Re: [Freeipa-devel] [PATCH] 25 Create Tool for Enabling Disabling Managed Entry
On Jul 22, 2011, at 7:05 AM, Martin Kosek wrote:

> On Thu, 2011-07-21 at 23:52 +, JR Aquino wrote:
>> On Apr 25, 2011, at 9:00 AM, Simo Sorce wrote:
>>
>>> On Mon, 2011-04-25 at 14:59 +, JR Aquino wrote:
On Apr 25, 2011, at 6:43 AM, Simo Sorce wrote:
> On Thu, 2011-04-21 at 23:28 +, JR Aquino wrote:
>> Hmmm
>> Both Private Groups and the Hostgroup -> Netgroup Managed Entries
>> create objects in the container:
>> cn=Managed Entries,cn=plugins,cn=config
>>
>> Each Ldif contains 2 ldap objects. One that lives in the main $SUFFIX,
>> and one in the cn=config
>>
>> How will these be treated by replication and the multi masters?
>
> Only the common objects in the public suffix are replicated.
> I think at some point we discussed that we should use a filter in the
> private config entry made so that we could enable/disable the plugin by
> simply making the filter result true/false.
> Thus not ever touch the entries in cn=config but simply
> "enable"/"disable" the functionality by (not)adding the appropriate
> attributes to objects so that filters would (not) match.
>
> Simo.

This tool works by toggling the originfilter: objectclass=disabled in order to turn off the plugin.

>>>
>>> But this is backwards, because originfilter is defined in the
>>> configuration entry stored in cn=config
>>>
>>> Meaning as soon as you change it one server will behave differently from
>>> the others until you go and change it on each and every server.
>>
>> Finally able to revisit this Patch / Ticket:
>> (To be used in conjunction with Patch 38)
>>
>> 25 Create Tool for Enabling/Disabling Managed Entry
>> Plugins https://fedorahosted.org/freeipa/ticket/1181
>>
>> Remove legacy ipa-host-net-manage
>> Add ipa-managed-entries tool
>> Add man page for ipa-managed-entries tool
>>
>
> I have found a few issues with the patch:
>
> 1) I don't think it's necessary to change BuildRequires to
> 389-ds-base-devel >= 1.2.8

This is no longer necessary and has been removed.

>
> 2) Invalid comment in get_dirman_password() function. There is no
> verification of the password. It just prompts it

This has been corrected

>
> 3) ipa-managed entries man pages: copy & paste error:
> +Directory Server will need to be restarted after the schema
> compatibility plugin has been enabled.

Copy / Paste Typo corrected

>
> 4) Invalid help of the program:
> # ipa-managed-entries --help
> Usage: ipa-managed-entries [options]
> ipa-managed-entries [options]
>
> - status action is missing
> - running program without action is not allowed, i.e. should not be
> offered

Corrected help entries

>
> 5) I was thinking if there is a better solution to enabling/disabling of
> the plugin. Likes setting something like "managedEntryEnabled" attribute
> to on/off as we do with compat plugin. Current concept with disabling
> the definition by damaging the originFilter and then restoring it from
> an LDIF seems a bit awkward to me.

This has been completely changed: Instead of looking to ldif files, an ldap look up is now performed to dynamically list the available managed entries.

>
> 6) ipa-managed-entries crashes when managed entry is a wrong file:
>
> # ipa-managed-entries status -f /usr/share/ipa/managed-entries.ldif
> Directory Manager password:
>
> Traceback (most recent call last):
> File "/usr/sbin/ipa-managed-entries", line 245, in
>sys.exit(main())
> File "/usr/sbin/ipa-managed-entries", line 141, in main
>originFilter = entry_attr['originFilter'][0]
> KeyError: 'originFilter'

This is no longer an issue now that it is no longer using the ldif files.

> 7) What if there are more managed entries in the LDIF? This concept
> would not work correctly then. A behavior I would expect:
> a) User (optionally) passes a directory with managed entries LDIFs
> b) ipa-managed-entries analyzes all LDIFs and prints available Managed
> Entry definitions
> c) I would choose the one I want to enable/disable via
> ipa-managed-entries option

Also no longer an issue.

> Martin
>

Corrected Patch Attached: freeipa-jraquino-0025-Create-Tool-for-Enabling-Disabling-Managed-Entries.patch

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 270 Fixed posix group checkbox.
In the adder dialog for groups the checkbox has been modified to use the correct field name "nonposix" and be checked by default. Note: This is a temporary fix to minimize the changes due to release schedule. Eventually the field label will be changed into "Non-POSIX group" and the checkbox will be unchecked by default, which is more consistent with CLI. Ticket #1799 -- Endi S. Dewata From 1dac389949b79ee83a58051c069138affa8c9894 Mon Sep 17 00:00:00 2001 From: Endi S. Dewata Date: Wed, 14 Sep 2011 12:36:58 -0500 Subject: [PATCH] Fixed posix group checkbox. In the adder dialog for groups the checkbox has been modified to use the correct field name "nonposix" and be checked by default. Note: This is a temporary fix to minimize the changes due to release schedule. Eventually the field label will be changed into "Non-POSIX group" and the checkbox will be unchecked by default, which is more consistent with CLI. Ticket #1799 --- install/ui/group.js | 21 ++--- install/ui/widget.js | 24 +++- 2 files changed, 33 insertions(+), 12 deletions(-) diff --git a/install/ui/group.js b/install/ui/group.js index 410a295d4ac98da161cee9455b910660ec608469..f8d42ea37fdbb3420008b332ca1a1717b3d36170 100644 --- a/install/ui/group.js +++ b/install/ui/group.js @@ -92,13 +92,28 @@ IPA.entity_factories.group = function () { 'cn', 'description', { -factory:IPA.checkbox_widget, -name: 'posix', +factory: IPA.nonposix_checkbox_widget, +name: 'nonposix', label: IPA.messages.objects.group.posix, undo: false, -checked: 'checked' +checked: true }, 'gidnumber'] }). build(); }; + +IPA.nonposix_checkbox_widget = function (spec) { + +spec = spec || {}; + +var that = IPA.checkbox_widget(spec); + +that.save = function() { +var value = that.checkbox_save()[0]; +// convert posix into non-posix +return [!value]; +}; + +return that; +}; \ No newline at end of file 
diff --git a/install/ui/widget.js b/install/ui/widget.js index 58698486894ce9e72842ea1cf011a5fb75286421..d4a46bd37a9ccfac48469c312d81081105816b4f 100644 --- a/install/ui/widget.js +++ b/install/ui/widget.js @@ -760,9 +760,10 @@ IPA.multivalued_text_widget = function(spec) { IPA.checkbox_widget = function (spec) { spec = spec || {}; + var that = IPA.widget(spec); -that.checked = spec.checked || ''; +that.checked = spec.checked; that.create = function(container) { @@ -773,7 +774,7 @@ IPA.checkbox_widget = function (spec) { that.input = $('', { type: 'checkbox', name: that.name, -checked : that.checked, +checked: that.checked, title: that.tooltip, change: function() { that.set_dirty(that.test_dirty()); @@ -796,17 +797,22 @@ IPA.checkbox_widget = function (spec) { }; that.update = function() { -var value = that.values && that.values.length ? that.values[0] : false; -if (value ==="FALSE"){ -value = false; -} -if (value ==="TRUE"){ -value = true; +var checked = that.checked || false; +if (that.values && that.values.length) { +var value = that.values[0]; +if (value === "FALSE") { +checked = false; +} +if (value === "TRUE") { +checked = true; +} } -that.input.attr('checked', value); +that.input.attr('checked', checked); }; +that.checkbox_save = that.save; + return that; }; -- 1.7.5.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
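Review bot: in the group.js hunk the field keeps `label: IPA.messages.objects.group.posix` while its name becomes `'nonposix'` and the new `save` returns `[!value]`, so the widget now reports the opposite of what its label says. The commit message explains this is temporary, but a comment next to `// convert posix into non-posix` pointing at ticket #1799 and the planned "Non-POSIX group" relabel would keep the next reader from reverting it as a bug. The new widget is also appended without a trailing newline (`\ No newline at end of file`).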
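Review bot: in the widget.js `that.update` hunk, any stored value other than the exact strings `"TRUE"` or `"FALSE"` now silently falls back to `that.checked || false`, whereas the removed code used `that.values[0]` directly; a boolean `true`/`false` or a lower-case value from a record would therefore display the spec default instead of the stored state. Comparing `String(value).toUpperCase()` against `"TRUE"`/`"FALSE"`, or handling booleans explicitly, would avoid that regression.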
[Freeipa-devel] [PATCH] 269 Fixed problem opening host adder dialog.
The hidden fqdn field in the host adder dialog has been changed to use a generic widget instead of text widget to avoid null pointer error since the UI elements are never created. Ticket #1788 Pushed to master and ipa-2-1 under one-liner/trivial rule. -- Endi S. Dewata From 5e7a5bdfa92cd63f96aa1484ba24d7dfc5646664 Mon Sep 17 00:00:00 2001 From: Endi S. Dewata Date: Wed, 14 Sep 2011 18:03:02 -0500 Subject: [PATCH] Fixed problem opening host adder dialog. The hidden fqdn field in the host adder dialog has been changed to use a generic widget instead of text widget to avoid null pointer error since the UI elements are never created. Ticket #1788 --- install/ui/host.js |1 + 1 files changed, 1 insertions(+), 0 deletions(-) diff --git a/install/ui/host.js b/install/ui/host.js index 7eb2e98e5235cf73b67ecc2598d794cb23f7ac72..1b11251709f87196829002e323ad408ca5184b21 100644 --- a/install/ui/host.js +++ b/install/ui/host.js @@ -121,6 +121,7 @@ IPA.entity_factories.host = function () { height: 250, fields: [ { +factory: IPA.widget, name: 'fqdn', optional: true, hidden: true -- 1.7.5.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
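Review bot: the reason for `factory: IPA.widget` on the hidden `fqdn` field lives only in the commit message; a one-line comment on that line (the field is hidden, so the text widget's inputs are never created and its methods would dereference nothing) would stop a later cleanup from restoring the default text widget and reintroducing ticket #1788.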
Re: [Freeipa-devel] [PATCH] 016 Fixed: Some widgets do not have space for validation error message
On 9/14/2011 7:23 AM, Petr Vobornik wrote:
> Forgot to update tests - to address newly added validation row in table_widget.

One issue, in all search and association facets we now have 2 rows of footer (there are 2 horizontal lines at the bottom). I think it would be better to use a single row for both summary/error messages and pagination. The messages will be left aligned, the pagination will be right aligned.

--
Endi S. Dewata
Re: [Freeipa-devel] [PATCH] 1 Add ipa-adtrust-install utility
On Wed, 2011-09-14 at 14:50 +0200, Sumit Bose wrote:
> a recent commit in master made another change necessary. Additionally I
> renamed smbinstance to adtrustinstance and check for more samba client
> binaries which are needed by the utility. New version attached.

Tested and works great!

ACK, Pushed to master.

Simo.

>

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-devel] Upgrading a machine to use the proxy.
On 09/14/2011 04:46 PM, Rob Crittenden wrote:
> Adam Young wrote:
>> To convert an older build where the PKI system wasn't proxied:
>>
>> awk '{print $0} /Define an AJP 1.3 Connector on port/ {print "> port=\"9447\" protocol=\"AJP/1.3\" redirectPort=\"9444\" />}" }' /etc/pki-ca/server.xml > server.xml.new ; mv server.xml.new /etc/pki-ca/server.xml
>>
>> sed -e "s/\[PKI_MACHINE_NAME\]/$HOSTNAME/g" -e "s/\[PKI_AJP_PORT\]/9444/g" /usr/share/pki/ca/conf/proxy.conf > /etc/pki-ca/proxy.conf
>>
>> I've used the default ports here. Adjust if you've altered yours.
>>
>> IPA copies the proxy.conf file into /etc/httpd/conf.d and renames it.
>> You can do the same thing by hand.
>>
>> I'm not sure if this should go into PKI or IPA.
>
> Since these are dogtag configuration files I think dogtag needs to
> handle updating them.
>
Agree.
> rob
>

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-devel] Upgrading a machine to use the proxy.
Adam Young wrote:
> To convert an older build where the PKI system wasn't proxied:
>
> awk '{print $0} /Define an AJP 1.3 Connector on port/ {print "}" }' /etc/pki-ca/server.xml > server.xml.new ; mv server.xml.new /etc/pki-ca/server.xml
>
> sed -e "s/\[PKI_MACHINE_NAME\]/$HOSTNAME/g" -e "s/\[PKI_AJP_PORT\]/9444/g" /usr/share/pki/ca/conf/proxy.conf > /etc/pki-ca/proxy.conf
>
> I've used the default ports here. Adjust if you've altered yours.
>
> IPA copies the proxy.conf file into /etc/httpd/conf.d and renames it.
> You can do the same thing by hand.
>
> I'm not sure if this should go into PKI or IPA.

Since these are dogtag configuration files I think dogtag needs to handle updating them.

rob
[Freeipa-devel] [PATCH] 874 suppress managed netgroups as indirect members of hosts
Suppress managed netgroups as indirect members of hosts. This enhances a previous patch that I did for hostgroups. rob >From 5ab1b8b8f82e419c4b6c80e01e6a0805ab62bffe Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Wed, 14 Sep 2011 16:33:33 -0400 Subject: [PATCH] Suppress managed netgroups as indirect members of hosts. By design these managed netgroups are not supposed to show unless you specifically want to see them. https://fedorahosted.org/freeipa/ticket/1738 --- ipalib/plugins/host.py| 34 ++ tests/test_xmlrpc/test_nesting.py |2 +- 2 files changed, 35 insertions(+), 1 deletions(-) diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py index 4230c44..52907ee 100644 --- a/ipalib/plugins/host.py +++ b/ipalib/plugins/host.py @@ -339,6 +339,23 @@ class host(LDAPObject): return managed_hosts +def suppress_netgroup_memberof(self, entry_attrs): +""" +We don't want to show managed netgroups so remove them from the +memberofindirect list. +""" +ng_container = DN(api.env.container_netgroup, api.env.basedn) +if 'memberofindirect' in entry_attrs: +for member in entry_attrs['memberofindirect']: +memberdn = DN(member) +if memberdn.endswith(ng_container): +try: +netgroup = api.Command['netgroup_show'](memberdn['cn'], all=True)['result'] +if self.has_objectclass(netgroup['objectclass'], 'mepmanagedentry'): +entry_attrs['memberofindirect'].remove(member) +except errors.NotFound: +pass + api.register(host) @@ -681,6 +698,8 @@ class host_mod(LDAPUpdate): if options.get('all', False): entry_attrs['managing'] = self.obj.get_managed_hosts(dn) +self.obj.suppress_netgroup_memberof(entry_attrs) + return dn api.register(host_mod) @@ -706,6 +725,7 @@ class host_find(LDAPSearch): (dn, entry_attrs) = entry set_certificate_attrs(entry_attrs) self.obj.get_password_attributes(ldap, dn, entry_attrs) +self.obj.suppress_netgroup_memberof(entry_attrs) if entry_attrs['has_password']: # If an OTP is set there is no keytab, at least not one # fetched anywhere. 
@@ -741,6 +761,8 @@ class host_show(LDAPRetrieve): if options.get('all', False): entry_attrs['managing'] = self.obj.get_managed_hosts(dn) +self.obj.suppress_netgroup_memberof(entry_attrs) + return dn def forward(self, *keys, **options): @@ -843,6 +865,10 @@ class host_disable(LDAPQuery): value=keys[0], ) +def post_callback(self, ldap, dn, entry_attrs, *keys, **options): +self.obj.suppress_netgroup_memberof(entry_attrs) +return dn + api.register(host_disable) class host_add_managedby(LDAPAddMember): @@ -852,6 +878,10 @@ class host_add_managedby(LDAPAddMember): has_output_params = LDAPAddMember.has_output_params + host_output_params allow_same = True +def post_callback(self, ldap, completed, failed, dn, entry_attrs, *keys, **options): +self.obj.suppress_netgroup_memberof(entry_attrs) +return (completed, dn) + api.register(host_add_managedby) @@ -861,4 +891,8 @@ class host_remove_managedby(LDAPRemoveMember): member_attributes = ['managedby'] has_output_params = LDAPRemoveMember.has_output_params + host_output_params +def post_callback(self, ldap, completed, failed, dn, entry_attrs, *keys, **options): +self.obj.suppress_netgroup_memberof(entry_attrs) +return (completed, dn) + api.register(host_remove_managedby) diff --git a/tests/test_xmlrpc/test_nesting.py b/tests/test_xmlrpc/test_nesting.py index cb2d1d0..a855960 100644 --- a/tests/test_xmlrpc/test_nesting.py +++ b/tests/test_xmlrpc/test_nesting.py @@ -815,7 +815,7 @@ class test_nesting(Declarative): managedby_host=[fqdn1], memberof_hostgroup = [u'testhostgroup2'], memberofindirect_hostgroup = [u'testhostgroup1'], -memberofindirect_netgroup = [u'testhostgroup1', u'testhostgroup2'], +memberofindirect_netgroup = [u'testhostgroup2'], ), ), ), -- 1.7.6 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
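Review bot: in the `suppress_netgroup_memberof` hunk, `entry_attrs['memberofindirect'].remove(member)` is called inside `for member in entry_attrs['memberofindirect']:`, and removing from the list being iterated skips the element that follows each removal, so of two adjacent managed netgroups the second stays in the output. Iterate over a copy (`for member in list(entry_attrs['memberofindirect']):`) or build a filtered list and assign it back.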
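Review bot: the same hunk issues a full `api.Command['netgroup_show'](..., all=True)` call for every DN under the netgroup container, and the `host_find` hunk repeats that per returned host, so a search over many hosts with many netgroups turns into a large number of LDAP round trips; one search of the netgroup container filtered on `objectclass=mepmanagedentry` (or fetching `objectclass` for the candidate DNs in a single query) would bound the cost. The `except errors.NotFound: pass` also hides stale `memberofindirect` values completely; a debug log line there would help when one is hit.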
Re: [Freeipa-devel] [PATCH] 872 allow csr file to be provided interactively
On Wed, 2011-09-14 at 11:29 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > On Wed, 2011-09-14 at 14:23 +0200, Martin Kosek wrote:
> >> On Tue, 2011-09-13 at 14:35 -0400, Rob Crittenden wrote:
> >>> Add an escape clause to the CSR validator in the cert plugin. If the csr
> >>> is a file just return and let the load_files() call slurp in the
> >>> contents. It will still get validated.
> >>>
> >>> rob
> >>
> >> This works fine for CSR file.
> >>
> >> Shouldn't we fix this also for other File params? For example,
> >> entitle-import command will be affected as well:
> >>
> >> takes_args = (
> >> File('usercertificate*', validate_certificate,
> >> cli_name='certificate_file',
> >> ),
> >> )
> >>
> >> We can create a separate ticket for entitle-import if you want.
> >>
> >> Martin
> >
> > Oh, and one more thing - API.txt has to be updated since you added a
> > label to the CSR parameter.
> >
> > Martin
> >
>
> Updated patch with API attached. I had that fixed, dropped my changes,
> re-made them and forgot to update API again.
>
> entitle-import doesn't have stdin_if_missing set so will only read from
> a file, there is no interactive option.
>
> rob

ACK. Pushed to master, ipa-2-1.

Martin
[Freeipa-devel] Structured DNS record API proposal
Attached in the txt file. If you have any comments or suggestions to this proposal, please let me know.

https://fedorahosted.org/freeipa/ticket/1766

This is a proposal for API for per-DNS-type interface in FreeIPA.

There are many structured DNS RR types where DNS data is not just an IP address or a domain name, but a (often complex) data structure. Example of adding a structured DNS RR (LOC in this case):

ipa dnsrecord-add example.com @ --loc-rec "49 11 42.4 N 16 36 29.6 E 227.64m"

It may be difficult to enter such a DNS record to FreeIPA without making an error (which would lead to an invalid zone in this case). For this reason, I have created at least basic validators in my patch 120 (ticket 1106).

GOAL:
Create API useful for both CLI and WebUI capable of creating these structured DNS types

CURRENT API:
ipa dnsrecord-add     Add new DNS resource record.
ipa dnsrecord-del     Delete DNS resource record.
ipa dnsrecord-find    Search for DNS resources.
ipa dnsrecord-mod     Modify a DNS resource record.
ipa dnsrecord-show    Display DNS resource.

PROPOSED API IMPROVEMENT:
Proposed API for all supported structured DNS follows:

ipa dnsrecord-afsdb-add --subtype=INT --hostname=STR
ipa dnsrecord-cert-add --type=ENUM --tag=INT --algorithm=ENUM --certificate=STR
ipa dnsrecord-ds-add --tag=INT --algorithm=ENUM --type=ENUM --digest=STR
ipa dnsrecord-key-add --flags=LIST --protocol=INT --algorithm=ENUM --digest=STR
ipa dnsrecord-kx-add --preference=INT --exchanger=STR
ipa dnsrecord-loc-add --lat-deg=INT --lat-min=INT --lat-sec=FLOAT --lat-dir=ENUM --lon-deg=INT --lon-min=INT --lon-sec=FLOAT --lon-dir=ENUM --alt=FLOAT --h-precision=FLOAT --v-precision=FLOAT
ipa dnsrecord-mx-add --priority=INT --mailserver=STR
ipa dnsrecord-nsec-add --next=STR --types=LIST
ipa dnsrecord-naptr-add --order=INT --preference=INT --flag=ENUM --service=STR --regexp=STR --replacement=STR
ipa dnsrecord-sig-add --type=ENUM --algorithm=ENUM --labels=INT --original-ttl=INT --sig-expiration=INT --sig-inception=INT --tag=INT --signer=STR --signature=STR
ipa dnsrecord-srv-add --priority=INT --weight=INT --port=INT --target=STR
ipa dnsrecord-sshfp-add --algorithm=ENUM --type=ENUM --fingerprint=STR
ipa dnsrecord-rrsig-add --type=ENUM --algorithm=ENUM --labels=INT --original-ttl=INT --sig-expiration=INT --sig-inception=INT --tag=INT --signer=STR --signature=STR

To support also modification of current records (i.e. replacement) we can add a "mod" equivalent, e.g.:

ipa dnsrecord-afsdb-mod --subtype=INT --hostname=STR
ipa dnsrecord-cert-mod --type=ENUM --tag=INT --algorithm=ENUM --certificate=STR
...

I think this is what WebUI guys will want.

EXAMPLE OF OPTIONS:
The available options for particular RR types will be based on RFC research I have already done for my patch 120. Let's see how the API will look.

1) LOC record example noted in the beginning:

ipa dnsrecord-loc-add example.com @ --lat-deg=49 --lat-min=11 --lat-sec=42.4 --lat-dir=N --lon-deg=16 --lon-min=36 --lon-sec=29.6 --lon-dir=E --alt=227.64

A good thing about options is that we can divide them into mandatory and optional and provide defaults. In this case, one can enter an imprecise LOC record with:

ipa dnsrecord-loc-add example.com @ --lat-deg=49 --lat-dir=N --lon-deg=16 --lon-dir=E

2) Another example with CERT RR type:

CURRENT API:
ipa dnsrecord-add example.com foo --cert-rec="1 0 5 MIIDfzCCAuigAwIBAgIKcYxqqAAAFzANBgkqhkiG9w0BAQUFADAVMRMwEQYDVQQDEwpVTS1BTUFMR0ExMB4XDTEwMDYwMTE3NTM1NVoXDTExMDYwMTE4MDM1NVowgY0xCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJXQTEQMA4GA1UEBxMHUmVkbW9uZDEMMAoG"

NEW API:
ipa dnsrecord-cert-add example.com foo --type=PKIX --tag=0 --algorithm=RSASHA1 --certificate=MIIDfzCCAuigAwIBAgIKcYxqqAAAFzANBgkqhkiG9w0BAQUFADAVMRMwEQYDVQQDEwpVTS1BTUFMR0ExMB4XDTEwMDYwMTE3NTM1NVoXDTExMDYwMTE4MDM1NVowgY0xCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJXQTEQMA4GA1UEBxMHUmVkbW9uZDEMMAoG"
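The LOC case above is the one where the proposal's validation argument bites: the text form taken by `--loc-rec` and the structured `--lat-*`/`--lon-*`/`--alt`/`--h-precision`/`--v-precision` options are two views of the same RFC 1876 record. The following is an added example, not FreeIPA code from the proposal or its patch 120: `parse_loc` splits the presentation string into the proposed option names (with `_` for `-`) and rejects values that would produce an invalid zone, and `format_loc` builds the string back from the options, filling in defaults for the optional fields so the "imprecise" invocation works. It assumes an altitude default of 0 m (the proposal does not state one) and keeps the RFC's `size` field, which the proposed option list omits, under its own key.

```python
# Constructed sample: the LOC record quoted in the proposal.
SAMPLE_LOC = "49 11 42.4 N 16 36 29.6 E 227.64m"

# Defaults for the optional fields. size/h_precision/v_precision are the
# RFC 1876 defaults; defaulting the altitude to 0 m is an assumption here.
LOC_DEFAULTS = {"alt": 0.0, "size": 1.0, "h_precision": 10000.0,
                "v_precision": 10.0}

# Metre-valued fields in the order they follow the longitude, with the
# ranges RFC 1876 allows. "size" is not in the proposal's option list.
METRE_FIELDS = (("alt", -100000.0, 42849672.95),
                ("size", 0.0, 90000000.0),
                ("h_precision", 0.0, 90000000.0),
                ("v_precision", 0.0, 90000000.0))


def _metres(token, name, low, high):
    """Convert a '227.64m' style token to float and range-check it."""
    if token.endswith("m"):
        token = token[:-1]
    try:
        value = float(token)
    except ValueError:
        raise ValueError("%s: not a number: %r" % (name, token))
    if not low <= value <= high:
        raise ValueError("%s: %s outside [%s, %s]" % (name, value, low, high))
    return value


def _coordinate(tokens, axis, max_deg, dirs):
    """Consume 'deg [min [sec]] DIR' from tokens; return options and the rest."""
    for i in range(1, min(4, len(tokens))):
        if tokens[i] in dirs:
            break
    else:
        raise ValueError("%s: missing direction letter (%s)" % (axis, "/".join(sorted(dirs))))
    parts, direction, rest = tokens[:i], tokens[i], tokens[i + 1:]
    deg = int(parts[0])          # degrees and minutes must be integers
    minutes = int(parts[1]) if len(parts) > 1 else 0
    seconds = float(parts[2]) if len(parts) > 2 else 0.0
    if not 0 <= deg <= max_deg:
        raise ValueError("%s_deg: %d outside [0, %d]" % (axis, deg, max_deg))
    if not 0 <= minutes <= 59:
        raise ValueError("%s_min: %d outside [0, 59]" % (axis, minutes))
    if not 0 <= seconds < 60:
        raise ValueError("%s_sec: %s outside [0, 60)" % (axis, seconds))
    if deg == max_deg and (minutes or seconds):
        raise ValueError("%s: %d degrees allows no minutes or seconds" % (axis, max_deg))
    opts = {axis + "_deg": deg, axis + "_min": minutes,
            axis + "_sec": seconds, axis + "_dir": direction}
    return opts, rest


def parse_loc(text):
    """Split a LOC presentation string into the proposed option values.
    Raises ValueError for input that would make the zone invalid."""
    tokens = text.split()
    opts, rest = _coordinate(tokens, "lat", 90, {"N", "S"})
    lon, rest = _coordinate(rest, "lon", 180, {"E", "W"})
    opts.update(lon)
    if not rest:
        raise ValueError("alt: altitude is mandatory in the text form")
    if len(rest) > len(METRE_FIELDS):
        raise ValueError("trailing data: %s" % " ".join(rest[len(METRE_FIELDS):]))
    for (name, low, high), token in zip(METRE_FIELDS, rest):
        opts[name] = _metres(token, name, low, high)
    for name, default in LOC_DEFAULTS.items():
        opts.setdefault(name, default)
    return opts


def is_valid_loc(text):
    """True if parse_loc() accepts the record, False otherwise."""
    try:
        parse_loc(text)
    except ValueError:
        return False
    return True


def _seconds(value):
    """Render seconds with up to the three decimals RFC 1876 allows."""
    return ("%.3f" % float(value)).rstrip("0").rstrip(".")


def format_loc(options):
    """Build the presentation string from the structured options, filling in
    defaults for omitted optional fields, then re-parse the result so an
    out-of-range option is rejected before it reaches the zone file."""
    o = dict(LOC_DEFAULTS)
    o.update(options)
    for key in ("lat_deg", "lat_dir", "lon_deg", "lon_dir"):
        if key not in o:
            raise ValueError("missing mandatory option --%s" % key.replace("_", "-"))
    text = "%d %d %s %s %d %d %s %s %.2fm %.2fm %.2fm %.2fm" % (
        int(o["lat_deg"]), int(o.get("lat_min", 0)),
        _seconds(o.get("lat_sec", 0.0)), o["lat_dir"],
        int(o["lon_deg"]), int(o.get("lon_min", 0)),
        _seconds(o.get("lon_sec", 0.0)), o["lon_dir"],
        o["alt"], o["size"], o["h_precision"], o["v_precision"])
    parse_loc(text)
    return text
```

Calling `format_loc({"lat_deg": 49, "lat_dir": "N", "lon_deg": 16, "lon_dir": "E"})` reproduces the imprecise invocation and yields a complete, valid record with every optional field defaulted.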
Re: [Freeipa-devel] [PATCH] 871 add hostname regex
Alexander Bokovoy wrote:
> On Tue, 13 Sep 2011, Jan Cholasta wrote:
> > What about IDN hosts? With this change we would require them to be always in Punycode?
>
> Oh, hadn't considered that, I was just following the relevant RFCs. Is there a way we can easily support those as well?
>
> The easiest way would probably be:
>
> normalizer=lambda value: unicode(value.encode('idna'))
>
> That's one part. Another one is visualizing such content -- for both Web UI and CLI we would need to run encodings.idna.ToUnicode(). Finally, make sure whatever we pass to external applications is properly formatted as well -- all of them should be able to work with xn-- form.

The UI also links the DNS hostname to the host entries so I'd think the names must be matchable in some way. If DNS can only store punycode names I think the regex will be fine.

rob
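The three steps the thread lists (IDNA-encode on input, validate the stored ASCII form against the hostname regex, ToUnicode for display) as an added example that is not FreeIPA code; the label regex is this example's own RFC 1123 style rule, not the one from patch 871, and the sample names are constructed.

```python
import re

# Constructed sample names: plain ASCII, a Unicode (IDN) name, a bad label.
SAMPLES = ["IPA.Example.COM", "bücher.example.com", "-bad-.example.com"]

# One DNS label as a hostname regex would require it: 1-63 characters,
# letters/digits/hyphen, no leading or trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalize_hostname(value):
    """The normalizer step from the thread: convert to the A-label (xn--)
    form, which is what gets stored and what external tools receive."""
    # Python's idna codec raises UnicodeError (a ValueError subclass) on an
    # empty or over-long label, so callers can catch ValueError uniformly.
    ascii_form = value.strip().rstrip(".").encode("idna").decode("ascii")
    return ascii_form.lower()


def validate_hostname(value):
    """Normalize, then apply the label regex; returns the stored form."""
    name = normalize_hostname(value)
    if len(name) > 253:
        raise ValueError("hostname longer than 253 characters: %r" % name)
    for label in name.split("."):
        if not LABEL_RE.match(label):
            raise ValueError("invalid label %r in %r" % (label, name))
    return name


def is_valid_hostname(value):
    """True if validate_hostname() accepts the name, False otherwise."""
    try:
        validate_hostname(value)
    except ValueError:
        return False
    return True


def display_hostname(stored):
    """The ToUnicode step for Web UI and CLI output of a stored name."""
    return stored.encode("ascii").decode("idna")
```

Because matching happens on the normalized form, a Unicode name entered in the UI and its xn-- form in DNS compare equal, which is the matchability Rob asks about.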
Re: [Freeipa-devel] [PATCH] 872 allow csr file to be provided interactively
Martin Kosek wrote: On Wed, 2011-09-14 at 14:23 +0200, Martin Kosek wrote: On Tue, 2011-09-13 at 14:35 -0400, Rob Crittenden wrote: Add an escape clause to the CSR validator in the cert plugin. If the csr is a file just return and let the load_files() call slurp in the contents. It will still get validated. rob This works fine for CSR file. Shouldn't we fix this also for other File params? For example, entitle-import command will be affected as well: takes_args = ( File('usercertificate*', validate_certificate, cli_name='certificate_file', ), ) We can create a separate ticket for entitle-import if you want. Martin Oh, and one more thing - API.txt has to be updated since you added a label to the CSR parameter. Martin Updated patch with API attached. I had that fixed, dropped my changes, re-made them and forgot to update API again. entitle-import doesn't have stdin_if_missing set so will only read from a file, there is no interactive option. rob >From 1d00575813aaa3ff4366f11100303fa029ad8bb4 Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Tue, 13 Sep 2011 14:25:16 -0400 Subject: [PATCH] Skip the cert validator if the csr we are passed in is a valid filename The validator will still fire, just after the load_files() call. Basically it will hit the validator twice. The first time it will exit because the value of csr is a filename. The second time it will run the validator against the contents of the file. ticket https://fedorahosted.org/freeipa/ticket/1777 --- API.txt|2 +- ipalib/plugins/cert.py |7 +++ 2 files changed, 8 insertions(+), 1 deletions(-) diff --git a/API.txt b/API.txt index 5f8e72d..aee0c88 100644 --- a/API.txt +++ b/API.txt 
@@ -420,7 +420,7 @@ arg: Str('serial_number', validate_serial_number, label=Gettext('Serial number', output: Output('result', None, None) command: cert_request args: 1,3,1 -arg: File('csr', validate_csr, cli_name='csr_file', normalizer=normalize_csr) +arg: File('csr', validate_csr, cli_name='csr_file', label=Gettext('CSR', domain='ipa', localedir=None), normalizer=normalize_csr) option: Str('principal', label=Gettext('Principal', domain='ipa', localedir=None)) option: Str('request_type', autofill=True, default=u'pkcs10') option: Flag('add', autofill=True, default=False) diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py index e32004e..aa3cf21 100644 --- a/ipalib/plugins/cert.py +++ b/ipalib/plugins/cert.py @@ -23,6 +23,7 @@ from ipalib import api, SkipPluginModule if api.env.enable_ra is not True: # In this case, abort loading this plugin module... raise SkipPluginModule(reason='env.enable_ra is not True') +import os from ipalib import Command, Str, Int, Bytes, Flag, File from ipalib import errors from ipalib import pkcs10 @@ -129,6 +130,11 @@ def validate_csr(ugettext, csr): Ensure the CSR is base64-encoded and can be decoded by our PKCS#10 parser. """ +if api.env.context == 'cli': +# If we are passed in a pointer to a valid file on the client side +# escape and let the load_files() handle things +if csr and os.path.exists(csr): +return try: request = pkcs10.load_certificate_request(csr) except TypeError, e: @@ -203,6 +209,7 @@ class cert_request(VirtualCommand): takes_args = ( File('csr', validate_csr, +label=_('CSR'), cli_name='csr_file', normalizer=normalize_csr, ), -- 1.7.6 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
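Review bot: in the `validate_csr` hunk, `os.path.exists(csr)` is also true for a directory, in which case the validator returns early and `load_files()` fails later with a less direct error; `os.path.isfile(csr)` is the tighter check. The comment above it ("pointer to a valid file on the client side") could also state what the commit message says, that the validator runs a second time on the file contents after `load_files()`, since that second pass is what keeps the early return safe.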
Re: [Freeipa-devel] [PATCH] 1 Add ipa-adtrust-install utility
On Tue, Sep 13, 2011 at 06:01:33PM +0200, Sumit Bose wrote:
> On Mon, Sep 12, 2011 at 05:24:38PM -0400, Simo Sorce wrote:
> > On Mon, 2011-09-12 at 17:53 +0200, Sumit Bose wrote:
> > [..]
> > >
> > > I can now run 'smbclient -k -L' on my test system with the recent samba
> > > patch.
> >
> > Sorry a couple more nitpicks.
> >
> > Trying to reinstall ipa-adtrust-install it returned immediately with
> > "Aborting Installation" and no explanation whatsoever. Turned out it saw
> > there was the IPA autogenerated text in smb.conf and decided to get out.
> >
> > - 2 issues here:
> > 1) no information (I had to check the code to see what reported that
> > error message), so we need a reason if we abort.
> > 2) In interactive mode we should ask if we want to proceed anyway I
> > think (to make it simpler to test it on an already enabled tree), but
> > can be convinced it is safer to just abort.
>
> interactive mode now stops and asks for confirmation
>
> >
> > - Once I fixed that by removing smb.conf and all tdbs to be sure, it
> > failed because smb.conf was not found, we should not require to find it
> > if we are going to wipe it anyway. If it is not there we should just go
> > on and create one.
> >
>
> fixed
>
> >
> > - Then it correctly detected the samba sysaccount user existed and
> > decided not to reset the password. Not sure why, if we proceed and
> > reset the password in both ldap and secrets.tdb we are sure they are the
> > same, if we don't we just risk having no password (I wiped out
> > secrets.tdb and running ipa-adtrust-install again is the fastest way to
> > get that restored). I think you should always reset that password.
>
> fixed
>
> >
> > - The installation also failed because the service entry under the
> > master entry already existed. We should probably ignore and proceed, in
> > case of existing object. Not fail.
>
> fixed, since ldap_enable() already prints a logging.critical I added
> another one which should clarify what happens.
> > > > > > > Except for these points I had to set SELinux in permissive mode in order > > to run the epmd, we need to track SELinux changes in a ticket I think. > > > > I wasn't able to test smbclient -k yes due to another bug in smbd but > > the install seem fine so far, and I was able to get a ticket for cifs/ > > w/o any issue, and auth seemed to work. > > > > So if the nitpicks above get fixed it should be the last revision. > > Yes, if you do not find another major issue it would be nice if you can > open a new ticket for new features. > > bye, > Sumit a recent commit in master made another change necesary. Additionally I renamed smbinstance to adtrustinstance and check for more samba client binaries which are needed by the utility. New version attached. bye, Sumit > > > > > Simo. > > > > -- > > Simo Sorce * Red Hat, Inc * New York > > From b7c2a3089b74a929cf28d581fd816a60d749ecc9 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Wed, 7 Sep 2011 10:17:12 +0200 Subject: [PATCH] Add ipa-adtrust-install utility https://fedorahosted.org/freeipa/ticket/1619 --- freeipa.spec.in|2 + install/po/Makefile.in |1 + install/share/Makefile.am |1 + install/share/smb.conf.template| 28 ++ install/tools/Makefile.am |1 + install/tools/ipa-adtrust-install | 249 + install/tools/man/Makefile.am |1 + install/tools/man/ipa-adtrust-install.1| 47 ipaserver/install/Makefile.am |1 + ipaserver/install/adtrustinstance.py | 281 ipaserver/install/service.py |3 +- .../test_ipaserver/install/test_adtrustinstance.py | 59 12 files changed, 673 insertions(+), 1 deletions(-) create mode 100644 install/share/smb.conf.template create mode 100755 install/tools/ipa-adtrust-install create mode 100644 install/tools/man/ipa-adtrust-install.1 create mode 100644 ipaserver/install/adtrustinstance.py create mode 100755 tests/test_ipaserver/install/test_adtrustinstance.py 
diff --git a/freeipa.spec.in b/freeipa.spec.in index 0f358fb4c34c52f2d86d1089b475e725fc6a5131..50b22b0779e77136a3a2bbc55dc8e56a6c094a8f 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -401,6 +401,7 @@ fi %doc COPYING README Contributors.txt %{_sbindir}/ipa-ca-install %{_sbindir}/ipa-dns-install +%{_sbindir}/ipa-adtrust-install %{_sbindir}/ipa-server-install %{_sbindir}/ipa-replica-conncheck %{_sbindir}/ipa-replica-install @@ -482,6 +483,7 @@ fi %{_mandir}/man1/ipa-server-certinstall.1.gz %{_mandir}/man1/ipa-server-install.1.gz %{_mandir}/man1/ipa-dns-install.1.gz +%{_mandir}/man1/ipa-adtrust-install.1.gz %{_mandir}/man1/ipa-ca-install.1.gz %{_mandir}/man1/ipa-compat-manage.1.gz %{_mandir}/man1/ipa-nis-manage.1.gz diff --git a/install/p
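Review bot: the diffstat lists `freeipa.spec.in` at +2 and the two visible spec hunks add only `%{_sbindir}/ipa-adtrust-install` and `%{_mandir}/man1/ipa-adtrust-install.1.gz`, so `install/share/smb.conf.template`, `ipaserver/install/adtrustinstance.py` and `tests/test_ipaserver/install/test_adtrustinstance.py` have to be picked up by existing `%files` globs; worth confirming in an rpmbuild that the template and the new module actually land in the package, because an unpackaged template would only surface when the tool runs.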
Re: [Freeipa-devel] [PATCH] 873 update ipa-ldap-updater man page
On Tue, 2011-09-13 at 16:13 -0400, Rob Crittenden wrote:
> ipa-ldap-updater is really just meant to be run during upgrades, not as
> a user utility. Add a blurb about that.
>
> This also fixes a bit of formatting and adds a bit about the order of
> operations.
>
> rob

ACK. Pushed to master, ipa-2-1.

Martin
Re: [Freeipa-devel] [PATCH] 872 allow csr file to be provided interactively
On Wed, 2011-09-14 at 14:23 +0200, Martin Kosek wrote:
> On Tue, 2011-09-13 at 14:35 -0400, Rob Crittenden wrote:
> > Add an escape clause to the CSR validator in the cert plugin. If the csr
> > is a file just return and let the load_files() call slurp in the
> > contents. It will still get validated.
> >
> > rob
>
> This works fine for CSR file.
>
> Shouldn't we fix this also for other File params? For example,
> entitle-import command will be affected as well:
>
> takes_args = (
> File('usercertificate*', validate_certificate,
> cli_name='certificate_file',
> ),
> )
>
> We can create a separate ticket for entitle-import if you want.
>
> Martin

Oh, and one more thing - API.txt has to be updated since you added a label to the CSR parameter.

Martin
Re: [Freeipa-devel] [PATCH] 016 Fixed: Some widgets do not have space for validation error message
Forgot to update tests - to address newly added validation row in table_widget. -- Petr Vobornik From 40382df3620607760e8a6033b93b178d149f9ed4 Mon Sep 17 00:00:00 2001 From: Petr Vobornik Date: Wed, 14 Sep 2011 13:01:25 +0200 Subject: [PATCH] Fixed: Some widgets do not have space for validation error message https://fedorahosted.org/freeipa/ticket/1454 The following widgets should call create_error_link() to create a space to show validation error messages: IPA.checkbox_widget IPA.checkboxes_widget IPA.radio_widget IPA.select_widget IPA.table_widget IPA.attributes_widget IPA.rights_widget IPA.target_section (it's a widget) Solution: * added call to checkbox, checkboxes, radio, select, table, attributes widget * rights_widget inherits it from checkboxes_widget. * target_section IS NOT a widget as it doesn't inherit from widget. It's still a section, which shows different widgets based on its state. * table_widget displays error_link above pagination. It looks better than under the table. --- install/ui/aci.js |2 + install/ui/test/widget_tests.js |2 +- install/ui/widget.js| 43 +- 3 files changed, 40 insertions(+), 7 deletions(-) diff --git a/install/ui/aci.js b/install/ui/aci.js index 5dcd69d447521ff5ed80088be1bd19bb3b851ba8..3be9953ae782320bace7bbc51e74d908b1c409d4 100644 --- a/install/ui/aci.js +++ b/install/ui/aci.js @@ -276,6 +276,8 @@ IPA.attributes_widget = function(spec) { if (that.object_type){ that.populate (that.object_type); } + +that.create_error_link(container); }; that.load = function(record) { diff --git a/install/ui/test/widget_tests.js b/install/ui/test/widget_tests.js index 9f0f6f0b59660a9c0648680ac94302ecf4d84aa5..141a0659e65ac01e781cad7f5ab5f3410fd1dc11 100644 --- a/install/ui/test/widget_tests.js +++ b/install/ui/test/widget_tests.js 
@@ -190,7 +190,7 @@ test("IPA.table_widget" ,function(){ widget.load(mock_results); -same ($('tr' ,widget_container).length, 4, 'four rows after load'); +same ($('tr' ,widget_container).length, 5, 'five rows after load'); }); diff --git a/install/ui/widget.js b/install/ui/widget.js index 58698486894ce9e72842ea1cf011a5fb75286421..e71cc22c1f660815afae0398f0bea0b8346d7a83 100644 --- a/install/ui/widget.js +++ b/install/ui/widget.js @@ -148,7 +148,7 @@ IPA.widget = function(spec) { the validation pattern. If the field value does not pass validation, displays the error message and returns false. */ that.validate = function() { -hide_error(); +that.hide_error(); that.valid = true; var values = that.save(); @@ -353,10 +353,10 @@ IPA.widget = function(spec) { error_link.css('display', 'block'); }; -function hide_error() { +that.hide_error = function() { var error_link = that.get_error_link(); error_link.css('display', 'none'); -} +}; that.set_enabled = function() { }; @@ -370,10 +370,12 @@ IPA.widget = function(spec) { // methods that should be invoked by subclasses that.widget_create = that.create; +that.widget_hide_error = that.hide_error; that.widget_load = that.load; that.widget_reset = that.reset; that.widget_save = that.save; that.widget_set_dirty = that.set_dirty; +that.widget_show_error = that.show_error; that.widget_test_dirty = that.test_dirty; return that; @@ -783,6 +785,8 @@ IPA.checkbox_widget = function (spec) { if (that.undo) { that.create_undo(container); } + +that.create_error_link(container); }; that.load = function(record) { @@ -858,6 +862,8 @@ IPA.checkboxes_widget = function (spec) { input.change(function() { that.set_dirty(that.test_dirty()); }); + +that.create_error_link(container); }; @@ -928,6 +934,8 @@ IPA.radio_widget = function(spec) { input.change(function() { that.set_dirty(that.test_dirty()); }); + +that.create_error_link(container); }; that.load = function(record) { 
@@ -1000,6 +1008,8 @@ IPA.select_widget = function(spec) { that.select.change(function() { that.set_dirty(that.test_dirty()); }); + +that.create_error_link(container); }; that.load = function(record) { @@ -1336,10 +1346,20 @@ IPA.table_widget = function (spec) { that.tfoot = $('').appendTo(that.table); +var columns_count = columns.length + (that.selectable ? 1 : 0); + +that.error_link_row = $('').appendTo(that.tfoot); + +td = $('', { +colspan: columns_count +}).appendTo(that.error_link_row); + +that.create_error_link(td); + tr = $('').appendTo(that.tfoot); td = $('', { -colspan: columns.length + (that.selectable ? 1 : 0) +col
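Review bot: the widget_tests.js hunk only bumps the expected `tr` count from 4 to 5, so it passes for any additional row, not specifically the new error-link row. Add an assertion that ties the extra row to the feature, for example that `widget.error_link_row` is a child of `widget.tfoot` and contains the element returned by `widget.get_error_link()`, so a later layout change that adds some other row does not silently satisfy the test.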
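Review bot: in the `IPA.widget` hunks `hide_error` is promoted from a private function to the public `that.hide_error` and both `that.widget_hide_error` and `that.widget_show_error` aliases are added, but unlike `validate` just above them the newly public methods carry no doc comment. A short comment saying that a subclass overriding show_error/hide_error should call the `widget_` variant keeps them consistent with the "methods that should be invoked by subclasses" block they are added to.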
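Review bot: in the `IPA.table_widget` hunk the error-link row is appended to `that.tfoot` ahead of the pagination row and the same `td` variable is reused for both rows; `that.create_error_link(td)` runs before `td` is reassigned, so this is correct today, but giving the first cell its own name (e.g. `error_td`) removes the ordering dependency. The hunk is also cut off here at `+col`, so the replacement of the pagination row's `colspan: columns.length + (that.selectable ? 1 : 0)` with the new `columns_count` cannot be verified from this excerpt.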
Re: [Freeipa-devel] [PATCH] 872 allow csr file to be provided interactively
On Tue, 2011-09-13 at 14:35 -0400, Rob Crittenden wrote:
> Add an escape clause to the CSR validator in the cert plugin. If the csr
> is a file just return and let the load_files() call slurp in the
> contents. It will still get validated.
>
> rob

This works fine for a CSR file.

Shouldn't we fix this also for other File params? For example,
entitle-import command will be affected as well:

    takes_args = (
        File('usercertificate*', validate_certificate,
            cli_name='certificate_file',
        ),
    )

We can create a separate ticket for entitle-import if you want.

Martin