Re: [Freeipa-devel] [PATCH] 105 Improve error message in ipactl
On Wed, 2011-08-03 at 15:18 -0400, Rob Crittenden wrote: Martin Kosek wrote: If a hostname configured in /etc/ipa/default.conf is changed and is different from the one stored in LDAP in cn=ipa,cn=etc,$SUFFIX ipactl gives an unintelligible error. This patch improves the error message and also offers a list of configured master so that the hostname setting in IPA configuration can be easily fixed. https://fedorahosted.org/freeipa/ticket/1558 Ack, works fine. rob Pushed to master, ipa-2-0. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 106 Improve dnszone-add error message
Check that NS address passed in dnszone-add is a domain name and not an IP address. Make this clear also the parameter help. https://fedorahosted.org/freeipa/ticket/1567 From b74f96b9ee1e9d6c60622506ade2d42623b292a7 Mon Sep 17 00:00:00 2001 From: Martin Kosek mko...@redhat.com Date: Thu, 4 Aug 2011 09:59:01 +0200 Subject: [PATCH] Improve dnszone-add error message Check that NS address passed in dnszone-add is a domain name and not an IP address. Make this clear also the parameter help. https://fedorahosted.org/freeipa/ticket/1567 --- ipalib/plugins/dns.py |8 +++- 1 files changed, 7 insertions(+), 1 deletions(-) diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py index d50a9f6e8467ee294e61f5d96657bdc1ee6d5941..105678b23c9faae3cc34ffc9084fc37d9ca29265 100644 --- a/ipalib/plugins/dns.py +++ b/ipalib/plugins/dns.py @@ -109,6 +109,7 @@ from ipalib import Flag, Int, List, Str, StrEnum from ipalib.plugins.baseldap import * from ipalib import _, ngettext from ipapython import dnsclient +from ipapython.ipautil import valid_ip from ldap import explode_dn # supported resource record types @@ -318,7 +319,7 @@ class dnszone(LDAPObject): Str('idnssoamname', cli_name='name_server', label=_('Authoritative nameserver'), -doc=_('Authoritative nameserver.'), +doc=_('Authoritative nameserver domain name'), ), Str('idnssoarname', cli_name='admin_email', @@ -431,6 +432,11 @@ class dnszone_add(LDAPCreate): # Check nameserver has a forward record nameserver = entry_attrs['idnssoamname'] +# NS record must contain domain name +if valid_ip(nameserver): +raise errors.ValidationError(name='name-server', +error=unicode(_(Nameserver address is not a fully qualified domain name))) + if not 'ip_address' in options and not options['force']: is_ns_rec_resolvable(nameserver) -- 1.7.6 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 002 Fixed adding host without DNS reverse zone
new version attached On Fri, 2011-07-29 at 12:11 -0500, Endi Sukma Dewata wrote: On 7/29/2011 11:12 AM, Petr Vobornik wrote: There was a small error in add.js:162. Fixed! Nice job on the dialog boxes. There's a problem though, the Retry doesn't quite work. This is because 'this' object passed to IPA.error_dialog actually points to Ajax context instead of the IPA.command, so calling execute() on it will fail. Fixed When Ajax call returns, it passes a context via 'this' object to the callback function. The object might contain some useful information which we would not be able to get any other way. The original code tries to maintain the context by passing 'this' object along the chain using call(). Feel free to add comments in the code to clarify this. So in dialog_open() you should pass 'that' into the 'command' parameter. You also need pass 'this' using another parameter so you can use it to call the error handler if you click Cancel. Also these changes should be reverted back to maintain the Ajax context: - that.on_error.call(this, xhr, text_status, error_thrown); + that.on_error(xhr, text_status, error_thrown); - that.on_success.call(this, data, text_status, xhr); + that.on_success(data, text_status, xhr); Reverted back. Just for my information: ajax context is preserved for some future use, or it is already used somewhere? The IPA.add_dialog can store the command object as an instance variable so the IPA.host_adder_dialog can refer to it from the error handler. Another thing, in the init() you can access the spec object directly, so don't really have to pass it as a parameter. Yeah, I know. The purpose for this was to be able to call init method again later (which was made public as xxx_init(spec)). But probably it isn't in compliance with removes of public init methods. petr From e142dc9764c8370957888081ebc6bafc611917e7 Mon Sep 17 00:00:00 2001 From: Petr Vobornik pvobo...@redhat.com Date: Fri, 29 Jul 2011 10:53:01 -0400 Subject: [PATCH] Fixed adding host without DNS reverse zone https://fedorahosted.org/freeipa/ticket/1481 Shows status dialog instead of error dialog (error 4304 is treated like success). Refactored error dialog. Added generic message dialog (IPA.message_dialog) --- install/ui/add.js| 17 +--- install/ui/dialog.js | 28 install/ui/host.js | 42 ++ install/ui/ipa.js| 119 - 4 files changed, 149 insertions(+), 57 deletions(-) diff --git a/install/ui/add.js b/install/ui/add.js index 988ea8ff13819ccdd61a2033344e146dbaf09255..b4f1228f04d51893598860261b3bda09d07f8fab 100644 --- a/install/ui/add.js +++ b/install/ui/add.js @@ -31,6 +31,9 @@ IPA.add_dialog = function (spec) { that.method = spec.method || 'add'; that.pre_execute_hook = spec.pre_execute_hook; +that.on_error = spec.on_error ; +that.retry = typeof spec.retry !== 'undefined' ? spec.retry : true; +that.command = null; function show_edit_page(entity,result){ var pkey_name = entity.metadata.primary_key; @@ -51,9 +54,11 @@ IPA.add_dialog = function (spec) { var command = IPA.command({ entity: that.entity.name, method: that.method, +retry: that.retry, on_success: on_success, on_error: on_error }); +that.command = command; pkey_prefix = that.entity.get_primary_key_prefix(); @@ -127,8 +132,8 @@ IPA.add_dialog = function (spec) { var table = facet.table; table.refresh(); that.close(); -} -); +}, +that.on_error); }); that.add_button(IPA.messages.buttons.add_and_add_another, function() { @@ -141,8 +146,8 @@ IPA.add_dialog = function (spec) { var table = facet.table; table.refresh(); that.reset(); -} -); +}, +that.on_error); }); that.add_button(IPA.messages.buttons.add_and_edit, function() { @@ -154,8 +159,8 @@ IPA.add_dialog = function (spec) { that.close(); var result = data.result.result; that.show_edit_page(that.entity,result); -} -); +}, +that.on_error); }); that.add_button(IPA.messages.buttons.cancel, function() { diff --git a/install/ui/dialog.js b/install/ui/dialog.js index 0a1d5428a5b1763cbf4871a9cd59e7415f309c79..dc23db8d04a311d386f44c65c58aacee70c9a13c 100644 --- a/install/ui/dialog.js +++ b/install/ui/dialog.js @@ -656,3 +656,31 @@ IPA.deleter_dialog = function (spec) { return that; }; + +IPA.message_dialog = function(spec) { + +var that = IPA.dialog(spec); + +var init = function() { +spec = spec || {}; +that.message = spec.message || ''; +that.on_ok = spec.on_ok; +}; + +
Re: [Freeipa-devel] [PATCH] 843 reduce dogtag install time
On 2.8.2011 13:49, Martin Kosek wrote: On Mon, 2011-08-01 at 15:19 -0400, Rob Crittenden wrote: Ade Lee from the dogtag team looked at our installer and found that we restarted the pki-cad process too many times. Re-arranging some code allows us to restart it just once. The new config time for dogtag is 3 1/2 minutes, down from about 5 1/2. Ade is working on improvements in pki-silent as well which can bring the overall install time to 90 seconds. If we can get a change in SELinux policy we're looking at 60 seconds. This patch just contains the reworked installer part. Once an updated dogtag is released we can update the spec file to pull it in. rob This worked fine for standard dogtag installation + CA on a replica, but it failed with external CA: /var/log/ipaserver-install.log: ... response paneladmin/console/config/backupkeycertpanel.vm/panel res/ pwdagain/ dobackupchecked/dobackup errorStringFailed to create pkcs12 file./errorString size19/size pwd/ titleExport Keys and Certificates/title panels Vector Panel 2011-08-02 07:45:38,276 CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname vm-059.idm.lab.bos.redhat.com -cs_port 9445 -client_certdb_dir /tmp/tmp-GS6wzH -client_certdb_pwd '' -preop_pin BbkK9wJ7vD9UEzL4kBcO -domain_name IPA -admin_user admin -admin_email root@localhost -admin_password '' -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=IDM.LAB.BOS.REDHAT.COM -ldap_host vm-059.idm.lab.bos.redhat.com -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password '' -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd '' -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=IDM.LAB.BOS.REDHAT.COM -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=IDM.LAB.BOS.REDHAT.COM -ca_server_cert_subject_name CN=vm-059.idm.lab.bos.redhat.com,O=IDM.LAB.BOS.REDHAT.COM -ca_audit_signing_cert_subject_name CN=CA Audit,O=IDM.LAB.BOS.REDHAT.COM -ca_sign_cert_subject_name CN=Certificate Authority,O=IDM.LAB.BOS.REDHAT.COM -external true -ext_ca_cert_file /home/mkosek/cadb_f15/external-ca.crt -ext_ca_cert_chain_file /home/mkosek/cadb_f15/ipa.crt -clone false' returned non-zero exit status 255 2011-08-02 07:45:38,302 DEBUG Configuration of CA failed ... Works for me. It's just a guess, but didn't you happen to swap --external_cert_file and --external_ca_file? Honza -- Jan Cholasta ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 843 reduce dogtag install time
On Thu, 2011-08-04 at 17:02 +0200, Jan Cholasta wrote: On 2.8.2011 13:49, Martin Kosek wrote: On Mon, 2011-08-01 at 15:19 -0400, Rob Crittenden wrote: Ade Lee from the dogtag team looked at our installer and found that we restarted the pki-cad process too many times. Re-arranging some code allows us to restart it just once. The new config time for dogtag is 3 1/2 minutes, down from about 5 1/2. Ade is working on improvements in pki-silent as well which can bring the overall install time to 90 seconds. If we can get a change in SELinux policy we're looking at 60 seconds. This patch just contains the reworked installer part. Once an updated dogtag is released we can update the spec file to pull it in. rob This worked fine for standard dogtag installation + CA on a replica, but it failed with external CA: /var/log/ipaserver-install.log: ... response paneladmin/console/config/backupkeycertpanel.vm/panel res/ pwdagain/ dobackupchecked/dobackup errorStringFailed to create pkcs12 file./errorString size19/size pwd/ titleExport Keys and Certificates/title panels Vector Panel 2011-08-02 07:45:38,276 CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname vm-059.idm.lab.bos.redhat.com -cs_port 9445 -client_certdb_dir /tmp/tmp-GS6wzH -client_certdb_pwd '' -preop_pin BbkK9wJ7vD9UEzL4kBcO -domain_name IPA -admin_user admin -admin_email root@localhost -admin_password '' -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=IDM.LAB.BOS.REDHAT.COM -ldap_host vm-059.idm.lab.bos.redhat.com -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password '' -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd '' -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=IDM.LAB.BOS.REDHAT.COM -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=IDM.LAB.BOS.REDHAT.COM -ca_server_cert_subject_name CN=vm-059.idm.lab.bos.redhat.com,O=IDM.LAB.BOS.REDHAT.COM -ca_audit_signing_cert_subject_name CN=CA Audit,O=IDM.LAB.BOS.REDHAT.COM -ca_sign_cert_subject_name CN=Certificate Authority,O=IDM.LAB.BOS.REDHAT.COM -external true -ext_ca_cert_file /home/mkosek/cadb_f15/external-ca.crt -ext_ca_cert_chain_file /home/mkosek/cadb_f15/ipa.crt -clone false' returned non-zero exit status 255 2011-08-02 07:45:38,302 DEBUG Configuration of CA failed ... Works for me. It's just a guess, but didn't you happen to swap --external_cert_file and --external_ca_file? Honza That's a good bet. I managed to find CRTs used in my installation and displayed their contents and they were indeed wrong. So the problem was only my side. ACK for Rob's patch then. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 843 reduce dogtag install time
On 4.8.2011 17:24, Martin Kosek wrote: On Thu, 2011-08-04 at 17:02 +0200, Jan Cholasta wrote: On 2.8.2011 13:49, Martin Kosek wrote: On Mon, 2011-08-01 at 15:19 -0400, Rob Crittenden wrote: Ade Lee from the dogtag team looked at our installer and found that we restarted the pki-cad process too many times. Re-arranging some code allows us to restart it just once. The new config time for dogtag is 3 1/2 minutes, down from about 5 1/2. Ade is working on improvements in pki-silent as well which can bring the overall install time to 90 seconds. If we can get a change in SELinux policy we're looking at 60 seconds. This patch just contains the reworked installer part. Once an updated dogtag is released we can update the spec file to pull it in. rob This worked fine for standard dogtag installation + CA on a replica, but it failed with external CA: /var/log/ipaserver-install.log: ... response paneladmin/console/config/backupkeycertpanel.vm/panel res/ pwdagain/ dobackupchecked/dobackup errorStringFailed to create pkcs12 file./errorString size19/size pwd/ titleExport Keys and Certificates/title panels Vector Panel 2011-08-02 07:45:38,276 CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname vm-059.idm.lab.bos.redhat.com -cs_port 9445 -client_certdb_dir /tmp/tmp-GS6wzH -client_certdb_pwd '' -preop_pin BbkK9wJ7vD9UEzL4kBcO -domain_name IPA -admin_user admin -admin_email root@localhost -admin_password '' -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=IDM.LAB.BOS.REDHAT.COM -ldap_host vm-059.idm.lab.bos.redhat.com -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password '' -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd '' -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=IDM.LAB.BOS.REDHAT.COM -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=IDM.LAB.BOS.REDHAT.COM -ca_server_cert_subject_name CN=vm-059.idm.lab.bos.redhat.com,O=IDM.LAB.BOS.REDHAT.COM -ca_audit_signing_cert_subject_name CN=CA Audit,O=IDM.LAB.BOS.REDHAT.COM -ca_sign_cert_subject_name CN=Certificate Authority,O=IDM.LAB.BOS.REDHAT.COM -external true -ext_ca_cert_file /home/mkosek/cadb_f15/external-ca.crt -ext_ca_cert_chain_file /home/mkosek/cadb_f15/ipa.crt -clone false' returned non-zero exit status 255 2011-08-02 07:45:38,302 DEBUG Configuration of CA failed ... Works for me. It's just a guess, but didn't you happen to swap --external_cert_file and --external_ca_file? Honza That's a good bet. I managed to find CRTs used in my installation and displayed their contents and they were indeed wrong. So the problem was only my side. ACK for Rob's patch then. Martin It would be nice to add some sanity checks (verify that --external_cert_file's subject name is correct and that its issuer name matches --external_ca_file's subject name) to prevent this kind of problem in the future. Honza -- Jan Cholasta ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 843 reduce dogtag install time
Martin Kosek wrote: On Thu, 2011-08-04 at 17:02 +0200, Jan Cholasta wrote: On 2.8.2011 13:49, Martin Kosek wrote: On Mon, 2011-08-01 at 15:19 -0400, Rob Crittenden wrote: Ade Lee from the dogtag team looked at our installer and found that we restarted the pki-cad process too many times. Re-arranging some code allows us to restart it just once. The new config time for dogtag is 3 1/2 minutes, down from about 5 1/2. Ade is working on improvements in pki-silent as well which can bring the overall install time to 90 seconds. If we can get a change in SELinux policy we're looking at 60 seconds. This patch just contains the reworked installer part. Once an updated dogtag is released we can update the spec file to pull it in. rob This worked fine for standard dogtag installation + CA on a replica, but it failed with external CA: /var/log/ipaserver-install.log: ... response paneladmin/console/config/backupkeycertpanel.vm/panel res/ pwdagain/ dobackupchecked/dobackup errorStringFailed to create pkcs12 file./errorString size19/size pwd/ titleExport Keys and Certificates/title panels Vector Panel 2011-08-02 07:45:38,276 CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname vm-059.idm.lab.bos.redhat.com -cs_port 9445 -client_certdb_dir /tmp/tmp-GS6wzH -client_certdb_pwd '' -preop_pin BbkK9wJ7vD9UEzL4kBcO -domain_name IPA -admin_user admin -admin_email root@localhost -admin_password '' -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=IDM.LAB.BOS.REDHAT.COM -ldap_host vm-059.idm.lab.bos.redhat.com -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password '' -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd '' -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=IDM.LAB.BOS.REDHAT.COM -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=IDM.LAB.BOS.REDHAT.COM -ca_server_cert_subject_name CN=vm-059.idm.lab.bos.redhat.com,O=IDM.LAB.BOS.REDHAT.COM -ca_audit_signing_cert_subject_name CN=CA Audit,O=IDM.LAB.BOS.REDHAT.COM -ca_sign_cert_subject_name CN=Certificate Authority,O=IDM.LAB.BOS.REDHAT.COM -external true -ext_ca_cert_file /home/mkosek/cadb_f15/external-ca.crt -ext_ca_cert_chain_file /home/mkosek/cadb_f15/ipa.crt -clone false' returned non-zero exit status 255 2011-08-02 07:45:38,302 DEBUG Configuration of CA failed ... Works for me. It's just a guess, but didn't you happen to swap --external_cert_file and --external_ca_file? Honza That's a good bet. I managed to find CRTs used in my installation and displayed their contents and they were indeed wrong. So the problem was only my side. ACK for Rob's patch then. Martin Pushed to master and ipa-2-0 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 235 Linked entries in HBAC/sudo details page.
On 08/03/2011 06:34 PM, Endi Sukma Dewata wrote: The association tables in HBAC/sudo details page have been modified to link the entries to the appropriate details page. Ticket #1535 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel ACK. Pushed to master ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 002 Fixed adding host without DNS reverse zone
On 8/4/2011 4:22 AM, Petr Vobornik wrote: new version attached Almost there, just a few more minor issues. Also these changes should be reverted back to maintain the Ajax context: - that.on_error.call(this, xhr, text_status, error_thrown); + that.on_error(xhr, text_status, error_thrown); - that.on_success.call(this, data, text_status, xhr); + that.on_success(data, text_status, xhr); Reverted back. Just for my information: ajax context is preserved for some future use, or it is already used somewhere? The Ajax context right now is only used to get the URL causing HTTP error (ipa.js:301). Things might have changed, I'm not sure how to generate HTTP error anymore. The URL can actually be obtained from the url variable in the execute() method, but there are other things that you can get from Ajax context that might be useful in the future. Try setting a breakpoint inside the success_handler() or error_handler() and inspect the 'this' variable. I think we should make sure the callback functions behave like real Ajax callback function to avoid future problems, so 'this' should always point to Ajax context. There are actually a few places where the Ajax context doesn't get passed to the callback function: - ipa.js:409,418,428,431,436,620 - host.js:155 A bunch of these are existing issues. We can fix them separately. Another thing, in the init() you can access the spec object directly, so don't really have to pass it as a parameter. Yeah, I know. The purpose for this was to be able to call init method again later (which was made public as xxx_init(spec)). But probably it isn't in compliance with removes of public init methods. The init() method that we removed recently was a method that was called to initialize the object after the metadata becomes available. In the past some objects were created before the metadata was available, but now it's no longer the case so the object can be created and initialized at the same time. There's nothing wrong with creating an init() method to encapsulate the initialization sequence, but it doesn't need to be made public like before because the subclasses no longer need to call it explicitly. No need to change anything here. The default values in ipa.js:576-579 are redundant because they will be overridden by the spec in init(). I think the assignments in init() can be replaced by something like this: that.xhr = spec.xhr || {}; Note that the default value for xhr and error_thrown should be an empty object. There are some unit test failures in ipa_tests.js because IPA.error_dialog used to point to the dialog instance. You might want to change it to get the instance using something else, e.g. element ID. There are some other other unit test failures, but they seem to be caused by the earlier failure. They actually pass if run separately. -- Endi S. Dewata ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 34 Create FreeIPA CLI Plugin for the 389 Auto Membership plugin
On Aug 3, 2011, at 7:32 AM, Rob Crittenden wrote: JR Aquino wrote: On Aug 2, 2011, at 5:55 AM, Rob Crittendenrcrit...@redhat.com wrote: JR Aquino wrote: I am fairly opposed to removing 'default' attrs which the rules are applied to... I am happy to provide a means to override them. While it may be second nature for all of us to know that there is an fqdn attribute, etc, our consumers are likely not going to intrinsically know our schema. We also deliberately mask the real attribute names in the framework. (fqdn = Host name) Providing a default feels like a happy medium which allows for ease of use and somewhat of a safety belt against users defining an incorrect attribute name. It also might get somewhat tiring to constantly provide --key=fqdn every time you add a hostname regex? Ok, but when you display rules fqdn is displayed. How are users to know they shouldn't include fqdn= when removing existing rules? I guess my preference would be to heavily document, in the example, the plugin, and the docs... My concern is that without a default, a typo in the attr would produce unintended results. Without a schema checker, it's kinda tough to take an attr at face value from a user. Does the python ldap implementation have a means to check schema in order to verify an attribute? The design of the automember pluginhHaving the attr in the Regex does make for some complexity We do have a schema checker. You can test for existence of an attribute with something like: import ldap as _ldap obj = ldap.schema.get_obj(_ldap.schema.AttributeType, attr) if obj is None: # Error, no such attribute def check_attr(self, attr): Verify that the user supplied key is a valid attribute in the schema ldap = self.api.Backend.ldap2 obj = ldap.schema.get_obj(_ldap.schema.AttributeType, attr) return obj [Thu Aug 04 16:58:41 2011] [error] File /usr/lib/python2.7/site-packages/ipalib/plugins/automember.py, line 209, in check_attr [Thu Aug 04 16:58:41 2011] [error] obj = ldap.schema.get_obj(_ldap.schema.AttributeType, attr) [Thu Aug 04 16:58:41 2011] [error] AttributeError: 'NoneType' object has no attribute 'get_obj' Seems that ldap doesn't have a get_obj inside of schema? ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel