Re: [Freeipa-devel] [PATCH] 833 fix sudorule unit tests
On Tue, 2011-07-19 at 16:41 -0400, Rob Crittenden wrote: With the external user/group management fixed, correct the unit tests. The unit tests were incorrectly expecting the removed data back when removing external users. rob NACK There is still one unit test failure. Test test_a_sudorule_add_externaluser needs to be fixed as well. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 835 set default min int, handle longs
On Tue, 2011-07-19 at 22:15 -0400, Rob Crittenden wrote: Our handling of long values wasn't the best when dealing with negative values. Added a default minint similar to maxint and validate_scalar in Int to allow either int or long types. This lets it get to the min/max rules where we can compare properly and give a better error response. Note that I changed the language slightly from value 'must be at least x' to 'can be at least x'. It reads better to me this way but I'm flexible. https://fedorahosted.org/freeipa/ticket/1494 rob ACK, works fine, tests are OK. I won't argue with the wording of _rule_minvalue, both reads OK to me. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 833 fix sudorule unit tests
Martin Kosek wrote: On Tue, 2011-07-19 at 16:41 -0400, Rob Crittenden wrote: With the external user/group management fixed, correct the unit tests. The unit tests were incorrectly expecting the removed data back when removing external users. rob NACK There is still one unit test failure. Test test_a_sudorule_add_externaluser needs to be fixed as well. Martin Wow, not sure how I missed this one. Updated patch attached. rob From 8b1e8d090e1318a7a7d8b8814bf2c034cdd68917 Mon Sep 17 00:00:00 2001 From: Rob Crittenden rcrit...@redhat.com Date: Tue, 19 Jul 2011 16:39:40 -0400 Subject: [PATCH] With the external user/group management fixed, correct the unit tests. The unit tests were incorrectly expecting the removed data back when removing external users. --- tests/test_xmlrpc/test_sudorule_plugin.py |6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/test_xmlrpc/test_sudorule_plugin.py b/tests/test_xmlrpc/test_sudorule_plugin.py index c428899..a079de7 100644 --- a/tests/test_xmlrpc/test_sudorule_plugin.py +++ b/tests/test_xmlrpc/test_sudorule_plugin.py @@ -280,7 +280,7 @@ class test_sudorule(XMLRPC_test): assert ret['completed'] == 1 failed = ret['failed'] entry = ret['result'] -assert 'externaluser' not in entry +assert entry['externaluser'] == () def test_a_sudorule_add_runasexternaluser(self): @@ -306,7 +306,7 @@ class test_sudorule(XMLRPC_test): assert ret['completed'] == 1 failed = ret['failed'] entry = ret['result'] -assert 'ipasudorunasextuser' not in entry +assert entry['ipasudorunasextuser'] == () def test_a_sudorule_add_runasexternalgroup(self): @@ -332,7 +332,7 @@ class test_sudorule(XMLRPC_test): assert ret['completed'] == 1 failed = ret['failed'] entry = ret['result'] -assert 'ipasudorunasextgroup' not in entry +assert entry['ipasudorunasextgroup'] == () def test_a_sudorule_add_option(self): -- 1.7.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 066 Remove wrong kpasswd sysconfig
I noticed that the file kpasswd init script reads is called /etc/sysconfig/ipa-kpasswd but krbinstance.py saved and wrote into /etc/sysconfig/ipa_kpasswd. I removed the linkes rather than fixing them for two reasons: 1) /var/kerberos/krb5kdc/kpasswd.keytab is the default 2) it probably wouldn't have worked anyway because the ktname must be prefixed with FILE:. From c85c4a532ff698a9399884fcfac002dc6b0d7adb Mon Sep 17 00:00:00 2001 From: Jakub Hrozek jhro...@redhat.com Date: Tue, 19 Jul 2011 15:47:57 +0200 Subject: [PATCH 1/2] Remove wrong kpasswd sysconfig --- ipaserver/install/krbinstance.py |3 --- 1 files changed, 0 insertions(+), 3 deletions(-) diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py index ecb8427..5326e2f 100644 --- a/ipaserver/install/krbinstance.py +++ b/ipaserver/install/krbinstance.py @@ -512,9 +512,6 @@ class KrbInstance(service.Service): self.fstore.backup_file(/var/kerberos/krb5kdc/kpasswd.keytab) installutils.create_keytab(/var/kerberos/krb5kdc/kpasswd.keytab, kadmin/changepw) -self.fstore.backup_file(/etc/sysconfig/ipa_kpasswd) -update_key_val_in_file(/etc/sysconfig/ipa_kpasswd, export KRB5_KTNAME, /var/kerberos/krb5kdc/kpasswd.keytab) - def __setup_pkinit(self): if self.self_signed_ca: ca_db = certs.CertDB(self.realm, -- 1.7.6 signature.asc Description: OpenPGP digital signature ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 067 Silence a compilation warning in ipa_kpasswd
I was playing with ipa_kpasswd (long story short - I needed it running on a non-standard port) and I noticed there was a compilation warning - rtag was set but never checked. Also removes one unused #define. From 76a4895cd4f65bd9cb6251c23037e466bbd22eff Mon Sep 17 00:00:00 2001 From: Jakub Hrozek jhro...@redhat.com Date: Tue, 19 Jul 2011 16:07:57 +0200 Subject: [PATCH 2/2] Silence a compilation warning in ipa_kpasswd rtag was set but never checked which resulted in a compilation warning --- daemons/ipa-kpasswd/ipa_kpasswd.c | 21 - 1 files changed, 20 insertions(+), 1 deletions(-) diff --git a/daemons/ipa-kpasswd/ipa_kpasswd.c b/daemons/ipa-kpasswd/ipa_kpasswd.c index d3077fd..85e92e1 100644 --- a/daemons/ipa-kpasswd/ipa_kpasswd.c +++ b/daemons/ipa-kpasswd/ipa_kpasswd.c @@ -45,7 +45,6 @@ #define DEFAULT_KEYTAB FILE:/var/kerberos/krb5kdc/kpasswd.keytab #define TMP_TEMPLATE /var/cache/ipa/kpasswd/krb5_cc.XX -#define KPASSWD_PORT 464 /* blacklist entries are released only BLCAKLIST_TIMEOUT seconds * after the children performing the noperation has finished. @@ -576,8 +575,18 @@ int ldap_pwd_change(char *client_name, char *realm_name, krb5_data pwd, char **e ber_tag_t rtag, btag; ber_int_t bint; rtag = ber_scanf(sctrl, {t, btag); +if (rtag == LBER_ERROR) { +syslog(LOG_ERR, Could not decode a BER element); +goto done; +} + if (btag == LDAP_TAG_PWP_WARNING) { rtag = ber_scanf(sctrl, {ti}, btag, bint); +if (rtag == LBER_ERROR) { +syslog(LOG_ERR, Could not decode a BER element); +goto done; +} + if (btag == LDAP_TAG_PWP_SECSLEFT) { ret = asprintf(exterr2, (%d seconds left before password expires), bint); } else { @@ -588,9 +597,19 @@ int ldap_pwd_change(char *client_name, char *realm_name, krb5_data pwd, char **e exterr2 = NULL; } rtag = ber_scanf(sctrl, t, btag); +if (rtag == LBER_ERROR) { +syslog(LOG_ERR, Could not decode a BER element); +goto done; +} + } if (btag == LDAP_TAG_PWP_ERROR) { rtag = ber_scanf(sctrl, e, bint); +if (rtag == LBER_ERROR) { +syslog(LOG_ERR, Could not decode a BER element); +goto done; +} + switch(bint) { case 0: ret = asprintf(exterr1, Err%d: Password Expired., bint); -- 1.7.6 signature.asc Description: OpenPGP digital signature ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 833 fix sudorule unit tests
On Wed, 2011-07-20 at 09:12 -0400, Rob Crittenden wrote: Martin Kosek wrote: On Tue, 2011-07-19 at 16:41 -0400, Rob Crittenden wrote: With the external user/group management fixed, correct the unit tests. The unit tests were incorrectly expecting the removed data back when removing external users. rob NACK There is still one unit test failure. Test test_a_sudorule_add_externaluser needs to be fixed as well. Martin Wow, not sure how I missed this one. Updated patch attached. rob ACK. Pushed to master, ipa-2-0. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 34 Create FreeIPA CLI Plugin for the 389 Auto Membership plugin
JR Aquino wrote: On Jul 15, 2011, at 7:55 AM, Rob Crittenden wrote: Martin Kosek wrote: On Thu, 2011-07-14 at 23:05 +, JR Aquino wrote: On Jul 14, 2011, at 11:55 AM, wrote: https://fedorahosted.org/freeipa/ticket/1272 * Added new container in etc to hold the automembership configs. * Modified constants to point to the new container * Modified dsinstance to create the container * Modified hostgroup.py to add the new commands * Added xmlrpc test to verify functionality Minor adjustment: Auto Membership Plugin isn't available until 1.2.9-0.2+ Modified freeipa.spec.in: BuildRequires: 389-ds-base-devel= 1.2.9-0.2 I have reviewed your patch. Basic functionality is OK but I have some concerns. 1) I am not sure with the command name, it is not really clear to me what this command does. But I know from my experience that inventing a cool name for something new may be the most difficult task at all :-) Maybe command name hostgrouprule or hostgroupauto would be more clear? Perhaps my example docs were too soft with fqdn=^www[1-9]+\.example\.com etc.. I should 'clarify'... perhaps what I need to do is add more useful information to the doc, for example If I were to add to the doc area examples where hostnames are like: w[1-9]+s2r8\.example\.com The real reason for the usefulness of this technology, is in SaaS, Cloud, and Cluster environments, where the hostnames tend to be non-human readable, and more like a serial number detailing their function, their rack location, or their vm-instance, etc... It is because of those scenarios that caused me so much grief as a security engineer trying to assign rights that it became clear that I could just define the reproducible pattern to match assignment into a host group. The hostnames needed clarity in order to understand where they belonged in the network. I'll give it one more chance to pass the censors since I've been internally calling it clarity for the last 2 1/2 years that I've been using it... 2) Overloading execute method in functions hostgroupclarity_add_condition and hostgroupclarity_remove_condition is an over-kill for me. I think we could just read current inclusive/exclusive regexes in pre_callback, modify them and let LDAPUpdate class do the standard LDAP operations. I'll recode to perform the actions in a pre_callback. 3) I miss hostgroupclarity-mod module. What would I do if I want to update Description? Thank you for catching this, I will add it. 4) I didn't like this construct in the code, its error prone to potential future parameter changes. +if len(options) == 2: # 'all' and 'raw' are always sent +raise errors.EmptyModlist() I know it's in baseldap.py but I still wouldn't like to see this in plugins. I should be able to omit that once the code is located in the pre_callback. 5) Test test_clarityrule_plugin.py: reference to inexistent python module: +Test the `ipalib/plugins/clarityrule.py` module. Thank you, that is left over from a previous attempt. I will remove it. Then I did some real testing of the new command: 6) Invalid examples, fqdn is not supposed to be a part of regex $ ipa hostgroupclarity-add --inclusive-hostname-regex=fqdn=^www[1-9]+\.example\.com webservers Hostgroup Clarity Rule: webservers Inclusive Regex: fqdn=fqdn=^www[1-9]+.example.com Also an oversight, thanks, I will correct it. 7) It does not make sense to have a rule with only an exclusive regex: $ ipa hostgroupclarity-add --exclusive-hostname-regex=^www5+\.example\.com webservers Hostgroup Clarity Rule: webservers $ ipa host-add --force foo.example.co $ ipa hostgroup-show webservers Host-group: webservers Description: Web Servers Member hosts: www1.example.com I think we should 1) hide exclusive regex option in hostgroupclarity-add and 2) check that there is at least one inclusive regex in the rule when running hostgroupclarity-add-condition and hostgroupclarity-remove-condition. I agree, I'll hide it during the creation, and force it to require an inclusive prior to adding an exclusive. 8) Plugin incorrectly handles a situation when both inclusive and exclusive regex-es are being added: $ ipa hostgroupclarity-add --inclusive-hostname-regex=^www[1-9]+\.example\.com webservers Hostgroup Clarity Rule: webservers Inclusive Regex: fqdn=^www[1-9]+.example.com $ ipa hostgroupclarity-add-condition --inclusive-hostname-regex=^web[1-9]+\.example\.com --exclusive-hostname-regex=www5\.example\.com webservers Inclusive Regex: fqdn=^web[1-9]+.example.com, fqdn=^www[1-9]+.example.com Exclusive Regex: www5.example.com Exclusive regex misses fqdn. Will look into this. 9) Removing multiple conditions also works incorrectly: $ ipa hostgroupclarity-show webservers Hostgroup Clarity Rule: webservers Inclusive Regex: fqdn=^www[1-9]+.example.com, fqdn=^web[1-9]+.example.com Exclusive Regex: fqdn=www5.example.com $ ipa
Re: [Freeipa-devel] [PATCH] 820 make client errors clearer
Martin Kosek wrote: On Tue, 2011-07-19 at 10:40 -0400, Rob Crittenden wrote: Martin Kosek wrote: On Wed, 2011-07-06 at 11:03 -0400, Rob Crittenden wrote: Some client errors were rather generic or outright misleading. This cleans up some return values and displays output from the ipa-enrollment extended operation. ticket https://fedorahosted.org/freeipa/ticket/1417 NACK. Good patch, but I found one issue: ipa-client/ipa-install/ipa-client-install: -if ret == -1 or not ds.getDomainName(): +if ret == ipadiscovery.NO_LDAP_SERVER or not ds.getDomainName(): You check for another error. That way the domain problem will not get caught there. Martin Updated patch attached, catching NOT_FQDN now. rob ACK, works fine. Martin pushed to master and ipa-2-0 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 0271-no-dns.
From d669b5523282df99d97829e68de7f4c4a17d25d2 Mon Sep 17 00:00:00 2001 From: Adam Young ayo...@redhat.com Date: Wed, 20 Jul 2011 11:43:41 -0400 Subject: [PATCH] no dns Remove all DNS entities if the DNS server is not installed. Removes it from the navigation as well. https://fedorahosted.org/freeipa/ticket/1498 --- install/ui/dns.js|5 + install/ui/navigation.js | 18 +++--- 2 files changed, 20 insertions(+), 3 deletions(-) diff --git a/install/ui/dns.js b/install/ui/dns.js index 7401926532fb44e4b3c0dd7e9b2feda206b82fe8..58aeaddff84d3d93723a0cf081287ca2b32edcf2 100644 --- a/install/ui/dns.js +++ b/install/ui/dns.js @@ -117,6 +117,11 @@ IPA.dns_record_search_load = function (result) { }; IPA.entity_factories.dnsrecord = function() { + +if (!IPA.dns_enabled) { +throw DNS not enabled on server; +} + return IPA.entity_builder(). entity('dnsrecord'). containing_entity('dnszone'). diff --git a/install/ui/navigation.js b/install/ui/navigation.js index 25c519dcefd11b997765331ded37c66710ad17ed..b63741053e5dc6f803c5f426f4beee4360eeac1f 100644 --- a/install/ui/navigation.js +++ b/install/ui/navigation.js @@ -217,6 +217,7 @@ IPA.navigation = function(spec) { container.addClass('tabs'+depth); var ul = $('ul/').appendTo(container); +var created_count = 0; for (var i=0; itabs.length; i++) { var tab = tabs[i]; @@ -234,13 +235,14 @@ IPA.navigation = function(spec) { if (!tab.label) { tab.label = entity.label; } +created_count += 1; } var tab_li =$('li/').append($('a/', { href: '#'+tab_id, title: tab.label, html: tab.label -})).appendTo(ul); +})); if (tab.hidden){ tab_li.css('display','none'); @@ -249,12 +251,22 @@ IPA.navigation = function(spec) { tab.container = $('div/', { id: tab_id, name: tab.name -}).appendTo(container); +}); if (tab.children tab.children.length) { -that._create(tab.children, tab.container, depth+1); +var kids = +that._create(tab.children, tab.container, depth+1); +/*If there are no child tabs, remove the container */ +if (kids === 0){ +tabs.splice(i,1); +i -= 1; +continue; +} } +tab_li.appendTo(ul); +tab.container.appendTo(container); } +return created_count; }; that.update = function() { -- 1.7.5.2 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 212 Creating reverse zones from IP address.
A custom adder dialog has been added for DNS zones to simplify creating reverse zones from IP address. The dialog provides a checkbox which indicates whether the content of the zone name field is an IP address. The IP address will be used to generate the reverse zone name and email address. Ticket #1045 -- Endi S. Dewata From 11af2ad4c93121dcd565f58e9e6e8fa4f6a969f1 Mon Sep 17 00:00:00 2001 From: Endi S. Dewata edew...@redhat.com Date: Tue, 19 Jul 2011 11:11:36 -0500 Subject: [PATCH] Creating reverse zones from IP address. A custom adder dialog has been added for DNS zones to simplify creating reverse zones from IP address. The dialog provides a checkbox which indicates whether the content of the zone name field is an IP address. The IP address will be used to generate the reverse zone name and email address. Ticket #1045 --- install/ui/dns.js | 135 +++- install/ui/test/data/ipa_init.json | 55 +++ 2 files changed, 174 insertions(+), 16 deletions(-) diff --git a/install/ui/dns.js b/install/ui/dns.js index 7401926532fb44e4b3c0dd7e9b2feda206b82fe8..86aacb51bd4dd24c6f456bdd6410ab937151c0da 100644 --- a/install/ui/dns.js +++ b/install/ui/dns.js @@ -80,15 +80,148 @@ IPA.entity_factories.dnszone = function() { }). standard_association_facets(). adder_dialog({ +factory: IPA.dnszone_adder_dialog, +width: 500, +height: 300, fields: [ 'idnsname', +{ +factory: IPA.checkbox_widget, +name: 'name_from_ip', +undo: false +}, 'idnssoamname', 'idnssoarname', -{factory:IPA.force_dnszone_add_checkbox_widget}] +{ +factory: IPA.force_dnszone_add_checkbox_widget +} +] }). build(); }; +IPA.dnszone_adder_dialog = function(spec) { + +spec = spec || {}; + +var that = IPA.add_dialog(spec); + +that.create = function() { + +var table = $('table/').appendTo(that.container); + +var field = that.fields.get('idnsname'); +var tr = $('tr/').appendTo(table); + +var td = $('td/', { +style: 'vertical-align: top;', +title: field.label +}).appendTo(tr); + +td.append($('label/', { +text: field.label+':' +})); + +td = $('td/', { +style: 'vertical-align: top;' +}).appendTo(tr); + +var span = $('span/', { +name: field.name +}).appendTo(td); + +field.create(span); +field.field_span = span; + +field = that.fields.get('name_from_ip'); +tr = $('tr/').appendTo(table); + +td = $('td/', { +style: 'vertical-align: top;', +title: field.label +}).appendTo(tr); + +td = $('td/', { +style: 'vertical-align: top;' +}).appendTo(tr); + +span = $('span/', { +name: field.name +}).appendTo(td); + +td.append($('label/', { +text: field.label +})); + +field.create(span); +field.field_span = span; + +var fields = that.fields.values; +for (var i=0; ifields.length; i++) { +field = fields[i]; +if (field.name == 'idnsname' || field.name == 'name_from_ip') continue; +if (field.hidden) continue; + +tr = $('tr/').appendTo(table); + +td = $('td/', { +style: 'vertical-align: top;', +title: field.label +}).appendTo(tr); + +td.append($('label/', { +text: field.label+':' +})); + +td = $('td/', { +style: 'vertical-align: top;' +}).appendTo(tr); + +span = $('span/', { +name: field.name +}).appendTo(td); + +field.create(span); +field.field_span = span; +} +}; + +that.save = function(record) { + +var idnsname; +var name_from_ip; + +var fields = that.fields.values; +for (var i=0; ifields.length; i++) { +var field = fields[i]; + +if (field.name == 'idnsname') { + +idnsname = field.save()[0]; + +} else if (field.name == 'name_from_ip') { + +name_from_ip = field.save()[0]; +if (name_from_ip) { +record.name_from_ip = idnsname; +} else { +record.idnsname = idnsname; +} + +} else if (field.name == 'idnssoarname') { + +field.optional = name_from_ip; + +} else { +var values = field.save(); +record[field.name] = values.join(','); +} +} +
Re: [Freeipa-devel] [PATCH] 0271-no-dns.
Adam Young wrote: ack, works for me with and without dns rob ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0271-no-dns.
On 07/20/2011 12:44 PM, Rob Crittenden wrote: Adam Young wrote: ack, works for me with and without dns rob From 58b0745d1bf2c4541565b341eb94a279e059b734 Mon Sep 17 00:00:00 2001 From: Adam Young ayo...@redhat.com Date: Wed, 20 Jul 2011 11:43:41 -0400 Subject: [PATCH] no dns Remove all DNS entities if the DNS server is not installed. Removes it from the navigation as well. https://fedorahosted.org/freeipa/ticket/1498 move created count to last thing in the funciton. --- install/ui/dns.js|5 + install/ui/navigation.js | 18 +++--- 2 files changed, 20 insertions(+), 3 deletions(-) diff --git a/install/ui/dns.js b/install/ui/dns.js index 7401926532fb44e4b3c0dd7e9b2feda206b82fe8..58aeaddff84d3d93723a0cf081287ca2b32edcf2 100644 --- a/install/ui/dns.js +++ b/install/ui/dns.js @@ -117,6 +117,11 @@ IPA.dns_record_search_load = function (result) { }; IPA.entity_factories.dnsrecord = function() { + +if (!IPA.dns_enabled) { +throw DNS not enabled on server; +} + return IPA.entity_builder(). entity('dnsrecord'). containing_entity('dnszone'). diff --git a/install/ui/navigation.js b/install/ui/navigation.js index 25c519dcefd11b997765331ded37c66710ad17ed..be2936dca1a0e86e81658e23cbdb0fc3aca7a4de 100644 --- a/install/ui/navigation.js +++ b/install/ui/navigation.js @@ -217,6 +217,7 @@ IPA.navigation = function(spec) { container.addClass('tabs'+depth); var ul = $('ul/').appendTo(container); +var created_count = 0; for (var i=0; itabs.length; i++) { var tab = tabs[i]; @@ -240,7 +241,7 @@ IPA.navigation = function(spec) { href: '#'+tab_id, title: tab.label, html: tab.label -})).appendTo(ul); +})); if (tab.hidden){ tab_li.css('display','none'); @@ -249,12 +250,23 @@ IPA.navigation = function(spec) { tab.container = $('div/', { id: tab_id, name: tab.name -}).appendTo(container); +}); if (tab.children tab.children.length) { -that._create(tab.children, tab.container, depth+1); +var kids = +that._create(tab.children, tab.container, depth+1); +/*If there are no child tabs, remove the container */ +if (kids === 0){ +tabs.splice(i,1); +i -= 1; +continue; +} } +created_count += 1; +tab_li.appendTo(ul); +tab.container.appendTo(container); } +return created_count; }; that.update = function() { -- 1.7.5.2 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [WIP] ipapython/iputil.py refactoring for better cross-platform support
Hi, On 19.07.2011 16:36, Alexander Bokovoy wrote: I believe that nss-pam-ldapd uses a different configuration file than nss_ldap, I think I'd rather use the existence of that to determine what is being used. Calling out to rpm seems heavy-weight. In continuation of the same story, ticket 1368 asks for propagating hostname into static configuration (/etc/sysconfig/network, HOSTNAME variable on Red Hat systems). This is an example of system-specific common code where we want to ensure configuration is made and backed up but we don't care what is configuration's location and format. I.e. perfect example to write platform-specific support. I'm going to rework ipautil into providing common functions and loading platform-specific ones from separate files so that we can have Red Hat or Fedora (or LSB) platforms, Debian-based platforms and so on. Remeber, this is for ipa-client-install so some flexibility is welcomed here. I'll try to avoid using package management tools in such platform-specific code as much as possible also to avoid lock conflicts (if something is being installed in background you might get locked when asking a package database). We don't need to do platform detection at runtime as that is could be deferred to package maintainers. After all, IPA most likely will be packaged and ipa-client-install will come from such a package. Thus, providing proper ipautil-system.py file can be done as packaging effort. Attached is a first cut for the refactoring. It introduces ipapython.services which is a container for service- and platform-specific methods and classes that would require different behavior depending on a distribution in question. I moved existing code to ipapython/platform/redhat.py. ipapython/services.py is auto-generated and basically is one-liner: = from ipapython.platform.platform import * = Actual platform value is substituted using top-level Makefile's SUPPORTED_PLAFTORM= variable (defaults to 'redhat', can be redefined without modifying Makefile, in package building scripts, for example) and then ipapython/services.py is generated from ipapython/services.py.in I have converted all users of ipapython.iputil to a new interface but haven't really tested the code yet apart from make dist and make-lint. As it is work in progress, all comments and suggestions are welcome! -- / Alexander Bokovoy From 8ab1740193ffca750658c27c957d00b8de1eabf6 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy aboko...@redhat.com Date: Wed, 20 Jul 2011 20:20:22 +0300 Subject: [PATCH] First phase of iputil refactoring: introduce ipapython.services and ipapython.platform --- Makefile |8 ++ install/tools/ipa-nis-manage | 11 ++- install/tools/ipa-replica-install |2 +- install/tools/ipa-server-install |7 +- ipa-client/ipa-install/ipa-client-install | 62 +--- ipapython/Makefile|4 +- ipapython/ipautil.py | 117 +--- ipapython/platform/__init__.py| 23 ++ ipapython/platform/redhat.py | 116 ipapython/setup.py.in |2 +- ipaserver/install/bindinstance.py |2 +- ipaserver/install/cainstance.py |4 +- ipaserver/install/certs.py|2 +- ipaserver/install/dsinstance.py |6 +- ipaserver/install/httpinstance.py |2 +- ipaserver/install/krbinstance.py |2 +- ipaserver/install/ntpinstance.py |4 +- ipaserver/install/service.py | 55 +++--- 18 files changed, 306 insertions(+), 123 deletions(-) create mode 100644 ipapython/platform/__init__.py create mode 100644 ipapython/platform/redhat.py diff --git a/Makefile b/Makefile index 6484dbbc9263e28b220d2819ad47baaf910ba5f1..9d8802587f9fa1130271d3824667d83b637ac9ee 100644 --- a/Makefile +++ b/Makefile @@ -8,6 +8,8 @@ PRJ_PREFIX=freeipa RPMBUILD ?= $(PWD)/rpmbuild TARGET ?= master +SUPPORTED_PLATFORM=redhat + # After updating the version in VERSION you should run the version-update # target. @@ -109,6 +111,12 @@ version-update: release-update ipa-client/ipa-client.spec.in ipa-client/ipa-client.spec sed -e s/__VERSION__/$(IPA_VERSION)/ ipa-client/version.m4.in \ ipa-client/version.m4 + + if [ $(SUPPORTED_PLATFORM) != ]; then \ + sed -e s/SUPPORTED_PLATFORM/$(SUPPORTED_PLATFORM)/ ipapython/services.py.in \ +ipapython/services.py; \ + fi + if [ $(SKIP_API_VERSION_CHECK) != yes ]; then \ ./makeapi --validate; \ fi diff --git a/install/tools/ipa-nis-manage b/install/tools/ipa-nis-manage index 3625ae03a79830cb832e0644f0954c5fe0e8e67b..63977da6a72bd35eb32e408c09914ef9888487ef 100755 --- a/install/tools/ipa-nis-manage +++
Re: [Freeipa-devel] [WIP] ipapython/iputil.py refactoring for better cross-platform support
On 20.07.2011 20:30, Alexander Bokovoy wrote: I moved existing code to ipapython/platform/redhat.py. ipapython/services.py is auto-generated and basically is one-liner: = from ipapython.platform.platform import * = Actual platform value is substituted using top-level Makefile's SUPPORTED_PLAFTORM= variable (defaults to 'redhat', can be redefined without modifying Makefile, in package building scripts, for example) and then ipapython/services.py is generated from ipapython/services.py.in The original patch misses ipapython/services.py.in. I'll update patch but the file is really one-liner (attached). -- / Alexander Bokovoy from ipapython.platform.SUPPORTED_PLATFORM import * ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0271-no-dns.
On 07/20/2011 12:51 PM, Adam Young wrote: On 07/20/2011 12:44 PM, Rob Crittenden wrote: Adam Young wrote: ack, works for me with and without dns rob ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel ACKed in IRC by Edewata and pushed to master ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [WIP] ipapython/iputil.py refactoring for better cross-platform support
On Wed, 2011-07-20 at 20:36 +0300, Alexander Bokovoy wrote: On 20.07.2011 20:30, Alexander Bokovoy wrote: I moved existing code to ipapython/platform/redhat.py. ipapython/services.py is auto-generated and basically is one-liner: = from ipapython.platform.platform import * = Actual platform value is substituted using top-level Makefile's SUPPORTED_PLAFTORM= variable (defaults to 'redhat', can be redefined without modifying Makefile, in package building scripts, for example) and then ipapython/services.py is generated from ipapython/services.py.in The original patch misses ipapython/services.py.in. I'll update patch but the file is really one-liner (attached). The direction looks good to me, please keep on. Simo. -- Simo Sorce * Red Hat, Inc * New York ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 212 Creating reverse zones from IP address.
On 07/20/2011 12:10 PM, Endi Sukma Dewata wrote: A custom adder dialog has been added for DNS zones to simplify creating reverse zones from IP address. The dialog provides a checkbox which indicates whether the content of the zone name field is an IP address. The IP address will be used to generate the reverse zone name and email address. Ticket #1045 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel ACK, but put in the space between the reverse checkbox line and the next row. Add a ticket for refactoring the dialogs to allow more layout options on a widget, so we can reduce the complexity of the code in the future. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [WIP] ipapython/iputil.py refactoring for better cross-platform support
On 07/20/2011 01:30 PM, Alexander Bokovoy wrote: Actualplatform value is substituted using top-level Makefile's SUPPORTED_PLAFTORM= variable (defaults to 'redhat', can be redefined without modifying Makefile, in package building scripts, for example) and then ipapython/services.py is generated from ipapython/services.py.in Why can't the platform be resolved at runtime instead of part of a static build? That would be more flexible wouldn't it? We would ship the same code in each release which is a win for robustness and reproducibility. I guess I don't see the advantage of static build time code selection in a language like Python. Earlier you said: I'll try to avoid using package management tools but since you're relying on build tools you're implicitly relying on package management tools. -- John Dennis jden...@redhat.com Looking to carve out IT costs? www.redhat.com/carveoutcosts/ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 212 Creating reverse zones from IP address.
On 7/20/2011 1:45 PM, Adam Young wrote: ACK, but put in the space between the reverse checkbox line and the next row. Add a ticket for refactoring the dialogs to allow more layout options on a widget, so we can reduce the complexity of the code in the future. New patch attached. -- Endi S. Dewata From 5d3dfc0b73aa6197a137714d4b4422eca324b31e Mon Sep 17 00:00:00 2001 From: Endi S. Dewata edew...@redhat.com Date: Tue, 19 Jul 2011 11:11:36 -0500 Subject: [PATCH] Creating reverse zones from IP address. A custom adder dialog has been added for DNS zones to simplify creating reverse zones from IP address. The dialog provides a checkbox which indicates whether the content of the zone name field is an IP address. The IP address will be used to generate the reverse zone name and email address. Ticket #1045 --- install/ui/dns.js | 142 +++- install/ui/test/data/ipa_init.json | 55 ++ 2 files changed, 181 insertions(+), 16 deletions(-) diff --git a/install/ui/dns.js b/install/ui/dns.js index 7401926532fb44e4b3c0dd7e9b2feda206b82fe8..e7c8801060e7a64b96b0d12af88674a78b8d5504 100644 --- a/install/ui/dns.js +++ b/install/ui/dns.js @@ -80,15 +80,155 @@ IPA.entity_factories.dnszone = function() { }). standard_association_facets(). adder_dialog({ +factory: IPA.dnszone_adder_dialog, +width: 500, +height: 300, fields: [ 'idnsname', +{ +factory: IPA.checkbox_widget, +name: 'name_from_ip', +undo: false +}, 'idnssoamname', 'idnssoarname', -{factory:IPA.force_dnszone_add_checkbox_widget}] +{ +factory: IPA.force_dnszone_add_checkbox_widget +} +] }). build(); }; +IPA.dnszone_adder_dialog = function(spec) { + +spec = spec || {}; + +var that = IPA.add_dialog(spec); + +that.create = function() { + +var table = $('table/').appendTo(that.container); + +var field = that.fields.get('idnsname'); +var tr = $('tr/').appendTo(table); + +var td = $('td/', { +style: 'vertical-align: top;', +title: field.label +}).appendTo(tr); + +td.append($('label/', { +text: field.label+':' +})); + +td = $('td/', { +style: 'vertical-align: top;' +}).appendTo(tr); + +var span = $('span/', { +name: field.name +}).appendTo(td); + +field.create(span); +field.field_span = span; + +field = that.fields.get('name_from_ip'); +tr = $('tr/').appendTo(table); + +td = $('td/', { +style: 'vertical-align: top;', +title: field.label +}).appendTo(tr); + +td = $('td/', { +style: 'vertical-align: top;' +}).appendTo(tr); + +span = $('span/', { +name: field.name +}).appendTo(td); + +td.append($('label/', { +text: field.label +})); + +field.create(span); +field.field_span = span; + +tr = $('tr/').appendTo(table); + +td = $('td/', { +colspan: 2, +html: 'nbsp;' +}).appendTo(tr); + +var fields = that.fields.values; +for (var i=0; ifields.length; i++) { +field = fields[i]; +if (field.name == 'idnsname' || field.name == 'name_from_ip') continue; +if (field.hidden) continue; + +tr = $('tr/').appendTo(table); + +td = $('td/', { +style: 'vertical-align: top;', +title: field.label +}).appendTo(tr); + +td.append($('label/', { +text: field.label+':' +})); + +td = $('td/', { +style: 'vertical-align: top;' +}).appendTo(tr); + +span = $('span/', { +name: field.name +}).appendTo(td); + +field.create(span); +field.field_span = span; +} +}; + +that.save = function(record) { + +var idnsname; +var name_from_ip; + +var fields = that.fields.values; +for (var i=0; ifields.length; i++) { +var field = fields[i]; + +if (field.name == 'idnsname') { + +idnsname = field.save()[0]; + +} else if (field.name == 'name_from_ip') { + +name_from_ip = field.save()[0]; +if (name_from_ip) { +record.name_from_ip = idnsname; +} else { +record.idnsname = idnsname; +} + +} else if (field.name == 'idnssoarname') { + +field.optional = name_from_ip; + +} else { +
Re: [Freeipa-devel] [PATCH] 212 Creating reverse zones from IP address.
On 07/20/2011 03:01 PM, Endi Sukma Dewata wrote: On 7/20/2011 1:45 PM, Adam Young wrote: ACK, but put in the space between the reverse checkbox line and the next row. Add a ticket for refactoring the dialogs to allow more layout options on a widget, so we can reduce the complexity of the code in the future. New patch attached. ACK. Pushed to master ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0270-removing-setters-setup-and-init
On 7/19/2011 6:38 PM, Adam Young wrote: Missed a change to fix the unit tests. I haven't finished testing it, but here are some issues: 1. If DNS is disabled, the DNS zone entity throws an uncaught exception so the execution stops. 2. In add.js:41 the IPA.nav.show_entity_page() takes an array of primary keys instead of just a single primary key. 3. The metadata can be accessed in a simpler way, so instead of this: var pkey_name = IPA.metadata.objects[that.entity.name].primary_key; we can use this: var pkey_name = that.entity.metadata.primary_key; 4. The parentheses in association.js:718 is not necesary: spec = ({ name: spec }); 5. The combobox_open.png.white got added into the patch. 6. The author list got changed in entity.js. 7. In IPA.details_section.create() the div got changed into span and the details-field removed class got deleted. 8. Triggering a stack trace by calling null function probably will only work with Firebug, normal users will not get any notification about the error. This happens in dialog.js:301 and widget.js:1137. 9. The code related to HBAC access time got removed. I think when we deferred this feature last time we decided to comment out the code but not delete it. 10. The expand/collapse all in details facet no longer works. 11. There are some whitespace warnings. -- Endi S. Dewata ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [WIP] ipapython/iputil.py refactoring for better cross-platform support
On 20.07.2011 21:59, John Dennis wrote: On 07/20/2011 01:30 PM, Alexander Bokovoy wrote: Actualplatform value is substituted using top-level Makefile's SUPPORTED_PLAFTORM= variable (defaults to 'redhat', can be redefined without modifying Makefile, in package building scripts, for example) and then ipapython/services.py is generated from ipapython/services.py.in Why can't the platform be resolved at runtime instead of part of a static build? That would be more flexible wouldn't it? We would ship the same code in each release which is a win for robustness and reproducibility. I guess I don't see the advantage of static build time code selection in a language like Python. The reason for it is that runtime platform selection simply gives no advantages in IPA case. A typical deployment is a distribution of a prepared package to multiple clients, not building freeipa code on every single client with a purpose to run ipa-client-install on it. At this point we already know the platform. Replacing this knowledge with run-time detection that can go wrong and would require more extensive knowledge and effort to verify that platform is detected reliably isn't really productive. Earlier you said: I'll try to avoid using package management tools but since you're relying on build tools you're implicitly relying on package management tools. I was talking about using package management tools in runtime where one would incur computational costs. In proposed solution I'm trying to delegate a decision point to a package maintainer or a developer which already knows a platform s/he works with. There is no runtime overhead at all and single make SUPPORTED_PLATFORM=foobar would be equivalent to already utilised make -- / Alexander Bokovoy ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0270-removing-setters-setup-and-init
On 7/20/2011 2:50 PM, Adam Young wrote: 8. Triggering a stack trace by calling null function probably will only work with Firebug, normal users will not get any notification about the error. This happens in dialog.js:301 and widget.js:1137. Gonna leave this, as we will catch things in development, and it won't happen on the live servers. These are never reach type conditions. Would it be better to throw an exception instead? Still not done, but here are new findings: 12. The search filter doesn't work initially. Reload the UI main page, (make sure there's no URL parameters), enter a filter, then hit Enter or click the icon, there's nothing happening. Go to another tab, then come back to the main page. Now the filter will work. 13. The 'other_entity' still contains entity name instead of entity object. One solution for the circular dependency problem is to create all entity objects first, then create the facets dialogs in the second stage. This requires simple modification to the entity_factories. 14. The comment move into the table_widget on association.js:710 might not be correct. I think we should try to reuse IPA.association_table_widget inside IPA.association_facet. 15. The assignment on association.js:733 is unused: var entity = that.entity; 16. Commented code in details.js:459 can be deleted. 17. The code in dialog.js lines 489 and 496 can be combined into: that.external_field = $('input/', { ... }).appendTo(external_panel); 18. Since the layout support is dropped, the install/ui/layouts can be removed as well. -- Endi S. Dewata ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 34 Create FreeIPA CLI Plugin for the 389 Auto Membership plugin
On Jul 20, 2011, at 8:37 AM, Rob Crittenden wrote: JR Aquino wrote: On Jul 15, 2011, at 7:55 AM, Rob Crittenden wrote: Martin Kosek wrote: On Thu, 2011-07-14 at 23:05 +, JR Aquino wrote: On Jul 14, 2011, at 11:55 AM, wrote: https://fedorahosted.org/freeipa/ticket/1272 * Added new container in etc to hold the automembership configs. * Modified constants to point to the new container * Modified dsinstance to create the container * Modified hostgroup.py to add the new commands * Added xmlrpc test to verify functionality Minor adjustment: Auto Membership Plugin isn't available until 1.2.9-0.2+ Modified freeipa.spec.in: BuildRequires: 389-ds-base-devel= 1.2.9-0.2 I have reviewed your patch. Basic functionality is OK but I have some concerns. 1) I am not sure with the command name, it is not really clear to me what this command does. But I know from my experience that inventing a cool name for something new may be the most difficult task at all :-) Maybe command name hostgrouprule or hostgroupauto would be more clear? Perhaps my example docs were too soft with fqdn=^www[1-9]+\.example\.com etc.. I should 'clarify'... perhaps what I need to do is add more useful information to the doc, for example If I were to add to the doc area examples where hostnames are like: w[1-9]+s2r8\.example\.com The real reason for the usefulness of this technology, is in SaaS, Cloud, and Cluster environments, where the hostnames tend to be non-human readable, and more like a serial number detailing their function, their rack location, or their vm-instance, etc... It is because of those scenarios that caused me so much grief as a security engineer trying to assign rights that it became clear that I could just define the reproducible pattern to match assignment into a host group. The hostnames needed clarity in order to understand where they belonged in the network. I'll give it one more chance to pass the censors since I've been internally calling it clarity for the last 2 1/2 years that I've been using it... 2) Overloading execute method in functions hostgroupclarity_add_condition and hostgroupclarity_remove_condition is an over-kill for me. I think we could just read current inclusive/exclusive regexes in pre_callback, modify them and let LDAPUpdate class do the standard LDAP operations. I'll recode to perform the actions in a pre_callback. 3) I miss hostgroupclarity-mod module. What would I do if I want to update Description? Thank you for catching this, I will add it. 4) I didn't like this construct in the code, its error prone to potential future parameter changes. +if len(options) == 2: # 'all' and 'raw' are always sent +raise errors.EmptyModlist() I know it's in baseldap.py but I still wouldn't like to see this in plugins. I should be able to omit that once the code is located in the pre_callback. 5) Test test_clarityrule_plugin.py: reference to inexistent python module: +Test the `ipalib/plugins/clarityrule.py` module. Thank you, that is left over from a previous attempt. I will remove it. Then I did some real testing of the new command: 6) Invalid examples, fqdn is not supposed to be a part of regex $ ipa hostgroupclarity-add --inclusive-hostname-regex=fqdn=^www[1-9]+\.example\.com webservers Hostgroup Clarity Rule: webservers Inclusive Regex: fqdn=fqdn=^www[1-9]+.example.com Also an oversight, thanks, I will correct it. 7) It does not make sense to have a rule with only an exclusive regex: $ ipa hostgroupclarity-add --exclusive-hostname-regex=^www5+\.example\.com webservers Hostgroup Clarity Rule: webservers $ ipa host-add --force foo.example.co $ ipa hostgroup-show webservers Host-group: webservers Description: Web Servers Member hosts: www1.example.com I think we should 1) hide exclusive regex option in hostgroupclarity-add and 2) check that there is at least one inclusive regex in the rule when running hostgroupclarity-add-condition and hostgroupclarity-remove-condition. I agree, I'll hide it during the creation, and force it to require an inclusive prior to adding an exclusive. 8) Plugin incorrectly handles a situation when both inclusive and exclusive regex-es are being added: $ ipa hostgroupclarity-add --inclusive-hostname-regex=^www[1-9]+\.example\.com webservers Hostgroup Clarity Rule: webservers Inclusive Regex: fqdn=^www[1-9]+.example.com $ ipa hostgroupclarity-add-condition --inclusive-hostname-regex=^web[1-9]+\.example\.com --exclusive-hostname-regex=www5\.example\.com webservers Inclusive Regex: fqdn=^web[1-9]+.example.com, fqdn=^www[1-9]+.example.com Exclusive Regex: www5.example.com Exclusive regex misses fqdn. Will look into this. 9) Removing multiple conditions also works incorrectly: $ ipa hostgroupclarity-show webservers Hostgroup Clarity Rule:
Re: [Freeipa-devel] [PATCH] 0270-removing-setters-setup-and-init
On 7/20/2011 9:18 PM, Adam Young wrote: 8. Triggering a stack trace by calling null function probably will only work with Firebug, normal users will not get any notification about the error. This happens in dialog.js:301 and widget.js:1137. Gonna leave this, as we will catch things in development, and it won't happen on the live servers. These are never reach type conditions. Would it be better to throw an exception instead? Possibly. This code is going to get caught by the catch block in ipa.js get_entity anyway, so there is not much difference. Let's use the more common way to report error, which in this case throw an exception rather than invoking null function to do the same thing. We can attach useful information there even though it's only for development. 12. The search filter doesn't work initially. Reload the UI main page, (make sure there's no URL parameters), enter a filter, then hit Enter or click the icon, there's nothing happening. Go to another tab, then come back to the main page. Now the filter will work. Fixed. Was a pre existing problem in navigation.js, around line 115 It's still not working, now there's a js error in navigation.js:129. -- Endi S. Dewata ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 34 Create FreeIPA CLI Plugin for the 389 Auto Membership plugin
Rob, I'm afraid I believe that ldap lookup is necessary. The user inputs a standard string to represent the possible host group… If i simply perform a get_dn it will indeed provide a dn, however, it won't verify that the host group actually exists… (you don't want to create an assignment rule for a non existent target host group) Martin, (except for the name Clarity), I have addressed your observations in this latest patch. Could you please have a look and let me know if there is anything else I need to take care of? Good point about the LDAP lookup. This looks a lot better but there are still a few issues: If group_dn is in the object then you can use self.obj.handle_not_found(*keys) for the NotFound. Ok, I will give that a shot! Or if it can't be moved, in the calls to group_dn() you can use the ldap handle passed into pre_callback. I guess you are using the includetype tuple to avoid coding long variable names everywhere? Would a symbol be better, eg: INCLUDE_RE = 'automemberinclusiveregex' EXCLUDE_RE = 'automemberexclusiveregex' That works, I'll swap em. Is there a way to validate the regex? Now that you mention it, I believe if I import re, we should be able to validate the initial regex and raise an exception if it is bogus. If we were to add an equivalent user group handler would it be the same code in add_condition and remove_condition? It is sort of nice to have everything together at the moment, I suspect it will need to be generalized at some point. Well. For the groups, I was thinking it starts to get a little different. I would still reuse the condition, but I believe I would pivot users into groups based upon something like their manager? Adding a clarity with no rules won't let you add rules: # ipa hostgroup-add --desc=hg1 hg1 # ipa hostgroupclarity-add hg1 # ipa hostgroupclarity-add-condition --exclusive-hostname-regex=^web5\.example\.com hg1 ipa: ERROR: no modifications to be performed This ^ is deliberate, you cannot add an exclusion rule if there is no existing or simultaneous inclusive rule. :) Martin asked for that, and I think its wise. The way you explained clarity today in IRC, how it brings clarity to managing membership with names no human can grok, I got it. Still, clarity is a bit awkward as a name. automember might be a better choice. Fair enough ;) I tried, perhaps I can /allude/ to it in the help / docs. automember it is. One final class I have been struggling with that I want to add… The object and attribute which defines the 'default group' is the parent of the actual rules… i.e. cn=hostgroup,cn=automember,cn=etc… The ipa cli seems to only want to let me make mods that assume I am specifying a target object on the cli… ipa hostgroupautomember-default-group=foo rulename - in this scenario, we don't actually want or need a rule name because its the container above… I have had success making the writes, but the cli syntax just doesn't lend itself to that level of abstraction… Any suggestions? ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 213 Removed entitlement registration UUID field.
The UUID field has been removed from the entitlement registration dialog box because it's currently not supported. The code has been modified not to send empty UUID value should this become supported in the future. Ticket #1506 -- Endi S. Dewata From bf72a8817b43172dd28d06bd3f4249153ac591e3 Mon Sep 17 00:00:00 2001 From: Endi S. Dewata edew...@redhat.com Date: Wed, 20 Jul 2011 22:31:37 -0500 Subject: [PATCH] Removed entitlement registration UUID field. The UUID field has been removed from the entitlement registration dialog box because it's currently not supported. The code has been modified not to send empty UUID value should this become supported in the future. Ticket #1506 --- install/ui/entitle.js | 11 --- 1 files changed, 8 insertions(+), 3 deletions(-) diff --git a/install/ui/entitle.js b/install/ui/entitle.js index b3b09e562f078be33e8a4a0913bc8d1f4b8cfdcd..cd41649092234d11d295ac4512436c6591eceebb 100644 --- a/install/ui/entitle.js +++ b/install/ui/entitle.js @@ -131,12 +131,14 @@ IPA.entity_factories.entitle = function() { label: IPA.get_method_option('entitle_register', 'password').label, type: 'password', undo: false -}, +} +/* currently not supported { name: 'ipaentitlementid', label: IPA.get_method_option('entitle_register', 'ipaentitlementid').label, undo: false } +*/ ] }). dialog({ @@ -254,8 +256,7 @@ IPA.entitle.entity = function(spec) { method: 'register', args: [ username ], options: { -password: password, -ipaentitlementid: ipaentitlementid +password: password }, on_success: function(data, text_status, xhr) { that.status = IPA.entitle.online; @@ -266,6 +267,10 @@ IPA.entitle.entity = function(spec) { on_error: on_error }); +if (ipaentitlementid) { +command.set_option('ipaentitlementid', ipaentitlementid); +} + command.execute(); }; -- 1.7.5.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel