Re: [Freeipa-devel] [PATCH] 265 Fixed layout problem in permission adder dialog.

2011-09-09 Thread Petr Vobornik

On 09/08/2011 06:51 PM, Endi Sukma Dewata wrote:
> On 9/8/2011 11:13 AM, Petr Vobornik wrote:
>> In IPA.details_table_section:
>> 1) not renamed list_section_create method
>
> Fixed.
>
>> Code clean-up in aci.js:
>> 2) IPA.rights_section can be deleted and replaced by spec object usage.
>> It doesn't add any functionality.
>
> Fixed.
>
>> 3) IPA.permission_details_facet can be deleted - it isn't used anywhere.
>
> Fixed.

ACK

--
Petr Vobornik

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH] 266 Fixed sudo rule association dialogs.

2011-09-09 Thread Petr Vobornik

On 09/08/2011 06:53 PM, Endi Sukma Dewata wrote:
> On 9/8/2011 10:28 AM, Endi Sukma Dewata wrote:
>> The adder dialogs for the user and host tables in sudo rule details
>> page have been fixed to use --not-in-sudorules to avoid showing
>> entries that are already added into the rule either directly or
>> indirectly via groups.
>>
>> This does not apply to the command and run-as tables because they
>> do not support such an option.
>>
>> Ticket #1768
>
> Wrong email title. It should be patch #266.

ACK

--
Petr Vobornik



Re: [Freeipa-devel] [PATCH] 012 Fixed inconsistency in enabling delete buttons

2011-09-09 Thread Petr Vobornik

On 09/07/2011 09:06 PM, Endi Sukma Dewata wrote:
> On 9/7/2011 7:16 AM, Petr Vobornik wrote:
>> https://fedorahosted.org/freeipa/ticket/1640
>> ..
>
> One issue, in HBAC/sudo rules details page if the category is changed
> from 'all' to 'specific', the Delete button will be enabled although
> there are no entries selected.
>
> See the set_enabled() in IPA.association_table_widget. I think if the
> parameter is true it should enable only the Add button. If the parameter
> is false it should disable both Add and Delete buttons and call unselect_all().

Fixed

--
Petr Vobornik
From ef769ee328dfd0d2293ec3095ddf021eea1fd3ed Mon Sep 17 00:00:00 2001
From: Petr Vobornik pvobo...@redhat.com
Date: Wed, 7 Sep 2011 13:57:47 +0200
Subject: [PATCH] Fixed inconsistency in enabling delete buttons

https://fedorahosted.org/freeipa/ticket/1640

On the HBAC Rules page, where the rules are listed, if no rule is selected, the Delete button is not enabled, and cannot be clicked on.
But edit a Rule, and Delete button is enabled in the available sections - regardless of, if an object is selected to be deleted or not, or even if there is no object to be selected to delete.

One can click on this button...but then - there is no message indicating that something should be selected for deletion for this button to do anything.

Notes:
 * fixed association_table_widget and association_facet
---
 install/ui/association.js |   40 +++-
 1 files changed, 35 insertions(+), 5 deletions(-)

diff --git a/install/ui/association.js b/install/ui/association.js
index 1c9776b0e6c596be4dd07665b141891d2e7d4ba0..b999f0eade03bc2ab2f2a55d7baadb008ce0d9b7 100644
--- a/install/ui/association.js
+++ b/install/ui/association.js
@@ -352,24 +352,25 @@ IPA.association_table_widget = function (spec) {
 
 that.table_create(container);
 
-var remove_button = IPA.action_button({
+that.remove_button = IPA.action_button({
 name: 'remove',
 label: IPA.messages.buttons.remove,
 icon: 'remove-icon',
+'class': 'action-button-disabled',
 click: function() {
-if (!remove_button.hasClass('action-button-disabled')) {
+if (!that.remove_button.hasClass('action-button-disabled')) {
 that.remove_handler();
 }
 return false;
 }
 }).appendTo(that.buttons);
 
-var add_button = IPA.action_button({
+that.add_button = IPA.action_button({
 name: 'add',
 label: IPA.messages.buttons.add,
 icon: 'add-icon',
 click: function() {
-if (!add_button.hasClass('action-button-disabled')) {
+if (!that.add_button.hasClass('action-button-disabled')) {
 that.add_handler();
 }
 return false;
@@ -420,9 +421,25 @@ IPA.association_table_widget = function (spec) {
 that.set_enabled = function(enabled) {
 that.table_set_enabled(enabled);
 if (enabled) {
-$('.action-button', that.table).removeClass('action-button-disabled');
+if(that.add_button) {
+that.add_button.removeClass('action-button-disabled');
+}
 } else {
 $('.action-button', that.table).addClass('action-button-disabled');
+that.unselect_all();
+}
+};
+
+that.select_changed = function() {
+
+var values = that.get_selected_values();
+
+if (that.remove_button) {
+if (values.length === 0) {
+that.remove_button.addClass('action-button-disabled');
+} else {
+that.remove_button.removeClass('action-button-disabled');
+}
 }
 };
 
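Review bot: In set_enabled() the enable branch now goes through the stored that.add_button reference, while the disable branch still relies on the $('.action-button', that.table) selector, so the two paths address the buttons in different ways. Both buttons are now kept on that, so adding the disabled class through that.add_button and that.remove_button directly would keep the branches symmetric and independent of where the buttons sit in the DOM. Style: if(that.add_button) is missing the space used in if (that.remove_button) a few lines further down.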
@@ -829,6 +846,18 @@ IPA.association_facet = function (spec) {
 that.refresh_table();
 };
 
+that.table.select_changed = function() {
+
+var values = that.table.get_selected_values();
+
+if (that.remove_button) {
+if (values.length === 0) {
+that.remove_button.addClass('action-button-disabled');
+} else {
+that.remove_button.removeClass('action-button-disabled');
+}
+}
+};
 }
 
 that.create_header = function(container) {
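Review bot: The body of that.table.select_changed repeats, line for line, the selection check added as that.select_changed in IPA.association_table_widget earlier in this patch; only the object get_selected_values() is called on differs. A shared helper that takes the table and the button would leave one copy to maintain. The handler is also assigned inside a conditional block (the closing brace right after it), so a short comment on when the facet has no such handler would help the next reader.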
@@ -842,6 +871,7 @@ IPA.association_facet = function (spec) {
 name: 'remove',
 label: IPA.messages.buttons.remove,
 icon: 'remove-icon',
+'class': 'action-button-disabled',
 click: function() {
 if (!that.remove_button.hasClass('action-button-disabled')) {
 that.show_remove_dialog();
-- 
1.7.6


Re: [Freeipa-devel] [PATCH] 121 Set bind and bind-dyndb-ldap min nvr

2011-09-09 Thread Alexander Bokovoy
On Fri, 09 Sep 2011, Martin Kosek wrote:

> bind-dyndb-ldap will be in stable repo soon, it has already been requested:
> https://admin.fedoraproject.org/updates/bind-dyndb-ldap-1.0.0-0.1.b1.fc15
>
> bind is still in koji only, it can be downloaded here:
> http://koji.fedoraproject.org/koji/buildinfo?buildID=262773
>
> There are 2 versions of the patch - master and ipa-2-1.

ACK for both.

-- 
/ Alexander Bokovoy



[Freeipa-devel] [PATCH] 868 better handling of ipa-pki-proxy.conf

2011-09-09 Thread Rob Crittenden

- Remove ipa-pki-proxy.conf when IPA is uninstalled
- Move file removal to httpinstance.py and use remove_file()
- Add a version stanza
- Create the file if it doesn't exist on upgraded installs

https://fedorahosted.org/freeipa/ticket/1771

rob
From 7852db92caaace209b8ab226c4945c250d971ada Mon Sep 17 00:00:00 2001
From: Rob Crittenden rcrit...@redhat.com
Date: Fri, 9 Sep 2011 17:07:09 -0400
Subject: [PATCH] Improved handling for ipa-pki-proxy.conf

- Remove ipa-pki-proxy.conf when IPA is uninstalled
- Move file removal to httpinstance.py and use remove_file()
- Add a version stanza
- Create the file if it doesn't exist on upgraded installs

https://fedorahosted.org/freeipa/ticket/1771
---
 install/conf/ipa-pki-proxy.conf   |2 ++
 install/tools/ipa-server-install  |6 +-
 install/tools/ipa-upgradeconfig   |   21 +
 ipaserver/install/httpinstance.py |8 
 4 files changed, 28 insertions(+), 9 deletions(-)

diff --git a/install/conf/ipa-pki-proxy.conf b/install/conf/ipa-pki-proxy.conf
index 275f32645be6b41063ec5c20f0e0923f61efbaaa..91a99aaf9cd9ce3669fbe12450bfae1b220fa67b 100644
--- a/install/conf/ipa-pki-proxy.conf
+++ b/install/conf/ipa-pki-proxy.conf
@@ -1,3 +1,5 @@
+# VERSION 1 - DO NOT REMOVE THIS LINE
+
 ProxyRequests Off
 
 # matches for ee port
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 0572d4f2640fbb6eecb64060ebb8de1807d81aef..03cb2e06c283276b64b7fad0b448265e8c432af2 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -490,12 +490,8 @@ def uninstall():
 os.remove(ANSWER_CACHE)
 except Exception:
 pass
+
 # ipa-client-install removes /etc/ipa/default.conf
-try:
-os.remove(/etc/httpd/conf.d/ipa-rewrite.conf)
-os.remove(/etc/httpd/conf.d/ipa.conf)
-except:
-pass
 
 sstore._load()
 group_exists = sstore.restore_state(install, group_exists)
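Review bot: The comment "# ipa-client-install removes /etc/ipa/default.conf" in uninstall() is left standing alone once the os.remove() block under it is deleted, with only a blank line between it and sstore._load(). Either drop it or reword it so it says where the httpd configuration files are removed now.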
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index 4ac3092888b0daa14159d6e789e8e60f425ebb40..1b08382e40788b9be80d538607bd605320279d8e 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -52,7 +52,13 @@ def backup_file(filename, ext):
 while os.path.exists(backupfile):
 backupfile = backupfile + . + str(ext)
 
-shutil.copy2(filename, backupfile)
+try:
+shutil.copy2(filename, backupfile)
+except IOError, e:
+if e.errno == 2: # No such file or directory
+pass
+else:
+raise e
 
 def update_conf(sub_dict, filename, template_filename):
 template = ipautil.template_file(template_filename, sub_dict)
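Review bot: The new except block in backup_file() compares e.errno against the literal 2; errno.ENOENT states the same thing without needing the trailing comment. The else branch uses raise e, which re-raises from this line, where a bare raise would keep the original traceback. A missing source file now makes backup_file() return silently, so a docstring line saying that a missing file is not an error would document the new behaviour.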
@@ -93,18 +99,24 @@ def find_version(filename):
 else:
 return -1
 
-def upgrade(sub_dict, filename, template):
+def upgrade(sub_dict, filename, template, add=False):
+
+Get the version from the current and template files and update the
+installed configuration file if there is a new template.
+
+If add is True then create a new configuration file.
+
 old = int(find_version(filename))
 new = int(find_version(template))
 
-if old  0:
+if old  0 and not add:
 print %s not found. % filename
 sys.exit(1)
 
 if new  0:
 print %s not found. % template
 
-if old  new:
+if old  new or add:
 backup_file(filename, new)
 update_conf(sub_dict, filename, template)
 print Upgraded %s to version %d % (filename, new)
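Review bot: With "or add" in the last condition of upgrade(), a call with add=True backs up and rewrites the file on every run, whether or not the installed version is older than the template. If the intent is only to create the file when it is missing, tie the forced path to the not-found case (find_version() returning -1 for filename) rather than to add alone. The same condition also lets a missing template through: the "new" not-found branch prints and continues, and with add=True execution then reaches backup_file() and update_conf() with a template that was just reported missing.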
@@ -149,6 +161,7 @@ def main():
 
 upgrade(sub_dict, /etc/httpd/conf.d/ipa.conf, ipautil.SHARE_DIR + ipa.conf)
 upgrade(sub_dict, /etc/httpd/conf.d/ipa-rewrite.conf, ipautil.SHARE_DIR + ipa-rewrite.conf)
+upgrade(sub_dict, /etc/httpd/conf.d/ipa-pki-proxy.conf, ipautil.SHARE_DIR + ipa-pki-proxy.conf, add=True)
 
 try:
 if __name__ == __main__:
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 4294bee1b75c64fc3af9bee2cfaf19c45629e6b6..266d72783e380b3840600d890fbf894cd1f76133 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -281,6 +281,14 @@ class HTTPInstance(service.Service):
 logging.debug(error)
 pass
 
+# Remove the configuration files we create
+try:
+installutils.remove_file(/etc/httpd/conf.d/ipa-rewrite.conf)
+installutils.remove_file(/etc/httpd/conf.d/ipa.conf)
+installutils.remove_file(/etc/httpd/conf.d/ipa-pki-proxy.conf)
+except:
+pass
+
 sebool_state = self.restore_state(httpd_can_network_connect)
 if not sebool_state is None:
 try:
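Review bot: The three installutils.remove_file() calls share one try block with a bare except: pass, so a failure on the first file skips the other two and nothing is recorded. Looping over the three paths with a try around each call, catching a specific exception and passing it to logging.debug() as the block just above does, would remove what can be removed and leave a trace when something cannot.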
-- 
1.7.6


Re: [Freeipa-devel] [PATCH] 1 Add ipa-adtrust-install utility

2011-09-09 Thread Simo Sorce
On Thu, 2011-09-08 at 14:39 +0200, Sumit Bose wrote:
> On Thu, Sep 08, 2011 at 02:06:44PM +0200, Martin Kosek wrote:
>> On Thu, 2011-09-08 at 13:52 +0200, Sumit Bose wrote:
>>> On Wed, Sep 07, 2011 at 06:10:50PM -0400, Simo Sorce wrote:
>>>> On Tue, 2011-08-30 at 16:40 +0200, Sumit Bose wrote:
>>>>> I don't think that we should run winbind.
>>>>>
>>>>> I also changed the path to the smb.conf file from /etc/ipa
>>>>> to /etc/samba
>>>>> which makes the change to /etc/sysconfig/samba unnecessary.
>>>>>
>>>>> Thanks for review.
>>>>
>>>> Ok tested this today, after I was able to tame my machine.
>>>>
>>>> Some issues and comments still.
>>>>
>>>> 1) If you just run ipa-adtrust-install it throws an error about an
>>>> Illegal netbios name and quits. That's not right, as it should ask for
>>>> the netbios name if one is not provided on the command line presenting a
>>>> default option (based on the last domain component uppercased maybe),
>>>
>>> fixed
>>>
>>>> 2) I see the way you write the temp smb.conf is by using a lot of
>>>> fd.write() calls. It would be much easier instead to use the templating
>>>> engine we use elsewhere in the code and drop a template file in
>>>> install/share, this will allow us to easily tweak the initial
>>>> installation options w/o touching the python code every time.
>>>
>>> fixed
>>>
>>> new version attached.
>>>
>>> bye,
>>> Sumit
>>>
>>>> 3) Everything installed and started but my smbd coredump immediately
>>>> after. It is almost certainly not a problem in your patch though :-)
>>>>
>>>> So jokes aside if you fix 1 and 2 I think we can push to master.
>>>>
>>>> Simo.
>>>>
>>>> --
>>>> Simo Sorce * Red Hat, Inc * New York
>>
>> Only one nitpick from me. The new man page header should be changed
>> according to our last man page consolidation effort in ticket 1687 so
>> that it is consistent with the others. In your case, the header should
>> be:
>>
>> +.TH ipa-adtrust-install 1 Aug 23 2011 FreeIPA FreeIPA Manual Pages
>>
>> Plus, --netbios-name option is not covered in the man page.
>
> Thank you for the feedback, I fixed it accordingly. New version
> attached.

NACK

Ok I spent an afternoon with gd's packages trying to get the install
to work.
I have it finally start smbd if run manually.

Quite a few things needed to be changed in the configuration to get it
to start smbd (not a working solution yet though).

First of all for some reason passdb backend would use the hostname
instead of the ldapi socket. This seems to be fixed in the latest patch
(the install had been done with the previous)

- ldap ssl needs to be set to off, as dirsrv does not allow (nor do we want) to
use start tls on ldapi
I had to use: net conf setparms global 'ldap ssl' off

- ldap suffix = cn=accounts,dc=ipa,dc=test is definitely not right.
This is not fixed in the current patch either.

It should be ldap suffix = $SUFFIX

- log file directive is unusual: %d causes each log file to be created
with the pid number, that is very annoying when you want to see the logs
of a specific machine, please change it to use %m

- No service principal is created for cifs/fqdn

- No directive to tell samba to use the system keytab. you should
probably set 'kerberos method = system keytab'


I couldn't test everything due to other issues I found and need to
investigate in both the samba packages and krb5kdc segfaulting on me
when I try to use smbclient -k yes :-(

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
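
The configuration points raised in the review above can be checked mechanically. The following is an added example, not part of the original message or of the FreeIPA code: it lints the [global] section of an smb.conf template for the four settings the review names. The function name lint_smb_template and both sample fragments are constructed for illustration.

```python
import configparser

# Constructed fragment with the settings the review objected to.
BEFORE = """\
[global]
ldap ssl = start tls
ldap suffix = cn=accounts,dc=ipa,dc=test
log file = /var/log/samba/log.%d
"""

# Constructed fragment after applying the review comments.
AFTER = """\
[global]
ldap ssl = off
ldap suffix = $SUFFIX
log file = /var/log/samba/log.%m
kerberos method = system keytab
"""


def _norm(name):
    # smb.conf ignores case and whitespace in section and parameter names.
    return "".join(name.split()).lower()


def lint_smb_template(text):
    """Return the review findings for the [global] section of a template."""
    # RawConfigParser does no % interpolation, so %m and %d pass through.
    cp = configparser.RawConfigParser(delimiters=("=",), strict=False)
    cp.optionxform = str  # keep names as written; _norm() does the folding
    cp.read_string(text)
    params = {}
    for section in cp.sections():
        if _norm(section) == "global":
            for key, value in cp.items(section):
                params[_norm(key)] = value.strip()

    findings = []
    if params.get("ldapssl", "").lower() != "off":
        findings.append("ldap ssl: set to off, start tls is not used on ldapi")
    if params.get("ldapsuffix") != "$SUFFIX":
        findings.append("ldap suffix: use the $SUFFIX template variable")
    if "%d" in params.get("logfile", ""):
        findings.append("log file: %d names logs by pid, use %m")
    if params.get("kerberosmethod", "").lower() != "system keytab":
        findings.append("kerberos method: set to 'system keytab'")
    return findings


if __name__ == "__main__":
    for finding in lint_smb_template(BEFORE):
        print(finding)
```
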



[Freeipa-devel] [PATCH] 268 Fixed labels for run-as users and groups.

2011-09-09 Thread Endi Sukma Dewata

The labels for the run-as users and groups tables in sudo rule details
page have been modified to improve the clarity.

Ticket #1752

--
Endi S. Dewata
From c05edd38c54994a295c3d7d15477bd87a599ee0d Mon Sep 17 00:00:00 2001
From: Endi S. Dewata edew...@redhat.com
Date: Fri, 9 Sep 2011 18:58:52 -0500
Subject: [PATCH] Fixed labels for run-as users and groups.

The labels for the run-as users and groups tables in sudo rule details
page have been modified to improve the clarity.

Ticket #1752
---
 install/ui/association.js  |4 +++-
 install/ui/sudo.js |3 +++
 install/ui/test/data/ipa_init.json |3 +++
 ipalib/plugins/internal.py |3 +++
 4 files changed, 12 insertions(+), 1 deletions(-)

diff --git a/install/ui/association.js b/install/ui/association.js
index a9cce8e841edbd75ed1de6c1e103f41fd2775a95..2adc6f5af955b87fb481179f03e21031100e2098 100644
--- a/install/ui/association.js
+++ b/install/ui/association.js
@@ -292,6 +292,8 @@ IPA.association_table_widget = function (spec) {
 that.other_entity = spec.other_entity;
 that.attribute_member = spec.attribute_member;
 
+that.label = that.label || IPA.metadata.objects[that.other_entity].label;
+
 that.associator = spec.associator || IPA.bulk_associator;
 that.add_method = spec.add_method || 'add_member';
 that.remove_method = spec.remove_method || 'remove_member';
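Review bot: that.label is now resolved when the widget is constructed, so IPA.metadata.objects[that.other_entity].label is evaluated for every widget created without a label, not only for those that reach the default column in the !that.columns.length branch. If other_entity has no entry in IPA.metadata.objects the lookup throws during construction; guarding the metadata object, or keeping the fallback lazy at the create_column() call, would avoid that.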
@@ -324,7 +326,7 @@ IPA.association_table_widget = function (spec) {
 if (!that.columns.length) {
 that.create_column({
 name: that.name,
-label: IPA.metadata.objects[that.other_entity].label,
+label: that.label,
 entity_name: that.other_entity,
 primary_key: true,
 link: true
diff --git a/install/ui/sudo.js b/install/ui/sudo.js
index 4806c17b33d3b38e827453aa47f412db4785f905..43e7c50dba26335174cdb3da61025bec8ebf7b57 100644
--- a/install/ui/sudo.js
+++ b/install/ui/sudo.js
@@ -870,6 +870,7 @@ IPA.sudo.rule_details_runas_section = function(spec) {
 that.add_field(IPA.sudorule_association_table_widget({
 id: that.entity.name+'-runasruser_user',
 name: 'ipasudorunas_user',
+label: IPA.messages.objects.sudorule.runas_users,
 add_method: 'add_runasuser',
 remove_method: 'remove_runasuser',
 add_title: IPA.messages.association.add.ipasudorunas,
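Review bot: The id on the context line just above the new label reads '-runasruser_user', with an extra "r" compared with '-runasuser_group' in the next field of the same section. If nothing depends on the misspelled id, this is a convenient place to correct it, since the patch already touches each of these widget definitions.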
@@ -878,6 +879,7 @@ IPA.sudo.rule_details_runas_section = function(spec) {
 that.add_field(IPA.sudorule_association_table_widget({
 id: that.entity.name+'-runasuser_group',
 name: 'ipasudorunas_group',
+label: IPA.messages.objects.sudorule.groups_of_runas_users,
 add_method: 'add_runasuser',
 remove_method: 'remove_runasuser',
 add_title: IPA.messages.association.add.ipasudorunas,
@@ -902,6 +904,7 @@ IPA.sudo.rule_details_runas_section = function(spec) {
 that.add_field(IPA.sudorule_association_table_widget({
 id: that.entity.name+'-runasgroup_group',
 name: 'ipasudorunasgroup_group',
+label: IPA.messages.objects.sudorule.runas_groups,
 add_method: 'add_runasgroup',
 remove_method: 'remove_runasgroup',
 add_title: IPA.messages.association.add.ipasudorunasgroup,
diff --git a/install/ui/test/data/ipa_init.json b/install/ui/test/data/ipa_init.json
index e15c2618814ef9a6714fc1fcda4ce8ac75f5e09b..9f02cd1864e2798430b9cd3c547aa76eb1c86f83 100644
--- a/install/ui/test/data/ipa_init.json
+++ b/install/ui/test/data/ipa_init.json
@@ -16211,11 +16211,14 @@
 command: Run Commands,
 deny: Deny,
 external: External,
+groups_of_runas_users: Groups of RunAs Users,
 host: Access this host,
 inactive: Inactive,
 ipaenabledflag: Rule status,
 options: Options,
 runas: As Whom,
+runas_groups: RunAs Groups,
+runas_users: RunAs Users,
 specified_commands: Specified Commands and Groups,
 specified_groups: Specified Groups,
 specified_hosts: Specified Hosts and Groups,
diff --git a/ipalib/plugins/internal.py b/ipalib/plugins/internal.py
index b87fa27a38785f9a8034dafafd02f3ddda900173..bd1e9b97c6052f938f3f5f9c9a610a1ac4e7fca0 100644
--- a/ipalib/plugins/internal.py
+++ b/ipalib/plugins/internal.py
@@ -394,11 +394,14 @@ class i18n_messages(Command):
 command: _(Run Commands),
 deny: _(Deny),
 external: _(External),
+groups_of_runas_users: _(Groups of RunAs Users),
 host: _(Access this host),