Re: [Freeipa-devel] [PATCH] 802 add message summary to sudorule

2011-06-15 Thread Martin Kosek
On Wed, 2011-06-15 at 17:29 +, JR Aquino wrote:
> On Jun 14, 2011, at 6:36 PM, Rob Crittenden wrote:
> 
> > Some of the sudorule commands were missing a message summary.
> > 
> > ticket https://fedorahosted.org/freeipa/ticket/1255
> > 
> > rob
> > ___
> > Freeipa-devel mailing list
> > Freeipa-devel@redhat.com
> > https://www.redhat.com/mailman/listinfo/freeipa-devel
> 
> NACK
> 
> error: patch failed: ipalib/plugins/sudorule.py:189
> error: ipalib/plugins/sudorule.py: patch does not apply
> 
> Appears to perhaps be off by 1 line number. You might have to rebase.

I already ack-ed and pushed this patch to master, ipa-2-0. It applied to
the branches without any problem.

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH] 0237-no-redirect-on-unknown-error

2011-06-15 Thread Endi Sukma Dewata

On 6/15/2011 6:44 PM, Adam Young wrote:

On 06/15/2011 02:37 PM, Adam Young wrote:

Part 2

https://fedorahosted.org/freeipa/ticket/1281



Now iterates through a list of known error types.


If the server is down (service ipa stop) it throws an error with name 
'NS_ERROR_NOT_AVAILABLE' which is not in the list, so it still does a 
redirection.


There is another problem too, if the error name matches the list it 
doesn't call report_error().


Maybe this should be done the other way around. Instead of listing the 
errors not to redirect, we should list the errors which require 
redirection, i.e. IPA Error 4001 (entry not found).


This is optional, in ipa.js:337 we could add the IPA error code into the 
error_thrown object. This way the error can be checked more reliably 
using error code rather than error name.


--
Endi S. Dewata



Re: [Freeipa-devel] [PATCH] 0237-no-redirect-on-unknown-error

2011-06-15 Thread Adam Young

On 06/15/2011 02:37 PM, Adam Young wrote:

Part 2

https://fedorahosted.org/freeipa/ticket/1281

Now iterates through a list of known error types.
From de7eac32830e2e509858b28696aeddb8e3ba1e83 Mon Sep 17 00:00:00 2001
From: Adam Young 
Date: Wed, 15 Jun 2011 14:34:54 -0400
Subject: [PATCH] no redirect on unknown error If the error name indicates
 a server wide error, do not attempt to redirect.

https://fedorahosted.org/freeipa/ticket/1281
---
 install/ui/entity.js |   32 
 1 files changed, 24 insertions(+), 8 deletions(-)

diff --git a/install/ui/entity.js b/install/ui/entity.js
index 107c3c4d429fce2161ec209bb4c04d82ecea0d4c..70053fd1003e9a7c171d744253c69c8a07959205 100644
--- a/install/ui/entity.js
+++ b/install/ui/entity.js
@@ -136,17 +136,33 @@ IPA.facet = function (spec) {
 details.append(''+error_thrown.message+'');
 };
 
+that.redirect_on_error = function(){
+var current_entity = that.entity;
+while (current_entity.containing_entity){
+current_entity = current_entity.containing_entity;
+}
+IPA.nav.show_page(
+current_entity.name,
+that.entity.redirect_facet);
+};
+
+var no_redirect_errors =
+["Internal Server Error",
+ "Unknown Error",
+ "Kerberos ticket no longer valid."];
+
 that.on_error = function(xhr, text_status, error_thrown) {
+
+/*If the error is in talking to the server, don't attempt to redirect,
+  as there is nothing any other facet can do either. */
+for (var i =0; i <  no_redirect_errors.length; i += 1){
+if (error_thrown.name ===  no_redirect_errors[i]){
+return;
+}
+}
 if (that.entity.redirect_facet )
 {
-var current_entity = that.entity;
-while (current_entity.containing_entity){
-current_entity = current_entity.containing_entity;
-}
-IPA.nav.show_page(
-current_entity.name,
-that.entity.redirect_facet);
-return;
+that.redirect_on_error();
 }else{
 that.report_error(error_thrown);
 }
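Review bot: The early `return` inside the `no_redirect_errors` loop leaves `on_error` without calling `that.report_error(error_thrown)`, so a server-wide failure is neither redirected nor shown to the user. Call `that.report_error(error_thrown)` before returning. Because the match is on `error_thrown.name`, any name missing from the three-entry list still reaches `that.redirect_on_error()`; listing the errors that should redirect would fail safer than listing those that should not.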
-- 
1.7.5.2


[Freeipa-devel] [PATCH] 180 Renamed associate.js to association.js.

2011-06-15 Thread Endi Sukma Dewata


--
Endi S. Dewata
From a84e4ad9d6327d3f0a17ba860ca53a7d883ad7d4 Mon Sep 17 00:00:00 2001
From: Endi S. Dewata 
Date: Tue, 14 Jun 2011 00:02:54 -0500
Subject: [PATCH] Renamed associate.js to association.js.

---
 install/ui/Makefile.am  |2 +-
 install/ui/{associate.js => association.js} |0
 install/ui/index.html   |2 +-
 install/ui/jsl.conf |2 +-
 install/ui/test/aci_tests.html  |2 +-
 install/ui/test/all_tests.html  |2 +-
 install/ui/test/association_tests.html  |2 +-
 install/ui/test/association_tests.js|2 +-
 install/ui/test/entity_tests.html   |2 +-
 9 files changed, 8 insertions(+), 8 deletions(-)
 rename install/ui/{associate.js => association.js} (100%)

diff --git a/install/ui/Makefile.am b/install/ui/Makefile.am
index 3db1427b2a996a202923e43a491f21a3fc286a8a..dedc43dbeee567a33ba96efd3c091ff813903029 100644
--- a/install/ui/Makefile.am
+++ b/install/ui/Makefile.am
@@ -10,7 +10,7 @@ appdir = $(IPA_DATA_DIR)/ui
 app_DATA =  \
 	aci.js\
 	add.js\
-	associate.js			\
+	association.js			\
 	automount.js			\
 	background-center.png		\
 	background-left.png		\
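Review bot: The commit message has a subject line only. For the `associate.js` to `association.js` swap in `app_DATA`, a body line giving the reason (the diffstat shows the tests are already named association_tests.*) and confirming that no other reference to associate.js remains in the tree would let a reviewer check the rename is complete.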
diff --git a/install/ui/associate.js b/install/ui/association.js
similarity index 100%
rename from install/ui/associate.js
rename to install/ui/association.js
diff --git a/install/ui/index.html b/install/ui/index.html
index 6e85d28b3e02f6d0e6d621c85252db6698e4c195..8fa96bf728aa12e6d3489e1db418726fa357bc56 100644
--- a/install/ui/index.html
+++ b/install/ui/index.html
@@ -16,7 +16,7 @@
 
 
 
-
+
 
 
 
diff --git a/install/ui/jsl.conf b/install/ui/jsl.conf
index e7d09ec0cbaa59eff5c59c8129470bc5e1a10e15..06fdb60041fac13c52f3031b2745c8ab04533f8a 100644
--- a/install/ui/jsl.conf
+++ b/install/ui/jsl.conf
@@ -132,7 +132,7 @@
 +process search.js
 +process details.js
 +process add.js
-+process associate.js
++process association.js
 +process entity.js
 +process navigation.js
 +process rule.js
diff --git a/install/ui/test/aci_tests.html b/install/ui/test/aci_tests.html
index be035c4133acc7f0492b371c7cec3dd7bacfffc8..4b024ec1041783dc0185487e6401466cee66772f 100755
--- a/install/ui/test/aci_tests.html
+++ b/install/ui/test/aci_tests.html
@@ -18,7 +18,7 @@
 
 
 
-
+
 
 
 
diff --git a/install/ui/test/all_tests.html b/install/ui/test/all_tests.html
index be0bf3ea17abf57158a4d4f831a71d1bcb5d70ed..7af7e02b336f56f7cda0814d54dd89a303354f6c 100644
--- a/install/ui/test/all_tests.html
+++ b/install/ui/test/all_tests.html
@@ -15,7 +15,7 @@
 
 
 
-
+
 
 
 
diff --git a/install/ui/test/association_tests.html b/install/ui/test/association_tests.html
index e9e3650bac049500dfa2938e3d15cbbea960b543..a25e417af1344f8793ca3b6ab03921c172fc4d3e 100644
--- a/install/ui/test/association_tests.html
+++ b/install/ui/test/association_tests.html
@@ -12,7 +12,7 @@
 
 
 
-
+
 
 
 
diff --git a/install/ui/test/association_tests.js b/install/ui/test/association_tests.js
index bad8d1a84e5d8a6533fe8823309ab9be5a995da2..7eea1fc91212ddb855d824cc10cd301bc00a3a3a 100644
--- a/install/ui/test/association_tests.js
+++ b/install/ui/test/association_tests.js
@@ -18,7 +18,7 @@
  * along with this program.  If not, see .
  */
 
-module('associate');
+module('association');
 
 
 test("Testing serial_associator().", function() {
diff --git a/install/ui/test/entity_tests.html b/install/ui/test/entity_tests.html
index 8b41f8fe981f54ea8ebcb11aed619c7407c60f54..bd48db205c805dd0c3d25c951fbfe74b0c93b923 100644
--- a/install/ui/test/entity_tests.html
+++ b/install/ui/test/entity_tests.html
@@ -13,7 +13,7 @@
 
 
 
-
+
 
 
 
-- 
1.7.4


[Freeipa-devel] [PATCH] 179 Fixed paging for indirect members.

2011-06-15 Thread Endi Sukma Dewata

Since ticket #1273 has been fixed, the indirect members can be shown
using the regular association facet which supports paging.

--
Endi S. Dewata
From eae218c660109479c6a5f355f5ad184cbfe10c63 Mon Sep 17 00:00:00 2001
From: Endi S. Dewata 
Date: Mon, 13 Jun 2011 16:18:48 -0500
Subject: [PATCH] Fixed paging for indirect members.

Since ticket #1273 has been fixed, the indirect members can be shown
using the regular association facet which supports paging.
---
 install/ui/associate.js |   60 ---
 install/ui/entity.js|   10 +---
 2 files changed, 1 insertions(+), 69 deletions(-)

diff --git a/install/ui/associate.js b/install/ui/associate.js
index 3a90f260e8fad67f82e8663169776136579c4496..2115e0fe15d1a02a6e5e929081ff6bf52df591a2 100644
--- a/install/ui/associate.js
+++ b/install/ui/associate.js
@@ -1092,63 +1092,3 @@ IPA.association_facet = function (spec) {
 
 return that;
 };
-
-IPA.indirect_association_facet = function (spec) {
-
-spec = spec || {};
-
-spec.page_length = 0;
-spec.read_only = true;
-
-var that = IPA.association_facet(spec);
-
-that.refresh = function() {
-
-function on_success(data, text_status, xhr) {
-
-that.table.empty();
-
-var count = data.result.count;
-if (count === 0) {
-that.table.summary.text(data.result.summary);
-return;
-}
-
-var results = data.result.result;
-for (var i=0; i___
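Review bot: The removed `IPA.indirect_association_facet` forced `spec.read_only = true` and `spec.page_length = 0` before calling `IPA.association_facet(spec)`. With indirect members now served by the regular facet, the entity.js side of this change (10 lines in the diffstat) has to keep passing `read_only`, or the facet is no longer read-only for indirect members. Please state in the commit message how that is preserved, or add a test for it.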

[Freeipa-devel] [PATCH 28/28] Update test_role_plugin test to include a comma in a privilege

2011-06-15 Thread John Dennis

Update test_role_plugin test to include a comma in a privilege

Introduce a comma into a privilege name to assure we can handle
commas.

Commas must be escaped for some parameters, add escape_comma() utility
and invoke it for the necessary parameters.

Utilize a DN object to properly construct a DN and most importantly to
allow equality testing between the DN we expect and the one
returned. This is necessary because a DN can be encoded according to
different encoding syntaxes all of which are valid. DN objects always
decode from their input. DN objects can test for equality between DN's
without being affected by DN encoding.

Add an equality callback for the dn in the expected dict. When the test
framework tests for equality between the expected value and the
returned value it will call back into a function we provide which will
convert the returned dn into a DN object. An equality test is then
performed between two DN objects. This is the only way to properly
compare two dn's.

--
John Dennis 

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
>From 3c2a92fd1a01a7750e90a119d497d5751932c796 Mon Sep 17 00:00:00 2001
From: John Dennis 
Date: Wed, 15 Jun 2011 16:05:19 -0400
Subject: [PATCH 28/28] Update test_role_plugin test to include a comma in a
 privilege
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit

Introduce a comma into a privilege name to assure we can handle
commas.

Commas must be escaped for some parameters, add escape_comma() utility
and invoke it for the necessary parameters.

Utilize a DN object to properly construct a DN and most importantly to
allow equality testing between the DN we expect and the one
returned. This is necessary because a DN can be encoded according to
different encoding syntaxes all of which are valid. DN objects always
decode from their input. DN objects can test for equality between DN's
without being affected by DN encoding.

Add an equality callback for the dn in the expected dict. When the test
framework tests for equality between the expected value and the
returned value it will call back into a function we provide which will
convert the returned dn into a DN object. An equality test is then
performed between two DN objects. This is the only way to properly
compare two dn's.
---
 tests/test_xmlrpc/test_role_plugin.py |   16 ++--
 1 files changed, 10 insertions(+), 6 deletions(-)

diff --git a/tests/test_xmlrpc/test_role_plugin.py b/tests/test_xmlrpc/test_role_plugin.py
index 28d1c6b..82342c3 100644
--- a/tests/test_xmlrpc/test_role_plugin.py
+++ b/tests/test_xmlrpc/test_role_plugin.py
@@ -1,6 +1,7 @@
 # Authors:
 #   Rob Crittenden 
 #   Pavel Zuna 
+#   John Dennis 
 #
 # Copyright (C) 2009  Red Hat
 # see file 'COPYING' for use and warranty information
@@ -24,6 +25,7 @@ Test the `ipalib/plugins/role.py` module.
 from ipalib import api, errors
 from tests.test_xmlrpc import objectclasses
 from xmlrpc_test import Declarative, fuzzy_digits, fuzzy_uuid
+from ipalib.dn import *
 
 search = u'test-role'
 
@@ -41,9 +43,11 @@ role2_dn = u'cn=%s,%s,%s' % (
 group1 = u'testgroup1'
 group1_dn = u'cn=%s,%s,%s' % (group1, api.env.container_group, api.env.basedn)
 
-privilege1 = u'testpriv1'
-privilege1_dn = u'cn=%s,%s,%s' % (privilege1, api.env.container_privilege, api.env.basedn)
+privilege1 = u'r,w privilege 1'
+privilege1_dn = DN('cn', privilege1, DN(api.env.container_privilege), DN(api.env.basedn))
 
+def escape_comma(value):
+return value.replace(',', '\\,')
 
 class test_role(Declarative):
 
@@ -158,7 +162,7 @@ class test_role(Declarative):
 value=privilege1,
 summary=u'Added privilege "%s"' % privilege1,
 result=dict(
-dn=privilege1_dn,
+dn=lambda got: DN(got) == privilege1_dn,
 cn=[privilege1],
 description=[u'privilege desc. 1'],
 objectclass=objectclasses.privilege,
@@ -170,7 +174,7 @@ class test_role(Declarative):
 dict(
 desc='Add privilege %r to role %r' % (privilege1, role1),
 command=('role_add_privilege', [role1],
-dict(privilege=privilege1)
+dict(privilege=escape_comma(privilege1))
 ),
 expected=dict(
 completed=1,
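Review bot: `escape_comma(privilege1)` at this call site relies on a helper that rewrites only `,` (`value.replace(',', '\\,')`), so a value that itself contains a backslash would not survive the round trip. Escape `\` before `,` in the helper and add one such value to the test data. The helper also lives in the test module, which leaves every real caller to write its own.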
@@ -451,7 +455,7 @@ class test_role(Declarative):
 dict(
 desc='Remove privilege %r from role %r' % (privilege1, role1),
 command=('role_remove_privilege', [role1],
-dict(privilege=privilege1)
+dict(privilege=escape_comma(privilege1))
 ),
 expected=dict(
 completed=1,
@@ -472,7 +476,7 @@ class test_role(Declarative):
 dict(
 desc='Remove privilege %r from role %r again' % (privilege1, role1),
 command=('role_remove_privilege', [role1],
-dict(privilege=privilege1)
+dict(privilege=escape_c

[Freeipa-devel] [PATCH 27/27] get_primary_key_from_dn returns decoded value

2011-06-15 Thread John Dennis
DN's may be encoded. If we're going to return the value from one of the 
RDN's in the DN then we must decode the DN first, otherwise the returned 
value won't be what we're expecting. Specifically the value getting 
passed back through the RPC interface was not the value set because it 
included escaping specific only to DN's. We want to treat the value as 
the value set by the user, the fact it happens to live as part of a DN 
is an irrelevant implementation detail which shouldn't be visible in the 
values we exchange through the RPC mechanism.


This patch takes the DN as returned by an ldap search and creates a DN 
object from it. The DN object allows us to robustly extract the value by 
name. The DN object also assures the components in the DN have been 
decoded back into normal unicode strings.


There are many other places where we need to properly handle DN's by 
using a DN object, this is just one place, the minimum needed to get 
commas working in privileges. I'd rather make very small incremental 
changes in the DN handling rather than introducing too many changes in 
this critical area of the code, let's be conservative at this juncture.


--
John Dennis 

>From a253c4a907e6f94b8b5193377d4009ddc94a2f20 Mon Sep 17 00:00:00 2001
From: John Dennis 
Date: Wed, 15 Jun 2011 15:43:26 -0400
Subject: [PATCH 27/27] get_primary_key_from_dn returns decoded value
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit

---
 ipalib/plugins/baseldap.py |5 -
 1 files changed, 4 insertions(+), 1 deletions(-)

diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py
index 7d45525..a832bea 100644
--- a/ipalib/plugins/baseldap.py
+++ b/ipalib/plugins/baseldap.py
@@ -33,6 +33,7 @@ from ipalib.cli import to_cli, from_cli
 from ipalib import output
 from ipalib.text import _
 from ipalib.util import json_serialize
+from ipalib.dn import *
 
 global_output_params = (
 Str('member',
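Review bot: `from ipalib.dn import *` brings every public name of that module into baseldap.py, while this patch uses only `DN`. `from ipalib.dn import DN` keeps the namespace explicit and cannot shadow a name that the imports above it already provide.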
@@ -318,7 +319,9 @@ class LDAPObject(Object):
 return ''
 except errors.NotFound:
 pass
-return dn[len(self.primary_key.name) + 1:dn.find(',')]
+# DN object assures we're returning a decoded (unescaped) value
+dn = DN(dn)
+return dn[self.primary_key.name]
 
 def get_ancestor_primary_keys(self):
 if self.parent_object:
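Review bot: `dn[self.primary_key.name]` selects by attribute name where the removed slice took the first RDN by position. When a container RDN uses the same attribute type as the primary key, please confirm the lookup returns the leftmost value, and say what happens when the name is absent from the DN. Rebinding the argument with `dn = DN(dn)` is easy to misread; a separate local name would be clearer. No test accompanies the change.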
-- 
1.7.4.4
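
An added example, not code from these patches or from ipalib: a minimal RFC 4514 reader showing what patches 27/27 and 28/28 describe, namely that the removed slice returns an escaped fragment and that two encodings of one DN differ as strings but compare equal once decoded. The helper names and the sample DNs are constructed for illustration; comparing attribute values exactly and attribute types case-insensitively is an assumption of this sketch.

```python
import string

HEX = set(string.hexdigits)

# Constructed samples: one privilege DN in two equally valid encodings.
DN_BACKSLASH = 'cn=r\\,w privilege 1,cn=privileges,cn=pbac,dc=example,dc=com'
DN_HEX = 'cn=r\\2Cw privilege 1,cn=privileges,cn=pbac,dc=example,dc=com'


def legacy_primary_key(dn, name):
    """The slice removed by patch 27/27: cuts at the first comma, escaped or not."""
    return dn[len(name) + 1:dn.find(',')]


def split_unescaped(text, sep):
    """Split text on sep, skipping any character that follows a backslash."""
    parts, cur, i = [], [], 0
    while i < len(text):
        if text[i] == '\\' and i + 1 < len(text):
            cur.append(text[i:i + 2])      # keep the escape for decode_value()
            i += 2
        elif text[i] == sep:
            parts.append(''.join(cur))
            cur = []
            i += 1
        else:
            cur.append(text[i])
            i += 1
    parts.append(''.join(cur))
    return parts


def decode_value(raw):
    """Undo RFC 4514 escaping: backslash + hex pair, or backslash + character."""
    out = bytearray()
    i = 0
    while i < len(raw):
        if raw[i] != '\\':
            out += raw[i].encode('utf-8')
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError('dangling backslash in %r' % raw)
        pair = raw[i + 1:i + 3]
        if len(pair) == 2 and all(c in HEX for c in pair):
            out.append(int(pair, 16))      # one UTF-8 byte given as hex
            i += 3
        else:
            out += raw[i + 1].encode('utf-8')
            i += 2
    return out.decode('utf-8')


def parse_dn(dn):
    """Return the DN as a tuple of RDNs, each a sorted tuple of (type, value)."""
    rdns = []
    for rdn in split_unescaped(dn, ','):
        avas = []
        for ava in split_unescaped(rdn, '+'):   # multi-valued RDN
            attr, eq, raw = ava.partition('=')
            if not eq or not attr.strip():
                raise ValueError('malformed RDN: %r' % ava)
            avas.append((attr.strip().lower(), decode_value(raw)))
        rdns.append(tuple(sorted(avas)))
    return tuple(rdns)


def dn_equal(a, b):
    """Compare two DN strings by their decoded components."""
    return parse_dn(a) == parse_dn(b)


def primary_key(dn, name):
    """Decoded value of the leftmost RDN component whose type is `name`."""
    for rdn in parse_dn(dn):
        for attr, value in rdn:
            if attr == name.lower():
                return value
    raise KeyError(name)


if __name__ == '__main__':
    for dn in (DN_BACKSLASH, DN_HEX):
        print(repr(legacy_primary_key(dn, 'cn')), '->', repr(primary_key(dn, 'cn')))
    print(DN_BACKSLASH == DN_HEX, dn_equal(DN_BACKSLASH, DN_HEX))
```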


[Freeipa-devel] Entity labels

2011-06-15 Thread Endi Sukma Dewata

Hi All,

We need I18n labels for the entities to be used inside help messages and 
UI. Please take a look at the following tickets:


https://fedorahosted.org/freeipa/ticket/1217
https://fedorahosted.org/freeipa/ticket/1249

Depending on the usage, we might need 4 different labels for each entity:

Label #1: Lower-case singular label: e.g. user, DNS zone
Label #2: Lower-case plural label: e.g. users, DNS zones
Label #3: Upper-case singular label: e.g. User, DNS Zone
Label #4: Upper-case plural label: e.g. Users, DNS Zones

In the current code the lower-case labels are needed for server messages 
and the upper-case labels are needed for UI page titles. Due to the 
nature of untyped language, it's difficult to confirm whether upper-case 
labels are actually needed by the server, but there's a possibility.


The server plugins currently define the following attributes:

- object_name: It can be used as Label #1 (after fixing ticket #1217).
- object_name_plural: It can be used as Label #2.
- label: It can be used as Label #4.

Here are the issues:

Issue #1: There is no attribute that can be used as Label #3.
Issue #2: The lower-case label is identical to the corresponding 
upper-case label (e.g. Label #1 & #3) except for the capitalization.

Issue #3: Acronyms such as DNS need to remain upper-case in all labels.

Some solutions have been proposed:

Option #1: Define 4 different attributes, one for each label. By default 
translators only need to supply lower-case Label #1 and #2. The 
upper-case Label #3 and #4 will be generated automatically using a 
server-side method that will convert the first letters in each word in 
the label to upper case. Translators can also supply the upper-case 
labels if the method doesn't generate the correct conversion.


Option #2: Define only the 2 lower-case attributes. Since it's unclear 
if the server needs the upper-case labels, we will just implement a 
client-side conversion method to generate upper-case labels for the UI. 
But if the server needs it too, we would have to add a similar method on 
the server-side. Also there will be no way to override the conversion.


My personal preference is option #1. Any suggestions? Thanks.

--
Endi S. Dewata



Re: [Freeipa-devel] [PATCH] 29 Raise DuplicateEntry Error when adding a duplicate sudo option

2011-06-15 Thread JR Aquino
On Jun 15, 2011, at 8:03 AM, Rob Crittenden wrote:

> A minor issue and a question.
> 
> The minor issue is you changed a couple of options from optional to 
> mandatory, which is fine, but we need to bump up the minor version in VERSION 
> (older clients otherwise could not send the string and blow things up).

Is there a rule of thumb or document that details when this is appropriate?


> The question is, should we raise EmptyModList() when removing an option that 
> doesn't exist or NotFound(reason=_())? I think the second might be more 
> explanatory but might be harder to handle in scripts (how would you 
> distinguish between entry not found and option not found)?
> 
> rob


As per IRC conversation:
Added new Exception: AttrValueNotFound
Incremented minor version in VERSION
Adjusted API
1276 (Raise AttrValueNotFound when trying to remove a non-existent option from 
Sudo rule)
1277 (Raise DuplicateEntry Error when adding a duplicate sudo option)
1308 (Make sudooption a required option for sudorule_remove_option)



binr2ad1uNgGK.bin
Description: freeipa-jraquino-0029-Raise-DuplicateEntry-Error-when-adding-a-duplicate.patch

Re: [Freeipa-devel] [PATCH] 0237-no-redirect-on-unknown-error

2011-06-15 Thread Adam Young

On 06/15/2011 02:37 PM, Adam Young wrote:

Part 2

https://fedorahosted.org/freeipa/ticket/1281



From d23d22ca6465753bd6588fa98cd9b87feebffd2a Mon Sep 17 00:00:00 2001
From: Adam Young 
Date: Wed, 15 Jun 2011 14:34:54 -0400
Subject: [PATCH] no redirect on unknown error If the error name is Unknown
 Error, it currently means that the server is down.  While
 we should do better error handling for this in the future,
 currently at least we will stop trying to redirect.

---
 install/ui/entity.js |   24 
 1 files changed, 16 insertions(+), 8 deletions(-)

diff --git a/install/ui/entity.js b/install/ui/entity.js
index 107c3c4d429fce2161ec209bb4c04d82ecea0d4c..8b07fe1e38b27f4b7d4314fb92693cef196b7fce 100644
--- a/install/ui/entity.js
+++ b/install/ui/entity.js
@@ -136,17 +136,25 @@ IPA.facet = function (spec) {
 details.append(''+error_thrown.message+'');
 };
 
+that.redirect_on_error = function(){
+var current_entity = that.entity;
+while (current_entity.containing_entity){
+current_entity = current_entity.containing_entity;
+}
+IPA.nav.show_page(
+current_entity.name,
+that.entity.redirect_facet);
+};
+
 that.on_error = function(xhr, text_status, error_thrown) {
+/*If the server is down, don't attempt to redirect, 
+  as there is nothing any other facet can do either. */
+if (error_thrown.name === "Unknown Error"){
+return;
+}
 if (that.entity.redirect_facet )
 {
-var current_entity = that.entity;
-while (current_entity.containing_entity){
-current_entity = current_entity.containing_entity;
-}
-IPA.nav.show_page(
-current_entity.name,
-that.entity.redirect_facet);
-return;
+that.redirect_on_error();
 }else{
 that.report_error(error_thrown);
 }
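Review bot: The check `error_thrown.name === "Unknown Error"` keys the decision on a display string, and the commit message itself says this only currently means the server is down. `xhr` and `text_status` are passed to `on_error` and not consulted in this hunk; a status or error code would be a steadier signal than the name. The branch should also call `that.report_error(error_thrown)` before `return`, so the failure is visible instead of silent.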
-- 
1.7.5.2


[Freeipa-devel] [PATCH] 0237-no-redirect-on-unknown-error

2011-06-15 Thread Adam Young

Part 2

https://fedorahosted.org/freeipa/ticket/1281



Re: [Freeipa-devel] [PATCH] 799 The IP address provided to ipa-server-install must be local

2011-06-15 Thread Rob Crittenden

Rob Crittenden wrote:

Martin Kosek wrote:

On Tue, 2011-06-14 at 08:56 -0400, Rob Crittenden wrote:

Martin Kosek wrote:

On Mon, 2011-06-13 at 16:41 -0400, Rob Crittenden wrote:

Compare the configured interfaces with the supplied IP address and
optional netmask to determine if the interface is available.

Note the subtle change when comparing addresses. We have two object
types, IPNetwork and IPAddress. We should only compare addresses
when we
don't have an IPNetwork otherwise we can end up comparing an
address to
an object with a netmask and get a bad result.

https://fedorahosted.org/freeipa/ticket/1175


NACK.

1) This breaks ipa-replica-prepare:

# ipa-replica-prepare vm-046.idm.lab.bos.redhat.com
--ip-address=10.16.78.46
Usage: ipa-replica-prepare [options] FQDN (e.g. replica.example.com)

ipa-replica-prepare: error: option --ip-address: invalid IP address
10.16.78.46: No network interface matches the provided IP address and
netmask

Actually, this is not your fault, we just don't use IP address checking
in IPAOptionParser correctly. --ip-address option in
ipa-replica-prepare
has type "ipnet" which is validated by the CheckedIPAddress. As
match_local defaults to True, your new exception is raised.


Ok, but is 10.16.78.46 a configured network interface?


It is an IP address of new replica, i.e. it's not a local network
interface address. As I have written, the problem is in a type of
--ip-address option in ipa-replica-prepare. You can check Honza's mail
for implementation hint.


Ah, prepare. I tested with an existing replica file...

Well, I wonder if an easier fix would be to set match_local=False by
default and specifically ask to match_local when we want.


Updated patch attached.

rob





Martin





I think we need 2 new option types for IPAOptionParser such as
"iplocal"
and "ipnetlocal" which would be used for --ip-address option in
ipa-server-install or ipa-dns-install and which would use
match_local=True. Current types "ip" and "ipnet" should use
match_local=False.

2) CheckedIPAddress functionality (i.e. this fix) is neither in ipa-2-0
stable branch nor in RHEL 6.1. But this should be OK since it is
targeted for RHEL 6.2.


Right, I wasn't planning on pushing this to 2.0.

rob







>From 3c9b11eaa34ea969b8d0b08ab8fb611f464d5403 Mon Sep 17 00:00:00 2001
From: Rob Crittenden 
Date: Mon, 13 Jun 2011 16:37:40 -0400
Subject: [PATCH] The IP address provided to ipa-server-install must be local

Compare the configured interfaces with the supplied IP address and
optional netmask to determine if the interface is available.

https://fedorahosted.org/freeipa/ticket/1175
---
 install/tools/ipa-server-install |2 +-
 ipapython/ipautil.py |7 +--
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 8fb13a3..756e4b0 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -596,7 +596,7 @@ def main():
 # Check we have a public IP that is associated with the hostname
 hostaddr = resolve_host(host_name)
 if hostaddr is not None:
-ip = CheckedIPAddress(hostaddr)
+ip = CheckedIPAddress(hostaddr, match_local=True)
 else:
 if not options.ip_address:
 print "Unable to resolve IP address for host name"
diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index ed8f04a..91d19e9 100644
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -66,7 +66,7 @@ def get_domain_name():
 return domain_name
 
 class CheckedIPAddress(netaddr.IPAddress):
-def __init__(self, addr, match_local=True, parse_netmask=True):
+def __init__(self, addr, match_local=False, parse_netmask=True):
 if isinstance(addr, CheckedIPAddress):
 super(CheckedIPAddress, self).__init__(addr)
 self.prefixlen = addr.prefixlen
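Review bot: Changing the default to `match_local=False` turns the local-interface check off for every caller that does not pass the argument, and this patch updates one call site only (`CheckedIPAddress(hostaddr, match_local=True)` in ipa-server-install). An opt-in check is easy to forget: please list the remaining callers and state for each whether the address must be local. The commit message does not mention the new default and should.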
@@ -117,11 +117,14 @@ class CheckedIPAddress(netaddr.IPAddress):
 continue
 
 ifnet = netaddr.IPNetwork(fields[3])
-if ifnet == net or ifnet.ip == addr:
+if ifnet == net or (net is None and ifnet.ip == addr):
 net = ifnet
 iface = fields[1]
 break
 
+if iface is None:
+raise ValueError('No network interface matches the provided IP address and netmask')
+
 if net is None:
 defnet = True
 if addr.version == 4:
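Review bot: The new `ValueError` text says "IP address and netmask" but is also raised on the `net is None` path, where no netmask was given. Word it for both cases and include the offending address. The condition `(net is None and ifnet.ip == addr)` deserves a one-line comment saying why addresses are compared only when no network was supplied.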
-- 
1.7.4
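
An added example, not the project's code: the comparison change from the last hunk, rebuilt on the standard-library `ipaddress` module in place of netaddr, with a constructed interface table instead of parsed `ip addr` output. `find_interface` and `check_ip` are hypothetical names; 192.0.2.10 is a constructed address and 10.16.78.46 is the non-local replica address from the thread.

```python
import ipaddress

# Constructed interface table; the real code parses the output of `ip addr`.
INTERFACES = [("lo", "127.0.0.1/8"), ("eth0", "192.0.2.10/24")]

NO_MATCH = "No network interface matches the provided IP address and netmask"


def find_interface(value, interfaces=INTERFACES, patched=True):
    """Return the name of the interface configured with `value`, or None.

    `value` is "addr" or "addr/prefix". With patched=False the pre-patch
    condition is used, which ignores a mismatching prefix length.
    """
    if "/" in value:
        net = ipaddress.ip_interface(value)    # address plus netmask
        addr = net.ip
    else:
        net = None                             # no netmask supplied
        addr = ipaddress.ip_address(value)

    for name, cidr in interfaces:
        ifnet = ipaddress.ip_interface(cidr)
        same_net = net is not None and ifnet == net
        if patched:
            # Compare bare addresses only when the caller gave no netmask.
            hit = same_net or (net is None and ifnet.ip == addr)
        else:
            # Pre-patch: an address match wins even if the netmask differs.
            hit = same_net or ifnet.ip == addr
        if hit:
            return name
    return None


def check_ip(value, match_local=False):
    """Parse `value`; when match_local is set, require a local interface."""
    parsed = ipaddress.ip_interface(value)     # raises ValueError if malformed
    if match_local and find_interface(value) is None:
        raise ValueError(NO_MATCH)
    return parsed


if __name__ == "__main__":
    for candidate in ("192.0.2.10", "192.0.2.10/24", "192.0.2.10/16", "10.16.78.46"):
        print(candidate, find_interface(candidate, patched=False), find_interface(candidate))
```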


Re: [Freeipa-devel] [PATCH] 0236-no-redirect-on-search

2011-06-15 Thread Adam Young

On 06/15/2011 01:50 PM, Endi Sukma Dewata wrote:

On 6/15/2011 11:37 AM, Adam Young wrote:

Removed extra whitespace

Facet can override what to do on error


There's a jslint warning, but other than that it can be pushed.

This patch fixes the first item in ticket #1281. The second item is 
still a problem. Steps to reproduce:


1. Open a search page.
2. Run service dirsrv stop
3. Click one of the entries in the list.

It will go to the details page and display an error dialog. If you 
close the dialog it will go back to search page and display another 
error dialog.


See also the entitlements page, instead of displaying an error dialog 
it shows the error in the status bar below. Should we replace 
redirection with this? Or should we fix entitlements to show error 
dialog too? Normally the status bar in entitlements is used to show 
the enrollment status (which is not an error).


Fixed the JSL error and pushed to master




Re: [Freeipa-devel] [PATCH] 0236-no-redirect-on-search

2011-06-15 Thread Endi Sukma Dewata

On 6/15/2011 11:37 AM, Adam Young wrote:

Removed extra whitespace

Facet can override what to do on error


There's a jslint warning, but other than that it can be pushed.

This patch fixes the first item in ticket #1281. The second item is 
still a problem. Steps to reproduce:


1. Open a search page.
2. Run service dirsrv stop
3. Click one of the entries in the list.

It will go to the details page and display an error dialog. If you close 
the dialog it will go back to search page and display another error dialog.


See also the entitlements page, instead of displaying an error dialog it 
shows the error in the status bar below. Should we replace redirection 
with this? Or should we fix entitlements to show error dialog too? 
Normally the status bar in entitlements is used to show the enrollment 
status (which is not an error).


--
Endi S. Dewata



[Freeipa-devel] [PATCH 26/26] Add backslash escape support for csv reader

2011-06-15 Thread John Dennis
The csv reader is used to break comma separated lists into individual 
items. However what if you want one of those items to have an embedded 
comma? The answer is to escape it by preceding the comma with a 
backslash. This patch adds support for escaping in the csv reader.


--
John Dennis 

>From e2e68df5a833417351cd89d1ac2cb7155334f795 Mon Sep 17 00:00:00 2001
From: John Dennis 
Date: Wed, 15 Jun 2011 13:06:14 -0400
Subject: [PATCH 26/26] Add backslash escape support for csv reader
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit

---
 ipalib/parameters.py|3 ++-
 ipaserver/install/ldapupdate.py |3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/ipalib/parameters.py b/ipalib/parameters.py
index 1551df3..ee66084 100644
--- a/ipalib/parameters.py
+++ b/ipalib/parameters.py
@@ -1404,7 +1404,8 @@ class List(Param):
 def __unicode_csv_reader(self, unicode_csv_data, dialect=csv.excel, **kwargs):
 # csv.py doesn't do Unicode; encode temporarily as UTF-8:
 csv_reader = csv.reader(self.__utf_8_encoder(unicode_csv_data),
-dialect=dialect, delimiter=self.separator,
+dialect=dialect,
+delimiter=self.separator, escapechar='\\',
 skipinitialspace=self.skipspace,
 **kwargs)
 for row in csv_reader:
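Review bot: With `escapechar='\\'` the reader consumes every backslash in a List value, not only one placed before the separator, so input that already contains a backslash changes meaning after this patch. Please document that a literal backslash must now be doubled, and add tests for `\,` and `\\`; the patch changes parsing for every List parameter and carries no test.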
diff --git a/ipaserver/install/ldapupdate.py b/ipaserver/install/ldapupdate.py
index 9d36ddd..2d9c473 100644
--- a/ipaserver/install/ldapupdate.py
+++ b/ipaserver/install/ldapupdate.py
@@ -141,7 +141,8 @@ class LDAPUpdate:
 def __unicode_csv_reader(self, unicode_csv_data, quote_char="'", dialect=csv.excel, **kwargs):
 # csv.py doesn't do Unicode; encode temporarily as UTF-8:
 csv_reader = csv.reader(self.__utf_8_encoder(unicode_csv_data),
-dialect=dialect, delimiter=',',
+dialect=dialect,
+delimiter=',', escapechar='\\',
 quotechar=quote_char,
 skipinitialspace=True,
 **kwargs)
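Review bot: In ldapupdate.py the same `escapechar='\\'` applies to values read from update files, which may already contain backslashes (a DN-escaped value, for instance); the csv reader will now strip them before the value is used. Please check the existing update files for backslashes and say in the commit message how such values are to be written from now on.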
-- 
1.7.4.4
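
An added example, not part of the patch: Python 3's `csv.reader` with the `escapechar='\\'` setting from the diff above, showing the escaped comma surviving the split and the side effect on values that already contain a backslash. `split_list`, `escape_item` and `join_list` are hypothetical names; `escape_comma` is copied from patch 28/28 on this page, and the sample values are constructed.

```python
import csv


def split_list(text, separator=',', escapechar=None):
    """Split one line into items the way the patched reader is configured."""
    reader = csv.reader([text], dialect=csv.excel, delimiter=separator,
                        escapechar=escapechar, skipinitialspace=True)
    return next(reader)


def escape_comma(value):
    """Helper from patch 28/28: escapes the separator only."""
    return value.replace(',', '\\,')


def escape_item(value, separator=','):
    """Stricter variant (assumption): escape the backslash first, then the separator."""
    return value.replace('\\', '\\\\').replace(separator, '\\' + separator)


def join_list(items, separator=','):
    """Build a line that split_list(..., escapechar='\\') turns back into items."""
    return separator.join(escape_item(item, separator) for item in items)


if __name__ == '__main__':
    privilege = 'r,w privilege 1'                      # constructed, as in the test patch
    print(split_list(privilege + ',other'))            # comma splits the name
    print(split_list(escape_comma(privilege) + ',other', escapechar='\\'))
    print(split_list('EXAMPLE\\admin', escapechar='\\'))   # backslash is consumed
    items = ['a\\b,c', 'plain']
    print(split_list(join_list(items), escapechar='\\') == items)
```

The third call is the compatibility cost: a value that contained a backslash before the patch loses it afterwards unless the sender doubles it.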


Re: [Freeipa-devel] [PATCH] 802 add message summary to sudorule

2011-06-15 Thread JR Aquino
On Jun 14, 2011, at 6:36 PM, Rob Crittenden wrote:

> Some of the sudorule commands were missing a message summary.
> 
> ticket https://fedorahosted.org/freeipa/ticket/1255
> 
> rob
> ___
> Freeipa-devel mailing list
> Freeipa-devel@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

NACK

error: patch failed: ipalib/plugins/sudorule.py:189
error: ipalib/plugins/sudorule.py: patch does not apply

Appears to perhaps be off by 1 line number. You might have to rebase.



Re: [Freeipa-devel] [PATCH] 0236-no-redirect-on-search

2011-06-15 Thread Adam Young

On 06/15/2011 11:28 AM, Adam Young wrote:

On 06/15/2011 11:24 AM, Adam Young wrote:




Removed extra whitespace



Facet can override what to do on error
From a779c30aeafe839bbfe3982151ffadd2ea03f336 Mon Sep 17 00:00:00 2001
From: Adam Young 
Date: Wed, 15 Jun 2011 11:18:25 -0400
Subject: [PATCH] no redirect on search

https://fedorahosted.org/freeipa/ticket/1281
---
 install/ui/entity.js |   13 +
 install/ui/search.js |4 
 2 files changed, 13 insertions(+), 4 deletions(-)

diff --git a/install/ui/entity.js b/install/ui/entity.js
index de57df544995df8a1f8721dfc6c9ff4698ec4f19..3b16c6518253d24ae450d46937aecb5ab245d16f 100644
--- a/install/ui/entity.js
+++ b/install/ui/entity.js
@@ -130,8 +130,15 @@ IPA.facet = function (spec) {
 return $('.content', that.container);
 };
 
+that.report_error = function(error_thrown){
+var details = $('.details', that.container).empty();
+details.append('Error: '+error_thrown.name+'');
+details.append(''+error_thrown.message+'');
+}
+
 that.on_error = function(xhr, text_status, error_thrown) {
-if (that.entity.redirect_facet) {
+if (that.entity.redirect_facet )
+{
 var current_entity = that.entity;
 while (current_entity.containing_entity){
 current_entity = current_entity.containing_entity;
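Review bot: report_error builds its output by concatenating error_thrown.name and error_thrown.message into strings passed to details.append(), which jQuery parses as HTML, so markup inside an error message is rendered rather than displayed. Since this patch turns the block into a reusable method, set the values with .text() on created elements instead. The function expression assigned to that.report_error is also missing its trailing semicolon, and the rewritten if (that.entity.redirect_facet ) line only changes whitespace and brace placement away from the ') {' style it replaces.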
@@ -141,9 +148,7 @@ IPA.facet = function (spec) {
 that.entity.redirect_facet);
 return;
 }else{
-var details = $('.details', that.container).empty();
-details.append('Error: '+error_thrown.name+'');
-details.append(''+error_thrown.message+'');
+that.report_error(error_thrown);
 }
 };
 
diff --git a/install/ui/search.js b/install/ui/search.js
index 8250e0a76baacbac9de4a27165157cb1ff29aee4..5a9b14f0528dcf08f70e877bc6df56bb84bd2edd 100644
--- a/install/ui/search.js
+++ b/install/ui/search.js
@@ -287,6 +287,10 @@ IPA.search_facet = function(spec) {
 that.search_refresh(that.entity);
 };
 
+that.on_error = function(xhr, text_status, error_thrown) {
+that.report_error(error_thrown);
+};
+
 that.search_refresh = function(entity){
 
 $('input[type=checkbox]',that.table.thead).removeAttr("checked");
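Review bot: the search facet override passes error_thrown straight to report_error, which reads .name and .message from it without any check. If the handler is called with no error object the call throws, and with a plain string the details pane shows undefined values. A guard in report_error that falls back to text_status would cover both; xhr and text_status are currently unused here.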
-- 
1.7.5.2


[Freeipa-devel] [PATCH] 178 Removed FreeWay font files.

2011-06-15 Thread Endi Sukma Dewata

The CSS files in install/html and install/migration have been
modified to use the Overpass font.

The changes can be verified here:
http://edewata.fedorapeople.org/freeipa/install/html/unauthorized.html
http://edewata.fedorapeople.org/freeipa/install/migration/index.html

--
Endi S. Dewata



Re: [Freeipa-devel] [PATCH] 177 Fixed build break.

2011-06-15 Thread Endi Sukma Dewata

On 6/15/2011 10:51 AM, Martin Kosek wrote:

On Wed, 2011-06-15 at 10:23 -0500, Endi Sukma Dewata wrote:

The Makefile.am and freeipa.spec.in have been updated according to the
recent file changes.


ACK. Works fine.


Pushed to master. Thanks!

--
Endi S. Dewata



Re: [Freeipa-devel] [PATCH] 177 Fixed build break.

2011-06-15 Thread Martin Kosek
On Wed, 2011-06-15 at 10:23 -0500, Endi Sukma Dewata wrote:
> The Makefile.am and freeipa.spec.in have been updated according to the
> recent file changes.
> 

ACK. Works fine.

Martin



[Freeipa-devel] [PATCH 25/25] assert_deepequal supports callback for equality

2011-06-15 Thread John Dennis

The unit test framework recursively checks for equality between the
"expected" and "got". When it finds a non-container object it checks for
equality between the expected and got objects. However sometimes a
simple equality test is insufficient. This can happen when two values
are equivalent but not equal. For example the two values might be
encoded differently, hence the encoded values differ, but when decoded
they are identical.

To support these special cases one can now insert a callable object into
the expected container. When assert_deepequal sees a callable it does
not test for equality; rather, it calls the callable, passing it the got
object. The callable returns True if the got value is expected. This can
simply be done with a lambda expression with a closure on the expected
value, for example:

expected = {
    'dn': lambda got: DN(got) == privilege1_dn,
}

In this case the "got" dn value is passed to the function, which converts
it to a DN object which can be compared with privilege1_dn, a local DN
object; privilege1_dn is bound by closure. The equality callback is
necessary because DNs can be encoded differently.

--
John Dennis 

From 3382ad535c0a4729f75a02d40201d9a58e0deb5b Mon Sep 17 00:00:00 2001
From: John Dennis 
Date: Wed, 15 Jun 2011 09:05:58 -0400
Subject: [PATCH 25/25] assert_deepequal supports callback for equality
 testing
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit

---
 tests/util.py |   11 ++-
 1 files changed, 10 insertions(+), 1 deletions(-)

diff --git a/tests/util.py b/tests/util.py
index 3d59f58..48260dd 100644
--- a/tests/util.py
+++ b/tests/util.py
@@ -266,6 +266,10 @@ def assert_deepequal(expected, got, doc='', stack=tuple()):
 """
 Recursively check for type and equality.
 
+If a value in expected is callable then it will used as a callback to
+test for equality on the got value. The callback is passed the got
+value and returns True if equal, False otherwise.
+
 If the tests fails, it will raise an ``AssertionError`` with detailed
 information, including the path to the offending value.  For example:
 
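Review bot: the added docstring sentence reads "it will used as a callback" and should be "it will be used". It would also help to state here that a callable in expected bypasses the type check entirely, since the docstring's first line still promises a check "for type and equality".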
@@ -288,7 +292,7 @@ def assert_deepequal(expected, got, doc='', stack=tuple()):
 expected = list(expected)
 if isinstance(got, tuple):
 got = list(got)
-if not (isinstance(expected, Fuzzy) or type(expected) is type(got)):
+if not (isinstance(expected, Fuzzy) or callable(expected) or type(expected) is type(got)):
 raise AssertionError(
 TYPE % (doc, type(expected), type(got), expected, got, stack)
 )
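Review bot: callable(expected) in the type check exempts every callable, not only the lambda callbacks the docstring describes, so a class, function or any object with __call__ placed in expected is no longer type-compared with got. If that is intended, say so in the docstring; otherwise a small dedicated wrapper class, tested with isinstance the way Fuzzy is, keeps the exemption explicit. The line also now runs well past 80 columns.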
@@ -312,6 +316,11 @@ def assert_deepequal(expected, got, doc='', stack=tuple()):
 e_sub = expected[key]
 g_sub = got[key]
 assert_deepequal(e_sub, g_sub, doc, stack + (key,))
+elif callable(expected):
+if not expected(got):
+raise AssertionError(
+VALUE % (doc, expected, got, stack)
+)
 elif expected != got:
 raise AssertionError(
 VALUE % (doc, expected, got, stack)
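Review bot: on failure the new branch formats expected into the VALUE message, and for a lambda that is only its repr, so the report no longer says which value was wanted. An exception raised inside the callback (for instance while parsing got) also escapes without the doc and stack path the other branches include. Consider catching it and re-raising as AssertionError with stack, and letting the callback carry a description for the message.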
-- 
1.7.4.4
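
The callback mechanism described in the message above, as an added, reduced example (not the code from the patch or from FreeIPA's tests/util.py). normalize_dn, dn_equals and first_failure are hypothetical helpers, normalize_dn is a simplified stand-in for the DN class, and the sample entries are constructed.

```python
VALUE = "%s: expected %r, got %r at path %r"
TYPE = "%s: type mismatch, expected %r, got %r at path %r"


def normalize_dn(dn):
    """Hypothetical, simplified DN normaliser.

    Lower-cases attribute types and values and strips spaces around ',' and
    '='. It ignores escaped commas and multi-valued RDNs, which a real DN
    class has to handle.
    """
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return tuple(rdns)


def dn_equals(expected_dn):
    """Build an equality callback bound by closure to expected_dn."""
    wanted = normalize_dn(expected_dn)

    def check(got):
        return isinstance(got, str) and normalize_dn(got) == wanted

    # Give the callback a readable name so failure messages show the target.
    check.__name__ = "dn_equals(%r)" % expected_dn
    return check


def assert_deepequal(expected, got, doc="", stack=()):
    """Recursive type/equality check in which a callable acts as the test."""
    if isinstance(expected, tuple):
        expected = list(expected)
    if isinstance(got, tuple):
        got = list(got)
    if callable(expected):
        # The callable replaces both the type check and the equality check.
        try:
            ok = expected(got)
        except Exception as exc:
            raise AssertionError(
                "%s: callback raised %r at path %r" % (doc, exc, stack))
        if not ok:
            name = getattr(expected, "__name__", repr(expected))
            raise AssertionError(VALUE % (doc, name, got, stack))
        return
    if type(expected) is not type(got):
        raise AssertionError(TYPE % (doc, type(expected), type(got), stack))
    if isinstance(expected, list):
        if len(expected) != len(got):
            raise AssertionError(VALUE % (doc, expected, got, stack))
        for i, (e_sub, g_sub) in enumerate(zip(expected, got)):
            assert_deepequal(e_sub, g_sub, doc, stack + (i,))
    elif isinstance(expected, dict):
        if set(expected) != set(got):
            raise AssertionError(
                VALUE % (doc, sorted(expected), sorted(got), stack))
        for key in expected:
            assert_deepequal(expected[key], got[key], doc, stack + (key,))
    elif expected != got:
        raise AssertionError(VALUE % (doc, expected, got, stack))


def first_failure(expected, got):
    """Return None when got matches expected, else the failure text."""
    try:
        assert_deepequal(expected, got, doc="privilege_show")
    except AssertionError as exc:
        return str(exc)
    return None


# Constructed sample data: the same entry with differently encoded DNs.
PRIVILEGE1_DN = "cn=privilege1,cn=privileges,cn=accounts,dc=example,dc=com"
EXPECTED = {"cn": ["privilege1"], "dn": dn_equals(PRIVILEGE1_DN)}
GOT_OK = {"cn": ["privilege1"],
          "dn": "CN=privilege1, CN=privileges, CN=accounts, DC=example, DC=com"}
GOT_BAD = {"cn": ["privilege1"],
           "dn": "cn=privilege2,cn=privileges,cn=accounts,dc=example,dc=com"}

if __name__ == "__main__":
    print(first_failure(EXPECTED, GOT_OK))
    print(first_failure(EXPECTED, GOT_BAD))
    print(first_failure({"cn": ["privilege1"], "dn": PRIVILEGE1_DN}, GOT_OK))
```
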


Re: [Freeipa-devel] [PATCH] 082 Add port 9443 to replica port checking

2011-06-15 Thread Martin Kosek
On Wed, 2011-06-15 at 11:19 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > Port 9443 (Agent secure port on PKI-CA) was missing. Additionally,
> > checked port descriptions case consistency fixed.
> >
> > https://fedorahosted.org/freeipa/ticket/1321
> 
> ack

Pushed to master.

Martin



Re: [Freeipa-devel] [PATCH] 081 Missing krbprincipalname when uid is not set

2011-06-15 Thread Martin Kosek
On Wed, 2011-06-15 at 11:19 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > When user_add command is executed without uid parameter filled, user
> > account is created without 'krbprincipalname' attribute. This renders
> > the user account unusable.
> >
> > https://fedorahosted.org/freeipa/ticket/1279
> 
> ack

Pushed to master, ipa-2-0.

Martin



Re: [Freeipa-devel] [PATCH] 0236-no-redirect-on-search

2011-06-15 Thread Adam Young

On 06/15/2011 11:24 AM, Adam Young wrote:




Removed extra whitespace
From f53183f649aebe4f85a904639c21236a80c1eb32 Mon Sep 17 00:00:00 2001
From: Adam Young 
Date: Wed, 15 Jun 2011 11:18:25 -0400
Subject: [PATCH] no redirect on search

https://fedorahosted.org/freeipa/ticket/1281
---
 install/ui/entity.js |4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

diff --git a/install/ui/entity.js b/install/ui/entity.js
index de57df544995df8a1f8721dfc6c9ff4698ec4f19..24f2020619ee3249acc1c524175d7b7bd6f6793a 100644
--- a/install/ui/entity.js
+++ b/install/ui/entity.js
@@ -131,7 +131,9 @@ IPA.facet = function (spec) {
 };
 
 that.on_error = function(xhr, text_status, error_thrown) {
-if (that.entity.redirect_facet) {
+if (that.entity.redirect_facet &&
+(IPA.current_facet(that.entity) !== 'search'))
+{
 var current_entity = that.entity;
 while (current_entity.containing_entity){
 current_entity = current_entity.containing_entity;
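Review bot: the condition IPA.current_facet(that.entity) !== 'search' hard-codes one facet's name into the base IPA.facet error handler, so every further facet that must not redirect means another clause here. Letting the search facet override on_error keeps the exception with the facet that needs it. The opening brace on its own line also departs from the ') {' style of the line it replaces.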
-- 
1.7.5.2


[Freeipa-devel] [PATCH] 177 Fixed build break.

2011-06-15 Thread Endi Sukma Dewata

The Makefile.am and freeipa.spec.in have been updated according to the
recent file changes.

--
Endi S. Dewata
From a5cbeb30e1097d3d653900cced3d76c2b7cc2b94 Mon Sep 17 00:00:00 2001
From: Endi S. Dewata 
Date: Wed, 15 Jun 2011 09:18:05 -0500
Subject: [PATCH] Fixed build break.

The Makefile.am and freeipa.spec.in have been updated according to the
recent file changes.
---
 freeipa.spec.in|5 -
 install/ui/Makefile.am |   14 --
 2 files changed, 16 insertions(+), 3 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 5c6c8a562e8c12791c059f96916c5519368385d2..cc674e1ad6c4fbee969637691ca6f82feb260516 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -398,7 +398,10 @@ fi
 %{_usr}/share/ipa/ui/*.gif
 %{_usr}/share/ipa/ui/*.css
 %{_usr}/share/ipa/ui/*.js
-%{_usr}/share/ipa/ui/*.otf
+%{_usr}/share/ipa/ui/*.eot
+%{_usr}/share/ipa/ui/*.svg
+%{_usr}/share/ipa/ui/*.ttf
+%{_usr}/share/ipa/ui/*.woff
 %dir %{_usr}/share/ipa/ui/layouts
 %dir %{_usr}/share/ipa/ui/layouts/default
 %{_usr}/share/ipa/ui/layouts/default/*.html
diff --git a/install/ui/Makefile.am b/install/ui/Makefile.am
index 87607a1a05da0fae2a95440a314f7cd29559cbb1..3db1427b2a996a202923e43a491f21a3fc286a8a 100644
--- a/install/ui/Makefile.am
+++ b/install/ui/Makefile.am
@@ -75,8 +75,18 @@ app_DATA =  \
 	ui-icons_ededed_256x240.png \
 	ui-icons_ffcf29_256x240.png \
 	ui-icons_ff_256x240.png \
-	FreeWay.otf \
-	FreeWay-Bold.otf \
+	add-icon.png \
+	overpass_bold-web.eot \
+	overpass_bold-web.svg \
+	overpass_bold-web.ttf \
+	overpass_bold-web.woff \
+	overpass_regular-web.eot \
+	overpass_regular-web.svg \
+	overpass_regular-web.ttf \
+	overpass_regular-web.woff \
+	remove-icon.png \
+	search-bg.png \
+	search-icon.png \
 	spinner_header.gif \
 	spinner_large.gif \
 	spinner_small.gif \
-- 
1.7.4


[Freeipa-devel] [PATCH] 0236-no-redirect-on-search

2011-06-15 Thread Adam Young


From 9a49b4f23609e6a57775c0107de47b44b99a674f Mon Sep 17 00:00:00 2001
From: Adam Young 
Date: Wed, 15 Jun 2011 11:18:25 -0400
Subject: [PATCH] no redirect on search

https://fedorahosted.org/freeipa/ticket/1281
---
 install/ui/entity.js |6 +-
 1 files changed, 5 insertions(+), 1 deletions(-)

diff --git a/install/ui/entity.js b/install/ui/entity.js
index de57df544995df8a1f8721dfc6c9ff4698ec4f19..58e1d150d81aac28f561844681632f19629a3cbc 100644
--- a/install/ui/entity.js
+++ b/install/ui/entity.js
@@ -1,3 +1,4 @@
+
 /*jsl:import ipa.js */
 /*jsl:import navigation.js */
 
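Review bot: the only change in this hunk is a blank line inserted above the /*jsl:import ipa.js */ header at the top of the file; it is unrelated to the error handling fix and should be dropped.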
@@ -131,11 +132,14 @@ IPA.facet = function (spec) {
 };
 
 that.on_error = function(xhr, text_status, error_thrown) {
-if (that.entity.redirect_facet) {
+if (that.entity.redirect_facet &&
+(IPA.current_facet(that.entity) !== 'search'))
+{
 var current_entity = that.entity;
 while (current_entity.containing_entity){
 current_entity = current_entity.containing_entity;
 }
+
 IPA.nav.show_page(
 current_entity.name,
 that.entity.redirect_facet);
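Review bot: the blank line added before IPA.nav.show_page( is a whitespace-only change unrelated to the fix and should go. The substantive change, the check against the literal 'search' in the base on_error, ties IPA.facet to one specific facet name; an on_error override in the search facet would avoid that.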
-- 
1.7.5.2


Re: [Freeipa-devel] [PATCH] 082 Add port 9443 to replica port checking

2011-06-15 Thread Rob Crittenden

Martin Kosek wrote:

Port 9443 (Agent secure port on PKI-CA) was missing. Additionally,
checked port descriptions case consistency fixed.

https://fedorahosted.org/freeipa/ticket/1321


ack



Re: [Freeipa-devel] [PATCH] 081 Missing krbprincipalname when uid is not set

2011-06-15 Thread Rob Crittenden

Martin Kosek wrote:

When user_add command is executed without uid parameter filled, user
account is created without 'krbprincipalname' attribute. This renders
the user account unusable.

https://fedorahosted.org/freeipa/ticket/1279


ack



Re: [Freeipa-devel] [PATCH] 792 Update translations

2011-06-15 Thread Martin Kosek
On Tue, 2011-06-14 at 17:41 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > On Mon, 2011-06-06 at 13:47 -0400, Rob Crittenden wrote:
> >> Our translation files haven't been updated for a few months, this brings
> >> things up to date. It is intended for master only.
> >>
> >> All I did to generate this patch was to run make update-po in
> >> install/po. It is otherwise untouched by human hands.
> >>
> >> 4Mb of changes, 810 new messages, so this patch is huge, sorry.
> >>
> >> rob
> >
> > Eh, nice patch :-) Did you also pull new translations from Transifex?
> > John wrote a howto in a mail "Transifex i18n translation changes".
> >
> > Btw if we also want to update ipa-2-0 translations, it would need a
> > separate patch as those 2 branches have diverged.
> >
> > Martin
> >
> 
> There are no new translations upstream. Once this is pushed we can push 
> it to Transifex as well
> 
> rob

Ok, ACK from me then. Feel free to regenerate translations if some
strings were changed before the review was completed.

Martin



Re: [Freeipa-devel] [PATCH] 29 Raise DuplicateEntry Error when adding a duplicate sudo option

2011-06-15 Thread Rob Crittenden

JR Aquino wrote:

On Jun 14, 2011, at 11:06 AM, Rob Crittenden wrote:


JR Aquino wrote:

On Jun 10, 2011, at 3:11 PM, JR Aquino wrote:


On Jun 9, 2011, at 10:24 AM, Rob Crittenden wrote:


JR Aquino wrote:

https://fedorahosted.org/freeipa/ticket/1277

Raise DuplicateEntry Error when adding a duplicate sudo option


nack, this will still fail if no ipasudoopt is passed in.

Also, is this case-sensitive?


Yes, it is case sensitive (Example: sudoOption: env_keep+=SSH_AUTH_SOCK)

Here is an adjusted patch to account for no ipasudoopt as well as an empty 
space.





Minor correction: Addressed the 1 character change needed to address #1276

Added notes to indicate this patch fixes:
#1276 (Removed option from Sudo rule message is displayed even when the given 
option doesn't exist.)
#1277 (Added option to Sudo rule message is displayed even when the given 
option already exists.)
#1308 (Internal error while removing sudorule option without "--sudooption")



NACK

$ ipa sudorule-add test
--
Added sudo rule "test"
--
  Rule name: test
  Enabled: TRUE
$ ipa sudorule-remove-option test --sudooption=foo
---
sudorule-remove-option:
---
  Rule name: test
ipa: ERROR: KeyError: 'ipasudoopt'
Traceback (most recent call last):
  File "/home/rcrit/redhat/freeipa-master/ipalib/cli.py", line 1141, in run
sys.exit(api.Backend.cli.run(argv))
  File "/home/rcrit/redhat/freeipa-master/ipalib/cli.py", line 965, in run
rv = cmd.output_for_cli(self.api.Backend.textui, result, *args, **options)
  File "/home/rcrit/redhat/freeipa-master/ipalib/plugins/sudorule.py", line 
675, in output_for_cli
textui.print_attribute('Sudo Options', result['result']['ipasudoopt'])
KeyError: 'ipasudoopt'
ipa: ERROR: an internal error has occurred

Is this legal?

$ ipa sudorule-add-option test --sudooption=foo

sudorule-add-option:

  Rule name: test
  Sudo Options: foo
$ ipa sudorule-add-option test --sudooption=foo
ipa: ERROR: This entry already exists
$ ipa sudorule-add-option test --sudooption=FOO

sudorule-add-option:

  Rule name: test
  Sudo Options: foo
  Sudo Options: FOO


This is legal ^ Or if you like double negatives, this is not illegal.

However, the only options that will be respected are listed: 
http://www.gratisoft.us/sudo/man/1.8.1/sudoers.man.html in the SUDOERS OPTIONS 
section. Some of the values can be singular like:
"sudoOption: !authenticate" which will allow you to run sudo without a password or 
"sudoOption: iolog_dir=/var/log/sudo-playback"



I also noticed that ipasudoopt doesn't have a label and isn't shown in the rule 
by default.


Here is a corrected patch to address the KeyError and the display issue.



A minor issue and a question.

The minor issue is you changed a couple of options from optional to 
mandatory, which is fine, but we need to bump up the minor version in 
VERSION (older clients otherwise could not send the string and blow 
things up).


The question is, should we raise EmptyModList() when removing an option 
that doesn't exist or NotFound(reason=_())? I think the second might be 
more explanatory but might be harder to handle in scripts (how would 
you distinguish between entry not found and option not found)?


rob



Re: [Freeipa-devel] [PATCH] 803 disallow revocation reason 7

2011-06-15 Thread Martin Kosek
On Tue, 2011-06-14 at 22:05 -0400, Rob Crittenden wrote:
> Revocation reason 7 is undefined in the RFCs, disallow it.
> 
> https://fedorahosted.org/freeipa/ticket/1318

ACK. Works fine.

Pushed to master, ipa-2-0.

Martin



Re: [Freeipa-devel] [PATCH] 802 add message summary to sudorule

2011-06-15 Thread Martin Kosek
On Tue, 2011-06-14 at 21:36 -0400, Rob Crittenden wrote:
> Some of the sudorule commands were missing a message summary.
> 
> ticket https://fedorahosted.org/freeipa/ticket/1255
> 
> rob

ACK. I checked if any unit test is broken because of newly returned
summary field, but it's OK.

Pushed to master, ipa-2-0.

Martin



Re: [Freeipa-devel] [PATCH] 801 Don't lose JSON decoding error

2011-06-15 Thread Martin Kosek
On Tue, 2011-06-14 at 17:52 -0400, Rob Crittenden wrote:
> Don't let a JSON error get lost in cascading errors.
> 
> If a JSON decoding error was found we were still trying to call the 
> XML-RPC function, losing the original error.
> 
> https://fedorahosted.org/freeipa/ticket/1322
> 
> rob

Pushed to master, ipa-2-0.

Martin



Re: [Freeipa-devel] [PATCH] 079 DNS installation fails when domain and host domain mismatch

2011-06-15 Thread Martin Kosek
On Tue, 2011-06-14 at 13:53 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > This patch depends on my patch 078. A special patch for stable branch
> > attached.
> >
> > ---
> >
> > Create DNS domain for IPA server hostname first so that its forward
> > record can be added. This results in 2 forward DNS zones created
> > when server hostname doesn't equal server domain.
> >
> > https://fedorahosted.org/freeipa/ticket/1194
> 
> This looks ok, just a style question.
> 
> by definition fqdn is fully-qualified so is this necessary?
> 
> +if '.' in self.fqdn:
> +self.host_domain = '.'.join(fqdn.split(".")[1:])
> +else:
> +self.host_domain = self.domain
> 
> The test will always be true, right?
> 
> rob

It should be. Maybe I was overcautious in this place. Attaching updated
patches.

Martin
From 7513da959206b02e96e671716bd7270e7fedba68 Mon Sep 17 00:00:00 2001
From: Martin Kosek 
Date: Thu, 9 Jun 2011 12:33:09 +0200
Subject: [PATCH] DNS installation fails when domain and host domain mismatch

Create DNS domain for IPA server hostname first so that its forward
record can be added. This results in 2 forward DNS zones created
when server hostname doesn't equal server domain.

https://fedorahosted.org/freeipa/ticket/1194
---
 ipaserver/install/bindinstance.py |9 +
 1 files changed, 9 insertions(+), 0 deletions(-)

diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index 2f897b423f30b6b08127783f00adcd6352f09ca4..8981c2fdbc0c84d611023b4a41e1209996d8035f 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -308,6 +308,7 @@ class BindInstance(service.Service):
 self.domain = domain_name
 self.forwarders = forwarders
 self.host = fqdn.split(".")[0]
+self.host_domain = '.'.join(fqdn.split(".")[1:])
 self.suffix = util.realm_to_suffix(self.realm)
 self.ntp = ntp
 self.create_reverse = create_reverse
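Review bot: self.host_domain is computed with '.'.join(fqdn.split(".")[1:]) and no fallback, so an fqdn without a dot yields an empty string and one with a trailing dot yields a domain ending in '.'. In both cases the comparison in __setup_zone sees a mismatch with self.domain and add_zone is called with that value. If fqdn is guaranteed to be validated earlier in the installer, a comment saying so would settle it; otherwise validate it here.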
@@ -402,6 +403,14 @@ class BindInstance(service.Service):
 self._ldap_mod("dns.ldif", self.sub_dict)
 
 def __setup_zone(self):
+if self.host_domain != self.domain:
+# add DNS domain for host first
+logging.debug("Host domain (%s) is different from DNS domain (%s)!" \
+% (self.host_domain, self.domain))
+logging.debug("Add DNS zone for host first.")
+
+add_zone(self.host_domain, self.zonemgr, dns_backup=self.dns_backup,
+ns_hostname=api.env.host, ns_ip_address=self.ip_address)
 add_zone(self.domain, self.zonemgr, dns_backup=self.dns_backup,
 ns_hostname=api.env.host, ns_ip_address=self.ip_address)
 
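Review bot: if self.host_domain != self.domain is a case-sensitive string comparison, while DNS names compare case-insensitively, so 'Example.com' against 'example.com' would create a second zone for the same domain. Normalise both sides (lower case, trailing dot stripped) before comparing. The backslash continuation in the first logging.debug call is unnecessary inside the parentheses, and the two debug messages could be one.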
-- 
1.7.5.2

From 5e0ce572e288a16aab3b3dc96517f4d402faf766 Mon Sep 17 00:00:00 2001
From: Martin Kosek 
Date: Thu, 9 Jun 2011 12:55:01 +0200
Subject: [PATCH] DNS installation fails when domain and host domain mismatch

Create DNS domain for IPA server hostname first so that its forward
record can be added. This results in 2 forward DNS zones created
when server hostname doesn't equal server domain.

https://fedorahosted.org/freeipa/ticket/1194
---
 ipaserver/install/bindinstance.py |8 
 1 files changed, 8 insertions(+), 0 deletions(-)

diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index fa27451703d39b7d9607066fb1901fd58c1c9ee9..04e61d543366615ee7bdee9eaa5c9d577bb33dcd 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -267,6 +267,7 @@ class BindInstance(service.Service):
 self.domain = domain_name
 self.forwarders = forwarders
 self.host = fqdn.split(".")[0]
+self.host_domain = '.'.join(fqdn.split(".")[1:])
 self.suffix = util.realm_to_suffix(self.realm)
 self.ntp = ntp
 self.create_reverse = create_reverse
@@ -361,6 +362,13 @@ class BindInstance(service.Service):
 self._ldap_mod("dns.ldif", self.sub_dict)
 
 def __setup_zone(self):
+if self.host_domain != self.domain:
+# add DNS domain for host first
+logging.debug("Host domain (%s) is different from DNS domain (%s)!" \
+% (self.host_domain, self.domain))
+logging.debug("Add DNS zone for host first.")
+zone = add_zone(self.host_domain, self.zonemgr,
+self.dns_backup, self.ip_address)
 zone = add_zone(self.domain, self.zonemgr,
 self.dns_backup, self.ip_address)
 
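Review bot: the result of the added add_zone(self.host_domain, ...) call is assigned to zone and then immediately overwritten by the add_zone(self.domain, ...) call below it, so the first assignment is dead. Drop the 'zone =' on the new call, or keep both results under separate names if the host zone is needed later. The != comparison is also case-sensitive, which DNS names are not.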
-- 
1.7.5.2


[Freeipa-devel] [PATCH] 082 Add port 9443 to replica port checking

2011-06-15 Thread Martin Kosek
Port 9443 (Agent secure port on PKI-CA) was missing. Additionally,
checked port descriptions case consistency fixed.

https://fedorahosted.org/freeipa/ticket/1321

From 6d2ae60382588f77b79265558bd3d895e970c854 Mon Sep 17 00:00:00 2001
From: Martin Kosek 
Date: Wed, 15 Jun 2011 14:13:14 +0200
Subject: [PATCH] Add port 9443 to replica port checking

Port 9443 (Agent secure port on PKI-CA) was missing. Additionally,
checked port descriptions case consistency fixed.

https://fedorahosted.org/freeipa/ticket/1321
---
 install/tools/ipa-replica-conncheck |   13 +++--
 1 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck
index 7f876c95a977620683a11d52174c575c23c73447..7929579885c7e4e36716eb3587ab7d7450461e89 100755
--- a/install/tools/ipa-replica-conncheck
+++ b/install/tools/ipa-replica-conncheck
@@ -48,16 +48,17 @@ class CheckedPort(object):
 self.description = description
 
 BASE_PORTS = [
-CheckedPort(389, True, "Directory Service: unsecure port"),
-CheckedPort(636, True, "Directory Service: secure port"),
+CheckedPort(389, True, "Directory Service: Unsecure port"),
+CheckedPort(636, True, "Directory Service: Secure port"),
 CheckedPort(88, False, "Kerberos"),
  ]
 
 CA_PORTS  = [
-CheckedPort(7389, True, "PKI-CA: Directory Service"),
-CheckedPort(9444, True, "PKI-CA: EE Secure port"),
-CheckedPort(9445, True, "PKI-CA: Admin Secure port"),
-CheckedPort(9446, True, "PKI-CA: EE Secure Client Auth port"),
+CheckedPort(7389, True, "PKI-CA: Directory Service port"),
+CheckedPort(9443, True, "PKI-CA: Agent secure port"),
+CheckedPort(9444, True, "PKI-CA: EE secure port"),
+CheckedPort(9445, True, "PKI-CA: Admin secure port"),
+CheckedPort(9446, True, "PKI-CA: EE secure client auth port"),
 CheckedPort(9180, True, "PKI-CA: Unsecure port"),
 ]
 
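Review bot: CA_PORTS is not in numeric order (9180 follows 9446), which is how a gap like the missing 9443 goes unnoticed; sorting the list while it is being touched would help. 'Unsecure' in the descriptions would read better as 'insecure' or 'unencrypted'.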
-- 
1.7.5.2


[Freeipa-devel] [PATCH] 081 Missing krbprincipalname when uid is not set

2011-06-15 Thread Martin Kosek
When user_add command is executed without uid parameter filled, user
account is created without 'krbprincipalname' attribute. This renders
the user account unusable.

https://fedorahosted.org/freeipa/ticket/1279

From 8bc3777e72590c665029e0d1e3698490b7a7dacd Mon Sep 17 00:00:00 2001
From: Martin Kosek 
Date: Wed, 15 Jun 2011 13:41:41 +0200
Subject: [PATCH] Missing krbprincipalname when uid is not set

When user_add command is executed without uid parameter filled, user
account is created without 'krbprincipalname' attribute. This renders
the user account unusable.

https://fedorahosted.org/freeipa/ticket/1279
---
 ipalib/plugins/user.py |1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py
index 03766a3817233f3798ce19f04579522ca6110a34..de1aa33f3eb12ddab162ab83e2a9fe2b1c6ca3ff 100644
--- a/ipalib/plugins/user.py
+++ b/ipalib/plugins/user.py
@@ -347,6 +347,7 @@ class user_add(LDAPCreate):
 home_dir = home_dir.replace('//', '/').rstrip('/')
 entry_attrs['homedirectory'] = home_dir
 entry_attrs.setdefault('krbpwdpolicyreference', 'cn=global_policy,cn=%s,cn=kerberos,%s' % (api.env.realm, api.env.basedn))
+entry_attrs.setdefault('krbprincipalname', '%s@%s' % (entry_attrs['uid'], api.env.realm))
 
 if 'gidnumber' not in entry_attrs:
 # gidNumber wasn't specified explicity, find out what it should be
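Review bot: the new setdefault indexes entry_attrs['uid'] directly, while the commit message describes the failing case as user_add run "without uid parameter filled". If uid can really be absent from entry_attrs at this point, the line raises KeyError instead of fixing the entry; if uid is always present, the commit message should name the condition that actually left krbprincipalname unset. A unit test for that case belongs with the change.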
-- 
1.7.5.2


Re: [Freeipa-devel] [PATCH] 080 Add a list of managed hosts

2011-06-15 Thread Martin Kosek
On Tue, 2011-06-14 at 14:12 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > Enhance Host plugin to provide not only "Managed By" list but also
> > a list of managed hosts. The new list is generated only when --all
> > option is passed.
> >
> > https://fedorahosted.org/freeipa/ticket/993
> 
> ack

Pushed to master.

I didn't update unit tests with the new list, so I added a fix for 2
unit tests to the patch before pushing.

Martin



Re: [Freeipa-devel] [PATCH] admiyo-0127-add-missing-files-in-rpm

2011-06-15 Thread Martin Kosek
On Wed, 2011-06-15 at 09:47 +0200, Martin Kosek wrote:
> On Fri, 2011-01-14 at 14:20 -0500, Adam Young wrote:
> > On 01/06/2011 04:13 AM, Pavel Zůna wrote:
> > > On 2011-01-05 20:57, Adam Young wrote:
> > >> Had to move some files around, and added to both Makefile.am and 
> > >> ipa.spec
> > >>
> > >>
> > >
> > > ACK.
> > >
> > > Pavel
> > >
> > > ___
> > > Freeipa-devel mailing list
> > > Freeipa-devel@redhat.com
> > > https://www.redhat.com/mailman/listinfo/freeipa-devel
> > Pushed to master
> 
> NACK. This patch broke the build of master branch:
> 
> make[5]: Entering directory
> `/home/mkosek/freeipa/rpmbuild/BUILD/freeipa-2.0.90GIT058e3d0/install/ui'
> make[5]: *** No rule to make target `FreeWay.otf', needed by `all-am'.
> Stop.
> make[5]: Leaving directory
> `/home/mkosek/freeipa/rpmbuild/BUILD/freeipa-2.0.90GIT058e3d0/install/ui'
> make[4]: *** [all-recursive] Error 1
> make[4]: Leaving directory
> `/home/mkosek/freeipa/rpmbuild/BUILD/freeipa-2.0.90GIT058e3d0/install/ui'
> make[3]: *** [all-recursive] Error 1
> 
> Martin

I pointed my finger to incorrect patch, sorry Adam.

The patch that broke the master build is Kyle's
"0017-List-page-spacing-changes" (fb6f06d94dcfd664ba817ce61f84d600ee17c260).

Martin


Re: [Freeipa-devel] [PATCH] admiyo-0127-add-missing-files-in-rpm

2011-06-15 Thread Martin Kosek
On Fri, 2011-01-14 at 14:20 -0500, Adam Young wrote:
> On 01/06/2011 04:13 AM, Pavel Zůna wrote:
> > On 2011-01-05 20:57, Adam Young wrote:
> >> Had to move some files around, and added to both Makefile.am and 
> >> ipa.spec
> >>
> >>
> >
> > ACK.
> >
> > Pavel
> >
> > ___
> > Freeipa-devel mailing list
> > Freeipa-devel@redhat.com
> > https://www.redhat.com/mailman/listinfo/freeipa-devel
> Pushed to master

NACK. This patch broke the build of master branch:

make[5]: Entering directory
`/home/mkosek/freeipa/rpmbuild/BUILD/freeipa-2.0.90GIT058e3d0/install/ui'
make[5]: *** No rule to make target `FreeWay.otf', needed by `all-am'.
Stop.
make[5]: Leaving directory
`/home/mkosek/freeipa/rpmbuild/BUILD/freeipa-2.0.90GIT058e3d0/install/ui'
make[4]: *** [all-recursive] Error 1
make[4]: Leaving directory
`/home/mkosek/freeipa/rpmbuild/BUILD/freeipa-2.0.90GIT058e3d0/install/ui'
make[3]: *** [all-recursive] Error 1

Martin


Re: [Freeipa-devel] [PATCH] 078 Improve DNS zone creation

2011-06-15 Thread Martin Kosek
On Tue, 2011-06-14 at 13:58 -0400, Rob Crittenden wrote:
> Simo Sorce wrote:
> > On Thu, 2011-06-09 at 11:31 +0200, Martin Kosek wrote:
> >> When a new DNS zone is being created a local hostname is set as a
> >> nameserver of the new zone. However, when the zone is created
> >> during ipa-replica-prepare, the current master/replica doesn't
> >> have to be an IPA server with DNS support. This would lead to DNS
> >> zones with incorrect NS records as they wouldn't point to a valid
> >> name server.
> >>
> >> Now, a list of all master servers with DNS support is retrieved
> >> during DNS zone creation and added as NS records for a new DNS
> >> zone.
> >>
> >> https://fedorahosted.org/freeipa/ticket/1261
> >
> > ACK, although I have not tested.
> >
> > Simo.
> >
> 
> Ack as well

Pushed to master.

Martin
