeipa-version/ipalib/frontend.py, line 953, in output_for_cli textui.print_entries(result, order, labels, flags, print_all) File /home/rcrit/redhat/freeipa-version/ipalib/cli.py, line 346, in print_entries self.print_entry(entry, order, labels, flags, print_all, format, indent) File /home/rcrit/redhat/freeipa-version/ipalib/cli.py, line 378, in print_entry label, value, format, indent, one_value_per_line File /home/rcrit/redhat/freeipa-version/ipalib/cli.py, line 309, in print_attribute self.print_indented(format % (attr, text[0]), indent) File /home/rcrit/redhat/freeipa-version/ipalib/cli.py, line 232, in print_indented print (CLI_TAB * indent + text) UnicodeEncodeError: 'ascii' codec can't encode character u'\xf1' in position 20: ordinal not in range(128) ipa: ERROR: ha ocurrido un error interno I think it is blowing up on this user: User login: jose First name: Jose Last name: contraseñas Home directory: /home/jose Login shell: /bin/sh Account disabled: TRUE Member of groups: ipausers Then all of a sudden things started working fine, so I'm not sure what's going on. Is this traceback meaningful to you? rob This looks like a bug in the textui backend. 
You get this error when you do something like this: a = u'\xf1' a.decode('utf-8') Traceback (most recent call last): File stdin, line 1, in module File /usr/lib/python2.6/encodings/utf_8.py, line 16, in decode return codecs.utf_8_decode(input, errors, True) UnicodeEncodeError: 'ascii' codec can't encode character u'\xf1' in position 0: ordinal not in range(128) It means we're not handling encoding/decoding from/to the CLI right somewhere. The character \xf1 corresponds to the small N with tilde in Jose's last name. I'm going to look into it, but I don't think it's related to the localization patches. Pavel I'm seeing 2 test failures: == FAIL: Test the `ipalib.plugable.Plugin.__init__` method. -- Traceback (most recent call last): File /usr/lib/python2.7/site-packages/nose/case.py, line 186, in runTest self.test(*self.arg) File /home/rcrit/redhat/freeipa-tests/tests/test_ipalib/test_plugable.py, line 237, in test_init assert o.summary == 'Do sub-classy things.' AssertionError
Re: [Freeipa-devel] [PATCH] 739 update permission help text
Jakub Hrozek wrote: On Tue, Feb 22, 2011 at 03:24:01PM -0500, Rob Crittenden wrote: Jakub Hrozek wrote: On Tue, Feb 22, 2011 at 01:38:11PM -0500, Rob Crittenden wrote: Based on feedback from David here is a hopefully clearer description of permissions. ticket 996 rob I think you sent a wrong patch, this is the default.conf manpage one. D'oh, here you go. rob I agree with the changes, but now I realized that davido mentioned privilege not permission. The privilege docstring contains the same errors as permission, can you also copy the changes into ipalib/plugins/privilege.py ? Good idea, updated patch attached. rob freeipa-rcrit-739-2-permission.patch Description: application/mbox
[Freeipa-devel] [PATCH] admiyo-0204-split-logo
From b34ce11a9d9894edbb80fe4b2576f688249ff4a5 Mon Sep 17 00:00:00 2001 From: Adam Young ayo...@redhat.com Date: Tue, 22 Feb 2011 16:46:33 -0500 Subject: [PATCH] split logo This allows for more flexilibity in customizing the site, as an end user can replace the logo, the banner or both --- install/ui/index.html|2 +- install/ui/ipabanner.png | Bin 0 - 668 bytes install/ui/ipalogo.png | Bin 2492 - 1959 bytes 3 files changed, 1 insertions(+), 1 deletions(-) create mode 100644 install/ui/ipabanner.png diff --git a/install/ui/index.html b/install/ui/index.html index e3205d69f5ae44b7b4da536fa8d0808a451dac53..7b6331148ca75facd78837135f37354c9e918f4c 100644 --- a/install/ui/index.html +++ b/install/ui/index.html @@ -51,7 +51,7 @@ div class=center-container div class=header span class=header-logo -a href=#img src=ipalogo.png //a +a href=#img src=ipalogo.png /img src=ipabanner.png //a /span span id=header-network-activity-indicator class=network-activity-indicator img src=spinner_header.gif / diff --git a/install/ui/ipabanner.png b/install/ui/ipabanner.png new file mode 100644 index ..56bea691bed75675f27dbfb6316cd8050f01ffa9 GIT binary patch literal 668
diff --git a/install/ui/ipalogo.png b/install/ui/ipalogo.png index 62185c1b0e2ad9223a69a69e8cfd93a442b9f51d..2251193f05d46884f66e06a3b1d6347721ce0270 100644 GIT binary patch literal 1959
Re: [Freeipa-devel] [PATCH] admiyo-0204-split-logo
On 2/22/2011 3:48 PM, Adam Young wrote: ACK and pushed to master. -- Endi S. Dewata
[Freeipa-devel] [PATCH] 113 Fixed buttons for DNS records.
The order of the Add and Delete buttons has been reversed to be consistent with those in other facets. -- Endi S. Dewata From 77070192fec42b64697f8456d1303b6bf722d082 Mon Sep 17 00:00:00 2001 From: Endi S. Dewata edew...@redhat.com Date: Tue, 22 Feb 2011 17:00:50 -0600 Subject: [PATCH] Fixed buttons for DNS records. The order of the Add and Delete buttons has been reversed to be consistent with those in other facets. --- install/ui/policy.js | 12 ++-- 1 files changed, 6 insertions(+), 6 deletions(-) diff --git a/install/ui/policy.js b/install/ui/policy.js index c26dfc5c574cb4497f6afdb51e27ac233633ba41..c35696b617c3ff1e47688d9b643ea2d7190de84b 100644 --- a/install/ui/policy.js +++ b/install/ui/policy.js @@ -324,15 +324,15 @@ IPA.records_facet = function (spec){ IPA.action_button({ -'label': IPA.messages.buttons.add, -'icon': 'ui-icon-plus', -'click': add_click +label: IPA.messages.buttons.remove, +icon: 'ui-icon-trash', +click: function(){ delete_records(records_table); } }).appendTo(action_controls); IPA.action_button({ -'label': IPA.messages.buttons.remove, -'icon': 'ui-icon-trash', -'click': function(){delete_records(records_table);} +label: IPA.messages.buttons.add, +icon: 'ui-icon-plus', +click: add_click }).appendTo(action_controls); div.append('span class=records-buttons/span'); -- 1.6.6.1
[Freeipa-devel] [PATCH] 20 Create default disabled sudo bind user
This patch addresses ticket #998

It adds:
* ldif to create a default sudo bind user: dn: uid=sudo,cn=sysaccounts,cn=etc,$SUFFIX
* modifications to dsinstance.py to add the ldif
* modifications to dsinstance.py to add a call to ipautil.ipa_generate_password() for a random password. It is added to the sub_dict as 'RANDOM_PASSWORD'
* addition to the Makefile.am in install/share to account for the new ldif file

Documentation to follow will include: the method of enabling the user with:
* LDAPTLS_CACERT=/etc/ipa/ca.crt /usr/bin/ldappasswd -S -W -h ipa.example.com -ZZ -D "cn=Directory Manager" uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
* Configuring nss_ldap.conf for using this user as the binddn
* Help file for the ipa sudo command to reference the user and the written documentation.

freeipa-jraquino-0020-Create-default-disabled-sudo-bind-user.patch Description: freeipa-jraquino-0020-Create-default-disabled-sudo-bind-user.patch