Re: [Freeipa-devel] [PATCH] 843 reduce dogtag install time
On Mon, 2011-08-01 at 23:03 -0400, Adam Young wrote:

On 08/01/2011 10:26 PM, Adam Young wrote:

On 08/01/2011 03:19 PM, Rob Crittenden wrote:

Ade Lee from the dogtag team looked at our installer and found that we restarted the pki-cad process too many times. Re-arranging some code allows us to restart it just once. The new config time for dogtag is 3 1/2 minutes, down from about 5 1/2. Ade is working on improvements in pki-silent as well which can bring the overall install time to 90 seconds. If we can get a change in SELinux policy we're looking at 60 seconds. This patch just contains the reworked installer part. Once an updated dogtag is released we can update the spec file to pull it in.

rob

___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel

Disregard: same thing seems to be happening without this patch.

Something is wrong. When I installed this patch, the browser works fine in a clean mode (never before initialized). However, if the browser already has a certificate from the server, in the past I was able to go into Edit-preferences-advanced-Certificates, and remove both the server and the CA certificate, and then restart the browser. That does not work now. I just get the message:

Secure Connection Failed

An error occurred during a connection to server15.ayoung.boston.devel.redhat.com. You have received an invalid certificate. Please contact the server administrator or email correspondent and give them the following information: Your certificate contains the same serial number as another certificate issued by the certificate authority. Please get a new certificate containing a unique serial number. (Error code: sec_error_reused_issuer_and_serial) The page you are trying to view can not be shown because the authenticity of the received data could not be verified. Please contact the web site owners to inform them of this problem. Alternatively, use the command found in the help menu to report this broken site.

Restarting IPA made no difference. The browser does not provide a lot of info in which to debug this. I'll try again without the patch and see if there is a difference.

In Firefox 5 I also have to clear browser cache along with removing certificates to get rid of 'sec_error_reused_issuer_and_serial'.

Petr
Re: [Freeipa-devel] [PATCH] 843 reduce dogtag install time
On 08/03/2011 12:32 PM, Petr Vobornik wrote:
> In Firefox 5 I also have to clear browser cache along with removing certificates to get rid of 'sec_error_reused_issuer_and_serial'.

Also, while testing multiple instances of dogtag, IMO, it's better to have a clean FF profile (or ensure to have the security domain name be unique for each CA). Delete the old profile and create a new profile.

---
# firefox -ProfileManager
---

Or invoke it with a certain new profile..

---
# firefox -P foobar
---

-- /kashyap
[Freeipa-devel] [PATCH] 105 Improve error message in ipactl
If a hostname configured in /etc/ipa/default.conf is changed and is different from the one stored in LDAP in cn=ipa,cn=etc,$SUFFIX, ipactl gives an unintelligible error. This patch improves the error message and also offers a list of configured masters so that the hostname setting in IPA configuration can be easily fixed.

https://fedorahosted.org/freeipa/ticket/1558

From 386836c7cfd6ef30857ef5c38d059fb784c7a0eb Mon Sep 17 00:00:00 2001
From: Martin Kosek mko...@redhat.com
Date: Wed, 3 Aug 2011 12:44:46 +0200
Subject: [PATCH] Improve error message in ipactl

If a hostname configured in /etc/ipa/default.conf is changed and is different from the one stored in LDAP in cn=ipa,cn=etc,$SUFFIX, ipactl gives an unintelligible error. This patch improves the error message and also offers a list of configured masters so that the hostname setting in IPA configuration can be easily fixed.

https://fedorahosted.org/freeipa/ticket/1558
---
 install/tools/ipactl | 23 ++-
 1 files changed, 22 insertions(+), 1 deletions(-)

diff --git a/install/tools/ipactl b/install/tools/ipactl
index a9445170f556eb419514d41087d6b305360b89d4..f43c2e3291531539dabb1241fbbb37a8b680c771 100755
--- a/install/tools/ipactl
+++ b/install/tools/ipactl
@@ -25,6 +25,7 @@ try: from ipapython import sysrestore from ipapython import config from ipalib import api, errors +from ipalib.dn import DN import logging import ldap import ldap.sasl
@@ -88,6 +89,25 @@ def get_config(): # LSB status code 3: program is not running raise IpactlError(Failed to get list of services to probe status:\n + Directory Server is stopped, 3) +except ldap.NO_SUCH_OBJECT: +masters_list = [] +dn = str(DN('cn=masters,cn=ipa,cn=etc,%s' % api.env.basedn)) +attrs = ['cn'] +try: +entries = con.search_s(dn, +ldap.SCOPE_ONELEVEL, +attrlist=attrs,) +except Exception, e: +masters_list.append(No master found because of error: %s % str(e)) +else: +for dn,master_entry in entries: +masters_list.append(master_entry.get('cn', [None])[0]) + +masters = \n.join(masters_list) + +raise IpactlError(Failed to get list of services to probe status!\n + Configured hostname '%s' does not match any master server in LDAP:\n%s + % (api.env.host, masters)) except Exception, e: raise IpactlError(Unknown error when retrieving list of services from LDAP: + str(e)) @@ -296,7 +316,8 @@ def main(): api.finalize() if '.' not in api.env.host: -raise IpactlError(Invalid hostname, must be fully-qualified) +raise IpactlError(Invalid hostname '%s' in IPA configuration!\n + The hostname must be fully-qualified % api.env.host) if args[0].lower() == start: ipa_start() -- 1.7.6 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
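Review bot: in the new `except ldap.NO_SUCH_OBJECT:` branch the loop `for dn,master_entry in entries:` rebinds `dn`, which a few lines earlier holds the `cn=masters,...` search base; harmless today, but use a throwaway name (`for _dn, master_entry in entries:`) so nobody later formats the search base into the message and gets the last master's DN instead. Also, when the search succeeds but `cn=masters` has no children, `masters` is the empty string and the error ends with a bare colon; add an explicit "no masters configured" line for that case. Catching bare `Exception` around `search_s` and folding `str(e)` into the error text is acceptable for a CLI, but it hides a permissions or bind problem behind "No master found because of error", so consider logging the original exception as well.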
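Review bot: `'.' not in api.env.host` only catches the missing-domain case; an IP literal such as `192.0.2.1` or a name with a trailing dot would pass this test and still fail later in the LDAP lookup. That is pre-existing behaviour, so fine for this patch, but since the hostname is now echoed in the message it would help to say what was actually checked, e.g. "The hostname must be fully-qualified (contain a domain part)", so users do not reach for the wrong fix.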
Re: [Freeipa-devel] [PATCH] 34 Create FreeIPA CLI Plugin for the 389 Auto Membership plugin
On Aug 2, 2011, at 5:55 AM, Rob Crittenden rcrit...@redhat.com wrote:
> JR Aquino wrote:
>> I am fairly opposed to removing 'default' attrs which the rules are applied to... I am happy to provide a means to override them. While it may be second nature for all of us to know that there is an fqdn attribute, etc, our consumers are likely not going to intrinsically know our schema. We also deliberately mask the real attribute names in the framework. (fqdn = Host name) Providing a default feels like a happy medium which allows for ease of use and somewhat of a safety belt against users defining an incorrect attribute name. It also might get somewhat tiring to constantly provide --key=fqdn every time you add a hostname regex?
>
> Ok, but when you display rules fqdn is displayed. How are users to know they shouldn't include fqdn= when removing existing rules?

I guess my preference would be to heavily document, in the example, the plugin, and the docs... My concern is that without a default, a typo in the attr would produce unintended results. Without a schema checker, it's kinda tough to take an attr at face value from a user. Does the python ldap implementation have a means to check schema in order to verify an attribute? The design of the automember plugin having the attr in the Regex does make for some complexity.
Re: [Freeipa-devel] [PATCH] 34 Create FreeIPA CLI Plugin for the 389 Auto Membership plugin
JR Aquino wrote:
> On Aug 2, 2011, at 5:55 AM, Rob Crittenden rcrit...@redhat.com wrote:
>> JR Aquino wrote:
>>> I am fairly opposed to removing 'default' attrs which the rules are applied to... I am happy to provide a means to override them. While it may be second nature for all of us to know that there is an fqdn attribute, etc, our consumers are likely not going to intrinsically know our schema. We also deliberately mask the real attribute names in the framework. (fqdn = Host name) Providing a default feels like a happy medium which allows for ease of use and somewhat of a safety belt against users defining an incorrect attribute name. It also might get somewhat tiring to constantly provide --key=fqdn every time you add a hostname regex?
>>
>> Ok, but when you display rules fqdn is displayed. How are users to know they shouldn't include fqdn= when removing existing rules?
>
> I guess my preference would be to heavily document, in the example, the plugin, and the docs... My concern is that without a default, a typo in the attr would produce unintended results. Without a schema checker, it's kinda tough to take an attr at face value from a user. Does the python ldap implementation have a means to check schema in order to verify an attribute? The design of the automember plugin having the attr in the Regex does make for some complexity.

We do have a schema checker. You can test for existence of an attribute with something like:

    import ldap as _ldap

    # `ldap` here is the IPA LDAP backend object; its `schema` attribute is a
    # python-ldap SubSchema, and get_obj() returns None for an unknown name/OID
    obj = ldap.schema.get_obj(_ldap.schema.AttributeType, attr)
    if obj is None:
        # Error, no such attribute
        raise ValueError("no such attribute in schema: %s" % attr)

rob
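As an added example (not FreeIPA code, and not python-ldap's `SubSchema`, which the snippet above relies on), the following stand-alone validator parses a constructed `attributeTypes` subschema fragment, resolves a user-supplied attribute name or OID case-insensitively the way `SubSchema.get_obj` does, and applies that check to the `attr=regex` rule form discussed in this thread, so a typo such as `fqnd=` is rejected before it reaches the plugin. The `attr=regex` rule format, the default key `fqdn` and the OID shown for `fqdn` are assumptions for illustration.

```python
"""Check an attribute name against the LDAP subschema before using it as
an automember rule key.

Added example, not FreeIPA code. It stands in for python-ldap's
SubSchema.get_obj() with a small parser for RFC 4512 attributeTypes
definitions so it runs without a directory server. The 'attr=regex' rule
form, the default key 'fqdn' and the OID given for fqdn are assumptions
for illustration.
"""
import re

# Constructed subschema fragment. cn and uid use their registered OIDs;
# the fqdn OID is a placeholder, not FreeIPA's.
ATTRIBUTE_TYPES = [
    "( 2.5.4.3 NAME ( 'cn' 'commonName' ) SUP name )",
    "( 0.9.2342.19200300.100.1.1 NAME ( 'uid' 'userid' ) "
    "EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )",
    "( 1.3.6.1.4.1.99999.1.1 NAME 'fqdn' DESC 'placeholder OID' "
    "EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )",
]

_OID_RE = re.compile(r"^\(\s*([0-9][0-9.]*)")
_NAME_RE = re.compile(r"\bNAME\s+(?:'([^']*)'|\(\s*((?:'[^']*'\s*)+)\))")
# A keyed rule: an attribute descriptor (RFC 4512 keystring) followed by '='.
_KEYED_RULE_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*)=(.*)$", re.S)


def build_name_index(attribute_types):
    """Map every NAME (lowercased) and the OID of each definition to the
    definition's first NAME, which is treated as the canonical spelling."""
    index = {}
    for definition in attribute_types:
        m_oid = _OID_RE.match(definition.strip())
        m_name = _NAME_RE.search(definition)
        if m_oid is None or m_name is None:
            raise ValueError("unparsable attributeType: %r" % definition)
        if m_name.group(1) is not None:
            names = [m_name.group(1)]          # NAME 'single'
        else:
            names = re.findall(r"'([^']*)'", m_name.group(2))  # NAME ( 'a' 'b' )
        canonical = names[0]
        index[m_oid.group(1)] = canonical
        for name in names:
            index[name.lower()] = canonical
    return index


def resolve_attribute(index, attr):
    """Return the canonical attribute name, or None when the schema has no
    such attribute (same contract as SubSchema.get_obj returning None).
    Lookup is case-insensitive, as LDAP attribute names are."""
    return index.get(attr.strip().lower())


def validate_rule(index, rule, default_key="fqdn"):
    """Split an automember rule into (canonical_attr, regex).

    If the rule starts with '<attr>=' that attribute is used, otherwise
    default_key. Unknown attributes and invalid regexes raise ValueError,
    so a typo such as 'fqnd=' is rejected instead of silently matching
    nothing. A regex that itself begins with 'word=' is ambiguous under
    this convention; that is the complexity the thread refers to.
    """
    m = _KEYED_RULE_RE.match(rule)
    if m is not None:
        key, pattern = m.group(1), m.group(2)
    else:
        key, pattern = default_key, rule
    canonical = resolve_attribute(index, key)
    if canonical is None:
        raise ValueError("unknown attribute %r in rule %r" % (key, rule))
    try:
        re.compile(pattern)
    except re.error as exc:
        raise ValueError("invalid regex %r in rule %r: %s" % (pattern, rule, exc))
    return canonical, pattern


if __name__ == "__main__":
    idx = build_name_index(ATTRIBUTE_TYPES)
    print(validate_rule(idx, r"fqdn=^web[0-9]+\.example\.com$"))
    print(validate_rule(idx, r"^db[0-9]+\.example\.com$"))
    for bad in (r"fqnd=^web.*", "userid=^a["):
        try:
            validate_rule(idx, bad)
        except ValueError as exc:
            print("rejected:", exc)
```

With a live server the `build_name_index` step would be replaced by the backend's `SubSchema` and `resolve_attribute` by `get_obj(AttributeType, key)`; the rule-splitting and rejection logic stays the same.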
[Freeipa-devel] [PATCH] 844 add netgroup to memberof association of hostgroups
Let hostgroups show that they are members of netgroups.

rob

freeipa-rcrit-844-memberof.patch
Description: application/mbox
[Freeipa-devel] [PATCH] 235 Linked entries in HBAC/sudo details page.
The association tables in HBAC/sudo details page have been modified to link the entries to the appropriate details page. Ticket #1535 -- Endi S. Dewata From f2ddcc2b33d8bfddb34796ed7bf712708e33d735 Mon Sep 17 00:00:00 2001 From: Endi S. Dewata edew...@redhat.com Date: Wed, 3 Aug 2011 17:15:05 -0500 Subject: [PATCH] Linked entries in HBAC/sudo details page. The association tables in HBAC/sudo details page have been modified to link the entries to the appropriate details page. Ticket #1535 --- install/ui/association.js |3 ++- install/ui/hbac.js| 24 +--- install/ui/rule.js|5 ++--- install/ui/sudo.js| 16 +--- 4 files changed, 14 insertions(+), 34 deletions(-) diff --git a/install/ui/association.js b/install/ui/association.js index 3c924549ff244d6ad86be95949eb2553dc8bcb8f..2c6a1d2003be0668b61b230b8317263b06a822a5 100644 --- a/install/ui/association.js +++ b/install/ui/association.js @@ -320,7 +320,8 @@ IPA.association_table_widget = function (spec) { name: that.name, label: IPA.metadata.objects[that.other_entity].label, entity_name: that.other_entity, -primary_key: true +primary_key: true, +link: true }); } diff --git a/install/ui/hbac.js b/install/ui/hbac.js index 4e25123e4cd6c755d57a495347fb9a926e6f35bf..0e775aa0bf1213f8d9ce1aae9a342beeacf8d813 100644 --- a/install/ui/hbac.js +++ b/install/ui/hbac.js @@ -203,14 +203,10 @@ IPA.hbacrule_details_facet = function(spec) { function user_category_section(){ -var param_info = IPA.get_entity_param('hbacrule', 'usercategory'); - var section = IPA.rule_details_section({ name: 'user', -entity:that.entity, - +entity: that.entity, label: IPA.messages.objects.hbacrule.user, -text: param_info.doc+':', field_name: 'usercategory', options: [ { value: 'all', label: IPA.messages.objects.hbacrule.anyone }, 
@@ -242,13 +238,10 @@ IPA.hbacrule_details_facet = function(spec) { } function hostcategory_section(){ -var param_info = IPA.get_entity_param('hbacrule', 'hostcategory'); - var section = IPA.rule_details_section({ name: 'host', label: IPA.messages.objects.hbacrule.host, -entity:that.entity, -text: param_info.doc+':', +entity: that.entity, field_name: 'hostcategory', options: [ { value: 'all', label: IPA.messages.objects.hbacrule.any_host }, @@ -280,13 +273,10 @@ IPA.hbacrule_details_facet = function(spec) { } function servicecategory_section(){ -var param_info = IPA.get_entity_param('hbacrule', 'servicecategory'); - var section = IPA.rule_details_section({ name: 'service', -entity:that.entity, +entity: that.entity, label: IPA.messages.objects.hbacrule.service, -text: param_info.doc+':', field_name: 'servicecategory', options: [ { value: 'all', @@ -294,7 +284,7 @@ IPA.hbacrule_details_facet = function(spec) { { value: '', label: IPA.messages.objects.hbacrule.specified_services } ], -'tables': [ +tables: [ { field_name: 'memberservice_hbacsvc' }, { field_name: 'memberservice_hbacsvcgroup' } ] @@ -319,14 +309,10 @@ IPA.hbacrule_details_facet = function(spec) { } function sourcehostcategory_section(){ - -var param_info = IPA.get_entity_param('hbacrule', 'sourcehostcategory'); - var section = IPA.rule_details_section({ name: 'sourcehost', -entity:that.entity, +entity: that.entity, label: IPA.messages.objects.hbacrule.sourcehost, -text: param_info.doc+':', field_name: 'sourcehostcategory', options: [ { value: 'all', label: IPA.messages.objects.hbacrule.any_host }, diff --git a/install/ui/rule.js b/install/ui/rule.js index 3398f245da94f8399a0daff4e2864d8ce0e6c753..44f037f16446cdb354789f708c31d3d5ed096b03 100644 --- a/install/ui/rule.js +++ b/install/ui/rule.js 
@@ -28,7 +28,6 @@ IPA.rule_details_section = function(spec) { var that = IPA.details_section(spec); -that.text = spec.text; that.field_name = spec.field_name; that.options = spec.options || []; that.tables = spec.tables || []; @@ -38,11 +37,11 @@ IPA.rule_details_section = function(spec) { that.container = container; -if (that.text) container.append(that.text); - var field = that.get_field(that.field_name); var param_info = IPA.get_entity_param(that.entity.name, that.field_name); +
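Review bot: in the association.js hunk `link: true` is set unconditionally on the column, so every `other_entity` shown in an HBAC/sudo association table must have a details facet to navigate to; the tables in the servicecategory context (`memberservice_hbacsvc`, `memberservice_hbacsvcgroup`) now produce links as well, so confirm those entities have details pages or the click lands nowhere. If some tables should stay plain, make it `link: spec.link !== undefined ? spec.link : true` so callers can opt out.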
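Review bot: the four hbac.js hunks remove `text: param_info.doc+':'` from every section and the rule.js hunk deletes `that.text` and `container.append(that.text)` while fetching `param_info` inside the section; the patch as posted is cut off right after the `param_info` lookup, so it does not show rule.js re-appending `param_info.doc`, and the commit message does not mention the change. Please confirm the description text still renders, and note in the commit message that the `'tables'` to `tables` and `entity:that.entity` to `entity: that.entity` edits are style cleanup unrelated to ticket 1535.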
[Freeipa-devel] [PATCH 34/34] ticket 1568 - DN objects should support the insert method
Add dn.insert() and update unittest -- John Dennis jden...@redhat.com Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From 3f4ea9affb47fc9cdbc9436b7e74437c3de6f344 Mon Sep 17 00:00:00 2001 From: John Dennis jden...@redhat.com Date: Wed, 3 Aug 2011 19:14:51 -0400 Subject: [PATCH 34/34] ticket 1568 - DN objects should support the insert method Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit Add dn.insert() and update unittest --- ipalib/dn.py | 30 +++--- tests/test_ipalib/test_dn.py |9 + 2 files changed, 36 insertions(+), 3 deletions(-) diff --git a/ipalib/dn.py b/ipalib/dn.py index 1311b6a..0eac711 100644 --- a/ipalib/dn.py +++ b/ipalib/dn.py @@ -1004,9 +1004,19 @@ class DN(object): dn[:] # Set the 2nd and 3rd RDN using slices (all are equivalent) -dn[1:3] = ('cn', 'Bob), ('dc', 'redhat.com') -dn[1:3] = [['cn', 'Bob], ['dc', 'redhat.com']] -dn[1:3] = RDN('cn', 'Bob), RDN('dc', 'redhat.com') +dn[1:3] = ('cn', 'Bob'), ('dc', 'redhat.com') +dn[1:3] = [['cn', 'Bob'], ['dc', 'redhat.com']] +dn[1:3] = RDN('cn', 'Bob'), RDN('dc', 'redhat.com') + +DN objects support the insert operation. + +dn.insert(i,x) is exactly equivalent to dn[i:i] = [x], thus the following +are all equivalent: + +dn.insert(i, ('cn','Bob')) +dn.insert(i, ['cn','Bob']) +dn.insert(i, RDN(('cn','Bob'))) +dn[i:i] = [('cn','Bob')] DN objects support equality testing and comparision. See RDN for the definition of the comparision method. 
@@ -1214,6 +1224,20 @@ class DN(object): return self +def insert(self, i, x): +''' +x must be a 2-value tuple or list promotable to an RDN object, +or a RDN object. + +dn.insert(i, x) is the same as s[i:i] = [x] + +When a negative index is passed as the first parameter to the +insert() method, the list length is added, as for slice +indices. If it is still negative, it is truncated to zero, as +for slice indices. +''' +self.rdns.insert(i, self._rdn_from_value(x)) + # The implementation of startswith, endswith, tailmatch, adjust_indices # was based on the Python's stringobject.c implementation diff --git a/tests/test_ipalib/test_dn.py b/tests/test_ipalib/test_dn.py index c647460..f4aa0aa 100644 --- a/tests/test_ipalib/test_dn.py +++ b/tests/test_ipalib/test_dn.py @@ -870,6 +870,15 @@ class TestDN(unittest.TestCase): slice_rdn = RDN(dn_slice[i]) self.assertEqual(slice_rdn, query_rdn) +# insert +dn = DN(self.rdn2) +dn.insert(0, self.rdn1) +self.assertEqual(dn, self.dn3) + +dn = DN(self.rdn1) +dn.insert(1, (self.attr2, self.value2)) +self.assertEqual(dn, self.dn3) + # Slices # Assign via RDN rdn_args = make_rdn_args(dn_low, dn_high, 'tuple', -- 1.7.4.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
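Review bot: the new insert() documentation in the class docstring shows `RDN(('cn','Bob'))` (one tuple argument) while the slice examples three lines above use `RDN('cn', 'Bob')` (two arguments); make the two consistent, or show both forms if the RDN constructor accepts both. The unbalanced quotes in the existing slice examples (`'Bob)`) are fixed in the same hunk, which is fine to fold in.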
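Review bot: in the `insert` method docstring, `dn.insert(i, x) is the same as s[i:i] = [x]` should read `dn[i:i] = [x]` to match the class docstring. The negative-index paragraph is accurate only because the work is delegated to `self.rdns.insert`, which inherits `list.insert` semantics; a one-line comment saying so would save the next reader from checking.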
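Review bot: the two new assertions in test_dn.py cover indices 0 and 1 with an RDN object and a tuple; add a negative index (`dn.insert(-1, ...)`), an index past the end (which `list.insert` clamps), the `['cn','Bob']` list form the docstring advertises, and a non-promotable value to assert whatever `_rdn_from_value` raises, since that is the input-validation path for user-supplied data.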
[Freeipa-devel] [PATCH 35/35] ticket 1569 - Test DN object non-latin Unicode support
The DN unittest was lacking a test for i18n. The unittest was updated to store Hello in Arabic with both utf-8 and unicode and verify the values could be properly retrieved and converted to dn string syntax. During the testing a few problems were discovered and corrected.

* passing in utf-8 caused an ASCII decode error because of Python's silly default encoding of ASCII. The fix was to explicitly use the utf-8 codec.
* there were a couple of places where encode/decode were not called correctly.
* the internal attr and value members of the AVA class were renamed to explicitly show they are stored as unicode.

Of course the unittest was updated as well.

-- John Dennis jden...@redhat.com Looking to carve out IT costs? www.redhat.com/carveoutcosts/

From 72162496282a496a1a0a947d770b0f9a95d373f0 Mon Sep 17 00:00:00 2001
From: John Dennis jden...@redhat.com
Date: Wed, 3 Aug 2011 19:26:19 -0400
Subject: [PATCH 35/35] ticket 1569 - Test DN object non-latin Unicode support
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit

The DN unittest was lacking a test for i18n. The unittest was updated to store Hello in Arabic with both utf-8 and unicode and verify the values could be properly retrieved and converted to dn string syntax. During the testing a few problems were discovered and corrected.

* passing in utf-8 caused an ASCII decode error because of Python's silly default encoding of ASCII. The fix was to explicitly use the utf-8 codec.
* there were a couple of places where encode/decode were not called correctly.
* the internal attr and value members of the AVA class were renamed to explicitly show they are stored as unicode.

Of course the unittest was updated as well.
---
 ipalib/dn.py | 38 ++---
 tests/test_ipalib/test_dn.py | 94 ++
 2 files changed, 116 insertions(+), 16 deletions(-)

diff --git a/ipalib/dn.py b/ipalib/dn.py
index 0eac711..dc3119d 100644
--- a/ipalib/dn.py
+++ b/ipalib/dn.py
@@ -19,8 +19,11 @@ from ldap.dn import str2dn, dn2str from ldap import DECODING_ERROR +import codecs import sys +utf8_codec = codecs.lookup('utf-8') + __all__ = ['AVA', 'RDN', 'DN'] ''' @@ -519,44 +522,47 @@ class AVA(object): if not isinstance(value, basestring): raise TypeError(value must be basestring, got %s instead % value.__class__.__name__) -attr = attr.decode('utf-8') -value = value.decode('utf-8') - -self._attr = attr -self._value = value +self.attr = attr +self.value = value def _get_attr(self): -return self._attr +return self._attr_unicode def _set_attr(self, new_attr): if not isinstance(new_attr, basestring): raise TypeError(attr must be basestring, got %s instead % new_attr.__class__.__name__) -self._attr = new_attr +if isinstance(new_attr, unicode): +self._attr_unicode = new_attr +else: +self._attr_unicode = utf8_codec.decode(new_attr)[0] attr = property(_get_attr, _set_attr) def _get_value(self): -return self._value +return self._value_unicode def _set_value(self, new_value): if not isinstance(new_value, basestring): raise TypeError(value must be basestring, got %s instead % new_value.__class__.__name__) -self._value = new_value +if isinstance(new_value, unicode): +self._value_unicode = new_value +else: +self._value_unicode = utf8_codec.decode(new_value)[0] value = property(_get_value, _set_value) def _to_openldap(self): -return [[(self._attr.encode('utf-8'), self._value.encode('utf-8'), self.flags)]] +return [[(self._attr_unicode.encode('utf-8'), self._value_unicode.encode('utf-8'), self.flags)]] def __str__(self): return dn2str(self._to_openldap()) def __getitem__(self, key): if isinstance(key, basestring): -if key == self._attr: -return self._value +if key == self._attr_unicode: +return self._value_unicode raise KeyError(\%s\ not found in %s % (key, self.__str__())) else: raise TypeError(unsupported type for AVA indexing, must be basestring; not %s % \ 
@@ -578,8 +584,8 @@ class AVA(object): if not isinstance(other, self.__class__): raise TypeError(expected AVA but got %s % (other.__class__.__name__)) -return self._attr.lower() == other.attr.lower() and \ -self._value.lower() == other.value.lower() +return self._attr_unicode.lower() == other.attr.lower() and \ +self._value_unicode.lower() == other.value.lower() def __cmp__(self, other): 'comparision is case insensitive, see __eq__ doc for explanation' @@ -587,10 +593,10 @@ class AVA(object): if not
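Review bot: in the AVA hunk, `_set_attr` and `_set_value` now carry the same str/unicode normalisation (`if isinstance(..., unicode) ... else utf8_codec.decode(...)[0]`); factor it into one helper so the two cannot drift. More importantly `utf8_codec.decode` is strict, so a non-UTF-8 byte string turns into a `UnicodeDecodeError` raised from a property assignment; either document that or catch it and re-raise a `ValueError` naming the attribute, since values coming back from LDAP search results are the likely source of bad bytes. Routing `__init__` through the properties (`self.attr = attr`) is the right move, as it leaves a single code path for validation and decoding.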
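Review bot: the `__eq__` hunk compares `self._attr_unicode.lower()` against `other.attr.lower()`, mixing the private member on one side with the property on the other; use `self.attr` on both sides so the comparison still works if the storage name changes again. The patch is cut off after `if not` in `__cmp__`, so the matching change there cannot be reviewed from this posting.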
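As an added example, not FreeIPA's `ipalib/dn.py` and not a substitute for python-ldap's `dn2str`, here is the bytes-versus-text handling the commit message describes, written for Python 3 where `str` is always text: attribute names and values arriving as UTF-8 bytes are decoded explicitly with the strict codec, and rendering follows RFC 4514 escaping so that a value containing `,` or `=` cannot be mistaken for an extra RDN. The Arabic greeting and the DN values are constructed test data.

```python
"""Text-normalising AVA/DN rendering with RFC 4514 escaping.

Added example, not FreeIPA's ipalib/dn.py. Python 3: str is text, bytes
are decoded explicitly with the strict UTF-8 codec, so nothing depends on
the interpreter's default encoding.
"""


def to_text(value):
    """Return value as str; bytes/bytearray are decoded as strict UTF-8."""
    if isinstance(value, str):
        return value
    if isinstance(value, (bytes, bytearray)):
        # strict decoding: invalid UTF-8 raises UnicodeDecodeError instead
        # of silently producing mojibake
        return bytes(value).decode("utf-8")
    raise TypeError("expected str or bytes, got %s" % type(value).__name__)


# Characters RFC 4514 section 2.4 requires to be backslash-escaped anywhere
# inside an attribute value.
_SPECIAL = frozenset(',+"\\<>;')


def escape_value(value):
    """Escape an attribute value for the string form of a DN.

    Non-ASCII text is emitted as-is (RFC 4514 permits raw UTF-8); only the
    special characters, a leading '#' or space, a trailing space and NUL
    are escaped.
    """
    text = to_text(value)
    last = len(text) - 1
    out = []
    for i, ch in enumerate(text):
        if ch == "\x00":
            out.append("\\00")
        elif ch in _SPECIAL:
            out.append("\\" + ch)
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        elif ch == "#" and i == 0:
            out.append("\\#")
        else:
            out.append(ch)
    return "".join(out)


def ava_to_str(attr, value):
    """Render one attribute=value pair; the attribute name is normalised too."""
    attr = to_text(attr)
    if not attr or attr != attr.strip():
        raise ValueError("malformed attribute name %r" % attr)
    return "%s=%s" % (attr, escape_value(value))


def dn_to_str(rdns):
    """rdns: sequence of (attr, value) pairs, most specific first."""
    return ",".join(ava_to_str(attr, value) for attr, value in rdns)


def count_rdns(dn_string):
    """Count RDNs in an escaped DN string, skipping escaped characters.

    Shows that escaping preserved structure: an unescaped ',' inside a
    value would be counted as an RDN separator.
    """
    n, i = 1, 0
    while i < len(dn_string):
        if dn_string[i] == "\\":
            i += 2      # skip the backslash and the character after it
            continue
        if dn_string[i] == ",":
            n += 1
        i += 1
    return n


if __name__ == "__main__":
    hello_arabic_utf8 = "مرحبا".encode("utf-8")     # constructed test value
    print(ava_to_str("cn", hello_arabic_utf8))
    injected = dn_to_str([("cn", "Bob,cn=admin"), ("dc", "example")])
    print(injected, "->", count_rdns(injected), "RDNs")
```

The same strictness applies in reverse: when parsing, a `\` followed by two hex digits must be decoded as a byte and the resulting byte run decoded as UTF-8 once, not per byte, which is exactly the kind of "encode/decode not called correctly" defect the commit message mentions.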