[Freeipa-devel] Failed to remove SELinux rule for port 7390 when uninstalling server (S.O.Fedora 15)
Error thrown when uninstalling FreeIPA Server on Fedora 15

When I try to uninstall the IPA server using the command:

ipa-server-install --uninstall -d

or

/usr/sbin/ipa-server-install --uninstall

This is a NON REVERSIBLE operation and will delete all data and configuration!
Are you sure you want to continue with the uninstall procedure? [no]: yes
Shutting down all IPA services
Removing IPA client configuration
Unconfiguring ntpd
Unconfiguring CA directory server
*root: CRITICAL Failed to remove SELinux rule for port 7390*
Unconfiguring CA
Unconfiguring named
Unconfiguring directory server

Regards,
Pedro Nova

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] Creation of replica failed: Failed to start replication on Fedora 15
Hi All,

When I'm installing ipa-server-replica on Fedora release 15 it failed:

[20/27]: setting up initial replication
Starting replication, please wait until this has completed.
[vmnxipatest02.freeipa.gsnet.corp] reports: Update failed! Status: [-2 - System error]
creation of replica failed: Failed to start replication
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Then I run ipa-server-install --uninstall without issue. The server settings are OK.

Any ideas or support?

Thanks,
Pedro Nova
Re: [Freeipa-devel] [PATCH] 0012 Modify existing SSSD configuration instead of dropping it
On Wed, 07 Sep 2011, Stephen Gallagher wrote:
> On Wed, 2011-09-07 at 16:15 +0300, Alexander Bokovoy wrote:
> > Hi!
> >
> > When modifying SSSD configuration, attempt to add a new domain rather than replacing the whole configuration file. Only replace the file in case it is impossible to parse it by the current SSSD version.
> >
> > https://fedorahosted.org/freeipa/ticket/1750
>
> Looks good to me. Ack.

Unfortunately, there is a bug in libini_config that prevents modifying the existing sssd configuration as it becomes unreadable by libini_config.

https://fedorahosted.org/sssd/ticket/991

I would suggest postponing this patch until the libini_config bug is fixed and released.

--
/ Alexander Bokovoy
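The behaviour the patch description asks for (add an IPA domain to an existing sssd.conf and only fall back to writing a fresh file when the existing one cannot be parsed) can be shown with Python's configparser. This is an added example, not the patch's code: FreeIPA goes through libini_config (the library Alexander's bug report concerns), the two sssd.conf texts below are constructed, and the set of options written into the domain section is an assumption for illustration.

```python
import configparser
import io

# Constructed sample: an admin's existing sssd.conf with one hand-written
# domain that a "replace the whole file" installer would silently discard.
EXISTING_SSSD_CONF = """\
[sssd]
services = nss, pam
config_file_version = 2
domains = LOCAL

[domain/LOCAL]
id_provider = local
"""

# Constructed sample: not a valid INI file at all (no section header).
UNPARSEABLE_CONF = "garbage = [not an ini\nfile at all\n"


def _new_parser():
    parser = configparser.RawConfigParser()
    parser.optionxform = str  # keep option names exactly as written
    return parser


def ipa_domain_options(domain, server, realm):
    # Assumed minimal option set for an IPA domain section; a real
    # installer writes more (keytab location, dyndns settings, ...).
    return {
        "id_provider": "ipa",
        "auth_provider": "ipa",
        "access_provider": "ipa",
        "ipa_domain": domain,
        "ipa_server": server,
        "krb5_realm": realm,
        "cache_credentials": "True",
    }


def add_ipa_domain(existing_text, domain, server, realm):
    """Return (new_config_text, replaced_whole_file).

    The existing file is kept and extended when it parses; a minimal fresh
    config is written only when parsing fails.
    """
    parser = _new_parser()
    try:
        parser.read_string(existing_text)
        replaced = False
    except configparser.Error:
        parser = _new_parser()  # discard any partial state from the failed read
        replaced = True

    if not parser.has_section("sssd"):
        parser.add_section("sssd")
        parser.set("sssd", "services", "nss, pam")
        parser.set("sssd", "config_file_version", "2")

    section = "domain/" + domain
    if parser.has_section(section):
        parser.remove_section(section)  # re-enrolling: our own section is rewritten
    parser.add_section(section)
    for key, value in ipa_domain_options(domain, server, realm).items():
        parser.set(section, key, value)

    # Append to the 'domains' list instead of overwriting it, so domains the
    # admin configured by hand keep working after enrollment.
    current = parser.get("sssd", "domains", fallback="")
    domains = [d.strip() for d in current.split(",") if d.strip()]
    if domain not in domains:
        domains.append(domain)
    parser.set("sssd", "domains", ", ".join(domains))

    out = io.StringIO()
    parser.write(out)
    return out.getvalue(), replaced


def list_domains(config_text):
    """Parse a config text and return the domains listed in [sssd]."""
    parser = _new_parser()
    parser.read_string(config_text)
    return [d.strip() for d in parser.get("sssd", "domains").split(",") if d.strip()]


if __name__ == "__main__":
    text, replaced = add_ipa_domain(EXISTING_SSSD_CONF, "example.test",
                                    "ipa.example.test", "EXAMPLE.TEST")
    print("replaced whole file:", replaced)
    print(text)
```

Running the function twice with the same domain leaves the `domains` list unchanged, which matters for an installer that may be re-run after a partial failure.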
Re: [Freeipa-devel] [PATCH] 38 Move Managed Entries into their own container in the replicated space.
On Tue, 2011-09-06 at 22:33 +, JR Aquino wrote:
> On Jul 22, 2011, at 6:54 AM, Martin Kosek wrote:
> > On Thu, 2011-07-21 at 23:00 +, JR Aquino wrote:
> > > Create: cn=Managed Entries,cn=etc,$SUFFIX
> > > Create: cn=Definitions,cn=Managed Entries,cn=etc,$SUFFIX
> > > Create: cn=Templates,cn=Managed Entries,cn=etc,$SUFFIX
> > >
> > > Create method for migrating any and all custom Managed Entries from the cn=config space into the new container.
> > >
> > > The Managed Entries plugin configurations weren't being created on replica installs.
> > >
> > > This patch addresses two separate tickets and accounts for new installs, replica installs, and upgrades.
> > >
> > > https://fedorahosted.org/freeipa/ticket/1181 - Managed Entry Tool / New Container
> > > A separate patch will cover the management tool
> > >
> > > https://fedorahosted.org/freeipa/ticket/1222 - Add Managed Entries during Replica installation extended solution
> >
> > I found a few issues with the patch (tested along with 25):
> >
> > 1) When upgrading an old instance, NGP and UGP definitions in cn=Managed Entries,cn=plugins,cn=config were not deleted. This led to 2 managed entries plugin definitions
>
> Fixed this condition. 389 prohibits the deletion of Managed Entries while they are active. I had to perform the repointing to the new cn=etc container, perform the migration of the legacy configs, then perform a restart of dirsrv.
>
> > 2) Managed entries on a replica didn't work for me. For example UPG was created on a master, but was not on a replica
>
> This should also be resolved now.
>
> > Martin
>
> I had to break out the connection code in update for ldapupdate.py so that connections could be reestablished post dirsrv restart. I also had to create a service class to perform the restart.
>
> installutils.py has been modified to provide wait_for_open_socket() similar to wait_for_open_port()

Hello JR,

I tested your patch, it works fine for both upgrading the replicas and new installations. Old Managed Entries definitions were successfully deleted.
I just found a few issues with the patch format itself:

1) Commit message is all wrong, it's all on the Subject line which is then put to commit title during git am. I suggest using our standard commit message formatting:

COMMIT_TITLE

COMMIT_DESCRIPTION

TRAC_TICKET_LINK

2) There were a few whitespace errors:

$ git apply ~/freeipa-jraquino-0038-Move-Managed-Entries-into-their-own-container.patch
/home/mkosek/freeipa-jraquino-0038-Move-Managed-Entries-into-their-own-container.patch:519: trailing whitespace.
/home/mkosek/freeipa-jraquino-0038-Move-Managed-Entries-into-their-own-container.patch:526: trailing whitespace.

Otherwise the patch looks good to me, if it is OK with Rob (since he wrote the entire ldapupdate.py) I think we can push it after you fix the 2 changes I proposed.

Martin
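JR's mention of wait_for_open_socket() alongside wait_for_open_port() describes a readiness poll: after the updater restarts dirsrv it must not reconnect until the server actually accepts connections, otherwise the reconnect fails or races the startup. The code below is an added illustration of that idiom, not FreeIPA's installutils.py: the listener started from a background thread stands in for a restarting directory server, and the delays and socket path are constructed for the demo.

```python
import os
import socket
import tempfile
import threading
import time


def _poll_until(connect, timeout, interval):
    """Call connect() until it succeeds or the deadline passes.

    Returns True when a connection was accepted within timeout, False
    otherwise. A refused connection is the normal "not up yet" signal.
    """
    deadline = time.monotonic() + timeout
    while True:
        try:
            connect()
            return True
        except OSError:
            if time.monotonic() >= deadline:
                return False
            time.sleep(interval)


def wait_for_open_port(host, port, timeout=10.0, interval=0.1):
    """Block until a TCP connect to host:port succeeds (e.g. LDAP on 389)."""
    def connect():
        with socket.create_connection((host, port), timeout=interval):
            pass
    return _poll_until(connect, timeout, interval)


def wait_for_open_socket(path, timeout=10.0, interval=0.1):
    """Block until a connect to the Unix socket at path succeeds (e.g. LDAPI)."""
    def connect():
        sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        try:
            sock.settimeout(interval)
            sock.connect(path)
        finally:
            sock.close()
    return _poll_until(connect, timeout, interval)


def _listen_after(server, delay):
    """Simulate a service that needs `delay` seconds before it listens."""
    def start():
        time.sleep(delay)
        server.listen(1)
    threading.Thread(target=start, daemon=True).start()


def demo_tcp(delay=0.3, timeout=5.0):
    """Bind a port, start listening only after `delay`, and wait for it."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))  # bound but not listening: connects are refused
    port = server.getsockname()[1]
    _listen_after(server, delay)
    try:
        return wait_for_open_port("127.0.0.1", port, timeout=timeout)
    finally:
        server.close()


def demo_closed_port(timeout=0.5):
    """Pick a port nothing listens on and confirm the wait gives up."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    port = probe.getsockname()[1]
    probe.close()
    return wait_for_open_port("127.0.0.1", port, timeout=timeout)


def demo_unix(delay=0.3, timeout=5.0):
    """Same as demo_tcp for a Unix socket in a temporary directory."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "slapd.sock")  # constructed path for the demo
    server = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    server.bind(path)
    _listen_after(server, delay)
    try:
        return wait_for_open_socket(path, timeout=timeout)
    finally:
        server.close()
        os.unlink(path)
        os.rmdir(tmpdir)


if __name__ == "__main__":
    print("tcp ready:", demo_tcp())
    print("closed port:", demo_closed_port())
    print("unix ready:", demo_unix())
```

The poll treats any OSError from connect as "not ready", so a socket file that does not exist yet is handled the same way as a refused TCP port; the caller decides what a False return means (abort the upgrade, or retry the restart).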
Re: [Freeipa-devel] [PATCH] 1 Add ipa-adtrust-install utility
On Wed, Sep 07, 2011 at 06:10:50PM -0400, Simo Sorce wrote:
> On Tue, 2011-08-30 at 16:40 +0200, Sumit Bose wrote:
> > I don't think that we should run winbind. I also changed the path to the smb.conf file from /etc/ipa to /etc/samba which makes the change to /etc/sysconfig/samba unnecessary.
> >
> > Thanks for the review.
>
> Ok tested this today, after I was able to tame my machine.
> Some issues and comments still.
>
> 1) If you just run ipa-adtrust-install it throws an error about an Illegal netbios name and quits. That's not right, as it should ask for the netbios name if one is not provided on the command line presenting a default option (based on the last domain component uppercased maybe),

fixed

> 2) I see the way you write the temp smb.conf is by using a lot of fd.write() calls. It would be much easier instead to use the templating engine we use elsewhere in the code and drop a template file in install/share, this will allow us to easily tweak the initial installation options w/o touching the python code every time.

fixed

new version attached.

bye,
Sumit

> 3) Everything installed and started but my smbd coredumped immediately after. It is almost certainly not a problem in your patch though :-)
>
> So jokes aside if you fix 1 and 2 I think we can push to master.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York

From fdc80a6178bcc9a6cfe461d072f5ad99670ef280 Mon Sep 17 00:00:00 2001
From: Sumit Bose sb...@redhat.com Date: Wed, 7 Sep 2011 10:17:12 +0200 Subject: [PATCH] Add ipa-adtrust-install utility https://fedorahosted.org/freeipa/ticket/1619 --- freeipa.spec.in |2 + install/po/Makefile.in |1 + install/share/Makefile.am|1 + install/share/smb.conf.template | 25 +++ install/tools/Makefile.am|1 + install/tools/ipa-adtrust-install| 244 + install/tools/man/Makefile.am|1 + install/tools/man/ipa-adtrust-install.1 | 44 ipaserver/install/Makefile.am|1 + ipaserver/install/service.py |3 +- ipaserver/install/smbinstance.py | 246 ++ tests/test_ipaserver/install/test_smbinstance.py | 59 + 12 files changed, 627 insertions(+), 1 deletions(-) create mode 100644 install/share/smb.conf.template create mode 100755 install/tools/ipa-adtrust-install create mode 100644 install/tools/man/ipa-adtrust-install.1 create mode 100644 ipaserver/install/smbinstance.py create mode 100755 tests/test_ipaserver/install/test_smbinstance.py diff --git a/freeipa.spec.in b/freeipa.spec.in index 31a1e943a3c33645e9d6a8a2c4fc86b89c32f382..772c5e39b13a740a33667efcd6ebfaca7c539a43 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -395,6 +395,7 @@ fi %doc COPYING README Contributors.txt %{_sbindir}/ipa-ca-install %{_sbindir}/ipa-dns-install +%{_sbindir}/ipa-adtrust-install %{_sbindir}/ipa-server-install %{_sbindir}/ipa-replica-conncheck %{_sbindir}/ipa-replica-install @@ -476,6 +477,7 @@ fi %{_mandir}/man1/ipa-server-certinstall.1.gz %{_mandir}/man1/ipa-server-install.1.gz %{_mandir}/man1/ipa-dns-install.1.gz +%{_mandir}/man1/ipa-adtrust-install.1.gz %{_mandir}/man1/ipa-ca-install.1.gz %{_mandir}/man1/ipa-compat-manage.1.gz %{_mandir}/man1/ipa-nis-manage.1.gz diff --git a/install/po/Makefile.in b/install/po/Makefile.in index 47c8bbba56041f95fc6641ff0188ab60db658de8..ac08b47921c0a96d0fe06b8d8f1419d7cd76bd36 100644 --- a/install/po/Makefile.in +++ b/install/po/Makefile.in 
@@ -51,6 +51,7 @@ PY_EXPLICIT_FILES = \ install/tools/ipa-server-install \ install/tools/ipa-ldap-updater \ install/tools/ipa-dns-install \ + install/tools/ipa-adtrust-install \ install/tools/ipa-ca-install \ ipa-client/ipa-install/ipa-client-install diff --git a/install/share/Makefile.am b/install/share/Makefile.am index f2a6a6cae418b2f31151130c4fd53db8cbbe922a..50ec816b42fcbad619504bf3ccf6ef293e5188ba 100644 --- a/install/share/Makefile.am +++ b/install/share/Makefile.am @@ -32,6 +32,7 @@ app_DATA =\ krb.con.template\ krbrealm.con.template \ preferences.html.template \ + smb.conf.template \ referint-conf.ldif \ dna.ldif\ master-entry.ldif \ diff --git a/install/share/smb.conf.template b/install/share/smb.conf.template new file mode 100644 index ..55948badef6e75e5159ecbd6f83ad8b62aff792a --- /dev/null +++ b/install/share/smb.conf.template @@ -0,0 +1,25 @@ +[global] +workgroup = $NETBIOS_NAME +realm = $REALM +security = user +domain master = yes +domain logons = yes +log level = 1 +max log size = 10 +log file = /var/log/samba/log.%d +passdb backend =
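Review bot: in the install/share/smb.conf.template hunk, $NETBIOS_NAME and $REALM are substituted straight into the [global] section with no quoting, so the netbios name (now prompted for, per item 1 in the review) should be validated against the NetBIOS naming rules before the template is rendered; a value containing a newline or a `[` would otherwise yield a different smb.conf than the one intended. Also worth a sentence in the man page: `domain master = yes` and `domain logons = yes` make this server a domain controller for the workgroup, which is not obvious from the tool's name.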
Re: [Freeipa-devel] [PATCH] 1 Add ipa-adtrust-install utility
On Thu, 2011-09-08 at 13:52 +0200, Sumit Bose wrote:
> On Wed, Sep 07, 2011 at 06:10:50PM -0400, Simo Sorce wrote:
> > On Tue, 2011-08-30 at 16:40 +0200, Sumit Bose wrote:
> > > I don't think that we should run winbind. I also changed the path to the smb.conf file from /etc/ipa to /etc/samba which makes the change to /etc/sysconfig/samba unnecessary.
> > >
> > > Thanks for the review.
> >
> > Ok tested this today, after I was able to tame my machine.
> > Some issues and comments still.
> >
> > 1) If you just run ipa-adtrust-install it throws an error about an Illegal netbios name and quits. That's not right, as it should ask for the netbios name if one is not provided on the command line presenting a default option (based on the last domain component uppercased maybe),
>
> fixed
>
> > 2) I see the way you write the temp smb.conf is by using a lot of fd.write() calls. It would be much easier instead to use the templating engine we use elsewhere in the code and drop a template file in install/share, this will allow us to easily tweak the initial installation options w/o touching the python code every time.
>
> fixed
>
> new version attached.
>
> bye,
> Sumit
>
> > 3) Everything installed and started but my smbd coredumped immediately after. It is almost certainly not a problem in your patch though :-)
> >
> > So jokes aside if you fix 1 and 2 I think we can push to master.
> >
> > Simo.
> >
> > --
> > Simo Sorce * Red Hat, Inc * New York

Only one nitpick from me. The new man page header should be changed according to our last man page consolidation effort in ticket 1687 so that it is consistent with the others. In your case, the header should be:

+.TH ipa-adtrust-install 1 Aug 23 2011 FreeIPA FreeIPA Manual Pages

Plus, the --netbios-name option is not covered in the man page.

Martin
Re: [Freeipa-devel] [PATCH] 1 Add ipa-adtrust-install utility
On Thu, Sep 08, 2011 at 02:06:44PM +0200, Martin Kosek wrote:
> On Thu, 2011-09-08 at 13:52 +0200, Sumit Bose wrote:
> > On Wed, Sep 07, 2011 at 06:10:50PM -0400, Simo Sorce wrote:
> > > On Tue, 2011-08-30 at 16:40 +0200, Sumit Bose wrote:
> > > > I don't think that we should run winbind. I also changed the path to the smb.conf file from /etc/ipa to /etc/samba which makes the change to /etc/sysconfig/samba unnecessary.
> > > >
> > > > Thanks for the review.
> > >
> > > Ok tested this today, after I was able to tame my machine.
> > > Some issues and comments still.
> > >
> > > 1) If you just run ipa-adtrust-install it throws an error about an Illegal netbios name and quits. That's not right, as it should ask for the netbios name if one is not provided on the command line presenting a default option (based on the last domain component uppercased maybe),
> >
> > fixed
> >
> > > 2) I see the way you write the temp smb.conf is by using a lot of fd.write() calls. It would be much easier instead to use the templating engine we use elsewhere in the code and drop a template file in install/share, this will allow us to easily tweak the initial installation options w/o touching the python code every time.
> >
> > fixed
> >
> > new version attached.
> >
> > bye,
> > Sumit
> >
> > > 3) Everything installed and started but my smbd coredumped immediately after. It is almost certainly not a problem in your patch though :-)
> > >
> > > So jokes aside if you fix 1 and 2 I think we can push to master.
> > >
> > > Simo.
> > >
> > > --
> > > Simo Sorce * Red Hat, Inc * New York
>
> Only one nitpick from me. The new man page header should be changed according to our last man page consolidation effort in ticket 1687 so that it is consistent with the others. In your case, the header should be:
>
> +.TH ipa-adtrust-install 1 Aug 23 2011 FreeIPA FreeIPA Manual Pages
>
> Plus, the --netbios-name option is not covered in the man page.

Thank you for the feedback, I fixed it accordingly. New version attached.

bye,
Sumit

> Martin

From 85909ba9437171d763c8dfe68e4caede8de75c55 Mon Sep 17 00:00:00 2001
From: Sumit Bose sb...@redhat.com Date: Wed, 7 Sep 2011 10:17:12 +0200 Subject: [PATCH] Add ipa-adtrust-install utility https://fedorahosted.org/freeipa/ticket/1619 --- freeipa.spec.in |2 + install/po/Makefile.in |1 + install/share/Makefile.am|1 + install/share/smb.conf.template | 25 +++ install/tools/Makefile.am|1 + install/tools/ipa-adtrust-install| 244 + install/tools/man/Makefile.am|1 + install/tools/man/ipa-adtrust-install.1 | 47 ipaserver/install/Makefile.am|1 + ipaserver/install/service.py |3 +- ipaserver/install/smbinstance.py | 246 ++ tests/test_ipaserver/install/test_smbinstance.py | 59 + 12 files changed, 630 insertions(+), 1 deletions(-) create mode 100644 install/share/smb.conf.template create mode 100755 install/tools/ipa-adtrust-install create mode 100644 install/tools/man/ipa-adtrust-install.1 create mode 100644 ipaserver/install/smbinstance.py create mode 100755 tests/test_ipaserver/install/test_smbinstance.py diff --git a/freeipa.spec.in b/freeipa.spec.in index 31a1e943a3c33645e9d6a8a2c4fc86b89c32f382..772c5e39b13a740a33667efcd6ebfaca7c539a43 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -395,6 +395,7 @@ fi %doc COPYING README Contributors.txt %{_sbindir}/ipa-ca-install %{_sbindir}/ipa-dns-install +%{_sbindir}/ipa-adtrust-install %{_sbindir}/ipa-server-install %{_sbindir}/ipa-replica-conncheck %{_sbindir}/ipa-replica-install @@ -476,6 +477,7 @@ fi %{_mandir}/man1/ipa-server-certinstall.1.gz %{_mandir}/man1/ipa-server-install.1.gz %{_mandir}/man1/ipa-dns-install.1.gz +%{_mandir}/man1/ipa-adtrust-install.1.gz %{_mandir}/man1/ipa-ca-install.1.gz %{_mandir}/man1/ipa-compat-manage.1.gz %{_mandir}/man1/ipa-nis-manage.1.gz diff --git a/install/po/Makefile.in b/install/po/Makefile.in index 47c8bbba56041f95fc6641ff0188ab60db658de8..ac08b47921c0a96d0fe06b8d8f1419d7cd76bd36 100644 --- a/install/po/Makefile.in +++ b/install/po/Makefile.in 
@@ -51,6 +51,7 @@ PY_EXPLICIT_FILES = \ install/tools/ipa-server-install \ install/tools/ipa-ldap-updater \ install/tools/ipa-dns-install \ + install/tools/ipa-adtrust-install \ install/tools/ipa-ca-install \ ipa-client/ipa-install/ipa-client-install diff --git a/install/share/Makefile.am b/install/share/Makefile.am index f2a6a6cae418b2f31151130c4fd53db8cbbe922a..50ec816b42fcbad619504bf3ccf6ef293e5188ba 100644 --- a/install/share/Makefile.am +++ b/install/share/Makefile.am @@ -32,6 +32,7 @@ app_DATA =\ krb.con.template\ krbrealm.con.template \
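Review bot: the two freeipa.spec.in hunks add %{_sbindir}/ipa-adtrust-install and the ipa-adtrust-install.1.gz man page to %files, but no entry for install/share/smb.conf.template appears in the visible hunks; confirm the template is picked up by an existing glob for the share directory, otherwise the packaged tool will fail at run time looking for a template that was never installed. The install/share/Makefile.am hunk only covers the build-tree side of that.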
[Freeipa-devel] [Freeipa-interest] Announcing FreeIPA 2.1.1
The FreeIPA Project is proud to announce the latest release of FreeIPA. As always, the latest tarball can be found at http://freeipa.org/

FreeIPA 2.1.1 is available in Fedora 15. It is currently in the updates-testing repository along with a number of its dependencies. Fedora 16 and rawhide builds will be coming soon.

== Highlights ==

* Reduced number of ports needed to punch through firewall by proxying dogtag through port 443
* New plugin, automember, that can automatically add users and hosts to groups and hostgroups based on regular expressions.
* Indicator in the UI and CLI when a host has a one-time password set
* DNS improvements - loading new zones via regular polling or LDAP persistent search

== Upgrading ==

=== Server ===

To upgrade a 2.0.0, 2.0.1 or 2.1.0 server do the following:

# yum update freeipa-server --enablerepo=updates-testing

This will pull in updated freeIPA, 389-ds, dogtag, libcurl and xmlrpc-c packages (and perhaps some others). A script will be executed in the rpm postinstall phase to update the IPA LDAP server with any required changes.

There is a bug reported against 389-ds, https://bugzilla.redhat.com/show_bug.cgi?id=730387, related to read-write locks. The NSPR RW lock implementation does not safely allow re-entrant use of reader locks. This is a timing issue so it is difficult to predict. During testing one user experienced this and the upgrade hung. To break the hang, kill the ns-slapd process for your realm, wait for the yum transaction to complete, then restart 389-ds and manually run the update process:

# service dirsrv start
# ipa-ldap-updater

=== Client ===

The ipa-client-install tool in the ipa-client package is just a configuration tool. There should be no need to re-run this on every client already enrolled.

== Detailed Changelog ==

Adam Young (1):
* enable proxy for dogtag

Alexander Bokovoy (1):
* Propagate environment when it is required.

Endi S. Dewata (19):
* Fixed browser configuration pages
* Hide activation/deactivation link from regular users.
* Fixed problem selecting value from combobox
* Fixed inconsistent layout for password reset dialog.
* Removed 'Hide already enrolled' checkbox.
* Replaced page dirty dialog title.
* Updated add and delete association dialog titles.
* Removed unnecessary HBAC/sudo rule category modification.
* Fixed command partial failure handling.
* Fixed default map type in automount map adder dialog.
* Fixed host OTP status.
* Fixed host keytab status after setting OTP.
* Fixed host adder dialog to show default DNS zone.
* Fixed hard-coded UI messages.
* Fixed problem adding hostgroup into netgroup.
* Fixed problem with combobox.
* Fixed hard-coded UI message in entity.js.
* Fixed missing permission filter field.
* Fixed problem with combobox using Sahi

Jan Cholasta (6):
* Make sure messagebus is running prior to starting certmonger.
* Verify that passwords specified through command line options of ipa-server-install meet the length requirement.
* Add option to install without the automatic redirect to the Web UI.
* Search for users in all the naming contexts present on the directory server.
* Add subscription-manager dependency for RHEL.
* Verify that the external CA certificate files are correct.

John Dennis (11):
* ticket 1568 - DN objects should support the insert method
* ticket 1569 - Test DN object non-latin Unicode support
* ticket 1600 - convert unittests to use DN objects
* ticket 1659 - invalid i18n string in dns.py
* ticket 1660 - update LINGUAS file, add missing po files
* ticket 1661 - Update all po files
* ticket 1650 - compute accurate translation statistics
* ticket 1707 - add documentation validation to makeapi tool
* ticket 1705 - internationalize help topics
* ticket 1706 - internationalize cli help framework
* ticket 1669 - improve i18n docstring extraction

Jr Aquino (2):
* Improve sudorule documentation
* Create FreeIPA CLI Plugin for the 389 Auto Membership plugin

Martin Kosek (6):
* Add missing attribute labels for sudorule
* Fix automountkey-mod
* Fix automountlocation-import conflicts
* ipa-client-install breaks network configuration
* Fix sudo help and summaries
* Let Bind track data changes

Petr Vobornik (8):
* error dialog for batch command
* Uncheck checkboxes in association after deletion
* Show error in adding associations
* Validation of details facet before update
* Modify serial associator to use batch
* Modifying sudo options refreshes the whole page
* Enable update and reset button only if dirty
* Attributes table not scrollable

Rob Crittenden (24):
* Add information on setting api.env.host in the ipactl.8 man page
* Log each command in a batch separately.
* Do batch logging on successful commands too, not just failures.
* Fix wording in examples of delegation plugin.
* Suppress 389-ds debug output when starting services
* Fix thread deadlock by using pthreads library instead of
[Freeipa-devel] [PATCH] 265 Fixed sudo rule association dialogs.
The adder dialog for the user and host tables in sudo rule details page have been fixed to use --not-in-sudorules to avoid showing entries that are already added into the rule either directly or indirectly via groups. This does not apply to the command and run-as tables because they do not support such option. Ticket #1768 -- Endi S. Dewata From a794e3de7376a04235cd5222086b389b3aee1e8e Mon Sep 17 00:00:00 2001 From: Endi S. Dewata edew...@redhat.com Date: Thu, 8 Sep 2011 09:44:17 -0500 Subject: [PATCH] Fixed sudo rule association dialogs. The adder dialog for the user and host tables in sudo rule details page have been fixed to use --not-in-sudorules to avoid showing entries that are already added into the rule either directly or indirectly via groups. This does not apply to the command and run-as tables because they do not support such option. Ticket #1768 --- install/ui/association.js |8 +--- install/ui/sudo.js| 11 +++ 2 files changed, 12 insertions(+), 7 deletions(-) diff --git a/install/ui/association.js b/install/ui/association.js index 1c9776b0e6c596be4dd07665b141891d2e7d4ba0..c7a1b6c0b9e94e7a8b4aa1c73c35c7c8e2ab4e54 100644 --- a/install/ui/association.js +++ b/install/ui/association.js @@ -493,13 +493,15 @@ IPA.association_table_widget = function (spec) { }; that.create_add_dialog = function() { + +var entity_label = that.entity.metadata.label_singular; var pkey = IPA.nav.get_state(that.entity.name+'-pkey'); -var label = IPA.metadata.objects[that.other_entity].label; +var other_entity_label = IPA.metadata.objects[that.other_entity].label; var title = that.add_title; -title = title.replace('${entity}', that.entity.metadata.label_singular); +title = title.replace('${entity}', entity_label); title = title.replace('${primary_key}', pkey); -title = title.replace('${other_entity}', label); +title = title.replace('${other_entity}', other_entity_label); return IPA.association_adder_dialog({ title: title, 
diff --git a/install/ui/sudo.js b/install/ui/sudo.js index 1a6b03b1be00dc093b10c38e2930d3af0b4cfcb7..c443ba9d846b9a9d20ec16f875a9c995dddb5e82 100644 --- a/install/ui/sudo.js +++ b/install/ui/sudo.js @@ -1042,18 +1042,21 @@ IPA.sudorule_association_table_widget = function(spec) { that.create_add_dialog = function() { +var entity_label = that.entity.metadata.label_singular; var pkey = IPA.nav.get_state(that.entity.name+'-pkey'); +var other_entity_label = IPA.metadata.objects[that.other_entity].label; var title = that.add_title; -title = title.replace('${other_entity}', IPA.metadata.objects[that.other_entity].label); -title = title.replace('${entity}', IPA.metadata.objects[that.entity.name].label_singular); +title = title.replace('${entity}', entity_label); title = title.replace('${primary_key}', pkey); +title = title.replace('${other_entity}', other_entity_label); return IPA.sudo.rule_association_adder_dialog({ title: title, pkey: pkey, other_entity: that.other_entity, -entity:that.entity, +attribute_member: that.attribute_member, +entity: that.entity, external: that.external }); }; @@ -1085,7 +1088,7 @@ IPA.sudo.rule_association_adder_dialog = function(spec) { if (!that.columns.length) { var pkey_name = IPA.metadata.objects[that.other_entity].primary_key; that.create_column({ -entity:that.entity, +entity: that.entity, name: pkey_name, label: IPA.metadata.objects[that.other_entity].label, primary_key: true, -- 1.7.5.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
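Review bot: in the install/ui/association.js hunk, the first added line after `that.create_add_dialog = function() {` is an empty `+` line; drop it, since a whitespace-only added line is exactly what git apply flags as trailing whitespace (as happened with patch 0038 earlier in this thread). The rename of `label` to `other_entity_label` next to the new `entity_label` is fine and makes the three title.replace() calls read consistently.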
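Review bot: in the sudo.js create_add_dialog hunk, `attribute_member: that.attribute_member` is now passed into IPA.sudo.rule_association_adder_dialog, but no hunk in this patch shows the dialog reading spec.attribute_member or turning it into the --not-in-sudorules search option the commit message describes; either the dialog already does that (then the commit message should say so) or the filtering is not actually wired up. Separately, the rewritten title-building block now duplicates the association.js version line for line; consider sharing it rather than repeating it in the sudo widget. The `entity:that.entity` to `entity: that.entity` change in the @@ -1085 hunk is whitespace only and fine.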
Re: [Freeipa-devel] [PATCH] 265 Fixed layout problem in permission adder dialog.
On 09/08/2011 12:41 AM, Endi Sukma Dewata wrote:
> In order to maintain consistent layout between details page and dialog boxes the IPA.details_list_section has been replaced with IPA.details_table_section which is based on table.
>
> The IPA.target_section and other subclasses of IPA.details_list_section have been converted to use IPA.details_table_section as well.
>
> The unit tests have been updated accordingly.
>
> Ticket #1648

Some minor things:

In IPA.details_table_section:
1) not renamed list_section_create method

Code clean-up in aci.js:
2) IPA.rights_section can be deleted and replaced by spec object usage. It doesn't add any functionality.
3) IPA.permission_details_facet can be deleted - it isn't used anywhere.

Should we unite label align? In add dialog labels are aligned left, in details table right.

Otherwise it looks OK.

--
Petr Vobornik
Re: [Freeipa-devel] [PATCH] 266 Fixed sudo rule association dialogs.
On 9/8/2011 10:28 AM, Endi Sukma Dewata wrote:
> The adder dialog for the user and host tables in sudo rule details page have been fixed to use --not-in-sudorules to avoid showing entries that are already added into the rule either directly or indirectly via groups.
>
> This does not apply to the command and run-as tables because they do not support such option.
>
> Ticket #1768

Wrong email title. It should be patch #266.

--
Endi S. Dewata
Re: [Freeipa-devel] [PATCH] 38 Move Managed Entries into their own container in the replicated space.
On Sep 8, 2011, at 4:38 AM, Martin Kosek wrote:
> On Tue, 2011-09-06 at 22:33 +, JR Aquino wrote:
> > On Jul 22, 2011, at 6:54 AM, Martin Kosek wrote:
> > > On Thu, 2011-07-21 at 23:00 +, JR Aquino wrote:
> > > > Create: cn=Managed Entries,cn=etc,$SUFFIX
> > > > Create: cn=Definitions,cn=Managed Entries,cn=etc,$SUFFIX
> > > > Create: cn=Templates,cn=Managed Entries,cn=etc,$SUFFIX
> > > >
> > > > Create method for migrating any and all custom Managed Entries from the cn=config space into the new container.
> > > >
> > > > The Managed Entries plugin configurations weren't being created on replica installs.
> > > >
> > > > This patch addresses two separate tickets and accounts for new installs, replica installs, and upgrades.
> > > >
> > > > https://fedorahosted.org/freeipa/ticket/1181 - Managed Entry Tool / New Container
> > > > A separate patch will cover the management tool
> > > >
> > > > https://fedorahosted.org/freeipa/ticket/1222 - Add Managed Entries during Replica installation extended solution
> > >
> > > I found a few issues with the patch (tested along with 25):
> > >
> > > 1) When upgrading an old instance, NGP and UGP definitions in cn=Managed Entries,cn=plugins,cn=config were not deleted. This led to 2 managed entries plugin definitions
> >
> > Fixed this condition. 389 prohibits the deletion of Managed Entries while they are active. I had to perform the repointing to the new cn=etc container, perform the migration of the legacy configs, then perform a restart of dirsrv.
> >
> > > 2) Managed entries on a replica didn't work for me. For example UPG was created on a master, but was not on a replica
> >
> > This should also be resolved now.
> >
> > > Martin
> >
> > I had to break out the connection code in update for ldapupdate.py so that connections could be reestablished post dirsrv restart. I also had to create a service class to perform the restart.
> >
> > installutils.py has been modified to provide wait_for_open_socket() similar to wait_for_open_port()
>
> Hello JR,
>
> I tested your patch, it works fine for both upgrading the replicas and new installations. Old Managed Entries definitions were successfully deleted.
>
> I just found a few issues with the patch format itself:
>
> 1) Commit message is all wrong, it's all on the Subject line which is then put to commit title during git am. I suggest using our standard commit message formatting:
>
> COMMIT_TITLE
>
> COMMIT_DESCRIPTION
>
> TRAC_TICKET_LINK
>
> 2) There were a few whitespace errors:
>
> $ git apply ~/freeipa-jraquino-0038-Move-Managed-Entries-into-their-own-container.patch
> /home/mkosek/freeipa-jraquino-0038-Move-Managed-Entries-into-their-own-container.patch:519: trailing whitespace.
> /home/mkosek/freeipa-jraquino-0038-Move-Managed-Entries-into-their-own-container.patch:526: trailing whitespace.
>
> Otherwise the patch looks good to me, if it is OK with Rob (since he wrote the entire ldapupdate.py) I think we can push it after you fix the 2 changes I proposed.

Fixed the whitespace errors and adjusted the commit message.

binxRjEG2Pvey.bin
Description: freeipa-jraquino-0038-Move-Managed-Entries-into-their-own-container.patch
[Freeipa-devel] [PATCH] 866 don't allow an OTP to be set on enrolled hosts
Don't allow a one-time password to be set on enrolled hosts. This will invalidate the existing keytab. rob From 3ea2e26ceaf241f9d60b221efc640f77d60493eb Mon Sep 17 00:00:00 2001 From: Rob Crittenden rcrit...@redhat.com Date: Thu, 8 Sep 2011 13:47:37 -0400 Subject: [PATCH] Don't allow a OTP to be set on an enrolled host Setting a password invalidates the existing keytab https://fedorahosted.org/freeipa/ticket/1719 --- ipalib/plugins/host.py |8 1 files changed, 8 insertions(+), 0 deletions(-) diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py index 76f2045..6c6ad7d 100644 --- a/ipalib/plugins/host.py +++ b/ipalib/plugins/host.py @@ -604,6 +604,14 @@ class host_mod(LDAPUpdate): ) def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): +# Allow an existing OTP to be reset but don't allow a OTP to be +# added to an enrolled host. +if 'userpassword' in options: +entry = {} +self.obj.get_password_attributes(ldap, dn, entry) +if not entry['has_password'] and entry['has_keytab']: +raise errors.ValidationError(name='password', error=_('Password cannot be set on enrolled host.')) + # Once a principal name is set it cannot be changed if 'cn' in entry_attrs: raise errors.ACIError(info='cn is immutable') -- 1.7.6 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
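Review bot: in the host_mod.pre_callback hunk, the guard is `if not entry['has_password'] and entry['has_keytab']`, so a host that still carries an unused OTP and also has a keytab is allowed through, although the commit message says setting a password invalidates the existing keytab; if resetting a leftover OTP on an enrolled host is meant to be allowed, the comment above the check should say why the keytab is not a concern in that case, otherwise the condition should be just `entry['has_keytab']`. Also, `'userpassword' in options` is a presence test; if the framework can hand pre_callback a userpassword key with a None value, use `options.get('userpassword')` so that an absent password does not trigger an extra LDAP read and a spurious ValidationError. The read-then-modify sequence is not atomic with the update that follows, which is acceptable here but deserves a one-line comment.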
Re: [Freeipa-devel] [PATCH] 38 Move Managed Entries into their own container in the replicated space.
On Sep 8, 2011, at 10:41 AM, JR Aquino wrote:
> On Sep 8, 2011, at 10:06 AM, JR Aquino wrote:
> > On Sep 8, 2011, at 4:38 AM, Martin Kosek wrote:
> > > On Tue, 2011-09-06 at 22:33 +, JR Aquino wrote:
> > > > On Jul 22, 2011, at 6:54 AM, Martin Kosek wrote:
> > > > > On Thu, 2011-07-21 at 23:00 +, JR Aquino wrote:
> > > > > > Create: cn=Managed Entries,cn=etc,$SUFFIX
> > > > > > Create: cn=Definitions,cn=Managed Entries,cn=etc,$SUFFIX
> > > > > > Create: cn=Templates,cn=Managed Entries,cn=etc,$SUFFIX
> > > > > >
> > > > > > Create method for migrating any and all custom Managed Entries from the cn=config space into the new container.
> > > > > >
> > > > > > The Managed Entries plugin configurations weren't being created on replica installs.
> > > > > >
> > > > > > This patch addresses two separate tickets and accounts for new installs, replica installs, and upgrades.
> > > > > >
> > > > > > https://fedorahosted.org/freeipa/ticket/1181 - Managed Entry Tool / New Container
> > > > > > A separate patch will cover the management tool
> > > > > >
> > > > > > https://fedorahosted.org/freeipa/ticket/1222 - Add Managed Entries during Replica installation extended solution
> > > > >
> > > > > I found a few issues with the patch (tested along with 25):
> > > > >
> > > > > 1) When upgrading an old instance, NGP and UGP definitions in cn=Managed Entries,cn=plugins,cn=config were not deleted. This led to 2 managed entries plugin definitions
> > > >
> > > > Fixed this condition. 389 prohibits the deletion of Managed Entries while they are active. I had to perform the repointing to the new cn=etc container, perform the migration of the legacy configs, then perform a restart of dirsrv.
> > > >
> > > > > 2) Managed entries on a replica didn't work for me. For example UPG was created on a master, but was not on a replica
> > > >
> > > > This should also be resolved now.
> > > >
> > > > > Martin
> > > >
> > > > I had to break out the connection code in update for ldapupdate.py so that connections could be reestablished post dirsrv restart. I also had to create a service class to perform the restart.
> > > >
> > > > installutils.py has been modified to provide wait_for_open_socket() similar to wait_for_open_port()
> > >
> > > Hello JR,
> > >
> > > I tested your patch, it works fine for both upgrading the replicas and new installations. Old Managed Entries definitions were successfully deleted.
> > >
> > > I just found a few issues with the patch format itself:
> > >
> > > 1) Commit message is all wrong, it's all on the Subject line which is then put to commit title during git am. I suggest using our standard commit message formatting:
> > >
> > > COMMIT_TITLE
> > >
> > > COMMIT_DESCRIPTION
> > >
> > > TRAC_TICKET_LINK
> > >
> > > 2) There were a few whitespace errors:
> > >
> > > $ git apply ~/freeipa-jraquino-0038-Move-Managed-Entries-into-their-own-container.patch
> > > /home/mkosek/freeipa-jraquino-0038-Move-Managed-Entries-into-their-own-container.patch:519: trailing whitespace.
> > > /home/mkosek/freeipa-jraquino-0038-Move-Managed-Entries-into-their-own-container.patch:526: trailing whitespace.
> > >
> > > Otherwise the patch looks good to me, if it is OK with Rob (since he wrote the entire ldapupdate.py) I think we can push it after you fix the 2 changes I proposed.
> >
> > Fixed the whitespace errors and adjusted the commit message.
> >
> > freeipa-jraquino-0038-Move-Managed-Entries-into-their-own-container.patch
>
> Self NAK
>
> Looks like I missed a piece in this recent patch that creates the cn=etc containers out of order.
>
> New patch to follow shortly

Ok.

Whitespace errors corrected
Commit Format Corrected
Order of creation for Managed Entry Container is now corrected

Martin if you could do a quick double check to make sure everything still looks clean to you. After that, I believe it just needs Rob's blessing.

binrtjvT9NWv7.bin
Description: freeipa-jraquino-0038-Move-Managed-Entries-into-their-own-container.patch
[Freeipa-devel] [PATCH] 867 detect CA install status
When using a selfsign CA you can't run ipa-ca-install at all and you can only run ipa-replica-prepare on the initial master. rob From cb2a4fd8c52602d8da8821348a5334ad7201bd57 Mon Sep 17 00:00:00 2001 From: Rob Crittenden rcrit...@redhat.com Date: Thu, 8 Sep 2011 17:21:32 -0400 Subject: [PATCH] Detect CA installation type in ipa-replica-prepare and ipa-ca-install. ipa-ca-install can only add a dogtag CA to an IPA install. ipa-replica-prepare can only be run on the initial master with a selfsign backend. https://fedorahosted.org/freeipa/ticket/1756 https://fedorahosted.org/freeipa/ticket/1757 --- install/tools/ipa-ca-install | 13 ++--- install/tools/ipa-replica-prepare |3 +++ ipaserver/install/certs.py| 13 + 3 files changed, 22 insertions(+), 7 deletions(-) diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install index 05a05dce9bf00102aa9781997f9d7f52fd5e8ba2..7ff457c96a5ccdef42f32b5fcf52807cd3f382bf 100755 --- a/install/tools/ipa-ca-install +++ b/install/tools/ipa-ca-install @@ -83,6 +83,12 @@ def main(): if not dsinstance.DsInstance().is_configured(): sys.exit(IPA server is not configured on this system.\n) +api.bootstrap(in_server=True) +api.finalize() + +if certs.ipa_self_signed(): +sys.exit('A selfsign CA can not be added') + # get the directory manager password dirman_password = options.password if not dirman_password: @@ -129,16 +135,9 @@ def main(): if not options.skip_conncheck: replica_conn_check(config.master_host_name, config.host_name, config.realm_name, True, options.admin_password) -api.bootstrap(in_server=True) -api.finalize() - # Configure the CA if necessary (CA, cs) = cainstance.install_replica_ca(config, postinstall=True) -if not CA: -# not a dogtag CA replica -sys.exit(Not a dogtag CA installation!) - # We need to ldap_enable the CA now that DS is up and running CA.ldap_enable('CA', config.host_name, config.dirman_password, util.realm_to_suffix(config.realm_name)) 
diff --git a/install/tools/ipa-replica-prepare b/install/tools/ipa-replica-prepare index 0c88244b33f46aa87f4f619a0b7053ec14fd7603..5755153e3a7ba0931abf5e020d735d9d944d7927 100755 --- a/install/tools/ipa-replica-prepare +++ b/install/tools/ipa-replica-prepare @@ -247,6 +247,9 @@ def main(): if not options.pkinit_pkcs12 and not certs.ipa_self_signed(): options.setup_pkinit = False +if certs.ipa_self_signed_master() == False: +sys.exit('A selfsign CA backend can only prepare on the original master') + try: installutils.verify_fqdn(replica_fqdn) except RuntimeError, e: diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py index ead9c815936a882784144122c6722c59478a5156..1657c75c959bab73e2d6ddbdf871ddf0d1a51b9c 100644 --- a/ipaserver/install/certs.py +++ b/ipaserver/install/certs.py @@ -65,6 +65,19 @@ def ipa_self_signed(): else: return False +def ipa_self_signed_master(): + +The selfsign backend is enabled only one a single master. + +Return True/False whether this is that master. + +Returns None if not a self-signed server. + +if ipa_self_signed(): +return api.env.enable_ra +else: +return None + def find_cert_from_txt(cert, start=0): Given a cert blob (str) which may or may not contian leading and -- 1.7.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
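Review bot: in the first ipa-ca-install hunk (@@ -83,6 +83,12 @@) the new `certs.ipa_self_signed()` guard correctly sits before the Directory Manager password prompt, so a selfsign install now fails fast without asking for credentials; moving `api.bootstrap(in_server=True)` / `api.finalize()` ahead of it is required, since the certs.py helpers in this same patch read `api.env` and need a finalized api. Two small points: the exit message 'A selfsign CA can not be added' would be clearer as 'A dogtag CA cannot be added to a selfsign CA installation', and a one-line comment above the bootstrap call explaining why it was moved this early would save the next reader from moving it back.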
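Review bot: in the second ipa-ca-install hunk (@@ -129,16 +135,9 @@) dropping the `if not CA: sys.exit(...)` guard leaves `CA.ldap_enable(...)` to dereference `None` whenever `cainstance.install_replica_ca()` returns no CA, for example when the replica file was prepared without CA data; the new early selfsign check covers the local install type but says nothing about the replica file's contents. Keep a guard such as `if not CA: sys.exit('Replica file does not contain CA information')`, or have `install_replica_ca()` raise in that case, rather than relying on an AttributeError.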
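Review bot: in the ipa-replica-prepare hunk (@@ -247,6 +247,9 @@) `certs.ipa_self_signed_master() == False` should be `is False`: the helper is deliberately tri-state (`None` means "not a selfsign server, let it through"), and `== False` also matches `0` or any other false-but-not-`None` value if `enable_ra` ever comes back as something other than a bool, which would wrongly block replica preparation on a dogtag master. A short comment stating that `None` is intentionally allowed through would make the tri-state contract visible at the call site.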
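Review bot: in the certs.py hunk (@@ -65,6 +65,19 @@) the docstring reads 'enabled only one a single master'; it should be 'only on a single master'. The function also returns `api.env.enable_ra` as-is while the caller in ipa-replica-prepare compares the result against `False`, so either return `bool(api.env.enable_ra)` or document the exact type the caller may expect. Please also confirm that `api` is already imported in certs.py, since the hunk does not show the import.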