[Freeipa-devel] [PATCH] 38 Verify length of passwords in ipa-server-install
Verify that passwords specified through command line options of ipa-server-install meet the length requirement (at least 8 characters long). https://fedorahosted.org/freeipa/ticket/1621 Honza -- Jan Cholasta From 1e6b8242f9f3cf31bc86b539fdc9ccbcb19bced6 Mon Sep 17 00:00:00 2001 From: Jan Cholasta jchol...@redhat.com Date: Mon, 15 Aug 2011 09:02:39 +0200 Subject: [PATCH] Verify that passwords specified through command line options of ipa-server-install meet the length requirement. ticket 1621 --- install/tools/ipa-server-install |5 + 1 files changed, 5 insertions(+), 0 deletions(-) diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index 3605b03..a959ea4 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install @@ -175,6 +175,11 @@ def parse_options(): options, args = parser.parse_args() safe_options = parser.get_safe_opts(options) +if options.dm_password is not None and len(options.dm_password) 8: +parser.error(DS admin password must be at least 8 characters long) +if options.admin_password is not None and len(options.admin_password) 8: +parser.error(Admin user password must be at least 8 characters long) + if not options.setup_dns: if options.forwarders: parser.error(You cannot specify a --forwarder option without the --setup-dns option) -- 1.7.6 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 38 Verify length of passwords in ipa-server-install
On 15.08.2011 10:11, Jan Cholasta wrote: Verify that passwords specified through command line options of ipa-server-install meet the length requirement (at least 8 characters long). https://fedorahosted.org/freeipa/ticket/1621 ACK. Are there any additional requirements towards the password complexity other than 8 letters minimum length? -- / Alexander Bokovoy ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 111 Let Bind track data changes
A new version of bind-dyndb-ldap has been released. Thanks to the new
persistent search feature, the name server can immediately pull new DNS
zones when they are created in IPA.
Since the bind-dyndb-ldap plugin has not been released in F-15 yet, one
has to use the provided src.rpm:
http://mkosek.fedorapeople.org/bind-dyndb-ldap/srpm/bind-dyndb-ldap-0.2.0-5.fc17.src.rpm
or rpms I built for x86_64 F-15:
http://mkosek.fedorapeople.org/bind-dyndb-ldap/x86_64/
There is one setback though. When I investigated DNS persistent search
behavior I still miss the ability to detect changes to the DNS zone
itself. Adding a record (for example MX record) to the zone does not
trigger an update of the zone in nameserver cache. We still have to wait
for cache timeout (argument cache_ttl). We cannot therefore use this
feature as a solution of:
https://fedorahosted.org/freeipa/ticket/1114
https://fedorahosted.org/freeipa/ticket/1125
https://fedorahosted.org/freeipa/ticket/1126
Martin
From 877589895e07dc1fb4d3ddfc72ffb4fbb83aa151 Mon Sep 17 00:00:00 2001
From: Martin Kosek mko...@redhat.com
Date: Mon, 15 Aug 2011 10:14:00 +0200
Subject: [PATCH] Let Bind track data changes
Integrate new bind-dyndb-ldap features to automatically track
DNS data changes:
1) Zone refresh
Set --zone-refresh in installation to define number of seconds
between bind-dyndb-ldap polls for new DNS zones. User now
doesn't have to restart name server when a new zone is added.
2) New zone notifications
Use LDAP persistent search mechanism to immediately get
notification when any new DNS zone is added. Use --zone-notif
install option to enable. This option is mutually exclusive
with Zone refresh.
To enable this functionality in existing IPA installations,
update a list of arguments for bind-dyndb-ldap in /etc/named.conf.
An example when zone refresh is disabled and DNS data change
notifications are enabled:
dynamic-db ipa {
...
arg zone_refresh 0;
arg psearch on;
};
This patch requires bind-dyndb-ldap-0.2.0-5 or later.
https://fedorahosted.org/freeipa/ticket/649
https://fedorahosted.org/freeipa/ticket/826
---
install/share/bind.named.conf.template |2 ++
install/tools/ipa-dns-install | 20 +++-
install/tools/ipa-server-install | 20 +++-
install/tools/man/ipa-dns-install.1|6 ++
install/tools/man/ipa-server-install.1 |6 ++
ipalib/constants.py|3 +++
ipaserver/install/bindinstance.py | 11 +--
7 files changed, 64 insertions(+), 4 deletions(-)
diff --git a/install/share/bind.named.conf.template b/install/share/bind.named.conf.template
index e843b4c005cbbbee55a2f9ef5374a6a3f12dbfca..f133b089a9eb428e9ad76b66a3ff162b45e5a779 100644
--- a/install/share/bind.named.conf.template
+++ b/install/share/bind.named.conf.template
@@ -44,4 +44,6 @@ dynamic-db ipa {
arg auth_method sasl;
arg sasl_mech GSSAPI;
arg sasl_user DNS/$FQDN;
+ arg zone_refresh $ZONE_REFRESH;
+ arg psearch $PERSISTENT_SEARCH;
};
diff --git a/install/tools/ipa-dns-install b/install/tools/ipa-dns-install
index cf400dd75cdf747ec24ccfc7d2dabd4873c8962b..09006a2009c42a61ab80172637eeaf87a9db0635 100755
--- a/install/tools/ipa-dns-install
+++ b/install/tools/ipa-dns-install
@@ -29,6 +29,7 @@ from ipapython import version
from ipapython import ipautil, sysrestore
from ipalib import api, errors, util
from ipapython.config import IPAOptionParser
+from ipalib.constants import DNS_ZONE_REFRESH
import krbV
import ldap
@@ -49,6 +50,14 @@ def parse_options():
default=False, help=Do not create reverse DNS zone)
parser.add_option(--zonemgr, dest=zonemgr,
help=DNS zone manager e-mail address. Defaults to root)
+parser.add_option(--zone-notif, dest=zone_notif,
+ action=store_true, default=False,
+ help=Let name server receive notification when a new zone is added. \
+ Zone refresh is turned off when zone notification is enabled)
+parser.add_option(--zone-refresh, dest=zone_refresh,
+ default=DNS_ZONE_REFRESH, type=int,
+ help=A delay between checks for new DNS zones. Defaults to %d \
+ % DNS_ZONE_REFRESH)
parser.add_option(-U, --unattended, dest=unattended, action=store_true,
default=False, help=unattended installation never prompts the user)
@@ -64,6 +73,12 @@ def parse_options():
if not options.forwarders and not options.no_forwarders:
parser.error(You must specify at least one --forwarder option or --no-forwarders option)
+if options.zone_refresh 0:
+parser.error(negative numbers not allowed for --zone-refresh)
+
+if options.zone_notif: # mutually exclusive features
+options.zone_refresh = 0
+
return safe_options, options
def main():
@@ -179,7
[Freeipa-devel] [PATCH] 39 Fix internal error when removing the last PTR record from a DNS record entry.
https://fedorahosted.org/freeipa/ticket/1632
Honza
--
Jan Cholasta
From f018cdb47be57929430aef3b3dea0e2c64b9c5f8 Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Mon, 15 Aug 2011 15:39:54 +0200
Subject: [PATCH] Fix internal error when removing the last PTR record from a
DNS record entry.
ticket 1632
---
ipalib/plugins/dns.py |9 +
1 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py
index 105678b..1eb4148 100644
--- a/ipalib/plugins/dns.py
+++ b/ipalib/plugins/dns.py
@@ -632,10 +632,11 @@ class dnsrecord(LDAPObject):
error=unicode(_('Reverse zone %s requires exactly %d IP address components, %d given')
% (zone_name, zone_len, ip_addr_comp_count)))
-for ptr in options['ptrrecord']:
-if not ptr.endswith('.'):
-raise errors.ValidationError(name='ptr-rec',
-error=unicode(_('PTR record \'%s\' is not fully qualified (check traling \'.\')') % ptr))
+if options['ptrrecord'] is not None:
+for ptr in options['ptrrecord']:
+if not ptr.endswith('.'):
+raise errors.ValidationError(name='ptr-rec',
+error=unicode(_('PTR record \'%s\' is not fully qualified (check traling \'.\')') % ptr))
return dn
--
1.7.6
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 244 Fixed link style in dialog box.
The general link style defined in ipa.css was overriden by a more
specific rule in jquery-ui.css. So the style has been modified to
include the more specific rule.
Ticket #1623
Pushed under one-liner rule.
--
Endi S. Dewata
From 234bf969b4e0f7ad46bd60b8b0709256364b Mon Sep 17 00:00:00 2001
From: Endi S. Dewata edew...@redhat.com
Date: Mon, 15 Aug 2011 08:50:51 -0500
Subject: [PATCH] Fixed link style in dialog box.
The general link style defined in ipa.css was overriden by a more
specific rule in jquery-ui.css. So the style has been modified to
include the more specific rule.
Ticket #1623
---
install/ui/ipa.css |2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/install/ui/ipa.css b/install/ui/ipa.css
index 4079fb33e293fb443433eb11ceb8f876ff810136..9f94d470b12f3643a65fa03ae5a8f1384d551510 100644
--- a/install/ui/ipa.css
+++ b/install/ui/ipa.css
@@ -939,7 +939,7 @@ span.attrhint {
.ui-widget-content {
}
-a {
+a, .ui-widget-content a {
text-decoration: none;
color: #1d85d5;
font-weight: normal;
--
1.7.5.1
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 111 Let Bind track data changes
On 08/15/2011 08:20 AM, Martin Kosek wrote: A new version of bind-dyndb-ldap has been released. Thanks to the new persistent search feature, the name server can immediately pull new DNS zones when they are created in IPA. Since the bind-dyndb-ldap plugin has not been released in F-15 yet, one has to use the provided src.rpm: http://mkosek.fedorapeople.org/bind-dyndb-ldap/srpm/bind-dyndb-ldap-0.2.0-5.fc17.src.rpm or rpms I built for x86_64 F-15: http://mkosek.fedorapeople.org/bind-dyndb-ldap/x86_64/ There is one setback though. When I investigated DNS persistent search behavior I still miss the ability to detect changes to the DNS zone itself. Adding a record (for example MX record) to the zone does not trigger an update of the zone in nameserver cache. We still have to wait for cache timeout (argument cache_ttl). We cannot therefore use this feature as a solution of: https://fedorahosted.org/freeipa/ticket/1114 https://fedorahosted.org/freeipa/ticket/1125 https://fedorahosted.org/freeipa/ticket/1126 So what are our options here? Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. --- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 245 Fixed problem with buttons in enrollment dialog.
The panel for selection buttons (i.e. and ) has been re-
positioned to avoid being covered by the adder-dialog-right panel.
Ticket #1626
--
Endi S. Dewata
From 8ddbbf310fb429267dc9663e65a3a24f0ec6e8ff Mon Sep 17 00:00:00 2001
From: Endi S. Dewata edew...@redhat.com
Date: Mon, 15 Aug 2011 09:13:13 -0500
Subject: [PATCH] Fixed problem with buttons in enrollment dialog.
The panel for selection buttons (i.e. and ) has been re-
positioned to avoid being covered by the adder-dialog-right panel.
Ticket #1626
---
install/ui/dialog.js | 42 +-
1 files changed, 21 insertions(+), 21 deletions(-)
diff --git a/install/ui/dialog.js b/install/ui/dialog.js
index 5d0ce14fac2337986038c174533ee3de235fa3c9..3513f0c17fc92a3a5bde3048293f5bebd294b5ea 100644
--- a/install/ui/dialog.js
+++ b/install/ui/dialog.js
@@ -431,26 +431,6 @@ IPA.adder_dialog = function (spec) {
that.available_table.create(available_content);
-var buttons_panel = $('div/', {
-name: 'buttons',
-'class': 'adder-dialog-buttons'
-}).appendTo(container);
-
-var p = $('p/').appendTo(buttons_panel);
-$('input /', {
-type: 'button',
-name: 'remove',
-value: ''
-}).appendTo(p);
-
-p = $('p/').appendTo(buttons_panel);
-$('input /', {
-type: 'button',
-name: 'add',
-value: ''
-}).appendTo(p);
-
-
var right_panel = $('div/', {
'class': 'adder-dialog-right'
}).appendTo(container);
@@ -472,6 +452,26 @@ IPA.adder_dialog = function (spec) {
that.selected_table.create(selected_content);
+var buttons_panel = $('div/', {
+name: 'buttons',
+'class': 'adder-dialog-buttons'
+}).appendTo(container);
+
+var p = $('p/').appendTo(buttons_panel);
+$('input /', {
+type: 'button',
+name: 'remove',
+value: ''
+}).appendTo(p);
+
+p = $('p/').appendTo(buttons_panel);
+$('input /', {
+type: 'button',
+name: 'add',
+value: ''
+}).appendTo(p);
+
+
that.filter_field = $('input[name=filter]', that.container);
var button = $('input[name=find]', that.container);
--
1.7.5.1
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 111 Let Bind track data changes
On Mon, 2011-08-15 at 14:20 +0200, Martin Kosek wrote: A new version of bind-dyndb-ldap has been released. Thanks to the new persistent search feature, the name server can immediately pull new DNS zones when they are created in IPA. Since the bind-dyndb-ldap plugin has not been released in F-15 yet, one has to use the provided src.rpm: http://mkosek.fedorapeople.org/bind-dyndb-ldap/srpm/bind-dyndb-ldap-0.2.0-5.fc17.src.rpm or rpms I built for x86_64 F-15: http://mkosek.fedorapeople.org/bind-dyndb-ldap/x86_64/ There is one setback though. When I investigated DNS persistent search behavior I still miss the ability to detect changes to the DNS zone itself. Adding a record (for example MX record) to the zone does not trigger an update of the zone in nameserver cache. We still have to wait for cache timeout (argument cache_ttl). We cannot therefore use this feature as a solution of: https://fedorahosted.org/freeipa/ticket/1114 https://fedorahosted.org/freeipa/ticket/1125 https://fedorahosted.org/freeipa/ticket/1126 Is this a bug/deficiency of the plugin ? Or is it something that depends on named internals somehow ? Simo. -- Simo Sorce * Red Hat, Inc * New York ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 245 Fixed problem with buttons in enrollment dialog.
On 08/15/2011 04:29 PM, Endi Sukma Dewata wrote: The panel for selection buttons (i.e. and ) has been re- positioned to avoid being covered by the adder-dialog-right panel. Ticket #1626 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel ACK -- Petr Vobornik ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 245 Fixed problem with buttons in enrollment dialog.
On 8/15/2011 9:43 AM, Petr Vobornik wrote: On 08/15/2011 04:29 PM, Endi Sukma Dewata wrote: The panel for selection buttons (i.e. and ) has been re- positioned to avoid being covered by the adder-dialog-right panel. Ticket #1626 ACK Pushed to master. -- Endi S. Dewata ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 004 error dialog for batch command
On 08/11/2011 06:16 PM, Endi Sukma Dewata wrote:
On 8/11/2011 11:03 AM, Endi Sukma Dewata wrote:
Some issues:
1. I think by default all batch commands should use this feature. The
batch command is used for various purposes, not just for deletion.
Consider this scenario:
First, find a way to log in simultaneously using different accounts. You
can use either multiple machines, accounts, or browsers, whichever is
the easiest.
In the first session, log in as admin, create a test user, add it into
the admins group.
Then in the second session, login as the test user, then edit a sudo
rule. Modify the description and the enabled flag (this will be executed
as separate operations in a single batch). Don't click Update yet.
Back to the first session, remove the test user from the admins group.
Then go back to the second session, click Update.
Since the test user doesn't have admin rights anymore the operations
will fail. However, currently these failures are not reported and the
values simply revert back to the original. The error dialog should show
these errors.
So in this case we don't really need the 'partial_success_notify' flag,
or it can be renamed into 'show_error' which should be true by default.
done
The 'retry' flag in IPA.command can be renamed to 'show_error' too.
sending without this (not essential part of this patch - not
batch_command). But I agree it should be probably changed - to be
consistent.
2. The 'partial_success_message' probably can be renamed intofile:
'error_message' which will say something like 'Some operations failed.'
done
3. Instead of a checkbox for show_errors_checkbox, it might be better to
use 'Show details' and 'Hide details' links.
done
4. In ipa.js:510 instead of repeating the error message the
error_thrown.name could say something like 'Batch Error' or 'Operations
Error'.
used 'Operations Error' - batch is internal naming and probably
confusing to user
5. The add_error() could be moved into IPA.error_dialog so the
IPA.batch_command doesn't need to hold the 'errors' list.
left in batch_command for possible future use in custom handlers
6. The list of errors should be displayed as a list (with bullets) like
in the deleter dialog.
done
7. Just for consistency, the Retry label declaration in ipa.js:737 could
be moved into the if-statement like the other labels.
done
--
Petr Vobornik
From 383cc50aa31b24921b426eb662563be0f6943894 Mon Sep 17 00:00:00 2001
From: Petr Vobornik pvobo...@redhat.com
Date: Thu, 11 Aug 2011 10:28:50 +0200
Subject: [PATCH] error dialog for batch command
https://fedorahosted.org/freeipa/ticket/1597
https://fedorahosted.org/freeipa/ticket/1592
Added option to show multiple errors in error dialog.
---
install/ui/ipa.js | 138 ---
install/ui/search.js |4 +-
install/ui/test/data/ipa_init.json |7 ++-
ipalib/plugins/internal.py |5 ++
4 files changed, 140 insertions(+), 14 deletions(-)
diff --git a/install/ui/ipa.js b/install/ui/ipa.js
index 8a3dd4e7d596914687e412aefdda27d7d699261d..9a252f1e50fdaf544cb872fe0dbed9377e791559 100644
--- a/install/ui/ipa.js
+++ b/install/ui/ipa.js
@@ -417,6 +417,11 @@ IPA.batch_command = function (spec) {
var that = IPA.command(spec);
that.commands = [];
+that.errors = [];
+that.error_message = spec.error_message || (IPA.messages.dialogs ?
+IPA.messages.dialogs.batch_error_message : 'Some operations failed.');
+that.show_error = typeof spec.show_error == 'undefined' ?
+true : spec.show_error;
that.add_command = function(command) {
that.commands.push(command);
@@ -429,7 +434,21 @@ IPA.batch_command = function (spec) {
}
};
+var clear_errors = function() {
+that.errors = [];
+};
+
+var add_error = function(command, name, message, status) {
+that.errors.push({
+command: command,
+name: name,
+message: message,
+status: status
+});
+};
+
that.execute = function() {
+clear_errors();
IPA.command({
name: that.name,
@@ -444,25 +463,38 @@ IPA.batch_command = function (spec) {
var command = that.commands[i];
var result = data.result.results[i];
+var name = '';
+var message = '';
+
if (!result) {
+name = 'Internal Error '+xhr.status;
+message = result ? xhr.statusText : Internal error;
+
+add_error(command, name, message, text_status);
+
if (command.on_error) command.on_error.call(
this,
xhr,
text_status,
{
-name: 'Internal Error '+xhr.status,
-
Re: [Freeipa-devel] [PATCH] 39 Fix internal error when removing the last PTR record from a DNS record entry.
On 15.08.2011 16:56, Jan Cholasta wrote: https://fedorahosted.org/freeipa/ticket/1632 NACK. I would rather see it fixed for all record types similarly. In order to do that, instead of fixing a callback for PTR record it would be good to fix pre_callback that calls it. Patch attached. -- / Alexander Bokovoy From c7c414f32a56bb675f9d6b808daf609434fb1aa3 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy aboko...@redhat.com Date: Mon, 15 Aug 2011 18:35:32 +0300 Subject: [PATCH] Pass empty options as empty arrays for supported dns record types. https://fedorahosted.org/freeipa/ticket/1632 --- ipalib/plugins/dns.py |2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py index 105678b23c9faae3cc34ffc9084fc37d9ca29265..e967c5c03a91fcbff82a7d8e62cdc8157a4a461d 100644 --- a/ipalib/plugins/dns.py +++ b/ipalib/plugins/dns.py @@ -886,6 +886,8 @@ class dnsrecord_mod(dnsrecord_mod_record): def pre_callback(self, ldap, dn, entry_attrs, *keys, **options): for rtype in options: rtype_cb = '_%s_pre_callback' % rtype +if options[rtype] is None and rtype in _record_attributes: +options[rtype] = [] if hasattr(self.obj, rtype_cb): dn = getattr(self.obj, rtype_cb)(ldap, dn, entry_attrs, *keys, **options) -- 1.7.6 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 242 Removed custom layout for password reset.
On 08/11/2011 07:44 PM, Endi Sukma Dewata wrote: The dialog box for resetting user password has been modified to use the standard layout. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel patch from code and working perspective is OK. Has this patch assigned some ticket? Don't know exactly what is IPA's policy for submitting patches without tickets in Trac (for future tracking). -- Petr Vobornik ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 242 Removed custom layout for password reset.
On 08/15/2011 11:44 AM, Petr Vobornik wrote: On 08/11/2011 07:44 PM, Endi Sukma Dewata wrote: The dialog box for resetting user password has been modified to use the standard layout. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel patch from code and working perspective is OK. Has this patch assigned some ticket? Don't know exactly what is IPA's policy for submitting patches without tickets in Trac (for future tracking). I would prefer to have a ticket. -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. --- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 242 Removed custom layout for password reset.
On 8/15/2011 11:01 AM, Dmitri Pal wrote: patch from code and working perspective is OK. Has this patch assigned some ticket? Don't know exactly what is IPA's policy for submitting patches without tickets in Trac (for future tracking). I would prefer to have a ticket. OK, I'll open a ticket for this. Usually it's part of a clean up process or needed for subsequent bug fixing. -- Endi S. Dewata ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] preview of threading patch
According to the 389-ds team we should use pthread read-write locks for now to avoid a deadlock. I borrowed some nice wrapper code which supports both from slapi-nis. I expect that we'll change this to the slapi lock api once it is available. I'm still testing this code, sending patch out to confirm approach. rob thread.patch Description: application/mbox ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 004 error dialog for batch command
On 8/15/2011 10:28 AM, Petr Vobornik wrote: done ACK. Will push after release. -- Endi S. Dewata ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 242 Removed custom layout for password reset.
On 08/15/2011 12:29 PM, Endi Sukma Dewata wrote: On 8/15/2011 11:01 AM, Dmitri Pal wrote: patch from code and working perspective is OK. Has this patch assigned some ticket? Don't know exactly what is IPA's policy for submitting patches without tickets in Trac (for future tracking). I would prefer to have a ticket. OK, I'll open a ticket for this. Usually it's part of a clean up process or needed for subsequent bug fixing. Which means that there should be a ticket for the cleanup effort that encompasses several patches. -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. --- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] preview of threading patch
On 08/15/2011 11:25 AM, Rob Crittenden wrote: According to the 389-ds team we should use pthread read-write locks for now to avoid a deadlock. I borrowed some nice wrapper code which supports both from slapi-nis. I expect that we'll change this to the slapi lock api once it is available. I'm still testing this code, sending patch out to confirm approach. I don't know if you want all of the stuff in wrap.c/.h - for example, the rpc include - but I suppose it does make it cleaner if you want to update this in the future directly from slapi-nis Also, you might want to add configure.ac tests to decide whether or not to use nspr threads/locks, pthread locks, and/or slapi_rwlocks. rob ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] preview of threading patch
On Mon, 2011-08-15 at 14:39 -0400, Rob Crittenden wrote: Rob Crittenden wrote: According to the 389-ds team we should use pthread read-write locks for now to avoid a deadlock. I borrowed some nice wrapper code which supports both from slapi-nis. I expect that we'll change this to the slapi lock api once it is available. I'm still testing this code, sending patch out to confirm approach. rob Using wrap seems like overkill, here is a simpler solution. Looks much simpler to digest, I prefer this one. Simo. -- Simo Sorce * Red Hat, Inc * New York ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] testing pki-ca behind apache for ipa
Cross posting to the freeipa devel list, as I think this is where people are going to be most interested. On 08/15/2011 12:00 PM, Ade Lee wrote: Adam, As you know, I have been testing putting a dogtag CA behind an apache instance - and using the standard ports to contact the CA. The basic idea is to let apache handle the client authentication required, and then to pass the relevant parameters to tomcat using AJP. What this means is there will be a dogtag.conf file placed under /etc/httpd/httpd.conf - and this file will contain Location elements with ProxyPass directives. Some of these (agent pages) will require client authentication, and some will not. I had run into an issue with my browser where when switching from non-client-auth to client-auth, renegotiations were being disallowed. This is, I strongly suspect due to the fixes in NSS for the MITM issue, where unsafe legacy renegotiations will be disallowed. Attempts to pass the relevant environment parameters to NSS failed to alter this result. I'll continue to work with Rob on this. However, I believe that this problem will not affect the installation/ interaction of IPA with dogtag. Why? Because the ipa-ra-plugin is using the latest NSS under the covers - which uses the new safe regotiation protocol. My initial testing seems to indicate that this is in fact the case. However, as I have been pulled into fips issues, I was hoping you could continue the testing. Once we have a working setup, we can worry about the code changes to pkicreate/pkisilent to do most of the configuration. Here is what you need to do: 1. Install ipa with dogtag 2. Stop the CA (service pki-cad stop pki-ca) 3. Modify /etc/pki-ca/server.xml. You need to uncomment the ajp port, and have it redirect for SSL to the EE port (9444) 4. Modify the web.xml in /var/lib/pki-ca/webapps/ca/WEB-INF/web.xml to turn off the filtering mechanism. You will see stanzas like the following for ee, agent and admin ports. Make sure that active is set to false for all. filter filter-nameAgentRequestFilter/filter-name filter-classcom.netscape.cms.servlet.filter.AgentRequestFilter/filter-class init-param param-namehttps_port/param-name param-value9203/param-value /init-param init-param param-nameactive/param-name param-valuefalse/param-value /init-param /filter 5. Place the attached dogtag.conf file into /etc/httpd/conf.d/ 6. restart the ca. (service pki-cad start pki-ca) We are now ready to do some testing. 1. Modify the ipa-ra-plugin config to point to port 443 instead of 9443 2. Do your IPA cert tests and confirm that it works ok. 3. Try installing a replica. Make sure to pass https://hostname:443 That is - do not leave out the 443 part as the installation code will not recognize 443 as a default port. Actually, now that I think about it - there will be more changes needed in the Installation Panel code to get all this to work. So I'll get to this when I can. Thanks, Ade ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 39 Fix internal error when removing the last PTR record from a DNS record entry.
Alexander Bokovoy wrote: On 15.08.2011 16:56, Jan Cholasta wrote: https://fedorahosted.org/freeipa/ticket/1632 NACK. I would rather see it fixed for all record types similarly. In order to do that, instead of fixing a callback for PTR record it would be good to fix pre_callback that calls it. Patch attached. ack, pushed to master ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] Setting user password by default
A user commented in IRC that the WebUI used to allow setting the default password when the user was added. WHile the simple use cae of Add and edit makes it easy enough to do for a single user, adding users in bulk (Add and add another) gets annoying if you need to really do add and edit, then update the password, then got back to the list...etc. Should default password be on the add page? The CLI use case can have the user prompted for it if they so desire. This means that, while it would be tough to do in bulk, doing one at a time is pretty straightforward. I'm not sold. Does anyone want to chime in before I open a ticket.? ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] testing pki-ca behind apache for ipa
On 08/15/2011 12:00 PM, Ade Lee wrote:
Adam,
As you know, I have been testing putting a dogtag CA behind an apache
instance - and using the standard ports to contact the CA. The basic
idea is to let apache handle the client authentication required, and
then to pass the relevant parameters to tomcat using AJP.
What this means is there will be a dogtag.conf file placed
under /etc/httpd/httpd.conf - and this file will contain Location
elements with ProxyPass directives. Some of these (agent pages) will
require client authentication, and some will not.
I had run into an issue with my browser where when switching from
non-client-auth to client-auth, renegotiations were being disallowed.
This is, I strongly suspect due to the fixes in NSS for the MITM issue,
where unsafe legacy renegotiations will be disallowed. Attempts to
pass the relevant environment parameters to NSS failed to alter this
result. I'll continue to work with Rob on this.
However, I believe that this problem will not affect the installation/
interaction of IPA with dogtag. Why? Because the ipa-ra-plugin is
using the latest NSS under the covers - which uses the new safe
regotiation protocol.
My initial testing seems to indicate that this is in fact the case.
However, as I have been pulled into fips issues, I was hoping you could
continue the testing. Once we have a working setup, we can worry about
the code changes to pkicreate/pkisilent to do most of the
configuration.
Here is what you need to do:
1. Install ipa with dogtag
2. Stop the CA (service pki-cad stop pki-ca)
service ipa stop
3. Modify /etc/pki-ca/server.xml. You need to uncomment the ajp port,
and have it redirect for SSL to the EE port (9444)
[root@f15server ~]# diff /etc/pki-ca/server.xml.orig /etc/pki-ca/server.xml
216a217
Connector port=8009 protocol=AJP/1.3 redirectPort=9444 /
4. Modify the web.xml in /var/lib/pki-ca/webapps/ca/WEB-INF/web.xml to
turn off the filtering mechanism. You will see stanzas like the
following for ee, agent and admin ports. Make sure that active is set
to false for all.
filter
filter-nameAgentRequestFilter/filter-name
filter-classcom.netscape.cms.servlet.filter.AgentRequestFilter/filter-class
init-param
param-namehttps_port/param-name
param-value9203/param-value
/init-param
init-param
param-nameactive/param-name
param-valuefalse/param-value
/init-param
/filter
[root@f15server WEB-INF]# git diff web.xml.orig web.xml
diff --git a/web.xml.orig b/web.xml
index 7f757bd..affa315 100644
--- a/web.xml.orig
+++ b/web.xml
@@ -12,7 +12,7 @@
/init-param
init-param
param-nameactive/param-name
- param-valuetrue/param-value
+ param-valuefalse/param-value
/init-param
/filter
@@ -25,7 +25,7 @@
/init-param
init-param
param-nameactive/param-name
- param-valuetrue/param-value
+ param-valuefalse/param-value
/init-param
/filter
@@ -42,7 +42,7 @@
/init-param
init-param
param-nameactive/param-name
- param-valuetrue/param-value
+ param-valuefalse/param-value
/init-param
/filter
@@ -55,7 +55,7 @@
/init-param
init-param
param-nameactive/param-name
- param-valuetrue/param-value
+ param-valuefalse/param-value
/init-param
/filter
5. Place the attached dogtag.conf file into /etc/httpd/conf.d/
mv ~/dogtag.conf /etc/httpd/conf.d/
6. restart the ca. (service pki-cad start pki-ca)
service ipa start
We are now ready to do some testing.
1. Modify the ipa-ra-plugin config to point to port 443 instead of 9443
diff /usr/lib/python2.7/site-packages/ipalib/constants.py.orig
/usr/lib/python2.7/site-packages/ipalib/constants.py
140c140
('ca_agent_port', 9443),
---
('ca_agent_port', 443),
2. Do your IPA cert tests and confirm that it works ok.
service ipa restart
cannot connect to
'https://f15server.ayoung.boston.devel.redhat.com:443/ca/agent/ca/displayBySerial':
''
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
